Comments: Leadership, the very definition of fraud, and the court of security ideas

Can you comment further on the flaws of Ross Anderson's article? (Or did I miss an earlier post that covered this?)

Posted by Toby at May 10, 2007 10:10 AM

But here's what I noted up until I stopped counting:

"Since about 2000..." no, work was done before that, and the realisation was widespread, just in different places.

"The critical change was..." no, the critical change was that villains worked out how to make scads of money.

"[Phishing] started in 2003..." no, it started against online FIs in 2001. Against e-gold! Also, it was a variation of something that existed before, going back to around 1997 from memory.

"By 2006 ... nine figures in the USA" No, we'd passed a billion per year by mid 2004.

"...and finally move them through a nonbank such as eGold or Western Union."

No, he tries to make the case that nonbanks are always part of the chain. Nonsense; they are only in the chain in some cases. In many cases, the banks are all of the chain, but it ends with banks in strange faraway places.

The problem with a lot of these errors is that they feed directly into the conclusions, which are unsustainable, IMHO.

(And as everyone knows, I won't hesitate to criticise who he's trying to criticise.....)

Posted by Iang at May 10, 2007 10:36 AM

minor topic drift in sci.crypt ng ... the thread was "open source voting" ... but the response was to some comments about financial industry having standards and standards bodies (this is before current state where sci.crypt is being bombed by somebody ... all the posts are really coming from the same id if you look at the hdrs)
http://www.garlic.com/~lynn/2007j.html#67 open source voting

Posted by Lynn Wheeler at May 10, 2007 11:09 AM

Lynn, I guess you are talking about this bit:

part of this was because it was in the heyday of "PKI is the answer, now what is the question?" ... and the adding of digital certificate processing to existing payment transactions was resulting in a factor of two orders of magnitude (100 times) bloat in both payload size and processing overhead:
http://www.garlic.com/~lynn/subpubkey.html#bloat

the issue is more along the lines of risk averse in disputes and where the burden of proof lies. a financial institution electing to not use a "standard" will find that they have a significantly more difficult burden of proof placed on them in any dispute/litigation. this has actually shown up in at least one litigation dispute in europe ... where the plaintiff claimed damages (and prevailed) from a financial institution in an unexplained large financial transaction and only cited DES as still being used (after it had been deprecated). as a result, the burden of proof fell on the financial institution to prove that the continued use of DES could not be a factor.

there was some additional transformation when NIST announced that it no longer needed to create standards from scratch ... but could cite as standards, work done by other bodies ... like X9F (I think the first instance was X9.62 having to do with elliptic curve cryptography).

Posted by Iang at May 10, 2007 11:33 AM

re:
http://www.garlic.com/~lynn/2007j.html#67 open source voting
http://www.garlic.com/~lynn/aadsm27.htm#5 Leadership, the very definition of fraud, and the court of security ideas

aka the original post appeared to assert that the reason that the financial industry had "open" security standards was because the standards were "open" to lots of people looking at them ... and potentially with all the examination, would result in identifying deficiencies and result in overall better security.

an alternative possible explanation was that in a dispute or litigation ... showing that there was conformance to (some) accepted standards ... reduced what needed to be established/proven (from scratch) in resolving the dispute ... aka the use of standards is a (at least partial) defense.

better defense (in litigation) and better security are not necessarily identical.

Posted by Lynn Wheeler at May 10, 2007 02:20 PM

Cheers for that. The final point seems the most critical, but also the one for which we have the least evidence. Is there anything out there that suggests how often a nonbank is the final destination of phished funds?

In general, that looks like a good start to a rebuttal. Given Anderson's influence, a rebuttal might be a useful thing to produce.

Posted by Toby at May 11, 2007 10:59 AM

I'd put bank phished funds vs e-gold phished funds in terms of the animal kingdom ... Think about a blue whale vs any snake, even the biggest. That's about the size-range I guess represented by the situation.

Posted by SnakeCharmer at May 11, 2007 02:02 PM

re:
http://www.garlic.com/~lynn/aadsm27.htm#5 Leadership, the very definition of fraud, and the court of security ideas
http://www.garlic.com/~lynn/aadsm27.htm#6 Leadership, the very definition of fraud, and the court of security ideas

the other part is that a lot of the industry is point-solution wunderkind patches ... that don't actually correct any problem but create a paradigm of life-long patches.
http://www.garlic.com/~lynn/2007j.html#67 open source voting

this somewhat tempts to stray into the subject "nothing succeeds like failure" ... referenced here:
http://www.garlic.com/~lynn/aadsm26.htm#59 On cleaning up the security mess: escaping the self-perpetuating trap of Fraud?

and misc. past postings making reference to (problems with) security point-solutions (patches)
http://www.garlic.com/~lynn/2005t.html#25 Why does my address appear as part of my name?
http://www.garlic.com/~lynn/2007e.html#12 Securing financial transactions a high priority for 2007
http://www.garlic.com/~lynn/2007i.html#66 John W. Backus, 82, Fortran developer, dies

Posted by Lynn Wheeler at May 12, 2007 11:28 AM

In response to Toby's question about bank v. non-bank channels, I've asked around for opinions. I'll post them if I get any ... but I wouldn't hold out much hope for a useful scientific answer. I suspect nobody has as yet given any serious thought to putting a number on the question.

Posted by Iang at May 13, 2007 06:32 AM

Hi Ian,
this question would assume knowledge of money laundering felonies taking place; to know of same and to not report same is a misprision of a felony, something NO banker would "knowingly" do, or be one of the principals in e-gold currently under attack by US TREASURY/IRS/DOJ/DEA, etc.

any info you are likely to get will be heavily biased... (even prosecutions(failed attempts at laundering same))

FINCEN may have some current stats if u ask them real nice..

gwen - former banker/researcher...

Posted by gwen hastings at May 13, 2007 06:35 AM