30 Lies About Secure Electronic Commerce: The Truth Exposed - UNDER DEVELOPMENT

You are likely to hear all sorts of things about secure electronic commerce these days, and I figured you might want to know what kind of assertions with limited veracity value are out there.

The biggest class of lies is that the Web is a place that gives the consumer better information or somehow levels the playing field between the big money and the little money. Here are some of the examples:

Lie 1: The Web is a place where you can easily find the best price. It used to be but it is no longer. Rather, it is a place where people with advertising dollars can put their prices in front of you ahead of others - just like it is in paper, telephones, television, and every other media.
Lie 2: The big search engines reference anybody out there. Not even close. They reference people who use products that push Web pages out for referencing, and those who pay for the service can usually get on the earlier pages of your searches.
Lie 3: The Web is a place where content dominates. It used to be true, and there is certainly more content on the Web than anywhere else, but the vast majority of commercial Web sites today have very limited content and are predominantly advertising vehicles. Most of what you find is not useful content and choosing the proper search terms is not as easy as you are told.
Lie 4: The Internet is a friendly place to voice your opinions. Who are we trying to kid. The Internet is often very impolite, insulting, and rude.
Lie 5: The vast majority of the information on the Internet is truthful and accurate. Highly dubious claim. In my field, I find that less than 20 percent of the content is accurate to the standard I require, and as for truthfulness, false advertising has found a whole new meaning in the Web.
Lie 6: Misinformation and reputations are easily corrected in the Web. Nothing could be further from the truth. The Internet is the greatest rumor mill ever created. A lie can spread like wildfire, but try to correct it, and you will be faces with a huge uphill battle.
Lie 7: If enough people say it, it's likely to be true. There are people who assume multiple identities in the Internet so that they can self-authenticate their lies. They even disagree with themselves selectively in order to maintain their supposed independence and authenticity.
Lie 8: The Web promotes democracy. Wrong word - the proper word for the Internet is anarchy, and more often than not, it is the anarchy of lies and rumors that rules the Internet.
Lie 9: The Internet is fair to all people of all cultures. Huh! If anything, the Internet further promotes the use of written English over all other language as the exclusive way to communicate for business. The cultural differences between people fall quickly under the social pressures of the Internet.
Lie 10: Intellectual property will be the same as it has always been - the Internet is just another printing media. I wish it were true, but because of the international nature of the Internet, the laws and ability to enforce intellectual property simply don't work. People take the property of other peoples' minds at will and without recourse.

The second biggest class of lies is that some vendor is going to make you safe. Here are some examples of this one:

Lie 11: Microsoft is going to make you safe. This is perhaps the most bizarre statement ever concieved by humanity. Just about every Microsoft product ranks as the most unsafe, insecure product of its kind available on the market.
Lie 12: A virus scanner will make you safe. No virus scanner can ever make you safe. The best it can do is to detect some of the viruses that exist today and some of the viruses that are yet to exist. This may make you a bit safer, but it only solves a small subset of the overall set of issues you face.
Lie 13: Your firewall will make you safe. There is no firewall today, nor is there likely to ever be a firewall that will keep you safe from attack. Firewalls, like other technologies, can help to prevent and detect some class of attacks that might otherwise succeed, but for every now attack that firewalls deal with, there are hundreds that firewalls fail to protect against.
Lie 14: A router will make you safe. Many people mistake the function of a router for a firewall in terms of the security features it provides - but even this limited upgrade is not accurate. Routers are primarily designed to facilitate proper flow of traffic and not to prevent, detect, or react to attempts at subversion.
Lie 15: An intrusion detection system will make you safe. Current intrusion detection technology is so poor as to be laughable. Read the "50 Ways to Defeat Your Intrusion Detection System" article if you don't believe it.
Lie 16: Changes in laws will make you safe. The legal system doesn't make people safe, if only because it depends on people who don't understand the detailed issues make all the decisions. New laws criminalize all sorts of things, and they will no doubt end up in putting plenty of people in jail, but this does little to help most victims, and evil less to mitigate criminal activity.
Lie 17: The police/government will make you safe. The law enforecement agencies around the world are seriously behind the times in terms of cyber security issues. For the most part, if you get stabbed or shot or held up at gunpoint, the police have a chance at helping you and catching the bad guy - but if your computer is attacked and you lose a fortune, the odds of the police helping you out are very nearly zero, and it is likely that the cost of calling them will far exceed any benefit you gain from the exercise.
Lie 18: Your consultant will make you safe. Most consultants are out for one thing - personal income. Most consultants in computer security know little or nothing about the subject. Their job is to get you to give them money in exchange for convincing you that whatever solution they have provided will help keep you safe. You may feel safe, but you are not safe. There are many exceptionally knowledgeable and honest consultants in this field, but for the most part, they are not differentiable by most customers from the multitudes of rip off artists. Press here for more information on outsourcing information protection consultants.
Lie 19: Artificial distributed intelligent against will make you safe. Please!!! First it was artificial intelligence, then expert systems, then knowledge-based systems, then fuzzy logic, then... I forget the whole list. Suffice it to say that people have been anthropomorphising computer software to human attributes since computers existed and they will likely continue to do so until a computer actually reaches the level where we can't tell it from a computer - at which time they will scramble to tell us that computers are not as good as people. Don't believe anything you hear about computer intelligence - and little that you hear about human intelligence.
Lie 20: Some breakthrough technology will make you safe. Mostly we encounter breakthroughs in marketing technology - a new and exciting way for you to send me money and feel happy about it. Technical advances are steadily underway, but in the end, it is not technology that makes people safe anyway.

