rob.schr...@gmail.com (Rob Schramm) writes:
> Seems like there is a drift about security and walls.. interesting article
> I found about walls when reading Cryptograms...
>
> https://warontherocks.com/2018/02/wall-wall-fortresses-fail/
re: http://www.garlic.com/~lynn/2018c.html#9 Graph database on z/OS?

possibly more than you ever wanted to know. in part because of doing electronic commerce, was sucked into financial standards, financial industry critical infrastructure protection, and other efforts, like doing some work with these guys (but from 2004):

Electronic Safety and Soundness: Securing Finance in a New Age
http://documents.worldbank.org/curated/en/756761468778791728/pdf/284050PAPER0WBWP026.pdf

This monograph presents a four pillar framework for policymakers in emerging markets to use in designing responses to the challenge of assuring electronic safety and soundness of their financial systems. As such, this paper is focused in part on technological solutions, but more importantly on the incentives of the many parties involved in assuring the security of critical infrastructures--from telecommunications and financial sector service providers to the government and even to the many final consumers of financial or other services.

... snip ...

we had also been brought in to help wordsmith some Cal. state legislation; they were working on electronic signature, data breach notification, and opt-in privacy. several entities involved in privacy were involved and had done detailed, in-depth public surveys on privacy, and the #1 issue was identity theft, specifically the form involving various breaches that resulted in fraudulent financial transactions. a problem was that little or nothing was being done about these breaches (except trying to keep them out of the news). a major issue is that entities take security measures in self protection ... the problem with the breaches was that the institutions weren't at risk, it was the public ... so they had little motivation. it was hoped that the publicity from the data breach notifications might motivate institutions to take security measures.
that and a combination of other things resulted in doing a financial transaction standard that slightly tweaked the current infrastructure ... and eliminated criminals' ability to use information from previous transactions obtained in breaches for doing fraudulent transactions (a form of replay attack) ... it didn't prevent breaches, but eliminated the risk from (and major motivation for doing) breaches.

two (other) problems:

1) "security proportional to risk": the value of transaction information to the merchant can be a few dollars (and a few cents to transaction processors); the value of the information to criminals can be the account balance (or credit limit) ... as a result criminals may be able to outspend by a factor of 100 times attacking (than defenders can afford to spend on defending), and

2) "dual use": transaction information is used for both authentication and dozens of business processes at millions of locations around the world ... as a result it has to be both kept absolutely secure and never divulged, and simultaneously readily available.

for various reasons there are numerous stakeholders with vested interests in preserving the status quo.

from the law of unintended consequences ... "SSL" for electronic commerce (worked on earlier) was used to hide financial transaction information during transmission. the "tweak" eliminates the need to hide the information ... whether in transmission or "at rest".

--
virtualization experience starting Jan1968, online at home since Mar1970

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
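The property the post describes (a stolen transaction record is useless to the thief, so the record no longer has to be hidden in transit or at rest, while the merchant can still keep and use it for its own business processes) can be shown with a small model. This is an added example, not code from the post or from the standard it refers to, and the post does not describe the standard's actual mechanism; as an assumption, a per-transaction HMAC-SHA256 over the transaction's own fields, computed by the account holder with a key shared only with the issuer, stands in for that mechanism. Account numbers, merchant names and amounts below are constructed.

```python
import hashlib
import hmac
import json
import secrets


def canonical(txn: dict) -> bytes:
    """Deterministic encoding of every field except the authenticator itself,
    so the authenticator binds account, merchant, amount and sequence number."""
    fields = {k: v for k, v in txn.items() if k != "auth"}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


class Holder:
    """Account holder's device: holds the key, numbers each transaction and
    authenticates it. The key never appears in the transaction record."""

    def __init__(self, account: str, key: bytes):
        self.account, self._key, self._seq = account, key, 0

    def authorize(self, merchant: str, amount_cents: int) -> dict:
        self._seq += 1
        txn = {"account": self.account, "merchant": merchant,
               "amount_cents": amount_cents, "seq": self._seq}
        txn["auth"] = hmac.new(self._key, canonical(txn), hashlib.sha256).hexdigest()
        return txn


class Issuer:
    """Issuer/transaction processor: the only other party with the key."""

    def __init__(self):
        self._keys: dict[str, bytes] = {}
        self._seen: dict[str, set[int]] = {}   # sequence numbers already settled

    def enroll(self, account: str) -> Holder:
        key = secrets.token_bytes(32)          # assumption: shared-key enrollment
        self._keys[account] = key
        self._seen[account] = set()
        return Holder(account, key)

    def settle(self, txn: dict) -> tuple[bool, str]:
        key = self._keys.get(txn.get("account"))
        if key is None:
            return False, "unknown account"
        expected = hmac.new(key, canonical(txn), hashlib.sha256).hexdigest()
        # any change to merchant, amount or seq breaks the authenticator
        if not hmac.compare_digest(expected, str(txn.get("auth", ""))):
            return False, "authenticator does not match transaction fields"
        # an unmodified record presented twice is the replay the post describes
        if txn["seq"] in self._seen[txn["account"]]:
            return False, "replay: sequence number already settled"
        self._seen[txn["account"]].add(txn["seq"])
        return True, "accepted"


def breach_scenario() -> dict:
    """Walk through a merchant breach: the attacker obtains the complete stored
    record (including the authenticator) and tries to reuse it."""
    issuer = Issuer()
    alice = issuer.enroll("4111-0000-0000-0001")      # constructed account
    original = alice.authorize("bookshop", 2599)
    first = issuer.settle(original)                   # legitimate settlement

    stolen = json.loads(json.dumps(original))         # exact copy from the breach
    replay = issuer.settle(stolen)                    # same record, second time
    altered = dict(stolen, merchant="attacker-mule", amount_cents=99900)
    altered_result = issuer.settle(altered)           # fields changed, auth kept

    next_legit = issuer.settle(alice.authorize("grocer", 1250))
    return {"original": first, "replay": replay,
            "altered": altered_result, "next": next_legit}


if __name__ == "__main__":
    for name, (ok, why) in breach_scenario().items():
        print(f"{name:9} {'ACCEPT' if ok else 'REJECT'}  {why}")
```

The merchant keeps the full record for its own business processes ("dual use"), and nothing in it needs to be hidden: the breach gives the attacker neither the key nor a record that settles a second time or with changed fields. The issuer must retain the set of settled sequence numbers (or a high-water mark, if out-of-order delivery is not a concern) for replay detection to hold.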