[Discuss] Most common (or Most important) privacy leaks

Bill Horne bill at horne.net
Fri Feb 20 10:06:15 EST 2015


On Friday, February 20, 2015 06:54:37 AM Jerry Feldman wrote:
> On 02/19/2015 11:07 AM, Gordon Marx wrote:
> > On Thu, Feb 19, 2015 at 10:52 AM, Doug <sweetser at alum.mit.edu> wrote:
> >> > 2. I would like to hear more about "tools for plausible-deniability of
> >> > the existence of secondary access codes". I don't quite know what that
> >> > means.
> > 
> > I think the idea is to give the ability to communicate to the system
> > "Yes, I'm logging in, but I'm being coerced -- but don't let on that
> > you know, because I'm in danger if this doesn't appear to work".
> 
> I agree with this. This should also be employed in home security systems.

The problem with "coercion" codes is that they are only a delaying tactic, and 
tend to lead to hostage-taking. No matter how prompt the response, the best 
result which might be attained is that the criminals will abandon their attack 
when they find out help is on the way. 

That leaves a property-owner in a worse situation than before: he still has 
the asset, to be sure, but he's also still vulnerable, and the attackers now 
know that he was able to trick them, which is not a good place to put a 
sociopath. 

As a rhetorical discussion, coercion codes seem like great James Bond stuff. 
However, in practice, they are both dangerous and unreliable - could /you/ 
enter one without giving any clue? - and, truth be told, they require a degree 
of dedication and bravery few can measure up to. 

For those entrusted with other people's money or secrets, the game is over 
before it starts. It's not their property, no skin off their ears, and the 
worst penalty for cooperation is a few boring hours with police investigators 
and a need to find another job.

Someone protecting his own fortune will almost always have other safeguards in 
place, from the mundane use of a secondary account which doesn't have 
electronic access, to the need for a business partner or other trusted third 
party to supply part of an access code, or even kidnap and ransom insurance 
that will cover the loss. 

Those who lay hands on people are penalized *much* more harshly than those 
who commit crimes against property, and criminals know that. For the same 
reason that a burglar might decide to go unarmed, a cyber-attacker is likely 
to know a lot about my habits and routine *before* the attack, since the real 
wet work puts him over the line into *armed* robbery, and a minimum of six or 
seven more years on his sentence.

Forget anything you saw in movies: nobody moves millions of dollars around, 
or even tens of thousands, without safeguards that obviate the need for 
courage-under-fire. Corporate secrets are never entrusted to a single 
individual, "X" never marks the spot, and no matter how valuable the software, 
design, or manufacturing technique may be, it's *always* cheaper to go around 
it or figure a different method, instead of entertaining thoughts of being under 
the thumb of thugs who will be back for more, again and again.

Bill

-- 
Bill Horne
William Warren Consulting
339-364-8487


