Ross Anderson paper on fraud, risk and nonbank payment systems

2007-05-12 Thread Steve Schear
[Read the paper here: http://www.cl.cam.ac.uk/%7Erja14/Papers/nonbanks.pdf Very interesting stuff, but not likely new to most here.] The Federal Reserve commissioned me to research and write a paper on fraud, risk and nonbank payment systems. I found that phishing is facilitated by payment sy

Fwd: [gsc] Digital cache with extended features

2007-05-09 Thread Steve Schear
[Some interesting thinking going on. Wasn't there some similar ideas presented/published at a past FC conference?] Subject: [gsc] Digital cache with extended features Date: Sun, 06 May 2007 12:57:08 +0300 From: George Hara <[EMAIL PROTECTED]> Reply-To: [EMAIL PROTECTED] To: [EMAIL PROTECTED] I

Re: Was a mistake made in the design of AACS?

2007-05-05 Thread Steve Schear
At 07:50 AM 5/4/2007, Nicolas Williams wrote: On Thu, May 03, 2007 at 10:25:34AM -0700, Steve Schear wrote: > At 03:52 PM 5/2/2007, Ian G wrote: > >This seems to assume that when a crack is announced, all revenue > >stops. This would appear to be false. When cracks are an

Re: Was a mistake made in the design of AACS?

2007-05-04 Thread Steve Schear
At 03:52 PM 5/2/2007, Ian G wrote: Hal Finney wrote: Perry Metzger writes: Once the release window has passed, the attacker will use the compromise aggressively and the authority will then blacklist the compromised player, which essentially starts the game over. The studio collects revenue durin

Re: AACS and Processing Key

2007-05-04 Thread Steve Schear
At 11:32 AM 5/2/2007, Perry E. Metzger wrote: Anyone very familiar with AACS have ideas on what optimal attack and defense strategies are? This seems like a fertile new ground for technical discussion. Ed Felten wrote an excellent piece on AACS from the technical and economic/tactical standp

Re: Governance of anonymous financial services

2007-03-31 Thread Steve Schear
At 12:15 PM 3/30/2007, Hal Finney wrote: > If the backing is distributed among a multitude of holders (e.g., in a > fashion similar to how Lloyds backs their insurance empire), whose > identities are kept secret until audit time and then only a few, randomly > selected, names and claimed deposit

Re: Governance of anonymous financial services

2007-03-30 Thread Steve Schear
At 08:23 PM 3/29/2007, Allen wrote: Steve, I assume that you mean the owner of the on-line financial service when you say "operator," correct? In which case what exactly are the auditors going to be looking at when comes time to audit but the operator's identity, whereabouts, the servers and

Governance of anonymous financial services

2007-03-29 Thread Steve Schear
Here is the situation. An on-line financial service, for example a DBC (Digital Bearer Certificate), operator wishes his meat space identity, physical whereabouts, the transaction servers and at least some of the location(s) of the service's asset backing to remain secret. The service provide

Re: private credential/ecash thread on slashdot (Re: announce: credlib library with brands and chaum credentials)

2007-02-26 Thread Steve Schear
At 04:40 PM 2/20/2007, Adam Back wrote: There is quite some underinformed speculation as critique on the thread... Its interesting to see people who probably understand SSL, SMIME and stuff at least at a power user if not programmer level, try to make logical leaps about what must be wrong or li

New digital bearer cash site launched

2007-02-21 Thread Steve Schear
With the expiration of Chaum's key patents it was assumed that someone would step up and try their hand at launching a DBC-based financial service. Some time has passed and I'm happy to announce that this has finally happened. Taking a cue from the lively Digital Gold Currencies, eCache's firs

Re: It's a Presidential Mandate, Feds use it. How come you are not using FDE?

2007-01-19 Thread Steve Schear
At 03:57 PM 1/18/2007, Saqib Ali wrote: When is the last time you checked the code for the open source app that you "use", to make sure that it is written properly? When is the last time you carefully checked the code for a closed source app that you use? (Besides the one you mentioned to sta

Real-world password guessing

2007-01-18 Thread Steve Schear
http://dilbert.com/comics/dilbert/archive/dilbert-20070117.html http://dilbert.com/comics/dilbert/archive/dilbert-20070118.html - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED

Re: It's a Presidential Mandate, Feds use it. How come you are not using FDE?

2007-01-16 Thread Steve Schear
At 08:08 AM 1/16/2007, Steven M. Bellovin wrote: On Tue, 16 Jan 2007 07:56:22 -0800 Steve Schear <[EMAIL PROTECTED]> wrote: > At 06:32 AM 1/16/2007, Steven M. Bellovin wrote: Legal access is a special case -- what is the law (and practice) in any given country on forced access to

Re: It's a Presidential Mandate, Feds use it. How come you are not using FDE?

2007-01-16 Thread Steve Schear
At 06:32 AM 1/16/2007, Steven M. Bellovin wrote: Disk encryption, in general, is useful when the enemy has physical access to the disk. Laptops -- the case you describe on your page -- do fit that category; I have no quarrel with disk encryption for them. It's more dubious for desktops and *much

SC-based link encryption

2007-01-04 Thread Steve Schear
I haven't been following the smartcard scene for a while. I'm looking to create a low-cost and portable link encryptor, with D-H or similar key exchange, for lower <100kbps data speeds. Is this possible? Steve

Re: cellphones as room bugs

2006-12-03 Thread Steve Schear
At 07:21 AM 12/2/2006, Perry E. Metzger wrote: Quoting: The FBI appears to have begun using a novel form of electronic surveillance in criminal investigations: remotely activating a mobile phone's microphone and using it to eavesdrop on nearby conversations. BTW, its easy to thwar

Re: cellphones as room bugs

2006-12-03 Thread Steve Schear
At 07:21 AM 12/2/2006, Perry E. Metzger wrote: Quoting: The FBI appears to have begun using a novel form of electronic surveillance in criminal investigations: remotely activating a mobile phone's microphone and using it to eavesdrop on nearby conversations. The technique is cal

Re: fyi: On-card displays

2006-09-21 Thread Steve Schear
At 02:45 PM 9/20/2006, [EMAIL PROTECTED] wrote: Via Bruce Schneier's blog, flexible displays that can sit on smartcards. So we finally have an output mechanism that means you don't have to trust smartcard terminal displays: http://www.cr80news.com/library/2006/09/16/on-card-displays-become-realit

Re: NSA knows who you've called.

2006-05-18 Thread Steve Schear
At 08:05 AM 5/11/2006, Perry E. Metzger wrote: Let me again remind people that if you do not inform your elected representatives of your displeasure with this sort of thing, eventually you will not be in a position to inform them of your displeasure with this sort of thing. I think begging elec

Black Hole Encryption

2006-04-04 Thread Steve Schear
What happens to the quantum information ingested by a black hole? In 1997, Thorne and Hawking argued that information swallowed by a black hole is forever hidden, despite the fact that these dense objects do emit a peculiar kind of radiation and eventually evaporate. Preskill countered that for

Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

2005-10-25 Thread Steve Schear
At 11:14 AM 10/24/2005, cyphrpunk wrote: Note that e-gold, which originally sold non-reversibility as a key benefit of the system, found that this feature attracted Ponzi schemes and fraudsters of all stripes, and eventually it was forced to reverse transactions and freeze accounts. It's not cle

Re: [Clips] Read two biometrics, get worse results - how it works

2005-10-21 Thread Steve Schear
At 08:34 PM 10/19/2005, R.A. Hettinga wrote: A regular correspondent (thanks, you know who you are) points us to some calculations by John Daugman, originator of the Daugman algorithms for iris recognition. These ought to provide disturbing reading for Home Office Ministers who casually claim

Re: Cryptography Expert Paul Kocher Warns: Future DVDs Prime Target for Piracy, Pay TV Foreshadows Challenges

2004-04-22 Thread Steve Schear
At 10:40 AM 4/20/2004, R. A. Hettinga wrote: "While it's unfortunate that security on the current DVD format is broken and can't be reprogrammed, HD is what really matters. Once studios release high-definition content, there will be little or no distinction between studio-quality and consumer-quali

Re: Norwegian DVD Hacker Acquitted on Piracy Charges

2003-12-28 Thread Steve Schear
At 12:49 PM 12/22/2003, R. A. Hettinga wrote: In 2001, the 2nd U.S. Circuit Court of Appeals in New York said postings of the encryption program violated the 1998 federal Digital Millennium Copyright Act, which prohibits the circumvention of copy controls along with discussions on how to do so. I t

Microsoft publicly announces Penny Black PoW postage project

2003-12-28 Thread Steve Schear
http://news.bbc.co.uk/2/hi/technology/3324883.stm Adam Back is part of this team, I think. Similar approach to Camram/hashcash. Memory-based approaches have been discussed. Why hasn't Camram explored them? steve BTW, Penny Black stamp was only used briefly. It was the Penny Red which was
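The hashcash-style proof-of-work postage mentioned above, as an added Python example that is not code from Camram, the Penny Black project or the original post. It mints a stamp whose SHA-1 digest starts with a chosen number of zero bits and verifies it on the receiving side, including the checks a recipient actually needs (right resource, fresh date, enough work, not already spent). The field layout follows hashcash v1; the resource name, date and salt values are constructed for the demo.

```python
import base64
import hashlib
import os
from datetime import datetime, timezone
from typing import Optional, Set


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a hash digest."""
    count = 0
    for byte in digest:
        if byte == 0:
            count += 8
            continue
        count += 8 - byte.bit_length()
        break
    return count


def stamp_bits(stamp: str) -> int:
    """Work actually embodied in a stamp: leading zero bits of SHA-1(stamp)."""
    return leading_zero_bits(hashlib.sha1(stamp.encode("ascii")).digest())


def mint_stamp(resource: str, bits: int = 16, date: Optional[str] = None,
               rand: Optional[str] = None) -> str:
    """Search for a counter that makes SHA-1 of the stamp start with `bits` zero bits.

    Layout follows hashcash v1 (version:bits:date:resource:ext:rand:counter).
    The YYMMDD date and base64 salt are the usual fields (an assumption here).
    Expected cost is about 2**bits hashes for the sender, one hash for the verifier.
    """
    date = date or datetime.now(timezone.utc).strftime("%y%m%d")
    rand = rand or base64.b64encode(os.urandom(12)).decode("ascii")
    counter = 0
    while True:
        stamp = f"1:{bits}:{date}:{resource}::{rand}:{counter}"
        if stamp_bits(stamp) >= bits:
            return stamp
        counter += 1


def verify_stamp(stamp: str, resource: str, min_bits: int = 16,
                 spent: Optional[Set[str]] = None,
                 today: Optional[str] = None) -> bool:
    """Accept a stamp only if it is for us, fresh, expensive enough and unseen.

    `spent` is the recipient's double-spend database: one stamp pays for one
    message. `today` (YYMMDD) enforces freshness; a production verifier would
    accept a window of a few days so the spent database stays bounded.
    """
    fields = stamp.split(":")
    if len(fields) != 7 or fields[0] != "1":
        return False
    try:
        claimed_bits = int(fields[1])
    except ValueError:
        return False
    if claimed_bits < min_bits or fields[3] != resource:
        return False
    if today is not None and fields[2] != today:
        return False
    if stamp_bits(stamp) < claimed_bits:
        return False        # the stamp claims more work than it embodies
    if spent is not None:
        if stamp in spent:
            return False    # replayed stamp
        spent.add(stamp)
    return True


if __name__ == "__main__":
    s = mint_stamp("alice@example.com", bits=16)
    ok = verify_stamp(s, "alice@example.com")
    print(s, "->", "valid" if ok else "invalid")
```

The asymmetry is the whole point: minting at 16 bits costs the sender tens of thousands of hashes, while the recipient spends one hash plus a set lookup. The memory-bound variants the post asks about replace the hash search with a computation whose cost is dominated by cache misses, so that a fast CPU buys the spammer less; they are not shown here.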

re: The RIAA Succeeds Where the CypherPunks Failed

2003-12-20 Thread Steve Schear
At 12:39 PM 12/17/2003, Patrick Chkoreff on the [EMAIL PROTECTED] wrote: Well, Clay Shirky has done it again, writing a very insightful article on the current digital scene, this time on the unintended but beneficial consequences of RIAA's crackdown on file sharing. Here is one particularly telling

Fwd: Two interesting communication privacy tools

2003-12-14 Thread Steve Schear
From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] 1. Invisiblog http://invisiblog.com/ lets you publish a weblog using GPG and the Mixmaster anonymous remailer network. You don't ever have to reveal your identity - not even to us. You don't have to trust us, because we'll never know who you are. 2

Fwd: PhoneBook: Making your PC 'Police-Ready'

2003-12-14 Thread Steve Schear
From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [Wherein the author of Freemail reveals his latest project idea. Comments to the author are appreciated.] PhoneBook is a suite of Linux software that allows you to protect your privacy by creating encrypted filesystems, in such a way as to defend y

Fwd: "Bedazzled" Log-in Method Whitepaper

2003-11-25 Thread Steve Schear
"Bedazzled" Log-in Method Whitepaper Author: George Hara (http://www.filematrix.xnet.ro/ideas/whitepapers/login.htm) Introduction Using strings of characters as passwords has always been a security issue because they are hard to remember and can be stolen by key-loggers or screen-tex

Re: article on Rivest and Micali's Peppercoin system

2003-11-21 Thread Steve Schear
At 11:37 AM 11/17/2003 -0500, Steve Bellovin <[EMAIL PROTECTED]> wrote: http://www.technologyreview.com/articles/huang1203.asp A nice puff piece but it steers clear of well know, if not respected, prognosticators that poo-poo any near-term potential for micro-payments. Conspicuously absent is e-

Re: 'Smart stamps' next in war on terrorism

2003-11-16 Thread Steve Schear
"The postal notice itself says this is the first step to identify all senders, so this is not a matter of paranoia, this is reality. The post office is moving towards identification requirements for everyone," said Chris Hoofnagle, associate director of the Electronic Privacy Information Cente

Software protection scheme may boost new game sales

2003-10-11 Thread Steve Schear
Companies are using a new software protection system, called Fade, to protect their intellectual property from software thieves. Fade is being introduced by Macrovision, which specializes in digital rights management, and the British games developer Codemasters. What the program does is make unauth

Freenet fork appears likely (was Re: Gmane -- Re: Why is Freenet so sick at the moment?)

2003-10-07 Thread Steve Schear
On Sat, Oct 04, 2003 at 11:31:36PM -0700, Ian Clarke spake thusly: > I have never ever characterized Freenet as being anything other than in > development. If you don't like the fact that Freenet is taking so long > to perfect, then either help, or use Earth Station 5 - I hear it's great. You neve

hackers have broken into GPRS billing

2003-10-03 Thread Steve Schear
Some time today (October 2nd), the GPRS world will reveal that it has a security vulnerability which has seen an undisclosed number of its customers ripped off. They've been trapped into connecting to malicious content servers, by hackers penetrating the billing system. The first international

Re: Digital cash and campaign finance reform

2003-09-09 Thread Steve Schear
At 04:51 PM 9/8/2003 -0700, Joseph Ashwood wrote: - Original Message - From: "Steve Schear" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> [anonymous funding of politicians] > Comments? Simple attack: Bob talks to soon to be bought politic

RE: Code breakers crack GSM cellphone encryption

2003-09-08 Thread Steve Schear
hought to possess cellular spoofing equipment so targeted subscriber instruments can be captured by mobile "rogue" cell sites for fun stuff (I seem to recall Harris Communications made these). steve A foolish Constitutional inconsistency is the hobgoblin of freedom

Re: Code breakers crack GSM cellphone encryption

2003-09-08 Thread Steve Schear
attackers, not idle retirees or jealous teenagers. Not if they can type GNURadio into Google. steve A foolish Constitutional inconsistency is the hobgoblin of freedom, adored by judges and demagogue statesmen. - Steve Schear

Digital cash and campaign finance reform

2003-09-08 Thread Steve Schear
judges and demagogue statesmen. - Steve Schear

Re: JAP back doored

2003-09-02 Thread Steve Schear
http://www.heise.de/newsticker/data/jk-02.09.03-005/ German police have searched and seized the rooms (dorm?) of one of the JAP developers. They were on the look for data that was logged throughout the period when JAP had to log specific traffic. The JAP-people say that the seizure was not co

Hijacking .NET

2003-09-02 Thread Steve Schear
In the .NET Framework, it's possible to access a private member of any class -- your own, another developer's, or even the classes in the .NET Framework itself! Appleman demonstrates this with a great example that uses private members to get the list of groups that the current user is a member

Re: traffix analysis

2003-08-28 Thread Steve Schear
At 09:17 PM 8/27/2003 -0500, Anonymous wrote: It will often be possible to also trace the communication channel back through the crowd, by inserting delays onto chosen links and observing which ones correlate with delays in the data observed at the endpoint. This way it is not necessary to monitor
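The active delay-insertion attack described in the message above, simulated in an added Python example that is not part of the original post or of any cited paper. An attacker who can touch several candidate links holds packets on each one according to a distinct on/off pattern, then watches only the inter-arrival gaps at the endpoint and correlates them with each link's pattern; the link the flow really traverses stands out. The timing parameters, number of links and packet count are constructed assumptions.

```python
import math
import random
from typing import List, Sequence, Tuple


def pearson(xs: Sequence[float], ys: Sequence[float]) -> float:
    """Pearson correlation coefficient; 0.0 when either series is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / math.sqrt(sxx * syy) if sxx and syy else 0.0


def arrival_times(send_gaps: Sequence[float], held_by: Sequence[float],
                  jitter: float, rng: random.Random) -> List[float]:
    """Arrival timestamps (ms) at the endpoint.

    send_gaps: the sender's inter-packet gaps, unknown to the attacker
    held_by:   extra delay the attacker adds to each packet on the link it uses
    jitter:    maximum random network delay added to every packet
    """
    t, out = 0.0, []
    for gap, hold in zip(send_gaps, held_by):
        t += gap
        out.append(t + hold + rng.uniform(0.0, jitter))
    return out


def identify_link(observed: Sequence[float],
                  patterns: Sequence[Sequence[float]]) -> Tuple[int, List[float]]:
    """Which candidate link's delay pattern shows up in the endpoint timing?

    The attacker sees only inter-arrival gaps. Holding packet i by d_i shifts
    that one packet, so a pattern appears in the gaps as its first difference
    (d_i - d_{i-1}). Correlate the gaps with each link's differenced pattern
    and pick the strongest.
    """
    gaps = [b - a for a, b in zip(observed, observed[1:])]
    scores = []
    for p in patterns:
        diffed = [b - a for a, b in zip(p, p[1:])]
        scores.append(pearson(gaps, diffed))
    best = max(range(len(scores)), key=scores.__getitem__)
    return best, scores


def run_experiment(n_links: int = 4, n_packets: int = 200, true_link: int = 2,
                   hold_ms: float = 15.0, jitter_ms: float = 5.0,
                   seed: int = 1) -> Tuple[int, List[float]]:
    """Constructed scenario: the flow uses link `true_link`; the attacker does not know which."""
    rng = random.Random(seed)
    # Sender spacing 20-30 ms; hold_ms is kept below it so packets never reorder.
    send_gaps = [20.0 + rng.uniform(0.0, 10.0) for _ in range(n_packets)]
    # One independent random on/off delay pattern per link under attacker control.
    patterns = [[rng.choice([0.0, hold_ms]) for _ in range(n_packets)]
                for _ in range(n_links)]
    observed = arrival_times(send_gaps, patterns[true_link], jitter_ms, rng)
    return identify_link(observed, patterns)


if __name__ == "__main__":
    best, scores = run_experiment()
    for i, s in enumerate(scores):
        print(f"link {i}: correlation {s:+.3f}{'  <- flow goes here' if i == best else ''}")
```

With these numbers the true link scores around 0.95 while the others sit near zero, which is why the attacker needs to monitor only the endpoint and the links they can delay, not every node in the crowd. The defense that blunts this is per-hop batching or constant-rate padding that destroys the timing signal, at the cost of latency.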

Re: traffix analysis

2003-08-28 Thread Steve Schear
At 09:17 PM 8/27/2003 -0500, Anonymous wrote: > Then the opponent can put unlimited effort into > traffic analysis but won't get anything in return, > beyond the _a priori_ obvious fact that some pair > of subscribers *may* have communicated. This is not true, and in fact this result is one of the

Re: traffic analysis (was: blackmail / stego)

2003-08-27 Thread Steve Schear
At 01:01 PM 8/27/2003 -0700, Jim McCoy wrote: While IANL, it seems that the whole anonymity game has a flaw that doesn't even require a totalitarian regime. I would direct you to the various laws in the US (to pick a random example :) regarding conspiracy. Subscribing to an anonymity service mig

Re: Crypto Hygiene?

2003-08-22 Thread Steve Schear
At 04:45 PM 8/11/2003 -0400, dmolnar wrote: (also posted to sci.crypt in modified form) At Usenix Security, Eric Rescorla pointed out that some of the cryptographic flaws we have seen can be prevented by applying good "crypto hygiene." My questions for the floor -- * What is "good hygiene

Will 'Distributed Cloud' Network Structures Prevent Censorship?

2003-07-15 Thread Steve Schear
Bennett Haselton believes that de-centralized information storage and transmission systems - so called 'Distributed Cloud' networks like Peekabooty,

Grey-World

2003-07-09 Thread Steve Schear
An excellent site for those interested in tunneling, covert channels, network related steganographic methods developments. http://gray-world.net/ "There is no protection or safety in anticipatory servility." Craig Spencer

New toy: SSLbar

2003-06-24 Thread Steve Schear
http://sslbar.metropipe.net Enjoy. "A Jobless Recovery is like a Breadless Sandwich." -- Steve Schear

Session Fixation Vulnerability in Web Based Apps

2003-06-12 Thread Steve Schear
http://www.acros.si/papers/session_fixation.pdf "A Jobless Recovery is like a Breadless Sandwich." -- Steve Schear
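Session fixation, the vulnerability class of the paper linked above, shown in an added Python example (not code from the paper or the original post). An in-memory session store is written two ways: one that adopts whatever session id the client presents and keeps it across login, and one that ignores unknown ids and rotates the id at the moment of authentication. Both variants of the attack are played out, the attacker inventing an id and the attacker first obtaining a legitimately issued one; the credential table and id format are constructed for the demo.

```python
import secrets
from typing import Dict, Optional, Tuple

# Constructed credential store for the demo.
PASSWORDS = {"alice": "correct horse battery staple"}


class VulnerableSessionStore:
    """Adopts whatever session id the client presents and keeps it across login."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Dict[str, Optional[str]]] = {}

    def get_or_create(self, presented_sid: Optional[str]) -> str:
        # Flaw 1: an id the server never issued (from a cookie or ?sid=) is accepted.
        sid = presented_sid or secrets.token_urlsafe(32)
        self.sessions.setdefault(sid, {"user": None})
        return sid

    def login(self, sid: str, user: str, password: str) -> str:
        if PASSWORDS.get(user) != password:
            return sid
        # Flaw 2: the pre-authentication id is promoted to an authenticated one.
        self.sessions[sid]["user"] = user
        return sid

    def whoami(self, sid: str) -> Optional[str]:
        return self.sessions.get(sid, {}).get("user")


class HardenedSessionStore(VulnerableSessionStore):
    """Only server-issued ids are honoured, and the id is rotated at login."""

    def get_or_create(self, presented_sid: Optional[str]) -> str:
        if presented_sid in self.sessions:
            return presented_sid
        sid = secrets.token_urlsafe(32)       # ignore unknown client-chosen ids
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid: str, user: str, password: str) -> str:
        if PASSWORDS.get(user) != password:
            return sid
        self.sessions.pop(sid, None)          # whoever planted the old id loses it
        new_sid = secrets.token_urlsafe(32)   # fresh id at the privilege change
        self.sessions[new_sid] = {"user": user}
        return new_sid


def run_fixation_attack(store_cls, attacker_uses_issued_sid: bool
                        ) -> Tuple[Optional[str], Optional[str]]:
    """Play the attack; return (user the attacker is seen as, user the victim is seen as)."""
    store = store_cls()
    # 1. Attacker picks the id to fix: made up, or legitimately issued to them.
    fixed_sid = (store.get_or_create(None) if attacker_uses_issued_sid
                 else "attacker-chosen-id")
    # 2. Victim's browser arrives carrying the fixed id (e.g. via a crafted link).
    victim_sid = store.get_or_create(fixed_sid)
    # 3. Victim authenticates with the right password.
    victim_sid = store.login(victim_sid, "alice", PASSWORDS["alice"])
    # 4. Attacker replays the id they fixed.
    return store.whoami(fixed_sid), store.whoami(victim_sid)


if __name__ == "__main__":
    for cls in (VulnerableSessionStore, HardenedSessionStore):
        for issued in (False, True):
            attacker_view, victim_view = run_fixation_attack(cls, issued)
            print(f"{cls.__name__:23s} issued_sid={issued!s:5s} "
                  f"attacker sees: {attacker_view!s:5s} victim sees: {victim_view}")
```

Rejecting unknown ids closes the made-up-id variant, but on its own it does nothing against an attacker who first obtains a valid id from the server and plants that; only rotating the id at login (and dropping the old one) defeats both. Accepting ids from URL parameters at all should also go, since that is the easiest planting channel.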