BreachExchange mailing list archives
Re: time to name names (was Re: MORE BNY (Mellon Corp)Tapes lost)
From: "Paul Ferguson" <fergdawg () netzero net>
Date: Sat, 7 Jun 2008 04:14:50 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -- "Marjorie Simmons" <lawyer () carpereslegalis com> wrote:

> Paul Ferguson wrote in reply to Marjorie Simmons:
> [Simmons wrote in reply to Michele Corcoran]
>
> > > > Even if you go with a conservative estimate that one
> > > > 'identity' is worth less than 20 bucks (recently stated
> > > > in a paper) . . .
> >
> > > First, the worth of an identity is not the market value
> > > of the identity, because the market is illegitimate.
> >
> > I would suggest that is actually not the case -- while the
> > market for identity credentials (includes login IDs, credit
> > card numbers, CVV & Track 2 data, SSNs, etc.) may indeed be
> > illegitimate, it is thriving.
> >
> > So as far as I'm concerned, the statement above on market
> > value is completely meaningless.
>
> Paul, it is not clear to which statement you are referring.
>
> The worth of an identity depends upon to whom you are referring:
> the loser or the purchaser. If it is the loser, the worth of an
> identity is not equal to the market value. If it is to the
> purchaser, it may be; it depends. You may have misunderstood my
> meaning, and perhaps I could have been clearer.
>
> To illustrate, consider the market value of a certain stock.
> On Wall Street, the stock price may be $x per share. To an
> investor with an agenda or plan it may be worth much more or
> much less, even if that investor purchases some shares at the
> market price.
>
> To most individuals their identity is worth quite a bit,
> even if a thief can sell it on the black market for $20.
Well, let's leave it as an exercise for the readers. ;-)

My primary workload these days is working with law enforcement, NGOs (the various regional CERTs/CSIRTs, ISPs, etc.) on incident notification -- usually by the time I notify them they have a problem, there are already victims. My primary task is to shrink the "time-to-exploit" window as much as possible.

What I'm saying is not so different than what you are saying, although I'm approaching this issue from a slightly different perspective. Unfortunately, I have accepted the fact that there will be compromises -- but I'm also of the opinion that the "stick" is needed now since the "carrot" has obviously not worked -- companies hide behind compliance mandates and do not radically change their behavior until it is too late, and consumers get pinched.

Before I ramble on too much further, let me say this -- there is a thriving underground economy which exists because "legitimate" businesses do not adhere to (what could be considered) "best practices", much less industry compliance mandates and regulations. This sort of lackadaisical attitude is prevalent all across the board, from us hosters, to Enterprise organizations, to e-commerce, to banks, to even the SCADA community. And until a "stick" approach is taken to provide punishment for making bad business decisions, this trend will become worse than it already is.

In fact, if you look to New Zealand and the U.K., they are already pushing fraud loss liability back onto the consumer.

$.02,

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFISgs3q1pz9mNUZTMRAjwdAJ9zj6hr9Xgzrfklcd26aFNW76SUxwCffuUo
RQf6PE6Mx495Y+pSttuzf6U=
=4VpJ
-----END PGP SIGNATURE-----

--
"Fergie", a.k.a.
Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss