Re: What good are smartcard readers for PCs
-- James A. Donald Increasingly however, we see smartcard interfaces sold for PCs. What for, I wonder? On 24 Sep 2002 at 1:41, Bill Stewart wrote: I'm not convinced that the number of people selling them is closely related to the number of people buying; this could be another field like PKIs where the marketeers and cool business plans never succeeded at getting customers to use them. On 24 Sep 2002 at 19:12, Peter Gutmann wrote: Companies buy a few readers for their developers who write software to work with the cards. [...] Eventually the clients discover how much of a bitch they are to work with [] users decide to live with software-only crypto until the smart card scene is a bit more mature. Given that n_users n_card_vendors, this situation can keep going for quite some time. I have found that the administrative costs of PKI are intolerable. End users do not really understand crypto, and so will fuck up. Only engineers can really control a PKI certificate, and for the most part they just do not. In principle the thingness of a smartcard should reduce administrative costs to a low level -- they should supposedly act like a purse, a key, a credit card, hence near zero user training required. The simulated thingness created by cryptographic cleverness should be manifested to the user as physical thingness of the card. Suppose, for example, we had working Chaumian digicash. Now imagine how much trouble the average end user is going to get into with backups, and with moving digicash from one computer to another. If all unused Chaumian tokens live in a smartcard, one might expect the problem to vanish. The purselike character of the card sustains the coin like character of Chaumian tokens. Of course if one has to supply the correct driver for the smart card, then the administration problem reappears. USB smartcard interfaces could solve this problem. Just plug them in, and bingo, it should just go. Ummh, wait a moment, go where, do what? What happens when one plugs in a USB smartcard interface? Still, making crypto embodied in smart cards intelligible to the masses would seem to be a soluble problem, even if not yet solved, whereas software only crypto is always going to boggle the masses. --digsig James A. Donald 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG UpBeNFF1UW7r7Fw8pVMxQG+xJ3mwsngHIp62BxL6 4D+u3ZM5e1JbeYAKaQ4dhOQrlZ42vq05cfz83rnCZ -- _ Remember Kids- Somebody tries to kill you, you try and kill'em right back... _ Kevin Elliott mailto:[EMAIL PROTECTED] ICQ#23758827
Re: What good are smartcard readers for PCs
Hey don't forget you can still buy a smart card reader from that most cypherpunkish of babes BRITNEY SPEARS ! Only $30 ! https://www.visiblevisitors.com/mltest/order_form.asp -- _ Remember Kids- Somebody tries to kill you, you try and kill'em right back... _ Kevin Elliott mailto:[EMAIL PROTECTED] ICQ#23758827
Re: What good are smartcard readers for PCs
On Fri, Sep 27, 2002 at 07:27:36PM -0400, Steve Furlong wrote: On Friday 27 September 2002 18:53, Major Variola (ret) wrote: Besides, its computers we have to ban, then the internet problem goes away too, see... No, that won't do it. People could still spread their dissentious ideas by telephone, and photocopy the intellectual property of content providers. We need to ban electricity, then the problem goes away... Yes, what brought down the Soviet Union was not the internet, merely faxes and copy machines. Would it were so simple at the moment. -- Harmon Seaver CyberShamanix http://www.cybershamanix.com
Re: What good are smartcard readers for PCs
At 07:53 PM 09/27/2002 -0500, Harmon Seaver wrote: Forget the pencils and pens, just ban paper. Or perhaps a step in the right direction would be to ban all paper except that made from hemp, thereby solving numerous problems at the stroke of a (gasp) pen. You don't need to do that - just require that all the possible copyright-infringement media, such as paper and cdroms, have a stamp on them as a receipt for the copyright tax. Oh, wait, I suppose that's been done before
Re: What good are smartcard readers for PCs
At 02:39 PM 9/27/02 -0500, Lisa wrote: I didn't suggest that they should be banned. I simply stated that this was one consumer usage of the smart card reader. Take a stress pill, Dave (and pass one this way). B.L. was clearly being sarcastic/rhetorical and no one following the thread would think you were doing anything other than commenting, as you say. Besides, its computers we have to ban, then the internet problem goes away too, see... On Thu, 26 Sep 2002, Ben Laurie wrote: Lisa wrote: They are also actively used to modify DirecTV Dish Network access cards to steal service. Damn. We'd better ban them then. I've heard this Interweb thingy is used to steal content - should we ban that, too?
