[cap-talk] Re: First point of consensus
Ian G
iang at systemics.com
Wed Feb 9 16:48:47 EST 2005
Tyler Close wrote:
>I am claiming:
>1. The petname toolbar conveniently presents all the information needed
>to avoid a phishing attack.
>2. An attacker cannot trick the petname toolbar into assisting the
>deception.
>
>
Sure he can. He sticks a virus into your
computer, rewrites your pet name database,
and then inserts the email into inbox. Now,
you're probably going to say you assumed
viruses away, but they are already out there,
infecting users' DNS files.

This is security work, not building bridges.
Treating an attacker like rain on iron over
time isn't going to work. He doesn't work
to seasonal patterns, he looks for what you
left out and attacks there.

All assumptions are up for grabs, every
single one. You need to be able to separate
out the various attacks, assign probabilities
and confidence levels, and divide them into
classes of "covered" and "not covered" and
hope that the ones in the latter basket are
really low probability.

>>You call me "picky" for refusing to make an overreaching blanket
>>claim.
>>
>>
>
>I call you "picky" for attempting to paint me as making an overreaching
>blanket claim that is clearly unreasonable. You have associated
>additional and incorrect meaning with my statement.
>
>
You keep making these overreaching and blanket
claims. "Prevent" is one of them. Here's some more:

"That's how the petname toolbar solves the phishing problem,
both in theory and in practice."

"To defend against phishing, we need only prevent
subversion of existing trust relationships."

It may be a great sales technique, but it really slows
down the process of doing a security design, because
everyone else has to a) mentally unravel what's
wrong with it, and b) figure out whether there is
anything left of value. It's very expensive in
everybody else's time to deal with.

iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/