[Dataloss] time to name names (was Re: MORE BNY (Mellon Corp)Tapes lost)
Paul Ferguson
fergdawg at netzero.net
Sat Jun 7 04:14:50 UTC 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- -- "Marjorie Simmons" <lawyer at carpereslegalis.com> wrote:
>Paul Ferguson wrote in reply to Marjorie Simmons:
> [Simmons wrote in reply to Michele Corcoran]
> | > | Even if you go with a conservative estimate that one
> | > | 'identity' is worth less than 20 bucks (recently stated
> | > | in a paper) . . .
> | >
> |>>First, the worth of an identity is not the market value
> |>>of the identity, because the market is illegitimate.
>
> |> I would suggest that is actually not the case -- while the
> |> market for identity credentials (includes login IDs, credit
> |> card numbers, CVV & Track 2 data, SSNs, etc.) may indeed be
> |> illegitimate, it is thriving.
>
> |> So as far as I'm concerned, the statement above on market
> |> value is completely meaningless.
>
>Paul, it is not clear to which statement you are referring.
The worth of an identity depends upon to whom you
are referring: the loser or the purchaser. If it is the loser,
the worth of an identity is not equal to the market value.
If it is to the purchaser, it may be, it depends. You may
have misunderstood my meaning, and perhaps I could
have been clearer.
>
>To illustrate, consider the market value of a certain stock.
On Wall Street, the stock price may be $x per share. To
an investor with an agenda or plan it may be worth much
more or much less, even if that investor purchases some
shares at the market price.
>
>To most individuals their identity is worth quite a bit,
even if a thief can sell it on the black market for $20.
>
Well, let's leave it as an exercise for the readers. ;-)
My primary workload these days is working with law enforcement,
NGOs (the various regional CERTs/CSIRTs, ISPs, etc.) on incident
notification -- usually by the time I notify them they have a
problem, there are already victims. My primary task is to shrink
the "time-to-exploit" window as much as possible.
What I'm saying is not so different that what you are saying,
although I'm approaching this issue from a slightly different
perspective. Unfortunately, I have accepted that fact that there
will be compromises -- but I'm also of the opinion that the "stick"
is needed now since the "carrot" has obviously not worked -- companies
hide behind compliance mandates and do not radically change their
behavior until it is too late, and consumers get pinched.
Before I ramble on too much further, let me say this -- there is
a thriving underground economy which exists because "legitimate"
businesses do not adhere to (what could be considered) "best
practices", much less industry compliance mandates and regulations.
This sort of lackadaisical attitude is prevalent all across the
board, from we hosters, to Enterprise organizations, to e-commerce,
to banks, to even the SCADA community. and until a "stick" approach
is taken to provide punishment from making bad business decisions,
this trend will become worse than it already is.
In fact, if you look to New Zealand and the U.K, they are already
pushing fraud loss liability back onto the consumer.
$.02,
- - ferg
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.3 (Build 3017)
wj8DBQFISgs3q1pz9mNUZTMRAjwdAJ9zj6hr9Xgzrfklcd26aFNW76SUxwCffuUo
RQf6PE6Mx495Y+pSttuzf6U=
=4VpJ
-----END PGP SIGNATURE-----
--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/
More information about the Dataloss
mailing list