Shostack + Friends Blog Archive


Small Bits: Risk Management by Law, Domain Names, and Cats

  • Not bad for a Cubicle has a good post on the credit card industry replacing their risk management efforts with bad law: Bad laws instead of good Risk Management. I like what he’s saying enough that I’ve added him to the blogroll.
  • Daring Fireball links to this article on How to Snatch a Domain Name, where a small bit of uncertainty creates an opportunity for hucksterism. This isn’t entrepreneurship: the problem being solved is mostly unnatural, because Verisign has chosen to administer the DNS with a three hour window rather than announcing the exact time a domain will become available.
  • Boingboing points to this application of facial recognition…preventing cats from carrying animals into the house. I’m opposed to it, as I can see the day when I’ll be prevented from blogging while foaming at the mouth.

2 comments on "Small Bits: Risk Management by Law, Domain Names, and Cats"

  • Cypherpunk says:

    I saw an article recently that talked about how different policies for distributing risk lead to different results. The U.K. has less consumer friendly policies than the U.S. for misuse of ATM cards and credit cards, and that has slowed down the institution of security policies in the U.K., because the banks are not held responsible.
    The recent discussion of identity theft has pointed out another piece of bad institutional design. The big problem with identity theft isn’t the fact that the data gets stolen, it’s the fact that knowing this data is enough to get credit in the victim’s name. Why is that still happening? It’s because of the attribution of risk.
    When identity theft occurs, it is not the banks which are on the hook. Generally, it is the merchants who have to make good. This is true for any transaction over the phone, by mail, or over the net, which is how most identity thieves prefer to work. In any such exchange, the merchant is liable if fraud is detected.
    The problem is that it is the banks who are in a position to fix the problem. There’s no way that a merchant can protect himself if a fraudulent card is used. But since the banks aren’t liable, they don’t have the incentives to do what is necessary.
    I find that this explains a great deal about the identity theft problem. Unless or until we put the liability on the people who can fix it, the problem isn’t going to get better.

  • adam says:

    I’m in full agreement with you on this. The credit agencies carry no liability for saying “Yes, that’s Declan, he’s got great credit.”
    I’m pretty sure the paper you’re referring to was Anderson’s ‘Why Cryptosystems Fail’ paper.
