Perfect privacy podcast with Markus Jakobsson
20th episode of The Silver Bullet Security Podcast.
Interview with Markus Jakobsson
In corp research you dont need to worry about funding - compare to academic.
everybody wants to see what's they are doing change the world...
I left academia to see if i can change the world
Thesis: privacy vs authenticity : there is a necessity to balance between privacy & payment.
at that time there was a believe it must be absolute privacy in perfect privacy payment scheme in cryptographic community <- I dont believe this
today the balance is actually on the other side, payment lack of privacy
Scott McNealy: "get over it, You have zero privacy anyway..."
ppl sell their privacy for very low price.
I dont believe fundamental trade off between security vs privacy:
security: you cannot be abused
privacy: your information that you want to be leaked - cannot be abused
it's a naming convention
Hard core cryptography does not change the world - so I'm changing my approach.
if you really want security to happen, you have to realize that it's not enough with algorithm, but you also need to present info to user & make sure they understand.
research, the reaction the user inferface to ppl.. then folded to applied in security...
it's far too common to say: "oh man ppl are dumb, and all dump ppl has to suffer their consequences"
"ppl are remarkably dumb because to them it makes no sense to use SSL cert.... they just need to go on with their life"
that dumb can be your mum or my mum... and I dont want that.
if you can educate ppl, what can u educate?
I care about the effect of security on ppl... the key is the interface...
I have collection of syntactical phishing experiment
synthetical phishing: instead saying this is your last 4 digit, it says this is your first 4 digit - to ppl, this has absolutely no security difference - yes this is the 1st 4 digit of my bank account, then I'm talking to my bank...
actually 1st 4 digit corresponds to the issuer...
this means authentication ppl with the last 4 digits is an insane way to do, because you teach user.. 4 digits it's OK... then when the phisher comes around with 1st 4 phisher, they are hooked.
length: 24:29m
* this is a very good interview
Interview with Markus Jakobsson
In corp research you dont need to worry about funding - compare to academic.
everybody wants to see what's they are doing change the world...
I left academia to see if i can change the world
Thesis: privacy vs authenticity : there is a necessity to balance between privacy & payment.
at that time there was a believe it must be absolute privacy in perfect privacy payment scheme in cryptographic community <- I dont believe this
today the balance is actually on the other side, payment lack of privacy
Scott McNealy: "get over it, You have zero privacy anyway..."
ppl sell their privacy for very low price.
I dont believe fundamental trade off between security vs privacy:
security: you cannot be abused
privacy: your information that you want to be leaked - cannot be abused
it's a naming convention
Hard core cryptography does not change the world - so I'm changing my approach.
if you really want security to happen, you have to realize that it's not enough with algorithm, but you also need to present info to user & make sure they understand.
research, the reaction the user inferface to ppl.. then folded to applied in security...
it's far too common to say: "oh man ppl are dumb, and all dump ppl has to suffer their consequences"
"ppl are remarkably dumb because to them it makes no sense to use SSL cert.... they just need to go on with their life"
that dumb can be your mum or my mum... and I dont want that.
if you can educate ppl, what can u educate?
I care about the effect of security on ppl... the key is the interface...
I have collection of syntactical phishing experiment
synthetical phishing: instead saying this is your last 4 digit, it says this is your first 4 digit - to ppl, this has absolutely no security difference - yes this is the 1st 4 digit of my bank account, then I'm talking to my bank...
actually 1st 4 digit corresponds to the issuer...
this means authentication ppl with the last 4 digits is an insane way to do, because you teach user.. 4 digits it's OK... then when the phisher comes around with 1st 4 phisher, they are hooked.
length: 24:29m
* this is a very good interview
posted by omarg at
8:00 AM
0 Comments:
Post a Comment
Subscribe to Post Comments [Atom]
<< Home