Anne & Lynn Wheeler wrote:
issues did start showing up in the mid-90s in the corporate world ... there were a large number of former gov. employees starting to show up in different corporate security-related positions (apparently after being turfed from the gov). their interests appeared to possibly reflect what they may have been doing prior to leaving the gov.

one of the issues is that corporate/commercial world has had much more orientation towards prevention of wrong doing. govs. have tended to be much more preoccupied with evidence and prosecution of wrong doing. the influx of former gov. employees into the corporate world in the 2nd half of the 90s, tended to shift some of the attention from activities related to prevention to activities related to evidence and prosecution (including evesdropping).

for lots of drift ... one of the features of the work on x9.59 from the mid-90s

was its recognition that insiders had always been a major factor in the majority of financial fraud and security breaches. furthermore that with various financial functions overloaded for both authentication and normal day-to-day operations ... that there was no way to practical way of eliminating all such security breaches with that type of information. ... part of this is my repeated comment on security proportional to risk

the x9.59 approach was to eliminate the function overload so that the same information that was needed for normal day-to-day operation didn't also carry with it any authentication feature/attribute. the result was that data breaches could still occur, but no longer enabled the financial fraud that it once did ... and therefor it didn't really represent a serious security breach ... aka the countermeasure to financial fraud associated with the data breaches was to recognize that it was impossible to totally eliminate them, since the information was required extensively in day-to-day business processes, so to prevent the wrong doing, the authentication feature/attribute was removed from the associated information.

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to