Re: Fw: [IP] Malware kills 154

2010-08-23 Thread John Levine
 Authorities investigating the 2008 crash of Spanair flight 5022
 have discovered a central computer system used to monitor technical
 problems in the aircraft was infected with malware
 
 http://www.msnbc.msn.com/id/38790670/ns/technology_and_science-security/?gt1=43001

This was very poorly reported.  The malware was on a ground system that
wouldn't have provided realtime warnings of the configuration problem
that caused the plane to crash anyway.

R's,
John

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Re: Has there been a change in US banking regulations recently?

2010-08-13 Thread John Levine
What on earth happened?  Was there a change in banking regulations in
the last few months?

No, but we know that banks move in herds, and they mostly talk to each
other, not anyone with outside expertise.

More likely someone noticed that computers are a lot faster than they
were a decade ago, you can do all the crypto you want and your 8 core
3 GNz servers are still I/O bound, so the traditional folklore that
SSL is so slow you use it only where absolutely mandatory no longer
applies and you might as well use SSL on everything.  Then he went to
a meeting and told all his friends.

I've been noticing something similar at abuse.net, a service I run
where people can publish their domains' abuse contacts.  The folklore
in small credit unions is that you're supposed to hide your domain's
registration details using a proxy service, I think due to a
misreading of an old letter from the NCUA.  Earlier this year someone
at a meeting must have told them that it would be a good idea to
register with abuse.net, so I've been getting a stream of attempted
registrations from small credit unions with proxy registration, which
I reject.  About half of them get the hint, turn off the proxy, and
try again, the other half give up.

R's,
John

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Re: Five Theses on Security Protocols

2010-07-31 Thread John Levine
Nice theses.  I'm looking forward to the other 94.  The first one is a
nice summary of why DKIM might succeed in e-mail security where S/MIME
failed.  (Succeed as in, people actually use it.)

2 A third party attestation, e.g. any certificate issued by any modern
  CA, is worth exactly as much as the maximum liability of the third
  party for mistakes. If the third party has no liability for
  mistakes, the certification is worth exactly nothing. All commercial
  CAs disclaim all liability.

Geotrust, to pick the one I use, has a warranty of $10K on their cheap
certs and $150K on their green bar certs.  Scroll down to the bottom
of this page where it says Protection Plan:

http://www.geotrust.com/resources/repository/legal/

It's not clear to me how much this is worth, since it seems to warrant
mostly that they won't screw up, e.g., leak your private key, and
they'll only pay to the party that bought the certificate, not third
parties that might have relied on it.

R's,
John

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Re: Crypto dongles to secure online transactions

2009-11-25 Thread John Levine
we claimed we do something like two orders magnitude reduction in
fully-loaded costs by going to no personalization (and other things)
...

My concern with that would be that if everyone uses the the same
signature scheme and token, the security of the entire industry
becomes dependent on the least competent bank in the country not
leaking the verification secret.

For something like a chip+pin system it is my understanding that the
signature algorithm is in the chip and different chips can use
different secrets and different algorithms, so a breach at one bank
need not compromise all the others.

R's,
John

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Re: Crypto dongles to secure online transactions

2009-11-18 Thread John Levine
 In this case, heck, no.  The whole point of this thing is that it is
 NOT remotely programmable to keep malware out.

Which is perhaps why it is not a good idea to embed an SSL engine in such
a device.

Agreed.  A display and signing engine would be quite adequate.

Such a device does however need to be able to suppor multiple mutually
distrusting verifiers, thus the destination public key is managed by
the untrusted PC + browser, only the device signing key is inside
the trust boundary. A user should be able to enroll the same device
with another bank, ...

If you really need the ability to do that, I'd think it would be
better to make an expandable version into which you could plug each
bank's chip+pin cards, not try to invent a super-protocol for
downloading a bank's preferred keys.

R's,
John

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Re: Crypto dongles to secure online transactions

2009-11-17 Thread John Levine
 So should or should not an embedded system have a remote management
 interface?

In this case, heck, no.  The whole point of this thing is that it is
NOT remotely programmable to keep malware out.

If you have a modest and well-defined spec, it is well within our
abilities to produce reliable code.  People write software for medical
devices and vehicle control which is not remotely updated, and both
our pacemakers and are cars are adequately reliable.  If you define
the spec carefully enough that you can expect to make a million
devices, the cost of even very expensive software is lost in the
noise.

R's,
John

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Crypto dongles to secure online transactions

2009-11-08 Thread John Levine
At a meeting a few weeks ago I was talking to a guy from BITS, the
e-commerce part of the Financial Services Roundtable, about the way
that malware infected PCs break all banks' fancy multi-password logins
since no matter how complex the login process, a botted PC can wait
until you login, then send fake transactions during your legitimate
session.  This is apparently a big problem in Europe.

I told him about an approach to use a security dongle that puts the
display and confirmation outside the range of the malware, and
although I thought it was fairly obvious, he'd apparently never heard
it before.  When I said I'd been thinking about it for a while, he
asked if I could write it up so we could discuss it further.

So before I send it off, if people have a moment could you look at it
and tell me if I'm missing something egregiously obvious?  Tnx.

I've made it an entry in my blog at

http://weblog.johnlevine.com/Money/securetrans.html 

Ignore the 2008 date, a temporary fake to keep it from showing up on
the home page and RSS feed.

R's,
John

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Re: Collection of code making and breaking machines

2009-10-20 Thread John Levine
A bit too far for a quick visit (at least for me):
http://news.bbc.co.uk/2/hi/uk_news/england/8241617.stm

Bletchley Park is always worth a visit, with or without a special
exhibit, as is the adjacent National Museum of Computing which houses
Colossus and a lot more interesting stuff.