Re: What good are smartcard readers for PCs
On Friday 27 September 2002 18:53, Major Variola (ret) wrote: Besides, its computers we have to ban, then the internet problem goes away too, see... No, that won't do it. People could still spread their dissentious ideas by telephone, and photocopy the intellectual property of content providers. We need to ban electricity, then the problem goes away... -- Steve FurlongComputer Condottiere Have GNU, Will Travel Vote Idiotarian --- it's easier than thinking
Re: What good are smartcard readers for PCs
On Fri, 27 Sep 2002, Steve Furlong wrote: No, that won't do it. People could still spread their dissentious ideas by telephone, and photocopy the intellectual property of content providers. We need to ban electricity, then the problem goes away... But then wouldn't all those lecherous pirates just copy works by hand or, *gasp*, transcribe them with typewriters? And musicians(and labels) can be deprived of their well-deserved income with nothing more than a musical instrument! I mean, yeah, sure, banning unlicensed pencils, pens, paper, typewriters, or musical instruments good first step, but the copyright problem will not be solved until we can close the optical hole. We must not allow unlicensed, non-copy-protecting optical sensors(like eyes) if we're to maintain the solvency of the Content Economy. And if the content economy becomes unsolvent, the economic devastation would be unparalleled! The damage to the american economy at large would be horrific. Clearly, only a terrorist would want to possess unlicensed eyes. -adam
Re: What good are smartcard readers for PCs
On Fri, Sep 27, 2002 at 05:22:23PM -0700, Adam Stenseth wrote: On Fri, 27 Sep 2002, Steve Furlong wrote: No, that won't do it. People could still spread their dissentious ideas by telephone, and photocopy the intellectual property of content providers. We need to ban electricity, then the problem goes away... But then wouldn't all those lecherous pirates just copy works by hand or, *gasp*, transcribe them with typewriters? And musicians(and labels) can be deprived of their well-deserved income with nothing more than a musical instrument! I mean, yeah, sure, banning unlicensed pencils, pens, paper, typewriters, or musical instruments good first step, but the copyright problem will not be solved until we can close the optical hole. We must not allow unlicensed, non-copy-protecting optical sensors(like eyes) if we're to maintain the solvency of the Content Economy. And if the content economy becomes unsolvent, the economic devastation would be unparalleled! The damage to the american economy at large would be horrific. Clearly, only a terrorist would want to possess unlicensed eyes. -adam Forget the pencils and pens, just ban paper. Or perhaps a step in the right direction would be to ban all paper except that made from hemp, thereby solving numerous problems at the stroke of a (gasp) pen. -- Harmon Seaver CyberShamanix http://www.cybershamanix.com
Re: What good are smartcard readers for PCs
At most, it'll contain a name+password for HTTP basic-auth (and to identify users to the site so they can be connected with the info they supplied at purchase time). You've spent too long in the crypto world. Having poked around in the FAQ (I can't believe I'm wasting my time on this), it could be one of three things: 1. Dumb memory card. 2. As (1) but with basic PIN-protected memory region (unlikely, since the user isn't asked to enter a PIN and unique PINs means they can't hardcode it into the access software). 3. Eurochip-type challenge-response card. In other words, a phone card. Also not too likely, since you can't do this via basic-auth. The FAQ handwaves the details, so it could be either 1 or 3. Can someone who has one of these things try reading the ATR off it? (You can also see, from the large number of FAQ entries covering potential problems and all the warnings about things to look out for when you use the card/reader, how not-ready-for-prime-time smart cards still are). Peter.
