nanog mailing list archives
Re: Malicious SS7 activity and why SMS should never by used for 2FA
From: bzs () theworld com
Date: Tue, 20 Apr 2021 15:17:04 -0400
Something which binds them together are their insurance underwriters who generally want to set minimum requirements without having to review home-brewed security schemes. They want buzzwords and acronyms to put onto checklists.

Others would be courts (e.g., when lawsuits arise) and government and other contractors who, similarly, don't want to have to evaluate beyond checklists of accepted industry practices.

And a major value of standardized practices is precisely so they don't become competitive advantages particularly by their omission.

It's one reason, for example, car manufacturers are ok with something like requiring seat belts or air bags, or in many industries environmental regs, precisely so a competitor can't lower their costs (and likely prices) by omitting them. Everyone has to have them and up to some standard, compete on something else.

Perhaps if we began referring to a lot of this as "safety" rather than "security" that would sink in.

On April 20, 2021 at 06:59 mark@tinka.africa (Mark Tinka) wrote:
> On 4/20/21 01:46, bzs () theworld com wrote:
>
>> If they want to protect trillions of dollars in assets maybe they need to toss in a few billion to help, and stop hoping some bad press for the technical community will shame some geniuses into dreaming up better security for them mostly for free in terms of research and specs and acceptance but that's the hard part.
>>
>> You know what the net did successfully produce, over and over? Some of the wealthiest individuals and corporations etc in the history of civilization. Maybe the profit margins were a little too high and now we're paying the price, or someone is.
>
> For the most part, services that (want to) rely on security are providing their own security solutions. But they are bespoke, and each one is designing and pushing out their own solution in their own silo. So users have to contend with a multitude of security ideas that each of the services they consume come up with.
>
> Standardization, here, would go a long way in fixing much of this, but what's the incentive for them to all work together, when "better security" is one of their selling points?
>
> If, "magically", the Internet community came up with a solution that one felt is fairly standard, we've seen how well that would be adopted, a la DNSSEC, DANE and RPKI.
>
> At the very least, the discussions need to be had; but not as separate streams. Internet folk. Mobile folk. Telco folk. Service folk.
>
> Mark.
--
-Barry Shein

Software Tool & Die | bzs () TheWorld com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD
The World: Since 1989 | A Public Information Utility | *oo*