I shared the gist of the question with a leader of the Anti-Phishing Working Group, Peter Cassidy.
Thanks Dan, and thanks Peter,
I think we have that situation. For the first time we are facing a real, difficult security problem. And the security experts have shot
------- Part One
(just addressing Part one in this email)
> I think the reason that, to date, the security community has been largely silent on phishing is that this sort of attack was considered a confidence scheme that was only potent against dim-wits - and we all know how sympathetic the IT security/cryptography community is to those with less than powerful intellects.
OK. It could well be that the community has an inbuilt bias against protecting those that aren't able to protect themselves. If so, this would be cognitive dissonance on a community scale: in this case, SSL, CAs, browsers are all set up to meet the goal of "totally secure by default."
Yet, we know there aren't any secure systems, this is Adi Shamir's 1st law.
Ignoring attacks on dimwits is one way to meet that goal, comfortably.
But, let's go back to the goal. Why has it been set? Because it's been widely recognised and assumed that the user is not capable of dealing with their own security. In fact, in their lifetime over the last decade, browsers have migrated from a "ternary security rating" presented to the user, to wit, the old 40 bit crypto security, to a "binary security rating," confirming the basic principle that users don't know and don't care, and thus the secure browsing model has to do all the security for the user. Further, they've been protected from the infamous half-way house of self-signed certs, presumably because they are too dim-witted to recognise when they need less or more security against the evil and pervasive MITM.
Who is thus a dimwit. And, in order to bring it together with Adi's 1st law, we ignore attacks on dimwits (or in more technical terms, we assume that those attacks are outside the security model).
(A further piece of evidence for this is a recent policy debate conducted by Frank Hecker of Mozilla, which confirmed that the default build and root list for distribution of Mozilla is designed for users who could not make security choices for themselves.)
So, I think you're right.
> Also, it is true, it was considered a sub-set of SPAM.
And? If we characterise phishing as a sub-set of spam, does this mean we simply pass the buck to anti-spam vendors? Or is this just another way of cataloging the problem in a convenient box so we can ignore it?
(Not that I'm disagreeing with the observation, just curious as to where it leads...)
> The reliance on broadcast spam as a vehicle for consumer data recruitment is remaining but the payload is changing and, I think, in that advance is room for important contributions by the IT security/cryptography community. In a classic phishing scenario, the mark gets a bogus e-mail, believes it and surrenders his consumer data and then gets a big surprise on his next bank statement. What is emerging is the use of spam to spread trojans to plant key-loggers to intercept consumer data or, in the future, to silently mine it from the consumer's PC. Some of this malware is surprisingly clever. One of the APWG committeemen has been watching the development of trojans that arrive as seemingly random blobs of ASCII that decrypt themselves with a one-time key embedded in the message - they all go singing straight past anti-virus.
This is actually much more serious, and I've noticed that the media has picked up on this, but the security community remains characteristically silent.
What is happening now is that we are getting much more complex attacks - and viruses are being deployed for commercial theft rather than spyware - information theft - or ego proofs. This feels like the nightmare scenario, but I suppose it's ok because it only happens to dimwits?
(On another note, as this is a cryptography list, I'd encourage Peter and Dan to report on the nature of the crypto used in the trojans!)
> Since phishing, when successful, can return real money the approaches will become ever more sophisticated, relying far less on deception and more on subterfuge.
I agree this is to be expected. Once a revenue stream is earnt, we can expect that money to be invested back into areas that are fruitful. So we can expect many more, and more complex and difficult, attacks.
I.e., it's only just starting.
------- Part Two
--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
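An added illustration of the evasion Peter describes above, that a trojan delivered as a random-looking ASCII blob which decrypts itself with a one-time key carried in the same message defeats signature-based anti-virus. This is my own example, not code from the thread, from the APWG, or from any of the trojans discussed; the payload is a harmless constructed string standing in for a trojan body, the XOR cipher, 16-byte key, base64 framing, the fixed keys used in `demo()`, and the "signature" byte pattern are all assumptions of the example. It shows two mails carrying the same payload under different keys, a naive scanner that looks only at the blob (and at its base64-decoded bytes) missing both, and a scanner that emulates the decryptor catching both.

```python
import base64

# Constructed stand-in for a trojan body; harmless text, an assumption of
# this example rather than anything from the thread.
PAYLOAD = b"BEGIN_PAYLOAD: fetch config; install keylogger hook; END_PAYLOAD"
# A static anti-virus signature: a byte pattern known from the unpacked body.
SIGNATURE = b"install keylogger hook"
KEY_LEN = 16


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; the toy stand-in for the trojan's cipher."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_blob(payload: bytes, key: bytes) -> str:
    """Build the ASCII blob the mail carries: base64(key || payload XOR key).

    The key travels inside the message, as in the scheme Peter describes.
    Because every message gets a fresh key, no two blobs share a signable
    byte run, even though every one of them unpacks to the same payload.
    """
    if len(key) != KEY_LEN:
        raise ValueError("key must be %d bytes" % KEY_LEN)
    return base64.b64encode(key + xor_bytes(payload, key)).decode("ascii")


def decode_blob(blob: str) -> bytes:
    """What the self-decrypting stub does on the victim's machine."""
    raw = base64.b64decode(blob)
    key, body = raw[:KEY_LEN], raw[KEY_LEN:]
    return xor_bytes(body, key)


def scan_static(blob: str, signature: bytes) -> bool:
    """Signature scan as a naive scanner does it: look at the blob's text
    and at its base64-decoded bytes, but never run the decryptor."""
    return signature in blob.encode("ascii") or signature in base64.b64decode(blob)


def scan_after_unpacking(blob: str, signature: bytes) -> bool:
    """Signature scan applied to the decryptor's output, i.e. the scanner
    emulates the stub first. With per-message keys this is the only layer
    at which a static signature on the body can still match."""
    return signature in decode_blob(blob)


def demo() -> dict:
    """Two mails, same trojan, different one-time keys (fixed here so the
    run is reproducible; a real sender would draw them at random)."""
    key_a = bytes(range(1, 17))
    key_b = bytes(range(17, 33))
    blob_a = encode_blob(PAYLOAD, key_a)
    blob_b = encode_blob(PAYLOAD, key_b)
    # A signature lifted from one captured blob does not carry to the next one.
    sig_from_blob_a = blob_a[:24].encode("ascii")
    return {
        "blobs_differ": blob_a != blob_b,
        "both_unpack_to_payload": decode_blob(blob_a) == decode_blob(blob_b) == PAYLOAD,
        "blob_a_signature_hits_blob_b": scan_static(blob_b, sig_from_blob_a),
        "static_scan_hits": (scan_static(blob_a, SIGNATURE),
                             scan_static(blob_b, SIGNATURE)),
        "unpacked_scan_hits": (scan_after_unpacking(blob_a, SIGNATURE),
                               scan_after_unpacking(blob_b, SIGNATURE)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-30s %s" % (name, value))
```

The point for detection engineering is in the last two entries of `demo()`: the body signature never appears in the wire form, so the stable thing to match on is the decryption logic itself, or the output of running it. Real scanners do this by emulating or sandboxing the stub; the toy above simply calls `decode_blob`, which assumes the scanner already knows the blob's framing and cipher.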