Re: PGP master keys

2006-04-29 Thread Anne Lynn Wheeler

Anne Lynn Wheeler wrote:
issues did start showing up in the mid-90s in the corporate world ... 
there were a large number of former gov. employees starting to show up 
in different corporate security-related positions (apparently after 
being turfed from the gov). their interests appeared to possibly reflect 
what they may have been doing prior to leaving the gov.

one of the issues is that corporate/commercial world has had much more 
orientation towards prevention of wrong doing. govs. have tended to be 
much more preoccupied with evidence and prosecution of wrong doing. the 
influx of former gov. employees into the corporate world in the 2nd half 
of the 90s, tended to shift some of the attention from activities 
related to prevention to activities related to evidence and prosecution 
(including eavesdropping).

for lots of drift ... one of the features of the work on x9.59 from the 

was its recognition that insiders had always been a major factor in the 
majority of financial fraud and security breaches. furthermore that with 
various financial functions overloaded for both authentication and 
normal day-to-day operations ... that there was no practical way 
of eliminating all such security breaches with that type of information. 
... part of this is my repeated comment on security proportional to risk

the x9.59 approach was to eliminate the function overload so that the 
same information that was needed for normal day-to-day operation didn't 
also carry with it any authentication feature/attribute. the result was 
that data breaches could still occur, but no longer enabled the 
financial fraud that it once did ... and therefore it didn't really 
represent a serious security breach ... aka the countermeasure to 
financial fraud associated with the data breaches was to recognize that 
it was impossible to totally eliminate them, since the information was 
required extensively in day-to-day business processes, so to prevent the 
wrong doing, the authentication feature/attribute was removed from the 
associated information.

The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
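
The function-overload point above, as an added example that is not part of the original post and not X9.59 itself: a small Python simulation, standard library only, of a "legacy" scheme in which the account data both identifies the account and authorizes a payment, beside a "separated" scheme in which the same account number still travels in the clear but authorization comes from a per-transaction authenticator keyed by a secret that never appears in any record. HMAC stands in for the X9.59 digital signature; the account number, expiry, field names, issuer table and breached transaction log are all constructed for this example.

```python
"""Added example: data breach with and without an authentication
attribute riding on the account data.  All sample data is constructed;
HMAC-SHA256 stands in for an X9.59-style per-transaction signature."""
import hashlib
import hmac
import secrets

# Issuer's account table (constructed).  The per-account key lives only
# here and on the cardholder's device; it is never written to a record.
ACCOUNTS = {
    "4111222233334444": {"exp": "12/09", "key": secrets.token_bytes(32)},
}


# --- legacy scheme: the static card data *is* the authentication ---------
def legacy_authorize(record: dict) -> bool:
    """Accept when the account number and expiry match; nothing else."""
    acct = ACCOUNTS.get(record["pan"])
    return acct is not None and acct["exp"] == record["exp"]


# --- separated scheme: authentication lives in a keyed authenticator ------
def _canonical(pan: str, txid: str, amount: int, merchant: str) -> bytes:
    # Length-prefix every field so two different records never share an encoding.
    parts = [pan, txid, str(amount), merchant]
    return b"".join(len(p).to_bytes(2, "big") + p.encode() for p in parts)


def cardholder_sign(pan: str, key: bytes, txid: str, amount: int, merchant: str) -> dict:
    """What the cardholder's device sends: account number in the clear plus a
    MAC over every transaction-specific field.  The key itself never leaves."""
    mac = hmac.new(key, _canonical(pan, txid, amount, merchant), hashlib.sha256).hexdigest()
    return {"pan": pan, "txid": txid, "amount": amount, "merchant": merchant, "auth": mac}


def separated_authorize(record: dict, seen_txids: set) -> bool:
    """Verify the authenticator, then refuse any transaction id seen before."""
    acct = ACCOUNTS.get(record["pan"])
    if acct is None:
        return False
    expected = hmac.new(
        acct["key"],
        _canonical(record["pan"], record["txid"], record["amount"], record["merchant"]),
        hashlib.sha256,
    ).hexdigest()
    if not hmac.compare_digest(expected, record["auth"]):
        return False
    if record["txid"] in seen_txids:
        return False
    seen_txids.add(record["txid"])
    return True


def breach_scenario() -> dict:
    """A merchant's transaction log leaks; the attacker holds every record
    but not the cardholder's key.  Returns the outcome of each attempt."""
    pan = "4111222233334444"
    acct = ACCOUNTS[pan]
    seen = set()

    legacy_rec = {"pan": pan, "exp": acct["exp"], "amount": 42, "merchant": "grocer"}
    sep_rec = cardholder_sign(pan, acct["key"], "tx-0001", 42, "grocer")
    results = {
        "legacy_genuine": legacy_authorize(legacy_rec),
        "separated_genuine": separated_authorize(sep_rec, seen),
    }

    # Breached log: the attacker now has both records verbatim.
    stolen_legacy, stolen_sep = dict(legacy_rec), dict(sep_rec)

    # Legacy: the stolen data is all that was ever checked, so a new purchase goes through.
    results["legacy_fraud"] = legacy_authorize(
        {**stolen_legacy, "amount": 999, "merchant": "attacker"})
    # Separated: change amount/merchant and pick a fresh txid -> MAC no longer verifies.
    results["separated_tamper"] = separated_authorize(
        {**stolen_sep, "txid": "tx-0002", "amount": 999, "merchant": "attacker"}, seen)
    # Separated: replay the stolen record untouched -> MAC verifies, txid already seen.
    results["separated_replay"] = separated_authorize(stolen_sep, seen)
    # Separated: forge a record outright -> no key, so no valid authenticator.
    forged = {"pan": pan, "txid": "tx-9999", "amount": 999,
              "merchant": "attacker", "auth": "00" * 32}
    results["separated_forge"] = separated_authorize(forged, seen)
    return results


if __name__ == "__main__":
    for name, accepted in breach_scenario().items():
        print(f"{name:20s} {'ACCEPTED' if accepted else 'rejected'}")
```

The breached log still contains the account number in both schemes; the difference is that in the separated scheme that number carries no authorization, so the breach is a privacy incident rather than a fraud enabler. The replay check on the transaction id is the part people forget: without it, a verbatim copy of a genuine signed record would authorize a second time.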

Re: VoIP and phishing

2006-04-29 Thread Bill Stewart

There are two sides to the voice phishing here -
- getting the target to call a phone number you've emailed him
- using cheap voice calls to call the target with your offer.

VOIP doesn't affect the former case much,
since the target is paying for the call,
but it does separate callee geography from phone numbers,
so you can use a plausible phone number (e.g. New York)
that's directed to a location with cheap criminal labor,
without the effort that used to be required to set up
FX numbers or expensive international private lines
or locate your call center in the target's country or state.

I've received one Nigerian 419 phone call, a few years back,
which used a Deaf Relay Operator to relay the call from
the scammer, and apparently they used to be heavy abusers of that service.
VOIP also makes that more practical, and somebody's coined
the term spit to refer to Spam over IP Telephony.

But phone calls are cheap enough that labor is the
dominant cost of the calls.  I receive frequent
offers to refinance my mortgage or get credit cards
that use presumably-standard phone banks, usually calling
from India and claiming to be US banks.
For all I know, they really are legitimate rude bankers
instead of scammers, but I don't care either way.
VOIP may have replaced voice over frame as the transmission medium,
but it's often an enabling technology for the telco rather than
voice over internet to the end user.

I've been at a lot of telecom trade shows recently,
and vendors have been showing off session border controllers
and various security devices and presence servers,
and while there are lots of tools to let the recipient
indicate whether he's accepting calls or not,
there doesn't seem to be much out there to detect and
reject unwanted calls wholesale.  Most of what I've seen
that's somewhat in that direction are buddy-list tools that
let your spouse/boss/etc. reach you directly and divert other
callers to voice mail or whatever, but within a year or two
we'll start needing to get more sophisticated filters the
way we do with email.


Government says EFF suit against AT&T might reveal secrets!

2006-04-29 Thread Perry E. Metzger

The US government wants to intervene to request dismissal of EFF's
lawsuit against AT&T -- the one alleging that it violated federal law
by permitting warrantless wiretapping.

One wonders what sort of state secret could still be secret here now
that the basics of the story have been revealed. Everyone knows that
if they're tapping phones they have to be doing it *somewhere*. The
most interesting thing, though, is the intervention itself, which
implies that EFF is right and AT&T *was* allowing the NSA to put in
equipment wherever it liked.

The New York Times is also covering the story:

Though sadly that link will stop working soon as part of the
New York Times's effort to lose market share.



Re: History and definition of the term 'principal'?

2006-04-29 Thread Florian Weimer
* Hadmut Danisch:

 The only precise definition I found is in a law dictionary where it is
 defined as a legal term.

The OED might also be helpful:

  B. [...] 2. a. A chief actor or doer; the chief person engaged in
  some transaction or function, esp. in relation to one employed by or
  acting for him (deputy, agent, etc.); the person for whom and by
  whose authority another acts.
  [...] 1962 H.O. Beecheno Introd. Business Stud. xiii. 117 Whereas an
  agent is not normally allowed to relend his principal's money at
  interest .. a bank is allowed to do this.  1976 Times 22
  Par. (Baltic Exchange Suppl.) p. i/9 The Baltic is unusual in being
  open both to middle men and principals.

I think this is a strong indication that the term is used in one of
its original meanings.  It also explained why nobody thinks it's
necessary to define it properly.
