Re: Schneier on Bernstein factoring machine
The union of the two sets of cryptography users and paranoid people is necessarily non-empty. Who would bother to use cryptography sans a threat model? And if you've got a non-empty threat model, then by definition you're paranoid. Uh, I don't have to run faster than the bear I just have to run faster than you ? --dan - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: KYC: new FinCEN rule on information sharing
http://www.treas.gov/fincen/po1044.htm For what it is worth, the apparent consensus view amongst U.S. financial institutions is that if T+1 clearance and straight-through processing (STP) are to become operational realities, then authentication and authorization credentials must be ones that cross corporate boundaries. In other words, the know your customer (KYC) regime will include federated electronic identity management at the personal level. The Bank for International Settlements (BIS) has already weighed in on the concept of extending KYC from money-laundering protection alone to a broader and more critical role in general banking industry risk management. See, for an example, http://www.bis.org/publ/bcbs85.htm#pgtop = summary http://www.bis.org/publ/bcbs85.pdf = full publication --dan
Re: Where's the smart money?
I predict a new EMP vandalism tool that fries the moneychip. And provides an alibi to passers of notes with no working chip. You are, of course, assuming that RFID money that has been damaged will still be accepted without manual processing delays to the putative depositor. I can, after all, tear all my paper USD in half but I will surely then incur some manual processing delay when uploading them to the bank, likely in proportion to the size of my deposit. The real question might be whether instead of today's dye pack one got an EMP generator as a special gift when holding up the local SL. --dan
Re: biometrics
|At 07:59 PM 1/26/2002 -0500, Scott Guthery wrote:
|(A test GSM authentication algorithm, COMP128, was attacked
|but it is not used in any large GSM networks. And it
|was the algorithm not the SIM that was attacked.)
|
|and at Sun, 27 Jan 2002 13:56:13 EST, Greg Rose answered:
|There are two problems with this statement. The first is that while
|COMP128 was a demonstration (not test) algorithm, it turns out
|that well over half of the deployed GSM systems do in fact use it.
|And there is a very interesting paper coming soon to a conference
|but the program hasn't yet been announced, so I can't yet say any
|more, but it attacks the SIM. Ross Anderson and Markus Kuhn and
|their group at Cambridge have done some very impressive work on
|getting secrets out of SIMs and smartcards in general.

The "if you knew what I knew" thing always encourages me to, shall we say, write, but notwithstanding that, Ross and Markus, as much as I admire them, are not exactly scalable as attack tools. Perhaps it is because of my workaday preoccupation with helping the user community spend economically rational amounts of money for economically rational amounts of security, but unless someone is about to can Ross & Markus in a script and put that on IRC for our everlasting global amusement, I'd score Round One for Scott. Best, --dan
Re: biometrics
In the article they repeat the recommendation that you never use/register the same shared-secret in different domains ... for every environment you are involved with ... you have to choose a different shared-secret. One of the issues of biometrics as a shared-secret password (as opposed to the interface between you and your chipcard) is that you could very quickly run out of different, unique body parts. Compare and contrast, please, with the market's overwhelming desire for single-sign-on (SSO). Put differently, would the actual emergence of an actual SSO signal a market failure by the above analysis? --dan
Re: biometrics
Folks, while we argue fine points we drift towards irrelevance [1] National ID in Development (USA Today) [2] Computer Security, Biometrics Dominate NIST Agenda (Washington Post) --dan

[1] National ID in Development USA Today, 22 January 2002 Federal and state groups are moving to create a national ID card that contains fingerprints or magnetic strips, according to officials at the Justice Department and General Services Administration. According to a recent poll, 54 percent of adults support the creation of a national ID card. The figure is lower than those of polls from two months ago, in which two-thirds of adults supported such a move. A group of state officials, meanwhile, is seeking congressional approval to standardize documents for verifying identity when issuing driver's licenses. Sen. Dick Durbin (D-Ill.) has proposed federal funding for developing driver's license standards, including studies on fingerprints, palm prints, iris scans, face scans, or DNA. Durbin's proposals also allow motor vehicle authorities to access databases from the INS, the Social Security Administration, and unspecified law enforcement agencies. The bill would make the driver's license more reliable, he said. Similarly, the American Association of Motor Vehicle Administrators wants Congress to pass laws to fund a data-sharing network between the license agencies and federal agencies. Privacy advocates believe that the public will eventually come out in opposition to a national ID system.

