Re: User interface, security, and "simplicity"

2008-05-03 Thread Jeff Simmons
On Saturday 03 May 2008 14:00, Perry E. Metzger wrote:
> Right now, to use SSH to remotely connect to a machine using public
> keys, all I have to do is type "ssh-keygen" and copy the locally
> generated public key to a remote machine's authorized keys file.
> When there is an IPSEC system that is equally easy to use I'll switch
> to it.

OpenBSD has recently added the ipsecctl command, which greatly simplifies 
setting up IPSEC VPNs, especially between OpenBSD machines. A config file can 
be as simple as (from the man page):

ike esp from 192.168.3.1 to 192.168.3.2
ike esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2

And the file structure for storing certs, public/private keys, and shared 
secrets (which ipsecctl searches automatically) is equally simple.

-- 
Jeff Simmons   [EMAIL PROTECTED]
Simmons Consulting - Network Engineering, Administration, Security
"You guys, I don't hear any noise.  Are you sure you're doing it right?"
--  My Life With The Thrill Kill Kult
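An expanded ipsec.conf for the same two rules, added here as an illustration and not taken from the message or the OpenBSD man page. The addresses are the ones quoted above; the host names, proposals, secret placeholder and the key-file paths in the comments are assumptions (the paths follow the isakmpd(8) layout).

```conf
# /etc/ipsec.conf, parsed by ipsecctl(8) and handed to isakmpd(8)
# (isakmpd started with -K so it takes its policy from this file).
# Addresses come from the man-page example; host names, key material
# and proposals are illustrative choices, not values from the message.

# Host-to-host SA between the two gateways, authenticated with a
# pre-shared key. The phase 1 ("main") and phase 2 ("quick") proposals
# are spelled out rather than left to the defaults, so a config review
# shows exactly which algorithms are negotiated.
ike esp from 192.168.3.1 to 192.168.3.2 \
        main auth hmac-sha2-256 enc aes-256 group modp2048 \
        quick auth hmac-sha2-256 enc aes-256 group modp2048 \
        psk "replace-with-a-long-random-secret"

# Net-to-net tunnel for the LANs behind each gateway, authenticated
# with RSA public keys instead of a shared secret. srcid/dstid select
# which public-key file isakmpd looks up for the peer.
ike esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 \
        main auth hmac-sha2-256 enc aes-256 group modp2048 \
        quick auth hmac-sha2-256 enc aes-256 group modp2048 \
        srcid gw-a.example.net dstid gw-b.example.net

# Where isakmpd looks for the material these rules reference
# (assumed layout, per isakmpd(8)):
#   /etc/isakmpd/private/local.key            this host's RSA private key, mode 0600
#   /etc/isakmpd/local.pub                    this host's RSA public key
#   /etc/isakmpd/pubkeys/ipv4/192.168.3.2     peer public key, looked up by address
#   /etc/isakmpd/pubkeys/fqdn/gw-b.example.net   peer public key, looked up by dstid
#   /etc/isakmpd/ca/  /etc/isakmpd/certs/     CA and host certificates for X.509 auth
#
# Parse without loading:      ipsecctl -n -f /etc/ipsec.conf
# Load and inspect the result: ipsecctl -f /etc/ipsec.conf && ipsecctl -s all
```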

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: Has there been a change in US banking regulations recently?

2010-08-13 Thread Jeff Simmons
On Friday 13 August 2010 04:59, Peter Gutmann wrote:
> As part of a thread on another list, I noticed that Bank of America, who
> until recently didn't bother protecting the page where users are expected
> to enter their credentials with anything more substantial than a GIF of a
> padlock, now finally use HTTPS on their home page, and redirect HTTP to
> HTTPS (this only took them, what, about ten years to get right?  Or is it
> fifteen?  When did BofA first get a web presence?).  Wachovia now do it
> too.  And Citibank at least redirect you to an HTTPS page.  And so does US
> Bank, after asking for your ID.
>
> What on earth happened?  Was there a change in banking regulations in the
> last few months?
>
> Peter.

It wouldn't surprise me if there's been some blowback from the adoption of 
PCI-DSS (Payment Card Industry Data Security Standards). As someone who has 
had to help several small to medium size businesses comply with these 
'voluntary' standards, the irony of the fact that the big banks that require 
them often aren't in compliance themselves hasn't escaped my notice.

-- 
Jeff Simmons   jsimm...@goblin.punk.net
Simmons Consulting - Network Engineering, Administration, Security
"You guys, I don't hear any noise.  Are you sure you're doing it right?"
--  My Life With The Thrill Kill Kult



Re: Has there been a change in US banking regulations recently?

2010-08-14 Thread Jeff Simmons
On Friday 13 August 2010 11:33, eric.lengve...@wellsfargo.com wrote:
> I'd like to clarify a bit. PCI-DSS wasn't developed by the big banks. It
> isn't usually enforced by big banks except insofar as they are liable for
> PCI-DSS compliance when outsourcing to or partnering with other companies.
> So they may be forcing it on the SMBs you've worked with because they're
> liable in some way.
>
> PCI-DSS was the brainchild of Visa. I'm a member of X9F (X9F6 is the
> payment card security standards committee) and we wrote an open letter back
> in 2005 to Visa and Mastercard asking them not to set new, separate
> standards for the financial sector but to work from within X9F. They
> ignored us. Even though you clearly indicate that they aren't truly
> voluntary via your use of quotes, when the PCI group (VISA et al.) can
> unilaterally level huge fines and/or penalties for non-compliance they
> really are compulsory.

Also, PCI certification requires that all of your partners (anyone you 
exchange payment card information with) be PCI compliant. At the level I work 
at, it's compulsory. Presently, it seems to apply to anyone taking payment 
cards over the web, and seems to be working its way down the food chain to 
brick and mortar vendors.  For me, it's the equivalent of a 
congressional full employment act, so I'm not complaining a lot. 

> Luckily, PCI-DSS compliance != security. Or is that unluckily because of
> how much money is wasted complying that could be better spent securing.

The latter. And for many, many, many other reasons than just the financial 
hit. 

-- 
Jeff Simmons   jsimm...@goblin.punk.net
Simmons Consulting - Network Engineering, Administration, Security
"You guys, I don't hear any noise.  Are you sure you're doing it right?"
--  My Life With The Thrill Kill Kult
