[fc-discuss] Financial Cryptography Update: iVirus, Mr & Mrs Smythe, Shaking the Incumbents, Ping on convenience, Gmail on inconvenience

iang@iang.org iang@iang.org
Thu, 23 Feb 2006 08:28:12 +0000 (GMT)

                           February 23, 2006




Curious that Apple's Safari wasn't mentioned in recent discussions
about High Assurance certs.  Which brings us to a rash of sightings of
Mac Viruses.  Well, three at least.  Unfortunately the media can be
relied upon to over-play the appearance of Mac Viruses, and downplay
the Microsoft ones.  That's because one is rare and the other is
common.  Although that will change over time, I predicted Macs won't be
overly troubled by it this year, so they'd better do the right thing!


More signs of aggressive play by media corporates seen.  This time, "Mr
& Mrs Smith" have been accused of playing on your PC with more than the
normal funny goings-on.


It's not clear what it means when they say "like a root-kit" but maybe
you should play that movie at your mother-in-law's place first.

Dave discusses the effect of Skype on the telecoms industry. 
Curiously, although these forces have been building up for a decade
(does anyone remember the first IP phone?) and we've been discussing it
for even longer, it takes a big success like Skype to actually shake
the incumbents.


Exactly the same thing is happening in the DRM world as the incumbents
are waking up to the success of iPod.  Business plans and ideas are
flashing around just like the good old dotcom days.

Ping launches an essay on how to solve phishing.  He starts out from a
principle that bears thought:

I have an idea about how to solve the phishing problem.  Although
proposals to solve phishing are not yet as common as proposals to solve
spam, there certainly have been quite a few of them, so you would be
right to wonder what makes this proposal any different or any more
likely to work.

So, right up front, here is the key property of this proposal: using it
is more convenient than not using it.

This principle has been bubbling around for some time, awaiting a pithy
encapsulation.  Think about it - you use Skype because it is more
convenient than not.  You use SSH for the same reason.  You probably
benefit from SSL when you benefit only because you had to do nothing to
make it happen.  And Philipp points at how easy it is to turn off

Without any guarantees, here are two tips that will make sure you will
receive these new features as soon as they are available (and if you're
lucky, they will start working right away):

    * If you are using an https connection to access GMail, remove the
's' (i.e. the address should read "http://mail.google.com"). 
Eventually, all the new services will support https, but they typically
don't initially.


The comments are worth a read - for any security guy that needs to be
reminded about how users really respond.  Including this one which has
more FC significance:

Embedding Google Talk inside Google Mail is going to create a real
problem for some people.

I work for a bank where all external IM is forbidden. We can only go
through auditable internal IM applications. This is enforced by a proxy
server that blocks access to all known IM servers including MSN
Messenger, Yahoo, ICQ, AOL, Google Talk, Jabber, etc.

If the Compliance nazis hear that we can access Google Talk from Google
Mail, they will block Google Mail too.

I don't suppose there's much hope in asking, but is there any way we
can have a special version of Google Mail _without_ access to Google
Posted by: Anonymous Banker at February 10, 2006 03:17 AM