[2] Computer Security, Biometrics Dominate NIST Agenda By Brian Krebs, Newsbytes. WASHINGTON, D.C., U.S.A., 16 Jan 2002, 4:33 PM CST The events of Sept. 11 and the subsequent anthrax attacks have caused a major shift in priorities for the National Institute of Standards and Technology, prompting the agency to double its efforts to develop new standards for everything from security scanners to biometrics to computer security, the agency's new chief said today.
NIST Director Arden Bement said while many of the projects were begun prior to Sept. 11, the non-regulatory agency's new role in the Bush administration's Homeland Security initiative has added a sense of urgency to the mix. "September 11 really focused our activities and gave them a sense of immediacy," Bement said in a meeting with reporters today. "Our primary goal now is to take whatever technologies are available for application and to develop standards and test methods (that will) make them available to the public as quickly as possible." Bement said NIST is just a few months away from announcing a new biometric standard that will be used to confirm the identity of people seeking U.S. visas or using a visa to enter the United States. NIST also is working with the Biometric Consortium, which represents hundreds of companies that are developing technologies to identify people by their individual physical characteristics, such as thumbprints, facial recognition technology, iris and retinal scans. The biometric standards chosen by NIST could allow one or two technologies to gain early adoption and a strong foothold in an increasingly crowded market. Bement said biometric identifiers are being considered as a prerequisite for entry into government buildings, and the states are pushing ahead on a plan to link an as yet undetermined biometric technology to identity cards and driver's licenses. NIST also is working to develop more effective security standards for wireless communication networks, and is prepared to assume an even greater role in developing computer security standards for the federal government. "I expect that role will expand significantly," Bement said. NIST recently released an updated standard for encryption technology that will soon be used to beef up security for a range of electronic transactions, from e-mail to e-commerce to ATM withdrawals.
The agency also is bracing for more responsibility over the computer security standards adopted by the federal civilian agencies. Rep. Tom Davis, R-Va., chairman of the House Government Reform subcommittee on technology and procurement policy, is drafting legislation to reauthorize the Government Information Security Reform Act, a law passed in November 2000 that requires federal agencies to assess and test the security of their non-classified information systems. Davis plans to add a provision to the bill that would require NIST to establish minimum technology and security standards that all agencies must follow. NIST also is crafting new standards to protect the nation's most critical infrastructures, Bement said. The software that monitors and regulates the distribution of juice over the national power grid, for example, is not yet completely integrated. "Grid control is a major issue now ... because a lot of the monitoring of power flows on the grid is done with different types of software and standards," Bement said. There's a fair amount of work necessary to raise the level of security so it can't
Re: Learning the rules
... They begin with swashbuckling independence: new players spring up, operating in a sort of new frontier, unconstrained by governments. But, once a technology acquires commercial importance, rules and standards emerge. Why? Because, argues Ms Spar, the industry's most successful companies want them. ... Or, simply, fortunes made by risk should not again be exposed to it. --dan
Re: Stegdetect 0.4 released and results from USENET search available
I download all of alt.anonymous.messages from the same news server that large numbers of people post and download child porn on. It might be that child porn posted to these lists is the most attractive vehicle as it is illegal everywhere, it will not be downloaded at random, those who do download it will be damned careful in where they keep it and how they use it, those who do not want it won't touch it, and the endlessly repetitious nature of the imagery makes it unlikely that those not looking for the special version with the embedded hidden message would bother taking down yet another copy. --dan
Re: New encryption technology closes WLAN security loopholes
Or in other words, the first requirement for perimeter security is a perimeter. Wireless networks have no interior. Merging them with a perimeter-protected network will yield a network with the character of the wireless net. This is at once the beauty of community nets and the end of network security as a principal area of focus -- the apps are where the action is now. Within my firm's experience, fully 70% of the fatal application vulnerabilities seen in the field are design flaws so there is certainly work to be done. --dan
Re: Outreach Volunteers Needed - Content Control is a Dead End
Content control is a dead end. Folks, you only get an even number of {privacy, copyright} -- either the owner of information controls how it is used or he does not. Either you embrace copyright-and-privacy, or you embrace neither. It really is time to be careful what you ask for. --dan