Re: Creativity and security

2006-03-27 Thread brucee
regardingg the XXXing on receipts it turns out that things aren't
as grim as i thought.  i anlayzed the checksum algorithm and if
you are missing n digits there are 10^(n-1) clashes.

i verified this with a brute force program.

but in the photograph the card scenario ... if one digit is
blurry then you still win because 10^(n-1) is 1.

if two are unknown then mr nasty could try buying stuff from
10 diferent sites.

brucee

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Creativity and security

2006-03-23 Thread brucee
Blanking out all but the last 4 digits is foolish.  The last is a checksum
and the first four are determined by the merchant.  This greatly reduces
the possibilities for the other 8 digits.  I'd rather just Bank Name or even
the first 4 digits.  (I know that amex use only 15, even worse.)

brucee

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Motorist wins case after maths whizzes break speed camera code

2005-08-10 Thread brucee
The facts are very scrambled but I like it.
The brief TV reports from lawyers were more factual.

Motorist wins case after maths whizzes break speed camera code

Sydney Morning Herald
By Andrew Clark
August 11, 2005

A team of Chinese maths enthusiasts have thrown NSW's speed cameras
system into disarray by cracking the technology used to store data
about errant motorists.

The NRMA has called for a full audit of the way the state's 110
enforcement cameras are used after a motorist escaped a conviction by
claiming that data was vulnerable to hackers.

A Sydney magistrate, Laurence Lawson, threw out the case because the
Roads and Traffic Authority failed to find an expert to testify that
its speed camera images were secure.

The motorist's defence lawyer, Denis Mirabilis, argued successfully
that an algorithm known as MD5, which is used to store the time, date,
place, numberplate and speed of cars caught on camera, was a
discredited piece of technology.

Mr Mirabilis yesterday said he had received more than 100 inquiries
from motorists anxious to use the same defence. People have shown it
[the algorithm] has been hacked and it's open to viruses.

Designed in the early 1990s by an American academic, MD5 safeguards
against tampering by turning information into a 128-bit sequence of
digits. However, researchers from China's Shandong University have
proved it is possible to store conflicting pieces of information as
the same MD5 sequence.

Nick Ellsmore, an encryption expert at the consultancy SIFT, said this
theoretically meant the RTA could change the speed at which a car was
recorded and retain the same code.

Since the research came out, we've been recommending that clients
move away from MD5 and we've certainly recommended that people don't
use it for new applications, he said.

The NRMA said it was crucial the public had confidence in convictions.
Its policy specialist, Lisa McGill, said: We want a full audit and a
review of the system to ensure that it is working appropriately.

The RTA's spokesman, Paul Willoughby, rejected the decision as a
one-off: No one, in relation to court cases, can be a hundred per
cent sure they're going to win a hundred per cent of the time.

NSW's weekly take from the cameras is more than $1 million.

Meanwhile, the RTA denied reports that cameras catching toll evaders
in the Harbour Tunnel are routinely turned off.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]