Re: RSA Security, Inc.

1999-09-20 Thread Ben Laurie

Vin McLellan wrote:
 Why did Baltimore Tech's founder flip out and denounce RSA's PKC as
 a secret stolen from the British GCHQ... shortly after RSA-Australia began
 shipping Eric Young's new SSL implementation code under the RSA brand name
 in the international market?   (Young's BSAFE SSL-C was the first challenge
 from RSADSI to Baltimore and other non-American vendors which have sold
 full-strength RSA PKC for years.)

Errr. New? Slight terminological inexactitude there. Try "old". And
since we are in the questioning mood, why is it that far more people use
OpenSSL than BSAFE SSL-C?

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
 - Indira Gandhi



key revocation ain't

1999-09-20 Thread Julian Assange

- Forwarded message from send mail ONLY to cs -

Date: Mon, 20 Sep 1999 04:24:00 -0600
From: [EMAIL PROTECTED] (send mail ONLY to cs)
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED] (cs daily title/abstract distribution)
Subject: cs daily Subj-class mailing 1 1

 Submissions to:
Cryptography and Security
 received from  Thu 16 Sep 99 23:00:01 GMT  to  Fri 17 Sep 99 23:00:00 GMT
--
--
\\
Paper: cs.CR/9909012
From: Jan Willemson [EMAIL PROTECTED]
Date: Fri, 17 Sep 1999 08:00:35 GMT   (14kb)

Title: Certificate Revocation Paradigms
Authors: Jan Willemson
Comments: Tech report on 14 pages, 2 figures
Subj-class: Cryptography and Security
ACM-class: E.3;H.3
\\
  Research in the field of electronic signature confirmation has been active
for some 20 years now. Unfortunately present certificate-based solutions also
come from that age when no-one knew about online data transmission. The
official standardized X.509 framework also depends heavily on offline
operations, one of the most complicated ones being certificate revocation
handling. This is done via huge Certificate Revocation Lists which are both
inconvenient and expensive. Several improvements to these lists are proposed
and in this report we try to analyze them briefly. We conclude that although it
is possible to do better than in the original X.509 setting, none of the
solutions presented this far is good enough.
\\ ( http://xxx.lanl.gov/abs/cs/9909012 ,  14kb)

- End of forwarded message from send mail ONLY to cs -



IP: Smart Cards with Chips encouraged

1999-09-20 Thread Robert Hettinga

I remember Ian, Adam, someone else and I talking about the 
card-in-a-floppy thing at CFP '96.

Shoulda, woulda, coulda, and all that...

Cheers,
RAH

--- begin forwarded text


From: [EMAIL PROTECTED]
Date: Mon, 20 Sep 1999 08:50:44 -0500
To: [EMAIL PROTECTED]
Subject: IP: Smart Cards with Chips encouraged
Cc: [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]

Source:  New York Times
http://www.nytimes.com/library/tech/99/09/cyber/commerce/20commerce.html

September 20, 1999

By BOB TEDESCHI

New Hardware Could Help Web Merchants Cut Fraud

Credit card companies love the Internet, since they pocket a share of most
e-commerce transactions. But like everything in the world of revolving
credit, that love has limits. Stolen cards used to make purchases online,
in particular, cost credit card issuers millions each year -- pushing the
price of doing business on the Web higher for banks, merchants and,
ultimately, users.

So even as the major credit card companies and the banks that issue those
cards explore ways to build Internet market share, they are also looking
for creative ways to limit fraud.

The recent launch of the American Express blue card, which comes with an
embedded computer chip, is an example of both efforts. Since the card's
chip can access a user's personal information, it will eliminate the hassle
of typing in that data in every Web purchase -- and, American Express
hopes, encourage people to use  its card. At the same time, the chip limits
the fraud by guaranteeing the shopper's identity and offering greater
protection to the buyer's information during the transaction.

The key to these features is a piece of computer hardware that, until now,
has been foreign to the desktop: a credit card reading device. Starting in
November, blue card owners will be able to obtain such a device, which they
will be able to plug into their PC's, enabling them to swipe the card at
home much like a sales clerk would at a retail store.

Other credit card issuers are exploring similar technologies. One company
that makes a card-reading device for personal computers, UTM Systems,
recently announced that four major U.S. banks affiliated with both Visa and
Mastercard International will begin distributing its system free to
consumers before the end of the year. UTM's founder and chief executive,
Robert Lee, declined to name the banks, but said they served "well over 10
million customers."

The device, which costs the card issuers $6 a unit, is simple. When a user
is ready to make an online purchase, the credit or debit card is placed in
the UTM card reader, which is inserted into a floppy disk drive. A small
window then appears on screen, asks for a personal identification number
and sends the encrypted information to the retail site. When the
transaction is complete, the window disappears.

David Robertson, president of the Nilson Report, a credit card industry
newsletter, predicted that credit card companies would be aggressive in
spreading such technologies. "American Express is the first, but you'll see
everyone start to do this by the end of the first quarter of next year," he
said. "It's inevitable."

From the standpoint of fraud prevention, card issuers have great incentive
to promote the devices, he said. Issuers lose roughly 8 cents for every
$100 in online sales to fraudulent card use -- "slightly higher than the
market at large, but it's growing," Robertson said.

"The industry has been fabulously successful at pushing fraud down in
general," he added. "But that just highlights the liability associated with
the Internet."

Which is not to say that Visa, American Express and Mastercard are stepping
lightly into the electronic frontier. Each has begun major Internet-related
advertising efforts, of which Visa's is the most aggressive. According to
the Nilson Report, 59 percent of Internet credit card purchases are made
with Visa, 28 percent with Mastercard and 12 percent with American Express.
Off line, Visa has a 51 percent share, compared with 25 percent for
Mastercard and 17 percent for American Express.

In part, the success of PC-based credit card readers hinges on how secure
consumers feel about credit card transactions on the Web. While such
devices in fact provide users more security than typical Internet
transactions, surveys indicate that consumers are less concerned about
entering their credit card data online than they used to be. One recent
survey by Navidec, a consulting firm, indicated that 21 percent of Internet
users worry about credit card security during transactions, about half the
number that expressed such concerns in 1997.

However, Paul Hughes, an analyst with the Yankee Group consulting firm,
says that new Internet users might warm to these devices, given the
trepidation with which many still approach online shopping in general.
"That said, the credit card companies are going to have to do some creative
marketing to drive these into the hands of consumers," he 

Re: Ecash without a mint

1999-09-20 Thread Adam Back


Anonymous writes:
 Consider the following system, not yet completely practical, but perhaps
 with some more work it could be made so.  Features:
 
  - A "mint" is used only to create the initial allocation of ecash.
After that it is not needed.
 
  - Complete anonymity as with Chaum ecash.
 
  - No single point of failure, distributed public databases are used.
 
  - No secret keys to be lost or stolen.
 
 [...]
 
 The issued coin list is maintained as a hash tree and so the zero
 knowledge proofs of membership are (possibly, barely) feasible.  The need
 for potentially cumbersome ZK proofs is one of the weak points of this
 proposal.

Very interesting proposal.

How communication and computationally intensive is the ZK proof as a
function of the coin list length?  Could the proof be used in a
practical system?

(I am thinking that the coin list will grow indefinitely as more coins
are used as the server nodes can't by design tell which coins are
spent).

 This feature, of being able to receive money and immediately create
 new, unrelated coins, is the enhancement that allows us to do away with
 the mint.  The mint is only needed to inject new coins into the system;
 otherwise the money supply stays constant.

Couldn't one have a mintless method of injecting new coins into the
system by using hashcash in a similar way to that proposed by Wei Dai
in b-money [1]?

ie. the protocol you describe includes the step that upon submitting a
ZK proof of knowledge of blinding factor for one of the coins in the
coin list you can at the same time submit a replacement fresh coin.

A deposit step could be that upon submitting an n-bit hashcash token
(a n-bit partial hash collision on a chosen string) you can also
submit a new coin of the corresponding denomination.  Appropriate
values for n could be chosen using the mechanisms Wei suggests in
b-money.

Other questions:

- is the ZK proof interactive?  If so this would place communication
  restrictions on spending -- payer and payee would need to be
  simultaneously online.

- what about propagation delays in updating the spent coin list --
  can't have people reusing the ZK proof at different servers
  simultaneously to get more coins than they are due, or having the
  payer deposit it simultaneously with the payee.  This could make the
  deposit step quite slow depending on network connectivity of
  servers.

Adam

[1] Wei Dai's b-money protocol: http://www.eskimo.com/~weidei/bmoney.txt
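
Added example, not part of Adam Back's message or of hashcash itself: a sketch of the deposit step described above, where an n-bit hashcash token entitles the depositor to submit a new coin of the corresponding denomination. It assumes SHA-256, the leading-zero-bits form of the partial collision, a chosen string that names the server and the coin being deposited, and a denomination that doubles with each extra bit; `DepositServer`, `chosen_string` and the other names are hypothetical.

```python
import hashlib
from itertools import count


def leading_zero_bits(digest: bytes) -> int:
    """Count the leading zero bits of a hash digest."""
    bits = 0
    for byte in digest:
        if byte:
            return bits + 8 - byte.bit_length()
        bits += 8
    return bits


def chosen_string(server: str, new_coin: bytes) -> bytes:
    """Assumed binding: the token names the server and the coin it pays for,
    so it cannot be redirected to another server or attached to another coin."""
    return server.encode() + b"|" + hashlib.sha256(new_coin).hexdigest().encode()


def work_bits(challenge: bytes, nonce: int) -> int:
    """Size of the partial collision achieved by (challenge, nonce)."""
    digest = hashlib.sha256(challenge + b"|" + str(nonce).encode()).digest()
    return leading_zero_bits(digest)


def mint(challenge: bytes, n: int) -> int:
    """Search for a nonce giving at least n bits; expected cost 2**n hashes."""
    for nonce in count():
        if work_bits(challenge, nonce) >= n:
            return nonce


class DepositServer:
    """Accepts a new coin when it arrives with enough proof of work."""

    def __init__(self, name: str, min_bits: int):
        self.name = name
        self.min_bits = min_bits      # smallest token worth one unit
        self.issued = {}              # coin -> denomination

    def deposit(self, new_coin: bytes, n: int, nonce: int) -> int:
        """Return the denomination credited, or 0 if the deposit is rejected."""
        if n < self.min_bits:
            return 0                  # too little work to be worth a coin
        if new_coin in self.issued:
            return 0                  # replay: this coin (and token) was already used
        challenge = chosen_string(self.name, new_coin)
        if work_bits(challenge, nonce) < n:
            return 0                  # claimed more work than was done
        # Each extra bit doubles the expected work, so it doubles the value.
        denomination = 2 ** (n - self.min_bits)
        self.issued[new_coin] = denomination
        return denomination


if __name__ == "__main__":
    server = DepositServer("mint.example", min_bits=12)
    coin = b"constructed-blinded-coin-1"      # constructed sample value
    nonce = mint(chosen_string(server.name, coin), 16)
    print("credited:", server.deposit(coin, 16, nonce))
    print("replay:  ", server.deposit(coin, 16, nonce))
```

Verification costs the server one hash per deposit while minting costs the depositor about 2**n, which is the asymmetry the deposit step relies on.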



Re: Smart Cards with Chips encouraged

1999-09-20 Thread Ricki Boyle

As someone involved in the US smartcard arena, a little more background is
offered for those interested in this emerging technology.




I remember Ian, Adam, someone else and I talking about the
card-in-a-floppy thing at CFP '96.

Shoulda, woulda, coulda, and all that...

Cheers,
RAH


New Hardware Could Help Web Merchants Cut Fraud

Credit card companies love the Internet, since they pocket a share of most
e-commerce transactions. But like everything in the world of revolving
credit, that love has limits. Stolen cards used to make purchases online,
in particular, cost credit card issuers millions each year -- pushing the
price of doing business on the Web higher for banks, merchants and,
ultimately, users.

Transaction fraud is important to credit card companies, as are the liability
issues. Credit card companies are in legal hot water over card holders'
payment of illegal internet activities such as gaming in states where gaming
is not permitted. In recent action on a case in California, a credit card
user is suing over $70,000 debt because the credit card company allowed
them payment access to gaming services.


So even as the major credit card companies and the banks that issue those
cards explore ways to build Internet market share, they are also looking
for creative ways to limit fraud.

Consumer and merchant authentication is also high on the agenda.

The recent launch of the American Express blue card, which comes with an
embedded computer chip, is an example of both efforts. Since the card's
chip can access a user's personal information, it will eliminate the hassle
of typing in that data in every Web purchase -- and, American Express
hopes, encourage people to use  its card. At the same time, the chip limits
the fraud by guaranteeing the shopper's identity and offering greater
protection to the buyer's information during the transaction.


The AMEX Blue Card is the start of a flood of bank smartcard initiatives.
The smartcard "chip" opens up alternative business opportunities to banks,
provides card market differentiation and establishes a smartcard
infrastructure.

Loyalty, electronic purse, micropayments, authentication, security etc as
well as desktop preferences, browser bookmarks and even software licensing
will migrate to smartcard technology. Smartcards will also appear in
internet appliances in the future as they do today in GSM mobile phones and
satellite TV receivers.

The cards also have very sophisticated crypto capabilities. We are
constantly in process of overseas and domestic export applications
addressing both hardware and software crypto issues.

Those interested can check out smartcard industry sites such as
www.smartcardforum.org or www.smartcardcentral.com as starting points. Both
SUN and MSFT have sites dedicated to smartcard OS and Visa has info on bank
related smartcard standards.

Ricki Boyle.





RE: more re Encryption Technology Limits Eased

1999-09-20 Thread Trei, Peter



 --
 [EMAIL PROTECTED][SMTP:[EMAIL PROTECTED] wrote:]
 Subject:  Re: more re Encryption Technology Limits Eased
 
 Bill Simpson said:
 
  - We just learned a few weeks ago that every copy of Windows has a
    secret NSA key.  We don't know why.  Remember the Lotus Notes secret
    NSA key fiasco that got us in trouble with the Swedish government?
    How can we ever compete, when nobody trusts our software?
 
 Just because I was in the middle of this and am personally sensitive to
 misinformation circulating about this, let me clarify the facts about
 this:
 
 Lotus Notes has since January '96 contained an NSA Public key. It has never
 been a secret. Lotus issued a press release about it at the RSA Conference
 that January and I posted a copy of that press release to cypherpunks. I
 also described it in a talk I gave at Lotusphere. It is there in support
 of the best deal we could negotiate with NSA whereby we were allowed
 to use 64 bit keys in the export version if we encrypted 24 of
 those bits under the NSA public key so that if they wanted to break a
 message they would only face a 40 bit workfactor. It is not used for
 communications between two copies of the domestic version of the product.
 The result was encryption that was as secure against the U.S. government
 as any that could legally be exported and more secure against other
 attackers.
 
 But no good deed ever goes unpunished. Periodically someone stumbles
 across that press release and reveals it as though it were some
 secret revelation. There was a PR problem in the Swedish press,
 and more recently when it was cited in a European Commission report
 on Echelon.
 
  --Charlie Kaufman
 
I concur with Charlie. It was announced at the conference,
and the press release was posted, and the issue discussed
to death on cypherpunks. It led me to coin the
term 'espionage enabled' to describe this class of 
weakened security (this was before I came to work for my
current employer).

I've been slightly bemused by the Swedish government's
claims to have discovered some deep, dark secret. What
it really shows is that government's failure to do
due diligence.

Peter Trei
[EMAIL PROTECTED]

Disclaimer: I am not speaking for my employer.







Re: Ecash without a mint

1999-09-20 Thread Wei Dai

On Mon, Sep 20, 1999 at 03:46:39PM +0100, Adam Back wrote:
 How communication and computationally intensive is the ZK proof as a
 function of the coin list length?  Could the proof be used in a
 practical system?

The complexity is polylog in the number of coins, but unfortunately it is
not practical yet because the (noninteractive) ZK proofs use generic ZK
constructions rather than known efficient ZK proof systems (though the
authors say they are working on a practical version). 

 Couldn't one have a mintless method of injecting new coins into the
 system by using hashcash in a similar way to that proposed by Wei Dai
 in b-money [1]?

I propose as an alternative to the above that (when it becomes practical) 
we use Sander and Ta-Shma's protocol as a subprotocol in b-money to obtain
payer-payee unlinkability. (Payers and payees in b-money are pseudonyms,
but in the basic protocol the pseudonyms can be linked by payer-payee
relationships.)  Each round the Sander-Ta-Shma protocol is run, and whoever
wants to pay converts b-money into coins and sends them to payees. Payees
must convert coins back into b-money during the same round (the coin
database is wiped between rounds).  This way the size of the distributed
database is minimized.

BTW Sander and Ta-Shma's paper is available at
http://www.icsi.berkeley.edu/~sander/publications/audit.ps.



Re: Ecash without a mint

1999-09-20 Thread Anonymous

 How communication and computationally intensive is the ZK proof as a
 function of the coin list length?  Could the proof be used in a
 practical system?

According to the Crypto 99 paper, the ZK proof takes resources O(log^2(N)),
where N is the number of coins issued.  However they are vague about the
details of the proof itself.  They also mention an alternative way of
proving list membership due to Benaloh and de Mare, which would be of
order log(N), very efficient.

 (I am thinking that the coin list will grow indefinitely as more coins
 are used as the server nodes can't by design tell which coins are
 spent).

You can deal with this by starting up a new issued coin list periodically.
Then the spender has to indicate which list his coin is in, which leaks
info about the age of the coin, or everyone needs to exchange old coins
for new ones when the lists change over.  A similar idea can be used
for the spent coin list.

 Couldn't one have a mintless method of injecting new coins into the
 system by using hashcash in a similar way to that proposed by Wei Dai
 in b-money [1]?

 ie. the protocol you describe includes the step that upon submitting a
 ZK proof of knowledge of blinding factor for one of the coins in the
 coin list you can at the same time submit a replacement fresh coin.

 A deposit step could be that upon submitting an n-bit hashcash token
 (a n-bit partial hash collision on a chosen string) you can also
 submit a new coin of the corresponding denomination.  Appropriate
 values for n could be chosen using the mechanisms Wei suggests in
 b-money.

Yeah, neat idea!  With b-money, newly minted value goes directly into
someone's account, but if it was used instead to create an anonymous
coin you would have an accountless system.  In that case you don't even
need the mint for the initial phase.

One problem though.  For b-money, you have to expend resources equal
in value to the money you generate.  That means that if you wanted to
re-create the U.S. money supply of a trillion dollars, you would have
to waste a trillion dollars worth of computing cycles.  Not exactly an
attractive proposition.

What you might want to do, then, is to let people convert other forms
of money into these ecoins to get things going initially.  Then use
b-money to create more if they are needed over the long term.  This way
you avoid the huge startup costs with b-money.

 - is the ZK proof interactive?  If so this would place communication
   restrictions on spending -- payer and payee would need to be
   simultaneously online.

In the paper it is interactive, but they are presenting a Chaum style
offline system which has the user's identity encoded in each coin
such that it is revealed if you double spend.  With an online system
this is not necessary and then it looks like the ZK proof could be
non interactive.

 - what about propagation delays in updating the spent coin list --
   can't have people reusing the ZK proof at different servers
   simultaneously to get more coins than they are due, or having the
   payer deposit it simultaneously with the payee.  This could make the
   deposit step quite slow depending on network connectivity of
   servers.

Yes, clearly the network servers would need to have extreme connectivity
by today's standards.  There must be an atomic update step so that the
coin recipient can know that he has deposited his coin successfully
and got his replacement into the database before he ships the goods.
This would have to happen every time anyone makes a purchase online.
The volume of such transactions is mind boggling.



Re: Ecash without a mint

1999-09-20 Thread bram

On Mon, 20 Sep 1999, Adam Back wrote:

 - is the ZK proof interactive?  If so this would place communication
   restrictions on spending -- payer and payee would need to be
   simultaneously online.

Interactive ZK proofs can be made non-interactive by generating an
encoding of the information offered by the prover, and using the bits of
the secure hash of that as the challenges by the provee.

-Bram
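
Added example, not part of the thread: the transformation Bram describes (the Fiat-Shamir heuristic), shown on Schnorr's proof of knowledge of a discrete logarithm as a stand-in for the coin proof, with the interactive round beside the non-interactive one. The modulus, the base and the `context` string that ties a proof to one replacement coin are assumptions chosen for illustration; a deployment would use a vetted prime-order group.

```python
import hashlib
import secrets

# Illustrative parameters only: arithmetic modulo the prime 2**255 - 19 with
# base 2. Exponents are reduced modulo P - 1 (Fermat's little theorem).
P = 2**255 - 19
G = 2
ORDER = P - 1


def keygen():
    """Secret x and public value y = G**x mod P."""
    x = secrets.randbelow(ORDER - 1) + 1
    return x, pow(G, x, P)


def commit():
    """Prover's first message: t = G**k for a fresh random k."""
    k = secrets.randbelow(ORDER)
    return k, pow(G, k, P)


def respond(x: int, k: int, c: int) -> int:
    """Prover's answer to challenge c."""
    return (k + c * x) % ORDER


def check(y: int, t: int, c: int, s: int) -> bool:
    """Verifier's equation: G**s == t * y**c (mod P)."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def interactive_round(x: int, y: int) -> bool:
    """Three-move protocol: both parties must be online at the same time."""
    k, t = commit()                    # prover -> verifier
    c = secrets.randbits(256)          # verifier -> prover (random challenge)
    s = respond(x, k, c)               # prover -> verifier
    return check(y, t, c, s)


def hash_challenge(y: int, t: int, context: bytes) -> int:
    """Challenge bits taken from a secure hash of what the prover offered.
    Hashing the statement and a context string as well as the commitment
    means the proof cannot be reused for another key or another coin."""
    data = b"|".join(str(v).encode() for v in (G, P, y, t)) + b"|" + context
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def prove(x: int, context: bytes):
    """Non-interactive proof: the hash plays the verifier's part."""
    y = pow(G, x, P)
    k, t = commit()
    c = hash_challenge(y, t, context)
    return t, respond(x, k, c)


def verify(y: int, proof, context: bytes) -> bool:
    """Anyone can check the proof later, with no message back to the prover."""
    t, s = proof
    if not (0 < t < P and 0 <= s < ORDER):
        return False
    return check(y, t, hash_challenge(y, t, context), s)


if __name__ == "__main__":
    x, y = keygen()
    proof = prove(x, b"replacement-coin-A")    # constructed context value
    print("interactive:", interactive_round(x, y))
    print("offline ok: ", verify(y, proof, b"replacement-coin-A"))
    print("other coin: ", verify(y, proof, b"replacement-coin-B"))
```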




Re: Ecash without a mint

1999-09-20 Thread Wei Dai

On Mon, Sep 20, 1999 at 03:46:39PM +0100, Adam Back wrote:
 [1] Wei Dai's b-money protocol: http://www.eskimo.com/~weidei/bmoney.txt

BTW, the correct URL is http://www.eskimo.com/~weidai/bmoney.txt.



Good crypto products?

1999-09-20 Thread Rob Lemos




Can anyone recommend a good product for encrypting information on the fly,
meaning encrypt the file when you close it and decrypt it when you open it.
It would also be nice if it would ask you whether you wanted the file you
are just closing to be encrypted. That is, it builds a list as you use your
computer, rather than requiring the user to be explicit up front.

PGP requires too many steps to be truly useful here. Any suggestions?

-R





Re: Secure Digital Memory Chip??

1999-09-20 Thread Robert Hettinga


--- begin forwarded text


Resent-Date: Mon, 20 Sep 1999 14:43:10 -0400
Date: Mon, 20 Sep 1999 11:28:35 -0700 (PDT)
From: Peter A Pongracz-Bartha [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Secure Digital Memory Chip??
To: [EMAIL PROTECTED]
Resent-From: [EMAIL PROTECTED]
Resent-Sender: [EMAIL PROTECTED]
Resent-Bcc:

I think it was Scientific American within the last 2-3 months.
I won't check right now, but it could be I really saw it in
CACM, or IEEE/Computer instead.

Basically a MEMS research project where you have a keyed pinblock
that is driven by electronics, but can't be spoofed like existing
smart card solutions. That is, you can't use fault-injection (via
microwaves or other means) then analyze the resultant output to
make it orders of magnitude easier to break the key.

I'd like to see what Ron Rivest thinks of this. He's probably commented
on it in a crypto list somewhere.

Peter


On Mon, 20 Sep 1999, Carlos Mora wrote:

 A friend of mine just mentioned that he had read in
 some paper about a "secure digital memory chip" or
 "secure miniature memory chip".



--- end forwarded text


-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



Cracking the Code

1999-09-20 Thread Anonymous

[Excerpt from CATO Update, 20 Sept. 1999:]

The Cato Institute released a new Cato Briefing Paper, "Strong
Cryptography: The Global Tide of Change," as the Clinton
administration was announcing a relaxation in controls on the export
of encryption technology. In the paper, Arnold G. Reinhold writes that
for years the U.S. government has struggled unsuccessfully to control
the export of encryption. Those ineffectual controls adversely affect
the competitive position of the U.S. software industry and national
security. Despite the controls, powerful encryption products are
increasingly available around the world.

http://www.cato.org/pubs/briefs/bp-051es.html







Re: Ecash without a mint

1999-09-20 Thread Wei Dai

On Mon, Sep 20, 1999 at 09:02:17PM +0200, Anonymous wrote:
 Yeah, neat idea!  With b-money, newly minted value goes directly into
 someone's account, but if it was used instead to create an anonymous
 coin you would have an accountless system.  In that case you don't even
 need the mint for the initial phase.

The account-based aspect is what enables the contract enforcement in
b-money. You would lose that by going to an accountless system. What is the
advantage of not having accounts (other than payer-payee unlinkability,
which can be obtained by using Sander-Ta-Shma as the payment subprotocol
of b-money)?

 One problem though.  For b-money, you have to expend resources equal
 in value to the money you generate.  That means that if you wanted to
 re-create the U.S. money supply of a trillion dollars, you would have
 to waste a trillion dollars worth of computing cycles.  Not exactly an
 attractive proposition.

Unfortunately it seems unavoidable unless you have a trusted party control
the money supply. You'd have the same problem if you used gold as the money
supply, for example.

 What you might want to do, then, is to let people convert other forms
 of money into these ecoins to get things going initially.  Then use
 b-money to create more if they are needed over the long term.  This way
 you avoid the huge startup costs with b-money.

How do you propose letting people do this without having a trusted party?
The only thing I can think of is broadcasting video clips of people burning
their paper money, but it would be hard to verify the authenticity of the
money being burnt.



Re: Ecash without a mint

1999-09-20 Thread Robert Hettinga

At 1:52 PM -0700 on 9/20/99, Wei Dai wrote:


 Unfortunately it seems unavoidable unless you have a trusted party control
 the money supply.

Yes. In business, they call this quaint phenomenon "financial 
intermediation". ;-).

Seriously, if you have *lots* of intermediaries in competition, the 
situation is *quite* stable and very robust, which is the whole point 
of free banking.

Cheers,
RAH



Re: fc00 boat charter

1999-09-20 Thread Robert Hettinga

Let's see if the fc00 list is up yet. I bet it isn't...

At 3:52 PM -0400 on 9/20/99, Declan McCullagh wrote, on cypherpunks:


 Just maybe. Depends on how long it takes -- I can't justify an overwhelming
 amount of time away from the office. Seems to me there'd be a huge
 difference in terms of time and cost from Boston and Miami. (Heck, how
 about Norfolk or somewhere in MD/VA near DC?)

Quite a long haul from either place, in fact, and I'd rather *sail*, 
anyway :-).

Of course, booking a block of cruise-ship rooms out of Miami, or San 
Juan, or St. Thomas even, might not be a bad thing. Can't really 
expect it to park in Anguilla for a week, though, as Ryan notes below.


I've been kicking around the idea of boat-cabin-as-hotel-room ever 
since we started the Financial Cryptography conference; you can't 
look down on the brilliant turquoise water of Sandy Ground from the 
cliff near the InterIsland by Raffi's and *not* imagine sitting on 
the world's greatest back porch, Rum-something-or-other in hand, 
watching the sun go down. We could never make it work out, for one 
reason or another.

This year, however, a friend on our Boston harbor round-the-cans crew 
owns a 50-footer for charter out of Virgin Gorda, and some of that 
crew, and some sailing FCXX regulars, and I, have been kicking around 
the idea pretty seriously between tacks and climbs to the next high 
side. I've got 5 to 8 people so far, I think, which probably fills 
the boat at the high side of *that*, though people will probably sign 
on and drop off. We're probably looking at two weeks on the boat, 
with various people dropping in and out at various locations. We 
haven't figured out whether we'd start in the BVIs or end there, 
though. And, of course, the idea is to park on Sandy Ground for the 
conference no matter what we do. I have to be on Anguilla some part 
of the weekend before and/or after, but, besides that, it doesn't 
matter to me, when or where we sail at all :-).

I can see it now... Do the conference in the AM, and sail a bit in 
the PM... Yes, boys and girls, there *is* a reason I invented the 
conference with *no* afternoon sessions... :-).


Chartering a sailboat on Saint Martin/Maarten (the island is 
French/Dutch and has a nice, big runway with lots of direct flights 
to Europe and the States) and sailing over to Anguilla is pretty 
straightforward, and the only reason we're even thinking about 
sailing a boat, overnight, out of sight of land, all the way across 
the Gut from the Virgins is, well, because we *can*, :-), having a 
boat full of sailing "ringers", as it were.

But, however you want to do it, FC00 is in the middle of the Caribbean 
high season, so getting your boat chartered should be done quickly, 
if it's still even possible.

Cheers,
RAH

At 3:52 PM -0400 on 9/20/99, Declan McCullagh wrote, on cypherpunks:


 Just maybe. Depends on how long it takes -- I can't justify an overwhelming
 amount of time away from the office. Seems to me there'd be a huge
 difference in terms of time and cost from Boston and Miami. (Heck, how
 about Norfolk or somewhere in MD/VA near DC?)

 -Declan


 At 05:25 9/19/1999 -0700, Ryan Lackey wrote:
Would anyone be interested in potentially chartering a boat (or block-booking
on a cruise) from a major East Coast city (probably Boston, NYC, Miami)
to Anguilla for fc00?  It'll certainly not be a cost savings over
flying, but would be far more fun.  This idea came up last year, but didn't
happen.

(a cruise would presumably terminate in Sint Maarten, which is an 8 nm
ferry away; a chartered boat could hang around and be housing...)

There are also possibilities for getting group airfare from SFO to
cruise port in the US...

--
[EMAIL PROTECTED]
http://www.venona.com/rdl/
1024D/4096g 0xD2E0301F B8B8 3D95 F940 9760 C64B  DE90 07AD BE07 D2E0 301F





RE: Smart Cards with Chips encouraged

1999-09-20 Thread Lucky Green

Fisher International has been shipping their Smarty smartcard reader in a
floppy for years. The Smarty was an evolution of Fisher's SafeBoot token,
also in a floppy form factor. I received a free SafeBoot kit at the 1994 or
1995 RSA conference.

--Lucky Green [EMAIL PROTECTED]

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
 Behalf Of Robert Hettinga
 Sent: Monday, September 20, 1999 07:27
 To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; Digital Bearer
 Settlement List
 Subject: IP: Smart Cards with Chips encouraged


 I remember Ian, Adam, someone else and I talking about the
 card-in-a-floppy thing at CFP '96.

 Shoulda, woulda, coulda, and all that...

 Cheers,
 RAH

 --- begin forwarded text


 From: [EMAIL PROTECTED]
 Date: Mon, 20 Sep 1999 08:50:44 -0500
 To: [EMAIL PROTECTED]
 Subject: IP: Smart Cards with Chips encouraged
 Cc: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]

 Source:  New York Times
 http://www.nytimes.com/library/tech/99/09/cyber/commerce/20commerce.html

 September 20, 1999

 By BOB TEDESCHI

 New Hardware Could Help Web Merchants Cut Fraud

 Credit card companies love the Internet, since they pocket a share of most
 e-commerce transactions. But like everything in the world of revolving
 credit, that love has limits. Stolen cards used to make purchases online,
 in particular, cost credit card issuers millions each year -- pushing the
 price of doing business on the Web higher for banks, merchants and,
 ultimately, users.

 So even as the major credit card companies and the banks that issue those
 cards explore ways to build Internet market share, they are also looking
 for creative ways to limit fraud.

 The recent launch of the American Express blue card, which comes with an
 embedded computer chip, is an example of both efforts. Since the card's
 chip can access a user's personal information, it will eliminate the hassle
 of typing in that data in every Web purchase -- and, American Express
 hopes, encourage people to use its card. At the same time, the chip limits
 the fraud by guaranteeing the shopper's identity and offering greater
 protection to the buyer's information during the transaction.

 The key to these features is a piece of computer hardware that, until now,
 has been foreign to the desktop: a credit card reading device. Starting in
 November, blue card owners will be able to obtain such a device, which they
 will be able to plug into their PC's, enabling them to swipe the card at
 home much like a sales clerk would at a retail store.

 Other credit card issuers are exploring similar technologies. One company
 that makes a card-reading device for personal computers, UTM Systems,
 recently announced that four major U.S. banks affiliated with both Visa and
 Mastercard International will begin distributing its system free to
 consumers before the end of the year. UTM's founder and chief executive,
 Robert Lee, declined to name the banks, but said they served "well over 10
 million customers."

 The device, which costs the card issuers $6 a unit, is simple. When a user
 is ready to make an online purchase, the credit or debit card is placed in
 the UTM card reader, which is inserted into a floppy disk drive. A small
 window then appears on screen, asks for a personal identification number
 and sends the encrypted information to the retail site. When the
 transaction is complete, the window disappears.

 David Robertson, president of the Nilson Report, a credit card industry
 newsletter, predicted that credit card companies would be aggressive in
 spreading such technologies. "American Express is the first, but you'll see
 everyone start to do this by the end of the first quarter of next year," he
 said. "It's inevitable."

 From the standpoint of fraud prevention, card issuers have great incentive
 to promote the devices, he said. Issuers lose roughly 8 cents for every
 $100 in online sales to fraudulent card use -- "slightly higher than the
 market at large, but it's growing," Robertson said.

 "The industry has been fabulously successful at pushing fraud down in
 general," he added. "But that just highlights the liability associated with
 the Internet."

 Which is not to say that Visa, American Express and Mastercard are stepping
 lightly into the electronic frontier. Each has begun major Internet-related
 advertising efforts, of which Visa's is the most aggressive. According to
 the Nilson Report, 59 percent of Internet credit card purchases are made
 with Visa, 28 percent with Mastercard and 12 percent with American Express.
 Off line, Visa has a 51 percent share, compared with 25 percent for
 Mastercard and 17 percent for American Express.

 In part, the success of PC-based credit card readers hinges on how secure
 consumers feel about credit card transactions on the Web. While such
 devices in fact provide users more security than typical Internet
 transactions, surveys indicate that consumers