Re: Blinky Rides Again: RCMP suspect al-Qaida messages
It seems consistent that Al Qaeda prefers being 'fish in the sea' to standing out by use of crypto. Also, given the depth and breadth of conspiracies they believe in, it seems that they might see all us cryptographers as a massive deception technique to get them to use bad crypto. (And hey, they're almost right! We love that they use bad crypto.) Right. Although only based on very limited experiences, where I've come across those in interesting lines of business, the strong impression I get is that they would not touch any new or geeky tool that had some claimed benefits that couldn't be proven on examination. This was most forcefully put to me by a dealer of narcotics in Amsterdam (I wasn't buying, just trying to be polite at a party ;) who said that he and his like would not use any of the payment systems that had supposed privacy built in, as they assumed that the makers were lying about the privacy provisions. As far as 3 systems that the guy was aware of, he was dead right twice, and for the third, I'd say he was approximately right. So, if this is a valid use case and we can extend from small time narcotics payments to big time terrorism chitchat, we could suggest that they will be using standard people tools, and trying hard to stay unobservable in the mass of traffic. In this sense, one could say they were using steganography, but I think it is more useful to say they are simply staying out of sight. Either way, the public policy implication is to challenge any specious claims of how we need to control XXX because terrorists use it. In the case of crypto, it would appear they don't use much, and what's more, they shouldn't. And see the link there to Ian Grigg's http://www.financialcryptography.com/mt/archives/000246.html I was hoping that the 'Terrorist Encyclopedia' had made its way to somewhere like smoking gun or cryptome by now. iang
L/Cs, e-gold and regulated banking
(Guys, this has drifted out of crypto into finance, so I have a feeling that it will disappear off the crypto list. But the topics that are raised are interesting and important enough to carry on, I think.)

[Hal:] Interesting. In the e-gold case, both parties have the same bank, e-gold ltd. The corresponding protocol would be for the buyer to instruct e-gold to set aside some money which would go to the seller once the seller supplied a certain receipt. That receipt would be an email return receipt showing that the seller had sent the buyer the content with hash so-and-so, using a cryptographic email return-receipt protocol.

[iang:] This is to mix up banking and payment systems. Enzo's description shows banks doing banking - lending money on paper that eventually pays a rate of return. In contrast, in the DGC or digital gold currency world, the issuers of gold like e-gold are payment systems and not banks. The distinction is that a payment system does not issue credit.

[enzo:] Actually, seeing issuance and acceptance of L/C's only as a money-lending activity is not 100% accurate. Letter of credit is a misnomer: an L/C _may_ be used by the seller to obtain credit, but if the documents are sent for collection rather than negotiated, the payment to the seller is delayed until the opening bank will have debited the buyer's account and remitted the due amount to the negotiating bank. To be precise: when the documents are submitted to the negotiating bank by the seller, the latter also draws under the terms of the L/C a bill of exchange to be accepted by the buyer; that instrument, just like any draft, may be either sent for collection or negotiated immediately, subject, of course, to final settlement. Also, depending on the agreements between the seller and his bank, the received L/C may be considered as collateral to get further allocation of credit, e.g. to open a back-to-back L/C to a seller of raw materials.
However, if the documents and the draft are sent for collection, and no other extensions of credit are obtained by the buyer, the only advantage of an L/C for the seller is the certainty of being paid by _his_ (negotiating) bank, which he trusts not to collude with the buyer to claim fictitious discrepancies between the actual documents submitted and what the L/C was requesting. (And even in case such discrepancies will turn out to be real, the opening bank will not surrender the Bill of Lading, and therefore the cargo, to the buyer until the latter will have accepted all the discrepancies: so in the worst case the cargo will remain under the seller's control, to be shipped back and/or sold to some other buyer. If it acted differently, the opening bank would go against the standard practice defined in the UCP ICC 500 (http://internet.ggu.edu/~emilian/PUBL500.htm) and its reputation would be badly damaged). So, the L/C mechanism, independently from allocation of credit, _does_ provide a way out of the dilemma which one should come first, payment or delivery?; and this is achieved by leveraging on the reputation of parties separately trusted by the endpoints of the transaction. An excellent description; I was unaware that the system could be used in a non-credit fashion. Thanks for correcting me. Generally speaking, it is debatable whether doing banking only means accepting deposits and providing credit or also handling payments for a fee: There are many definitions of banking and unfortunately they are different enough that one will make mistakes routinely. Here are the most useful three that I know of: 1. borrowing from the public as deposits and lending those deposits to the public. This is the favoured definition for economists, because it concentrates on the specialness that is banking, which is the foundation for its special regulatory structure. 2. Banking is what banks do, and banks do banking. 
