Re: [Cryptography] tamper-evident crypto? (was: BULLRUN)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 In message 52291a36.9070...@av8n.com, John Denker j...@av8n.com writes To say the same thing the other way, I was always amazed that the Nazis were unable to figure out that their crypto was broken during WWII. There were experiments they could have done, such as sending out a few U-boats under strict radio silence and comparing their longevity to others. In fact the Nazis did have many suspicions that Enigma was compromised, no more so (this from memory, the books with the fuller account are on a shelf several thousand miles away from my current desk) than in the Python incident where the Devonshire was sent to sink a German U-boat refuelling boat ... and the Dorsetshire turned up at the same place by chance and chipped in. The subsequent German inquiry (two enemy ships appearing over the horizon heading straight for your refuelling point in the middle of the empty South Atlantic is deeply worrying) relied upon them reading our North Atlantic convoy traffic (they were breaking Allied codes at that point in the war) where they found no evidence of Enigma acquired information being used to avoid U-boat movements. This was because their inquiry happened to coincide with a short period during which we were not reading their traffic! The inquiry concluded that Enigma was not broken (which was strictly correct at that moment) and it carried on being used. Such are the random chances, good and bad, which occur in the real world. Of course there were improvements made to Enigma throughout the war both to the hardware and also to operating procedures... it was harder to break in 1945 than 1939. So my question is: What would we have to do to produce /tamper-evident/ data security? As a preliminary outline of the sort of thing I'm talking about, you could send an encrypted message that says The people at 1313 Mockingbird Lane have an enormous kiddie porn studio in their basement. and then watch closely. See how long it takes until they get raided. you will have noted the requirement for some of the agencies who have been given NSA material (such as telco metadata) to recreate it for the benefit of their court cases ... so you'd probably fail to observe any background activity that tested whether this information was plausible or not (assuming that the NSA considered this issue important enough to pursue); and then some chance event would occur that caused someone from Law Enforcement (or even a furnace maintenance technician) to have to look in the basement. You'd be left saying this proves it and everyone else will be spending their time commenting on whether your particular style of tinfoil hat appeared sartorially suitable - -- richard Richard Clayton They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. Benjamin Franklin -BEGIN PGP SIGNATURE- Version: PGPsdk version 1.7.1 iQA/AwUBUik0UeINNVchEYfiEQIj1wCgjvXptGYkMdfKFI7pQfQuMUZJOAkAmwV2 UiNLZIncCKWCsUynA0p5y/Ws =fqW2 -END PGP SIGNATURE- ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography
Re: [Cryptography] Email and IM are ideal candidates for mix networks
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 In message fdd34a58-6ce6-497a-a177-b940d36d0...@lrw.com, Jerry Leichter leich...@lrw.com writes On the flip side, mail systems like gMail or Yahoo mail are complex and difficult to run *exactly because they are immense*. The mail systems part is really rather simple... and pretty much looks after itself. That's not where all the employees work. But what are they getting for that size? There are no economies of scale here - in fact, there are clear *dis*economies. ... the economy of scale is in identifying and routing spam of various kinds. Some can be detected a priori -- the majority of the detection relies on feedback from users (the chances are that someone else got the bad mail before you did, so it can be arranged that you are not bothered) Even without the recent uproar over email privacy, at some point, someone was going to come up with a product along the following lines: Buy a cheap, preconfigured box with an absurd amount of space (relative to the huge amounts of space, like 10GB, the current services give you); then sign up for a service that provides your MX record and on-line, encrypted backup space for a small monthly fee. (Presumably free services to do the same would also appear, perhaps from some of the dynamic DNS providers.) Just what the world needs, more free email sending provision! sigh What's the value add of one of the giant providers? If you run your own emails system then you'll rapidly find out what 2013's spam / malware problem looks like. Just as success in crypto deployment isn't about algorithms or file formats, success in mail handling isn't about MX records and MTAs. - -- richard Richard Clayton They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. Benjamin Franklin -BEGIN PGP SIGNATURE- Version: PGPsdk version 1.7.1 iQA/AwUBUhrsBeINNVchEYfiEQKkQQCcDXtNGi30Zp8yhazPbQOvqEmu6icAnjqe y5QvKffZakNHejWz1tu4PJ4d =oGIg -END PGP SIGNATURE- ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography
Re: street prices for digital goods?
In article [EMAIL PROTECTED], David Molnar [EMAIL PROTECTED] writes Dan Geer's comment about the street price of heroin as a metric for success has me thinking - are people tracking the street prices of digital underground goods over time? up to a point... see the other responses The Symantec Threat Reports do seem to report advertised prices for a basket of goods, starting in Volume XI (March 2007) and running through the present. For example, Volume XI Table 3 states a Skype account is worth $12, valid Hotmail cookie $3, etc. These are interesting, yes :) I've been thinking about this for some time -- I have found that it makes for some interesting questions to corporate types presenting ain't it awful PowerPoint slides that they don't quite understand :) but it's hard to see changes since they're reported as a band of prices presumably aggregated from many different sources. Indeed, but deeper than this, you have to ask yourself what the price means... I'm curious because it would be interesting to look at the street price for a specific online bank's logins before and after the bank makes a change to its security practices. exactly so ... if the price of BoA cards was $2 and is now $1 does this mean: (a) production surplus -- so the scammers are cutting each other's throats to offload their stashes is this because the bank's security is rubbish? is it because everyone has decided to attack this particular bank under the assumption that it is _the_ Bank of America? or because a new kit has come out for them to use (b) consumption scarcity -- no-one wants to buy is this because the bank's back-room operations are excellent and so it is hard to extract value? is it because the people who can cash the cards out have all the cards they can handle at the moment? (c) adulterated supply -- only one card in 800 is any good it's sometimes claimed that the loss per card is around $800, so if lots of the numbers don't work you need to reduce the price per card (d) incompetent pricing by the sellers the real price should be much higher, but the sellers have been persuaded that $1 is fair reward for their effort and so they don't attempt to get any more for their goods (e) incompetent pricing by the buyers most cards are worthless because the bank's back room operations are so good, but not all buyers have realised this so they overpay and probably (f)... onwards as well viz: in the absence of evidence that an efficient market is operating and without clear evidence of what price elasticity there is, it is almost impossible to draw conclusions about bank (in)efficiency from merely observing average prices :( There's a similar issue relating to the relative cost of cards and whole life details. The latter are more expensive, but perhaps only by a factor of 10-20. Is this a reflection of restricted supply? or does it reflect a paucity of buyers (you might use these details to scam the cost of a medium-size dwelling) or that there are very few buyers who are prepared to handle a specialist product... There is undoubtedly an interesting econometrics paper to be written here, but it will rely upon not only extensive data from the Underground Economy but also on good data from a bank (or banks) -- and this is impossible to obtain at present :( One then needs to tease out enough almost the same but not quite scenarios to be able to isolate the various factors and thereby put some numbers to the model... finally, does anyone happen to know of a good review of how the focus on street price has performed as a metric for drug interdiction? it usually demonstrates that the police overpay :) and that leads on to a further problem with the Underground Economy monitoring. You are only seeing list prices and anyone in business knows that you don't need to pay list price! -- richard Richard Clayton They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. Benjamin Franklin - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Levels of security according to the easiness to steel biometric data
In article [EMAIL PROTECTED], Danilo Gligoroski [EMAIL PROTECTED] writes For example, I guess that stealing information of someone's face is easier than stealing information about someone's fingerprints, but stealing information about someone's retina would be much harder. if you meant retina then yes, but if you meant iris then no http://www.cl.cam.ac.uk/~jgd1000/afghan.html -- richard Richard Clayton They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. Benjamin Franklin - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: ad hoc IPsec or similiar
In article [EMAIL PROTECTED], Eugen Leitl [EMAIL PROTECTED] writes There's a rather ominous EU legislation to be passed soon, which requires any party acting as a provider (you run anonymous proxy, or mix cascade, you are a provider) to log all connection info (when, who, with whom). What's the status of ad hoc IPsec or any other TCP/IP-tunneling VPN for random endpoints? (a) the EU legislation was actually passed well over a year ago http://europa.eu.int/eur-lex/lex/LexUriServ/site/en/oj/2006/l_105/l_1052 0060413en00540063.pdf and applies to service providers so random endpoints will be unlikely to be caught by its requirements. (b) what the Directive exactly means is anyone's guess (the wording shows a deep failure to understand how the Internet works), and it is entirely clear that it will in practice mean different things in different EU countries. In the UK it's likely to only apply to large public ISPs -- and retention will be restricted to records of who used which IP address, email server records, and possibly web cache logs (possibly not, since web caches may not be economic if the logs have to be retained)... ... the wikipedia page on the topic http://en.wikipedia.org/wiki/Data_retention ... has information for other countries that looks fairly plausible from what I know about their plans. Note that the Directive also applies to phone calls ... and the transposition of that into national laws is supposed to be completed by October 2007; most countries have until March 2009 for Internet logs -- richard Richard Clayton They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. Benjamin Franklin - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Tamperproof, yet playing Tetris.