Re: What good are smartcard readers for PCs
-- Neil Johnson wrote: Hey don't forget you can still buy a smart card reader from that most cypherpunkish of babes BRITNEY SPEARS ! Only $30 ! https://www.visiblevisitors.com/mltest/order_form.asp James A. Donald: A previous poster suggested that the smart card industry had usuability problems. If these guys are selling to that market, they must have solved those problems -- or believe that they have. Peter Gutmann wrote: All they're doing is reading a URL off a USB dongle (technically a 256-byte I2C memory card plugged into a reader, but in effect the combination is a USB dongle). That's a no-brainer, I can do that with two wires taped to the card contacts and poked into the PC's parallel port, and around 50 bytes of code on the PC. If all they were doing is reading the URL, presumably you can already get to the site without owning the smartcard. I believe the card cryptographically proves its presence to the site to show that the user is authorized to hit the site. --digsig James A. Donald 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG pTZSolt9/2ZzWLDufFApvlnFJTl7qJ+k/1P6N4E5 4+/ztYC9AfVoSBhBwjbH0ljx00WVl9cpQ4D/Kw7Ze
Re: What good are smartcard readers for PCs
James A. Donald [EMAIL PROTECTED] writes: Peter Gutmann wrote: All they're doing is reading a URL off a USB dongle (technically a 256-byte I2C memory card plugged into a reader, but in effect the combination is a USB dongle). That's a no-brainer, I can do that with two wires taped to the card contacts and poked into the PC's parallel port, and around 50 bytes of code on the PC. If all they were doing is reading the URL, presumably you can already get to the site without owning the smartcard. Yup, but that wouldn't be Cool(tm) any more. I believe the card cryptographically proves its presence to the site to show that the user is authorized to hit the site. That would be a considerable feat for a 256-byte dumb memory card. At most, it'll contain a name+password for HTTP basic-auth (and to identify users to the site so they can be connected with the info they supplied at purchase time). You've spent too long in the crypto world. Peter.
Re: What good are smartcard readers for PCs
James A. Donald [EMAIL PROTECTED] writes: On 25 Sep 2002 at 18:36, Neil Johnson wrote: Hey don't forget you can still buy a smart card reader from that most cypherpunkish of babes BRITNEY SPEARS ! Only $30 ! https://www.visiblevisitors.com/mltest/order_form.asp A previous poster suggested that the smart card industry had usuability problems. If these guys are selling to that market, they must have solved those problems -- or believe that they have. All they're doing is reading a URL off a USB dongle (technically a 256-byte I2C memory card plugged into a reader, but in effect the combination is a USB dongle). That's a no-brainer, I can do that with two wires taped to the card contacts and poked into the PC's parallel port, and around 50 bytes of code on the PC. Getting a general-purpose crypto smart card working usefully, now that's a challenge. Peter.
Re: What good are smartcard readers for PCs
I wrote: The FAQ handwaves the details, so it could be either 1 or 3. Can someone who has one of these things try reading the ATR off it? He Who has No Shame [0] reports that it's a GemClub memory card, which is reasonably similar to the old SLE4428-style cards: 256 bytes of memory, some of it PIN-protected. Available commands are read, write, and verify PIN. Given the info in the FAQ, it would appear that the PIN is fixed/hardcoded into the driver, since there's no indication that users are asked for it, and it mentions that if someone else finds your card, they get access (or they may just use the non-protected storage in the card). I'm guessing this was a marketing decision, expecting x-teen-year-old kids (whatever the target market for these things is) to remember and enter PINs, not to mention the UI issues involved in obtaining the things, would make it unworkable, while reading off a URL and password and poking it into a browser is something which is a lot safer to deploy. Access control is by an XML version of basic-auth. In other words, it's (effectively) a dumb memory card with (effectively) HTTP basic-auth. It does however use the T=0 serial protocol and not I2C, which is a bit trickier to read with wires poked in the parallel port :-). Peter. [0] He actually bought it under his own name, without pretending it was for his nieces or something.
Re: What good are smartcard readers for PCs
I didn't suggest that they should be banned. I simply stated that this was one consumer usage of the smart card reader. On Thu, 26 Sep 2002, Ben Laurie wrote: Lisa wrote: They are also actively used to modify DirecTV Dish Network access cards to steal service. Damn. We'd better ban them then. I've heard this Interweb thingy is used to steal content - should we ban that, too?
