On Sat, Sep 10, 2011 at 10:38 AM, Peter Gutmann <[email protected]> wrote:
> My concern with this is that we've spent the last fifteen years energetically
> fixing the things that aren't being exploited. When do we start fixing the
> things that are?

Got a prioritized list? I'll tell you what I'm doing about them. Quite seriously actually...

> people proposing new Rube Goldberg schemes - me included - should feel
> confident enough in them that they're prepared to say "My scheme, if adopted,
> will lead to an X% decrease in phishing". It doesn't even have to be 25%,
> let's make it really easy and say 5%, or even just "statistically
> significant". If you can't do that then you're not really proposing a
> solution but just looking for guinea pigs).

Actually, figuring out whether your solution will actually work is an experiment right? We can't know in advance for all of them, and we can't even always A/B test things.

How much does DKIM signing help against phishing? How much does getting certain email providers to reject things unsigned for a given domain? How about formatting all of your mails a certain way, only including links to your own domain, etc.

Do you want to do each of those serially, with A/B testing? You'll be waiting for years before you get the results. Or you can try all of them, over some period of time, hoping they make a difference, and if the total phishing numbers are down, you win, as long as you spent less to implement than you save in costs either in direct losses or other metrics you care about like consumer trust/spending/etc.

Me, I'm trying to stay ahead of the curve if I can. Attackers aren't spending a lot of time compromising home networking devices like routers/modems, but we know some are vulnerable. I'd just as soon start fixing those things now, *before* people start abusing them.

- Andy
