Re: [9fans] offered without comment or judgement

[Wes Kussmaul <wes@authentrus.com>]

[-- Attachment #1: Type: text/plain, Size: 2601 bytes --]

Devon H. O'Dell wrote:
> 2010/6/29 Wes Kussmaul <wes@authentrus.com>:
>
>> Stanley Lieber wrote:
>>
>>> Anywhere legitimate identification is used, legitimate identification can
>>> be purchased.
>>>
>> There are imperfect but very good ways to protect against that
>> vulnerability. They vary with the needs (and budgets) of relying parties.
>>
>
> I'm pretty sure you can't solve the problem. At the end of the day, it
> boils down to client-side security and what a person is willing to
> defend with their life. It's perfectly feasible to assume that
> identity information in a PKI world can be coerced and stolen as
> easily as physical identity information such as drivers licenses and
> social security cards. The security always breaks down at the personal
> level, and most private individuals aren't willing to die to protect
> this information.
>
> But you can do at least as good as these forms of ID. PKI requires
> knowledge of some sort of passkey. (I just worry about identification
> for people who are not smart enough to pick a good key. Which,
> unfortunately, is also most people

It's true, people give up their ATM card PINs at gunpoint. Guns are a
problem, especially where people tend to still use currency. Online, not
so much.

Possession is still the most effective factor. As our site points out,
------------------------------------------------------------------------
After spending millions of dollars on network security, corporations
still have major security problems.

Meanwhile, your ATM card allows your bank to dispense cash with
confidence from a machine on a city sidewalk.

The technology used by your ATM card is more ancient than the floppy
disk. So why are bank ATM networks generally secure, while corporate
information networks, in spite of continuous investment in the latest
security technology, are barely able to keep ahead of intruders?

The difference is not about technology. The difference is about
assumptions and architecture.

Your bank's ATM network starts with the premise that knowing who you are
is the foundation of security.

If a trusted co-worker asked you to share your ATM card and associated
PIN, what would you say? Of course, they would never ask in the first place.

If that co-worker asked you for your network password, what would you
say? In many companies, collaborative work gets done by sharing access
credentials, in spite of rules against it.


--
Learn about The Authenticity Economy at

http://video.google.com/videoplay?docid=-1419344994607129684&hl=en#


[-- Attachment #2: Type: text/html, Size: 3453 bytes --]