An important difference between this museum and computer museums in
the US is that lots of the stuff works.  The rebuilt bombe actually
works.  The rebuilt Collussus actually works.  An impressive number of
the old computers in the NMC work, including a room of old personal
computers that are set up so you can use them.

Not at all coincidentally, Bletchley is an easy day trip from
Cambridge, Oxford, and London.  (That's why they put Bletchley Park at
Bletchley Park.)

R's,
John

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Re: Kahn's Seizing the Enigma back in print -- with a catch

2009-08-14 Thread John Levine
David Kahn's Seizing the Enigma is back in print.  However, it's
only available from Barnes and Noble -- their publishing arm is doing
the reprint.  According to the preface, the new edition corrects
minor errors, but didn't give any details.

http://search.barnesandnoble.com/Seizing-the-Enigma/David-Kahn/e/9781435107915/?itm=1

We cheapskates can also find lots of used copies of the old edition
for $2.  I wonder how different it is.

http://www.alibris.com/booksearch?binding=mtype=keyword=Seizing+the+Enigma%3A+The+Race+to+Break+hs.x=16hs.y=11hs=Submit

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Re: Seizing the Enigma

2009-08-14 Thread John Levine
Speaking of seizing an Enigma, here's a picture of a handy one rotor
version I got at Bletchley Park.  The rotor flips over so there's two
possible rotors and the determined cryptographer can use multiple
rotors by making several passes manually over the data.

http://www.taugh.com/enigma.jpeg

You can order your own here:

http://www.bletchleypark.org.uk/shop/view_product.rhtm/130864/238505/detail.html

R's,
John

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Re: CSPRNG algorithms

2009-05-01 Thread John Levine
I have never seen a good catalog of computationally-strong
pseudo-random number generators.

Chapter 3 of Knuth's TAOCP is all about pseudo-random number
generators, starting with a fine example of the wrong way to do it.
My copy is several thousand miles away but my recollection is that his
main advice was to stick to linear congruential PRNGs, perhaps with a
buffered postpass to scramble up the order or the results.

It's certainly a good place to start.

R's,
John

[Moderator's note: none of the generators in TAOCP are cryptographically
strong. They are fine for Monte Carlo simulations and such. --Perry]
-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Re: Security through kittens, was Solving password problems

2009-02-25 Thread John Levine
This means a site paying attention to such things could notice a
change in IP address, or, if several users were attacked this way,
notice repeated connections from the same IP. (Granted the MITM
could distribute the queries over a botnet, but it raises the bar
somewhat.)

I have no idea if sites do such check, just speculation on my part.

You're right, but it's not obvious to me how a site can tell an evil
MITM proxy from a benign shared web cache.  The sequence of page
accesses would be pretty similar. I suppose that you could hope that
legitimate HTTPS requests would come direct from the client machine,
so requests for multiple users on the same IP would be suspicious, but
on networks like AOL's, I wouldn't count on it working that way.

R's,
John

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Re: Security through kittens, was Solving password problems

2009-02-24 Thread John Levine
you enter a usercode in the first screen, you are presented with a
second screen to enter your password. The usercode is a mnemonic
6-character code such as HB75RC (randomly generated, you receive from
the server upon registration). Your password is freely choosen by you
upon registration.That second screen also has something that you and
the correct server know but that you did not disclose in the first
screen --

This scheme is quite popular with banks.  I have at least three
accounts where I enter my user name in one screen, then on a second
password entry screen it shows me a picture chosen when I set up the
account along with a caption I wrote.  They have a large library of
pictures of cute animals, household appliances, and so forth.

Clever though this scheme is, man-in-the middle attacks make it no
better than a plain SSL login screen.  Since the bad guy knows what
site you're trying to reach, he can use your usercode to fetch the
shared secret from the real site and present it to you on his fake
site.  It's true, the fake site won't have the same URL as the real
site, but if the security of this scheme still depends on people
scrutinizing the browser's address bar to be sure they're visiting the
site they think they are, how is this any better than an ordinary
kitten-free SSL login screen?

Another bank sent me a dongle that generates a timestamped six-digit
number that I use as part of the login.  Even with the dongle, MITM
attacks are still effective.  The bad guy can only steal one session
rather than a user's permanent credentials, but that's still plenty
to, e.g., wire money out of the country.

The only thing I've been able to come up with that seems even somewhat
secure is a USB dongle that plugs into your computer and can set up an
end-to-end encrypted channel with the bank, and that has a screen big
enough that once you've set up your transaction in your browser, the
bank then sends a description to the dongle to display on its screen,
and YES and NO buttons on the dongle itself.

Unless the screen and the buttons are physically part of the dongle,
you're still subject to MITM attacks.  But a dongle with a screen big
enough for my 87 year old father to read, and buttons big enough for
him to push reliably would be unlikely to fit on his keychain.  It's a
very hard problem.

Regards,
John Levine, jo...@iecc.com, Primary Perpetrator of The Internet for Dummies,
Information Superhighwayman wanna-be, http://www.johnlevine.com, ex-Mayor
More Wiener schnitzel, please, said Tom, revealingly.




-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Re: UCE - a simpler approach using just digital signing?

2009-02-01 Thread John Levine
One idea I have not seen mentioned here (and which I have not yet
encountered in RL, but only weird people send me email these days) is
for the sending MTA to use pgp to encrypt mail using the recipient's
public key, available on one of the key servers near you.

