Podcast: Crypto-Gram 15 July 2006: Economic considerations are everywhere in computer security
from the Jul 15, 2006 Crypto-Gram Newsletter
by Bruce Schneier
* Economics and Information Security
Economic considerations are everywhere in computer security. Hospitals' medical-records systems provide comprehensive billing-management features for the administrators who specify them, but are not so good at protecting patients' privacy. Automated teller machines suffered from fraud in countries like the United Kingdom and the Netherlands, where poor regulation left banks without sufficient incentive to secure their systems, and allowed them to pass the cost of fraud along to their customers.
Some of the most controversial cyberpolicy issues also sit squarely between information security and economics.
Ex: the issue of DRM: Is copyright law too restrictive -- or not restrictive enough -- to maximize society's creative output? And if it needs to be more restrictive, will DRM technologies benefit the music industry or the technology vendors? Is Microsoft's Trusted Computing Initiative a good idea, or just another way for the company to lock its customers into Windows, Media Player and Office? Any attempt to answer these questions becomes rapidly entangled with both information security and economic arguments.
* A Minor Security Lesson from Mumbai Terrorist Bombings
Cell phones are useful to terrorists, but they're more useful to the rest of us.
* Getting a Personal Unlock Code for Your O2 Cell Phone
O2 is a UK cell phone network. The company gives you the option of setting up a PIN on your phone. The idea is that if someone steals your phone, they can't make calls. If they type the PIN incorrectly three times, the phone is blocked. To deal with the problems of phone owners mistyping their PIN they can contact O2 and get a Personal Unlock Code (PUK).
O2 has decided to automate the PUK process.
This seems like a bad idea, but after I posted it on my blog a representative from O2 sent me the following:
"Yes, it does seem there is a security risk by O2 supplying such a service, but in fact we believe this risk is very small. The risk is when a customer's phone is lost or stolen. There are two scenarios in that event:
1) The phone is powered off. A PIN number would be required at next power on. Although the PUK code will indeed allow you to reset the PIN, you need to know the telephone number of the SIM in order to get it - there is no way to determine the telephone number from the SIM or handset itself. Should the telephone number be known the risk is then same as scenario 2.
2) The phone remains powered on: here, the thief can use the phone in any case without having to acquire PUK.
length: 21:36m
PS: this is my cheat sheet of Bruce Schneier's Podcast:
http://www.schneier.com/crypto-gram-0607.html
by Bruce Schneier
* Economics and Information Security
Economic considerations are everywhere in computer security. Hospitals' medical-records systems provide comprehensive billing-management features for the administrators who specify them, but are not so good at protecting patients' privacy. Automated teller machines suffered from fraud in countries like the United Kingdom and the Netherlands, where poor regulation left banks without sufficient incentive to secure their systems, and allowed them to pass the cost of fraud along to their customers.
Some of the most controversial cyberpolicy issues also sit squarely between information security and economics.
Ex: the issue of DRM: Is copyright law too restrictive -- or not restrictive enough -- to maximize society's creative output? And if it needs to be more restrictive, will DRM technologies benefit the music industry or the technology vendors? Is Microsoft's Trusted Computing Initiative a good idea, or just another way for the company to lock its customers into Windows, Media Player and Office? Any attempt to answer these questions becomes rapidly entangled with both information security and economic arguments.
* A Minor Security Lesson from Mumbai Terrorist Bombings
Cell phones are useful to terrorists, but they're more useful to the rest of us.
* Getting a Personal Unlock Code for Your O2 Cell Phone
O2 is a UK cell phone network. The company gives you the option of setting up a PIN on your phone. The idea is that if someone steals your phone, they can't make calls. If they type the PIN incorrectly three times, the phone is blocked. To deal with the problems of phone owners mistyping their PIN they can contact O2 and get a Personal Unlock Code (PUK).
O2 has decided to automate the PUK process.
This seems like a bad idea, but after I posted it on my blog a representative from O2 sent me the following:
"Yes, it does seem there is a security risk by O2 supplying such a service, but in fact we believe this risk is very small. The risk is when a customer's phone is lost or stolen. There are two scenarios in that event:
1) The phone is powered off. A PIN number would be required at next power on. Although the PUK code will indeed allow you to reset the PIN, you need to know the telephone number of the SIM in order to get it - there is no way to determine the telephone number from the SIM or handset itself. Should the telephone number be known the risk is then same as scenario 2.
2) The phone remains powered on: here, the thief can use the phone in any case without having to acquire PUK.
length: 21:36m
PS: this is my cheat sheet of Bruce Schneier's Podcast:
http://www.schneier.com/crypto-gram-0607.html
posted by omarg at
7:30 AM
0 Comments:
Post a Comment
<< Home