Re: Fw: [IP] Malware kills 154

2010-08-23 Thread John Levine
 Authorities investigating the 2008 crash of Spanair flight 5022
 have discovered a central computer system used to monitor technical
 problems in the aircraft was infected with malware
 
 http://www.msnbc.msn.com/id/38790670/ns/technology_and_science-security/?gt1=43001

This was very poorly reported.  The malware was on a ground system that
wouldn't have provided realtime warnings of the configuration problem
that caused the plane to crash anyway.

R's,
John

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Re: Has there been a change in US banking regulations recently?

2010-08-13 Thread John Levine
What on earth happened?  Was there a change in banking regulations in
the last few months?

No, but we know that banks move in herds, and they mostly talk to each
other, not anyone with outside expertise.

More likely someone noticed that computers are a lot faster than they
were a decade ago, you can do all the crypto you want and your 8 core
3 GHz servers are still I/O bound, so the traditional folklore that
SSL is so slow you use it only where absolutely mandatory no longer
applies and you might as well use SSL on everything.  Then he went to
a meeting and told all his friends.

I've been noticing something similar at abuse.net, a service I run
where people can publish their domains' abuse contacts.  The folklore
in small credit unions is that you're supposed to hide your domain's
registration details using a proxy service, I think due to a
misreading of an old letter from the NCUA.  Earlier this year someone
at a meeting must have told them that it would be a good idea to
register with abuse.net, so I've been getting a stream of attempted
registrations from small credit unions with proxy registration, which
I reject.  About half of them get the hint, turn off the proxy, and
try again, the other half give up.

R's,
John



Re: Five Theses on Security Protocols

2010-07-31 Thread John Levine
Nice theses.  I'm looking forward to the other 94.  The first one is a
nice summary of why DKIM might succeed in e-mail security where S/MIME
failed.  (Succeed as in, people actually use it.)

2 A third party attestation, e.g. any certificate issued by any modern
  CA, is worth exactly as much as the maximum liability of the third
  party for mistakes. If the third party has no liability for
  mistakes, the certification is worth exactly nothing. All commercial
  CAs disclaim all liability.

Geotrust, to pick the one I use, has a warranty of $10K on their cheap
certs and $150K on their green bar certs.  Scroll down to the bottom
of this page where it says Protection Plan:

http://www.geotrust.com/resources/repository/legal/

It's not clear to me how much this is worth, since it seems to warrant
mostly that they won't screw up, e.g., leak your private key, and
they'll only pay to the party that bought the certificate, not third
parties that might have relied on it.

R's,
John



Re: Crypto dongles to secure online transactions

2009-11-25 Thread John Levine
we claimed we do something like two orders magnitude reduction in
fully-loaded costs by going to no personalization (and other things)
...

My concern with that would be that if everyone uses the same
signature scheme and token, the security of the entire industry
becomes dependent on the least competent bank in the country not
leaking the verification secret.

For something like a chip+pin system it is my understanding that the
signature algorithm is in the chip and different chips can use
different secrets and different algorithms, so a breach at one bank
need not compromise all the others.

R's,
John



Re: Crypto dongles to secure online transactions

2009-11-18 Thread John Levine
 In this case, heck, no.  The whole point of this thing is that it is
 NOT remotely programmable to keep malware out.

Which is perhaps why it is not a good idea to embed an SSL engine in such
a device.

Agreed.  A display and signing engine would be quite adequate.

Such a device does however need to be able to support multiple mutually
distrusting verifiers, thus the destination public key is managed by
the untrusted PC + browser, only the device signing key is inside
the trust boundary. A user should be able to enroll the same device
with another bank, ...

If you really need the ability to do that, I'd think it would be
better to make an expandable version into which you could plug each
bank's chip+pin cards, not try to invent a super-protocol for
downloading a bank's preferred keys.

R's,
John



Re: Crypto dongles to secure online transactions

2009-11-17 Thread John Levine
 So should or should not an embedded system have a remote management
 interface?

In this case, heck, no.  The whole point of this thing is that it is
NOT remotely programmable to keep malware out.

If you have a modest and well-defined spec, it is well within our
abilities to produce reliable code.  People write software for medical
devices and vehicle control which is not remotely updated, and both
our pacemakers and our cars are adequately reliable.  If you define
the spec carefully enough that you can expect to make a million
devices, the cost of even very expensive software is lost in the
noise.

R's,
John



Crypto dongles to secure online transactions

2009-11-08 Thread John Levine
At a meeting a few weeks ago I was talking to a guy from BITS, the
e-commerce part of the Financial Services Roundtable, about the way
that malware infected PCs break all banks' fancy multi-password logins
since no matter how complex the login process, a botted PC can wait
until you login, then send fake transactions during your legitimate
session.  This is apparently a big problem in Europe.

I told him about an approach to use a security dongle that puts the
display and confirmation outside the range of the malware, and
although I thought it was fairly obvious, he'd apparently never heard
it before.  When I said I'd been thinking about it for a while, he
asked if I could write it up so we could discuss it further.

So before I send it off, if people have a moment could you look at it
and tell me if I'm missing something egregiously obvious?  Tnx.

I've made it an entry in my blog at

http://weblog.johnlevine.com/Money/securetrans.html 

Ignore the 2008 date, a temporary fake to keep it from showing up on
the home page and RSS feed.

R's,
John



Re: Collection of code making and breaking machines

2009-10-20 Thread John Levine
A bit too far for a quick visit (at least for me):
http://news.bbc.co.uk/2/hi/uk_news/england/8241617.stm

Bletchley Park is always worth a visit, with or without a special
exhibit, as is the adjacent National Museum of Computing which houses
Colossus and a lot more interesting stuff.

An important difference between this museum and computer museums in
the US is that lots of the stuff works.  The rebuilt bombe actually
works.  The rebuilt Colossus actually works.  An impressive number of
the old computers in the NMC work, including a room of old personal
computers that are set up so you can use them.

Not at all coincidentally, Bletchley is an easy day trip from
Cambridge, Oxford, and London.  (That's why they put Bletchley Park at
Bletchley Park.)

R's,
John



Re: Seizing the Enigma

2009-08-14 Thread John Levine
Speaking of seizing an Enigma, here's a picture of a handy one rotor
version I got at Bletchley Park.  The rotor flips over so there's two
possible rotors and the determined cryptographer can use multiple
rotors by making several passes manually over the data.

http://www.taugh.com/enigma.jpeg

You can order your own here:

http://www.bletchleypark.org.uk/shop/view_product.rhtm/130864/238505/detail.html

R's,
John



Re: CSPRNG algorithms

2009-05-01 Thread John Levine
I have never seen a good catalog of computationally-strong
pseudo-random number generators.

Chapter 3 of Knuth's TAOCP is all about pseudo-random number
generators, starting with a fine example of the wrong way to do it.
My copy is several thousand miles away but my recollection is that his
main advice was to stick to linear congruential PRNGs, perhaps with a
buffered postpass to scramble up the order or the results.

It's certainly a good place to start.

R's,
John

[Moderator's note: none of the generators in TAOCP are cryptographically
strong. They are fine for Monte Carlo simulations and such. --Perry]


Re: Security through kittens, was Solving password problems

2009-02-25 Thread John Levine
This means a site paying attention to such things could notice a
change in IP address, or, if several users were attacked this way,
notice repeated connections from the same IP. (Granted the MITM
could distribute the queries over a botnet, but it raises the bar
somewhat.)

I have no idea if sites do such checks, just speculation on my part.

You're right, but it's not obvious to me how a site can tell an evil
MITM proxy from a benign shared web cache.  The sequence of page
accesses would be pretty similar. I suppose that you could hope that
legitimate HTTPS requests would come direct from the client machine,
so requests for multiple users on the same IP would be suspicious, but
on networks like AOL's, I wouldn't count on it working that way.

R's,
John



Re: Security through kittens, was Solving password problems

2009-02-24 Thread John Levine
you enter a usercode in the first screen, you are presented with a
second screen to enter your password. The usercode is a mnemonic
6-character code such as HB75RC (randomly generated, you receive from
the server upon registration). Your password is freely chosen by you
upon registration. That second screen also has something that you and
the correct server know but that you did not disclose in the first
screen --

This scheme is quite popular with banks.  I have at least three
accounts where I enter my user name in one screen, then on a second
password entry screen it shows me a picture chosen when I set up the
account along with a caption I wrote.  They have a large library of
pictures of cute animals, household appliances, and so forth.

Clever though this scheme is, man-in-the middle attacks make it no
better than a plain SSL login screen.  Since the bad guy knows what
site you're trying to reach, he can use your usercode to fetch the
shared secret from the real site and present it to you on his fake
site.  It's true, the fake site won't have the same URL as the real
site, but if the security of this scheme still depends on people
scrutinizing the browser's address bar to be sure they're visiting the
site they think they are, how is this any better than an ordinary
kitten-free SSL login screen?

Another bank sent me a dongle that generates a timestamped six-digit
number that I use as part of the login.  Even with the dongle, MITM
attacks are still effective.  The bad guy can only steal one session
rather than a user's permanent credentials, but that's still plenty
to, e.g., wire money out of the country.

The only thing I've been able to come up with that seems even somewhat
secure is a USB dongle that plugs into your computer and can set up an
end-to-end encrypted channel with the bank, and that has a screen big
enough that once you've set up your transaction in your browser, the
bank then sends a description to the dongle to display on its screen,
and YES and NO buttons on the dongle itself.

Unless the screen and the buttons are physically part of the dongle,
you're still subject to MITM attacks.  But a dongle with a screen big
enough for my 87 year old father to read, and buttons big enough for
him to push reliably would be unlikely to fit on his keychain.  It's a
very hard problem.

Regards,
John Levine, jo...@iecc.com, Primary Perpetrator of The Internet for Dummies,
Information Superhighwayman wanna-be, http://www.johnlevine.com, ex-Mayor
More Wiener schnitzel, please, said Tom, revealingly.





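The confirmation flow sketched in this message, and the problem set out in the Crypto dongles thread above (a botted PC waits for a legitimate session and then submits its own transactions), as an added example that is not code from the original posts or from any bank: a Python model of the protocol in which the bank renders the transaction text, the dongle shows that text and signs it only after the user presses YES, and the bank commits only a confirmation that matches its own copy. The device id, the per-device HMAC key shared at enrolment, the canonical encoding, and the three tampering scenarios are assumptions made for illustration.

```python
"""Model of a display-and-confirm dongle protocol (added example, not real bank code)."""
import hashlib
import hmac
import secrets

INTENDED_TEXT = "Pay 100.00 USD to Alice acct 12345678"   # what the user means to approve


def canonical(device_id: str, challenge: bytes, description: str) -> bytes:
    """Bytes covered by the confirmation MAC: device, fresh challenge, and the exact
    text the dongle displayed. Length prefixes keep the fields unambiguous."""
    parts = [device_id.encode(), challenge, description.encode()]
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


class Dongle:
    """Trusted device: the key never leaves it, and it signs only the text it showed
    after the user pressed YES (the buttons are modelled as a callback)."""

    def __init__(self, device_id: str, key: bytes, user_presses_yes):
        self.device_id = device_id
        self._key = key
        self._user_presses_yes = user_presses_yes

    def confirm(self, challenge: bytes, description: str):
        if not self._user_presses_yes(description):       # user pressed NO
            return None
        return hmac.new(self._key, canonical(self.device_id, challenge, description),
                        hashlib.sha256).digest()


class Bank:
    """Bank side: renders the description itself, remembers it per challenge, and
    accepts only a MAC over that description."""

    def __init__(self):
        self._keys = {}       # device_id -> key shared at enrolment (assumed out of band)
        self._pending = {}    # challenge -> (device_id, description)
        self.ledger = []

    def enroll(self, device_id: str, key: bytes) -> None:
        self._keys[device_id] = key

    def submit(self, device_id: str, tx: dict):
        """Step 1: the untrusted browser submits a transaction; the bank, not the PC,
        produces the text that will be shown on the dongle."""
        challenge = secrets.token_bytes(16)
        description = f"Pay {tx['amount']} {tx['currency']} to {tx['payee']} acct {tx['account']}"
        self._pending[challenge] = (device_id, description)
        return challenge, description

    def finalize(self, challenge: bytes, signature) -> bool:
        """Step 3: commit only if the MAC matches the bank's own copy of the text."""
        if challenge not in self._pending:                  # unknown or replayed challenge
            return False
        device_id, description = self._pending.pop(challenge)
        expected = hmac.new(self._keys[device_id],
                            canonical(device_id, challenge, description),
                            hashlib.sha256).digest()
        if signature is None or not hmac.compare_digest(expected, signature):
            return False
        self.ledger.append(description)
        return True


INTENDED = {"amount": "100.00", "currency": "USD", "payee": "Alice", "account": "12345678"}
ATTACKER = {"amount": "9000.00", "currency": "USD", "payee": "Mule", "account": "99999999"}


def run_session(tamper: str = "none") -> bool:
    """One payment through a possibly botted PC. tamper is one of:
    "none"    honest PC;
    "submit"  malware swaps the transaction before it reaches the bank;
    "display" malware sends the attacker's transaction to the bank but forwards
              the text the user expects to the dongle.
    Returns True only if the bank committed a transaction."""
    key = secrets.token_bytes(32)
    dongle = Dongle("dev-0001", key, lambda shown: shown == INTENDED_TEXT)
    bank = Bank()
    bank.enroll("dev-0001", key)

    sent = INTENDED if tamper == "none" else ATTACKER      # what actually reaches the bank
    challenge, description = bank.submit("dev-0001", sent)
    if tamper == "display":                                  # PC lies to the dongle
        description = INTENDED_TEXT
    signature = dongle.confirm(challenge, description)       # step 2, on the device
    return bank.finalize(challenge, signature)


if __name__ == "__main__":
    for mode in ("none", "submit", "display"):
        print(f"{mode:8s} -> {'committed' if run_session(mode) else 'rejected'}")
```

In the "submit" case the user sees the attacker's payee on the dongle and presses NO, so nothing is signed; in the "display" case the user approves the text they expect, but the bank's pending record holds the attacker's text, so the MAC fails. Neither case depends on the user reading the browser's address bar. The model uses a symmetric MAC for brevity, which means the bank holds the verification secret (the concern raised in the Nov 25 reply above); a per-device asymmetric signing key removes that without changing the message flow.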

Re: UCE - a simpler approach using just digital signing?

2009-02-01 Thread John Levine
One idea I have not seen mentioned here (and which I have not yet
encountered in RL, but only weird people send me email these days) is
for the sending MTA to use pgp to encrypt mail using the recipient's
public key, available on one of the key servers near you.

I don't understand what problem this is intended to solve.  Bad guys
can look up PGP keys just like good guys, so all this would accomplish
would be to fill your inbox with signed spam.

Perhaps it would be useful to make a section of the ASRG wiki in which
we describe the difference between the spam problem and the other
problems that people confuse with the spam problem, such as the
introduction problem and (more familiar to cryptographers) the
authentication problem, the interception problem, the non-repudiation
problem, and doubtless others that I can't think of just now.

R's,
John



Re: UCE - a simpler approach using just digital signing?

2009-01-31 Thread John Levine
That's basically what I'm using, just without the digital signature 
part: each person/organisation/website/whatever gets a different email 
address for communicating with me (qmail makes this easy to implement)

I do that too -- I bet half the people on this list do, and there's
lots of free and commercial services like Yahoo and Spamex who will
let you do it.  But it's not much of a solution to spam because it
requires significant manual work to maintain the addresses, and only
deals with places where you individually give them the address to send
mail to.

Another scheme (that could be combined with the above one to solve only 
the CC party problem) would be accepting only PGP mail and use a 
manually updated white list

This has the same fundamental problem as Zoemail and any other white
list system.  It's really easy to implement a white list.  Unless your
name is Paypal, the amount of mail forging your address is vanishingly
small, and the utterly insecure From: line address works just fine for
practical purposes.  I use that to manage my 12 year old daughter's
mail.

But whitelists replace the spam problem with the equally intractable
introduction problem, deciding whether to accept the first message
from someone you don't know.  People have been thinking about that for
a long time (indeed, for millennia in contexts other than e-mail) and
the snarky comments I made yesterday about wonderful anti-spam ideas
apply here, too.

The ASRG is still eager to hear from people who want to do just about
anything related to spam other than hash over known-ineffective old
ideas. See http://wiki.asrg.sp.am.

R's,
John




Re: Proof of Work - atmospheric carbon

2009-01-30 Thread John Levine
You know those crackpot ideas that keep showing up in snake oil crypto?
Well, e-postage is snake oil antispam.

While I think this statement may be true for POW coinage, because for a bot
net it grows on trees, for money that traces back to the international
monetary exchange system, it may not be completely true.

It's close enough to completely true.  Stealing postage via bots is
only one of multiple fatal problems.

I wrote this white paper in 2004; some of the details could stand a
little update but the conclusions are as clear as ever:

http://www.taugh.com/epostage.pdf

R's,
John



Re: Proof of Work - atmospheric carbon

2009-01-30 Thread John Levine
Richard Clayton and I claim that PoW doesn't work:
http://www.cl.cam.ac.uk/~rnc1/proofwork.pdf

I bumped into Cynthia Dwork, who originally invented PoW, at a CEAS
meeting a couple of years ago, and she said she doesn't think it
works, either.

R's,
John



Re: UCE - a simpler approach using just digital signing?

2009-01-30 Thread John Levine
Hi.  One of the hats I wear is the chair of the Anti-Spam Research
Group of the Internet Research Task Force, which is down the virtual
hall from the IETF.

You know how you all feel when someone shows up with his super duper
new unbreakable crypto scheme?  Well, that's kind of how I feel here.
Dealing with spam is surprisingly subtle, a lot of smart people have
been thinking about it for a long time, and most new ideas turn out
to be old ideas with well known flaws or limitations.

 Consider the implications of a third field, or trust token, which
 works like a password to fred's mail box.  Your mailer's copy of
 fred's email address would look like fred#to...@example.com where
 token was a field that was your own personal password to fred's
 mailbox.

It's not a bad idea.  Its best known implementation was done in 1996
by Robert Hall of ATT Labs who called it Zoemail.  You can learn all
about it in US Patent 5,930,479.

This is the wrong place to go into detail about its limitations,
although it should be self-evident that if it were effective, sometime
in the past 13 years we'd have started using it.

You're all welcome in the ASRG, which has a wiki at
http://wiki.asrg.sp.am with pointers to the mailing list and other
resources.  One of our slow moving projects is a taxonomy of anti-spam
techniques, both ones that work and ones that don't work.  If you'd
like to contribute, drop me a note and I'll give you a password so you
can edit it.

Regards,
John Levine, jo...@iecc.com, Primary Perpetrator of The Internet for Dummies,
Information Superhighwayman wanna-be, http://www.johnlevine.com, ex-Mayor
More Wiener schnitzel, please, said Tom, revealingly.


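The per-correspondent address idea quoted in this message (a token that works like a password to fred's mailbox) and the one-address-per-correspondent practice described in the Jan 31 reply above, as an added example that is not Zoemail's patented scheme or any code from the original posts: a Python mail-server-side helper that derives the tag from an HMAC over the correspondent's domain, so a harvested address is only useful to mail that really comes from the domain it was issued to. The secret, the '+' separator, the tag length, and the assumption that the envelope sender's domain has already passed SPF or DKIM are all choices made for illustration.

```python
"""Per-correspondent tagged addresses (added example; not Zoemail's patented scheme)."""
import hashlib
import hmac

SECRET = b"replace-me: per-mailbox secret kept on the mail server"   # assumption
TAG_SEP = "+"     # Zoemail used '#'; qmail-style address extensions use '-'
TAG_LEN = 12      # hex digits = 48 bits; far beyond what can be guessed at SMTP rates


def tag_for(sender_domain: str, secret: bytes = SECRET) -> str:
    """Tag bound to the correspondent's domain: a harvested address is only useful
    to mail that really comes from the domain it was issued to."""
    mac = hmac.new(secret, sender_domain.strip().lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:TAG_LEN]


def tagged_address(local: str, my_domain: str, sender_domain: str) -> str:
    """The address you hand to one correspondent, e.g. fred+3a9f...@example.com."""
    return f"{local}{TAG_SEP}{tag_for(sender_domain)}@{my_domain}"


def classify_inbound(rcpt_to: str, mail_from: str) -> str:
    """SMTP-time decision. Assumes the domain in mail_from has already passed SPF
    or DKIM; without that the binding proves nothing.
      'accept'   tag matches the authenticated sender domain
      'reject'   tag present but wrong (leaked, guessed, or reused elsewhere)
      'untagged' plain address: hand off to the introduction problem"""
    local = rcpt_to.partition("@")[0]
    _, sep, tag = local.partition(TAG_SEP)
    if not sep:
        return "untagged"
    tag = tag.lower()
    if not tag.isascii():
        return "reject"
    expected = tag_for(mail_from.rpartition("@")[2])
    return "accept" if hmac.compare_digest(expected, tag) else "reject"


if __name__ == "__main__":
    addr = tagged_address("fred", "example.com", "orbitz.com")
    print(addr)
    for sender in ("deals@orbitz.com", "spammer@evil.example"):
        print(sender, "->", classify_inbound(addr, sender))
```

Binding the tag to the sender's domain is what distinguishes this from a bare mailbox password: a token that anyone can use once it leaks is just another address to rotate. Note that the 'untagged' branch is exactly where the whitelist approach stops helping, which is the introduction problem the replies above describe.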

Re: What EV certs are good for

2009-01-28 Thread John Levine
 I just received a phishing email, allegedly from HSBC:

Dear HSBC Member,

So did the link have a EV cert?

Hardly matters.  HSBC has vast numbers of web servers all over the world,
some with EV certs, some without.

For example, their US customer site for deposit customers at
https://www.us.hsbc.com/ doesn't, but their site for credit cards at
https://www.hsbccreditcard.com/ does, although it's kind of hard to
tell because they tend to put you on a non-https page until you log
in.

R's,
John



Re: Proof of Work - atmospheric carbon

2009-01-28 Thread John Levine
(Also, it's not clear that a deterministic POW works well for an
application like Bitcoin; it might let the owner of the fastest computer
win every POW race, giving him too much power.)

Indeed.  And don't forget that through the magic of botnets, the bad
guys have vastly more compute power available than the good guys.

You know those crackpot ideas that keep showing up in snake oil crypto?
Well, e-postage is snake oil antispam.

R's,
John
 



Re: Proof of Work - atmospheric carbon

2009-01-26 Thread John Levine
Can't we just convert actual money in a bank account into bitbux --
cheaply and without a carbon tax?  Please?

If only.  People have been saying for at least a decade that all we
have to do to solve the spam problem is to charge a small fee for
every message sent.  Unfortunately, there's a variety of reasons
that's never going to work.  One of the larger reasons is that despite
a lot of smart people working on micropayments, we have nothing
approaching a system that will work for billions of transactions per
day, where 90% of the purported payments are bogus, along with the
lack of any interface to the real world financial system that would
scale and withstand the predictable attacks.

My white paper could use a little updating, but the basic conclusions
remain sound:

http://www.taugh.com/epostage.pdf

R's,
John



Re: Bitcoin P2P e-cash paper

2008-11-03 Thread John Levine
 As long as honest nodes control the most CPU power on the network,
 they can generate the longest chain and outpace any attackers.

But they don't.  Bad guys routinely control zombie farms of 100,000
machines or more.  People I know who run a blacklist of spam sending
zombies tell me they often see a million new zombies a day.

This is the same reason that hashcash can't work on today's Internet
-- the good guys have vastly less computational firepower than the bad
guys.

I also have my doubts about other issues, but this one is the killer.

R's,
John




Re: road toll transponder hacked

2008-08-28 Thread John Levine
 The relationship to this list may then be thin
 excepting that the collection and handling of
 such data remains of substantial interest.

Actually, it points to cash settlement of road tolls.

That's not unknown.  On the Niagara Falls toll bridges, they have an
ETC system where you buy your transponder for cash at a toll booth and
refill it with cash.  I suppose they could take your picture and link
it to your license plate, but they can do that if you throw quarters
into the bin, too.

R's,
John



Re: road toll transponder hacked

2008-08-26 Thread John Levine
  So, I believe, at least for E-Z Pass, the attack would have to include
  cloning the license plate and pictures may still be available whenever
  a victim realizes they have been charged for trips they did not take.

The 407 toll road in Toronto uses entirely automated toll collection.
They offer transponders (which, annoyingly, are the same system as
NY's EZ-Pass but don't interoperate) for commuters and trucks, but for
casual use by cars, it reads your plates and sends you a bill.

I can report from experience that when I use it with my NY plates, I
always get a bill a month or so later.

R's,
John



Re: security questions

2008-08-10 Thread John Levine
 IIRC, it used personal data already available to DEC -- so they
 didn't have to ask their employees for it

That works great so long as the personal data is accurate.

Banks these days are supposed to verify your identity when you open an
account.  Online banks pull your credit report anyway, so they make up
some verification questions from historical info in the report.  I'm
regularly asked which of four street addresses I've lived at.

Unfortunately, in my case the correct answer is invariably none of
them.  I'm part owner of a relative's house in New Jersey, and the
credit bureaus all are sure that since my name is on the deed, that
must be where I live.  So that's the address that shows up.  Adding to
the excitement, they often ask what city, to which the answer would
still be none of them even if I lived in that house.  It's in
Lawrenceville, but I guess it gets mail delivered from the Trenton
P.O. so the allegedly correct answer is Trenton.

It's not too hard for me to figure these out, but given the amount of
plain wrong info in credit reports, this approach must lead to some
pretty frustrating failures.

Regards,
John Levine, [EMAIL PROTECTED], Primary Perpetrator of The Internet for Dummies,
Information Superhighwayman wanna-be, http://www.johnlevine.com, ex-Mayor
More Wiener schnitzel, please, said Tom, revealingly.



Re: Kaminsky finds DNS exploit

2008-07-14 Thread John Levine
CERT/CC mentions this:

| It is important to note that without changes to the DNS protocol, such
| as those that the DNS Security Extensions (DNSSEC) introduce, these
| mitigations cannot completely prevent cache poisoning.

Why wouldn't switching to TCP lookups solve the problem?  It's
arguably more traffic than DNSSEC, but it has the large practical
advantage that they actually work with deployed servers today.



Re: Kaminsky finds DNS exploit

2008-07-09 Thread John Levine
However, we in the security circles don't need to spread the 
Kaminsky finds meme.

Quite right.  Paul Vixie mentioned it in 1995, Dan Bernstein started
distributing versions of dnscache with randomized port and sequence
numbers in 2001.

The take-away here is not that Dan didn't discover the problem, but
Dan got it fixed. An alternate take-away is that IETF BCPs don't
make nearly as much difference as a diligent security expert with a
good name.

I suppose 13 years is kind of a long time, but better late than never.
It would be modestly interesting to learn what is different now that
motivated him to get people to fix it.


R's,
John



Re: delegating SSL certificates

2008-03-19 Thread John Levine
| Presumably the value they add is that they keep browsers from popping
| up scary warning messages
Apple's Mail.app checks certs on SSL-based mail server connections.
It has the good - but also bad - feature that it *always* asks for
user approval if it gets a cert it doesn't like.

Good point -- other mail programs such as Thunderbird also pop up
the scary warnings.  I've paid the $15 protection money for the certs
on my mail servers.

R's,
John



Re: delegating SSL certificates

2008-03-16 Thread John Levine
 So at the company I work for, most of the internal systems have
 expired SSL certs, or self-signed certs.  Obviously this is bad.

You only think this is bad because you believe CAs add some value.

Presumably the value they add is that they keep browsers from popping
up scary warning messages.  There are all sorts of reasonable
arguments to be made that the browsers are doing the wrong thing (and
the way that Microsoft prevents you from ever deleting any of their
preinstalled CA certs is among the wrongest.)

Nonetheless, unless we can persuade all the users in question to
adjust their browsers, which is always a losing battle, it's easier
just to pay the $15 protection money and get a CA signature.

Regards,
John Levine, [EMAIL PROTECTED], Primary Perpetrator of The Internet for Dummies,
Information Superhighwayman wanna-be, http://www.johnlevine.com, ex-Mayor
More Wiener schnitzel, please, said Tom, revealingly.



Re: delegating SSL certificates

2008-03-15 Thread John Levine
Are there any options that don't involve adding a new root CA?

Assuming your sites all use subdomains of your company domain,
a wildcard cert for *.whatever might do the trick.  It's relatively
expensive, but you can use the same cert in all your servers.

I would think this would be rather common, and I may have heard about
certs that had authority to sign other certs in some circumstances...

They do exist, Comodo has sold certs signed that way, but I wouldn't
recommend it since the depth of chaining the browsers recognize varies
considerably.  My copy of Firefox doesn't accept many of Microsoft's
certs because the chaining is too deep.

Another possibility is just to pay to have your certs signed by one of
the public signers.  At the current going rate of $15, you can get a
lot of signatures for the cost of doing anything else.

R's,
John



Re: House o' Shame: Amtrak

2008-02-21 Thread John Levine
  http://amtrak.bfi0.com/.

Lesson for phishers: If you want your phish to seem more legit, outsource it
to Bigfoot Interactive, which seems to lead back to Epsilon Agency Services,
who specialise in... well, phishing, but for the good guys.  I bet the Russian
Business Network could do it for less though :-).

Having dealt at length with people from BFI/Epsilon, I can confirm that
many of them are not the sharpest needles in the etui.

This problem is well known in the ESP (bulk mail for hire) industry,
and the better ones know how to deal with it.  If you are on Orbitz'
mailing list, for example, the mail comes from [EMAIL PROTECTED],
and the links in the mail all go to http://my.orbitz.com/whatever.  Do
a few DNS lookups and you'll find NS records from Orbitz that delegate
my.orbitz.com to Responsys, their ESP.  This is a straightforward and
effective way to manage the namespace for outsourced mail, and my
biggest question is why so many ESPs don't do it yet.

R's,
John


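The namespace point made in this message, as an added example that is not code from the original post or from any ESP: a Python check a recipient or a filter can run to see whether every link in a bulk message stays under the sender's own registrable domain, which the delegated-subdomain arrangement described above satisfies and the amtrak.bfi0.com link does not. The sample message bodies are constructed, the deals@orbitz.com sender is a stand-in for the elided address in the message, and the tiny two-label suffix set is a placeholder for the Public Suffix List.

```python
"""Check that links in bulk mail stay inside the sender's own namespace (added example)."""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

# Toy public-suffix handling: production code should use the Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """my.orbitz.com -> orbitz.com; mail.example.co.uk -> example.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def link_in_namespace(url: str, sender_domain: str) -> bool:
    """True if the link's host is the sender's registrable domain or a subdomain of
    it. Comparing whole labels rejects lookalikes such as orbitz.com.evil.example
    and myorbitz.com, which a plain substring check would pass."""
    host = urlparse(url).hostname or ""
    return registrable_domain(host) == registrable_domain(sender_domain)


def offending_links(body: str, mail_from: str) -> list:
    """Every link in the message body that leaves the sender's namespace."""
    sender_domain = mail_from.rpartition("@")[2]
    return [u for u in URL_RE.findall(body) if not link_in_namespace(u, sender_domain)]


# Constructed sample bodies, not real mail. The Orbitz one follows the pattern the
# message above describes (links under a delegated subdomain); the Amtrak one does not.
ORBITZ_BODY = """Your weekly deals are here:
  http://my.orbitz.com/deals/123?u=abc
Manage preferences at https://www.orbitz.com/account
"""
AMTRAK_BODY = """Please update your profile at
  http://amtrak.bfi0.com/update?u=abc
"""

if __name__ == "__main__":
    print("orbitz:", offending_links(ORBITZ_BODY, "deals@orbitz.com"))
    print("amtrak:", offending_links(AMTRAK_BODY, "amtrak@amtrak.com"))
```

On the DNS side the arrangement the message describes needs nothing more than an NS record set in the brand's zone delegating the subdomain to the ESP (illustrative, not Orbitz' actual records): my IN NS ns1.esp.example. The brand keeps control of the parent zone and can withdraw the delegation when the contract ends, and recipients can apply the check above without knowing who the ESP is.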

Re: Fixing SSL (was Re: Dutch Transport Card Broken)

2008-02-06 Thread John Levine
They can't be as anonymous as cash if the party being dealt with
can be identified.  And the party can be identified if the
transaction is online, real-time.  Even if other clues are erased,
there's still traffic analysis in this case.

If I show up at a store and pay cash for something every week, they
can still do traffic analysis on me (oh him, he's a regular
customer) unless I go out of my way to obscure my routine like asking
other people to buy stuff for me.

It's not clear to me what the object of this argument is.  Yes, the
harder you work, the more difficult you can make it for other people
to tie your transactions to you.  This shouldn't be news to anyone.

R's,
John




Re: patent of the day

2008-01-23 Thread John Levine
In article [EMAIL PROTECTED] you write:

http://www.google.com/patents?vid=USPAT6993661

Gee, the inventor is Simson Garfinkel, who's written a bunch of books
including Database Nation, published in 2000 by O'Reilly, about all
the way the public and private actors are spying on us.

I wonder whether this was research to see how hard it was to
get the PTO to grant an absurd patent.

R's,
John



Re: unintended consequences?

2007-08-09 Thread John Levine
 Does that mean that the new fiber is less tappable?

Somehow, I suspect that Corning and the relevant authorities have been
in touch to work out any problems.

Corning is a politically very well connected company.  Amory Houghton,
a member of the family that has controlled the company since its
founding in 1851, was company CEO from 1965-84, and was then the
member of Congress from my district from 1986-2005.  His father was
CEO and later ambassador to France.  His grandfather was CEO and later
member of Congress and then ambassador to first Germany and later
Britain.  You get the idea.

R's,
John




Re: remote-attestation is not required (Re: The bank fraud blame game)

2007-07-03 Thread John Levine
I do not believe the mentioned conflict exists.  The aim of these
calculator-like devices is to make sure that no malware, virus etc can
create unauthorized transactions.  The user should still be able to
debug, and inspect the software in the calculator-like device, or
virtual software compartment, just that installation of software or
upgrades into that area should be under direct explicit user control.
(eg with BIOS jumper required to even make any software change!)

In view of the number of people who look at an email message, click on
an attached ZIP file, rekey a file password in the message, and then
run the program in the file, thereby manually installing a virus, it's
way too dangerous to let users install any code at all on a security
device.

R's,
John

PS: Yes, they really do.  I didn't believe it either.



Re: 307 digit number factored

2007-05-23 Thread John Levine
somewhere over the yrs the term certification authority was truncated
to certificate authority ... along with some impression that 
certificates are being sold (as opposed to certification processes).

When I pay $14.95 for a certificate, with the investigation of my bona
fides limited to clicking through a link in an e-mail, and answering
the phone*, entering a short code, and responding to a request to
"state your name"**, it sure seems to me like I'm buying a certificate.
The only reason I do it is that for that price it's cheaper than
explaining to people why the threat that web certs defend against is
stupid.

 getting totally rid of the need for domain name certificates ... DNS
 serving up both ip-addresses and public keys in single operation.

DKIM does that, you can get the MX and verification key for a domain.
But I wouldn't say that was a security improvement except insofar as
it makes the process easy enough that people are more likely to use it
than they are the more cumbersome systems like S/MIME.

R's,
John

* - any old phone, I've had them call random VoIP numbers in other
continents that I was experimenting with

** - so of course I say "your name".
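Added example, not from the original post: what a DKIM verifier actually pulls from DNS and checks, to make the "MX and verification key in one lookup" point concrete. The d= and s= tags of a DKIM-Signature header name a TXT record at <s>._domainkey.<d>, which carries the public key; before any RSA work the verifier recomputes the bh= body hash over the canonicalized body. The signature header, TXT record and message bodies below are constructed sample data (the p= value is base64 of a placeholder string, not a real key), and the b= signature check over the headers is left out because it needs an RSA library.

```python
# Added example (not from the original post): the DNS key lookup and body-hash
# check of a DKIM verifier.  All sample data here is constructed; the p= value
# is the base64 of a placeholder string, not a real public key.
import base64
import hashlib
import re

# Constructed sample: a folded DKIM-Signature header value.  bh= and b= carry
# dummy tokens here; a real header has base64 values.
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2007;\r\n"
    "\th=from:to:subject; bh=DUMMYBH; b=DUMMYSIG"
)
# Constructed sample: the TXT record a verifier would fetch for that signature.
SAMPLE_TXT = "v=DKIM1; k=rsa; p=cGxhY2Vob2xkZXI="


def parse_tags(value):
    """Parse a DKIM tag=value list into a dict.  Folding whitespace inside
    values is dropped, as the DKIM tag-list grammar requires."""
    tags = {}
    for item in value.split(";"):
        name, sep, val = item.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def key_record_name(sig_tags):
    """DNS name the verifier queries for the public key: <s>._domainkey.<d>."""
    return "%s._domainkey.%s" % (sig_tags["s"], sig_tags["d"])


def parse_key_record(txt):
    """Parse the key record (v=DKIM1; k=rsa; p=<base64 key>) into (key type,
    key bytes).  An empty p= means the selector has been revoked."""
    tags = parse_tags(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("not a DKIM key record")
    pub = base64.b64decode(tags.get("p", ""))
    if not pub:
        raise ValueError("revoked key (empty p=)")
    return tags.get("k", "rsa"), pub


def simple_body(body):
    """'simple' body canonicalization: drop trailing empty lines, end with CRLF;
    an empty body canonicalizes to a single CRLF."""
    while body.endswith("\r\n"):
        body = body[:-2]
    return body + "\r\n"


def relaxed_body(body):
    """'relaxed' body canonicalization: collapse runs of SP/TAB to one SP, strip
    trailing whitespace on each line, drop trailing empty lines; an empty body
    canonicalizes to the empty string."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n" if lines else ""


def body_hash(body, canon="relaxed"):
    """bh= value: base64(SHA-256(canonicalized body)).  The l= length limit is
    not handled here."""
    canonical = relaxed_body(body) if canon == "relaxed" else simple_body(body)
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def body_canon_of(sig_tags):
    """Body algorithm from c=header/body; a lone value applies to headers only
    and leaves the body at 'simple'."""
    c = sig_tags.get("c", "simple/simple")
    return c.split("/")[1] if "/" in c else "simple"


def verify_body_hash(body, sig_tags):
    """Recompute bh= and compare.  This is the cheap first check; only if it
    passes does a verifier spend an RSA operation on b= (omitted here)."""
    if sig_tags.get("a", "rsa-sha256") != "rsa-sha256":
        raise ValueError("unsupported a= algorithm")
    return body_hash(body, body_canon_of(sig_tags)) == sig_tags.get("bh")


if __name__ == "__main__":
    sig = parse_tags(SAMPLE_SIGNATURE)
    print("key record to fetch:", key_record_name(sig))
    ktype, key = parse_key_record(SAMPLE_TXT)
    print("key type %s, %d key bytes" % (ktype, len(key)))
    print("bh for a constructed body:", body_hash("Hello,  world \r\n\r\n"))
```

Because relaxed canonicalization is applied before hashing, a body whose whitespace was reflowed in transit still verifies, while a one-character content change does not; that is the trade-off the c= tag encodes.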



Re: 0wned .gov machines (was Re: Russian cyberwar against Estonia?)

2007-05-20 Thread John Levine
I've heard nothing formal, but my strong understanding is a lot of US
government machines, at least if we're talking workstations on
non-classified nets, are in fact 0wn3d at this point.

Well, here's an anecdote: at last year's CEAS conference, Rob Thomas
of Team Cymru gave the keynote on the underground economy, with a most
horrifying set of both live demos and selected snapshots of the online
bazaars where online warez are traded, everything from zombie farms to
spamware to stolen credit cards.  One of the more amusing was a guy
who offered a zombie in some part of the government that you'd hope
would be moderately secure, NASA or someplace like that, at a higher
than normal price.  The immediate response was ridicule, bots on
government nets are a dime a dozen, and aren't worth any more than any
other bot.

R's,
John



Re: hoofbeats of zebras, was DNSSEC to be strangled at birth.

2007-04-06 Thread John Levine
You assume the new .net key (and what's signed with it) would be
supplied to all users of the DNS, rather than used for a targeted
attack on one user (or a small number of users).  Why assume the
potential adversary will restrict himself to the dumbest possible way
to use the new tools you're about to hand him?

I dunno about you, but if some part of the Federal government wanted
to mess with a particular target, it's much more likely they would
arrange for some large NSPs to do some adjusted BGP.  Or even more likely
some guys in suits would show up at Verisign and say, "We're from
[redacted] and we would appreciate it if you arranged for requests for
[redacted].net from network [redacted]/15 to resolve to [redacted] for
the next couple of weeks."

Personally, I like Paul's theory about the DHS dork with a press
release.  He doesn't understand zones or delegation or the root
servers or routing or anything else, but the signing key will let them
Take Control of this Vital Resource in case of National Emergency.
You know, like they did in New Orleans.

Regards,
John Levine, [EMAIL PROTECTED], Primary Perpetrator of The Internet for Dummies,
Information Superhighwayman wanna-be, http://www.johnlevine.com, Mayor
"More Wiener schnitzel, please," said Tom, revealingly.




Re: DNSSEC to be strangled at birth.

2007-04-05 Thread John Levine
  The DHS has requested the master key for the DNS root zone.

 Can anyone seriously imagine countries like Iran or China signing up
 to a system that places complete control, surveillance and
 falsification capabilities in the hands of the US' military
 intelligence?

For anyone who hasn't been paying attention, the root zone is
maintained by IANA which since February 2000 has been run by ICANN
under a contract with the US Department of Commerce.  DOC calls the
shots and always has.

I don't understand any better than anyone else why DHS sent out a
press release that can accomplish nothing but get people upset, but at
most this is a turf battle between two cabinet departments.  The war
was over seven years ago.

Regards,
John Levine, [EMAIL PROTECTED], Primary Perpetrator of The Internet for Dummies,
Information Superhighwayman wanna-be, http://www.johnlevine.com, Mayor
"More Wiener schnitzel, please," said Tom, revealingly.




Re: Failure of PKI in messaging

2007-02-15 Thread John Levine
Suppose we have a messaging service that, like Yahoo, is
also a single signon service, ...

Then you just change the attack model.

There are a bunch of sites that do various things with your address
book ranging from the toxic Plaxo which slurps it up and sends spam to
everyone in it masquerading as an address change message from you to
more reasonable ones like LinkedIn which offers controlled messaging
to friends of friends.

Since typing in address book info by hand is hard, a lot of them sync
with your existing Outlook addressbook via a plugin, and some of them
also offer to sync with your Yahoo or Gmail or Hotmail address
book.  What a bad idea -- those are single signon systems. If you've
ever bought anything at one of their hosted stores or use one of their
premium services, it's the same credential that lets people charge
stuff to your credit card.

It gets even messier.  Look at a configurable aggregator page like the
very spiffy Netvibes.  It has modules to check mail at AOL, MSN,
Yahoo, Gmail, and your POP provider, all conveniently remembering your
login info.  As far as I know Netvibes is reliable and competent, but
they have an extension API that lets anyone write extension modules
and offer them to Netvibes users.

I realize that readers of this list will use separate accounts for
financial info and free webmail, but the other 99.9% of people in
the world will be delighted that they only have one password to
write on a post-it rather than six.

It should be obvious why overloading phish protection onto this is an
equally bad idea -- it drops the security of the phish protection to
the security of the sleaziest aggregator module or address book site
that someone might use, and puts valuable financial and antiphish info
in the same security bucket as the three most recent subject lines
from your web mail.  Thanks, but no thanks.

R's,
John



Re: Failure of PKI in messaging

2007-02-15 Thread John Levine
  If you can persuade everyone to use a single system,
  it's not hard to make communication adequately secure.
 ...

You are making the Katrina reaction "we need someone in
charge." ...

Oh, not at all. I guess I wasn't clear.  To the extent that people use
a single system it can be secure, but that doesn't scale.  I have a
rule of thumb that any walled garden big enough to be interesting is
probably also big enough that bad guys have snuck in.

R's,
John




Re: cellphones as room bugs

2006-12-13 Thread John Levine
8Kbit/second is enough if all you need is to understand what is being
said, not recognize the speaker.  The processing power to do this is
pretty small on today's scale of things.)

With decent compression techniques, 8kbps is close to telephone
quality, and 2400bps has artifacts but is still quite clear.  There
are some nice examples at:

http://www.data-compression.com/speech.shtml

1kbps would be adequate for understandable speech, so I would expect
that a modern phone with megabytes for music storage could easily
store several days of voice-activated room bugging.

R's,
John



Re: signing all outbound email

2006-10-03 Thread John Levine
  James A. Donald wrote:
   In order for [DKIM] to actually be any use, ...

Anne  Lynn Wheeler wrote:
  so what if an isp only signs email where ...

etc, etc.

You know, we've already had all these arguments on the DKIM mailing
list about a hundred times.  

It's true, just about everything that is wrong with DKIM is also wrong
with every other signature scheme.  The salient difference is that
DKIM sets its sights lower and is designed to be more easily
deployable so there is more of a chance that it can break out of the
ghetto where all the existing message signature schemes languish, and
at least increase the amount of mail that people's known
correspondents have signed.  Despite a great deal of misreporting and
wishful thinking, we do know that it is neither a magic bullet against
spam nor against phishing.

Rather than having the same old arguments yet again, how about reading
the list archives linked from
http://www.mipassoc.org/dkim/ietf-dkim.htm and at least argue about
something different?

Regards,
John Levine, [EMAIL PROTECTED], Primary Perpetrator of The Internet for Dummies,
Information Superhighwayman wanna-be, http://www.johnlevine.com, Mayor
"More Wiener schnitzel, please," said Tom, revealingly.



Re: A lack of US cryptanalytic security before Midway?

2006-09-08 Thread John Levine
The conventional wisdom is that the successful US cryptanalytic efforts
against Japanese naval codes were a closely-held secret.

Has the conventional wisdom forgotten that it was reported in the
Chicago Tribune in 1942?

See, for example, http://www.newseum.org/warstories/essay/secrecy.htm

Fortunately, the Navy Department had enough sense not to make a public
stink, and the Japanese evidently didn't read the Chicago paper.

R's,
John



Re: Get a boarding pass, steal someone's identity

2006-05-09 Thread John Levine
Have you noticed that airline tickets are once again de-facto  
transferable?  If you print your own boarding pass at home, you can  
digitally change the name on it before you print.

Lots of us have noticed that, print one version for the person at
security with a name that matches the ID, print another version for
the person at the gate with a name that matches the reservation and
the bar code.

But actually, you don't even have to do that.  When I travel with my
wife and daughter, whose names are completely unlike mine, I always
put the boarding passes in a stack with one of theirs on top and hand
the person my ID.  I would say at least half the time they don't even
bother to look and see if one of the other passes has a name that
matches the ID.

R's,
John




Re: Get a boarding pass, steal someone's identity

2006-05-07 Thread John Levine
  http://www.guardian.co.uk/idcards/story/0,,1766266,00.html

The story may be exaggerated but it feels quite real. Certainly I've
found similar issues in the past.

It sounds real to me, with an airline whose security is slightly but
not greatly worse than typical.  

I buy a lot of online tickets in the US and I believe that although I
can enter whatever frequent flyer number I want when I buy a ticket, I
always have to provide a PIN to get access to any history or account
info.  But I don't lose my PINs (being a bad user I use the same PIN
many places) so I haven't looked to see how hard it would be to fake
out the various password recovery schemes.

R's,
John




Re: automatic toll collection, was Japan Puts Its Money on E-Cash

2005-12-15 Thread John Levine
 And, while there is a privacy issue, optical license plate readers
 are getting good enough that the issue may soon be moot.

Seems moot now.  The 407 toll road around Toronto has no toll booths
at all.  If you drive on it frequently, you can get a transponder but
otherwise, they take a picture of your plates, look you up, and mail
you a bill.  This does work -- I've gotten a bill for my NY car after
a trip.  The web site at http://www.407etr.com/ makes it clear that
the transponder is completely optional, and won't save you any money
unless you use it more than 7 times a year.  (The transponder costs
$2/mo and saves $3.45 per trip.)

The easiest way to get a transponder appears to be to drive on the
road, wait until you get a bill on which they will have assigned you
an account number, then use that number to log into their web site and
order one.

An article in Wikipedia says that congestion tolls in London (UK) are
also collected automatically by taking pictures of license plates.

R's,
John




Re: automatic toll collection, was Japan Puts Its Money on E-Cash

2005-12-14 Thread John Levine
 Some Americans, analysts note, are already using a version of e-
 cash to bypass toll lanes on highways.

Don't take that as a sign of consumer acceptance, though.  In
Illinois, if you won't pre-pay your tolls in $40 increments, you will
pay double the rate in cash at the tollbooth.

Here in the northeast where E-ZPass is much more established, the
discounts for using the pass are much smaller unless you get a
commuter plan, but they're extremely popular because they save a great
deal of time.  In New Jersey, they've redone several high-volume toll
plazas so the road splits with the right lanes going to toll booths
and the left lanes running under a grid of pass readers where you
don't even slow down.  The prepay increment is only $15.

 And the electronic system is anything but anonymous.

No argument there.  I always figured that I'll use my pass for normal
travel but wrap it in foil and pay cash when I'm disposing of my
political opponents' bodies.  "Couldn't have been me, my car has a
pass.  Look at all these toll logs."

R's,
John




Re: PKI too confusing to prevent phishing, part 28

2005-09-27 Thread John Levine
In article [EMAIL PROTECTED] you write:
http://www.informationweek.com/story/showArticle.jhtml?articleID=171200010

Summary: some phishes are going to SSL-secured sites that offer up
their own self-signed cert. Users see the warning and say "I've seen
that dialog box before, no problem," and accept the cert. From that
point on, the all-important lock is showing so they feel safe.

I don't get it.  When you can get a free cert good for a month and
signed by Geotrust, why waste time with self-signed certs?  See
http://zblog.abuse.net for a sample.

R's,
John



Re: Some companies are just asking for it.

2005-06-23 Thread John Levine
My girlfriend just got an (apparently legitimate from what I can tell)
HTML email from her credit card company, complete with lots of lovely
images and an exhortation to sign up for their new secure online
ShopSafe service that apparently generates one time credit card
numbers on the fly.

Shopsafe is rather nice.  I use it all the time, and it's written in
flash which works on my FreeBSD laptop.

On the other hand, MBNA's mail practices would be laughable if they
weren't entirely in line with every other bank in the country.  If you
read Dave Farber's IP list, a couple of days ago Bob Frankston sent in
an alarmed note saying that some info from his Bank of America account
had apparently been stolen and used in a phish, and I wrote to tell him
that no, the mail was real, from the service bureau they use which has
a name nobody outside the banking industry knows.

Aaron Emigh of Radix Labs wrote to tell me about a talk he gave
earlier this year at an Anti-Phishing Working Group meeting on this
topic, which starts with a set of examples of real bank mail each of
which looks phishier than the last.

This is 30MB due to the voiceover, but if you have a fast web
connection, it's worth running.  It needs Powerpoint:

 http://www.radixlabs.com/idtheft/aaron-emigh-education.pps

Regards,
John Levine, [EMAIL PROTECTED], Primary Perpetrator of The Internet for Dummies,
Information Superhighwayman wanna-be, http://www.johnlevine.com, Mayor
"I dropped the toothpaste," said Tom, crestfallenly.



Re: $90 for high assurance _versus_ $349 for low assurance

2005-03-15 Thread John Levine
Does anyone have a view on what low and high means in this
context?  Indeed, what does assurance mean?

Just last week I was trying to figure out what the difference was
between a StarterSSL certificate for $35 (lists at $49 but you might
as well sign up for the no-commitment reseller price) and a QuickSSL
cert for $169.  If you look at the bits in the cert, they're nearly
identical, both signed by Geotrust's root.

As far as the verification they do, QuickSSL sends an e-mail to the
domain's contact address (WHOIS or one of the standard domain
addresses like webmaster), and if someone clicks through the URL, it's
verified.  StarterSSL even though it costs less has a previous
telephone step where you give them a phone number, they call you, and
you have to punch in a code they show you and then record your name.
Score so far: QuickSSL 0.001, StarterSSL 0.0015.

Both have various documents available with impressive certifications
from well-paid accountants, none of which mean anything I can tell.
Under some circumstances they might pay back some amount to someone
defrauded by a spoofed cert, but if anyone's figured out how to take
advantage of this, I'd be amazed.

Comodo, who sell an inferior variety of cert with a chained signature
(inferior because less software supports it, not because it's any less
secure), is slightly more demanding, although I stumped them with
abuse.net which isn't incorporated, isn't a DBA, and isn't anything
else other than me.  I invented some abuse.net stationery and faxed
them a letter assuring that I was in fact me, which satisfied them.

Back when I had a cert from Thawte, they wanted DUNS numbers which I
didn't have, not being incorporated nor doing enough business to get a
business credit rating, so they were satisfied with a fax of my county
business license, a document which, if I didn't have one, costs $25 to
get a real one, or maybe 15 minutes in Photoshop to make a fake one
good enough to fool a fax machine.  

I gather that the fancier certs do more intrusive checking, but I
never heard of any that did anything that might make any actual
difference, like getting business documents and then checking with the
purported issuer to see if they were real or, perish forbid, visiting
the nominal location of the business to see if anything is there.

So the short answer to what's the difference between a ten dollar cert
and a $350 cert is:   $340.

Next question?

Regards,
John Levine, [EMAIL PROTECTED], Primary Perpetrator of The Internet for Dummies,
Information Superhighwayman wanna-be, http://www.johnlevine.com, Mayor
"I shook hands with Senators Dole and Inouye," said Tom, disarmingly.



Re: Using crypto against Phishing, Spoofing and Spamming...

2004-07-18 Thread John Levine
But is it so harmful?  How much money is lost in a typical phishing
attack against a large US bank, or PayPal?

A lot.  According to people at the anti-phishing conference earlier
this year, six-figure losses are common, and seven-figure not unknown.

The kind of phishes we all see, trolling for credit card or ISP
account info with spam, are the lowest level kind.  The serious ones
carefully choose their targets, e.g., ebay sellers with very high
positive ratings, or people who live outside the US and have large US
bank accounts, and are more likely to send hundreds of messages than
millions.

Regards,
John Levine, [EMAIL PROTECTED], Primary Perpetrator of The Internet for Dummies,
Information Superhighwayman wanna-be, http://www.johnlevine.com, Mayor
A book is a sneeze. - E.B. White, on the writing of Charlotte's Web