I don't understand what problem this is intended to solve.  Bad guys
can look up PGP keys just like good guys, so all this would accomplish
would be to fill your inbox with signed spam.

Perhaps it would be useful to make a section of the ASRG wiki in which
we describe the difference between the spam problem and the other
problems that people confuse with the spam problem, such as the
introduction problem and (more familiar to cryptographers) the
authentication problem, the interception problem, the non-repudiation
problem, and doubtless others that I can't think of just now.

R's,
John

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Re: UCE - a simpler approach using just digital signing?

2009-01-31 Thread John Levine
That's basically what I'm using, just without the digital signature 
part: each person/organisation/website/whatever gets a different email 
address for communicating with me (qmail makes this easy to implement)

I do that too -- I bet half the people on this list do, and there's
lots of free and commercial services like Yahoo and Spamex who will
let you do it.  But it's not much of a solution to spam because it
requires significant manual work to maintain the addresses, and only
deals with places where you individually give them the address to send
mail to.

Another scheme (that could be combined with the above one to solve only 
the CC party problem) would be accepting only PGP mail and use a 
manually updated white list

This has the same fundamental problem as Zoemail and any other white
list system.  It's really easy to implement a white list.  Unless your
name is Paypal, the amount of mail forging your address is vanishingly
small, and the utterly insecure From: line address works just fine for
practical purposes.  I use that to manage my 12 year old daughter's
mail.

But whitelists replace the spam problem with the equally intractable
introduction problem, deciding whether to accept the first message
from someone you don't know.  People have been thinking about that for
a long time (indeed, for millenia in contexts other than e-mail) and
the snarky comments I made yesterday about wonderful anti-spam ideas
apply here, too.

The ASRG is still eager to hear from people who want to do just about
anything related to spam other than hash over known-ineffective old
ideas. See http://wiki.asrg.sp.am.

R's,
John


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Re: Proof of Work - atmospheric carbon

2009-01-30 Thread John Levine
You know those crackpot ideas that keep showing up in snake oil crypto?
Well, e-postage is snake oil antispam.

While I think this statement may be true for POW coinage, because for a bot
net it grows on trees, for money that traces back to the international
monetary exchange system, it may not be completely true.

It's close enough to completely true.  Stealing postage via bots is
only one of multiple fatal problems.

I wrote this white paper in 2004; some of the details could stand a
little update but the conclusions are as clear as ever:

http://www.taugh.com/epostage.pdf

R's,
John

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Re: Proof of Work - atmospheric carbon

2009-01-30 Thread John Levine
Richard Clayton and I claim that PoW doesn't work:
http://www.cl.cam.ac.uk/~rnc1/proofwork.pdf

I bumped into Cynthia Dwork, who originallyinvented PoW, at a CEAS
meeting a couple of years ago, and she said she doesn't think it
works, either.

R's,
John

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Re: UCE - a simpler approach using just digital signing?

2009-01-30 Thread John Levine
Hi.  One of the hats I wear is the chair of the Anti-Spam Research
Group of the Internet Research Task Force, which is down the virtual
hall from the IETF.

You know how you all feel when someone shows up with his super duper
new unbreakable crypto scheme?  Well, that's kind of how I feel here.
Dealing with spam is surprisingly subtle, a lot of smart people have
been thinking about it for a long time, and most new ideas turn out
to be old ideas with well known flaws or limitations.

 Consider the implications of a third field, or trust token, which
 works like a password to fred's mail box.  Your mailer's copy of
 fred's email address would look like fred#to...@example.com where
 token was a field that was your own personal password to fred's
 mailbox.

It's not a bad idea.  Its best known implementation was done in 1996
by Robert Hall of ATT Labs who called it Zoemail.  You can learn all
about it in US Patent 5,930,479.

This is the wrong place to go into detail about its limitations,
although it should be self-evident that if it were effective, sometime
in the past 13 years we'd have started using it.

You're all welcome in the ASRG, which has a wiki at
http://wiki.asrg.sp.am with pointers to the mailing list and other
resources.  One of our slow moving projects is a taxonomy of anti-spam
techniques, both ones that work and ones that don't work.  If you'd
like to contribute, drop me a note and I'll give you a password so you
can edit it.

Regards,
John Levine, jo...@iecc.com, Primary Perpetrator of The Internet for Dummies,
Information Superhighwayman wanna-be, http://www.johnlevine.com, ex-Mayor
More Wiener schnitzel, please, said Tom, revealingly.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Re: What EV certs are good for

2009-01-28 Thread John Levine
 I just received a phishing email, allegedly from HSBC:

Dear HSBC Member,

So did the link have a EV cert?

Hardly matters.  HSBC has vast numbers of web servers all over the world,
some with EV certs, some without.

For example, their US customer site for deposit customers at
https://www.us.hsbc.com/ doesn't, but their site for credit cards at
https://www.hsbccreditcard.com/ does, although it's kind of hard to
tell because they tend to put you on a non-https page until you log
in.

R's,
John

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Re: Proof of Work - atmospheric carbon

2009-01-28 Thread John Levine
(Also, it's not clear that a deterministic POW works well for an
application like Bitcoin; it might let the owner of the fastest computer
win every POW race, giving him too much power.)

Indeed.  And don't forget that through the magic of botnets, the bad
guys have vastly more compute power available than the good guys.

You know those crackpot ideas that keep showing up in snake oil crypto?
Well, e-postage is snake oil antispam.

