Reply From: edison <edisonat_private>

A few thoughts on the subject.

First, with the frightening amount of completely unsecured consumer info sites on (and off) the net today, I would disagree that ICSA's actions reflect "very badly" on our industry. Because there are much easier targets, consumerinfo.com can be reasonably certain that it won't even be attacked for quite some time. At least until most of the rest of the sites are secure in the same fashion. Don't get me wrong, I'm not advocating 40-bit encryption as 'secure,' but it is 'more secure' than nothing at all. And until the ignorant IT managers with sites on the net clue in, this kind of certification won't _hurt_ our industry. Please don't attack me - I'm just saying that while we professionals might recognize weaknesses in this level of security, those outside don't and "we" still look good to them.

Second, if you've ever been to a hacker BBS/site, you have to know that getting into Equifax or any other reporting agency is pitifully easy. If you think 40-bit encryption is weak, how about a 2-character alphanumeric "password" on accounts that can be pulled from your own credit report? And for that matter, there are posted algorithms to the account scheme, so you can even generate your own. I will agree that there are more unsavory characters on the net than there are people aware of CBI dialups. But then again, 40-bit crypto is not exactly _easy_ to crack.

-edison

On Fri, 28 May 1999, cult hero wrote:

> I am becoming concerned about the apparent lack of professional competence
> within even well-known segments of the security community. I hope the
> incident I discovered is an isolated one, but even a single such incident
> is disquieting.

-o-
Subscribe: mail majordomoat_private with "subscribe isn".
Today's ISN Sponsor: OSAll [www.aviary-mag.com]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:24:01 PDT