[fc-discuss] Financial Cryptography Update: 2005 in review - The Year I lost my Identity
iang@iang.org
iang@iang.org
Fri, 16 Dec 2005 08:36:32 +0000 (GMT)
Financial Cryptography Update: 2005 in review - The Year I lost my Identity
December 16, 2005
------------------------------------------------------------------------
https://www.financialcryptography.com/mt/archives/000588.html
------------------------------------------------------------------------
In the closing weeks of 2005, we can now look back and see how the
Snail slithered its way across the landscape.
https://www.financialcryptography.com/mt/archives/000263.html
1. Banks failed to understand phishing at any deep level. They failed
in these ways:
* Pushing out websites that offered Login boxes on unencrypted pages
opens the door to phishing attacks and gets them the bank on Amir's
Hall of Shame. http://www.cs.biu.ac.il/~herzbea/shame/index.html
* Rollout of two-factor authentication tokens -- a.k.a. SecureIds as
promoted by RSADSI, as ordered by the FDIC, and as jumped on by the
banks desperate to be seen to do something -- devices which only
address one easily 'fixed' issue in phishing: realtime access. Yet,
even as the bandwaggon was exceeding the speed limit, we already saw
the first realtime atacks. I predicted that we'll see the first fully
perfect attacks by the end of the year.
https://www.financialcryptography.com/mt/archives/000577.html
http://www.secureidnews.com/library/2005/11/28/ffiec-tells-banks-to-mak
e-transactions-more-secure-with-twofactor-authentication/
* Banks experienced a wave of chill when Lopez sued Bank of America.
Although they knew that they were in the right, they also knew this
case would probably be lost. Or, at least, it was the beginning of the
end of the easy risk separation.
2. Browser manufacturers have moved slightly faster than your average
glacier. Microsoft moved forward by announcing that phishing was a
browser problem (Mozilla and KDE followed 8 months later), and again by
putting some tools into the IE7 release. Another big step forward was
announcing the switch-off of SSL v2.
But Microsoft also moved backwards one step IMO by going for the
"shared database of phishing alerts" idea pioneered by Netcraft.
Computer scientists and security gurus are still scratching their heads
over how that is ever going to work, given that it never worked the
other several hundred times we tried it. And another step backwards
was announced as Microsoft went for an upgraded super-authentication
concept for CAs. Those CAs that pass their upgraded rules will get
rewarded by the CA's name on the browser, and the site will appear in
green. Unfortunately, this confirms Microsoft in the position of
super-CA, as they've now taken a position of judgement. Worse, it
probably won't do anything to address the security problems we have
now. As James Donald says, "the revenue model [for certificates] is
based on sprinkling holy water over communications, rather than
actually providing security. Hence the proposal to address phishing by
providing higher priced grades of holy water."
3. Data hacking blew American innocence away when Choicepoint revealed
that they'd lost about 150,000 data sets to a guy with a stolen credit
card. That's identities, to the plebians. Instead of doing the right
thing and looking sorry, they ducked and weaved. Unfortunately, the
underlying spark was the California law that said you had to notify the
victims.
Within a month there were something like 6-8 large-scale copy cat
victim companies. The sudden knowledge of actual public attention and
actual duty of care and actual potential for damages electrified the
corporates like they'd received the other famous sentance from
California - deathrow. The year rolled on, and by the time it hit
50,000,000 sets of data -- people, identities, you but not me --
analysts got bored and stopped counting. Basically, all of them or as
many as you'd ever need.
(http://bankinfosecurity.com/node/2697 reports 104 documented
instances.)
4. Keylogging and malware and spyware slipped in and ruined -- totally
and utterly destroyed -- any notion that *your Windows PC* was safe.
It's a bit darn unfair as Microsoft did manage to improve the security
of their most famous and most hackable platform, but to little avail.
Underground rumour has had it for some time that corporates were also
playing the same game using weaknesses deliberately left in by the
manufacturer, and we got some great evidence when Sony was caught in
the act. In order to protect some 32 or so of their CDs, they
installed root kits across millions of machines (it's not really clear
what it means see half a million DNS servers).
