Re: Creativity and security

2006-03-27 Thread Joseph Ashwood
- Original Message - 
From: J. Bruce Fields [EMAIL PROTECTED]

Subject: Re: Creativity and security



On Fri, Mar 24, 2006 at 06:47:07PM -, Dave Korn wrote:

  IOW, unless we're talking about a corrupt employee with a photographic
memory and telescopic eyes,


Tiny cameras are pretty cheap these days, aren't they?  The employee
would be taking more of a risk at that point though, I guess.


The one I find scarier is the US restaurant method of handling cards. For 
those of you unfamiliar with it, I hand my card to the waiter/waitress, the 
card disappears behind a wall for a couple of minutes, and my receipt comes 
back for to sign along with my card. Just to see if anyone would notice I 
actually did this experiment with a (trusted) friend that works at a small 
upscale restaurant. I ate, she took my card in the back, without hiding 
anything or saying what she was doing she took out her cellphone, snapped a 
picture, then processes everything as usual. The transaction did not take 
noticably longer than usual, the picture was very clear, in short, if I 
hadn't known she was doing this back there I would never have known. Even at 
a high end restaurant where there are more employees than clients no one 
paid enough attention in the back to notice this. If it wasn't a trusted 
friend doing this I would've been very worried.
   Joe 




-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Entropy Definition (was Re: passphrases with more than 160 bits of entropy)

2006-03-27 Thread David Malone
On Sat, Mar 25, 2006 at 07:26:51PM -0500, John Denker wrote:
 Executive summary:  Small samples do not always exhibit average behavior.

That's not the whole problem - you have to be looking at the right
average too.

For the long run encodability of a set of IID symbols produced with
probability p_i, then that average is the Shannon Entropy.  If
you're interested in the mean number of guesses (per symbol) required
to guess a long word formed from these symbols, then you should be
looking at (\sum_i \sqrt(p_i))^2. Other metrics (min entropy, work
factor, ...) require other averages.

To see this behaviour, you both need a large sample and the right
type of average to match your problem (and I've assumed IID).

David.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Creativity and security

2006-03-27 Thread Anne Lynn Wheeler
Joseph Ashwood wrote:
 The one I find scarier is the US restaurant method of handling cards.
 For those of you unfamiliar with it, I hand my card to the
 waiter/waitress, the card disappears behind a wall for a couple of
 minutes, and my receipt comes back for to sign along with my card. Just
 to see if anyone would notice I actually did this experiment with a
 (trusted) friend that works at a small upscale restaurant. I ate, she
 took my card in the back, without hiding anything or saying what she was
 doing she took out her cellphone, snapped a picture, then processes
 everything as usual. The transaction did not take noticably longer than
 usual, the picture was very clear, in short, if I hadn't known she was
 doing this back there I would never have known. Even at a high end
 restaurant where there are more employees than clients no one paid
 enough attention in the back to notice this. If it wasn't a trusted
 friend doing this I would've been very worried.
Joe

the trivial case from nearly 10 years ago was the waiter in nyc
restaurant (something sticks in my mind it was the Brazilian restaurant
just off times sq) that had pda and small magstripe reader pined to the
inside of their jacket. At some opportunity, they would causally pass
the card down the inside of their lapel (doesn't even really have to
disappear anyplace). This was before wireless and 801.11 ... so the
magstripe images would accumulate in the pda until the waiter took a
break ... and then they would be uploaded to a PC and then to the
internet (hong kong was used as example) ... counterfeit cards would be
on the street (opposite side of the world), still within a few hours at
most.

recent posts mentioning some skimming threats
http://www.garlic.com/~lynn/aadsm22.htm#27 Meccano Trojans coming to
desktop near you

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Creativity and security

2006-03-27 Thread Anne Lynn Wheeler
ref:
http://www.garlic.com/~lynn/aadsm22.htm#30 Creativity and security

and a more recent skimming news item from this month:

Cloned-card scams socking it to bank accounts
http://www.mysanantonio.com/news/metro/stories/MYSA030506.09B.atm_theft.27d5322.html

the above card mentions pins with debit cards ... which is typically
required for atm machines for withdrawing cash ... but the new class of
debit cards with logos can also be used w/o pins at pos terminals (aka
at pos, it is option selection to decide whether the debit card is used
with or w/o pin).

various recent postings mentioning skimming attacks:
http://www.garlic.com/~lynn/2006e.html#2 When *not* to sign an e-mail
message?
http://www.garlic.com/~lynn/2006e.html#3 When *not* to sign an e-mail
message?
http://www.garlic.com/~lynn/2006e.html#4 When *not* to sign an e-mail
message?
http://www.garlic.com/~lynn/2006e.html#10 Caller ID spoofing
http://www.garlic.com/~lynn/2006e.html#21 Debit Cards HACKED now
http://www.garlic.com/~lynn/2006e.html#24 Debit Cards HACKED now
http://www.garlic.com/~lynn/2006e.html#26 Debit Cards HACKED now
http://www.garlic.com/~lynn/2006e.html#30 Debit Cards HACKED now
http://www.garlic.com/~lynn/2006e.html#44 Does the Data Protection Act
of 2005 Make Sense
http://www.garlic.com/~lynn/aadsm22.htm#2 GP4.3 - Growth and Fraud -
Case #3 - Phishing
http://www.garlic.com/~lynn/aadsm22.htm#5 long-term GPG signing key
http://www.garlic.com/~lynn/aadsm22.htm#10 thoughts on one time pads
http://www.garlic.com/~lynn/aadsm22.htm#11 thoughts on one time pads
http://www.garlic.com/~lynn/aadsm22.htm#12 thoughts on one time pads
http://www.garlic.com/~lynn/aadsm22.htm#13 Face and fingerprints swiped
in Dutch biometric passport crack (another card skim vulnerability)
http://www.garlic.com/~lynn/aadsm22.htm#14 thoughts on one time pads
http://www.garlic.com/~lynn/aadsm22.htm#15 thoughts on one time pads
http://www.garlic.com/~lynn/aadsm22.htm#21 FraudWatch - ChipPin, a new
tenner (USD10)
http://www.garlic.com/~lynn/aadsm22.htm#23 FraudWatch - ChipPin, a new
tenner (USD10)
http://www.garlic.com/~lynn/aadsm22.htm#26 FraudWatch - ChipPin, a new
tenner (USD10)
http://www.garlic.com/~lynn/aadsm22.htm#29 Meccano Trojans coming to a
desktop near you


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Creativity and security

2006-03-27 Thread brucee
regardingg the XXXing on receipts it turns out that things aren't
as grim as i thought.  i anlayzed the checksum algorithm and if
you are missing n digits there are 10^(n-1) clashes.

i verified this with a brute force program.

but in the photograph the card scenario ... if one digit is
blurry then you still win because 10^(n-1) is 1.

if two are unknown then mr nasty could try buying stuff from
10 diferent sites.

brucee

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]