In article [EMAIL PROTECTED], Perry E. Metzger [EMAIL PROTECTED] writes Handheld Chip Pin terminals for reading credit cards in the UK are required to be tamperproof to avoid the possibility of people suborning them. Here is a report from a group that has not merely tampered with such a terminal, but has (as a demo) converted it into a tetris game to demonstrate that they can make it do whatever they like. http://www.lightbluetouchpaper.org/2006/12/24/chip-pin-terminal-playing-tetris/ I think the proof-of-concept has been slightly misunderstood :( The terminal is intended to be tamperproof in that once you have messed with it, it can no longer communicate with the bank. As far as I know the terminal delivers on this -- hard to say, because I bought it from eBay as is with no knowledge of who had used it before or what secrets it contained [it's legally my terminal, but that's the end of my involvement ! all the credit goes to Saar and Steven who had all the ideas and did all of the work] However, if you don't want your terminal to do payments but just wish to use it to capture PINs then it's tamper-evidence that is needed : and that requires not only fancy seals and such, but also training for the general public, such that they know what to look for. Also, mayhap, training for the merchant's staff if the merchant isn't in on the scam and the terminal's innards have been surreptitiously replaced. Of course you could have a bog-standard PC playing Tetris ... but it doesn't seem terribly likely that people would type their PIN on the keyboard; hence the subverting of a genuine device to clearly make the point that people have no idea what is a genuine terminal attached to a genuine credit card network. They just type and trust -- and the real story here is that the protocols are not end to end :( and hence a man- in-the-middle can do a great deal more than would be desirable :( Note also that without a payment going through for the card (there's that tamperproof property again), the credit card company's fancy pattern recognition schemes for spotting fraud have nothing to bite upon... ... at least until all the fraud victims complain that not only are there n unauthorised charges on their bill (which are being hotly disputed because the PIN was used so they must be genuine) but ALSO that there is one tell-tale missing charge, for the site at which the Tetris playing (well, that might be a give-away!) terminal was used. -- richard Richard Clayton Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755 - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: AOL Help : About AOL® PassCode
In article [EMAIL PROTECTED], Joerg Schneider
[EMAIL PROTECTED] writes
Florian Weimer wrote:
I think you can forward the PassCode to AOL once the victim has
entered it on a phishing site. Tokens à la SecurID can only help if
Indeed.
the phishing schemes *require* delayed exploitation of obtained
credentials, and I don't think we should make this assumption. Online
MITM attacks are not prevented.
So, PassCode and similar forms of authentication help against the
current crop of phishing attacks, but that is likely to change if
PassCode gets used more widely and/or protects something of interest to
phishers.
as in the story of the two hunters and the bear ... the banks only need
to outrun another vulnerable target:
http://www.netfunny.com/rhf/jokes/89q3/oldbear.555.html
so making passive password/PIN collection ineffective and requiring
phishers to operate in real-time may be a sufficient win.
Actually I have been waiting for phishing with MITM to appear for some
time (I haven't any yet - if somebody has, I'd be interested to hear
about),
I've been shown something similar last July ... which was, IIRC, a
PayPal phish where the web page you went to checked that the password it
was given was in fact valid. It wasn't a full-scale MITM attack, but it
did have some real-time elements.
I haven't been bothering to look at phishing sites recently, so I don't
know if the technology to do this has become the general state of the
art, or if it was just one gangs unique coding style ?
because it has some advantages for the attacker:
* he doesn't have to bother to (partially) copy the target web site
* easy to implement - plug an off-the-shelf mod_perl module for reverse
proxy into your apache and add 10 minutes for configuration. You'll find
the passwords in the log file. Add some simple filters to attack PassCode.
