October 19, 2008

What happened in security over the last 10 years?

I keep having the same discussion in various places, and keep coming back to this eloquent description of where we are:

Gunnar's full blog post is here ... it includes some other things, but nothing quite so poignant.

Web Security hasn't moved since 1995. Oh well.

Posted by iang at October 19, 2008 09:19 PM

can you say (old thread) "naked transactions" ... my archived posts

reference to threads here:

... reference blog talks about safety of the enterprise domain and use of firewalls and SSL for dealing with outside the safety zone.

the biggest items in the press regarding "breach" scenarios (and protecting information) have involved information from financial transactions that crooks can use for (other) fraudulent financial transactions.

we had been called in to consult with a small client/server company that wanted to do payment transactions on their servers and had this thing they had invented called SSL they wanted to use. it is frequently now called electronic commerce. part of that was something called payment gateway

then in the mid-90s, we were asked to play in the x9a10 financial standard working group that had been given the requirement to preserve the integrity of the financial infrastructure for all retail payments. Part of the effort involved detailed end-to-end, threat and vulnerability studies. The result was x9.59 protocol

part of x9.59 was to meet the *ALL* requirement, all types of retail payments: credit, debit, stored-value, etc; *ALL* environments: POS, internet, unattended, contact, contactless, face-to-face, transit turnstile, etc; and *ALL* values: low-value, high-value, very high-value, etc.

Part of it involved tweaking the paradigm so that information from previous transactions couldn't be used by crooks for fraudulent transactions (didn't do anything to eliminate breaches, just eliminated the threat from breaches). As it turns out it also eliminated the major use of SSL in the world (hiding information in financial transactions).

Part of addressing *ALL* values involved a framework we called "parameterised risk management". Some recent references:
http://www.garlic.com/~lynn/2008o.html#13 What risk of possible data leakage do you see for your organization?
http://www.garlic.com/~lynn/2008o.html#17 what will be a wow feature in a credit card
http://www.garlic.com/~lynn/2008o.html#47 Will cards with PayPass (from MasterCard) be using CHIP & PIN in the future?
http://www.garlic.com/~lynn/2008o.html#60 Biometric Credit cards
http://www.garlic.com/~lynn/2008o.html#64 In your experience which is a superior debit card scheme - PIN based debit or signature debit?

Posted by: Lynn Wheeler at October 19, 2008 10:19 PM

Lynn, if you don't mind me askin', how long have you been doing this?

Are there any references to work that you may have done earlier, on say, the Rosetta Stone?


Posted by: Anonymous Coward 2 at October 21, 2008 04:35 AM

archive of some old email

recent semi-humorous post
http://www.garlic.com/~lynn/2008p.html#42 Password Rules

also reference to undergraduate in the 60s
http://www.garlic.com/~lynn/2008o.html#67 Invitation to Join Mainframe Security Guru Group

I was blamed for computer conferencing on the internal network (larger than internet/arpanet from just about the beginning until possibly summer '85) in the late 70s and early 80s. Partially as a result of that, a researcher was paid to sit in the back of my office for 9 months taking notes on how I communicated. They also got copies of all my incoming and outgoing email and logs of all instant messages. The result was also material for a Stanford phd thesis (joint between language and computer AI) and some number of papers and books. recent reference
http://www.garlic.com/~lynn/2008o.html#49 Discussions areas, private message silos, and how far we've come since 199x

For another kind of reference
http://www.garlic.com/~lynn/2008p.html#27 Father of Financial Dataprocessing

Different kind of recent reference
http://www.garlic.com/~lynn/2008p.html#41 Automation is still not accepted to streamline the business processes... why organizations are not accepting newer technologies?

40+yrs virtualization experience, online at home since Mar70

Posted by: Lynn Wheeler at November 8, 2008 02:18 PM