Let's move on to the almost mystical belief that the magic of cryptography will make you safe.

Lie 21: Better cryptogrpahy will make you safe. Current cryptography technology is more than adequate for all financial transactions, but the strength of the cryptographic system is not the limiting factor in the security of electronic commerce.
Lie 22: Public key cryptography is safer than private key cryptography. This is patently false. The most secure cryptography and the only provably secure cryptography is private key cryptography. Public key systems are used because they are more convenient, not more secure.
Lie 23: Digital signatures are safe. Digital signatures - like all cryptographic techniques - are subject to many constraints on their proper use. Almost no current overall systems use digital signatures in a way that makes the identity of the source certain.
Lie 24: PGP will make you safe. PGP stands for "Pretty Good Privacy" and that's just what it is - pretty good - but not great. And even if PGP were great cryptography, as was stated above, cryptography alone cannot ever make you safe.
Lie 25: Certificate authorities will make you safe. Certificate authorities do nothing of the sort - they don't even do what they are usually believed to do - provide a proof of identity. For the most part, anybody can get a certificate that claims anything they want to claim and do so with little effort or cost. Furthermore, certificates as they are most commonly used are susceptible to man-in-the-middle attacks and other similar exploits.
Lie 26: You can trust your credit cards to Internet cryptography. The vast majority of credit card theft involving the Internet is from servers that store and process large numbers of credit cards. In the form most of these numbers are kept on those servers, cryptography has nothing to do with the process.
Lie 27: "128-bit encryption technology is the most secure form of data scrambling commercially available." I read this one from a commercial site - it's total baloney. Commercial cryptography is available with unlimited key sizes, and furthermore, key size is not a good measure of the strength or effectiveness of cryptography. Larger keys don't always make for safer encryption.
Lie 28: "SSL establishes a secure session by electronically authenticating each end of an encrypted transmission. The idea is that you know exactly whom you are communicating with before sending any sensitive information." This is a total fantasy - it does no such thing. SSL only sets up an exchange of information that is kept secret by cryptographic techniques. There is no ability in this system to prove anything about the identity of the person or organization at the other end of the communication.
Lie 29: The one-time-pad is not a practical cryptographic system. Another fantasy put forth by the purveyors of crypto-fiction. Not only is the one-time-pad viable, it is used in one form or another for all applications where extremely high assurance is desired. The one-time-pad is the only perfectly secure cryptographic system.
Lie 30: It's just like a one-time-pad. I can't count the number of vendors that have, at one time or another, sold a cryptographic system as a one-time-pad when it wasn't one. There are true one-time-pad systems, but the vast majority of claims about systems being just like it - or in some cases - claims of being an actual one-time-pad are not to be believed unless the claims are examined in minute detail by an expert.