Re: Creativity and security
----- Original Message -----
From: "J. Bruce Fields" <[EMAIL PROTECTED]>
Subject: Re: Creativity and security

> On Fri, Mar 24, 2006 at 06:47:07PM -, Dave Korn wrote:
> > IOW, unless we're talking about a corrupt employee with a photographic
> > memory and telescopic eyes,
>
> Tiny cameras are pretty cheap these days, aren't they? The employee
> would be taking more of a risk at that point though, I guess.

The one I find scarier is the US restaurant method of handling cards. For those of you unfamiliar with it, I hand my card to the waiter/waitress, the card disappears behind a wall for a couple of minutes, and my receipt comes back for me to sign along with my card.

Just to see if anyone would notice, I actually did this experiment with a (trusted) friend who works at a small upscale restaurant. I ate, she took my card in the back, and without hiding anything or saying what she was doing she took out her cellphone, snapped a picture, then processed everything as usual. The transaction did not take noticeably longer than usual, and the picture was very clear; in short, if I hadn't known she was doing this back there I would never have known. Even at a high end restaurant where there are more employees than clients, no one paid enough attention in the back to notice this. If it wasn't a trusted friend doing this I would've been very worried.

Joe

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Entropy Definition (was Re: passphrases with more than 160 bits of entropy)
On Sat, Mar 25, 2006 at 07:26:51PM -0500, John Denker wrote:
> Executive summary: Small samples do not always exhibit "average" behavior.

That's not the whole problem - you have to be looking at the right "average" too.

For the long run encodability of a set of IID symbols produced with probability p_i, that average is the Shannon entropy. If you're interested in the mean number of guesses (per symbol) required to guess a long word formed from these symbols, then you should be looking at (\sum_i \sqrt{p_i})^2. Other metrics (min entropy, work factor, ...) require other "averages".

To see this behaviour, you need both a large sample and the right type of average to match your problem (and I've assumed IID).

David.
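To make the point about picking the right "average" concrete, here is an added example (not code from the thread) that computes the Shannon entropy, the guessing rate (\sum_i \sqrt{p_i})^2 and the exact expected number of guesses for n-symbol words from a constructed IID source p = (0.7, 0.1, 0.1, 0.1). Grouping words by letter counts to get an exact answer for long words is an approach assumed here, not something the message describes.

```python
import math

# Constructed skewed IID source for illustration (not a distribution from the thread).
P_SKEWED = (0.7, 0.1, 0.1, 0.1)

def shannon_bits(p):
    """Shannon entropy in bits: the 'average' that governs long-run encodability."""
    return -sum(x * math.log2(x) for x in p if x > 0)

def guessing_rate(p):
    """(sum_i sqrt(p_i))^2: per-symbol growth rate of the expected number of
    guesses for a long IID word (2 ** Renyi entropy of order 1/2)."""
    return sum(math.sqrt(x) for x in p) ** 2

def compositions(n, m):
    """All ways to split n symbol slots into counts for an m-letter alphabet."""
    if m == 1:
        yield (n,)
        return
    for first in range(n + 1):
        for rest in compositions(n - first, m - 1):
            yield (first,) + rest

def expected_guesses(p, n):
    """Exact expected number of guesses to hit an n-symbol IID word when words
    are tried in decreasing order of probability (the optimal order). Words
    with the same letter counts share one probability, so they are handled as
    a group; this stays exact for n far beyond brute-force enumeration."""
    groups = []
    for counts in compositions(n, len(p)):
        size = math.factorial(n)
        for c in counts:
            size //= math.factorial(c)          # multinomial coefficient
        prob = math.prod(x ** c for x, c in zip(p, counts))
        groups.append((prob, size))
    groups.sort(reverse=True)                   # most probable words first
    total, tried = 0.0, 0
    for prob, size in groups:
        total += prob * size * (tried + (size + 1) / 2)  # mean rank in group
        tried += size
    return total

if __name__ == "__main__":
    p = P_SKEWED
    print(f"2^(Shannon bits) = {2 ** shannon_bits(p):.4f}")
    print(f"1/p_max          = {1 / max(p):.4f}   (min-entropy)")
    print(f"(sum sqrt p_i)^2 = {guessing_rate(p):.4f}")
    # Below 2^H for short words, approaching (sum sqrt p_i)^2 only for long ones.
    for n in (1, 2, 5, 10, 20, 40, 80):
        print(f"n={n:3d}: E[guesses]^(1/n) = {expected_guesses(p, n) ** (1 / n):.4f}")
```

The per-symbol guessing cost for short words sits below 2^H and only climbs toward (\sum_i \sqrt{p_i})^2 as n grows, which is exactly why a small sample and the wrong average both mislead.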
Re: Creativity and security
Joseph Ashwood wrote:
> The one I find scarier is the US restaurant method of handling cards.
> For those of you unfamiliar with it, I hand my card to the
> waiter/waitress, the card disappears behind a wall for a couple of
> minutes, and my receipt comes back for me to sign along with my card. Just
> to see if anyone would notice I actually did this experiment with a
> (trusted) friend that works at a small upscale restaurant. I ate, she
> took my card in the back, without hiding anything or saying what she was
> doing she took out her cellphone, snapped a picture, then processed
> everything as usual. The transaction did not take noticeably longer than
> usual, the picture was very clear, in short, if I hadn't known she was
> doing this back there I would never have known. Even at a high end
> restaurant where there are more employees than clients no one paid
> enough attention in the back to notice this. If it wasn't a trusted
> friend doing this I would've been very worried.
> Joe

the trivial case from nearly 10 years ago was the waiter in a nyc restaurant (something sticks in my mind that it was the Brazilian restaurant just off times sq) that had a pda and small magstripe reader pinned to the inside of their jacket. At some opportunity, they would casually pass the card down the inside of their lapel (it doesn't even really have to disappear anyplace).

This was before wireless and 802.11 ... so the magstripe images would accumulate in the pda until the waiter took a break ... and then they would be uploaded to a PC and then to the internet (hong kong was used as an example) ... counterfeit cards would be on the street (on the opposite side of the world) still within a few hours at most.

recent posts mentioning some skimming threats
http://www.garlic.com/~lynn/aadsm22.htm#27 Meccano Trojans coming to desktop near you
Re: Creativity and security
ref:
http://www.garlic.com/~lynn/aadsm22.htm#30 Creativity and security

and a more recent skimming news item from this month:

Cloned-card scams socking it to bank accounts
http://www.mysanantonio.com/news/metro/stories/MYSA030506.09B.atm_theft.27d5322.html

the above card mentions pins with debit cards ... which is typically required for atm machines for withdrawing cash ... but the new class of debit cards with logos can also be used w/o pins at pos terminals (aka at pos, it is an option selection to decide whether the debit card is used with or w/o pin).

various recent postings mentioning skimming attacks:
http://www.garlic.com/~lynn/2006e.html#2 When *not* to sign an e-mail message?
http://www.garlic.com/~lynn/2006e.html#3 When *not* to sign an e-mail message?
http://www.garlic.com/~lynn/2006e.html#4 When *not* to sign an e-mail message?
http://www.garlic.com/~lynn/2006e.html#10 Caller ID "spoofing"
http://www.garlic.com/~lynn/2006e.html#21 Debit Cards HACKED now
http://www.garlic.com/~lynn/2006e.html#24 Debit Cards HACKED now
http://www.garlic.com/~lynn/2006e.html#26 Debit Cards HACKED now
http://www.garlic.com/~lynn/2006e.html#30 Debit Cards HACKED now
http://www.garlic.com/~lynn/2006e.html#44 Does the Data Protection Act of 2005 Make Sense
http://www.garlic.com/~lynn/aadsm22.htm#2 GP4.3 - Growth and Fraud - Case #3 - Phishing
http://www.garlic.com/~lynn/aadsm22.htm#5 long-term GPG signing key
http://www.garlic.com/~lynn/aadsm22.htm#10 thoughts on one time pads
http://www.garlic.com/~lynn/aadsm22.htm#11 thoughts on one time pads
http://www.garlic.com/~lynn/aadsm22.htm#12 thoughts on one time pads
http://www.garlic.com/~lynn/aadsm22.htm#13 Face and fingerprints swiped in Dutch biometric passport crack (another card skim vulnerability)
http://www.garlic.com/~lynn/aadsm22.htm#14 thoughts on one time pads
http://www.garlic.com/~lynn/aadsm22.htm#15 thoughts on one time pads
http://www.garlic.com/~lynn/aadsm22.htm#21 FraudWatch - Chip&Pin, a new tenner (USD10)
http://www.garlic.com/~lynn/aadsm22.htm#23 FraudWatch - Chip&Pin, a new tenner (USD10)
http://www.garlic.com/~lynn/aadsm22.htm#26 FraudWatch - Chip&Pin, a new tenner (USD10)
http://www.garlic.com/~lynn/aadsm22.htm#29 Meccano Trojans coming to a desktop near you
Re: Creativity and security
regarding the XXXing on receipts, it turns out that things aren't as grim as i thought. i analyzed the checksum algorithm and if you are missing n digits there are 10^(n-1) clashes. i verified this with a brute force program.

but in the "photograph the card" scenario ... if one digit is blurry then you still win because 10^(n-1) is 1. if two are unknown then mr nasty could try buying stuff from 10 different sites.

brucee
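A check of the 10^(n-1) figure above, added here and not code from the post: it assumes the checksum in question is the Luhn check digit carried by payment card numbers, and uses the standard 4111... Luhn test value as a constructed input with some digits replaced by X. Counting (not listing) the completions that pass shows how little the check digit protects: all but one of the unknown digits are free, so the only thing guarding the number is how many digits the receipt actually hides.

```python
from itertools import product

# Constructed input: the well-known 4111... Luhn test number, masked with X.
MASKED_RECEIPT = "4111 1111 1111 11XX"

def luhn_valid(digits):
    """Luhn check: double every second digit from the right (subtracting 9 if
    the result exceeds 9) and require the digit sum to be 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def count_valid_completions(masked):
    """Number of ways to fill the 'X' positions so the result passes Luhn.
    Doubling maps 0..9 onto a permutation of 0..9, so once all but one unknown
    digit are fixed exactly one value of the last works: 10**(n-1) for n unknowns."""
    chars = [c for c in masked if c.isdigit() or c == "X"]
    unknown = [i for i, c in enumerate(chars) if c == "X"]
    valid = 0
    for combo in product("0123456789", repeat=len(unknown)):
        for pos, d in zip(unknown, combo):
            chars[pos] = d
        valid += luhn_valid(chars)
    return valid

def clash_formula(n_unknown):
    """brucee's figure: 10^(n-1) Luhn-valid candidates for n >= 1 unknown digits."""
    assert n_unknown >= 1
    return 10 ** (n_unknown - 1)

if __name__ == "__main__":
    for mask in ("4111 1111 1111 111X", MASKED_RECEIPT, "4111 1111 1111 1XXX"):
        n = mask.count("X")
        print(f"{mask}: {count_valid_completions(mask)} valid completions, "
              f"formula gives {clash_formula(n)}")
    # A receipt masked to the last four digits leaves 12 unknown.
    print("12 unknown digits:", clash_formula(12), "Luhn-valid candidates")
```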