This is the favoured definition of banks, and often times, regulators, because it gives them a free hand to exploit their special franchise / subsidy. It was codified in law in many countries as just this, but I believe it is out of favour to write it down these days. However, the Fed and other US regulators have from time to time resorted to this definition, when convenient. 3. Banking is what the regulator says is banking. This is the favoured definition of regulators, and sometimes of banks. It means that there is little or no argument or discussion in protecting the flock. This is much more prevalent in smaller countries, where the notion of sending in the lawyers is simply too expensive. 4. There is a popular definition that says something like, if it is to do with money it is banking. That's not a very useful one, but it's prevalent enough to need to be aware of it. ... surely banks routinely do both, although they do not usually enjoy a _regulatory franchise_ on payments because failures in that field are
Re: Your source code, for sale
Enzo Michelangeli writes: In the world of international trade, where mutual distrust between buyer and seller is often the rule and there is no central authority to enforce the law, this is traditionally achieved by interposing not less than three trusted third parties: the shipping line, the opening bank and the negotiating bank. Interesting. In the e-gold case, both parties have the same bank, e-gold ltd. The corresponding protocol would be for the buyer to instruct e-gold to set aside some money which would go to the seller once the seller supplied a certain receipt. That receipt would be an email return receipt showing that the seller had sent the buyer the content with hash so-and-so, using a cryptographic email return-receipt protocol. This is to mix up banking and payment systems. Enzo's description shows banks doing banking - lending money on paper that eventually pays a rate of return. In contrast, in the DGC or digital gold currency world, the issuers of gold like e-gold are payment systems and not banks. The distinction is that a payment system does not issue credit. So, in the e-gold scenario, there would need to be similar third parties independent of the payment system to provide the credit moving in the reverse direction to the goods. In the end it would be much like Enzo's example, with a third party with the seller, a third party with the buyer, and one or two third parties who are dealing the physical goods. There have been some thoughts in the direction of credit creation in the gold community, but nothing of any sustainability has occurred as yet. iang
Re: Are new passports [an] identity-theft risk?
R.A. Hettinga wrote: http://worldnetdaily.com/news/printer-friendly.asp?ARTICLE_ID=41030 An engineer and RFID expert with Intel claims there is little danger of unauthorized people reading the new passports. Roy Want told the newssite: It is actually quite hard to read RFID at a distance, saying a person's keys, bag and body interfere with the radio waves. Who was it that pointed out that radio waves don't interfere, rather, receivers can't discriminate? iang
Re: potential new IETF WG on anonymous IPSec
Joe Touch wrote: Ian Grigg wrote: On the backbone, between BGP peers, one would have thought that there are relatively few attackers, as the staff are highly trusted and the wires are hard to access - hence no active attacks going on and only some passive eavesdropping attacks. Also, anyone setting up BGP routing knows the other party, so there is a prior relationship. My understanding of the attacks this past spring is that: a) they were indeed on the backbone BGP peers b) that those peers had avoided setting up preshared keys or getting mutually-authenticatable certificates because of the configuration overhead (small on a per-pair basis, but may be large in aggregate) While inspired by this issue, there may be other solutions (e.g., IMO IPsec) which are more appropriate for BGP peers. Thanks for the clarification. Re-reading (all) of the above, I noticed that these are DOS attacks. (That changes things - crypto protocols don't really a priori stop or defeat DOS attacks. They can help, or they may not, it all depends.) It's then important to examine the threat here. Who is the attacker and what motives and tools does he have available? It would be annoying to do all the work, only to discover that he has other tools that are just as easy... (This is called what's-your-threat-model, sometimes abbreviated to WYTM?) The whole point of the CA model is that there is no prior relationship and that the network is a wild wild west sort of place Except that certs need to be signed by authorities that are trusted. Right, in that the CA model seeks to add trust to the wild wild west by the provision of these signed / trusted certs. Whether it achieves that depends on the details. It is not wise to just assume it succeeds because someone said so. - both of these assumptions seem to be reversed in the backbone world, no? So one would think that using opportunistic cryptography would be ideal for the BGP world? 
