Re: NSA Suite B Cryptography
Excerpt from Fact Sheet on NSA Suite B Cryptography
http://www.nsa.gov/ia/industry/crypto_suite_b.cfm

> NSA has determined that beyond the 1024-bit public key cryptography in common use today, rather than increase key sizes beyond 1024-bits, a switch to elliptic curve technology is warranted.
>
> In order to facilitate adoption of Suite B by industry, NSA has licensed the rights to 26 patents held by Certicom Inc. covering a variety of elliptic curve technology. Under the license, NSA has a right to sublicense vendors building equipment or components in support of US national security interests.

Does this prevent free software interoperability with Suite B standards?

It potentially could be used to block non-US vendors, certainly anyone who is in the US Government's disfavor, but it seems to me that even with no further intentional action by the NSA it would preclude software under the GPL and maybe FOSS in general in countries in which the patents are valid.

-- 
Sidney Markowitz
http://www.sidney.com

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: US Banks: Training the next generation of phishing victims
I probably wasted more time than anybody on this crazy topic, and in particular:

1. I keep a `Hall of Shame` site of such unprotected login pages (even got me a DigiCrime title: Inter-Net Fraud League Commissioner!)

2. With others, we develop TrustBar, an improved security indicator toolbar for Firefox, which also tries to protect users of unprotected login pages, e.g. by automatically redirecting to protected pages when found.

Some results/observations:

1. Few companies that had a dialog with me said their marketing/site design folks insist on login via the homepage, claiming this is so much better for consumers compared to a separate login page. I see this as a very very extreme case of `usability beats security`.

2. Same companies also claimed that using SSL on the homepage is too much overhead. Extreme case of `performance beats security`.

3. One company responded (to my warning of their unprotected login and the fact I'm going to add them to the `hall of shame`) by legal threats. Typical case of `pay lawyers a lot, to avoid doing things right`.

4. One company sent me coupons for free trades. Rare example, I'm afraid...

-- 
Best regards,

Amir Herzberg
Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com
Try TrustBar - improved browser security UI: http://AmirHerzberg.com/TrustBar
Visit my Hall Of Shame of Unprotected Login pages: http://AmirHerzberg.com/shame
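An added check in the spirit of the Hall of Shame above (example code, not Amir's and not part of TrustBar): it parses a page's HTML and flags any login form that is either served from a plain-HTTP page or posts to a plain-HTTP URL. The sample pages and hostnames are constructed for the example.

```python
# Added example, not from the original post. A login form is flagged when
# either the page carrying it or the URL it posts to is plain HTTP: whoever
# can alter an HTTP homepage can point the form anywhere, so an HTTPS form
# action on an HTTP page protects nothing. Constructed HTML only.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect each <form> as [action, has_password_field]."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = [a.get("action") or "", False]
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current[1] = True        # mutates the list stored in self.forms

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_unprotected_logins(page_url, html):
    """Return (reason, post_url) for every login form not protected end to end;
    an empty list means every login form on the page is fine."""
    scanner = _FormScanner()
    scanner.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for action, has_password in scanner.forms:
        if not has_password:
            continue                                  # not a login form
        post_url = urljoin(page_url, action)          # relative actions resolve against the page
        if page_scheme != "https":
            findings.append(("login form served on a plain HTTP page", post_url))
        elif urlsplit(post_url).scheme.lower() != "https":
            findings.append(("login form posts credentials over plain HTTP", post_url))
    return findings


# Constructed sample: the "login via the homepage" pattern, with an HTTPS action.
HOMEPAGE = '<form action="https://login.example.test/auth"><input type="password" name="p"></form>'
```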
Re: NSA Suite B Cryptography
Sidney Markowitz wrote:

> Excerpt from Fact Sheet on NSA Suite B Cryptography
> http://www.nsa.gov/ia/industry/crypto_suite_b.cfm
>
> > NSA has determined that beyond the 1024-bit public key cryptography in common use today, rather than increase key sizes beyond 1024-bits, a switch to elliptic curve technology is warranted.
> >
> > In order to facilitate adoption of Suite B by industry, NSA has licensed the rights to 26 patents held by Certicom Inc. covering a variety of elliptic curve technology. Under the license, NSA has a right to sublicense vendors building equipment or components in support of US national security interests.
>
> Does this prevent free software interoperability with Suite B standards?
>
> It potentially could be used to block non-US vendors, certainly anyone who is in the US Government's disfavor, but it seems to me that even with no further intentional action by the NSA it would preclude software under the GPL and maybe FOSS in general in countries in which the patents are valid.

When questioned about this at IETF (the NSA presented on this stuff) they said that the licence they had purchased would cover open source s/w. But yes, it could be that the NSA has to approve of the particular piece of s/w.

Incidentally, why the focus on GPL?

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
Re: NSA Suite B Cryptography
Sidney Markowitz wrote:

> Excerpt from Fact Sheet on NSA Suite B Cryptography
> http://www.nsa.gov/ia/industry/crypto_suite_b.cfm
>
> > NSA has determined that beyond the 1024-bit public key cryptography in common use today, rather than increase key sizes beyond 1024-bits, a switch to elliptic curve technology is warranted.
> >
> > In order to facilitate adoption of Suite B by industry, NSA has licensed the rights to 26 patents held by Certicom Inc. covering a variety of elliptic curve technology. Under the license, NSA has a right to sublicense vendors building equipment or components in support of US national security interests.
>
> Does this prevent free software interoperability with Suite B standards?
>
> It potentially could be used to block non-US vendors, certainly anyone who is in the US Government's disfavor, but it seems to me that even with no further intentional action by the NSA it would preclude software under the GPL and maybe FOSS in general in countries in which the patents are valid.

I didn't read it that way at all. AFAICS, the NSA has acquired the licences it needs to deliver (have delivered) software to its government customers. As all the government customers will need to use approved software anyway, it will be acquired on some approved list, and the licences will be automatically extended.

Anyone outside the national security market will need to negotiate separately with Certicom if they need to use it. This represents a big subsidy to Certicom, but as they are a Canadian company it is harder to argue against on purely statist grounds.

Which is to say, NSA solved its problem and it is nothing to do with FOSS.

The big question (to me perhaps) is where and how far the Certicom patents are granted. If they are widely granted across the world then the software standards won't spread as there won't be enough of an initial free market to make it bloom (like happened to RSA).

But if for example they are not granted in Europe then Europeans will get the free ride on NSA DD and this will cause the package to become widespread, which will create the market in the US.

Of course predicting the future is tough...

iang
[Clips] Lloyds steps up online security (SecureID)
--- begin forwarded text

Delivered-To: [EMAIL PROTECTED]
Date: Fri, 14 Oct 2005 10:44:32 -0400
To: Philodox Clips List [EMAIL PROTECTED]
From: R.A. Hettinga [EMAIL PROTECTED]
Subject: [Clips] Lloyds steps up online security (SecureID)
Reply-To: [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]

http://news.bbc.co.uk/1/low/business/4340898.stm

The BBC
Friday, 14 October 2005, 10:46 GMT 11:46 UK

Lloyds steps up online security

Lloyds TSB is to trial a new security system for online banking customers, in an attempt to beat internet fraud.

About 30,000 customers will receive keyring-sized security devices, which generate a six-digit code to be used alongside usernames and passwords.

The code, which changes every 30 seconds, could help fight fraudsters who hack people's PCs or use phishing emails to steal login details.

Similar systems are already in use in Asia, Scandinavia and Australia.

Password sniffers

Until now, Lloyds TSB has used a two-stage system for identifying its customers.

First, users must enter a username and password. Then, on a second screen, they are asked to use drop-down menus to choose three letters from a self-chosen memorable piece of information.

The aim of using menus rather than the keyboard has been to defeat so-called keyloggers, tiny bits of software which can be used by hackers who have breached a PC's security to read every key pressed and thus sniff out passwords.

But newer keyloggers now also take screenshots, which can reveal the entire memorable word after the bank's website has been used just a few times.

Alternatively, fraudsters use phishing emails, which tempt customers to log onto a fake banking website and enter their details.

Lloyds says that about £12m was lost to this kind of scam in 2004 - but it warns that attacks are multiplying fast.

One-time deal

The bank says it is guaranteeing that they will not suffer from losses even if their PCs are compromised, as long as they have not - for instance - given their password away intentionally.

This stance contrasts with warnings from some other banks - notably HSBC - that in future customers could be held responsible if they do not keep security up to date on their machines.

But Lloyds also hopes that its trial system could effectively toughen up customer access - regardless of the state of their computer.

The customers testing Lloyds TSB's new system will press a button on their device to generate a new six-digit number every time they log on. They will do the same every time they need to confirm a transaction, instead of simply repeating their password.

Lloyds TSB hopes the move will mean keyloggers and phishing emails will not have time to use any details they collect.

"Fraudsters are becoming increasingly cunning with their tactics, and there's no hiding the fact that fraud is on the increase," said Matthew Timms, Lloyds TSB's internet banking director.

Other banks are trying different devices, and Mr Timms acknowledged that the keyring-style token would probably not be the final format.

"The journey we're on will probably end up as a card which can do both internet banking and card-not-present (credit card) transactions," he said.

-- 
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

___
Clips mailing list
[EMAIL PROTECTED]
http://www.philodox.com/mailman/listinfo/clips

--- end forwarded text
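The article describes the token only from the outside (six digits, a new code every 30 seconds, one code per login and per transaction). As an added illustration that is not from the article or from Lloyds, here is the server side of the standardised equivalent, TOTP (RFC 6238 over HMAC-SHA1), with the two properties that make a captured code useless to a keylogger or phishing site: the code is only valid for its 30-second step (plus one step of clock drift), and a code that has already been accepted is refused if presented again. The secret is the RFC 6238 test-vector key; user names are made up.

```python
# Added example, not from the article. Standard TOTP (RFC 6238, HMAC-SHA1),
# used here as the documented analogue of the proprietary token described
# above. The verifier tolerates one step of clock drift in either direction
# and rejects any step it has already accepted, so a code stolen in flight
# cannot be replayed even inside its own 30-second window.
import hashlib
import hmac
import struct

STEP = 30       # seconds per code, as in the article
DIGITS = 6
DRIFT = 1       # also accept the previous and next time step


def totp(secret: bytes, unix_time: int) -> str:
    """Derive the code for the 30-second step containing unix_time."""
    counter = unix_time // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


class Verifier:
    """Server-side check that remembers, per user, the highest time step already
    consumed, so the same code is never accepted twice."""

    def __init__(self, secrets: dict):
        self.secrets = secrets      # user -> shared secret bytes (provisioned with the token)
        self.last_step = {}         # user -> last accepted time step

    def verify(self, user: str, code: str, now: int) -> bool:
        secret = self.secrets.get(user)
        if secret is None or len(code) != DIGITS:
            return False
        current = now // STEP
        for step in range(current - DRIFT, current + DRIFT + 1):
            if step <= self.last_step.get(user, -1):
                continue                                      # already used: replay
            if hmac.compare_digest(totp(secret, step * STEP), code):
                self.last_step[user] = step
                return True
        return False
```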
Re: NSA Suite B Cryptography
Ian G wrote:

> Which is to say, NSA solved its problem and it is nothing to do with FOSS.

If you wrote a Suite B program and distributed it under a BSD license after getting a sub-license for the patent from the NSA, presumably I could take that code, modify it, and then in order to use or distribute my modified code I would have to obtain my own sublicense from the NSA. I could do that as long as I met whatever criteria the NSA has for granting sublicenses. My guess is that at a minimum the program would have to be available for free or for sale to the US government for some purpose that allows it to be considered as being in support of US national security interests. It would make no sense for the NSA to grant a sublicense to you that allowed you to grant me a license to produce possibly proprietary code that infringes the patent and is not in support of US national security interests.

So, yes, under those assumptions BSD-like licenses would not be excluded, with the understanding that in addition to the copyright terms allowing free use of the code there would also be patent restrictions affecting the use.

As you say, the NSA's solution to their problem has nothing to do with FOSS, and it doesn't specifically exclude FOSS. But it will preclude GPL software that will interoperate with Suite B from being distributed in countries that recognize the patents.

Unless, I suppose, the NSA is able to say that any use of the patent in open source software can be considered in support of US national security interests and therefore the sublicense can be propagated as long as the source remains available. In other words, if they include a GPL-like provision that the patent license will stay with the code as long as it is distributed under GPL. That would be an interesting twist.

-- 
Sidney Markowitz
http://www.sidney.com