Shostack + Friends Blog Archive


"Encryption is hard, let's go shopping!"

On upcoming changes to the Payment Card Industry Data Security Standard:

“Today, the requirement is to make all information unreadable wherever it is stored,” Maxwell said. But this encryption requirement is causing so much trouble for merchants that credit card companies are having trouble dealing with requests for alternative measures, he said.
In response, changes to PCI will let companies replace encryption with other types of security technology, such as additional firewalls and access controls, Maxwell said. “There will be more-acceptable compensating and mitigating controls,” he said.
Yeah. It sure is hard to encrypt a file. Or a filesystem. After all, the important thing about controls is not that they achieve their objectives, but that they be palatable.
Note to credit card companies:
sed 's/Veteran's Administration/YOU/g' (BlinkTank/Tim Wright)
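The "hard" part the post mocks is, in practice, a few dozen lines of standard-library code. The following is an added example (not from the post, the PCI standard, or the quoted article) that seals a stored record with AES-256-GCM so that a lost file or thumb drive yields nothing readable and any modification is detected on read; the 32-byte key, the "record:42" associated data and the test card number are constructed values for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newGCM builds an AES-GCM AEAD from a 16/24/32-byte key (32 bytes selects AES-256).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptAtRest returns nonce || ciphertext || tag; aad (e.g. the record id) is authenticated but not stored.
func EncryptAtRest(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per blob
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// DecryptAtRest returns an error, never garbage, if the blob was modified or aad does not match.
func DecryptAtRest(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, fmt.Errorf("blob too short to hold nonce and tag")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed test key; real keys come from a KMS/HSM, never from beside the data
	pan := []byte("4111111111111111")                  // constructed test value, not a real card
	blob, _ := EncryptAtRest(key, pan, []byte("record:42"))
	back, err := DecryptAtRest(key, blob, []byte("record:42"))
	fmt.Printf("%q %v\n", back, err)
}
```

The genuinely hard part is not the encryption call but keeping the key away from the ciphertext, which is exactly what PCI's key-management requirements are about.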

4 comments on "Encryption is hard, let's go shopping!"

  • Alex Hutton says:

    But Chris, you missed the big news today, SSL is no longer safe, so why bother with encryption…
    Oh, wait the strength of SSL isn’t what that story is about?

  • Chris Walsh says:

    Bruce Schneier and I are both right :^) (I need to spread that meme!)
    He is referring to SSL ubiquity pushing attackers to capture the endpoints, or to trick people into going to the wrong (but nonetheless SSL-protected) endpoint. I am referring to encryption of so-called data at rest.
    Even if you accept the argument that banks’ marketing imperatives require them to defeat the “know your peer” assurance that SSL is intended to provide, there is still plenty to be gained by securing stored data with encryption.
    I am not sure of the precise details of the VA case (no transcript of the testimony in congress as of last night), but if the stuff was on a thumb drive, encryption would’ve been a particularly big help. I guess we should thank heaven the stuff wasn’t on an iPod. Can you imagine the result?

  • Alex Hutton says:

    Somehow my tags didn’t take. Must be your blogging software.
    I was just pointing out the horrid sensationalist headline more than anything. There’s a billion Blue-Coat and other proxies breaking SSL all the time, and yes, as soon as every two bit consumer-oriented F.I. app gets another factor of authentication, then the phishing will turn to Trojans, and the fact that banks have to “play keep up” will always make good press. I’ll be happy when there are more blogs in the information risk space and the federalized journalism we now get becomes less of a factor.

  • alex Hutton says:

    that would be sarcasm tags. LOL
