Cash, Credit -- or Prints?
http://online.wsj.com/article_print/0,,SB109744462285841431,00.html

The Wall Street Journal, October 11, 2004, Page B1

Cash, Credit -- or Prints?
Fingerprints May Replace Money, Passwords and Keys; One Downside: Gummi Fakes

By WILLIAM M. BULKELEY, Staff Reporter of THE WALL STREET JOURNAL

Fingerprints aren't just for criminals anymore. Increasingly, they are for customers.

Fingerprint identification is being used to speed up checkouts at Piggly Wiggly supermarkets in South Carolina, and to open storage lockers at the Statue of Liberty. Fingerprints are also being used as password substitutes in cellphones and laptop computers, and in place of combinations to open up safes.

But these aren't the fingerprints of yore, in which the person placed his hand on an ink pad, then on paper. Instead, the user sets his hand on a computerized device topped with a plate of glass, and an optical reader and special software and chips identify the ridges and valleys of the fingertips.

Fingerprint technology seems to be reaching critical mass and is spreading faster than other widely promoted biometric identification methods, such as eyeball scanning, handprint-geometry reading and facial recognition. Interest in these and other new security systems was heightened by the September 2001 terror attacks. "Fingerprints will be dominant for the foreseeable future," says Don McKeon, the product manager for biometric security at International Business Machines Corp.

One reason fingerprint-security is spreading is that technological advances are bringing the cost down. Microsoft Corp. recently introduced a stand-alone fingerprint reader for $54, and a keyboard and a mouse with fingerprint readers. Last week, IBM said it would start selling laptop computers with fingerprint readers built in. These products reduce the need for personal-computer users to remember passwords.

Earlier this year, American Power Conversion Corp., a Rhode Island company that makes backup computer batteries, started selling a fingerprint reader for PCs with a street price of $45 -- less than half the price of competitors at the time. American Power says it has sold tens of thousands of the devices since.

Korea's LG Electronics Inc. has introduced a cellphone with a silicon chip at its base that requires the owner's finger to be swiped across its surface before the phone can be used. This summer, NTT DoCoMo Inc. started selling a similar phone reader that is being used on Japanese trains as an electronic wallet to pay fares or to activate withdrawals from on-board cash machines.

Proponents have never had trouble explaining the benefits of fingerprints as payment-and-password alternatives: Each person has a unique set, and their use is established in the legal system as an authoritative means of identification. But some people are uneasy about registering their fingerprints because of the association with criminality and the potential that such a universal identifier linked to all personal information would reduce privacy.

Moreover, numerous businesses and governments have tested fingerprint systems in the past only to rip them out when the hype failed to match reality. That's partly because the optical readers have had problems with certain people's fingers. Elderly people with dry skin, children who pressed down too hard, even women with smaller fingers -- including many Asians -- were often rejected as unreadable. Security experts also have successfully fooled some systems by making plaster molds of fingers and then creating fake fingers by filling the molds with Silly-Putty-type plasticizers or gelatin similar to that used in candy Gummi Bears. But advocates say the rate of false rejections of legitimate users has been greatly reduced by improved software.

"I'd say 99% of people can register their fingers," says Brad Hill, who installed fingerprint-controlled lockers at his souvenir store at the Statue of Liberty this summer when the National Park Service forbade tourists from entering the statue while carrying packages. Mr. Hill was worried that tourists would lose locker keys when security screeners forced them to empty their pockets.

Some makers of readers also say their technology can solve the fake-finger problem by taking readings from below the surface skin layer. Or they suggest combining four-digit ID codes with fingerprint scanning to virtually eliminate false readings.

Makers of fingerprint readers acknowledge the privacy concerns. But they maintain that the threat of personal invasion is minimized because most systems don't store the actual print, but instead use it to generate a unique series of numbers that can't be reverse-engineered to re-create the print. And public willingness to submit to fingerprint readers has soared since the 2001 terrorist attacks, as the need for security overcomes worries about
Congress Close to Establishing Rules for Driver's Licenses
http://nytimes.com/2004/10/11/politics/11identity.html?pagewanted=printposition=

The New York Times, October 11, 2004

Congress Close to Establishing Rules for Driver's Licenses
By MATTHEW L. WALD

WASHINGTON, Oct. 10 - Following a recommendation of the Sept. 11 commission, the House and Senate are moving toward setting rules for the states that would standardize the documentation required to obtain a driver's license, and the data the license would have to contain.

Critics say the plan would create a national identification card. But advocates say it would make it harder for terrorists to operate, as well as reduce the highway death toll by helping states identify applicants whose licenses had been revoked in other states.

The Senate version of the intelligence bill includes an amendment, passed by unanimous consent on Oct. 1, that would let the secretary of homeland security decide what documents a state would have to require before issuing a driver's license, and would also specify the data that the license would have to include for it to meet federal standards. The secretary could require the license to include fingerprints or eye prints.

The provision would allow the Homeland Security Department to require use of the license, or an equivalent card issued by motor vehicle bureaus to nondrivers for identification purposes, for access to planes, trains and other modes of transportation. The bill does not give the department the authority to force the states to meet the federal standards, but it would create enormous pressure on them to do so. After a transition period, the department could decide to accept only licenses issued under the rules as identification at airports.

The House's version of the intelligence bill, passed Friday, would require the states to keep all driver's license information in a linked database, for quick access. It also calls for an integrated network of screening points that includes the nation's border security system, transportation system and critical infrastructure facilities that the secretary determines need to be protected against terrorist attack.

The two versions will go to a House-Senate conference committee.

Some civil liberties advocates say they are horrified by the proposal. "I think it means we're going to end up with a police state, essentially, by allowing the secretary of homeland security to designate the sensitive areas and allowing this integrating screening system," said Marv Johnson, the legislative counsel for the American Civil Liberties Union. If the requirement to show the identification card can be applied to any mode of transportation, he said, that could eventually include subways or highways, and the result would be to require you to have some national ID card, essentially, in order to go from point A to point B.

James C. Plummer Jr., a policy analyst at Consumer Alert, a nonprofit organization based here, said, "You're looking at a system of internal passports, basically."

But a Senate aide who was involved in drafting the bipartisan language of the amendment said that in choosing where to establish a checkpoint, the provision does not give the secretary of homeland security any new authority. The aide, who asked not to be identified because of his involvement in drafting the measure, said it would not create a national identification card but would standardize a form of identification routinely issued by states.

Representative Candice S. Miller, the Michigan Republican who drafted the license section of the House measure, said, "I don't think this is anything that should cause anyone concern."

Of the 50 states, 48 are members of interstate compacts that exchange information on moving violations, so that a driver from, say, Maryland, who picks up a speeding ticket in Florida will accumulate points in his home state. But Michigan and Wisconsin are not members of a compact. Ms. Miller said one purpose of the provision she wrote was to fix that problem.

A spokesman for the American Association of Motor Vehicle Administrations, which represents the state officials who issue driver's licenses, said linking the databases and strengthening control over who could get a license was long overdue. "The American public should be outraged to know that departments of motor vehicles nationwide lack the capability to do the jobs we've asked them to do," said the spokesman, Jason King.

In both houses, the legislation is geared to respond to numerous recommendations made by the Sept. 11 commission. For years before the terrorist attacks of Sept. 11, 2001, law enforcement officials, especially those concerned with identity theft, argued that the states should have more rigorous standards for issuing driver's licenses. But the commission pointed out that fraud in identification documents is no longer just a problem of theft.

--
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
Airline ID requirement faces legal challenge
http://www.usatoday.com/tech/news/surveillance/2004-10-10-privacy_x.htm

USA Today

Airline ID requirement faces legal challenge
By Richard Willing, USA TODAY

At a time when Americans have come to expect tight security for air travel, it might seem to be an odd question: Does requiring airline passengers to show identification before they board domestic flights amount to an unreasonable search under the Constitution?

Yes, says John Gilmore, a computer whiz who made a fortune as an early employee of Sun Microsystems. His challenge of the federal ID requirement, which soon could get a hearing before a U.S. appeals court in San Francisco, is one of the latest court battles to test the balance between security concerns and civil liberties.

At issue is Gilmore's claim that checking the IDs of passengers on domestic flights violates his right to travel throughout the USA anonymously, without the government monitoring him. Lawyers involved in the case say it apparently is the first such challenge to the federal rules that require airline passengers to provide identification.

In a similar case, two peace activists are suing the U.S. government to determine how their names came to be placed on a federal no-fly list. Rebecca Gordon and Janet Adams were not allowed to board a San Francisco to Boston flight in August 2002 after they were told that their names were on a secret FBI list of potential security threats, their court filing says.

"I believe I have a right to travel in my own country without presenting what amounts to an internal passport," Gilmore, 49, said in an interview. "I have a right to be anonymous, (to not) be tracked by my government for no good reason."

Gilmore said he has no problem with security checks that focus on passengers' luggage. He says he also does not object to having to present a passport to board flights to other countries.

Some privacy groups say Gilmore has a point. But others who support the ID requirement have cast the San Francisco resident as being out of touch with the realities of air travel since the Sept. 11 attacks.

Kent Scheidegger, counsel for the Criminal Justice Legal Foundation, a conservative group in Sacramento, says the ID requirement is good policy and eminently constitutional. "The Fourth Amendment forbids not searches that you don't like, it forbids unreasonable searches," he says. "Nothing could be more reasonable at this time than to know who you're flying with."

The Justice Department is fighting Gilmore's claim. Acting on the department's motion, a U.S. district court judge in San Francisco dismissed the suit last March. Gilmore has appealed; a hearing before the 9th Circuit Court of Appeals is likely to be scheduled after briefs are filed next month.

In court papers, the Justice Department has not defended the ID policy, or even acknowledged it exists. It has said national security law requires that this aspect of the case be argued in a courtroom closed to the public, including Gilmore. The appeals court denied the government's secrecy request Sept. 20, and the government has asked the court to reconsider.

Rules on the Transportation Security Administration's Web site say passengers 18 and older need one form of government-issued photo identification or two forms of non-photo identification to board domestic flights.

Airlines adopted such a policy on their own after terrorists bombed an international flight over Lockerbie, Scotland, in December 1988. The bomb that killed all 270 passengers on the jet was said to have been placed in a passenger's luggage by a terrorist who got into a restricted area. The airlines say checking IDs against luggage and passenger information is a way to deny terrorists access to flights.

The TSA, formed two years ago in the wake of the Sept. 11 attacks, checks IDs to verify passenger identities and to check them against watch lists of known or suspected terrorists.

Gilmore's suit says the requirement amounts to an unreasonable search, a burden on the right to travel and a form of self-incrimination because it singles out anonymous travelers for searching. Gilmore said the ID requirement does little to ensure security. "Ordinary citizens may show correct identification, but do we really think that someone who is willing to commit a terrorist act won't also be willing to present false identification?"

Gilmore's suit was filed in 2002, after he was denied seats on two flights at the airport in Oakland. It was his first domestic flight since the 9/11 attacks. Before then, Gilmore said, he was permitted to board flights after presenting a Federal Aviation Administration document that said showing IDs was optional.

In 1982, Gilmore, a computer programmer, was the first person hired by the founders of what became Sun Microsystems. He retired eight years ago with what his
Tor 0.0.9pre3 is out (fwd from [EMAIL PROTECTED])
--- begin forwarded text

Date: Thu, 14 Oct 2004 12:45:03 +0200
From: Eugen Leitl [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Tor 0.0.9pre3 is out (fwd from [EMAIL PROTECTED])
User-Agent: Mutt/1.4i
Sender: [EMAIL PROTECTED]

From: Roger Dingledine [EMAIL PROTECTED]
Subject: Tor 0.0.9pre3 is out
To: [EMAIL PROTECTED]
Date: Thu, 14 Oct 2004 06:36:18 -0400
Reply-To: [EMAIL PROTECTED]

Along with the bugfixes from 0.0.8.1, plus more bugfixes, this release makes the dirservers file obsolete (finally) in favor of config option lines to specify the location and fingerprint of each dirserver you want to trust. We also now support the use of an http proxy for fetching directories.

tarball: http://freehaven.net/tor/dist/tor-0.0.9pre3.tar.gz
signature: http://freehaven.net/tor/dist/tor-0.0.9pre3.tar.gz.asc
(use -dPr tor-0_0_9pre3 if you want to check out from cvs)

  o Bugfixes on 0.0.8.1:
    - Better torrc example lines for dirbindaddress and orbindaddress.
    - Improved bounds checking on parsed ints (e.g. config options and the ones we find in directories.)
    - Better handling of size_t vs int, so we're more robust on 64 bit platforms.
    - Fix the rest of the bug where a newly started OR would appear as unverified even after we've added his fingerprint and hupped the dirserver.
    - Fix a bug from 0.0.7: when read() failed on a stream, we would close it without sending back an end. So 'connection refused' would simply be ignored and the user would get no response.

  o Bugfixes on 0.0.9pre2:
    - Serving the cached-on-disk directory to people is bad. We now provide no directory until we've fetched a fresh one.
    - Workaround for bug on windows where cached-directories get crlf corruption.
    - Make get_default_conf_file() work on older windows too.
    - If we write a *:* exit policy line in the descriptor, don't write any more exit policy lines.

  o Features:
    - Use only 0.0.9pre1 and later servers for resolve cells.
    - Make the dirservers file obsolete.
      - Include a dir-signing-key token in directories to tell the parsing entity which key is being used to sign.
      - Remove the built-in bulky default dirservers string.
      - New config option Dirserver %s:%d [fingerprint], which can be repeated as many times as needed. If no dirservers specified, default to moria1,moria2,tor26.
      - Make moria2 advertise a dirport of 80, so people behind firewalls will be able to get a directory.
    - Http proxy support
      - Dirservers translate requests for http://%s:%d/x to /x
      - You can specify HttpProxy %s[:%d] and all dir fetches will be routed through this host.
      - Clients ask for /tor/x rather than /x for new enough dirservers. This way we can one day coexist peacefully with apache.
      - Clients specify a Host: %s%d http header, to be compatible with more proxies, and so running squid on an exit node can work.

--
Eugen* Leitl http://leitl.org
ICBM: 48.07078, 11.61144 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
http://moleculardevices.org http://nanomachines.net

--- end forwarded text

--
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
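As an added example (not code from the Tor project, and not Tor's real directory or key format), the Python below models the three mechanisms the Features section of the announcement describes: parsing repeated "Dirserver host:port fingerprint" torrc lines into a trust set, building the directory request in direct and HttpProxy form (plus the dirserver-side translation of "http://host:port/x" back to "/x"), and refusing a fetched directory whose dir-signing-key does not match the fingerprint configured for the dirserver it came from. The .example hostnames, the key bytes, the SHA-1 stand-in for the key fingerprint, the treatment of the fingerprint as required, and the one-line "dir-signing-key <base64>" layout are all constructed for this example; real Tor carries a PEM-encoded RSA key and a signature over the directory that must also be verified after the key-identity check shown here.

```python
import base64
import hashlib
import re

# Added example, not Tor code. Key format, fingerprint derivation and the
# directory layout are constructed stand-ins for the mechanisms described
# in the 0.0.9pre3 announcement.

FINGERPRINT_RE = re.compile(r"[0-9A-F]{40}")


def key_fingerprint(key_bytes):
    """Stand-in fingerprint: SHA-1 of the key bytes, upper-case hex.
    Tor prints it in groups of four; we compare it with spaces removed."""
    return hashlib.sha1(key_bytes).hexdigest().upper()


def parse_dirservers(torrc_text):
    """Collect 'Dirserver host:port fingerprint' lines into {(host, port): fp}.
    A malformed line raises instead of silently widening the trust set."""
    trusted = {}
    for raw in torrc_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if parts[0].lower() != "dirserver":
            continue  # some other torrc option (e.g. HttpProxy)
        if len(parts) != 3:
            raise ValueError("Dirserver needs host:port and a fingerprint: %r" % raw)
        host, sep, port = parts[1].rpartition(":")
        fp = parts[2].replace(" ", "").upper()
        if not sep or not host or not port.isdigit() or not FINGERPRINT_RE.fullmatch(fp):
            raise ValueError("malformed Dirserver line: %r" % raw)
        trusted[(host, int(port))] = fp
    return trusted


def build_dir_request(host, port, path, http_proxy=None):
    """Client side. Direct: 'GET /tor/<path>'. Via HttpProxy the request line
    carries the absolute URL so the proxy knows the origin. Both forms send
    Host: so intermediaries such as squid on an exit node accept them."""
    if not path.startswith("/"):
        path = "/" + path
    target = "/tor" + path
    if http_proxy is not None:
        request_line = "GET http://%s:%d%s HTTP/1.0" % (host, port, target)
    else:
        request_line = "GET %s HTTP/1.0" % target
    return request_line + "\r\nHost: %s:%d\r\n\r\n" % (host, port)


def normalize_request_target(request_line):
    """Dirserver side: turn 'http://host:port/x' into '/x' so proxied and
    direct requests reach the same handler."""
    parts = request_line.split()
    if len(parts) != 3:
        raise ValueError("bad request line: %r" % request_line)
    m = re.fullmatch(r"http://[^/]+(/.*)", parts[1])
    return m.group(1) if m else parts[1]


def make_directory(key_bytes, routers):
    """Constructed directory layout for this example (not Tor's real format)."""
    lines = ["signed-directory",
             "dir-signing-key " + base64.b64encode(key_bytes).decode("ascii")]
    lines += ["router " + r for r in routers]
    return "\n".join(lines) + "\n"


def verify_directory(directory_text, fetched_from, trusted):
    """Accept a directory only if the key named by dir-signing-key matches the
    fingerprint configured for the dirserver we fetched it from. Returns
    (ok, reason). In real Tor the RSA signature check follows this step."""
    expected = trusted.get(fetched_from)
    if expected is None:
        return False, "no Dirserver line configured for %s:%d" % fetched_from
    m = re.search(r"^dir-signing-key (\S+)$", directory_text, re.M)
    if m is None:
        return False, "directory carries no dir-signing-key token"
    try:
        key_bytes = base64.b64decode(m.group(1), validate=True)
    except ValueError:
        return False, "dir-signing-key is not valid base64"
    actual = key_fingerprint(key_bytes)
    if actual != expected:
        return False, "signing key %s does not match configured %s" % (actual, expected)
    return True, "signing key matches configured fingerprint"


# Constructed sample data: two dirservers and a torrc fragment trusting them.
MORIA_KEY = b"constructed dir-signing key for moria1.example"
TOR26_KEY = b"constructed dir-signing key for tor26.example"
SAMPLE_TORRC = """\
# constructed torrc fragment
HttpProxy proxy.example:3128
Dirserver moria1.example:9031 %s
Dirserver tor26.example:80 %s
""" % (key_fingerprint(MORIA_KEY), key_fingerprint(TOR26_KEY))
TRUSTED = parse_dirservers(SAMPLE_TORRC)

if __name__ == "__main__":
    print(build_dir_request("moria1.example", 9031, "/", http_proxy="proxy.example:3128"))
    print(verify_directory(make_directory(MORIA_KEY, ["alpha"]), ("moria1.example", 9031), TRUSTED))
    # A key we trust for tor26 is still the wrong key for a directory fetched from moria1.
    print(verify_directory(make_directory(TOR26_KEY, []), ("moria1.example", 9031), TRUSTED))
```

The point of keying the check on the (host, port) the directory was fetched from, rather than on "any configured fingerprint", is that a compromised or impersonated dirserver cannot pass off a directory signed by a different trusted key as its own; the same structure carries over to any fetch-then-verify design where the trust anchor is bound to a specific source.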
[ISN] 2-Fingerprint Border ID System Called Inadequate
--- begin forwarded text

Date: Tue, 19 Oct 2004 21:40:22 -0500 (CDT)
From: InfoSec News [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [ISN] 2-Fingerprint Border ID System Called Inadequate
Reply-To: [EMAIL PROTECTED]
List-Id: InfoSec News isn.attrition.org
List-Archive: http://www.attrition.org/pipermail/isn
List-Post: mailto:[EMAIL PROTECTED]
List-Help: mailto:[EMAIL PROTECTED]
List-Subscribe: http://www.attrition.org/mailman/listinfo/isn, mailto:[EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]

http://www.washingtonpost.com/wp-dyn/articles/A43276-2004Oct18.html

By Robert O'Harrow Jr. and Scott Higham
Washington Post Staff Writers
October 19, 2004

Terrorists who alter their fingerprints have about an even chance of slipping past U.S. border watch-list checks because the government is using a two-fingerprint system instead of one that relies on all 10 prints, a lawmaker said in a letter he made public yesterday to Homeland Security Secretary Tom Ridge.

Rep. Jim Turner (D-Tex.) wrote that a study by researchers at Stanford University concluded the two-finger system is no more than 53 percent effective in matching fingerprints with poor image quality against the government's biometric terrorist watch-list. Turner said the system falls far short of keeping the country secure.

"It's going to be a coin toss as to whether we can identify terrorists," Turner, the ranking member of the House Select Committee on Homeland Security, said in an interview yesterday. "It's a 50-50 chance, and that's not good enough."

Turner's Oct. 15 letter comes as government officials supervising the burgeoning border security system, known as US-VISIT, have been touting their use of fingerprints for identifying people crossing the border and checking them against watch lists of suspected terrorists. The US-VISIT program aims to create a virtual border using computer networks, databases, fingerprints and other biometric identifiers. The program requires foreign visitors to register their names before traveling to the United States and have their fingerprints checked when they arrive and depart. Officials estimate the system could cost up to $10 billion and take a decade to build.

The border security program is relying on technology first developed for a program at the former Immigration and Naturalization Service called IDENT. Government officials have known for years that IDENT did not work well with the identification system used by the Justice Department, a 10-fingerprint system called the Integrated Automated Fingerprint Identification System. That system is known for producing good results, even with poor-quality fingerprint images, Turner's letter said.

But homeland security officials have told Congress they decided to use the IDENT system for the first phase of US-VISIT as a way to quickly improve security at the borders, and move to a 10-fingerprint system later. "It was a logistical issue we had to deal with," said Robert A. Mocny, deputy director of US-VISIT. "It will get better. . . . It's a matter of what we can do right now."

Turner's letter said the Department of Homeland Security ignored numerous warnings from the government's top biometric scientists that the two-fingerprint system could not accurately perform watch list searches and the ten-fingerprint system was far preferable. The letter quotes Stanford researcher Lawrence M. Wein, who said his study found that at best, with a software fix, the two-finger system would properly identify only about three of four people. Two weeks ago, Wein told the Homeland Security Committee that "the implications of our findings are disturbing."

Turner accused homeland security officials of failing to be more forthcoming about the limitations of their approach. Turner asked Ridge to direct homeland security officials to preserve all documents and electronic communications relating to their decision on fingerprints.

"I understand your desire to deploy biometric screening at our borders as quickly as possible," Turner said in his letter. "But more than three years after the 9/11 attacks, we have invested more than $700 million in an entry-exit system that cannot reliably do what the Department so often said it would: Use a biometric watch-list to keep known terrorists out of the country."

A spokesman for the Republican-controlled Homeland Security Committee, Ken Johnson, said the release of Turner's letter was driven by election-year politics. Johnson acknowledged that there are some concerns with the current system, but he said US-VISIT continues to evolve. "In a perfect world, where money is not an issue, and people wouldn't mind spending countless hours or days at the border, the 10-fingerprint system would be preferable. But that's not reality," Johnson said. "They're playing politics with some very sensitive issues."

Open Source Vulnerability Database (OSVDB) Everything is Vulnerable - http://www.osvdb.org/

--- end forwarded
[ISN] Worldwide Phishing Attacks May Stem from Few Sources
--- begin forwarded text

Date: Wed, 20 Oct 2004 01:41:32 -0500 (CDT)
From: InfoSec News [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [ISN] Worldwide Phishing Attacks May Stem from Few Sources
Reply-To: [EMAIL PROTECTED]
List-Id: InfoSec News isn.attrition.org
List-Archive: http://www.attrition.org/pipermail/isn
List-Post: mailto:[EMAIL PROTECTED]
List-Help: mailto:[EMAIL PROTECTED]
List-Subscribe: http://www.attrition.org/mailman/listinfo/isn, mailto:[EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]

http://www.eweek.com/article2/0,1759,1679953,00.asp

By Dennis Fisher
October 19, 2004

Research from an e-mail security provider suggests that a handful of people are responsible for the vast majority of the phishing attacks on the Internet and the perpetrators are using a rotating series of zombie networks to launch them.

Researchers at CipherTrust Inc. analyzed more than four million e-mails collected from the company's customers during the first two weeks of October and found that nearly a third of all of the zombie machines sending the phishing messages are based in the United States. That's twice as many as the 16 percent that are found in South Korea.

However, these findings do not mean that these attacks are originating from inside these countries. The global nature of the Internet allows attackers anywhere in the world to compromise machines in any location. In fact, many experts believe that the majority of phishers are in some way connected to organized crime groups in Russia or Eastern Europe and that most such attacks begin there.

The most surprising conclusion of the research is that the attackers sending out the phishing messages are using zombie networks of only about 1,000 PCs. "That's a pretty small bot network for the volume of stuff that these guys are doing," said Dmitri Alperovitch, the research engineer at Atlanta-based CipherTrust Inc. who conducted the study. "But the trick is that they rotate to a different set of compromised machines each day. They don't keep going to the same ones each time."

Crackers for years have been accumulating large networks of machines compromised with small programs that give them the ability to control the PCs remotely. They routinely sell or trade access to the networks to others in the cracker underground and the PCs typically are used either for launching DDoS (distributed denial of service) attacks. But as authorities began cracking down on spammers in recent years, the spammers have begun relying on these networks to send out their messages, too. Now, phishers have gotten into the game.

Alperovitch said that there are fewer than five operators in control of the zombie networks that he identified in his research. And, even though they're generating thousands of fraudulent e-mails every day, their output was still a tiny fraction -- less than one percent -- of the four million messages CipherTrust examined.

Phishers seem to be concentrating their efforts on a few high-profile targets, as well. In the sample CipherTrust looked at, 54 percent of the phishing messages used CitiGroup's Citibank name to entice recipients. Another 13 percent use Citigroup Global Markets Inc.'s Smith Barney's brand and eBay Inc. is the victim in about four percent of the scams.

--- end forwarded text
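The rotation and concentration findings in the article above are the kind of thing that falls out of a straightforward aggregation over a mail corpus. As an added example (not CipherTrust's code, data or methodology), the Python below takes a handful of constructed phishing-message records (day, sending IP, country the IP was geolocated to, brand the message spoofed; the IPs are RFC 5737 documentation addresses and the countries are made up) and computes the day-over-day overlap of the sending set, the size of the distinct-zombie pool against the per-day footprint, and the country and brand shares. Low consecutive-day overlap combined with a pool much larger than the daily footprint is what "rotating to a different set of compromised machines each day" looks like in the numbers.

```python
from collections import Counter, defaultdict

# Added example, not CipherTrust's code or data. Records are constructed:
# (day, sender_ip, geolocated country, brand the message spoofed). The IPs
# are RFC 5737 documentation ranges and the countries are invented.
SAMPLE_RECORDS = [
    ("2004-10-01", "198.51.100.10", "US", "Citibank"),
    ("2004-10-01", "198.51.100.11", "US", "Citibank"),
    ("2004-10-01", "203.0.113.5",   "KR", "Smith Barney"),
    ("2004-10-01", "192.0.2.77",    "DE", "eBay"),
    ("2004-10-02", "198.51.100.20", "US", "Citibank"),
    ("2004-10-02", "198.51.100.21", "US", "Citibank"),
    ("2004-10-02", "203.0.113.6",   "KR", "Citibank"),
    ("2004-10-02", "192.0.2.78",    "BR", "Smith Barney"),
    ("2004-10-03", "198.51.100.20", "US", "Citibank"),
    ("2004-10-03", "198.51.100.30", "US", "eBay"),
    ("2004-10-03", "203.0.113.5",   "KR", "Citibank"),
    ("2004-10-03", "192.0.2.79",    "CN", "Citibank"),
]

COUNTRY = 2  # column index in a record
BRAND = 3


def senders_by_day(records):
    """Set of sending IPs active on each day."""
    days = defaultdict(set)
    for day, ip, _country, _brand in records:
        days[day].add(ip)
    return dict(days)


def day_over_day_overlap(records):
    """Jaccard overlap of consecutive days' sender sets. Values near 0 mean
    the operator moved to a fresh slice of the botnet; near 1 means reuse."""
    days = senders_by_day(records)
    ordered = sorted(days)
    result = []
    for a, b in zip(ordered, ordered[1:]):
        inter = len(days[a] & days[b])
        union = len(days[a] | days[b])
        result.append((a, b, inter / union if union else 0.0))
    return result


def pool_estimate(records):
    """(distinct zombies seen over the whole window, mean active per day).
    A pool much larger than the daily footprint, with low overlap, is the
    rotation signature the article describes."""
    days = senders_by_day(records)
    if not days:
        return 0, 0.0
    pool = set().union(*days.values())
    return len(pool), sum(len(s) for s in days.values()) / len(days)


def share(records, column):
    """Fraction of messages per value of the given column (COUNTRY or BRAND)."""
    counts = Counter(r[column] for r in records)
    total = len(records)
    return {value: n / total for value, n in counts.items()}


def top(shares, k=3):
    """Largest shares first, ties broken by name, for reporting."""
    return sorted(shares.items(), key=lambda kv: (-kv[1], kv[0]))[:k]


if __name__ == "__main__":
    for a, b, j in day_over_day_overlap(SAMPLE_RECORDS):
        print("%s -> %s: sender overlap %.2f" % (a, b, j))
    pool, per_day = pool_estimate(SAMPLE_RECORDS)
    print("distinct zombies %d, active per day %.1f" % (pool, per_day))
    print("by country:", top(share(SAMPLE_RECORDS, COUNTRY)))
    print("by brand:", top(share(SAMPLE_RECORDS, BRAND)))
```

On real data the same three measures are what separate "a few operators cycling through one pool" from "many independent senders": the per-day set is small, the overlap between adjacent days is near zero, and the union over the window is bounded by the pool size rather than growing without limit.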
Are new passports [an] identity-theft risk?
http://worldnetdaily.com/news/printer-friendly.asp?ARTICLE_ID=41030

WorldNetDaily, Thursday, October 21, 2004

YOUR PAPERS, PLEASE
Are new passports identity-theft risk?
Privacy advocates warn data chips can be 'seen' by anyone with reader

Posted: October 21, 2004 5:00 p.m. Eastern

While the U.S. State Department prepares to switch over to passports that include embedded data chips, privacy experts worry the new technology will open Americans to identity theft and fraud.

New passports will be fitted with chips using RFID, or radio frequency identification, technology. Reader devices at borders and customs checkpoints will be able to read the information stored on the chip, including the person's name, address and digital photo.

Kelly Shannon is a spokesperson for the State Department. She told Wired News: "The reason we are doing this is that it simply makes passports more secure. It's yet another layer beyond the security features we currently use to ensure the bearer is the person who was issued the passport originally."

RFID technology has been used for tracking everything from store inventory to family members visiting an amusement park. It is also used in the Digital Angel human implant that recently was approved by the FDA for storing medical information.

Wired reports civil libertarians and some technologists say the passport chips are actually a boon to identity thieves, stalkers and commercial data collectors, since anyone with the proper reader can download a person's biographical information and photo from several feet away.

"Even if they wanted to store this info in a chip, why have a chip that can be read remotely?" Barry Steinhardt, who directs the American Civil Liberty Union's Technology and Liberty program, asked Wired. "Why not require the passport be brought in contact with a reader so that the passport holder would know it had been captured?" Americans in the know will be wrapping their passports in aluminum foil.

Last week, the government contracted with four companies to develop the chips and readers for the program. The report stated diplomats and State Department employees will be issued the new passports as early as January, while others applying for new passports will receive the new version starting in the spring.

Electronic Frontier Foundation attorney Lee Tien told Wired RFID chips in passports are a "privacy horror" and would be even if the data were encrypted, which it isn't. "If 180 countries have access to the technology for reading this thing, whether or not it is encrypted, from a security standpoint, that is a very leaky system," Tien said. "Strictly from a technology standpoint, any reader system, even with security, that was so widely deployed and accessible to so many people worldwide will be subject to some very interesting compromises."

An engineer and RFID expert with Intel claims there is little danger of unauthorized people reading the new passports. Roy Want told the newssite: "It is actually quite hard to read RFID at a distance," saying a person's keys, bag and body interfere with the radio waves.
Patriot Act redux?
http://news.com.com/2102-1071_3-5414087.html?tag=st.util.print Patriot Act redux? By Declan McCullagh http://news.com.com/Patriot+Act+redux/2010-1071_3-5414087.html Story last modified October 18, 2004, 4:00 AM PDT With Election Day fast approaching, it was only a matter of time before the usual congressional shenanigans that typically punctuate the political season. This time, politicians appear to have seized on what could be called the Patriot Act strategy, drafting antiterrorism legislation in secret and then ramming it through the Senate and House of Representatives with minimal debate. Then it's back to the home districts to boast how they protected voters from the bad guys. The vehicles chosen for this strategy are two bills described as being inspired by the 9/11 Commission's report, a politically potent text that's become a best-selling book. The Senate and House have approved their own versions of the legislation, and negotiators are now meeting privately to decide on the final draft. Early indications are not promising. While portions of the massive legislation are no doubt praiseworthy, other important sections--especially those envisioning stuffing more information into government databases--deserve special scrutiny from privacy hawks. Both the House and Senate bills coerce state governments into creating what critics are calling a national ID card. Because the House version is nearly three times as long, its authors had more room to promote private agendas. One section anticipates storing the lifetime travel history of each foreign national or United States citizen into a database for the convenience of government officials. It mentions passports, but there's nothing that would preclude recording the details of trips that Americans take inside the United States. President Bush would be required to create a secure information sharing network to exchange data among law enforcement, military and spy agencies. 
Aside from a bland assurance that civil liberties will be protected, there are zero details on what databases will be vacuumed in or what oversight will take place.

A second network would be created by the first person to get the new job of national intelligence director. That network must provide immediate access to information in databases of federal law enforcement agencies and the intelligence community that is necessary to identify terrorists.

It hardly needs to be said that snaring terrorists is what our government should be doing. But it's not clear that the House bill is a step in the right direction.

Jim Dempsey, executive director of the Center for Democracy and Technology, hopes that the aides negotiating the final bill end up adopting the Senate language instead. It also would create an information-sharing network--while requiring that Congress receive semiannual reports on how the network is being used.

"There are dozens if not hundreds of government programs under way to do just that (already)," Dempsey warns. "They are fragmented; they are overlapping. They are occurring outside of any framework of oversight."

Still, the Senate bill is no prize. A last-minute amendment added by Sen. John McCain, R-Ariz., would require the Department of Homeland Security to create an integrated screening system inside the United States. McCain envisions erecting physical checkpoints, dubbed "screening points," near subways, airports, bus stations, train stations, federal buildings, telephone companies, Internet hubs and any other critical infrastructure facility deemed vulnerable to terrorist attacks. Secretary Tom Ridge would appear to be authorized to issue new federal IDs--with biometric identifiers--that Americans could be required to show at checkpoints.

Both the House and Senate bills coerce state governments into creating what critics are calling a national ID card.
Under the proposals, federal agencies will accept only licenses and state ID cards that comply with specific to-be-established standards--a requirement that would affect anyone who wants to get a U.S. passport, obtain Social Security benefits, or even wander into a federal courthouse.

That's why Jim Harper, director of information policy studies at the Cato Institute, is no fan of either bill. "They say that if we just put appropriate rules and restrictions in place, everything will be fine," Harper said. "But of course those rules and restrictions will drop away over the years or if there are new terrorist attacks. They say, 'Of course lion-taming is safe. They're our friends.' But then one day the lion grabs you by the neck and drags you off the stage."

A few other courageous Washingtonians have raised similar concerns. Rep. Ron Paul, R-Texas, warned last week that the House bill "will not make America safer (but will definitely) make us less free." And 25 former senior officials from the FBI, CIA and military have sent a letter to Congress indicating that the 9/11 Commission's
Re: Financial identity is *dangerous*? (was re: Fake companies, real money)
At 10:41 PM +0200 10/23/04, Eugen Leitl wrote:
> No, that's going to be the mobile phone.

Certainly getting to be like Chaum's ideal crypto device. You own it, it has its own I/O, and it never leaves your sight.

Cheers,
RAH
RE: Financial identity is *dangerous*? (was re: Fake companies, real money)
At 9:30 AM -0400 10/25/04, Trei, Peter wrote:
> If we're going to insist on dedicated, trusted, physical devices for these bearer bonds, then how is this different than what Chaum proposed over 15 years ago?

I don't think that face to face will be necessary. It just means keeping control of your keys, etc. You can stash bearer-bonds on the net in m-of-n storage, where nobody knows what's what, paid by the bit, etc.

> If you just add a requirement for face to face transactions, then I already have one of these - it's called a wallet containing cash.

Certainly bits are smaller. See above, though.

Cheers,
RAH
E-Vote Vendors Hand Over Software
http://www.wired.com/news/print/0,1294,65490,00.html

Wired News
E-Vote Vendors Hand Over Software
By Kim Zetter
Story location: http://www.wired.com/news/evote/0,2645,65490,00.html
03:00 PM Oct. 26, 2004 PT

In an effort to increase the integrity of next week's presidential election, five voting machine makers agreed for the first time to submit their software to the National Software Reference Library for safekeeping, federal officials said on Tuesday.

The stored software will serve as a comparison tool for election officials should they need to determine whether anyone tampered with programs installed on voting equipment.

The National Software Reference Library is part of an election security initiative launched by the U.S. Election Assistance Commission, a new federal entity that Congress created after the Florida 2000 election problems. The EAC is the first federal entity established to improve the integrity and efficiency of elections.

DeForest Soaries, chairman of the EAC, in June requested software from the largest voting companies, which provide 90 percent of the software to be used in computerized voting machines on Tuesday. The EAC will eventually ask all voting companies, even those that produce counting software for punch card machines, to submit their software.

Soaries called the library a "major step" and praised the vendors for their willingness to increase the transparency of elections.

"Their acceptance of our request to submit their software begins the process that assures the country that we will have (a) higher level of security and therefore confidence in e-voting than we have ever had before," Soaries said in a press conference.

The National Institute of Standards and Technology -- the agency that sets official measurements and defines standards for all kinds of commercial products -- will maintain the voting software library.
NIST already manages a library of other types of software, like the Windows 2000 operating system, to help law enforcement investigate crimes involving computers. Doug White, the library's project leader, said NIST stores applications on CDs in a room that is similar to a criminal investigator's evidence locker, which means the software can be used as evidence in a court.

Counties and states will eventually be able to use the library to verify that they are using a certified version of software. This is good news to Scott Konopasek, the registrar of voters for San Bernardino County in California.

In September, after California certified a new version of software for his county's voting system, the vendor, Sequoia Voting Systems, sent Konopasek the software to load on his machines. But when Konopasek asked the state to verify that the software the vendor gave him was unchanged from the version the state certified, state officials told him they had no means to verify it and that Konopasek would have to trust the vendor.

Vendor trust was precisely the measure of verification the state was using last November when it discovered that Diebold Election Systems had installed uncertified software on machines in 17 California counties without telling the state.

NIST's voting software library was established too late this year to examine software that has already been loaded onto locked voting machines, so election officials won't be able to verify that they have unchanged, certified software before Tuesday's election. But if questions about the veracity of a voting system arise after the election, computer forensic experts will be able to compare the software used on machines with the software in the NIST library to see if the software was altered.

They can do this by comparing hash files, which are digital fingerprints that identify the integrity of software. The hash is a mathematical sum derived from the software code.
If someone changes the software, the mathematical sum changes as well.

"This gives us one more mechanism for assuring voters that their votes have been recorded and reported correctly and haven't been tampered with," Konopasek said. "There's no one single thing that election officials will ever be able to do to convince everyone. But the more we can add to our inventory of audits and controls, the more we can establish confidence of voters -- not just the technically savvy voters, but all voters."

Soaries acknowledged that the library alone can't secure elections and voting systems but can only work in concert with other procedures. And the EAC still has to work out several issues related to the library, such as who will be responsible for checking hashes before an election if county election officials don't have someone knowledgeable on staff to do so.

EAC has to determine how best to handle patches, or last-minute fixes and upgrades to machines. Currently, it will be up to the county and vendor to decide whether to resubmit that software to the library before an election. And the EAC has to establish a policy for dealing with
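The hash comparison the article describes, as an added example that is not from the Wired piece, from NIST or from any voting vendor: vendors' submissions are reduced to SHA-256 digests, and images pulled off machines are checked against those digests, reporting a match, a mismatch, or the unresolved patch case where no reference was ever submitted. The vendor name, product, version labels and the byte strings standing in for firmware images are constructed placeholders.

```python
# Added example (not from the Wired article, NIST or any vendor): a hash-based
# reference library of the kind described above.  Vendor names, version labels
# and the "firmware images" below are constructed for illustration.
import hashlib
import hmac


def fingerprint(image: bytes) -> str:
    """SHA-256 digest of a software image, hex encoded: the 'hash file'."""
    return hashlib.sha256(image).hexdigest()


def build_library(submissions: dict) -> dict:
    """Escrow step: vendors submit {label: image}; the library keeps
    {label: digest}.  label is a constructed (vendor, product, version) tuple."""
    return {label: fingerprint(image) for label, image in submissions.items()}


def verify(library: dict, label: tuple, installed: bytes) -> str:
    """Compare software pulled off a machine against the escrowed digest.
    Returns 'match', 'mismatch', or 'unsubmitted' (no reference exists, e.g.
    a last-minute patch that was never resubmitted to the library)."""
    expected = library.get(label)
    if expected is None:
        return "unsubmitted"
    actual = fingerprint(installed)
    # compare_digest avoids leaking where two digest strings first differ
    return "match" if hmac.compare_digest(expected, actual) else "mismatch"


def audit(library: dict, machines: list) -> list:
    """Run verify over [(machine_id, label, image), ...] and return one
    (machine_id, status, digest) row per machine for the audit record."""
    return [(mid, verify(library, label, image), fingerprint(image))
            for mid, label, image in machines]


# --- constructed sample data -------------------------------------------------
CERTIFIED_41 = bytes(range(256)) * 4 + b"TABULATE v4.1 (constructed image)"
LABEL_41 = ("ExampleVendor", "Tabulator", "4.1")

# One flipped byte in the middle of the image: a different program as far as
# the library is concerned, however small the change.
_tampered = bytearray(CERTIFIED_41)
_tampered[300] ^= 0x01
TAMPERED_41 = bytes(_tampered)

# A hotfix applied after certification and never sent to the library.
PATCH_411 = CERTIFIED_41 + b" hotfix"
LABEL_411 = ("ExampleVendor", "Tabulator", "4.1.1")

LIBRARY = build_library({LABEL_41: CERTIFIED_41})

MACHINES = [
    ("precinct-01", LABEL_41, CERTIFIED_41),   # untouched certified build
    ("precinct-02", LABEL_41, TAMPERED_41),    # altered after certification
    ("precinct-03", LABEL_411, PATCH_411),     # patched, never resubmitted
]


def run_audit() -> list:
    """Statuses for the three constructed machines, in order."""
    return [status for _, status, _ in audit(LIBRARY, MACHINES)]


if __name__ == "__main__":
    for mid, status, digest in audit(LIBRARY, MACHINES):
        print(f"{mid}: {status:11s} sha256={digest[:16]}...")
```

A "match" only proves that the bytes on the machine are identical to the bytes the vendor escrowed; it says nothing about whether that code is correct, which is why the article's sources describe the library as one control among several. The third row shows the patch gap the EAC still has to resolve: an unsubmitted hotfix cannot be verified at all, so it surfaces as "unsubmitted" rather than being silently passed.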
Deadline extended to November 5th - Fourth Annual PKI R&D Workshop
--- begin forwarded text

From: Carl Ellison [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Deadline extended to November 5th - Fourth Annual PKI R&D Workshop
Date: Tue, 26 Oct 2004 21:00:01 -0700
Thread-Index: AcS72W7c3/cyBY4hSTyGnbNT4eKDuQ==
Sender: [EMAIL PROTECTED]

The deadline for paper submissions to the Fourth Annual PKI R&D Workshop: Multiple Paths to Trust has been extended until 5:00 PM Pacific time on Friday November 5th.

http://middleware.internet2.edu/pki05/

This year, the workshop has a particular interest in how emergent trust mechanisms will interact with each other at the technical, policy and user levels.

Clifford Neuman
Program Committee Chair

--- end forwarded text
New 32-bit SIM Chip from STMicroelectronics
The core includes dedicated DES (Data Encryption Standard) instructions for Secret Key cryptography, and a fast Multiply and Accumulate instruction for Public Key (RSA) and Elliptic Curve cryptography, plus a CRC (Cyclic Redundancy Check) instruction. A firmware cryptographic subroutine library is located in a secure ROM area to save designers the need to code first-layer functions.

http://www.tmcnet.com/usubmit/2004/Oct/1087666.htm

Technology Marketing Corporation TMCNet
[October 27, 2004]
New 32-bit SIM Chip from STMicroelectronics Will Benefit Mobile Phone Multimedia Services

GENEVA, Oct. 27 /PRNewswire-FirstCall/ -- STMicroelectronics has announced a new smartcard MCU in its ST22 range -- based on the SmartJ(TM) Java-accelerated RISC architecture -- which integrates 256-kbytes of EEPROM memory with a high performance CPU to support the demands of multimedia applications on the latest mobile phones.

With sales of multimedia-equipped handsets booming, mobile communications operators supporting 3G (Third Generation) and 2.5G mobile phones need (U)SIM cards (Universal Subscriber Identity Modules) that have sufficient memory capacity to store Multimedia Messaging System (MMS) data, video, and photographic images, coupled with the capability to transfer and use this data efficiently to provide advanced phonebooks and audio-visual services. 2.5G is an intermediate level of service that uses an enhanced second-generation technology to provide some of the 3G features over GPRS (General Packet Radio Service).

"The ST22N256 is perfectly in line with the growing demand for secure high-performance chips with high-speed interfaces and a large memory capacity, for use in 2.5 and 3G SIMs," said Reza Kazerounian, General Manager of ST's Smart Card ICs Division. "ST already offers the largest range of secure 32-bit processors for smartcard systems, and will remain at the forefront of smartcard silicon suppliers as 3G takes off."
The SmartJ CPU core at the heart of the ST22 Family -- which the new ST22N256 now combines with 256-kbytes of EEPROM -- is a 32-bit RISC-architecture core developed specifically to provide very fast execution of Java, the programming language commonly used for small applications, or applets, downloaded to mobile phones. The ST22 augments its own highly efficient native RISC instruction set with a hardware decoder that directly converts Java bytecodes into native microcode instructions, thereby eliminating the overhead and lower performance of processors based on Java emulation. The result is not only very fast Java execution but also reduced power consumption.

An essential component of all GSM (Global System for Mobile Communications) mobile phones, the SIM card stores critical subscriber authentication information; private data such as personal phone directories, messages, audio, and images; and the operating system and operator's multimedia environment. With the quantity and size of users' MMS messages increasing, operators will now be able to provide increased storage for subscriber data without impacting user friendliness, due to the exceptional performance of the ST22N256's SmartJ processor, and its communication through a fast Asynchronous Serial Interface (ASI) which enables 440-kbit/s communication speeds with mobile equipment, in line with the fastest deployments of ISO 7816 in the GSM world. Two additional serial I/O ports are also provided.

The Java-accelerated CPU ensures that the ST22N256 not only provides the memory needed for today's multimedia services (M-services), but also the processing power to exploit it. The core, with 24-bit linear memory addressing, is complemented by 368-kbytes of on-chip ROM, 16-kbytes of RAM, and a set of standard peripherals and custom plug-in circuits.
Logical and physical security mechanisms are fully integrated into the silicon, including a hardware Memory Protection Unit for application firewalling and peripheral access control, and a protected Context Stack. The core includes dedicated DES (Data Encryption Standard) instructions for Secret Key cryptography, and a fast Multiply and Accumulate instruction for Public Key (RSA) and Elliptic Curve cryptography, plus a CRC (Cyclic Redundancy Check) instruction. A firmware cryptographic subroutine library is located in a secure ROM area to save designers the need to code first-layer functions.

The ST22 product platform is supported by a comprehensive Integrated Development Environment, which allows coding, compilation, and debugging using a common interface. It provides a code-generation chain that includes a C/C++ compiler, a native and JavaCard assembler and a linker, plus a SmartJ instruction set simulator, C/C++ source level debugger, and hardware emulation tools.

Operating System developers currently working with the 128-kbyte ST22L128 will be able to benefit from the design continuity offered by the ST22N256, as well as its immediate availability and compliance with the fastest
Europe opts for biometric passports
http://news.com.com/2102-1012_3-5429679.html?tag=st.util.print

CNET News
Europe opts for biometric passports
By Lars Pasveer
http://news.com.com/Europe+opts+for+biometric+pasports/2100-1012_3-5429679.html
Story last modified October 27, 2004, 5:56 PM PDT

Ministers for European Union member states agreed on Tuesday to adopt biometric passports.

The first biometric passports are set to arrive in 18 months and initially will record the facial characteristics of the bearer. In three years, European travelers will also have to provide a fingerprint for the passport. The facial and fingerprint data will be stored on an embedded chip, along with a digital copy of the bearer's photo.

The decision, made at a meeting of interior ministers in Luxembourg, is not yet final. Austria, Finland and the Netherlands have voiced minor concerns about the proposal, but they will probably not turn out to be insurmountable obstacles.

The European push for biometrics is heavily influenced by a United States policy change for passports for people from visa waiver countries after the Sept. 11 attacks. U.S. plans to introduce a biometric passport requirement by this fall for these countries were widely seen as unrealistic. However, by Oct. 26 next year, all visitors from these countries will have to provide a machine-readable passport with biometric data.
Re: Financial identity is *dangerous*? (was re: Fake companies, real money)
At 9:29 AM -0700 10/28/04, James A. Donald wrote:
> Is there a phone that is programmable enough to store secrets on and sign and decrypt stuff?

I think we're getting there. We're going to need a, heh, killer app, for it, of course. :-)

Cheers,
RAH
[ISN] Secret Service busts online organized crime ring
--- begin forwarded text

Date: Fri, 29 Oct 2004 03:31:38 -0500 (CDT)
From: InfoSec News [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [ISN] Secret Service busts online organized crime ring
Reply-To: [EMAIL PROTECTED]
List-Id: InfoSec News isn.attrition.org
List-Archive: http://www.attrition.org/pipermail/isn
List-Post: mailto:[EMAIL PROTECTED]
List-Help: mailto:[EMAIL PROTECTED]
List-Subscribe: http://www.attrition.org/mailman/listinfo/isn, mailto:[EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]

http://www.computerworld.com/securitytopics/security/story/0,10801,97017,00.html

By Dan Verton
OCTOBER 28, 2004
COMPUTERWORLD

In what it called an "Information Age undercover investigation," the U.S. Secret Service today announced that it has arrested 28 people from eight U.S. states and six countries allegedly involved in a global organized cybercrime ring. Charges filed against the suspects include identity theft, computer fraud, credit card fraud and conspiracy.

The investigation, code-named Operation Firewall, resulted in what the Secret Service described as a significant disruption of organized criminal activity online that was targeting the financial infrastructure of the U.S. The suspects are alleged to have collectively trafficked in at least 1.7 million stolen credit card numbers. Financial institutions have estimated their losses associated with the suspects targeted by the investigation to be more than $4.3 million.

"Led by the Secret Service Newark Field Office, investigators from nearly 30 domestic and foreign Secret Service offices and their global law enforcement counterparts have prevented potentially hundreds of millions of dollars in loss to the financial and hi-tech communities," Secret Service Director W. Ralph Basham said in a statement. "These suspects targeted the personal and financial information of ordinary citizens, as well as the confidential and proprietary information of companies engaged in e-commerce."
Operation Firewall began in July 2003 and quickly evolved into a transnational investigation of global credit card fraud and online identity theft. The underground criminal groups have been identified as Shadowcrew, Carderplanet and Darkprofits. The organizations operated Web sites used to traffic counterfeit credit cards and false identification information and documents. The groups allegedly used the sites to share information on how to commit fraud and sold the stolen information and the tools needed to commit such crimes.

International law enforcement organizations that took part in the investigation and arrests included the U.K.'s National Hi-Tech Crimes Unit, the Vancouver Police Department's Financial Crimes Section, the Royal Canadian Mounted Police and Europol. Officials in Bulgaria, Belarus, Poland, Sweden, the Netherlands and Ukraine also were involved.

--- end forwarded text
Trio try for better mobile security
http://www.vnunet.com/print/1159101

vnunet.com
Trio try for better mobile security
The Trusted Mobile Platform from Intel, IBM and NTT DoCoMo aims to make mobiles a better bet for secure networking
Daniel Robinson, IT Week 01 Nov 2004

Intel, IBM and mobile communications company NTT DoCoMo last week announced a set of security specifications for mobile client devices. They said the aim is to create a secure architecture for future wireless data services.

The Trusted Mobile Platform specification, available via the link below, defines a set of hardware and software components plus communication protocols that can be used to build devices with various levels of security. It is intended to be an open standard, according to NTT DoCoMo chief executive Takanori Utano.

The specification defines three classes of trusted mobile device (TMD), ranging from handsets with no hardware security features to those that include a trusted platform module (TPM) to handle cryptography functions and hardware-enforced separation between trusted and untrusted applications and their data. It also defines a set of protocols that allow a TMD to communicate with other platforms more securely.

The partnership brings together Intel's expertise in silicon and wireless devices, IBM's experience of business security and NTT DoCoMo's knowledge of security in wireless networks, the companies said. "This collaboration enhances handheld architectures to provide the trusted capabilities vital for widespread adoption of mobile commerce and enterprise usage," said Intel vice-president Sean Maloney.

Chip designer ARM already includes technology called TrustZone in its latest processor cores to provide separation between secure and non-secure code. Although Intel uses ARM technology in its XScale mobile chips, the company has not disclosed whether the Trusted Mobile Platform supports technologies such as TrustZone.
Corporate governance goals impossible - RSA
http://www.theregister.co.uk/2004/11/04/rsa_redux/print.html

The Register
Original URL: http://www.theregister.co.uk/2004/11/04/rsa_redux/

Corporate governance goals impossible - RSA
By John Leyden (john.leyden at theregister.co.uk)
Published Thursday 4th November 2004 16:43 GMT

Companies are struggling to cope with tighter corporate governance regimes, which might even work against the goal of achieving improved IT security they are partly designed to promote. The need to comply with requirements such as data protection, Sarbanes-Oxley, Basel II and other corporate governance reforms is tying up IT managers in red tape, according to a banking security expert.

Recent legislation is having a negative impact on risk management, said Michael Colao, director of Information Management at Dresdner Kleinwort Wasserstein. In some cases, the law has made IT managers legally responsible for adherence to corporate governance rules. Colao says that this may not necessarily be a good thing.

"CIOs are now relying on convoluted processes rather than using sound business judgement based on years of experience. A process is easier to defend in court than personal judgement. This means that in many cases unnecessarily cautious decisions are being taken because the CIO is focusing on their own personal liability, rather than what is best for the business," he said.

Different implementations of the European Data Protection Directive in different countries are creating a headache for multinational firms, according to Colao. "This legislation was brought in as part of the EU common market and was supposed to provide clarity and harmony across Europe. Because each country implements legislation in very different ways, the result is a very fragmented and disjointed approach which causes all sorts of problems, particularly for global organisations," he said.
Colao made his comments at the Axis Action Forum, a meeting of IT directors sponsored by RSA Security, in Barcelona this week. RSA Security said differences in European legislation highlighted by Colao were a real problem for its clients. Tim Pickard, strategic marketing director at RSA Security EMEA, said: "The nature of implementation of EU directives in member states means that it is almost impossible for today's global CIO to be fully compliant and is therefore likely to be breaking the law in at least one member state."

Business managers becoming fed up with FUD

In a separate study, more than a third of the 30 delegates to the Axis Action Forum admitted that their Board had never asked for an update on security or implications of security breaches. The finding suggests widespread boardroom indifference to security issues despite the high profile security has been given in the media and by numerous industry initiatives. Firms only take security seriously in the aftermath of attacks, according to one delegate.

Part of the reason could be that business managers are becoming inured to alarmist security pitches. Simon Linsley, head of consultancy and development, Philips said: "For years we have had to go to the Board with messages that create the Fear of God. We can no longer rely on these doom and gloom messages - we have to go to the Board with solutions that add value to the business."

The Axis Action Forum was attended by more than 30 CIOs, IT directors and heads of security from a range of medium to large businesses.
© Copyright 2004
When A Pencil And Paper Makes Sense
http://www.forbes.com/2004/11/05/cx_ah_1105tentech_print.html

Forbes
Ten O'Clock Tech
When A Pencil And Paper Makes Sense
Arik Hesseldahl, 11.05.04, 10:00 AM ET

Thank goodness, it's over. Sometime around 4:30 A.M. Wednesday I went to bed, not the least bit uncertain that George W. Bush had been re-elected. But the one thing during this election cycle about which I have been uncertain is electronic voting.

Florida in 2000 was a mess, and in reaction, some states and counties have turned to newfangled electronic voting machines, thinking that computer technology is the answer to a voting system that has started to creak under pressure.

It seems that despite much worry about a repeat of Florida in other states, voting has gone pretty smoothly. Electronic voting methods are getting high marks. Of the 27,500 voting problems reported to the Verified Voting Project, a San Francisco-based group that monitored the election for voting problems, less than 6% of the issues reported stemmed from electronic voting machines.

Election officials in states like Nevada, Georgia and Hawaii gave electronic voting systems a try. There were some problems: a memory card on an electronic voting machine in Florida failed; five machines in Reno, Nev., malfunctioned, causing lines to back up.

Overall voter turnout was high. The Committee for the Study of the American Electorate, a nonprofit, nonpartisan outfit based in Washington, D.C., estimated that 120.2 million people, or 59.6% of those eligible to vote, cast ballots in this election, which would be an improvement of 5% and 15 million people, compared with the 2000 elections, and would make 2004's turnout the highest since 1968.

Still, that's not as high as voter participation in my home state of Oregon, where 1.7 million people, or nearly 82% of those eligible, voted. In Oregon, voters cast their votes from home rather than going to a polling place. They submit their ballots by mail.
The state abolished polling places in 1998 and has been voting entirely by mail ever since. Voters get their ballots roughly two weeks before election day. This year some were delayed because of an unexpectedly high number of voter registrations. Ballots must be received by county elections offices by 8 P.M. on the day of the election. Drop boxes are located throughout the state, as well.

Voting should indeed take time and effort. It's undoubtedly important. But I like Oregon's common-sense approach. Voting from the comfort of your own home eliminates the inherent disincentive that comes from having to stand on a long line, for example.

It's pretty simple. Oregon voters fill out their ballots using a pencil, just like those standardized tests everyone took in high school. If they want to write in a candidate, the ballot allows for that, too.

I thought of this as I stood for about 45 minutes in a long, cold line at 6:30 A.M. to vote in my neighborhood in New York's Upper East Side. Throughout the day I heard reports from around the country of people who had to stand in line for as long as eight hours so they could vote, and I wondered how many others just threw up their hands in frustration because they had someplace else to be.

The mail-in ballot also gives the voter a little time to consider his or her choice. Too often, voters will enter a voting booth knowing a few of the people they intend to vote for, but read about some ballot initiative or amendment for the first time. Rather than having to make a snap decision in the voting booth, having a ballot handy at home can give voters time to educate themselves and make a more informed decision.

Sometimes, the best solution isn't a computer at all, but a good old-fashioned pencil and paper.
RE: Your source code, for sale
At 10:18 AM -0800 11/5/04, Hal Finney wrote:
> Yes, I'm looking at ideas like this for ecash gambling, but you have a who-goes-first problem.

Whenever we talk about financial applications, where the assets represented by one bearer certificate are exchanged for those represented by another, what's really happening is a redeem-reissue process anyway. Since it's the underwriters' reputations you're trusting anyway, we've always assumed that there would be communication between the underwriters in order to execute, clear, and settle the trade all at once.

For streaming stuff, we figured that since we were streaming cash for streaming bits, like movies, or content of some kind, you'd just do tit for tat, one stream (cash, probably signed probabilistically tested coins in the last iteration that we called Nicko-mint :-)) against another, the movie, song, etc being streamed. There's the missing last 5 minutes problem, but I think that, in recursive auction-settled cash market for digital goods like this (Eric Hughes' institutional 'pirate' scheme, the 'silk road' stuff, whatever), that there will always be another source to buy what's left from, once the intellectual property issues solve themselves because of the auction process.

For things that aren't useful except in their entirety, like code, or executables, (or storing money :-)), I've always been a fan of the Mojo/BitTorrent stuff, where you hash the file into bits, ala m-of-n Shamir secret splitting, and store/buy them from lots of places at once.

Cheers,
RAH
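The m-of-n Shamir splitting RAH mentions, as an added example that is not part of the post nor code from Mojo Nation or BitTorrent: a file is cut into 15-byte chunks, each chunk is split into n shares over the prime field GF(2^127 - 1), and any m shares rebuild it (the prime, chunk size and sample data are choices made here).

```python
"""Added example (not from the post): m-of-n Shamir secret splitting of a
byte string, the scheme RAH refers to for storing a file's pieces with many
parties. Any m of the n shares reconstruct the data; fewer reveal nothing.

Arithmetic is over the prime field GF(2**127 - 1), so data is processed in
15-byte chunks; prime, chunk size and sample data are assumptions made here.
"""
import secrets

P = (1 << 127) - 1          # Mersenne prime; every 15-byte value is < P
CHUNK = 15


def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial with coefficients in GF(P)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_chunk(value, m, n, rng=secrets.randbelow):
    """Split one field element into n shares, any m of which recover it.

    The secret is the constant term of a random degree m-1 polynomial;
    share k is the point (k, poly(k)).
    """
    if not 1 <= m <= n < P:
        raise ValueError("need 1 <= m <= n")
    coeffs = [value] + [rng(P) for _ in range(m - 1)]   # a0 = secret
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_chunk(shares):
    """Lagrange interpolation at x = 0 from m (or more) distinct shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def split_file(data: bytes, m, n):
    """Split bytes into n share files; share k holds (x, [y per chunk])."""
    length = len(data)
    padded = data + b"\0" * (-length % CHUNK)
    chunks = [int.from_bytes(padded[i:i + CHUNK], "big")
              for i in range(0, len(padded), CHUNK)]
    per_share = [[] for _ in range(n)]
    for value in chunks:
        for k, (_, y) in enumerate(split_chunk(value, m, n)):
            per_share[k].append(y)
    # The length travels in the clear so padding can be removed on recovery.
    return length, [(k + 1, ys) for k, ys in enumerate(per_share)]


def recover_file(length, shares):
    """Rebuild the bytes from any m or more share files."""
    out = bytearray()
    for chunk_ys in zip(*(share_ys for _, share_ys in shares)):
        value = recover_chunk(list(zip((x for x, _ in shares), chunk_ys)))
        if value >> (8 * CHUNK):
            # A correct reconstruction always fits in CHUNK bytes; anything
            # larger means fewer than m shares were supplied or one is bad.
            raise ValueError("reconstruction failed: too few or bad shares")
        out += value.to_bytes(CHUNK, "big")
    return bytes(out[:length])


if __name__ == "__main__":
    # Constructed sample: a 3-of-5 split, recovered from three of the shares.
    length, shares = split_file(b"a small executable, not useful in part", 3, 5)
    print(recover_file(length, [shares[4], shares[1], shares[2]]))
```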
Machine Error Gives Bush Extra Ohio Votes
http://apnews.myway.com/article/20041105/D865R1DO0.html

Machine Error Gives Bush Extra Ohio Votes
Nov 5, 11:56 AM (ET)

COLUMBUS, Ohio (AP) - An error with an electronic voting system gave President Bush 3,893 extra votes in suburban Columbus, elections officials said.

Franklin County's unofficial results had Bush receiving 4,258 votes to Democrat John Kerry's 260 votes in a precinct in Gahanna. Records show only 638 voters cast ballots in that precinct. Bush actually received 365 votes in the precinct, Matthew Damschroder, director of the Franklin County Board of Elections, told The Columbus Dispatch.

State and county election officials did not immediately respond to requests by The Associated Press for more details about the voting system and its vendor, and whether the error, if repeated elsewhere in Ohio, could have affected the outcome.

Bush won the state by more than 136,000 votes, according to unofficial results, and Kerry conceded the election on Wednesday after acknowledging that 155,000 provisional ballots yet to be counted in Ohio would not change the result.

The Secretary of State's Office said Friday it could not revise Bush's total until the county reported the error.

The Ohio glitch is among a handful of computer troubles that have emerged since Tuesday's elections. In one North Carolina county, more than 4,500 votes were lost because officials mistakenly believed a computer that stored ballots electronically could hold more data than it did. And in San Francisco, a malfunction with custom voting software could delay efforts to declare the winners of four races for county supervisor.

In the Ohio precinct in question, the votes are recorded onto a cartridge. On one of the three machines at that precinct, a malfunction occurred in the recording process, Damschroder said. He could not explain how the malfunction occurred.

[Photo caption: (AP) Voters waited up to three hours to cast ballots after one of two voting machines failed to work at...]

Damschroder said people who had seen poll results on the election board's Web site called to point out the discrepancy. The error would have been discovered when the official count for the election is performed later this month, he said.

The reader also recorded zero votes in a county commissioner race on the machine. Workers checked the cartridge against memory banks in the voting machine and each showed that 115 people voted for Bush on that machine. With the other machines, the total for Bush in the precinct added up to 365 votes.

Meanwhile, in San Francisco, a glitch occurred with software designed for the city's new ranked-choice voting, in which voters list their top three choices for municipal offices. If no candidate gets a majority of first-place votes outright, voters' second and third-place preferences are then distributed among candidates who weren't eliminated in the first round.

When the San Francisco Department of Elections tried a test run on Wednesday of the program that does the redistribution, some of the votes didn't get counted and skewed the results, director John Arntz said.

All the information is there, Arntz said. It's just not arriving the way it was supposed to.

A technician from the Omaha, Neb. company that designed the software, Election Systems Software Inc., was working to diagnose and fix the problem.
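The redistribution step described for San Francisco, as an added example that is neither the city's nor the vendor's code: a ranked-choice tally over constructed ballots of up to three choices, with an explicit count of exhausted ballots so that a round in which votes "didn't get counted" is detected rather than silently skewing the result (candidate names and ballots are invented).

```python
"""Added example (not from the article): the redistribution step of
ranked-choice voting where each voter lists up to three choices.

The failure the article reports is that some votes "didn't get counted"
during redistribution. The tally below keeps an explicit count of
exhausted ballots so that after every round

    active votes + exhausted ballots == ballots cast

and stops if that identity fails; a tabulator that cannot satisfy it has
dropped votes. Candidates and ballots are constructed for illustration.
"""
from collections import Counter


def count_round(ballots, eliminated):
    """Count each ballot for its highest-ranked candidate not yet eliminated.

    Returns (votes, exhausted): a Counter over continuing candidates and the
    number of ballots with no remaining valid choice.
    """
    votes, exhausted = Counter(), 0
    for ranking in ballots:
        for choice in ranking:
            if choice not in eliminated:
                votes[choice] += 1
                break
        else:
            exhausted += 1
    return votes, exhausted


def instant_runoff(ballots, candidates):
    """Run rounds until a candidate holds a majority of continuing votes.

    Each round is recorded so the count can be audited. The candidate with
    the fewest votes is eliminated and those ballots move to their next
    listed choice. Ties for last place are broken by name only to keep this
    example deterministic; real jurisdictions define their own rule.
    """
    eliminated, rounds = set(), []
    while True:
        votes, exhausted = count_round(ballots, eliminated)
        # Every ballot is either active for someone or exhausted. If not,
        # the tabulator has lost votes, which is the article's symptom.
        if sum(votes.values()) + exhausted != len(ballots):
            raise RuntimeError("ballots lost during redistribution")
        continuing = sum(votes.values())
        rounds.append({"votes": dict(votes), "exhausted": exhausted})
        leader, top = max(votes.items(), key=lambda kv: (kv[1], kv[0]))
        if top * 2 > continuing or len(votes) == 1:
            return leader, rounds
        remaining = [c for c in candidates if c not in eliminated]
        loser = min(remaining, key=lambda c: (votes[c], c))
        eliminated.add(loser)


# Constructed ballots: rankings of up to three choices among four candidates.
CANDIDATES = ["Alvarez", "Brown", "Chen", "Diaz"]
BALLOTS = (
    [("Alvarez", "Chen", "Brown")] * 40
    + [("Brown", "Chen")] * 35
    + [("Chen", "Brown", "Alvarez")] * 15
    + [("Diaz",)] * 10          # single choice: exhausted once Diaz is out
)

if __name__ == "__main__":
    winner, rounds = instant_runoff(BALLOTS, CANDIDATES)
    for i, r in enumerate(rounds, 1):
        print(f"round {i}: {r['votes']} exhausted={r['exhausted']}")
    print("winner:", winner)
```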
Broward machines count backward
http://www.palmbeachpost.com/politics/content/news/epaper/2004/11/05/a29a_BROWVOTE_1105.html

Palm Beach Post
Broward machines count backward
By Eliot Kleinberg
Palm Beach Post Staff Writer
Friday, November 05, 2004

FORT LAUDERDALE - It had to happen. Things were just going too smoothly.

Early Thursday, as Broward County elections officials wrapped up after a long day of canvassing votes, something unusual caught their eye. Tallies should go up as more votes are counted. That's simple math. But in some races, the numbers had gone . . . down.

Officials found the software used in Broward can handle only 32,000 votes per precinct. After that, the system starts counting backward.

Why a voting system would be designed to count backward was a mystery to Broward County Mayor Ilene Lieberman. She was on the phone late Wednesday with Omaha-based Elections Systems and Software.

Bad numbers showed up only in running tallies through the day, not the final one. Final tallies were reached by cross-checking machine totals, and officials are confident they are accurate.

The glitch affected only the 97,434 absentee ballots, Broward Elections Supervisor Brenda Snipes said. All were placed in their own precincts and optical scanners totaled votes, which were then fed to a main computer. That's where the counting problems surfaced. They affected only votes for constitutional amendments 4 through 8, because they were on the only page that was exactly the same on all county absentee ballots.

The same software is used in Martin and Miami-Dade counties; Palm Beach and St. Lucie counties use different companies.

The problem cropped up in the 2002 election. Lieberman said ESS told her it had sent software upgrades to the Florida Secretary of State's office, but that the office kept rejecting the software. The state said that's not true. Broward elections officials said they had thought the problem was fixed.

Secretary of State spokeswoman Jenny Nash said all counties using this system had been told that such problems would occur if a precinct is set up in a way that would allow votes to get above 32,000. She said Broward should have split the absentee ballots into four separate precincts to avoid that and that a Broward elections employee since has admitted to not doing that.

But Lieberman said later, No election employee has come to the canvassing board and made the statements that Jenny Nash said occurred.

Late Thursday, ESS issued a statement reiterating that it learned of the problems in 2002 and said the software upgrades would be submitted to Hood's office next year. The company was working with the counties it serves to make sure ballots don't exceed capacity and said no other counties reported similar problems.

While the county bears the ultimate responsibility for programming the ballot and structuring the precincts, we . . . regret any confusion the discrepancy in early vote totals has caused, the statement said.

After several calls to the company during the day were not returned, an ESS spokeswoman said late Thursday she did not know whether ESS contacted the secretary of state two years ago or whether the software is designed to count backward.

While the problem surfaced two years ago, it was under a different Broward elections supervisor and a different secretary of state. Snipes said she had not known about the 2002 snafu.

Later, Lieberman said, I am not passing judgments and I'm not pointing a finger. But she said that if ESS is found to be at fault, actions might include penalizing ESS or even defaulting on its contract.
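The "counting backward" behaviour as an added example (not the vendor's code): the article only says the software handles 32,000 votes per precinct and then counts backward, and the usual cause of that symptom, assumed here, is a tally held in a signed 16-bit integer that wraps past 32,767; the block shows the wrap on constructed batch sizes, the monotonicity check that would flag it during canvassing, and a checked accumulator that refuses to exceed the format's capacity.

```python
"""Added example (not from the article): how a running tally stored in a
signed 16-bit integer "counts backward" once it passes 32,767, and two
defensive checks a canvass could apply to running totals.

The 16-bit signed counter is an assumption: the article states only that the
software "can handle only 32,000 votes per precinct" and then counts
backward. Batch sizes below are constructed; the 97,434 total is the
article's figure for Broward's absentee ballots.
"""


def add_int16(total: int, votes: int) -> int:
    """Add `votes` to `total` with the wraparound of a signed 16-bit field.

    Emulates two's-complement storage: the sum is reduced mod 2**16 and
    reinterpreted, so 32768 becomes -32768 and the total appears to drop.
    """
    raw = (total + votes) & 0xFFFF
    return raw - 0x10000 if raw >= 0x8000 else raw


def running_tally_int16(batches):
    """Running totals a 16-bit accumulator would report after each batch."""
    totals, total = [], 0
    for n in batches:
        total = add_int16(total, n)
        totals.append(total)
    return totals


def running_tally_checked(batches, capacity=32767):
    """Same accumulation with unbounded ints and an explicit capacity check.

    Raises instead of silently wrapping when a precinct exceeds what the
    tabulation format can represent; the state's advice in the article was
    to split the absentee ballots into several precincts.
    """
    totals, total = [], 0
    for n in batches:
        if n < 0:
            raise ValueError("batch counts cannot be negative")
        total += n
        if total > capacity:
            raise OverflowError(
                f"precinct total {total} exceeds capacity {capacity}; "
                "split the precinct before tabulating"
            )
        totals.append(total)
    return totals


def non_monotonic_steps(totals):
    """Indices where a running total went down: the article's 'simple math'.

    Tallies should only rise as more ballots are counted, so any decrease
    indicates overflow, a bad read or a bad merge and should halt the count.
    """
    return [i for i in range(1, len(totals)) if totals[i] < totals[i - 1]]


# Constructed sample: absentee ballots fed to the central tabulator in
# batches of 10,000, totalling the article's 97,434.
BATCHES = [10_000] * 9 + [7_434]

if __name__ == "__main__":
    wrapped = running_tally_int16(BATCHES)
    print("16-bit running totals:", wrapped)
    print("total went down at steps:", non_monotonic_steps(wrapped))
    try:
        running_tally_checked(BATCHES)
    except OverflowError as exc:
        print("checked accumulator refused:", exc)
    # Splitting the same ballots across four precincts keeps each under cap.
    per_precinct = [BATCHES[i::4] for i in range(4)]
    print([running_tally_checked(p)[-1] for p in per_precinct])
```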
A Man of Many Words, David Shulman Dies at 91
During World War II, he cracked Japanese secret codes for the Army, then returned to puzzles. He was a founder of the American Cryptogram Association, and in 1976 published An Annotated Bibliography of Cryptography, still used by experts. He was a champion scrabble player, and wrote a scholarly article about the game's lexicography.

Cheers,
RAH
--

http://www.nytimes.com/2004/11/07/nyregion/07shulman.html?pagewanted=printposition=

The New York Times
November 7, 2004
A Man of Many Words, David Shulman Dies at 91
BY DOUGLAS MARTIN

David Shulman, a self-described Sherlock Holmes of Americanisms who dug through obscure, often crumbling publications to hunt down the first use of thousands of words, died on Oct. 30 at Victory Memorial Hospital in Brooklyn. He was 91 and lived in Brooklyn. His friend David Kahn announced the death.

Jesse Sheidlower, editor at large of the Oxford English Dictionary, said Mr. Shulman contributed uncountable early usages to the 20-volume lexicon. All very good stuff, Mr. Sheidlower said. What David did was read through the sort of things most people don't read, he added, mentioning yellowing editions of The National Police Gazette.

Mr. Sheidlower said only a few contributors were more prolific and fewer still possessed Mr. Shulman's knack for sending usable material. His name appeared in the front matter to O.E.D.'s epochal second edition, each of the Addition Series volumes, and is currently on the Web.

Mr. Shulman avoided excessive modesty, letting it drop that he was at least temporarily the last word on words that included The Great White Way, Big Apple, doozy, hoochie-coochie.

Gerald Cohen, professor of foreign languages at the University of Missouri, Rolla, said Mr. Shulman did indeed contribute to the understanding of all these words and many more. He said Mr. Shulman's most pioneering effort concerned the term hot dog. He found the word was college slang before it was a sausage, paving the way for deeper investigation.

A book on hot dog's glossarial provenance will appear this year under the names of Mr. Shulman, Mr. Cohen and Barry Popick.

Dr. Cohen said Mr. Shulman obliterated a big impediment to finding the origins of the word jazz by proving it was on a 1919 record, not the 1909 version of the same disk. (Other scholars traced first use of the term to the baseball columns of Scoop Gleeson in the San Francisco Bulletin in 1913.)

Mr. Cohen said that Mr. Shulman was first to challenge that shyster derived from a lawyer named Scheuster. Others, particularly Roger Mohovich, then traced the etymology to 1843-1844. Shyster turned out to be a Yiddish corruption of a German vulgarism meaning a crooked lawyer.

Mr. Shulman considered the New York Public Library on Fifth Avenue his real home. He commuted by subway to its rare books room, to which he donated valuable volumes.

David Shulman was the one reader I could count on seeing at the library every day, Paul LeClerc, president of the library, said. We often spoke about his work, and I never knew anyone who thrilled to bookish discoveries as he did.

Every inch of Mr. Shulman, from his sneakers to his plastic bag crammed with scrawled notes to his soiled baseball cap, suggested the classic New York eccentric. He recorded his finds on index cards, sending them to the O.E.D. when he got 100.

His obsessions included trying to prove that Steve Brodie jumped off the Brooklyn Bridge on July 23, 1886, not faking it as many reports claimed. He once wrote a sonnet, Washington Crossing the Delaware in which each line is an anagram of the title.

But in 70 years at the library, he allowed as how he had seen, well, odder folks. There was the well-dressed chap who wandered about for years carrying his hat and never touching a book. Or the man who tracked down burial places of 60,000 New Jersey soldiers. Mr. Shulman finally asked why. I might as well be plain with you, the man replied, according to an interview with Mr. Shulman in The New York Times in 1990. I'm a nut.

David Shulman was born on Nov. 12, 1912, and grew up on the Lower East Side speaking Yiddish, according to an interview in The Jerusalem Report in 1999. His first library was a branch in the Bronx. After City College, he devised puzzles and puzzle contests for newspapers.

During World War II, he cracked Japanese secret codes for the Army, then returned to puzzles. He was a founder of the American Cryptogram Association, and in 1976 published An Annotated Bibliography of Cryptography, still used by experts. He was a champion scrabble player, and wrote a scholarly article about the game's lexicography.

After a heart attack in his early 80's, Mr. Shulman gave beloved possessions to the New York Public Library. Gifts included a primer from Colonial America, 20,000 century-old postcards and Bowery Boys novels the library did not have. He earlier donated his cryptography collection, including a book about secret writing from 1518.

His mentor at the
Single Field Shapes Quantum Bits
http://www.technologyreview.com/articles/04/11/rnb_110804.asp?trk=nl

Technology Review
Single Field Shapes Quantum Bits
November 8, 2005

Quantum computers, which tap the properties of particles like atoms, photons and electrons to carry out computations, could potentially use a variety of schemes: individual photons controlled by optical networks, clouds of atoms linked by laser beams, and electrons trapped in quantum dots embedded in silicon chips. Due to the strange nature of quantum particles, quantum computers are theoretically much faster than ordinary computers at solving certain large problems, like cracking secret codes.

Chip-based quantum computers would have a distinct advantage -- they could leverage the manufacturing infrastructure of the semiconductor industry. Controlling individual electrons, however, is extremely challenging.

Researchers have recently realized that it may be possible to control the electrons in a quantum computer using a single magnetic field rather than having to produce extremely small, precisely focused magnetic fields for each electron.

Researchers from the University of Toronto and the University of Wisconsin at Madison have advanced this idea with a scheme that allows individual electrons to serve as the quantum bits that store and process computer information. Electrons have two magnetic orientations, spin up and spin down, which can represent the 1s and 0s of computing.

The researchers' scheme relies on the interactions of pairs of electrons. Tiny electrodes positioned near quantum dots -- bits of semiconductor material that can trap single electrons -- can draw neighboring electrons near enough that they exchange energy. The researchers' scheme takes a pair of electrons through eleven incremental steps that involve the electron interaction and a global magnetic field to flip one of the bits from a 0 to a 1 or vice versa.

The technique could be used practically in 10 to 20 years, according to the researchers. The work appeared in the July 15, 2004 issue of Physical Review Letters.

Technology Research News
No mandate for e-voting, computer scientist says
http://gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2story.id=27861

No mandate for e-voting, computer scientist says
11/09/04
By William Jackson, GCN Staff

Despite wide use in last week's presidential election, direct-recording electronic voting still is a faulty method of casting ballots, one computer scientist says.

Paperless electronic-voting systems are completely unacceptable, said Dan Wallach, assistant professor of computer science at Rice University. Assurances about the machines' accuracy and reliability are not based on verifiable data, Wallach said today at the Computer Security Institute's annual conference in Washington.

Wallach was one of a team of computer scientists who in 2003 examined source code for voting machines from Diebold Election Systems Inc. of North Canton, Ohio, and reported numerous security flaws. Cryptography implementation and access controls showed an astonishingly naive design, he said. As far as we know, these flaws are still there today.

Diebold has defended its technology and said the computer scientists examined an outdated version of the code. Wallach countered that without access to current code for any voting machines, it's impossible to verify manufacturers' claims. The proprietary nature of the code and a lack of government standards for voting technology also make certification of the hardware and software meaningless, he said.

The IT Association of America hailed the Nov. 2 election as a validation of direct-recording technology. But Wallach said sporadic problems with the systems have been reported, and a thorough analysis of Election Day procedures and results is under way. Plus, a paper ballot that can be recounted is essential to a reliable system, he said.

Probably the best voting system we have today is the optical scan system, with a precinct-based scanner, Wallach said. It is very simple, it is accurate, and it is auditable.

He suggested that a hybrid voting system that produces a verifiable paper ballot would be as reliable as optical systems and would offer convenience and accessibility for disabled voters. A number of states, including California and Nevada, have laws or legislation pending to require that voting machines produce paper ballots.

Wallach said technical standards that demand transparent certification processes would go a long way toward increasing voting reliability. I think the Common Criteria would be a good place to start, he said, referring to the set of internationally recognized standards for evaluating security technology, either against vendor claims or against a set of needs specified by a user.
Calif. settles electronic voting suit against Diebold for $2.6M
http://sfgate.com/cgi-bin/article.cgi?f=/news/archive/2004/11/10/financial1831EST0118.DTL

The San Francisco Chronicle
Calif. settles electronic voting suit against Diebold for $2.6M
RACHEL KONRAD, AP Technology Writer
Wednesday, November 10, 2004 (11-10) 15:31 PST

SAN FRANCISCO (AP) -- California Attorney General Bill Lockyer announced Wednesday a $2.6 million settlement with Diebold Inc., resolving a lawsuit alleging that the company sold the state and several counties shoddy voting equipment.

Although critics characterized the settlement as a slap on the wrist, Diebold also agreed to pay an undisclosed sum to partially reimburse Alameda, San Diego and other counties for the cost of paper backup ballots, ink and other supplies in last week's election.

California's secretary of state banned the use of one type of Diebold machine in May, after problems with the machines disenfranchised an unknown number of voters in the March primary. Faulty equipment forced at least 6,000 of 316,000 voters in Alameda County, just east of San Francisco, to use backup paper ballots instead of the paperless voting terminals. In San Diego County, a power surge resulted in hundreds of touch-screens that wouldn't start when the polls opened, forcing election officials to turn voters away from the polls.

According to the settlement, the North Canton, Ohio-based company must also upgrade ballot tabulation software that Los Angeles County and others used Nov. 2. Diebold must also strengthen the security of its paperless voting machines and computer servers and promise never to connect voting systems to outside networks.

There is no more fundamental right in our democracy than the right to vote and have your vote counted, Lockyer said in a statement. In making false claims about its equipment, Diebold treated that right, and the taxpayers who bought its machines, cavalierly. This settlement holds Diebold accountable and helps ensure the future quality and security of its voting systems.

The tentative settlement could be approved as soon as Dec. 10.

The original lawsuit was filed a year ago by Seattle-based electronic voting critic Bev Harris and Sacramento-based activist Jim March, who characterized the $2.6 million settlement as peanuts.

March, a whistle blower who filed suit on behalf of California taxpayers, could receive as much as $75,000 because of the settlement. But he said the terms don't require Diebold to overhaul its election servers -- which have had problems in Washington's King County and elsewhere -- to guard them from hackers, software bugs or other failures.

The former computer system administrator was also upset that the state announced the deal so quickly. Several activist groups, computer scientists and federal researchers are analyzing Nov. 2 election data, looking for evidence of vote rigging or unintentional miscounts in hundreds of counties nationwide that used touch-screen terminals. Results are expected by early December.

This settlement will shut down a major avenue of investigation before evidence starts trickling in, March said. It's very premature.

A Diebold executive said the settlement would allow the company to spend more money on improving software and avoid the distraction and cost of prolonged litigation. Diebold earnings plunged 5 cents per share in the third quarter because of the California litigation, which could cost an additional 1 cent per share in the current quarter. Diebold shares closed Wednesday at $53.20, up 1.22 percent from Tuesday in trading on the New York Stock Exchange.

We've worked closely with California officials to come to an agreement that allows us to continue to move forward, Diebold senior vice president Thomas W. Swidarski said in a statement. While we believe Diebold has strong responses to the claims raised in the suit, we are primarily interested in building an effective and trusting relationship with California election officials.
E-Mail Authentication Will Not End Spam, Panelists Say
http://www.washingtonpost.com/ac2/wp-dyn/A41460-2004Nov10?language=printer

The Washington Post
E-Mail Authentication Will Not End Spam, Panelists Say
By Jonathan Krim
Washington Post Staff Writer
Thursday, November 11, 2004; Page E01

For consumers and businesses increasingly shaken by the growing onslaught of unwanted e-mail and the computer viruses and other nefarious hacking spam can bring, any hope for quick relief was soundly dashed yesterday during a government-hosted gathering of technology experts.

Several executives and academics speaking at a forum sponsored by the Federal Trade Commission said criminals are already steps ahead of a major initiative by e-mail providers to counter those problems by creating a system to verify senders of e-mail.

In theory, such an authentication system would make it harder for spammers to disguise their identities and locations in an attempt to avoid being shut down or prosecuted. But a majority of spam is launched by zombies, or infected personal computers that are controlled by remote spammers. E-mail from a zombie looks as if it is coming from a legitimate source -- because it is. The owner of that source is simply unaware that his or her computer has been commandeered.

We'll be lucky if we solve 50 percent of the problem with e-mail authentication, said Pavni Diwanji, chairman of MailFrontier Inc., a Silicon Valley provider of e-mail security systems.

By some estimates, the problem is rapidly becoming a crisis. In the first half of this year, an average of 30,000 computers a day were turned into zombies, according to the computer security firm Symantec Corp.

In addition to serving up unwanted or fraudulent messages, spam is used to deliver viruses and other malicious software code that can allow hackers to capture private data such as credit card or bank account numbers from personal computers.

Hackers and spammers also have been able to exploit a lack of awareness among many computer users, tricking them into providing their passwords or account information in response to e-mails that appear to be coming from legitimate financial institutions or retailers, a tactic known as phishing. The information is then rapidly sold on a black market heavily populated by elements of organized crime in Eastern Europe, Asia and elsewhere.

As incidents of the resulting identity fraud mount, we're losing consumer confidence in this medium, said R. David Lewis, vice president of Digital Impact Inc., which provides bulk e-mail marketing services to large companies. Lewis and others said that if the public reaches a tipping point at which Internet commerce is no longer trusted, the economic consequences will be severe.

Despite the authentication effort's shortcomings, none of yesterday's speakers suggested abandoning it, because it is seen as an essential building block for other solutions. But the forum demonstrated in stark terms the depth and complexity of the problem.

Any e-mail authentication system, for example, would check that the block of Internet addresses assigned to an e-mail provider includes the specific numeric address of a sender of a piece of e-mail. Thus, a red flag would go up if a message seeming to come from [EMAIL PROTECTED] is actually not coming from a computer that uses the xyz-123.net mail service.

But Scott Chasin, chief technology officer of e-mail security firm MX Logic Inc., said the underlying Internet system that houses the necessary data is insecure and can be tricked by hackers. Chasin said the problem has been known for 10 years, but industry and Internet standard-setters have been unable or unwilling to fix the problem by encrypting the data.

Getting agreement on an authentication system has been similarly difficult and is partly why the FTC held the summit. The major e-mail providers, America Online Inc., Microsoft Corp., Yahoo Inc. and EarthLink Inc., are still testing and pushing various plans. The Internet group assigned to endorse a standard disbanded recently, unable to resolve discord and uncertainty over whether licensing rights asserted by Microsoft would cut out a broad swath of organizations that use so-called open-source software.

Chasin and other panelists also said the basic operating systems that power computers -- the most dominant of which is Microsoft Windows -- remain too vulnerable to hackers. He said a worm was recently discovered that lodges itself in Windows files and goes to work when a computer user tries to access the Web site of his or her bank. The malicious code automatically redirects the Web browser to a fake page that looks like the real thing.

In this scenario, the user has not been duped by a fake phishing e-mail. Instead, the vulnerability in the operating system has allowed the code to redirect the user's browser to a phony page where a hacker can capture the user's name and password.

Still, panelists insisted authentication is a vital first step.
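The address-block check the article describes, as an added example that is not from the article or any of the providers named: a minimal SPF-style checker that decides whether the connecting IP of a message claiming to be from a domain falls inside the blocks that domain has published, with the published table passed in rather than fetched so the trust placed in the (insecure, as Chasin notes) lookup is explicit; the domain xyz-123.net is the article's, the address blocks and messages are constructed.

```python
"""Added example (not from the article): the path-based sender check the
panel describes, i.e. verifying that the IP address that delivered a message
lies inside the address blocks its claimed domain has published for outgoing
mail. This is the idea behind SPF, written as a stand-alone checker.

Two points from the article fall straight out of the code:
  * the published blocks normally come from DNS, which the panel called
    insecure; here they are passed in as a pre-fetched table, so whatever
    trust is placed in that lookup is visible at the call site;
  * a zombie inside the provider's own block passes, because the mail really
    does come from the provider's network.
Address blocks and messages below are constructed; xyz-123.net is the
article's example domain.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    envelope_from: str      # e.g. "alice@xyz-123.net"
    connecting_ip: str      # address of the SMTP client that delivered it


def sender_domain(address: str) -> str:
    """Domain part of an address, lower-cased; rejects malformed input."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    return domain.lower()


def check_sender(msg: Message, published_blocks: dict) -> str:
    """Return 'pass', 'fail' or 'none' for a message.

    published_blocks maps a domain to the CIDR blocks it has authorised for
    outgoing mail (assumed already retrieved). 'none' means the domain
    publishes nothing, so no conclusion can be drawn either way.
    """
    domain = sender_domain(msg.envelope_from)
    blocks = published_blocks.get(domain)
    if blocks is None:
        return "none"
    ip = ipaddress.ip_address(msg.connecting_ip)
    nets = (ipaddress.ip_network(b, strict=False) for b in blocks)
    return "pass" if any(ip in net for net in nets) else "fail"


# Constructed policy table standing in for per-domain DNS lookups.
PUBLISHED = {
    "xyz-123.net": ["203.0.113.0/24", "2001:db8:1::/48"],
    "example.org": ["198.51.100.16/28"],
}

# Constructed messages: a forgery from an unrelated address, a zombie PC on
# the provider's own network, a legitimate IPv6 sender, and a domain that
# publishes no policy at all.
SAMPLES = [
    Message("billing@xyz-123.net", "192.0.2.77"),        # forged source
    Message("billing@xyz-123.net", "203.0.113.200"),     # zombie: passes
    Message("ops@XYZ-123.net", "2001:db8:1::25"),        # legitimate IPv6
    Message("news@unlisted.example", "198.51.100.20"),   # no policy
]

if __name__ == "__main__":
    for m in SAMPLES:
        verdict = check_sender(m, PUBLISHED)
        print(f"{m.envelope_from:28} {m.connecting_ip:16} {verdict}")
```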
Banks brace for cashpoint attack
http://www.theregister.co.uk/2004/11/11/banks_prepare_for_atm_cyber_crime/print.html The Register Biting the hand that feeds IT The Register » Security » Network Security » Original URL: http://www.theregister.co.uk/2004/11/11/banks_prepare_for_atm_cyber_crime/ Banks brace for cashpoint attack By Kevin Poulsen, SecurityFocus (klp at securityfocus.com) Published Thursday 11th November 2004 10:42 GMT An international group of law enforcement and financial industry associations hopes to prevent a new type of bank robbery before it gets off the ground: cyber attacks against automated teller machines. This fall the Global ATM Security Alliance (GASA) published what it says are the first international cyber security guidelines specifically tailored to cash machines. Experts see new dangers as legacy ATMs running OS/2 give way to modern terminals built on Microsoft Windows. The recommendations presented in this manual are essentially designed to provide a common sense approach to ... the rapidly changing threat model that the introduction to the ATM channel of the Windows XP and other common use operating systems, as well as the TCP/IP network protocol suite, has created, said the manual's author, Ian Simpson, in a statement. The move comes one year after the Nachi worm compromised (http://www.securityfocus.com/news/7517) Windows-based automated teller machines at two financial institutions, in the only acknowledged case of malicious code penetrating ATMs. The cash machines, made by Diebold, were built on Windows XP Embedded, which suffered from the RPC DCOM security hole Nachi exploited. In response to the incident, Diebold began shipping new Windows-based ATMs preinstalled with host-based firewall software, and offered to add the program for existing customers. 
Though ATMs typically sit on private networks or VPNs, supposedly-isolated networks often have undocumented connections to the Internet, or can fall to a piece of malicious code inadvertently carried beyond the firewall on a laptop computer. Last year's Slammer worm indirectly shut down some 13,000 Bank of America ATMs by infecting database servers on the same network, and spewing so much traffic that the cash machines couldn't process customer transactions.

"The goal of the ATM cyber security best practices document, which has not been made public, and a related white paper developed by GASA, is to be proactive in fighting what might be the next wave of ATM crime - namely cyber attacks," said Mike Lee, founding coordinator of the group, in a statement.

GASA's members include fraud prevention agencies, financial industry associations, the US Secret Service, Visa and MasterCard, and some ATM networks and manufacturers, including Diebold and NCR.

Related stories
ATMs in peril from computer worms? (http://www.theregister.co.uk/2004/10/20/atm_viral_peril/)
The ATM keypad as security portcullis (http://www.theregister.co.uk/2004/07/21/atm_keypad_security/)
Ukrainian teen fights the Rise of the Machines (http://www.theregister.co.uk/2004/10/13/girl_terminates_atm/)

-- 
- R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

- The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Gov't Orders Air Passenger Data for Test
http://news.yahoo.com/news?tmpl=storycid=519u=/ap/20041112/ap_on_re_us/passenger_screening_1printer=1

Gov't Orders Air Passenger Data for Test
Fri Nov 12, 2:35 PM ET
By LESLIE MILLER, Associated Press Writer

WASHINGTON - The government on Friday ordered airlines to turn over personal information about passengers who flew within the United States in June in order to test a new system for identifying potential terrorists.

The system, dubbed Secure Flight, will compare passenger data with names on two government watch lists, a "no fly" list comprised of people who are known or suspected to be terrorists, and a list of people who require more scrutiny before boarding planes.

"Secure Flight represents a significant step in securing domestic air travel and safeguarding national security information, namely, the watchlists," the Transportation Security Administration said in a notice announcing the order.

Currently, the federal government shares parts of the list with airlines, which are responsible for making sure suspected terrorists don't get on planes. People within the commercial aviation industry say the lists have the names of more than 100,000 people on them.

The order follows a 30-day period during which the public was allowed to comment on the Secure Flight proposal. About 500 people commented on the plan; the overwhelming majority opposed it, saying it would invade their privacy and infringe on their civil liberties.

An airline industry representative said the carriers, which support the plan, are studying the order.
Want to surf net? Show I-card
http://www.hindustantimes.com/onlineCDA/PFVersion.jsp?article=http://10.81.141.122/news/181_1104972,0006.htm

HindustanTimes.com

Prove identity to surf net in Bangalore
Press Trust of India
Bangalore, November 15

Internet surfers in over 50,000 cyber cafés across Karnataka now need to show an identity proof before browsing the web. With an aim to prevent misuse of the Internet by criminals, the state government has made it mandatory for all such cafes to have a record of net users, failing which the police can impound their licenses.

"We are introducing this law to check anti-social elements and anti-national activities. Internet is a great medium for communication, but people can also carry out a lot of such (illegal) activities through it," state IT secretary K.N. Shankaralinge Gowda told here.

According to the new norms, a surfer needs to display his/her identity card at the cyber café or be photographed by a web camera by the attendant before logging on.
[ISN] Japanese Government Bans Security Researcher's Speech
--- begin forwarded text

Date: Mon, 15 Nov 2004 04:48:20 -0600 (CST)
From: InfoSec News [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [ISN] Japanese Government Bans Security Researcher's Speech
Reply-To: [EMAIL PROTECTED]
List-Id: InfoSec News isn.attrition.org
List-Archive: http://www.attrition.org/pipermail/isn
List-Post: mailto:[EMAIL PROTECTED]
List-Help: mailto:[EMAIL PROTECTED]
List-Subscribe: http://www.attrition.org/mailman/listinfo/isn, mailto:[EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]

http://www.ejovi.net/archives/2004/11/japanese_govern.html

November 12, 2004

[JUKI net is Japan's national ID system. Ejovi performed a security audit of the system for Nagano Prefecture one year ago]

It's been a long day. I am greatly disappointed that Soumushou, the Japanese government that maintains JUKI net, prevented me from speaking today at the PacSec security conference. Soumushou prevented my talk by threatening the Japanese event who currently are seeking contracts from the government.

The Japanese government gave me two options.
1) Do not talk
2) Drastically change your slides to say what they want me to.

When I offered to not use slides at all and give my own opinion they told me that I would not be permitted to speak AT ALL. It is obvious to me that they did not have an issue with my slides or presentation. They were afraid that I would draw attention to problems in JUKI net. Soumushou thinks that they can hide from the issues. They think that if they keep people from speaking about the issues, it will go away. I thought I would be immune from such Japanese government pressures, however I underestimated Soumushou's ability to manipulate those around me.

Soumushou's reason for forbidding me to speak was this: "Since we are endorsing the convention we have the right to tell you not to speak." If this is the case, the Japanese government needs only sponsor or endorse ANY event in which they don't agree with and force the organizers to change the content. If this is the case Japan will never make any progress towards a safer environment.

What is most upsetting to me is the fact that I HAD NO PLANS TO CRITICIZE the Japanese government. My talk was going to be extremely fair and balanced, addressing the issues raised by both sides. In fact I invited Soumushou to meet with me directly so that I can address any issues they may have. I told them this on the telephone and by email. Instead they chose to pressure the Japanese representatives of the conference. They never attempted to talk with me directly. Why is this? If they had issues with something I may say, why not ask me about it? Why pressure a company that relies on government contracts? Is this fair?

The purpose of my talk was to present both sides of JUKI net security systems. I have no vested interest in seeing it fail or in seeing it succeed. I only wanted to recommend how best to make it safer, how best to improve the system. But Soumushou believed that my recommendations on how to improve its security alone would mean that JUKI net has problems, and they refused to admit this. I'm sorry to tell them, but it does have security problems. The good news is that the technical issues can be easily resolved. However the greatest problem with JUKI net is not technical but Soumushou's inability to even acknowledge that they exist! How can a system become secure if the Japanese government is not willing to listen to someone who points out issues?

Today was a sad day for Japan and a frustrating day for me.

_
Open Source Vulnerability Database (OSVDB) Everything is Vulnerable - http://www.osvdb.org/

--- end forwarded text
[Osint] DHS Now Has Non-Disclosure Agreement For *Un*classified Info
--- begin forwarded text

To: Bruce Tefft [EMAIL PROTECTED]
Thread-Index: AcTLBDc4vJyL80TwSZuIiwn1AOddIQACB0Zg
From: Bruce Tefft [EMAIL PROTECTED]
Mailing-List: list [EMAIL PROTECTED]; contact [EMAIL PROTECTED]
Date: Mon, 15 Nov 2004 07:13:19 -0500
Subject: [osint] A NON-DISCLOSURE AGREEMENT FOR UNCLASSIFIED INFO]
Reply-To: [EMAIL PROTECTED]

A NON-DISCLOSURE AGREEMENT FOR UNCLASSIFIED INFO

In a momentous expansion of the apparatus of government secrecy, the Department of Homeland Security (DHS) is requiring employees and others to sign legally binding non-disclosure agreements as a condition of access to certain categories of unclassified information.

Up to now, non-disclosure agreements have only been used by government agencies to regulate access to classified information. In fact, they are one of the defining features of the national security classification system, along with security clearances and the "need to know" principle. As far as Secrecy News could determine, such classification-like controls have never before been systematically imposed on access to unclassified information.

But now at DHS a non-disclosure agreement must be executed in order to gain access to any one of a panoply of new and existing categories of unclassified information, including: For Official Use Only (FOUO); Official Use Only (OUO); Sensitive Homeland Security Information (SHSI); Limited Official Use (LOU); Law Enforcement Sensitive (LES); Safeguarding Information (SGI); Unclassified Controlled Nuclear Information (UCNI); and any other identifier used by other government agencies to categorize information as sensitive but unclassified.

The proliferation of controls on unclassified information signifies a massive increase in government secrecy, particularly since the number of officials who are authorized to designate information in one of these categories dwarfs the number of officials who can create classified information.

And while the classification system operates according to certain well-defined rules and limitations, including procedures for review and challenge of classification decisions, the same is not true of the "sensitive but unclassified" domain. Furthermore, there is nothing like the Information Security Oversight Office to monitor and oversee the restriction of unclassified information.

(Some types of sensitive but unclassified information are not specifically protected by statute and can still be successfully requested under the Freedom of Information Act. But with Justice Department encouragement, agencies take an expansive view of the scope of the Act's exemptions and access is increasingly uncertain.)

The DHS non-disclosure agreement is apparently the first such document crafted in the Bush Administration. It represents a new high water mark in the rising tide of official secrecy.

A copy of DHS Form 11000-6, "Non-Disclosure Agreement for Sensitive But Unclassified Information," dated August 2004, was obtained by Secrecy News and is posted here: http://www.fas.org/sgp/othergov/dhs-nda.pdf

--- end forwarded text
Certicom First to Earn FIPS 186-2 Validation for Elliptic Curve Digital Signature Algorithm
http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=109STORY=/www/story/11-15-2004/0002456260EDATE=

Certicom First to Earn FIPS 186-2 Validation for Elliptic Curve Digital Signature Algorithm
Validation of ECC-based algorithm another step in ECC standardization and widespread adoption

MISSISSAUGA, ON, Nov. 15 /PRNewswire-FirstCall/ - Certicom Corp. (TSX: CIC), the authority for strong, efficient cryptography, today announced that its implementation for the Elliptic Curve Digital Signature Algorithm (ECDSA) has earned the Federal Information Processing Standards (FIPS) 186-2 validation certification No. 1 - making it the first company to receive the designation for an elliptic curve cryptography (ECC)-based algorithm.

This validation is particularly valuable for original equipment manufacturers (OEMs) and software vendors who sell to government organizations. By using Certicom's ECDSA implementation in their products, they meet FIPS requirements without undergoing the time-consuming and costly testing process. ECDSA is used to build in digital signature functionality and is a faster alternative to legacy algorithms.

For the cryptography community, and in particular proponents of ECC, the testing of ECC as part of the FIPS validation process is a significant step in the adoption of this public key cryptosystem. Considered a benchmark for security in government, a FIPS validation assures users that a given technology has passed rigorous testing by an accredited third party lab as set out by the National Institute of Standards for Technology (NIST) and can be used to secure sensitive information. Typically, it drives wide-scale adoption in government and in commercial sectors, particularly in the financial and healthcare sectors that recognize the significance of FIPS validation. This milestone in ECC's evolution follows last year's announcement from the National Security Agency (NSA) that ECC is a 'crucial technology'. Both events are part of the U.S. Government's crypto modernization program.

"A major hurdle to widespread adoption of any security technology is standardization. We witnessed that 25 years ago with the Data Encryption Standard (DES) and now are seeing it play out with Advanced Encryption Standards (AES), the successor to DES," said Scott Vanstone, founder and executive vice-president, strategic technology at Certicom. "As a complementary cryptosystem to AES, we can expect the same for ECC. By testing ECC-based algorithms in the FIPS certification process, NIST added a level of assurance that says they've done the due diligence on it and now organizations can be very comfortable adopting it."

ECC is a computationally efficient form of cryptography that offers equivalent security to other competing technologies but with much smaller key sizes. This results in faster computations, lower power consumption, as well as memory and bandwidth savings, thereby making it ideal for today's resource-constrained environments.

Certicom is considered a pioneer in ECC research and implementations, backed by 20 years of experience. The company developed the industry's first toolkit to include ECC, which has since been adopted by over 300 organizations. Tomorrow it will host the Certicom ECC Conference 2004, the first-ever conference that brings together Elliptic Curve Cryptography researchers, industry experts and users. During the two-day conference, participants from North America, Europe and Asia will discuss the evolution of ECC and share best implementation practices and insights for future applications.

About Certicom

Certicom Corp. (TSX:CIC) is the authority for strong, efficient cryptography required by software vendors and device manufacturers to embed security in their products. Adopted by the US Government's National Security Agency (NSA), Certicom technologies for Elliptic Curve Cryptography (ECC) provide the most security per bit of any known public key scheme, making it ideal for constrained environments. Certicom products and services are currently licensed to more than 300 customers including Motorola, Oracle, Research In Motion, Terayon, Texas Instruments and Unisys. Founded in 1985, Certicom is headquartered in Mississauga, ON, Canada, with offices in Ottawa, ON; Reston, VA; San Mateo, CA; and London, England. Visit http://www.certicom.com .

Certicom, Certicom Security Architecture, Certicom CodeSign, Security Builder, Security Builder Middleware, Security Builder API, Security Builder Crypto, Security Builder SSL, Security Builder PKI, and Security Builder GSE are trademarks or registered trademarks of Certicom Corp. Intel is a registered trademark of Intel Corporation or its subsidiaries in the United States and other countries. All other companies and products listed herein are trademarks or registered trademarks of their respective holders. Except for historical information contained
[ISN] BlackBerry prickles Department of Defence spooks
--- begin forwarded text

Date: Tue, 16 Nov 2004 07:34:56 -0600 (CST)
From: InfoSec News [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [ISN] BlackBerry prickles Department of Defence spooks
Reply-To: [EMAIL PROTECTED]
List-Id: InfoSec News isn.attrition.org
List-Archive: http://www.attrition.org/pipermail/isn
List-Post: mailto:[EMAIL PROTECTED]
List-Help: mailto:[EMAIL PROTECTED]
List-Subscribe: http://www.attrition.org/mailman/listinfo/isn, mailto:[EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]

http://www.theage.com.au/articles/2004/11/15/1100384480556.html

By Rob O'Neill
November 16, 2004

Department of Defence communications spooks are restricting the use of wireless BlackBerry devices in government over concerns about the security of confidential and restricted information.

The Defence Signals Directorate (DSD), the nation's high-tech electronic eavesdropper, says the popular devices must not be used to transmit confidential or secret information or connect to systems that process it. Agencies may use BlackBerry devices with systems that handle unclassified, x-in-confidence (excluding cabinet-in-confidence) and restricted information.

Telstra, one of several providers of BlackBerry services, insists the systems are secure. "They are used by a lot of customers that require high levels of security in the financial services industry, and even the CIA and the Pentagon," a Telstra spokesman says.

Paul Osmond, Asia-Pacific regional director of BlackBerry developer Research In Motion, is thrilled the Government has decided the Department of Defence can use the device, because 18 months ago they were prohibited. "Their restrictions are fairly common when you look at a first go-around," Osmond says. "They are similar to those the US defence forces put out when they first used it."

The DSD will review the guidelines in February when it is expected RIM and ISPs will seek to have their say.

The hand-held BlackBerry device, which allows access to corporate email, including attachments, from almost any location, has become the new must-have corporate accessory in the US and is receiving strong support here. But the swarm of new mobile computing devices poses security challenges to government and private organisations. They are keen to have the functionality but worry about privacy and access.

Other consumer devices have also generated alarm. A British security firm's survey revealed Apple's iPod, which has large portable storage capacity and can be plugged into most PCs, is considered a threat. Sometimes such concerns can seem overblown, as in 1999 when the Furby, a computerised toy, was banned from US National Security Agency premises because it could be used as a recorder.

_
Open Source Vulnerability Database (OSVDB) Everything is Vulnerable - http://www.osvdb.org/

--- end forwarded text
'Virtual Debit Card' Aims To Combat Online Fraud
http://online.wsj.com/article_print/0,,SB110056759053675009,00.html

The Wall Street Journal
November 16, 2004
MONEY

'Virtual Debit Card' Aims To Combat Online Fraud
By JENNIFER SARANOW
Staff Reporter of THE WALL STREET JOURNAL
November 16, 2004; Page D2

Consumers typically have been wary of using bank cards online. One bank's solution is to get rid of the cards.

In an effort to ease customers' concerns about fraud and identity theft when shopping online, PNC Bank has launched a new checking account with a "virtual" debit card. In addition to a regular debit card that can be used at automated teller machines and in stores, the Digital Checking account comes with an eSpend card. The card is basically a piece of paper with an account number, expiration date and verification code for making purchases online, over the phone and by mail order. Customers can set a daily limit for their eSpend card (say $1,000) and once that amount is spent, additional purchases won't be approved.

PNC Bank, a unit of PNC Financial Services Group Inc., Pittsburgh, hopes the eSpend card will attract people who want to make purchases online with their debit card but are uncomfortable doing so for fear of making their bank account vulnerable to fraud. If an unauthorized person obtains a customer's eSpend number, only the specified daily limit could be taken out of a customer's bank account. If this occurs, PNC says customers aren't liable for the charges. Purchases made with the eSpend card show up separately on bank statements.

The account, which is aimed at online-banking customers, also comes with identity-theft reimbursement insurance, a debit card rewards program and no fee for using non-PNC ATMs. The account has a monthly $11 service fee unless customers opt for direct deposit of paychecks or government checks such as Social Security, and pay at least three bills online.

The eSpend card comes as debit cards are quickly overtaking cash and checks as preferred methods of payment. According to a report from the American Bankers Association and Boston-based Dove Consulting, 31% of in-store purchases were made with a debit card last year, up from 21% in 1999. Consumers typically have been wary of using debit cards online because, unlike credit cards, they are directly tied to bank accounts. But online use of debit cards is starting to grow. In the first quarter of this year, Visa debit cards were used for 46% of online purchases, up from 43% a year earlier, according to Visa International.

Analysts are skeptical about how excited consumers will be about PNC's new card. "I think it's an interesting idea but if you look at consumer usage, consumers are using their debit cards online today in increasing numbers, so it's unclear how much of a demand there would be for a card with that unique application," says Tony Hayes, a Dove analyst.

Other banks have long offered similar credit-card products as a way to encourage purchases on the Internet and reduce the amount of fraud they are liable for. In June of 2002, for example, Citigroup Inc.'s Citibank launched free, downloadable software that allows credit-card customers to obtain a new disposable account number each time they make a purchase online. A downside: Such virtual account numbers can't be used when a credit card must be shown at pickup.
The Beginning of the Crypto Era
http://www.eweek.com/print_article2/0,2533,a=139274,00.asp

eWeek

The Beginning of the Crypto Era
November 15, 2004
By Larry Seltzer

In a move that was totally expected, if a little early, Yahoo has announced that it will put its money where its mouth is and start checking Yahoo Mail with its DomainKeys system. The company had told me that it would do so by the end of the year, but I suppose it had had this last week, during the FTC e-mail authentication summit, as an internal deadline. Earthlink also announced that it will test DomainKeys on its system.

DomainKeys is important. It is the main implementation of the second of the two most credible approaches to SMTP authentication, specifically the use of cryptographic signatures to authenticate messages against the domains from which they were sent. The other approach - to check against the IP addresses of the servers in those domains - also moved forward recently with the second version of the Sender ID spec.

Don't assume that the DomainKeys implementation is the final form. There is an IETF group called ietf-mailsig working in preliminary stages to standardize the crypto approach to SMTP authentication and they might want to make some changes to the approach used by Yahoo. And I expect Yahoo to be open to such suggestions. In fact, Yahoo's openness to reasonable suggestions and unobjectionable licenses is a big reason to be optimistic about widespread adoption of it. Indeed, while Yahoo has intellectual property claims on its developments in DomainKeys, the company isn't being a jerk about it, like some other coMpanieS in this business that shall remain naMeleSs.

There are some interesting questions about DomainKeys and Yahoo's handling of it. The first has to do with performance. My own first impression of cryptography as a solution was that the added performance burden on MTAs (message transfer agents, better known as mail servers) would be great and that many companies would have to upgrade their hardware to run a DomainKeys-enabled server with decent performance. In a recent eSeminar in which I participated, Richi Jennings of Ferris Research echoed this view.

But while it's still too early to tell, there's reason to believe the performance issue is not as serious as first impressions would indicate. I've spoken to Sendmail, the leading MTA company in the world, about it. Nobody, except Yahoo, has more hands-on experience actually testing and coding DomainKeys than Sendmail. Sendmail thinks the added performance burden, entirely CPU-based, is on the order of 15 percent to 20 percent. This isn't nothing, but MTAs aren't typically CPU-constrained - they are network- and perhaps disk-constrained - so there could easily be spare CPU capacity in the typical MTA (unless it's running Exchange Server or Notes, in which case it's CPU-starved).

The other question I have about Yahoo is why it has refused to implement SPF. Sender Policy Framework is the uncontroversial part of Sender ID, the part that checks the message envelope. Many people still argue that SPF is all we really need. But no serious people believe this, least of all SPF's author Meng Weng Wong, who is a principal author and sponsor of the Sender ID spec and also a fan of DomainKeys. All SPF really stops is bounce messages, also known as Joe Jobs. It's an important part of the solution, but it's far from an adequate one. But it is an easy one, and there's no good technical reason why Yahoo should resist it. All the other major mail providers, to my knowledge, are implementing SPF as part of their experimentation. The answer for Yahoo is probably something as stupid as not wanting people to get the misimpression that they are hedging on DomainKeys. I asked the company about this several weeks ago, and it weaseled out of a direct answer. Most dissatisfying.

The Yahoo announcement focuses on phishing, probably because it's topical. Spam has become a major annoyance, but phishing is scary. And SPF does nothing to address phishing. This is why Microsoft developed Caller ID, the header portion of Sender ID.

I should also take a moment to wag my finger at those who continue to express concern at how spammers are adopting SPF and other authentication standards in order to get around them. I don't know if they're walking into a trap or if they're just experimenting, but it won't do them any good. The more spammers authenticate, the easier they will make themselves to block.

Remember, authentication systems are not complete anti-spam systems. They just identify who is sending the mail, not why they are sending it. This whole approach requires the coordinated use of reputation systems that will use the authenticated address to tell you whether a sender is trustworthy. In such a scenario, an authenticated spammer becomes easy to block. The
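The column above contrasts the two authentication approaches (a cryptographic signature tied to the sending domain, and an IP check on the envelope sender) and then notes that neither is useful without a reputation lookup on the authenticated identity. The following script, added here as an illustration and not code from Yahoo, Sendmail or eWeek, walks through both checks side by side on a constructed message. Everything in it is an assumption: the "DNS zone" is an in-memory dictionary, the RSA key pair is a toy built from two small primes, the canonicalisation of headers and body is a sketch rather than the DomainKeys specification, and the reputation table is made up. It goes slightly beyond the column by also showing the two failure modes the text only names: a body altered in transit (the signature fails while SPF still passes, because SPF says nothing about content) and a message relayed from a host the domain has not authorised (SPF fails while the signature still passes).

```python
"""Toy DomainKeys-style signature check beside an SPF-style envelope check.

Added illustration, not code from Yahoo, Sendmail or eWeek.  The DNS zone,
the RSA key pair, the reputation table and the sample message are all
constructed here (assumptions) so the script runs offline.  The RSA modulus
is tiny and the canonicalisation is a sketch; real DomainKeys used 1024-bit
RSA over a defined canonical form of the headers and body.
"""
import hashlib
import ipaddress

# Toy RSA key pair (constructed).  999983 and 1000003 are primes; the
# resulting ~40-bit modulus shows the mechanics only and is not secure.
P, Q = 999983, 1000003
RSA_N = P * Q
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (P - 1) * (Q - 1))   # private exponent, kept by the sender

# Constructed "DNS": the selector record publishes the public key, the apex
# TXT record publishes the SPF policy naming the domain's outbound hosts.
DNS_TXT = {
    "mail._domainkey.example.com": f"k=rsa; n={RSA_N}; e={RSA_E}",
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",
}

# Constructed reputation data a receiver would consult after authentication.
REPUTATION = {"example.com": "trusted", "spammer.example": "blocked"}

SIGNED_HEADERS = ("From", "Subject")   # header fields covered by the signature


def lookup_txt(name):
    """Stand-in for a DNS TXT query against the constructed zone above."""
    return DNS_TXT.get(name.lower())


def parse_tags(record):
    """Parse the 'tag=value; tag=value' form used by key records and signatures."""
    return dict(part.strip().split("=", 1) for part in record.split(";") if "=" in part)


def canonical_digest(headers, body, modulus):
    """Hash the covered headers (lower-cased names, trimmed values) and the body.

    The digest is reduced modulo the toy modulus so textbook RSA can sign it;
    a real signer pads the full digest instead of reducing it."""
    h = hashlib.sha256()
    for name in SIGNED_HEADERS:
        h.update(f"{name.lower()}:{headers.get(name, '').strip()}\n".encode())
    h.update(body.rstrip("\n").encode())
    return int.from_bytes(h.digest(), "big") % modulus


def sign(headers, body, domain="example.com", selector="mail"):
    """Sender's MTA: produce the DomainKey-Signature header value."""
    sig = pow(canonical_digest(headers, body, RSA_N), RSA_D, RSA_N)
    return f"a=rsa-sha256; s={selector}; d={domain}; h={':'.join(SIGNED_HEADERS)}; b={sig}"


def verify_signature(headers, body):
    """Receiver's MTA: fetch the key named by the signature's selector and
    domain, then check the signature.  Returns (result, signing_domain)."""
    sig_hdr = headers.get("DomainKey-Signature")
    if not sig_hdr:
        return "none", None
    tags = parse_tags(sig_hdr)
    key_rec = lookup_txt(f"{tags['s']}._domainkey.{tags['d']}")
    if key_rec is None:
        return "fail", tags["d"]          # no published key: cannot authenticate
    key = parse_tags(key_rec)
    n, e = int(key["n"]), int(key["e"])
    ok = pow(int(tags["b"]), e, n) == canonical_digest(headers, body, n)
    return ("pass" if ok else "fail"), tags["d"]


def check_spf(envelope_domain, client_ip):
    """SPF-style envelope check: may client_ip send mail for envelope_domain?"""
    rec = lookup_txt(envelope_domain)
    if rec is None or not rec.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in rec.split()[1:]:
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:]):
            return "pass"
        if term == "-all":
            return "fail"
    return "neutral"


def receive(headers, body, envelope_domain, client_ip):
    """Run both checks, then consult reputation for the authenticated identity."""
    dk_result, signing_domain = verify_signature(headers, body)
    spf_result = check_spf(envelope_domain, client_ip)
    if dk_result == "pass":
        reputation = REPUTATION.get(signing_domain, "unknown")
    else:
        reputation = "unauthenticated"    # no verified identity to look up
    return {"domainkeys": dk_result, "spf": spf_result, "reputation": reputation}


if __name__ == "__main__":
    hdrs = {"From": "alice@example.com", "Subject": "Invoice"}   # constructed message
    body = "Please find the invoice attached.\n"
    hdrs["DomainKey-Signature"] = sign(hdrs, body)
    print(receive(hdrs, body, "example.com", "192.0.2.10"))                  # both pass
    print(receive(hdrs, "Pay this account.\n", "example.com", "192.0.2.10"))  # body altered
    print(receive(hdrs, body, "example.com", "198.51.100.7"))                # unauthorised host
```

The split in `receive` is the point the column makes: the signature check and the envelope check each yield only an identity and a verdict, and the reputation lookup on that identity is what decides whether mail is accepted, so a spammer who signs faithfully simply makes the lookup easier.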
Crypto-Tax: Re: India to tax / levy license fees on ISPs that offer VPNs
--- begin forwarded text

Date: Wed, 17 Nov 2004 05:47:53 +0530
From: Suresh Ramasubramanian [EMAIL PROTECTED]
To: Deepak Jain [EMAIL PROTECTED]
Cc: NANOG [EMAIL PROTECTED]
Subject: Re: India to tax / levy license fees on ISPs that offer VPNs
Organization: Outblaze Limited - http://www.outblaze.com
User-Agent: Mutt/1.5.6i
Sender: [EMAIL PROTECTED]

Deepak Jain [16/11/04 18:15 -0500]:
> I guess it depends on how you define a VPN over just a private network. Is an SSH tunnel a VPN? What about an encrypting SOCKS proxy?

This tax is aimed at a few Indian ISPs that are making lots of money selling managed IP-VPN services.. the incumbent telco seems to think all the money going there would be better spent by companies if they bought copper / fiber from it, and so the DoT (http://www.dot.gov.in) - lots of telco types there who wouldn't know a vpn from a hole in the ground - decided to "level the playing field".

Just for laughs, here's the DoT press release on this:

srs

http://www.dot.gov.in/pressnote10nov04ISP.doc

142/04 www.pib.nic.in
PRESS INFORMATION BUREAU
GOVERNMENT OF INDIA

ISP LICENSING CONDITIONS AMENDED TO PERMIT VPN SERVICES

New Delhi, Kartika 19, 1926 / November 10, 2004

The Department of Telecommunications today decided to extend the scope of the Licence conditions of Internet Service Providers (ISP), thereby allowing them to provide managed Virtual Private Network services to corporates and individuals. In accordance with the decision, the ISP licences (both Licence without Internet Telephony and with Internet Telephony) will have an enabling provision for VPN services by ISPs under specified terms and conditions. The annual licence fee will be at 8% of the Gross Revenue generated under the licence. There will be a one-time non-refundable entry fee of Rs. 10, 2 and 1 crore for Category A, B, and C ISPs respectively.

ISP-with-VPN licencees will be permitted to lay optical fibre cable or use radio links for provision of the services under their licence in its Service Area. Further, ISPs shall be free to enter into mutually agreed commercial agreements with infrastructure service providers for sharing of infrastructure. The ISPs shall not engage in reselling bandwidth directly or indirectly.

The above decision will help as many as 388 ISP Licensees, more particularly 61 all India (Category A) ISP Licensees, to offer VPN services to their customers, thus adding to their revenue stream from Internet Access Services.

VPN is a service where a customer perceives to have been provided with a private network which actually is configured over a shared public network. Benefits of VPN include secure communication over public network and guaranteed quality of service.

A High Level DoT Committee had examined the matter and had observed that while on one hand such VPN services were not under the scope of the present ISP licences, on the other hand it would be desirable to permit ISPs to provide such services in the present day liberalized telecom environment in the country. The services which are technologically possible should be allowed while at the same time ensuring a level playing field to all the service providers. Such VPN services, which provide a platform for utilization of bandwidth in a very cost effective and efficient manner, are emerging services internationally. This facility is necessary for the corporate world in meeting their growing communication needs of inter-office connectivity to send/transfer data securely, and such services are widely available in the telecom sector globally.

RM/AMA 101104 ISP Licencing Conditions

--- end forwarded text
Just Another Chip in the (Privacy) Wall
http://www.technologyreview.com/articles/04/11/wo_kushner111804.asp?p=0

Technology Review
Just Another Chip in the (Privacy) Wall
An electronic database implanted under the skin can assure speedy and proper medical care, but is it worth it?
By David Kushner
November 18, 2004

You can almost see the ads now: Imagine a bright future with a chip in your arm! Went to the supermarket, but left the wallet at home? No problem! Flex your bicep and the smiling cashier passes a scanner over your arm. Voila: identification chip recognized! Problem solved. Your credit is good with us!

Passed out during a sunrise jaunt on the top of Haleakala Mountain in Maui? Fret not! The hospital down below is on the case. Arm please. Scanner! The readout on the computer is fine. Just a little altitude sickness.

Key to the safety deposit box weighing you down? Chuck it! Next time you're in the bank, give the teller a friendly wave and watch the doors open to greet you!

After decades as the stuff of sci-fi novels and anime movies, the age of chipped humans is finally a reality. Last month, following two years of review, the Food and Drug Administration approved the use of an implantable chip for medical applications. Each VeriChip is the size of a grain of rice and contains a unique, 16-digit radio frequency ID. Linked to a database, that ID tag can call up a variety of information, from medical records to financial information.

Not surprisingly, the technology is causing its share of controversy. Civil liberties groups are calling this the end of privacy. Religious groups are calling it the number of the beast. Down on the shores of Delray Beach, FL, Applied Digital, the company behind the VeriChip, calls it a goldmine.

Like a lot of new technologies, the VeriChip happened rather by accident. Fifteen years ago, a company called Digital Angel developed implantable identification chips for the purpose of tracking companion pets and cattle. But the idea was nothing to moo at. Last year, 800,000 animal chips were sold in the United States for $55 to $70 apiece, 30 percent more than in 2002. If the chips could identify animals, why not a human being?

This thought occurred to Richard Seelig, a surgeon in New Jersey, shortly after the attacks of September 11, 2001. Seelig watched with horror as New York City firemen scrawled their social security numbers in black ink on their forearms, just in case they were to be burned beyond recognition in the inferno. Familiar with Digital Angel's work, Seelig voluntarily implanted himself with a radio frequency identification chip. And the race to bring it to the rest of the world was on.

According to Angela Fulcher, spokesperson for Applied Digital, the human chip works in essentially the same manner as the animal chips. The chip is contained inside a cylindrical transponder, a glass tube 11 millimeters in length and 2.1 millimeters in diameter. Along with the chip is an antenna coil, which picks up and transmits the identification number to a scanner. The Pocket Reader, an existing handheld scanner created by Applied Digital, reads the radio frequency ID number when it's passed over the skin within a space of three or four inches. Unlike the animal version, the human chip is coated with Biobond, a porous polypropylene sheath that connects to surrounding tissues. The chip is implanted, via a proprietary VeriChip inserter, in a fleshy area such as the bicep. Based on our experience with microchips and animals, Fulcher says, we see the lifespan as being 10 years.

Although newly approved by the FDA, VeriChips are already in use outside the United States. In total, an estimated 1,000 people have been implanted thus far. In Mexico, Rafael Macedo de la Concha, the country's attorney general, was implanted with a chip to provide secure access to government documents. In Barcelona, a beach club is injecting partiers with ID chips in lieu of hand stamps.

Despite the announcement of the FDA approval, however, such frivolous implants may soon be second-guessed. Organizations have criticized Applied Digital for not adequately disclosing the FDA's finding of VeriChip's risks. A group called Consumers Against Supermarket Privacy Invasion and Numbering, or CASPIAN, obtained a letter from the FDA to Applied Digital dated October 12, and posted it on the Web. The letter cites several potential risks to health associated with the device, including adverse tissue reaction, migration of the implanted transponder, electromagnetic interference, electrical hazards, and incompatibility with magnetic resonance imaging.

In addition to medical concerns, privacy advocates lament the potential abuses of implantable IDs. The outcry stems from the proliferation of radio frequency identification in products and badges. The San Francisco Public Library is trying to put ID chips in all of its books. In Virginia, the Department of Motor Vehicles is considering putting chips on every driver's license.
Microchip passport critics say ID theft possible
http://www.usatoday.com/tech/news/2004-11-22-hitech-passport_x.htm

USA Today
Microchip passport critics say ID theft possible
The Associated Press

The United States hasn't issued any microchip-equipped passports yet, but as the Department of State tests different prototypes, the international standards for the passports are under fire from privacy advocates who worry the technology won't protect travelers from identity thieves.

The American Civil Liberties Union has raised alarms, and even an executive at one of the companies developing a prototype for the State Department calls the international standards woefully inadequate.

The international standards for electronic passports were set by the U.N.-affiliated International Civil Aviation Organization, which has worked on standards for machine-readable passports since 1968.

On the latest passports, the agency has taken a 'keep it simple' approach, which, unfortunately, really disregards a basic privacy approach and leaves out the basic security methods we would have expected to have been incorporated for the security of the documents, said Neville Pattinson, an executive at Axalto North America, which is working on a prototype U.S. electronic passport.

As part of heightened security post-Sept. 11, all new U.S. passports issued by the end of 2005 are expected to have a chip containing the holder's name, birth date and issuing office, as well as a biometric identifier: a photo of the holder's face. The photo is the international standard for biometrics, but countries are free to add other biometrics, such as fingerprints, for greater accuracy.

Privacy advocates have complained about the security standards for the passports, but Pattinson is the most prominent person involved in their creation to express concern that they could become prey for identity thieves if safeguards aren't standardized. A slide in a presentation he gives says, Don't lose the public's confidence at the get go. Another asks, Who is up for a black eye?

The international passport standards call for a very sophisticated smart card device, that uses a chip and an antenna embedded in the passports' covers, Pattinson said. Unlike cheaper and dumber RFID tags, the passport chips would be microprocessors that could send one piece of information at a time in answer to queries from a machine reader. They could also be equipped with multiple layers of encryption for security.

The international standards spell out ways the passports could incorporate more protection from identity thieves, but they make those methods optional. Under the standards, information on the chip could be picked up by someone who wires a briefcase with a reader, then swings it within inches of a passport, Pattinson said. Over a greater distance, an interloper could eavesdrop on border control devices reading the passports, he said.

There's no security built into it, said Barry Steinhardt, director of the technology and liberty program at the American Civil Liberties Union. This will enable identity theft and put Americans at some risk when they travel internationally.

One rudimentary way to protect electronic passports from identity thieves is to wrap them in tinfoil, which blocks radio waves. A single-size Doritos bag would do the trick. Protecting border control agents' readers with a metal shield would protect against eavesdropping.

The International Civil Aviation Organization and State Department say they're looking at more organized methods. The privacy issues have come up and they are being looked at, said Denis Schagnon, a spokesman for ICAO. This is a process that is being implemented over the next few years, it is not something that happens overnight. One way to fight identity theft is already in the standards, he said: The passports will have built-in encrypted authentication to let electronic readers know they are original documents, not forgeries.

The international standard is obviously a baseline, said Angela Aggeler, spokesperson for the bureau of consular affairs at the State Department. This is something we continue to develop and work on. (Privacy) is the thing that is driving a lot of our considerations. Personal privacy issues are of paramount consideration.

Other countries are also making the switch to microchipped, biometric passports, at U.S. request. Under the Patriot Act, visitors from 27 countries whose citizens don't need visas to visit the United States will need electronic passports, too. The United States originally asked that visitors from those countries have the electronic passports by this October. President Bush in August gave the countries an extra year to issue them; they will be required by next October. In testimony before a House committee, Secretary of State Colin Powell said that other countries were finding the switch daunting, as was the United States.

The Government Printing Office is manufacturing test passports using chip packages
Nonce Stamp: SRI International Receives Security Technology Patent for Paper-based Transactions
http://home.businesswire.com/portal/site/google/index.jsp?ndmViewId=news_viewnewsId=20041123005187newsLang=en

November 23, 2004 08:01 AM US Eastern Timezone

SRI International Receives Security Technology Patent for Paper-based Transactions

MENLO PARK, Calif.--(BUSINESS WIRE)--Nov. 23, 2004-- Nonce Stamp Offers Many Applications, Including Electronically Downloaded Airline Tickets, Travelers Checks, Passports, Postage, Legal Documents, and Event and Movie Tickets

SRI International, a leading independent, nonprofit research institute known for its pioneering innovations, today announced that it has been issued a fundamental U.S. patent for its nonce stamp technology, which can secure and authenticate paper documents against fraudulent creation and use. U.S. Patent No. 6,820,201 covers SRI's information-based indicia technology for securing and authenticating paper documents. The SRI technology addresses the security issues inherent in today's popular print-at-home documents, such as postage and movie tickets, which can be readily counterfeited.

The recently awarded patent and related pending SRI patents cover an innovative use of a nonce (an element used to protect electronic cryptography systems from being cracked) to protect paper-based documents. The nonce is a unique number preprinted on a forgery-resistant material. When the user wishes to print an article of value, such as a postage stamp, the value of the nonce is combined with other information (e.g., the value of the postage) and a digital certificate is created. The digital certificate, in electronic or printed form, together with the nonce stamp, provides cryptographically secure proof of the uniqueness and authenticity of the certificate. The inventors are laboratory director Patrick D. Lincoln, Ph.D., and staff scientist Natarajan Shankar, Ph.D., of SRI's Computer Science Laboratory.

Most paper currency and other documents that have monetary value include security features to prevent fraud. SRI saw the need to also secure today's popular print-at-home documents to eliminate forgery and counterfeiting, said Dr. Lincoln. Nonce stamps are a way of creating unique physical representations of digital certificates that are easily authenticated and that cannot be forged.

About SRI International

Silicon Valley-based SRI International (www.sri.com) is one of the world's leading independent research and technology development organizations. Founded as Stanford Research Institute in 1946, SRI has been meeting the strategic needs of clients for almost 60 years. The nonprofit research institute performs contract research and development for government agencies, commercial businesses and nonprofit foundations. In addition to conducting contract R&D, SRI licenses its technologies, forms strategic partnerships and creates spin-off companies.

Contacts
SRI International
Ellie Javadi, 650-859-4874
[EMAIL PROTECTED]
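The release describes the protocol in prose: a unique nonce preprinted on forgery-resistant stock, a digital certificate computed over the nonce plus the item's value, and a check that the pair is both authentic and used only once. The following is an added example (mine, not SRI's code and not taken from the patent) showing those three steps end to end. Ed25519 stands in for whatever signature scheme a deployment would choose, the nonce string and postage value are constructed, and the physical check that the nonce really sits on genuine stock is outside the code: those are all assumptions made here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Added example, not SRI's code and not drawn from the patent text. It shows
// the mechanics the release describes: a nonce preprinted on forgery-resistant
// stock, an issuer that binds the nonce to the item's value by signing it, a
// printed certificate anyone with the issuer's public key can check, and a
// redemption registry so that a nonce is spent only once. Ed25519 is an
// assumption standing in for whatever signature scheme a deployment uses.

// Stamp is the printed article of value: the preprinted nonce, the value the
// user bought, what it is for, and the issuer's signature binding them.
type Stamp struct {
	Nonce     string
	Value     uint32 // e.g. postage in cents
	Item      string
	Signature []byte
}

// canonical is the byte string that gets signed. Fields are length-prefixed so
// that shifting characters between fields cannot produce the same message.
func canonical(nonce string, value uint32, item string) []byte {
	return []byte(fmt.Sprintf("%d:%s|%d|%d:%s", len(nonce), nonce, value, len(item), item))
}

// Issuer holds the signing key (the postal service, the ticket vendor).
type Issuer struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewIssuer() (*Issuer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Issuer{Pub: pub, priv: priv}, nil
}

// Issue is the print-at-home step: the nonce the user reads off the stock plus
// the purchased value become a signed certificate printed next to the nonce.
func (is *Issuer) Issue(nonce string, value uint32, item string) Stamp {
	return Stamp{Nonce: nonce, Value: value, Item: item,
		Signature: ed25519.Sign(is.priv, canonical(nonce, value, item))}
}

// Verifier is the accepting party (sorting office, theatre door). It needs only
// the issuer's public key and a record of nonces already redeemed.
type Verifier struct {
	Pub      ed25519.PublicKey
	redeemed map[string]bool
}

func NewVerifier(pub ed25519.PublicKey) *Verifier {
	return &Verifier{Pub: pub, redeemed: map[string]bool{}}
}

// Redeem accepts a stamp once. A forged or altered certificate fails the
// signature check; a photocopy of a genuine one fails the uniqueness check.
// Confirming the nonce is on genuine stock is a physical check, not done here.
func (v *Verifier) Redeem(s Stamp) error {
	if !ed25519.Verify(v.Pub, canonical(s.Nonce, s.Value, s.Item), s.Signature) {
		return errors.New("signature invalid: forged or altered certificate")
	}
	if v.redeemed[s.Nonce] {
		return errors.New("nonce already redeemed: duplicate of a used stamp")
	}
	v.redeemed[s.Nonce] = true
	return nil
}

func main() {
	issuer, err := NewIssuer()
	if err != nil {
		panic(err)
	}
	v := NewVerifier(issuer.Pub)
	genuine := issuer.Issue("NS-000123", 37, "first-class postage") // constructed nonce and value
	fmt.Println("genuine:  ", v.Redeem(genuine)) // <nil>
	fmt.Println("photocopy:", v.Redeem(genuine)) // nonce already redeemed
	altered := genuine
	altered.Value = 3700
	fmt.Println("altered:  ", v.Redeem(altered)) // signature invalid
}
```

The registry is what turns a signature (which anyone can photocopy along with the nonce) into a single-use instrument; without it the scheme proves only that the issuer once signed this nonce, not that it has not been spent.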
SSRN- Deworming the Internet by Douglas Barnes
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=622364

SSRN
Deworming the Internet
DOUGLAS BARNES
University of Texas at Austin - School of Law
Texas Law Review, Vol. 83, No. 1

Abstract: Both law enforcement and markets for software standards have failed to solve the problem of software that is vulnerable to infection by network-transmitted worms. Consequently, regulatory attention should turn to the publishers of worm-vulnerable software. Although ordinary tort liability for software publishers may seem attractive, it would interact in unpredictable ways with the winner-take-all nature of competition among publishers of mass-market, internet-connected software. More tailored solutions are called for, including mandatory bug bounties for those who find potential vulnerabilities in software, minimum quality standards for software, and, once the underlying market failure is remedied, liability for end users who persist in using worm-vulnerable software.

Keywords: Worms, viruses, software, market failure, network externality, negative externality, perverse incentives, tort liability, lemons equilibrium, regulation
JEL Classifications: K29, K13, L86, O31
Accepted Paper Series

Contact Information for DOUGLAS BARNES (Contact Author)
University of Texas at Austin - School of Law
727 East Dean Keeton Street
Austin, TX 78705
United States
512-689-1875 (Phone)

Suggested Citation: Barnes, Douglas A, Deworming the Internet. Texas Law Review, Vol. 83, No. 1. http://ssrn.com/abstract=622364
DIY fingerprint idea thwarts ID thieves
http://www.theregister.co.uk/2004/11/24/fingerprint_fights_id_theft/print.html

The Register
Original URL: http://www.theregister.co.uk/2004/11/24/fingerprint_fights_id_theft/

DIY fingerprint idea thwarts ID thieves
By John Leyden (john.leyden at theregister.co.uk)
Published Wednesday 24th November 2004 07:59 GMT

The Home Office is touting ID cards as a solution to ID theft in today's Queen's Speech (http://news.bbc.co.uk/1/hi/uk_politics/4034543.stm) but a Yorkshire man has taken matters into his own hands. Jamie Jameson, a civil servant from Scarborough in North Yorkshire, insists that credit can only be extended in his name on production of a thumbprint.

Jameson hit on the idea of writing to the UK's three main credit reference agencies - Equifax, Experian and Call Credit - and requesting that they put a 'Notice of Correction' on his file stating that a print must be offered with applications for loans or credit cards issued in his name. At the same time he submitted his fingerprint.

This Notice of Correction is the first thing a prospective lender will see when it calls up his records. Normally this facility provides a way for individuals to explain why they have a county court judgement against their name or other qualifications to their credit history. Jameson is using it to do a cheap security check.

Although uncommon in the UK, thumbprints are often used as an audit mechanism for people cashing cheques in US banks. A similar scheme was trialled (http://www.south-wales.police.uk/fe_news_w/news_details.asp?newsid=169) in Wales. Jameson takes a little ink pad similar to that used in US banks around with him all the time just in case he might need it.

If an application for credit is accepted without a thumbprint - against Jameson's express instructions - then he will not be liable for losses. If a would-be fraudster gives a false print on an application then it makes it easier for them to be traced by the police.

Lenders don't have to match prints. Using prints just establishes an audit trail if anything goes wrong, Jameson explained. It's not so much me proving who I am as preventing someone else being me.

Jameson has been using the idea successfully for over a year. He concedes that the scheme isn't foolproof and that it's possible to fake (http://www.theregister.co.uk/2002/05/16/gummi_bears_defeat_fingerprint_sensors/) fingerprints (nothing's perfect, as he puts it). As far as Jameson knows he's the only person who's using the technique in the UK. The scheme delays the issuing of credit, which could be a problem for people who apply for multiple accounts, but this is a minor inconvenience for Jameson.

This is driven by the individual so there are no data protection issues. It's a real deterrent to ID theft, he told El Reg.
Hacking tool 'draws FBI subpoenas'
http://www.theregister.co.uk/2004/11/25/nmap_draws_fbi_subpoenas/print.html

The Register
Original URL: http://www.theregister.co.uk/2004/11/25/nmap_draws_fbi_subpoenas/

Hacking tool 'draws FBI subpoenas'
By Kevin Poulsen, SecurityFocus (klp at securityfocus.com)
Published Thursday 25th November 2004 10:42 GMT

The author of the popular freeware hacking tool Nmap warned users this week that FBI agents are increasingly seeking access to information from the server logs of his download site, insecure.org.

I may be forced by law to comply with legal, properly served subpoenas, wrote Fyodor, the 27-year-old Silicon Valley coder responsible for the port scanning tool, in a mailing list message. At the same time, I'll try to fight anything too broad... Protecting your privacy is important to me, but Nmap users should be savvy enough to know that all of your network activity leaves traces.

Probably the most widely-used freeware hacking tool, Nmap is a sophisticated port scanner that sends packets to a machine, or a network of machines, in an attempt to discern what services are running and to make an educated guess about the operating system. An Nmap port scan is a common prelude to an intrusion attempt, and the tool is popular both with security professionals performing penetration tests, and genuine intruders with mischief in their hearts.

Last year Nmap crept into popular culture when the movie The Matrix Reloaded depicted Carrie-Anne Moss's leather-clad superhacker Trinity performing an Nmap portscan (http://www.theregister.co.uk/2003/05/16/matrix_sequel_has_hacker_cred/) on a power grid computer prior to hacking in.

But success comes with a price, and on Tuesday Fyodor felt the need to broach the sobering topic of FBI subpoenas with his users. He advised his most privacy-conscious users to use proxy servers or other techniques when downloading the latest version of Nmap if they want to ensure their anonymity.

In a telephone interview, Fyodor said the disclaimer wasn't prompted by any particular incident, and that he'd received fewer than half a dozen subpoenas this year. It's not a huge number, but I hadn't received any before 2004, and so it's a striking new issue, he said.

None of the subpoenas produced anything, Fyodor says, either because they sought old information that had already been deleted from his logs, or because the subpoenas were improperly served. In every case the request has been narrowly crafted, usually directed at finding out who visited the site (http://www.insecure.org/) in a very short window of time, such as a five-minute period. They have not made any broad requests like, 'Give me anyone who's visited insecure.org for a certain day,' he says.

Fyodor theorizes the FBI is investigating cases in which an intruder downloaded Nmap directly onto a compromised machine. They assume that she might have obtained that URL by visiting the Nmap download page from her home computer, he wrote.

He confesses mixed feelings over the issue. The side of me that questions authority is skeptical of these subpoenas, he told SecurityFocus. The other side says, this may be a very serious crime committed ... and if I were the victim of such a crime I would probably want people to cooperate.
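The operational shape of the requests described above (who fetched the download in a five-minute window, not who visited that day, and nothing at all once the lines have aged out of the logs) is easy to state as code. The following is an added example, mine rather than anything from insecure.org or the Nmap project: it parses Apache combined-format log lines and answers exactly that narrow question. The log entries, the download path and the timestamps are constructed for the example and are not real site data.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Added example, not code from insecure.org or from Nmap. It answers the kind
// of narrow question the article describes, which clients fetched a path in a
// short window, against web-server logs, and returns nothing outside that
// window. The log lines are constructed in Apache combined format; the path
// and timestamps are assumptions.

// sampleLog is constructed data: the addresses are documentation ranges.
const sampleLog = `192.0.2.10 - - [22/Nov/2004:03:14:07 +0000] "GET /nmap/dist/nmap.tgz HTTP/1.1" 200 1043052 "-" "Mozilla/5.0"
192.0.2.10 - - [22/Nov/2004:03:14:09 +0000] "GET /nmap/dist/nmap.tgz HTTP/1.1" 200 1043052 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Nov/2004:03:15:41 +0000] "GET /nmap/dist/nmap.tgz HTTP/1.1" 200 1043052 "-" "Wget/1.9"
203.0.113.5 - - [22/Nov/2004:03:16:02 +0000] "GET /nmap/man.html HTTP/1.1" 200 40211 "-" "Mozilla/5.0"
203.0.113.9 - - [22/Nov/2004:03:16:30 +0000] "GET /nmap/dist/nmap.tgz HTTP/1.1" 404 312 "-" "curl/7.12"
192.0.2.77 - - [22/Nov/2004:03:40:12 +0000] "GET /nmap/dist/nmap.tgz HTTP/1.1" 200 1043052 "-" "Wget/1.9"
this line is not a log entry and is skipped`

// combined captures the fields of an Apache combined-format entry that matter
// here: client address, timestamp, method, request path and status code.
var combined = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) `)

type Hit struct {
	Client string
	When   time.Time
	Path   string
	Status string
}

// parseLine returns false for anything that is not a well-formed entry, so a
// corrupt line can neither match nor abort the search.
func parseLine(line string) (Hit, bool) {
	m := combined.FindStringSubmatch(line)
	if m == nil {
		return Hit{}, false
	}
	t, err := time.Parse("02/Jan/2006:15:04:05 -0700", m[2])
	if err != nil {
		return Hit{}, false
	}
	return Hit{Client: m[1], When: t, Path: m[4], Status: m[5]}, true
}

// ClientsInWindow lists the distinct clients that successfully fetched a path
// under pathPrefix at or after start and before end, in order of first
// appearance. Hits outside the window, to other paths, or that failed are
// never returned; if the retention period has already dropped the lines, the
// answer is simply empty.
func ClientsInWindow(logText, pathPrefix string, start, end time.Time) []string {
	seen := map[string]bool{}
	var clients []string
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		h, ok := parseLine(sc.Text())
		if !ok || h.Status != "200" || !strings.HasPrefix(h.Path, pathPrefix) {
			continue
		}
		if h.When.Before(start) || !h.When.Before(end) {
			continue
		}
		if !seen[h.Client] {
			seen[h.Client] = true
			clients = append(clients, h.Client)
		}
	}
	return clients
}

func main() {
	start := time.Date(2004, 11, 22, 3, 12, 0, 0, time.UTC)
	// Five-minute window: 192.0.2.10 and 198.51.100.7 qualify; the 03:40 fetch,
	// the 404 and the manual-page hit do not.
	for _, c := range ClientsInWindow(sampleLog, "/nmap/dist/", start, start.Add(5*time.Minute)) {
		fmt.Println(c)
	}
}
```

The point of keeping the window and the path as explicit parameters is that the scope of the answer is then visible in the query itself, which is what distinguishes a narrowly drawn request from a day's worth of visitors.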
MyKad too hi-tech to forge
http://thestar.com.my/news/story.asp?file=/2004/11/27/nation/9513530sec=nation

The Star Online
News
Saturday November 27, 2004
MyKad too hi-tech to forge
BY JANE RITIKOS

KUALA LUMPUR: The National Registration Department has detected about 10 cases of forged MyKad issued to illegal immigrants in the country since it was introduced in 2001. However, the chips in the cards were not forged ones.

Its director-general Datuk Wan Ibrahim Wan Ahmad said those caught with the fake cards were Indonesians and Bangladeshis, who claimed they had paid about RM200 for the card. The fake cards looked like genuine ones except that the forgers could not duplicate the smart chip embedded in MyKad.

The physical appearance of the card looks real but the chip, a vital component of the card, is functionless and cannot be used for transactions. This is because the features of the MyKad chip are so high-tech that they cannot be duplicated. Even if they could make a forged chip it has no data that is linked to our database, he said.

Wan Ibrahim also said the chip in the fake MyKad was not readable. We don't believe the chip can ever be forged. The information in our chip has data and biometric features, he said. The MyKad chip stores information of the cardholders including their identity cards, driving licences, passports and health data.

Wan Ibrahim said there were also those caught with fake MyKad which had their laminated sheet tampered with to alter the physical details and picture. When these cards are read, the identity of the bearer is that of someone else. These included those who were checked at the Immigration checkpoints at the airport. At a glance the cards looked real, he added.
I'm sorry, I haven't a clue
http://www.guardian.co.uk/print/0,3858,5072953-103390,00.html

Guardian | Comment
I'm sorry, I haven't a clue
However cracked they may be, our fascination for codes remains
Mark Lawson
Saturday November 27, 2004
The Guardian

The discovery of a code at Shugborough Hall, in Staffordshire - O.U.O.S.V.A.V.V - that may disclose the location of the holy grail has been widely compared to Dan Brown's super-selling novel The Da Vinci Code. This Shugborough cryptograph - on which old Bletchley Park codebreakers have been working - is seen as life imitating art, but the relationship between popular fiction and reality is more often the reverse. Novels sell well because they reflect our times: art imitating life, if often in heavy disguise.

The biggest-selling novels of the 70s - Jaws and The Godfather - concerned shadowy forces, fish and criminal, beneath the surface of society. We can now see that these tales reflected the menaces to the American way from the cold war, Vietnam and Watergate. Similarly, the millions drawn in Britain at the same period to the animal epic Watership Down were drawn by a sentimental regret that our traditional way of life was being swamped by modernity.

So, if bestselling books contain hidden messages about our times, then The Da Vinci Code, having cryptography as both content and method, may be the ultimate popular fiction. We can guess that the reason Brown's book has sold in such quantities is that we live surrounded by codes and puzzles that we fear may be broken (such as our computer and digital communications), or that we fear will not be (Osama bin Laden's instructions to his followers, the big wedding in America that turned out to be 9/11). It's the same instinct - of fear and fascination with encryption - that leads people to read both The Da Vinci Code and the newspaper stories about a supposed clue to the holy grail.

And, coincidentally, a new non-fiction book reveals that one of the world's most famous figures believes that a secret code gives meaning to his life. The Pope in Winter, by John Cornwell, discusses John Paul II's conviction that his attempted assassination in 1981 had been predicted by an apparition of Christ's mother speaking to Portuguese children in 1917.

But the lesson of both the Shugborough puzzle and the Pope's divine code is that predictive cryptography - as distinct from practical code-breaking, such as the Enigma work at Bletchley - works better in fiction than fact. The problem for code-breakers is that they are often forced to assume that a setter sophisticated with letters or numbers would be sloppy with grammar and spelling. Hence, notoriously, Nostradamus, credited by some fans with predicting the rise of a German tyrant called Hister, must be assumed to have had massive predictive powers but limited dictionary skills.

So it is with Shugborough's O.U.O.S.V.A.V.V sequence. Cryptologists suggest that the letters can be made to say the Hebrew phrase Why Feather Curve or, in Latin, Best wife, best sister, widower most loving vows virtuously. But both interpretations feel like the kind of sentence you end up with after failing to solve a puzzle, rather than what you would begin with in setting one - a code consists of language to be broken, but it's not clear why it would be rooted in broken English.

A similar application of linguistic imprecision to an art that should be precise is the Pope's assumption of the Third Secret of Fatima. This final dictation given to the Portuguese children by their shimmering vision was sealed by the Vatican for many decades, leading to much prediction that it contained the date of the end of the world. There were rumours of popes fainting when they took the envelope out of their library. At the turn of the millennium, John Paul II decided to break the code.

He revealed that the long-suppressed message foresaw that a man in white would fall to the ground. He was convinced that these words anticipated his shooting in Rome. In fact, as Cornwell's book points out, you have to arm-lock the prophecy to get this reading. The seer in Portugal predicted that the white-clad man would be killed by a group of soldiers who fired bullets and arrows at him. Numerous civilians would also die in the attack. This raises the Nostradamus problem: why would someone with the ability to tell the story of the future be shown such a corrupted narrative?

The need for codebreakers to ignore the bits that don't fit is why such puzzles are most satisfying in novels where, unusually, both the cipher and the solution are provided by the same mind and therefore must match. The prophecies of Nostradamus have always sold well, but The Da Vinci Code is Nostradamus without the bits that have proved to be embarrassingly wrong.

Those who believe that the road to the holy grail leads from a stone at Lord Lichfield's family home should crack this code: T1BEM. The M, if it helps, is minute.
ACLU concerned that microchip passports won't be encrypted
http://www.indystar.com/articles/5/197851-1715-P.html

The Indianapolis Star
ACLU concerned that microchip passports won't be encrypted
Associated Press
November 27, 2004

WASHINGTON -- The Bush administration opposes security measures for new microchip-equipped passports that privacy advocates contend are needed to prevent identity theft, government snooping or a terrorist attack, according to State Department documents released Friday.

The passports would emit radio waves that could be read electronically from as far away as 30 feet, according to the American Civil Liberties Union, which obtained the documents under a Freedom of Information Act request.

The ability to remotely read personal data raises the possibility that passport holders would be vulnerable to identity theft, the ACLU said. It also would allow government agents to find out covertly who was attending a political meeting or make it easier for terrorists to target Americans traveling abroad, the ACLU said.

Frank Moss of the State Department said the United States wants to ensure the safety and security of Americans traveling abroad. But encrypting the data might make it more difficult for other countries to read the passports, Moss said.

All new U.S. passports issued by the end of 2005 are expected to have a chip containing the owner's name, birth date, issuing office and a biometric identifier -- a photo of the owner's face.
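This AP story and the USA Today piece earlier in the digest turn on one distinction that neither spells out. The "encrypted authentication" ICAO's spokesman cites lets a reader check that the chip's contents were signed by the issuing state: it proves the data is genuine, but it does nothing to stop any reader in range from obtaining it. What keeps a briefcase reader out is the optional access-control step, in which the chip releases nothing until the reader proves it has seen the printed data page. The example below is mine, added here and not code from either article or from ICAO; it builds a chip with and without that gate and shows the two behaviours. The key seed follows the optional ICAO scheme as I know it (SHA-1 over the document number, birth date and expiry date, each with its check digit, truncated to 16 bytes), the challenge-response is simplified to HMAC-SHA256 in place of ICAO's 3DES-based exchange, and the data-group bytes, the challenge value and the MRZ values used are constructed for the example: all of these are assumptions, not facts from the page.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Added example, not code from either article and not ICAO's specification.
// It models the gate the articles describe as optional: a chip that answers
// any reader in range versus one that first demands proof that the reader has
// seen the printed data page. Key seed per the optional ICAO scheme (SHA-1 of
// MRZ fields with check digits, truncated to 16 bytes); the challenge-response
// is simplified to HMAC-SHA256, and the data groups, challenge and MRZ values
// are constructed: all assumptions made here.

// mrzCheckDigit is the ICAO 9303 check digit: weights 7,3,1 repeating; digits
// count as themselves, letters A..Z as 10..35, the filler '<' as 0; mod 10.
func mrzCheckDigit(field string) byte {
	weights := [3]int{7, 3, 1}
	sum := 0
	for i, c := range []byte(field) {
		v := 0
		if c >= '0' && c <= '9' {
			v = int(c - '0')
		} else if c >= 'A' && c <= 'Z' {
			v = int(c-'A') + 10
		}
		sum += v * weights[i%3]
	}
	return byte('0' + sum%10)
}

// bacSeed derives the 16-byte key seed from the three MRZ fields a reader can
// only obtain by looking at the passport's printed page.
func bacSeed(docNo, birth, expiry string) []byte {
	info := docNo + string(mrzCheckDigit(docNo)) +
		birth + string(mrzCheckDigit(birth)) +
		expiry + string(mrzCheckDigit(expiry))
	sum := sha1.Sum([]byte(info))
	return sum[:16]
}

// Chip is the contactless passport chip. With accessControl off it serves its
// data groups to whoever asks; with it on, only after the reader has MACed the
// chip's challenge with the MRZ-derived key.
type Chip struct {
	dataGroups    map[string][]byte
	accessControl bool
	key           []byte
	challenge     []byte
}

func NewChip(docNo, birth, expiry string, accessControl bool) *Chip {
	return &Chip{
		dataGroups: map[string][]byte{ // constructed placeholder content
			"DG1": []byte("P<UTOERIKSSON<<ANNA<MARIA<<<<<<<<<<<<<<<<<<<"),
		},
		accessControl: accessControl,
		key:           bacSeed(docNo, birth, expiry),
	}
}

// GetChallenge is the chip's reply to a reader that wants in. A real chip
// draws it at random; it is fixed here so the run is reproducible.
func (c *Chip) GetChallenge() []byte {
	c.challenge = []byte("constructed-nonce")
	return c.challenge
}

// ReadDG returns one data group. proof is the reader's HMAC over the
// challenge and is simply ignored when the chip has no access control.
func (c *Chip) ReadDG(name string, proof []byte) ([]byte, error) {
	if c.accessControl {
		if c.challenge == nil {
			return nil, errors.New("access denied: no challenge issued")
		}
		mac := hmac.New(sha256.New, c.key)
		mac.Write(c.challenge)
		if !hmac.Equal(mac.Sum(nil), proof) {
			return nil, errors.New("access denied: reader did not prove knowledge of the MRZ")
		}
	}
	dg, ok := c.dataGroups[name]
	if !ok {
		return nil, errors.New("no such data group")
	}
	return dg, nil
}

// readerProof is the legitimate reader's side: derive the same key from the
// optically read MRZ and MAC the chip's challenge with it.
func readerProof(chip *Chip, docNo, birth, expiry string) []byte {
	mac := hmac.New(sha256.New, bacSeed(docNo, birth, expiry))
	mac.Write(chip.GetChallenge())
	return mac.Sum(nil)
}

func main() {
	open := NewChip("L898902C3", "740812", "120415", false)
	dg, err := open.ReadDG("DG1", nil) // briefcase reader: no MRZ, no proof, still served
	fmt.Printf("no access control: %q %v\n", dg, err)

	locked := NewChip("L898902C3", "740812", "120415", true)
	_, err = locked.ReadDG("DG1", readerProof(locked, "L898902C3", "740812", "000000"))
	fmt.Println("wrong MRZ:", err)
	dg, err = locked.ReadDG("DG1", readerProof(locked, "L898902C3", "740812", "120415"))
	fmt.Printf("correct MRZ: %q %v\n", dg, err)
}
```

Two caveats belong next to this. First, the gate only restricts who can start a session; it does not by itself protect the exchange from the eavesdropping Pattinson describes, which needs the session to be encrypted as well. Second, the key material is only as secret as the printed page, so the scheme raises the cost of a read from "walk past" to "see the passport open", no more.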
Some Secret: Open House, Open Bar
Must have passed some kinda big supplemental. Cheers, RAH --- http://www.washingtonpost.com/ac2/wp-dyn/A8583-2004Nov23?language=printer The Washington Post washingtonpost.com Round-Trip or One-Way Tickets? By Al Kamen Wednesday, November 24, 2004; Page A19 Some Secret: Open House, Open Bar Remember a while back when it came out that intelligence agencies such as the National Security Agency -- the supersecret spy crowd -- did not have the resources to keep up with the flood of intercepts to be able to translate terrorists' chatter on a timely basis? This naturally caused a big fuss, and Congress pledged big bucks to get the spooks up to speed. Seems to have worked out fine, judging from an invite we got to attend an open house Dec. 7 at the National Cryptologic Museum behind the Shell station at Fort Meade. Lots of fine finger food to be had, including a brie en croute with brown sugar and pecans, some Swiss cheese and chablis stuffed mushroom caps, a bit of roast turkey with cranberry mayo and mini pumpkin cheesecakes. Our very fine invite with the NSA gold-embossed seal notes Open bar. Must have passed some kinda big supplemental.
Quantum memory for light
http://www.physorg.com/news2227.html PhysOrg Quantum memory for light December 03, 2004 Realization of quantum memory for light allows the extension of quantum communication far beyond 100 km In the macroscopic classical world, it is possible to copy information from one device into another. We do this every day, when, for example, we copy files in a computer or we tape a conversation. In the microscopic world, however, it is not possible to copy the quantum information from one system into another one. It can only be transferred, without leaving any trace on the original one. The manipulation and transfer of quantum information is, in fact, a very active field of research in physics and informatics, since it is the basis of all the protocols and algorithms in the fields of quantum communication and computation, which may revolutionize the world of information. In the work published in Nature, November 25, 2004, scientists from the Max Planck Institute for Quantum Optics in Garching and the Niels Bohr Institute in Copenhagen have proposed a scheme to transfer the quantum state of a pulse of light onto a set of atoms and have demonstrated it experimentally. -- Image: Experimental set-up: Atomic memory unit consisting of two caesium cells inside magnetic shields 1 and 2. The path of the recorded and read-out light pulses is shown with arrows. (Max Planck Institute of Quantum Optics / Niels Bohr Institute Copenhagen) - In the experiment, a pulse of light is prepared in a certain quantum state whose properties (polarization) are randomly chosen. Then, the light is sent through a set of atoms which are contained in a small transparent box (an atomic cell) at room temperature. In the cell, the light and atoms interact with each other, giving rise to an entangled state in which the two systems remain correlated.
After leaving the atomic sample, the pulse of light is detected. Because the light and atoms are entangled, the measurement on the light affects the quantum state of the atoms in such a way that they acquire the original properties of the light. In this way, the state of polarization of the photons is transferred into the polarization state of the atoms. This action at a distance, in which a measurement on one system affects the state of another system at a different location, is one of the most intriguing manifestations of Quantum Mechanics, and is the basis of applications such as quantum cryptography or phenomena like teleportation. In order to check that the transfer of polarization has indeed taken place, the researchers measured the polarization of the atoms at the beginning of the experiment and compared it with the original state of polarization of the light. In the experiment, these two polarizations coincided 70% of the time. The main reason for the imperfections was spontaneous emission, a process in which the atoms absorb the photons but then emit them in a different direction such that they do not go towards the photo-detector. A question that the authors of the paper had to carefully analyze was to what extent 70% coincidence is enough to claim that the process was successful. Or, in other words, could they obtain the same result by measuring the state of polarization of the photons and then preparing the state of the atoms accordingly? The answer is no. Due to the basic properties of quantum mechanics, the state of polarization of a laser pulse cannot be fully detected. Due to the Heisenberg uncertainty principle, it is impossible to measure the full polarization exactly. In fact, as some of the authors together with K. Hammerer and M. Wolf (from the Max Planck Institute of Quantum Optics) have recently shown, the best one can do using this latter method would be 50%.
This implies that the experiment indeed has successfully demonstrated the transfer beyond what one could do without creating the entangled state. The current experiment paves the way for new experiments in which the information contained in light can be mapped onto atomic clusters and then back into the light again. In this way, one could not only store the state of light in an atomic cluster, but also retrieve it. This process will be necessary if we want to build quantum repeaters, that is, devices which will allow the extension of quantum communication far beyond the distances (of the order of 100 km) which are achieved nowadays. Original work: B. Julsgaard, J. Sherson, J.I. Cirac, J. Fiurásek, and E.S. Polzik, Experimental demonstration of quantum memory for light, Nature 432, 482 (2004). Source: Max Planck Institute
Certicom Extends Security Platform, Enabling Developers to Address Government Market
http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=109STORY=/www/story/12-06-2004/0002584252EDATE= Certicom Extends Security Platform, Enabling Developers to Address Government Market Certicom Security Architecture for Government provides integrated suite of security toolkits that ensure critical FIPS 140-2 and ECC compliance MISSISSAUGA, ON, Dec. 6 /PRNewswire-FirstCall/ - Certicom Corp. (TSX: CIC), the authority for strong, efficient cryptography, has extended its Certicom Security Architecture(TM), enabling developers to embed a FIPS 140-2-validated cryptographic module into their products and be eligible for sale into the federal government market. The Certicom Security Architecture also provides developers with an efficient way to enhance new and existing applications with elliptic curve cryptography (ECC) and meet the field-of-use guidelines set out by the National Security Agency (NSA) to protect mission-critical national security information. The adoption of ECC within the U.S. federal government is proceeding rapidly, and Certicom is taking a leadership role in enabling agencies and government contractors to integrate the strongest security technology into their products. The comprehensive Certicom Security Architecture provides a bridge between legacy crypto systems and ECC, and gives developers the flexibility to standardize code among different security environments and platforms - maximizing code re-use and portability. This flexibility also means developers will not need to redesign their solutions to meet future government crypto requirements. Hardware and software developers are increasingly realizing that compliance with regulatory requirements for security is a pressing concern, said Dr. Jerry Krasner, vice president and chief analyst at Embedded Market Forecasters (http://www.embeddedforecast.com ), the premier market intelligence and advisory firm in the embedded technology industry. 
A cost-effective approach is to use a tool that ensures compliance with FIPS 140-2 requirements and eliminates the potentially costly step of third-party FIPS validation of a device or application. Strong security is a key requirement across all networked applications and devices. The Certicom Security Architecture allows developers who may have little security expertise to add FIPS 140-2 validated security to their solutions while avoiding the time and expense of the FIPS 140-2 validation process. A common application programming interface (API) unifies Certicom's proven developer toolkits to create a plug-and-play security architecture that includes higher level protocol functionality that can operate in FIPS mode, such as SSL and PKI. Certicom Security Architecture for Government makes it easy for OEMs, ISVs and integrators to sell products into the government sector that meet strict government security requirements, including FIPS 140-2 and ECC, said Roy Pereira, vice-president, marketing and product management at Certicom. The National Security Agency is committed to making elliptic curve cryptography the most widely used public-key cryptosystem for securing U.S. government information. Certicom is committed to providing the technology and tools to make that possible. The Security Builder developer toolkits integrated into the Certicom Security Architecture for Government include: - Security Builder(R) GSE(TM), a FIPS 140-2-validated cryptographic toolkit; - Security Builder(R) NSE(TM), a cryptographic toolkit for national security information; - Security Builder(R) Crypto(TM), a cross-platform cryptographic toolkit; - Security Builder(R) PKI(TM), a digital certificate management toolkit; - Security Builder(R) SSL(TM), a complete Secure Sockets Layer toolkit; and - Security Builder(R) IPSec(TM), a client-side virtual private network toolkit. 
Certicom Security Architecture for Government is available immediately, except for Security Builder NSE which is available in Q1 2005. For more information, visit http://www.certicom.com/gov . About Certicom Certicom Corp. (TSX:CIC) is the authority for strong, efficient cryptography required by software vendors and device manufacturers to embed security into their products. Adopted by the U.S. government's National Security Agency (NSA), Certicom technologies for Elliptic Curve Cryptography (ECC) provide the most security per bit of any known public-key scheme, making it ideal for resource-constrained environments. Certicom products and services are currently licensed to more than 300 customers including Motorola, Oracle, Research In Motion, Terayon, Texas Instruments and Unisys. Founded in 1985, Certicom is headquartered in Mississauga, ON, Canada, with offices in Ottawa, ON; Reston, VA; San Mateo, CA; and London, England. Visit http://www.certicom.com . Certicom, Certicom Security Architecture, Certicom CodeSign,
Australian snooping laws pass lower house
http://australianit.news.com.au/common/print/0,7208,11636719%5E15319%5E%5Enbv%5E15306,00.html Australian IT Snooping laws pass lower house DECEMBER 09, 2004 POLICE will be able to access stored voice mail, email and mobile phone text messages under new laws passed by federal parliament today. The laws recognise voice mail, email and SMS messages should fall outside telecommunication interception laws originally designed to stop law enforcement agencies from intercepting phone calls. Police and other law enforcement officers will still need a search warrant or a right of access to communications or storage equipment to access voice mail, email and SMS under the changes. These amendments make it easier for our law enforcement and regulatory agencies to access stored communications that could provide evidence of criminal activity, Attorney-General Philip Ruddock said. They will also assist in securing information systems by allowing network administrators to review stored communications for viruses and other inappropriate content. Labor referred the proposed law to a Senate committee three times before agreeing to it today. Opposition homeland security spokesman Robert McClelland said there needed to be a distinction between stored messages and live telephone conversations. There have been concerns expressed about privacy and there always has been a distinction between an eavesdropper and the reader of other people's correspondence, he said. But written documents have always been susceptible to legal process, to warrants. Everyone that creates a document does so knowing that that document can be read by others and can be subject to legal process. I don't think anything turns on the fact the document is written on a computer and sent by email as opposed to being written in long hand and popped in the letter box. The laws are a temporary measure and will cease to have effect after 12 months when a review of the measures will be undertaken.
New Global Directory of OpenPGP Keys
--- begin forwarded text Date: Thu, 9 Dec 2004 18:48:09 +0100 From: Eugen Leitl [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: New Global Directory of OpenPGP Keys User-Agent: Mutt/1.4i Sender: [EMAIL PROTECTED] Link: http://slashdot.org/article.pl?sid=04/12/09/1446203 Posted by: michael, on 2004-12-09 15:50:00 from the how-may-i-direct-your-call dept. Gemini writes The [1]PGP company just announced a new type of [2]keyserver for all your OpenPGP keys. This server verifies (via mailback verification, like mailing lists) that the email address on the key actually reaches someone. Dead keys age off the server, and you can even remove keys if you forget the passphrase. In a classy move, they've included support for those parts of the OpenPGP standard that PGP doesn't use, but [3]GnuPG does. References 1. http://www.pgp.com/downloads/beta/globaldirectory/index.html 2. http://keyserver-beta.pgp.com/ 3. http://www.gnupg.org/ - End forwarded message - -- Eugen* Leitl http://leitl.org ICBM: 48.07078, 11.61144 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE http://moleculardevices.org http://nanomachines.net --- end forwarded text
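The post above describes three behaviours of the new directory: a key is only published once the address on it has answered a mailback, a key can be removed by whoever controls that mailbox even without the passphrase, and keys that are not re-verified age off. The model below is an added example, not PGP Corporation's server (the post says nothing about its token format or storage); it assumes HMAC-SHA256-signed tokens that carry the action, address, fingerprint and an expiry, a 24-hour token lifetime and a 180-day key lifetime, and a `used` set so a mailed link works only once. All of those are assumptions, as is the constructed server secret in the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets


def _b64(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _unb64(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


class KeyDirectory:
    """Toy mailback-verified key directory (assumed design, not PGP Corp's).

    Control of the mailbox is the credential: nothing is added or removed until
    the token mailed to the address on the key is presented back to the server.
    """

    def __init__(self, server_secret: bytes, token_ttl=24 * 3600, key_ttl=180 * 24 * 3600):
        self.secret = server_secret      # server-side MAC key; the submitter never sees it
        self.token_ttl = token_ttl       # how long a mailed link stays valid
        self.key_ttl = key_ttl           # how long a verified key stays published
        self.keys = {}                   # email -> {"fingerprint", "verified_at"}
        self.used = set()                # redeemed tokens, so a link cannot be replayed

    def _tag(self, body: bytes) -> bytes:
        return _b64(hmac.new(self.secret, body, hashlib.sha256).digest())

    def issue_token(self, action: str, email: str, fingerprint: str, now: int) -> str:
        """Build the token to mail to `email` (never return it to the submitter)."""
        payload = {"a": action, "e": email.lower(), "f": fingerprint.upper(),
                   "x": now + self.token_ttl, "n": secrets.token_hex(8)}
        body = _b64(json.dumps(payload, separators=(",", ":")).encode())
        return (body + b"." + self._tag(body)).decode()

    def redeem(self, token: str, now: int) -> bool:
        """Apply the token's action if its MAC checks, it is unexpired and unused."""
        try:
            body, tag = token.encode().split(b".", 1)
            if not hmac.compare_digest(tag, self._tag(body)):   # check MAC before parsing
                return False
            payload = json.loads(_unb64(body))
            action, email, fpr, expiry = payload["a"], payload["e"], payload["f"], payload["x"]
        except (ValueError, TypeError, KeyError):
            return False
        if now > expiry or token in self.used:
            return False
        self.used.add(token)
        if action == "add":          # address proved it receives mail: publish (or re-verify)
            self.keys[email] = {"fingerprint": fpr, "verified_at": now}
            return True
        if action == "remove":       # removal needs the mailbox, not the key's passphrase
            return self.keys.pop(email, None) is not None
        return False

    def lookup(self, email: str):
        rec = self.keys.get(email.lower())
        return rec["fingerprint"] if rec else None

    def expire(self, now: int) -> int:
        """Age off keys not re-verified within key_ttl; returns how many were dropped."""
        stale = [e for e, r in self.keys.items() if now - r["verified_at"] > self.key_ttl]
        for e in stale:
            del self.keys[e]
        return len(stale)


if __name__ == "__main__":
    d = KeyDirectory(b"constructed-demo-secret", token_ttl=3600, key_ttl=100)
    link = d.issue_token("add", "alice@example.org", "0123abcd", now=1000)  # would be e-mailed
    print("published before click:", d.lookup("alice@example.org"))        # None
    print("click accepted:", d.redeem(link, now=1001))                      # True
    print("second click:", d.redeem(link, now=1002))                        # False
    print("aged off after ttl:", d.expire(now=1200))                        # 1
```

Binding the action and fingerprint into the MAC'd payload matters: a token mailed for "add" cannot be turned into a "remove", and a token for one key cannot publish a different one under the same address.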
Toshiba shows practical quantum cryptography
http://www.zdnet.co.uk/print/?TYPE=storyAT=39181033-39020357t-1013c Toshiba shows practical quantum cryptography Rupert Goodwins ZDNet UK December 13, 2004, 18:15 GMT Toshiba Research Europe demonstrated last week what it claims is the world's first reliable automated quantum cryptography system and ran it continuously for over a week. The system, which relies on single photons to transmit an untappable key over standard optical fibres, is capable of delivering thousands of keys a second and can be effective over distances of more than 100km. Although no price or launch date has been set yet, Toshiba is already in talks with a number of telcos and end users in preparation for commercialisation of the technology -- which offers the possibility of significantly more secure networking. We're talking to a number of potential end users at the minute, Dr Andrew Shields, group leader of Toshiba's Cambridge-based Quantum Information Group told ZDNet UK. We're planning to do some trials in the City of London next year, and are targeting users in the financial sector. We've also had some interest from telcos, including MCI with whom we've been running the installed fibre tests. The system works by transmitting a long stream of photons modulated to represent ones and zeros, most of which are lost along the way. These photons can be modulated in one of two ways through two different kinds of polarisation, but according to Heisenberg's Uncertainty Principle it is impossible to know both the kind of polarisation and the data represented by the photon. The receiver has to assume one to get the other, which it will frequently get wrong. The receiver picks up and attempts to decode a few out of those that make it, and reports back to the sender which ones it received and decoded, thus making up a key that both ends know.
An interceptor can't know what the value of those photons is, because by reading them in transit it will destroy them, and it can't replace them after reading them because it can never know their exact details. Although Toshiba has been developing special hardware to create and analyse single photon transactions by quantum dots -- effectively artificial atoms integrated with control circuitry -- the current cryptographic equipment uses standard parts, including Peltier-effect cooled detectors operating at very low noise levels. The next generation of equipment is expected to use this new technology. Toshiba is also looking at ways to increase the range of the systems beyond the limitations of a single fibre -- because a photon can't be intercepted and retransmitted, it's not possible for the technology to incorporate repeaters to overcome the losses in multiple segments. However, says Shields, there is a possibility that repeaters may be created using quantum teleportation -- a new and still experimental effect where the quantum state of a particle can be transmitted across distances without it needing to be fully measured. Toshiba Research Europe Ltd is part of the European SECOQC project, which is working towards the development of a global network for secure communication using quantum technology.
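The exchange the article sketches (two polarisation bases, a receiver that guesses a basis for each photon, public comparison of bases, keeping only the positions where they agree) is the BB84 protocol, and the reason an interceptor is caught is that measuring in the wrong basis destroys the original state. The simulation below is an added example, not Toshiba's or SECOQC's code; it assumes a lossless, noiseless channel, an eavesdropper who measures and re-sends in a random basis, a seeded pseudo-random generator so the demo repeats, and an abort threshold of 11% error (the usual BB84 bound). None of those numbers come from the article.

```python
import random

RECTILINEAR, DIAGONAL = "+", "x"
BASES = (RECTILINEAR, DIAGONAL)
ABORT_QBER = 0.11  # assumed abort threshold; ~11% is the usual BB84 security bound


def measure(photon, basis, rng):
    """Measure a photon carrying (bit, basis) in `basis`.

    A matching basis reads the bit out. A mismatched basis yields a random bit,
    and the photon is left in the measuring basis: its original state is gone,
    which is why an interceptor cannot read a photon and pass it on unchanged.
    """
    bit, enc_basis = photon
    return bit if basis == enc_basis else rng.randrange(2)


def intercept_resend(photon, rng):
    """Eve measures in a guessed basis and re-sends what she saw."""
    eve_basis = rng.choice(BASES)
    return (measure(photon, eve_basis, rng), eve_basis)


def run_bb84(n_photons, eavesdrop, seed=0, sample_fraction=0.25):
    """One BB84 session; returns sifted length, estimated error rate and both keys."""
    rng = random.Random(seed)  # seeded for a repeatable demo; real QKD needs a true RNG
    alice_bits = [rng.randrange(2) for _ in range(n_photons)]
    alice_bases = [rng.choice(BASES) for _ in range(n_photons)]
    photons = list(zip(alice_bits, alice_bases))
    if eavesdrop:
        photons = [intercept_resend(p, rng) for p in photons]
    bob_bases = [rng.choice(BASES) for _ in range(n_photons)]
    bob_bits = [measure(p, b, rng) for p, b in zip(photons, bob_bases)]

    # Public discussion: the two sides compare bases, never bits, and keep the
    # positions where they agree (roughly half of them).
    keep = [i for i in range(n_photons) if alice_bases[i] == bob_bases[i]]
    a_sift = [alice_bits[i] for i in keep]
    b_sift = [bob_bits[i] for i in keep]

    # Sacrifice a random subset of the sifted bits to estimate the error rate.
    # Without noise or an eavesdropper it is zero; intercept-resend pushes it to ~25%.
    n_sample = max(1, int(len(keep) * sample_fraction))
    sample = set(rng.sample(range(len(keep)), n_sample))
    errors = sum(a_sift[i] != b_sift[i] for i in sample)
    qber = errors / n_sample
    a_key = [a_sift[i] for i in range(len(keep)) if i not in sample]
    b_key = [b_sift[i] for i in range(len(keep)) if i not in sample]
    return {"sifted": len(keep), "qber": qber, "aborted": qber > ABORT_QBER,
            "alice_key": a_key, "bob_key": b_key}


if __name__ == "__main__":
    for eve in (False, True):
        r = run_bb84(4000, eavesdrop=eve)
        print(f"eavesdropper={eve}: sifted={r['sifted']} QBER={r['qber']:.3f} "
              f"aborted={r['aborted']} keys_match={r['alice_key'] == r['bob_key']}")
```

The two runs show the article's point about interception: the honest session sifts about half the photons with no errors, while intercept-and-resend in a random basis disturbs about a quarter of the sifted bits and the session aborts. A fielded link also has to handle photon loss, detector noise, error correction and privacy amplification, all of which this sketch leaves out.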
Cryptography Research wants piracy speed bump on HD DVDs
http://www.theregister.co.uk/2004/12/15/cryptography_research/print.html The Register Cryptography Research wants piracy speed bump on HD DVDs By Faultline (peter at rethinkresearch.biz) Published Wednesday 15th December 2004 11:49 GMT Analysis Just about a year from today, if not sooner, if we believe the outpourings of both the DVD Forum and the Blu-Ray Disc Association, we will be able to go out to the shops and buy blue laser, high definition, high density DVDs in two completely different designs. We will also be able to buy the players and recorders by then, as well as studio content from virtually every major studio in the world, on one or the other system. If you believe the hype, DVD manufacturers will likely have to buy in two types of DVD manufacturing equipment. Households will have to buy two DVD players. Consumers will have to buy one PC with one type of high density DVD player and buy another separate player to read the other format of disk. We neither believe the hype, nor understand the argument between the two formats. Surely a single format is better for everyone, but it appears not. Every round of format wars since the original VHS-Betamax war has been split, with the result a draw, and it looks like this one will be too. In the end the devices are likely to be virtually identical. The Sony-Panasonic-Philips camp that inspired the Blu-ray version may have slightly more capacity on their discs, that's the official view right now, but it might change. They also have devices out right now and have had them for over a year, but they are very expensive, up at around $2,000 and are not the volume versions that will be able to play pre-recorded material. Eventually these devices will be about 10 per cent more than DVD players are now.
The DVD Forum backed Toshiba and NEC technology may be slightly cheaper for studios to manufacture, but then again we only have the word of Toshiba on that, and most DVD producers seem set on supporting both. The disks need to play on PCs, as well as DVD players and games consoles, and it is unlikely that anyone is going to shoot themselves in the foot by making a disc that is incompatible with any of these devices. So Microsoft's VC 9 codec has to be supported, as does the prevalent MPEG2 and H.264 codecs, and nobody is planning to argue the toss about the quality of sound from Dolby. So there is a chance that all of the software on top of these disks is going to be identical. In the end all of the Blu-ray manufacturers are still in the DVD Forum, and given that the Blu-ray leaders make about 90 per cent of the world's DVD players and that half of the studios have backed the DVD Forum standard, their players may well end up playing both formats. The early consumers may well be asking "What's the difference?" a year from now, having little clue as to how different the two technologies are under the hood. But what if they each choose a different way to protect the content on their disks? How much danger would that put the two groups in? The Content Scrambling System of the DVD has come in for a lot of criticism over the years, as piracy has become relatively rampant. It was designed more or less as a speed bump to put off anyone other than the professional pirate. But then along came the internet, and it has become possible for anyone to download CSS circumvention or to read up, on various websites, how to go about it. The speed bump has been somewhat flattened and it needs reinforcement in the next technology. So it falls to these same companies to build something for the studios that will be rather harder and more persuasive, to act as a hurdle against piracy for these new DVDs.
In fact an organization called Advanced Access Content System (AACS), formed back in July by such notables as IBM, Intel, Microsoft, Panasonic, Sony, Toshiba, Disney and Warner Brothers has come together in order to create a decent speed bump against piracy that should last at least for the next decade, a decade during which broadband lines improve to the point where it will be child's play to download even a high definition movie. The definition of what is required has been very clear from the studios. They want a system that has the ability for the security logic to be renewed and which should also have some form of forensic marking in order to help track pirates. At the heart of this protection system will be the safety of the revenue of all the major studios, which now get way in excess of 50 per cent of any given film's revenues from DVD sales. Faultline talked over such a system with its authors this week, who are optimistic about its bid to become the new, but more sophisticated CSS for the next generation DVD disk. Cryptography Research's senior security architect, who also mockingly refers to himself as chief anti-pirate, is Carter Laren, and Cryptography
Digipass Starts to Make a Mark
http://online.wsj.com/article_print/0,,SB110348908376704197,00.html The Wall Street Journal December 20, 2004 Digipass Starts to Make a Mark Vasco Enhances Online Security As Web Banks Gain Popularity By STEVE DE BONVOISIN DOW JONES NEWSWIRES December 20, 2004 BRUSSELS -- Life-insurance salesman Renaud Bruneels, 34 years old, says he doesn't have time to take care of life's little administrative issues by visiting a bank during regular business hours. The Belgian has solved the problem by becoming one of 12 million users world-wide of Vasco Data Security International Inc.'s Digipass. The pocket-size gadget, which looks like a calculator, lets him use a single password to pay everything from garbage fees to phone bills over the Internet. It gives me the level of security I need to ... do all my banking transactions, Mr. Bruneels says. Vasco, which is based in Brussels and Chicago, is riding an uptick in online banking -- particularly in Europe, which has moved ahead of the U.S.; the company believes that the U.S. market will take off within the next two years, as banks roll out the service to retail customers. Digipass can be used to access anything online, from bank accounts to secure servers to a corporate intranet. Given a username and password, it issues a one-time code to be used for purchases or transactions on the Web. Because the code only works once, hackers who infiltrate a computer can't use it again. The added level of security sets the Digipass system apart from other online transactions via mobile handsets or laptop computers. Vasco was founded in 1997 by Digipass inventor Jan Valcke, a Belgian, and Ken Hunt, an American who ran an online-authentication software company. But after the Internet bubble burst in 2000, customers hesitated to invest in Internet banking security. Digipass came out a little too early ...
when the big focus was on viruses and not on identity theft, said Edward Ching, technology analyst at Rodman Renshaw in New York. The stock fell from a high of $25 (€18.81) in February 2000 to under $1 in early 2003, forcing Vasco to delist from Nasdaq's National Market and move on to the SmallCap Market. In 2002, Mr. Hunt took over as chief executive. Vasco switched to just in time production, and spent hundreds of thousands of dollars training resellers to tackle the corporate-access market. In November, the company posted its third consecutive quarterly sales increase. Vasco forecasts 2004 sales will rise between 23% and 25% from $22.87 million in 2003, and on Thursday Vasco said it expects 2005 sales to grow 35% to 45% with gross margins in the range of 60% to 65%. On Friday, Vasco shares fell eight cents to $6.40 in 4 p.m. Nasdaq Stock Market trading. Vasco still faces stiff competition. It has only about $10 million in cash, putting it at a disadvantage against U.S. rival RSA Security Inc., when chasing big contracts. In September, RSA signed a landmark deal with Time Warner Inc.'s America Online service to provide authentication for users signing into their online e-mail accounts. We don't have the brand recognition we deserve, says Mr. Hunt, who admits Vasco wasn't even invited to bid on the Time Warner contract. As a result, the company has increased its presence in trade shows together with partners such as Novell Inc. and Lucent Technologies Inc., and is bringing prospective and current clients together in workshops to help them solve operational problems. More than 100 million households world-wide now bank online, and that number is expected to triple to 300 million or more households by the end of the decade. Europe has taken the lead. About 37% of all Internet users on the Continent bank online, as opposed to 17% in the U.S., according to reports from research firms Gartner and Forrester Research.
The number of Europeans carrying out financial transactions on the Net is expected to rise to 130 million by 2007, compared with 67 million Americans. Banks are Digipass's main customers. Digipass is the most secure system available and the one which offers the greatest mobility, said Liliane Tackaert, spokeswoman for Belgo-Dutch banking giant Fortis NV. About 775,000 of the bank's clients in Belgium and Luxembourg use the service. Rabobank, of the Netherlands, Europe's biggest online bank in terms of online customers, has more than two million Digipasses in use. Vasco hopes it will become a lead supplier for the new European EMV payment card next year. Developed jointly by Europay International, MasterCard Inc. and Visa International, the card requires a PIN number in addition to a usual signature when buying goods in a shop, as well as a one-time code -- such as the one generated by Digipass -- to buy goods online or over the phone. In addition to Vasco, Xiring, of Suresnes, France, and U.S.-based ActivCard Corp., Fremont, California, are in the
Re: International meet on cryptology in Chennai
--- begin forwarded text Date: Tue, 21 Dec 2004 00:08:49 -0800 (PST) From: Sarad AV [EMAIL PROTECTED] Subject: Re: International meet on cryptology in Chennai To: R.A. Hettinga [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] --- R.A. Hettinga [EMAIL PROTECTED] wrote: They call it IndoCrypt http://www-rocq.inria.fr/codes/indocrypt2004/ Sarad. --- end forwarded text
Border Patrol hails new ID system
http://www.washingtontimes.com/functions/print.php?StoryID=20041220-103705-9177r The Washington Times www.washingtontimes.com Border Patrol hails new ID system By Jerry Seper THE WASHINGTON TIMES Published December 21, 2004 Border Patrol agents assigned to U.S. Customs and Border Protection (CBP) identified and arrested 23,502 persons with criminal records nationwide through a new biometric integrated fingerprint system during a three-month period beginning in September, CBP officials said yesterday. Most of those arrested were foreign nationals. This 21st-century biometric identification technology is a critical law-enforcement tool for our CBP Border Patrol agents, said CBP Commissioner Robert C. Bonner. It allows CBP Border Patrol agents to quickly identify criminals by working faster, smarter and employing technology to better secure the nation. Mr. Bonner has described the new system as absolutely critical to CBP's priority mission of keeping terrorists and terrorist weapons out of the country, adding that it gives the agents the ability to identify those with criminal backgrounds we could never have identified before. The program, known as the Integrated Automated Fingerprint Identification System (IAFIS), is a biometric identification technology enabling Border Patrol agents to search CBP's Automated Biometric Identification System (IDENT) and the FBI's criminal fingerprint database simultaneously, CBP spokesman Mario Villarreal said. It allows Border Patrol agents to rapidly identify people with outstanding warrants and criminal histories by electronically comparing a live-scanned 10-fingerprint entry against a comprehensive national database of previously captured fingerprints, he said. The IAFIS/IDENT system went on line this year at all 148 Border Patrol stations throughout the country. It began as a pilot project in San Diego, where it was employed at the Border Patrol's Brown Field, Calif., station, and at the Calexico, Calif., port of entry.
During the three-month period this year, the agents identified and detained 84 homicide suspects, 37 kidnapping suspects, 151 sexual assault suspects, 212 robbery suspects, 1,238 suspects for assaults of other types, and 2,630 suspects implicated in dangerous narcotics-related charges.

CBP is the unified border agency within the Department of Homeland Security charged with the management, control and protection of the nation's borders at and between the ports of entry. CBP is charged with keeping terrorists and terrorist weapons out of the country while enforcing hundreds of U.S. laws.

--
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
A Force Field in Flat Gray to Protect a Wireless Network
http://www.nytimes.com/2004/12/23/technology/circuits/23pain.html?pagewanted=printposition=

The New York Times
December 23, 2004

A Force Field in Flat Gray to Protect a Wireless Network
By Adam Baer

As wireless networks have proliferated, computer security companies have come up with increasingly complex defenses against hackers: password protection, encryption, biometrics. Insulating the interior of a house, apartment or office from radio-wave interference is a simpler concept that has yet to become a popular consumer strategy, but a new product called DefendAir from Force Field Wireless could change that.

Available online at forcefieldwireless.com, the product is a latex house paint that has been laced with copper and aluminum fibers that form an electromagnetic shield, blocking most radio waves and protecting wireless networks. Priced at $69 a gallon and available only in flat gray (it can be used as a primer), one coat shields Wi-Fi, WiMax and Bluetooth networks operating at frequencies from 100 megahertz to 2.4 gigahertz. Two or three coats will achieve the paint's maximum level of protection, good for networks operating at up to five gigahertz. Force Field Wireless also sells a paint additive ($34 for a 32-ounce container, enough to treat a gallon of paint) and $39 window-shield films.

Harold Wray, a Force Field Wireless spokesman, said the paint must be carefully applied. "Radio waves find leaks," he said. It should be applied selectively, he said, because it might hinder the performance of radios, televisions and cellphones. "Our main goal is to shield your wireless radio waves from hackers and outside interference," he said. "Plus, today, many people watch cable television."
U.S. passport privacy: Over and out?
http://www.iht.com/bin/print_ipub.php?file=/articles/2004/12/22/news/passport.html

U.S. passport privacy: Over and out?
By Hiawatha Bray
The Boston Globe
Thursday, December 23, 2004

It's December 2005 and you're all set for Christmas in Vienna. You have your most fashionable cold-weather gear, right down to Canada's national red maple leaf embroidered on your jacket and backpack, to conceal your American citizenship from hostile denizens of Europe. But your secret isn't really safe.

As you stroll through the terminal, you pass a nondescript man with a briefcase. The briefcase contains a powerful radio scanner, and simply by walking past, you've identified yourself as an American. Without laying a finger on you, the man has electronically skimmed the data in your passport.

Science fiction? The American Civil Liberties Union doesn't think so. Neither does Bruce Schneier, software engineer and author of multiple books on computer security, nor Katherine Albrecht, a privacy activist in Cambridge, Massachusetts. They are all worried about a State Department plan to put radio identification tags in all future U.S. passports, beginning next year. That way, American passport data can be read merely by waving it past a radio detector.

But whose radio detector? That's what worries many people. "Somebody can identify you as an American citizen from across the street because of the passport in your back pocket," said Albrecht, founder of a Web site concerned with the matter, spychips.com. "You're a walking target."

"Nonsense," replies a State Department spokeswoman, Kelly Shannon. "We're going to prevent the unauthorized skimming of the data," Shannon said. The U.S. government thinks the new passports will be harder to forge and easier to verify than the current model, without causing undue risk of identity theft.

It is all part of the continuing debate over radio frequency identification systems, also known as RFID. Tags that let people zoom through a highway toll booth contain an RFID chip. Many American pets have them embedded under their skin, and the U.S. Food and Drug Administration has approved doing the same for people, to provide reliable medical information to emergency room doctors. But privacy advocates like Albrecht contend that government agencies and big corporations want to embed RFID chips into virtually every product, giving them the ability to track almost every move that people make.

The RFID chips contain a tiny bit of information that is transmitted via radio when the chip comes within range of a reading device. The chip could broadcast a simple code number, or it could contain a lot more information, like a traveler's name, nationality and digital photograph. This is what the chips planned for future U.S. passports will do, part of a plan to make the passport system more secure.

But according to government documents released by the civil liberties union, early versions of the system allowed detection of personal data by a snoop 30 feet, or 9 meters, away. Shannon, of the State Department, dismissed this research, saying the equipment needed to capture the data was too complex and heavy to be used undercover.

That is not much comfort to Schneier, the computer security expert. "Technology only gets better," he said. "It never gets worse." Schneier figures that would-be spies and snoops will find ways to pick up signals from the passport chips.

The chips might be made more secure by encrypting the data they contain. That way, it would be useless even if intercepted. But the State Department opposes that idea, because immigration officials in many poor countries cannot afford the necessary decryption gear. "Encryption limits the global interoperability of the passport," said Shannon.

Why use a radio-based identity system at all? Smart chips, like those found in some credit cards, are plentiful and cheap, and they don't broadcast. You slide them through a chip reader that instantly scoops up the data. But the International Civil Aviation Organization, which sets global standards for passports, has decided on the use of a noncontact technology - another way of saying radio-based identification.

So will Americans be stuck with high-tech passports that beam their personal data to all comers? Not necessarily. Turns out there's a simple fix: a passport cover made of aluminum foil. It would form what engineers call a Faraday cage, after Michael Faraday, the 19th-century British physicist who discovered the characteristics of electromagnetic waves. Wrap an RFID chip inside a Faraday cage, and the electromagnetic waves from the chip reader can't get in and activate the chip.

The State Department says it may use the principle to give travelers an added sense of security. No, there won't be rolls of aluminum foil included with every passport. Instead, the passport cover may include a network of wires woven into the fabric. Fold the passport shut, and there's your Faraday
Banks Test ID Device for Online Security
Okay. So AOL and Banks are *selling* RSA keys???

Could someone explain this to me?

No. Really. I'm serious...

Cheers,
RAH

http://www.nytimes.com/2004/12/24/technology/24online.html?oref=loginpagewanted=printposition=

The New York Times
December 24, 2004

Banks Test ID Device for Online Security
By JENNIFER A. KINGSON

For years, banks gave away toasters to people who opened checking accounts; soon they may be distributing a more modern kind of appliance.

Responding to an increase in Internet fraud, some banks and brokerage firms plan to begin issuing small devices that would help their customers prove their identities when they log on to online banking, brokerage and bill-payment programs. E*Trade Financial intends to introduce such a product in the first few months of 2005. And U.S. Bancorp says it will test a system, though it has not given a timetable.

The devices, which are hand-held and small enough to attach to a keychain, are expected to cost customers roughly $10. They display a six-digit number that changes once a minute; people seeking access to their accounts would type in that number as well as a user name and password. The devices are freestanding; they do not plug into a computer.

Some banks, like Wachovia of Charlotte, N.C., and Commerce Bancshares of Kansas City, Mo., already use these hardware tokens to identify employees and corporate customers, and say they are evaluating the technology for retail banking use. Others, like Fidelity Investments and Bank of America, are researching the matter. "Every single major bank is considering it," said James Van Dyke, principal and founder of Javelin Strategy and Research of Pleasanton, Calif., which advises financial services companies on payments and technology issues.

Although there are drawbacks in terms of cost and convenience - as well as questions about what would happen if a customer lost the device or it were stolen - there is growing pressure from bank regulators to add safeguards of this type to online financial services. In a report last week, the Federal Deposit Insurance Corporation, which insures bank deposits, said that existing authentication systems were not secure enough and that an extra layer of security should be added to the sign-in process.

"The financial services industry's current reliance on passwords for remote access to banking applications offers an insufficient level of security," the F.D.I.C.'s report said. Two-factor authentication, which typically includes a memorized password and a hardware security device, "has the potential to eliminate, or significantly reduce, account hijacking," it said.

To be sure, there are many ways to add the kind of security that the agency is seeking, and any number of technology vendors eager to supply products. The F.D.I.C. evaluated some possible alternatives, including smart cards, which are plastic cards with embedded microprocessor chips; biometrics, which identify people by their fingerprints, voice or physical characteristics; and shared secrets, in which a customer is asked a question that, in theory, only he or she could answer.

But the system that has so far taken root in the market is the one that relies on number-changing hardware tokens, which have the shape and feel of the plastic security devices that people click to unlock their cars. Several large banks in Europe and Australia - including Credit Suisse, ABN Amro and Rabobank - already issue these tokens to customers, sometimes making them bear the cost of the device.

In the United States in September, America Online introduced a program, AOL Passcode, that lets subscribers buy the keychain device for $9.95 and use it for authentication purposes, at a subscriber fee of $1.95 to $4.95 a month, depending on the number of screen names linked to it.

Proponents of these devices are aware that they present other problems. Financial companies are concerned about making online banking less convenient and about adding fees for the hardware token. Customers with accounts at several institutions may wind up with an unwieldy number of tokens or swamp call centers with questions about the new systems.

Several foreign banks have made the tokens mandatory for online customers. E*Trade, which is expected to be the first United States financial institution to introduce the program for retail customers, will make it optional and charge for the device. Joshua S. Levine, chief technology officer at E*Trade, said the technology seemed to provide "the comfort that most people want." "And when you have your money at stake," he said, "you really want to feel comfortable."

E*Trade has been testing its program for the last two months, giving the devices free to 200 interested customers. So far, the tests have attracted customers with high incomes who conduct many transactions and tend to be knowledgeable about technology, Mr. Levine said. "Based on the feedback these customers have been giving us," he added, "we feel it
AOL Help : About AOL® PassCode
http://help.channels.aol.com/article.adp?catId=6sCId=415sSCId=4090articleId=217623

AOL® PassCode
About AOL® PassCode

After purchasing and receiving your AOL® PassCode, go to AOL Keyword: PassCode and this screen appears, allowing you to secure your screen name to your AOL PassCode. On this screen you can also release your screen name from AOL PassCode, change service plans and order additional AOL PassCodes.

Account Status
This area lists your current AOL PassCode service plan, including the secured and unsecured screen names within the plan. If the maximum number of screen names in your service plan are secured to your AOL PassCode, the Manage Service Plan button will appear.

View PassCode Account Activity
Displays a screen listing a summary of your AOL PassCode account activity, such as the date you purchased your subscription, ordered AOL PassCode devices and details such as the price plan ordered and the quantity of AOL PassCodes ordered.

Secure Screen Name
To help protect your screen name with AOL PassCode, you need to secure your screen name to your specific AOL PassCode device. Each AOL PassCode has a unique serial number engraved on its back. By associating your screen name with a specific AOL PassCode serial number, the AOL service will know which six-digit number needs to be entered at each sign-on, helping to protect your screen name from unauthorized access.

To secure a screen name to your AOL PassCode
1. Sign on to the AOL® service with the screen name you want to secure to your AOL PassCode.
2. Go to AOL Keyword: PassCode.
3. Click Secure Screen Name.
4. Type the eight-digit serial number engraved on the back of your AOL PassCode.
5. Type the six-digit number displayed on the front of your AOL PassCode.
6. Click Save.

A confirmation screen appears. This change takes effect immediately and will be enforced the next time you sign on to the AOL service. Whenever you sign on to the AOL service using the screen name that you secured to AOL PassCode, you will be required to enter the six-digit number on the front of your AOL PassCode.

Release Screen Name
When the screen name you signed on to the AOL service with has already been secured to your AOL PassCode, the Secure Screen Name button changes to Release Screen Name. If you no longer want to use AOL PassCode, you must release your screen name from your AOL PassCode so that you will no longer need to enter a six-digit code when you sign on to any AOL service.

To release your screen name from your AOL PassCode
1. Sign on to the AOL service with the screen name you want to release from your AOL PassCode.
2. Go to AOL Keyword: PassCode.
3. Click Release Screen Name. The Secure Screen Name button changes to Release Screen Name when that particular screen name is secured to AOL PassCode.
4. Enter the answer to your account security question. For more information, see What is an Account Security Question.
5. Type the eight-digit serial number engraved on the back of your AOL PassCode.
6. Type the six-digit number displayed on the front of your AOL PassCode.
7. Click Save.

This change takes effect immediately, and removes the AOL PassCode protection for subsequent sign-ons.

Manage Service Plan
Displays a screen with AOL PassCode service plan options, allowing you to change your current service plan.

Order more PassCodes
Displays a screen allowing you to order additional AOL PassCodes.
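The hardware token the NYT article describes (a six-digit number that changes once a minute, typed in alongside the password) and the AOL PassCode secure/release procedure above both reduce to the same server-side logic: bind a screen name to a device serial, then verify that the submitted code is the one that device would show now. The following is an added illustration of that logic, not AOL's, E*Trade's or any token vendor's code. The RFC 4226 HMAC-based OTP construction on a 60-second step is an assumption standing in for whatever the 2004 devices actually ran; the serial, seed and screen names are constructed sample values.

```python
# Added illustration; not AOL's, E*Trade's or any token vendor's code.
# Assumptions: codes come from the RFC 4226 HMAC-based OTP construction on
# a 60-second time step (a stand-in for the proprietary 2004 devices);
# serials, seeds and screen names below are constructed sample values.
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 60   # the display changes once a minute
DIGITS = 6          # six-digit number on the front of the device


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """What the device displays: HOTP with the counter = whole minutes since the epoch."""
    return hotp(secret, unix_time // STEP_SECONDS)


class PassCodeService:
    """Server side: token inventory, screen-name binding, second-factor checks."""

    def __init__(self, tokens: dict):
        self._tokens = dict(tokens)   # serial number -> seed shared with the device
        self._bindings = {}           # screen name -> serial number it is secured to
        self._last_counter = {}       # serial -> last time step accepted (replay guard)

    def secure_screen_name(self, screen_name: str, serial: str, code, now: int) -> bool:
        """Bind a screen name to a device; the caller proves possession with a live code."""
        if serial not in self._tokens or not self._check_code(serial, code, now):
            return False
        self._bindings[screen_name] = serial
        return True

    def release_screen_name(self, screen_name: str, serial: str, code, now: int) -> bool:
        """Unbind; the serial must match the one on file and a live code is required."""
        if self._bindings.get(screen_name) != serial or not self._check_code(serial, code, now):
            return False
        del self._bindings[screen_name]
        return True

    def sign_on(self, screen_name: str, password_ok: bool, code, now: int) -> bool:
        """Password first; a secured screen name additionally needs the six-digit code."""
        if not password_ok:
            return False
        serial = self._bindings.get(screen_name)
        if serial is None:
            return True   # unsecured screen name: password alone, as before
        return self._check_code(serial, code, now)

    def _check_code(self, serial: str, code, now: int, skew_steps: int = 1) -> bool:
        """Accept the code for the current step or one step either side (clock drift),
        but never a step at or before the last one accepted, so a code seen once
        (shoulder-surfed, phished, logged) cannot be presented again."""
        if not isinstance(code, str) or len(code) != DIGITS:
            return False
        secret = self._tokens[serial]
        current = now // STEP_SECONDS
        for step in range(current - skew_steps, current + skew_steps + 1):
            if step <= self._last_counter.get(serial, -1):
                continue
            if hmac.compare_digest(hotp(secret, step), code):
                self._last_counter[serial] = step
                return True
        return False


if __name__ == "__main__":
    seed = b"constructed-sample-seed"
    service = PassCodeService({"12345678": seed})
    now = int(time.time())
    shown = totp(seed, now)   # what the device shows right now
    print("secure:", service.secure_screen_name("screenname1", "12345678", shown, now))
    print("replay:", service.sign_on("screenname1", True, shown, now))
    print("next minute:", service.sign_on("screenname1", True, totp(seed, now + 60), now + 60))
```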
Scientists close to network that defies hackers
http://news.ft.com/cms/s/a0dcf3f0-5874-11d9-9940-0e2511c8.html

The Financial Times

Scientists close to network that defies hackers
By Clive Cookson, Science Editor
Published: December 28 2004 02:00 | Last updated: December 28 2004 02:00

Scientists have taken what they say is a big step towards an intrinsically secure computer network which banks and other institutions could use to transmit data without risk of hacking.

Toshiba Research Europe is one of several laboratories around the world racing to commercialise quantum cryptography, a technology that uses quantum mechanics to generate unbreakable codes. The Cambridge-based company says it has produced the first system robust enough to run uninterruptedly for long periods without human intervention. The Toshiba researchers have tested the system with MCI, the international telecommunications company, and plan next year to carry out trials with financial institutions in London.

Secure digital communication uses long prime numbers as keys to encode data at one end and decode at the other. In quantum cryptography, individual photons - light particles - transmit the secret keys down optical fibres. Each photon carries a digital bit of information, depending on its polarisation. To outwit hackers, the keys are changed many times a second.

The extreme delicacy of these quantum bits is both the strength and weakness of quantum cryptography. On the positive side, a hacker cannot eavesdrop on the data transmission without changing it and alerting sender and receiver to the breach of security. But the system is easily disturbed by tiny fluctuations such as temperature changes in the transmission apparatus or movements in the optical fibres.

Previous quantum cryptography transmissions have lasted only for minutes and required continual adjustment by experts, says Andrew Shields, head of Toshiba's quantum information group. His laboratory managed to extend the running time to a week's entirely automated and uninterrupted session. The Cambridge researchers stabilised the system and reduced the error rate by sending a bright "guardian" pulse of light down the fibres immediately after each information-carrying photon.

Mr Shields said: "The technology is now sufficiently mature to be used in real-world situations and we are currently discussing applications with interested parties. In the first instance we expect quantum cryptography to be used in companies' private networks - for example, to provide secure traffic in a link between two sites within a metropolitan area."

Besides Japanese-owned Toshiba, large electronics companies competing to commercialise quantum cryptography include NEC of Japan and Hewlett-Packard of the US. There are also two start-ups, Magiq Technologies of the US and ID Quantique of Switzerland, with first generation quantum cryptography products on the market, although sales have not been large.
The story of Aldrich Ames and Robert Hanssen--from the KGB's point of view.
http://www.opinionjournal.com/la/?id=110006088

OpinionJournal WSJ Online
BOOKSHELF

The Man Who Stole the Secrets
The story of Aldrich Ames and Robert Hanssen--from the KGB's point of view.
BY EDWARD JAY EPSTEIN
Thursday, December 30, 2004 12:01 a.m. EST

Recently a number of former CIA officers received an invitation from the Spy Museum in Washington to attend a luncheon for former KGB Col. Victor Cherkashin. The event, as the invitation said, would afford "a once-in-a-lifetime opportunity to dine and dish with an extraordinary spymaster." In the heyday of the Cold War, such an offer, delivered with slightly more discretion, might have been the prelude to a KGB recruitment operation. Now it's merely the notice for a book party celebrating yet another memoir by a former KGB officer recounting how the KGB duped the CIA.

In this case, there is a great deal to tell. Victor Cherkashin served in the KGB from 1952, when Stalin was still in power, until the Soviet Union disintegrated in 1991. During most of that time his mission was to organize KGB operations aimed at undermining the integrity, confidence and morale of the CIA. He seems to have been good at his job.

His big opportunity came when he was the deputy KGB chief at the Soviet Embassy in Washington between 1979 and 1985. Those years were the height of a ferocious spy war within the Cold War. In "Spy Handler," Mr. Cherkashin describes in detail how he helped convert two American counterintelligence officers--one well-placed in the CIA's Soviet Russia Division, the other in the FBI--into moles. Their names are notorious now, but over the course of a decade Aldrich Ames and Robert Hanssen operated with anonymous stealth, compromising most of the CIA's and FBI's espionage efforts in the Soviet Union.

But that wasn't the end of Mr. Cherkashin's glory. Returning to Moscow, he helped run "dangle" operations in which KGB-controlled diplomats feigned a willingness to be recruited by their American counterparts, only to hand over disinformation when they were finally recruited. Thus when the CIA came around to investigating why its agents were being compromised in Russia, the KGB sent the CIA a disinformation agent, for example, to paint false tracks away from its moles. This agent--Mr. X--offered to betray the Soviet Union for $5,000. When the CIA snapped up the bait, Mr. X pointed it to its own secret communication center in Warrenton, Va., falsely claiming that the KGB was electronically intercepting data from its computers. The purpose, of course, was to divert the agency away from the mole, who continued betraying CIA secrets for eight more years.

Told from the KGB's vantage point, Mr. Cherkashin's story provides a gripping account of its successes in the spy war. He shows Mr. Hanssen to have been an easily managed and highly productive penetration who operated via the unusual tradecraft of dead drops, leaving material at designated locations where it could be transferred without spy and handler ever meeting. (Indeed, the KGB never knew Mr. Hanssen's identity.) Mr. Ames, for his part, was a more complex case, since he had come under suspicion and the KGB had to concern itself with throwing the CIA off his trail.

That America's counterespionage apparatus allowed both men to operate as long as they did is a testament to its complacency as much as to the KGB's cleverness. And indeed, Mr. Cherkashin skillfully torments his former adversary, the CIA, by attributing a large part of the KGB's success to the incompetence of the CIA leadership, or its madness. He asserts, in particular, that the CIA had been all but paralyzed by the "paranoia" of James Jesus Angleton, the CIA's longtime counterintelligence chief, who suspected that the KGB had planted a mole in the CIA's Soviet Russia division.

Mr. Cherkashin is right that Mr. Angleton's concern retarded, if not paralyzed, CIA operations in Russia. After all, if the CIA was indeed vulnerable to KGB penetration, as Mr. Angleton believed, it had to assume that its agents in Russia would be compromised and used for disinformation. This suspicion would recommend a certain caution or tentativeness, to say the least. Mr. Cherkashin's taunt about Mr. Angleton's paranoia echoed what was said by Mr. Angleton's critics in the CIA, who resented his influence, believing that polygraph tests and other security measures immunized the CIA against such long-term penetration.

But of course Mr. Angleton was right, too. On Feb. 21, 1994, Mr. Ames, the CIA officer who had served in the Soviet Russia division, was arrested by the FBI. He confessed that he had been a KGB mole for almost a decade and had provided the KGB with secrets that compromised more than 100 CIA operations in Russia. Mr. Hanssen was caught seven years later. Since Mr. Cherkashin had managed the recruitment of Mr. Ames and helped with that of Mr. Hanssen, his accusation that Mr. Angleton was paranoid for suspecting the possibility of a mole has the
eBay Dumps Passport, Microsoft Calls It Quits
http://www.techweb.com/article/printableArticle.jhtml;jsessionid=IUVVYXUECEG4MQSNDBGCKHSCJUMEKJVN?articleID=56800077site_section=700029

eBay Dumps Passport, Microsoft Calls It Quits
By TechWeb News
December 30, 2004 (12:51 PM EST)
URL: http://www.techweb.com/wire/ebiz/56800077

Online auction site eBay announced Wednesday that it will soon drop support for Microsoft's Passport for log-in to the site and will discontinue alerts sent via Microsoft's .Net alerts. Microsoft responded by saying that it will stop marketing Passport to sites outside its own stable.

As of late January, eBay will no longer display the Passport button on sign-in pages nor allow users to log in using their Passport accounts. Instead, members must log in directly through eBay.

Likewise, eBay's dumping .Net alerts, which means that eBay customers who want to receive alerts -- for such things as auction closings, outbids, and auction wins -- will have to make other arrangements. The free-of-charge eBay Toolbar, for instance, can be used to set up alerts going to the desktop, while alerts to phones, PDAs, or pagers can be created from the user's My eBay page.

eBay was one of the first to jump on the Passport bandwagon in 2001, but is only the latest site to leap off. Job search site Monster.com, for instance, dropped Passport in October.

Microsoft has decided to stop marketing its sign-on service to other Web sites, the Los Angeles Times confirmed Thursday. The pull-back, which had been long predicted by various analysts, follows a stormy life for Passport, which among other things, suffered a pair of security breakdowns in the summer of 2003 that could have led to hackers stealing users' IDs.

Microsoft also pulled its online directory of sites using Passport -- perhaps because the list would have been depressingly short -- stating in the online notice that "We have discontinued our Site Directory, but you'll know when you can use your Passport to make sign-in easier. Just look for the .NET Passport Sign In button!"

Passport will continue to be the sign-on service for various Microsoft properties, including the Hotmail e-mail service and MSN.com.
Korean Online Banks Will Be Liable for 'Hacking' Damages in 2006
--- begin forwarded text

Date: Fri, 31 Dec 2004 04:30:34 -0600 (CST)
From: InfoSec News [EMAIL PROTECTED]
To: isn@attrition.org
Subject: [ISN] Online Banks Will Be Liable for 'Hacking' Damages in 2006
Reply-To: [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]

http://english.chosun.com/w21data/html/news/200412/200412300030.html

Park Jong-se
Dec. 30, 2004

Starting from 2006, financial institutions will be held responsible for any damage consumers may suffer at the hands of hackers or from malfunctioning computer systems while engaging in financial transactions on the Internet.

The government adopted a financial e-transaction bill during a vice ministerial meeting Thursday. The bill will be discussed at a Cabinet meeting scheduled for Jan. 4 before being submitted to the National Assembly.

According to the bill, if consumers incur damages or loss while engaging in e-banking because of an incident caused by a third factor, such as a case of hacking or computer system meltdowns, financial institutions or e-banking service providers will be liable.

An exception that grants financial institutions immunity is also included in the bill. If consumers cause a problem deliberately or by their own mistakes, they will be held accountable.

The bill states that consumers' identification number, secret code and certified document, all of which are essential prerequisites for e-banking, should be issued only when consumers apply for them and after their identity has been confirmed. It also mandates that transaction records should be kept.

_
Open Source Vulnerability Database (OSVDB) Everything is Vulnerable - http://www.osvdb.org/

--- end forwarded text
New computerized passport raises safety concerns
http://www.sanluisobispo.com/mld/sanluisobispo/business/technology/10556269.htm?template=contentModules/printstory.jsp Posted on Mon, Jan. 03, 2005 New computerized passport raises safety concerns By Kristi Heim Seattle Times When traveling abroad these days, most Americans probably wouldn't want the contents of their passports to be secretly read by strangers. But when a new high-tech passport system goes into effect as early as next spring, that's exactly what critics say could happen. Before the end of the year, the first U.S. biometric passport will be issued with a tiny computer chip and antenna embedded inside it. The chip will contain a digital image of the person's face, along with other information such as name, birth date and birthplace. The data on the chip can be picked up wirelessly using a radio signal. When the traveler enters the United States, border-control officials will snap a digital photo of the person, scan the data from the passport and run a facial-recognition software program to compare the two images. The system is designed to prevent forged passports by making sure the original passport holder and the person standing at the immigration counter are one and the same. The problem, security and privacy experts say, is that the technical standard chosen for the system leaves passport data unprotected. The technology allows data on the chip to be read remotely using radio frequency identification or RFID. That means the passport does not have to be opened or even come in contact with a scanning device. Its contents can be read remotely -- some estimates claim as far away as 30 feet -- without the passport holder knowing anything about it. 
Privacy advocates and the American Civil Liberties Union have sharply criticized the proposed system, saying it effectively creates "a global infrastructure of surveillance."

"The U.S.-backed standard means that all the information on American passports can be read by anyone with an RFID reader, whether they are an identity thief, a terrorist trying to spot the Americans in a room or a government agent looking to vacuum up the identities of everyone at a political rally, gun show or mosque," said Laura Murphy, director of the ACLU's Washington, D.C., legislative office. The ACLU also questioned the use of facial-recognition technology, which can be used to track people but is not foolproof when it comes to matching identity.

The U.S. government is already requiring 27 foreign countries to include biometrics in their passports in order for their citizens to continue to travel to the United States without a visa. The mandate was passed in 2002 as part of an effort to tighten border security after the Sept. 11, 2001, attacks. Most of those countries, including the United Kingdom, have had trouble implementing the system and requested the deadline be postponed. Congress voted during the summer to extend the deadline one year to October 2005. Now the State Department plans to expand that program to include U.S. passports, which were not part of the original legislation. But it may only be a matter of time before countries required by the United States to issue biometric passports demand the same kind of passports from American visitors.

By the end of 2005, according to the plan, all American passports produced domestically will be biometric passports. The new technology is set to go into diplomatic and official passports first, and move to all new and renewed regular passports around the middle of next year, said Kelly Shannon, spokeswoman in the State Department's Bureau of Consular Affairs.

The standard being used for U.S. passports was developed by the International Civil Aviation Organization, a United Nations-affiliated group based in Montreal. As the standard was being decided this year, privacy and security experts argued it should include features to protect the data, such as encryption or the addition of a printed bar code inside the passport to "unlock" the data. Such features would let passport holders know who was reading their data and when.

But the State Department so far has rejected proposals for encryption and other security measures. Department officials said encryption would hinder interoperability of the system among the different countries using it and slow down already tedious border crossings. It should function like RFID technology that monitors the flow of cars from a distance through automatic toll roads, for example.

Security expert Bruce Schneier, founder and chief technical officer of Counterpane Internet Security, said encryption would not solve security problems for the passport system. Instead, he recommends a system that requires direct contact with the chip. "The owner of the passport has to acquiesce to give the data to somebody," Schneier said. If the passport has to touch the reader or be opened before it can be read, there is less chance for secret "skimming" of personal data. That is a
[ISN] SSL VPNs Will Grow 54% A Year, Become Defacto Access Standard: Report
--- begin forwarded text Date: Fri, 7 Jan 2005 06:41:49 -0600 (CST) From: InfoSec News [EMAIL PROTECTED] To: isn@attrition.org Subject: [ISN] SSL VPNs Will Grow 54% A Year, Become Defacto Access Standard: Report Reply-To: [EMAIL PROTECTED] Sender: [EMAIL PROTECTED] http://www.informationweek.com/story/showArticle.jhtml;jsessionid=NIOHIDQYVVDQSQSNDBESKHA?articleID=56900844 By Matthew Friedman Networking Pipeline Jan. 5, 2005 Spending on Secure Sockets Layer Virtual Private Networks (SSL VPN) will grow at a 53% compound annual growth rate, and SSL VPNs will surpass traditional IPsec VPNs as the de-facto remote access security standard by 2008, according to a new report from Forrester Research. In SSL VPNs Poised for Significant Growth, Forrester associate analyst Robert Whiteley says companies are attracted by the technology's application-level simplicity. Unlike IPsec VPNs, which require special client software to access the network, SSL VPN supports a wide range of devices, from desktop computers to PDAs, and applications, while offering network administrators greater granularity of user information and providing better endpoint security. According to the report, some 44% of American businesses have deployed SSL VPNs, spending $97 million on the technology last year alone. Despite the impressive adoption rate for a technology that has been in the business mainstream for less than a year, Forrester expects SSL VPN deployments to continue to take off, with the market growing at a 53% compound annual growth rate to $1.2 billion in 2004. SSL VPNs are already well-entrenched in the financial and business services industries and in the public sector. Driven by the need to ensure endpoint security for online services, the financial services industry can boast a 56% penetration rate, with business services just behind at 51%. 
In both cases, Whiteley predicts a compound annual growth of 34% to 2010 which, though impressive, pales beside the expected SSL VPN growth in late-adopting industries. Indeed, Whiteley writes that retail and manufacturing are poised to leap into SSL VPN with gusto over the next few years. Retail and wholesale allocates 7.8% of its IT spend to security, more than even financial services, he notes. This vertical shows the most SSL VPN potential because of its eye toward security, relatively little penetration to date, and the need for large, distributed deployments, resulting in 82% annual market growth through 2010. Though only 29% of manufacturers are currently invested in SSL VPNs, Whiteley expects that to change dramatically through 2010, predicting a phenomenal 94% compound annual growth rate. IPSec was a poor fit for this vertical's needs, Whiteley observes, but the application-layer flexibility of SSL VPNs should spur rapid adoption. Manufacturing companies typically don't provide employees with corporate-managed laptops, he writes. Thus, SSL VPNs allow a 'bring-your-own computer' model where manufacturing companies still control security and user policy but don't have to incur the cost of unnecessary IT infrastructure. --- end forwarded text
[fc-announce] FC05 registration to open next week
--- begin forwarded text User-Agent: Microsoft-Entourage/11.1.0.040913 From: Stuart E. Schechter [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: [fc-announce] FC05 registration to open next week Sender: [EMAIL PROTECTED] Date: Fri, 07 Jan 2005 11:00:54 -0500 Registration for Financial Cryptography and Data Security 2005 will open early next week. My apologies for the delays and thanks for your patience. In the meantime, please do make sure that you've made all your other travel arrangements (flight/hotel/car rental). For more information, see http://fc05.ifca.ai/travel.html Please don't hesitate to get in touch if there's any further information that I can provide you. Best regards Stuart Schechter General Chair Financial Cryptography and Data Security 2005 ___ fc-announce mailing list [EMAIL PROTECTED] http://mail.ifca.ai/mailman/listinfo/fc-announce --- end forwarded text
Atom demo fixes quantum errors
http://www.alwayson-network.com/comments.php?id=7746_0_6_0_C Always On Atom demo fixes quantum errors TRN NewsTeam | TRN | POSTED: 01.07.05 @09:47 Although quantum computers promise fantastic speed for certain types of very large problems, the logical components of quantum computers -- quantum bits -- are quite fragile, which makes for a large number of errors that must be corrected. Researchers from the National Institute of Standards and Technology have demonstrated a way to correct errors in qubits of beryllium ions held in an electromagnetic trap. The ions represent a 1 or 0 of computer information in their spin, which can be pictured as the counterclockwise or clockwise spin of a top. One way to carry out quantum computing is to take advantage of a weird trait of quantum particles -- they can become entangled, or linked, so that properties like spin remain in lockstep. The researchers' prototype uses lasers to control the qubits' states and electrodes to move them together, which allows them to be entangled. The researchers set a primary qubit to a particular state and entangled it with two other qubits. They deliberately induced an error and then disentangled the qubits by separating them. They measured the other two qubits to determine how the primary qubit needed to be corrected. Quantum error correction schemes have been well explored theoretically, but the researchers' experiment was the first demonstration of a repeatable error-correction procedure and the first using trapped ions, which are a promising candidate for practical quantum computers. Practical quantum computing is a decade or more away. The method could be used in quantum communications applications like quantum cryptography within a few years, according to the researchers. The work appeared in the December 2, 2004 issue of Nature.
TSA: Tests going well for Secure Flight
http://www.cnn.com/2005/TRAVEL/01/07/passenger.screening.ap/index.html CNN TSA: Tests going well for Secure Flight Friday, January 7, 2005 Posted: 11:21 AM EST (1621 GMT) WASHINGTON (AP) -- The government has begun testing a computerized screening system that compares airline passengers' names with those on terrorist watch lists, a Transportation Security Administration official said Thursday. Called Secure Flight, it's meant to replace a plan that never got to the testing stage because of criticism that it gave the government access to too much personal information. Testing of Secure Flight began November 30. No announcement was made; TSA spokesman Justin Oberman disclosed its status when asked by The Associated Press. The testing has not turned up any suspected terrorists. Oberman said the agency expects to wrap up the first phase of testing in a month. The technology is working, doing exactly what we wanted it to do, he said. The TSA is testing data on passengers who flew domestic flights on U.S. airlines in June. The airlines, concerned about upsetting passengers, had refused to turn over the information, but the TSA issued a security directive ordering them to do so. About 1.9 million passengers travel by air daily, and part of the test will see if the government's system can handle that much information. The government has sought to improve its process for making sure terrorists don't get on planes since the September 11 hijackers exposed holes in the system. Airlines now simply match passenger names against government watch lists of people considered threats. Federal authorities don't disclose criteria for placing people on the lists, how many names are listed or any identities. In a number of well-publicized incidents, people with names similar to those on the lists were stopped from boarding planes. Among them was Sen. Edward M. Kennedy, D-Massachusetts. 
Marcia Hofmann, attorney for the Electronic Privacy Information Center, a Washington-based advocacy group, said many problems remain with the Secure Flight program. "The redress process is still a question mark," Hofmann said. "The ability of individuals to access and correct information that is being used to make determinations about them is still at issue." Oberman said the agency is working on a way for passengers to appeal if they think they've been wrongly identified as terrorists. Under Secure Flight, the airlines would electronically transmit to the government passenger names as well as other identifying information. The government would then match that information with the terrorist watch lists; names on those lists are supposed to include biographical information. The passenger information that's being tested is known as passenger name records, or PNR. It can include credit card numbers, travel itineraries, addresses, telephone numbers and meal requests. Oberman said further testing will show whether the system can handle a surge of information during busy air travel periods. Name-matching software will also be fine-tuned, he said. The TSA says Secure Flight differs from the previous plan because it does not compare personal data with commercial databases. Privacy advocates were concerned that doing so would allow the government to accumulate vast amounts of sensitive information about people who weren't suspected of breaking the law. The agency said, however, it will test the passenger information on a very limited basis against commercial data to see if that could reduce the number of people who are confused with names on watch lists. Before that happens, though, the Government Accountability Office must report to Congress on the TSA's plan to test the commercial data. That's expected by the end of March. Oberman said he expects testing will be completed by then. However, it's unclear when Secure Flight will be implemented.
Effort to Speed Airport Security Is Going Private
http://online.wsj.com/article_print/0,,SB110549106703823542,00.html The Wall Street Journal January 12, 2005 Effort to Speed Airport Security Is Going Private Move Aims to Expand Program That Preregisters People Who Travel Frequently By AMY SCHATZ Staff Reporter of THE WALL STREET JOURNAL January 12, 2005; Page D1 The Homeland Security Department, under pressure to jump-start a program allowing select preregistered travelers to speed through airport security, is turning to the private sector for help. The Registered Traveler program gives frequent air passengers access to special security lines, provided they first voluntarily undergo criminal and terrorist background checks. In exchange, they get a biometric identification card -- containing a fingerprint and other personal data -- and access to the shorter lines. The program has generally received favorable reviews from volunteers and the three-month trial has been extended indefinitely. There is just one problem: The pilot program, currently administered by the department's Transportation Security Administration, is offered at only five airports for just 10,000 volunteers. This means that Registered Travelers can use their cards only at their home airports and nowhere else. TSA's pace at expanding the test into a national program has, so far, been the biggest complaint. The slow introduction has prompted interest from some businesses, who believe that travelers would be willing to pay to participate in the program. Interested entrepreneurs include Steven Brill, who started American Lawyer magazine and Court TV and, after writing a book on Sept. 11, decided to get into the homeland-security business. In a plan set to be unveiled in coming weeks, TSA officials will lay out some details of a privately operated Registered Traveler pilot program at Orlando International Airport. 
The success of the pilot, expected to begin by the end of March, could determine the future of the Registered Traveler program and be a model for expanding it nationally. Mr. Brill and others have been pushing for TSA to privatize the program, saying that businesses are better equipped than the government to market and expand it, especially because some travelers have indicated that they would pay annual fees -- as much as $100 -- for faster screening. TSA officials agree, believing that passengers, not taxpayers, should fund Registered Traveler, because it is likely to be used by business people rather than leisure travelers. Homeland Security officials are eager to see it move forward. TSA has had some false starts in other initiatives, and it has taken knocks for long lines and intrusive pat-down searches. But privacy advocates, who have already voiced concern about the government-run pilot programs, are even more worried now that TSA is turning to the private sector.

EXPRESS LINE: How expedited security works in five pilot programs:
- Who's eligible: 10,000 frequent-flier club members; enrollment closed
- What they provide: Fingerprint, iris scan, personal data
- What they get: Biometric ID card
- What they have to do at airport: Open laptop, remove keys, coins
- What they don't have to do: Join leisure travelers for random screening

They complain that Homeland Security officials routinely publish privacy guidelines too vague to give the public a real understanding of how personal data are handled. A privatized system could exacerbate the problem, says Marcia Hofmann, staff counsel of the Electronic Privacy Information Center, a Washington nonprofit organization. TSA sees private-sector involvement as a route to faster growth.
We're trying to encourage as much private sector participation as possible, says Justin Oberman, a TSA official in charge of both Registered Traveler and its more controversial sister-project, Secure Flight, a computerized prescreening system that will replace a system currently run by the airlines. Plans to run the privatized pilot in Orlando were publicly disclosed in October, when AirTran Airways, a unit of Orlando-based AirTran Holdings Inc., said it would participate in the program. But efforts between TSA and the airport to reach terms on the pilot have dragged on. One reason: TSA officials haven't decided whether to compile a master list of Registered Travelers, which could be used to check passengers at all participating airports, or allow private companies to maintain passenger data in a universal format easily accessed by competitors. The Orlando airport hasn't yet chosen a vendor to run its test, although airport officials say they are in talks with Mr. Brill's New York-based company, Verified Identity Pass Inc. Verified Identity would essentially assume marketing responsibilities while its partners -- possibly including Lockheed Martin Corp. -- would install scanners, process applications and manufacture ID cards. TSA screeners, who are government employees, would continue to staff the security lines. Orlando
Sun creates world's smallest SSL Web server
http://www.cbronline.com/article_news.asp?guid=38DE2210-C6D9-4A59-B84F-98588FA24962 - Computer Business Review Sun creates world's smallest SSL Web server Sun Microsystems Inc has created what can truly be called a microsystem. The tiny server, nicknamed Sizzle (from Slim SSL), is the size and shape of a quarter. It was created by Sun's engineers as a proof-of-concept machine for embedded applications and will be presented at the Pervasive Computing and Communications show in March. 14 Jan 2005, 10:47 GMT - Sizzle is a wireless Web server and is based on an 8-bit microprocessor designed by Crossbow Technology Inc. The server has 8Kb of main memory, which implements a stripped-down operating system plus a Web server and an SSL server. Crossbow has created its own operating system, called TinyOS, for these remote computers, often referred to as motes. The mote that Sun is using in Sizzle is called the MICA2DOT, and it is powered by a three-volt button battery, like the kind in your motherboard to keep your BIOS settings alive. It is unclear if Sun is using TinyOS or a stripped-down version of Solaris or Linux to create its micro Web server. Sun is adding 128Kb of flash memory to the mote, and it is implementing a version of SSL based on Elliptic Curve Cryptography (ECC) that Sun says makes public key cryptography suitable on a very tiny machine with extremely limited capabilities. Sizzle can complete an SSL handshake in under four seconds, and can do it in under two seconds with sessions that are reused; the Web server can transfer about 450 bytes per second. While you may not be able to run Yahoo on it, you can build vast arrays of sensors with ad hoc networking, which is what motes are for.
Hanging the Pirates
http://www.forbes.com/forbes/2005/0131/096_print.html Forbes Security Hanging the Pirates 01.31.05 Paul Kocher has a way to save Hollywood from illegal copying.

Over the past few months top brass from Hollywood and Japan's consumer electronics giants have been hashing out their futures in hotel meeting rooms in Tokyo and Los Angeles. Topic A is the politically charged debate over the standard for the new high-definition DVDs, which the film industry hopes will swell the current $24 billion DVD market, as hi-def becomes the norm. Most of the players want to get something decided on within a year. But, as big as the stakes are in those discussions, the movie studios are even more keen on the outcome of the talks on the 39th floor of Toshiba's Tokyo headquarters.

By the Numbers: Price of Piracy. Illegal file-sharing hits music far harder than film--for now.
- $21 billion: DVD sales in U.S. in 2004, a 200% increase since 2000.
- $12 billion: CD sales in U.S., a 17% decline since 2000.
- $3 billion: amount movie studios lose to piracy each year.
- $4 billion: amount music publishers lose to piracy each year.
Sources: Adams Media Research; RIAA; MPAA.

There, a select security committee representing both hardware and film makers has an extremely rare opportunity to stop digital piracy from doing to movies what it did to music. Napster and its ilk have helped knock 17% off of record label sales in the past three years. With DVD's basic encryption already cracked and one-quarter of American homes now capable of broadband-speed downloads, it's inevitable that one day the latest Harry Potter film will be swapped as easily as U2's new hit. "This is the number one priority at the highest levels," says Thomas Lesinski, president of Paramount Home Entertainment. "The studios want to have more control over protecting our content."
One of the most important people involved in that discussion is Paul Kocher, the 31-year-old president of Cryptography Research, a tiny San Francisco consulting and licensing firm that brought in $6 million last year. Kocher is soft-spoken, young and obscure, but his credibility in the encryption business is sterling. Eight years ago, fresh out of Stanford, Kocher cowrote Secure Sockets Layer (SSL), the protocol that secures the vast majority of commerce on the Internet. What Kocher is pushing is the concept of renewable security. Any attempt to erect a one-time, rigid barrier between thieves and content, he says, is useless, including the current method pushed through by the Japanese consumer electronics companies. With very few exceptions, all the major security systems being used by the studios today are either broken and can't be fixed, or they're not deployed widely enough to be worth hacking, says Kocher. Under the existing Content Scrambling System, electronics makers install the exact same encryption code into nearly every DVD player. But that was broken by European hackers in 1999 and the trick disseminated widely on the Internet. Even the least sophisticated user can now download a program that easily copies protected movies. Kocher's alternative is to allow for constant change. His system, called self-protecting digital content, places the security on the disc instead of in the player. A software recipe running into the millions of steps is burned onto every new movie disc. Each DVD player would contain a small chip costing only a few extra cents that would follow the recipe faithfully. If the DVD player decides the disc is secure, it will decode it and play the movie. But each film could have a different recipe. So if a pirate breaks the code on Spider-Man 2, he wouldn't necessarily be able to break the code on Elf. The studios would always be one step ahead of the thieves; at the very least it would take pirates more time to break each film. 
Not a big deal: Studios make most of their money from DVDs in the first three months, anyway. A lot of security systems are hard and brittle, says Robert Baldwin, head of the security firm Plus Five Consulting. Paul's is more like a willow tree. It bends and recovers. No studio executive contacted would comment on Kocher's scheme on the record, but it looks likely to be the backbone of any eventual security standard. A group including IBM, Toshiba, Time Warner and Microsoft is also angling to get a complementary encryption scheme called AACS into every future player. It will likely be written to work with Kocher's idea. Consumer electronics firms, which dictated the last encryption format, never had much to lose from security leaks. Film executives like the fact that Kocher's scheme gives them a stronger hand. Now they will be able to decide how much security they want on each disc and when it needs to be updated. Kocher, son of a physics professor at Oregon State University in Corvallis, says he learned about computing because he stayed home a lot, too lazy to bike the two miles into town. He initially wanted to be a
Webpay system open to voucher fraud
http://www.theregister.co.uk/2005/01/17/webpay_voucher_fraud/print.html The Register Biting the hand that feeds IT The Register » Security » Network Security » Original URL: http://www.theregister.co.uk/2005/01/17/webpay_voucher_fraud/ Webpay system open to voucher fraud By Jan Libbenga (libbenga at yahoo.com) Published Monday 17th January 2005 16:46 GMT Webpay International AG, the market leading payment system for digital content and services in Europe, doesn't offer a flawless micro payment service, at least in the Netherlands, according to Dutch consumer watchdog tv show Kassa and computer weekly Computer Idee. It is relatively easy to manipulate user data required for the Dutch MSN music download site (TV item in Dutch over here (http://cgi.omroep.nl/cgi-bin/streams?/tv/vara/kassa/bb.laatste.asf?start=00:16:24end=00:26:13) ). The payments for that site are handled by Webpay under its original name Firstgate. Firstgate users can buy online vouchers and decide which songs they want to purchase later. Kassa and Computer Idee discovered that these vouchers can be easily purchased by filling in someone else's name and bank details. Users can even add money to their prepaid account, again using details from other users. None of this information is verified by Firstgate. Even though upgrading the account requires a pin code, it isn't necessary to enter the code straight away. The song or album to be purchased can be downloaded immediately. Firstgate, which offers the same service for cable operator Chello, doesn't deny that this kind of fraud is possible, but stresses that fraudsters can be traced and will be prosecuted. However, the company wasn't too thrilled with the publicity and originally threatened to sue broadcaster VARA. Webpay International licenses its micropayment clickbuy service also to British Telecom, and to Swisscom, which launched Swisscom clickbuy in Q4 2004.
Word and Excel have RC4 flaw, claim
http://www.theinquirer.net/print.aspx?article=20790print=1 Word and Excel have RC4 flaw, claim Cryptic cross words By: Nick Farrell Wednesday 19 January 2005, 07:50 SECURITY EXPERT Bruce Schneier claims that Microsoft's Word and Excel security protection systems have amateurish flaws which make them easy to break. On his blog here, the writer of 'Applied Cryptography' said that VoleWare breaks one of the most important rules of stream ciphers. That is that you don't use the same keystream to encrypt two different documents. "If someone does, you can break the encryption by XORing the two ciphertext streams together. The keystream drops out, and you end up with plaintext XORed with plaintext -- and you can easily recover the two plaintexts using letter frequency analysis and other basic techniques," he said. Word and Excel both use this amateur crypto mistake. Apparently Microsoft made the same mistake in 1999 with RC4 in WinNT Syskey. "Five years later, Microsoft has the same flaw in other products," Schneier claims.
Schneier on Security: Microsoft RC4 Flaw
http://www.schneier.com/blog/archives/2005/01/microsoft_rc4_f.html

Bruce Schneier
Schneier on Security
A weblog covering security and security technology.

January 18, 2005

Microsoft RC4 Flaw

One of the most important rules of stream ciphers is to never use the same keystream to encrypt two different documents. If someone does, you can break the encryption by XORing the two ciphertext streams together. The keystream drops out, and you end up with plaintext XORed with plaintext -- and you can easily recover the two plaintexts using letter frequency analysis and other basic techniques. It's an amateur crypto mistake.

The easy way to prevent this attack is to use a unique initialization vector (IV) in addition to the key whenever you encrypt a document.

Microsoft uses the RC4 stream cipher in both Word and Excel. And they make this mistake. Hongjun Wu has details (link is a PDF).

    In this report, we point out a serious security flaw in Microsoft Word and Excel. The stream cipher RC4 [9] with key length up to 128 bits is used in Microsoft Word and Excel to protect the documents. But when an encrypted document gets modified and saved, the initialization vector remains the same and thus the same keystream generated from RC4 is applied to encrypt the different versions of that document. The consequence is disastrous since a lot of information of the document could be recovered easily.

This isn't new. Microsoft made the same mistake in 1999 with RC4 in WinNT Syskey. Five years later, Microsoft has the same flaw in other products.

Posted on January 18, 2005 at 09:00 AM
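The keystream-reuse property that both the Inquirer item and Schneier's post describe, worked through in code. This is an added example, not code from either page or from Hongjun Wu's report: the RC4 routine is the textbook KSA/PRGA, deriving a stream key by hashing key||IV is an assumption made for this demonstration (not the Office file format's own key derivation), and the key and the two document versions are constructed sample data. It encrypts two saves of a document under the same key and the same IV, shows that XORing the two ciphertexts cancels the keystream so the edited byte positions leak and one known version yields the other, then repeats the save with a fresh IV per save (the fix Schneier names) and shows the relation no longer holds.

```python
"""Keystream reuse in a stream cipher, illustrated with RC4.

Two versions of a document are encrypted under one key with (a) the same IV
every save, the pattern described for Word/Excel, and (b) a fresh IV per save.
The key, IV and both document versions are constructed for this example.
"""
import hashlib
import os


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Generate `length` bytes of RC4 keystream (textbook KSA + PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                     # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """RC4-encrypt under a stream key derived from (key, IV).

    Hashing key||IV is an assumption of this example, not Office's derivation.
    The point it makes holds for any derivation: an identical (key, IV) pair
    yields an identical keystream.
    """
    stream_key = hashlib.sha256(key + iv).digest()[:16]
    return xor_bytes(plaintext, rc4_keystream(stream_key, len(plaintext)))


def ciphertext_xor(c1: bytes, c2: bytes) -> bytes:
    """(P1 ^ K) ^ (P2 ^ K) == P1 ^ P2 when both used keystream K: K drops out."""
    return xor_bytes(c1, c2)


def changed_positions(c1: bytes, c2: bytes) -> list:
    """Offsets where two same-keystream ciphertexts differ.

    Since the keystream cancels, these are exactly the offsets where the two
    plaintext versions differ: the edit map leaks without touching the key.
    """
    return [i for i, b in enumerate(ciphertext_xor(c1, c2)) if b]


def recover_other_version(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """With one version known, the other falls out: P2 = C1 ^ C2 ^ P1."""
    return xor_bytes(ciphertext_xor(c1, c2), known_p1)


# Constructed sample: two saves of one document with a few numbers edited.
KEY = b"document-password"
FIXED_IV = b"\x00" * 16          # never rotated -> same keystream on every save
VERSION_1 = b"Q3 forecast: revenue 1200, headcount 40. DRAFT - do not circulate."
VERSION_2 = b"Q3 forecast: revenue 1450, headcount 38. DRAFT - do not circulate."


def flawed_saves():
    """Both versions encrypted under the same key and the same IV."""
    return encrypt(KEY, FIXED_IV, VERSION_1), encrypt(KEY, FIXED_IV, VERSION_2)


def fixed_saves():
    """Each save gets a fresh random IV, so the two keystreams are unrelated."""
    iv1, iv2 = os.urandom(16), os.urandom(16)
    return (iv1, encrypt(KEY, iv1, VERSION_1)), (iv2, encrypt(KEY, iv2, VERSION_2))


if __name__ == "__main__":
    c1, c2 = flawed_saves()
    print("keystream cancels:", ciphertext_xor(c1, c2) == xor_bytes(VERSION_1, VERSION_2))
    print("edited offsets leaked:", changed_positions(c1, c2))
    print("version 2 from version 1:", recover_other_version(c1, c2, VERSION_1))
    (_, d1), (_, d2) = fixed_saves()
    print("fresh IVs, XOR still equals P1^P2:",
          ciphertext_xor(d1, d2) == xor_bytes(VERSION_1, VERSION_2))
```

The IV in the fixed variant must be stored alongside the ciphertext so the reader can rederive the stream key; what matters is that it is never reused under the same key, which is the property the flawed variant violates on every save.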
Consumer-Electronics Firms Join To Develop Antipiracy Software
http://online.wsj.com/article_print/0,,SB110609171910929502,00.html

The Wall Street Journal
January 19, 2005

Consumer-Electronics Firms Join To Develop Antipiracy Software
By DON CLARK
Staff Reporter of THE WALL STREET JOURNAL
January 19, 2005; Page D5

Some of the biggest consumer-electronics companies are jointly developing new technology to control how consumers use digital content in the home.

The companies -- Sony Corp., Samsung Electronics Co., Philips Electronics NV and Matsushita Electric Industrial Co., maker of Panasonic-brand products -- today are announcing what they are calling the Marlin Joint Development Association. The group, which includes a Silicon Valley company called Intertrust Technologies Corp., plans to develop standard specifications for software that can prevent digital movies and music from being improperly copied. It also intends to enforce rules about how such content can be played and shared.

Fears of piracy have discouraged content owners from allowing some high-definition video and other digital programming from being distributed in the home. Makers of devices such as digital recorders and DVD players, meanwhile, are worried about adopting incompatible antipiracy technologies, which could mean a protected movie or song might play on one gadget but not another.

Such technology is known by the acronym DRM, for digital rights management. Microsoft Corp. has been trying to get hardware makers to use its proprietary DRM software. Other companies, such as Apple Computer Inc., have developed such technology for their own products. A confusing array of joint DRM projects has also popped up, addressing specific problems such as video on a new generation of disks that are expected to succeed DVDs.

What makes Marlin different, backers say, is mainly that it is emanating from some of the biggest brands in consumer electronics. "The CE industry has been pretty quiet," said Talal Shamoon, Intertrust's chief executive. "Now, they are detonating their DRM," he said.

But Michael McGuire, an analyst at Gartner Inc., noted that the new effort has yet to show it will win support from content holders, such as movie studios. The proliferation of DRM efforts also could confuse consumers. "If I'm a user, I'm wondering, is this going to make things more complicated for me?" Mr. McGuire said.

Some of Marlin's current members also are likely to consider multiple DRM options. Sony, for example, said it is too early to say whether it will favor Marlin over its proprietary DRM technologies. "We are actively evaluating opportunities to use Marlin," said Mack Araki, a Sony spokesman. "But I can't comment on specific plans today."

Marlin comes on the heels of an earlier joint effort, called the Coral Consortium, that had some common members with Marlin. Coral, however, was designed to let different DRM programs work together, rather than establish a specific piece of software as a standard for hardware companies to adopt, Mr. Shamoon said. Both efforts were partly based on technology developed by Intertrust, a company that was jointly purchased in 2003 by Sony, Philips and other investors.

Success of earlier such efforts has been mixed. While DRM systems usually make piracy more difficult, hackers have successfully cracked some high-profile protection schemes, including FairPlay, the copy-protection software Apple uses for music it sells through its iTunes Music Store.
Tor 0.0.9.3 is out (fwd from [EMAIL PROTECTED])
--- begin forwarded text

Date: Sat, 22 Jan 2005 10:01:46 +0100
From: Eugen Leitl [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Tor 0.0.9.3 is out (fwd from [EMAIL PROTECTED])
User-Agent: Mutt/1.4i
Sender: [EMAIL PROTECTED]

From: Roger Dingledine [EMAIL PROTECTED]
Subject: Tor 0.0.9.3 is out
To: [EMAIL PROTECTED]
Date: Sat, 22 Jan 2005 01:54:42 -0500
Reply-To: [EMAIL PROTECTED]

Tor 0.0.9.3 improves cpu usage, works better when the network was recently offline and you try to use Tor, and makes hidden services less unbearable.

http://tor.eff.org/download.html

  o Bugfixes on 0.0.9:
    - Backport the cpu use fixes from main branch, so busy servers won't need as much processor time.
    - Work better when we go offline and then come back, or when we run Tor at boot before the network is up. We do this by optimistically trying to fetch a new directory whenever an application request comes in and we think we're offline -- the human is hopefully a good measure of when the network is back.
    - Backport some minimal hidserv bugfixes: keep rend circuits open as long as you keep using them; actually publish hidserv descriptors shortly after they change, rather than waiting 20-40 minutes.
    - Enable Mac startup script by default.
    - Fix duplicate dns_cancel_pending_resolve reported by Giorgos Pallas.
    - When you update AllowUnverifiedNodes or FirewallPorts via the controller's setconf feature, we were always appending, never resetting.
    - When you update HiddenServiceDir via setconf, it was screwing up the order of reading the lines, making it fail.
    - Do not rewrite a cached directory back to the cache; otherwise we will think it is recent and not fetch a newer one on startup.
    - Workaround for webservers that lie about Content-Encoding: Tor now tries to autodetect compressed directories and compression itself. This lets us Proxypass dir fetches through apache.

-- 
Eugen* Leitl leitl (http://leitl.org)
ICBM: 48.07078, 11.61144 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
http://moleculardevices.org http://nanomachines.net

--- end forwarded text
PET 2005 Submission deadline approaching (7 Feb) and PET Award (21 Feb)
--- begin forwarded text

To: sec-lists: ;, anonymity researchers: ;, David Martin [EMAIL PROTECTED]
Date: Tue, 25 Jan 2005 15:05:55 +
From: George Danezis [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: PET 2005 Submission deadline approaching (7 Feb) and PET Award (21 Feb)
Sender: [EMAIL PROTECTED]

Dear Colleagues,

The submission deadline for the Privacy Enhancing Technologies workshop (PET 2005) is on the 7th February 2005. The latest CfP is appended.

We also solicit nominations for the Award for Outstanding Research in Privacy Enhancing Technologies by February 21. For more information about suggesting a paper for the award: http://petworkshop.org/award/

Yours,
George Danezis

5th Workshop on Privacy Enhancing Technologies
Dubrovnik, Croatia
May 30 - June 1, 2005

CALL FOR PAPERS
http://petworkshop.org/2005/

Important Dates:
  Paper submission: February 7, 2005
  Notification of acceptance: April 4, 2005
  Camera-ready copy for preproceedings: May 6, 2005
  Camera-ready copy for proceedings: July 1, 2005

Award for Outstanding Research in Privacy Enhancing Technologies
  Nomination period: March 4, 2004 through March 7, 2005
  Nomination instructions: http://petworkshop.org/award/

---

Privacy and anonymity are increasingly important in the online world. Corporations, governments, and other organizations are realizing and exploiting their power to track users and their behavior, and restrict the ability to publish or retrieve documents. Approaches to protecting individuals, groups, but also companies and governments from such profiling and censorship include decentralization, encryption, distributed trust, and automated policy disclosure. This 5th workshop addresses the design and realization of such privacy and anti-censorship services for the Internet and other communication networks by bringing together anonymity and privacy experts from around the world to discuss recent advances and new perspectives.

The workshop seeks submissions from academia and industry presenting novel research on all theoretical and practical aspects of privacy technologies, as well as experimental studies of fielded systems. We encourage submissions from other communities such as law and business that present their perspectives on technological issues. As in past years, we will publish proceedings after the workshop in the Springer Lecture Notes in Computer Science series.

Suggested topics include but are not restricted to:
  * Anonymous communications and publishing systems
  * Censorship resistance
  * Pseudonyms, identity management, linkability, and reputation
  * Data protection technologies
  * Location privacy
  * Policy, law, and human rights relating to privacy
  * Privacy and anonymity in peer-to-peer architectures
  * Economics of privacy
  * Fielded systems and techniques for enhancing privacy in existing systems
  * Protocols that preserve anonymity/privacy
  * Privacy-enhanced access control or authentication/certification
  * Privacy threat models
  * Models for anonymity and unobservability
  * Attacks on anonymity systems
  * Traffic analysis
  * Profiling and data mining
  * Privacy vulnerabilities and their impact on phishing and identity theft
  * Deployment models for privacy infrastructures
  * Novel relations of payment mechanisms and anonymity
  * Usability issues and user interfaces for PETs
  * Reliability, robustness and abuse prevention in privacy systems

Stipends to attend the workshop will be made available, on the basis of need, to cover travel expenses, hotel, or conference fees. You do not need to submit a technical paper and you do not need to be a student to apply for a stipend. For more information, see http://petworkshop.org/2005/stipends.html

General Chair:
  Damir Gojmerac ([EMAIL PROTECTED]), Fina Corporation, Croatia

Program Chairs:
  George Danezis ([EMAIL PROTECTED]), University of Cambridge, UK
  David Martin ([EMAIL PROTECTED]), University of Massachusetts at Lowell, USA

Program Committee:
  Martin Abadi, University of California at Santa Cruz, USA
  Alessandro Acquisti, Heinz School, Carnegie Mellon University, USA
  Caspar Bowden, Microsoft EMEA, UK
  Jean Camp, Indiana University at Bloomington, USA
  Richard Clayton, University of Cambridge, UK
  Lorrie Cranor, School of Computer Science, Carnegie Mellon University, USA
  Roger Dingledine, The Free Haven Project, USA
  Hannes Federrath, University of Regensburg, Germany
  Ian Goldberg, Zero Knowledge Systems, Canada
  Philippe Golle, Palo Alto Research Center, USA
  Marit Hansen, Independent Centre for Privacy Protection Schleswig-Holstein, Germany
  Markus Jakobsson, Indiana University at Bloomington, USA
  Dogan Kesdogan, Rheinisch-Westfaelische Technische Hochschule Aachen, Germany
  Brian Levine, University of Massachusetts at Amherst, USA
  Andreas Pfitzmann, Dresden University of Technology, Germany
  Matthias Schunter, IBM Zurich Research Lab, Switzerland
  Andrei Serjantov, The Free
Sleuthing Spyware--And Its Corporate Sponsors
http://www.forbes.com/2005/01/19/cx_pp_0120spyedelman_print.html

Forbes
Software
Sleuthing Spyware--And Its Corporate Sponsors
Penelope Patsuris, 01.19.05, 5:34 PM ET

Benjamin Edelman became a spyware expert before most of us had any idea what was even clogging our computers. He's currently a candidate for a doctorate in economics at Harvard University and a Harvard Law student, but his work is hardly academic.

Edelman, 24, has built a cottage industry documenting the nefarious ways of the spyware and adware industries, which he contends are one and the same. His extensive Web site is packed with the kind of hard evidence--screenshots and videos--that's required to combat the deception he says has been employed by companies like Claria, 180solutions, WhenU and DirectRevenue to make a buck. Each of these companies denies any wrongdoing, except DirectRevenue, whose spokesman had no comment.

Many of Edelman's opponents say his accusations are self-serving, since he has at times worked for companies suing adware outfits. Edelman has lots of litigation experience despite his young age, having consulted for and testified on behalf of organizations like the ACLU, the National Association of Broadcasters and the National Football League. In 2002 he testified on behalf of a group of media outfits, including The New York Times Co., The Washington Post's interactive unit and Dow Jones, in their lawsuit against adware outfit Gator--now named Claria. The suit claimed, among other things, that Gator's pop-up ads were unlawfully obscuring the media companies' own online content. The suit was settled under confidential terms in February 2003.

Edelman doesn't just take on the makers of spyware--he outs the big-name companies that support them. In June 2004, he posted a list of WhenU advertisers, including J.P. Morgan Chase, Verizon Communications, Merck and T-Mobile. Advertisers react to the finger-pointing with varying degrees of concern. Verizon says that it no longer uses WhenU, while a spokesman for T-Mobile says that he hasn't received any complaints about the WhenU ads and that WhenU is opt-in and it can be removed easily. Repeated calls to Merck and J.P. Morgan Chase were not returned.

Edelman's Web page also accuses WhenU of transmitting the browsing activity of its users back to the company, a practice that he says WhenU's privacy policy specifically promises not to engage in. He also writes that WhenU has spammed search giant Google.

WhenU President Avi Naider says Edelman is wrong. "In the past Mr. Edelman has made statements about WhenU that drew incorrect conclusions about WhenU and were legally inappropriate," says Naider. "We take our privacy protection very seriously." He adds that WhenU's privacy policy has been audited by Microsoft's former chief privacy officer, Richard Purcell, who is chairman of TRUSTe, a nonprofit online-privacy organization.

Perhaps what's most interesting on Edelman's Web site is a video dated Nov. 18, 2004, which depicts roughly 25 different adware programs, including 180solutions, that download via security holes onto his browser. Todd Sawicki, 180's director of marketing, says that his company is taking various steps to prevent this kind of thing from happening, but that unfortunately, "where there is money, the bad guys will follow."

Edelman's biggest beef with Claria: "Their license fails to prominently disclose the fact that they are collecting and storing information about what users do online," he says. "But when you read the Claria installer, it never tells you, 'We collect information.' Instead it says, 'We show you ads that are based on where you visit.'"

Claria Chief Marketing Officer Scott Eagle says the company's updated user agreement clarifies that point, but admits that the update isn't presented to many users that get Claria when they download free software like Kazaa. Indeed, Claria said in an S-1 filing with the U.S. Securities and Exchange Commission--since withdrawn--that it gets most of its users via Kazaa.

Still, Eagle questions Edelman's motives, saying he's worked for companies that are suing Claria. (Edelman did work for Teleflora, which has a case against Claria, but he no longer does.) Edelman counters, "My clients don't hire me to help them with litigation against Claria because I'm a big fan."

The Harvard student also takes Claria advertisers to task, posting a screen shot of a British ad for Dell that appeared on his PC via Claria when he was browsing IBM's Web site. Edelman notes the irony that Dell has been quite vocal about the burden that the spyware boom has placed on its own
Diebold completes e-voting printer prototype
Wherein Diebold remembers, hey, presto, they're a cash-register company after all...

Cheers,
RAH

---

http://www.usatoday.com/tech/news/techpolicy/evoting/2005-01-28-diebold-printout_x.htm

USA Today

Diebold completes e-voting printer prototype

NORTH CANTON, Ohio (AP) - Diebold said Thursday it has completed a prototype printer designed for use with touch-screen electronic voting machines, allowing voters to print, review and verify ballot selections.

"Voter verified paper receipts are something new," said David Bear, a spokesman for subsidiary Diebold Election Systems in McKinney, Texas. "No other type of voting provides a receipt for voters. But some states are asking for it, so we needed to develop a product that meets standards for functionality," he said.

Voters can view their selections, but will not be able to remove the printout. The voter's printed selections would be placed into a secure enclosure, stored and numbered with a security tag. The printer weighs less than three pounds.

The printer will be submitted to independent testing authorities to ensure that it meets federal standards as a prerequisite to certification in states, Bear said. The printer would be an optional component to any new or existing Diebold AccuVote TSx touch-screen voting machine. Bear said a per-unit cost and a time frame for possible sale are not yet determined.
[ISN] REVIEW: Modern Cryptography: Theory and Practice, Wenbo Mao
--- begin forwarded text

Date: Tue, 1 Feb 2005 03:05:23 -0600 (CST)
From: InfoSec News [EMAIL PROTECTED]
To: isn@attrition.org
Subject: [ISN] REVIEW: Modern Cryptography: Theory and Practice, Wenbo Mao
Reply-To: [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]

Forwarded from: Rob, grandpa of Ryan, Trevor, Devon & Hannah [EMAIL PROTECTED]

BKMDNCRP.RVW   20041207

"Modern Cryptography: Theory and Practice", Wenbo Mao, 2004, 0-13-066943-1, U$54.99/C$82.99
%A   Wenbo Mao
%C   One Lake St., Upper Saddle River, NJ 07458
%D   2004
%G   0-13-066943-1
%I   Prentice Hall
%O   U$54.99/C$82.99 +1-201-236-7139 fax: +1-201-236-7131
%O   http://www.amazon.com/exec/obidos/ASIN/0130669431/robsladesinterne
     http://www.amazon.co.uk/exec/obidos/ASIN/0130669431/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0130669431/robsladesin03-20
%O   tl s rl 1 tc 3 ta 3 tv 0 wq 1
%P   707 p.
%T   "Modern Cryptography: Theory and Practice"

A "Short Description of the Book" states that it is intended to address the issue of whether various crypto algorithms are practical, as opposed to just theoretically strong. This seems odd, since no algorithm is ready for implementation as such: it must be made part of a full system, and most problems with cryptography come in the implementation. The preface doesn't make things much clearer: it reiterates a "fit-for-application" mantra, but doesn't say clearly, at any point, why existing algorithms are not appropriate for use. The preface also suggests that this book is for advanced study in cryptography, although it states that security engineers and administrators, with special responsibility for developing or implementing cryptography, are also in the target audience.

Part one is an introduction, consisting of two chapters. Chapter one outlines the idea of the first protocol of the book: a fair coin toss over the telephone, grounding the book firmly in the camp of cryptography for the purpose of secure communications. The remainder of the chapter points out all the requirements to make such an unbiased selector work, acting as a kind of sales pitch or come on to make you want to read the rest of the book. The promotion is slightly flawed by the fact that there is very little practical detail in the material (it takes a lot of work on the part of the reader to figure out that, yes, this system might work), excessive verbiage, and poor explanations. The stated objectives of the chapter, given at the end, say that you should have a fundamental understanding of cryptography: this is true only in the most limited sense. Chapter two slowly builds a kind of pseudo-Kerberos system.

Part two covers mathematical foundations. Chapter three deals with probability and information theory, four with Turing Machines and the notion of computational complexity, five with the algebraic foundations behind the use of prime numbers and elliptic curves for cryptography, and various number theory topics are touched on in chapter six.

Part three addresses basic cryptographic techniques. Chapter seven deals with basic symmetric encryption techniques, touching on substitution and transposition, as well as reviewing the operations of DES (Data Encryption Standard) and AES (Advanced Encryption Standard). The insistence on converting all operations, and giving all explanations, in symbolic logic does not seem to have any utility, does not provide any clarity, and makes the material much more difficult than it could be. Asymmetric techniques, and attacks against them, are outlined in chapter eight. Finding individual bits of the message, a process examined in chapter nine, can, over time, result in an attack on the message or key as a whole. Chapter ten looks at data integrity, hashes, and digital signatures.

Part four deals with authentication. Chapter eleven reviews various conceptual protocols, pointing out (for example) that there is a serious problem of key storage for challenge/response systems. A variety of real applications are considered in chapter twelve, and warnings issued about each. Issues of authentication specific to asymmetric systems are covered in chapter thirteen.

Part five looks at formal approaches to the establishment of security. There is more asymmetric cryptographic theory in chapter fourteen. Chapter fifteen examines a number of provably secure asymmetric cryptosystems, while sixteen does the same for digital signatures. Formal methods of authentication protocol analysis are given in chapter seventeen.

Part six discusses abstract cryptographic protocols. Chapter eighteen reviews a number of zero knowledge protocols, which provide the basis for authentication where the principals are not previously known to each other. The coin flipping protocol, initiated in chapter one, is revisited in chapter nineteen. Chapter twenty wraps up with a summary of the author's intentions for the book.

The book is certainly for advanced study, but it is hardly suitable for security
World-Renowned Cryptographer Arjen Lenstra Joins Bell Labs
http://www.mysan.de/international/article32397.html

mysan.de/international - World-Renowned Cryptographer Arjen Lenstra Joins Bell Labs
Adds Valuable Talent to Lucent Technologies' Network Security Research

MURRAY HILL, N.J., Feb. 1 /PRNewswire-FirstCall/ -- Lucent Technologies (NYSE:LU) today announced that Arjen Lenstra, a world-renowned expert in evaluating, designing and developing the cryptographic algorithms and protocols that protect sensitive information as it is communicated electronically, has joined Bell Labs' Computing Sciences Research Center. Prior to joining Bell Labs, Lenstra was vice president of Information Security Services at Citigroup.

Lenstra specializes in the security of systems that are widely used in e-commerce applications, such as key size selection, an important factor in how electronic transactions are secured, and the evaluation of cryptosystems such as RSA and ElGamal, encryption systems used in e-commerce protocols.

"Arjen is a significant addition to an already world-class group of researchers at Bell Labs who are developing the algorithms, architectures and systems necessary to ensure the security and reliability of networks," said Jeff Jaffe, president, Bell Labs Research and Advanced Technologies. "His expertise will have a profound impact not just on Lucent's business, but on the business of our customers as well. We're thrilled to have him on board."

Lenstra focuses on how academic cryptologic research and computational number theory impact practical security applications and practices. This is important because the vast majority of the crypto work happening today in research labs and universities around the world, while important and useful, is often too costly for practical implementation. Lenstra believes that bridging the gap between what's theoretically possible and what's practical is a major research challenge; it is the area he will concentrate on at Bell Labs.

"I joined Bell Labs because I wanted to go back to designing algorithms and tackling hard problems in computational number theory in a way that will make a difference to people outside of academia," said Lenstra. "What I found compelling about the Labs was that everyone I spoke with here knew exactly how the research they were doing helped the company or its customers in some meaningful way."

"Arjen's network security expertise will further enhance Bell Labs' capability in this critical area and will enable Lucent to continue improving the security of the solutions we offer to our customers," said Linda Bramblett, director of Lucent Worldwide Services' Security Practice. "We are pleased that Arjen recognized the company's commitment to stay at the forefront of developing the next generation of security solutions and services, and that he will be part of the Bell Labs team helping us do just that."

One recent example of Lenstra's expertise came after a recent cryptography conference where it was shown that some widely used hash functions -- cryptographic "fingerprints" used in network protocols in such industries as banking to create secure digital signatures -- are weaker than expected, leaving online transactions potentially vulnerable to attack. Lenstra assessed these theories and demonstrated that their real-life impact was minimal. This kind of analysis helps Lucent's customers avoid needless spending by evaluating the actual risk of developments advertised as "cryptographic disasters" to assess whether they have any significant real-life impact.

Lenstra's formal training is in computational number theory, a field concerned with finding and implementing efficient computer algorithms for solving various problems rooted in number theory.

Lenstra was a key contributor to the team that successfully factored RSA-155, a 512-bit number, which at the time was the default key size used to secure e-commerce transactions on the Internet. This was a significant accomplishment because the RSA public-key cryptosystem relies on the inability to factor such a number, and Lenstra's team was able to do so in less than seven months, suggesting this approach was not as secure as had been believed.

Lenstra invented a number of widely used algorithms, cryptographic systems and software packages including FreeLIP, software used for efficient development and implementation of cryptographic protocols. In addition, Lenstra co-authored the influential paper "Selecting Cryptographic Key Sizes," which offered guidelines for determining key sizes for cryptosystems based on a set of explicitly formulated hypotheses and data points about the cryptosystems.

Lenstra has a bachelor's degree in mathematics and physics, a master's degree in mathematics, and a doctorate in mathematics and computer science from the University of Amsterdam. He has spent his career working, teaching or consulting
FSTC Announces Availability of FSTC Counter-Phishing Project Whitepaper and Supporting Documents
--- begin forwarded text

Date: Tue, 01 Feb 2005 14:38:24 -0500
From: Zachary Tumin [EMAIL PROTECTED]
Subject: FSTC Announces Availability of FSTC Counter-Phishing Project Whitepaper and Supporting Documents
To: 'Members' members@ls.fstc.org
Reply-To: [EMAIL PROTECTED]
Thread-Index: AcUIlZgU2CHR/ELITdGfx45tInzmrg==

To: All FSTC Members and Friends
From: Zach Tumin, Executive Director

I am pleased to announce the availability of FSTC's "Understanding and Countering the Phishing Threat", the summary whitepaper of findings and recommendations of the FSTC Counter-Phishing Project. The whitepaper contains valuable data, published here for the first time, including FSTC's Phishing Attack Life Cycle and FSTC's Taxonomy of Phishing Attacks.

This and all other project deliverables are located at http://fstc.org/projects/counter-phishing-phase-1/

In addition to the whitepaper, the following deliverables are being made available on the site, as follows:

TO ALL: Results Summary: FSTC Counter-Phishing Solutions Survey: An overview of the 60+ solutions currently offered on the marketplace, broken down by where they map against the FSTC Phishing Attack Life Cycle

TO ALL: Vocabulary of Phishing Terms: A glossary of terms used throughout the project. The project team used these to speak the same language when talking about the problem and potential solutions, whether internally, or with vendors, or with customers

TO FSTC MEMBERS ONLY: Results Summarized By Solution: identifies solutions by company and product name as they map against the different phases of the FSTC Phishing Attack Life Cycle

TO FSTC MEMBERS ONLY: Directory of Survey Respondents: contact information for each company/solution provider that responded to the survey

FOR PURCHASE: Cost/Impact Spreadsheet Tool: a tool that provides a means to estimate the direct and indirect costs/impacts of phishing to a financial institution

FSTC extends its gratitude to its member organizations for their efforts and contributions in completing this important industry research, and to the project's talented management team for helping our members realize their goals.

To subscribe or unsubscribe from this elist use the subscription manager: http://ls.fstc.org/subscriber

--- end forwarded text
Dell to Add Security Chip to PCs
http://online.wsj.com/article_print/0,,SB110727370814142368,00.html

The Wall Street Journal
February 1, 2005 11:04 a.m. EST

Dell to Add Security Chip to PCs
By GARY MCWILLIAMS
Staff Reporter of THE WALL STREET JOURNAL
February 1, 2005 11:04 a.m.

HOUSTON -- Dell Inc. today is expected to add its support to an industry effort to beef up desktop and notebook PC security by installing a dedicated chip that adds security and privacy-specific features, according to people familiar with its plans.

Dell will disclose plans to add the security features known as the Trusted Computing Module on all its personal computers. Its support comes in the wake of similar endorsements by PC industry giants Advanced Micro Devices Inc., Hewlett-Packard Co., Intel Corp. and International Business Machines Corp. The technology has been promoted by an industry organization called the Trusted Computing Group.

The company is also expected to unveil new network PCs.
MSN Belgium to use eID cards for online checking
http://www.theregister.co.uk/2005/02/01/msn_belgium_id_cards/print.html

The Register
Original URL: http://www.theregister.co.uk/2005/02/01/msn_belgium_id_cards/

MSN Belgium to use eID cards for online checking
By Jan Libbenga (libbenga at yahoo.com)
Published Tuesday 1st February 2005 14:34 GMT

Microsoft will integrate the Belgian eID Card with MSN Messenger. Microsoft's Bill Gates and Belgian State Secretary for e-government Peter Vanvelthoven announced the alliance today in Brussels. "We're working to ensure that our technologies support e-ID, to help make online transactions and communications more secure," Gates said.

eID stands for Electronic Identity Card. The card contains an electronic chip and gradually will replace the existing ID card system in Belgium. By end-2005, over 3 million eID cards will be distributed in the country.

Microsoft believes that combined with the eID Card MSN Messenger chatrooms will be much safer. Users would have a trustworthy way of identifying themselves online. The Belgian Federal Computer Crime Unit (FCCU) could even refuse young children access to certain chatrooms based on their electronic identity.

"We're not sure yet when we will be able to deliver this integration," Bill Gates said. "But developers here in Belgium and the US have proven the concept and are working already on the actual solution."
Peppercoin Small Payments Processing Suite Available to First Data Channels
http://biz.yahoo.com/prnews/050202/new005_1.html

Yahoo! Finance
Press Release
Source: Peppercoin

Peppercoin Small Payments Processing Suite Available to First Data Channels
Wednesday February 2, 9:03 am ET
Small Transaction Suite Certified for Sale Through Processor's Merchant Acquiring Partners

WALTHAM, Mass., Feb. 2 /PRNewswire/ -- Peppercoin, a payments company that enables profitable, new business models for low-priced digital content and physical goods, today announced its Small Transaction Suite is authorized for sale by First Data's merchant acquiring partners, to satisfy the small payment needs of the 3.5 million merchant clients they serve.

Peppercoin offers merchants a hosted small-payment service, based on credit and debit card usage, which enables merchants to optimize revenue and profitability. Peppercoin is the only small-payment vendor that addresses the digital, mobile and physical point-of-sale (POS) markets.

"Our agreement with First Data Merchant Services validates Peppercoin's ability to deliver a desired and profitable small payment solution to the financial services market, as well as the growing need for small payment credit and debit card payments solutions," said Mark Friedman, president of Peppercoin. "FDMS will enable a small payment business model that enhances merchant and acquirer revenue with one complete payment application."

Significant Market Opportunity:

Consumers are demonstrating a clear and growing preference to use their credit and debit cards for all sizes and types of purchases. In a 2004 study, Ipsos-Insight estimated that roughly 37.5 million US consumers would choose to use their credit and debit cards for transactions below $5. Each year, more than 354 billion cash transactions occur in the U.S. for less than $5 at the physical point-of-sale, representing $1.32 trillion in aggregate revenue. Leading markets include vending ($18 billion), parking ($10 billion), coin-op ($6 billion) and quick-serve-restaurants ($110 billion).

The online and mobile small payment opportunities are substantial as well; fueled by music, games, video, publishing and services. TowerGroup estimates the digital micropayments opportunity reached more than $3 billion in 2004. And a September 2004 Ipsos-Insight study revealed that, in just one year, the number of US consumers who have made small online purchases grew 250%, from 4 million to 14 million.

About Peppercoin, Inc.

Peppercoin enables profitable new business models for low-priced digital content and physical goods. Peppercoin's small payment products help merchants, banks, and other payments companies build market adoption quickly through a flexible, consumer-friendly approach. Peppercoin integrates easily with existing business models and systems to accelerate revenues and increase profits while dramatically lowering transaction and customer service costs. For more information visit http://www.peppercoin.com.

All trademarks are the property of their respective owners.

Contact: Mark McClennan or Scott Love
Schwartz Communications
781-684-0770
[EMAIL PROTECTED]

Source: Peppercoin
NIST moves to stronger hashing
http://www.fcw.com/print.asp

Federal Computer Week
Monday, February 7, 2005

NIST moves to stronger hashing
BY Florence Olsen
Published on Feb. 7, 2005

Federal agencies have been put on notice that National Institute of Standards and Technology officials plan to phase out a widely used cryptographic hash function known as SHA-1 in favor of larger and stronger hash functions such as SHA-256 and SHA-512.

The change will affect many federal cryptographic functions that incorporate hashes, particularly digital signatures, said William Burr, manager of NIST's security technology group, which advises federal agencies on electronic security standards. "There's really no emergency here," Burr said. "But you should be planning how you're going to transition - whether you're a vendor or a user - so that you can do better cryptography by the next decade."

Hashing is used to prevent tampering with electronic messages. A hash is a numerical code generated from a string of text when a message is sent. The receiving system checks it against a hash it creates from the same text, and if they match, the message was sent intact.

Speaking at a recent meeting of the federal Public Key Infrastructure Technical Working Group at NIST, Burr said some critics have questioned the security of the government-developed SHA-1 after some researchers managed to break a variant of the SHA-1 hash function last year. But Burr said no complete implementation of the SHA-1 function has been successfully attacked. "SHA-1 is not broken," he said, "and there is not much reason to suspect that it will be soon." But advances in computer processing capability make it prudent to phase out SHA-1 by 2010, he said.

Burr said other widely used hash functions such as MD5 are vulnerable to attack and their use should be discontinued. "If by some chance you are still using MD5 in certificates or for digital signatures, you should stop," he said.
Quantum crypto firm charts way to mainstream
http://news.zdnet.com/2102-1009_22-5564288.html?tag=printthis

Quantum crypto firm charts way to mainstream
By Michael Kanellos
URL: http://news.zdnet.com/2100-1009_22-5564288.html

Magiq Technologies is creating a new line of products this year that it says could help make quantum encryption--theoretically impossible to crack--more palatable to mainstream customers.

The New York-based company said it has signed a deal with Cavium Networks, under which Cavium's network security chips will be included inside Magiq's servers and networking boards. Magiq and Cavium will also create reference designs for networking boards and cards, with all of the necessary silicon to create a quantum encryption system. These will be marketed to networking gear makers, which, Magiq hopes, will include the boards inside future boxes.

"We have operability tests going on with major vendors," said Andy Hammond, vice president of marketing at Magiq. "Our goal in life is to increase the adoption rate of this technology."

By the fall, Magiq expects to be able to provide functioning beta, or test, products that include its quantum encryption boards. Volume sales to manufacturers are scheduled to begin in 2006.

Quantum encryption involves sending data by way of photons, the smallest unit of light. The photons are polarized, or oriented, in different directions. Eavesdroppers cause detectable changes in the orientation, which in turn prevents them from getting secret information, as dictated by Heisenberg's Uncertainty Principle, which says you can't observe something without changing it. For added measure, the data is encrypted before sending.

"There is no cracking it. This is like the apple falling down," said Audrius Berzanskis, Magiq's vice president of security engineering, meaning that it was like one of Sir Isaac Newton's natural laws. This doesn't mean quantum encryption systems are unconditionally foolproof, he added. Hypothetically, radio transmitters or some other technology could intercept signals before they are sent. Still, these are computer architecture issues: Unlike traditional encryption systems, applying brute-force calculations to a message encrypted using quantum methods will not eventually yield its contents to an unauthorized party.

However, quantum encryption systems are pricey. The two-box system Magiq sells goes for $70,000. Academic institutions and government agencies have been the primary customers, the company said.

Whether demand will go mainstream is still a matter of debate. Nearly foolproof encryption has its obvious attractions. Various security experts have stated, however, that the strength of today's cryptography is the least of the security world's worries.

"Security is a chain; it's only as strong as the weakest link. Currently encryption is the strongest link we have. Everything else is worse: software, networks, people. There's absolutely no value in taking the strongest link and making it even stronger," Bruce Schneier, chief technology officer at Counterpane Internet Security, wrote in an e-mail to CNET News.com on quantum cryptography in general. "It's like putting a huge stake in the ground and hoping the enemy runs right into it," he noted.

Speed also has been a problem for quantum encryption. The deal with Cavium will ideally boost the performance of the Magiq products and lower the costs by standardizing some of the engineering. Cavium's chips, for instance, will assume encryption tasks now performed in software. Reference designs also allow potential customers to skirt some independent design tasks.
MD5 comes in for further criticism
http://www.techworld.com/storage/news/index.cfm?NewsID=3081&Page=1&pagePos=11

Techworld.com
07 February 2005

More experts warn of CAS arrays risks
MD5 comes in for further criticism
By Lucas Mearian, Computerworld (US)

More security experts are warning against the use of the flawed hashing algorithm, MD5, for digital signatures on content addressed storage (CAS) systems. Last August, a Chinese researcher, Xiaoyun Wang, unveiled details of the flaw. Other security experts are now chipping in.

An official at the National Institute of Standards and Technology said IT managers have good reason to be concerned about security flaws in MD5. "It's pretty well known right now that it's just not up to what you need," said Elaine Barker, head of NIST's computer security division. Barker said NIST has no plans to certify or recommend the MD5 algorithm for government use.

The warnings come as more vendors unveil CAS systems to meet the need for disk-based backup of fixed data such as e-mail and medical images. Experts say that under specific circumstances, hackers could create files containing malicious data that could cause data loss or the dissemination of bad data.

Of the four major vendors of CAS storage, two of them - EMC and Archivas - use the MD5 algorithm. The other two, Permabit and Avamar Technologies, do not. Archivas said it provides the option of using another method of indexing, called the Secure Hash Algorithm-1.

Users of EMC and Archivas systems say they aren't concerned about the warnings. "I believe that the possibility of a (problem) is so unlikely that it does not bother me," said John Halamka, CIO at Boston-based CareGroup, a hospital management company. "Thus far, we've been working with (the) Centera (array) for more than a year without a single issue."

Curt Tilmes, a systems engineer at NASA's Goddard Space Flight Center, has been beta-testing an Archivas Cluster CAS system for archiving satellite data about the earth's atmosphere for more than a year. He said he feels it's secure because it's on a private network with firewalls. "I suppose it wouldn't hurt [to use a more secure algorithm], but for my application, it wouldn't have an effect," Tilmes said.

Meanwhile, Sun's long-awaited CAS system, code-named Honeycomb, won't use the MD5 algorithm because of security concerns, said Chris Woods, chief technology officer for Sun's storage practice. Woods would not say which algorithm the company will use to index stored objects.

"It really is time for [the industry] to stop using MD5," said Dan Kaminsky, a security consultant at Avaya. "MD5 has been a deprecated hashing algorithm for almost a decade. The industry has clung to the algorithm, partially out of inertia, partially out of scarcity of computer power."

In a report last month, Kaminsky pointed out that an attack could be used to create two files with the same MD5 hash, one with safe data and one with malicious data. If both files were saved to the same system, a so-called collision could result, leading to data loss or the dissemination of bad data, he said.

Mike Kilian, CTO at EMC's Centera division, contended that MD5 flaws don't apply to Centera arrays because once a piece of content is stored, a company can't change it. "Centera from almost Day 1 has had multiple addressing schemes available to applications," Kilian said.

Kaminsky disagreed. "Cryptography tends to be a 'garbage algorithm in, garbage security out' discipline," he said. "Let's say they were appending custom metadata to the end of their files. Conceivably, the attack would not care, as once two files have the same hash, you can append the same [identical] metadata to both of them and they'll still possess the same hash."

Archivas officials noted that its CAS device does not use the MD5 hash key to name the file in the archive, the way EMC's product does.
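The NIST article above describes a hash as a value the receiver recomputes and compares, and Kaminsky's point in this article is that once two files collide, identical appended metadata keeps them colliding. The following Python is an added example, not code from either article or from any vendor named in them: it builds a constructed toy Merkle-Damgard hash with a 20-bit state (so a collision can be found in seconds; it is not MD5 and not secure) and shows that the collision survives a common suffix and confuses a content-addressed store keyed on that hash, while a SHA-256-keyed store keeps the two objects apart. The store class, the metadata string and all names are constructed assumptions.

```python
import hashlib
import struct
from itertools import count
from typing import Callable, Dict, Tuple

# Constructed toy Merkle-Damgard hash for illustration. It is NOT MD5 and NOT
# secure: the 20-bit chaining state makes collisions findable by brute force.
# What it shares with MD5 is the structure that matters for Kaminsky's point:
# the digest is simply the chaining state after the last block.
BLOCK = 4                       # bytes per message block
STATE_BITS = 20
MASK = (1 << STATE_BITS) - 1
IV = 0x5A5A5                    # constructed initial chaining value


def _compress(state: int, block: bytes) -> int:
    """Mix one 4-byte block into the chaining state (constructed mixer)."""
    w = int.from_bytes(block, "big")
    x = (state * 0x9E3779B1 + w) & 0xFFFFFFFF
    x ^= x >> 16
    x = (x * 0x85EBCA6B) & 0xFFFFFFFF
    x ^= x >> 13
    return x & MASK             # truncate to the toy's 20-bit state


def _pad(msg: bytes) -> bytes:
    """Merkle-Damgard strengthening: 0x80, zero fill, 32-bit message length."""
    padded = msg + b"\x80"
    while (len(padded) + 4) % BLOCK:
        padded += b"\x00"
    return padded + struct.pack(">I", len(msg))


def toy_hash(msg: bytes) -> int:
    """Digest = chaining state after the last padded block."""
    state = IV
    data = _pad(msg)
    for i in range(0, len(data), BLOCK):
        state = _compress(state, data[i:i + BLOCK])
    return state


def sha256_hex(data: bytes) -> str:
    """Real hash for comparison: the kind of replacement NIST recommends."""
    return hashlib.sha256(data).hexdigest()


def find_block_collision() -> Tuple[bytes, bytes]:
    """Birthday search for two distinct one-block messages that drive the
    chaining state to the same value. Feasible here only because the state
    is 20 bits; for MD5 this step is the research result the article cites."""
    seen: Dict[int, bytes] = {}
    for i in count():
        m = struct.pack(">I", i)
        s = _compress(IV, m)
        if s in seen:
            return seen[s], m
        seen[s] = m


def suffix_preserves_collision(a: bytes, b: bytes, suffix: bytes) -> bool:
    """Kaminsky's observation: once a and b reach the same internal state,
    any common suffix (e.g. appended metadata) leaves them colliding."""
    return a != b and toy_hash(a + suffix) == toy_hash(b + suffix)


class ContentAddressedStore:
    """Minimal CAS that names objects by their hash, as the article says EMC's
    product does; a second object with an existing name is deduplicated."""

    def __init__(self, hash_fn: Callable[[bytes], object]):
        self._hash_fn = hash_fn
        self._objects: Dict[object, bytes] = {}

    def put(self, data: bytes):
        key = self._hash_fn(data)
        self._objects.setdefault(key, data)   # first writer wins
        return key

    def get(self, key) -> bytes:
        return self._objects[key]


def cas_returns_wrong_object(hash_fn, first: bytes, second: bytes) -> bool:
    """True if storing `second` after `first` hands back `first` under
    `second`'s own address, i.e. the store cannot tell them apart."""
    store = ContentAddressedStore(hash_fn)
    store.put(first)
    return first != second and store.get(store.put(second)) == first


if __name__ == "__main__":
    a, b = find_block_collision()
    metadata = b"{owner:caregroup,retain:7y}"   # constructed metadata suffix
    print("toy-hash collision survives suffix:",
          suffix_preserves_collision(a, b, metadata))
    print("toy-keyed CAS confused:",
          cas_returns_wrong_object(toy_hash, a + metadata, b + metadata))
    print("SHA-256-keyed CAS confused:",
          cas_returns_wrong_object(sha256_hex, a + metadata, b + metadata))
```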
[fc-announce] Transportation, Taxes, and Conference Events
--- begin forwarded text

User-Agent: Microsoft-Entourage/11.1.0.040913
From: Stuart E. Schechter [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Subject: [fc-announce] Transportation, Taxes, and Conference Events
Sender: [EMAIL PROTECTED]
Date: Mon, 07 Feb 2005 15:12:11 -0500

IMPORTANT NOTES FOR THOSE ATTENDING FC05

Transportation
==
We would like to accommodate attendees with discounted transportation to and from the airport. Please fill out the following survey if you would like to arrange for discounted transportation or give your opinion on conference activities. We need your answers this week.
http://www.zoomerang.com/survey.zgi?p=WEB2244SFRHAFQ

Dominica departure tax
==
Please note that there is a departure tax of approximately EC$50/US$22 payable at the airport on your way out of Dominica. You'll be reminded of the exact figure at the conference.

New York Times article
==
Dominica was recently featured in Saturday's New York Times. (Ignore the red herring of their reference to the Dominican Republic early in the article.) It's a great read to get yourself in the mood for your upcoming trip.
http://nytimes.com/2005/02/06/travel/06dominica.html?pagewanted=all

[Learn to] Scuba dive
=
Please contact me at [EMAIL PROTECTED] if you are interested in a discover-scuba social on Tuesday or Wednesday afternoon, if you are interested in getting a full open water certification on Dominica, or if you are already certified and want to dive with other attendees.

Registration
With three weeks to go before the conference, registration has already exceeded our totals from last year by more than 10%. We're glad to see you're as excited as we are and we're looking forward to a great conference.

Best regards
Stuart Schechter
General Chair
Financial Cryptography and Data Security 2005

___
fc-announce mailing list
[EMAIL PROTECTED]
http://mail.ifca.ai/mailman/listinfo/fc-announce

--- end forwarded text
Identity thieves can lurk at Wi-Fi spots
http://www.usatoday.com/tech/news/2005-02-06-evil-twin-usat_x.htm

USA Today

Identity thieves can lurk at Wi-Fi spots
By Jon Swartz, USA TODAY

SAN FRANCISCO - Coffee shop Web surfers beware: An evil twin may be lurking near your favorite wireless hotspot.

Thieves are using wireless devices to impersonate legitimate Internet access points to steal credit card numbers and other personal information, security experts warn. So-called evil-twin attacks don't require technical expertise. Anyone armed with a wireless laptop and software widely available on the Internet can broadcast a radio signal that overpowers the hot spot.

How to avoid an 'evil twin'?
- Install personal firewall and security patches.
- Use hot spots for Web surfing only.
- Enter passwords only into Web sites that include an SSL key at bottom right.
- Turn off or remove wireless card if you are not using a hot spot.
- Avoid hot spots where it's difficult to tell who's connected, such as at hotels and airport clubs.
- If hot spot is not working properly, assume password is compromised. Change password and report incident to hot spot provider.
- Do not use insecure applications such as e-mail or instant messaging while at hot spots.
Source: AirDefense

Then, masquerading as the real thing, they view the activities of wireless users within several hundred feet of the hot spot. "It could be someone sitting next to you on a plane or in a parking lot across the street from a coffee shop," says Jon Green, director of technical marketing at Aruba Wireless Networks, which makes radio-wave-scanning equipment that detects and shuts down bogus hot spots.

"Wireless networks are wide open," says Steve Lewack, director of technology services for Columbus Regional Medical Center in Columbus, Ga. The facility uses software and sensors to monitor 480 wireless devices used by medical personnel at 110 access points. Last month, it stopped about 120 attempts to steal financial information from medical personnel and patients - double the number of incidents from a few months earlier.

The recent surge in evil-twin attacks parallels phishing scams - fraudulent e-mail messages designed to trick consumers into divulging personal information. Though the problem is in its infancy, it has caught the attention of some businesses heavily dependent on wireless communications. But most consumers aren't aware of the threat, security expert Green says.

Wi-Fi, or wireless Internet, sends Web pages via radio waves. Hot spots are an area within range of a Wi-Fi antenna. As the technology has grown - there are now about 20,000 hot spots in the USA, up from 12,000 a year ago - so too have security concerns. Anil Khatod, CEO of AirDefense, a maker of software and sensors, estimates break-ins number in the hundreds each month in the USA.

Companies employing hundreds of people with wireless laptops are especially vulnerable to evil-twin scams. When a worker's information is filched, it can expose a corporate network.

"It presents a serious, hidden danger to Web users," says Phil Nobles, a wireless-security expert at Cranfield University in England who has researched the threat. "It's hard to nab the perpetrator, and the victim has no idea what happened."
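The article mentions scanning equipment and sensors that flag bogus hot spots; the following Python is an added example (not code from USA Today, Aruba or AirDefense) of the simplest form of that check: beacon observations are compared against a constructed inventory of authorized access points, and any beacon that advertises one of our SSIDs from an unknown BSSID, or from a known BSSID with weaker security than policy requires, is reported. The scan lines, SSIDs and BSSIDs are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Beacon:
    """One observed beacon frame, as a wireless sensor would report it."""
    ssid: str
    bssid: str
    channel: int
    security: str   # "OPEN", "WEP", "WPA", "WPA2"
    rssi: int       # signal strength in dBm


# Constructed inventory of the access points we actually operate: for each
# SSID, the BSSIDs allowed to advertise it and the security it must offer.
AUTHORIZED: Dict[str, dict] = {
    "CRMC-Clinical": {"bssids": {"00:0b:86:11:22:01", "00:0b:86:11:22:02"},
                      "security": "WPA2"},
    "CRMC-Guest": {"bssids": {"00:0b:86:11:22:03"}, "security": "WPA2"},
}


def parse_scan(lines: List[str]) -> List[Beacon]:
    """Parse constructed 'ssid,bssid,channel,security,rssi' lines."""
    beacons = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ssid, bssid, channel, security, rssi = [f.strip() for f in line.split(",")]
        beacons.append(Beacon(ssid, bssid.lower(), int(channel),
                              security.upper(), int(rssi)))
    return beacons


def find_evil_twins(beacons: List[Beacon],
                    authorized: Dict[str, dict]) -> List[Tuple[str, Beacon]]:
    """Return (reason, beacon) for every beacon impersonating one of our SSIDs.

    A stranger's network (SSID not in inventory) is ignored: it is not
    pretending to be ours. A known SSID from a BSSID we do not own is the
    classic evil twin. A known BSSID advertising weaker security than policy
    is either a misconfiguration or a twin that also spoofs our BSSID, so it
    is flagged as well.
    """
    alerts = []
    for b in beacons:
        policy = authorized.get(b.ssid)
        if policy is None:
            continue
        if b.bssid not in policy["bssids"]:
            alerts.append(("unauthorized-bssid", b))
        elif b.security != policy["security"]:
            alerts.append(("security-downgrade", b))
    return alerts


# Constructed sample scan: a legitimate AP, an open twin on a foreign BSSID
# with the stronger signal, an unrelated cafe network, and a legitimate BSSID
# misconfigured as open.
SAMPLE_SCAN = """
# ssid,bssid,channel,security,rssi
CRMC-Clinical,00:0B:86:11:22:01,6,WPA2,-61
CRMC-Clinical,de:ad:be:ef:00:01,6,OPEN,-38
CafeFree,00:11:22:33:44:55,11,OPEN,-70
CRMC-Guest,00:0b:86:11:22:03,1,OPEN,-65
""".splitlines()


def sample_alerts() -> List[Tuple[str, Beacon]]:
    """Run the check over the constructed scan."""
    return find_evil_twins(parse_scan(SAMPLE_SCAN), AUTHORIZED)


if __name__ == "__main__":
    for reason, b in sample_alerts():
        print(f"{reason}: {b.ssid} from {b.bssid} ch{b.channel} "
              f"{b.security} {b.rssi} dBm")
```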
Group Aims to Make Internet Phone Service Secure
http://online.wsj.com/article_print/0,,SB110790485798349353,00.html

The Wall Street Journal
February 9, 2005

TELECOMMUNICATIONS
Group Aims to Make Internet Phone Service Secure
Alliance of Tech Companies Looks for Ways To Head Off Attacks by Hackers, Viruses
By RIVA RICHMOND
DOW JONES NEWSWIRES
February 9, 2005; Page D4

A group of more than 20 technology companies and computer-security organizations has gone on the offensive to protect the burgeoning Internet telephone service from hackers, viruses and other security problems.

The VOIP Security Alliance, which was announced earlier this week, will focus on uncovering security problems and promoting ways to reduce the risk of attack for voice over Internet protocol, or VOIP, technology. The group, known as VOIPSA, includes companies such as 3Com Corp., Alcatel SA, Avaya Inc., Siemens AG, Symantec Corp. and Ernst & Young LLP. Other members include the National Institute of Standards and Technology, a federal government agency; the SANS Institute, a research organization for network administrators and computer-security professionals; and several universities.

The group's goal is to help make VOIP as secure and reliable as traditional telephone service. VOIP breaks voice into digital information and moves it over the Internet. That can make phone service much cheaper, but it also opens the door to the kind of security woes that have come to plague the Internet. VOIP enthusiasts worry that security and privacy problems could hamper adoption of the technology.

"VOIP has a lot of great value propositions, but in order for it to be successful, it has to be secured and offer service quality that's on par with the current phone system," said David Endler, chairman of the alliance and an executive at TippingPoint, a security company that recently was acquired by 3Com. "VOIPSA is a first step in doing that."

Internet telephone service is expected to be rolled out rapidly to consumers and business customers, starting this year. Mr. Endler said many network operators don't realize they need to alter their security strategies when they add Internet phone service. For instance, traditional firewalls cannot police VOIP traffic, he said, and so networks will need to be upgraded with newer security technologies. There's little understanding of what security problems VOIP might introduce and what kind of defensive measures need to be taken.

VOIPSA intends to improve that situation by sponsoring research, uncovering vulnerabilities, disseminating information about threats and security measures, and providing open-source tools to test network-security levels.

Because VOIP will be dependent on the Internet, there's little hope that security troubles can be avoided, said Alan Paller, director of research at the SANS Institute, though early action by technology makers to address problems is positive and welcome. "It's not a lightweight problem," he said. "How well would you do with no phone? If Internet attacks can disrupt phone service, you radically expand the number of victims," he said.

"VOIP networks really inherit the same cyber-security threats that data networks are today prone to, but those threats take greater severity in some cases," Mr. Endler said. For instance, a life-or-death emergency call to 911 might not get through if a network is crippled by a hacker attack. Worse, a broad assault on the phone system could become a national security crisis that causes economic damage.
Hold the Phone, VOIP Isn't Safe
http://www.wired.com/news/print/0,1294,66512,00.html

Wired News

Hold the Phone, VOIP Isn't Safe
By Elizabeth Biddlecombe
Story location: http://www.wired.com/news/technology/0,1282,66512,00.html
02:00 AM Feb. 07, 2005 PT

In recognition of the fact that new technologies are just as valuable to wrongdoers as to those in the right, a new industry group has formed to look at the security threats inherent in voice over internet protocol.

The VOIP Security Alliance, or VOIPSA, launches on Monday. So far, 22 entities, including security experts, researchers, operators and equipment vendors, have signed up. They range from equipment vendor Siemens and phone company Qwest to research organization The SANS Institute.

They aim to counteract a range of potential security risks in the practice of sending voice as data packets, as well as educate users as they buy and use VOIP equipment. An e-mail mailing list and working groups will enable discussion and collaboration on VOIP testing tools.

VOIP services have attracted few specific attacks so far, largely because the relatively small number of VOIP users doesn't make them a worthwhile target. (A report from Point Topic in December counted 5 million VOIP users worldwide.)

But security researchers have found vulnerabilities in the various protocols used to enable VOIP. For instance, CERT has issued alerts regarding multiple weaknesses with SIP (session initiation protocol) and with H.323.

Over the past year, experts have repeatedly warned that VOIP abuse is inevitable. The National Institute of Standards and Technology put out a report last month urging federal agencies and businesses to consider the complex security issues often overlooked when considering a move to VOIP. NIST is a member of VOIPSA.

"It is really just a matter of time before it is as widespread as e-mail spam," said Michael Osterman, president of Osterman Research.

Spammers have already embraced spim (spam over instant messaging), say the experts. Dr. Paul Judge, chief technology officer at messaging-protection company CipherTrust, says 10 percent of instant-messaging traffic is spam, with just 10 to 15 percent of its corporate clients using IM. "It is where e-mail was two and a half years ago," said Judge.

To put that in perspective, according to another messaging-protection company, FrontBridge Technologies, 17 percent of e-mail was spam in January 2002. It put that figure at 93 percent in November 2004.

So the inference is that spit (spam over internet telephony) is just around the corner. Certainly, the ability to send out telemarketing voicemail messages with the same ease as blanket e-mails makes for appealing economics. Aside from the annoyance this will cause, the strain on network resources when millions of 100-KB voicemail messages are transmitted, compared with 5- or 10-KB e-mails, will be considerable.

But the threat shouldn't be couched solely within the context of unlawful marketing practices. Users might also see the audio equivalent of phishing, in which criminals leave voicemails pretending to be from a bank, said Osbourne Shaw, whose role as president of ICG, an electronic forensics company, has led him to try buying some of the goods advertised in spam.

In fact, according to David Endler, chairman of the VOIP Security Alliance and director of digital vaccines at network-intrusion company TippingPoint, there are many ways to attack a VOIP system. First, VOIP inherits the same problems that affect IP networks themselves: Hackers can launch distributed denial of service attacks, which congest the network with illegitimate traffic. This prevents e-mails, file transfers, web-page requests and, increasingly, voice calls from getting through. Voice traffic has its own sensitivities, which mean the user experience can easily be degraded past the point of usability.

Furthermore, additional nodes of the network can be attacked with VOIP: IP phones, broadband modems and network equipment, such as soft switches, signaling gateways and media gateways. Endler paints a picture in which an attack on a VOIP service could mean people would eavesdrop on conversations, interfere with audio streams, or disconnect, reroute or even answer other people's phone calls. This is a concern to the increasing number of call centers that put both their voice and data traffic on a single IP network. It is even more of a concern for 911 call centers.

But Louis Mamakos, chief technology officer at broadband telephony provider Vonage, says he and his team spend a lot of time worrying about security but the problems the company has seen so far have centered on more pedestrian threats like identity theft. Vonage has not yet signed up for the VOIP Security Alliance, said Mamakos, and employees already spend a lot of time working on security issues with technology providers. "I'm not sure if (VOIPSA) is a solution to a problem we don't have yet," he said. We need to judge what the
GNFC launches Indian Digital Certification services
Gujarat Narmada Valley Fertilizer Company??? ;-) Cheers, RAH --- http://www.deepikaglobal.com/ENG5_sub.asp?newscode=92273catcode=ENG5subcatcode= deepikaglobal.com - Business News Detail Thursday, February 10, 2005 Good Evening to you Business News GNFC launches nationwide Digital Certification services Mumbai, Feb 9 (UNI) Gujarat Narmada Valley Fertilizer Company (GNFC) promoted (n)Code Solutions today launched its nationwide services for providing ''Digital certificates to individuals and organisations aimed at boosting efforts for implementation of e-governance and e-commerce in the country''. Digital certificates can be explained as digital passports that help in authentication of the bearer on the net, while maintaining privacy and integrity of the net-based transactions. It is accorded the same value as paper-based signatures of the physical world by the Indian IT Act 2000 and each of these transactions help bring trust in the Internet-based transactions. Launching the services, Nasscom President Kiran Karnik said, ''The presence of a large number of credible public sector organisation in this domain will futher boost the efforts for implementation of e-governance in the country.'' He said that the safety and security of net-based transactions would enable to usher in higher levels of exellence at lower costs. Having carved an enviable reputation for itself in managing large and complex projects successfully, Mr Karnik said ''GNFC will duplicate its success in this IT venture as well.'' A K Luke, Managing Director of GNFC and another state-PSU Gujarat State Fertiliser Corporation, on this occasion, said ''The (n)Code Solutions infrastructure, set up for the purpose is at par with the best in the world.'' He said the GNFC was committed to diversifications in the emerging fields of IT like e-security. 
(n)Code Solutions has put in motion a nationwide machinery to support different market segments like banking and financial institutions, public and private sector enterprises, besides State and Central Government organisations, he added. He said the IT company of GNFC had simultaneously released a suite of applications, (n)Procure, (n)Sign, (n)Form and (n)Pay, that make use of digital signatures to ensure safety and security in the virtual world in various ways. Mr Luke said these applications will address a wide spectrum of needs of the internet-dependent business world, ranging from online procurement to signing and sending web forms, enabling online payments, and securing web servers or VPN devices.

GNFC is a Rs 1800 crore fertiliser and chemicals company of the Gujarat Government.

-- 
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

---
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Desire safety on Net? (n) code has the solution
I'm starting to get the hang of this. I mean, fertilizer...crypto, crypto...fertilizer: They're both *munitions*, right? Right? :-)

Cheers,
RAH

http://cities.expressindia.com/fullstory.php?newsid=117201#

Express India

Desire safety on Net? (n) code has the solution
Express News Service

Ahmedabad, February 9: Addressing a wide spectrum of needs of the Net-dependent business world, ranging from online buying to signing and sending web forms, (n) code solutions, promoted by the IT branch of the Gujarat Narmada Valley Fertilizer Company Limited, has launched its nationwide services at NASSCOM India Leadership Forum 2005.

(n) code solutions has recently been licensed by the IT ministry as a certifying authority for providing digital signature certificates to individuals and organisations. Digital certificates can be explained as digital passports, which help in authentication of the bearer on the Internet. This also helps maintain privacy and integrity of Net-based transactions. Digital signatures are accorded the same value as paper-based signatures of the physical world by the Indian IT Act 2000. Each of these functions helps bring trust to Net-based transactions.

(n) code has simultaneously released a suite of applications, (n) procure, (n) sign, (n) form and (n) pay, to make use of digital signatures to ensure safety and security in the virtual world in various ways. (n) code has also put in motion a nationwide machinery to support different market segments like banking and financial institutions, public and private sector enterprises, and state and central government organisations.
Vegas casino bets on RFID
http://news.com.com/2102-7355_3-5568288.html?tag=st.util.print

Vegas casino bets on RFID
By Alorie Gilbert

Casino mogul Steve Wynn has pulled out all the stops for his new $2.7 billion mega-resort in Las Vegas: an 18-hole championship golf course, a private lake and mountain, and a bronze tower housing 2,700 plush guest rooms. But when its doors open in April, the Wynn Las Vegas will have one unique feature that few visitors are likely to notice--high-tech betting chips designed to deter counterfeiting, card-counting and other bad behavior.

The fancy new chips look just like regular ones, only they contain radio devices that signal secret serial numbers. Special equipment linked to the casino's computer systems and placed throughout the property will identify legitimate chips and detect fakes, said Rick Doptis, vice president of table games for the Wynn.

"Security-wise, it will be huge for us," Doptis said.

The technology behind these chips is known as radio frequency identification, or RFID, and it's been used for years to track livestock, enable employee security badges and pay tolls. The casino industry is just the latest to find new uses for RFID technology. Retail chains, led by Wal-Mart Stores, are using it to monitor merchandise. Libraries are incorporating it into book collections to speed checkouts and re-shelving. The United States and other nations are incorporating it into passports to catch counterfeits. One company even offers to inject people with RFID chips linked to their medical records to ensure they receive proper medical care.

In casinos, RFID technology is still relatively rare and in search of a killer application to spur adoption.
Yet some tech-savvy casino executives envision RFID transforming the way they operate table games, including blackjack, craps and roulette, over the next four or five years.

For one thing, there's the counterfeiting problem, on which there is scant data. The Nevada Gaming Commission gets about a dozen complaints every year related to counterfeit chips, said Keith Copher, the agency's chief of enforcement. Last year, a casino in Reno quickly lost $26,000 in such a scheme--one of the biggest hits reported to the commission in recent years. And counterfeiting is on the rise at overseas casinos, Copher noted. The RFID technology would let dealers or cashiers see when the value of the chips in front of them doesn't match the scanners' tally.

However, financial losses due to counterfeit chips are usually minor, and few perpetrators get away with it, Copher said. Perhaps that's why the Wynn has found a dual purpose for the high-tech chips: The casino is also using them to help account for the chips it issues on credit to players, since managing credit risk is a huge part of any big casino's operations. The Wynn plans to take note of the serial numbers of the chips it lends and of the names of the players who cash them in. If someone else returns the chips, it could signal that the original player is using their credit line with the casino to make loans to others--something casinos generally frown upon.

That sort of security doesn't come cheap: The Wynn is spending about $2 million on the chips. That's about double the price of regular chips, and doesn't include additional equipment the Wynn will need to purchase, such as RFID readers, computers and networking gear.

Eye in the sky

The technology could also help casinos catch card players who sneak extra betting chips onto the table after hands are dealt or players who count cards. That's one reason the Hard Rock Hotel and Casino in Las Vegas plans to switch on a new set of RFID-equipped betting chips and tables next month.
The casino is installing RFID readers and PCs at game tables. With antennas placed under each player's place at the table, dealers can take a quick inventory of chips that have been wagered at the push of a button. The PCs display all the initial bets, deterring players from sneaking extra chips into their pile after hands are dealt.

Yet the benefits of RFID go beyond security. It may also help casinos boost profits through savvier marketing.

"Vegas has a little bit of a wait-and-see attitude... They want to make sure the product is bulletproof." --Tim Richards, vice-president of marketing, Progressive Gaming International

Take the Hard Rock Hotel. In addition to monitoring wagers, the casino plans to use its new RFID system to rate players--monitor gamblers to reward them with free rooms, meals and other perks based on how much and how often they wager. As the technology advances, RFID could also help track how well they play. The casinos generally reserve the most enticing rewards
House backs major shift to electronic IDs
http://news.com.com/2102-1028_3-5571898.html?tag=st.util.print

CNET News

House backs major shift to electronic IDs
By Declan McCullagh
Story last modified Thu Feb 10 17:46:00 PST 2005

The U.S. House of Representatives approved on Thursday a sweeping set of rules aimed at forcing states to issue all adults federally approved electronic ID cards, including driver's licenses. Under the rules, federal employees would reject licenses or identity cards that don't comply, which could curb Americans' access to airplanes, trains, national parks, federal courthouses and other areas controlled by the federal government. The bill was approved by a 261-161 vote.

The measure, called the Real ID Act, says that driver's licenses and other ID cards must include a digital photograph, anticounterfeiting features and undefined machine-readable technology, with defined minimum data elements that could include a magnetic strip or RFID tag. The Department of Homeland Security would be charged with drafting the details of the regulation.

Republican politicians argued that the new rules were necessary to thwart terrorists, saying that four of the Sept. 11, 2001, hijackers possessed valid state-issued driver's licenses. "When I get on an airplane and someone shows ID, I'd like to be sure they are who they say they are," said Rep. Tom Davis, a Virginia Republican, during a floor debate that started Wednesday.

States would be required to demand proof of the person's Social Security number and confirm that number with the Social Security Administration. They would also have to scan in documents showing the person's date of birth and immigration status, and create a massive store so that the (scanned) images can be retained in electronic storage in a transferable format permanently.

Another portion of the bill says that states would be required to link their DMV databases if they wished to receive federal funds.
Among the information that must be shared: all data fields printed on drivers' licenses and identification cards, and complete drivers' histories, including motor vehicle violations, suspensions and points on licenses.

The Bush administration threw its weight behind the Real ID Act, which has been derided by some conservative and civil liberties groups as tantamount to a national ID card. The White House said in a statement this week that it strongly supports House passage of the bill.

Thursday's vote mostly fell along party lines. About 95 percent of the House Republicans voted for the bill, which had been prepared by the judiciary committee chairman, F. James Sensenbrenner, a Wisconsin Republican. More than three-fourths of the House Democrats opposed it.

Rep. Eleanor Holmes Norton, a Democrat from Washington, D.C., charged that Republicans were becoming hypocrites by trampling on states' rights. "I thought the other side of the aisle extols federalism at all times," Norton said. "Yes, even in hard times, even when you're dealing with terrorism. So what's happening now? Why are those who speak up for states whenever it strikes their fancy doing this now?"

Civil libertarians and firearm rights groups condemned the bill before the vote. The American Civil Liberties Union likened the new rules to a de facto national ID card, saying that the measure would force states to deny driver's licenses to undocumented immigrants and make DMV employees act as agents of the federal immigration service.

Because an ID is required to purchase a firearm from a dealer, Gun Owners of America said the bill amounts to a bureaucratic back door to implementation of a national ID card. The group warned that it would empower the federal government to determine who can get a driver's license--and under what conditions.
Break-In At SAIC Risks ID Theft
http://www.washingtonpost.com/ac2/wp-dyn/A17506-2005Feb11?language=printer

The Washington Post (washingtonpost.com)

Break-In At SAIC Risks ID Theft
Computers Held Personal Data on Employee-Owners
By Griff Witte, Washington Post Staff Writer
Saturday, February 12, 2005; Page E01

Some of the nation's most influential former military and intelligence officials have been informed in recent days that they are at risk of identity theft after a break-in at a major government contractor netted computers containing the Social Security numbers and other personal information about tens of thousands of past and present company employees.

The contractor, employee-owned Science Applications International Corp. of San Diego, handles sensitive government contracts, including many in information security. It has a reputation for hiring Washington's most powerful figures when they leave the government, and its payroll has been studded with former secretaries of defense, CIA directors and White House counterterrorism advisers.

Those former officials -- along with the rest of a 45,000-person workforce in which a significant percentage of employees hold government security clearances -- were informed last week that their private information may have been breached and they need to take steps to protect themselves from fraud.

David Kay, who was chief weapons inspector in Iraq after nearly a decade as an executive at SAIC, said he has devoted more than a dozen hours to shutting down accounts and safeguarding his finances. He said the successful theft of personal data, by thieves who smashed windows to gain access, does not speak well of a company that is devoted to keeping the government's secrets secure.

"I just find it unexplainable how anyone could be so casual with such vital information. It's not like we're just now learning that identity theft is a problem," said Kay, who lives in Northern Virginia.

About 16,000 SAIC employees work in the Washington area.
Bobby Ray Inman, former deputy director of the CIA and a former director at SAIC, agreed. "It's worrisome," said Inman, who also received notification of the theft last week. "If the security is sloppy, it raises questions."

Ben Haddad, an SAIC spokesman, said yesterday that the Jan. 25 theft, which the company announced last week, occurred in an administrative building where no sensitive contracting work is performed. Haddad said the company does not know whether the thieves targeted specific computers containing employee information or if they were simply after hardware to sell for cash. In either case, the company is taking no chances.

"We're taking this extremely seriously," Haddad said. "It's certainly not something that would reflect well on any company, let alone a company that's involved in information security. But what can I say? We're doing everything we can to get to the bottom of it."

Gary Hassen of the San Diego Police Department said there are, at the moment, no leads.

Haddad said surveillance cameras are in the building where the theft took place, but he did not know whether they caught the perpetrators on tape. He also did not know whether the information that was on the pilfered computers had been encrypted.

The stolen information included names, Social Security numbers, addresses, telephone numbers and records of financial transactions. It was stored in a database of past and present SAIC stockholders. SAIC is one of the nation's largest employee-owned companies, with workers each receiving the option to buy SAIC stock through an internal brokerage division known as Bull Inc.

Haddad said the company has been trying through letters and e-mails to get in touch with everyone who has held company stock within the past decade, though he acknowledged that hasn't been easy since many have since left the company. He said the company would take steps to ensure stockholder information is better protected in the future, but he declined to be specific.
The theft comes at a time when the company, which depends on the federal government for more than 80 percent of its $7 billion annual revenue, is already under scrutiny for its handling of several contracts. Last week on Capitol Hill, FBI Director Robert S. Mueller III testified that the company had botched an attempt to build software for the bureau's new Virtual Case File system. The $170 million upgrade was supposed to allow agents to sift through different cases electronically, but the FBI has said the new system is so outdated that it will probably be scrapped.

In San Antonio, SAIC is fighting the government over charges that the company padded its cost estimates on a $24 million Air Force contract. The case prompted the Air Force to issue an unusual alert to its contracting officials late last year, warning them that the Department of Justice believes that SAIC is continuing to submit defective cost or pricing data in support of its pricing proposals. SAIC has defended its work for the
Fighting Net crime with code / Surge in phishing e-mails to take spotlight at cryptography conference
http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2005/02/14/BUG3NB9UTL1.DTLtype=printable

www.sfgate.com

Fighting Net crime with code
Surge in phishing e-mails to take spotlight at cryptography conference
Carrie Kirby, Chronicle Staff Writer
Monday, February 14, 2005

Every year, a bunch of cryptographers throw a big party, business mixer and study session in the Bay Area. In their effort to make the world love the science of code making and breaking as much as they do, they invoke dramatic historical uses of cryptography: the etchings of the ancient Maya, the Navajo code talkers of World War II.

This time, the RSA Conference, opening today at Moscone Center in San Francisco, has crime as its theme. The 11,000 attendees will hear the tale of how federal agent Elizebeth Smith Friedman brought down a major ring of rum runners by cracking their sophisticated codes.

The timing couldn't be more apt. More people than ever are not just shopping but conducting their finances online, with 45 percent of Americans paying bills over the Internet in 2004, according to research group Gartner. That's a 70 percent increase from 2003, a shift that is making the Internet more attractive than ever to criminals.

"Crime on the Internet is probably the fastest-growing business there," said Ken Silva, vice president of networking and information security at VeriSign, the Mountain View company that secures Web sites and Internet transactions.

Phishing e-mails -- those little fraudulent notes asking you to confirm your bank account number, credit card number, ATM password or locker combination -- have been growing by 38 percent a month on average, according to the industry's Anti-Phishing Working Group. Gartner warns that phishing will erode the growth of e-commerce if nothing is done.

The folks gathering at the Moscone Center this week are the ones who do battle with all that, using -- you guessed it -- cryptography.
They're software developers, marketers, academics, business leaders -- including conference speakers Bill Gates of Microsoft, John Chambers of Cisco, Symantec's John Thompson and VeriSign's Stratton Sclavos -- and a few current and former government officials, such as Amit Yoran, who resigned in October after one year as the nation's top cyber security official.

Because phishing has shown the downside of using just a user name and password to access an online bank account, a panel featuring Yoran and other experts will look at safer ways for consumers to identify themselves on the Internet. Another panel will address businesses' fear that adding more security could make e-commerce and e-banking sites too cumbersome for consumers to use.

Another topic will be whether software companies should be held liable when bugs in their products allow theft to happen and whether the government should regulate software safety as the Federal Aviation Administration regulates airline safety.

Because most hackers and viruses get into computers through holes in Microsoft's nearly ubiquitous Windows software, Microsoft is always central in such discussions. But that is not a favorite topic for Microsoft leaders, and the preview blurb for Gates' speech, scheduled for Tuesday morning, makes no mention of that controversy. Instead, Gates is to discuss his perspective on the state of security today, the importance of continued innovation, and advances in Microsoft's platform, products and technologies designed to better protect customers.

The conference is run by Bedford, Mass., cryptography company RSA Security, which also has an office in San Mateo.

E-mail Carrie Kirby at [EMAIL PROTECTED]
Page E - 2
©2005 San Francisco Chronicle
NSA May Be 'Traffic Cop' for U.S. Networks
http://www.kansascity.com/mld/kansascity/news/politics/10898954.htm?template=contentModules/printstory.jsp

Posted on Mon, Feb. 14, 2005

NSA May Be 'Traffic Cop' for U.S. Networks
TED BRIDIS
Associated Press

WASHINGTON - The Bush administration is considering making the National Security Agency - famous for eavesdropping and code breaking - its traffic cop for ambitious plans to share homeland security information across government computer networks, a senior NSA official says.

Such a decision would expand NSA's responsibility to help defend the complex network of data pipelines carrying warnings and other sensitive information. It would also require significantly more money for the ultra-secret spy agency.

The NSA's director for information assurance, Daniel G. Wolf, was expected to outline his agency's potential role during a speech Wednesday at the RSA technology conference in San Francisco.

In an interview preceding his speech, Wolf told The Associated Press that computer networks at U.S. organizations are like medieval castles, each protected by different-size walls and moats. As the U.S. government moves increasingly to share sensitive security information across agencies, weaknesses inside one department can become opportunities for outsiders to penetrate the entire system, Wolf warned. Attackers could steal sensitive information or deliberately spread false information.

"If someone isn't working on being a traffic cop, giving guidance on how secure they need to be, a risk that is taken by one castle is really shared by other castles," Wolf said. "Who's defining the standards? Who says how high the walls should be?"

The NSA already helps protect systems deemed vital to the nation's security, such as those involved in intelligence, cryptography and weapons. Wolf said the administration is considering whether to designate its fledgling information-sharing efforts also under the NSA's purview.
The White House Office of Management and Budget currently directs efforts by civilian agencies to secure their computer networks. The NSA's information security programs are highly regarded among experts.

"Bring it on. This clearly ought to be done," said Paul Kurtz, a former White House cybersecurity adviser and head of the Washington-based Cyber Security Industry Alliance, a trade group. "This will raise the bar across the federal government to a far more secure infrastructure."

Congress has directed the NSA and the Department of Homeland Security to study the architecture and policies of computers for sharing sensitive homeland security information. In the latest blueprint for U.S. intelligence spending, lawmakers warned that attackers always search for weak links and that connecting distant systems will further increase the vulnerability of networks that originally were developed to be substantially isolated from one another.

It's unclear how the NSA's efforts would affect private companies, which own and operate many of the electrical, water, banking and other systems vital to government. Wolf said the agency already works to secure such systems important to military installations, but he denied that NSA would have any new regulatory authority over private computers.

"When we talk about being the traffic cop, we're not in charge of these networks," Wolf said. "We're not running these networks."

It also was unclear how much the effort might cost. "If you're going to have a network that everyone in government can get into, that means some agencies are going to have to come up to meet new, higher standards, and that's expensive," said James Lewis, director of technology policy at the Center for Strategic and International Studies, a conservative think-tank.