a fraud is a sale, Re: The bank fraud blame game

2007-07-03 Thread Ed Gerck
Nicholas Bohm wrote: That is why efforts by banks to shift the risk to the customer are pernicious - they distort the incentive the bank ought to have to get the security right. Yes. Today, under current practice, there's actually a strong incentive to keep existing fraud levels than to try

fyi: UK National Information Assurance Strategy Launched

2007-07-03 Thread Jeff . Hodges
From: Peter Tomlinson [EMAIL PROTECTED] Subject: National IA Strategy To: [EMAIL PROTECTED] Date: Mon, 02 Jul 2007 16:00:16 +0100 From http://www.cabinetoffice.gov.uk/csia/ : News National Information Assurance Strategy launched

Re: Quantum Cryptography

2007-07-03 Thread John Denker
On 07/01/2007 05:55 AM, Peter Gutmann wrote: One threat model (or at least failure mode) that's always concerned me deeply about QC is that you have absolutely no way of checking whether it's working as required. With any other mechanism you can run test vectors through it, run

Re: The bank fraud blame game

2007-07-03 Thread Stefan Lucks
[EMAIL PROTECTED] (Peter Gutmann) writes: (The usage model is that you do the UI portion on the PC, but perform the actual transaction on the external device, which has a two-line LCD display for source and destination of transaction, amount, and purpose of the transaction. All communications

Re: TPM hacking

2007-07-03 Thread Sean W. Smith
Yes, and that's why we cited Kauer on the page, in Evan's paper, and in the video! http://os.inf.tu-dresden.de/papers_ps/kauer07-oslo.pdf (mainly section 2; section 2.2 describes the TPM Reset trick) - The Cryptography

remote-attestation is not required (Re: The bank fraud blame game)

2007-07-03 Thread Adam Back
I do not believe the mentioned conflict exists. The aim of these calculator-like devices is to make sure that no malware, virus etc can create unauthorized transactions. The user should still be able to debug, and inspect the software in the calculator-like device, or virtual software

Using crypto to prevent printer cartridge ink refills

2007-07-03 Thread Perry E. Metzger
Quoting: Cryptography Research Inc. (CRI), a San Francisco company, is developing chip technology aimed at helping printer manufacturers protect this primary source of profit. The company's chips use cryptography designed to make it harder for printers to use off-brand and

Re: The bank fraud blame game

2007-07-03 Thread Philipp G├╝hring
Hi, The problem I found (during my research for http://www.cacert.at/svn/sourcerer/CAcert/SecureClient.pdf ) for Smartcards and other external devices for secure banking is the following: About 50% of the online-banking users are doing personal online banking on company PCs, while they are at

Re: remote-attestation is not required (Re: The bank fraud blame game)

2007-07-03 Thread Hal Finney
Adam Back [EMAIL PROTECTED] writes: I do not believe the mentioned conflict exists. The aim of these calculator-like devices is to make sure that no malware, virus etc can create unauthorized transactions. The user should still be able to debug, and inspect the software in the

Re: The bank fraud blame game

2007-07-03 Thread Anne Lynn Wheeler
Adam Shostack wrote: It may be, indeed. You're going (as Lynn pointed out in another post) to be fighting an uphill battle against the last attempts. I don't think smartcards (per se) are the answer. What you really need is something like a palm pilot, with screen and input and a reasonably

Re: a fraud is a sale, Re: The bank fraud blame game

2007-07-03 Thread Anne Lynn Wheeler
Ed Gerck wrote: Yes. Today, under current practice, there's actually a strong incentive to keep existing fraud levels than to try to scrub it out -- fraud has become a sale: thread from earlier this year ... when over a period of a month or so there were several releases that essentially had

Re: remote-attestation is not required (Re: The bank fraud blame game)

2007-07-03 Thread John Levine
I do not believe the mentioned conflict exists. The aim of these calculator-like devices is to make sure that no malware, virus etc can create unauthorized transactions. The user should still be able to debug, and inspect the software in the calculator-like device, or virtual software

Re: Quantum Cryptography

2007-07-03 Thread Paul Hoffman
At 5:11 PM -0400 7/2/07, John Denker wrote: By that I mean: -- the integrity of DH depends fundamentally on the algorithm, so you should verify the algorithmic theory, and then verify that the box implements the algorithm correctly; while -- in the simple case, the integrity of quantum