[OT] Re: [Forwarded] RealID: How to become an unperson.

2005-07-06 Thread J.A. Terranson

On Tue, 5 Jul 2005 [EMAIL PROTECTED] wrote:

 your ID card. Exactly that circular problem as mentioned in the
 posting.

 But when I explained that circular problem, they checked by phone with
 the town's registry office and gave me the copy of the birth
 certificate without an ID card to solve the problem.

While I am glad it worked out for you, I somehow doubt that the workers of
the once great city of New York would be quite as accommodating :-/
Fortunately, I found a way around the problem that didn't force me to try
and find out though!

 But nevertheless, I do not understand why americans are so afraid of
 an ID card. It has by far more advantages than disadvantages, and

This is probably a uniquely american thing - culturally we are a bunch of
loners, who all believe that the government has no *right* to identify
or otherwise monitor us.  As a scrappy bunch of loners with attitude
problems, the pros vs. cons of The Card really never make it to the
equation: as a people, most of us just naturally have a Tim May reaction
to authority in general and government authority in particular.
Personally, I'd rather go back to the old paper license I used to have in
the 80's that had no pic and was not usable as ID, but I know it isn't
going to happen.  Sigh...

-- 
Yours,

J.A. Terranson
[EMAIL PROTECTED]
0xBD4A95BF


Never belong to any party, always oppose privileged classes and public
plunderers, never lack sympathy with the poor, always remain devoted to
the public welfare, never be satisfied with merely printing news, always
be drastically independent, never be afraid to attack wrong, whether by
predatory plutocracy or predatory poverty.

Joseph Pulitzer
1907 Speech

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: [Forwarded] RealID: How to become an unperson.

2005-07-06 Thread Steven M. Bellovin
In message [EMAIL PROTECTED], [EMAIL PROTECTED] writes:


> But nevertheless, I do not understand why americans are so afraid of
> an ID card. It has by far more advantages than disadvantages, and
> actually the US driving license is already a kind of ID card.

Let me refer you to a National Academies report (I was on the 
committee):  Stephen T. Kent and Lynette Millett, ed. IDs -- Not That
Easy: Questions About Nationwide Identity Systems. National Academies
Press, 2002.  http://books.nap.edu/html/id_questions/  Briefly, the 
report notes that there are a very large number of questions that need 
to be answered about any such system before it's even possible to 
discuss it intelligently.

> And
> whenever I enter the US, I have to give the fingerprints of my index
> fingers and they take a picture of me. That's worse than an ID card.

Agreed.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb





Re: [Forwarded] RealID: How to become an unperson.

2005-07-06 Thread hadmut
On Tue, Jul 05, 2005 at 11:26:54PM -0400, Steven M. Bellovin wrote:
 
 Let me refer you to a National Academies report (I was on the 
 committee):  Stephen T. Kent and Lynette Millett, ed. IDs -- Not That
 Easy: Questions About Nationwide Identity Systems. National Academies
 Press, 2002.  http://books.nap.edu/html/id_questions/  Briefly, the 
 report notes that there are a very large number of questions that need 
 to be answered about any such system before it's even possible to 
 discuss it intelligently.
 


Thanks for the hint, but I am too busy to read it in detail before
next week.


However, there is a funny thing I need to mention:

- In Germany we have an ID card and I have it in my pocket all the
  time. But actually it is rarely used, I do need it not more than
  maybe three times a year. At the moment I can't remember to have it
  used within the last two years, except for in my job when entering
  high security areas and some protected company premises. But rarely
  in private life. I know one shop where they do ask for when paying
  with a card.


- In the USA they say they don't have ID cards. 

  But wherever I walk through the streets of cities at the
  east- or westcoast, they all ask me for picture IDs. Some years ago 
  I couldn't even enter a night club without a picture ID, and in
  every supermarket they have signs that they don't sell alcohol or 
  cigarettes without picture ID (besides the fact that I neither drink
  nor smoke). Even in some hotels and gas stations they ask for a 
  picture ID.





Isn't that ridiculous? In the USA where they allegedly don't have ID cards
you are approx. more than 20 times as often asked for a picture ID than 
in Germany where we have ID cards officially. 



Last November I attended an Anti-Spam-Summit at FTC in Washington 
DC. As usual they were checking for metal in the clothes, x-raying 
bags, and (*surprise*) asking for a picture ID. Someone didn't have 
a driving license. They accepted his WalMart Customer Card as a 
picture ID. Isn't that scary?


regards
Hadmut











Re: Time-Memory-Key tradeoff attacks?

2005-07-06 Thread D. J. Bernstein
My paper ``Understanding brute force'' explains an attack with a much
better price-performance ratio than the attack described by Biryukov:

   http://cr.yp.to/talks.html#2005.05.27
   http://cr.yp.to/papers.html#bruteforce

Biryukov's central point regarding key amortization was made earlier
(and, I think, more clearly) in my paper. My paper also analyzes the
merits of various defenses against the attack.

---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago



Re: Feature or Flaw?

2005-07-06 Thread Amir Herzberg

Lance James wrote:

> Amir Herzberg wrote:
>
>> Lance James wrote:
>> ...
>>>   https://slam.securescience.com/threats/mixed.html
>>>
>>> This site is set so that there is a frame of https://www.bankone.com
>>> inside my https://slam.securescience.com/threats/mixed.html site. The
>>> imaginative part is that you may have to reverse the roles to
>>> understand the impact of this (https://www.bankone.com with
>>> https://slam.securescience.com frame - done via cross-user attacks
>>
>> Ok, I can do the `mental exercise` and understand the attack. But I'm
>> not sure what is new here. Yes, if a web-site allows such XSS, then
>
> It's not the new issue - it's the concern that frames with other SSL
> protect information is not being indicated to the user, thus you can
> encrypt data with another valid cert within a frame(s) and the user will
> only know of the main cert from the domain that is indicated by the
> address bar.

Well, but I don't see that this has much to do with SSL, really. The
problem is that the attacker is able to cause the server to send a page 
controlled (partially or fully) by the attacker. This should not happen. 
SSL is only supposed to ensure that the client got the page as the 
server sent it - and this does happen. Of course, this cannot protect 
against an infinite list of possible errors and vulnerabilities of the 
server:

-- XSS attacks
-- Defacement
-- an employee intentionally putting a script to do something
...
I think that your complaint/observation is that browsers normally warn 
when displaying a page which is partially protected and partially not, 
but may not complain when displaying a page protected by cert X, but 
including frame protected by cert Y. Well, this can be fixed, but I'm 
not sure this is really important. The problem is really the fact that 
the page was modified in the first place. Instead of including a 
protected (or unprotected) frame with the rogue code, the attack could 
have sent the rogue code directly from the compromised site.

--
Best regards,

Amir Herzberg

Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com
Try TrustBar - improved browser security UI: 
http://AmirHerzberg.com/TrustBar
Visit my Hall Of Shame of Unprotected Login pages: 
http://AmirHerzberg.com/shame




Private info for sale in Moscow kiosks...

2005-07-06 Thread Perry E. Metzger

Bruce Schneier's blog had a pointer to this story, about the black
market in personal information in Moscow:

http://www.globetechnology.com/servlet/story/RTGAM.20050705.gtrussia05/BNStory/Technology/

   At the Gorbushka kiosk, sales are so brisk that the vendor excuses
   himself to help other customers while the foreigner considers his
   options: $43 for a mobile phone company's list of subscribers? Or $100
   for a database of vehicles registered in the Moscow region?

   The vehicle database proves irresistible. It appears to contain names,
   birthdays, passport numbers, addresses, telephone numbers,
   descriptions of vehicles, and vehicle identification (VIN) numbers for
   every driver in Moscow.

-- 
Perry E. Metzger                [EMAIL PROTECTED]



A Note About Trust Anchor Key Distribution

2005-07-06 Thread Thierry Moreau

To all:

Here is a scheme for a central organization
distributing a trust anchor public key with rollover
requirement. The suggested acronym for this scheme is
TAKREM for Trust Anchor Key REnewal Method.

We use the notation #R[i]# for the public root public
key #R[i]#, with the private key counterpart #r[i]#.

The central organization establishes key pairs
#r[0],R[0]#, #r[1],R[1]#, #r[2],R[2]#, ...,
#r[n],R[n]#, allocating the pair #r[0],R[0]# as the
initial private/public trusted key pair, and reserving
each key pairs #r[i],R[i]# for the cryptoperiod
starting with the #i#'th root key renewal, for
#1<=i<=n#.

A separate MASH (Modular Arithmetic Secure Hash)
instance #H[i]# is created for each #R[i]#. MASH is
defined in International standard document ISO/IEC
10118-4:1998, Information technology - Security
techniques - Hash-functions - Part 4: Hash-functions
using modular arithmetic.

That is, the central organization selects a large
composite modulus number #N[i]# used in the MASH round
function and a prime number #P[i]# used in the MASH
final reduction function.

Then, the central organization selects a random salt
field #s[i]#.

A hash computation gives a root key digest #D[i]# :
  #D[i]=H[i](s[i]|R[i]|N[i]|P[i])# .
The digest #D[i]# is like an advanced notice of future
trust anchor key #R[i]#.

The data tuple #r[i],R[i],N[i],P[i],s[i]# is set
aside in dead storage.

The trust anchor key initial distribution is
  #R[0], D[1], D[2], ..., D[n]# .

Security rationale: with data tuple
#r[i],R[i],N[i],P[i],s[i]# totally concealed until
the usage period for key pair #r[i],R[i]#, an
adversary is left with the digest #D[i]# from which it
is deemed impossible to mount a brute force attack.

A root key rollover is triggered by the following
message:
  #i,R[i],N[i],P[i],s[i]# .

Upon receipt of this message, the end-user system
becomes in a position to validate the root key digest
#D[i]#.

More details are provided in
http://www.connotech.com/takrem.pdf.

Regards,

--

- Thierry Moreau

CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, Qc
Canada   H2M 2A1

Tel.: (514)385-5691
Fax:  (514)385-5900

web site: http://www.connotech.com
e-mail: [EMAIL PROTECTED]
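
The digest commitment and rollover check described in the post above, as an added sketch (not code from the original post or from CONNOTECH). Assumptions: SHA-256 stands in for the per-key MASH instance #H[i]#, so #N[i]# and #P[i]# are only opaque hashed fields here; keys are constructed random placeholders; fields are length-prefixed before hashing; and the end-user system only accepts an index higher than its current one.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


def _field(b: bytes) -> bytes:
    # Length-prefix each field so s|R|N|P is unambiguous (assumption of this example).
    return len(b).to_bytes(4, "big") + b


def root_key_digest(s: bytes, R: bytes, N: bytes, P: bytes) -> bytes:
    # D[i] = H[i](s[i]|R[i]|N[i]|P[i]); SHA-256 is a stand-in for the MASH instance.
    return hashlib.sha256(b"".join(map(_field, (s, R, N, P)))).digest()


@dataclass(frozen=True)
class DeadStorageTuple:
    r: bytes  # private key (constructed placeholder bytes)
    R: bytes  # public key (constructed placeholder bytes)
    N: bytes  # MASH modulus (placeholder)
    P: bytes  # MASH final-reduction prime (placeholder)
    s: bytes  # random salt


def central_setup(n: int):
    """Create tuples 0..n; return (dead_storage, R[0], {i: D[i]} for 1 <= i <= n)."""
    dead = [DeadStorageTuple(*(os.urandom(32) for _ in range(5))) for _ in range(n + 1)]
    digests = {i: root_key_digest(t.s, t.R, t.N, t.P) for i, t in enumerate(dead) if i >= 1}
    return dead, dead[0].R, digests


def rollover_message(dead, i: int):
    # The rollover message is i, R[i], N[i], P[i], s[i]; r[i] is never sent.
    t = dead[i]
    return i, t.R, t.N, t.P, t.s


class EndUserSystem:
    def __init__(self, R0: bytes, digests: dict):
        # Initial distribution: R[0], D[1], ..., D[n].
        self.index, self.trusted_key, self.digests = 0, R0, dict(digests)

    def rollover(self, i: int, R: bytes, N: bytes, P: bytes, s: bytes) -> bool:
        expected = self.digests.get(i)
        # Reject unknown indices and, by assumption, anything not newer than the current key.
        if expected is None or i <= self.index:
            return False
        # Recompute D[i] from the disclosed tuple; compare in constant time.
        if not hmac.compare_digest(root_key_digest(s, R, N, P), expected):
            return False
        self.index, self.trusted_key = i, R
        return True


if __name__ == "__main__":
    dead, R0, digests = central_setup(3)
    user = EndUserSystem(R0, digests)
    print("rollover to 1 accepted:", user.rollover(*rollover_message(dead, 1)))
    i, R, N, P, s = rollover_message(dead, 2)
    print("forged R[2] accepted:", user.rollover(i, b"forged-key", N, P, s))
```
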




Re: [Forwarded] RealID: How to become an unperson.

2005-07-06 Thread Stefan Kelm
 Isn't that ridiculous? In the USA where they allegedly don't have ID cards
 you are approx. more than 20 times as often asked for a picture ID than
 in Germany where we have ID cards officially.

True. But funny, isn't it: I always enjoy looking at the most
puzzled facial expression of some twenty-odd year old selling
beer at a football game trying to understand my german passport.
They give up eventually, selling me what I wanted...   :-)

(asking me for an ID is absolutely ludicrous in the first place
since I've been looking older than 21 for decades now...)

Cheers,

Stefan.
---
Stefan Kelm
Security Consultant

Secorvo Security Consulting GmbH
Ettlinger Straße 12-14, D-76137 Karlsruhe

Tel. +49 721 255171-304, Fax +49 721 255171-100
[EMAIL PROTECTED], http://www.secorvo.de/
---
PGP Fingerprint 87AE E858 CCBC C3A2 E633 D139 B0D9 212B





Re: [Forwarded] RealID: How to become an unperson.

2005-07-06 Thread Jörn
--- Jonathan Thornburg [EMAIL PROTECTED] wrote:

 [EMAIL PROTECTED] wrote:
  - In Germany we have an ID card and I have it in my pocket all the
   time. But actually it is rarely used, I do need it not more than
   maybe three times a year. [[...]]

I think this has a lot to do with the fact that Germany and the US have
different standards of liability. The legal drinking age in Germany is
16 for beer and wine and 18 for distilled alcoholic beverages. A minor
under the age of 16 may consume alcohol with parental consent, as long
as that parent or a legal guardian is present. A violation is a mere
misdemeanor and may result in a fine but, in reality, hardly ever does.


The consequences of selling alcohol to a person who is not of legal age
are far more severe in the US. Aside from losing your liquor license
(and hence very likely your main source of income), you can expect
both, criminal prosecution and a civil suit, in most places. That's why
establishments in the US err on the side of caution and card their
customers. Most bars, liquor stores and gas stations even have zero
tolerance policies. It's not unusual for a twenty-something year old to
be carded for a pack of cigarettes or a single beer can.  People would
never put up with something like that in Germany.

Another factor is that the German ID card is mainly used by government
agencies. There are severe restrictions for non-government uses.
Private businesses may, for instance, not use the unique ID numbers as
identifiers or store them in a database. That makes them pretty much
useless for most non-official purposes. In the US, businesses are
pretty much free to request your SSN whenever they please.

 As a Canadian living and working in Germany, my legal ID card is
 my (Canadian) passport.  (I don't have a German (or Canadian!)
 driver's
 license.)  When I bought a cellphone calling plan the cellphone store
 asked for this (I guess the police want to make sure an identifiable
 person can be found for each cellphone number).

They actually have to verify your identity. There is a ruling from
RegTP, which is a governing body in many ways similar to the FCC, that
stipulates that carriers have to retain the complete name, date and
place of birth and current address of anyone who buys a GSM SIM card.
Failure to do so usually results in hefty fines. That's why the
carriers make sure that the ruling is actually enforced.

On a slightly unrelated note: contrary to popular belief, there is no
German law that requires you to have your ID card or passport on your
person. You are required to give your name and date of birth to a law
enforcement officer or authorized agent of the state - but only upon
request. They may even take you into custody until they can positively
verify your identity but you do have to carry ID.
 
 It was clear from our conversation that very few (if any) Canadians
 had ever bought cellphone calling plans from this employee before.
 (Not surprisingly -- there aren't that many other Canadians living
 or travelling here.)  Indeed, I rather suspect mine may have been 
 the first Canadian passport this particular employee had ever seen.

That's indeed quite likely. The original purpose of the RegTP's ruling
was to discourage theft though. There usually is little to no
resistance to giving up your personal data to the government in
Germany. In fact, there's federal law that requires anyone residing in
the country to keep their current address on file with their county's
record office. And this seems perfectly normal to most Germans. If
Congress tried to pass a law that required US citizens to register
their current address with the federal government, people would scream
bloody murder (despite the fact that it would be easy to get anyone's
address from the IRS, individual state's DMV databases or Google, for
that matter).

A terrorist, however, would have no reason to register their real
address or to show a real ID card when purchasing a cell phone. After
all, there are plenty of easier options available (theft, eBay, fake
ID, using public pay phones, etc).

Exactly the same applies to driver's licenses. A terrorist could just
fake one or use fake documents to obtain a real one. I think it's safe
to assume that if high school graduates have the means to obtain a
decent fake ID, terrorists do as well. The only way to tell if a
driver's license is real or not is by checking if the data on it
matches what's in the DMV's database. And that doesn't help if a
terrorist just decides to fake a birth certificate and marriage
license. I would be surprised if your average county clerk or DMV
worker actually managed to check if a document that's maybe forty
years old is in fact the real deal.

   -J.



[Clips] A Radical Tool To Fight ID Theft

2005-07-06 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Wed, 6 Jul 2005 16:12:29 -0400
 To: Philodox Clips List [EMAIL PROTECTED]
 From: R.A. Hettinga [EMAIL PROTECTED]
 Subject: [Clips] A Radical Tool To Fight ID Theft
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 http://online.wsj.com/article_print/0,,SB112060885609977982,00.html

 The Wall Street Journal

  July 6, 2005
  MONEY

 A Radical Tool
  To Fight ID Theft
 U.S. Is Allowing Some Fraud Victims
  To Obtain New Social Security Numbers

 By CHRISTOPHER CONKEY
 Staff Reporter of THE WALL STREET JOURNAL
 July 6, 2005; Page D1


 As companies roll out a growing variety of tools to combat identity theft,
 some Americans are taking a more radical step: changing their Social
 Security number.

 Traditionally, trading in an old number for a new one is something
 attempted in only the most extreme circumstances. Not only does the Social
 Security Administration demand heavy, documented proof of hardship -- but
 it also means that an individual must then track down every bank, utility,
 credit-card association and government agency that might have the old
 number on file, and persuade them to use the new one.

 Despite the obstacles, in the 11-month period ended in March, roughly 1,000
 people were issued new Social Security numbers for reasons of identity
 theft. While the Social Security Administration started keeping statistics
 on the specific reasons people are issued new numbers only last year,
 consumer advocates expect the number of identity-theft-related requests to
 increase. Last year, the agency received 75,000 allegations of Social
 Security number misuse, up from just 11,000 in 1998.

 Social Security numbers can be particularly valuable assets in the hands of
 a criminal. With little more than a valid Social Security number and street
 address, a thief can often fraudulently open credit-card accounts or apply
 for loans in someone else's name, severely damaging his credit record.

 People who change their number are hoping not only to cut off their
 assailant, but also to make a fresh start with a clean credit history. Many
 people, though, are frustrated to discover that it doesn't solve their
 problems. In fact, some privacy advocates, government officials and
 consumers who have been through the ordeal warn that it can actually make
 matters worse in some circumstances.

 WRONG NUMBER?

 Some identity-theft victims change their Social Security
 number, but it's a tough task:

 Experts advise against it in most cases, saying it creates new problems,
 extra work and lots of explaining to banks and other institutions.

 Changing numbers isn't easy; considerable evidence is required to persuade
 the government you really need it.

 Even if you get a new number, the old one won't be deleted.

 Getting creditors to use the new number is a significant hassle that can
 take years.

 Identity theft affects nearly 5% of the adult population, according to the
 Federal Trade Commission, costing businesses and individuals a combined $53
 billion annually. Last year, the FTC received 246,000 reports of identity
 theft, nearly triple the number received in 2001.

 Concern is particularly high right now following a spate of recent security
 breaches, which compromised the data records of some 50 million people and
 left many more wondering whether they were affected. The scandals have
 implicated institutions ranging from ChoicePoint Inc., a data broker, to
 Bank of America Corp., to the University of California at Berkeley.

 People who have gotten new Social Security numbers report mixed results.
 Scott Lewis, an X-ray technician from Wintersville, Ohio, changed his
 number a few years ago to untangle his identity from a repeat
 drunken-driving offender who at one point faced murder charges.

 Mr. Lewis first noticed a problem during a job search: Several times he was
 told he was a top candidate for a job, but then would never hear back.
 Finally, one manager picked up the phone and said, 'You're an unsavory
 character, don't ever call here again,'  Mr. Lewis says. He did a
 background check on himself and discovered that, because of a clerical
 error -- a sheriff's office in Ohio had mistyped the arrested man's Social
 Security number, putting in Scott Lewis's instead -- his identity was being
 confused. At the advice of a prosecutor, he got the SSA to change his
 number. "That was the beginning of a big mistake," he says. "By doing that,
 I now had no credit history, so I can't get credit, and it appears that I'm
 using a fraudulent Social Security number."

 Even people who have had more success offer warnings. Ted Wern, a
 30-year-old corporate attorney in Chicago, changed his number in 2000 after
 someone started impersonating him and racked up large charges on credit
 cards. After years of effort, he persuaded credit-card companies and other
 organizations to start using his new number. Mr. Wern calls his decision a
 success,