R's,
John
 

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Re: Proof of Work - atmospheric carbon

2009-01-26 Thread John Levine
Can't we just convert actual money in a bank account into bitbux --
cheaply and without a carbon tax?  Please?

If only.  People have been saying for at least a decade that all we
have to do to solve the spam problem is to charge a small fee for
every message sent.  Unfortunately, there's a variety of reasons
that's never going to work.  One of the larger reasons is that despite
a lot of smart people working on micropayments, we have nothing
approaching a system that will work for billions of tranactions per
day, where 90% of the purported payments are bogus, along with the
lack of any interface to the real world financial system that would
scale and withstand the predictable attacks.

My white paper could use a little updating, but the basic conclusions
remain sound:

http://www.taugh.com/epostage.pdf

R's,
John

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Re: Bitcoin P2P e-cash paper

2008-11-03 Thread John Levine
 As long as honest nodes control the most CPU power on the network,
 they can generate the longest chain and outpace any attackers.

But they don't.  Bad guys routinely control zombie farms of 100,000
machines or more.  People I know who run a blacklist of spam sending
zombies tell me they often see a million new zombies a day.

This is the same reason that hashcash can't work on today's Internet
-- the good guys have vastly less computational firepower than the bad
guys.

I also have my doubts about other issues, but this one is the killer.

R's,
John


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: road toll transponder hacked

2008-08-28 Thread John Levine
 The relationship to this list may then be thin
 excepting that the collection and handling of
 such data remains of substantial interest.

Actually, it points to cash settlement of road tolls.

That's not unknown.  On the Niagara Falls toll bridges, they have an
ETC system where you buy your transponder for cash at a toll booth and
refill it with cash.  I suppose they could take your picture and link
it to your license plate, but they can do that if you throw quarters
into the bin, too.

R's,
John

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: road toll transponder hacked

2008-08-26 Thread John Levine
  So, I believe, at least for E-Z Pass, the attack would have to include
  cloning the license plate and pictures may still be available whenever
  a victim realizes they have been charged for trips they did not take.

The 407 toll road in Toronto uses entirely automated toll collection.
They offer transponders (which, annoyingly, are the same system as
NY's EZ-Pass but don't interoperate) for commuters and trucks, but for
casual use by cars, it reads your plates and sends you a bill.

I can report from experience that when I use it with my NY plates, I
always get a bill a month or so later.

R's,
John

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: security questions

2008-08-10 Thread John Levine
 IIRC, it used personal data already available to DEC -- so they
 didn't have to ask their employees for it

That works great so long as the personal data is accurate.

Banks these days are supposed to verify your identity when you open an
account.  Online banks pull your credit report anyway, so they make up
some verification questions from historical info in the report.  I'm
regularly asked which of four street addresses I've lived at.

Unfortunately, in my case the correct answer is invariably none of
them.  I'm part owner of a relative's house in New Jersey, and the
credit bureaus all are sure that since my name is on the deed, that
must be where I live.  So that's the address that shows up.  Adding to
the excitement, they often ask what city, to which the answer would
still be none of them even if I lived in that house.  It's in
Lawrenceville, but I guess it gets mail delivered from the Trenton
P.O. so the allegedly correct answer is Trenton.

It's not too hard for me to figure these out, but given the amount of
plain wrong info in credit reports, this approach must lead to some
pretty frustrating failures.

Regards,
John Levine, [EMAIL PROTECTED], Primary Perpetrator of The Internet for 
Dummies,
Information Superhighwayman wanna-be, http://www.johnlevine.com, ex-Mayor
More Wiener schnitzel, please, said Tom, revealingly.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Kaminsky finds DNS exploit

2008-07-14 Thread John Levine
CERT/CC mentions this:

| It is important to note that without changes to the DNS protocol, such
| as those that the DNS Security Extensions (DNSSEC) introduce, these
| mitigations cannot completely prevent cache poisoning.

Why wouldn't switching to TCP lookups solve the problem?  It's
arguably more traffic than DNSSEC, but it has the large practical
advantage that they actually work with deployed servers today.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Kaminsky finds DNS exploit

2008-07-09 Thread John Levine
However, we in the security circles don't need to spread the 
Kaminsky finds meme.

Quite right.  Paul Vixie mentioned it in 1995, Dan Bernstein started
distributing versions of dnscache with randomized port and sequence
numbers in 2001.

The take-away here is not that Dan didn't discover the problem, but
Dan got it fixed. An alternate take-away is that IETF BCPs don't
make nearly as much difference as a diligent security expert with a
good name.

I suppose 13 years is kind of a long time, but better late than never.
It would be modestly interesting to learn what is different now that
motivated him to get people to fix it.


R's,
John

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: delegating SSL certificates

2008-03-19 Thread John Levine
| Presumably the value they add is that they keep browsers from popping
| up scary warning messages
Apple's Mail.app checks certs on SSL-based mail server connections.
It has the good - but also bad - feature that it *always* asks for
user approval if it gets a cert it doesn't like.

Good point -- other mail programs such as Thunderbird also pop up
the scary warnings.  I've paid the $15 protection money for the certs
on my mail servers.

R's,
John

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: delegating SSL certificates

2008-03-16 Thread John Levine
 So at the company I work for, most of the internal systems have
 expired SSL certs, or self-signed certs.  Obviously this is bad.

You only think this is bad because you believe CAs add some value.

Presumably the value they add is that they keep browsers from popping
up scary warning messages.  There are all sorts of reasonable
arguments to be made that the browsers are doing the wrong thing (and
the way that Microsoft prevents you from ever deleting any of their
preinstalled CA certs is among the wrongest.)

