[cryptography] Diginotar Lessons Learned (long)

Andy Steingruebl andy at steingruebl.com
Sat Sep 10 17:53:26 EDT 2011

On Sat, Sep 10, 2011 at 10:38 AM, Peter Gutmann
<pgut001 at cs.auckland.ac.nz> wrote:

> My concern with this is that we've spent the last fifteen years energetically
> fixing the things that aren't being exploited.  When do we start fixing the
> things that are?

Got a prioritized list?  I'll tell you what I'm doing about them.
Quite seriously actually...

> people proposing new Rube Goldberg schemes - me included - should feel
> confident enough in them that they're prepared to say "My scheme, if adopted,
> will lead to an X% decrease in phishing".  It doesn't even have to be 25%,
> let's make it really easy and say 5%, or even just "statistically
> significant".  If you can't do that then you're not really proposing a
> solution but just looking for guinea pigs).

Actually, figuring out whether your solution will actually work is an
experiment right?  We can't know in advance for all of them, and w
can't even always A/B test things.  How much does DKIM signing help
against phishing?  How much does getting certain email providers to
reject things unsigned for a given domain?  How about formatting all
of your mails a certain way, only including links to your own domain,
etc.  Do you want to do each of those serially, with A/B testing?
You'll be waiting for years before you get the results.  Or you can
try all of them, over some period of time, hoping they make a
difference, and if the total phishing numbers are down, you win, as
long as you spent less to implement than you save in costs either in
direct losses or other metrics you care about like consumer

Me, I'm trying to stay ahead of the curve if I can.  Attackers aren't
spending a lot of time compromising home networking devices like
routers/modems, but we know some are vulnerable.  I'd just as soon
start fixing those things now, *before* people start abusing them.

- Andy

More information about the cryptography mailing list