CDR: Re: Good work by FBI and SEC on Emulex fraud case
At 1:12 PM -0700 8/31/00, Eric Murray wrote:
A small note: IW digitally-signing the releases would not have made a difference in this case-- the guy used his knowledge of IW's procedures to social-engineer IW into accepting the fake release without doing their usual checking procedures.
At 01:22 PM 8/31/00 -0700, Tim May wrote:
The system I envision would mean each chunk of text ("press release") would carry a digital sig, which could be checked multiple times. Hard for social engineering to get past the fact that Emulex, say, had not digitally signed their own alleged press release.
How often do people check signatures? If they check them, and they pass, how often do they check keys?
At 11:44 AM -0700 9/6/00, Bill Stewart wrote:
At 1:12 PM -0700 8/31/00, Eric Murray wrote:
A small note: IW digitally-signing the releases would not have made a difference in this case-- the guy used his knowledge of IW's procedures to social-engineer IW into accepting the fake release without doing their usual checking procedures.
At 01:22 PM 8/31/00 -0700, Tim May wrote:
The system I envision would mean each chunk of text ("press release") would carry a digital sig, which could be checked multiple times. Hard for social engineering to get past the fact that Emulex, say, had not digitally signed their own alleged press release.
How often do people check signatures? If they check them, and they pass, how often do they check keys?
Don't know. But not the problem of those issuing press releases.
That _some_ people check signatures, whether electronic or inked, and _other_ people _don't_ doesn't lessen the significance of signing.
Those who bother to check a putative press release and find the attached signature doesn't match what they have seen from Web sites (and related "widely witnessed events," including hashes published in the company's financial documents, etc.) will have competitive advantages over those who don't bother to check and just hit the panic button.
Sounds fair to me. Sounds like evolution in action.
--Tim May
--
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
ComSec 3DES:   831-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
"Cyphernomicon"             | black markets, collapse of governments.
Tim May wrote:
At 11:44 AM -0700 9/6/00, Bill Stewart wrote:
How often do people check signatures? If they check them, and they pass, how often do they check keys?
doesn't matter. it's POSSIBLE, that's what is important. the first time you lose a million bucks at the exchange because you didn't check the sig and someone else did, you'll start doing it.
Sounds fair to me. Sounds like evolution in action.
definitely. I already suggested that my company sign PRs.
participants (3): Bill Stewart, Tim May, Tom Vogt