iang I wouldn't think that the encryption need be opportunistic; in the BGP backbone world, as you noted, peers are known a-priori, and should have certs that could be signed by well-known, trusted CAs. Let's see if I can make these assumptions clearer, because I still perceive that CAs have no place in BGP, and you seem to be assuming that they do. In the world of PKIs, there are some big assumptions. Here's two of them: Alice and Bob don't know each other, and don't necessarily trust each other. There exists a central stable party that *both* Alice and Bob know better than each other and can be trusted to pass the trust on. Known as a trusted third party, TTP, or a certificate authority, CA, in particular. This situation exists in large companies for example - the company knows Alice and Bob better than they may know each other. (In theory.) Now, whether it exists in any real world depends on which world pertains. In the world of browsing, it is .. assumed to exist, but that can be challenged. In the world of email, it pretty clearly doesn't exist - almost all (desired) email is done between known parties, and the two parties generally have much better ways of establishing and bootstrapping a crypto relationship than asking for some centralised party to do it. (Hence, the relative success of PGP over S/MIME.) Ditto for the world of secure systems administration (SSH). When we come to BGP, it seems that BGP routing parties have a very high level of trust between them. And this trust is likely to exceed by orders of magnitude any trust that a third party could generate. Hence, adding certs signed by this TTP (well known CA or not) is unlikely to add anything, and will thus likely add costs for no benefit. If anyone tried to impose a TTP for this purpose, I'd suspect the BGP admins would ignore it. Another way of thinking about it is to ask who would the two BGP operators trust more than each other? 
In such a world, a CA-signed certificate is an encumbrance only, and seems to be matched by comments in the AnonSec draft that they are unlikely to be deployed. iang PS: on the general issue of doing what you call anonSec, I'd say, fantastic, definitely overdue, could save IPSec from an embarrassingly slow adoption! I do concur with all the other posts about how anon is the wrong word, but I'd say that getting the right term is not so important as doing the work! On the point of what the right word is, that depends on the technique chosen. I haven't got that far in the draft as yet.
Re: potential new IETF WG on anonymous IPSec
Bill Stewart wrote: Also, the author's document discusses protecting BGP to prevent some of the recent denial-of-service attacks, and asks for confirmation about the assertion in a message on the IPSEC mailing list suggesting E.g., it is not feasible for BGP routers to be configured with the appropriate certificate authorities of hundreds of thousands of peers. Routers typically use BGP to peer with a small number of partners, though some big ISP gateway routers might peer with a few hundred. (A typical enterprise router would have 2-3 peers if it does BGP.) If a router wants to learn full internet routes from its peers, it might learn 1-200,000, but that's not the number of direct connections that it has - it's information it learns using those connections. And the peers don't have to be configured rapidly without external assistance - you typically set up the peering link when you're setting up the connection between an ISP and a customer or a pair of ISPs, and if you want to use a CA mechanism to certify X.509 certs, you can set up that information at the same time. On the backbone, between BGP peers, one would have thought that there are relatively few attackers, as the staff are highly trusted and the wires are hard to access - hence no active attacks going on and only some passive eavesdropping attacks. Also, anyone setting up BGP routing knows the other party, so there is a prior relationship. The whole point of the CA model is that there is no prior relationship and that the network is a wild wild west sort of place - both of these assumptions seem to be reversed in the backbone world, no? So one would think that using opportunistic cryptography would be ideal for the BGP world? iang
Re: Firm invites experts to punch holes in ballot software
