[ic] Credit Card Info

Dan Browning interchange-users@interchange.redhat.com
Sun Nov 4 16:28:00 2001


> Quoting Jim Balcom <jim@idk-enterprises.com>:
> 
> > On Sat, 3 Nov 2001, Yahoo wrote:
> > 
> > Perhaps you are a small shop like mine, in which case it's no problem.
> > Scotty and I process orders interchangeably, and so we both have full
> > access to all of the computers, card #s, etc.
> 
> All of the computers? Does that include EVERY machine on the
> same subnet between your mail server and you??? TCP/IP
> packets don't just go from A to B... They travel through
> every network card on the network, so that machine can decide
> if it is for it or not... VERY easy to packet sniff e-mail
> messages, with the right tools...
> 
> Just because you have access, or even the only access, to 
> point a and b doesn't mean 250 other people can't read the 
> exact same piece of mail...

Alright, now we're cookin' with gas.  Who's in the mood for a good ole'
Sunday Flamewar?  :-)  (Why is it that ic-users tends to get the worst
on Sundays?  Remember the last big flamewar wrt the need for
documentation?  That was on a Sunday).

I think you meant to refer to Ethernet, not TCP/IP.  Ethernet has the
"travels through every network card on the network" property.  That is
why Intel is trying to sell their eepro100S model of network card so
much -- to encourage everyone to use IPSEC encryption on the transport
layer because of their hardware encryption accelerator on the card.  Of
course, if you can do that then you can probably handle credit card
encryption.  And don't even get me started on TEMPEST.  :-)

Which illustrates the point that security is a lot more complete than
encryption.  (Which is also why ASPs sell security as a service, not a
product, these days).  I think the moral of the story is that
unencrypted e-mail is not a secure transport method.

Dan Browning
Kavod Technologies