On 15/10/2007, at 16.44, Bill Maas wrote: > Hello Stanislav, > > On Mon, 2007-10-15 at 12:54 +0200, Stanislav Meduna wrote: >> Bill Maas wrote: >> >>> The problem is that I don't like having my credit card nos. all >>> over the >>> place, so I asked Wim Vandeputte from soekris.kd85.com >> .. >>> A company named Escrow.com (www.escrow.com) >> >> And why exactly do you trust Escrow.com more than Wim Vandeputte? > > I'd trust my private data to be with a single organization more > than Wim > Vandeputte and a 1000 other sellers. It has noting to do with Wim > personally, I hope that's clear;).
You really should just trust and depend on your card issuer, which you have entered into agreement with when getting the card. While escrow.com might be a great company for some purposes, it really doesn't add anything when you have a company you buy from. If I paid amazon.com and the goods don't arrive I can contact the company that issued my card, VISA and get the amount back. The shops that accept the VISA cards all must be in compliance with the VISA PCI requirements which states that you cannot store CVV etc. In any case it is mostly THEIR problem, not yours - so adding complexity for your part won't solve any problems. In real life, of course you decide which shops to use based on some kind of reputation - to avoid the hassle of contacting your bank and getting them to start investigation and getting your money back. But you don't need to trust them as much as you trust you own bank. > >> You are probably not USA-based if you buy from Wim - good luck >> to dispute something if they screw up... > > Would not need any luck if an escrow were used.. Yes, you would - in case you happened to use a fraudulent escrow service you would probably loose your money - and trying to go after a company in another country is not something to be taken lightly. It would cost a lot of money just getting somebody do initial investigation, let alone secure your money. Escrow might have its place when strangers make deals, but calling soekris or Wim or another shop that has existed with large internet presence in multiple years, coooooome on ... no need to use escrow for that. > >>> The key issue is trust, the financial side should be much less >>> of a problem (basically all that is required is a computer >>> and a bank account). >> >> Yes, the key issue is trust. So how exactly can an "open >> source community" help here? > > OK, it's maybe a weird idea. The point being that I'd trust a bunch > of, > say, OpenBSD diehards at least as much than the average bank when it > comes to security issues. And I'd trust an organization backed by > FreeBSD, OpenBSD, GNU et al at least as much as some financial > institution I've never heard of before. And it could be non-profit. Don't - they drink a lot and listen to strange humppa ;-) > > But that's more of an ideological story, so let's just forget about > that > one. I just didn't want to promote Escrow.com, yet at the same time > state that Soekris Engineering should really use [something like] it > [and not Paypal for reasons explained]. Actually I REAAAALLLY DON'T trust large groups of people which have little to loose and much to gain from abuse. So actually I think it is fine that we need to buy SSL certificates from companies like verisign, of course competition is fine - but it should cost a lot to subvert, which is why we trust it. Not, sure if I get my point across, but I don't trust CAcert project for the same reasons - how much would it cost me to get enough signatures from real people in some low income country to get enough points to make some false certificate that others would trust? I trust that the OpenBSD people do a great job, and importantly IF there was some problem with the software I could either myself look into the source, or pay somebody to verify claims of the problems. Open source is great for that. > > And I see no reason why I should trust any seller with my CC nos., no > matter what they should or should not do, how strong or weak SSL > encryption is etc. In my view it's just plain nonsense having to send > such data over the wires over and over again. Yeah, you should have to TRAVEL my rowing BOAT to another part of the world to buy rice in person! You should ONLY be able to get real pizza and pasta in Italy. Using all this techno to buy across the internet is BAAAAAD ;-) No, seriously - the current financial system in europe is regulated a lot, to avoid money laundering etc. that using the current creditcard number, expiration date and card verification code from the back is "good enough" and the buyer is protected. The real problem is that this might change in the future, and waking up one day and realizing that you need to PROVE you didn't make that transaction might become hard. Most of this is simple logic, follow the money and make things simple! Trust me on that ;-) Best regards Henrik PS this thread is WAY of topic, and I wish that Mail.app on OSX would get a kill-thread button ... -- Henrik Lund Kramshøj, Follower of the Great Way of Unix [EMAIL PROTECTED], +45 2026 6000 cand.scient CISSP CEH http://www.security6.net - IPv6, sikkerhed, netværk _______________________________________________ Soekris-tech mailing list [email protected] http://lists.soekris.com/mailman/listinfo/soekris-tech