Nonetheless, unless we can persuade all the users in question to
adjust their browsers, which is always a losing battle, it's easier
just to pay the $15 protection money and get a CA signature.

Regards,
John Levine, [EMAIL PROTECTED], Primary Perpetrator of The Internet for 
Dummies,
Information Superhighwayman wanna-be, http://www.johnlevine.com, ex-Mayor
More Wiener schnitzel, please, said Tom, revealingly.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: delegating SSL certificates

2008-03-15 Thread John Levine
Are there any options that don't involve adding a new root CA?

Assuming your sites all use subdomains of your company domain,
a wildcard cert for *.whatever might do the trick.  It's relatively
expensive, but you can use the same cert in all your servers.

I would think this would be rather common, and I may have heard about
certs that had authority to sign other certs in some circumstances...

They do exist, Comodo has sold certs signed that way, but I wouldn't
recommend it since the depth of chaining the browsers recognize varies
considerably.  My copy of Firefox doesn't accept many of Microsoft's
certs because the chaining is too deep.

Another possibility is just to pay to have your certs signed by one of
the public signers.  At the current going rate of $15, you can get a
lot of signatures for the cost of doing anything else.

R's,
John

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: House o' Shame: Amtrak

2008-02-21 Thread John Levine
  http://amtrak.bfi0.com/.

Lesson for phishers: If you want your phish to seem more legit, outsource it
to Bigfoot Interactive, which seems to lead back to Epsilon Agency Services,
who specialise in... well, phishing, but for the good guys.  I bet the Russian
Business Network could do it for less though :-).

Having dealt at length with people from BFI/Epsilon, I can confirm that
many of them are not the sharpest needles in the etui.

This problem is well known in the ESP (bulk mail for hire) industry,
and the better ones know how to deal with it.  If you are on Orbitz'
mailing list, for example, the mail comes from [EMAIL PROTECTED],
and the links in the mail all go to http://my.orbitz.com/whatever.  Do
a few DNS lookups and you'll find NS records from Orbitz that delegate
my.orbitz.com to Responsys, their ESP.  This is a straightforward and
effective way to manage the namespace for outsourced mail, and my
biggest question is why so many ESPs don't do it yet.

R's,
John

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Fixing SSL (was Re: Dutch Transport Card Broken)

2008-02-06 Thread John Levine
They can't be as anonymous as cash if the party being dealt with
can be identified.  And the party can be identified if the
transaction is online, real-time.  Even if other clues are erased,
there's still traffic analysis in this case.

If I show up at a store and pay cash for something every week, they
can still do traffic analysis on me (oh him, he's a regular
customer) unless I go out of my way to obscure my routine like asking
other people to buy stuff for me.

It's not clear to me what the object of this argument is.  Yes, the
harder you work, the more difficult you can make it for other people
to tie your transactions to you.  This shouldn't be news to anyone.

R's,
John


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: patent of the day

2008-01-23 Thread John Levine
In article [EMAIL PROTECTED] you write:

http://www.google.com/patents?vid=USPAT6993661

Gee, the inventor is Simson Garfinkel, who's written a bunch of books
including Database Nation, published in 2000 by O'Reilly, about all
the way the public and private actors are spying on us.

I wonder whether this was research to see how hard it was to
get the PTO to grant an absurd patent.

R's,
John

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: PlayStation 3 predicts next US president

2007-12-14 Thread John Levine
The financial industry has actually created its own system - I forget
the name, some like a Gold Bond Certification - that it requires for
certain high-importance transactions (e.g., a document asserting you
own some stock for which you've lost the certificates).

That's a medallion signature guarantee provided by a bank or similar
institution.  Unlike a notary, the guarantee means something, with
the institution accepting liability for forgery.

Not surprisingly, it's a rare bank bank who will do this for anyone who
isn't already a customer.  At my bank, the same person happens to be a
notary and the guarantee officer and she knows me, so she just asks which
stamp I want.

http://en.wikipedia.org/wiki/Medallion_signature_guarantee
http://www.sec.gov/answers/sigguar.htm

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: unintended consequences?

2007-08-09 Thread John Levine
 Does that mean that the new fiber is less tappable?

Somehow, I suspect that Corning and the relevant authorities have been
in touch to work out any problems.

Corning is a politically very well connected company.  Amory Houghton,
a member of the family that has controlled the company since its
founding in 1851, was company CEO from 1965-84, and was then the
member of Congress from my district from 1986-2005.  His father was
CEO and later ambassador to France.  His grandfather was CEO and later
member of Congress and then ambassador to first Germany and later
Britain.  You get the idea.

R's,
John


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: remote-attestation is not required (Re: The bank fraud blame game)

2007-07-03 Thread John Levine
I do not believe the mentioned conflict exists.  The aim of these
calculator-like devices is to make sure that no malware, virus etc can
create unauthorized transactions.  The user should still be able to
debug, and inspect the software in the calculator-like device, or
virtual software compartment, just that installation of software or
upgrades into that area should be under direct explicit user control.
(eg with BIOS jumper required to even make any software change!)

In view of the number of people who look at an email message, click on
an attached ZIP file, rekey a file password in the message, and then
run the program in the file, thereby manually installing a virus, it's
way too dangerous to let users install any code at all on a security
device.

R's,
John

PS: Yes, they really do.  I didn't believe it either.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: 307 digit number factored

2007-05-23 Thread John Levine
somewhere over the yrs the term certification authority was truncated
to certificate authority ... along with some impression that 
certificates are being sold (as opposed to certification processes).