* more stealthy, because users see exactly, what they are used to, e.g.
for online banking they see account balance etc. To attack money
transfers protected by PassCode, the attacker could substitute account
and amount and manipulate the server response to show what was entered
by user.
this is the fundamental problem with using the passcode, the user is
signing just the single bit I authorise rather than the full bag of
bits {amount, payee, timestamp} ... as soon as you write out formally
what is going on the shortcoming is entirely obvious
Assuming that MITM phishing will begin to show up and agreeing that
PassCode over SSL is not the solution - what can be done to counter
those attacks?
Mutual authentication + establishment of a secure channel should do the
trick. SSL with client authentication comes to my mind...
The problem with that is that people want (or at least think they want)
to use their online banking from home, from work and from a cybercafe
whilst they are on holiday or a business trip. Carting around the
credentials (and a secure way of checking them) is a non-starter
However, the banks could do a lot by starting to distinguish between
run-of-the-mill transactions : pay my gas bill and more sensitive ones
such as set up a new payee (or indeed change my gas company to
Nigerian OilGas). Insisting that the sensitive ones were only done
from the secured (and credential rich) home site would help. They could
also check the IP address of the connection and form a view as to its
likely validity!
Yo rule out a MITM one might employ a secure side-channel (SMS text
message to one's mobile phone perhaps -- certainly a very plausible
approach in SMS-aware Europe) ... some banks are already using this; but
only as a cheap replacement for a SecureID :( ... so it's ineffective.
Now if Bill's browser could display the last six digits of the SSL key
then those could be compared with the SMS message and the customer would
know that they were safethe banks might even go for this
solution because it dumps the decision to go ahead (and hence the risk
as well) onto the customer :)
--
richard Richard Clayton
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. Benjamin Franklin
-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Security clampdown on the home PC banknote forgers
In article [EMAIL PROTECTED] hq1.NA.RSA.NET, Trei, Peter [EMAIL PROTECTED] writes From the original article: The software relies on features built into leading currencies. Latest banknotes contain a pattern of five tiny circles. On the £20 note, they're disguised as a musical notation, on the euro they appear in a constellation of stars; on the new $20 note, the pattern is hidden in the zeros of a background pattern. Imaging software or devices detect the pattern and refuse to deal with the image. It would be interesting to figure out exactly what the 'don't copy' information is. If it's really just five little circles, think of the fun you could have - The circles act as a do not copy for recent models of colour photocopier. They are NOT the mechanism involved in the latest round of software detection by Adobe et al .. hence the fun is limited :( The circles have been on UK and EU notes for some time, you can also see them all over the latest US $20 bill. It is suggested that there is more information to be extracted from the way that the basic five circle units are combined together (said to identify the issuing bank), but no firm results are known. Just the five circles on an otherwise blank sheet are definitely sufficient to cause the particular copier experimented with to indicate the presence of currency. ie: it's all true :) Markus Kuhn originally worked out the nature of the pattern in February 2002. It is now believed to have been invented by Omron, but this is hearsay :( not something citable. http://www.cl.cam.ac.uk/~mgk25/eurion.pdf -- richard Richard Clayton They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. Benjamin Franklin signature.asc Description: PGP signature
Re: [camram-spam] Re: Microsoft publicly announces Penny Black PoW postage project
On Tue, 30 Dec 2003, Eric S. Johansson wrote: But using your spam size, , the slowdown factor becomes roughly 73 times. So they would need 73 machines running full tilt all the time to regain their old throughput. Believe me, the professionals have enough 0wned machines that this is trivial. On the flipside, it means the machines are burned faster. only if the professionals are dumb enough to use the machines that are making the stamps to actually send the email (since it is only the latter which are, in practice, traceable) unfortunately, I think you making some assumptions that are not fully warranted. I will try to do some research and figure out the number of machines compromised. The best No. I had seen to date was about 350,000. It's at least an order of magnitude higher than this, possibly 2 orders, thanks to rampaging worms with spamware installation payloads compromising cablemodem- and adsl- connected Windows machines worldwide. the easynet.nl list (recently demised) listed nearly 700K machines that had been detected (allegedly) sending spam... so since their detection was not universal it would certainly be more than 700K :( - The Cryptography Mailing List and in these schemes, where does our esteemed moderator get _his_ stamps from ? remember that not all bulk email is spam by any means... or do we end up with whitelists all over the place and the focus of attacks moves to the ingress to the mailing lists :( moan I never understand why people think spam is a technical problem :( let alone a cryptographic one :-( /moan -- richard Richard Clayton They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. Benjamin Franklin - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
