The 50 Ways Series
30 Lies About Secure Electronic Commerce: The Truth Exposed - UNDER DEVELOPMENT
You are likely to hear all sorts of things about
secure electronic commerce these days, and I figured you might want to
know what kind of assertions of limited veracity are out there.
The biggest class of lies is that the Web is a place
that gives the consumer better information or somehow levels the playing
field between the big money and the little money. Here are some of the
- Lie 1: The Web is a place where you can easily find the best price. It
used to be but it is no longer. Rather, it is a place where people with
advertising dollars can put their prices in front of you ahead of others
- just like it is in paper, telephones, television, and every other
- Lie 2: The big search engines reference anybody out there. Not even
close. They reference people who use products that push Web pages out
for referencing, and those who pay for the service can usually get on
the earlier pages of your searches.
- Lie 3: The Web is a place where content dominates. It used to be true,
and there is certainly more content on the Web than anywhere else, but
the vast majority of commercial Web sites today have very limited
content and are predominantly advertising vehicles. Most of what you
find is not useful content and choosing the proper search terms is not
as easy as you are told.
- Lie 4: The Internet is a friendly place to voice your opinions. Who are
we trying to kid? The Internet is often very impolite, insulting, and rude.
- Lie 5: The vast majority of the information on the Internet is
truthful and accurate. Highly dubious claim. In my field, I find that
less than 20 percent of the content is accurate to the standard I
require, and as for truthfulness, false advertising has found a whole
new meaning in the Web.
- Lie 6: Misinformation and damaged reputations are easily corrected on the
Web. Nothing could be further from the truth. The Internet is the
greatest rumor mill ever created. A lie can spread like wildfire, but
try to correct it, and you will be faced with a huge uphill battle.
- Lie 7: If enough people say it, it's likely to be true. There are
people who assume multiple identities in the Internet so that they can
self-authenticate their lies. They even disagree with themselves
selectively in order to maintain their supposed independence and
- Lie 8: The Web promotes democracy. Wrong word - the proper word
for the Internet is anarchy, and more often than not, it is the anarchy
of lies and rumors that rules the Internet.
- Lie 9: The Internet is fair to all people of all cultures. Huh! If
anything, the Internet further promotes the use of written English over
all other languages as the exclusive way to communicate for business.
The cultural differences between people fall quickly under the social
pressures of the Internet.
- Lie 10: Intellectual property will be the same as it has always
been - the Internet is just another printing media. I wish it were true,
but because of the international nature of the Internet, the laws and
ability to enforce intellectual property simply don't work. People take
the property of other peoples' minds at will and without recourse.
The second biggest class of lies is that some vendor is
going to make you safe. Here are some examples of this one:
- Lie 11: Microsoft is going to make you safe. This is perhaps the
most bizarre statement ever conceived by humanity. Just about every
Microsoft product ranks as the most unsafe, insecure product of its kind
available on the market.
- Lie 12: A virus scanner will make you safe. No virus scanner can
ever make you safe. The best it can do is to detect some of the viruses
that exist today and some of the viruses that are yet to exist. This
may make you a bit safer, but it only solves a small subset of the
overall set of issues you face.
- Lie 13: Your firewall will make you safe. There is no firewall
today, nor is there likely to ever be a firewall, that will keep you safe
from attack. Firewalls, like other technologies, can help to prevent
and detect some classes of attacks that might otherwise succeed, but for
every new attack that firewalls deal with, there are hundreds that
firewalls fail to protect against.
- Lie 14: A router will make you safe. Many people mistake the
function of a router for a firewall in terms of the security features it
provides - but even this limited upgrade is not accurate. Routers are
primarily designed to facilitate proper flow of traffic and not to
prevent, detect, or react to attempts at subversion.
- Lie 15: An intrusion detection system will make you safe. Current
intrusion detection technology is so poor as to be laughable. Read the
"50 Ways to Defeat Your Intrusion Detection
System" article if you don't believe it.
- Lie 16: Changes in laws will make you safe. The legal system
doesn't make people safe, if only because it depends on people who don't
understand the detailed issues to make all the decisions. New laws
criminalize all sorts of things, and they will no doubt end up
putting plenty of people in jail, but this does little to help most
victims, and even less to mitigate criminal activity.
- Lie 17: The police/government will make you safe. The law
enforcement agencies around the world are seriously behind the times in
terms of cyber security issues. For the most part, if you get stabbed
or shot or held up at gunpoint, the police have a chance at helping you
and catching the bad guy - but if your computer is attacked and you lose
a fortune, the odds of the police helping you out are very nearly zero,
and it is likely that the cost of calling them will far exceed any
benefit you gain from the exercise.
- Lie 18: Your consultant will make you safe. Most consultants are
out for one thing - personal income. Most consultants in computer
security know little or nothing about the subject. Their job is to get
you to give them money in exchange for convincing you that whatever
solution they have provided will help keep you safe. You may feel safe,
but you are not safe. There are many exceptionally knowledgeable and
honest consultants in this field, but for the most part, most customers
cannot tell them apart from the multitudes of rip-off artists.
Press here for more information on
outsourcing information protection consultants.
- Lie 19: Artificial distributed intelligent agents will make you
safe. Please!!! First it was artificial intelligence, then expert
systems, then knowledge-based systems, then fuzzy logic, then... I
forget the whole list. Suffice it to say that people have been
anthropomorphising computer software since computers
existed and they will likely continue to do so until a computer actually
reaches the level where we can't tell it from a human - at which time
they will scramble to tell us that computers are not as good as people.
Don't believe anything you hear about computer intelligence - and little
that you hear about human intelligence.
- Lie 20: Some breakthrough technology will make you safe. Mostly we
encounter breakthroughs in marketing technology - a new and exciting way
for you to send me money and feel happy about it. Technical advances
are steadily underway, but in the end, it is not technology that makes
people safe anyway.
Let's move on to the almost mystical belief that the
magic of cryptography will make you safe.
- Lie 21: Better cryptography will make you safe. Current
cryptography technology is more than adequate for all financial
transactions, but the strength of the cryptographic system is not
the limiting factor in the security of electronic commerce.
- Lie 22: Public key cryptography is safer than private key
cryptography. This is patently false. The most secure cryptography and
the only provably secure cryptography is private key cryptography.
Public key systems are used because they are more convenient, not more
- Lie 23: Digital signatures are safe. Digital signatures - like all
cryptographic techniques - are subject to many constraints on their
proper use. Almost no current overall systems use digital signatures
in a way that makes the identity of the source certain.
- Lie 24: PGP will make you safe. PGP stands for "Pretty Good
Privacy" and that's just what it is - pretty good - but not great. And
even if PGP were great cryptography, as was stated above, cryptography
alone cannot ever make you safe.
- Lie 25: Certificate authorities will make you safe. Certificate
authorities do nothing of the sort - they don't even do what they are
usually believed to do - provide a proof of identity. For the most
part, anybody can get a certificate that claims anything they want to
claim and do so with little effort or cost. Furthermore, certificates
as they are most commonly used are susceptible to man-in-the-middle
attacks and other similar exploits.
- Lie 26: You can trust your credit cards to Internet cryptography.
The vast majority of credit card theft involving the Internet is from
servers that store and process large numbers of credit cards. In the
form most of these numbers are kept on those servers, cryptography has
nothing to do with the process.
- Lie 27: "128-bit encryption technology is the most secure form of
data scrambling commercially available." I read this one from a
commercial site - it's total baloney. Commercial cryptography is
available with unlimited key sizes, and furthermore, key size is not a
good measure of the strength or effectiveness of cryptography. Larger
keys don't always make for safer encryption.
- Lie 28: "SSL establishes a secure session by electronically
authenticating each end of an encrypted transmission. The idea is that
you know exactly whom you are communicating with before sending any
sensitive information." This is a total fantasy - it does no such thing.
SSL only sets up an exchange of information that is kept secret by
cryptographic techniques. There is no ability in this system to
prove anything about the identity of the person or organization at the
other end of the communication.
- Lie 29: The one-time-pad is not a practical cryptographic system.
Another fantasy put forth by the purveyors of crypto-fiction. Not only
is the one-time-pad viable, it is used in one form or another for all
applications where extremely high assurance is desired. The one-time-pad
is the only perfectly secure cryptographic system.
- Lie 30: It's just like a one-time-pad. I can't count the number of
vendors that have, at one time or another, sold a cryptographic system
as a one-time-pad when it wasn't one. There are true one-time-pad
systems, but the vast majority of claims about systems being just like it
- or in some cases - claims of being an actual one-time-pad are not to
be believed unless the claims are examined in minute detail by an expert.
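To make the point of Lie 27 concrete, here is an added example (my own illustration, not code from this article or from any product): a constructed toy stream cipher whose key is a full 128 bits wide but is derived from a hypothetical 4-digit PIN. The cipher, the key derivation and the sample card record are all made up for the demonstration.

```python
"""Added example: nominal key size versus effective key space.

Constructed toy scheme, not any real product: a stream cipher with a
"128-bit key" where the key is derived from a 4-digit PIN. The key is
128 bits wide, but only 10,000 distinct keys can ever occur.
"""
import hashlib
import itertools
import math

PIN_LENGTH = 4  # assumption for the toy scheme


def derive_key(pin: str) -> bytes:
    # Hypothetical vendor key derivation: unsalted SHA-256 of the PIN,
    # truncated to 16 bytes (128 bits). Deterministic, so the number of
    # possible keys equals the number of possible PINs.
    return hashlib.sha256(pin.encode("ascii")).digest()[:16]


def keystream(key: bytes, length: int) -> bytes:
    # Toy counter-mode keystream built from SHA-256; the cipher itself is
    # not the weak point here, the key derivation is.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, data: bytes) -> bytes:
    # XOR stream cipher: encryption and decryption are the same operation.
    return xor_bytes(data, keystream(key, len(data)))


decrypt = encrypt


def effective_key_bits(possible_keys: int) -> float:
    # Security is bounded by how many keys the attacker must try, not by
    # how many bits the key happens to be stored in.
    return math.log2(possible_keys)


def brute_force_pin(ciphertext: bytes, known_prefix: bytes):
    """Try every PIN; the right one decrypts to the known record header.

    Returns (pin, plaintext) or (None, None) if no PIN fits.
    """
    for digits in itertools.product("0123456789", repeat=PIN_LENGTH):
        pin = "".join(digits)
        candidate = decrypt(derive_key(pin), ciphertext)
        if candidate.startswith(known_prefix):
            return pin, candidate
    return None, None


if __name__ == "__main__":
    # Constructed sample: a card record protected with PIN 4729.
    record = b"CARD:4111111111111111 EXP:12/01"
    ct = encrypt(derive_key("4729"), record)
    print("nominal key bits:", len(derive_key("4729")) * 8)
    print("effective key bits: %.1f" % effective_key_bits(10 ** PIN_LENGTH))
    pin, pt = brute_force_pin(ct, b"CARD:")
    print("recovered PIN:", pin, "plaintext:", pt)
```

The attack never touches the cipher: it simply tries the 10,000 PINs the key can be derived from, so the effective strength is about 13 bits no matter how many bits the key occupies. The same arithmetic applies to any key derived from a password, a timestamp or a poorly seeded random number generator, which is why "128-bit" on a product page tells you nothing by itself.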
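Lies 22, 29 and 30 all turn on what a one-time pad actually is. The following added example (mine, not from this article or from any vendor) shows in code why a genuine pad is perfectly secure and why a "just like a one-time pad" system that reuses its pad is not; the messages and the pad are constructed for the demonstration.

```python
"""Added example: a real one-time pad versus a pad that is reused.

Nothing here is from the article or from any vendor; the messages and
the pad are constructed for the demonstration.
"""
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def fresh_pad(length: int) -> bytes:
    # A one-time pad must be truly random, at least as long as the message,
    # and never used again. secrets draws from the OS random source.
    return secrets.token_bytes(length)


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    if len(pad) < len(plaintext):
        raise ValueError("pad shorter than message: this is no longer a one-time pad")
    return xor_bytes(plaintext, pad)


otp_decrypt = otp_encrypt  # XOR is its own inverse


def pad_consistent_with(ciphertext: bytes, candidate: bytes) -> bytes:
    # Perfect secrecy, made concrete: for ANY candidate plaintext of the
    # right length there is a pad that maps it to this exact ciphertext,
    # so the ciphertext alone says nothing about which one was sent.
    return xor_bytes(ciphertext, candidate)


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    # If the same pad is used twice, XORing the two ciphertexts cancels the
    # pad entirely: c1 ^ c2 == p1 ^ p2. The "pad" has become an ordinary
    # repeating-key XOR and the messages now protect each other only.
    return xor_bytes(c1, c2)


def recover_other(p1_xor_p2: bytes, known_plaintext: bytes) -> bytes:
    # Knowing (or guessing) one message hands the attacker the other.
    return xor_bytes(p1_xor_p2, known_plaintext)


def crib_drag(p1_xor_p2: bytes, crib: bytes):
    # Slide a guessed fragment ("crib") along p1^p2; offsets where the
    # result is printable text are candidate positions of the crib in one
    # message and reveal the corresponding bytes of the other.
    hits = []
    for offset in range(len(p1_xor_p2) - len(crib) + 1):
        window = p1_xor_p2[offset:offset + len(crib)]
        revealed = xor_bytes(window, crib)
        if all(32 <= b < 127 for b in revealed):
            hits.append((offset, revealed))
    return hits


if __name__ == "__main__":
    # Constructed sample traffic between a customer and a bank.
    p1 = b"TRANSFER 1000 TO ACCT 42"
    p2 = b"TRANSFER 9999 TO ACCT 17"
    pad = fresh_pad(len(p1))
    c1 = otp_encrypt(p1, pad)
    # Correct use: the second message gets a second pad; c1 and c2 are unrelated.
    c2_proper = otp_encrypt(p2, fresh_pad(len(p2)))
    # The vendor's "just like a one-time pad": the same pad is used again.
    c2_reused = otp_encrypt(p2, pad)
    leak = two_time_pad_leak(c1, c2_reused)
    print(recover_other(leak, p1))           # b'TRANSFER 9999 TO ACCT 17'
    print(crib_drag(leak, b"TRANSFER ")[0])  # (0, b'TRANSFER ')
```

With the pad reused, the attacker never needs the pad itself: c1 XOR c2 cancels it and leaves p1 XOR p2, from which one known or guessed message yields the other, and a crib such as a standard message header yields the rest piece by piece. That is the first thing to examine when a vendor claims a one-time pad: whether any pad byte is ever used twice, and where the pad's randomness actually comes from.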