When I pay $14.95 for a certificate, with the investigation of my bona
fides limited to clicking through a link in an e-mail, and answering
the phone*, entering a short code, and responding to a request to
state your name**, it sure seems to me like I'm buying a certificate.
The only reason I do it is that for that price it's cheaper than
explaining to people why the threat that web certs defend against is
stupid.

 getting totally rid of the need for domain name certificates ... DNS
 serving up both ip-addresses and public keys in single operation.

DKIM does that, you can get the MX and verification key for a domain.
But I wouldn't say that was a security improvement except insofar as
it makes the process easy enough that people are more likely to use it
than they are the more cumbersome systems like S/MIME.

R's,
John

* - any old phone, I've had them call random VoIP numbers in other
continents that I was experimenting with

** - so of course I say your name.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: 0wned .gov machines (was Re: Russian cyberwar against Estonia?)

2007-05-20 Thread John Levine
I've heard nothing formal, but my strong understanding is a lot of US
government machines, at least if we're talking workstations on
non-classified nets, are in fact 0wn3d at this point.

Well, here's an anecdote: at last year's CEAS conference, Rob Thomas
of Team Cymru gave the keynote on the underground economy, with a most
horrifying set of both live demos and selected snapshots of the online
bazaars where online warez are traded, everything from zombie farms to
spamware to stolen credit cards.  One of the more amusing was a guy
who offered a zombie in some part of the government that you'd hope
would be moderately secure, NASA or someplace like that, at a higher
than normal price.  The immediate response was ridicule, bots on
government nets are a dime a dozen, and aren't worth any more than any
other bot.

R's,
John

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: hoofbeats of zebras, was DNSSEC to be strangled at birth.

2007-04-06 Thread John Levine
You assume the new .net key (and what's signed with it) would be
supplied to all users of the DNS, rather than used for a targeted
attack on one user (or a small number of users).  Why assume the
potential adversary will restrict himself to the dumbest possible way
to use the new tools you're about to hand him?

I dunno about you, but if some part of the Federal government wanted
to mess with a particular target, it's much more likely they would
arrange for some large NSPs do some adjusted BGP.  Or even more likely
some guys in suits would show up at Verisign and say, We're from
[redacted] and we would appreciate it if you arranged for requests for
[redacted].net from network [redacted]/15 to resolve to [redacted] for
the next couple of weeks.

Personally, I like Paul's theory about the DHS dork with a press
release.  He doesn't understand zones or delegation or the root
servers or routing or anything else, but the signing key will let them
Take Control of this Vital Resource in case of National Emergency.
You know, like they did in New Orleans.

Regards,
John Levine, [EMAIL PROTECTED], Primary Perpetrator of The Internet for 
Dummies,
Information Superhighwayman wanna-be, http://www.johnlevine.com, Mayor
More Wiener schnitzel, please, said Tom, revealingly.


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: DNSSEC to be strangled at birth.

2007-04-05 Thread John Levine
  The DHS has requested the master key for the DNS root zone.

 Can anyone seriously imagine countries like Iran or China signing up
 to a system that places complete control, surveillance and
 falsification capabilities in the hands of the US' military
 intelligence?

For anyone who hasn't been paying attention, the root zone is
maintained by IANA which since February 2000 has been run by ICANN
under a contract with the US Department of Commerce.  DOC calls the
shots and always has.

I don't understand any better than anyone else why DHS sent out a
press release that can accomplish nothing but get people upset, but at
most this is a turf battle between two cabinet departments.  The war
was over seven years ago.

Regards,
John Levine, [EMAIL PROTECTED], Primary Perpetrator of The Internet for 
Dummies,
Information Superhighwayman wanna-be, http://www.johnlevine.com, Mayor
More Wiener schnitzel, please, said Tom, revealingly.


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Failure of PKI in messaging

2007-02-15 Thread John Levine
Suppose we have a messaging service that, like Yahoo, is
also a single signon service, ...

Then you just change the attack model.

There are a bunch of sites that do various things with your address
book ranging from the toxic Plaxo which slurps it up and sends spam to
everyone in it masquerading as an address change message from you to
more reasonable ones like LinkedIn which offers controlled messaging
to friends of friends.

Since typing in address book info by hand is hard, a lot of them sync
with your existing Outlook addressbook via a plugin, and some of them
also offer to sync with your Yahoo or or Gmail or Hotmail address
book.  What a bad idea -- those are single signon systems. If you've
ever bought anything at one of their hosted stores or use one of their
premium services, it's the same credential that lets people charge
stuff to your credit card.

It gets even messier.  Look at a configurable aggregator page like the
very spiffy Netvibes.  It has modules to check mail at AOL, MSN,
Yahoo, Gmail, and your POP provider, all conveniently remembering your
login info.  As far as I know Netvibes is reliable and competent, but
they have an extension API that lets anyone write extension modules
and offer them to Netvibes users.

I realize that readers of this list will use separate accounts for
financial info and free webmail, but the other 99.9% of people in
the world will be delighted that they only have one password to
write on a post-it rather than six.

It should be obvious why overloading phish protection onto this is an
equally bad idea -- it drops the security of the phish protection to
the security of the sleaziest aggregator module or address book site
that someone might use, and puts valuable financial and antiphish info
in the same security bucket as the three most recent subject lines
from your web mail.  Thanks, but no thanks.

R's,
John

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Failure of PKI in messaging

2007-02-15 Thread John Levine
  If you can persuade everyone to use a single system,
  it's not hard to make communication adequately secure.
 ...

You are making the Katrina reaction we need someone in
charge. ...

