Re: security on the web

> >I think she's still right - the technology required to snoop credit card
> >numbers off a web server is noticably newer (and hence less obtainable) than
> >the technology required to snoop credit card numbers off a hotels phone
> >lines.
> The issue isn't at the server, which is either run by competent, trustworthy
> people or there's no hope at all anyway.  At the _user_ end, though, you're
> trusting everybody who shares the same piece of ethernet.  In our public
> comuting sites that is a very scary thought.

Randoms on your ISP are a problem, yup. But that's also where the ROI for the
thief is lowest. If you're going to dedicate resources to swiping credit card
numbers off the net, you start looking at the place you're most likely to
find them, not with the random mishmash one finds on a large ISP.

Of course, you've also overstated the case. You don't trust everybody who
shares the same piece of ethernet, just those who can do computing on boxes
attached to it. If you're in a room full of CPUs on one net and surfing on one
of those, you've got a problem. If you're dialed into an ISP that doesn't have
shell accounts or puts the shell account machines on a different subnet than
the one you dial into, you don't.

The attack at the user end seems similar to a shoulder surfing attack for phone
card numbers . It works in ones and twos and is worthwhile for small-time
crooks, but simple precautions will prevent you from being a victim.


Received on Monday, 12 May 1997 15:33:32 UTC