What's the significance of this? It totally destroys our cosy concept
that the attacker is the bad guy and we are the good guys. If I had
been caught putting a root kit on someone's machine, I'd have gone to
jail, but apparently for Sony, that's not an issue. Security observers
are learning the doublethink of one rule for Cuthbert and another rule
for Sony.
5. Although we saw the first signs of trouble for Mac OSX in late
2004, it failed to germinate. Macs reached 5% of the market, better
than they'd done for a long time. Mac users had peace - in our time,
their time and if things keep going as they are, in their children's
time.
6, Security observers exhibited surprise at how phishing had emerged.
SANS still doesn't list it as a threat, but they did decide the Apple
OS X was one, primarily because it now has 5% of the market. It's an
odd way to do security - punish for popularity - but SANS is popular
with its members and training courses sell well. Expect them to list
phishing as a threat when the phishers have also reached 5% of the
market.
7. In the good news section, Apple's music sales boomed. Primarily,
their great business achievement was managing to walk a line between
the cash cow mentality of the music owners and the chinashop bull
attitude of Internet mp3 users. Also, not to be underestimated as a
core driver of their success, they got the interface and technology
right enough such that it is relatively seamless - rumour has it, it
just works.
8. Although Apple's tune was heard loud and clear, file sharing
systems continued to romp. Growth continued unabated, and by some
estimates, 30% of all bandwidth on the net is consumed by these
systems. That's success! But it also means that they are now facing
limits to growth themselves. Prosecutions continued, but seemed to do
nothing towards growth of file sharing or growth of music sales (either
on or off net).
9. Firefox continued to grow, reaching about 10% of the market by the
end of the year. Riding on a complete new build, some solid software
engineering and some adroit choices not to follow the Microsoft
"innovations" in insecurity like ActiveX, their growth was joyously
exponential. Being the one compatible browser across all major
platforms did no harm either - corporates now find that they can
install it everywhere, and Linux, BSD, OSX *and* Windows users are
happy together at last.
10. Another slow year in Financial Cryptography. Paypal grew, but
fractured more and more along jurisdictional lines. e-gold survived.
Actually that's unfair, they survived in 2004 and grew in 2005, but
still nobody knows how. Goldmoney surpassed in total value under
management, but kept mum about transactions. Industry scuttlebut has
it that the bell doesn't ring much. Exchange traded funds are now
routine, as model copies of DGCs within the stock market regime.
11, The surprise entry is WebMoney. This Russian based company keeps
popping up above the radar with solid report after solid report. They
seem to have adopted many of the lessons of actual real financial
cryptography and are even market leaders in some areas. They are the
_only ones with low cost arbitration_ -- a development we've been
praying for for about 5 years now, in the forum of LexCybernatoria
conferences -- and rumour has it that they've actually moved into the
distributed issuance space, something that I bet the farm on in 1995 or
so.
How did they do all this? By following Iang's rule number one of
market growth, I'd guess: shut the f*** up and work for your
customers. Or maybe it was simply because all their press releases are
in Russian and only Dany has the time to translate them.
12. The year of the smart card was not announced. The year of RFIDs
was announced. Neither seemed to make any difference, as yet.
13. Grid became commonplace in the news, as did Virtualisation. The
latter has security connotations in that you can now partition off all
those dodgy PHP apps on the net. But wait, there's a catch - once you
virtualise, they are really separate machines! So it is not clear to
me yet how this does any more than firewall and contain the insecurity
of webapps. OTOH, I'm impressed by the buzz, and I argue we should be
doing the same thing within Apache - sharing multiple SSL servers over
one IP# (still not practical...).
14. In cryptography, the big news was that Skype romped into being the
altime world champion at spreading crypto to the masses, only to be
bought by eBay. The drums of cryptowar continue to murmur with today's
news that the NSA now spies domestically, so expect the NSA to
negotiate a pass with Skype. Also, message digests continue to be all
messed up, but it doesn't effect us in app space yet. NIST has still
not announced a path forward in message digests nor the venerable
Digital Signature Algorithm / Standard.
15. My predictions back in 2005 weren't so bad. Predictions for next
year coming up, if there is time before it hits us.
Thanks all to the readers!
--
Powered by Movable Type
Version 2.64
http://www.movabletype.org/