Oh, not at all. I guess I wasn't clear.  To the extent that people use
a single system it can be secure, but that doesn't scale.  I have a
rule of thumb that any walled garden big enough to be interesting is
probably also big enough that bad guys have snuck in.

R's,
John


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: cellphones as room bugs

2006-12-13 Thread John Levine
8Kbit/second is enough if all you need is to understand what is being
said, not recognize the speaker.  The processing power to do this is
pretty small on today's scale of things.)

With decent compression techniques, 8kbps is close to telephone
quality, and 2400bps has artifacts but is still quite clear.  There
are some nice examples at:

http://www.data-compression.com/speech.shtml

1kbps would be adequate for understandable speech, so I would expect
that a modern phone with megabytes for music storage could easily
store several days of voice-activated room bugging.

R's,
John

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: signing all outbound email

2006-10-03 Thread John Levine
  James A. Donald wrote:
   In order for [DKIM] to actually be any use, ...

Anne  Lynn Wheeler wrote:
  so what if an isp only signs email where ...

etc, etc.

You know, we've already had all these arguments on the DKIM mailing
list about a hundred times.  

It's true, just about everything that is wrong with DKIM is also wrong
with every other signature scheme.  The salient difference is that
DKIM sets its sights lower and is designed to be more easily
deployable so there is more of a chance that it can break out of the
ghetto where all the existing message signature schems languish, and
at least increase the amount of mail that peoples' known
correspondents have signed.  Despite a great deal of misreporting and
wishful thinking, we do know that it is neither a magic bullet against
spam nor against phishing.

Rather than having the same old arguments yet again, how about reading
the list archives linked from
http://www.mipassoc.org/dkim/ietf-dkim.htm and at least argue about
something different?

Regards,
John Levine, [EMAIL PROTECTED], Primary Perpetrator of The Internet for 
Dummies,
Information Superhighwayman wanna-be, http://www.johnlevine.com, Mayor
More Wiener schnitzel, please, said Tom, revealingly.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: A lack of US cryptanalytic security before Midway?

2006-09-08 Thread John Levine
The conventional wisdom is that the successful US cryptanalytic efforts
against Japanese naval codes was a closely-held secret.

Has the conventional wisdom forgotten that it was reported in the
Chicago Tribune in 1942?

See, for example, http://www.newseum.org/warstories/essay/secrecy.htm

Fortunately, the Navy Department had enough sense not to make a public
stink, and the Japanese evidently didn't read the Chicago paper.

R's,
John

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Get a boarding pass, steal someone's identity

2006-05-09 Thread John Levine
Have you noticed that airline tickets are once again de-facto  
transferable?  If you print your own boarding pass at home, you can  
digitally change the name on it before you print.

Lots of us have noticed that, print one version for the person at
security with a name that matches the ID, print another version for
the person at the gate with a name that matches the reservation and
the bar code.

But actually, you don't even have to do that.  When I travel with my
wife and daughter, whose names are completely unlike mine, I always
put the boarding passes in a stack with one of theirs on top and hand
the person my ID.  I would say at least half the time they don't even
bother to look and see if one of the other passes has a name that
matches the ID.

R's,
John


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Get a boarding pass, steal someone's identity

2006-05-07 Thread John Levine
  http://www.guardian.co.uk/idcards/story/0,,1766266,00.html

The story may be exaggerated but it feels quite real. Certainly I've
found similar issues in the past.

It sounds real to me, with an airline whose security is slightly but
not greatly worse than typical.  

I buy a lot of online tickets in the US and I believe that although I
can enter whatever frequent flyer number I want when I buy a ticket, I
always have to provide a PIN to get access to any history or account
info.  But I don't lose my PINs (being a bad user I use the same PIN
many places) so I haven't looked to see how hard it would be to fake
out the various password recovery schemes.

R's,
John


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: automatic toll collection, was Japan Puts Its Money on E-Cash

2005-12-15 Thread John Levine
 And, while there is a privacy issue, optical license plate readers
 are getting good enough that the issue may soon be moot.

Seems moot now.  The 407 toll road around Toronto has no toll booths
at all.  If you drive on it frequently, you can get a transponder but
otherwise, they take a picture of your plates, look you up, and mail
you a bill.  This does work -- I've gotten a bill for my NY car after
a trip.  The web site at http://www.407etr.com/ makes it clear that
the transponder is completely optional, and won't save you any money
unless you use it more than 7 times a year.  (The transponder costs
$2/mo and saves $3.45 per trip.)

The easiest way to get a transponder appears to be to drive on the
road, wait until you get a bill on which they will have assigned you
an account number, then use that number to log into their web site and
order one.

An article in Wikipedia says that congestion tolls in London (UK) are
also collected automatically by taking pictures of license plates.

R's,
John


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: automatic toll collection, was Japan Puts Its Money on E-Cash

2005-12-14 Thread John Levine
 Some Americans, analysts note, are already using a version of e-
 cash to bypass toll lanes on highways.

Don't take that as a sign of consumer acceptance, though.  In
Illinois, if you won't pre-pay your tolls in $40 increments, you will
pay double the rate in cash at the toolbooth.

Here in the northeast where E-ZPass is much more established, the
discounts for using the pass are much smaller unless you get a
commuter plan, but they're extremely popular because they save a great
deal of time.  In New Jersey, they've redone several high-volume toll
plazas so the road splits with the right lanes going to toll booths
and the left lanes running under a grid of pass readers where you
don't even slow down.  The prepay increment is only $15.

 And the electronic system is anything but anonymous.

