Comments: What happened in security over the last 10 years?

can you say (old thread) "naked transactions" ... my archived posts
http://www.garlic.com/~lynn/subintegrity.html#payments

reference to threads here:
https://financialcryptography.com/mt/archives/000745.html
https://financialcryptography.com/mt/archives/000744.html
https://financialcryptography.com/mt/archives/000747.html
https://financialcryptography.com/mt/archives/000749.html

... reference blog talks about safety of the enterprise domain and use of firewalls and SSL for dealing with outside the safety zone.

the biggest items in the press regarding "breach" scenarios (and protecting information) have involved information from financial transactions that crooks can use for (other) fraudulent financial transactions.

we had been called in to consult with a small client/server company that wanted to do payment transactions on their servers and had this thing they had invented called SSL they wanted to use. it is frequently now called electronic commerce. part of that was something called payment gateway
http://www.garlic.com/~lynn/subnetwork.html#gateway

then in the mid-90s, we were asked to play in the x9a10 financial standard working group that had been given the requirement to preserve the integrity of the financial infrastructure for all retail payments. Part of the effort involved detailed end-to-end, threat and vulnerability studies. The result was x9.59 protocol
http://www.garlic.com/~lynn/x959.html#x959

part of x9.59 was to meet the *ALL* requirement, all types of retail payments: credit, debit, stored-value, etc; *ALL* environments: POS, internet, unattended, contact, contactless, face-to-face, transit turnstile, etc; and *ALL* values: low-value, high-value, very high-value, etc.

Part of it involved tweaking the paradigm so that information from previous transactions couldn't be used by crooks for fraudulent transactions (didn't do anything to eliminate breaches, just eliminated the threat from breaches). As it turns out it also eliminated the major use of SSL in the world (hiding information in financial transactions).

Part of addressing *ALL* values involved a framework we called "parameterised risk management". Some recent references:
http://www.garlic.com/~lynn/2008o.html#13 What risk of possible data leakage do you see for your organization?
http://www.garlic.com/~lynn/2008o.html#17 what will be a wow feature in a credit card
http://www.garlic.com/~lynn/2008o.html#47 Will cards with PayPass (from MasterCard) be using CHIP & PIN in the future?
http://www.garlic.com/~lynn/2008o.html#60 Biometric Credit cards
http://www.garlic.com/~lynn/2008o.html#64 In your experience which is a superior debit card scheme - PIN based debit or signature debit?

Posted by Lynn Wheeler at October 19, 2008 10:19 PM
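The paradigm shift the comment above describes (breached transaction data becoming useless for new fraudulent transactions) can be shown with a small model. This is an added example, not code from the original thread, x9.59, or the author; it substitutes a shared HMAC key for the per-account authentication of the real standard so it runs on the Python standard library alone, and all account numbers, merchants and keys are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed sample key: a real deployment would hold a per-cardholder
# signing key, with the issuer verifying it; a shared HMAC key is used
# here only so the example needs nothing beyond the standard library.
ACCOUNT = "4111-0000-0000-0001"  # constructed, not a real account number
ACCOUNT_KEY = hashlib.sha256(b"constructed-demo-key").digest()


def canonical(fields):
    """Stable serialization so signer and verifier authenticate the same bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def authorize_naked(known_accounts, account, amount):
    """'Naked transaction': the account number alone authorizes the payment,
    so any record leaked from an earlier transaction is enough to pay again."""
    return account in known_accounts and amount > 0


def sign_transaction(key, account, amount, merchant, seq):
    """Cardholder side: bind amount, merchant and a sequence number to the
    account with an authentication tag computed over the whole transaction."""
    body = {"account": account, "amount": amount, "merchant": merchant, "seq": seq}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "tag": tag}


class Issuer:
    """Verifies each transaction's tag and rejects replays of old sequence numbers."""

    def __init__(self, keys):
        self.keys = keys
        self.last_seq = {acct: 0 for acct in keys}

    def authorize(self, tx):
        key = self.keys.get(tx["account"])
        if key is None:
            return False
        body = {k: tx[k] for k in ("account", "amount", "merchant", "seq")}
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tx["tag"]):
            return False  # tag does not cover these fields: altered or forged
        if tx["seq"] <= self.last_seq[tx["account"]]:
            return False  # an already-seen transaction presented again
        self.last_seq[tx["account"]] = tx["seq"]
        return True


def breach_scenario():
    """Constructed scenario: a merchant's stored copy of one transaction leaks.
    Returns which attempts the issuer accepts under each paradigm."""
    issuer = Issuer({ACCOUNT: ACCOUNT_KEY})
    tx1 = sign_transaction(ACCOUNT_KEY, ACCOUNT, 4999, "merchant-A", 1)
    legit = issuer.authorize(tx1)
    # The leaked record replayed verbatim: valid tag, but stale sequence number.
    replay = issuer.authorize(dict(tx1))
    # The leaked record with amount/merchant/seq changed: tag no longer matches.
    forgery = issuer.authorize(dict(tx1, amount=99999, merchant="merchant-X", seq=2))
    # Same leaked account number under the naked-transaction paradigm.
    naked = authorize_naked({ACCOUNT}, tx1["account"], 99999)
    return {"legit": legit, "replay": replay, "forgery": forgery, "naked_reuse": naked}


if __name__ == "__main__":
    print(breach_scenario())
```

The account number still leaks in the breach; what changes is that it no longer authorizes anything by itself, which is the sense in which the threat from the breach is eliminated without the breach itself being prevented.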

Lynn, if you don't mind me askin', how long have you been doing this?

Are there any references to work that you may have done earlier, on say, the Rosetta Stone?

;-)

Posted by Anonymous Coward 2 at October 21, 2008 04:35 AM

archive of some old email
http://www.garlic.com/~lynn/lhwemail.html

recent semi-humorous post
http://www.garlic.com/~lynn/2008p.html#42 Password Rules

also reference to undergraduate in the 60s
http://www.garlic.com/~lynn/2008o.html#67 Invitation to Join Mainframe Security Guru Group

I was blamed for computer conferencing on the internal network (larger than internet/arpanet from just about the beginning until possibly summer '85) in the late 70s and early 80s. Partially as a result of that, a researcher was paid to sit in the back of my office for 9 months taking notes on how I communicated. They also got copies of all my incoming and outgoing email and logs of all instant messages. The result was also material for a Stanford phd thesis (joint between language and computer AI) and some number of papers and books. recent reference
http://www.garlic.com/~lynn/2008o.html#49 Discussions areas, private message silos, and how far we've come since 199x

For another kind of reference
http://www.garlic.com/~lynn/2008p.html#27 Father of Financial Dataprocessing

Different kind of recent reference
http://www.garlic.com/~lynn/2008p.html#41 Automation is still not accepted to streamline the business processes... why organizations are not accepting newer technologies?

--
40+yrs virtualization experience, online at home since Mar70

Posted by Lynn Wheeler at November 8, 2008 02:18 PM