Brian McGroarty wrote: On Wed, Apr 07, 2004 at 03:42:47PM -0400, Ian Grigg wrote: It seems to me that the requirement for after-the-vote verification (to prove your vote was counted) clashes rather directly with the requirement to protect voters from coercion (I can't prove I voted in a particular way.) or other incentives-based attacks. You can have one, or the other, but not both, right? Suppose individual ballots weren't usable to verify a vote, but instead confirming data was distributed across 2-3 future ballot receipts such that all of them were needed to reconstruct another ballot's vote. It would then be possible to verify an election with reasonable confidence if a large number of ballot receipts were collected, but individual ballot receipts would be worthless. If I'm happy to pervert the electoral process, then I'm quite happy to do it in busloads. In fact, this is a common approach, busses are paid for by a party candidate, the 1st stop is the polling booth, the 2nd stop is the party booth. In the west, this is done with old people's homes, so I hear. Now, one could say that we'd distribute the verifiability over a random set of pollees, but that would make the verification impractically expensive. iang
Re: Firm invites experts to punch holes in ballot software
Trei, Peter wrote: Frankly, the whole online-verification step seems like an unnecessary complication. It seems to me that the requirement for after-the-vote verification (to prove your vote was counted) clashes rather directly with the requirement to protect voters from coercion (I can't prove I voted in a particular way.) or other incentives-based attacks. You can have one, or the other, but not both, right? It would seem that the former must give way to the latter, at least in political voting. I.e., no verification after the vote. iang
Re: Digital cash and campaign finance reform
Steve Schear wrote: By combining a mandated digital cash system for contributions, a cap on the size of each individual contribution (perhaps as small as $100), randomized delays (perhaps up to a few weeks) in the posting of each transaction to the account of the counter party, it could create mix conditions which would thwart the ability of contributors to easily convince candidates and parties that they were the source of particular funds and therefore entitled to special treatment. How would you audit such a system? I'm not that up on political cash, but I would have expected that there would be a need to figure out where money was coming from, by some interested third party at least. Also there would be a need to prove that the funds were getting there, otherwise, I'd be the first to jump in there and run the mix. Or, the mint. iang
Re: When encryption is also authentication...
SSL for commerce is readily in place without batting an eyelid these days. Costs are still way too high. This won't change until browsers are shipped that treat self-signed certs as being valid. Unfortunately, browser manufacturers believe in cert-ware for a variety of non-security reasons. Hopefully, one day the independent browser manufacturers will ship browsers that show a different icon for self-certs, rather than annoy the user with mindless security warnings. Then, we can expect a massive increase in secure browsing as sites start defaulting to self-signed certs, and a consequent massive increase in security, as well as a follow-on massive increase in the sale of certs. Unfortunately, we probably won't see an enhanced market for CA certs until Verisign goes broke. However, I'd be interested to know just how many users out there would enter their card details on an unprotected site, despite the unclosed padlocks and the alert boxes. Huge numbers of them. You won't see it in security lists, but most of your average people out there do not understand the significance of the padlock, and when merchants request credit card numbers, they quietly forget to tell them. And, in a lot of cases, credit card details are shipped over cleartext email rather than browsers. Many of these merchants have card-holder-present agreements, the restrictions of which, they just ignore. Commerce being what commerce is, it is more important to get the sale than deal with some obscure security nonsense that doesn't make sense. Have security fears and paranoia been abated by widespread crypto to the point whereby users will happily transmit private data, whether encrypted or nay, just because they *perceive* the threat to now be minimal? Now that the media has grown tired of yet-another-credit-card-hack story? 
