Re: Using crypto against Phishing, Spoofing and Spamming...

2004-07-18 Thread John Levine
>But is it so harmful?  How much money is lost in a typical phishing
>attack against a large US bank, or PayPal?

A lot.  According to people at the anti-phishing conference earlier
this year, six-figure losses are common, and seven-figure not unknown.

The kind of phishes we all see, trolling for credit card or ISP
account info with spam, are the lowest level kind.  The serious ones
carefully choose their targets, e.g., ebay sellers with very high
positive ratings, or people who live outside the US and have large US
bank accounts, and are more likely to send hundreds of messages than
millions.

Regards,
John Levine, [EMAIL PROTECTED], Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, Mayor
"A book is a sneeze." - E.B. White, on the writing of Charlotte's Web

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: $90 for high assurance _versus_ $349 for low assurance

2005-03-15 Thread John Levine
>Does anyone have a view on what "low" and "high" means in this
>context?  Indeed, what does "assurance" mean?

Just last week I was trying to figure out what the difference was
between a StarterSSL certificate for $35 (lists at $49 but you might
as well sign up for the no-commitment reseller price) and a QuickSSL
cert for $169.  If you look at the bits in the cert, they're nearly
identical, both signed by Geotrust's root.

As far as the verification they do, QuickSSL sends an e-mail to the
domain's contact address (WHOIS or one of the standard domain
addresses like webmaster), and if someone clicks through the URL, it's
verified.  StarterSSL even though it costs less has a previous
telephone step where you give them a phone number, they call you, and
you have to punch in a code they show you and then record your name.
Score so far: QuickSSL 0.001, StarterSSL 0.0015.

Both have various documents available with impressive certifications
from well-paid accountants, none of which mean anything I can tell.
Under some circumstances they might pay back some amount to someone
defrauded by a spoofed cert, but if anyone's figured out how to take
advantage of this, I'd be amazed.

Comodo, who sell an inferior variety of cert with a chained signature
(inferior because less software supports it, not because it's any less
secure) is slightly more demanding, although I stumped them with
abuse.net which isn't incorporated, isn't a DBA, and isn't anything
else other than me.  I invented some abuse.net stationery and faxed
them a letter assuring that I was in fact me, which satisfied them.

Back when I had a cert from Thawte, they wanted DUNS numbers which I
didn't have, not being incorporated nor doing enough business to get a
business credit rating, so they were satisfied with a fax of my county
business license, a document which, if I didn't have one, costs $25 to
get a real one, or maybe 15 minutes in Photoshop to make a fake one
good enough to fool a fax machine.  

I gather that the fancier certs do more intrusive checking, but I
never heard of any that did anything that might make any actual
difference, like getting business documents and then checking with the
purported issuer to see if they were real or, perish forbid, visiting
the nominal location of the business to see if anything is there.

So the short answer to what's the difference between a ten dollar cert
and a $350 cert is:   $340.

Next question?

Regards,
John Levine, [EMAIL PROTECTED], Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, Mayor
"I shook hands with Senators Dole and Inouye," said Tom, disarmingly.


Re: $90 for high assurance _versus_ $349 for low assurance

2005-03-20 Thread John Levine
>John, thanks for this fascinating report!

>Conclusion? `Not all CAs/certs are created equal`... therefore we
>should NOT automatically trust the contents of every certificate
>whose CA appears in the `root CA` list of the browser.

Although some certs make more intrusive checks, it all strikes me as
security theater.  In particular, although some of them make some
effort to verify that I am who I say I am, I don't see any of them
making any effort to verify that my web sites are what they say they
are.  It would be an interesting experiment to register, say,
PAYPAL-VERIFICATION.COM (which is available) with my own info in
WHOIS, then apply for a cert from Verisign saying that it's me, and
see if they ask if I'm Paypal.  My guess is that they wouldn't.

Treating CAs differently would be a fine idea if there were a real
difference, but $300 or $1000 still isn't anywhere close to what it
would cost to do a meaningful investigation of someone's identity.

I've been proposing for a while that we try industry-specific branded
certs.  The branding would put a logo in the signing cert (there's
already a field for it) and adjust browsers to display the signing
cert's logo in a place where users can't put anything else, e.g., the
corner that usually displays the IE "e" or Firefox bat.  Industry
specific means that the certs would be issued by a regulator or
industry association who already knows who the legitimate entities
are, such as the FDIC for banks in the US, so there's no extra step of
introducing the certified parties to the certifier.

The point of branding the signer is that you then have a single brand
that you want to tell people to look for, e.g. "Would you bank at an
office without the FDIC logo in the window?  Look for the same logo
on your bank's web site."

There remain some issues, notably how you keep fake signing certs out
of computers of people who will click the OK box in a window that says
"Harvest all your account numbers and steal all your money?"  But it
seems to me a reasonable approach to more credible online identity for
often-faked targets.

Regards,
John Levine, [EMAIL PROTECTED], Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, Mayor
"More Wiener schnitzel, please", said Tom, revealingly.
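
The check John guesses Verisign would not perform, that is, asking whether a requested name such as PAYPAL-VERIFICATION.COM resembles a well-known phishing target before issuing a cert for it, can be written down. What follows is an added example for this page, not code from the post and not any CA's actual vetting procedure; the brand list, the homoglyph table and the one-edit threshold are assumptions, and the sample names are constructed. It flags a name for a human to look at rather than deciding issuance itself, which is the cheap step the post argues nobody was taking.

```python
import re

# Brands whose names should trigger a human check before a cert is issued
# for any requested hostname that resembles them (assumed list).
PROTECTED_BRANDS = ("paypal", "ebay", "citibank")

# Digits and symbols commonly substituted for letters in lookalike names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                            "5": "s", "7": "t", "@": "a", "$": "s"})


def registrable_part(domain):
    """Drop the public suffix.  A single-label suffix (.com, .net) is
    assumed here; a real deployment would consult the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[:-1]) if len(labels) > 1 else labels[0]


def name_tokens(name):
    """Split on dots, hyphens and underscores, fold homoglyphs, and also
    return the whole name with separators removed so pay-pal reads as paypal."""
    parts = [p.translate(HOMOGLYPHS) for p in re.split(r"[.\-_]+", name) if p]
    return parts + ["".join(parts)]


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_matches(domain, brands=PROTECTED_BRANDS):
    """Return the protected brands the requested name resembles (sorted)."""
    hits = set()
    for tok in name_tokens(registrable_part(domain)):
        for brand in brands:
            if brand in tok:
                hits.add(brand)          # paypal-verification, securepaypal, pay-pal
            elif len(tok) >= 5 and edit_distance(tok, brand) <= 1:
                hits.add(brand)          # paypl, or paypa1 after the homoglyph fold
    return sorted(hits)


def needs_manual_review(domain, brands=PROTECTED_BRANDS):
    """The issuance gate: anything resembling a protected brand is held
    until a person confirms the applicant actually is that brand."""
    return bool(brand_matches(domain, brands))
```

Run against the name from the post, brand_matches("PAYPAL-VERIFICATION.COM") returns ["paypal"], while abuse.net and johnlevine.com pass clean. The substring test is deliberately generous, since the cost of a false positive is a phone call and the cost of a miss is a green padlock on a phishing site.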


Re: Some companies are just asking for it.

2005-06-23 Thread John Levine
>My girlfriend just got an (apparently legitimate from what I can tell)
>HTML email from her credit card company, complete with lots of lovely
>images and an exhortation to sign up for their new secure online
>"ShopSafe" service that apparently generates one time credit card
>numbers on the fly.

Shopsafe is rather nice.  I use it all the time, and it's written in
flash which works on my FreeBSD laptop.

On the other hand, MBNA's mail practices would be laughable if they
weren't entirely in line with every other bank in the country.  If you
read Dave Farber's IP list, a couple of days ago Bob Frankston sent in
an alarmed note saying that some info from his Bank of America account
had apparently been stolen and used in a phish, and I wrote to tell him
that no, the mail was real, from the service bureau they use which has
a name nobody outside the banking industry knows.

Aaron Emigh of Radix Labs wrote to tell me about a talk he gave
earlier this year at an Anti-Phishing Working Group meeting
on this topic, which starts with a set of examples of real bank mail
each of which looks phishier than the last.

This is 30MB due to the voiceover, but if you have a fast web
connection, it's worth running.  It needs Powerpoint:

 http://www.radixlabs.com/idtheft/aaron-emigh-education.pps

Regards,
John Levine, [EMAIL PROTECTED], Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, Mayor
"I dropped the toothpaste", said Tom, crestfallenly.


Re: Why Blockbuster looks at your ID.

2005-07-09 Thread John Levine
>Why does the clerk at Blockbuster want to see your driver's license?
>Because his management has been told, by their bank, that if they do
>not attempt to verify the identity of credit card users they will
>risk their business relationship with the bank.

It's been my impression that the way you're supposed to verify the ID
of a credit card user is by checking the signature.  I've heard of
banks telling businesses not to demand separate ID.  On the other
hand, I can easily believe that Blockbuster came up with the ID idea
all by themselves.

>A system in which the credit card was replaced by a small, calculator
>style token with a smartcard style connector could effectively
>eliminate most of the in person and over the net fraud we experience,

I was in England last week where I noticed that the banks are
switching all UK credit cards to chip+pin technology.  We'll see.  For
that matter, French cards have all been chip+pin for years.  Any idea
what their fraud rates are like?  The French card machines will do
magstripe with a signature, but it's mostly us foreigners who need it.

R's,
John


Re: Why Blockbuster looks at your ID.

2005-07-11 Thread John Levine
>| Not having to show ID may save annoyance, but it doesn't significantly
>| improve privacy.
>
>Most credit card issuers will happily give you extra cards, so your
>friends can spend your money.  In whatever name you want.  If you need
>to show ID, this can become, umm, complicated.

I dunno about your bank, but my credit card banks want the name,
relationship, and SSN for each extra card, and they tell me in various
ways that if I lend the card to anyone else, anything bad that happens
is my problem.


Re: PKI too confusing to prevent phishing, part 28

2005-09-27 Thread John Levine
In article <[EMAIL PROTECTED]> you write:
>
>
>Summary: some phishes are going to SSL-secured sites that offer up 
>their own self-signed cert. Users see the warning and say "I've seen 
>that dialog box before, no problem", and accept the cert. From that 
>point on, the all-important lock is showing so they feel safe.

I don't get it.  When you can get a free cert good for a month and
signed by Geotrust, why waste time with self-signed certs?  See
http://zblog.abuse.net for a sample.

R's,
John


Re: 'Virtual Card' Offers Online Security Blanket

2005-10-01 Thread John Levine
>Offered to holders of Citi, Discover and MBNA cards, these "virtual
>credit cards," or single-use card numbers, are designed to give some
>peace of mind to consumers concerned about credit card fraud.

I've been using MBNA's Shopsafe virtual cards for years.  They're
issued by a small flash application which, to my amazement, works just
fine in Firefox on FreeBSD.  Each card can only be used at a single
merchant, and you can either use them once or set them up to be good
for a year with a per transaction limit for subscriptions or places
where you do repeat business.

I've actually found them more useful for cancelling subscriptions than
for preventing fraud.  There are lots of places where it's easy to
sign up online and nearly (or actually) impossible to cancel.  Since I
give them virtual card numbers, I send them my cancel notice, then
turn off the card.  I can't ever recall an instance where they
cancelled my account as I requested before sending me an alarming
notice that they'd have to suspend my account because my card wasn't
good any more.

R's,
John
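
As an added model of the behaviour described in that message (each number bound to one merchant, either single-use or good for a year with a per-transaction limit, and the holder able to turn it off), the following is example code for this page, not MBNA's Shopsafe implementation or any issuer's real authorization logic. The card numbers, merchants, amounts and dates are constructed. The point it makes that the paragraph does not is the ordering of the checks and the fact that the merchant binding happens at first use, so a number skimmed from the merchant's database is worthless anywhere else.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class VirtualCard:
    number: str
    expires: date
    single_use: bool
    per_txn_limit: Optional[int] = None   # cents; None means no per-transaction cap
    merchant_id: Optional[str] = None     # set by the first approved charge
    used: bool = False
    active: bool = True
    history: List[Tuple[date, str, int]] = field(default_factory=list)


def authorize(card: VirtualCard, merchant_id: str, amount_cents: int,
              today: date) -> Tuple[bool, str]:
    """Issuer-side decision for one charge against a virtual number.
    Cheapest checks run first; the merchant binding is taken from the
    first approved charge and enforced on every later one."""
    if not card.active:
        return False, "turned off by cardholder"
    if today > card.expires:
        return False, "expired"
    if card.single_use and card.used:
        return False, "single-use number already spent"
    if card.merchant_id is not None and merchant_id != card.merchant_id:
        return False, "bound to a different merchant"
    if card.per_txn_limit is not None and amount_cents > card.per_txn_limit:
        return False, "over per-transaction limit"
    card.merchant_id = merchant_id
    card.used = True
    card.history.append((today, merchant_id, amount_cents))
    return True, "approved"


def turn_off(card: VirtualCard) -> None:
    """The cardholder's cancel button; needs no cooperation from the merchant."""
    card.active = False


def subscription_scenario() -> List[Tuple[bool, str]]:
    """Constructed walk-through of cancelling a subscription by killing the card."""
    card = VirtualCard(number="4111 1111 1111 1111", expires=date(2006, 10, 1),
                       single_use=False, per_txn_limit=1500)
    out = [authorize(card, "newsletter-co", 995, date(2005, 10, 1))]    # approved, binds merchant
    out.append(authorize(card, "other-store", 995, date(2005, 10, 2)))   # skimmed number, wrong merchant
    out.append(authorize(card, "newsletter-co", 4995, date(2005, 11, 1))) # surprise price increase
    out.append(authorize(card, "newsletter-co", 995, date(2005, 11, 1)))  # normal renewal
    turn_off(card)                                                        # holder sends cancel notice
    out.append(authorize(card, "newsletter-co", 995, date(2005, 12, 1)))  # next renewal bounces
    return out


def single_use_scenario() -> List[Tuple[bool, str]]:
    """Constructed walk-through of a one-shot number and a replay of it."""
    card = VirtualCard(number="4111 1111 1111 2222", expires=date(2006, 10, 1),
                       single_use=True)
    return [authorize(card, "one-off-shop", 2500, date(2005, 10, 1)),
            authorize(card, "one-off-shop", 2500, date(2005, 10, 1)),    # replayed charge
            authorize(card, "one-off-shop", 2500, date(2006, 10, 2))]    # past expiry as well
```

subscription_scenario() returns approved, wrong merchant, over limit, approved, turned off, in that order; the last result is exactly the "your card wasn't good any more" notice the post describes, produced on purpose.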


Re: automatic toll collection, was Japan Puts Its Money on E-Cash

2005-12-14 Thread John Levine
>> Some Americans, analysts note, are already using a version of e-
>> cash to bypass toll lanes on highways.

>Don't take that as a sign of consumer acceptance, though.  In
>Illinois, if you won't pre-pay your tolls in $40 increments, you will
>pay double the rate in cash at the tollbooth.

Here in the northeast where E-ZPass is much more established, the
discounts for using the pass are much smaller unless you get a
commuter plan, but they're extremely popular because they save a great
deal of time.  In New Jersey, they've redone several high-volume toll
plazas so the road splits with the right lanes going to toll booths
and the left lanes running under a grid of pass readers where you
don't even slow down.  The prepay increment is only $15.

> And the electronic system is anything but anonymous.

No argument there.  I always figured that I'll use my pass for normal
travel but wrap it in foil and pay cash when I'm disposing of my
political opponents' bodies.  "Couldn't have been me, my car has a
pass.  Look at all these toll logs."

R's,
John


Re: automatic toll collection, was Japan Puts Its Money on E-Cash

2005-12-15 Thread John Levine
> And, while there is a privacy issue, optical license plate readers
> are getting good enough that the issue may soon be moot.

Seems moot now.  The 407 toll road around Toronto has no toll booths
at all.  If you drive on it frequently, you can get a transponder but
otherwise, they take a picture of your plates, look you up, and mail
you a bill.  This does work -- I've gotten a bill for my NY car after
a trip.  The web site at http://www.407etr.com/ makes it clear that
the transponder is completely optional, and won't save you any money
unless you use it more than 7 times a year.  (The transponder costs
$2/mo and saves $3.45 per trip.)

The easiest way to get a transponder appears to be to drive on the
road, wait until you get a bill on which they will have assigned you
an account number, then use that number to log into their web site and
order one.

An article in Wikipedia says that congestion tolls in London (UK) are
also collected automatically by taking pictures of license plates.

R's,
John


Re: Get a boarding pass, steal someone's identity

2006-05-07 Thread John Levine
>  http://www.guardian.co.uk/idcards/story/0,,1766266,00.html
>
>The story may be exaggerated but it feels quite real. Certainly I've
>found similar issues in the past.

It sounds real to me, with an airline whose security is slightly but
not greatly worse than typical.  

I buy a lot of online tickets in the US and I believe that although I
can enter whatever frequent flyer number I want when I buy a ticket, I
always have to provide a PIN to get access to any history or account
info.  But I don't lose my PINs (being a bad user I use the same PIN
many places) so I haven't looked to see how hard it would be to fake
out the various password recovery schemes.

R's,
John


Re: Get a boarding pass, steal someone's identity

2006-05-09 Thread John Levine
>Have you noticed that airline tickets are once again de-facto  
>transferable?  If you print your own boarding pass at home, you can  
>digitally change the name on it before you print.

Lots of us have noticed that, print one version for the person at
security with a name that matches the ID, print another version for
the person at the gate with a name that matches the reservation and
the bar code.

But actually, you don't even have to do that.  When I travel with my
wife and daughter, whose names are completely unlike mine, I always
put the boarding passes in a stack with one of theirs on top and hand
the person my ID.  I would say at least half the time they don't even
bother to look and see if one of the other passes has a name that
matches the ID.

R's,
John


Re: A lack of US cryptanalytic security before Midway?

2006-09-08 Thread John Levine
>The conventional wisdom is that the successful US cryptanalytic efforts
>against Japanese naval codes was a closely-held secret.

Has the conventional wisdom forgotten that it was reported in the
Chicago Tribune in 1942?

See, for example, http://www.newseum.org/warstories/essay/secrecy.htm

Fortunately, the Navy Department had enough sense not to make a public
stink, and the Japanese evidently didn't read the Chicago paper.

R's,
John


Re: signing all outbound email

2006-10-03 Thread John Levine
  James A. Donald wrote:
> > > In order for [DKIM] to actually be any use, ...

>Anne & Lynn Wheeler wrote:
> > so what if an isp only signs email where ...

etc, etc.

You know, we've already had all these arguments on the DKIM mailing
list about a hundred times.  

It's true, just about everything that is wrong with DKIM is also wrong
with every other signature scheme.  The salient difference is that
DKIM sets its sights lower and is designed to be more easily
deployable so there is more of a chance that it can break out of the
ghetto where all the existing message signature schemes languish, and
at least increase the amount of mail that peoples' known
correspondents have signed.  Despite a great deal of misreporting and
wishful thinking, we do know that it is neither a magic bullet against
spam nor against phishing.

Rather than having the same old arguments yet again, how about reading
the list archives linked from
http://www.mipassoc.org/dkim/ietf-dkim.htm and at least argue about
something different?

Regards,
John Levine, [EMAIL PROTECTED], Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, Mayor
"More Wiener schnitzel, please", said Tom, revealingly.


Re: cellphones as room bugs

2006-12-13 Thread John Levine
>8Kbit/second is enough if all you need is to understand what is being
>said, not recognize the speaker.  The processing power to do this is
>pretty small on today's scale of things.)

With decent compression techniques, 8kbps is close to telephone
quality, and 2400bps has artifacts but is still quite clear.  There
are some nice examples at:

http://www.data-compression.com/speech.shtml

1kbps would be adequate for understandable speech, so I would expect
that a modern phone with megabytes for music storage could easily
store several days of voice-activated room bugging.

R's,
John


Re: Failure of PKI in messaging

2007-02-15 Thread John Levine
>Banks [use] a web interface, after the user logs in to their account.

>So, what's missing in the email PKI model is two-sidedness.
>Fairness.

Not really.  What's missing is, if you'll pardon the phrase, a central
point of failure.

If you can persuade everyone to use a single system, it's not hard to
make communication adequately secure.  Look at Hushmail; if you
believe that their internal processes are OK, you can set up an
account and communicate quite securely with other Hushmail users on
their web site, or for the more nerdy, you can use SSL IMAP and PGP to
communicate with their central site.  It's been limping along since
1999, I don't know anyone who uses it which says something about its
actual utility.

But that's not e-mail.  The great thing about Internet e-mail is that
vast numbers of different mail systems that do not know or trust each
other can communicate without prearrangement.  And of course the awful
thing about Internet e-mail is the same thing.  It's hard to see any
successful e-mail system in the future, secure or otherwise, that
doesn't do that, since Internet mail killed all of the closed systems
that preceded it.


Re: Failure of PKI in messaging

2007-02-15 Thread John Levine
>Suppose we have a messaging service that, like Yahoo, is
>also a single signon service, ...

Then you just change the attack model.

There are a bunch of sites that do various things with your address
book ranging from the toxic Plaxo which slurps it up and sends spam to
everyone in it masquerading as an address change message from you to
more reasonable ones like LinkedIn which offers controlled messaging
to friends of friends.

Since typing in address book info by hand is hard, a lot of them sync
with your existing Outlook addressbook via a plugin, and some of them
also offer to sync with your Yahoo or Gmail or Hotmail address
book.  What a bad idea -- those are single signon systems. If you've
ever bought anything at one of their hosted stores or use one of their
premium services, it's the same credential that lets people charge
stuff to your credit card.

It gets even messier.  Look at a configurable aggregator page like the
very spiffy Netvibes.  It has modules to check mail at AOL, MSN,
Yahoo, Gmail, and your POP provider, all conveniently remembering your
login info.  As far as I know Netvibes is reliable and competent, but
they have an extension API that lets anyone write extension modules
and offer them to Netvibes users.

I realize that readers of this list will use separate accounts for
financial info and free webmail, but the other 99.9% of people in
the world will be delighted that they only have one password to
write on a post-it rather than six.

It should be obvious why overloading phish protection onto this is an
equally bad idea -- it drops the security of the phish protection to
the security of the sleaziest aggregator module or address book site
that someone might use, and puts valuable financial and antiphish info
in the same security bucket as the three most recent subject lines
from your web mail.  Thanks, but no thanks.

R's,
John


Re: Failure of PKI in messaging

2007-02-15 Thread John Levine
> > If you can persuade everyone to use a single system,
> > it's not hard to make communication adequately secure.
> ...

>You are making the Katrina reaction "we need someone in
>charge". ...

Oh, not at all. I guess I wasn't clear.  To the extent that people use
a single system it can be secure, but that doesn't scale.  I have a
rule of thumb that any walled garden big enough to be interesting is
probably also big enough that bad guys have snuck in.

R's,
John


Re: Failure of PKI in messaging

2007-02-16 Thread John Levine
> >> Suppose we have a messaging service that, like Yahoo,
> >> is also a single signon service, ...
>
>  John Levine wrote:
> > Then you just change the attack model.

>My proposal closes off the major attack path, and leaves the trojan
>and virus attack path wide open.

It doesn't do anything about the obvious attack path of phishing
credentials from the users to stick bogus trusted entries into their
accounts.  My examples showed all sorts of benign looking situations
in which users provide their credentials to parties of unknown
identity or reliability.

R's,
John


Re: DNSSEC to be strangled at birth.

2007-04-05 Thread John Levine
>  The DHS has "requested the master key for the DNS root zone."

> Can anyone seriously imagine countries like Iran or China signing up
> to a system that places complete control, surveillance and
> falsification capabilities in the hands of the US' military
> intelligence?

For anyone who hasn't been paying attention, the root zone is
maintained by IANA which since February 2000 has been run by ICANN
under a contract with the US Department of Commerce.  DOC calls the
shots and always has.

I don't understand any better than anyone else why DHS sent out a
press release that can accomplish nothing but get people upset, but at
most this is a turf battle between two cabinet departments.  The war
was over seven years ago.

Regards,
John Levine, [EMAIL PROTECTED], Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, Mayor
"More Wiener schnitzel, please", said Tom, revealingly.


Re: hoofbeats of zebras, was DNSSEC to be strangled at birth.

2007-04-06 Thread John Levine
>You assume the new .net key (and what's signed with it) would be
>supplied to all users of the DNS, rather than used for a targeted
>attack on one user (or a small number of users).  Why assume the
>potential adversary will restrict himself to the dumbest possible way
>to use the new tools you're about to hand him?

I dunno about you, but if some part of the Federal government wanted
to mess with a particular target, it's much more likely they would
arrange for some large NSPs to do some adjusted BGP.  Or even more likely
some guys in suits would show up at Verisign and say, "We're from
[redacted] and we would appreciate it if you arranged for requests for
[redacted].net from network [redacted]/15 to resolve to [redacted] for
the next couple of weeks."

Personally, I like Paul's theory about the DHS dork with a press
release.  He doesn't understand zones or delegation or the root
servers or routing or anything else, but the signing key will let them
Take Control of this Vital Resource in case of National Emergency.
You know, like they did in New Orleans.

Regards,
John Levine, [EMAIL PROTECTED], Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, Mayor
"More Wiener schnitzel, please", said Tom, revealingly.


Re: 0wned .gov machines (was Re: Russian cyberwar against Estonia?)

2007-05-20 Thread John Levine
>I've heard nothing formal, but my strong understanding is a lot of US
>government machines, at least if we're talking workstations on
>non-classified nets, are in fact "0wn3d" at this point.

Well, here's an anecdote: at last year's CEAS conference, Rob Thomas
of Team Cymru gave the keynote on the underground economy, with a most
horrifying set of both live demos and selected snapshots of the online
bazaars where online warez are traded, everything from zombie farms to
spamware to stolen credit cards.  One of the more amusing was a guy
who offered a zombie in some part of the government that you'd hope
would be moderately secure, NASA or someplace like that, at a higher
than normal price.  The immediate response was ridicule, bots on
government nets are a dime a dozen, and aren't worth any more than any
other bot.

R's,
John


Re: 307 digit number factored

2007-05-23 Thread John Levine
>somewhere over the yrs the term "certification authority" was truncated
>to "certificate authority" ... along with some impression that 
>certificates are being sold (as opposed to certification processes).

When I pay $14.95 for a certificate, with the investigation of my bona
fides limited to clicking through a link in an e-mail, and answering
the phone*, entering a short code, and responding to a request to
state your name**, it sure seems to me like I'm buying a certificate.
The only reason I do it is that for that price it's cheaper than
explaining to people why the threat that web certs defend against is
stupid.

> getting totally rid of the need for domain name certificates ... DNS
> serving up both ip-addresses and public keys in single operation.

DKIM does that, you can get the MX and verification key for a domain.
But I wouldn't say that was a security improvement except insofar as
it makes the process easy enough that people are more likely to use it
than they are the more cumbersome systems like S/MIME.

R's,
John

* - any old phone, I've had them call random VoIP numbers in other
continents that I was experimenting with

** - so of course I say "your name".
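
John's remark that DKIM lets you fetch a domain's verification key from DNS refers to the key record a signer publishes as a TXT record at <selector>._domainkey.<domain> (RFC 6376, section 3.6.1). The parser below is an added example for this page, not code from the post or from any DKIM implementation. It assumes the DNS lookup has already been done and takes the TXT record's character-strings as input; it handles a revoked key (empty p=), the t=y testing flag, the t=s no-subdomains flag and unknown tags, and rejects records that are not DKIM1 or whose key is not valid base64. The selector and sample record are constructed and the p= value is a placeholder that merely starts like a DER SubjectPublicKeyInfo; it is not a real key.

```python
import base64
import re

# Tags defined for key records in RFC 6376 section 3.6.1; anything else is
# ignored rather than rejected, so future extensions don't break verifiers.
KNOWN_TAGS = {"v", "h", "k", "n", "p", "s", "t"}


def dkim_query_name(selector, domain):
    """Name a verifier looks up: <selector>._domainkey.<signing domain>."""
    return f"{selector}._domainkey.{domain.rstrip('.')}"


def parse_tag_list(record):
    """tag=value pairs separated by ';' (RFC 6376 section 3.2)."""
    tags = {}
    for item in record.split(";"):
        item = item.strip()
        if not item:
            continue                     # a trailing ';' is permitted
        name, sep, value = item.partition("=")
        name = name.strip()
        if not sep or not re.fullmatch(r"[A-Za-z][A-Za-z0-9_]*", name):
            raise ValueError(f"malformed tag: {item!r}")
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = re.sub(r"\s+", "", value)   # folding whitespace is not significant
    return tags


def parse_dkim_key_record(txt_chunks):
    """Interpret one TXT RDATA as a DKIM key record.

    txt_chunks is the list of <=255-byte character-strings the resolver
    returns for the record; they are concatenated before parsing.
    """
    tags = parse_tag_list("".join(txt_chunks))
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("not a DKIM1 key record")
    if "p" not in tags:
        raise ValueError("p= tag is required")
    revoked = tags["p"] == ""            # an empty p= means the key was revoked
    key_der = b"" if revoked else base64.b64decode(tags["p"], validate=True)
    flags = set(tags.get("t", "").split(":")) - {""}
    return {
        "key_type": tags.get("k", "rsa"),
        "key_der": key_der,                         # SubjectPublicKeyInfo, DER
        "revoked": revoked,
        "testing": "y" in flags,                    # signer is testing; do not penalise failures
        "strict_subdomain": "s" in flags,           # i= domain must equal d=, no subdomains
        "hash_algs": set(tags.get("h", "").split(":")) - {""},   # empty set means any
        "service_types": set(tags.get("s", "*").split(":")),
        "unknown_tags": sorted(set(tags) - KNOWN_TAGS),
    }


def is_usable_dkim_key(txt_chunks):
    """True only if the record parses and carries a live key."""
    try:
        return not parse_dkim_key_record(txt_chunks)["revoked"]
    except ValueError:                   # binascii.Error is a ValueError subclass
        return False


# Constructed sample: what a resolver might hand back for
# sel2007._domainkey.example.com, split across three character-strings.
# The p= value is a placeholder, not a real key.
SAMPLE_CHUNKS = [
    "v=DKIM1; k=rsa; t=y:s; h=sha256; ",
    "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA",
    "AAECAwQFBgcICQoLDA0ODw==",
]
```

parse_dkim_key_record(SAMPLE_CHUNKS) reports an RSA key in testing mode restricted to sha256 with no subdomain signing; a record of just "v=DKIM1; p=" parses but is reported revoked, which a verifier must treat as "no key", not as an error.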


Re: remote-attestation is not required (Re: The bank fraud blame game)

2007-07-03 Thread John Levine
>I do not believe the mentioned conflict exists.  The aim of these
>calculator-like devices is to make sure that no malware, virus etc can
>create unauthorized transactions.  The user should still be able to
>debug, and inspect the software in the calculator-like device, or
>virtual software compartment, just that installation of software or
>upgrades into that area should be under direct explicit user control.
>(eg with BIOS jumper required to even make any software change!)

In view of the number of people who look at an email message, click on
an attached ZIP file, rekey a file password in the message, and then
run the program in the file, thereby manually installing a virus, it's
way too dangerous to let users install any code at all on a security
device.

R's,
John

PS: Yes, they really do.  I didn't believe it either.


Re: remote-attestation is not required (Re: The bank fraud blame game)

2007-07-05 Thread John Levine
>I think you misread what I said about "BIOS jumper required install".
>
>Ie this is not a one click install from email.  It is something one
>user in 10,000 would even install at all!

If only.  If you can e-mail me a cool widget with directions I can
follow to install it, a virus can e-mail a million people a copy of
itself with installation instructions, too.  Passworded zip viruses
require considerable effort to install.  I was amazed how many people
do it.

Experience says that enough people will follow the instructions, no
matter how many dire warnings you give them, that anything that's user
programmable isn't a security device.

R's,
John


Re: unintended consequences?

2007-08-09 Thread John Levine
> Does that mean that the new fiber is less tappable?

Somehow, I suspect that Corning and the relevant authorities have been
in touch to work out any problems.

Corning is a politically very well connected company.  Amory Houghton,
a member of the family that has controlled the company since its
founding in 1851, was company CEO from 1965-84, and was then the
member of Congress from my district from 1986-2005.  His father was
CEO and later ambassador to France.  His grandfather was CEO and later
member of Congress and then ambassador to first Germany and later
Britain.  You get the idea.

R's,
John


Re: flavors of reptile lubricant, was Another Snake Oil Candidate

2007-09-13 Thread John Levine
I always understood snake oil crypto to refer to products that were of
no value to anyone, e.g., products that claim to have secret
unbreakable encryption, million bit keys, or "one time pads" produced
by PRNGs.

What we have here is something else, a product that is reasonable for
one kind of threat, physically losing it, oversold for a threat where
it's not, end to end security.

Seems to me that we need a different term for this category.  Of
course, given the nature of marketing departments, it may well
apply to all crypto products.

R's,
John




Re: Hushmail in U.S. v. Tyler Stumbo

2007-11-01 Thread John Levine
>Since email between hushmail accounts is generally PGPed.  (That is 
>the point, right?)

Hushmail is actually kind of a scam.  In its normal configuration,
it's in effect just webmail with an HTTPS connection and a long
password.  It will generate and verify PGP signatures and encryption
for mail it sends and receives, but they generate and maintain their
users' PGP keys.

There's a Java applet that's supposed to do end to end encryption, but
since it's with the same key that Hushmail knows, what's the point?




Re: Hushmail in U.S. v. Tyler Stumbo

2007-11-05 Thread John Levine
>I'm sorry, but that's a slur. Hushmail is not a scam. They do a very  
>good job of explaining what they do, what they cannot do, and against  
>which threats they protect.

Have you looked at Hushmail lately?  Before I sent that note, I signed
up for an account and sent myself a few messages to be sure I
understood what happens.  They really did generate a PGP key for me
when I signed up.  At least I think they did, the Java thingie that
was supposed to let me download a copy of the key didn't work, but the
mail arrived with a reasonable looking PGP signature.  It also let me
upload my public key for my regular address so Hushmail users can send
me PGP mail.

If you want Web mail that does PGP inbound and outbound, they do a
perfectly fine job, but I suspect that interception in transit isn't
the threat that most users are worried about.

As far as explaining what they do, here's a typical piece of blurbage
snipped from Hushmail's web site.

  By contrast, Hushmail keeps your online communications private and
  secure. Not even a Hushmail employee with access to our servers can
  read your encrypted email, since each message is uniquely encoded
  before it leaves your computer.

In fact they sent and received my mail through an https web site so
although it is encoded in transit (https from me to them, PGP from
them to the other end), it's in the clear at their end.

>You also mischaracterize the Hushmail system. The "classic" Hushmail  
>does not generate the keys

That may well be true, but that's not what I got when I signed up last
night.  Take a look, sign up for one of their free accounts, and see
if you agree with my description of what it does.

R's,
John



Re: Hushmail in U.S. v. Tyler Stumbo

2007-11-05 Thread John Levine
>In practice, the larger danger with email is that the high-profile
>threats to email security are on the client side.

Right.  I haven't used the end to end Java stuff, but I believe that
it works.  Unfortunately, when you go to sign up, what you get by
default is a version that is little more than plain old web mail, and
their signup process does not say "if you use the web mail we can read
all your mail and will provide it in plain text if subpoenaed."

That's what I take issue with, promoting web mail as though it were
secure end to end PGP.

R's,
John



Re: PlayStation 3 predicts next US president

2007-12-14 Thread John Levine
>The financial industry has actually created its own system - I forget
>the name, some like a Gold Bond Certification - that it requires for
>certain "high-importance" transactions (e.g., a document asserting you
>own some stock for which you've lost the certificates).

That's a medallion signature guarantee provided by a bank or similar
institution.  Unlike a notary, the guarantee means something, with
the institution accepting liability for forgery.

Not surprisingly, it's a rare bank who will do this for anyone who
isn't already a customer.  At my bank, the same person happens to be a
notary and the guarantee officer and she knows me, so she just asks which
stamp I want.

http://en.wikipedia.org/wiki/Medallion_signature_guarantee
http://www.sec.gov/answers/sigguar.htm



Re: patent of the day

2008-01-23 Thread John Levine
In article <[EMAIL PROTECTED]> you write:
>
>http://www.google.com/patents?vid=USPAT6993661

Gee, the inventor is Simson Garfinkel, who's written a bunch of books
including Database Nation, published in 2000 by O'Reilly, about all
the ways the public and private actors are spying on us.

I wonder whether this was research to see how hard it was to
get the PTO to grant an absurd patent.

R's,
John



Re: Fixing SSL (was Re: Dutch Transport Card Broken)

2008-02-06 Thread John Levine
>They can't be as "anonymous as cash" if the party being dealt with
>can be identified.  And the party can be identified if the
>transaction is "online, real-time".  Even if other clues are erased,
>there's still traffic analysis in this case.

If I show up at a store and pay cash for something every week, they
can still do traffic analysis on me ("oh him, he's a regular
customer") unless I go out of my way to obscure my routine like asking
other people to buy stuff for me.

It's not clear to me what the object of this argument is.  Yes, the
harder you work, the more difficult you can make it for other people
to tie your transactions to you.  This shouldn't be news to anyone.

R's,
John




Re: House o' Shame: Amtrak

2008-02-21 Thread John Levine
>  http://amtrak.bfi0.com/.

>Lesson for phishers: If you want your phish to seem more legit, outsource it
>to Bigfoot Interactive, which seems to lead back to Epsilon Agency Services,
>who specialise in... well, phishing, but for the good guys.  I bet the Russian
>Business Network could do it for less though :-).

Having dealt at length with people from BFI/Epsilon, I can confirm that
many of them are not the sharpest needles in the etui.

This problem is well known in the ESP (bulk mail for hire) industry,
and the better ones know how to deal with it.  If you are on Orbitz'
mailing list, for example, the mail comes from [EMAIL PROTECTED],
and the links in the mail all go to http://my.orbitz.com/whatever.  Do
a few DNS lookups and you'll find NS records from Orbitz that delegate
my.orbitz.com to Responsys, their ESP.  This is a straightforward and
effective way to manage the namespace for outsourced mail, and my
biggest question is why so many ESPs don't do it yet.

R's,
John



Re: delegating SSL certificates

2008-03-15 Thread John Levine
>Are there any options that don't involve adding a new root CA?

Assuming your sites all use subdomains of your company domain,
a wildcard cert for *.whatever might do the trick.  It's relatively
expensive, but you can use the same cert in all your servers.

>I would think this would be rather common, and I may have heard about
>certs that had authority to sign other certs in some circumstances...

They do exist, Comodo has sold certs signed that way, but I wouldn't
recommend it since the depth of chaining the browsers recognize varies
considerably.  My copy of Firefox doesn't accept many of Microsoft's
certs because the chaining is too deep.

Another possibility is just to pay to have your certs signed by one of
the public signers.  At the current going rate of $15, you can get a
lot of signatures for the cost of doing anything else.

R's,
John



Re: delegating SSL certificates

2008-03-16 Thread John Levine
>> So at the company I work for, most of the internal systems have
>> expired SSL certs, or self-signed certs.  Obviously this is bad.
>
>You only think this is bad because you believe CAs add some value.

Presumably the value they add is that they keep browsers from popping
up scary warning messages.  There are all sorts of reasonable
arguments to be made that the browsers are doing the wrong thing (and
the way that Microsoft prevents you from ever deleting any of their
preinstalled CA certs is among the wrongest.)

Nonetheless, unless we can persuade all the users in question to
adjust their browsers, which is always a losing battle, it's easier
just to pay the $15 protection money and get a CA signature.

Regards,
John Levine, [EMAIL PROTECTED], Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, ex-Mayor
"More Wiener schnitzel, please", said Tom, revealingly.



Re: delegating SSL certificates

2008-03-19 Thread John Levine
>| Presumably the value they add is that they keep browsers from popping
>| up scary warning messages
>Apple's Mail.app checks certs on SSL-based mail server connections.
>It has the good - but also bad - feature that it *always* asks for
>user approval if it gets a cert it doesn't like.

Good point -- other mail programs such as Thunderbird also pop up
the scary warnings.  I've paid the $15 protection money for the certs
on my mail servers.

R's,
John



Re: the joy of "enhanced" certs

2008-06-05 Thread John Levine
>An object lesson in this just fell in my lap -- I just got my first
>email from a spammer that links to a web site that uses such a cert,
>certified by a CA I've never heard of ("Starfield Technologies, Inc.")

Oh, you've heard of them, just not under that name.  It's GoDaddy.

The green bar certs cost $500 for one year, $800 for two years, which
make them way more expensive than the $25 normal ones, but still
impressively cheap considering the claims made for them.

>To be really sure, we'll make them fax said document in on genuine
>company letterhead, since no one can forge letterhead.

Now, now, their verification process apparently involves checking that
the name of the organization you provide exists in the relevant
business registry, so when you're picking a fake name, be sure to do a
few wildcard lookups at the NYS DOS web site first.  They say their
process is so stringent it can take as long as FOUR HOURS to issue
your cert.  Wow!

You know, when I got my first ordinary SSL cert, it cost about $200
and I had to mail all sorts of paper documentation to Thawte in North
Carolina.  Does anyone know when issuers stopped bothering to verify
anything?

R's,
John



Re: Kaminsky finds DNS exploit

2008-07-09 Thread John Levine
>However, we in the security circles don't need to spread the 
>"Kaminsky finds" meme.

Quite right.  Paul Vixie mentioned it in 1995, Dan Bernstein started
distributing versions of dnscache with randomized port and sequence
numbers in 2001.

>The take-away here is not that "Dan didn't discover the problem", but
>"Dan got it fixed". An alternate take-away is that IETF BCPs don't
>make nearly as much difference as a diligent security expert with a
>good name.

I suppose 13 years is kind of a long time, but better late than never.
It would be modestly interesting to learn what is different now that
motivated him to get people to fix it.


R's,
John



Re: Kaminsky finds DNS exploit

2008-07-14 Thread John Levine
>CERT/CC mentions this:
>
>| It is important to note that without changes to the DNS protocol, such
>| as those that the DNS Security Extensions (DNSSEC) introduce, these
>| mitigations cannot completely prevent cache poisoning.

Why wouldn't switching to TCP lookups solve the problem?  It's
arguably more traffic than DNSSEC, but it has the large practical
advantage that they actually work with deployed servers today.



Re: security questions

2008-08-10 Thread John Levine
> IIRC, it used personal data already available to DEC -- so they
> didn't have to ask their employees for it

That works great so long as the personal data is accurate.

Banks these days are supposed to verify your identity when you open an
account.  Online banks pull your credit report anyway, so they make up
some verification questions from historical info in the report.  I'm
regularly asked which of four street addresses I've lived at.

Unfortunately, in my case the correct answer is invariably "none of
them".  I'm part owner of a relative's house in New Jersey, and the
credit bureaus all are sure that since my name is on the deed, that
must be where I live.  So that's the address that shows up.  Adding to
the excitement, they often ask what city, to which the answer would
still be none of them even if I lived in that house.  It's in
Lawrenceville, but I guess it gets mail delivered from the Trenton
P.O. so the allegedly correct answer is Trenton.

It's not too hard for me to figure these out, but given the amount of
plain wrong info in credit reports, this approach must lead to some
pretty frustrating failures.

Regards,
John Levine, [EMAIL PROTECTED], Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, ex-Mayor
"More Wiener schnitzel, please", said Tom, revealingly.



Re: road toll transponder hacked

2008-08-26 Thread John Levine
>> > So, I believe, at least for E-Z Pass, the attack would have to include
>> > cloning the license plate and pictures may still be available whenever
>> > a victim realizes they have been charged for trips they did not take.

The 407 toll road in Toronto uses entirely automated toll collection.
They offer transponders (which, annoyingly, are the same system as
NY's EZ-Pass but don't interoperate) for commuters and trucks, but for
casual use by cars, it reads your plates and sends you a bill.

I can report from experience that when I use it with my NY plates, I
always get a bill a month or so later.

R's,
John



Re: road toll transponder hacked

2008-08-28 Thread John Levine
>> The relationship to this list may then be thin
>> excepting that the collection and handling of
>> such data remains of substantial interest.
>
>Actually, it points to cash settlement of road tolls.

That's not unknown.  On the Niagara Falls toll bridges, they have an
ETC system where you buy your transponder for cash at a toll booth and
refill it with cash.  I suppose they could take your picture and link
it to your license plate, but they can do that if you throw quarters
into the bin, too.

R's,
John



Re: Bitcoin P2P e-cash paper

2008-11-03 Thread John Levine
> As long as honest nodes control the most CPU power on the network,
> they can generate the longest chain and outpace any attackers.

But they don't.  Bad guys routinely control zombie farms of 100,000
machines or more.  People I know who run a blacklist of spam sending
zombies tell me they often see a million new zombies a day.

This is the same reason that hashcash can't work on today's Internet
-- the good guys have vastly less computational firepower than the bad
guys.

I also have my doubts about other issues, but this one is the killer.

R's,
John




Re: Proof of Work -> atmospheric carbon

2009-01-26 Thread John Levine
>Can't we just convert actual money in a bank account into bitbux --
>cheaply and without a carbon tax?  Please?

If only.  People have been saying for at least a decade that all we
have to do to solve the spam problem is to charge a small fee for
every message sent.  Unfortunately, there's a variety of reasons
that's never going to work.  One of the larger reasons is that despite
a lot of smart people working on micropayments, we have nothing
approaching a system that will work for billions of transactions per
day, where 90% of the purported payments are bogus, along with the
lack of any interface to the real world financial system that would
scale and withstand the predictable attacks.

My white paper could use a little updating, but the basic conclusions
remain sound:

http://www.taugh.com/epostage.pdf

R's,
John



Re: What EV certs are good for

2009-01-28 Thread John Levine
>> I just received a phishing email, allegedly from HSBC:
>>
>>Dear HSBC Member,

>So did the link have a EV cert?

Hardly matters.  HSBC has vast numbers of web servers all over the world,
some with EV certs, some without.

For example, their US customer site for deposit customers at
https://www.us.hsbc.com/ doesn't, but their site for credit cards at
https://www.hsbccreditcard.com/ does, although it's kind of hard to
tell because they tend to put you on a non-https page until you log
in.

R's,
John



Re: Proof of Work -> atmospheric carbon

2009-01-28 Thread John Levine
>(Also, it's not clear that a deterministic POW works well for an
>application like Bitcoin; it might let the owner of the fastest computer
>win every POW race, giving him too much power.)

Indeed.  And don't forget that through the magic of botnets, the bad
guys have vastly more compute power available than the good guys.

You know those crackpot ideas that keep showing up in snake oil crypto?
Well, e-postage is snake oil antispam.

R's,
John


Re: Proof of Work -> atmospheric carbon

2009-01-30 Thread John Levine
>>You know those crackpot ideas that keep showing up in snake oil crypto?
>>Well, e-postage is snake oil antispam.
>
>While I think this statement may be true for POW coinage, because for a bot
>net it "grows on trees", for money that traces back to the international
>monetary exchange system, it may not be completely true.

It's close enough to completely true.  Stealing postage via bots is
only one of multiple fatal problems.

I wrote this white paper in 2004; some of the details could stand a
little update but the conclusions are as clear as ever:

http://www.taugh.com/epostage.pdf

R's,
John



Re: Proof of Work -> atmospheric carbon

2009-01-30 Thread John Levine
>Richard Clayton and I claim that PoW doesn't work:
>http://www.cl.cam.ac.uk/~rnc1/proofwork.pdf

I bumped into Cynthia Dwork, who originally invented PoW, at a CEAS
meeting a couple of years ago, and she said she doesn't think it
works, either.

R's,
John



Re: UCE - a simpler approach using just digital signing?

2009-01-30 Thread John Levine
Hi.  One of the hats I wear is the chair of the Anti-Spam Research
Group of the Internet Research Task Force, which is down the virtual
hall from the IETF.

You know how you all feel when someone shows up with his super duper
new unbreakable crypto scheme?  Well, that's kind of how I feel here.
Dealing with spam is surprisingly subtle, a lot of smart people have
been thinking about it for a long time, and most new ideas turn out
to be old ideas with well known flaws or limitations.

> Consider the implications of a third field, or "trust token," which
> works like a "password" to fred's mail box.  Your mailer's copy of
> fred's email address would look like "fred#to...@example.com" where
> "token" was a field that was your own personal password to fred's
> mailbox.

It's not a bad idea.  Its best known implementation was done in 1996
by Robert Hall of AT&T Labs who called it Zoemail.  You can learn all
about it in US Patent 5,930,479.

This is the wrong place to go into detail about its limitations,
although it should be self-evident that if it were effective, sometime
in the past 13 years we'd have started using it.

You're all welcome in the ASRG, which has a wiki at
http://wiki.asrg.sp.am with pointers to the mailing list and other
resources.  One of our slow moving projects is a taxonomy of anti-spam
techniques, both ones that work and ones that don't work.  If you'd
like to contribute, drop me a note and I'll give you a password so you
can edit it.

Regards,
John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, ex-Mayor
"More Wiener schnitzel, please", said Tom, revealingly.



Re: UCE - a simpler approach using just digital signing?

2009-01-31 Thread John Levine
>That's basically what I'm using, just without the digital signature 
>part: each person/organisation/website/whatever gets a different email 
>address for communicating with me (qmail makes this easy to implement)

I do that too -- I bet half the people on this list do, and there's
lots of free and commercial services like Yahoo and Spamex who will
let you do it.  But it's not much of a solution to spam because it
requires significant manual work to maintain the addresses, and only
deals with places where you individually give them the address to send
mail to.

>Another scheme (that could be combined with the above one to solve only 
>the CC party problem) would be accepting only PGP mail and use a 
>manually updated white list

This has the same fundamental problem as Zoemail and any other white
list system.  It's really easy to implement a white list.  Unless your
name is Paypal, the amount of mail forging your address is vanishingly
small, and the utterly insecure From: line address works just fine for
practical purposes.  I use that to manage my 12 year old daughter's
mail.

But whitelists replace the spam problem with the equally intractable
introduction problem, deciding whether to accept the first message
from someone you don't know.  People have been thinking about that for
a long time (indeed, for millennia in contexts other than e-mail) and
the snarky comments I made yesterday about wonderful anti-spam ideas
apply here, too.

The ASRG is still eager to hear from people who want to do just about
anything related to spam other than hash over known-ineffective old
ideas. See http://wiki.asrg.sp.am.

R's,
John




Re: UCE - a simpler approach using just digital signing?

2009-02-01 Thread John Levine
>One idea I have not seen mentioned here (and which I have not yet
>encountered in RL, but only weird people send me email these days) is
>for the sending MTA to use pgp to encrypt mail using the recipient's
>public key, available on one of the key servers near you.

I don't understand what problem this is intended to solve.  Bad guys
can look up PGP keys just like good guys, so all this would accomplish
would be to fill your inbox with signed spam.

Perhaps it would be useful to make a section of the ASRG wiki in which
we describe the difference between the spam problem and the other
problems that people confuse with the spam problem, such as the
introduction problem and (more familiar to cryptographers) the
authentication problem, the interception problem, the non-repudiation
problem, and doubtless others that I can't think of just now.

R's,
John



Re: Security through kittens, was Solving password problems

2009-02-24 Thread John Levine
>you enter a usercode in the first screen, you are presented with a
>second screen to enter your password. The usercode is a mnemonic
>6-character code such as HB75RC (randomly generated, you receive from
>the server upon registration). Your password is freely chosen by you
>upon registration. That second screen also has something that you and
>the correct server know but that you did not disclose in the first
>screen --

This scheme is quite popular with banks.  I have at least three
accounts where I enter my user name in one screen, then on a second
password entry screen it shows me a picture chosen when I set up the
account along with a caption I wrote.  They have a large library of
pictures of cute animals, household appliances, and so forth.

Clever though this scheme is, man-in-the-middle attacks make it no
better than a plain SSL login screen.  Since the bad guy knows what
site you're trying to reach, he can use your usercode to fetch the
shared secret from the real site and present it to you on his fake
site.  It's true, the fake site won't have the same URL as the real
site, but if the security of this scheme still depends on people
scrutinizing the browser's address bar to be sure they're visiting the
site they think they are, how is this any better than an ordinary
kitten-free SSL login screen?

Another bank sent me a dongle that generates a timestamped six-digit
number that I use as part of the login.  Even with the dongle, MITM
attacks are still effective.  The bad guy can only steal one session
rather than a user's permanent credentials, but that's still plenty
to, e.g., wire money out of the country.

The only thing I've been able to come up with that seems even somewhat
secure is a USB dongle that plugs into your computer and can set up an
end-to-end encrypted channel with the bank, and that has a screen big
enough that once you've set up your transaction in your browser, the
bank then sends a description to the dongle to display on its screen,
and YES and NO buttons on the dongle itself.

Unless the screen and the buttons are physically part of the dongle,
you're still subject to MITM attacks.  But a dongle with a screen big
enough for my 87 year old father to read, and buttons big enough for
him to push reliably would be unlikely to fit on his keychain.  It's a
very hard problem.

Regards,
John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, ex-Mayor
"More Wiener schnitzel, please", said Tom, revealingly.




Re: Security through kittens, was Solving password problems

2009-02-25 Thread John Levine
>This means a site paying attention to such things could notice a
>change in IP address, or, if several users were attacked this way,
>notice repeated connections from the same IP. (Granted the MITM
>could distribute the queries over a botnet, but it raises the bar
>somewhat.)
>
>I have no idea if sites do such checks, just speculation on my part.

You're right, but it's not obvious to me how a site can tell an evil
MITM proxy from a benign shared web cache.  The sequence of page
accesses would be pretty similar. I suppose that you could hope that
legitimate HTTPS requests would come direct from the client machine,
so requests for multiple users on the same IP would be suspicious, but
on networks like AOL's, I wouldn't count on it working that way.

R's,
John



Re: CSPRNG algorithms

2009-05-01 Thread John Levine
>I have never seen a good catalog of computationally-strong
>pseudo-random number generators.

Chapter 3 of Knuth's TAOCP is all about pseudo-random number
generators, starting with a fine example of the wrong way to do it.
My copy is several thousand miles away but my recollection is that his
main advice was to stick to linear congruential PRNGs, perhaps with a
buffered postpass to scramble up the order or the results.

It's certainly a good place to start.

R's,
John

[Moderator's note: none of the generators in TAOCP are cryptographically
strong. They are fine for Monte Carlo simulations and such. --Perry]


Re: Kahn's "Seizing the Enigma" back in print -- with a catch

2009-08-14 Thread John Levine
>David Kahn's "Seizing the Enigma" is back in print.  However, it's
>only available from Barnes and Noble -- their publishing arm is doing
>the reprint.  According to the preface, the new edition corrects
>minor errors, but didn't give any details.

http://search.barnesandnoble.com/Seizing-the-Enigma/David-Kahn/e/9781435107915/?itm=1

We cheapskates can also find lots of used copies of the old edition
for $2.  I wonder how different it is.

http://www.alibris.com/booksearch?binding=&mtype=&keyword=Seizing+the+Enigma%3A+The+Race+to+Break+&hs.x=16&hs.y=11&hs=Submit



Re: Seizing the Enigma

2009-08-14 Thread John Levine
Speaking of seizing an Enigma, here's a picture of a handy one rotor
version I got at Bletchley Park.  The rotor flips over so there's two
possible rotors and the determined cryptographer can use multiple
rotors by making several passes manually over the data.

http://www.taugh.com/enigma.jpeg

You can order your own here:

http://www.bletchleypark.org.uk/shop/view_product.rhtm/130864/238505/detail.html

R's,
John



Re: Collection of code making and breaking machines

2009-10-20 Thread John Levine
>A bit too far for a quick visit (at least for me):
>http://news.bbc.co.uk/2/hi/uk_news/england/8241617.stm

Bletchley Park is always worth a visit, with or without a special
exhibit, as is the adjacent National Museum of Computing which houses
Colossus and a lot more interesting stuff.

An important difference between this museum and computer museums in
the US is that lots of the stuff works.  The rebuilt bombe actually
works.  The rebuilt Colossus actually works.  An impressive number of
the old computers in the NMC work, including a room of old personal
computers that are set up so you can use them.

Not at all coincidentally, Bletchley is an easy day trip from
Cambridge, Oxford, and London.  (That's why they put Bletchley Park at
Bletchley Park.)

R's,
John



Crypto dongles to secure online transactions

2009-11-08 Thread John Levine
At a meeting a few weeks ago I was talking to a guy from BITS, the
e-commerce part of the Financial Services Roundtable, about the way
that malware infected PCs break all banks' fancy multi-password logins
since no matter how complex the login process, a botted PC can wait
until you login, then send fake transactions during your legitimate
session.  This is apparently a big problem in Europe.

I told him about an approach to use a security dongle that puts the
display and confirmation outside the range of the malware, and
although I thought it was fairly obvious, he'd apparently never heard
it before.  When I said I'd been thinking about it for a while, he
asked if I could write it up so we could discuss it further.

So before I send it off, if people have a moment could you look at it
and tell me if I'm missing something egregiously obvious?  Tnx.

I've made it an entry in my blog at

http://weblog.johnlevine.com/Money/securetrans.html

Ignore the 2008 date, a temporary fake to keep it from showing up on
the home page and RSS feed.

R's,
John



Re: Crypto dongles to secure online transactions

2009-11-17 Thread John Levine
> So should or should not an embedded system have a remote management
> interface?

In this case, heck, no.  The whole point of this thing is that it is
NOT remotely programmable to keep malware out.

If you have a modest and well-defined spec, it is well within our
abilities to produce reliable code.  People write software for medical
devices and vehicle control which is not remotely updated, and both
our pacemakers and our cars are adequately reliable.  If you define
the spec carefully enough that you can expect to make a million
devices, the cost of even very expensive software is lost in the
noise.

R's,
John



Re: Crypto dongles to secure online transactions

2009-11-18 Thread John Levine
>> In this case, heck, no.  The whole point of this thing is that it is
>> NOT remotely programmable to keep malware out.
>
>Which is perhaps why it is not a good idea to embed an SSL engine in such
>a device.

Agreed.  A display and signing engine would be quite adequate.

>Such a device does however need to be able to support multiple mutually
>distrusting verifiers, thus the destination public key is managed by
>the untrusted PC + browser, only the device signing key is inside
>the trust boundary. A user should be able to enroll the same device
>with another "bank", ...

If you really need the ability to do that, I'd think it would be
better to make an expandable version into which you could plug each
bank's chip+pin cards, not try to invent a super-protocol for
downloading a bank's preferred keys.

R's,
John
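The transaction-signing scheme sketched in the 2009-11-08 post and narrowed to "a display and signing engine" in the reply above, as an added illustration that is not John's write-up or any bank's implementation. It assumes a per-device secret shared only by the dongle and the issuing bank, with HMAC standing in for the signing engine, and all names and values are constructed.

```python
import hashlib
import hmac
import json

# Constructed sample values: a per-device secret shared only by the dongle and the issuing
# bank (an HMAC key stands in for the signing engine) and the transaction the user intends.
DEVICE_ID = "dongle-0001"
DEVICE_KEY = b"constructed-per-device-secret-not-a-real-key"
INTENDED = {"payee": "Landlord", "amount": "850.00", "currency": "USD", "seq": 17}

def canonical(tx):
    """Deterministic encoding so the dongle and the bank sign/verify the same bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()

class Dongle:
    """Trusted side: its own display and confirm button; the key never leaves it."""
    def __init__(self, key):
        self._key = key
    def sign(self, tx, user_confirms):
        shown = canonical(tx)          # exactly what the device display shows
        if not user_confirms(shown):   # confirmation happens on the device, not the PC
            return None
        return hmac.new(self._key, shown, hashlib.sha256).digest()

class Bank:
    """Verifier: accepts a transaction only if the signature covers exactly it."""
    def __init__(self, device_keys):
        self._keys = device_keys
    def accept(self, device_id, tx, sig):
        expected = hmac.new(self._keys[device_id], canonical(tx), hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)

def user_checks_display(shown):
    """Models the user reading the dongle display and comparing it to their intent."""
    return json.loads(shown) == INTENDED

def session(to_dongle, to_bank):
    """Untrusted PC relays to_dongle to the device and to_bank to the bank; a bot can differ."""
    dongle, bank = Dongle(DEVICE_KEY), Bank({DEVICE_ID: DEVICE_KEY})
    sig = dongle.sign(to_dongle, user_checks_display)
    if sig is None:
        return "declined on device"
    return "accepted" if bank.accept(DEVICE_ID, to_bank, sig) else "rejected by bank"

def honest_pc():                      # same transaction reaches both sides
    return session(INTENDED, INTENDED)
def malware_swaps_after_confirm():    # payee replaced after the user confirmed on the dongle
    return session(INTENDED, dict(INTENDED, payee="Mule Account"))
def malware_shows_fake_on_device():   # fake sent to the dongle too; user sees it on the display
    return session(dict(INTENDED, payee="Mule Account"), dict(INTENDED, payee="Mule Account"))
```

The two malware cases show the two ways a botted PC can try to ride the session: altering the transaction after confirmation fails at the bank, and altering it before confirmation fails on the device's own display.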



Re: Crypto dongles to secure online transactions

2009-11-25 Thread John Levine
>we claimed we do something like two orders magnitude reduction in
>fully-loaded costs by going to no personalization (and other things)
>...

My concern with that would be that if everyone uses the same
signature scheme and token, the security of the entire industry
becomes dependent on the least competent bank in the country not
leaking the verification secret.

For something like a chip+pin system it is my understanding that the
signature algorithm is in the chip and different chips can use
different secrets and different algorithms, so a breach at one bank
need not compromise all the others.

R's,
John



Re: Five Theses on Security Protocols

2010-07-31 Thread John Levine
Nice theses.  I'm looking forward to the other 94.  The first one is a
nice summary of why DKIM might succeed in e-mail security where S/MIME
failed.  (Succeed as in, people actually use it.)

>2 A third party attestation, e.g. any certificate issued by any modern
>  CA, is worth exactly as much as the maximum liability of the third
>  party for mistakes. If the third party has no liability for
>  mistakes, the certification is worth exactly nothing. All commercial
>  CAs disclaim all liability.

Geotrust, to pick the one I use, has a warranty of $10K on their cheap
certs and $150K on their green bar certs.  Scroll down to the bottom
of this page where it says Protection Plan:

http://www.geotrust.com/resources/repository/legal/

It's not clear to me how much this is worth, since it seems to warrant
mostly that they won't screw up, e.g., leak your private key, and
they'll only pay to the party that bought the certificate, not third
parties that might have relied on it.

R's,
John



Re: Has there been a change in US banking regulations recently?

2010-08-13 Thread John Levine
>What on earth happened?  Was there a change in banking regulations in
>the last few months?

No, but we know that banks move in herds, and they mostly talk to each
other, not anyone with outside expertise.

More likely someone noticed that computers are a lot faster than they
were a decade ago, you can do all the crypto you want and your 8 core
3 GHz servers are still I/O bound, so the traditional folklore that
SSL is so slow you use it only where absolutely mandatory no longer
applies and you might as well use SSL on everything.  Then he went to
a meeting and told all his friends.

I've been noticing something similar at abuse.net, a service I run
where people can publish their domains' abuse contacts.  The folklore
in small credit unions is that you're supposed to hide your domain's
registration details using a proxy service, I think due to a
misreading of an old letter from the NCUA.  Earlier this year someone
at a meeting must have told them that it would be a good idea to
register with abuse.net, so I've been getting a stream of attempted
registrations from small credit unions with proxy registration, which
I reject.  About half of them get the hint, turn off the proxy, and
try again, the other half give up.

R's,
John



Re: Fw: [IP] Malware kills 154

2010-08-23 Thread John Levine
>> "Authorities investigating the 2008 crash of Spanair flight 5022
>> have discovered a central computer system used to monitor technical
>> problems in the aircraft was infected with malware"
>> 
>> http://www.msnbc.msn.com/id/38790670/ns/technology_and_science-security/?gt1=43001

This was very poorly reported.  The malware was on a ground system that
wouldn't have provided realtime warnings of the configuration problem
that caused the plane to crash anyway.

R's,
John