Re: What good are smartcard readers for PCs
-- On 25 Sep 2002 at 18:36, Neil Johnson wrote: Hey don't forget you can still buy a smart card reader from that most cypherpunkish of babes BRITNEY SPEARS ! Only $30 ! https://www.visiblevisitors.com/mltest/order_form.asp A previous poster suggested that the smart card industry had usuability problems. If these guys are selling to that market, they must have solved those problems -- or believe that they have. On 24 Sep 2002 at 19:12, Peter Gutmann wrote: Eventually the clients discover how much of a bitch they are to work with [] users decide to live with software-only crypto until the smart card scene is a bit more mature. Smartflash is supposed to be plug and play, no installation, no configuration. You just plug it into a usb port, poke your card into the reader and a browser window pops up, and takes you to the web page for that smartcard. If any software is needed, then it is in the form of activeX component, which means that the only installation interface is Do you trust this software from so-and-so? When Chaumian money comes into wide use, I think that for most end users we will have to stash all unused tokens inside smartcards. However, because of the critical mass problem, initial deployment for small payments cannot rely on such means, though initial deployment for large payments could. Unfortunately, deployment of uncrippled chaumian cash for large payments is likely to be illegal in most jurisdictions. --digsig James A. Donald 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG zA52k2I/yOV3JjdMnqwOFMq4Io7yMmdhp7IVzbUE 48lR0zT5ZoHjtDYfcW0+xmlo00w3DS04U9nsJblFq
Re: What good are smartcard readers for PCs
Lisa wrote: They are also actively used to modify DirecTV Dish Network access cards to steal service. Damn. We'd better ban them then. I've heard this Interweb thingy is used to steal content - should we ban that, too? -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit. - Robert Woodruff
Re: What good are smartcard readers for PCs
Hey don't forget you can still buy a smart card reader from that most cypherpunkish of babes BRITNEY SPEARS ! Only $30 ! https://www.visiblevisitors.com/mltest/order_form.asp
Re: What good are smartcard readers for PCs
At 01:41 AM 9/24/02 -0700, Bill Stewart wrote: They're also used for non-cellular phone minutes - Ladatel in Mexico is a big user, and I've worked with some British Telecom folks whose business cards are also 1-pound telephone smartcards. Good lord, they only weigh mere grams here in the states :-)
Re: What good are smartcard readers for PCs
At 04:34 PM 09/23/2002 -0700, James A. Donald wrote: The biggest application of smart cards that I know of are anonymous phone minutes. They're also used for non-cellular phone minutes - Ladatel in Mexico is a big user, and I've worked with some British Telecom folks whose business cards are also 1-pound telephone smartcards. Supposedly Japan was a heavy user of the things for cheap vending machine payments. Another big usage is European satellite decoder keys; the low cost of smartcards is important because the codes keep getting cracked by commercial pirates. Increasingly however, we see smartcard interfaces sold for PCs. What for, I wonder? Obviously end users are buying this stuff. What are they buying smartcard readers for? I'm not convinced that the number of people selling them is closely related to the number of people buying; this could be another field like PKIs where the marketeers and cool business plans never succeeded at getting customers to use them. Mondex, as far as I know, sank with very little trace. At least here in San Francisco, Mondex tried very very hard to find all the ways that smartcard payment systems could be user-friendly and not implement them. They didn't just shoot themselves in the foot, they went out looking for more feet to shoot at. A Starbucks two blocks from my office accepted Mondex as payments for coffee, which would seem to be ideal, especially since there was a Wells Fargo Bank branch two blocks from them with a big Mondex sign on the door. But you couldn't just walk into the bank, slap down some dead presidents, get your card, and go buy coffee. You walked up to the unmanned Mondex desk, which had paper forms and a phone that called some office that had somebody who would tell you how to fill out the forms and snail-mail them in to people along with your bank account information who would then snail-mail you your card, though once you'd done so I gather you could refill it easily. I don't remember if you had to have a Wells Fargo bank account to do it, or could get by with a Visa card instead - I think the former. I took my dead presidents down to a non-Starbucks for some regular joe.
