Re: What good are smartcard readers for PCs
At most, it'll contain a name+password for HTTP basic-auth (and to identify users to the site so they can be connected with the info they supplied at purchase time). You've spent too long in the crypto world.

Having poked around in the FAQ (I can't believe I'm wasting my time on this), it could be one of three things:

1. Dumb memory card.
2. As (1) but with basic PIN-protected memory region (unlikely, since the user isn't asked to enter a PIN and unique PINs means they can't hardcode it into the access software).
3. Eurochip-type challenge-response card. In other words, a phone card. Also not too likely, since you can't do this via basic-auth.

The FAQ handwaves the details, so it could be either 1 or 3. Can someone who has one of these things try reading the ATR off it?

(You can also see, from the large number of FAQ entries covering potential problems and all the warnings about things to look out for when you use the card/reader, how not-ready-for-prime-time smart cards still are).

Peter.
Re: What good are smartcard readers for PCs
--
Neil Johnson wrote:

Hey don't forget you can still buy a smart card reader from that most cypherpunkish of babes BRITNEY SPEARS ! Only $30 !

https://www.visiblevisitors.com/mltest/order_form.asp

James A. Donald:

A previous poster suggested that the smart card industry had usability problems. If these guys are selling to that market, they must have solved those problems -- or believe that they have.

Peter Gutmann wrote:

All they're doing is reading a URL off a USB dongle (technically a 256-byte I2C memory card plugged into a reader, but in effect the combination is a USB dongle). That's a no-brainer, I can do that with two wires taped to the card contacts and poked into the PC's parallel port, and around 50 bytes of code on the PC.

If all they were doing is reading the URL, presumably you can already get to the site without owning the smartcard. I believe the card cryptographically proves its presence to the site to show that the user is authorized to hit the site.

--digsig James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG pTZSolt9/2ZzWLDufFApvlnFJTl7qJ+k/1P6N4E5 4+/ztYC9AfVoSBhBwjbH0ljx00WVl9cpQ4D/Kw7Ze
Re: What good are smartcard readers for PCs
James A. Donald [EMAIL PROTECTED] writes:

Peter Gutmann wrote:

All they're doing is reading a URL off a USB dongle (technically a 256-byte I2C memory card plugged into a reader, but in effect the combination is a USB dongle). That's a no-brainer, I can do that with two wires taped to the card contacts and poked into the PC's parallel port, and around 50 bytes of code on the PC.

If all they were doing is reading the URL, presumably you can already get to the site without owning the smartcard.

Yup, but that wouldn't be Cool(tm) any more.

I believe the card cryptographically proves its presence to the site to show that the user is authorized to hit the site.

That would be a considerable feat for a 256-byte dumb memory card. At most, it'll contain a name+password for HTTP basic-auth (and to identify users to the site so they can be connected with the info they supplied at purchase time). You've spent too long in the crypto world.

Peter.
Re: What good are smartcard readers for PCs
James A. Donald [EMAIL PROTECTED] writes:

On 25 Sep 2002 at 18:36, Neil Johnson wrote:

Hey don't forget you can still buy a smart card reader from that most cypherpunkish of babes BRITNEY SPEARS ! Only $30 !

https://www.visiblevisitors.com/mltest/order_form.asp

A previous poster suggested that the smart card industry had usability problems. If these guys are selling to that market, they must have solved those problems -- or believe that they have.

All they're doing is reading a URL off a USB dongle (technically a 256-byte I2C memory card plugged into a reader, but in effect the combination is a USB dongle). That's a no-brainer, I can do that with two wires taped to the card contacts and poked into the PC's parallel port, and around 50 bytes of code on the PC. Getting a general-purpose crypto smart card working usefully, now that's a challenge.

Peter.
Re: What good are smartcard readers for PCs
I wrote:

The FAQ handwaves the details, so it could be either 1 or 3. Can someone who has one of these things try reading the ATR off it?

He Who has No Shame [0] reports that it's a GemClub memory card, which is reasonably similar to the old SLE4428-style cards: 256 bytes of memory, some of it PIN-protected. Available commands are read, write, and verify PIN.

Given the info in the FAQ, it would appear that the PIN is fixed/hardcoded into the driver, since there's no indication that users are asked for it, and it mentions that if someone else finds your card, they get access (or they may just use the non-protected storage in the card). I'm guessing this was a marketing decision, expecting x-teen-year-old kids (whatever the target market for these things is) to remember and enter PINs, not to mention the UI issues involved in obtaining the things, would make it unworkable, while reading off a URL and password and poking it into a browser is something which is a lot safer to deploy. Access control is by an XML version of basic-auth.

In other words, it's (effectively) a dumb memory card with (effectively) HTTP basic-auth. It does however use the T=0 serial protocol and not I2C, which is a bit trickier to read with wires poked in the parallel port :-).

Peter.

[0] He actually bought it under his own name, without pretending it was for his nieces or something.
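The thread asks for the card's ATR and later notes that it speaks T=0. As an added example (not part of the original messages), this minimal ISO/IEC 7816-3 ATR parser shows how the offered protocol is read out of those bytes; the two sample ATRs are constructed for illustration and are not taken from the card discussed.

```python
# Added example: minimal ISO/IEC 7816-3 Answer-To-Reset parser.
# The sample ATRs below are constructed, not read from any real card.
T0_ONLY = bytes.fromhex("3B0441424344")   # no TD1, so T=0 is implied
T1_CARD = bytes.fromhex("3B8201414280")   # TD1 announces T=1, TCK present

def parse_atr(atr: bytes) -> dict:
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("TS must be 0x3B (direct) or 0x3F (inverse)")
    t0 = atr[1]
    hist_len = t0 & 0x0F          # K: number of historical bytes
    y = t0 >> 4                   # Y1: which of TA1/TB1/TC1/TD1 follow
    pos, i = 2, 1
    interface, protocols = {}, set()
    while y:
        for bit, name in enumerate("ABCD"):
            if y & (1 << bit):
                if pos >= len(atr):
                    raise ValueError("truncated interface bytes")
                interface[f"T{name}{i}"] = atr[pos]
                pos += 1
        td = interface.get(f"TD{i}")
        if td is None:
            break
        protocols.add(td & 0x0F)  # low nibble: protocol type T
        y = td >> 4               # high nibble: Y(i+1) for the next group
        i += 1
    if not protocols:
        protocols.add(0)          # absent TD1 means the card offers T=0 only
    hist = atr[pos:pos + hist_len]
    if len(hist) != hist_len:
        raise ValueError("truncated historical bytes")
    pos += hist_len
    tck_ok = None                 # TCK is omitted when only T=0 is offered
    if protocols != {0}:
        if pos >= len(atr):
            raise ValueError("missing TCK")
        x = 0
        for b in atr[1:pos + 1]:  # XOR of T0..TCK must be zero
            x ^= b
        tck_ok = (x == 0)
    return {
        "convention": "direct" if atr[0] == 0x3B else "inverse",
        "interface": interface,
        "protocols": sorted(protocols),
        "historical": hist,
        "tck_ok": tck_ok,
    }
```

The ATR only announces transmission parameters and protocol; it says nothing about whether the card can do cryptography, which is why the command set (read, write, verify PIN) is what settles the question in the thread.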
House will be busy next week fighting terrorism
-- S. 2690, the Pledge of Allegiance Reaffirmation Act. Sponsored by Senator Tim Hutchinson, this bill reaffirms the motto In God we trust and the language of the Pledge of Allegiance in its entirety, including the phrase one Nation under God. The Senate passed this bill on June 27, 2002 by a vote of 99-0. The bill was approved by the House Judiciary Committee on September 10, 2002 by a voice vote.
Re: What good are smartcard readers for PCs
I didn't suggest that they should be banned. I simply stated that this was one consumer usage of the smart card reader.

On Thu, 26 Sep 2002, Ben Laurie wrote:

Lisa wrote:

They are also actively used to modify DirecTV Dish Network access cards to steal service.

Damn. We'd better ban them then. I've heard this Interweb thingy is used to steal content - should we ban that, too?