Re: [Cryptography] tamper-evident crypto? (was: BULLRUN)

2013-09-05 Thread Richard Clayton

In message, John Denker

To say the same thing the other way, I was always amazed that the
Nazis were unable to figure out that their crypto was broken during 
WWII.  There were experiments they could have done, such as sending
out a few U-boats under strict radio silence and comparing their 
longevity to others.

In fact the Nazis did have many suspicions that Enigma was compromised,
no more so (this from memory, the books with the fuller account are on a
shelf several thousand miles away from my current desk) than in the
Python incident where the Devonshire was sent to sink a German U-boat
refuelling boat ... and the Dorsetshire turned up at the same place by
chance and chipped in.

The subsequent German inquiry (two enemy ships appearing over the
horizon heading straight for your refuelling point in the middle of the
empty South Atlantic is deeply worrying) relied upon them reading our
North Atlantic convoy traffic (they were breaking Allied codes at that
point in the war) where they found no evidence of Enigma acquired
information being used to avoid U-boat movements. This was because their
inquiry happened to coincide with a short period during which we were
not reading their traffic!  The inquiry concluded that Enigma was not
broken (which was strictly correct at that moment) and it carried on
being used. Such are the random chances, good and bad, which occur in
the real world.

Of course there were improvements made to Enigma throughout the war both
to the hardware and also to operating procedures... it was harder to
break in 1945 than 1939.

So my question is:  What would we have to do to produce /tamper-evident/
data security?

As a preliminary outline of the sort of thing I'm talking about, you
could send an encrypted message that says 
  The people at 1313 Mockingbird Lane have an 
   enormous kiddie porn studio in their basement.
and then watch closely.  See how long it takes until they get raided.

you will have noted the requirement for some of the agencies who have
been given NSA material (such as telco metadata) to recreate it for the
benefit of their court cases ...

so you'd probably fail to observe any background activity that tested
whether this information was plausible or not (assuming that the NSA
considered this issue important enough to pursue); and then some chance
event would occur that caused someone from Law Enforcement (or even a
furnace maintenance technician) to have to look in the basement.

You'd be left saying "this proves it" and everyone else will be spending
their time commenting on whether your particular style of tinfoil hat
appeared sartorially suitable

richard  Richard Clayton

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. Benjamin Franklin


The cryptography mailing list

Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-26 Thread Richard Clayton

In message, Jerry Leichter writes

On the flip side, mail systems like gMail or Yahoo mail are complex and 
difficult to run *exactly because they are immense*.

The mail systems part is really rather simple... and pretty much looks
after itself. That's not where all the employees work.

  But what are they getting 
for that size?  There are no economies of scale here - in fact, there are 

... the economy of scale is in identifying and routing spam of various
kinds. Some can be detected a priori -- the majority of the detection
relies on feedback from users (the chances are that someone else got the
bad mail before you did, so it can be arranged that you are not bothered)

Even without the recent uproar over email privacy, at some point, someone was 
going to come up with a product along the following lines:  Buy a cheap, 
preconfigured box with an absurd amount of space (relative to the huge 
of space, like 10GB, the current services give you); then sign up for a 
that provides your MX record and on-line, encrypted backup space for a small 
monthly fee.  (Presumably free services to do the same would also appear, 
perhaps from some of the dynamic DNS providers.)  

Just what the world needs, more free email sending provision!  sigh

What's the value add of one of the giant providers?

If you run your own emails system then you'll rapidly find out what
2013's spam / malware problem looks like.

Just as success in crypto deployment isn't about algorithms or file
formats, success in mail handling isn't about MX records and MTAs.

richard  Richard Clayton




Re: street prices for digital goods?

2008-09-11 Thread Richard Clayton
In article [EMAIL PROTECTED], David Molnar

Dan Geer's comment about the street price of heroin as a metric for 
success has me thinking - are people tracking the street prices of 
digital underground goods over time?

up to a point... see the other responses

 The Symantec Threat Reports do seem 
to report advertised prices for a basket of goods, starting in Volume XI 
(March 2007) and running through the present. For example, Volume XI 
Table 3 states a Skype account is worth $12, valid Hotmail cookie $3, 
etc. These are interesting, 

yes :)

I've been thinking about this for some time -- I have found that it
makes for some interesting questions to corporate types presenting
"ain't it awful" PowerPoint slides that they don't quite understand :)

but it's hard to see changes since they're 
reported as a band of prices presumably aggregated from many different 

Indeed, but deeper than this, you have to ask yourself what the price

I'm curious because it would be interesting to look at the street 
price for a specific online bank's logins before and after the bank 
makes a change to its security practices.

exactly so ...   if the price of BoA cards was $2 and is now $1 does
this mean:

(a) production surplus -- so the scammers are cutting each other's
throats to offload their stashes

is this because the bank's security is rubbish?

is it because everyone has decided to attack this particular
bank under the assumption that it is _the_ Bank of America? or
because a new kit has come out for them to use

(b) consumption scarcity -- no-one wants to buy

is this because the bank's back-room operations are excellent
and so it is hard to extract value?

is it because the people who can cash the cards out have all the
cards they can handle at the moment?

(c) adulterated supply -- only one card in 800 is any good

it's sometimes claimed that the loss per card is around $800, so
if lots of the numbers don't work you need to reduce the price
per card

(d) incompetent pricing by the sellers

the real price should be much higher, but the sellers have been
persuaded that $1 is fair reward for their effort and so they
don't attempt to get any more for their goods

(e) incompetent pricing by the buyers

most cards are worthless because the bank's back room operations
are so good, but not all buyers have realised this so they

and probably (f)... onwards as well

viz: in the absence of evidence that an efficient market is operating
and without clear evidence of what price elasticity there is, it is
almost impossible to draw conclusions about bank (in)efficiency from
merely observing average prices :(

There's a similar issue relating to the relative cost of cards and
whole life details. The latter are more expensive, but perhaps only by
a factor of 10-20. Is this a reflection of restricted supply? or does it
reflect a paucity of buyers (you might use these details to scam the
cost of a medium-size dwelling) or that there are very few buyers who
are prepared to handle a specialist product...

There is undoubtedly an interesting econometrics paper to be written
here, but it will rely upon not only extensive data from the Underground
Economy but also on good data from a bank (or banks) -- and this is
impossible to obtain at present :(  One then needs to tease out enough
"almost the same but not quite" scenarios to be able to isolate the
various factors and thereby put some numbers to the model...

finally, does anyone happen to know of a good review of how the focus on 
street price has performed as a metric for drug interdiction?

it usually demonstrates that the police overpay :)

and that leads on to a further problem with the Underground Economy
monitoring. You are only seeing list prices and anyone in business
knows that you don't need to pay list price!

richard  Richard Clayton



Re: Levels of security according to the easiness to steal biometric data

2008-04-16 Thread Richard Clayton
In article [EMAIL PROTECTED], Danilo
Gligoroski [EMAIL PROTECTED] writes

For example, I guess that stealing information of
someone's face is easier than stealing information
about someone's fingerprints,
but stealing information about someone's retina
would be much harder.

if you meant retina then yes, but if you meant iris then no

richard  Richard Clayton



Re: ad hoc IPsec or similar

2007-06-21 Thread Richard Clayton
In article [EMAIL PROTECTED], Eugen Leitl

There's a rather ominous EU legislation to be passed soon,
which requires any party acting as a provider (you run anonymous
proxy, or mix cascade, you are a provider) to log all connection
info (when, who, with whom). What's the status of ad hoc IPsec
or any other TCP/IP-tunneling VPN for random endpoints?

(a) the EU legislation was actually passed well over a year ago

and applies to service providers so random endpoints will be
unlikely to be caught by its requirements.

(b) what the Directive exactly means is anyone's guess (the wording
shows a deep failure to understand how the Internet works), and it is
entirely clear that it will in practice mean different things in
different EU countries.

In the UK it's likely to only apply to large public ISPs -- and
retention will be restricted to records of who used which IP address,
email server records, and possibly web cache logs (possibly not, since
web caches may not be economic if the logs have to be retained)...

... the wikipedia page on the topic

... has information for other countries that looks fairly plausible from
what I know about their plans.

Note that the Directive also applies to phone calls ... and the
transposition of that into national laws is supposed to be completed by
October 2007; most countries have until March 2009 for Internet logs

richard  Richard Clayton



Re: Tamperproof, yet playing Tetris.

2007-01-07 Thread Richard Clayton
In article [EMAIL PROTECTED], Perry E. Metzger

Handheld Chip & Pin terminals for reading credit cards in the UK are
required to be tamperproof to avoid the possibility of people
suborning them. Here is a report from a group that has not merely
tampered with such a terminal, but has (as a demo) converted it into a
tetris game to demonstrate that they can make it do whatever they

I think the proof-of-concept has been slightly misunderstood :(

The terminal is intended to be tamperproof in that once you have messed
with it, it can no longer communicate with the bank. As far as I know
the terminal delivers on this -- hard to say, because I bought it from
eBay "as is" with no knowledge of who had used it before or what secrets
it contained [it's legally my terminal, but that's the end of my
involvement!  all the credit goes to Saar and Steven who had all the
ideas and did all of the work]

However, if you don't want your terminal to do payments but just wish to
use it to capture PINs then it's tamper-evidence that is needed: and
that requires not only fancy seals and such, but also training for the
general public, such that they know what to look for.  Also, mayhap,
training for the merchant's staff if the merchant isn't in on the scam
and the terminal's innards have been surreptitiously replaced.

Of course you could have a bog-standard PC playing Tetris ... but it
doesn't seem terribly likely that people would type their PIN on the
keyboard; hence the subverting of a genuine device to clearly make the
point that people have no idea what is a genuine terminal attached to a
genuine credit card network. They just type and trust -- and the real
story here is that the protocols are not end to end :( and hence a
man-in-the-middle can do a great deal more than would be desirable :(

Note also that without a payment going through for the card (there's
that tamperproof property again), the credit card company's fancy
pattern recognition schemes for spotting fraud have nothing to bite

... at least until all the fraud victims complain that not only are
there n unauthorised charges on their bill (which are being hotly
disputed because the PIN was used so they must be genuine) but ALSO
that there is one tell-tale missing charge, for the site at which the
Tetris playing (well, that might be a give-away!) terminal was used.

richard   Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary 
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755


Re: AOL Help : About AOL® PassCode

2005-01-07 Thread Richard Clayton
In article [EMAIL PROTECTED], Joerg Schneider

Florian Weimer wrote:
 I think you can forward the PassCode to AOL once the victim has
 entered it on a phishing site.  Tokens à la SecurID can only help if


 the phishing schemes *require* delayed exploitation of obtained
 credentials, and I don't think we should make this assumption.  Online
 MITM attacks are not prevented.

So, PassCode and similar forms of authentication help against the 
current crop of phishing attacks, but that is likely to change if 
PassCode gets used more widely and/or protects something of interest to 

as in the story of the two hunters and the bear ... the banks only need
to outrun another vulnerable target:

so making passive password/PIN collection ineffective and requiring
phishers to operate in real-time may be a sufficient win.

Actually I have been waiting for phishing with MITM to appear for some 
time (I haven't any yet - if somebody has, I'd be interested to hear 

I've been shown something similar last July ... which was, IIRC, a
PayPal phish where the web page you went to checked that the password it
was given was in fact valid.  It wasn't a full-scale MITM attack, but it
did have some real-time elements.

I haven't been bothering to look at phishing sites recently, so I don't
know if the technology to do this has become the general state of the
art, or if it was just one gang's unique coding style?

because it has some advantages for the attacker:

* he doesn't have to bother to (partially) copy the target web site

* easy to implement - plug an off-the-shelf mod_perl module for reverse 
proxy into your apache and add 10 minutes for configuration. You'll find 
the passwords in the log file. Add some simple filters to attack PassCode.

* more stealthy, because users see exactly, what they are used to, e.g. 
for online banking they see account balance etc. To attack money 
transfers protected by PassCode, the attacker could substitute account 
and amount and manipulate the server response to show what was entered 
by user.

this is the fundamental problem with using the passcode, the user is
signing just the single bit "I authorise" rather than the full bag of
bits {amount, payee, timestamp} ... as soon as you write out formally
what is going on the shortcoming is entirely obvious

Assuming that MITM phishing will begin to show up and agreeing that 
PassCode over SSL is not the solution - what can be done to counter 
those attacks?

Mutual authentication + establishment of a secure channel should do the 
trick. SSL with client authentication comes to my mind...

The problem with that is that people want (or at least think they want)
to use their online banking from home, from work and from a cybercafe
whilst they are on holiday or a business trip. Carting around the
credentials (and a secure way of checking them) is a non-starter

However, the banks could do a lot by starting to distinguish between
run-of-the-mill transactions: "pay my gas bill" and more sensitive ones
such as "set up a new payee" (or indeed "change my gas company to
Nigerian OilGas"). Insisting that the sensitive ones were only done
from the secured (and credential rich) home site would help.  They could
also check the IP address of the connection and form a view as to its
likely validity!

To rule out a MITM one might employ a secure side-channel (SMS text
message to one's mobile phone perhaps -- certainly a very plausible
approach in SMS-aware Europe) ... some banks are already using this; but
only as a cheap replacement for a SecurID :( ... so it's ineffective.

Now if Bill's browser could display the last six digits of the SSL key
then those could be compared with the SMS message and the customer would
know that they were safe ... the banks might even go for this
solution because it dumps the decision to go ahead (and hence the risk
as well) onto the customer :)

richard  Richard Clayton


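The shortcoming Richard describes, a one-time code that authorises a single bit rather than the bag of bits {amount, payee, timestamp}, can be written out in a few lines. The following is an added example, not code from the list, from AOL or from any bank: the token secret, the challenge, the transaction values and the 6-hex-digit code format are all constructed assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    """One online-banking payment as the customer submits it (constructed)."""
    amount_pence: int
    payee: str
    timestamp: int


def passcode(secret: bytes, challenge: bytes) -> str:
    """Hypothetical PassCode-style one-time code: it proves the customer holds
    the token, but the code is independent of the transaction it accompanies."""
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()[:6]


def transaction_code(secret: bytes, tx: Transfer) -> str:
    """Transaction-bound code: the MAC covers {amount, payee, timestamp}, so a
    relay that alters any of those fields also invalidates the code."""
    msg = f"{tx.amount_pence}|{tx.payee}|{tx.timestamp}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:6]


def bank_accepts_passcode(secret: bytes, challenge: bytes, code: str) -> bool:
    """Bank-side check for the plain one-time code: the submitted transaction
    is not an input, so whatever arrived with a valid code is executed."""
    return hmac.compare_digest(passcode(secret, challenge), code)


def bank_accepts_transaction_code(secret: bytes, code: str, tx: Transfer) -> bool:
    """Bank-side check for the bound code: recompute over the transaction the
    bank actually received and compare with what the customer sent."""
    return hmac.compare_digest(transaction_code(secret, tx), code)


def mitm_substitution_accepted(bind_to_transaction: bool) -> bool:
    """Model the reverse-proxy relay from the thread: the customer authorises
    a gas-bill payment, the relay forwards a different payee and amount.
    Returns True if the bank executes the substituted transaction."""
    secret = secrets.token_bytes(32)      # token secret shared with the bank
    challenge = secrets.token_bytes(16)   # per-login challenge (constructed)
    customer_tx = Transfer(4500, "GAS-CO", 1104796800)          # constructed
    forwarded_tx = Transfer(250000, "MULE-ACCOUNT", 1104796800)  # constructed
    if bind_to_transaction:
        code = transaction_code(secret, customer_tx)
        return bank_accepts_transaction_code(secret, code, forwarded_tx)
    code = passcode(secret, challenge)
    return bank_accepts_passcode(secret, challenge, code)
```

Running `mitm_substitution_accepted(False)` shows the bare one-time code still verifies against the altered transfer; binding the code to the transaction makes the same substitution fail verification.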

Re: Security clampdown on the home PC banknote forgers

2004-06-13 Thread Richard Clayton
hq1.NA.RSA.NET, Trei, Peter [EMAIL PROTECTED] writes

From the original article:

  The software relies on features built into leading 
  currencies. Latest banknotes contain a pattern of 
  five tiny circles. On the £20 note, they're disguised 
  as a musical notation, on the euro they appear in a 
  constellation of stars; on the new $20 note, the 
  pattern is hidden in the zeros of a background 
  pattern. Imaging software or devices detect the 
  pattern and refuse to deal with the image.

It would be interesting to figure out exactly what the
'don't copy' information is. If it's really just five
little circles, think of the fun you could have -

The circles act as a "do not copy" for recent models of colour
photocopier. They are NOT the mechanism involved in the latest round of
software detection by Adobe et al. ... hence the fun is limited :(

The circles have been on UK and EU notes for some time, you can also see
them all over the latest US $20 bill. It is suggested that there is more
information to be extracted from the way that the basic five circle
units are combined together (said to identify the issuing bank), but no
firm results are known.

Just the five circles on an otherwise blank sheet are definitely
sufficient to cause the particular copier experimented with to indicate
the presence of currency.  i.e.: it's all true :)

Markus Kuhn originally worked out the nature of the pattern in February
2002. It is now believed to have been invented by Omron, but this is
hearsay :( not something citable.

richard  Richard Clayton



Re: [camram-spam] Re: Microsoft publicly announces Penny Black PoW postage project

2003-12-30 Thread Richard Clayton
On Tue, 30 Dec 2003, Eric S. Johansson wrote:

  But using your spam size, , the slowdown factor becomes roughly
 73 times.  So they would need 73 machines running full tilt all the time
 to regain their old throughput.

Believe me, the professionals have enough 0wned machines that this is

On the flipside, it means the machines are burned faster.

only if the professionals are dumb enough to use the machines that are
making the stamps to actually send the email (since it is only the
latter which are, in practice, traceable)

 unfortunately, I think you are making some assumptions that are not fully
 warranted.  I will try to do some research and figure out the number of
 machines compromised.  The best No. I had seen to date was about 350,000.

It's at least an order of magnitude higher than this, possibly 2 orders,
thanks to rampaging worms with spamware installation payloads
compromising cablemodem- and adsl- connected Windows machines worldwide.

the list (recently demised) listed nearly 700K machines that
had been detected (allegedly) sending spam... so since their detection
was not universal it would certainly be more than 700K :(


and in these schemes, where does our esteemed moderator get _his_ stamps
from? Remember that not all bulk email is spam by any means...  or do
we end up with whitelists all over the place and the focus of attacks
moves to the ingress to the mailing lists :(

I never understand why people think spam is a technical problem :( let
alone a cryptographic one :-(

richard  Richard Clayton

