Re: [Clips] Banks Seek Better Online-Security Tools
I would never use online banking, and I advise all my friends and colleagues (particularly those who _aren't_ computer-security-geeks) to avoid it.

On Sun, Dec 04, 2005 at 05:51:11PM -0500, [EMAIL PROTECTED] wrote:
> I've been using online banking for many years, both US and Germany. The German PIN/TAN system is reasonably secure, being an effective one-time pad distributed through out of band channel

Ahh, but how do you know that the transaction actually sent to the bank is the same as the one you thought you authorized with that OTP? If your computer (or web browser) has been cracked, you can't trust _anything_ it displays.

There are already viruses "in the wild" attacking German online banking this way:
http://www.bsi.bund.de/av/vb/pwsteal_e.htm

I also don't trust RSAsafe or other such "2-factor authentication" gadgets, for the same reason.

[I don't particularly trust buying things online with a credit card, either, but there my liability is limited to 50 Euros or so, and the credit card companies actually put a modicum of effort into watching for suspicious transactions, so I'm willing to buy (a few) things online.]

ciao,

--
-- Jonathan Thornburg <[EMAIL PROTECTED]>
   Max-Planck-Institut fuer Gravitationsphysik (Albert-Einstein-Institut), Golm, Germany, "Old Europe"
   http://www.aei.mpg.de/~jthorn/home.html
   "Washing one's hands of the conflict between the powerful and the powerless means to side with the powerful, not to be neutral."
      -- quote by Freire / poster by Oxfam

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Proving the randomness of a random number generator?
| There's another definition of randomness I'm aware of, namely that the
| bits are derived from independent samples taken from some sample space
| based on some fixed probability distribution, but that doesn't seem
| relevant unless you're talking about a HWRNG. As another poster
| pointed out, this definition is about a process, not an outcome, as
| all outcomes are equally likely.

That's not a definition of randomness except in terms of itself. What does "independent samples" mean? For that matter, what's a "sample"? It's an element chosen at random from a sample space, no? "All outcomes equally likely" is again simply a synonym: "Equally likely" comes down to "any of them could come out, and the one that does is chosen at random".

Probability theory isn't going to help you here. It takes the notion of randomness as a starting point, not something to define - because you really can't! Randomness is defined by its properties within the theory; it doesn't need anything else.

One can, in fact, argue plausibly that randomness doesn't "really" exist: It's simply a reflection of lack of knowledge. Even if you get down to the level of quantum mechanics, it's not so much that when an atom decays is random, it's that we don't - and, in fact, perhaps *can't* - have the knowledge of when that decay will happen ahead of time. Once the decay has occurred, all the apparent randomness disappears. If it was "real", where did it go? (It's easy to see where our *ignorance* went)

-- Jerry

Re: [Clips] Banks Seek Better Online-Security Tools
On Mon, Dec 05, 2005 at 09:24:04AM +, Ian G wrote:
> [EMAIL PROTECTED] wrote:
> >it seems to me the question is how much liability do i expose myself to by
> >doing this, in return for what savings and convenience.
>
> That part I agree with, but this part:
>
> >i don't keep a lot of money in banks (why would anyone?) -- most of
> >the assets are in (e.g.) brokerage accounts. at most i'm exposing
> >a month of payroll check to an attacker briefly until it pays some
> >bill or is transferred to another asset account.
>
> George's story - watching my Ameritrade account get phished out in 3 minutes
> https://www.financialcryptography.com/mt/archives/000515.html
>
> Seems like a hopeful categorisation!
>
> iang

okay, i read this story from 7/2005 reporting an incident in 5/2005.

the short form of it is: the bad guys changed the associated bank account, then they placed orders to sell everything at market prices. at some point they changed the email address to a hotmail account (if they'd done this first he would have gotten less notice). for some unexplained reason he received confirmations of the trades at the old email address. actual cash didn't get transferred at least because of the 3 day settlement time for the trades. the rest was dealing with law enforcement and customer service punes who wouldn't tell him anything for "privacy reasons".

well, i have lots of nit-picking questions, about the actual incident and about the general point.

about the actual incident: maybe his password was phished, maybe it was malware, maybe it was password reuse and some other account was phished. how was the bofa account set up? (the fraudster's destination account) in these days of patriot act "know your customer"? (or was it someone's phished account also used just for transit?) why didn't they just do the wire transfer early, and leave him with a giant margin balance to be paid from the proceeds at settlement?

about the general point: the main thing online access changes (compared with phone access, or written instructions) is the velocity. most sensible institutions provide "change of account status" notifications by both email and postal mail (to both the old and the new addresses). some sensible institutions put brakes on removing money from the system, certainly for new accounts and (as i recommend to my clients) after an account change reflecting identity or control.

aside from the time and energy drain of identity theft, what is the financial liability for consumers if your us-based brokerage account is phished resulting in a fraudulent funds transfer? does anyone know if there is any uniform protection (such as reg e would cover for interbank funds transfers?)

i insert the weasel-words "consumers" and "us-based" because of bofa's behavior in the joe lopez malware case, where they are trying to claim he is a business not a consumer, and that they are without fault in wire transferring his funds to latvia.

slightly off-topic: remember abraham abdallah, the brooklyn busboy who assumed the identity of a large number of the fortune 200 richest? made goldman sachs "signature guaranteed stamps" and opened accounts in their number? had 800 fraudulent credit cards and 2 blank cards when he was arrested? ("hey kids! collect 'em all!"). my point is only that this is possible without my participating. as jerry leichter reminded me, the fact that there are these facilities available means a bad guy can use them even if i do not, unless i can not only opt out but forbid anyone else from subsequently opting in, the moral equivalent of cutting your debit card in half and returning it to the bank (rather than just destroying the PIN).

even more off-topic: i'm surprised that the people on this list don't feel as if they have enough personal connections that at least they could figure out what happened to them as *some* financial institution.

doesn't anyone else ask, as a basis for imputing trust "exactly who did that {protocol, architecture, code} review as a basis for imputing trust? maybe i'm delusional, but i give fidelity some residual credit for having adam shostack there, even some years ago, and there are some firms i'd use because i've been there enough to see their level of care.

Re: [Clips] Banks Seek Better Online-Security Tools
Kerry Thompson wrote:
> [EMAIL PROTECTED] said:
>
>>You know, I'd wonder how many people on this
>>list use or have used online banking.
>>
>>To start the ball rolling, I have not and won't.
>
> I do. Although, only from PCs that I trust such as my linux box at home.
> And I keep a close watch on my bank statements.
>
> All things considered, it's safer than posting cheques or distributing your
> credit card number around.

That depends on how the risk of loss is allocated. This can vary between different legal systems, and may depend on the terms in force between bank and customer.

For an exploration of this in the context of English law, see
http://elj.warwick.ac.uk/jilt/00-3/bohm.html

Nicholas Bohm
--
Salkyns, Great Canfield, Takeley,
Bishop's Stortford CM22 6SX, UK

Phone 01279 871272 (+44 1279 871272)
Fax 020 7788 2198 (+44 20 7788 2198)
Mobile 07715 419728 (+44 7715 419728)

PGP public key ID: 0x899DD7FF. Fingerprint:
5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF

Re: Proving the randomness of a random number generator?
On Mon, Dec 05, 2005 at 02:21:02AM -0600, Travis H. wrote:

> On 12/4/05, Victor Duchovni <[EMAIL PROTECTED]> wrote:
> > Wrong threat model. The OP asked whether the system generating random
> > numbers can prove them to have been "randomly" generating to a passive
> > observer.
>
> I didn't read it that way, but the question wasn't particularly
> well-formed. I'm not sure what you mean by "prove them to have been
> randomly generat[ed]".

I read the question as something akin to what an on-line gambling site might seek to assure its customers that its dice are not loaded.

> Given your discussion of an attacker being
> able to predict the sequence due to having seen it before, it sounds a
> lot like you're talking about unpredictability.

The outcome is equally surprising to all observers; having it be completely predictable by all observers is an uninteresting degenerate case.

> That's the main thing
> people are looking for in cryptographic RNGs. What kind of randomness
> or security properties are you talking about?

There is no way to prove that dice you are watching on TV are not loaded (even if the value distribution is fair). If one gets to participate in a verifiable protocol that rolls the dice, the picture is different.

> If the goal is truly to prove that the numbers are nondeterministic,
> then an investigation of the physical processes involved and careful
> measurement (of the generation device, not the digital output!) is the
> only proper way to get some assurance.

Actually, even a perfect hardware RNG is of no use in convincing the skeptical remote observer. How do you prove that the output came from said RNG? How do you prove that it is "delayed", and that other participants are not viewing the output a few steps ahead of the skeptical observer?

If I understood the OP's question correctly (indeed it was not precise), the answer is that no proof is possible for a non-interactive RNG.

--
Victor Duchovni
IT Security, Morgan Stanley
(ASCII Ribbon Campaign Against HTML Mail)

NOTICE: If received in error, please destroy and notify sender. Sender does not waive confidentiality or privilege, and use is prohibited.

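One shape the "verifiable protocol that rolls the dice" can take, as an added Python example that is not from the original message: the house commits to a secret, the player then contributes a seed, and the roll is derived from both so the player can recheck it after the reveal. The function names, the domain-separation label and the SHA-256/HMAC construction are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

def commit(house_secret: bytes) -> bytes:
    """Commitment the house publishes before the player speaks."""
    return hashlib.sha256(b"dice-commit-v1" + house_secret).digest()

def derive_roll(house_secret: bytes, player_seed: bytes) -> int:
    """Map both contributions to 1..6 without modulo bias."""
    counter = 0
    while True:
        block = hmac.new(house_secret, player_seed + counter.to_bytes(4, "big"),
                         hashlib.sha256).digest()
        for b in block:
            if b < 252:              # 252 = 6 * 42; larger bytes are rejected
                return b % 6 + 1
        counter += 1

def player_verify(commitment: bytes, player_seed: bytes, revealed: bytes):
    """Return the roll if the reveal matches the commitment, else None."""
    if not hmac.compare_digest(commit(revealed), commitment):
        return None
    return derive_roll(revealed, player_seed)

def play_round():
    """One honest round; returns (house's roll, roll the player recomputes)."""
    house_secret = secrets.token_bytes(32)   # 1. house picks a secret
    commitment = commit(house_secret)        # 2. house publishes the commitment
    player_seed = secrets.token_bytes(32)    # 3. player answers with a fresh seed
    house_roll = derive_roll(house_secret, player_seed)
    # 4. house reveals its secret; player checks it and recomputes the roll
    return house_roll, player_verify(commitment, player_seed, house_secret)

def cheating_round():
    """House swaps its secret after seeing the player's seed; player rejects."""
    commitment = commit(secrets.token_bytes(32))
    player_seed = secrets.token_bytes(32)
    substituted = secrets.token_bytes(32)    # chosen after the fact
    return player_verify(commitment, player_seed, substituted)

if __name__ == "__main__":
    print("honest round:", play_round())
    print("substituted secret:", cheating_round())
```

The player's check shows only that the house could not steer this roll after seeing the seed; a house that declines to reveal when it dislikes the outcome has to be handled by the rules of the game, not by the hash.
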
RE: Fermat's primality test vs. Miller-Rabin
> Ok after making that change, and a few others. Selecting only odd numbers
> (which acts as a small sieve) I'm not getting much useful information. It
> appears to be such that at 512 bits if it passes once it passes 128 times,
> and it appears to fail on average about 120-130 times, so the sieve
> amplifies the values more than expected. Granted this is only a test of the
> generation of 128 numbers, but I got 128 primes (based on 128 MR rounds).

O.k., so if I read this right, your new results concord with the analysis of Pomerance et al. That would make much more sense.

When you say "on average about 120-130 times the test fails", out of how many is that?

--Anton

Re: Fermat's primality test vs. Miller-Rabin
----- Original Message -----
From: "Sidney Markowitz" <[EMAIL PROTECTED]>
Subject: Re: Fermat's primality test vs. Miller-Rabin

> Joseph Ashwood wrote:
> > Granted this is only a test of the generation of 128 numbers, but I got
> > 128 primes (based on 128 MR rounds).
>
> That doesn't make sense, unless I'm misinterpreting what you are saying.
> Primes aren't that common, are they?

Apparently, they are, I ran a sample, but even with the added second sanity check, every one of them that passes a single round comes up prime.

I then proceeded to move it to 2048-bit numbers. It takes longer and the gaps between primes are averaging around 700 right now, but once again if it passes a single test it passes all 128+128. This sample is currently statistically completely insignificant, but even after the currently 8 tries I'd expect something different.

Joe

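The behaviour reported in this thread (a random candidate that passes one round keeps passing), as an added Python example that is not code from any poster: it runs single Fermat and Miller-Rabin rounds over seeded random odd candidates and, for contrast, counts the bases that fool each test on the Carmichael number 561. The function names, the seed and the sample sizes are assumptions chosen for illustration.

```python
import random

def fermat_round(n, a):
    """One Fermat test to base a: True means n is not yet ruled out."""
    return pow(a, n - 1, n) == 1

def miller_rabin_round(n, a):
    """One Miller-Rabin round to base a, for odd n > 3."""
    d, s = n - 1, 0
    while d % 2 == 0:            # write n - 1 = 2^s * d with d odd
        d //= 2
        s += 1
    x = pow(a, d, n)
    if x in (1, n - 1):
        return True
    for _ in range(s - 1):
        x = pow(x, 2, n)
        if x == n - 1:
            return True
    return False

def count_liars(n):
    """Bases in [2, n-2] for which composite n passes each test."""
    bases = range(2, n - 1)
    return (sum(fermat_round(n, a) for a in bases),
            sum(miller_rabin_round(n, a) for a in bases))

def survey(bits, candidates, rounds, seed):
    """Random odd `bits`-bit candidates: how many survive one Fermat round,
    one MR round, and (of the MR survivors) `rounds` further MR rounds."""
    rng = random.Random(seed)    # seeded for repeatability; not for key generation
    fermat1 = mr1 = mr_all = 0
    for _ in range(candidates):
        n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        a = rng.randrange(2, n - 1)
        fermat1 += fermat_round(n, a)
        if miller_rabin_round(n, a):
            mr1 += 1
            mr_all += all(miller_rabin_round(n, rng.randrange(2, n - 1))
                          for _ in range(rounds))
    return fermat1, mr1, mr_all

if __name__ == "__main__":
    print("561 liars (Fermat, MR):", count_liars(561))
    print("256-bit survey:", survey(256, 2000, 20, seed=2005))
```

On random candidates the three counts agree, which is the average-case behaviour Anton refers to; the tests separate only on specially structured composites such as 561, where 318 bases pass Fermat and 8 pass Miller-Rabin.
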
Re: [Clips] Banks Seek Better Online-Security Tools
[EMAIL PROTECTED] wrote:

> dan, maybe you should just keep less money in the bank.
>
> i use online banking and financial services of almost every kind (except bill presentment, because i like paper bills). i cannot do without it.
>
> it seems to me the question is how much liability do i expose myself to by doing this, in return for what savings and convenience.

That part I agree with, but this part:

> i don't keep a lot of money in banks (why would anyone?) -- most of the assets are in (e.g.) brokerage accounts. at most i'm exposing a month of payroll check to an attacker briefly until it pays some bill or is transferred to another asset account.

George's story - watching my Ameritrade account get phished out in 3 minutes
https://www.financialcryptography.com/mt/archives/000515.html

Seems like a hopeful categorisation!

iang

Re: Proving the randomness of a random number generator?
On 12/4/05, Victor Duchovni <[EMAIL PROTECTED]> wrote:
> Wrong threat model. The OP asked whether the system generating random
> numbers can prove them to have been "randomly" generating to a passive
> observer.

I didn't read it that way, but the question wasn't particularly well-formed. I'm not sure what you mean by "prove them to have been randomly generat[ed]". Given your discussion of an attacker being able to predict the sequence due to having seen it before, it sounds a lot like you're talking about unpredictability. That's the main thing people are looking for in cryptographic RNGs. What kind of randomness or security properties are you talking about?

There's another definition of randomness I'm aware of, namely that the bits are derived from independent samples taken from some sample space based on some fixed probability distribution, but that doesn't seem relevant unless you're talking about a HWRNG. As another poster pointed out, this definition is about a process, not an outcome, as all outcomes are equally likely.

If the goal is truly to prove that the numbers are nondeterministic, then an investigation of the physical processes involved and careful measurement (of the generation device, not the digital output!) is the only proper way to get some assurance. I'll sidestep the question of whether anything is really nondeterministic for the moment (God is omniscient, or so I'm told).

--
http://www.lightconsulting.com/~travis/ -><-
Knight of the Lambda Calculus
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B

Re: [Clips] Banks Seek Better Online-Security Tools
On Sun, Dec 04, 2005 at 05:51:11PM -0500, [EMAIL PROTECTED] wrote:

> | To start the ball rolling, I have not and won't.
>
> Until a couple of months ago, I avoided doing anything of this sort at all.
> Simple reasoning: If I know I never do any financial stuff on-line, I can
> safely delete any message from a bank or other financial institution.

I've been using online banking for many years, both US and Germany. The German PIN/TAN system is reasonably secure, being an effective one-time pad distributed through out of band channel (mailed dead tree in a tamperproof envelope). It is of course not immune to phishing (PIN/TAN harvesting), which has become quite rampant recently.

I'm about to set up HBCI with my business account (both GnuCash and openhbci/aqbanking from the command line), which can in principle cooperate with a smartcard. It is a major pain to set up, however, especially on an unsupported platform. I do have a HBCI smartcard setup with my private account but don't use it since it's locked in a proprietary software jail.

--
Eugen* Leitl leitl http://leitl.org
ICBM: 48.07100, 11.36820 http://www.ativel.com
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

Re: Fermat's primality test vs. Miller-Rabin
Joseph Ashwood wrote:
> Granted this is only a test of the
> generation of 128 numbers, but I got 128 primes (based on 128 MR rounds).

That doesn't make sense, unless I'm misinterpreting what you are saying. Primes aren't that common, are they?

I don't have time right now to look for a bug in your code, but you could add a sanity check that would catch a bug immediately by adding in the appropriate spot a test like

    if (!curnum.isProbablePrime(128))
        System.out.println("Something wrong, number is not really a prime!");

to check that your primality test gets the same result as the M-R primality test that comes with BigInteger.

-- sidney

Re: [Clips] Banks Seek Better Online-Security Tools
[EMAIL PROTECTED] said:
>
> You know, I'd wonder how many people on this
> list use or have used online banking.
>
> To start the ball rolling, I have not and won't.

I do. Although, only from PCs that I trust such as my linux box at home. And I keep a close watch on my bank statements.

All things considered, it's safer than posting cheques or distributing your credit card number around.

--
Kerry Thompson
http://www.crypt.gen.nz