No argument there.  I always figured that I'll use my pass for normal
travel but wrap it in foil and pay cash when I'm disposing of my
political opponents' bodies.  Couldn't have been me, my car has a
pass.  Look at all these toll logs.

R's,
John


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: PKI too confusing to prevent phishing, part 28

2005-09-27 Thread John Levine
In article [EMAIL PROTECTED] you write:
http://www.informationweek.com/story/showArticle.jhtml?articleID=171200010

Summary: some phishes are going to SSL-secured sites that offer up 
their own self-signed cert. Users see the warning and say I've seen 
that dialog box before, no problem, and accept the cert. From that 
point on, the all-important lock is showing so they feel safe.

I don't get it.  When you can get a free cert good for a month and
signed by Geotrust, why waste time with self-signed certs?  See
http://zblog.abuse.net for a sample.

R's,
John

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Some companies are just asking for it.

2005-06-23 Thread John Levine
My girlfriend just got an (apparently legitimate from what I can tell)
HTML email from her credit card company, complete with lots of lovely
images and an exhortation to sign up for their new secure online
ShopSafe service that apparently generates one time credit card
numbers on the fly.

Shopsafe is rather nice.  I use it all the time, and it's written in
flash which works on my FreeBSD laptop.

On the other hand, MBNA's mail practices would be laughable if they
weren't entirely in line with every other bank in the country.  If you
read Dave Farber's IP list, a couple of days ago Bob Frankston sent in
an alarmed note saying that some info from his Bank of America account
had apparently been stolen and used in a phish, and I wrote to tell him
that no, the mail was real, from the service bureau they use which has
a name nobody outside the banking industry knows.

Aaron Emigh of Radix Labs wrote to tell me about a talk he gave
earlier this year at an Anti-Phishing Working Group earlier this year
on this topic, which starts with a set of examples of real bank mail
each of which looks phishier than the last.

This is 30MB due to the voiceover, but if you have a fast web
connection, it's worth running.  It needs Powerpoint:

 http://www.radixlabs.com/idtheft/aaron-emigh-education.pps

Regards,
John Levine, [EMAIL PROTECTED], Primary Perpetrator of The Internet for 
Dummies,
Information Superhighwayman wanna-be, http://www.johnlevine.com, Mayor
I dropped the toothpaste, said Tom, crestfallenly.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: $90 for high assurance _versus_ $349 for low assurance

2005-03-15 Thread John Levine
Does anyone have a view on what low and high means in this
context?  Indeed, what does assurance mean?

Just last week I was trying to figure out what the difference was
between a StarterSSL certificate for $35 (lists at $49 but you might
as well sign up for the no-commitment reseller price) and a QuickSSL
cert for $169.  If you look at the bits in the cert, they're nearly
identical, both signed by Geotrust's root.

As far as the verification they do, QuickSSL sends an e-mail to the
domain's contact address (WHOIS or one of the standard domain
addresses like webmaster), and if someone clicks through the URL, it's
verified.  StarterSSL even though it costs less has a previous
telephone step where you give them a phone number, they call you, and
you have to punch in a code they show you and then record your name.
Score so far: QuickSSL 0.001, StarterSSL 0.0015.

Both have various documents available with impressive certifications
from well-paid accountants, none of which mean anything I can tell.
Under some circumstances they might pay back some amount to someone
defrauded by a spoofed cert, but if anyone's figured out how to take
advantage of this, I'd be amazed.

Comodo, who sell an inferior variety of cert with a chained signature
(inferior because less software supports it, not because it's any less
secure) is slightly more demanding, although I stumped then with
abuse.net which isn't incorporated, isn't a DBA, and isn't anything
else other than me.  I invented some abuse.net stationery and faxed
them a letter assuring that I was in fact me, which satisfied them.

Back when I had a cert from Thawte, they wanted DUNS numbers which I
didn't have, not being incorporated nor doing enough business to get a
business credit rating, so they were satisfied with a fax of my county
business license, a document which, if I didn't have one, costs $25 to
get a real one, or maybe 15 minutes in Photoshop to make a fake one
good enough to fool a fax machine.  

I gather that the fancier certs do more intrusive checking, but I
never heard of any that did anything that might make any actual
difference, like getting business documents and then checking with the
purported issuer to see if they were real or, perish forbid, visiting
the nominal location of the business to see if anything is there.

So the short answer to what's the difference between a ten dollar cert
and a $350 cert is:   $340.

Next question?

Regards,
John Levine, [EMAIL PROTECTED], Primary Perpetrator of The Internet for 
Dummies,
Information Superhighwayman wanna-be, http://www.johnlevine.com, Mayor
I shook hands with Senators Dole and Inouye, said Tom, disarmingly.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Using crypto against Phishing, Spoofing and Spamming...

2004-07-18 Thread John Levine
But is it so harmful?  How much money is lost in a typical phishing
attack against a large US bank, or PayPal?

A lot.  According to people at the anti-phishing conference earlier
this year, six-figure losses are common, and seven-figure not unknown.

The kind of phishes we all see, trolling for credit card or ISP
account info with spam, are the lowest level kind.  The serious ones
carefully choose their targets, e.g., ebay sellers with very high
positive ratings, or people who live outside the US and have large US
bank accounts, and are more likely to send hundreds of messages than
millions.

Regards,
John Levine, [EMAIL PROTECTED], Primary Perpetrator of The Internet for Dummies,
Information Superhighwayman wanna-be, http://www.johnlevine.com, Mayor
A book is a sneeze. - E.B. White, on the writing of Charlotte's Web

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]