Much of today's body of (OECD) net users don't read the news about the net and don't understand the debate, nor can they make sense of how to protect themselves from a site that is hacked... Three or four years back, much of the body of the net was still technically advanced and capable of understanding the fallacious security arguments. These days, perversely, the users are better able to evaluate the security risks, because they don't understand the arguments, so they look to the actual experience, which provides no warnings. Pointers to any evidence/research into this much appreciated... ta. Unfortunately, real data is being kept back by the credit card majors. It is my contention that there has never been a case of sniffed-credit-card-abuse, and nobody I've ever talked to in the credit card world has ever been able to change that. On the whole, all net-related credit card fraud is to do with other factors: mass thefts from hacked databases, fraudulent merchant gatherings, fear-of-wife revocations, etc. Nothing, ever, to do with on-the-wire security. -- iang
Re: Bad guys vs. Good guys
Ken Brown wrote: Er, I hit send prematurely, and I meant to go on to say that I have often used 1 or 200 UKP in folding money - it is easy to do with universal availability of ATMs. If anything I use more cash than I did 15 years ago because it is so simple to get hold of. And saves the bother of waiting while they go online to validate the credit card if the latest series of Buffy on video exceeds the floor limit at the shop. Yes, that is because Bob's comments were originally biased to the American market. There, in the US (I don't know about Canada), compared to Europe and most other countries, the usage of the credit card is much higher, and ATMs are less used. The reason for this is the structure of the banking industry. In most countries, there are 3-4 huge national banks that dominate. Consequently, they drive banking, and they have powerful ATM networks that are national in scope. Also, they drive card usage more, and thus they don't advance the cause of the credit card any more than it suits them. In contrast, the US is one of the few countries with little national banking. There are something like 10,000 banks there, and there are no national banks. Consequently, the glue that holds the system together is the credit card majors (amongst other things like the fed), and they drive much of the utilisation patterns. The US therefore has weaker ATM networks (compared with other countries). Whilst a lot of that ground has been caught up, it is the case that the CC majors own the two big networks (as Bob says). I use a debit card, one that draws against my bank current account the way a cheque does (probably check to you). It's the same card that is used as a cheque card. Lots of purchases over $100. I've bought a miniature video camera with it, maybe 1500 dollars US. Debit cards I think are relatively new development in the US, as they bypass the CC companies' interests. They have been strong in the rest of the world for a longer time. 
For that reason, there is a whole host of charges as they go through the different institutions, including the CC networks, which you won't find so strong elsewhere. Still involves merchant charges of course. As far as they are concerned it is no different from a credit card. The cashier at the till probably doesn't even know the difference (after all it says Visa on it). (PS: I could be wrong about the details above, I haven't checked any of them, but I think I have the big picture down.) -- iang
Re: Bad guys vs. Good guys
R. A. Hettinga wrote: At 6:03 PM -0700 on 5/11/02, Eric Cordian wrote: The reason we have ready availability of credit in the first place is because consumer debt is the most profitable business in the United States. What are the margins on consumer debt? Isn't it all securitized, thus efficient? I really wonder what component of this market is actually payment driven. After all, to easily buy *anything* over, say, $100 right now, you have to borrow money, use a credit card, to do it. Well, all of it, if you are talking about costs of doing the payment. The problem with paying for anything over $100 is having the money with you at that time. Most purchases are done at some random future time, and without a credit payment, it would be necessary to take huge amounts of cash with you at all times. This results in costs: forgone interest on one's wealth, risk of seizure, and the mere cost of having to wear clothing with big pockets. A credit token allows you to bring the stored wealth with you; but it's not the only way. If there was pervasive FC, then you would have choice between credit and accrued wealth. You could flip out your palmtop, access your stored stocks in MicroHard, flip it in the market and pay with straight now cash. Or you could choose credit. But one could imagine that if you can access your real wealth straight away then a lot of rational people with palmtops with financial modelling on them would calculate the effective price of the two choices (credit v. now-cash flipped from stored wealth t+3) quickly enough to show you that paying with cash was optimal in far more circumstances. If it were actually cheaper -- and safer -- to use some form of internet financial cryptography protocol like blind signatures, I wonder how much of that consumer debt market would go away. 
Not all of it, obviously, but I do wonder about how much of that number is purely consumer debt and not just payment finance, for lack of a better term. Rational individuals pay with cash when they can. They stop paying with cash when they run out, as the cost of cash rises rapidly with volume. CC vendors exploit this by offering free credit for a month, thus making one perceive that there is no benefit to using credit, and then, it wins hands down over cash. Providing access to stored wealth in t+3 would redress the balance and provide for a more optimal solution. OTOH, rational companies pay with debt when they can. So it's not as if the world will lose the credit industry just because FC provides us with now-cash. And, I suspect people acting as corporate actors would treat their credit requirements as delivering cash and adding to their total credit equation, as the spectrum between credit and wealth becomes efficient. That is, they might pay with credit, but the credit is provided in cash, and then passed on to the merchant, so the credit provider is unlinked from the purchase. PS: t+3 means trade settlement in 3 seconds. -- iang