Re: What good are smartcard readers for PCs
James A. Donald [EMAIL PROTECTED] writes: Increasingly however, we see smartcard interfaces sold for PCs. What for, I wonder? Companies buy a few readers for their developers who write software to work with the cards. They may even roll out a few in pilots, and put out a stack of press releases and print brochures advertising how hip they are for using smart cards. Eventually the clients discover how much of a bitch they are to work with (installation problems/buggy drivers/incompatibilities/not having your card when you need it/etc, not helped by the fact that smart card vendor after- sales support is the most client-hostile of any PC hardware type I know of) that users decide to live with software-only crypto until the smart card scene is a bit more mature. Given that n_users n_card_vendors, this situation can keep going for quite some time. Peter.
Re: What good are smartcard readers for PCs
On Tue, Sep 24, 2002 at 07:12:47PM +1200, Peter Gutmann wrote: James A. Donald [EMAIL PROTECTED] writes: Increasingly however, we see smartcard interfaces sold for PCs. What for, I wonder? A previous company I worked for made a secure smart-card reader chip/system that used smart cards to carry a user's private key and cert. The initial application was the SET electronic payment protocol. (all together now: yuck!) SET didn't take off, and not many of these were sold. Amex hyped up their 'blue' card was giving out free readers for a while... until they discovered that the drivers were fatally broken (ha ha, it was done by a competitor of the company above, their product was shite). That, plus the fact that Amex couldn't get more than a few merchants to go along with it, doomed the project. They stopped giving out free smartcard readers pretty quickly. The company I work for now uses smart-cards in a K-of-N split key scheme to authenticate administrators of secure proxy servers. These are actually selling to real live customers and work just fine. Niche markets like these are the only place where smart card use will be growing in the near term, unless Larry Ellison and Scott you have no privacy McNealy get their fat government contracts for implementing the single signon surveilance state... Eric
Re: What good are smartcard readers for PCs
-- James A. Donald Increasingly however, we see smartcard interfaces sold for PCs. What for, I wonder? On 24 Sep 2002 at 1:41, Bill Stewart wrote: I'm not convinced that the number of people selling them is closely related to the number of people buying; this could be another field like PKIs where the marketeers and cool business plans never succeeded at getting customers to use them. On 24 Sep 2002 at 19:12, Peter Gutmann wrote: Companies buy a few readers for their developers who write software to work with the cards. [...] Eventually the clients discover how much of a bitch they are to work with [] users decide to live with software-only crypto until the smart card scene is a bit more mature. Given that n_users n_card_vendors, this situation can keep going for quite some time. I have found that the administrative costs of PKI are intolerable. End users do not really understand crypto, and so will fuck up. Only engineers can really control a PKI certificate, and for the most part they just do not. In principle the thingness of a smartcard should reduce administrative costs to a low level -- they should supposedly act like a purse, a key, a credit card, hence near zero user training required. The simulated thingness created by cryptographic cleverness should be manifested to the user as physical thingness of the card. Suppose, for example, we had working Chaumian digicash. Now imagine how much trouble the average end user is going to get into with backups, and with moving digicash from one computer to another. If all unused Chaumian tokens live in a smartcard, one might expect the problem to vanish. The purselike character of the card sustains the coin like character of Chaumian tokens. Of course if one has to supply the correct driver for the smart card, then the administration problem reappears. USB smartcard interfaces could solve this problem. Just plug them in, and bingo, it should just go. Ummh, wait a moment, go where, do what? What happens when one plugs in a USB smartcard interface? Still, making crypto embodied in smart cards intelligible to the masses would seem to be a soluble problem, even if not yet solved, whereas software only crypto is always going to boggle the masses. --digsig James A. Donald 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG UpBeNFF1UW7r7Fw8pVMxQG+xJ3mwsngHIp62BxL6 4D+u3ZM5e1JbeYAKaQ4dhOQrlZ42vq05cfz83rnCZ