[cryptography] Diginotar Lessons Learned (long)

Ian G iang at iang.org
Sun Sep 11 05:44:52 EDT 2011

On 11/09/2011, at 10:02, "James A. Donald" <jamesd at echeque.com> wrote:

> On 2011-09-11 9:10 AM, Andy Steingruebl wrote:
>> 1. Phishing isn't the only problem right?

Malware + breaches might be the other  2 biggies.

Note that the malware/pc takeover market was probably financed by profits from phishing. Breaches seemed to rise in parallel. Ok, I've got no evidence for that, it's just a speculation.

>> 2. To some degree this is a game where we have to guess their next
>> step, and make that harder too.
> If we were doing something about their first step, then it would be necessary to guess their next step.

What James said. The history of threats developing to risks to institutionalized loss streams (cf CC) is one of ignoring the signs while looking elsewhere. Phishing in its mass (post-AOL) form was first tried approx 10 years ago against an FI. (for topical interest it was a 9/11 subject.)

It failed ... But by 2003 the early experimenters had got it right and were looking at a bright future.

We knew all that, and, institutionally speaking, ignored it.

The history of Internet threat analysis is equally poor.  SSL got the threat wrong because it predicted it - MITM. SSH got the threat right because it followed the losses and designed its model to beat the attackers.

Similar stories for IPSec and S/mime. Guesswork failed completely, response worked better, where it could.

Part of the problem is that we inherited the military threat concepts, CIA and all that. Another problem is that our successes aren't rewarded, theirs are. Hence, the net attacker gets smarter in swarm form, while we get dumber. They have the feedback loop, so they OODA us at a ratio of around 10:1.

Damn, there I go again, too many words. Iang

More information about the cryptography mailing list