[cryptography] PKI "fixes" that don't fix PKI (part III)

Jeffrey Walton noloader at gmail.com
Sun Sep 11 09:13:45 EDT 2011


On Sun, Sep 11, 2011 at 8:58 AM, Ian G <iang at iang.org> wrote:
>
>
> On 11/09/2011, at 7:50, Steven Bellovin <smb at cs.columbia.edu> wrote:
>
>>
>> On Sep 10, 2011, at 4:14 00PM, John Levine wrote:
>>
>>>> [SNIP]
>
>> The issue, then, is one of
>> motivation -- given the current market price for stolen credit card
>> numbers, are they motivated to try to steal them?  That answer in turn
>> depends on the return per unit of effort expended.
>
> Right. Easy to show motivation by attack scenario:
>
> An eavesdropping attack is o(1) in work factor. That is, it's a hack, or script kiddie process.
>
> (forget MITM)
>
> Now, a breach is also o(1) work, as it's the same sort of hack / script kiddy thing.
>
> But, a breach returns o(1000) units of value. An eavesdrop returns o(1) units.
>
> Mix with standard math. QED. No actor in his right mind will bother to eavesdrop while breaches are possible.

Hmmm... If the 1 unit is high value, I don't believe it holds.
Consider an eavesdropper who intercepts information on a high-dollar
merger between banks, versus a collection of CCs/CCVs. I think the
same applies to defense R&D and intellectual property.

>>  It is precisely
>> because of SSL that the actual vulnerability rate is very low, which in
>> turn removes the incentive.
>
> Two opposing claims!  It seems that the encryption claim is a prediction based on theories of security.
>
> Whereas, the no-encryption claim is based on economics. It also has the merit that the economics are supported by the prices and actions in the market for batches of stolen card sets.
>
It does not hurt that US legislation is corporate-biased. PII and CC
losses are absorbed by individuals, merchants and shareholders. The
executives responsible for things such as risk management and security
posture are not held accountable.

Consider the absurdity: when is the last time you heard a judge throw
out a theft case because
"there's no evidence the thief who stole the money spent the money."
Yet class actions on PII losses are thrown out regularly, and
Visa/Banks/Merchants don't litigate against one another (they just
pass it on to the consumer).

Jeff