Re: Cookie Monster

2008-09-20 Thread Matt Curtin
On Wed, Sep 17, 2008 at 6:39 PM, EMC IMAP <[EMAIL PROTECTED]> wrote:

> It turns out hardly anyone bothers to mark their cookies secure.  In
> Firefox, if you list your cookies, you can sort on the Secure field.  I only
> found a couple of cookies marked - mainly from American Express, one of the
> few sites that gets this right.  (Bank of America, for example, doesn't;
> Gmail with the new HTTPS-only setting does, but other Google services
> don't.)

This isn't a new problem.  I might be inclined to argue that it used
to be worse in terms of vulnerability (though today it's worse in the
asset exposed through vulnerability, e.g., a stolen session can be a
bigger problem today than it was).  We found the same problem with the
BankOne Online site eight years ago.  The part that we found
significant about that was that the UserID field then was a working
customer payment card number.
http://www.interhack.net/pubs/bankone-online/

Back-end systems for dealing with authentication of sessions and so on
tend to be more sophisticated these days, which also helps.  While
this is probably happening very little if at all in systems like
Web-based email, at least in higher-value Web applications there is
better detection of fraud.  In particular, I am seeing more systems
that are paying attention to source IP addresses in combination with
other factors like cookies to determine whether the request is
legitimate.

-- 
Matt Curtin, author of Brute Force: Cracking the Data Encryption Standard
Founder of Interhack Corporation +1 614 545 4225 http://web.interhack.com/

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
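The check EMC IMAP describes doing by hand in the Firefox cookie list can be scripted against a server's own Set-Cookie headers. The following is an added example, not code from either poster: a small parser that audits each Set-Cookie header for the Secure attribute (the point of the thread) and, as a practitioner would also want, HttpOnly, plus a function that emits the hardened form. The response head, host and cookie names are constructed for illustration.

```python
from typing import List, NamedTuple, Tuple


class CookieAudit(NamedTuple):
    name: str
    secure: bool
    httponly: bool
    problems: Tuple[str, ...]


def parse_set_cookie(value: str) -> CookieAudit:
    """Parse the value of one Set-Cookie header and report missing flags.

    Attribute names are matched case-insensitively, as browsers do.
    """
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    secure = "secure" in attrs
    httponly = "httponly" in attrs
    problems = []
    if not secure:
        # Without Secure the browser sends this cookie on any http:// request
        # to the host, so a passive eavesdropper who can induce one plaintext
        # fetch captures the session.
        problems.append("missing Secure")
    if not httponly:
        problems.append("missing HttpOnly")
    return CookieAudit(name, secure, httponly, tuple(problems))


def audit_response(raw_response: str) -> List[CookieAudit]:
    """Audit every Set-Cookie header in a raw HTTP response head."""
    audits = []
    for line in raw_response.splitlines():
        header, sep, value = line.partition(":")
        if sep and header.strip().lower() == "set-cookie":
            audits.append(parse_set_cookie(value.strip()))
    return audits


def harden_set_cookie(value: str) -> str:
    """Return the Set-Cookie value with Secure and HttpOnly appended if absent."""
    audit = parse_set_cookie(value)
    hardened = value.rstrip().rstrip(";")
    if not audit.secure:
        hardened += "; Secure"
    if not audit.httponly:
        hardened += "; HttpOnly"
    return hardened


# Constructed sample response; the cookie names and values are invented.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: SESSIONID=7f3a9c; Path=/; HttpOnly
Set-Cookie: authtoken=d41d8c; Path=/; Secure; HttpOnly
Set-Cookie: prefs=compact; Path=/
"""

if __name__ == "__main__":
    for audit in audit_response(SAMPLE_RESPONSE):
        status = "ok" if not audit.problems else ", ".join(audit.problems)
        print(f"{audit.name:<10} {status}")
```

The audit only tells you what the server asked for; whether a given cookie carries a session at all is something you still have to establish by reading the application. Marking a cookie Secure does nothing for a site that also serves the login page over plaintext.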


Re: street prices for digital goods?

2008-09-20 Thread David Molnar

John Ioannidis wrote:

> Hmmm... how about a market-data feed for warez?

That would be useful for research. My colleague Karl Chen pointed out 
that it would probably be more useful for the underground market.


For the case of drug street prices, the U.S. Drug Enforcement Agency 
does keep a database of prices, called STRIDE, obtained from informant 
and undercover agent buys of drugs. These are records from actual buys, 
so they partially address the concern Richard Clayton raises about going 
by advertised list price -- but there are concerns (to which Richard 
alludes) about whether agents systematically overpay or informants 
systematically lie about the price they paid for drugs in order to 
pocket the difference between money given to them for drug buys and the 
actual price.


STRIDE also includes data on purity of drugs assayed in DEA labs. This 
includes drugs seized by the feds, but not usually drugs seized by local 
agencies. There's actually a trio of papers here in particular that 
might be of interest to people who want to look at possible parallels 
between data gathering on drug street prices and illegal digital goods.


The first is an overview paper that discusses the conceptual and 
practical problems in doing price and purity analyses over time for 
illegal drugs. The paper also points out some interesting features of 
the drug market. For example, the author points out that drugs are 
"experience goods." That is, the purchaser does not know the actual 
quality of the good until after making the purchase. For drugs, quality 
means purity of the drug. What this boils down to is that when looking 
at time series of drug street prices, it turns out you need to model 
what the buyer believes the purity of the drug will be to make sense of 
the data.


"Price and purity analysis for illicit drugs: Data and conceptual issues"
J.P. Caulkins
Drug and Alcohol Dependence , Volume 90 , Pages S61 - S68
http://linkinghub.elsevier.com/retrieve/pii/S0376871606003061
(Unfortunately the article is behind a paywall.)

The second looks at the STRIDE data and argues it is not suitable for 
use in economic analyses of the drug market. The primary criticism is 
that the data are mainly gathered from buys intended to produce evidence 
for busts, except for a smaller program aimed solely at heroin. They are 
therefore not a uniform sample of any kind. More interesting to me, 
however, is the author's contention that the data are not internally 
consistent: he is able to separate out prices reported by the DEA from 
prices reported by the DC metro police, then does an analysis showing 
that the two agencies report a statistically significant difference in 
prices. He concludes that the difference is greater than can be 
accounted for by normal price differences within a single city and that 
therefore something is wrong with the data.


"Should the DEA's STRIDE Data Be Used for Economic Analyses of Markets 
for Illegal Drugs?"
Horowitz, Joel L
http://www.biz.uiowa.edu/econ/papers/uia/STRIDE_rev1a.pdf

The third and final paper is a rebuttal of the second. The authors claim 
that the second paper improperly lumps together retail and wholesale 
purchases of illegal drugs. They also claim that the second paper does 
not properly account for the relationship between price and purity of a 
drug. Once they toss the appropriate magic indicator variables into 
their regressions and stratify by purchase type, the supposed conflict 
between DEA and DC police reported prices disappears.


Why the DEA STRIDE Data are Still Useful for Understanding Drug Markets
Jeremy Arkes, Rosalie Liccardo Pacula, Susan M. Paddock, Jonathan P. 
Caulkins, Peter Reuter

NBER Working Paper No. 14224
Issued in August 2008
http://www.nber.org/papers/w14224
(Also paywalled, unfortunately)

What is the relevance to us? Well, I see a couple of points:

1) Like drugs, compromised PayPal accounts appear to be experience 
goods. In the case of drugs, quality is purity. In the case of 
compromised PayPal accounts, quality is something like the amount of 
money that can be successfully moved out of the account. Therefore, I 
would expect the same kind of modelling the buyer's "expected quality" 
of the good would be useful for us. In particular, failing to take it 
into account when analyzing price series could lead to the same kind of 
internal inconsistencies noted by Horowitz.


Not clear to me where other illegal digital goods stand. Botnets for 
example seem easy enough to test whether they are real. Also as Peter 
Gutmann points out, escrow services are possible and exist with illegal 
digital goods to aid fair exchange -- this is not reported for drugs.


2) Unlike STRIDE, the data sets we have reported so far were gathered 
specifically for research in mind, and not as part of some other 
mission. Unfortunately, they still are almost certainly not uniform 
samples of illegal prices, and unlike STRIDE, as pointed out, they are 
not actual t

Re: Lava lamp random number generator made useful?

2008-09-20 Thread IanG
Jerry Leichter wrote:

> At ThinkGeek, you can now, for only $6.99, buy yourself a USB-powered
> mini lava lamp (see http://www.thinkgeek.com/gadgets/lights/7825/). 
> "All you need" is some way to watch the thing - perhaps a USB camera -
> and some software to extract random bits.  (This isn't *really* a lava
> lamp - the lamp is filled with a fluid containing many small reflective
> plastic chips, lit from below by a small incandescent bulb which also
> generates the heat that keeps the fluid circulating.  From any given
> vantage point, you get flashes as one of the plastic chips gets into
> just the right position to give you a reflected view of the bulb.  These
> should be pretty easy to extract, and should be quite random.  Based on
> observation, the bit rate won't be very high - a bit every couple of
> seconds - though perhaps you can use cameras at a couple of vantage
> points.  Still, worth it for the bragging rights.)


Does anyone know of a cheap USB random number source?

As a meandering comment, it would be extremely good for us if we had
cheap pocket random number sources of arguable quality [1].

I've often thought that if we had an open source hardware design of
a USB random number generator ... that cost a few pennies to add
onto any other USB toy ... then we could ask the manufacturers to
throw it in for laughs.  Something like a small mountable disk that
returns randoms on every block read, so the interface is trivial.

Then, when it comes time to generate those special keys, we could
simply plug it in, run it, clean up the output in software and use
it.  Hey presto, all those nasty software and theoretical
difficulties evaporate.

iang

[1] the competitive process and a software clean-up would sort out
any quality issues.

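The "clean up the output in software" step that iang leaves to a footnote is where the real work is, so here is an added example (not from the post, and not any product's firmware) of the two pieces such a clean-up needs: von Neumann debiasing, which removes a constant bias from independent bits at the cost of discarding at least half of them, and a hash-based conditioner (SHA-256 here) that cannot create entropy and is therefore gated on a crude min-entropy estimate. The "device" is a seeded PRNG constructed to stand in for a raw USB source; it has no real entropy and exists only so the numbers can be checked. The safety factor of 2 is an arbitrary choice for illustration.

```python
import hashlib
import math
import random
from typing import List, Sequence


def von_neumann_debias(bits: Sequence[int]) -> List[int]:
    """Classic von Neumann extractor.

    Consecutive bits are taken in pairs: 01 -> 0, 10 -> 1, 00 and 11 are
    dropped.  If the bits are independent with a constant (unknown) bias the
    output is unbiased; the price is throwing away at least half the input.
    """
    it = iter(bits)
    return [a for a, b in zip(it, it) if a != b]


def fraction_ones(bits: Sequence[int]) -> float:
    if not bits:
        return 0.0
    return sum(bits) / len(bits)


def min_entropy_per_bit(bits: Sequence[int]) -> float:
    """Min-entropy of an i.i.d. biased bit, -log2(max(p, 1-p)).

    This assumes independence, which a real device may not give you; treat
    it as a sanity check, not an entropy assessment.
    """
    p = fraction_ones(bits)
    return -math.log2(max(p, 1.0 - p))


def pack_bits(bits: Sequence[int]) -> bytes:
    """Pack a bit list MSB-first into bytes, zero-padding the final byte."""
    padded = list(bits) + [0] * (-len(bits) % 8)
    return bytes(
        int("".join(str(b) for b in padded[i:i + 8]), 2)
        for i in range(0, len(padded), 8)
    )


def condition(bits: Sequence[int], out_bytes: int = 32,
              safety_factor: float = 2.0) -> bytes:
    """Hash the bits down to out_bytes, refusing to run on too little entropy.

    Hashing spreads whatever entropy is present evenly over the output but
    cannot add any, so the input must carry at least safety_factor times as
    many bits of estimated min-entropy as we intend to emit.
    """
    needed = out_bytes * 8 * safety_factor
    available = len(bits) * min_entropy_per_bit(bits)
    if available < needed:
        raise ValueError(
            f"only ~{available:.0f} bits of min-entropy, need {needed:.0f}")
    return hashlib.sha256(pack_bits(bits)).digest()[:out_bytes]


def biased_source(n: int, p_one: float = 0.7, seed: int = 1234) -> List[int]:
    """Constructed stand-in for a raw hardware source: a seeded PRNG, so it
    has no real entropy.  Emits 1 with probability p_one."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


if __name__ == "__main__":
    raw = biased_source(20_000)
    clean = von_neumann_debias(raw)
    print(f"raw:      {len(raw)} bits, P(1) = {fraction_ones(raw):.3f}")
    print(f"debiased: {len(clean)} bits, P(1) = {fraction_ones(clean):.3f}")
    print("key:", condition(clean).hex())
```

The debiaser fixes bias but not correlation between neighbouring bits, which a cheap device is likely to have; that is why the hash step and the entropy gate are kept separate from it, and why, in practice, you would feed a device like this into the operating system's pool rather than use its output as a key directly.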