[NTLUG:Discuss] OT? security comparison

Chris Cox cjcox at acm.org
Mon Nov 28 11:34:02 CST 2005


m m wrote:
> All:
> 
> Thanks for all the valuable input.
> 
> Sorry for not stating my question very clearly:
> What I am asking about is "in sending of packet(s)" (make sense?)
> 
> "from the user input the credit card number (for example)
> on the web form (from the user's browser)
> to the server (database, email server...)"
> 
> An example:
> If there is an e-commerce website
> you want to buy something from them
> they offer 4 types of payment method
> (the credit, address... information needs to be submitted/sent)
> 
> 1. submit information with regular http:// form
Never do.  I can GUARANTEE you that you will be the
victim of card theft.

> 2. submit information with SSL https:// form
Considered to be safe.  Everyone considers this
to be safe.  However, if the site stores your
information insecurely... you could still be
the victim of card theft.

> 3. Fax information to them
Sloppy.  Error prone.  Somewhat safe.

> 4. Call them and give the information (leave message)
Sloppy.  Error prone.  Somewhat safe... unless
the employee is untrustworthy (but that's always
an issue).

> 
> 
> which way(s) will you not (never) do?
> why? most of the answers would be security reasons.
> 
> most people will do #2 but not #1
> I think this is because of SSL.
> 
> But what is the chance your information gets
> captured in the "middle of the net"?
100%

> if the chance is 0.1%
> I think I have a ridiculous conclusion:
> #1 and #2 have almost no difference
> but if the chance is 80% and above
> definitely, no option for #1
It's 100% now.  Well maybe 99.9999%


> 
> From MadHat and others mentioned:
> How is the information saved, stored
> Janitor sees the fax information...
> I think this is another issue.
> because you never know
> how they store/handle your information, right?
> 
> 
> 
>> From: MadHat <madhat at unspecific.com>
>> Reply-To: NTLUG Discussion List <discuss at ntlug.org>
>> To: NTLUG Discussion List <discuss at ntlug.org>
>> Subject: Re: [NTLUG:Discuss] OT? security comparsion
>> Date: Wed, 16 Nov 2005 11:38:44 -0600
>>
>> On Nov 16, 2005, at 11:04 AM, Neil Aggarwal wrote:
>>> Greg:
>>>
>>> I did not dismiss SSL in any of my comments.
>>>
>>> He was asking if email or fax was more secure than an SSL connection
>>> and I stated that email was not.
>>
>> Fax is not more secure, unless you know where it is going.  About 
>> like SSL it is about how the data is handled on the far end.  If you 
>> are sending a FAX to a general fax machine, anyone in the company may 
>> see it.  Do you know if the janitor, who makes minimum wage, has 
>> access to the faxes?  Do they shred the faxes after the data is 
>> entered somewhere else or do they just throw them away?  Transport 
>> is only one issue to worry about.
>>
>>
>>>
>>>     Neil
>>>
>>> -- 
>>> Neil Aggarwal, JAMM Consulting, (214) 986-3533, www.JAMMConsulting.com
>>> FREE! Valuable info on how your business can reduce operating costs by
>>> 17% or more in 6 months or less! http://newsletter.JAMMConsulting.com
>>>
>>> -----Original Message-----
>>> From: discuss-bounces at ntlug.org [mailto:discuss-bounces at ntlug.org] On Behalf Of Greg Edwards
>>> Sent: Wednesday, November 16, 2005 9:55 AM
>>> To: NTLUG Discussion List
>>> Subject: Re: [NTLUG:Discuss] OT? security comparsion
>>>
>>> Neil Aggarwal wrote:
>>>> Terry:
>>>>
>>>> Using your analogy, I think it is like putting the key in an envelope,
>>>> writing the word "Key" on the outside, and leaving it on top of the
>>>> doormat.
>>>>
>>>> Anyone that is looking will have full access to whatever you are
>>>> sending.
>>>>
>>>> If they are looking in the first place, they have some mischievous
>>>> or malicious intent.
>>>>
>>>>     Neil
>>>>
>>>
>>> Don't be so quick to dismiss the value of SSL.  As well stated earlier,
>>> it's not SSL and the information transferred that hackers get.  They get
>>> it from the back end of systems they've broken into.  I don't know the
>>> percentages of which OS is cracked more often, but I'd think my lucky
>>> guess of M$ being in the 95%+ would be right ;)
>>>
>>> If you do insist on sending zip files encrypt them first.  Let your
>>> receivers know off line what the encryption key is and they'll be able to
>>> decrypt and uncompress with "unzip".  Your unzip does have to have the
>>> encryption option compiled in.
>>>
>>> -- 
>>> Greg Edwards
>>> New Age Software, Inc. - Software Engineering Services
>>> http://www.nas-inet.com
>>>
>>> _______________________________________________
>>> https://ntlug.org/mailman/listinfo/discuss
>>>
>>>
>>
>> -- 
>> MadHat (at) Unspecific.com, CISSP
>> E786 7B30 7534 DCC2 94D5  91DE E922 0B21 9DDC 3E98
>> gpg --keyserver wwwkeys.us.pgp.net --recv-keys 9DDC3E98
>>
> 
> 
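An added example, not part of the thread or any poster's code: a Python check for payment option 1 above, that is, a page whose card or password form ends up submitted over plain http://. The field-name heuristic and the shop.example URLs are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Heuristic hints for payment/credential fields (an assumption, tune per site).
SENSITIVE = re.compile(r"card|cc[-_]?(num|exp|csc)|cvv|cvc|passw", re.I)

class FormAudit(HTMLParser):
    """Collect each <form> with its resolved submit target and sensitive fields."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._cur = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            # A missing or empty action submits to the page's own URL.
            target = urljoin(self.page_url, a.get("action", ""))
            self._cur = {"target": target, "fields": []}
            self.forms.append(self._cur)
        elif tag in ("input", "select", "textarea") and self._cur is not None:
            hints = " ".join((a.get("name", ""), a.get("id", ""),
                              a.get("autocomplete", "")))
            if a.get("type", "").lower() == "password" or SENSITIVE.search(hints):
                self._cur["fields"].append(a.get("name") or a.get("id") or "?")

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def insecure_forms(page_url, html):
    """Return (target, fields) for sensitive forms not submitted over HTTPS."""
    audit = FormAudit(page_url)
    audit.feed(html)
    return [(f["target"], f["fields"]) for f in audit.forms
            if f["fields"] and urlparse(f["target"]).scheme != "https"]

# Constructed sample page: a relative-action card form, an HTTPS card form,
# and a search form with nothing sensitive in it.
SAMPLE = """
<form action="/pay" method="post">
  <input name="cardnumber" autocomplete="cc-number"><input name="addr">
</form>
<form action="https://pay.shop.example/charge" method="post">
  <input name="cc_number"><input name="cvv">
</form>
<form action="/search"><input name="q"></form>
"""
```

A relative action inherits the scheme of the page it was served from, so the same markup passes when the page is loaded over https:// and fails over http://; an https:// page with an absolute http:// action is flagged as well.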