Re: [ISN] ICSA certifies weak crypto as secure

From: cult hero <jericho_at_dimensional.com>
Date: Fri 28 May 1999 - 21:08:35 CDT
Reply From: edison <edison@dhp.com>

A few thoughts on the subject. 

First, with the frightening amount of completely unsecured consumer info
sites on (and off) the net today, I would disagree that ICSA's actions
reflect "very badly" on our industry.  Because there are much easier
targets, consumerinfo.com can be reasonably certain that it won't even be
attacked for quite some time.  At least until most of the rest of the
sites are secure in the same fashion. 

Don't get me wrong, I'm not advocating 40-bit encryption as 'secure,' but
it is 'more secure' than nothing at all.  And until the ignorant IT
managers with sites on the net clue in, this kind of certification won't
_hurt_ our industry.  Please don't attack me - I'm just saying that while
we professionals might recognize weaknesses in this level of security,
those outside don't and "we" still look good to them. 

Second, if you've ever been to a hacker BBS/site, you have to know that
getting into Equifax or any other reporting agency is pitifully easy.  If
you think 40-bit encryption is weak, how about a 2 character alphanumeric
"password" on accounts that can be pulled from your own credit report? 
And for that matter, there are posted algorithms to the account scheme, so
you can even generate your own. 

I will agree that there are more unsavory characters on the net than there
are people aware of CBI dialups.  But then again, 40-bit crypto is not
exactly _easy_ to crack. 

-edison

On Fri, 28 May 1999, cult hero wrote: 

> I am becoming concerned about the apparent lack of professional competence
> within even well-known segments of the security community. I hope the
> incident I discovered is an isolated one, but even a single such incident
> is disquieting.

-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: OSAll [www.aviary-mag.com]
Received on Sun May 30 14:13:40 1999