Sunday Book Review > Goodbye to Privacy

2005-05-20 Thread R.A. Hettinga


The New York Times

April 10, 2005

Goodbye to Privacy
 By WILLIAM SAFIRE


 NO PLACE TO HIDE
By Robert O'Harrow Jr.
 348 pp. The Free Press. $26.

 CHATTER
Dispatches From the Secret World of Global Eavesdropping.
By Patrick Radden Keefe.
 300 pp. Random House. $24.95.

YOUR mother's maiden name is not the secret you think it is. That sort of
''personal identifier'' being used by banks, credit agencies, doctors,
insurers and retailers -- supposedly to protect you against the theft of
your identity -- can be found out in a flash from a member of the new
security-industrial complex. There goes the ''personal identifier'' that
you presume a stranger would not know, along with your Social Security
number and soon your face and DNA.

 In the past five years, what most of us only recently thought of as
''nobody's business'' has become the big business of everybody's business.
Perhaps you are one of the 30 million Americans who pay for what you think
is an unlisted telephone number to protect your privacy. But when you order
an item using an 800 number, your own number may become fair game for any
retailer who subscribes to one of the booming corporate data-collection
services. In turn, those services may be -- and some have been --
penetrated by identity thieves.

 The computer's ability to collect an infinity of data about individuals --
tracking every movement and purchase, assembling facts and traits in a
personal dossier, forgetting nothing -- was in place before 9/11. But among
the unremarked casualties of that day was a value that Americans once
treasured: personal privacy.

 The first civil-liberty fire wall to fall was the one within government
that separated the domestic security powers of the F.B.I. from the more
intrusive foreign surveillance powers of the C.I.A. The 9/11 commission
successfully mobilized public opinion to put dot-connection first and
privacy protection last. But the second fire wall crumbled with far less
public notice or approval: that was the separation between law enforcement
recordkeeping and commercial market research. Almost overnight, the law's
suspect list married the corporations' prospect list.

 The hasty, troubling merger of these two increasingly powerful forces
capable of encroaching on the personal freedom of American citizens is the
subject of two new books.

 Robert O'Harrow Jr.'s ''No Place to Hide'' might just do for privacy
protection what Rachel Carson's ''Silent Spring'' did for environmental
protection nearly a half-century ago. The author, a reporter for The
Washington Post, does not write in anger. Sputtering outrage, which
characterizes the writing of many of us in the anti-snooping minority, is
not O'Harrow's style. His is the work of a careful, thorough, enterprising
reporter, possibly the only one assigned to the privacy beat by a major
American newspaper. He has interviewed many of the major, and largely
unknown, players in the world of surveillance and dossier assembly, and
provides extensive source notes in the back of his book. He not only
reports their professions of patriotism and plausible arguments about the
necessity of screening to security, but explains the profitability to
modern business of ''consumer relationship management.''

 ''No Place to Hide'' -- its title taken from George W. Bush's post-9/11
warning to terrorists -- is all the more damning because of its
fair-mindedness. O'Harrow notes that many consumers find it convenient to
be in a marketing dossier that knows their personal preferences, habits,
income, professional and sexual activity, entertainment and travel
interests and foibles. These intimately profiled people are untroubled by
the device placed in the car they rent that records their speed and
location, the keystroke logger that reads the characters they type, the
plastic hotel key that transmits the frequency and time of entries and
exits or the hidden camera that takes their picture at a Super Bowl or
tourist attraction. They fill out cards revealing personal data to get a
warranty, unaware that the warranties are already provided by law. ''Even
as people fret about corporate intrusiveness,'' O'Harrow writes about a
searching survey of subscribers taken by Conde Nast Publications, ''they
often willingly, even eagerly, part with intimate details about their
lives.''

 Such acquiescence ends -- for a while -- when snoopers get caught spilling
their data to thieves or exposing the extent of their operations. The
industry took some heat when a young New Hampshire woman was murdered by a
stalker who bought her Social Security number and address from an online
information service. But its lobbyists managed to extract the teeth from
Senator Judd Gregg's proposed legislation, and the intercorporate trading
of supposedly confidential Social Security numbers has mushroomed. When an
article in The New York Times by John Marko

U.S. Seeks Access to Bank Records to Deter Terror

2005-05-20 Thread R.A. Hettinga


The New York Times

April 10, 2005

U.S. Seeks Access to Bank Records to Deter Terror
 By ERIC LICHTBLAU


WASHINGTON, April 9 - The Bush administration is developing a plan to give
the government access to possibly hundreds of millions of international
banking records in an effort to trace and deter terrorist financing, even
as many bankers say they already feel besieged by government antiterrorism
rules that they consider overly burdensome.

 The initiative, as conceived by a working group within the Treasury
Department, would vastly expand the government's database of financial
transactions by gaining access to logs of international wire transfers into
and out of American banks. Such overseas transactions were used by the
Sept. 11 hijackers to wire more than $130,000, officials said, and are
still believed to be vulnerable to terrorist financiers.

 Government officials said in interviews that the effort, which grew out of
a brief, little-noticed provision in the intelligence reform bill passed by
Congress in December, would give them the tools to track leads on specific
suspects and, more broadly, to analyze patterns in terrorist financing and
other financial crimes. They said they were mindful of privacy concerns
that such a system is likely to provoke and wanted to include safeguards to
prevent misuse of what would amount to an enormous cache of financial
records.

The provision authorized the Treasury Department to pursue regulations
requiring financial institutions to turn over "certain cross-border
electronic transmittals of funds" that may be needed in combating money
laundering and terrorist financing.

The plan for tracking overseas wire transfers is likely to intensify
pressure on banks and other financial institutions to comply with the
expanding base of provisions to fight money laundering, industry and
government officials agreed. The government's aggressive tactics since the
attacks of Sept. 11, 2001, have already caused something of a backlash
among banking compliance officers - and even some federal officials, who
say the effort has gone too far in penalizing the financial sector for
lapses and has effectively criminalized what were once seen as technical
violations.

The initiative, still in its preliminary stages, reflects heightened
concerns by administration and Congressional officials about the
government's ability to track and disrupt financing for terrorist
operations by Al Qaeda and other groups - an effort identified by President
Bush as a top priority in the campaign against terrorism.

 Terrorist money has been difficult to identify, much less seize, in part
because terror operations are conducted on relative shoestring budgets.
Planning and operations for the attacks on Sept. 11, 2001, were believed to
have cost Al Qaeda $400,000 to $500,000, with no unusual transactions
found, according to the 9/11 commission, and the 1998 embassy bombings in
East Africa cost only $10,000.

 While counterterrorism officials have made some inroads in tracking
terrorist money, clear successes have been few and sporadic, experts say,
and a number of recent reports have pointed up concerns about the
government's ability to deter and disrupt such financing.

 "I don't think we really have a full grasp of how to deal with the problem
yet," said Dennis M. Lormel, the former head of the Federal Bureau of
Investigation's terrorism-financing unit, who is now in the private sector.
"The framework is certainly getting better, but in general, we don't have
the full capability yet to get at the money."

The federal government has taken a number of aggressive steps since the
Sept. 11 attacks to disrupt terrorist financing. It has expanded its list
of terrorist-related groups banned from financial dealings with the United
States, it has set up new investigative offices to track terrorist
financing, and it has required more financial data and tighter compliance
from financial industries as part of the antiterrorism law known as the USA
Patriot Act and other measures.

Senior officials throughout the administration have emphasized repeatedly
that they want the financial sector to be a full partner in the stepped-up
efforts to deter terrorist financing.

 But in a letter in January to Treasury Department officials, 52 banking
associations around the country said that a "lack of clarity" by the
government in explaining what is expected of them in complying with
regulations to deter terrorist financing and money laundering has
"complicated, and in some cases undermined" those efforts.

The result, banking officials say, is that many banks, now in a defensive
mode, are sending the government far more reports than ever before on
"suspicious activities" by their customers - and potentially clogging the
system with irrelevant data - for fear of being penalized if they fail to
file the reports as required.

Some smaller c

Revising the Patriot Act

2005-05-20 Thread R.A. Hettinga


The New York Times

April 10, 2005
EDITORIAL

Revising the Patriot Act

When Attorney General Alberto Gonzales, who is not exactly a renowned civil
libertarian, says the Patriot Act may need some adjustments, it clearly has
serious problems. The act, which was rushed through Congress after the
Sept. 11 attacks, gives government too much power to invade the privacy of
ordinary Americans and otherwise trample on their rights. Congress, which
is now reviewing the act, should rewrite the parts that violate civil
liberties. But it is important to realize that most of the worst post-Sept.
11 abuses did not stem from the Patriot Act. If Congress wants to restore
the civil liberties Americans have lost in the last three and a half years,
it must also look more broadly at the problems that have emerged from the
war on terror.

After Sept. 11, Congress was in such a rush to pass the Patriot Act that,
disturbingly, many members did not even read it before they voted for it.
Fortunately, Congress made some of the most controversial provisions expire
by the end of 2005. Last week, it began a series of hearings on the act,
focusing on the parts that need to be reauthorized.

The debate over the Patriot Act is too often conducted in bumper stickers,
in part because the details are so arcane. Parts of the law are reasonable
law enforcement measures that have generated little controversy. But other
parts unquestionably go too far, and invite the F.B.I., the C.I.A. and the
White House to spy on Americans, and suppress political dissent, in
unacceptable ways.

Libraries and Medical Records

Section 215, often called the "library
provision," is one of the most criticized parts of the act, with good
reason. It allows the government to demand library, medical, and other
records, and makes it a crime for the record holders to reveal that the
request was made. Section 215 is written far too broadly. It lets the
government seize an entire database - all the medical records of a
hospital, all of the files of an immigration group - when it is
investigating a single person. It also is far too invasive; it is hard to
believe the F.B.I. needs to monitor library book circulation. If the
searches are allowed, Section 215 should be tightened to give the
government access only to records of a specific person it has legitimate
reason to believe is involved in terrorism, not an entire database.

The "gag rule" that makes it illegal for the record holder to talk publicly
about the search also is disturbing, because it prevents the public from
knowing if the government is abusing these sweeping powers. If the gag rule
remains, it should be limited, so record holders can speak about the search
after a suitable period of time, or talk about it right away without
revealing who the target was.

Secret Searches

Section 213, the "sneak and peek" provision, lets the
government search a person's home and delay telling him about it. These
delayed-notification searches fly in the face of the strong American
tradition that the government must announce when it is entering a home.
Delayed-notification searches were of questionable legality before the
Patriot Act, and Section 213 - which does not expire this year, but is
still generating considerable debate - clearly goes too far. At the very
least, it should apply only to terrorism cases, and not, as it now does, to
all investigations. It should also have clear guidelines for how long
notice can be delayed.

Secret searches are an area where focusing only on the Patriot Act misses
the larger picture of civil liberties violations. There is another law, the
Foreign Intelligence Surveillance Act, that allows a worse kind of secret
search - one in which, unlike the delayed notification of Section 213, the
subject may never be told about the search at all.

 One way for Congress to deal with searches under the Foreign Intelligence
Surveillance Act - as well as those under Sections 213 and 215 of the
Patriot Act - is to monitor them closely, which is not being done now.
Congressional staff members with appropriate security clearance should
review all requests for warrants or subpoenas, and should follow up on the
results of the searches. If the F.B.I., C.I.A. or other units of government
are using these tools to spy on Americans without sufficient justification,
Congress needs this information to rein them in.

Information Sharing

Giving different units of government more power to
share information about suspected terrorists is a laudable goal, but the
Patriot Act's approach is flawed. It authorizes the F.B.I., the C.I.A., and
even the White House sweeping access to confidential information gathered
about Americans, including telephone and e-mail intercepts. The access is
not limited to officials working on terrorism. And it sweeps in
information, like confidential material acquired by grand juries, that has
always been

[p2p-hackers] Zooko's Triangle in action

2005-05-20 Thread R.A. Hettinga

--- begin forwarded text


Date: Wed, 20 Apr 2005 16:26:11 -0700
From: Tyler Close <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: [p2p-hackers] Zooko's Triangle in action
Reply-To: Tyler Close <[EMAIL PROTECTED]>,
"Peer-to-peer development." <[EMAIL PROTECTED]>
Sender: [EMAIL PROTECTED]

Hi all,

A number of list members have built, or are building, p2p environments
where files or public keys are referred to by their hash. The common
wisdom seems to be that a petname system, as popularized by Zooko's
Triangle, can be used to make the human interface to this world of
computer/cryptography friendly identifiers. Given that, I thought list
members might be interested in the petname tool Firefox extension. The
petname tool is a fully functional petname system for SSL secured web
sites. It is compatible with existing HTTPS sites, so you can create a
petname for your bank. It really is Zooko's Triangle in action. You
can get it at:

http://petname.mozdev.org/

Tyler

-- 
The web-calculus is the union of REST and capability-based security:
http://www.waterken.com/dev/Web/
___
p2p-hackers mailing list
[EMAIL PROTECTED]
http://zgp.org/mailman/listinfo/p2p-hackers
___
Here is a web page listing P2P Conferences:
http://www.neurogrid.net/twiki/bin/view/Main/PeerToPeerConferences

--- end forwarded text


-- 
-
R. A. Hettinga 
The Internet Bearer Underwriting Corporation 
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Spying: Giving Out U.S. Names

2005-05-20 Thread R.A. Hettinga

  MSNBC.com

Spying: Giving Out U.S. Names
Newsweek


May 2 issue - The National Security Agency is not supposed to target
Americans; when a U.S. citizen's name comes up in an NSA "intercept," the
agency routinely minimizes dissemination of the info by masking the name
before it distributes the report to other U.S. agencies. But it's now clear
the agency disseminates thousands of U.S. names. U.N. ambassador nominee
John Bolton told a Senate confirmation hearing he had requested that U.S.
names be unmasked from NSA intercepts on a handful of occasions; the State
Department said he had made 10 such requests since 2001, and that the
department as a whole had made 400 similar requests over the same period.
But evidence is emerging that NSA regularly supplies uncensored intercepts,
including named Americans, to other agencies far more often than even many
top intel officials knew.

According to information obtained by NEWSWEEK, since January 2004 NSA
received -- and fulfilled -- between 3,000 and 3,500 requests from other
agencies to supply the names of U.S. citizens and officials (and citizens
of other countries that help NSA eavesdrop around the world, including
Britain, Canada and Australia) that initially were deleted from raw
intercept reports. Sources say the number of names disclosed by NSA to
other agencies during this period is more than 10,000. About one third of
such disclosures were made to officials at the policymaking level; most of
the rest were disclosed to other intel agencies and, perhaps surprisingly,
only a small proportion to law-enforcement agencies. Civil libertarians
expressed dismay at the numbers. An official familiar with NSA procedures
insisted the agency maintains careful logs of all requests for U.S. names
and doles out such info only after agency officials are satisfied "that the
requester needs the information [and that it's] necessary to understand the
foreign intelligence or assess its importance."

-Mark Hosenball



[p2p-hackers] ePOST: Secure, Serverless Email

2005-05-20 Thread R.A. Hettinga

--- begin forwarded text


Date: Thu, 5 May 2005 15:09:15 -0500 (CDT)
From: Alan Mislove <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: [p2p-hackers] ePOST: Secure, Serverless Email
Reply-To: "Peer-to-peer development." <[EMAIL PROTECTED]>
Sender: [EMAIL PROTECTED]

As some of you may know, the FreePastry group at Rice University is
developing ePOST, a secure, decentralized, p2p email system. The service
is provided cooperatively by the users' desktop computers, and ePOST
provides better security and fault tolerance than existing email systems.
Email exchanged between ePOST users is cryptographically sealed and
authenticated and the service remains available even when traditional mail
servers have failed. ePOST gives users plenty of email storage (users can
use as much as they contribute of their own disk space). Moreover, users
don't have to entrust their email to a commercial provider, who may mine
their data, target them with advertisement or start charging them once
they're hooked. ePOST has been running as the primary email system for
members of our group for over a year.

ePOST works by joining a peer-to-peer network running a personal IMAP and
SMTP server on your desktop, which is only for your email.  ePOST is
backward compatible with existing email systems, and your ePOST email
address works just like a normal email address - you can send and receive
messages from non-ePOST users.   Additionally, you can use your existing
email clients with ePOST, since ePOST provides standard IMAP and POP3
servers.

A few other features of ePOST are:
- support for SSL connections
- a data durability layer called Glacier, providing durability with up to
  60% member node failures
- support for laptops and machines behind NATs
- support for networks with routing anomalies

More information about ePOST is available at http://www.epostmail.org/.

We now welcome additional ePOST users.  If you are interested in setting up
an ePOST account, please follow the installation instructions posted at
http://www.epostmail.org/install.html. Most ePOST users have set up mail
forwarding so that a copy of incoming mail is kept on their normal mail
server, in addition to being forwarded to their ePOST account.  We
recommend this setup until ePOST is no longer in beta status, although we
have not found an instance yet where using this backup was necessary to
recover a lost email.

Also, please let us know if you are interested in running a local ePOST
ring at your institution.  Running such a ring allows organizations to
ensure all overlay traffic remains internal to the organization, while
maintaining global connectivity.  More information on running an
organizational ring is available at http://www.epostmail.org/deploy.html.

We are currently collecting high-level statistics from all of the ePOST
nodes in our deployment for research purposes. These statistics concern
the number of overlay messages sent and the amount of data stored on disk.
We are not recording the plain text of emails, nor are we examining which
users are exchanging emails.  If the collection of statistics would
prevent you from using ePOST, please don't hesitate to contact us, and we
can turn these features off for you.

Thanks again for your help, and don't hesitate to ask us any questions,
comments, or suggestions,

Alan Mislove, Ansley Post, Andreas Haeberlen, and Peter Druschel

([EMAIL PROTECTED])

--- end forwarded text




Devices detect caches of cash

2005-05-20 Thread R.A. Hettinga


CNN


Inventions developed for Immigration and Customs Enforcement

Wednesday, May 11, 2005 Posted: 12:43 PM EDT (1643 GMT)

[Photo caption: Engineer Dennis Kunerth uses a device to detect metal
components that distinguish U.S. currency from counterfeit bills, at the
Idaho National Laboratory.]


IDAHO FALLS, Idaho (AP) -- Ah, the smell of money -- there's nothing quite
like it. Some people, in fact, may soon be looking for ways to mask the
special odor.

Drug traffickers who ship profits abroad in suitcases are not apt to be
thrilled with some inventions developed by federal scientists at the Idaho
National Laboratory.

One sniffs the air -- it can pick up a stack of bills from about 10 feet
away -- for currency's chemical signature. Another beams electrons through
packages or luggage to detect trace metals in the green ink.

And a third project, not yet started, would scan serial numbers of
individual bills into a database.

It's unclear whether the legal system would view seized bills found through
the devices as admissible, and privacy advocates fear such inventions would
infringe on civil liberties if adopted.

The cash sniffer is actually a gas chromatograph about the size of a
cordless hand vacuum.

Here's how it works: Take a crisp $20 bill out of your wallet and put it up
to your nose. That sweet, slightly acidic aroma is actually microscopic
molecules of ink and paper landing on the nerve receptors inside your nose.

The device works in nearly the same way, but with much higher sensitivity.
Airborne molecules land on a sensor. If enough molecules are detected, the
device emits an alert.

The lab's lead scientist, Keith Daum, said a trained dog can do the same
thing -- even better -- but not consistently and not over a long period.

The other, about the size of a small airport X-ray scanner, looks for
elemental metals used in the green ink. Radioactive rays strike the metals
and turn into gamma rays, which are then measured by the machine. The more
gamma rays detected, the higher the volume of cash bills.

The machines were developed with funding from the Immigration and Customs
Enforcement agency. Its parent, the Department of Homeland Security, is
analyzing them and submitting them to additional testing.

Of course, carrying cash -- even large amounts of it -- is not illegal;
though there is a limit of $10,000 in cash anyone may carry in or out of
the United States.

Still, intercepting large sums of money would at least put a dent in the
drug trade, argued lab spokesman Ethan Huffman.

"Money is always the incentive to bring drugs across the borders," Huffman
said. "If we can devise solutions to aid customs and border patrols in
stopping that, then that limits it."

The third device looks like a typical bill counter used by banks. On the
back of the machine, though, an add-on box about the size of a file folder
reads and stores the serial numbers of every bill it counts.

The machine is of little strategic value by itself. But if it was
distributed worldwide, and if there was a database of serial numbers, it
would become possible to trace money across the globe.

That worries people such as Melissa Ngo of the Washington-based Electronic
Privacy Information Center.

"This is just another step toward a complete lack of anonymity," Ngo said.




Plan to Let F.B.I. Track Mail in Terrorism Inquiries

2005-05-23 Thread R.A. Hettinga


The New York Times
May 21, 2005

Plan to Let F.B.I. Track Mail in Terrorism Inquiries

 By ERIC LICHTBLAU


WASHINGTON, May 20 - The F.B.I. would gain broad authority to track the
mail of people in terror investigations under a Bush administration
proposal, officials said Friday, but the Postal Service is already raising
privacy concerns about the plan.

The proposal, to be considered next week in a closed-door meeting of the
Senate Intelligence Committee, would allow the bureau to direct postal
inspectors to turn over the names, addresses and all other material
appearing on the outside of letters sent to or from people connected to
foreign intelligence investigations.

The plan would effectively eliminate the postal inspectors' discretion in
deciding when so-called mail covers are needed and give sole authority to
the Federal Bureau of Investigation, if it determines that the material is
"relevant to an authorized investigation to obtain foreign intelligence,"
according to a draft of the bill.

The proposal would not allow the bureau to open mail or review its content.
Such a move would require a search warrant, officials said.

The Intelligence Committee has not publicly released the proposal, but a
draft was obtained by The New York Times.

The provision is part of a broader package that also strengthens the
bureau's power to demand business records in intelligence investigations
without approval by a judge or grand jury.

The proposals reflect efforts by the administration and Senate Republicans
to bolster and, in some ways, broaden the power of the bureau to fight
terrorism, even as critics are seeking to scale back its authority under
the law known as the USA Patriot Act.

A debate over the government's terrorism powers is to begin in earnest at a
session of the Intelligence Committee on Thursday, in what is shaping up as
a heated battle over the balance between fighting terrorism and protecting
civil rights in the post-Sept. 11 era.

The F.B.I. has conducted mail covers for decades in criminal and national
security investigations. But the prospect of expanding its authority to
monitor mailings alarmed some privacy and civil rights advocates and caused
concerns among postal officials, as well. They said the proposal caught
them off guard.

"This is a major step," the chief privacy officer for the Postal Service,
Zoe Strickland, said. "From a privacy perspective, you want to make sure
that the right balance is struck between protecting people's mail and
aiding law enforcement, and this legislation could impact that balance
negatively."

The new proposal "removes discretion from the Postal Inspection Service as
to how the mail covers are implemented," Ms. Strickland said in an
interview. "I worry quite a bit about the balance being struck here, and
we're quite mystified as to how this got put in the legislation."

Officials on the Intelligence Committee said the legislation was intended
to make the F.B.I. the sole arbiter of when a mail cover should be
conducted, after complaints that undue interference from postal inspectors
had slowed operations.

"The F.B.I. would be able to control its own investigations of terrorists
and spies, and the postal service would have to comply with those
requests," said an aide to the Intelligence Committee who is involved in
the proposal but insisted on anonymity because the proposal remains
confidential.

"The postmaster general shouldn't be able to substitute his judgment for
that of the director of the F.B.I. on national security matters," the aide
said.

The proposal would generally prevent the post office from disclosing a mail
cover. It would also require the Justice Department to report to Congress
twice a year on the number of times the power had been used.

Civil rights advocates said they thought that the proposal went too far.

"Prison wardens may be able to monitor their prisoners' mail," said Lisa
Graves, senior counsel for the American Civil Liberties Union, "but
ordinary Americans shouldn't be treated as prisoners in their own country."

Marcia Hofmann, a lawyer for the Electronic Privacy Information Center, a
public interest group here, said the proposal "certainly opens the door to
abuse in our view."

"The Postal Service would be losing its ability to act as a check on the
F.B.I.'s investigative powers," Ms. Hofmann said.

Postal officials refused to provide a tally of mail covers, saying the
information was confidential. They said the Postal Service had not formally
rejected any requests from the bureau in recent years.

A tally in 2000 said the Postal Service conducted 14,000 mail covers that
year for a variety of law enforcement agencies, a sharp increase over the
previous year.

The program has led to sporadic reports of abuse. In the mid-1970's the
Church Committee, a Senate panel that documented C.I.A. abuses, faul

Credit-Card Firms Bank on New Ways To Counter Fraud

2005-05-24 Thread R.A. Hettinga


The Wall Street Journal

 May 24, 2005
 MONEY


Credit-Card Firms
 Bank on New Ways
 To Counter Fraud

By DAVID ENRICH
DOW JONES NEWSWIRES
May 24, 2005; Page D2


Credit cards are going high-tech in an effort to combat fraud, but some
banks and issuers fear the changes could make it harder for consumers to
reach for the plastic.

The next generation of credit and debit cards is squarely aimed at fighting
theft and fraud. These cards will run on paper-thin batteries and feature
liquid-crystal-display screens that frequently generate fresh card numbers.
The theory is that oft-changing card numbers will be useless to thieves who
intercept Internet transactions or get access to databases of card numbers.

A number of major banks and data-security firms have designed prototypes of
the new dynamic-number cards, but it isn't clear when they will be
available to consumers. Some industry officials expect to start testing the
cards with consumers later in 2005, and others say they could be ready for
production within a year.

Citigroup Inc., the world's largest issuer of credit cards, is one of the
leaders in the race to launch the new cards. Alonzo Ellis, the head of
information security at Citigroup Private Bank, confirmed that Citigroup,
of New York, is working on the new cards but wouldn't discuss details.
"It's almost there. It's pretty close to something that can be mass
produced," he said.

Representatives of several major card issuers declined to discuss new
technology they are developing, but Mr. Ellis said other banks --
recognizing that preventing fraud will cut their costs -- are scrambling to
incorporate new dynamic-number technology into their cards. "If you can
reduce your fraud percentage by a few points, that's real dollars," he said.

U.S. card issuers last year racked up about $788 million in losses from
credit-card theft and fraud, according to the Nilson Report, an industry
publication. That doesn't include losses stemming from fraudulent online or
phone transactions, which are estimated to have run into the billions of
dollars.

Compared with their peers overseas, U.S. banks and card issuers have been
slow to upgrade security. In Europe, computer chips are embedded in many
"smart" credit and debit cards, and some banks require customers to use
number-generating devices to access bank or credit-card information online.

In the U.S., card issuers have balked at those added levels of security.
They are expensive, and banks are reluctant to impose inconveniences on
American consumers, especially when it comes to their deeply ingrained
shopping habits.

As a result, there is a premium on high-security but easy-to-use cards that
allow consumers "to continue using their standard behavior patterns," said
David Watkins, the chief executive officer of QueueCard, one of several
firms working with card issuers to develop cards with changing numbers.

On some of the new cards, as many as 10 of the 16 digits on the front of
the card would appear in a digital screen and would automatically change
periodically -- perhaps every 60 seconds. For purchases over the Internet
or phone, users would supplement that number with a personal identification
number, or PIN. The system also is designed to enhance the security of
in-store transactions.

Other cards would require users to punch in a PIN on a touchpad on the card
every time they make an online or phone transaction. A screen on the card
would then produce a one-time password, which the user would enter along
with the credit-card number.

Patrick Gauthier, Visa USA's senior vice president of emerging-products
development, said card issuers will need to clear a number of "significant
hurdles" if the new cards are to win broad consumer acceptance. "Not the
least of the complications is to train the consumer on this new method of
shopping," he said.


-- 
-
R. A. Hettinga 
The Internet Bearer Underwriting Corporation 
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
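
A sketch of how an issuer could derive and check the changing digits the article above describes, added here as an illustration and not taken from the article or from any card vendor. The HMAC-SHA-256 derivation, the 6-digit static prefix, the Luhn check digit counted among the 10 changing digits, and all names and sample values are assumptions.

```python
import hashlib
import hmac
import struct

PERIOD_SECONDS = 60   # the article's "perhaps every 60 seconds"
STATIC_DIGITS = 6     # assumed: leading digits that never change
DYNAMIC_DIGITS = 10   # the article's "as many as 10 of the 16 digits"


def luhn_check_digit(partial: str) -> str:
    """Return the Luhn digit that makes partial + digit a valid card number."""
    total = 0
    # Walk right to left; the digit next to the check digit is doubled.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if `number` is all digits and its last digit is the Luhn digit."""
    return (number.isdigit() and len(number) > 1
            and luhn_check_digit(number[:-1]) == number[-1])


def dynamic_card_number(static_prefix: str, card_key: bytes, now: int) -> str:
    """Derive the 16-digit number the card would display at Unix time `now`."""
    if len(static_prefix) != STATIC_DIGITS or not static_prefix.isdigit():
        raise ValueError("static prefix must be 6 digits")
    period = now // PERIOD_SECONDS
    mac = hmac.new(card_key,
                   static_prefix.encode() + struct.pack(">Q", period),
                   hashlib.sha256).digest()
    # Nine digits from the MAC plus one Luhn digit give ten changing digits.
    width = DYNAMIC_DIGITS - 1
    body = str(int.from_bytes(mac[:8], "big") % 10 ** width).zfill(width)
    partial = static_prefix + body
    return partial + luhn_check_digit(partial)


def issuer_accepts(presented: str, static_prefix: str, card_key: bytes,
                   now: int, used: set, drift_periods: int = 1) -> bool:
    """Issuer-side check.

    Recomputes the number for the current period and its neighbours (to
    tolerate clock drift on the card) and refuses a number whose period was
    already spent. `used` is the issuer's record of spent (prefix, period).
    """
    if len(presented) != 16 or not luhn_valid(presented):
        return False
    current = now // PERIOD_SECONDS
    for period in range(current - drift_periods, current + drift_periods + 1):
        expected = dynamic_card_number(static_prefix, card_key,
                                       period * PERIOD_SECONDS)
        if hmac.compare_digest(expected, presented):
            if (static_prefix, period) in used:
                return False  # replay of a number that was already accepted
            used.add((static_prefix, period))
            return True
    return False


if __name__ == "__main__":
    key = b"constructed-demo-key-not-a-real-card"   # constructed sample key
    prefix = "400000"                               # constructed sample prefix
    t0 = 1116900000                                 # a time in May 2005
    number = dynamic_card_number(prefix, key, t0)
    spent = set()
    print("displayed number:", number)
    print("fresh use accepted:", issuer_accepts(number, prefix, key, t0 + 30, spent))
    print("replay accepted:", issuer_accepts(number, prefix, key, t0 + 45, spent))
    print("ten minutes later:", issuer_accepts(number, prefix, key, t0 + 600, set()))
```

The drift window is the trade-off to watch: each extra period accepted makes the card more tolerant of a slow clock and gives an intercepted number that much longer to be usable.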


Blair defends identity card plan

2005-05-25 Thread R.A. Hettinga


The BBC

Wednesday, 25 May, 2005, 15:23 GMT 16:23 UK

Blair defends identity card plan

ID cards are needed to stop the soaring costs of identity theft, Prime
Minister Tony Blair has said as plans for a national scheme were
reintroduced.

The plan is for cards to be phased in from 2008, and made compulsory later.

The Tories will join Lib Dems and some Labour MPs to oppose cards unless it
is "conclusively proved" they are needed.

Critics say the cost of the scheme has already risen since November, and
say Mr Blair has cited ID theft as other reasons have failed to win backing.

Passport costs

The Home Office will not put a figure on the cost of setting up the scheme,
saying it is commercially sensitive.

But the scheme will cost an estimated £584m to run every year - a cost of
£93 per card, compared with an estimated cost of £85 per card in November.

Ministers stress they have not yet decided what fees people would have to
pay for the cards.

ID CARDS BILL INCLUDES:
*   Covers whole UK
*   Establishes national ID register
*   Powers to issue ID cards
*   Ensures checks can be made against other databases to cross check
people's ID
*   Lists safeguards on the sort of data that can be held
*   New criminal offence of possessing false ID documents
*   Provides a power to make it compulsory in the future to register
and be issued with an ID card


Discounts would be available to some card holders but Home Office Minister
Tony McNulty refused to speculate whether other people would have to pay
more than £93.

He said the latest cost estimate was more "robust" than the figure given
last November.

And he argued that 70% of the cost would be spent on new biometric
passports whether or not ID cards were introduced.

New protections?

The latest Identity Cards Bill was published on Wednesday but it contains
only "minor amendments" to the plans which were dropped when the election
was called.

Changes include giving more responsibilities to the watchdog charged with
overseeing the scheme and new checks on which government agencies can
access ID card information.


Mr McNulty said: "A secure compulsory national identity cards scheme will
help tackle illegal immigration, organised crime, ID fraud, terrorism and
will benefit all UK citizens."

The results of a trial involving 10,000 volunteers were also published.

It said most people enrolled successfully on all the different types of
biometric scheme.

But iris scan technology was less successful with black people and people
aged over 59, said the report.

Mr McNulty denied the scheme was discriminatory and stressed the trials
were not designed to test the technology.

"Those who know far more than I suggest that the technology is moving in
the right direction," he said.

'Machismo'

Earlier, the prime minister's spokesman said the longer the debate had run,
the more people had seen the benefits of ID cards.

"People are recognising that identity is just as valuable as possessions,"
he said, suggesting it could take 60 hours to restore a stolen identity.

The Conservatives initially voted for the ID card legislation in the last
Parliament but abstained in the key Commons vote.

They say the plans had to pass five tests, including whether the technology
works.

The Lib Dems say they are opposed to the plans in principle but spokesman
Mark Oaten seized on the latest cost figures.

"We have always argued this is a project that is going to run out of
control financially," he said.

Labour backbencher Neil Gerrard said opinion polls suggesting public
support for ID cards would change once people knew the costs and if the
scheme became compulsory.

Shami Chakrabarti, from civil rights group Liberty, urged MPs to reject
what she said was a "rehashed bill that is more about political machismo
than rational policy".

The group says Mr Blair is focusing on identity theft after trying to
justify the cards on the grounds of tackling terrorism, illegal immigration
and organised crime.



Had to happen sooner or later: Trojan holds PC files for ransom

2005-05-26 Thread R.A. Hettinga


The BBC

Wednesday, 25 May, 2005, 17:13 GMT 18:13 UK

Trojan holds PC files for ransom

A unique new kind of malicious threat which locks up files on a PC then
demands money in return for unlocking them has been identified.

The program, Trojan.Pgpcoder, installs itself on a vulnerable computer
after users visit certain websites.

It exploits a known vulnerability in Microsoft's Internet Explorer (IE).

Net security firm Symantec said the program had not spread quickly, but was
another example of rising criminal extortion activity on the net.

The malware - harmful software - was first identified by US net security
firm Websense.

Ransom note

The program, once it installs itself unbeknown to a user, triggers the
download of an encoder application which searches for common types of files
on a computer and networked drives to encrypt.


 When a file is encrypted, usually for security and privacy purposes, it
can only be decrypted with specific instructions.

The trojan replaces a user's original files with locked up ones, so that
they are inaccessible. It then leaves a "ransom note" in a text file.

Instructions to release the files are only handed over when a ransom fee is
paid, according to Websense.

The electronic note left on the computer gives details of how to meet the
demands via an online account.

TROJAN.PGPCODER
*   Malicious website drops and runs a Trojan (downloader-aag)
*   Encoding program adds items to the Windows start-up registry
*   Creates a status file called "autosav.ini" with information on
the files that have been encoded
*   Creates a file called tmp.bat in the directory where it was run
to delete itself upon completion
*   Creates a file called "Attention!!!" with instructions on how to
get your files decoded
*   Sends an HTTP status request to the server it was downloaded from

 "This attack is yet another indicator of the growing trend of criminals
using technology for financial gain," said Kevin Hogan, senior manager at
web security firm Symantec.

"This Trojan horse is certainly an example of using cryptography for
malicious purposes.

"It is the equivalent of someone coming into your home, locking your
valuables in a safe and refusing to give you the combination."

But because it is classed as a trojan, it does not send itself out to
contacts that a user might have stored on a computer, like viruses. This
limits its ability to spread around to high levels, "in the wild", said
Symantec.

Computer users are urged to ensure their anti-virus and security software
is up-to-date.

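
The behaviours listed in the article's TROJAN.PGPCODER box, turned into a host-level correlation rule as an added example that is not from the article, Websense or Symantec. The event schema, the 10-minute window, the three-behaviour threshold, the choice of the Run key as "the Windows start-up registry" and the sample events are all assumptions.

```python
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed correlation window
THRESHOLD = 3                    # assumed: distinct behaviours needed to alert
# Assumed to be what the article means by "the Windows start-up registry".
RUN_KEY = r"\software\microsoft\windows\currentversion\run"


def classify(event: dict):
    """Map one telemetry event to a behaviour from the article's list, or None.

    The article's HTTP status request is left out because it names no server
    or URL to match on.
    """
    kind, target = event["kind"], event["target"].lower()
    if kind == "file_create":
        name = ntpath.basename(target)   # handles backslash paths on any OS
        if name == "autosav.ini":
            return "status_file"
        if name == "tmp.bat":
            return "self_delete_script"
        if name.startswith("attention!!!"):
            return "ransom_note"
    elif kind == "reg_set" and RUN_KEY in target:
        return "startup_persistence"
    return None


def detect(events: list) -> dict:
    """Return {host: behaviours} for hosts showing >= THRESHOLD distinct
    behaviours inside one WINDOW. A single match (tmp.bat alone, say) is
    common on clean machines, so it never alerts by itself."""
    per_host = defaultdict(list)
    for ev in events:
        label = classify(ev)
        if label:
            when = datetime.fromisoformat(ev["time"])
            per_host[ev["host"]].append((when, label))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        best, start = set(), 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most WINDOW.
            while hits[end][0] - hits[start][0] > WINDOW:
                start += 1
            labels = {label for _, label in hits[start:end + 1]}
            if len(labels) > len(best):
                best = labels
        if len(best) >= THRESHOLD:
            alerts[host] = sorted(best)
    return alerts


# Constructed sample telemetry; host names, users and paths are invented.
SAMPLE_EVENTS = [
    {"host": "WS-014", "time": "2005-05-25T10:00:05", "kind": "reg_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"},
    {"host": "WS-014", "time": "2005-05-25T10:00:40", "kind": "file_create",
     "target": r"C:\WINDOWS\Temp\autosav.ini"},
    {"host": "WS-014", "time": "2005-05-25T10:03:00", "kind": "file_create",
     "target": r"C:\Documents and Settings\alice\My Documents\Attention!!!.txt"},
    {"host": "WS-014", "time": "2005-05-25T10:03:30", "kind": "file_create",
     "target": r"C:\WINDOWS\Temp\tmp.bat"},
    # Benign look-alike: an installer script and an unrelated Run key entry.
    {"host": "WS-022", "time": "2005-05-25T09:00:00", "kind": "file_create",
     "target": r"C:\Temp\tmp.bat"},
    {"host": "WS-022", "time": "2005-05-25T14:00:00", "kind": "reg_set",
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\updater"},
    # Two behaviours close together, the third hours later: below threshold.
    {"host": "WS-031", "time": "2005-05-25T11:00:00", "kind": "file_create",
     "target": r"D:\work\autosav.ini"},
    {"host": "WS-031", "time": "2005-05-25T11:05:00", "kind": "file_create",
     "target": r"D:\work\tmp.bat"},
    {"host": "WS-031", "time": "2005-05-25T14:30:00", "kind": "reg_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\tray"},
]

if __name__ == "__main__":
    for host, behaviours in detect(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(behaviours))
```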


CIA Overseeing 3-Day War Game on Internet

2005-05-26 Thread R.A. Hettinga


Yahoo!

 CIA Overseeing 3-Day War Game on Internet
By TED BRIDIS, AP Technology Writer

The CIA is conducting a secretive war game, dubbed "Silent Horizon," this
week to practice defending against an electronic assault on the same scale
as the Sept. 11 terrorism attacks.

The three-day exercise, ending Thursday, was meant to test the ability of
government and industry to respond to escalating Internet disruptions over
many months, according to participants. They spoke on condition of
anonymity because the CIA asked them not to disclose details of the
sensitive exercise taking place in Charlottesville, Va., about two hours
southwest of Washington.

The simulated attacks were carried out five years in the future by a
fictional alliance of anti-American organizations, including
anti-globalization hackers. The most serious damage was expected to be
inflicted in the war game's closing hours.

The national security simulation was significant because its premise - a
devastating cyberattack that affects government and parts of the economy
with the same magnitude as the Sept. 11, 2001, suicide hijackings -
contravenes assurances by U.S. counterterrorism experts that such
far-reaching effects from a cyberattack are highly unlikely. Previous
government simulations have modeled damage from cyberattacks more narrowly.

"You hear less and less about the digital Pearl Harbor," said Dennis
McGrath, who helped run three similar war games for the Institute for
Security Technology Studies at Dartmouth College. "What people call
cyberterrorism, it's just not at the top of the list."

The CIA's little-known Information Operations Center, which evaluates
threats to U.S. computer systems from foreign governments, criminal
organizations and hackers, was running the war game. About 75 people,
mostly from the CIA, gathered in conference rooms and reacted to signs of
mock computer attacks.

The government remains most concerned about terrorists using explosions,
radiation and biological threats. FBI Director Robert Mueller warned
earlier this year that terrorists increasingly are recruiting computer
scientists but said most hackers "do not have the resources or motivation
to attack the U.S. critical information infrastructures."

The government's most recent intelligence assessment of future threats
through the year 2020 said cyberattacks are expected, but terrorists "will
continue to primarily employ conventional weapons." Authorities have
expressed concerns about terrorists combining physical attacks, such as
bombings, with hacker attacks to disrupt communications or rescue efforts.

"One of the things the intelligence community was accused of was a lack of
imagination," said Dorothy Denning of the Naval Postgraduate School, an
expert on Internet threats who was invited by the CIA to participate but
declined. "You want to think about not just what you think may affect you
but about scenarios that might seem unlikely."

"Livewire," an earlier cyberterrorism exercise for the Homeland Security
Department and other federal agencies, concluded there were serious
questions about government's role during a cyberattack, depending on who
was identified as the culprit - terrorists, a foreign government or bored
teenagers.

It also questioned whether the U.S. government would be able to detect the
early stages of such an attack without significant help from private
technology companies.




The Secret Passages In CIA's Backyard Draw Mystery Lovers

2005-05-30 Thread R.A. Hettinga


The Wall Street Journal

 May 27, 2005
 PAGE ONE

The Secret Passages
 In CIA's Backyard
 Draw Mystery Lovers
'Da Vinci Code' Has Many
 Trying to Decipher Secret
 Of the Kryptos Sculpture

By JOHN D. MCKINNON
Staff Reporter of THE WALL STREET JOURNAL
May 27, 2005; Page A1


LANGLEY, Va. -- The big mystery at the Central Intelligence Agency, sitting
in a sunny corner of the headquarters courtyard, begins this way:
"EMUFPHZLRFAXYUSDJKZLDKRNSHGNFIVJ."

That's the first line of the Kryptos sculpture, a 10-foot-tall, S-shaped
copper scroll perforated with 3-inch-high letters spelling out words in
code. Completed 15 years ago, Kryptos, which is Greek for "hidden," at
first attracted interest mainly from government code breakers who quietly
deciphered the easier parts without announcing their findings publicly.

Now, many mystery lovers around the world have joined members of the
national-security establishment in trying to crack the rest. So far,
neither amateurs nor pros have been able to do it.

The latest scramble was set off by "The Da Vinci Code," the thriller about
a modern-day search for the Holy Grail. On the book's dust jacket, author
Dan Brown placed clues that hint at Kryptos's significance. The main one is
a set of geographic coordinates that roughly locate the sculpture. (One of
the coordinates is off slightly, for reasons that Mr. Brown so far has kept
secret.) A game at www.thedavincicode.com suggests that Kryptos is a clue
to the subject of Mr. Brown's as-yet-unpublished next novel, "The Solomon
Key."

Gary Phillips, 27 years old, a Michigan computer programmer, started
researching Kryptos last year, hours after learning about its Da Vinci Code
connection. "Once it pulls you in, you just can't stop thinking about it,"
he says. Eventually, Mr. Phillips says, he let a struggling software
business go under and took a construction job so he would have more time
for solving Kryptos.
[Photo caption: The CIA's copper Kryptos sculpture]


The quest to solve the fourth and final passage of Kryptos's message has
spawned several Web sites -- including Mr. Phillips's -- as well as an
online discussion group that has more than 500 members. The discussion
group was founded by Gary Warzin, who heads Audiophile Systems Ltd. in
Indianapolis. He became fascinated with Kryptos after visiting the CIA in
2001. But after months of trying to crack the code on his own, Mr. Warzin
-- whose other hobbies include escaping from straitjackets -- decided he
needed help.

Kryptos devotees are intrigued by the three passages that have been
deciphered so far. They appear to offer clues to solving the sculpture's
fourth passage, and possibly to locating something buried.

Sculptor James Sanborn, Kryptos's creator, says he wrote or adapted all
three. The first reads, "Between subtle shading and the absence of light
lies the nuance of iqlusion." Jim Gillogly, a California computer
researcher believed to be the first person outside the intelligence world
to solve the first three parts, came up with the translation, which
includes the deliberate misspelling of the word illusion.

The second passage, more suggestive, reads in part, "It was totally
invisible. How's that possible? They used the Earth's magnetic field. The
information was gathered and transmitted undergruund to an unknown
location. Does Langley know about this? They should: it's buried out there
somewhere." That passage is followed by geographic coordinates that suggest
a location elsewhere on the CIA campus.

The third decoded passage is based on a diary entry by archaeologist Howard
Carter, on the day in 1922 when he discovered the tomb of the ancient
Egyptian King Tutankhamen. It reads in part, "With trembling hands I made a
tiny breach in the upper left-hand corner. And then, widening the hole a
little, I inserted the candle and peered in. The hot air escaping from the
chamber caused the flame to flicker, but presently details of the room
within emerged from the mist. Can you see anything?" Mr. Sanborn confirms
that the translations are accurate.

In addition to deliberate misspellings, there are letters slightly higher
than others on the same line. Other possible clues are contained in smaller
parts of the work scattered around the CIA grounds. Made of red granite and
sheets of copper, these are tattooed with Morse code that spells out
phrases like "virtually invisible" and "t is your position." In addition, a
compass needle carved onto one of the rocks is pulled off due north by a
lodestone that Mr. Sanborn placed nearby.

Those poring over the puzzle these days are thought to include
national-security workers as well as retirees, computer-game players and
cryptogram fans. Some devotees believe Kryptos holds profound significance
as a portal into the wisdom of the ancients.

More typical is Jennifer Bennett, a 27-year-old puzzle aficionado who works
as a poker-room supervisor near Seattle. She came across th

[Clips] Storm Brews Over Encryption 'Safe Harbor' in Data Breach Bills

2005-06-02 Thread R.A. Hettinga

--- begin forwarded text


Date: Thu, 2 Jun 2005 14:18:42 -0400
To: Philodox Clips List <[EMAIL PROTECTED]>
From: "R.A. Hettinga" <[EMAIL PROTECTED]>
Subject: [Clips] Storm Brews Over Encryption 'Safe Harbor' in Data Breach
Bills
Reply-To: [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]

<http://www.eweek.com/print_article2/0,2533,a=153008,00.asp>

EWeek


Storm Brews Over Encryption 'Safe Harbor' in Data Breach Bills
May 31, 2005
By Caron Carlson

Spurred by the ongoing flood of sensitive data breaches this spring, nearly
a dozen states may have breach notification laws on their books by summer.
In turn, makers of security software and companies in several other
industries are pressuring Capitol Hill for a federal law pre-empting the
states' measures.

In Congress, more than a half-dozen bills requiring a range of data
security measures and breach notification rules are pending, and at least
two more are slated for introduction in coming months.


These measures -- including one under consideration by Rep. Cliff Stearns,
R-Fla., and one in the draft stages by Rep. Deborah Pryce,
R-Ohio -- illustrate one of the most contentious questions in the debate:
Should there be a notification exemption for businesses that encrypt their
data?

Not surprisingly, industries for the most part are pushing for an
encryption exemption to notification, a safe harbor that is included in
California SB (Senate Bill) 1386, a notification law that went into effect
in July 2003. The growing security software industry, a major ally in this
effort, is trying to convince lawmakers that when encrypted data is stolen,
the theft poses no meaningful harm to consumers.

"If the data is encrypted, it's gibberish. They don't know what it is. They
can't use it," said Dan Burton, vice president of government affairs for
Entrust Inc.

Some data security experts contend, however, that an encryption safe harbor
could reduce data holders' incentives to implement strong protective
measures in the first place. Criticizing the California notification law,
Bruce Schneier, chief technology officer at Counterpane Internet Security
Inc., of Mountain View, Calif., said it lets data holders bypass disclosure
without necessarily protecting the data.


"You can encrypt the data with a trivial algorithm and get around [the
law]," Schneier said. "If you can get around a law by doing something
stupid, it's a badly written law."

Entrust supports an encryption exemption to notification but not without
other security requirements, said Chris Voice, CTO at the Addison, Texas,
company. "Like any technological approach, it's going to require more than
just encrypting the data," Voice said. "I think security controls will have
to be in place regardless."

Even strong encryption theoretically can be broken, but it requires
resources and effort that thieves are highly unlikely to expend, advocates
of the safe harbor argue.

That argument does not appease consumer representatives. "We may not be
comfortable having our information out there, even in gibberish format,"
said Susanna Montezemolo, policy analyst at the Consumers Union, in
Washington. "Encryption shouldn't be the issue. We shouldn't have to define
potential harm and risk."

Acknowledging the political influence of the industries lobbying for the
safe harbor, however, Montezemolo said that a breach notification law with
a safe harbor is better than no law at all but that the safe harbor must be
narrowly tailored so as not to be an excuse for shoddy security.


___
Clips mailing list
[EMAIL PROTECTED]
http://www.philodox.com/mailman/listinfo/clips

--- end forwarded text




[Clips] Paying Extra for Faster Airport Security

2005-06-02 Thread R.A. Hettinga

--- begin forwarded text


Date: Thu, 2 Jun 2005 20:40:26 -0400
To: Philodox Clips List <[EMAIL PROTECTED]>
From: "R.A. Hettinga" <[EMAIL PROTECTED]>
Subject: [Clips] Paying Extra for Faster Airport Security
Reply-To: [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]

Security needs identity like a fish needs... well, you get the idea...

Cheers,
RAH
---


<http://online.wsj.com/article_print/0,,SB111767537888648936,00.html>

The Wall Street Journal

 June 2, 2005



Paying Extra for Faster Airport Security
Orlando Kicks Off Program
 Offering Quicker Screenings
 To Holders of Special Cards

By AVERY JOHNSON
Staff Reporter of THE WALL STREET JOURNAL
June 2, 2005; Page D3


Starting this month, air travelers in Orlando, Fla., can pay for a
high-tech card that promises to whisk them through the airport's security
lines.

Under the program, travelers who use Orlando International Airport and are
willing to pay a $79.95 annual fee will be able to register for a
government security screening, which includes fingerprints, iris scans, as
well as an application that asks for basic identity information. Travelers
who pass the screening -- and who will be subject to continuing checks
against government watch lists -- will then receive a special card that
permits them to use an express lane through airport security. That lane
expedites the screening process and frees cardholders from secondary
searches.

The program will be operated by New York-based Verified Identity Pass Inc.,
a private company run by Steven Brill, whose former ventures included Court
TV and The American Lawyer magazine. The program marks the first time a
private company has teamed up with the government to speed up airport
security lines. Yesterday, the Greater Orlando Aviation Authority board
awarded the contract for its new system to Verified Identity Pass's system,
opting for its prospectus over a proposal from Unisys Corp.

Enrollment will start June 21, and the company hopes to open a lane for
card holders as early as next month. The card will initially be good only
at the Orlando airport. The proposal says that in the second and third
years of the program, prices could climb by about $10 annually.

Orlando International is Florida's busiest airport, handling more than 31
million passengers last year.

Other airports and the Transportation Security Administration -- the
government office in charge of safeguarding transportation -- are watching
closely. After launching a similar, though smaller, test program for
frequent fliers in five airports last summer, the TSA is evaluating future
private-public partnerships depending on how the Orlando system works.
Other airports say they are studying the system and could submit their own
proposals to the TSA soon.

In its initial phase, the program in Orlando will accept as many as 30,000
travelers. Membership is open to anyone who clears the government watch
lists and is willing to pay. Most of the process of signing up takes place
online at www.Flyclear.com, but travelers still need to come into the
airport to get their iris images and fingerprints taken.

The TSA's own expedited checkpoint system, called the Registered Traveler
pilot program, is capped at 10,000 members and is available only to
frequent fliers who are invited by participating airlines. Signing up
requires thumb and index fingerprints, as well as paperwork and an iris
scan at the airports in Minneapolis, Houston, Boston, Washington's Reagan
airport and Los Angeles. The 10,000 people continue to be members for as
long as the program runs, and the TSA says it hasn't any plans to expand
the group of either passengers or participating airports in the near
future. Mr. Brill's program, though, expects to be able to synch up with
the five airports in the government's system in the fall.

Programs like these, as well as the TSA's Registered Traveler plan, have
been slow to get started. The Orlando program was initially expected to
launch in May, but got greenlighted yesterday. The rival Unisys proposal
had suggested linking up the card with a debit card for shopping, would
cost about $100 a year and said it would offer immediate use in the five
participating TSA airports.

The fast-lane system has been hampered by concerns about privacy and the
safety of personal information, as well as synchronized systems run by
different companies at different airports. Tim Sparapani, the legislative
counsel for privacy rights at the American Civil Liberties Union, says that
at least the government screeners are held accountable to privacy laws --
he takes issue with outsourcing the management of sensitive data such as
fingerprints to for-profit companies.

Mr. Brill says his system won on its pricing and privacy policies. It gives
customers guarantees about the safety of their personal information by
issuing a "warranty" for any breaches.

In addition, the card doesn&#

[Clips] Security Woes Don't Slow Reed's Push Into Data Collection

2005-06-03 Thread R.A. Hettinga

--- begin forwarded text


Date: Thu, 2 Jun 2005 23:45:21 -0400
To: Philodox Clips List <[EMAIL PROTECTED]>
From: "R.A. Hettinga" <[EMAIL PROTECTED]>
Subject: [Clips] Security Woes Don't Slow Reed's Push Into Data Collection
Reply-To: [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]

<http://online.wsj.com/article_print/0,,SB111776210603150087,00.html>

The Wall Street Journal

 June 3, 2005
 HEARD ON THE STREET

Security Woes Don't Slow
 Reed's Push Into Data Collection

By DAVID PRINGLE
Staff Reporter of THE WALL STREET JOURNAL
June 3, 2005


LONDON -- News of security breaches at LexisNexis has thrust the
Internet-based data company's parent, publishing titan Reed Elsevier PLC,
into the spotlight and tossed around Reed's share price in the past few
months. Investors might want to prepare themselves for more of the same.

Far from backing off, Reed plans to push deeper into the business of
collecting personal data on individuals for sale to employers, banks,
lawyers and other clients -- the source of the problems at LexisNexis.

Reed's chief executive, Sir Crispin Davis, says he expects "significant"
opportunities to further expand the business in the U.S. in the next few
years. "It's a highly attractive, long-term growth opportunity," he says.
"This is a new, emerging industry, and it isn't, perhaps, too surprising
that we are facing these kinds of troubles."

Reed could soon be in the headlines again once investigators in the U.S.
determine how data brokers now owned by the London-based company allowed 59
security breaches, lifting such personal data as Social Security numbers,
addresses and driver's license records of 310,000 Americans over two years.

The Secret Service and the Federal Bureau of Investigation have searched
dozens of homes and computers as part of an investigation into the data
theft. Reed faces a suit seeking class-action status in federal court for
the Southern District of California that claims the company "trampled the
privacy interests and expectations of consumers."

But investors expect Reed to ride out this furor largely unscathed. Its
share price is up 11% in London this year, compared with a 6% rise in the
Dow Jones Stoxx 600 Media index for Europe. In 4 p.m. New York Stock
Exchange composite trading yesterday, Reed's American depositary receipts
were up 51 cents to $39.18, giving Reed a market capitalization of about
$23 billion.

Sir Crispin's push into the data-brokering market is part of his wider
strategy to turn the 125-year-old company into a high-tech business
offering database products covering everything from scientific papers to
industrial widgets to the academic performance of American schoolchildren.
Today, about 30% of the company's revenue comes from products that didn't
exist five years ago, almost all of them Internet-based. Sir Crispin wants
Internet operations to account for as much as 70% of revenue within five
years.

For investors in Reed, whose core business has long been publishing
thousands of scientific and business journals, this strategy means Reed is
becoming increasingly exposed to the risk of security breaches, technology
failures and regulatory intervention. It is telling that Reed hasn't
launched a data-brokering business in Europe, where the regulations
governing such activities are much tougher than in the U.S.

"It's a bit more risky," says Micha Zwaaf, an analyst with ABN Asset
Management in Amsterdam. Mr. Zwaaf, who recommends that ABN's funds buy
Reed stock, adds, "Those scientific journals have been around for 200
years, so the risk of something happening there is much smaller, but there
is no growth."

Mr. Zwaaf says he expects the investigation by U.S. law-enforcement
agencies to implicate weak security at some of Reed's customers rather than
problems at the company itself. At the same time, he argues that any move
by regulators to tighten restrictions on the sale of personal data would
give the industry more credibility and could actually be a boon to Reed.

Indeed, members of Congress are calling for laws mandating new security
measures in the wake of the LexisNexis thefts, as well as other recent
online security gaffes. Still, Chuck Richard, a New York-based analyst with
research firm Outsell Inc., says the people affected by these security
breaches aren't likely to have enough political clout to impose tough new
restrictions on Reed and others. "Controversial? Yes. Likely to be severely
curtailed? No," he says. Neither Outsell nor Mr. Richard owns Reed stock.
Mr. Richard doesn't rate the stock.

Investors' willingness to stick by the company will depend to a large
degree on their trust in Sir Crispin, a former Procter & Gamble Co.
executive who had no online experience before joining Reed. But in his six
years at the helm, he 

[Clips] The Word Crunchers

2005-06-03 Thread R.A. Hettinga
Even anonymous plaintext ain't so anonymous, boys and girls...

Cheers,
RAH

--- begin forwarded text


Date: Fri, 3 Jun 2005 23:30:57 -0400
To: Philodox Clips List <[EMAIL PROTECTED]>
From: "R.A. Hettinga" <[EMAIL PROTECTED]>
Subject: [Clips] The Word Crunchers
Reply-To: [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]

<http://www.nytimes.com/2005/06/05/books/review/05FRIE01.html?8bu=&emc=bu&pagewanted=print>

The New York Times
June 5, 2005

The Word Crunchers

 By DEBORAH FRIEDELL


In David Lodge's 1984 novel, ''Small World,'' a literature professor fond
of computer programming presents a novelist with a fantastic discovery: by
entering all the novelist's books into a computer, the professor can
determine the novelist's favorite word. The computer knows to ignore the
mortar of sentences -- articles, prepositions, pronouns -- to get to ''the
real nitty-gritty,'' Lodge writes, ''words like love or dark or heart or
God.'' But the computer's conclusion causes the novelist to shrink from
ever writing again. His favorite word, it finds, is ''greasy.''

Two decades later, Amazon.com, improving on its popular ''search inside the
book'' function, in April introduced a concordance program, whereby a click
of the mouse reveals a book's most frequently occurring words, ''excluding
common words.'' Further clicks reveal their contexts. And so we learn that
the nitty-gritty words appearing most frequently in the King James Bible
include ''God,'' ''Lord,'' ''shall'' and ''unto.'' The word that appears
most frequently in T. S. Eliot's ''Collected Poems'' is ''time'' -- ''There
will be time, there will be time'' -- while the word that turns up most
frequently in ''Extraordinary Golf,'' by Fred Shoemaker and Pete Shoemaker,
is, illuminatively, ''golf.''

Such computer tools have been centuries in the making. As the legend goes,
the first concordance -- of the Vulgate, completed in the early 13th
century -- required the labor of 500 Dominican friars. Even in more modern
times, those who began concordances knew that they might not live long
enough to see them completed. This was the case for the first directors of
the Chaucer concordance, which took 50 years before reaching publication in
1927.

In order to speed the process for his Wordsworth concordance, first
published in 1911, the scholar Lane Cooper required an army of Cornell
graduate students and faculty wives. It was a laborious undertaking,
involving glue, rubber stamps and a vastly intricate system of
cross-referenced 3-by-5 cards.

At the same time Cooper was mapping ''The Prelude,'' biologists at other
universities were discovering sex chromosomes. Indeed, in his description
of the alphabetization and arrangement involved in concordance-making,
Cooper calls to mind a profession that was only just beginning to exist. He
is a geneticist of language, isolating and mapping the smallest parts with
the confidence that they will somehow reveal the design of the whole.

In 1951, I.B.M. helped create an automated concordance that cataloged four
hymns by St. Thomas Aquinas. The scanning equipment was primitive. Words
still had to be hand-punched onto cards, programs for alphabetizing had to
be written, and many found the computers more trouble than they were worth.
Even with electronic assistance, indexing all of Aquinas took a million
man-hours and 30 years before it was finally completed in 1974.

Yet even as computers grew more sophisticated, some scholars resisted them.
In 1970, Stephen M. Parrish, an English professor, described how when he
''proposed to some of the Dante people at Harvard that they move to the
computer and finish the job in a couple of months, they recoiled in
horror.'' In their system, ''each man was assigned a block of pages to
index lovingly,'' and had been doing so contentedly for more than 25 years.
But eventually, of course, concordance makers joined the ranks of all the
other noble occupations gone.

Why did they labor so? Monks used concordances to ferret out connections
among the Gospels. Christian theologians relied on them in their quest for
proof that the Old Testament contained proleptic visions of the New. For
philologists, concordances provide a way of defining obscure words; if you
gather enough examples of a word in context, you may be able to divine its
meaning. Similarly, concordances help scholars attribute texts of uncertain
provenance by allowing them to see who might have used certain words in a
certain way. For readers, concordances can be a guide into a writer's mind.
''A glance at t

[Clips] Great Computer Skills Are a Must For Anyone Emulating Deep Throat

2005-06-06 Thread R.A. Hettinga

--- begin forwarded text


Date: Sun, 5 Jun 2005 23:00:05 -0400
To: Philodox Clips List <[EMAIL PROTECTED]>
From: "R.A. Hettinga" <[EMAIL PROTECTED]>
Subject: [Clips] Great Computer Skills Are a Must For Anyone Emulating Deep
Throat
Reply-To: [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]

...meanwhile on that "Internet" thing, progress in modern snitchery
apparently proceeds apace...

Cheers,
RAH
Who damns Bill Gates to Hell for capitalizing the "I" in the Word spell
checker way back when...
---

<http://online.wsj.com/article_print/0,,SB111800810686151189,00.html>

The Wall Street Journal

 June 6, 2005
 PORTALS
By LEE GOMES


Great Computer Skills Are a Must
 For Anyone Emulating Deep Throat
June 6, 2005

A generation ago, the original Deep Throat had to rely on 2 a.m. meetings
at the bottom level of an underground garage to offer guidance to reporters
investigating Watergate. Today, he would probably use the Internet. But
whether he would be able to remain anonymous for three more decades would
depend on his computer skills. That's because the Web today remains a
confusing mixture of absolute privacy and shocking exposure, and most
laypeople -- including those with no aspirations to emulate Deep Throat --
don't know which is happening when.

Pieces of the Internet experience are secure from eavesdropping to an
extreme degree of certainty -- such as when you are communicating with your
bank. Those interactions are encrypted, or scrambled, and centuries of
mathematicians have worked to guarantee, as much as is humanly possible,
that some interloper won't be able to read them. When you fill in your
credit-card number on a Web commerce page and press "send," the contents of
that page are turned into a jumble of random characters that can be turned
back into your card number only at their destination. And the guarantee is
nearly absolute: No one, be they hackers or police investigators, will be
able to read what you are doing.

This veil of secrecy protects everyone, be they Web shoppers,
whistle-blowers or al Qaeda members. In fact, one of the great conundrums
of the Internet is that the same technology that makes it safe for Amazon
also makes it safe for child pornographers. Then again, the same thing is
true for other technologies, like electricity, which can be used by all.

But how do you know it is really "your bank" you are talking with, and not
a server in a former Soviet republic that has been set up as part of the
latest phishing scam to snatch credit-card numbers and passwords? Or how do
you know that the tape file with your credit-card number won't be left
lying on some shelf somewhere, for anyone to filch?

A decade ago, in the early days of the Internet, the patrons and boosters
of the Web pointed to the mature science of encryption as the answer to all
questions about the safety and security of doing business online. They
assumed that the main threat on the Internet would be the same threat over
which cryptographers for centuries had fretted -- someone trying to break
your code and read your messages.

But the real Web security problems have turned out to be far more prosaic:
overseas teenage criminal hackers or knuckleheaded practices by
data-storage companies. The industry is only now beginning to grapple with
them, and while bad things happen far less frequently than headlines might
suggest, vigilance is still required from all concerned. With a little bit
of effort, you shouldn't have to think twice about an eavesdropper ever
reading your emails. But you do need to be on guard against some phony
email claiming to be from Meg Whitman that is attempting to persuade you to
type in your eBay password.

While today's Deep Throat could sleep secure in the knowledge that no one
else could read his emails, he would still have to worry that someone would
know he was sending them. Whenever you are doing anything at all on the
Web, you are telling some other computer to send data to yours. You can't
go online without revealing the "IP number" of your machine any more than
you can buy something by mail order and not list an address or P.O. box.

If the machine you are communicating with keeps a log of what it is doing
-- and many of them do -- then it becomes a pretty simple matter to trace
the connection back to you. That's one way the record industry has been
able to go after music downloaders. They know the IP address to which a
bootleg MP3 was downloaded; they can then get a court order forcing your
Internet service provider to reveal your real-world name and address.
Potential Deep Throats should thus realize that determined investigators
equipped with subpoena powers can be as much of a formidable adversary
online as they are in the real world.

Still, if you are willing to inconvenience yourself a bit, you can greatly
increase the odds of preserving both your privacy

[Clips] Citigroup Says Data Lost On 3.9 Million Customers

2005-06-06 Thread R.A. Hettinga

--- begin forwarded text


Date: Mon, 6 Jun 2005 17:44:44 -0400
To: Philodox Clips List <[EMAIL PROTECTED]>
From: "R.A. Hettinga" <[EMAIL PROTECTED]>
Subject: [Clips] Citigroup Says Data Lost On 3.9 Million Customers
Reply-To: [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]

<http://online.wsj.com/article_print/0,,SB111807147451351811,00.html>

The Wall Street Journal

 June 6, 2005 3:52 p.m. EDT
 MARKETS

Citigroup Says Data Lost
 On 3.9 Million Customers

A WALL STREET JOURNAL ONLINE NEWS ROUNDUP
June 6, 2005 3:52 p.m.


Citigroup Inc. said that computer tapes containing personal information on
about 3.9 million customers were lost by United Parcel Service Inc. while
in transit to a credit-reporting bureau.

The tapes contained names, Social Security numbers, account numbers and
payment history of CitiFinancial customers in the U.S., as well as clients
with closed accounts from its CitiFinancial retail-services unit. The tapes
didn't include any customer information from the New York financial-service
giant's auto, mortgage or any other Citigroup business, or its
CitiFinancial customers in Canada or Puerto Rico, the company said.

"There is little risk of the accounts being compromised because customers
have already received their loans, and no additional credit may be obtained
from CitiFinancial without prior approval of our customers, either by
initiating a new application or by providing positive proof of
identification," said Kevin Kessinger, executive vice president of
Citigroup's global consumer group, in a statement. Beginning in July, this
data will be transmitted electronically in encrypted form, he said.

"The likelihood of having the information compromised is very remote given
the type of equipment that is required to read it," Debby Hopkins,
Citigroup's chief operations and technology officer, said in an interview.
"Additionally, the information is not in a format that an untrained eye
would even know what to look for."

The tapes were lost during a routine shipment from a data center in
Weehawken, N.J., to a credit-reporting bureau in Texas. UPS confirmed that
it had misplaced one box containing the tapes. "We sincerely regret that
we've been unable to find this missing package," says Norman Black, a
spokesman for UPS in Atlanta. "We have conducted an exhaustive search and
there is no evidence or indication that it was stolen."

Citigroup began a companywide effort last year to eliminate the need to
physically ship data tapes. The bank similarly lost a batch of tapes last
summer in Singapore when a vendor didn't follow their prescribed policy.

Citigroup isn't alone. Time Warner Inc. and Ameritrade Holding Corp. both
recently had to notify customers that their personal information had been
lost in transit.

Meanwhile, Bank of America Corp. and Wachovia Corp., along with other major
banks, recently notified more than 100,000 customers that their accounts
and personal information may be at risk after former bank employees
allegedly stole customers' private information. Separately, Bank of America
also lost computer backup tapes containing names and Social Security
numbers on about 1.2 million federal-government charge cards.

In all, millions of individuals have been affected. Most organizations have
been encouraging individuals to call credit-reporting agencies and put
fraud alerts on their files, though some companies have offered free
credit-report monitoring services for a limited time. Citigroup is offering
affected customers free credit monitoring for 90 days.

The latest breach highlights the vulnerability of corporate data-handling
procedures. While some of the recent data losses have been the result of
break-ins by computer hackers, the loss of computer tapes, as was the case
with Bank of America and Time Warner, reveals gaps in trucking, air
transport and other traditional logistical systems.


-- 
-
R. A. Hettinga 
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
___
Clips mailing list
[EMAIL PROTECTED]
http://www.philodox.com/mailman/listinfo/clips

--- end forwarded text



-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


[Clips] ECC registration is open

2005-06-07 Thread R.A. Hettinga

--- begin forwarded text


Date: Tue, 7 Jun 2005 07:39:34 -0400
To: "Philodox Clips List" <[EMAIL PROTECTED]>
From: "R.A. Hettinga" <[EMAIL PROTECTED]>
Subject: [Clips] ECC registration is open
Reply-To: [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]


--- begin forwarded text


From: Tanja Lange <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: Tanja Lange <[EMAIL PROTECTED]>
Subject: ECC registration is open
Date: Tue, 7 Jun 2005 12:47:06 +0200
Organization: DTU

Dear colleague,
the registration for ECC 2005 is open. You can access the page either
directly via
http://www2.mat.dtu.dk/people/T.Lange/conf/ECC/reg/registration.php
or from the conference page

http://www.cacr.math.uwaterloo.ca/conferences/2005/ecc2005/announcement.html

Please remember to book your hotel as soon as possible as the number of rooms
is very limited due to a big event taking place the very same week.

Looking forward to seeing you in Copenhagen
Tanja

--- end forwarded text



--- end forwarded text




[Clips] Christopher Hitchens: Terminal Futility

2005-06-07 Thread R.A. Hettinga

--- begin forwarded text


Date: Tue, 7 Jun 2005 13:43:19 -0400
To: Philodox Clips List <[EMAIL PROTECTED]>
From: "R.A. Hettinga" <[EMAIL PROTECTED]>
Subject: [Clips] Christopher Hitchens: Terminal Futility
Reply-To: [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]

<http://slate.msn.com/toolbar.aspx?action=print&id=2120330>

Slate

fighting words
Terminal Futility
Routine airport security won't thwart jihadists, but it does inconvenience
and endanger the rest of us.
By Christopher Hitchens
Posted  Monday, June 6, 2005, at 1:02 PM PT


Is there anyone reading this column who would agree with Mark O. Hatfield
Jr., spokesman for the Transportation Security Administration, that in the
past year "the average peak wait time at [airport] checkpoints has dropped
a minute ... to about 12 minutes"? This is what he was cited as having
said, in a New York Times report of a confidential document from the
Department of Homeland Security. The last time I was at Dulles Airport, the
line for security began at the entrance to the terminal and wound itself in
several rope-line convolutions, like a clogged intestine, for about 40
minutes. I had allowed the usual two hours and was checking no luggage, but
this and other banana-republic conditions almost made me miss my plane. Nor
was it a "peak time." In any case, a passenger cannot know what a "peak
time" will be. Only the TSA knows how many people are booked on how many
flights at a given hour and can make provision of enough machines and
personnel. Or not, as the case may be.

So, Hatfield was telling me something that I didn't know. The rest of the
report, however, contains things that everyone does know to be true. We
learn that there is no real capacity to detect explosives, for example. And
we learn that, "If, say, a handgun were discovered, the terrorist would
have ample ability to retain control of it. TSA screeners are neither
expecting to encounter a real weapon nor are they trained to gain control
of it." Who hasn't worked that out?

I think I had also noticed that there are not enough plastic bins or tables
to line them up on, and that "X-ray machines that examine carry-on baggage
sit idle as much as 30 per cent of the time." The time elapsed between
Sept. 11, 2001, and today's writing (1,364 days) is only slightly less than
the time between Pearl Harbor and the unconditional surrender of Japan
(1,365 days). And airport security is still a silly farce that subjects the
law-abiding to collective punishment while presenting almost no deterrent
to a determined suicide-killer.

There is one mercy at least: One no longer sees people smiling and saying,
"Thank you" as their wheelchairs and their children are put through
pointless inspections. But the new form of servile abjection -- standing in
sullen lines and just putting up with it -- is hardly an improvement. One
sometimes wants to ask, "What's my name?" or, "To what database is this
connected" when someone has just asked for the third time for you to put
down a bag and produce a driver's license. But I think the fear of making
some inscrutable "no-fly" list may inhibit many people. There has never yet
been a hijacker who boarded a plane without taking the trouble to purchase
a ticket and carry an ID. Members of the last successful group were on a
"watch list," for all the difference that made. The next successful group
will not be on a watch list.

Flying from London to Washington the other day, I was told that I was no
longer required to take my computer out of its case. Apparently, there are
scanners that can see through soft cases as well as through the hardened lid
of a laptop (and apparently the United States hasn't managed to invest in
any of these scanners for its domestic airports). On the other hand, I was
asked if I had packed my own bags and if they had been under my control at
all times. This exceptionally stupid pair of questions -- to which a terrorist
would have to answer "yes" by definition -- is now deemed too stupid for U.S.
domestic purposes and stupid enough only for international travel. This
makes as much sense as diverting a full plane that carries a notorious
Islamist crooner, the artist formerly known as Cat Stevens, from one
airport to another.

Routines and "zero tolerance" exercises will never thwart determined
jihadists who are inventive and who are willing to sacrifice their lives.
That requires inventiveness and initiative. But airport officials are not
allowed to use their initiative. People who have had their names confused
with wanted or suspect people, and who have spent hours proving that they
are who they say they are, are nonetheless compelled to go through the
whole process every time, often with officials who have seen them before
and cleared them before, because the system that never seems to catch
anyon

[Clips] Private Eyes Fear Limits On Information Access

2005-06-14 Thread R.A. Hettinga

--- begin forwarded text


Date: Tue, 14 Jun 2005 11:52:02 -0400
To: Philodox Clips List <[EMAIL PROTECTED]>
From: "R.A. Hettinga" <[EMAIL PROTECTED]>
Subject: [Clips] Private Eyes Fear Limits On Information Access
Reply-To: [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]

<http://www.washingtonpost.com/wp-dyn/content/article/2005/06/13/AR2005061301553_pf.html>

The Washington Post

washingtonpost.com
Private Eyes Fear Limits On Information Access

By Jonathan Krim
Washington Post Staff Writer
Tuesday, June 14, 2005; D01

Private investigators are working to blunt legislation that cracks down on
the active marketplace for Social Security numbers, telling Congress that
restricting access to the numbers will hurt their business and hamper their
investigations.

Several bills are moving through the Capitol to prevent identity thieves
from getting Social Security numbers to gain access to consumers' financial
accounts. In the past year, the Social Security numbers of tens of millions
of Americans have been exposed through personal data being lost, stolen or
hacked.

But private investigators contend that the rush to protect privacy goes too
far and would damage their ability to deliver valuable services, such as
locating people who skip out on debts, commit fraud or want to avoid
testifying in court.

In a lobbying blitz, trade associations representing roughly 40,000
licensed private investigators are exhorting their members to "please do
something, or we will have nothing" by writing to Congress and state
legislatures, many of which also are moving to curb the availability of
Social Security numbers.

Representatives of private investigator groups discussed lobbying strategy
last month with several data brokers -- companies that buy and sell
personal information -- at a meeting hosted by ChoicePoint Inc., one of the
country's largest such firms.

According to a summary of the meeting circulated to online news groups
frequented by private investigators, "PIs and data provider companies are
committed to a massive lobbying effort to educate our legislators on the
ill effects of truncating data to licensed investigators."

But the investigators also are worried about large data brokers themselves,
which routinely buy and sell personal data but have taken their own steps
to restrict access to Social Security numbers in the wake of breaches at
their firms.

Two of the largest, ChoicePoint and LexisNexis Group, now sell only partial
Social Security numbers to several types of businesses, including private
investigators.

"We think they can do their jobs without" full Social Security numbers,
said James Lee, chief marketing officer of ChoicePoint. He confirmed most
of the account of the lobbying meeting.

Private investigators also have other ways of profiting from their access
to such information. Some have ongoing subscriptions for data from brokers
and maintain Web sites offering to resell the data to the public. Most of
the subscription contracts prohibit such resale, and many data brokers now
are requiring private investigators and other clients to recertify their
credentials.

Brian P. McGuinness, president of the Baltimore-based National Council of
Investigation and Security Services, said the large data brokers that
decided to limit private investigators to partial Social Security numbers
were being "a bit disingenuous," and were simply trying to stave off
stricter regulation by Congress.

Instead, he said, the policy will make it harder for private eyes to
distinguish between people who have the same or similar names.

McGuinness said his group is hoping for an exception to limits on Social
Security numbers similar to one investigators enjoy in a 1994 law that
restricts the sale of driver's license data.

"There are some problem children in every profession," McGuinness said,
referring to investigators who indiscriminately resell data. His
organization supports legislation that would prohibit reselling of Social
Security numbers to the general public online, he said.

Other information brokers are not truncating Social Security numbers for
private investigators.

"I think they are an extension of law enforcement," said Terry Kilburn,
chief operating officer of Tracers Information Specialists Inc. of Florida,
which also advertises data available to the public on its Web site.

He said that because his firm has amassed and combined data from a variety
of public and private sources over many years -- including mega-brokers
such as ChoicePoint -- he is rarely bound by their resale restrictions.

For their part, the large data brokers say they support identity-theft
legislation but are working quietly with banks and other financial services
companies -- also the source of several recent breaches -- to shape the
bills.

Most of the bills introduced would require that organizations notify
customers if their info

[Clips] Visa Sets Antifraud-System Upgrade

2005-06-14 Thread R.A. Hettinga

--- begin forwarded text


Date: Tue, 14 Jun 2005 11:19:33 -0400
To: Philodox Clips List <[EMAIL PROTECTED]>
From: "R.A. Hettinga" <[EMAIL PROTECTED]>
Subject: [Clips] Visa Sets Antifraud-System Upgrade
Reply-To: [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]

<http://online.wsj.com/article_print/0,,SB111861457869157418,00.html>

The Wall Street Journal

 June 13, 2005
 MONEY


Visa Sets Antifraud-System Upgrade
New Tool Aims to Prevent
 Bogus Purchase Attempts
 Right at the Point of Sale

By DAVID BANK and DON CLARK
Staff Reporters of THE WALL STREET JOURNAL
June 13, 2005; Page B4


Visa USA disclosed details of a new technology for preventing fraudulent
credit-card transactions, a tool that is already helping limit losses
despite a rash of high-profile thefts of customer data.

The San Francisco-based credit-card association and its U.S. member banks
have been quietly using the new system, dubbed "advanced authorization,"
for the past year. Visa said the technology, which was formally announced
today, can identify as much as 40% of fraudulent transactions that might
have slipped through previous antifraud systems.

Card issuers face criminal tactics that go well beyond stealing credit
cards. Counterfeit cards, for example, can be created by scanning
information from customers' cards at stores or restaurants. More recently,
large volumes of credit-card numbers have fallen into the hands of computer
hackers or criminal gangs, which have used them for fraudulent online
transactions or to make counterfeit cards.

Antifraud systems help distinguish suspicious purchasing behavior, such as
one credit card being used in multiple states within minutes. Such a
pattern often can't be detected, however, until some purchases have been
made.

Visa says its new advanced-authorization system can stop more bogus
purchase attempts at the point of sale.

"We have the ability to stop the fraud on the first transaction," says Jean
Bruesewitz, Visa's senior vice president for processing and emerging
products.

The new technology provides card-issuing banks with a rating of a
transaction's potential for fraud, including whether a card number was part
of a reported security breach, Visa said. Besides evaluating whether
transactions fit an account-holder's past behavior, the system compares
transactions with data gathered across the entire Visa network for possible
connections to broader patterns of criminal behavior.

Some crooks, for example, set up bogus merchant accounts and test hundreds
of credit-card numbers for validity by attempting to charge nominal
transactions. The new authorization system is designed to spot and block
such behavior.

Ms. Bruesewitz said the additional analysis adds fewer than 600 nanoseconds
to the time required to process a transaction, even during peak seasons
when Visa might process as many as 6,000 transactions per second.

"The big difference is that this is done in real time as the transaction is
going through as opposed to after the fact," said Adam Frisch, an analyst
with UBS AG.

Card-issuing banks that have tested the system include Commerce Bancshares
Inc. Ken Ragan, an executive vice president of the bank holding company in
Kansas City, Mo., praised the greater precision in identifying suspicious
transactions. He said the system also generates relatively few "false
positives," erroneous alarms about purchasing activity that can generate
unnecessary calls to customers by antifraud analysts.

Visa USA processes roughly $1.3 trillion in transactions each year. Its
fraud rate stands at five cents per $100 in transaction value; Ms.
Bruesewitz said the new system could reduce that rate by two cents per $100
in transactions. About 10% of bogus transactions can be intercepted before
they are completed, she said, translating into a reduction of about $164
million in fraud-related losses over five years.


-- 
-
R. A. Hettinga 
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
___
Clips mailing list
[EMAIL PROTECTED]
http://www.philodox.com/mailman/listinfo/clips

--- end forwarded text



-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


[Clips] Seagate announces encrypted laptop drives

2005-06-22 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Wed, 22 Jun 2005 08:07:20 -0400
 To: Philodox Clips List <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] Seagate announces encrypted laptop drives
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 <http://arstechnica.com/news.ars/post/20050621-5019.html>

 Ars Technica

 Seagate announces encrypted laptop drives

 6/21/2005 4:02:56 PM, by Eric Bangeman


 For those reliant on laptops for work, data security can often be an issue,
 especially if the laptop is stolen. Various third-party encryption tools
 are available, but Seagate looks to one-up them with its new
 Hardware-Based Full Disc Encryption (FDE). Slated to begin shipping in
 2006, the drives automatically encrypt data as it is written to the drive.

 Seagate will offer hardware-based full disc encryption technology on its
 new Momentus FDE family of hard drives, providing the industry's strongest
 protection against unauthorized access to data on stolen or retired
 notebook PCs. FDE technology requires only a user key to encrypt all data,
 not just selected files or partitions, on the drive.

 FDE uses Triple DES to do the job and will be available on its Momentus
 5400 2.5" hard drives for laptops in sizes ranging from 40GB to 120GB.
 Seagate also claims the drives will have performance identical to other
 5400 rpm drives without the built-in encryption. Pricing has not been
 announced, but expect to pay a premium for the FDE drives.

 These drives should prove very popular in certain industries, especially
 with defense contractors and others who deal with sensitive or classified
 information. Even if a laptop with an FDE drive is stolen or retired
 without the drives being wiped, the data on there will be unreadable
 without the user key. Data recovery services will still be able to pull the
 raw data from drives, although it too will be encrypted. Maybe the IT
 department over at Los Alamos will invest in a few of these babies -- then
 they won't have to worry if one of their drives disappears.



--- end forwarded text




Re: [Clips] dell keylogger

2005-06-22 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Wed, 22 Jun 2005 14:03:01 -0400
 To: "Philodox Clips List" <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: Re: [Clips] dell keylogger
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]


 --- begin forwarded text


  Date: Wed, 22 Jun 2005 09:14:00 -0700
  To: "R.A. Hettinga" <[EMAIL PROTECTED]>
  From: Vinnie Moscaritolo <[EMAIL PROTECTED]>
  Subject: Re: [Clips] dell keylogger

  HOAX
  see http://www.schneier.com/blog/archives/2005/06/dell_keyboard_l.html



  At 10:53 AM -0400 6/22/05, R.A. Hettinga wrote:
  >--- begin forwarded text
  >
  >
  >  Delivered-To: [EMAIL PROTECTED]
  >  Date: Wed, 22 Jun 2005 10:51:53 -0400
  >  To: Philodox Clips List <[EMAIL PROTECTED]>
  >  From: "R.A. Hettinga" <[EMAIL PROTECTED]>
  >  Subject: [Clips] dell keylogger
  >  Reply-To: [EMAIL PROTECTED]
  >  Sender: [EMAIL PROTECTED]
  >
  >  <http://c0x2.de/lol/lol.html>
  >
  >  chromance.de dell keylogger
  >
  >  Mirrored by iBabes.org - Babevoting
  >
  >
  >
  >  I was opening up my almost brand new Dell 600m laptop, to replace a broken
  >  PCMCIA slot riser on the motherboard. As soon as I got the keyboard off, I
  >  noticed a small cable running from the keyboard connection underneath a
  >  piece of metal protecting the motherboard.
  >


  --

  Vinnie Moscaritolo  ITCB-IMSH
  PGP: 3F903472C3AF622D5D918D9BD8B100090B3EF042
  ---

 --- end forwarded text



--- end forwarded text




[Clips] Urban Legends Reference Pages: Computers (Keyboard Loggers)

2005-06-22 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Wed, 22 Jun 2005 14:05:46 -0400
 To: Philodox Clips List <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] Urban Legends Reference Pages: Computers (Keyboard Loggers)
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 <http://www.snopes.com/computer/internet/dellbug.asp?print=y>


 http://www.snopes.com/computer/internet/dellbug.asp
 Keyboard Loggers

 Claim:   Account claims Dell is selling computers with keyboard loggers
 installed at the behest of the Department of Homeland Security.

 Status:   False.

 Example:   [Collected on the Internet, 2005]


 I was opening up my almost brand new Dell 600m laptop, to replace a broken
 PCMCIA slot riser on the motherboard. As soon as I got the keyboard off, I
 noticed a small cable running from the keyboard connection underneath a
 piece of metal protecting the motherboard.

  I figured "No Big Deal", and continued with the disassembly. But when I
 got the metal panels off, I saw a small white heatshrink-wrapped package.
 Being ever-curious, I sliced the heatshrink open. I found a little circuit
 board inside.

  Being an EE by trade, this piqued my curiosity considerably. On one side
 of the board, one Atmel AT45D041A four megabit Flash memory chip.

  On the other side, one Microchip Technology PIC16F876 Programmable
 Interrupt Controller, along with a little Fairchild Semiconductor CD4066BCM
 quad bilateral switch.

  Looking further, I saw that the other end of the cable was connected to
 the integrated ethernet board.

  What could this mean? I called Dell tech support about it, and they said,
 and I quote, "The integrated service tag identifier is there for assisting
 customers in the event of lost or misplaced personal information." He then
 hung up.

  A little more research, and I found that that board spliced in between the
 keyboard and the ethernet chip is little more than a Keyghost hardware
 keylogger.

  [Rest of article here].


 Origins:   Given the prevalent public fear of governmental snooping into
 private activity, the discovery that personal computers were being sold
 with devices that enabled the Department of Homeland Security (DHS) to
 monitor keystrokes would have a rather chilling effect. Most of us now use
 computers in so many different facets of our lives, from personal
 correspondence to shopping, that recording and analyzing everything we
 typed on one would provide a great deal of information about us.

  Although furtive eavesdropping on computer activity is certainly possible,
 the specific tale presented above is nothing more than an example of
 "government conspiracy" type hoaxlore. It originally appeared on
 www.chromance.de (from which it has since been removed, although it remains
 mirrored elsewhere), a site which carried several other obvious hoaxes. The
 graphics for the article were lifted from another site's page about
 commercial keyboard loggers, and the purported letter from the Department
 of Homeland Security appears to be an altered version of someone else's
 example of correspondence from the DHS.

 Last updated:   17 June 2005




--- end forwarded text




[Clips] ChoicePoint Curtails Business, Changes Methods to Protect Data

2005-06-24 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Fri, 24 Jun 2005 11:49:02 -0400
 To: Philodox Clips List <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] ChoicePoint Curtails Business,
Changes Methods to Protect Data
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 <http://online.wsj.com/article_print/0,,SB111957007176668246,00.html>

 The Wall Street Journal

  June 24, 2005


 ChoicePoint Curtails Business,
  Changes Methods to Protect Data

 By ANN CARRNS and VALERIE BAUERLEIN
 Staff Reporters of THE WALL STREET JOURNAL
 June 24, 2005


 ChoicePoint Inc. is sharply curtailing one line of business and making
 significant changes in the way it shares much of its electronic data, in an
 effort to avoid incidents like the data breach disclosed earlier this year
 in which criminals obtained personal information on about 145,000 people.

 The Alpharetta, Ga., data concern will electronically mask sensitive
 information such as Social Security numbers in its reports, such as
 background checks provided to companies on new employees. ChoicePoint is
 also taking steps to severely reduce its business in providing data to
 private investigators, collection agencies and some small financial
 concerns.

 The moves come in the wake of the high profile data breach at ChoicePoint,
 in which criminals posed as legitimate small businesses to illegally obtain
 data, and similar recent incidents involving other companies. The data
 losses have heightened concerns dramatically about identity theft -- in
 which an individual's personal information is used to fraudulently open
 credit-card accounts or apply for loans -- and helped spur congressional
 hearings into whether further laws are needed to protect sensitive personal
 data.

 ChoicePoint, which has troves of personal data about nearly every American
 adult gleaned from sources such as business clients and public records,
 also has begun providing free annual copies to consumers of its "personal
 public records" searches, even though the company says it isn't yet
 required to do so by law.

 "We believe that individuals should be able to see the information that's
 available about them," said Mr. James Lee, the company's chief marketing
 officer.

 The company's personal public records searches provide a broad range of
 details about individuals, such as any criminal history; property owned,
 such as houses, cars and boats; professional licenses held; businesses
 owned, and any sanctions lodged against the holder.

 ChoicePoint has been offering the reports free since March but hasn't
 widely publicized the service. Consumers may, however, go to
 www.choicetrust.com, the Web site for the company's consumer division, to
 print out an application, which they can complete and mail to ChoicePoint,
 along with documentation of their identity and address. The company then
 mails the report to the individual. The process can take several weeks.

 ChoicePoint says it is restricting the type of information provided to
 certain small business clients, including private investigators and
 collection agencies. Those customers and "nonbank" financial institutions,
 such as check-cashing concerns, will no longer have access to reports
 containing an individual's full Social Security number and similarly
 sensitive data.

 ChoicePoint expects that those changes will make their offerings far less
 attractive to that market and likely cost the company between $15 million
 and $20 million in annual revenue, or about 2% of its annual sales, said
 Mr. Lee.



--- end forwarded text




[Clips] FINCEN's SARs: IRS probing possible data security breaches

2005-06-25 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Fri, 24 Jun 2005 20:08:37 -0400
 To: Philodox Clips List <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] FINCEN's SARs: IRS probing possible data security breaches
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 
<http://reuters.myway.com/article/20050624/2005-06-24T203656Z_01_N24203433_RTRIDST_0_NEWS-SECURITY-USA-DATA-DC.html>

 My Way News

 IRS probing possible data security breaches

 Jun 24, 4:36 PM (ET)


  By Caroline Drees, Security Correspondent

 WASHINGTON (Reuters) - The Internal Revenue Service is investigating
 whether unauthorized people gained access to sensitive taxpayer and bank
 account information but has not yet exposed any privacy breaches, an
 official said on Friday.

 The U.S. tax agency -- whose databases include suspicious activity reports
 from banks about possible terrorist or criminal transactions -- launched
 the probe after the Government Accountability Office said in April that the
 IRS "routinely permitted excessive access" to the computer files.

 The GAO team was able to tap into the data without authorization, and
 gleaned information such as bank account holders' names, social security
 numbers, transaction values, and any suspected terrorist activity. It said
 the data was at serious risk of disclosure, modification or destruction.

 "There is no evidence that anyone who was not authorized accessed the data
 outside the GAO," said Sheri James, a spokeswoman for the Treasury's
 Financial Crimes Enforcement Network (FinCEN), which is working with the
 IRS to address the concerns of the GAO, the investigative arm of Congress.

 "The assessment remains ongoing at this time," James said.

 IRS officials were not immediately available for comment.

 FinCEN is responsible for administering the Bank Secrecy Act, under which
 banks must file suspicious activity reports on transactions they believe
 could be linked to money laundering or terrorism financing. The IRS stores
 this data for FinCEN.

 As their name suggests, these reports are filed based on suspicions, not
 necessarily proof, and the vast majority never lead to investigations or
 prosecutions.

 Unauthorized access to the information held by the IRS raises concerns
 about the privacy rights and civil liberties of innocent banking clients as
 well as ordinary taxpayers.

 From October, when FinCEN rolls out a new computer system called BSA
 Direct, the agency will for the first time take control of all BSA data
 from filing to dissemination, which it hopes will significantly bolster
 data security.

 Taxpayer data will remain with the IRS, which the Treasury says is
 addressing its "computer security deficiencies."

 Concerns about privacy violations through weak computer security are
 mounting in the United States, where a string of companies this year have
 reported stolen or misappropriated customer data, including Bank of America
 Corp., ChoicePoint Inc. and Reed Elsevier.

 Since ChoicePoint announced in February that it mistakenly sold 145,000
 consumer profiles to a ring of identity thieves, dozens of other
 organizations, from banks to universities, have announced security breaches
 of their own.



--- end forwarded text




[Clips] WPES 2005: Deadline extension (June 30)

2005-06-25 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Sat, 25 Jun 2005 09:20:49 -0400
 To: "Philodox Clips List" <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] [p2p-hackers] WPES 2005: Deadline extension (June 30)
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]


 --- begin forwarded text


  Delivered-To: [EMAIL PROTECTED]
  Date: Sat, 25 Jun 2005 13:48:41 +0200 (CEST)
  From: Sabrina De Capitani di Vimercati <[EMAIL PROTECTED]>
  To: [EMAIL PROTECTED]
  Subject: [p2p-hackers] WPES 2005: Deadline extension (June 30)
  Reply-To: [EMAIL PROTECTED],
"Peer-to-peer development." <[EMAIL PROTECTED]>
  Sender: [EMAIL PROTECTED]


[Apologies if you receive multiple copies of this message]

 CALL FOR PAPERS

4th WORKSHOP ON PRIVACY IN THE ELECTRONIC SOCIETY
  Alexandria, VA, USA - November 7, 2005
  Sponsored by ACM SIGSAC
Held in association with 12th ACM CCS 2005

http://wpes05.dti.unimi.it

  
  Due to several requests the deadline is extended to June 30, 2005 (firm)
  

  The need for privacy-aware policies, regulations, and techniques has
  been widely recognized. This workshop discusses the problems of
  privacy in the global interconnected societies and possible
  solutions. The 2005 Workshop, held in conjunction with the ACM CCS
  conference, is the fourth in a yearly forum for papers on all the
  different aspects of privacy in today's electronic society.

  The workshop seeks submissions from academia and industry presenting
  novel research on all theoretical and practical aspects of electronic
  privacy, as well as experimental studies of fielded systems. We
  encourage submissions from other communities such as law and business
  that present these communities' perspectives on technological
  issues. Topics of interest include, but are not limited to:


  - anonymity, pseudonymity, and unlinkability
  - business model with privacy requirements
  - data protection from correlation and leakage attacks
  - electronic communication privacy
  - information dissemination control
  - privacy-aware access control
  - privacy in the digital business
  - privacy enhancing technologies
  - privacy policies
  - privacy and anonymity in Web transactions
  - privacy threats
  - privacy and human rights
  - privacy and confidentiality management
  - privacy in the electronic records
  - privacy in health care and public administration
  - public records and personal privacy
  - privacy and virtual identity
  - personally identifiable information
  - privacy policy enforcement
  - privacy and data mining
  - relationships between privacy and security
  - user profiling
  - wireless privacy
  - economics of privacy

  PAPER SUBMISSIONS
  Submitted papers must not substantially overlap papers that have been
  published or that are simultaneously submitted to a journal or a
  conference with proceedings. Submissions should be at most 15 pages
  excluding the bibliography and well-marked appendices (using 11-point
  font and reasonable margins on letter-size paper), and at most 20
  pages total. Committee members are not required to read the
  appendices, and so the paper should be intelligible without them. Like
  last year, we plan to accept some of the submissions as full papers
  (15 pages), and we may accept some others as abstracts (3 pages) if
  they represent novel or interesting work that is not as developed.

  Papers are to be submitted electronically via the online submission
  system (http://www.softconf.com/start/CCS05-WEPS/submit.html). Through
  this form, you will be requested to upload the file of your paper (in
  PDF or portable postscript format). Do NOT upload files formatted for
  word processing packages (e.g., Microsoft Word or WordPerfect
  files). Submissions not meeting these guidelines risk rejection
  without consideration of their merits. Papers must be received by the
  deadline of June 24, 2005 in order to be considered. Notification of
  acceptance or rejection will be sent to authors by August 8,
  2005. Authors of accepted full papers must guarantee that their paper
  will be presented at the workshop. Accepted papers will be published
  by the ACM in a conference proceedings



  GENERAL CHAIR
  Vijay Atluri
  Rutgers University, USA
  email: [EMAIL PROTECTED]


  PROGRAM CHAIRS
  Sabrina De Capitani di Vimercati
  University of Milan
  email: [EMAIL PROTECTED]

  Roger Dingledine
  The Free Haven Project, USA
  email: [EMAIL PROTECTED]


  IMPORTANT DATES
  Paper Submission due:    June 30, 2005 (NEW)
  Acceptance notification: August 8, 2005
  

[Clips] A Radical Tool To Fight ID Theft

2005-07-06 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Wed, 6 Jul 2005 16:12:29 -0400
 To: Philodox Clips List <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] A Radical Tool To Fight ID Theft
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 <http://online.wsj.com/article_print/0,,SB112060885609977982,00.html>

 The Wall Street Journal

  July 6, 2005
  MONEY

 A Radical Tool
  To Fight ID Theft
 U.S. Is Allowing Some Fraud Victims
  To Obtain New Social Security Numbers

 By CHRISTOPHER CONKEY
 Staff Reporter of THE WALL STREET JOURNAL
 July 6, 2005; Page D1


 As companies roll out a growing variety of tools to combat identity theft,
 some Americans are taking a more radical step: changing their Social
 Security number.

 Traditionally, trading in an old number for a new one is something
 attempted in only the most extreme circumstances. Not only does the Social
 Security Administration demand heavy, documented proof of hardship -- but
 it also means that an individual must then track down every bank, utility,
 credit-card association and government agency that might have the old
 number on file, and persuade them to use the new one.

 Despite the obstacles, in the 11-month period ended in March, roughly 1,000
 people were issued new Social Security numbers for reasons of identity
 theft. While the Social Security Administration started keeping statistics
 on the specific reasons people are issued new numbers only last year,
 consumer advocates expect the number of identity-theft-related requests to
 increase. Last year, the agency received 75,000 allegations of Social
 Security number "misuse," up from just 11,000 in 1998.

 Social Security numbers can be particularly valuable assets in the hands of
 a criminal. With little more than a valid Social Security number and street
 address, a thief can often fraudulently open credit-card accounts or apply
 for loans in someone else's name, severely damaging his credit record.

 People who change their number are hoping not only to cut off their
 assailant, but also to make a fresh start with a clean credit history. Many
 people, though, are frustrated to discover that it doesn't solve their
 problems. In fact, some privacy advocates, government officials and
 consumers who have been through the ordeal warn that it can actually make
 matters worse in some circumstances.

 WRONG NUMBER?

 Some identity-theft victims change their Social Security
 number, but it's a tough task:

 Experts advise against it in most cases, saying it creates new problems,
 extra work and lots of explaining to banks and other institutions.

 Changing numbers isn't easy; considerable evidence is required to persuade
 the government you really need it.

 Even if you get a new number, the old one won't be deleted.

 Getting creditors to use the new number is a significant hassle that can
 take years.

 Identity theft affects nearly 5% of the adult population, according to the
 Federal Trade Commission, costing businesses and individuals a combined $53
 billion annually. Last year, the FTC received 246,000 reports of identity
 theft, nearly triple the number received in 2001.

 Concern is particularly high right now following a spate of recent security
 breaches, which compromised the data records of some 50 million people and
 left many more wondering whether they were affected. The scandals have
 implicated institutions ranging from ChoicePoint Inc., a data broker, to
 Bank of America Corp., to the University of California at Berkeley.

 People who have gotten new Social Security numbers report mixed results.
 Scott Lewis, an X-ray technician from Wintersville, Ohio, changed his
 number a few years ago to untangle his identity from a repeat
 drunken-driving offender who at one point faced murder charges.

 Mr. Lewis first noticed a problem during a job search: Several times he was
 told he was a top candidate for a job, but then would never hear back.
 Finally, "one manager picked up the phone and said, 'You're an unsavory
 character, don't ever call here again,' " Mr. Lewis says. He did a
 background check on himself and discovered that, because of a clerical
 error -- a sheriff's office in Ohio had mistyped the arrested man's Social
 Security number, putting in Scott Lewis's instead -- his identity was being
 confused. At the advice of a prosecutor, he got the SSA to change his
 number. "That was the beginning of a big mistake," he says. "By doing that,
 I now had no credit history, so I can't get credit, and it appears that I'm
 using a fraudulent Social Security number."

 Even people who have had more success offer warnings. Ted Wern, a
 30-year-old corporate attorney in Chicago, changed his number in 2000 after
 someone started impersonating him and racked up large charges on credit
 c

[Clips] Swiss introduce e-post

2005-07-07 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Thu, 7 Jul 2005 09:28:01 -0400
 To: Philodox Clips List <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] Swiss introduce e-post
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 <http://www.theregister.co.uk/2005/07/06/swiss_e_post/print.html>

 The Register



 Swiss introduce e-post
 By Jan Libbenga (libbenga at yahoo.com)
 Published Wednesday 6th July 2005 11:34 GMT

 Swiss Post has bought the Zurich-based firm SwissSign
 (http://www.swisssign.com), which specialises in digital encryption, to
 introduce registered e-post. Its new incaMail communication platform will
 permit letters with signature or registered letters to be displayed
 electronically in a legally-binding form.

 The digital postmark will act as a guarantee of delivery, Swiss Post says.
 The sender would be required to attach a signature to the contents and the
 sender would receive proof that the message was delivered.

 Swiss Post and the Swiss Federal Court have already agreed to conduct a
 pilot project. The pilot - called JusLink - serves to install incaMail as
 an electronic delivery platform for the exchange of documents between
 attorneys and courts.

 Traditional post offices would still have a role to play in the digital
 revolution, despite a decline in the volume of traditional letters of 16
 per cent by 2010. The post office network would function as registration
 offices to verify the identification of applicants.


 --
 -
 R. A. Hettinga 
 The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
 44 Farquhar Street, Boston, MA 02131 USA
 "... however it may deserve respect for its usefulness and antiquity,
 [predicting the end of the world] has not been found agreeable to
 experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
 ___
 Clips mailing list
 [EMAIL PROTECTED]
 http://www.philodox.com/mailman/listinfo/clips

--- end forwarded text



-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: Why Blockbuster looks at your ID.

2005-07-09 Thread R.A. Hettinga
At 1:16 PM -0400 7/8/05, Perry E. Metzger wrote:
>I seem to have gotten that one drastically wrong. Thanks for the
>more accurate figures.

Don't worry. I would bet that identity theft will more than make up for it
soon enough, as transaction settlement times converge to instantaneity.

*That's* potentially *infinite* risk to the *consumer*, which is an
interesting proposition.

Cheers,
RAH



Looking for crypto iButton specs

2005-07-11 Thread R.A. Hettinga

--- begin forwarded text


 From: [EMAIL PROTECTED] (Peter Gutmann)
 To: [EMAIL PROTECTED]
 Subject: Looking for crypto iButton specs
 Date: Tue, 12 Jul 2005 00:56:35 +1200
 Sender: [EMAIL PROTECTED]

 During a recent discussion about secure crypto device bootstrap and
 attestation capabilities, I realised that of the three devices for which this
 was implemented and for which documentation was available (Fortezza, IBM 4758,
 and Dallas Crypto iButton), I either don't have any documentation for the
 Crypto iButton or I've filed it under something sufficiently misleading that I
 can't find it any more.  So:

 Does anyone still have the documentation for the DS1954 Crypto iButton?  Note
 that I specifically mean the DS1954 Crypto iButton before its Javafuxation,
 which removed the very nice crypto security model and crypto transaction
 processing/scripting capability.  Dallas systematically excised any traces of
 the pre-Javafuxated version from databooks and web pages, so it'd be a case of
 someone having a copy archived somewhere.  It was a very nice design and I'd
 like to have some record of it outside the summary I put in my Godzilla
 security tutorial.

 (If whoever did the design is reading this, I'd be interested in hearing from
 them as well).

 Peter.

--- end forwarded text




Re: the limits of crypto and authentication

2005-07-13 Thread R.A. Hettinga
At 2:48 PM -0700 7/12/05, Bill Stewart wrote:
>It'd be nice if good crypto and authentication methods
>could create a market for improved products

It can, it does, and it's called significantly reduced risk-adjusted
transaction cost in financial econ-speak. Maybe the marketing droids need
to come up with a 50's-era "secret" ingredient, a cryptographic
"Floristan(tm)", but frankly, I don't think they're going to have to.

Frankly, however, I think that reduced transaction costs create
*dis*economies of scale by reducing barriers to market entry and thus
firm-size, and reducing proprietary anything to fungible graded commodities
traded in so-called (see your Econ 51 textbook) perfectly competitive
markets, instead of monopolistic competition (brands, trademarks, patents
and other artifacts of batch-driven industrial production), which is what
we have today. Think of it as the financial equivalent of grey-goo, or,
better, blood-music, or whatever.

Linux vs Novell/MS-DOS/Unix(tm) for instance, or, again better, IETF-esque
protocols replacing various proprietary secret-sauce bit-slinging methods.

BTW, Perry, I think that as we get to online instantaneity for every
transaction, we eventually converge to pre-underwritten pre-encrypted
pre-authenticated quasi-anonymous unique value-bits circulating on public
networks: internet bearer financial cryptography protocols, in other words.

Cheers,
RAH
"But you *knew* I was gonna say *that*, right?"


Re: mother's maiden names...

2005-07-13 Thread R.A. Hettinga
At 12:26 PM -0400 7/13/05, Perry E. Metzger wrote:
>Why do banks not collect simple biometric information like photographs
>of their customers yet?

Some do.

Cambridge Trust puts your picture on the back of your VISA card, for
instance. They have for more than a decade, maybe even two.

Cheers,
RAH



[Clips] As Identity Theft Moves Online, Crime Rings Mimic Big Business

2005-07-13 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Wed, 13 Jul 2005 12:54:49 -0400
 To: Philodox Clips List <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] As Identity Theft Moves Online,
Crime Rings Mimic Big Business
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 <http://online.wsj.com/article_print/0,,SB112121800278184116,00.html>

 The Wall Street Journal

  July 13, 2005
  U.S. BUSINESS NEWS


 Fraud Inc.
  As Identity Theft Moves Online,
  Crime Rings Mimic Big Business
 Russian-Led Carderplanet
  Steals Account Numbers;
  Mr. Havard Hits ATMs
 'Common Punk' to 'Capo'

 By CASSELL BRYAN-LOW
 Staff Reporter of THE WALL STREET JOURNAL
 July 13, 2005; Page A1


 At 19 years old, Douglas Cade Havard was honing counterfeiting skills he
 learned in online chat rooms, making fake IDs in Texas for underage college
 students who wanted to drink alcohol.

 By the age of 21, Mr. Havard had moved to England and parlayed those skills
 to a lucrative position at Carderplanet.com, one of the biggest
 multinational online networks trafficking in stolen personal data. Having
 reached a senior rank in the largely Russian and Eastern European
 organization, he was driving a $57,000 Mercedes and spending hundreds of
 dollars on champagne at clubs and casinos.

 Now 22, Mr. Havard is in a Leeds prison cell, having pleaded guilty to
 charges of fraud and money laundering. The Carderplanet network has been
 shut down.

 As other similar groups thrive and proliferate, Mr. Havard's case provides
 a rare insight into the underground marketplace for stolen information, a
 surging white-collar crime of the 21st century. It affects as many as 10
 million Americans at a price tag of $55 billion to American business and
 individuals, according to industry and government studies.

 While banks typically compensate customers for fraudulent losses, victims
 can spend hundreds of hours repairing the havoc wreaked on their personal
 records and finances and often end up paying legal fees to do so.
 Sometimes, ID-theft victims are forced to pay off the debt racked up in
 their name by fraudsters. In the most insidious cases, they are arrested
 for crimes committed by the person who stole their identity.

 Most identity theft still occurs offline, through stolen cards or rings of
 rogue waiters and shop clerks in cahoots with credit-card forgers. But as
 Carderplanet shows, the Web offers criminals more efficient tools to
 harvest personal data and to communicate easily with large groups on
 multiple continents. The big change behind the expansion of identity theft,
 law-enforcement agencies say, is the growth of online scams.

 Police are finding well-run, hierarchical groups that are structured like
 businesses. With names such as Carderplanet, Darkprofits and Shadowcrew,
 these sites act as online bazaars for stolen personal information. The
 sites are often password-protected and ask new members to prove their
 criminal credentials by offering samples of stolen data.

 Shadowcrew members stole more than $4 million between August 2002 and
 October 2004, according to an indictment of 19 of the site's members
 returned last October by a federal grand jury in Newark, N.J. The
 organization comprised some 4,000 members who traded at least 1.5 million
 stolen credit-card numbers, the indictment says.

 The organizations often are dominated by Eastern European and Russian
 members. With their abundance of technical skills and dearth of jobs,
 police say, those countries provide a rich breeding ground for identity
 thieves. One of Carderplanet's founders was an accomplished Ukrainian
 hacker who went by the online alias "Script," a law-enforcement official
 says. As with many of its peers, the Carderplanet site was mainly in
 Russian but had a dedicated forum for English speakers.

 One English speaker was Mr. Havard. He was arrested in Leeds in June 2004
 after allegedly stealing millions of dollars from bank accounts in the
 United Kingdom and the U.S. The charges against him have been detailed in
 hearings in the Leeds Crown Court, where Mr. Havard recently pleaded
 guilty. Last month, he was sentenced by a British judge to six years in
 prison. His U.K. lawyer, Graham Parkin, says Mr. Havard "accepts his role."

 Mr. Havard grew up in an upper-middle-class neighborhood in north Dallas.
 The son of a well-off entrepreneur who founded a local
 health-care-technology company, he attended a private high school and then
 Southern Methodist University before dropping out in the summer of 2002
 after his freshman year.

 Mr. Havard began honing his criminal skills as a tall, heavy-set teenager.
 He started using computers at a young age because of writing difficulties,
 his lawyers say. He learned about making fake IDs in online discussion
 forums.

 In February 2002, Dallas police arrested the

[Clips] Bellovin, et al., in WSJ: Where the Dangers Are

2005-07-19 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Sun, 17 Jul 2005 21:14:39 -0400
 To: Philodox Clips List <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] Bellovin, et al., in WSJ: Where the Dangers Are
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 <http://online.wsj.com/article_print/0,,SB112128442038984802,00.html>

 The Wall Street Journal

  July 18, 2005
  THE JOURNAL REPORT: TECHNOLOGY

 Information Security
  Where the Dangers Are

 By DAVID BANK and RIVA RICHMOND
 Staff Reporters of THE WALL STREET JOURNAL
 July 18, 2005


 In the world of cybercrime, the bad guys are getting smarter -- and more
 ambitious.

 In recent months, hackers have carried out a flurry of increasingly
 sophisticated attacks, highlighting the vulnerability of key computer
 networks around the world.

 Criminals penetrated the database of CardSystems Solutions Inc., nabbing up
 to 200,000 Visa, MasterCard, American Express and Discover card numbers and
 potentially exposing tens of millions more. Leading high-tech companies in
 Israel allegedly planted surveillance software on the computers of their
 business rivals. British security officials warned of a computer attack
 aimed at stealing sensitive information from banks, insurers and other
 parts of that country's "critical infrastructure."

 ON GUARD
 What new threats do cyber criminals pose? How can computer security be
 improved? Listen to WSJ reporter David Bank's interview with Steven
 Bellovin, professor of computer science at Columbia University and a
 longtime researcher at AT&T Labs.

 Security experts fear things will only get worse. As technology gets more
 complex, more vulnerabilities are springing up in computer networks -- and
 more criminals, terrorists and mischief makers are rushing to exploit them.

 "What people can do on computer networks and what they can find on them has
 increased tenfold from a few years ago," says Bill Hancock, chief security
 officer of Savvis Inc., a major Internet-service provider. Infiltrating
 those machines and using them for evil intent is easier than ever, he says.

 Some of the threats are well known; home-computer users for years have
 battled viruses and spam and more recently have been barraged with spyware,
 adware and fraudsters "phishing" for sensitive information. Less visible is
 the constant probing of corporate networks by would-be intruders seeking
 trade secrets or competitive intelligence, and the data breaches caused by
 disgruntled or dishonest insiders.

 Meanwhile, government authorities report that hackers are stepping up
 attempts to attack critical systems such as water, electricity, finance,
 transportation and communications. Last year, the Department of Homeland
 Security prepared a worst-case cyberdisaster scenario where criminals broke
 into financial-services facilities.

 Twenty million credit cards were canceled, automated teller machines failed
 nationwide, payroll checks couldn't be delivered, and computer malfunctions
 caused a weeklong shutdown of pension and mutual-fund companies. "Citizens
 no longer trust any part of the U.S. financial system," the scenario
 concluded.

 Here's a look at the threats the security experts worry about the most --
 and what businesses and consumers can do to protect themselves.

 TARGETED ATTACKS

 The mass mailings of worms and viruses that clogged email in-boxes and
 corporate networks in recent years have given way to less visible but more
 dangerous attacks aimed at specific business and government targets.

 In many cases, these invasions involve a Trojan -- malicious software that
 hides inside another, innocuous program. Once planted on a victim's
 computer system, the Trojan can, among other things, steal information at
 will and send it back to a criminal. Trojans that are customized for a
 specific target are particularly dangerous, since conventional antivirus
 programs are designed to spot and block previously identified threats.

 "Because these things are one-off, the virus scanners do not recognize them
 at all," says Bryan Sartin, director of technology for Ubizen, a unit of
 Cybertrust Inc. of Herndon, Va.

 Criminals use a variety of methods to get Trojans onto their targets'
 systems. Often, they trick employees at a targeted company into installing
 the software. In the Israeli case, law-enforcement officials discovered
 that the alleged perpetrators gave victims floppy disks containing
 seemingly legitimate business proposals. The disks contained Trojans that
 used "key logger" software to record what users typed, and then t

[Clips] Venona Ten Years Later: Lessons for Today

2005-07-19 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Sun, 17 Jul 2005 22:44:19 -0400
 To: Philodox Clips List <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] Venona Ten Years Later: Lessons for Today
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 <http://www.hnn.us/articles/12812.html>


 History News Network

 July 17, 2005


 7-18-05: News at Home

 Venona Ten Years Later: Lessons for Today
 By Steven T. Usdin
  Mr. Usdin, senior editor, BioCentury Publications, is the author of the
 forthcoming book Engineering Communism: How Two Americans Spied For Stalin
 and Founded The Soviet Silicon Valley (Yale University Press).


 Ten years ago, on July 11, 1995, the U.S. intelligence community held an
 extraordinary press conference at CIA headquarters to break the seal on one
 of the most closely held secrets of the Cold War. The world learned that
 starting in 1946 American cryptologists had cracked Soviet codes and read
 portions of thousands of messages Soviet intelligence operatives sent each
 other during World War II. Most of the cables decrypted in a program that
 came to be known as Venona, one of numerous codenames used to cloak its
 existence, were sent or received by the Soviet head of foreign intelligence.

 Just as the ability to read Stalin's spymaster's correspondence
 dramatically altered the course of the Cold War, public release of the
 cables a half-century later altered our understanding of the dynamics of
 the conflict between the USSR and the West. Coupled with revelations from
 Soviet bloc archives, release of data gathered in the Venona program led to
 dramatic reassessments of decades of history. The revelations reverberated
 worldwide as members of the British, Australian and, above all, American
 communist parties who had protested their innocence were exposed as spies
 and liars. Two generations of Americans for whom the innocence of Julius
 Rosenberg and Alger Hiss was an article of faith were compelled to
 reconsider their mockery of those who had warned about widespread Communist
 espionage.

 Venona not only produced lessons about the past -- it also illuminated
 issues that governments and the public are grappling with today, including
 the risks and benefits of the disclosure of intelligence, the dangers of
 bureaucratic tunnel vision, and the ease with which ordinary people will
 commit crimes to advance Utopian ideologies.

 Venona was made possible because in 1942--during the darkest days of the
 war in Russia, when everything, including skilled manpower, was in short
 supply--Soviet code clerks produced and distributed to agents around the
 globe thousands of duplicate copies of "one-time" pads used to encrypt
 communications. As is clear from the name, the code tables were supposed to
 be used only once, and if this simple precaution had been heeded, the
 encryption system would have been impenetrable. But with Germans at the
 gates of Stalingrad, punctilious adherence to apparently arcane security
 rules must have seemed an unaffordable luxury. The chances of the shortcut
 being detected must have seemed vanishingly small.

 The Venona secrets were disclosed at the July 1995 press conference largely
 as a result of prodding from the late Senator Daniel Patrick Moynihan, who
 learned of the program when he headed the Commission on Protecting and
 Reducing Government Secrecy. The story of how a combination of
 extraordinary luck and tremendous talent led a small team working at a
 former girls' boarding school outside Washington, D.C. to detect and
 exploit the opportunity presented by the replicated one-time pads has been
 described in several books, notably Harvey Klehr and John Earl Haynes's
 Venona: Decoding Soviet Espionage in America (Yale University Press, 2000).

 That first batch of Venona decrypts released a decade ago included cables
 between Pavel Fitin, the Soviet head of foreign intelligence, and his
 officers in New York describing the espionage activities of an American
 engineer codenamed "Liberal" who worked for the U.S. Army Signal Corps.
 These cables were among the first that the Army Security Agency (ASA),
 which was later folded into the National Security Agency, partially
 decrypted and shared with the FBI. It took the FBI a couple of years to
 discover that Rosenberg was Liberal, and another four decades for the
 National Security Agency to share with the American public the documents
 that removed all doubt that he was a spy.

 A 1956 internal memo to FBI Director J. Edgar Hoover revealed three major
 reasons why the Bureau didn't reveal its smoking-gun evidence during the
 Rosenbergs' 1951 trial. There was a fear that disclosing the existence of
 the Venona program could help the Russians minimize the damage to its U.S.
 spy networks. Although Hoover didn't know it at the time, this concern was
 largely unwar
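
The pad duplication described in the article above, as a constructed model added here (not code or data from the article or from the Venona material). It assumes code groups are decimal digits enciphered by digit-wise addition modulo 10; the names `find_duplicate_pages` and `PadLedger` and all sample digits are hypothetical.

```python
"""Why a one-time pad page must be used once (constructed demonstration)."""
import hashlib
import secrets
from collections import defaultdict

PAGE_DIGITS = 10  # constructed page size, chosen only to keep the demo short


def new_page(n=PAGE_DIGITS):
    """Generate one pad page of n uniformly random decimal digits."""
    return [secrets.randbelow(10) for _ in range(n)]


def encipher(code_digits, page):
    """Add pad digits to code-group digits without carrying (mod 10)."""
    if len(page) < len(code_digits):
        raise ValueError("pad page shorter than message")
    return [(c + k) % 10 for c, k in zip(code_digits, page)]


def decipher(cipher_digits, page):
    """Subtract the same pad digits to recover the code groups."""
    return [(c - k) % 10 for c, k in zip(cipher_digits, page)]


def difference(a, b):
    """Digit-wise difference mod 10 of two equal-length digit lists."""
    return [(x - y) % 10 for x, y in zip(a, b)]


def fingerprint(page):
    """Content hash used only to compare pages in this demo."""
    return hashlib.sha256(bytes(page)).hexdigest()


def find_duplicate_pages(books):
    """Production-side audit: report every page that appears more than once.

    books maps a holder name to its list of pages. The result maps a page
    fingerprint to the (holder, page_number) locations that share it.
    """
    seen = defaultdict(list)
    for holder, pages in books.items():
        for number, page in enumerate(pages):
            seen[fingerprint(page)].append((holder, number))
    return {fp: locs for fp, locs in seen.items() if len(locs) > 1}


class PadLedger:
    """Holder-side discipline: refuse a page this holder has already used.

    It cannot see a duplicate page sitting in someone else's book, which is
    why the audit above has to run where the pads are produced.
    """

    def __init__(self):
        self._used = set()

    def encipher_once(self, code_digits, page):
        fp = fingerprint(page)
        if fp in self._used:
            raise RuntimeError("pad page already used")
        self._used.add(fp)
        return encipher(code_digits, page)


if __name__ == "__main__":
    # Constructed code groups, not real traffic.
    msg_a = [3, 1, 4, 1, 5, 9, 2, 6, 5, 3]
    msg_b = [2, 7, 1, 8, 2, 8, 1, 8, 2, 8]
    shared, fresh = new_page(), new_page()

    ca = encipher(msg_a, shared)
    cb = encipher(msg_b, shared)  # same page issued twice
    cc = encipher(msg_b, fresh)   # correct practice: a new page

    # With a reused page the pad cancels out of the ciphertext difference,
    # leaving a value that depends only on the two plaintexts.
    print("reused page leaks plaintext difference:",
          difference(ca, cb) == difference(msg_a, msg_b))
    print("fresh page leaks plaintext difference: ",
          difference(ca, cc) == difference(msg_a, msg_b))

    books = {"station-1": [shared, new_page()], "station-2": [fresh, shared]}
    print("duplicated pages:", list(find_duplicate_pages(books).values()))
```
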

[Clips] AmEx next to give CardSystems the ax

2005-07-20 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Wed, 20 Jul 2005 18:50:04 -0400
 To: Philodox Clips List <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] AmEx next to give CardSystems the ax
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 
<http://money.cnn.com/2005/07/19/news/fortune500/digital_security_americanexpress.reut/>

 CNN


 AmEx next to give CardSystems the ax
 Credit-card company says it will stop using payment processor at center of
 data breach controversy.
 July 19, 2005: 6:59 PM EDT


  CHICAGO (Reuters) - American Express Co., one of the three biggest U.S.
 credit-card companies, said Tuesday that it would no longer use payment
 processor CardSystems Solutions Inc., which is at the center of a
 controversy over a massive data breach.

  Details of up to 40 million payment cards, including names, account
 numbers and expiration dates, are believed to have been taken out of a
 database system run by CardSystems -- the biggest such privacy violation
 ever reported.

  Some fraud tied to the breach has been detected.

  Judy Tanzer, a spokeswoman at American Express, said the
 company would end its relationship with CardSystems beginning in October.
 She declined to comment further.

  American Express is the second big credit-card company to end its business
 relationship with Tucson-based CardSystems.

  On Monday, Visa USA sent a letter to 11 banks that issue Visa-branded
 cards and use CardSystems to process payments informing them it was
 "terminating its approval of CardSystems Solutions, Inc. as a Visa
 processor and third-party agent."

  Visa USA gave the 11 banks until October to find a new company to handle
 the transactions.

  A spokeswoman at MasterCard International, the second biggest credit card
 group behind Visa, said it was giving CardSystems until Aug. 31 to bring
 itself into compliance with its security rules.

  MasterCard spokeswoman Sharon Gamsin read a statement saying: "We are not
 aware of any deficiencies in its system that are incapable of being
 remediated."

  She said MasterCard was monitoring the process closely and, so far,
 CardSystems appeared to be on track. But she said that, if the company
 failed to meet the deadline for full compliance, its relationship with
 MasterCard was "at risk."

  In June, CardSystems Solutions, which processes credit cards for 115,000
 U.S. merchants, revealed it had mishandled customer data by storing data on
 customers -- in violation of Visa and MasterCard's security standards.

  It also said it had "identified a potential security incident" serious
 enough to prompt it to contact the Federal Bureau of Investigation (FBI).

  CardSystems Solutions, which has been in business for about 15 years, is
 not publicly traded. Its owners include Camden Partners, a Baltimore-based
 private equity firm, which invested $9.3 million in the Tucson company last
 year.

  According to CardSystems' Web site, it processes more than $15 billion
 annually in transactions made online and with credit card issuers Visa,
 MasterCard, American Express and Discover, which is owned by investment
 bank Morgan Stanley.



--- end forwarded text




[Clips] Soft cash in, hard cash out

2005-07-22 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Fri, 22 Jul 2005 08:10:17 -0400
 To: "Philodox Clips List" <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] Soft cash in, hard cash out
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]



 <http://www.newscientist.com/channel/info-tech/mg18725091.800>

  Soft cash in, hard cash out

  * 23 July 2005
  * From New Scientist Print Edition.
  * Dana Mackenzie
  * Dana Mackenzie is a science writer based in Santa Cruz, California


 MONEY makes the world go around, but not always as conveniently as one
 might wish. There's never enough cash in your wallet; the coins in your
 purse only weigh you down. Then there is the pile of bank cards to squeeze
 in, and as if that weren't enough, store cards just keep multiplying.

 But that is all set to change. A raft of new technologies is appearing that
 will suck up that cash and dump it into a handy electronic device,
 liberating our pockets from crumpled notes, jangling change and wads of
 cards. These electronic alternatives are promising to bring about an
 explosion in the number of ways of paying for things and perhaps usher in
 currencies that work quite differently from dollars, pounds and euros.

 We are already used to paying with credit or debit cards rather than
 cheques or cash. But what if you want to make a payment online that is as
 anonymous as cash? An international system now being developed could do the
 trick. Other times you might buy goods with your frequent-flier miles. Or
 if you commute every day, you might use a payment card that will net you a
 discount on your next subway ride. You might even choose a payment system
 that's designed to benefit your community. And because it will all be
 computerised, the pain of managing all these accounts will be handled
 automatically.

 Today most currencies are issued by national central banks. But there is no
 fundamental reason it must be this way. Anyone can legally issue a
 currency. All it needs to make it work is a large enough community of
 people who respect its value. For that to happen, there have to be
 safeguards against counterfeiting - for an electronic currency this means
 cryptographic protection.

 And what about the hardware that will make wallets, purses and cards
 obsolete? In Japan, millions of people are already getting a taste of
 electronic cash in the form of a service run by the cellphone operator NTT
 DoCoMo. The company sells handsets with built-in wireless electronic
 payment systems for small cash transactions. It looks as though in the near
 future the mobile phone will double as a personal banking device, keeping
 track of your money and maintaining order in your electronic wallet.

 The coming of cards

 Is it really possible that the way we pay for things will change so
 dramatically that the need for cash might completely evaporate? The story
 of credit cards suggests that this is not a pipe dream. Just two
 generations ago, they did not exist: they arrived in the US only in 1958,
 the UK had to wait another eight years, and Australia eventually caught up
 in 1974. Yet worldwide, there are now more than 1.7 billion credit cards in
 circulation. Credit cards, and their younger siblings debit cards, dominate
 our payment habits.

 But they are no longer alone. Other payment options have begun to appear on
 the scene, and some have many key attributes of an alternative currency.
 Take frequent-flyer miles. As well as buying flights, AirMiles "earned"
 with British Airways can be used to pay for shopping at Sainsbury's
 supermarkets in the UK. Frequent-flyer miles given to Cathay Pacific
 passengers can even be used to pay for surgery at one private hospital in
 Thailand.

 While credit cards are used mainly for large or medium-value purchases,
 other options are starting to appear for "micropayments" down to just a few
 pence. In Hong Kong, a smart card called Octopus, which was designed to
 speed access to public transport systems, has since 2000 also been accepted
 in shops as a way to buy low-value items like newspapers and drinks. And in
 London, the Oyster card now widely used to pay for journeys on London's
 buses and underground trains will soon go on trial in a similar system.

 Yet despite the high-tech alternatives, cash has proved remarkably hard to
 dislodge from our lives. In the mid-1990s there were high hopes for e-money
 systems such as Mondex and Visa Cash, but they failed to catch on. At the
 time, it was argued that electronic money was more convenient than cash.
 But it turned out that most people did not agree.

 Perhaps these attempts were too ambitious. "One thing that Mondex did wrong
 was that it tried to be everywhere," says Jean Camp of Harvard University,
 the president of the International Financial Cryptography Association. On
 the

[Clips] Credit Data Firm Might Close

2005-07-22 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Fri, 22 Jul 2005 10:46:45 -0400
 To: Philodox Clips List <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] Credit Data Firm Might Close
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 
<http://www.washingtonpost.com/wp-dyn/content/article/2005/07/21/AR2005072102465_pf.html>

 The Washington Post

 washingtonpost.com
 Credit Data Firm Might Close
 After Databases Hacked, Customers Cancel Contracts

 By Jonathan Krim
 Washington Post Staff Writer
 Friday, July 22, 2005; D02

 The head of a payment processing firm that was infiltrated by computer
 hackers, exposing as many as 40 million credit card holders to possible
 fraud, told Congress yesterday that his company is "facing imminent
 extinction" because of its disclosure of the breach and industry's reaction
 to it.

 "As a result of coming forward, we are being driven out of business," John
 M. Perry, chief executive of CardSystems Solutions Inc., told a House
 Financial Services Committee subcommittee considering data-protection
 legislation. He said that if his firm is forced to shut down, other
 financial companies will think twice about disclosing such attacks.

 Visa USA Inc. and American Express Co. recently announced after
 investigating the breach at CardSystems' Tucson, Ariz., facility that they
 would no longer allow the firm to process transactions made with their
 cards.

 Atlanta-based CardSystems is one of several firms that serve as a
 little-known hub in the nation's commerce system, transferring payments
 between the banks of credit card-using consumers and the banks of the
 merchants where purchases are made.

 Perry called the decisions by Visa and American Express draconian and said
 that unless Visa reconsiders, CardSystems would close and put 115 people
 out of work. CardSystems handles only a small percentage of American
 Express transactions, while Visa accounts for a large part of its business.

 Perry said closing his company could disrupt the ability of merchants to
 complete transactions, since it might take time for them to arrange for
 alternate payment processors. For that reason, Visa said it is not cutting
 off the company until Oct. 31.

 While Perry said his company is doing everything it can to ensure that such
 a breach never occurs again, Visa said it could not overlook that
 CardSystems knowingly violated contractual requirements for how long credit
 card data were supposed to be stored and how they were secured.

 Rosetta Jones, a Visa USA spokeswoman, said after the hearing that the
 credit card giant also has had difficulty getting sufficient information
 from CardSystems since the breach occurred. Nonetheless, at the urging of
 Rep. Rick Renzi (R-Ariz.), Visa agreed to another meeting with CardSystems
 before it severs ties with the firm.

 Neither Perry nor representatives of the major credit card companies could
 explain at the hearing why an audit of CardSystems in 2003 did not address
 its computer vulnerabilities or its practice of retaining some data for
 research purposes.

 Of the 40 million credit card numbers in CardSystems' data banks, roughly
 240,000 are known to have been downloaded in May by the hackers, who
 implanted malicious computer code into the company's network last fall to
 gain access to the information.

 The files did not contain Social Security numbers, driver's license data or
 other personal information frequently targeted by identity thieves.

 Perry said that he knows of no purloined credit card numbers that were used
 fraudulently, although MasterCard -- which first announced the breach to
 the public last month -- said that "a small number" of card numbers were
 misused.

 Law enforcement agencies, including the FBI, are investigating the incident.

 Subcommittee members, while condemning the data breaches that have exposed
 millions of consumers to possible fraud or identity theft in the past year,
 disagreed on what Congress should do about it.

 "The CardSystems incident is a spectacular failure" of private industry to
 effectively secure personal data, Rep. Carolyn B. Maloney (D-N.Y.) said in
 urging greater regulation. "We need to provide the legal structure to fix
 it."

 In response, Rep. Tom Price (R-Ga.) admonished members against "greater
 regulation and greater penalties, which is oftentimes the knee-jerk
 reaction" to problems.

 With numerous House and Senate bills already introduced to address identity
 fraud and theft, and several more being prepared, both parties expect
 legislative action.

 Most bills would require disclosure of breaches, though the industry
 supports limiting notification to cases in which there is significant risk
 that the data could be used for fraud or identity theft.

 Representatives of the credit card companies 

[Clips] "Clippre": Police ask for tough new powers

2005-07-25 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Fri, 22 Jul 2005 19:43:26 -0400
 To: Philodox Clips List <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] "Clippre": Police ask for tough new powers
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 Here we go again...

 >They also want to make it a criminal offence for suspects to refuse to
 >cooperate in giving the police full access to computer files by refusing
 >to disclose their encryption keys.

 Cheers,
 RAH
 

 <http://www.guardian.co.uk/print/0,3858,5245014-117079,00.html>

   The Guardian

 Police ask for tough new powers

 PM told of need for three-month detention of suspects and crackdown on websites
 Alan Travis and Richard Norton-Taylor
 Friday July 22, 2005


 Police last night told Tony Blair that they need sweeping new powers to
 counter the terrorist threat, including the right to detain a suspect for
 up to three months without charge instead of the current 14 days.

 Senior officers also want powers to attack and close down websites, and a
 new criminal offence of using the internet to prepare acts of terrorism, to
 "suppress inappropriate internet usage".

 They also want to make it a criminal offence for suspects to refuse to
 cooperate in giving the police full access to computer files by refusing to
 disclose their encryption keys.

 The police would also like to see much clearer information given to the
 public about the threat level, the creation of a specialist border security
 agency and further discussions about the use of phonetap evidence in
 terrorist cases.

 The Association of Chief Police Officers published its list of 11 further
 changes in the law it wants after meeting Mr Blair and security services
 chiefs yesterday.

 MI5 and MI6 wanted yesterday's meeting to discuss Britain's entire
 counter-terrorism strategy and how to fill the intelligence gaps exposed by
 the London bombings.

 Whitehall officials confirmed that, as reported in yesterday's Guardian,
 the security and intelligence agencies want a new system of plea
 bargaining. Convicted terrorists would be given lighter sentences if they
 supplied information before their trials.

 Suspects would be given the chance to provide information in
 "intelligence-only" interviews and none of the information would be used
 against them in trials.

 Officials also said MI5 was "in principle" in favour of the product of
 phone taps being used as evidence in trials. What has not been resolved is
 who would pay for the resources needed to transcribe the tapes in a way
 that would satisfy defence lawyers, according to counter-terrorism sources.

 The prime minister has said he is willing to consider any "gaps in the law"
 that police and security chiefs identify as a result of the London attacks.

 Ken Jones, the chairman of Acpo's terrorism committee and Sussex chief
 constable, said: "The evolving nature of the current threat from
 international terrorism demands that those charged with countering the
 threat have the tools they need to do the job.

 "Often there is a need to intervene and disrupt at an early stage those who
 are intent on terrorist activity, in order to protect the public. Clearly
 our legislation must reflect the importance of such disruptive action."

 The most controversial of the police proposals is the demand to be able to
 hold without charge a terrorist suspect for three months instead of 14
 days. An Acpo spokesman said the complexity and scale of counter-terrorist
 operations means the 14-day maximum is often insufficient.

 "The complexities and timescales surrounding forensic examination of
 [crime] scenes merely add to the burden and immense time pressures on
 investigating officers," he said. Three-month periods would help to ensure
 the charge could be sustained in court.

 Other powers police told Mr Blair they needed include:

 · Terror suspects to give compulsory answers to questions similar to
 obligations on company directors in fraud trials;

 · A duty on the private sector to install protective security in designated
 locations;

 · Putting private security staff at the disposal of the police in the
 immediate aftermath of an outrage;

 · New generation CCTV cameras at ports and airports.

 The police sought extra funding for a regional network of Special Branch
 officers and a further £45m to ensure national coverage for the new
 generation CCTV cameras, which scan number plates and alert intercept teams.

 "The terrorist attacks in London on July 7 and today provide an opportunity
 for us to reflect on our systems and practices to ensure they are
 sufficient to counter such unprecedented events," Mr Jones said.

 --
 -
 R. A. Hettinga 
 The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>

Privacy Guru Locks Down VOIP

2005-08-01 Thread R.A. Hettinga

--- begin forwarded text


 Date: Wed, 27 Jul 2005 08:12:53 -0400
 To: "Philodox Clips List" <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject:  Privacy Guru Locks Down VOIP


 --- begin forwarded text


  Date: Wed, 27 Jul 2005 12:44:43 +0200
  From: Eugen Leitl <[EMAIL PROTECTED]>
  To: [EMAIL PROTECTED]
  Cc: [EMAIL PROTECTED], [EMAIL PROTECTED]
  Subject: Privacy Guru Locks Down VOIP
  User-Agent: Mutt/1.5.9i
  Sender: [EMAIL PROTECTED]

  http://wired.com/news/print/0,1294,68306,00.html

  Privacy Guru Locks Down VOIP
  By Kim Zetter

  Story location: http://www.wired.com/news/technology/0,1282,68306,00.html

  10:20 AM Jul. 26, 2005 PT

  First there was PGP e-mail. Then there was PGPfone for modems. Now Phil
  Zimmermann, creator of the wildly popular Pretty Good Privacy e-mail
  encryption program, is debuting his new project, which he hopes will do for
  internet phone calls what PGP did for e-mail.

  Zimmermann has developed a prototype program for encrypting voice over
  internet protocol, or VOIP, which he will announce at the BlackHat security
  conference in Las Vegas this week.

  Like PGP and PGPfone, which he created as human rights tools for people
  around the world to communicate without fear of government eavesdropping,
  Zimmermann hopes his new program will restore some of the civil liberties
  that have been lost in recent years and help businesses shield themselves
  against corporate espionage.

  VOIP, or internet telephony, allows people to speak to each other through
  their computers using a microphone or phone. But because VOIP uses broadband
  networks to transmit calls, conversations are vulnerable to eavesdropping in
  the same way that e-mail and other internet traffic is open to snoops.
  Attackers can also hijack calls and reroute them to a different number.

  Few people consider these risks, however, when they switch to VOIP.

  "Years ago, people kind of stumbled into e-mail without really thinking about
  security," Zimmermann said. "I think that what's happening today with VOIP is
  that we're kind of stumbling into it (as well) without thinking about
  security." People don't think about it, he said, because they're used to
  phone calls being secure on the regular phone system -- known as the Public
  Switched Telephone Network.

  "The PSTN is like a well-manicured neighborhood, (while) the internet is like
  a crime-ridden slum," Zimmermann said. "To move all of our phone calls from
  the PSTN to the internet seems foolish without protecting it."

  Interest in VOIP is growing rapidly because the user pays less for the service
  and pays no long-distance toll charges. Some services are free. According to
  one recent survey, 11 million people worldwide use a subscription VOIP
  service, compared to only 5 million in 2004, and at least another 35 million
  use free VOIP services. That leaves a lot of people potentially open to
  eavesdropping.

  It's not as easy to eavesdrop on VOIP as it is to intercept and read e-mail.
  Phone conversations aren't stored or backed up where an attacker can access
  them, so the conversations have to be captured as they occur.

  But a program available for free on the internet already allows intruders to
  do just that. Using the tool, someone with access to a local VOIP network
  could capture traffic, convert it to an audio file and replay the voice
  conversation. The program is called Voice Over Misconfigured Internet
  Telephones, a name clearly chosen for its catchy acronym -- VOMIT.

  Bruce Schneier, chief technology officer of Counterpane Internet Security and
  author of the Crypto-Gram newsletter, said that the need for VOIP encryption
  is a given.

  "If you're concerned about eavesdropping, then encryption is how you defend
  against it," he said. "And it's not that hard to do. It's just a matter of
  writing the code."

  But David Endler, chairman of the VOIP Security Alliance industry group and
  director of security research at TippingPoint, said a protocol for encrypting
  and protecting VOIP data already exists and companies are starting to make
  VOIP phones that support the protocol. But he said that people typically don't
  enable the encryption option.

  "Probably because we're not seeing attacks yet," he said.

  He said most users are less concerned with eavesdropping than with having VOIP
  service that provides the same quality and reliability that they expect from
  regular phone service.

  "Some people can see clearly that there's a need for this, and others wonder
  if anyone cares about protecting phone calls," Zimmermann said. "But those are
  the same people who wondered why anyone would want to protect e-mail. I think
  as people gain experience with VOIP they're going to 

[Clips] All your routers are belong to us

2005-08-01 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Wed, 27 Jul 2005 22:57:32 -0400
 To: "Philodox Clips List" <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] All your routers are belong to us
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]


 --- begin forwarded text


  Date: Wed, 27 Jul 2005 18:49:47 -0700
  From: "Major Variola (ret)" <[EMAIL PROTECTED]>
  Organization: GLODO PSYOPS
  To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
  Subject: All your routers are belong to us
  Sender: [EMAIL PROTECTED]

  Take da subway, its da bomb




  LAS VEGAS--Cisco Systems has taken legal action to keep a researcher
  from further discussing a hack into its
  router software.

  The networking giant and Internet Security Systems jointly filed a
  request Wednesday for a temporary restraining order
  against Michael Lynn and the organizers of the Black Hat security
  conference. The motion came after Lynn showed in a
  presentation how attackers could take over Cisco routers--a problem that
  he said could bring the Internet to its knees.

  The filing in U.S. District Court for the Northern District of
  California asks the court to prevent Lynn and Black Hat from
  "further disclosing proprietary information belonging to Cisco and ISS,"
  said John Noh, a Cisco spokesman.

  "It is our belief that the information that Lynn presented at Black Hat
  this morning is information that was illegally obtained
  and violated our intellectual property rights," Noh added.

  Lynn decompiled Cisco's software for his research and by doing so
  violated the company's rights, Noh said.

  The legal moves came Wednesday afternoon, only hours after Lynn gave the
  talk at the Black Hat security conference here.
  Lynn told the audience that he had quit his job as a researcher at ISS
  to deliver the presentation, after ISS had decided to pull
  the session. Notes on the vulnerability and the talk, "The Holy Grail:
  Cisco IOS Shellcode and Remote Execution," were
  removed from the conference proceedings, leaving a gap in the thick
  book.

  Lynn outlined how to run attack code on Cisco's Internetwork Operating
  System by exploiting a known security flaw in IOS.
  The software runs on Cisco routers, which make up the infrastructure of
  the Internet. A widespread attack could badly hurt
  the Internet, he said.

  The actual flaw he exploited for his attack was reported to Cisco and
  has been fixed in recent releases of IOS, experts
  attending Black Hat said.

  The ISS research team, including Lynn, on Monday decided to cancel the
  presentation, Chris Rouland, chief technology
  officer at ISS, said in an interview. "It wasn't ready yet," he said.
  Lynn resigned from ISS on Wednesday morning and
  delivered the presentation anyway, Rouland added.

  Lynn presented ISS research while he was no longer an employee, Rouland
  said.

  Adding to the controversy, a source close to the Black Hat organization
  said that it wasn't ISS and Lynn who wanted to
  cancel the presentation, but Cisco. Lynn was asked to give a different
  talk, one on Voice over Internet Protocol security, the
  source said.

  But ISS' Rouland said there "was never a VoIP presentation" and that
  Wednesday's session was supposed to be cancelled
  altogether.

  "The research is very important, and the underlying work is important,
  but we need to work with Cisco to determine the full
  impact," Rouland said.







  Cisco was involved in pulling the presentation, a source close to the
  company said. The networking giant had discussions
  with ISS and they mutually agreed that the research was not yet fully
  baked, the source said.

  The demonstration on Wednesday showed an attack on a directly connected
  router, not a remote attack over the Internet.
  "You could bring down your own router, but not a remote one," Rouland
  said.

  One Black Hat attendee said he was impressed with Lynn's presentation.
  "He got a shell really easy and showed a basic
  outline how to do it. A lot of folks have said this could not be done,
  and he sat up there and did it," said Darryl Taylor, a
  security researcher. "Shell" is a command prompt that gives control over
  the operating system.

  Noh said that Lynn's presentation did not disclose information about a
  new security vulnerability or new security flaws. "His
  research explored possible ways to expand the exploitation of existing
  vulnerabilities affecting routers," the Cisco spokesman
  said.

  Cisco has patched several flaws in IOS over the past year. Last year,
  the San Jose, Calif., networking giant said that part of
  the IOS source code had been stolen, raising fears of more security bugs
  being found.

  On W

[Clips] Hackers Hit Microsoft Windows Genuine Advantage

2005-08-02 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Mon, 1 Aug 2005 22:34:52 -0400
 To: Philodox Clips List <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] Hackers Hit Microsoft Windows Genuine Advantage
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 <http://www.informationweek.com/story/showArticle.jhtml?articleID=166403976>

 InformationWeek


 Genuine Advantage was supposed to block users from pirating Windows, but
 hackers defeated the program in a matter of days.
  By The Associated Press


  Days after Microsoft launched a new anti-piracy program, hackers have
 found a way to get around it.

 The software company's new program, called Windows Genuine Advantage,
 requires computer users to go through a process validating that they're
 running a legitimate copy of the Windows operating system before
 downloading any software updates except for security patches.

 But the check can be bypassed by entering a simple JavaScript command in
 the Web browser's address bar and hitting the "Enter" key. When that's
 done, the validation does not run and the user is taken directly to the
 download.

 Microsoft said it was investigating and that the glitch was not a security
 vulnerability.

 The hack appears only to work when a computer user is trying to download
 software through the Windows Update service. Some software, such as
 Microsoft's AntiSpyware beta, isn't available there but can be found
 elsewhere on microsoft.com.

 Such downloads also require validation, but the hack does not appear to
 work. On Friday, attempts to download the antispyware program resulted in a
 server error, with a message that read, "It appears that our activation
 servers are not functioning properly."

 All Windows users, even those with pirated copies, can still download
 security patches. For any other software updates, Microsoft now requires
 computer users to validate that their computers aren't running counterfeit
 copies of Windows.

 --
 -
 R. A. Hettinga 
 The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
 44 Farquhar Street, Boston, MA 02131 USA
 "... however it may deserve respect for its usefulness and antiquity,
 [predicting the end of the world] has not been found agreeable to
 experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
 ___
 Clips mailing list
 [EMAIL PROTECTED]
 http://www.philodox.com/mailman/listinfo/clips

--- end forwarded text




[Clips] "Clippre": Leaving a trail of tech

2005-08-02 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Mon, 1 Aug 2005 22:38:26 -0400
 To: Philodox Clips List <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] "Clippre": Leaving a trail of tech
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 
<http://www.newsday.com/news/nationworld/world/ny-woside0802,0,6663269,print.story?coll=ny-top-headlines>



 Newsday.com:

 Leaving a trail of tech

 Cell phones and the encryption of files on computers are tools authorities
 now focus on in tracking terror


  BY MARK HARRINGTON
  STAFF CORRESPONDENT

  August 2, 2005

  LONDON --  He may have skipped Britain on an ordinary rail ticket amid the
 country's highest level of security since World War II, but it was not long
 before authorities picked up his signal, literally.

  By the time they seized him in Rome on Friday, Hamdi Issac, also known as
 Osman Hussain -- one of the suspects in London's failed July 21 bombings --
 had made a call to Saudi Arabia, scattered a trail across Europe and even
 tried to throw authorities off his track by changing the electronic chip in
 his cell phone, according to an Italian anti-terror chief yesterday.

  But even as authorities in London celebrated a series of technological
 successes in the complex probe of the city's terror attacks last month,
 they were asking for more powers.

  In a move reminiscent of the fast-track treatment received by the USA
 Patriot Act following the Sept. 11 attacks in 2001, Parliament is expected
 to swiftly weigh a number of anti-terror measures, including legislation
 that would make it a crime for anyone to withhold access codes to computer
 files that have been encrypted. Sentences of up to 10 years in prison are
 reported to be on the table, though any such measure would have to wait
 until Parliament reconvenes in the fall.

  The call for stiffer anti-encryption laws comes as investigators have
 gained unprecedented insight into the movement and training of suspects
 through cell phones and computers.

  In a televised news briefing in Rome yesterday, Italian anti-terror chief
 Carlo De Stefano described in surprising detail the path of suspected
 bomber Issac as he entered Italy and traveled around the country before
 being captured by authorities over the weekend.

  "You always have this evolving technological struggle between
 counterterrorism forces and the terrorist," said Jeremy Binnie, an analyst
 with the London-based Jane's Terrorism and Insurgency Center, describing
 why authorities are pushing for tougher rules. The law "makes sense if
 authorities are trying to gather evidence and they think the information is
 crucial and can't get it otherwise."

  But Peter Neumann, an international anti-terrorism expert at King's
 College in London, wondered whether tougher laws would simply push
 increasingly sophisticated terrorists to means other than encrypted files
 to hide evidence. He suggested that Issac's apparent failure to understand
 the trail he was leaving behind with his cell phone use is relatively
 uncommon among generally more techno-savvy Islamic terrorists.

  One of the suspects in the July attacks here, he said, has acknowledged
 using Internet tutorials to learn the techniques of bomb-making. While a
 London Metropolitan Police spokeswoman declined to comment, Neumann said it
 is increasingly common for terrorists to plan attacks and outline
 techniques on Web pages that are set up and taken down in a matter of
 hours, before police can discover or trace them. "It's a very fluid system
 and very effective," he said.

  Encryption technology is commonly available and relatively easy to use,
 Neumann noted, but it is still considered sophisticated. "The big irony of
 these movements is that while they are very medieval in ideology, they are
 also very modern in employing technology," Neumann said.

  Still, legislation that would try to force users to unlock access codes
 may not prove particularly effective if it is enacted for Britain alone.
 "National legislation doesn't strike me as something very useful" unless
 the effort is undertaken across Europe, he said.

 --
 -
 R. A. Hettinga 
 The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
 44 Farquhar Street, Boston, MA 02131 USA
 "... however it may deserve respect for its usefulness and antiquity,
 [predicting the end of the world] has not been found agreeable to
 experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

--- end forwarded text



[Clips] Online ID Thieves Exploit Lax ATM Security

2005-08-02 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Tue, 2 Aug 2005 09:41:54 -0400
 To: Philodox Clips List <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] Online ID Thieves Exploit Lax ATM Security
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 <http://online.wsj.com/article_print/0,,SB112295453682902381,00.html>

 The Wall Street Journal

  August 2, 2005


 Online ID Thieves
  Exploit Lax ATM Security

 DOW JONES NEWSWIRES
 August 2, 2005


 Online identity thieves are exploiting lax cash-machine security to bilk
 banks out of as much as a million dollars a month each, a report from
 research firm Gartner Inc. shows.

 According to the report, which is scheduled for release today, fraudsters
 are increasingly gathering consumer automated-teller-machine information
 with "phishing" scams and hacker programs for capturing keystrokes, which
 they are using to make fake cards and empty consumer bank accounts.

 Gartner said thieves are taking advantage of the fact that as many as half
 of banks don't check special, difficult-to-steal security codes that are
 hidden on ATM cards' magnetic strips before dispensing cash, Gartner says.
 Attackers even trade information online about which banks don't check the
 codes.

 "They're phishing for the account number and PIN. That's all they need to
 create a counterfeit card," said Gartner analyst Avivah Litan. In phishing
 scams, fraudsters use deceptive email and Web sites to trick people into
 divulging sensitive financial information.

 ATM fraud is emerging as a major new problem for banks. Losses are
 approaching those from credit-card fraud, a Gartner survey of 5,000
 consumers found. The firm estimates ATM fraud resulted in $2.75 billion in
 losses in the year ended May 2005, compared with $2.9 billion for
 credit-card fraud and $3.5 billion for fraudulent checking-account
 transfers.

 --
 -
 R. A. Hettinga 
 The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
 44 Farquhar Street, Boston, MA 02131 USA
 "... however it may deserve respect for its usefulness and antiquity,
 [predicting the end of the world] has not been found agreeable to
 experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

--- end forwarded text




[fc-announce] CFP FC'06: Financial Cryptography and Data Security

2005-08-02 Thread R.A. Hettinga

--- begin forwarded text


 To: [EMAIL PROTECTED]
 From: Avi Rubin <[EMAIL PROTECTED]>
 Subject: [fc-announce] CFP FC'06: Financial Cryptography and Data Security
 Sender: [EMAIL PROTECTED]
 Date: Tue, 2 Aug 2005 13:58:29 -0400

 
 Call for Papers

  FC'06: Financial Cryptography and Data Security
   http://fc06.ifca.ai/

  Tenth International Conference
   February 27 to March 2, 2006
   Anguilla, British West Indies

  Submissions Due Date: October 17, 2005

 Program Chairs: Giovanni Di Crescenzo (Telcordia)
  Avi Rubin (Johns Hopkins University)

 General Chair: Patrick McDaniel (Penn State University)

 Local Arrangements Chair: Rafael Hirschfeld (Unipay Technologies)

 At its 10th year edition, Financial Cryptography and Data Security
 (FC'06) is a well established and major international forum for
 research, advanced development, education, exploration, and debate
 regarding security in the context of finance and commerce. We will
 continue last year's augmentation of the conference title and expansion
 of our scope to cover all aspects of securing transactions and systems.
 These aspects include a range of technical areas such as: cryptography,
 payment systems, secure transaction architectures, software systems and
 tools, user and operator interfaces, fraud prevention, secure IT
 infrastructure, and analysis methodologies. Our focus will also
 encompass financial, legal, business and policy aspects. Material both
 on theoretical (fundamental) aspects of securing systems, on secure
 applications and real-world deployments will be considered.

 The conference goal is to bring together top cryptographers,
 data-security specialists, and scientists with economists, bankers,
 implementers, and policy makers. Intimate and colorful by tradition,
 the FC'06 program will feature invited talks, academic presentations,
 technical demonstrations, and panel discussions. In addition, we will
 celebrate this 10th year edition with a number of initiatives, such as:
 especially focused session, technical and historical state-of-the-art
 panels, and one session of surveys.

 This conference is organized annually by the International Financial
 Cryptography Association (IFCA).

 Original papers, surveys and presentations on all aspects of financial
 and commerce security are invited. Submissions must have a visible
 bearing on financial and commerce security issues, but can be
 interdisciplinary in nature and need not be exclusively concerned with
 cryptography or security. Possible topics for submission to the various
 sessions include, but are not limited to:

 - Anonymity and Privacy
 - Auctions
 - Audit and Auditability
 - Authentication and Identification, including Biometrics
 - Certification and Authorization
 - Commercial Cryptographic Applications
 - Commercial Transactions and Contracts
 - Digital Cash and Payment Systems
 - Digital Incentive and Loyalty Systems
 - Digital Rights Management
 - Financial Regulation and Reporting
 - Fraud Detection
 - Game Theoretic Approaches to Security
 - Identity Theft, Phishing and Social Engineering
 - Infrastructure Design
 - Legal and Regulatory Issues
 - Microfinance and Micropayments
 - Monitoring, Management and Operations
 - Reputation Systems
 - RFID-Based and Contactless Payment Systems
 - Risk Assessment and Management
 - Secure Banking and Financial Web Services
 - Securing Emerging Computational Paradigms
 - Security and Risk Perceptions and Judgments
 - Security Economics
 - Smart Cards and Secure Tokens
 - Trust Management
 - Trustability and Trustworthiness
 - Underground-Market Economics
 - Usability and Acceptance of Security Systems
 - User and Operator Interfaces
 - Voting system security

   Submission Instructions

 Submission Categories

 FC'06 is inviting submissions in four categories: (1) research papers,
 (2) systems and applications presentations, (3) panel sessions, (4)
 surveys. For all accepted submissions, at least one author must attend
 the conference and present the work.

 Research Papers

 Research papers should describe novel scientific contributions to the
 field, and they will be subject to rigorous peer review. Papers can be
 a maximum of 15 pages in length (including references and appendices),
 and accepted submissions will be published in full in the conference
 proceedings.

 Systems and Application Presentations

 Submissions in this category should describe novel or successful
 systems with an emphasis on secure digital commerce applications.
 Presentations may concern commercial systems, academi

[Clips] Apple adopts controversial security chip

2005-08-03 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Wed, 3 Aug 2005 12:21:15 -0400
 To: Philodox Clips List <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] Apple adopts controversial security chip
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 <http://www.vnunet.com/vnunet/news/2140687/apple-embraces-controversial>

 VNUNet


 Apple adopts controversial security chip

 Trusted Platform Module limits OS X to Macs, but could do more
  Tom Sanders in California, vnunet.com 03 Aug 2005

 Developer preview models of Apple's forthcoming Intel-powered
 computer contain a security chip that has come under fire for its ability
 to compromise the privacy of users.

 Apple recently started shipping Developer Transition Kits that help
 developers test and prepare software for the switch to the Intel-powered
 computers next year. The kit contains a version of OS X for Intel, and a
 Mac computer featuring an Intel processor.

 The computer features a security chip called the Trusted Platform Module
 (TPM), an open industry standard governed by the not-for-profit Trusted
 Computing Group which develops security standards.

 The chip's inclusion with the Apple hardware does not come as a complete
 surprise. It has been previously suggested that Apple could use the TPM to
 prevent computer users installing the OS X operating system on a non-Mac
 computer.

 "The TPM is going to be the barrier for moving the Mac software to any PC,"
 Martin Reynolds, a research fellow at analyst firm Gartner, told vnunet.com.

 Each TPM chip contains an encrypted serial number that allows the operating
 system to verify whether it is running on Apple hardware.

 Hackers could in theory forge the serial number, according to Reynolds,
 fooling the software into believing that it is running on Mac hardware even
 when it is not.

 The security chips are currently included with some PCs for the enterprise
 market from IBM/Lenovo and HP. They use the TPM to securely store passwords
 or encrypt data.

 The upcoming Windows Vista relies on the TPM for a technology dubbed Secure
 Startup, which blocks access to the computer if the content of the hard
 drive is compromised.

 This prevents a laptop thief from swapping out the hard drive, or booting
 the system from a floppy disk to circumvent security features.

 Reynolds suggested that in the future software developers could use the
 chip as an anti-piracy device. The vendor would link the TPM identification
 number to the software registration key.

 However, the TPM has also gained notoriety because it is seen as a way to
 invade user privacy. The identifying number built into the chip could be
 used to limit the fair use of digital media by enforcing digital rights
 management technologies, or to track users online.

 But Reynolds insisted that the fear of such scenarios is overstated, and
 that privacy-infringing schemes are uncovered sooner or later at great
 expense to the computer maker.

 "There are things that manufacturers could do with the TPM that are very
 much against the interests of the user. But, in practice, manufacturers
 have found that it is best not to do that," he said.

 Apple did not respond to questions about the TPM in time for this story's
 posting.

 --
 -
 R. A. Hettinga 
 The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
 44 Farquhar Street, Boston, MA 02131 USA
 "... however it may deserve respect for its usefulness and antiquity,
 [predicting the end of the world] has not been found agreeable to
 experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
 ___
 Clips mailing list
 [EMAIL PROTECTED]
 http://www.philodox.com/mailman/listinfo/clips

--- end forwarded text




[Clips] Escaping Password Purgatory

2005-08-03 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Wed, 3 Aug 2005 15:27:20 -0400
 To: Philodox Clips List <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] Escaping Password Purgatory
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 
<http://www.forbes.com/2005/08/03/usps-password-casestudy-cx_de_0803password_print.html>

 Forbes


 Computer Hardware Software
 Escaping Password Purgatory
 David M. Ewalt,  08.03.05, 3:00 PM ET

 There's a story in the biblical Book of Judges about two warring Semitic
 tribes, the Ephraimites and the Gileadites. In the wake of a great battle,
 the Gileadites set up a blockade to catch escaping enemies and asked anyone
 passing by to pronounce the word "shibboleth." The Ephraimites couldn't
 wrap their tongues around the password and were thus exposed, captured and
 put to the sword.

 As far as we know, nobody's ever been executed for typing the wrong
 password to their e-mail account. But it's likely there have been a few IT
 guys who've considered that option. Managing forgotten passwords is a huge
 problem for IT departments, often consuming massive amounts of worker time
 and company money. But software that gives users just a single sign on
 could save the day.

 Keeping track of passwords might not have been a big deal when you only had
 to remember one or two of them. But increasingly, users are saddled with so
 many shibboleths that they can't keep track. "I think I have passwords for
 over 47 different applications both internal and external that I access,
 and I've acquired those IDs and passwords over several years," says Wayne
 Grimes, manager of customer care operations for the U.S. Postal Service.

 Three years ago, the USPS was getting pounded by the password problem. "Our
 help desk was getting overwhelmed with password reset requests," says
 Grimes. The service has about 235,000 users who access more than 700
 internal applications, each of which requires a separate ID and password.
 That meant that some users were forced to keep track of dozens of different
 accounts. Strict security measures at the Postal Service required regular
 password changes and forced users to select nonobvious passwords, which are
 harder to remember.

 Before long, users were lost in a sea of their own passwords, and
 inevitably they'd lose track of them. Once that happened, they'd call the
 help desk, to the tune of 30,000 calls per month for password resets.

 That kind of call volume can weigh down any IT department, but the USPS had
 another problem to deal with. Since it outsources its help desk, each and
 every call to the service provider incurred a charge, and before long
 password-reset costs ballooned to millions of dollars. And all the while,
 user productivity suffered since people couldn't access applications until
 their passwords were reset.

 It's a problem across all industries. According to Forrester Research, up
 to 30% of all help-desk calls are password-reset requests.

 To cut down on those costs, the USPS created a self-service Web site and
 set up a phone line with voice-recognition software, either one of which
 lets users reset passwords on their own. But that didn't cut down on the
 number of passwords users had to keep track of, nor did it reduce the total
 number of reset requests.

 So the USPS deployed v-GO password-management software from Passlogix. The
 first time users log into the system, they give the v-GO software all of
 the individual log-ins they want managed. After that, they can forget
 them -- all those different passwords are safely stored in an encrypted file
 on the user's computer. From then on, any time the user clicks on a Web
 site, program or database that requires its own user ID and password, the
 software issues the proper credentials, all in the background, without the
 user having to lift a finger or remember a word. It will even handle
 regularly scheduled password changes, automatically updating account
 details.

 That means users only need to remember one master password, which they're
 not likely to forget. "V-GO really helps the end user manage their IDs and
 passwords for all the different applications that they need access to,"
 says Grimes. "Personally, I don't know how I could live without it." After
 the changes were made, the number of password reset calls to the USPS help
 desk dropped from 30,000 per month to under 5,000.

 Critics of single-sign-on software -- which is developed by companies ranging
 from startup Passlogix to giants like Sun Microsystems (nasdaq: SUNW), Verisign
 (nasdaq: VRSN) and Computer Associates (nyse: CA) -- say that they're less
 secure. If anyone gets a hold of your master login, they can access countless
 other accounts. Bu

[Clips] At Online Stores, Sniffing Out Crooks Is a Matter of Survival

2005-08-04 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Thu, 4 Aug 2005 09:33:22 -0400
 To: Philodox Clips List <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] At Online Stores, Sniffing Out Crooks Is a Matter of Survival
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 <http://online.wsj.com/article_print/0,,SB112311786883304593,00.html>

 The Wall Street Journal

  August 4, 2005
  PAGE ONE


 At Online Stores,
  Sniffing Out Crooks
  Is a Matter of Survival
 Mr. Kugelman Gets Scammed
  By a Web-Site Customer;
  A $3,077 Platinum Chain

 By MITCHELL PACELLE
 Staff Reporter of THE WALL STREET JOURNAL
 August 4, 2005; Page A1


 LYNBROOK, N.Y. -- Six years ago, Neil Kugelman found himself puzzling over
 the very first customer to arrive at the Web site he had launched to sell
 jewelry online.

 The order: a $496 men's diamond ring. The North Carolina address didn't
 match the address tied to the credit card. The shipping address was
 different still. Mr. Kugelman tried to telephone the customer, but the
 number didn't work. His email bounced back. He was no expert on fraud, but
 neither was he born yesterday. He spiked the order.

 "Our first order -- order No. 1 -- was fraudulent," he marvels.

 Since then, as family-controlled Goldspeed.com Inc. grew from a basement
 start-up to a 10-person operation that fills more than 50,000 orders a
 year, Mr. Kugelman has taught himself to regard each and every customer as
 a potential online crook -- and with good reason. He says fraudulent orders
 have risen to a staggering 30% of the total, up from just 5% when he
 started.

 Over the years, Mr. Kugelman, 44 years old, got so good at sniffing out the
 cons that just 0.5% of his sales were lost to fraud. But a run-in he had
 seven months ago with a cagey crook who ordered $8,384 of flashy jewelry --
 and stuck him with his largest fraud loss ever -- has left him worried that
 the bad guys are now gaining the upper hand. The tale of Mr. Kugelman's
 unsuccessful effort to discover the fraud, despite his suspicions, shows
 the increasing perils faced by the burgeoning online retail industry.

 For Mr. Kugelman and other Internet retailers, ferreting out bogus orders
 is a matter of survival. When a crook uses a stolen credit card in a
 traditional store, and the store follows proper procedures, the
 card-issuing bank usually swallows the loss. For online retailers, the
 tables are turned. Credit-card association rules dictate that merchants who
 accept charges from cyberspace, a riskier endeavor, must also shoulder the
 risk of fraud.

 When Mr. Kugelman began peddling everything from pearl earrings to thick
 gold chains over the Internet in 1998, his biggest problem was simple
 credit-card fraud: the use of stolen account numbers. The bogus orders were
 often glaringly obvious. Fraudsters ordered big and requested next-day
 shipping. They left fake phone numbers. They placed odd orders, such as for
 two engagement rings. Mr. Kugelman designed a computer system to screen
 incoming orders for such red flags and to bounce suspicious ones into human
 hands.

 Over time, the crooks got better. More of them stole whole identities,
 using purloined personal information to set up entirely new credit-card
 accounts. They used untraceable cellular phones, and avoided making
 oversized orders. When Mr. Kugelman phoned them with questions, they didn't
 get rattled. He fine-tuned his system, incorporating proprietary scoring
 guidelines based on such information as what kind of jewelry is ordered and
 from what part of the country the order originates.

 Late last year, he says, the fraudsters upped the ante. All of a sudden,
 Goldspeed.com was getting orders that showed no obvious signs of fraud on
 his computer-screening system, but seemed suspicious nonetheless. On Jan.
 9, for example, when a customer placed separate orders on the same day, he
 thought "something looked wrong."

 A Vincenza Wells of Detroit had ordered a $1,199 Aqua Master men's diamond
 watch. Four minutes later, the same customer ordered a $1,259 men's diamond
 and tanzanite ring. The Bank One Visa credit-card number she supplied was
 good for the full amount, and she had provided the validation code from the
 back of the card. Visa's address verification system showed a match.

 But the order's size, and the strange two-step ordering, had Mr. Kugelman's
 radar up. The next day, he called the card issuer, J.P. Morgan Chase & Co.,
 which had acquired Bank One. He says a bank representative confirmed that
 the name, address and phone number on the order matched the bank's own
 account information, except for one small detail about the address.

 Mr. Kugelman called his customer, who explained the disparity to his
 satisfaction. Mr. Kugelman called back the bank representative with the
 revis

[Clips] How to Exit the Matrix

2005-08-05 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Thu, 4 Aug 2005 15:48:10 -0400
 To: "Philodox Clips List" <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] How to Exit the Matrix
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]


 --- begin forwarded text


  To: [EMAIL PROTECTED]
  From: [EMAIL PROTECTED]
  Date: 1 Aug 2005 23:27:41 -
  Subject: How to Exit the Matrix
  Sender: [EMAIL PROTECTED]

  Network Forensics Evasion: How to Exit the Matrix
  https://n4ez7vf37i2yvz5g.onion/howtos/ExitTheMatrix/
  Tor (tor.eff.org) required

  "Privacy and anonymity have been eroded to the point of non-existence in
 recent years. In fact, in many workplaces, employers spy on and control
 their employees' Internet access, and this practice is widely considered to
 be acceptable. How we got to a legal state where this is allowed, I'm not
 quite sure. It seems to stem from an underlying assumption that while you
 are at work, you are a slave - a single unit of economic output under the
 direct and total control of your superiors. I believe this view is wrong.
 This document seeks to provide the means to protect your right to privacy
 and anonymous net access anywhere, even under the most draconian of
 conditions - including, but not limited to, criminal investigation. "So
 what are you saying? That I can dodge bullets?" "No.. What I am trying to
 tell you is that when you're ready, you won't have to.""

 --- end forwarded text



--- end forwarded text




[Clips] Phil Zimmermann defends his VoIP crypto

2005-08-05 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Fri, 5 Aug 2005 12:07:11 -0400
 To: Philodox Clips List <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] Phil Zimmermann defends his VoIP crypto
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 <http://blogs.zdnet.com/Ou/?p=87>

  | George Ou | ZDNet.com

 8/5/2005
  Phil Zimmermann defends his VoIP crypto

 -Posted by George Ou @ 2:06 am
 Security
  Infrastructure

 In response to my last blog "Does Phil Zimmermann need a clue on VoIP?",
 Phil Zimmermann writes this letter defending his recent VoIP demonstration.

 The reason why they (Skype) can make a PKI work so seamlessly is because
 they have a proprietary closed system, where they control everything -- the
 servers, the clients, the service provider (namely, Skype), the protocol,
 everything.  If I had that luxury, I could make a PKI work too.  Where PKI
 runs into trouble is when you try to make it work in a heterogeneous
 environment with different service providers with competing interests.  The
 trust model becomes unwieldy.  That's what killed PKI based email
 encryption schemes like PEM and MOSS.  And it has effectively paralyzed
 S/MIME too, because no one uses S/MIME to encrypt their email, despite
 S/MIME's massive deployment advantage owing to its inclusion in Microsoft
 products.  S/MIME requires a PKI to be up and running before you can use
 it, which means the "activation energy" is too high.  That's why
 essentially all the encrypted email in the world today is encrypted with
 PGP, or other OpenPGP products, which require little activation energy.

 My secure VoIP protocol also requires almost no activation energy, so I
 expect it to do well.  The other VoIP client features that make Skype so
 adaptable to NAT/firewall environments can be implemented in any VoIP
 client, even one that uses my crypto protocol.  The VoIP client I used in
 my prototype was not even mine, it was an open source VoIP client I found
 on the Internet.  I just added my crypto protocol to it for prototyping.
 For a real product, I plan to license a mature full-featured commercial
 VoIP client and add my crypto to that.  I'll make sure it has all the
 NAT/firewall traversal features it needs before I license it.

 I'm surprised you built your case on Skype's non-PKI features, and then
 used that to suggest I haven't a clue.  I don't claim my core competency is
 building the best VoIP client, which is why I'll use someone else's VoIP
 client as a starting point. But I've been thinking about trust models, key
 management, and PKI since before there were any PKIs.  I've picked up at
 least one or two clues along the way.  Maybe more than the makers of
 PKI-based email encryption standards that have been so easily swept aside
 by PGP.

 Regards,
 Phil


--- end forwarded text




[Clips] Does Phil Zimmermann need a clue on VoIP?

2005-08-05 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Fri, 5 Aug 2005 12:06:24 -0400
 To: Philodox Clips List <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] Does Phil Zimmermann need a clue on VoIP?
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 <http://blogs.zdnet.com/Ou/?p=86>

 | George Ou | ZDNet.com

 8/4/2005
  Does Phil Zimmermann need a clue on VoIP?

 -Posted by George Ou @ 11:52 am
 Security
  Infrastructure

 Updated: 8/5/2005 @ 4:06 am

 Phil Zimmermann of PGP fame, a legend in the
 cryptography world, was cooking up a new secure VoIP brew at last week's
 Black Hat conference -- but could he be just a little bit out of touch?  As
 much as I respect the man's intellectual prowess and his contribution to
 the field of cryptography, I don't think I can say the same about his
 product design skills.  Product design and product marketing is less about
 intellectual prowess than understanding the needs of the average human
 user.  When I read about Zimmermann's recent VoIP demonstration at Black
 Hat, it made me doubt his product design skills even more.

 Phil Zimmermann criticizes existing VoIP cryptographic solutions for
 relying on PKI.  Given the fact that Zimmermann's PGP technology has always
 been an alternative to PKI based technologies, one can expect a bit of a
 natural bias against PKI-based solutions.  Just about every other
 PKI-alternative cryptography company has gone as far as declaring PKI dead
 even though PKI has been thriving for the last decade with E-Commerce
 leading the charge in a massive global PKI implementation.  I've personally
 designed and deployed many PKI solutions for large corporations for all
 sorts of security applications ranging from remote VPN access to wireless
 LAN security, and I can attest that the technology is simple, scalable, and
 reliable.  It's an undeniable fact that any solution that promises to
 bypass PKI always ends up being more trouble than it's worth.

 One of the biggest recent successes in VoIP or any application class is the
 phenomenon of Skype.  Skype has managed to gain more users in a single year
 than all of the other VoIP software solutions put together; at last count,
 there were about 148 million downloads of Skype.  Millions of people use it
 every day without even knowing that they are using PKI technology with
 1024-bit RSA keys for secure authentication and 256-bit military grade AES
 encryption.  While other vendors talk the talk about cryptography and how
 nice it would be if only people would use it, Skype actually deployed the
 biggest secure VoIP communications scheme ever using a seamless PKI
 implementation.  Most people just never knew it because Skype spent less
 time talking about it than implementing it.  Looking at Zimmermann's
 PKI-less VoIP cryptography scheme, I doubt it will be as seamless a
 solution.

 On the connectivity side, Zimmermann's demonstration at Black Hat showed
 why Skype still reigns supreme over everyone else.  As a matter of fact,
 Zimmermann's demo almost never left the ground because of router traversal
 problems.  While firewall and router traversal problems aren't uncommon
 among most VoIP solutions, it is one of the biggest impediments (next to
 inadequate or missing microphones on the modern personal computer) to the
 success of VoIP.  The reason Skype exploded onto the scene was that they
 alone understood that the average computer user is in no mood to mess with
 firewall rules, port triggers, and NAT traversal problems and
 probably doesn't even know or care what I'm talking about.  Skype wrapped
 their entire VoIP payload into a simple firewall- and NAT-friendly packet
 and used the power of peer-to-peer technology to make Skype work under any
 environment.  All the complexity is hidden under the hood and even grandma
 can now use PC telephony.

 Skype has set the gold standard for ease-of-use and seamless security.
 Any VoIP solution from this point forward that fails to meet this standard
 will be dead on arrival.  Although it may be too early to tell how
 Zimmermann's solution will fare in the end, it certainly doesn't appear to
 be off to a good start.  Maybe I'm being a bit harsh on a solution that is
 still a work in progress or maybe Zimmermann thinks I'm way off base.  Phil,
 if you're reading this and you want to tell me I'm wrong and why, I'll be
 more than happy to post your reply.

 

[Clips] Knowing me, knowing you

2005-08-05 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Fri, 5 Aug 2005 15:08:12 -0400
 To: Philodox Clips List <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] Knowing me, knowing you
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 <http://www.guardian.co.uk/print/0,3858,5254923-103572,00.html>

Guardian |

 Knowing me, knowing you

 George Orwell would be shocked at the popular support for the spread of
 surveillance technology, writes Victor Keegan
 Victor Keegan
 Thursday August 4, 2005

 Guardian Unlimited
 There is not much doubt now that the world has entered the age of
 surveillance - with the UK at the leading edge. Britain now has over 4
 million CCTV cameras in operation, the guardian angels of a secular
 society. If a referendum were to be held in the wake of the terrorists'
 attacks recommending cameras on every street it would probably be carried
 overwhelmingly. This is slightly surprising, not just because of the
 long-term implications for civil liberties, but because video cameras do
 not seem to have acted as a deterrent to terrorists, even though they have
 made it easier to identify them afterwards, whether dead or alive.

 The main means of tracking terrorist suspects down has been the monitoring
 of mobile phone conversations. Not only can operators pinpoint users to
 within yards of their location by "triangulating" the signals from three
 base stations, but - according to a report in the Financial Times - the
 operators (under instructions from the authorities) can remotely install
 software onto a handset to activate the microphone even when the user is
 not making a call. Who needs an ID card when they can do that already?

 On top of all this official scrutiny, there is a growing fashion for mutual
 personal surveillance from the millions of "smart" phones with built-in
 cameras and video functions that are getting more powerful by the week. It
 won't be long, doubtless, before miniaturised cameras will be embedded in
 spectacles enabling footage to be sent on the hoof to a remote website for
 archival purposes.

 Technology has undoubtedly helped terrorists get organised. The internet is
 a source for fundamentalist proselytising, information about activities
 such as bomb making and links to like-minded people, while mobile phones
 provide constant communication and, in some instances, detonators.

 Technology also offers unprecedented ways to track criminals down. But each
 advance in technological detection produces a counter-reaction from
 terrorists. Just as there has been a move away from laundering money
 through the international banking system (towards cash transactions)
 because of improved governmental monitoring, so the events of the past
 month could persuade terrorists to abandon mobile phones in favour of more
 primitive forms of communication such as one-to-one conversations.

 As technology continues to advance at a breathtaking pace, the future scope
 for finding out who we are is quite awesome. The current issue of Business
 Week lists the ways in which we can be uniquely identified from DNA and
 radio frequency identification tabs (RFID) to body odour, breath or saliva.
 There are even scientists working on "gait recognition" so future video
 cameras can pick us out from the way we walk in a crowd.

 The danger from all this is that few people will object as long as there is
 a serious threat of terrorism. But once (if?) the threat subsides, the
 infrastructure of surveillance will remain. Then it might not be the police
 reconstructing a fuzzy image from a crowd to catch a terrorist but an
 employee of the imaging company extorting money from someone found in a
 compromising position. As one Business Week contributor observed: "We get
 most of our security from liberty." If George Orwell were alive now (21
 years after the London he depicted in 1984) he would be astonished by the
 fact that the sort of surveillance he feared is supported not by a
 government imposing it from above on an unwilling population but by a
 groundswell of popular support. That's not a problem at the moment. But it
 will be in future, either if we sign away civil liberties permanently in
 response to a temporary emergency or if the cost of installing the
 infrastructure becomes so huge that it erodes our personal prosperity.
 Either way, Bin Laden would have won.

 --
 -
 R. A. Hettinga 
 The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
 44 Farquhar Street, Boston, MA 02131 USA
 "... however it may deserve respect for its usefulness and antiquity,
 [predicting the end of the world] has not been found agreeable to
 experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
 ___
 Clips mailing list
 [EMAIL PROTECTED]
 http:

[Clips] The summer of PKI love

2005-08-11 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Thu, 11 Aug 2005 15:10:52 -0400
 To: Philodox Clips List <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] The summer of PKI love
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 <http://www.infoworld.com/article/05/08/10/33OPstrategic_1.html>

 InfoWorld


 The summer of PKI love
 Dartmouth College's PKI Deployment Summit showed public key infrastructure
 moving forward
 Strategic Developer, by Jon Udell
 August 10, 2005


 The annual PKI Deployment Summit at Dartmouth College is becoming a summer
 tradition. Universities differ from other large enterprises in ways that
 make them bellwethers for IT's future. University user populations are
 transient, platform monocultures cannot be imposed, and collaboration
 across institutional borders is mission-critical. These are excellent
 circumstances in which to evolve methods of identity management that will
 also meet the requirements of corporations as they increasingly outsource,
 connect with customers through the Web, and engage with partners in
 federations of Web services.


 One reason for PKI's slow uptake has been the lack of two kinds of
 portability. It hasn't been easy to move cryptographic keys from one
 machine to another, or to use credentials issued by one institution at
 another. But as we learned at the summit, there's been progress on both
 fronts. Growing adoption of hardware tokens is making cryptographic
 identities independent of machines. And emerging trust bridges are
 enabling those identities to be federated among universities, the federal
 government, and industry.

 On the token front, we're still unfortunately waiting for the ideal key
 storage device. USB tokens, smart cards, and cell phones are all
 candidates, and the pros and cons of these options form a complex matrix.
 Universities tend to prefer the USB approach because the tokens work with
 PCs and Macs that can't easily be outfitted with card readers.

 No matter what flavor of device, however, the deployment procedure is
 critical. This year, several summit attendees talked about moving away
 from a model in which the token caches keys that are also stored elsewhere,
 to a model in which keys are generated directly on the token and are
 stored only there. If you lose your token, you have to reregister for a new
 one and get freshly minted keys. Work-arounds are painful experiences that
 people won't lightly inflict on themselves a second time.

 It sounds draconian, and indeed is, but the benefits are twofold. It
 virtually eliminates password sharing, which, as I mentioned last year, is
 otherwise rampant. And the required in-person registration is a ceremony
 that helps users understand what the token means and how to use it.

 On the trust front, a number of initiatives are under way. A handful of
 universities and resource providers have been using the Internet2
 consortium's Shibboleth to enable users at one institution to access
 online resources at another. In March, that trust network was formalized as
 the InCommon Federation.

 Shibboleth isn't PKI-based, but it can be bridged to PKI systems, and trust
 bridges were a hot topic this year. Dartmouth's Scott Rea gave a status
 report on the Higher Education Bridge Certification Authority. Peter
 Alterman, from the National Institutes of Health, described the Federal
 Bridge Certification Authority. Cybertrust's Russ Weiser presented Secure
 Access for Everyone, which focuses on the biopharmaceutical industry. And
 Jim Jokl, from the University of Virginia, showed how to leverage grid
 networks as a trust fabric by exploiting the Globus Toolkit's intrinsic
 PKI.

 Once these and other bridges can cross-certify, token-borne credentials
 issued by one will be recognized -- subject to appropriate policy mapping
 -- by the others. A year ago that seemed far-fetched, but the picture is
 coming into focus.

 Jon Udell is lead analyst and blogger in chief at the InfoWorld Test Center.



--- end forwarded text



[Clips] Peppercoin Secures $8 Million in Venture Funding

2005-08-17 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Wed, 17 Aug 2005 14:31:40 -0400
 To: "Philodox Clips List" <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] Peppercoin Secures $8 Million in Venture Funding
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]



 From: Peppercoin, Inc. [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, August 17, 2005 11:38 AM
 To: 
 Subject: Peppercoin Secures $8 Million in Venture Funding


 
<http://rs6.net/tn.jsp?t=c4afcobab.0.mismf8n6.foladxn6.544&p=http%3A%2F%2Fwww.peppercoin.com%2F>

 News & Updates

 August 17, 2005

 Greetings,

 Over the last year, Peppercoin has worked closely with financial services
 institutions to develop the leading solution for small payments. The
 successful close of our recent funding round validates our vision - to
 enable convenient and profitable credit and debit card use for small
 payments.

 Peppercoin Secures $8 Million in Venture Funding to Drive Adoption of
 Card-Based Small Payments
 Leading Small Payments Company's President is Named Chief Executive Officer

 WALTHAM, Mass. - August 17, 2005 - Peppercoin, a payments technology company
 that enables profitable new business models for low-priced digital content
 and physical goods, today announced it has secured $8 million in funding.
 The financing round, led by venture capital firm Wall Street Technology
 Partners, includes previous investor Pod Holding and a large, Boston-based
 institutional investment adviser; several private individuals returned to
 participate in the round as well. Peppercoin also announced that Mark
 Friedman has been named president and chief executive officer. As
 president, Friedman forged strong ties with the financial institutions,
 including First Data and Chase, that have helped drive adoption of
 Peppercoin's Small Transaction Suite.

 "Wall Street Technology Partners invests in companies that reshape their
 markets," said WSTP Partner Adam Lichtenstein. "Peppercoin is an exciting
 investment because the company has quickly seized a leadership role in
 establishing the 'small payments' category, and is working collaboratively
 with the large, established financial institutions that operate today's
 credit and debit payment systems. We are impressed by the company's
 seasoned team, and the progress they have made in garnering merchant
 adoption of their service and generating interest in the transition from
 cash to card."

 "Since Pod Holding first invested in Peppercoin's initial funding round, we
 have been impressed with the company's ability to continually surpass its
 stated business and technical goals," said Peter Lawrence, founding partner
 of Pod Holding. "The management team's progressive, agile approach to small
 payments has led to superior technology that appeals to leading financial
 services companies, and as a result we have strengthened our partnership
 with the company."

 "Wall Street Technology Partners and our existing investors are validating
 Peppercoin's business model as we continue to sign new merchants and build
 strong relationships with the leading global payments companies," said Mark
 Friedman, president and CEO of Peppercoin. "Merchants embrace our product
 as they find it provides an engine for revenue growth. Similarly, financial
 services entities value the increased payment volumes our offering brings
 them. We will be rolling out several advanced capabilities in coming months
 which enable a blend of prepaid, subscription, pay-as-you-go and post-paid
 merchant offerings."

 Consumers are demonstrating a clear and growing preference to use their
 credit and debit cards for physical, digital and mobile purchases of all
 sizes. Each year, consumers in the United States make more than 350 billion
 transactions of less than $5, representing $1.32 trillion in aggregate
 revenue. This presents a significant growth opportunity for the credit and
 debit card market, and Peppercoin is at the forefront in providing a
 solution that allows merchants and financial services institutions to
 card-enable their transactions, capture a larger market share with flexible
 business models, and drive new revenue streams. Over the past year,
 Peppercoin has realized success with merchants and financial services firms
 such as First Data, Chase Merchant Services, and SunTrust Bank.

 About Wall Street Technology Partners

 Wall Street Technology Partners LP
 (WSTP) is a New York-based technology fund founded in 2000. The fund
 invests in mid-to-late stage US-based technology and media companies across
 a wide industry spectrum, including software applications, servers and
 storage, semiconductors, wireless, energy, telecom systems and enterprise
 and carrier networks. WSTP has in excess of $125 million of cap

[Clips] [MTNews] CRYPTO-Server 6.3

2005-08-22 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Mon, 22 Aug 2005 15:57:56 -0400
 To: "Philodox Clips List" <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] [MTNews] CRYPTO-Server 6.3
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]


 --- begin forwarded text


  Date: Mon, 22 Aug 2005 12:47:49 -0700
  To: [EMAIL PROTECTED]
  From: MacTech News Moderator <[EMAIL PROTECTED]>
  Subject: [MTNews] CRYPTO-Server 6.3
  Sender: <[EMAIL PROTECTED]>

  This message comes to you from MacTech News -- the Mac(tm) OS Technical
  News and Info server.  See below for more info on this list (including
  sub/unsub details).
  __


  CRYPTOCard LAUNCHES CRYPTO-Server 6.3 FOR MAC OS X TO MAKE IT SIMPLE FOR
  "TIGER" USERS TO GAIN TWO-FACTOR ATM-STYLE AUTHENTICATED ACCESS TO
  DESKTOPS, LAPTOPS, AND APACHE WEB SERVER

  CRYPTO-Server 6.3 for OS X provides "Tiger" Users With Simple Authenticated
  Access To Desktops-Even If They Are Not Connected To The Network

  CRYPTOCard (http://www.cryptocard.com/), a leading authentication
  developer, today launched CRYPTO-Server 6.3 for OS X, the authentication
  solution designed to make it simple to positively identify all Tiger users
  attempting LAN, VPN (Apple or Cisco), or Web-based (Apache) access.
  Specifically designed to fully integrate with Tiger's newly-developed
  support for smart card environments, CRYPTO-Server 6.3 couples something in
  the user's possession (a multi-function smart card, USB token, hardware
  token, or software token), with something the user knows (their PIN) to
  provide secure, enterprise-class LAN, Web, and remote ATM-style
  ‘One-PIN-and-You’re-In’ authenticated access that mirrors the look and feel
  of the OS X logon - ensuring that the technology is simple for Tiger users
  to utilize. CRYPTO-Server 6.3's "Fast User Switching" functionality also
  makes it simple for multiple Tiger users to securely access the Mac, using
  smart cards or tokens - in a stand-alone or networked environment.

  "Understanding that an organization cannot guarantee a system security if
  it cannot positively authenticate each individual user, CRYPTOCard has
  developed a fully-integrated authentication solution specifically designed
  for Tiger," commented Malcolm MacTaggart, President & CEO, CRYPTOCard
  Corporation. "CRYPTO-Server 6.3 now makes it simple for Tiger users,
  particularly in the traditional Mac strongholds of the health, legal,
  higher education, and printing/publishing/multimedia sectors, to provide
  true ATM-style ‘One-PIN-and-You’re-In’ enterprise-class strong user
  authentication for LAN, VPN, Web, or remote system access," MacTaggart
  continued. "To meet the needs of U.S Federal customers, CRYPTOCard's Smart
  Card readers support the U.S Federal Smart Cards (CAC & PIV) - and the
  drivers are pre-installed in Tiger."

  "The breakthrough features in Mac OS X Tiger are enabling innovation across
  a diverse range of developers and markets," said Ron Okamoto, Apple's vice
  president of Worldwide Developer Relations. "We’re thrilled that CRYPTOCard
  is taking advantage of Tiger to deliver easy-to-use enterprise class
  authentication solutions."

  Incorporating CRYPTOCard's familiar ATM-style logon, that has proven to
  eliminate the user resistance usually encountered when organizations
  attempt to implement an additional layer of security, CRYPTO-Server 6.3 for
  OS X generates a one-time password for every log-on attempt, making stolen
  credentials useless to hackers while simultaneously ensuring Tiger users do
  not have to memorize complicated credentials - significantly reducing the
  help-desk costs associated with resetting forgotten passwords, and the
  obvious security risk resulting from users writing down their passwords.

  CRYPTO-Server's remote access functionality offers support for Apple's VPN
  Server, with the same "One-PIN-and-You’re-In." experience, however, if
  hardware tokens are employed, no additional software is required on the
  client side - CRYPTOCard's two-factor-authentication is ready to go,
  "out-of-the-box." CRYPTO-Server 6.3's CRYPTO-Web component also makes it
  simple for Tiger users to utilize the exact same ATM-style log-on protocol
  to positively authenticate themselves to Apache and IIS Websites, right
  down to the page level. And, with almost 75 percent (or more than 13
  million) of the world's web servers running on Apache, CRYPTO-Server 6.3
  for OS X represents a significant advance in authentication technology for
  the web medium.

  CRYPTO-Server 6.3 for OS X provides administrators with centralized
  authentication and management capability, emphasizing ease-of-use and tight
  integration with Apple'

[Clips] RSA Security Sees Hope in Online Fraud

2005-08-23 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Tue, 23 Aug 2005 09:01:29 -0400
 To: Philodox Clips List <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] RSA Security Sees Hope in Online Fraud
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 <http://www.technologyreview.com/articles/05/08/ap/ap_082205.0.asp>

 Technology Review

 RSA Security Sees Hope in Online Fraud
 By Brian Bergstein, AP Technology Writer
 August 22, 2005

 BEDFORD, Mass. (AP) -- It was a Friday afternoon for the computer
 encryption folks at RSA Security Inc., and summertime greenery filled the
 countryside view from Art Coviello's office.

 Even so, the RSA chief could have been excused if he didn't seem relaxed.

 RSA had just announced its second straight set of quarterly results that
 didn't dazzle Wall Street analysts, and RSA's stock was flirting with a
 52-week low.

 But Coviello shrugged it off. Analysts, schmanalysts. More importantly, he
 said, lots of factors are about to turn in RSA's favor, namely the need for
 more secure, traceable financial transactions in a world beset by online
 fraud and identity theft.

 "The whole thing's moving a lot more slowly than it ought to," Coviello
 said. "We've got to keep pounding and pounding until we reach a tipping
 point, and we will take advantage of it."

 The lack of an obsession over quarterly results isn't the only unusual
 thing about RSA, which still bears the marks of an academic past despite
 being a $300 million company with 1,200 employees and customers in
 government, banking and health care.

 RSA is named for three Massachusetts Institute of Technology professors,
 Ron Rivest, Adi Shamir and Len Adleman. Though they are no longer involved
 with the company they founded in 1986, their invention of a seminal method
 of cryptography set the tone for the company and is crucial in online
 commerce.

 Today RSA is perhaps best known for staging a prestigious annual security
 conference and for selling 20 million little devices that display a
 six-digit code computer users must type to gain access to computer
 networks. The code, which changes every minute as determined by an
 RSA-created algorithm, is unique to each "SecurID" token, making it
 useless to a snoop.

 The requirement that users enter the code in addition to a password is
 known as two-factor authentication, an approach that figures to gain ground
 over simple passwords as more and more sensitive data move online.

 Indeed, RSA's sales of authentication products jumped 16 percent last year,
 as RSA's overall profits more than doubled, to $35 million. E-Trade
 Financial Corp. and America Online Inc. began offering SecurID devices to
 some customers over the past year. The Associated Press also uses the
 tokens for network access.

 "It is the Kleenex or Q-Tip of two-factor identification," said Gregg
 Moskowitz, an analyst with the Susquehanna Financial Group. "SecurID is
 the brand name."

 But wide deployment in consumer applications has come slowly.

 In theory, every institution that does business on a Web site could
 increase its security by offering its users RSA tokens.

 But practically, it would be a nightmare to have 20 different devices with
 their own codes. And banks apparently don't trust one another enough to
 accept a competitor's authentication token.


 RSA hopes to smash such hang-ups by acting as an intermediary, launching a
 new "hosted" service this fall in which its servers will check whether a
 consumer entered the proper token code -- even if the token was made by an
 RSA rival -- then relay the "yea" or "nay" back to the bank. RSA already
 provides such a service for companies' internal access control, but has yet
 to offer it for consumer applications.


 Investors will be watching closely. Although Coviello is confident that
 wider trends in access control -- such as rampant identity theft and abuse
 of Social Security numbers -- should play to RSA's strengths, he
 acknowledges that RSA needs to do more to push the market rather than wait
 for it.

 That means RSA has to be much more than the company known for
 authentication tokens -- a product that some analysts say is coming down in
 price because of competition. RSA also hopes to expand its sales of
 software and security consulting services, where heftier rivals such as
 VeriSign Inc. and International Business Machines Corp. also lurk.

 "When you consider all the identity theft that is taking place now, the
 challenge for RSA is to monetize that," Moskowitz said. "It's easier said
 than done."

 RSA believes one key differentiator can be its research arm, including the
 eight people in "RSA Labs," a group so focused 

RE: Another entry in the internet security hall of shame....

2005-08-25 Thread R.A. Hettinga
At 9:42 AM -0400 8/25/05, Trei, Peter wrote:
>Self-signed certs are only useful for showing that a given
>set of messages are from the same source - they don't provide
>any trustworthy information as to the binding of that source
>to anything.

Oddly enough, the same could be said for a hierarchically signed certificate.

;-)

Cheers,
RAH



[Clips] DVD Jon hacks Media Player file encryption

2005-09-03 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Fri, 2 Sep 2005 16:43:11 -0400
 To: Philodox Clips List <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] DVD Jon hacks Media Player file encryption
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 <http://www.theregister.com/2005/09/02/dvd_jon_mediaplayer/print.html>

 The Register


 DVD Jon hacks Media Player file encryption
 By Gavin Clarke in San Francisco (gavin.clarke at theregister.co.uk)
 Published Friday 2nd September 2005 06:40 GMT

 Norway's best known IT export, DVD Jon, has hacked encryption coding in
 Microsoft's Windows Media Player, opening up content broadcast for the
 multimedia player to alternative devices on multiple platforms.

 Jon Lech Johansen has reverse engineered
 (http://nanocrew.net/index.php?s=microsoft) a proprietary algorithm, which
 is used to wrap Media Player NSC files and ostensibly protect them from
 hackers sniffing for the media's source IP address, port or stream format.
 He has also made a decoder available.

 Johansen doesn't believe there is a good reason to keep the NSC files
 encrypted, because once you open the file with Media Player to start
 viewing the stream, the IP address and port can be revealed by running the
 netstat network utility that is included with most operating systems.

 The hacker hopes his move will make content streamed to Media Player more
 widely available to users of alternative players on non-Windows platforms.

 Johansen achieved notoriety when he was tried and re-tried in a Norwegian
 court for creating a utility that enabled him to play DVDs on his Linux PC.
 Prosecutors, acting in the interests of the beloved US Motion Picture
 Association of America (MPAA), argued he had acted illegally by
 distributing his DeCSS tool to others via the internet. This, the
 prosecution claimed, made it easier to pirate DVDs.

 However, the court ruled in his favor, saying he had not broken the law in
 bypassing DVD scrambling codes that had stopped him from using his PC to
 play back DVDs.

 Earlier this year Johansen developed a work around to bypass digital rights
 management (DRM) technology in Apple Computer's iTunes.

 His latest hack was done to make Media Player content available to the open
 source VideoLAN Client (VLC) streaming media player. VLC is available for
 download to 12 different operating systems and Linux distributions and has
 seen more than six million downloads to Mac. Apple is even pre-loading VLC
 on some Macs destined for high schools in Florida.

 Johansen told The Register he'd acted following requests for NSC support in
 VLC. One developer
 (http://sidequest.org/weblog/archives/2005/08/multicast_from.html) is
 already hard at work integrating Johansen's decoder into the VLC.

 Johansen said: "Windows Media Player is not very good and Windows and Mac
 users should not be forced to use it to view such [NSC] streams."

 The NSC file contains information about the stream, such as the name and
 address of the stream server. When the file is opened in Media Player, the
 file is decoded and then connected to the stream server specified.

 Johansen said claims made by companies like Cisco Systems, who ship
 products with NSC support, that the encoding he cracked protects the media
 don't make much sense. "It's more likely that the purpose is to prevent
 competing media players from supporting the NSC format," he observed.

--- end forwarded text




[Clips] New [chip & pin] technology may increase identity theft

2005-09-06 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Tue, 6 Sep 2005 14:55:23 -0400
 To: Philodox Clips List <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] New technology may increase identity theft
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 <http://news.com.com/2102-1029_3-5850138.html?tag=st.util.print>



  New technology may increase identity theft

  By Reuters
 
http://news.com.com/New+technology+may+increase+identity+theft/2100-1029_3-5850138.html


  Story last modified Mon Sep 05 16:35:00 PDT 2005


 New technology could increase rather than solve the problem of identity
 theft and fraud, a British criminologist said Monday.

  Identity cards and chip and pin technology for credit cards will force
 fraudsters to be more creative and are unlikely to alleviate the problem,
 said Emily Finch, of the University of East Anglia in England.

  Dependence on technology was leading to a breakdown in individual
 vigilance, which experts believe is one of the best ways to prevent fraud
 and identity theft, Finch said.

  "There is a worrying assumption that advances in technology will provide
 the solution to identity theft whereas it is possible that they may
 actually aggravate the problem," she told the British Association science
 conference.

  "Fraudsters adapt their behavior to suit the circumstances," she said.

  Finch, who interviewed criminals about why and how they commit crimes and
 the impact new technology is likely to have on them, found fraudsters were
 tenacious and would change their methods to elude new security measures.

  "Studying the way that individuals disclose sensitive information would be
 far more valuable in preventing identity fraud than the evolution of
 technologically advanced but ultimately fallible measures to prevent misuse
 of personal information after it has been obtained," she added.

  Data from the U.S. Federal Trade Commission Identity Theft Survey Report
 released two years ago showed that 4.6 percent of 4,000 randomly selected
 people questioned in a poll had been the victim of some form of identity
 theft in the past year.

  Finch said fraud and identity theft was not always done for financial
 reasons. Sometimes people wanted to start again with a new identity.



 Identity cards could potentially increase fraudulent behavior, she warned.
 In June, the British government introduced legislation for national
 identity cards, saying they would counter terrorism, crime and illegal
 immigration. But critics say the scheme is expensive, unnecessary and
 intrusive.

  "What fraudsters know about is human nature," Finch said. "And they adapt
 to things like the Internet which provides an absolutely fantastic base to
 access personal information."

  She also has doubts about chip and pin technology which allows consumers
 to punch in a personal number rather than use a signature for credit and
 debit card purchases.

  Instead of watching an individual punch in the code and stealing the card,
 criminals are snatching credit card application forms and getting new cards
 and numbers, she added.



--- end forwarded text




[Clips] MIT Conference On REAL ID Act Is Postponed And Augmented By Online Discussion

2005-09-10 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Thu, 8 Sep 2005 12:27:09 -0400
 To: "Philodox Clips List" <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] MIT Conference On REAL ID Act Is Postponed And Augmented By
  Online Discussion
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]


 --- begin forwarded text


  Date: Thu, 08 Sep 2005 12:03:51 -0400
  From: Daniel Greenwood <[EMAIL PROTECTED]>
  User-Agent: Mozilla Thunderbird 1.0.2 (Windows/20050317)
  To: [EMAIL PROTECTED]
  Subject: MIT CONFERENCE ON REAL ID ACT IS POSTPONED AND AUGMENTED BY ONLINE
   DISCUSSION

  Please be advised that the public forum originally scheduled for
  Wednesday, September 14, 2005 to address the REAL ID Act of 2005 has
  been postponed. This has become necessary because many of the people
  interested in the forum are from the homeland security and first
  responder communities, and their focus is now squarely on the ongoing
  efforts to recover from Hurricane Katrina.

  In place of the September 14th public forum, the MIT Media Lab and the
  MIT E-Commerce Architecture Program will be organizing an online forum
  to start a conversation about the REAL ID Act of 2005. This online forum
  will be an ongoing, asynchronous event lasting from Monday, September
  19, 2005 through Friday, September 23, 2005.  This online discussion
  will include presentation by leaders in the field, policy experts and
  governmental officials who will give deeper background on the status and
  issues related to REAL ID.  There will also be an opportunity for all
  registrants to participate in a dialog with the speakers and each
  other.  Additional details about the online forum will be available
  shortly at http://ecitizen.mit.edu/realid.html.  Please register at that
  web site between now and September 19th in order to participate in this
  web-based discussion.

  Finally, there will be a physical meeting at MIT to discuss the REAL ID
  Act of 2005 on Thursday, November 17, 2005. The upcoming online forum
  will provide an excellent opportunity to design this event so as to
  provide the maximum benefit for the people who will be attending this
  gathering.

  In the meantime, please continue to use the registration feature on the
  website to let us know if you are interested in participating in the
  online forum or attending the November meeting. Also be sure to check
  the website periodically for additional details.

  Regards,

  Daniel J. Greenwood,
  MIT Media Lab, Smart Cities Group
  MIT E-Commerce Architecture Program

 --- end forwarded text


 --
 -
 R. A. Hettinga 
 The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
 44 Farquhar Street, Boston, MA 02131 USA
 "... however it may deserve respect for its usefulness and antiquity,
 [predicting the end of the world] has not been found agreeable to
 experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
 ___
 Clips mailing list
 [EMAIL PROTECTED]
 http://www.philodox.com/mailman/listinfo/clips

--- end forwarded text


-- 
-
R. A. Hettinga 
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


[Clips] The ghost of Cypherpunks

2005-09-10 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Sat, 10 Sep 2005 15:51:08 -0400
 To: "Philodox Clips List" <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] The ghost of Cypherpunks
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]


 --- begin forwarded text


  To: [EMAIL PROTECTED]
  Subject: The ghost of Cypherpunks
  Organization: Interhack Corporation
  From: Matt Curtin <[EMAIL PROTECTED]>
  Date: Sat, 10 Sep 2005 15:29:41 -0400
  User-Agent: Gnus/5.1006 (Gnus v5.10.6) XEmacs/21.4 (Jumbo Shrimp, berkeley-unix)
  Sender: [EMAIL PROTECTED]

  Slashdot has published Isaac Jones' review of my book describing how
  we killed 56-bit DES, Brute Force: Cracking the Data Encryption
  Standard.  The followup has been curiously devoid of mention of the
  Cypherpunks, a critical force in the Crypto Wars and to whom I
  dedicated the book.


 
http://books.slashdot.org/books/05/09/08/1653245.shtml?tid=93&tid=172&tid=231&tid=95&tid=6

  Did the Cypherpunks have their heyday and that's it?

  --
  Matt Curtin,  author of  Brute Force: Cracking the Data Encryption Standard
  Founder of Interhack Corporation  +1 614 545 4225 http://web.interhack.com/

 --- end forwarded text



--- end forwarded text




The cost of online anonymity

2005-09-11 Thread R.A. Hettinga

--- begin forwarded text


 Date: Sun, 11 Sep 2005 17:02:13 -0400
 To: Philodox Clips List <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: The cost of online anonymity

 <http://news.bbc.co.uk/1/low/programmes/click_online/4227578.stm>

 The BBC

 Friday, 9 September 2005, 18:03 GMT 19:03 UK

 The cost of online anonymity
 By Dan Simmons
  Reporter, BBC Click Online

 In the second report looking at privacy and the internet, Dan Simmons
 examines whether it is possible to be totally anonymous and asks if this is
 really a desirable thing.
  In London's Speaker's Corner, the right to freedom of expression has been
 practised by anyone who cares to turn up for centuries.

  But in countries where free speech is not protected by the authorities,
 hiding your true identity is becoming big business.

  Just as remailers act as a go-between for e-mail, so there are services
 through which you can surf the web anonymously.

  After 10 years in the business, Anonymizer has two million active users.
 The US government pays it to promote the service in China and Iran in order
 to help promote free speech.

  But these programs are becoming popular in the West too.

  The software encrypts all your requests for webpages. Anonymizer's servers
 then automatically gather the content on your behalf and send it back to
 you.

  No humans are involved and the company does not keep records of who
 requests what.

  However, there is some censorship. Anonymizer does not support anonymous
 uploading to the web, and it blocks access to material that would be
 illegal under US law.

 No to censorship

  For the last five years, Ian Clarke has been working on a project to offer
 complete anonymity.

  Founder and co-ordinator of Freenet, Ian Clarke says: "Our goal was to
 provide a system whereby people could share information over the internet
 without revealing their identity and without permitting any form of
 government censorship."

  The system is called the Free Network Project, or Freenet. A Chinese
 version has been set up to help dissidents speak out there.

  "We believe that the benefits of Freenet, for example for dissidents in
 countries such as China, Saudi Arabia, Iran, far outweigh the dangers of
 paedophilia or terrorist information being distributed over the system"
 Ian Clarke, Freenet

 Challenges of anonymous surfing
  Freenet encourages anonymous uploading of any material.  Some users of the
 English version believe it is so secure they have used it to confess to
 crimes they have committed, or to their interest in paedophilia.

  Each user's computer becomes a node in a decentralised file-storing
 network. As such they give up a small portion of their hard disk to help
 the system hold all the information and as with anonymous surfing,
 everything is encrypted, with a military grade 128-bit algorithm.

  The storage is dynamic, with files automatically moved between computers
 on the network or duplicated. This adds to the difficulty of determining
 who might be storing what.

  Even if a user's computer is seized, it can be impossible for experts to
 determine what the owner was doing on Freenet.

  But such strenuous efforts to protect identity have two side effects.

  Firstly, pages can take 10 minutes or more to download, even on a 2Mbps
 broadband connection.

  Secondly, the information is so well encrypted it is not searchable at the
 moment. Forget Google, your only option is to scroll through the indexes
 provided.

  It is hoped usability of the service will improve when it is re-launched
 later this year.

 Ethical issues

  But those are the least of our problems, according to some experts, who
 think Freenet is a dangerous free-for-all.

  Digital evidence expert at the London School of Economics, Peter Sommer
 says: "A few years ago I was very much in favour of libertarian computing.

  "What changed my mind was the experience of acting in the English courts
 as a computer expert and examining large numbers of computers from really
 nasty people, who were using precisely the same sort of technology in order
 to conceal their activities.

  "I think that creates an ethical dilemma for everyone who wants to
 participate in Freenet.

  "You are giving over part of your computer, it will be in encrypted form,
 you will not know what you are carrying, but some of it is going to be
 seriously unpleasant.  Are you happy with that?"

  What worries many, is that Freenet is a lawless area.

  It can be used for many good things, like giving the oppressed a voice,
 but users can also preach race-hatred or share child pornography with
 complete impunity.

  Peter Sommer says: "Ian [Clarke] is placing a powerful tool in the hands
 of other people. He's like an armaments manufacturer.

  "Guns can be used for all sorts of good purposes but you know perfe

Re: MIT talk: Special-Purpose Hardware for Integer Factoring

2005-09-15 Thread R.A. Hettinga
At 12:29 PM -0400 9/14/05, Steven M. Bellovin wrote:

>TODAY * TODAY * TODAY * WEDNESDAY, Sept. 14 2005

So, I saw this here at Farquhar Street at 14:55EST, jumped in the shower,
thus missing the 13:20 train at Rozzy Square :-), instead took the
bus, and then the T, and got to MIT's New Funny-Looking Building about
16:40 or so, and saw the last few slides, asking the first, and only,
question, because the grad-students shot out of there at relativistic
velocity, probably so they wouldn't miss their dinner, or something...

The upshot, to me, was that 1024-bit RSA keys are, for Nobody Special
Anywhere, probably as DED as DES, for certain keys but probably not all
without way too much money, but that things start to go sideways for this
box somewhere south of 2kbit keysize, and so this is not TEOTWAWKI,
key-wise.

"Unless someone comes up with an algorithmic improvement." Of course. :-).

Cheers,
RAH
Who went, obviously, to poke him about Micromint and hash-collisions, for
fun, and who *did* have fun, as a result, in a dead-horse-beating kind of
way...




[Clips] Microsoft Scraps Old Encryption in New Code

2005-09-16 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Fri, 16 Sep 2005 10:01:23 -0400
 To: Philodox Clips List <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] Microsoft Scraps Old Encryption in New Code
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 <http://www.eweek.com/print_article2/0,1217,a=160307,00.asp>

 EWeek


 Microsoft Scraps Old Encryption in New Code
 September 15, 2005
  By Paul F. Roberts

 Microsoft is banning certain cryptographic functions from new computer
 code, citing increasingly sophisticated attacks that make them less secure,
 according to a company executive.

 The Redmond, Wash., software company instituted a new policy for all
 developers that bans functions using the DES, MD4, MD5 and, in some cases,
 the SHA1 encryption algorithm, which is becoming "creaky at the edges,"
 said Michael Howard, senior security program manager at the company.


 MD4 and MD5 are instances of the Message Digest algorithm that was
 developed at MIT in the early 1990s and uses a cryptographic hash function
 to verify the integrity of data.

 The algorithms are used to create digital signatures and check the
 integrity of information passed within Microsoft Corp.'s products.


 DES (Data Encryption Standard) is a cipher that is used to encrypt
 information that is used in many networking protocols.

 All three algorithms show signs of "extreme weakness" and have been banned,
 Howard said.

 Microsoft is recommending using the Secure Hash Algorithm (SHA)256
 encryption algorithm and AES (Advanced Encryption Standard) cipher instead,
 he said.

 The change is part of a semi-yearly update to Microsoft's Secure
 Development Lifecycle policies by engineers within Microsoft's Security
 Business & Technology Unit.

 Developers who use one of the banned cryptographic functions in new code
 will have it flagged by automated code scanning tools and will be asked to
 update the function to something more secure, Howard said.

 Eventually, the company will also remove vulnerable cryptographic functions
 from older code, though that will take longer, he said.

 "Threats are constantly evolving, so it's important to stay one step
 ahead," he said.

 "It's about time," added Bruce Schneier of Counterpane Security Inc.

 Microsoft should have ended use of DES, MD4 and MD5 "years ago," and is
 only being prudent in doing so now, Schneier said.

 However, the company's "case by case" approach to banning SHA1 is more
 aggressive, considering that theoretical attacks on that algorithm only
 appeared in February, Schneier said.


 The theoretical attacks on SHA0 and SHA1 were developed by Chinese
 researchers and have some experts predicting that those algorithms will
 soon be considered too vulnerable to rely on.

 The NIST (National Institute of Standards and Technology) has scheduled a
 workshop in October to discuss alternatives to SHA1.

 Using vulnerable encryption algorithms could expose sensitive data in
 Microsoft systems. But attacks on those algorithms are still unlikely,
 given other, easier to exploit holes in the software, Schneier said.

 "There's just so much that's worse," he said of the other security holes.


--- end forwarded text


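
Added example, not part of the eWeek article and not Microsoft's tooling: a minimal sketch of the kind of automated scan the article describes, flagging DES, MD4 and MD5 identifiers as banned and SHA1 as needing case-by-case review, with the SHA-256 and AES replacements the article names. The identifier patterns (Windows CryptoAPI CALG_* constants and OpenSSL EVP_*/MD5_* names), the constructed C sample and the exception flag are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass

# Policy as the article reports it: DES, MD4 and MD5 are banned; SHA1 is
# banned "in some cases" (modelled here as "review"). Replacements are the
# two the article names: SHA-256 for hashing, AES for encryption.
POLICY = {
    "DES": ("banned", "AES"),
    "MD4": ("banned", "SHA-256"),
    "MD5": ("banned", "SHA-256"),
    "SHA1": ("review", "SHA-256"),
}

# Assumed identifier patterns: CryptoAPI CALG_* constants and OpenSSL names.
# EVP_des_ede* (triple DES) and CALG_SHA_256 must not match.
PATTERNS = {
    "DES": re.compile(r"\b(?:CALG_DES|EVP_des_(?!ede)\w+)\b"),
    "MD4": re.compile(r"\b(?:CALG_MD4|EVP_md4|MD4_\w+)\b"),
    "MD5": re.compile(r"\b(?:CALG_MD5|EVP_md5|MD5_\w+)\b"),
    "SHA1": re.compile(r"\b(?:CALG_SHA1?|EVP_sha1|SHA1_\w+)\b"),
}

# Comments and string/char literals in C source. Matching them in one pass
# means "//" inside a string, or a quote inside a comment, is handled.
_NOISE = re.compile(
    r"//[^\n]*"
    r"|/\*.*?\*/"
    r'|"(?:\\.|[^"\\\n])*"'
    r"|'(?:\\.|[^'\\\n])*'",
    re.DOTALL,
)


@dataclass(frozen=True)
class Finding:
    line: int
    col: int
    identifier: str
    algorithm: str
    status: str       # "banned" or "review"
    replacement: str


def blank_comments_and_strings(src):
    """Replace comments and literals with spaces, keeping line numbers."""
    return _NOISE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), src)


def scan(src):
    """Return findings for banned or review-only algorithm identifiers."""
    findings = []
    cleaned = blank_comments_and_strings(src)
    for lineno, text in enumerate(cleaned.split("\n"), start=1):
        for algorithm, pattern in PATTERNS.items():
            status, replacement = POLICY[algorithm]
            for m in pattern.finditer(text):
                findings.append(Finding(lineno, m.start(), m.group(0),
                                        algorithm, status, replacement))
    return sorted(findings, key=lambda f: (f.line, f.col))


def blocking_findings(findings, sha1_exception_granted=False):
    """Findings that should fail the check. SHA1 blocks unless a
    (hypothetical) case-by-case exception was granted for this file."""
    return [f for f in findings
            if f.status == "banned" or not sha1_exception_granted]


# Constructed sample input, not code from any real product.
SAMPLE = """\
#include <wincrypt.h>
#include <openssl/evp.h>
/* Old code used CALG_MD4 here; this is a comment-only mention. */
static const char *note = "MD5_Init appears only inside this string";
BOOL old_hash(HCRYPTPROV p, HCRYPTHASH *h) {
    return CryptCreateHash(p, CALG_MD5, 0, 0, h);  // CALG_DES not used here
}
BOOL new_hash(HCRYPTPROV p, HCRYPTHASH *h) {
    return CryptCreateHash(p, CALG_SHA_256, 0, 0, h);
}
const EVP_MD *legacy_digest(void) { return EVP_sha1(); }
const EVP_CIPHER *legacy_cipher(void) { return EVP_des_cbc(); }
const EVP_CIPHER *triple_des(void) { return EVP_des_ede3_cbc(); }
const EVP_CIPHER *modern_cipher(void) { return EVP_aes_256_cbc(); }
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line}: {f.identifier} ({f.algorithm}, {f.status})"
              f" -> use {f.replacement}")
```

Mentions inside comments and string literals are deliberately ignored, so a note about a removed MD5 call does not keep failing the check.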


[Clips] NSA SME-PED - the handheld for spooks

2005-09-16 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Fri, 16 Sep 2005 10:19:33 -0400
 To: Philodox Clips List <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] NSA SME-PED - the handheld for spooks
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 <http://www.gizmag.com/go/4601/>


 gizmag Article:


 NSA SME-PED - the handheld for spooks

 September 16, 2005 The United States National Security Agency (NSA) is
 planning to build its own secure wireless handset capable of voice and data
 communications over public networks, including CDMA, GSM and Wi-Fi.

 The handset which is currently going under the name of "secure mobile
 environment - portable electronic device," (SME-PED) is a secure wireless
 product that will provide users with voice and data communications
 supporting security levels up to Top Secret, as well as e-mail
 communications supporting security levels up to Secret.

 The SME-PED also provides Personal Digital Assistant (PDA) functionality.
 The SME-PED will provide the U.S. Department of Defense (DoD) and other
 U.S. Government users with a converged voice and e-mail communications
 device similar to commercially available devices such as BlackBerry,
 SideKick and Treo 650. Two companies have been awarded US$18 million dollar
 multi-year contracts to develop the SME-PED.

 One of the companies awarded the contract (the name of the other company
 has not yet been released) is L-3 Communications via its subsidiary, L-3
 CS-East, an industry leader in designing, developing and manufacturing Type
 1 Secure Telephony terminals for the U.S. DoD.

 "We are thrilled to have been selected by the NSA to develop the SME-PED,"
 said Greg Roberts, president of L-3 CS-East. "SME-PED continues L-3's
 legacy of developing leading-edge, high assurance communications products
 for use by the U.S. Government. L-3 CS-East will leverage recent
 investments in cryptographic technology as well as our experience and
 expertise in applying the U.S. Government's Future Narrow Band Digital
 Terminal (FNBDT) and High Assurance Internet Protocol Interoperability
 Specification (HAIPIS) protocols while executing this critical program."


--- end forwarded text




[Clips] Contactless payments and the security challenges

2005-09-18 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Sun, 18 Sep 2005 10:39:58 -0400
 To: Philodox Clips List <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] Contactless payments and the security challenges
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 
<http://www.nccmembership.co.uk/pooled/articles/BF_WEBART/view.asp?Q=BF_WEBART_171100>


 Principia

 The Membership Organisation For IT Professionals
 A division of the National Computing Centre


 Contactless payments and the security challenges

 David Birch reports on the latest developments in contactless payment
 systems and reviews the associated security implications.

  The announcement of schemes such as MasterCard's Paypass, American Express
 ExpressPay and Visa's contactless initiatives is a sign that contactless
 smart cards are moving out of mass transit (e.g. London's Oyster card) and
 into the mass market. Indeed, Datamonitor have forecast that the market for
 these 'payment tokens' will grow at 47 per cent per annum over the next
 five years [1]. The international payment schemes' interest is obvious. At
 a time when it's hard to explain to a consumer why a contact smart card
 (such as the 'chip and PIN' payment cards being deployed around the world)
 is better than a magnetic stripe card, payment tokens immediately
 differentiate themselves by offering a completely different (and
 significantly more convenient) consumer experience.

  Why? Because the token needs only to be waved close to the terminal. In
 many cases, it will work fine while still in a bag or briefcase providing
 it is close enough to the terminal. The distance depends on the type of
 device used; the type of 'proximity interface' chip being discussed in this
 article will work up to a few centimetres from the terminals.

  With advances in chip and antenna technology, payment tokens now have
 almost identical functionality to contact smart cards, including high
 strength cryptographic functions, and can even be in a 'dual interface'
 package sporting both contact and contactless interfaces. RFID technology,
 while new to consumer payments, has actually been out in the field for some
 time. Mass transit was one of the driving sectors. Operators in Hong Kong,
 London, Paris, Washington and Taipei, amongst others, already have millions
 of tokens in place using the same technology and many other cities are
 planning similar schemes. Their switch to RFID based tokens has three main
 drivers:
*   Lower lifetime cost of ownership - for commercial use, the
 initial cost of RFID readers is already price comparable to motorised
 contact readers. The elimination of all moving parts, however,
 significantly improves reliability and operational reader life reducing the
 overall life cycle cost of ownership. The inherent vandal proof properties
 are also ideal for unattended vending or payments, delivering overall
 improved system availability.

*   Faster transaction times - for historical reasons, and because of
 their origin in the mass transit sector (which needs high throughput at
 gates), the interfaces to RFID chips are many times faster than the
 interfaces to chip contact smart cards.

*   Flexible form factors - as it operates remotely from the reader,
 the physical size and shape of the token is unimportant. Many tokens come
 in the traditional bank card form; others have been built into consumer
 goods like Swatch watches, pagers or key fobs.


  So momentum is building, and even industry observers historically bullish
 about using tokens for payment (e.g. the author [2]) have been surprised by
 the speed of deployment. The reason might be that while the rational
 reasons for choosing tokens for payments (e.g. speed, lifetime cost of
 ownership) are good, the irrational reason is even better; they're
 interesting, particularly because of the flexible form factor.

  Of the various form factors noted above, two token-carrying devices seem
 to stand out; the key fob and the mobile phone. Whether you are waving your
 keys at a petrol pump before you fill up your car or in Burger King to pay
 for your meal, using the bunch of keys you already have in your hand
 instead of getting out your wallet makes this a clear proposition. But we
 all have our mobile phones with us all the time as well, and the phone
 (unlike the keys) can be used to manage the payment account in various
 ways, a synergy that is sure to be exploited.

  Nokia have said that they think payment tag technology is better than
 Bluetooth or Infra-red for mobile payments [3] and, in Japan, NTT DoCoMo
 and Sony have formed a joint venture (FeliCa Networks) to develop a version
 of the Sony FeliCa contactless chip for embedding into mobile phones and to
 operate the FeliCa platform for m-commerce [4]. For many consumers,

[Clips] RUXCON 2005 Update

2005-09-19 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Mon, 19 Sep 2005 10:56:52 -0400
 To: "Philodox Clips List" <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] RUXCON 2005 Update
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]


 --- begin forwarded text


  Delivered-To: [EMAIL PROTECTED]
  Date: Mon, 19 Sep 2005 10:27:07 +
  To: undisclosed-recipients: ;
  User-Agent: Mutt/1.5.6+20040907i
  From: [EMAIL PROTECTED] (RUXCON Call for Papers)
  Subject: RUXCON 2005 Update
  Sender: [EMAIL PROTECTED]

  Hi,

  RUXCON is quickly approaching yet again. This e-mail is to bring you up
  to date on the latest developments on this year's conference.

  Our speakers list is complete [1] and our timetable has been finalised
  [2]. Below is a list of presentations for RUXCON 2005 (in order of
  acceptance):

   1. Breaking Mac OSX - Ilja Van Sprundel & Neil Archibald
   2. Binary protection schemes - Andrew Griffiths
   3. Using OWASP Guide 2.0 for Deep Penetration Testing - Andrew van
      der Stock
   4. Black Box Web Application Penetration Testing - David Jorm
   5. Long Filename, Long Parameter, Malformed Data. Another Day,
      Another Vulnerability. Same Bug, Different App. - Brett Moore
   6. Computer Forensics: Practise and Procedure - Adam Daniel
   7. Poker Paranoia - Sean Burford
   8. Moving towards the Artificial Hacker - Ashley Fox
   9. Attack automation - Roelof Temmingh
  10. Electronic Evidence - a Law Enforcement Perspective - Jason
      Beckett
  11. Beyond NX: An attackers guide to anti-exploitation technology for
      Windows - Ben Nagy
  12. Crypto Rodeo - Amy Beth Corman
  13. Trust Transience: Post Intrusion SSH Hijacking - Metlstorm
  14. Attacking WiFi with traffic injection - Cedric "Sid" Blanche
  15. Securing Modern Web Applications - Nik Cubrilovic
  16. Malware Analysis - Nicolas Brulez
  17. Deaf, Dumb and Mute: Defeating Network Intrusion Detection Systems
      (NIDS) - Christian Heinrich

  As in previous years, there will be activities and competitions, which
  allow attendees to have fun, win prizes, and socialise, all while
  enjoying a cold beer on an Australian summer's day.

  Some activities which will be held during the conference include:

* Capture the flag
* Reverse engineering
* Exploit development
* Chilli eatoff
* Trivia

  This will be the third year in a row in which we've brought a quality
  conference to the Australian computer security community.

  Hope to see you there.

  Regards,

  RUXCON Staff
  http://www.ruxcon.org.au

  [1] http://www.ruxcon.org.au/2005-presentations.shtml
  [2] http://www.ruxcon.org.au/2005-timetable.shtml


 --- end forwarded text



--- end forwarded text




RFID Payments

2005-09-20 Thread R.A. Hettinga
I've got Dave's updated article here, for them as wants it...


Cheers,
RAH

--- begin forwarded text


 Subject: RFID Payments
 Date: Mon, 19 Sep 2005 17:21:14 +0100
 From: "Dave Birch" <[EMAIL PROTECTED]>
 To: <[EMAIL PROTECTED]>, "Bob Hettinga" <[EMAIL PROTECTED]>,
"Ian Grigg" <[EMAIL PROTECTED]>

 John (and Bob and Ian),

 Thanks for the interest in the article, which I really appreciate.  I can
 safely say I had no idea that NCC IT Advisor was so widely read!

 > http://www.nccmembership.co.uk/pooled/articles/BF_WEBART/view.asp?Q=BF_WEBART171100
 >
 >  Interesting article,

 Thanks, much appreciated.

 > but despite the title, there seems to be no
 >  mention of any of the actual security (or privacy) challenges involved
 >  in deploying massive RFID payment systems.

 Please find enclosed an updated draft of a longer version, which I hope
 helps to stimulate this debate further.

 >E.g. I can extract money
 >  from your RFID payment tag whenever you walk past, whether you
 >  authorized the transaction or not.

 You can extract a transaction, certainly.  But not money: the only place the
 money can go to is a merchant acquiring account (if you're talking about
 Visa, MC, Amex schemes).

 > And even assuming you wanted it
 >  this way, if your Nokia phone has an RFID chip in it, who's going to
 >  twist the arms of all the transit systems and banks and ATM networks
 >  and vending machines and parking meters and supermarkets and
 >  libraries?

 Transit is a special case, so let's put that to one side for a second.

 As for banks, supermarkets etc: they're already installing the terminals.

 > Their first reaction is going to be to issue you an RFID
 >  themselves, and make you juggle them all,

 Just like your existing payment cards.

 >rather than agreeing that
 >  your existing Nokia RFID will work with their system.

 No, not really.  Your Nokia phone will become your Visa or MC card and
 therefore work with the terminals.

 Things may develop in a different direction in the world of NFC, but that's
 a different issue (ie, phone as POS terminal rather than phone as card).

 >If you lose
 >  your cellphone, you can report it gone (to fifty different systems),
 >  and somehow show them your new Motorola RFID, but how is each of them
 >  going to know it's you, rather than a fraudster doing denial of
 >  service or identity theft on you?

 Very good point, and this will have to be addressed.

 >  Then there's the usual "tracking people via the RFIDs they carry"
 >  problem, which was not just ignored -- they claimed the opposite:

 Remote tracking is a non-issue with these schemes, the range is too short.
 I'll track the tag on your shirt rather than your card.

 >  "This kind of solution provides privacy, because the token ID is
 >  meaningless to anyone other than the issuing bank which can map that
 >  ID to an actual account or card number."  That is only true once --
 >  til anyone who wants to correlates that token ID "blob" with your
 >  photo on the security camera,

 Or the loyalty card I used in the transaction.  But your point is correct:
 using my MasterCard keyfob gives me privacy from the clerk etc, but of
 course it is not designed to be impervious to correlated data fusion.

 > your license plate number (and the RFIDs
 >  in each of your Michelin tires), the other RFIDs you're carrying, your
 >  mobile phone number, the driver's license they asked you to show, the
 >  shipping address of the thing you just bought, and the big database on
 >  the Internet where Equifax will turn a token ID into an SSN (or vice
 >  versa) for 3c in bulk.

 That's a different kind of privacy.  I am not claiming that the payment
 tokens being introduced provide any kind of anonymity.  Nor do they and nor,
 as far as I am aware, will it ever be one of their design goals.

 >  The article seems to have a not-so-subtle flavor of boosterspice.

 Absolutely.  I love contactless payments.

 >  Anybody got a REAL article on contactless payments and security
 >  challenges?

 Please let me have a copy as I'm interested in anything around this topic.

 And thanks again for taking the trouble to comment: I genuinely do value the
 input.

 Best regards,
 Dave Birch.

 --
 -- David Birch, Director, Consult Hyperion 
 --
 -- Tweed House, 12 The Mount, Guildford GU2 4HN, UK
 -- voice +44 (0)1483 468672, fax +44 (0)8701 338610
 --
 -- Digital Identity 6, 25th/26th October 2005 





--- end forwarded text



[Clips] [MTNews] CRYPTOCard DEMONSTRATES CRYPTO-Server 6.3

2005-09-20 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Mon, 19 Sep 2005 15:04:54 -0400
 To: "Philodox Clips List" <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] [MTNews] CRYPTOCard DEMONSTRATES CRYPTO-Server 6.3
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]


 --- begin forwarded text


  Date: Mon, 19 Sep 2005 09:59:24 -0700
  To: [EMAIL PROTECTED]
  From: MacTech News Moderator <[EMAIL PROTECTED]>
  Subject: [MTNews] CRYPTOCard DEMONSTRATES CRYPTO-Server 6.3
  Sender: <[EMAIL PROTECTED]>



  CRYPTOCard DEMONSTRATES CRYPTO-Server 6.3 FOR OS X AT APPLE EXPO IN PARIS:
  CRYPTO-Server 6.3 SETS NEW STANDARD IN FULLY-INTEGRATED TWO-FACTOR
  AUTHENTICATION FOR "PANTHER" AND "TIGER" USERS - PROVIDES ATM-STYLE ACCESS
  TO DESKTOPS, LAPTOPS, AND APACHE WEB SERVERS

  Fully Compatible With "Tiger's" Support For Smart Cards, CRYPTO-Server 6.3
  For OS X Provides Simple Authenticated Access To Desktops-Even If The User
  Is Not Connected To The Network!


  PARIS, FRANCE, September 19, 2005 - CRYPTOCard (http://www.cryptocard.com/),
  a leading authentication developer, will demonstrate CRYPTO-Server 6.3 for
  OS X, the authentication solution designed to make it simple to positively
  identify all Panther and Tiger users attempting LAN, VPN (Apple or Cisco),
  or Web-based (Apache) access, at the Apple Expo (booth 22) in Paris from
  September 20th through 24th. Specifically designed to fully integrate with
  Tiger's robust support for smart card environments, CRYPTO-Server 6.3
  couples something in the user's possession (a multi-function smart card,
  USB token, hardware token, or software token), with something the user
  knows (their PIN) to provide secure, enterprise-class LAN, Web, and remote
  ATM-style ‘One-PIN-and-You’re-In’ authenticated access that mirrors the look
  and feel of the OS X logon - ensuring that the technology is simple for
  Tiger and Panther users to utilize. CRYPTO-Server 6.3's "Fast User
  Switching" functionality also makes it simple for multiple Tiger users to
  securely access the Mac, using smart cards or tokens - in a stand-alone or
  networked environment.

  Incorporating CRYPTOCard's familiar ATM-style logon, that has proven to
  eliminate the user resistance usually encountered when organizations
  attempt to implement an additional layer of security, CRYPTO-Server 6.3 for
  OS X generates a one-time password for every log-on attempt, making stolen
  credentials useless to hackers while simultaneously ensuring Tiger and
  Panther users do not have to memorize complicated credentials -
  significantly reducing the help-desk costs associated with resetting
  forgotten passwords, and the obvious security risk resulting from users
  writing down their passwords.

  "Understanding that an organization cannot guarantee a system security if
  it cannot positively authenticate each individual user, CRYPTOCard has
  developed a fully-integrated authentication solution specifically designed
  for Tiger and Panther," commented Malcolm MacTaggart, President & CEO,
  CRYPTOCard Corporation. "CRYPTO-Server 6.3 now makes it simple for Tiger
  and Panther users, particularly in the traditional Mac strongholds of the
  health, legal, higher education, and printing/publishing/multimedia
  sectors, to provide true ATM-style ‘One-PIN-and-You’re-In’ enterprise-class
  strong user authentication for LAN, VPN, Web, or remote system access."

  CRYPTOCard's CRYPTO-Logon feature makes it easy for OS X users attempting
  to gain secure LAN, Web, or remote access to the system to authenticate
  themselves to the CRYPTO-Server by simply inserting their smart card and
  entering their PIN. To log off, the user simply removes their smart card to
  lock the desktop. CRYPTO-Server 6.3 for OS X's "Fast User Switching"
  functionality makes it simple for multiple users to utilize CRYPTOCard's
  familiar ATM-style protocol to gain authenticated access via the same
  computer in stand-alone and, or, in network environments.

  CRYPTO-Server's remote access functionality offers support for Apple's VPN
  Server, with the same "One-PIN-and-You’re-In." experience, however, if
  hardware tokens are employed, no additional software is required on the
  client side - CRYPTOCard's two-factor-authentication is ready to go,
  "out-of-the-box." CRYPTO-Server 6.3's CRYPTO-Web component also makes it
  simple for Tiger users to utilize the exact same ATM-style log-on protocol
  to positively authenticate themselves to Apache and IIS Websites, right
  down to the page level. And, with almos

[Clips] NSA granted Net location-tracking patent

2005-09-22 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Thu, 22 Sep 2005 11:47:03 -0400
 To: Philodox Clips List <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] NSA granted Net location-tracking patent
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 <http://news.com.com/2102-7348_3-5875953.html?tag=st.util.print>

 CNET News


  NSA granted Net location-tracking patent

  By Declan McCullagh

  Story last modified Wed Sep 21 13:49:00 PDT 2005


 The National Security Agency has obtained a patent on a method of figuring
 out an Internet user's geographic location.

 Patent 6,947,978, granted Tuesday, describes a way to discover someone's
 physical location by comparing it to a "map" of Internet addresses with
 known locations.

 The NSA did not respond Wednesday to an interview request, and the patent
 description talks only generally about the technology's potential uses. It
 says the geographic location of Internet users could be used to "measure
 the effectiveness of advertising across geographic regions" or flag a
 password that "could be noted or disabled if not used from or near the
 appropriate location."

 Other applications of the geo-location patent, invented by Stephen Huffman
 and Michael Reifer of Maryland, could relate to the NSA's signals
 intelligence mission--which is, bluntly put, spying on the communications
 of non-U.S. citizens.

 "If someone's engaged in a dialogue or frequenting a 'bad' Web site, the
 NSA might want to know where they are," said Mike Liebhold, a senior
 researcher at the Institute for the Future who has studied geo-location
 technology. "It wouldn't give them precision, but it would give them a clue
 that they could use to narrow down the location with other intelligence
 methods."

 The NSA's patent relies on measuring the latency, meaning the time lag
 between computers exchanging data, of "numerous" locations on the Internet
 and building a "network latency topology map." Then, at least in theory,
 the Internet address to be identified can be looked up on the map by
 measuring how long it takes known computers to connect to the unknown one.



 The technique isn't foolproof. People using a dial-up connection can't be
 traced beyond their Internet service provider--which could be in a
 different area of the country--and it doesn't account for proxy services
 like Anonymizer.

 Geo-location, sometimes called "geo-targeting" when used to deliver
 advertising, is an increasingly attractive area for Internet businesses.
 DoubleClick has licensed geo-location technology to deliver
 location-dependent advertising, and Visa has signed a deal to use the
 concept to identify possible credit card fraud in online orders.

 Digital Envoy holds a patent on geo-location, and Quova, a privately held
 firm in Mountain View, Calif., holds three more, one shared with Microsoft.

 "It's honestly not clear that there's anything special or technically
 advanced about what they're describing," Quova Vice President Gary Jackson
 said, referring to the NSA's patent. "I'd have to have our technical guys
 read it, but I don't think it impacts us in any way."

 --
 -
 R. A. Hettinga 
 The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
 44 Farquhar Street, Boston, MA 02131 USA
 "... however it may deserve respect for its usefulness and antiquity,
 [predicting the end of the world] has not been found agreeable to
 experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
 ___
 Clips mailing list
 [EMAIL PROTECTED]
 http://www.philodox.com/mailman/listinfo/clips

--- end forwarded text


-- 
-
R. A. Hettinga 
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
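
The lookup the article describes, reduced to a small added example (not from the article or the patent): measured round-trip times are matched against a map of hosts with known locations, and the result drives the password check the patent description mentions. The nearest-neighbour rule, the distance threshold, the addresses and every latency value are assumptions constructed for illustration.

```python
import math

# Constructed sample data. Each entry is a host with a known location and the
# round-trip times (ms) measured to it from three monitoring hosts, in the
# order (east, central, west). In a probe, None marks a measurement that
# timed out.
LATENCY_MAP = {
    "198.51.100.10": ("Boston",        (9.0, 31.0, 78.0)),
    "198.51.100.20": ("Chicago",       (28.0, 8.0, 52.0)),
    "198.51.100.30": ("Denver",        (49.0, 24.0, 29.0)),
    "198.51.100.40": ("San Francisco", (80.0, 50.0, 7.0)),
}


def latency_distance(a, b):
    """RMS difference over the monitors that answered in both vectors."""
    pairs = [(x, y) for x, y in zip(a, b) if x is not None and y is not None]
    if len(pairs) < 2:
        # A single shared measurement cannot tell locations apart.
        return math.inf
    return math.sqrt(sum((x - y) ** 2 for x, y in pairs) / len(pairs))


def locate(probe, latency_map=LATENCY_MAP, max_distance=10.0):
    """Return (location, distance) for the closest map entry.

    The location is None when nothing in the map is within max_distance,
    so a host far from every known point is reported as unknown rather
    than forced onto the nearest entry.
    """
    best_location, best_distance = None, math.inf
    for location, vector in latency_map.values():
        d = latency_distance(probe, vector)
        if d < best_distance:
            best_location, best_distance = location, d
    if best_distance > max_distance:
        return None, best_distance
    return best_location, best_distance


def check_login(expected_location, probe):
    """'ok', 'flag' or 'unknown' for a login measured from `probe`."""
    location, _ = locate(probe)
    if location is None:
        return "unknown"
    return "ok" if location == expected_location else "flag"


if __name__ == "__main__":
    # Direct connection from a Boston-area host.
    print(check_login("Boston", (11.0, 29.0, 80.0)))
    # Same account reached through a proxy on the west coast: the
    # measurements describe the proxy, not the user, which is the
    # limitation the article points out.
    print(check_login("Boston", (82.0, 49.0, 9.0)))
    # One monitor timed out; the remaining two still discriminate.
    print(locate((None, 9.0, 50.0)))
    # Nothing in the map resembles this host.
    print(check_login("Boston", (150.0, 140.0, 160.0)))
```
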


[Clips] Controversial security chip goes mobile

2005-09-28 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Wed, 28 Sep 2005 14:40:08 -0400
 To: Philodox Clips List <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] Controversial security chip goes mobile
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 <http://www.vnunet.com/articles/print/2142876>

 VNUNet

 Phone makers seek to further lock down handsets
 Controversial security chip goes mobile
 Tom Sanders at CTIA Wireless in San Francisco, vnunet.com 28 Sep 2005

 The Trusted Computing Group (TCG) is working on specifications for a
 security chip that could show up in mobile phones by the end of next year.

 The initiative to make handsets more secure has broad support from phone
 manufacturers, carriers and semiconductor makers.

 But the plans have been sharply criticised by consumer advocacy group the
 Electronic Frontier Foundation as an effort to further limit consumers in
 what they can do with their mobile phones.

 At the CTIA Wireless IT and Entertainment tradeshow in San Francisco, the
 TCG spoke publicly about the initiative for the first time, and unveiled 11
 applications that the security chip seeks to enable.

 These include authentication, digital rights management, Sim-lock,
 controlling software downloads and software use, and the protection of user
 data and privacy.

 "The mobile platform is being driven to more value-added solutions such as
 access control, e-commerce and content delivery," said Brian Berger,
 marketing chairman at the TCG. "Then hardware security becomes even more
 important."

 A mobile phone is susceptible in theory to the same threats that face
 computers, he added, including viruses and denial of service attacks.
 Berger argued that security technology embedded on a chip could prevent
 such attacks from reaching the handset.

 The TCG is a non-profit organisation which defines security standards for
 the high tech industry, including the Trusted Platform Module (TPM)
 security chip for desktops and laptops.

 It also offers a standard for secure networks, and is working on security
 chip specifications for servers.

 The mobile chip will be similar to the TPM, which is deployed in several
 enterprise systems and is expected to be used in the Intel powered Apple
 computers that will start shipping next year.

 In Apple's case the chip ensures that its OS X operating system is running
 only on Apple hardware. The chip also allows for the secure storage of
 passwords and enables the encryption of data.

 One of its more controversial elements is that it can be used for digital
 rights management, limiting which web pages users can print or what digital
 content they can play.

 Specifications for the mobile security standard are expected in the first
 half of 2006. The first proof of concept handsets are to follow later that
 year, Berger predicted. He also expects the technology to be integrated
 into other components of the phone.

 A mobile phone group within the TCG will work on defining the
 specifications of the standard. Members of the group include France
 Telecom, Vodafone, IBM, Philips, Nokia and Motorola.

 Nokia hopes to reduce the cost of developing the technology by working
 through the standards body, while an open standard will also lead several
 manufacturers to make the chip which in turn will keep down the price.

 "The big benefit is a reduction in the cost of security functionality,"
 said Janne Uusilehto, head of product security technologies at Nokia.

 He predicted that the technology will cost $5 at most, meaning that the
 consumer would end up paying an additional $15 to $25 when buying the phone.

 The Electronic Frontier Foundation, a non profit group that aims to protect
 the digital rights of individuals, slammed the initiative.

 "This enables the carriers to further control their end users," Seth
 Schoen, staff technologist with the organisation, told vnunet.com.
 "Cellphones are already a disappointment to users."

 He insisted that it is the business models used by mobile operators that
 determine what users can do with their devices, rather than technology.
 Schoen predicted that the security technology will only worsen these
 limitations.

 Many of the user cases that the TCG presented can be looked at from two
 different angles, according to Schoen.

 A secure Sim-lock, for instance, is designed to render the device useless
 to a thief after the operator has disabled the account. But it will also
 prevent the user from switching to a competing operator.

 The secure software feature can prevent spyware and other malware from
 being installed on the device, but can also limit the user to buying
 software only from carrier-approved stores.

 --
 -
 R. A. Hettinga 
 The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
 44 Farquhar Street, Boston, MA 02131 US

[Clips] Schwarzenegger signs law to punish phishing

2005-10-01 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Fri, 30 Sep 2005 23:29:12 -0400
 To: Philodox Clips List <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] Schwarzenegger signs law to punish phishing
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 <http://www.msnbc.msn.com/id/9547692/print/1/displaymode/1098/>

 MSNBC.com

 Schwarzenegger signs law to punish phishing
 California law first of its kind in the United States
 Reuters
 Updated: 9:32 p.m. ET Sept. 30, 2005


 SAN FRANCISCO - California Gov. Arnold Schwarzenegger signed a bill Friday
 making Internet "phishing" identity theft scams punishable by law.

 The bill, advanced by state Sen. Kevin Murray, is the first of its kind in
 the United States and makes "phishing" - getting people to divulge personal
 information via e-mail by representing oneself as a business without the
 approval or authority of the business - a civil violation.

 Victims may seek to recover actual damages or $500,000 for each violation,
 depending upon which is greater. Phishing often involves the use of names
 of legitimate banks, retailers and financial institutions to convince
 recipients of bogus e-mail offers to respond.

 --
 -
 R. A. Hettinga 
 The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
 44 Farquhar Street, Boston, MA 02131 USA
 "... however it may deserve respect for its usefulness and antiquity,
 [predicting the end of the world] has not been found agreeable to
 experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
 ___
 Clips mailing list
 [EMAIL PROTECTED]
 http://www.philodox.com/mailman/listinfo/clips

--- end forwarded text


-- 
-
R. A. Hettinga 
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Venona not all decrypted?

2005-10-04 Thread R.A. Hettinga
I just heard that the Venona intercepts haven't all been decrypted, and
that the reason for that was there "wasn't enough budget to do so".

Is that "not enough budget" to apply the one-time pads they already have,
or is that the once-and-futile exercise of "decrypting" ciphertext with no
one-time pad to go with it?

Cheers,
RAH


-- 
-
R. A. Hettinga 
The Internet Bearer Underwriting Corporation 
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


[Clips] Can writing software be a crime?

2005-10-05 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Wed, 5 Oct 2005 12:56:53 -0400
 To: Philodox Clips List <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] Can writing software be a crime?
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 <http://www.theregister.co.uk/2005/10/04/secfocus_keyloggers/print.html>

 The Register


 Can writing software be a crime?
 By Mark Rasch, SecurityFocus (MarkRasch at solutionary.com)
 Published Tuesday 4th October 2005 10:05 GMT

 Can writing software be a crime? A recent indictment in San Diego,
 California indicates that the answer to that question may be yes. We all
 know that launching certain types of malicious code - viruses, worms,
 Trojans, even spyware or sending out spam - may violate the law. But on
 July 21, 2005 a federal grand jury in the Southern District of California
 indicted 25 year old Carlos Enrique Perez-Melara for writing, advertising
 and selling a computer program called "Loverspy," a key logging program
 designed to allow users to capture keystrokes of any computer onto which it
 is installed. The indictment raises a host of questions about the
 criminalization of code, and the rights of privacy for users of the
 Internet and computers in general.

 Like many nations, the United States has laws prohibiting the surreptitious
 eavesdropping of conversations. The federal law prohibits the
 "interception" of such communications while "in transmission," as well as
 the disclosure of the contents of any such unlawfully intercepted
 communications. Under federal law there are three exceptions to this. The
 first is where you are the government and you have either a Title III court
 order, a FISA court order, or what is called a "national security letter"
 permitting such interceptions. The second exception is where you are the
 "provider of communications facilities" and the interception is "in the
 ordinary course of business" and for particular stated purposes. Finally,
 the third exception is in situations where you have obtained the consent of
 at least one of the parties to the communication.

 Thus, at least under federal law, it is legal to record a conversation, an
 e-mail, an internet communication if one and only one of the parties to the
 communication has given actual or implied consent to the "interception" or
 recording. Indeed, it is for this reason that most entities have "computer
 use policies" which explain that use of corporate computer systems implies
 their consent to monitoring of communications.

 Loverspy and EmailPI

 Carlos Enrique Perez-Melara developed, advertised and sold a spyware
 program called alternatively "Loverspy" or "E-Mail PI" on websites known as
 lover-spy.com or emailpi.com. They were sold for $89, and were advertised
 to be used to surreptitiously spy on anyone. The idea was that you would
 buy the Trojan program, e-mail it to your target (disguised in a greeting
 card) which would then cause the Trojan to be installed on any computer the
 purchaser directed it to - assuming the "victim" was dumb enough to open a
 greeting card from an ex-spouse.

 Once installed, the Trojan gave the attacker full access to the victim's
 computer by logging keystrokes, capturing e-mail, capturing websites
 visited, and even allowing remote access to things like webcams and
 microphones. Thus, the software had several different components. First, it
 was able to be installed surreptitiously as a Trojan. Second, it had both a
 key logger or e-mail logging functionality. Third, it acted as a remote
 control client, similar to programs like MS Terminal Server or Remote User,
 or commercial software like GoToMy PC.

 The government has prosecuted people under the federal wiretap laws for
 using keystroke loggers, most notably the indictment last year of Larry Lee
 Ropp, who at the time was an employee of Bristol West Insurance Group /
 Coast National Insurance company. Ropp installed physical key loggers onto
 his employers' computers to obtain evidence to support his assertion that
 the company was ripping off their customers. That case was dismissed when
 the federal judge ruled that the physical key logger, installed between the
 keyboard and the computer, did not capture communications "in interstate or
 foreign commerce" but rather captured them locally.

 The Perez-Melara case, in comparison, represents the first time the
 government has attempted to prosecute the developer of a software that can
 be used for both lawful purposes (surreptitiously monitoring conversations
 with the consent of one party, or with the "implied" consent of an employee
 or a minor) or for unlawful purposes (eavesdropping without the consent of
 either party

[Clips] Homeland Security privacy chief quits

2005-10-07 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Fri, 7 Oct 2005 13:05:10 -0400
 To: Philodox Clips List <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] Homeland Security privacy chief quits
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 
<http://www.boston.com/news/nation/washington/articles/2005/09/30/homeland_security_privacy_chief_quits?mode=PF>

 The Boston Globe

 Homeland Security privacy chief quits

 By Sara Kehaulani Goo and Spencer S. Hsu, Washington Post  |  September 30,
 2005

 WASHINGTON -- Nuala O'Connor Kelly, who won praise for protecting
 Americans' privacy rights at the Department of Homeland Security but drew
 criticism for her office's lack of independence, stepped down yesterday
 after two years as the department's first chief privacy officer.

 The ombudsman-like job was created by Congress in 2002 to uphold the
 Privacy Act within a department that launched a series of ambitious
 security programs that affect millions of people, including airline
 travelers, truck drivers, and foreign visitors.

 Many groups that advocate greater privacy protections feared the chief
 privacy officer could have become a rubber stamp for the administration's
 homeland security agenda, but they credited O'Connor Kelly with
 establishing an office that won respect within and outside the
 administration.

 Former and current colleagues said O'Connor Kelly used a combination of her
 forceful personality and support of Tom Ridge, the department's first
 secretary, to ensure that her staff of 400 employees held its own inside
 the department.

 ''O'Connor Kelly has done a commendable job as Homeland Security's first
 chief privacy officer considering the limited independence of the job as it
 was created by Congress," Barry Steinhardt, director of the American
 Civil Liberties Union's Technology and Liberty Project, said in a statement.
 ''But even as strong a privacy officer as O'Connor Kelly could only do so
 much with the powers that she was given."

 O'Connor Kelly has accepted a position as head of privacy issues for
 General Electric Co.

 Maureen Cooney, her chief of staff, has been named acting chief privacy
 officer.
 --
 -
 R. A. Hettinga 
 The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
 44 Farquhar Street, Boston, MA 02131 USA
 "... however it may deserve respect for its usefulness and antiquity,
 [predicting the end of the world] has not been found agreeable to
 experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
 ___
 Clips mailing list
 [EMAIL PROTECTED]
 http://www.philodox.com/mailman/listinfo/clips

--- end forwarded text


-- 
-
R. A. Hettinga 
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


[Clips] Fingerprint Matches Come Under More Fire As Potentially Fallible

2005-10-07 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Fri, 7 Oct 2005 13:24:14 -0400
 To: Philodox Clips List <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] Fingerprint Matches Come Under More Fire As Potentially
Fallible
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 <http://online.wsj.com/article_print/SB112864132376462238.html>

 The Wall Street Journal

  October 7, 2005
  SCIENCE JOURNAL
  By SHARON BEGLEY



 Fingerprint Matches
  Come Under More Fire
  As Potentially Fallible
 October 7, 2005; Page B1

 Fingerprint examiners would probably be happy if they never heard the name
 "Brandon Mayfield" again, but for researchers who study the scientific
 basis for fingerprint identification Mr. Mayfield is the gift that keeps on
 giving.

 Mr. Mayfield is the Portland, Ore., lawyer and Muslim convert whose prints
 the FBI matched to those taken from a suspicious bag near one of the 2004
 Madrid train bombings. When Spanish police insisted the prints didn't match
 Mr. Mayfield's -- and eventually linked them to an Algerian living in Spain
 -- the FBI conceded the error and apologized to the jailed Mr. Mayfield.

 Since such an error is supposed to be impossible (an FBI handbook says, "Of
 all the methods of identification, fingerprinting alone has proved to be
 both infallible and feasible"), the case has achieved a certain notoriety.
 So when scientists recently tested fingerprint IDs, they told examiners one
 set of prints were from Mr. Mayfield and the other set from the Madrid
 bombings. "We told them we were trying to understand what went wrong in
 that case," says Itiel Dror of Britain's University of Southampton, who did
 the study with student David Charlton. "Could they please look at the
 prints and tell us where the examiners had gone wrong."

 One examiner said he couldn't tell if the pair matched. Three said the pair
 did not match and helpfully pointed out why. The fifth examiner insisted
 the prints -- notorious for not matching -- did match.

 Give that one a gold star.

 Unbeknown to the examiners, the prints were not from Madrid and Mr.
 Mayfield. They were pairs that each examiner had testified in recent
 criminal cases came from the same person. The three who told the scientists
 that their pair didn't match therefore reached a conclusion opposite to the
 one they had given in court; another expressed uncertainty, whereas in
 court he had been certain. Prof. Dror will present the study later this
 month at the Biometrics 2005 meeting in London.

 A study this small would hardly show up on scientists' radar screens. But
 it comes at a time when traditional forensic sciences -- analysis of bite
 marks, bullets, hair, handwriting and fingerprints -- are facing skepticism
 over the validity of their core claim: that when two marks are not
 observably different, they were produced by the same person or thing.

 Michael Saks of Arizona State University, Tempe, argues that the claim
 lacks "theoretical and empirical foundation." There is no basic science
 that predicts how often marks that match on some number of characteristics
 actually come from different people, as there is for DNA typing. And data
 on the frequency of false matches are sparse.

 It isn't just fingerprints. Last month the FBI announced that its lab would
 no longer try to match bullets by the trace elements they contain. Although
 the FBI "still firmly supports the scientific foundation of bullet lead
 analysis," the bureau said, "neither scientists nor bullet manufacturers
 are able to definitively attest to the significance of an association made
 between bullets."

 That decision may be the first move toward what Prof. Saks calls "the
 coming paradigm shift in forensic science." For too long, he argues,
 forensic science has been excused from rigorous research on how frequently
 attributes (ridges and whorls in fingerprints, trace amounts of tin or
 antimony in bullets) vary and on the probability that marks with identical
 attributes come from different people or objects.

 In the most serious break with rigorous science, forensic science often
 regards the very notion of probability as anathema. The International
 Association for Identification, the largest forensic group, says testifying
 about "possible, probable or likely identification shall be deemed ...
 conduct unbecoming." Only 100% certainty will do. The pioneers of DNA
 typing, in contrast, calculated the probability of false matches, making
 DNA the most scientific forensic science.

 The unsupported, and unscientific, claim of infallibility is being tested
 in Massachusetts' highest court, which last month heard an appeal on the
 admissibility of fingerprints. Defense lawyers argued that the technique
 falls short of the standard 

[Clips] Lloyds steps up online security (SecureID)

2005-10-14 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Fri, 14 Oct 2005 10:44:32 -0400
 To: Philodox Clips List <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] Lloyds steps up online security (SecureID)
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 <http://news.bbc.co.uk/1/low/business/4340898.stm>

 The BBC

 Friday, 14 October 2005, 10:46 GMT 11:46 UK

 Lloyds steps up online security

 Lloyds TSB is to trial a new security system for online banking customers,
 in an attempt to beat internet fraud.

 About 30,000 customers will receive keyring-sized security devices, which
 generate a six-digit code to be used alongside usernames and passwords.

 The code, which changes every 30 seconds, could help fight fraudsters who
 hack people's PCs or use "phishing" emails to steal login details.

 Similar systems are already in use in Asia, Scandinavia and Australia.

 Password sniffers

 Until now, Lloyds TSB has used a two-stage system for identifying its
 customers.

 First, users must enter a username and password. Then, on a second screen,
 they are asked to use drop-down menus to choose three letters from a
 self-chosen memorable piece of information.

 The aim of using menus rather than the keyboard has been to defeat
 so-called "keyloggers", tiny bits of software which can be used by hackers
 who have breached a PC's security to read every key pressed and thus sniff
 out passwords.

  "There's no hiding the fact that fraud is on the increase"
 Matthew Timms, Lloyds TSB


 But newer keyloggers now also take screenshots, which can reveal the entire
 memorable word after the bank's website has been used just a few times.

 Alternatively, fraudsters use "phishing" emails, which tempt customers to
 log onto a fake banking website and enter their details.

 Lloyds says that about £12m was lost to this kind of scam in 2004 - but it
 warns that attacks are multiplying fast.

 One-time deal

 The bank says it is guaranteeing that they will not suffer from losses even
 if their PCs are compromised, as long as they have not - for instance -
 given their password away intentionally.

 This stance contrasts with warnings from some other banks - notably HSBC -
 that in future customers could be held responsible if they do not keep
 security up to date on their machines.

 But Lloyds also hopes that its trial system could effectively toughen up
 customer access - regardless of the state of their computer.

 The customers testing Lloyds TSB's new system will press a button on their
 device to generate a new six-digit number every time they log on.

 They will do the same every time they need to confirm a transaction,
 instead of simply repeating their password.

 Lloyds TSB hopes the move will mean keyloggers and phishing emails will not
 have time to use any details they collect.

 "Fraudsters are becoming increasingly cunning with their tactics, and
 there's no hiding the fact that fraud is on the increase," said Matthew
 Timms, Lloyds TSB's internet banking director.

 Other banks are trying different devices, and Mr Timms acknowledged that
 the keyring-style token would probably not be the final format.

 "The journey we're on will probably end up as a card which can do both
 internet banking and card-not-present (credit card) transactions," he said.




--- end forwarded text


-- 
-
R. A. Hettinga 
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


[Clips] Bypassing the Password Prompt

2005-10-18 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Mon, 17 Oct 2005 20:02:26 -0400
 To: Philodox Clips List <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] Bypassing the Password Prompt
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 
<http://www.washingtonpost.com/wp-dyn/content/article/2005/10/15/AR2005101500178_pf.html>

 The Washington Post

 washingtonpost.com
 Bypassing the Password Prompt

 By Mike Musgrove
 Washington Post Staff Writer
 Sunday, October 16, 2005; F07

 So many passwords, so little memory. In a digital era where everybody can
 access everything from bank information to vacation photos online,
 passwords are everywhere and many folks in the plugged-in world are finding
 they have more than they can remember.

 Password-management software, designed to give people a safe place to stash
 all those secret codes, has become a mini-industry unto itself. For Mac
 users, Apple has even built a password-stashing program, called Keychain,
 into the operating system.

 Security expert Bruce Schneier, the author of a free program for Windows
 users, got so tired of having to keep a lot of seldom-used passwords in his
 head that he designed a digital-locker program that he gives away at his
 security-focused blog, http://www.schneier.com/ .

 Schneier says his program, which is basically a notepad locked under its
 own password, uses "military-level" encryption. "Basically, the idea is
 that you could hand this file to your worst enemy, and he still couldn't
 get to your passwords," he said.

 Just don't come complaining to him if you forget the password that you use
 to open the program because he has no way to access it.

 Schneier's program requires users to copy and paste their password from his
 program to any password-protected application or Web site. For users
 looking to reclaim a few more precious seconds from their daily Web
 routine, there's another program that makes things even a little easier.

 A security widget from Siber Systems Inc., a small software company in
 Fairfax, automates the process of logging on to password-protected Web
 sites. Click on your "Hotmail" entry in the program, for example, and
 RoboForm will automatically enter your information and log you in to the
 Web-based e-mail program. If you like, the program will even randomly
 generate a password for you, all the better for protecting that valuable
 info locked up at your online stock account.

 Siber Systems marketing executive Bill Carey says that the program, which
 will also stash your credit card information and fill it out when you make
 purchases online, has been downloaded 6 million times since its launch in
 2001. The company offers a free trial version of the software at
 http://www.roboform.com/ ; the full version costs $29.95.

 Sometimes Web users can circumvent the process of having to use a password
 at all. For Web surfers who don't want to register at pesky news sites that
 want your e-mail address and demographic information, one site,
 http://www.bugmenot.com , is a clearinghouse for bogus accounts. It'll set
 you up with cheeky fake names and passwords -- like "[EMAIL PROTECTED]"
 and "death_to_logons" -- that already work on the site you're trying to
 access.

 Though Bugmenot.com is primarily a handy way to avoid registering at a news
 site -- the site lists washingtonpost.com as an offender -- it also pitches
 itself as a social movement for those who find it annoying that such Web
 sites ask for personal information. The site has a petition online, a
 protest "to demonstrate the pointless nature of forced Web site
 registration schemes and the dubious demographic data they collect."

 By signing the petition, Bugmenot.com users vow to create a fake account at
 one of the "top ten offending sites" on Nov. 13, which the site dubs
 "Internet Advertiser Wakeup Day."

--- end forwarded text


[Clips] Estonians vote in world's first nationwide Internet election

2005-10-18 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Mon, 17 Oct 2005 20:11:31 -0400
 To: Philodox Clips List <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] Estonians vote in world's first nationwide Internet election
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 
<http://www.siliconvalley.com/mld/siliconvalley/news/editorial/12903730.htm?template=contentModules/printstory.jsp>

 The San Jose Mercury News

 Posted on Fri, Oct. 14, 2005

 Estonians vote in world's first nationwide Internet election




 TALLINN, Estonia (AP) - This tiny former Soviet republic nicknamed
 ``e-Stonia'' because of its tech-savvy population is breaking new ground in
 digital democracy.

 This week, Estonia became the first country in the world to hold an
 election allowing voters nationwide to cast ballots over the Internet.

 Fewer than 10,000 people, or 1 percent of registered voters, participated
 online in elections for mayors and city councils across the country, but
 officials hailed the experiment conducted Monday to Wednesday as a success.

 Election officials in the country of 1.4 million said they had received no
 reports of flaws in the online voting system or hacking attempts.

 But critics say the fact that no problems emerged shouldn't give people
 comfort that Internet voting is safe from hacks, identity fraud and vote
 count manipulation. Potential attackers, they say, may simply wait until
 Internet voting is more widely used -- by which time it would be harder to
 stop.

 In the United States, the Pentagon canceled an Internet voting plan for
 military and overseas citizens in 2004 because of security concerns. Plans
 for large-scale voting in Britain have also been dropped.

 ``The benefits don't come anywhere near the risks,'' said Jason Kitcat, an
 online consultant and researcher at the University of Sussex, England.
 ``It's a waste of money and a waste of government energy.''

 He acknowledged that Estonia's system was the most secure to date, but said
 no system was ``good enough for a politically binding election.''

 Thousands of people voted online in Democratic primaries in Arizona in 2000
 and Michigan in 2004. The city of Geneva, Switzerland, has held several
 online referendums, the first in January 2003.

 But Estonia is the first to extend it to voters nationwide, experts said.

 ``They have the perfect population size to do something like this,'' said
 Thad Hall, a University of Utah political scientist and co-author of a book
 on Internet voting. ``As they have success, people will start to copy their
 success.''

 Estonia has the most advanced information infrastructure of any formerly
 communist eastern European state.

 It gave the Linux-based voting system a trial run in January, when about
 600 people voted online in a referendum in the capital, Tallinn. The plan
 is to allow online voting in the next parliamentary elections in 2007.

 ``I believe this is the future,'' said Mait Sooaru, director of an Estonian
 information logistics company who cast his electronic ballot Monday. ``It
 was easy and pretty straightforward.''

 To cast an online ballot, voters need a special ID card, a $24 device that
 reads the card and a computer with Internet access. Some 80 percent of
 Estonian voters have the ID cards, which have been used since 2002 for
 online access to bank accounts and tax records.

 Election committee officials said the ID card system had proven effective
 and reliable and dismissed any security concerns with using it for the
 online ballot.

 Arne Koitmae, of Parliament's elections department, said Internet voting
 would make it easier for people in remote rural locations to vote.

 Election officials said only 9,317 people out of 1.06 million registered
 voters opted to vote online. Estonians were also given the option of voting
 by mail and in person on Sunday.

 Koitmae said many ID card users still lack the reading device, which
 explains the low turnout of online voting.


--- end forwarded text

[Clips] Sleuths Crack Tracking Code Discovered in Color Printers

2005-10-19 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Wed, 19 Oct 2005 15:28:33 -0400
 To: Philodox Clips List <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] Sleuths Crack Tracking Code Discovered in Color Printers
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 
<http://www.washingtonpost.com/wp-dyn/content/article/2005/10/18/AR2005101801663_pf.html>

 The Washington Post

 washingtonpost.com
 Sleuths Crack Tracking Code Discovered in Color Printers

 By Mike Musgrove
 Washington Post Staff Writer
 Wednesday, October 19, 2005; D01

 It sounds like a conspiracy theory, but it isn't. The pages coming out of
 your color printer may contain hidden information that could be used to
 track you down if you ever cross the U.S. government.

 Last year, an article in PC World magazine pointed out that printouts from
 many color laser printers contained yellow dots scattered across the page,
 viewable only with a special kind of flashlight. The article quoted a
 senior researcher at Xerox Corp. as saying the dots contain information
 useful to law-enforcement authorities, a secret digital "license tag" for
 tracking down criminals.

 The content of the coded information was supposed to be a secret, available
 only to agencies looking for counterfeiters who use color printers.

 Now, the secret is out.

 Yesterday, the Electronic Frontier Foundation, a San Francisco consumer
 privacy group, said it had cracked the code used in a widely used line of
 Xerox printers, an invisible bar code of sorts that contains the serial
 number of the printer as well as the date and time a document was printed.

 With the Xerox printers, the information appears as a pattern of yellow
 dots, each only a millimeter wide and visible only with a magnifying glass
 and a blue light.

 The EFF said it has identified similar coding on pages printed from nearly
 every major printer manufacturer, including Hewlett-Packard Co., though its
 team has so far cracked the codes for only one type of Xerox printer.

 The U.S. Secret Service acknowledged yesterday that the markings, which are
 not visible to the human eye, are there, but it played down the use for
 invading privacy.

 "It's strictly a countermeasure to prevent illegal activity specific to
 counterfeiting," agency spokesman Eric Zahren said. "It's to protect our
 currency and to protect people's hard-earned money."

 It's unclear whether the yellow-dot codes have ever been used to make an
 arrest. And no one would say how long the codes have been in use. But Seth
 Schoen, the EFF technologist who led the organization's research, said he
 had seen the coding on documents produced by printers that were at least 10
 years old.

 "It seems like someone in the government has managed to have a lot of
 influence in printing technology," he said.

 Xerox spokesman Bill McKee confirmed the existence of the hidden codes, but
 he said the company was simply assisting an agency that asked for help.
 McKee said the program was part of a cooperation with government agencies,
 competing manufacturers and a "consortium of banks," but would not provide
 further details. HP said in a statement that it is involved in
 anti-counterfeiting measures and supports the cooperation between the
 printer industry and those who are working to reduce counterfeiting.

 Schoen said that the existence of the encoded information could be a threat
 to people who live in repressive governments or those who have a legitimate
 need for privacy. It reminds him, he said, of a program the Soviet Union
 once had in place to record sample typewriter printouts in hopes of
 tracking the origins of underground, self-published literature.

 "It's disturbing that something on this scale, with so many privacy
 implications, happened with such a tiny amount of publicity," Schoen said.

 And it's not as if the information is encrypted in a highly secure fashion,
 Schoen said. The EFF spent months collecting samples from printers around
 the world and then handed them off to an intern, who came back with the
 results in about a week.

 "We were able to break this code very rapidly," Schoen said.

--- end forwarded text

[Clips] Bruce Schneier talks cyber law

2005-10-20 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Wed, 19 Oct 2005 23:33:54 -0400
 To: Philodox Clips List <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] Bruce Schneier talks cyber law
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 <http://www.theregister.co.uk/2005/10/19/schneier_talks_law/print.html>

 The Register

 Original URL: http://www.theregister.co.uk/2005/10/19/schneier_talks_law/
 Bruce Schneier talks cyber law
 By John Oates in Vienna (john.oates at theregister.co.uk)
 Published Wednesday 19th October 2005 10:01 GMT

 RSA Europe 2005 ISPs must be made liable for viruses and other bad network
 traffic, Bruce Schneier, security guru and founder and CTO of Counterpane
 Internet Security, told The Register yesterday.

 He said: "It's about externalities - like a chemical company polluting a
 river - they don't live downstream and they don't care what happens. You
 need regulation to make it bad business for them not to care. You need to
 raise the cost of doing it wrong." Schneier said there was a parallel with
 the success of the environmental movement - protests and court cases made
 it too expensive to keep polluting and made it better business to be
 greener.

 Schneier said ISPs should offer consumers "clean pipe" services: "Corporate
 ISPs do it, why don't they offer it to my Mum? We'd all be safer and it's
 in our interests to pay.

 "This will happen, there's no other possibility."

 He said there was no reason why legislators do such a bad job of drafting
 technology laws. Schneier said short-sighted lobbyists were partly to
 blame. He said much cyber crime legislation was unnecessary because it
 should be covered by existing laws - "theft is theft and trespass is still
 trespass".

 But Schneier conceded that getting international agreements in place would
 be very difficult and that we remain at risk from the country with the
 weakest laws - in the same way we remain at risk from the least
 well-protected computer on the network.

--- end forwarded text


[Clips] Read two biometrics, get worse results - how it works

2005-10-20 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Wed, 19 Oct 2005 23:32:55 -0400
 To: Philodox Clips List <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] Read two biometrics, get worse results - how it works
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 <http://www.theregister.co.uk/2005/10/19/daugman_multi_biometrics/print.html>

 The Register

 Original URL:
http://www.theregister.co.uk/2005/10/19/daugman_multi_biometrics/
 Read two biometrics, get worse results - how it works
 By John Lettice (john.lettice at theregister.co.uk)
 Published Wednesday 19th October 2005 14:47 GMT

 A regular correspondent (thanks, you know who you are) points us to some
 calculations by John Daugman, originator of the Daugman algorithms for iris
 recognition. These ought to provide disturbing reading for Home Office
 Ministers who casually claim that by using multiple biometrics
 (http://www.theregister.co.uk/2005/10/17/mcnulty_fingers_id_problem/)
 you'll get a better result than by using just the one. Although that may
 seem logical, it turns out that it isn't, necessarily.

 Daugman presents
 (http://www.cl.cam.ac.uk/users/jgd1000/combine/combine.html) the two rival
 intuitions, then does the maths. On the one hand, a combination of
 different tests should improve performance, because more information is
 better than less information. But on the other, the combination of a strong
 test with a weak test to an extent averages the result, so the result
 should be less reliable than if one were relying solely on the strong test.
 (If Tony McNulty happens to be with us, we suggest he fetches the ice pack
 now.)

 "The key to resolving the apparent paradox," writes Daugman, "is that when
 two tests are combined, one of the resulting error rates (False Accept or
 False Reject rate) becomes better than that of the stronger of the two
 tests, while the other error rate becomes worse even than that of the
 weaker of the tests. If the two biometric tests differ significantly in
 their power, and each operates at its own cross-over point, then combining
 them gives significantly worse performance than relying solely on the
 stronger biometric."

 This is of particular relevance to the Home Office's current case for use
 of multiple biometrics, because its argument is based on the use of three
 types of biometric, fingerprint, facial and iris, which are substantially
 different in power.

 Daugman produces the calculations governing the use of two hypothetical
 biometrics, one with both false accept and false reject rates of one in
 100, and the second with the two rates at one in 1,000. On its own,
 biometric one would produce 2,000 errors in 100,000 tests, while biometric
 two would produce 200. You can treat the use of two biometrics in one of
 two ways - the subject must be required to pass both (the 'AND' rule) or
 the subject need only pass one (the 'OR' rule). Daugman finds that under
 either rule there would be 1,100 errors, i.e. 5.5 times more errors than if
 the stronger test were used alone.

 He concludes that a stronger biometric is therefore better used alone than
 in combination, but only when both are operating at their crossover points.
 If the false accept rate (when using the 'OR' rule) or the false reject
 rate (when using the 'AND' rule) is brought down sufficiently (to "smaller
 than twice the crossover error rate of the stronger test", says Daugman)
 then use of two can improve results. If we recklessly attempt to put a
 non-mathematical gloss on that, we could think of the subject having to
 pass two tests (in the case of the 'AND' rule) of, say, facial and iris.
 Dropping the false reject rate of the facial test (i.e. letting more people
 through) in line with Daugman's calculations would produce a better result
 than using iris alone, but if the facial system rejects fewer people
 wrongly, then it will presumably be accepting more people wrongly.

 Which suggests to us that simply regarding a second or third biometric as a
 fall back to be used only if earlier tests fail constructs a scenario where
 the combined results will be worse than use of the single stronger test,
 because in such cases the primary biometric test would have to be
 sufficiently strong to stand on its own, because you won't always be using
 the second or third test.

 The deployment of biometric testing equipment in the field is also likely
 to have a confusing effect on relative error rates, because environmental
 factors will tend to impact the different tests to different degrees. Poor
 lighting may have an effect on iris and facial but not on fingerprint,
 while the aircon breaking down may produce greasy fingers and puffy red
 faces, but leave
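
Daugman's arithmetic from the article above, worked through as an added example (not code from the article or from Daugman's page). It assumes the two tests err independently and that 100,000 impostor and 100,000 genuine attempts are made, which is what reproduces the article's 2,000 and 200 figures; the retuned operating point for the weaker test is a constructed value.

```python
"""Added example: Daugman's two-biometric arithmetic, using exact fractions."""
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class Biometric:
    far: Fraction  # false accept rate: impostor wrongly accepted
    frr: Fraction  # false reject rate: genuine user wrongly rejected


def combine_and(a: Biometric, b: Biometric) -> Biometric:
    """'AND' rule: the subject must pass both tests (independence assumed)."""
    return Biometric(
        far=a.far * b.far,                  # an impostor has to fool both tests
        frr=a.frr + b.frr - a.frr * b.frr,  # a genuine user fails if either rejects
    )


def combine_or(a: Biometric, b: Biometric) -> Biometric:
    """'OR' rule: the subject need only pass one test (independence assumed)."""
    return Biometric(
        far=a.far + b.far - a.far * b.far,  # an impostor needs to fool only one
        frr=a.frr * b.frr,                  # a genuine user fails only if both reject
    )


def expected_errors(t: Biometric, attempts: int = 100_000) -> Fraction:
    """Errors over `attempts` impostor tries plus `attempts` genuine tries."""
    return (t.far + t.frr) * attempts


# The article's two hypothetical biometrics, each at its crossover point.
WEAK = Biometric(far=Fraction(1, 100), frr=Fraction(1, 100))
STRONG = Biometric(far=Fraction(1, 1000), frr=Fraction(1, 1000))

# Constructed operating point (not from the article): the weaker test is tuned
# to reject far fewer genuine users, at the cost of accepting many more impostors.
WEAK_RETUNED = Biometric(far=Fraction(1, 10), frr=Fraction(1, 2000))


def report() -> dict:
    """Expected error counts for each configuration discussed in the article."""
    rows = {
        "weak alone": WEAK,
        "strong alone": STRONG,
        "AND, both at crossover": combine_and(WEAK, STRONG),
        "OR, both at crossover": combine_or(WEAK, STRONG),
        "AND, weak test retuned": combine_and(WEAK_RETUNED, STRONG),
    }
    return {name: expected_errors(t) for name, t in rows.items()}


if __name__ == "__main__":
    for name, errors in report().items():
        print(f"{name:26s} {float(errors):9.2f} errors")
    combined = combine_and(WEAK_RETUNED, STRONG)
    # Reading of the quoted threshold used here: the combined false reject rate
    # under 'AND' must fall below twice the stronger test's crossover rate.
    print("combined FRR below 2 x strong crossover:", combined.frr < 2 * STRONG.frr)
```

Under 'AND' with both tests at crossover, the false accept rate improves on the stronger test while the false reject rate ends up worse than the weaker test's, which is where the 1,100 total comes from.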

How ATM fraud nearly brought down British banking

2005-10-22 Thread R.A. Hettinga

--- begin forwarded text


 Date: Sat, 22 Oct 2005 01:58:34 -0400
 To: Philodox Clips List <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: How ATM fraud nearly brought down British banking

 <http://www.theregister.co.uk/2005/10/21/phantoms_and_rogues/print.html>

 The Register

 Original URL: http://www.theregister.co.uk/2005/10/21/phantoms_and_rogues/
 How ATM fraud nearly brought down British banking
 By Charles Arthur (feedback at theregister.co.uk)
 Published Friday 21st October 2005 09:52 GMT

 This is the story of how the UK banking system could have collapsed in the
 early 1990s, but for the forbearance of a junior barrister who also
 happened to be an expert in computer law - and who discovered that at that
 time the computing department of one of the banks issuing ATM cards had
 "gone rogue", cracking PINs and taking money from customers' accounts with
 abandon.

 The reason you're hearing it now is that, with Chip and PIN cards finally
 in widespread use in the UK, the risk of the ATM network being abused as it
 was has fallen away. And now that junior barrister, Alistair Kelman, wanted
 to get paid for thousands of pounds of work that he did under legal aid,
 when he was running a class action on behalf of more than 2,000 people who
 had suffered "phantom withdrawals" from their bank accounts. What you're
 about to read comes from the documents he submitted last week to the High
 Court, pursuing his claim to payment.

 "Phantom withdrawals" were a big mystery when the banks and building
 societies began to join their ATM networks together in the 1980s. Kelman at
 that time was a barrister (who argues cases in front of a judge, rather
 than only slogging away in legal chambers) specialising in intellectual
 property law. He got interested in computing in the 1980s when the National
 Computing Centre asked him to advise the Midland Bank on its computer
 system.

 What quickly became clear was that the law needed a system to provide proof
 that events had happened so that legal cases could be made. You might say
 that "the computer debited the account", but to a barrister (and more
 importantly, a judge) that's not enough. Did the computer do it at random?
 In that case it's like a tree branch falling - an accident. Or did a person
 program it to do so? In which case the person must be able to testify about
 the precise circumstances when a debit could happen. Sounds daft, but the
 law rests on proving each step of an argument irrefutably.

 In February 1992 Kelman got a call from Sheila MacKenzie, head of the
 Consumers' Association (which publishes Which? magazine), who said that
 members were complaining by the dozen about phantom withdrawals, and was he
 interested? Kelman was, and met MacKenzie, with two of the association's
 members, Mr and Mrs McConville from Liverpool, who had had a number of
 phantom withdrawals from their Barclays account. They already had a
 solicitor, but needed someone with computer expertise in the law to make
 their case. Kelman at this time was able to charge £1,750 per hour - each
 hour being broken into six-minute chunks. Oh, and don't forget VAT too.
 That's £206.62 per six minutes.

 He showed his value pretty quickly, pointing out that banks must have a
 legal mandate to debit someone's account. If they take it away from a
 customer without a mandate, they must refund it. So the legal point of
 phantom withdrawals hinged on the question: if a PIN is typed into an ATM
 with a card that matches an account number, is that a mandate by the
 customer for the bank to debit their account?

 As long as you didn't breach the terms of the contract by leaving your card
 lying around (which would give implicit authority for use), then you, as
 the customer, could simply say that the withdrawal was not mandated, and
 demand your cash back.

 How could the banks respond? They'd have to give all the phantom withdrawal
 money back where they could not show that the customer had typed in the PIN
 - unless, that is, they claimed that their systems were infallible. Yes,
 only by going where no computer system had ever gone before could the banks
 deny that phantom withdrawals were (1) taking place and (2) their
 responsibility to refund.

 You'd think it would be open and shut. You haven't dealt much with banks,
 have you? Kelman took the case on legal aid and decided to bundle up more
 than 2,000 people's cases into a single class action against all the high
 street banks taking part in the ATM network. He trawled newsgroups for
 information on how crackers might decode ATM cards.

 He also met two key people in the course of his research. The first, early
 on, was Andrew Stone, an ex-con who had been done for fraud, who claimed to
 had take

[PracticalSecurity] Anonymity - great technology but hardly used

2005-10-25 Thread R.A. Hettinga

--- begin forwarded text


 Date: Mon, 24 Oct 2005 23:31:34 +0200
 To: [EMAIL PROTECTED]
 From: Hagai Bar-El <[EMAIL PROTECTED]>
 Subject: [PracticalSecurity] Anonymity - great technology but hardly used
 Sender: [EMAIL PROTECTED]

 Hello,

 I wrote a short essay about anonymity and pseudonymity being
 technologies that are well advanced but seldom used.

 Following are excerpts from the essay that can be found at:
 http://www.hbarel.com/Blog/entry0006.html

 In spite of our having the ability to establish anonymous surfing,
 have untraceable digital cash tokens, and carry out anonymous
 payments, we don't really use these abilities, at large. If you are
 not in the security business you are not even likely to be aware of
 these technical abilities.

 If I may take a shot at guessing the reason for the gap between what
 we know how to do and what we do, I would say it's due to the overall
 lack of interest of the stakeholders. Fact probably is, most people
 don't care that much about anonymity, and most of the ones who do,
 are not security geeks who appreciate the technology and thus trust
 it. So, we use what does not require mass adoption and do not use what does.

 Anonymous browsing is easy, because it does not need an expensive
 infrastructure that requires a viable business model behind it;
 fortunately. A few anonymity supporters run TOR servers on their
 already-existent machines, anonymity-aware users run TOR clients and
 proxy their browsers through them, and the anonymity need is met. The
 onion routing technology that TOR is based on is used; not too often,
 but is used. The problem starts with systems that require a complex
 infrastructure to run, such as anonymous payment systems.

 As much as some of us don't like to admit it, most consumers do not
 care about the credit card company compiling a profile of their money
 spending habits. Furthermore, of the ones who do, most are not
 security engineers and thus have no reason to trust anonymity schemes
 they don't see or feel intuitively (as one feels when paying with
 cash). The anonymous payment systems are left to be used primarily by
 the security-savvy guys who care; they do not form a mass market.

 I believe that for anonymity and pseudonymity technologies to survive
 they have to be applied to applications that require them by design,
 rather than to mass-market applications that can also do (cheaper)
 without. If anonymity mechanisms are deployed just to fulfill the
 wish of particular users then it may fail, because most users don't
 have that wish strong enough to pay for fulfilling it. An example for
 such an application (that requires anonymity by design) could be
 E-Voting, which, unfortunately, suffers from other difficulties. I am
 sure there are others, though.


 Regards,
 Hagai.


 ___
 PracticalSecurity mailing list
 [EMAIL PROTECTED]
 http://hbarel.com/mailman/listinfo/practicalsecurity_hbarel.com

--- end forwarded text


-- 
-
R. A. Hettinga 
The Internet Bearer Underwriting Corporation 
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


[Clips] Disney 'Screener' DVDs to Use Dolby Encryption Technology

2005-10-25 Thread R.A. Hettinga
"And *where* do we put the CCD?"
  -- Number one answer in a "Top Ten" quiz at the FC2K rump-session to a
description of a certain "Mickey Mouse" projector protocol...

Cheers,
RAH
-
--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Tue, 25 Oct 2005 10:06:40 -0400
 To: Philodox Clips List <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] Disney 'Screener' DVDs to Use Dolby Encryption Technology
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 <http://online.wsj.com/article_print/SB113014664939177401.html?mod=djemMM>

 The Wall Street Journal

  October 24, 2005 9:39 a.m. EDT

 Disney 'Screener' DVDs to Use
  Dolby Encryption Technology
 By WILL DALEY
 DOW JONES NEWSWIRES
 October 24, 2005 9:39 a.m.

 BURBANK, Calif. -- Walt Disney Co. said it will use encryption technology
 from Dolby Laboratories Inc. in the 2005 "screener" DVDs it provides to
 people who vote on movie awards.

 Disney will use technology from Dolby unit Cinea, which provides copy
 protection and piracy tracking for DVDs.

 "This process offers maximum protection for our films, while allowing key
 members of the Academy, BAFTA [British Academy of Film and Television
 Arts], and a few other select organizations the opportunity to view these
 contenders in the comfort of their own homes," Walt Disney Studios Chairman
 Dick Cook said in a statement early Monday.

 Last year, authorities charged a Chicago-area man on allegations he copied
 movies from videocassettes he received from a member of the Academy of
 Motion Picture Arts and Sciences who had received screener tapes.

 Cinea's method includes the S-View DVD player and encryption technology.
 The DVD player also plays standard DVDs.

 In collaboration with the Academy of Motion Picture Arts and Sciences and
 the Bafta, its British counterpart, Cinea has distributed the DVD players
 to nearly 12,000 of the collective voting members, according to the press
 release.

 Cinea encrypts each disc with a code unique to each member, and the disc
 delivered to each member will play only on the Cinea DVD player registered
 by that member. A Cinea encrypted disc cannot be viewed on any other DVD
 player or computer.

 Disney said it is exploring the possibility of incorporating Cinea's
 security technology into its entire post-production process.


 ___
 Clips mailing list
 [EMAIL PROTECTED]
 http://www.philodox.com/mailman/listinfo/clips

--- end forwarded text




[Clips] US spy agency's patents under security scrutiny

2005-10-31 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Sat, 29 Oct 2005 08:19:44 -0400
 To: Philodox Clips List <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] US spy agency's patents under security scrutiny
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 <http://www.newscientist.com/article.ns?id=dn8223&print=true>

 New Scientist

 US spy agency's patents under security scrutiny
 17:45 27 October 2005
 NewScientist.com news service
Paul Marks

 The hyper-secretive US National Security Agency - the government's
 eavesdropping arm - appears to be having its patent applications
 increasingly blocked by the Pentagon. And the grounds for this are for
 reasons of national security, reveals information obtained under a freedom
 of information request.

 Most Western governments can prevent the granting (and therefore
 publishing) of patents on inventions deemed to contain sensitive
 information of use to an enemy or terrorists. They do so by issuing a
 secrecy order barring publication and even discussion of certain inventions.

 Experts at the US Patent and Trademark Office perform an initial security
 screening of all patent applications and then army, air force and navy
 staff at the Pentagon's Defense Technology Security Administration (DTSA)
 make the final decision on what is classified and what is not.

 Now figures obtained from the USPTO under a freedom of information request
 by the Federation of American Scientists show that the NSA had nine of its
 patent applications blocked in the financial year to March 2005 against
 five in 2004, and none in each of the three years up to 2003.

 Keeping secrets

 This creeping secrecy is all the more surprising because as the US
 government's eavesdropping and code-breaking arm - which is thought to
 harness some of the world's most powerful supercomputers to decode
 intercepted communications - the NSA will have detailed knowledge of what
 should be kept secret and what should not. So it is unlikely to file
 patents that give away secrets.

 Bruce Schneier, a cryptographer and computer security expert with
 Counterpane Internet Security in California, finds the development
 "fascinating".

 "It's surprising that the Pentagon is becoming more secretive than the NSA.
 While I am generally in favour of openness in all branches of government,
 the NSA has had decades of experience with secrecy at the highest levels,"
 Schneier told New Scientist. "The fact that the Pentagon is classifying
 things that the NSA believes should be public is an indication of how much
 secrecy has crept into government over the past few years."

 However, at another level, the Pentagon appears to be relaxing slightly: it
 seems to be loosening its post 9/11 grip on the ideas of private inventors,
 with the number having patents barred on the grounds of national security
 halving in the last year.

 In the financial year to 2004, DTSA imposed 61 secrecy orders on private
 inventors, a number that had been climbing inexorably since 9/11. But up to
 the end of financial 2005, only 32 inventors had "secrecy orders" imposed
 on their inventions.

 Overall, the figures obtained by the FAS reveal 106 new secrecy orders were
 imposed on US inventions to March 2005, while 76 others were rescinded. So
 there are now 4915 secrecy orders in effect - some of which have been in
 effect since the 1930s.

 Related Articles

 Patents gagged in the name of national security
 http://www.newscientist.com/article.ns?id=mg18725075.800
 09 July 2005

 Transforming US Intelligence edited by Jennifer E Sims and Burton Gerber
 http://www.newscientist.com/article.ns?id=mg18725182.100
 24 September 2005

 Hand over your keys
 http://www.newscientist.com/article.ns?id=mg16922735.200
 13 January 2001

 Weblinks

 Invention secrecy activity, Federation of American Scientists
 http://www.fas.org/sgp/othergov/invention/stats.html

 US Department of Defense
 http://www.defenselink.mil/

 US National Security Agency
 http://www.nsa.gov/


--- end forwarded text



[Clips] Security 2.0: FBI Tries Again To Upgrade Technology

2005-10-31 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Mon, 31 Oct 2005 07:29:37 -0500
 To: Philodox Clips List <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] Security 2.0: FBI Tries Again To Upgrade Technology
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 <http://online.wsj.com/article_print/SB113072498332683907.html>

 The Wall Street Journal

  October 31, 2005

 Security 2.0:
  FBI Tries Again
  To Upgrade Technology
 By ANNE MARIE SQUEO
 Staff Reporter of THE WALL STREET JOURNAL
 October 31, 2005; Page B1

 As the fifth chief information officer in as many years at the Federal
 Bureau of Investigation, Zalmai Azmi faces a mystery: How to create a
 high-tech system for wide sharing of information inside the agency, yet at
 the same time stop the next Robert Hanssen.

 Mr. Hanssen is the rogue FBI agent who was sentenced to life in prison for
 selling secret information to the Russians. His mug shot -- with the words
 "spy, traitor, deceiver" slashed across it -- is plastered on the walls of
 a room at FBI headquarters where two dozen analysts try to track security
 breaches.

 Mr. Hanssen's arrest in February 2001, and his ability to use the agency's
 archaic system to gather the information he sold, led FBI officials to want
 to "secure everything" in their effort to modernize the bureau, Mr. Azmi
 says. But then, investigations after the Sept. 11 terrorist attacks showed
 that FBI agents had information about suspected terrorists that hadn't been
 shared with other law-enforcement agencies. So then "we said, 'Let's share
 everything,'" Mr. Azmi says.

 Since then, the FBI spent heavily to upgrade its case-management system,
 from one that resembled early versions of personal computers -- green type
 on a black computer screen, requiring a return to the main menu for each
 task -- to a system called Virtual Case File, which was supposed to use
 high-speed Internet connections and simple point-and-click features to sort
 and analyze data quickly.

 But after four years and $170 million, the dueling missions tanked the
 project. FBI Director Robert Mueller in April pulled the plug on the much
 ballyhooed technology amid mounting criticism from Congress and feedback
 from within the bureau that the new system wasn't a useful upgrade of the
 old, rudimentary system. As a result, the FBI continues to use older
 computer systems and paper documents remain the official record of the FBI
 for the foreseeable future.

 Highlighting the agency's problems is the recent indictment of an FBI
 analyst, Leandro Aragoncillo, who is accused of passing secret information
 to individuals in the Philippines. After getting a tip that Mr. Aragoncillo
 was seeking to talk to someone he shouldn't have needed to contact, the FBI
 used its computer-alert system to see what information the analyst had
 accessed since his hiring in 2004, a person familiar with the probe said.
 The system didn't pick up Mr. Aragoncillo's use of the FBI case-management
 system as unusual because he didn't seek "top secret" information and
 because he had security clearances to access the information involved, this
 person said.

 The situation underscores the difficulties in giving analysts and FBI
 agents access to a broad spectrum of information, as required by the 9/11
 Commission, while trying to ensure rogue employees aren't abusing the
 system. It's up to Mr. Azmi to do all this -- without repeating the
 mistakes of Virtual Case File.

 Much is at stake: FBI agents and analysts are frustrated by the lack of
 technology -- the FBI finished connecting its agents to the Internet only
 last year -- and Mr. Mueller's legacy depends on the success of this
 effort. The FBI director rarely appears at congressional hearings or news
 conferences without his chief information officer close by these days.

 An Afghan immigrant, the 43-year-old Mr. Azmi fled his native country in
 the early 1980s after the Soviet invasion. After a brief stint as a car
 mechanic in the U.S., he enlisted in the Marines in 1984 and spent seven
 years mainly overseas. A facility for languages -- he speaks five -- helped
 him win an assignment in the Marines working with radio communications and
 emerging computer technologies.

 When he returned to the U.S., he joined the U.S. Patent and Trademark
 Office as a project manager developing software and hardware solutions for
 patent examiners. He attended college and graduate school at night,
 obtaining a bachelor's degree in information systems from American
 University and a master's degree in the same field from George Washington
 University, both in Washington, D.C. Afterward, he got a job at the Justice
 Department in which he helped upgrade technology for U.S. attorneys across
 the country.

 That is wher

[Clips] Sony's "DRM" Rootkit

2005-11-01 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Mon, 31 Oct 2005 18:43:40 -0500
 To: Philodox Clips List <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] Sony's "DRM" Rootkit
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 Click the link for pics.

 Cheers,
 RAH
 ---

 
<http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html>


 Mark's Sysinternals Blog
 Monday, October 31, 2005

 Sony, Rootkits and Digital Rights Management Gone Too Far
 Last week when I was testing the latest version of RootkitRevealer (RKR) I
 ran a scan on one of my systems and was shocked to see evidence of a
 rootkit. Rootkits are cloaking technologies that hide files, Registry keys,
 and other system objects from diagnostic and security software, and they
 are usually employed by malware attempting to keep their implementation
 hidden (see my "Unearthing Rootkits" article from the June issue of Windows
 IT Pro Magazine for more information on rootkits). The RKR results window
 reported a hidden directory, several hidden device drivers, and a hidden
 application:


 Given the fact that I'm careful in my surfing habits and only install
 software from reputable sources I had no idea how I'd picked up a real
 rootkit, and if it were not for the suspicious names of the listed files I
 would have suspected RKR to have a bug. I immediately ran Process Explorer
 and Autoruns to look for evidence of code that would activate the rootkit
 each boot, but I came up empty with both tools. I next turned to LiveKd, a
 tool I wrote for Inside Windows 2000 and that lets you explore the
 internals of a live system using the Microsoft kernel debugger, to
 determine what component was responsible for the cloaking.

 Rootkits that hide files, directories and Registry keys can either execute
 in user mode by patching Windows APIs in each process that applications use
 to access those objects, or in kernel mode by intercepting the associated
 kernel-mode APIs. A common way to intercept kernel-mode application APIs is
 to patch the kernel's system service table, a technique that I pioneered
 with Bryce for Windows back in 1996 when we wrote the first version of
 Regmon. Every kernel service that's exported for use by Windows
 applications has a pointer in a table that's indexed with the internal
 service number Windows assigns to the API. If a driver replaces an entry in
 the table with a pointer to its own function then the kernel invokes the
 driver function any time an application executes the API and the driver can
 control the behavior of the API.

 It's relatively easy to spot system call hooking simply by dumping the
 contents of the service table: all entries should point at addresses that
 lie within the Windows kernel; any that don't are patched functions.
 Dumping the table in Livekd revealed several patched functions:


 I listed one of the intercepting functions and saw that it was part of the
 Aries.sys device driver, which was one of the images I had seen cloaked in
 the $sys$filesystem directory:


 Armed with the knowledge of what driver implemented the cloaking I set off
 to see if I could disable the cloak and expose the hidden processes, files,
 directories, and Registry data. Although RKR indicated that the
 \Windows\System32\$sys$filesystem directory was hidden from the Windows
 API, it's common for rootkits to hide directories from a directory listing,
 but not to prevent a hidden directory from being opened directly. I
 therefore checked to see if I could examine the files within the hidden
 directory by opening a command prompt and changing into the hidden
 directory. Sure enough, I was able to enter and access most of the hidden
 files:


 Perhaps renaming the driver and rebooting would remove the cloak, but I
 also wanted to see if Aries.sys was doing more than cloaking so I copied it
 to an uncloaked directory and loaded it into IDA Pro, a powerful
 disassembler I use in my exploration of Windows internals. Here's a
 screenshot of IDA Pro's disassembly of the code that calculates the entries
 in the system service table that correspond to the functions it wants to
 manipulate:


 I studied the driver's initialization function, confirmed that it patches
 several functions via the system call table and saw that its cloaking code
 hides any file, directory, Registry key or process whose name begins with
 "$sys$". To verify that I made a copy of Notepad.exe named $sys$notepad.exe
 and it disappeared from view. Besides being indiscriminate about the
 objects it cloaks, other parts of the Aries code show a lack of
 sophistication on the part of the programmer. It's never safe to unload a
 driver that patches the system call table since some thread might be just
 about to execute the first instruction of a hooked func
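
The service-table check the Sysinternals post describes (every entry should point inside the kernel image; anything else is a patched function), as an added C example that is not code from the post or from Sysinternals. The address ranges and table contents are constructed sample values and example.sys is a hypothetical driver; on a live system the table and module list would come from a kernel debugger dump.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A loaded kernel-mode image occupying [base, base + size). */
typedef struct {
    const char *name;
    uint32_t base;
    uint32_t size;
} module_t;

/* One service-table slot whose pointer leaves the kernel image. */
typedef struct {
    size_t service;      /* index into the service table */
    uint32_t target;     /* address stored in that slot */
    const char *owner;   /* image containing target, or "<no image>" */
} hook_t;

/* Subtraction form stays correct even if base + size would wrap. */
static int contains(const module_t *m, uint32_t addr)
{
    return addr >= m->base && (addr - m->base) < m->size;
}

/* Attribute an address to the loaded image that contains it. */
static const char *owner_of(const module_t *mods, size_t nmods, uint32_t addr)
{
    for (size_t i = 0; i < nmods; i++)
        if (contains(&mods[i], addr))
            return mods[i].name;
    return "<no image>";
}

/*
 * Report every slot that does not point into the kernel image.
 * Returns the total number found; at most cap records are written to out.
 */
size_t find_hooks(const uint32_t *table, size_t n, const module_t *kernel,
                  const module_t *mods, size_t nmods,
                  hook_t *out, size_t cap)
{
    size_t found = 0;
    for (size_t i = 0; i < n; i++) {
        if (contains(kernel, table[i]))
            continue;
        if (found < cap) {
            out[found].service = i;
            out[found].target = table[i];
            out[found].owner = owner_of(mods, nmods, table[i]);
        }
        found++;
    }
    return found;
}

/* Constructed sample data: every address below is invented for the demo. */
static const module_t SAMPLE_KERNEL = { "ntoskrnl.exe", 0x804d7000u, 0x00214000u };
static const module_t SAMPLE_MODS[] = {
    { "example.sys", 0xf7b00000u, 0x00008000u },  /* hypothetical, hooks nothing */
    { "aries.sys",   0xf8a10000u, 0x00002000u },
};
static const uint32_t SAMPLE_TABLE[] = {
    0x80501234u,  /* 0: inside the kernel */
    0x805a0010u,  /* 1: inside the kernel */
    0xf8a10480u,  /* 2: inside aries.sys */
    0x806eaff0u,  /* 3: near the end of the kernel image, still inside */
    0x806eb000u,  /* 4: first byte past the kernel image */
    0xf8a11a00u,  /* 5: inside aries.sys */
    0x8052abcdu,  /* 6: inside the kernel */
};

static hook_t sample_hooks[8];

/* Scan the constructed table; results land in sample_hooks. */
size_t sample_scan(void)
{
    return find_hooks(SAMPLE_TABLE, sizeof SAMPLE_TABLE / sizeof SAMPLE_TABLE[0],
                      &SAMPLE_KERNEL,
                      SAMPLE_MODS, sizeof SAMPLE_MODS / sizeof SAMPLE_MODS[0],
                      sample_hooks, sizeof sample_hooks / sizeof sample_hooks[0]);
}

int main(void)
{
    size_t n = sample_scan();
    for (size_t i = 0; i < n; i++)
        printf("service %zu -> 0x%08x (%s)\n", sample_hooks[i].service,
               (unsigned)sample_hooks[i].target, sample_hooks[i].owner);
    return 0;
}
```

A slot attributed to "<no image>" deserves the same attention as one attributed to a driver, since the pointer may lead into memory that no listed module accounts for.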

[Clips] Sony to Help Remove its DRM Rootkit

2005-11-02 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Wed, 2 Nov 2005 23:18:30 -0500
 To: Philodox Clips List <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] Sony to Help Remove its DRM Rootkit
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 
<http://www.betanews.com/article/print/Sony_to_Help_Remove_its_DRM_Rootkit/1130965475>

 BetaNews |

 Sony to Help Remove its DRM Rootkit
  By Nate Mook, BetaNews
 November 2, 2005, 4:04 PM
 When Mark Russinovich was testing his company's security software last
 week, he came across a disturbing find: a Sony BMG CD he purchased from
 Amazon had secretly installed DRM software on his PC and used "rootkit"
 cloaking methods to hide it. With the story sweeping across the Net, Sony
 is attempting to clean up its mess.
 DRM, or digital rights management, is nothing new to CDs. Record companies
 began employing software to prevent users from easily transferring tracks
 to a PC after the explosion of file sharing activity that followed
 Napster's debut in 1999. But for the most part, the DRM was quite
 rudimentary and only required the pressing of the "shift" key to bypass.

  Not so with Sony's latest batch of CDs from Switchfoot, Van Zant and
 others. Using technology developed by British software company First 4
 Internet, the CDs limit the number of copy-protected backups that can be
 made. To enforce the restriction, software and drivers are installed
 without a user's knowledge when the CD is accessed.
 Russinovich first discovered a hidden directory and several hidden device
 drivers -- none of which would show up in Windows Explorer. He soon found
 the driver responsible for the cloaking, which was designed to hide every
 file and location that begins with: $sys$.
 After tracing the rogue software back to his recently purchased Van Zant
 CD, Russinovich attempted to uninstall the DRM, but to no avail.
 "I didn't find any reference to it in the Control Panel's Add or Remove
 Programs list, nor did I find any uninstall utility or directions on the CD
 or on First 4 Internet's site. I checked the EULA and saw no mention of the
 fact that I was agreeing to have software put on my system that I couldn't
 uninstall," he wrote on his company's blog. "Now I was mad."
 When he forcibly removed the software and registry entries by hand,
 Russinovich found his CD player was no longer functional. Further advanced
 registry hacking fixed the problem, but he noted that the vast majority of
 computer users would simply "cripple their computer" if they tried to
 delete the First 4 Internet DRM.
 Although cloaking files and not providing a method of removal is not
 dangerous in and of itself, the case sparked a flurry of discussion online.
 Most users agreed that the actions of Sony and First 4 Internet were
 questionable at best, and security experts warned of potential threats. For
 example, a virus writer could simply hide files by naming them using the
 $sys$ prefix.
 For its part, First 4 Internet claimed the technology was only found on CDs
 from earlier this year and said it had created new methods to hide the DRM.
 Nonetheless, the company has decided to issue a patch to eliminate the
 cloaking and "allay any unnecessary concerns."
 The patch will be made available for download from Sony BMG's Web site,
 with another offered directly to antivirus vendors. The DRM software will
 not be removed, however, only uncovered; that means users will still be
 unable to delete it without risk of rendering their CD drive inoperable.
 Customers must contact Sony BMG support for removal instructions.
 "While I believe in the media industry's right to use copy protection
 mechanisms to prevent illegal copying, I don't think that we've found the
 right balance of fair use and copy protection, yet," said Russinovich.
 "This is a clear case of Sony taking DRM too far."


--- end forwarded text




[Clips] The "Other" Ester: Anonymity-- Here Today, Gone Tomorrow

2005-11-07 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Mon, 7 Nov 2005 14:43:46 -0500
 To: Philodox Clips List <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] The "Other" Ester: Anonymity-- Here Today, Gone Tomorrow
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 <http://www.release1-0.com/freshproduce/article.cfm?serialnum=FRP200511042301>


 Anonymity: Here Today, Gone Tomorrow
 Esther Dyson

 It's ironic that the Web once seemed to promise individuals new
 opportunities to explore the world without showing their face. Instead, it
 is turning out to be a powerful force against anonymity. Most information
 about people's online actions is traceable - if someone with resources
 cares to go to the trouble. But there will be much more to this trend than
 the familiar fear of governments spying on innocent victims, or even
 they-asked-for-it dissidents. The bigger questions revolve around the
 tolerance of societies for diversity and recognition of the human capacity
 for change.

 A free membership to Release 1.0 is required to view this item.



--- end forwarded text




Fwd: [silk] For years US eavesdroppers could read encrypted messages without the least difficulty

2007-12-29 Thread R.A. Hettinga



Begin forwarded message:

From: Eugen Leitl <[EMAIL PROTECTED]>
Date: December 29, 2007 9:16:49 AM EST
To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: [silk] For years US eavesdroppers could read encrypted  
messages without the least difficulty


From: Gautam John <[EMAIL PROTECTED]>
Subject: [silk] For years US eavesdroppers could read encrypted messages
without the least difficulty
To: [EMAIL PROTECTED]
Date: Sat, 29 Dec 2007 19:38:28 +0530
Reply-To: [EMAIL PROTECTED]


Sat, 29 Dec 2007 04:02:00
By Ludwig De Braeckeleer

(OhMyNews) -- For decades, the US National Security Agency (NSA) has
been reading effortlessly ultra sensitive messages intercepted from
all parts of the world. This extraordinary feat was not the
consequence of the work of some genius cyber mathematician. Nor was it
the result of the agency's dominance in the field of super computers,
which allegedly have outpaced their most direct rivals by orders of
magnitude. The truth is far simpler and quite troubling. The game was
rigged.

For half a century, Crypto AG, a Swiss company located in Zug, has
sold to more than 100 countries the encryption machines their
officials rely upon to exchange their most sensitive economic,
diplomatic and military messages. Crypto AG was founded in 1952 by the
legendary (Russian born) Swedish cryptographer Boris Hagelin. During
World War II, Hagelin sold 140,000 of his machines to the US Army.

"In the meantime, the Crypto AG has built up long standing cooperative
relations with customers in 130 countries," states a prospectus of the
company. The home page of the company Web site says, "Crypto AG is the
preferred top-security partner for civilian and military authorities
worldwide. Security is our business and will always remain our
business."

And for all those years, US eavesdroppers could read these messages
without the least difficulty. A decade after the end of WWII, the NSA,
also known as No Such Agency, had rigged the Crypto AG machines in
various ways according to the targeted countries. It is probably no
exaggeration to state that this 20th century version of the "Trojan
horse" is quite likely the greatest sting in modern history.

In effect, US intelligence had spies in the government and military
command of all these countries working around the clock without ever
risking the possibility of being unmasked.

An Old and Venerable Company

In the aftermath of the Islamic revolution, Iran, quite
understandably, would no longer trust encryption equipment provided by
companies of NATO countries.

The Swiss reputation for secrecy and neutrality lured Iranians to
Crypto AG, an old and venerable company. They never imagined for a
moment that, attached to the encrypted message, their Crypto machines
were transmitting the key allowing the decryption of messages they
were sending. The scheme was perfect, undetectable to all but those
who knew where to look.

Crypto AG, of course, denied the allegations as "pure invention." In
1994, the company issued a message in the Swiss press, stating that
"manipulation of Crypto AG equipment is absolutely excluded."

On the Wikipedia page of Crypto AG, one can read: "Crypto AG rejected
these accusations as pure invention, asserting in a press release that
in March 1994, the Swiss Federal Prosecutor's Office initiated a
wide-ranging preliminary investigation against Crypto AG, which was
completed in 1997. The accusations regarding influence by third
parties or manipulations, which had been repeatedly raised in the
media, proved to be without foundation."

However, meetings between a NSA cryptographer and Crypto AG personnel
to discuss the design of new machines have been factually established.
The story was also confirmed by former employees and is supported by
company documents. Boris Hagelin is said to have acted out of
idealism. What is certain is that the deal for Crypto AG was quite
juicy. In return for rigging their machines, Crypto AG is understood
to have been granted export licenses to all entities controlled by the
NSA.

Early Hints

A book published in 1977 by Ronald Clark (The Man Who Broke Purple:
The Life of Colonel William F. Friedman) revealed that William F.
Friedman, another Russian-born genius in the field of cryptography (he
deciphered the Japanese code in World War II) and onetime special
assistant to the NSA director, had visited Boris Hagelin in 1957.
Friedman and Hagelin met at least on two other occasions. Clark was
urged by the NSA not to reveal the existence of these meetings for
national security reasons. In 1982, James Bamford confirmed the story
in his book on the NSA: The Puzzle Palace. The operation was codenamed
the "Boris project." In effect, Friedman and Hagelin had reached an
agreement that was going to pave the way to cooperation of Crypto AG
with the NSA.

Despite these very obvious hints, countries such as Iran, Iraq and
Libya continued using the Crypto AG machines for encrypting their
messages. And so d

[Mycolleagues] (Fwd) Call for Papers and Workshops: 4th International Conference on Global E-Security (ICGeS’08)

2008-01-18 Thread R.A. Hettinga



Begin forwarded message:

From: [EMAIL PROTECTED]
Date: January 15, 2008 1:11:13 PM EST
To: [EMAIL PROTECTED]
Subject: [Mycolleagues] (Fwd) Call for Papers and Workshops: 4th  
International Conference on Global E-Security (ICGeS’08)


Apologies for cross-posting

4th International Conference on Global E-Security (ICGeS´08)
23-25 June 2008
London, England
http://www.uel.ac.uk/icges

The conference proceedings will be published as a volume of
LNCS series from Springer.

Following the successful ICGeS-07 in April 2007, we have much
pleasure in announcing the 4th International Conference on Global
E-Security (ICGeS-08).

The Annual International Conference on Global e-Security (ICGeS)
is an established platform in which security issues can be examined
from several global perspectives through dialogue between
academics, students, government representatives, chief executives,
security professionals, and research scientists from the United
Kingdom and from around the globe.

ICGeS provides an ideal and unique venue for researchers and
practitioners to engage in debate on various security related issues,
including the measures governments must take to protect the
security of information on the Internet, the implications of cyber-
crime in large corporations and individuals, and how cyber-crime can
be addressed.

The widespread use of the Internet has created a global platform for
the exchange of ideas, goods and services; the benefits of which are
enormous. However, it has also created boundless opportunities for
cyber-crime. As an increasing number of large organisations and
individuals use the Internet and its satellite mobile technologies, they
are increasingly vulnerable to cyber-crime threats. It is therefore
paramount that the security industry raise its game to combat these
threats. This is an issue of global importance as law enforcement
agencies all over the world are struggling to cope.

This conference aims to attract an International audience to provide
a forum for the dissemination of research accomplishments and
promote interaction and collaboration between the researchers and
practitioners in the security field; to meet and discuss current and
future e-security needs and issues.

Refereed full papers will be considered for publication in the new
international Journal of Electronic Security and Digital
Forensics, IJESDF published by Inderscience,
http://www.inderscience.com.


Topics of interest include, but are not limited to:-

·eGovernments, eEurope/European Directives, mGovernment
·Information security
·Computer forensics
·Anti-forensics
·Computer risks & their assessment
·Hidden data
·Criminal data mining
·Computational immunology
·Cybercrime detection and analysis
·Network security
·Criminal network analysis
·Attack pattern recognition
·Strategic Approaches to Security
·Security in Mobile Platforms
·Authentication authorisations
·Internet security and web security
·E-commerce/ ebusiness security issues
·Security Policies and Procedures
·Cyber Legislation
·Cyber War
·Digital Cities
·Security Requirements Engineering
·Cryptographic Algorithms & Protocols
·Software agents/Artificial intelligence

 The committee is particularly interested in hearing about relevant
case studies and "best practise" on any of the above.


Workshops
There are 7 workshops at this year's conference; these are:
*   Cyber criminology
*   VoIP
*   Bioinformatics and DNA
*   Biometrics
*   IT Governance
*   Integration, convergence and transparency for networks
   and systems for security operations
*   Wireless Security

Paper Submission:

Authors should submit a paper in English of about 8 A4 pages, up to
5000 words. The program committee will review all papers and the
contact author of each paper will be notified of the result, by email.
Submitted papers have to be original, containing new and original
results and should clearly indicate the nature of its
technical/scientific contribution, and the problems, domains or
environments to which it is applicable. The paper must be carefully
checked for correct grammar and spelling.
Authors should upload their paper/s at ICGeS-08 Submission
Submission implies the willingness of at least one of the authors to
register and present the paper at the conference. All papers will be
"blind" peer reviewed by at least two independent referees. All
accepted papers will be included in the conference proceedings that
will be published and distributed during the conference. The camera-
ready version is limited to 8 (eight) pages for full papers and 4 (four)
pages for poster presentations.
Authors are invited to submit their electronic soft-copy of the paper
in MS Words format. Authors Instructions in a form of sample page
is available in PDF-format and in MS-Word format.
Refereed full papers will be considered for publication in the
International Journal of Electronic Security and Digital Forensics

Important Dates:

Full Paper and Poster Submission
15th February 2008

Workshop Submiss

MUSIC'08 CFP

2008-01-22 Thread R.A. Hettinga



Begin forwarded message:

From: "Yu Chen" <[EMAIL PROTECTED]>
Date: January 21, 2008 5:40:26 PM EST
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: [Mycolleagues] MUSIC'08 CFP

(Apologies for multiple copies. Appreciated if you can forward to  
potentially interested persons)




2008 International Workshop on Multimedia Security in Communication  
(MUSIC'08)

In Conjunction with ChinaCom'08

Beijing, China, August 25 - 27, 2008

http://home.simula.no/~yanzhang/MUSIC/



The rapid development of communication techniques allows us to
transmit more than text/binary data in real time. Due to unique
characteristics of multimedia content, such as large data volumes,
interactive operations, and real-time response requirements, the
problems multimedia security needs to address are different from those
of text/binary data security. Furthermore, multimedia security is
highly service-dependent. Different services require different methods
for content transmission or distribution, paying, interaction, etc.


This workshop aims to bring together research work covering various  
aspects of multimedia security in emerging services. The services may  
work in the following environment: Internet, mobile TV, IPTV, IMS,  
VoIP, P2P, sensor network, network convergence, etc. The paper may  
focus on architecture construction, algorithm designing or hardware  
implementation. Both review papers and technical papers are expected.


This workshop solicits papers reporting recent unpublished works in
the general area of multimedia security. The topics include but are
not limited to:


Security threats to multimedia content in new services
Security model for new services
Lightweight multimedia encryption for services
Information hiding in multimedia content
Multimedia forensics
Secure multimedia adaptation
Multimedia copy tracking
Multimedia content authentication
Multimedia content filtering
Secure payment for services
Key management/distribution
User authentication in services
Biometric Security
Intrusion detection/prevention
Network filtering
Secure set-top box
Secure Smart Cards
Secure SIM card
Secure telecom/broadcast convergence
Secure mobile/Internet convergence
Interoperable DRM systems
Conditional access systems
Security protocols or standards
Denial-of-Service (DoS) attacks in multimedia application

Submission
==========

The submission should be done according to the guidelines on
http://www.chinacom.org/. The revised or extended versions of the
accepted and presented papers will be published in the special issue
of International Journal of Security and Communication Network (SCN)
http://www3.interscience.wiley.com/journal/114299116/home
or International Journal of Universal Computer Science (JUCS)
(pending) http://www.jucs.org/jucs_info/aims.


Important Dates
===============

Submission deadline: March 31, 2008
Notification date:   May 15, 2008
Camera-ready due:    May 31, 2008
Conference dates:    August 25-27, 2008

Organizing Committee
====================

General Chair:  Dr. Stefanos Gritzalis
   University of the Aegean, Greece
   Email: [EMAIL PROTECTED]

General Co-Chair: Dr. Yan Zhang
   Simula Research Laboratory, Norway
   Email: [EMAIL PROTECTED]

TPC Chair:   Dr. Shiguo Lian
   France Telecom R&D Beijing Center, China
   Email: [EMAIL PROTECTED]

TPC Co-Chair: Dr. Yu Chen
  SUNY - Binghamton, USA
  Email: [EMAIL PROTECTED]

Technical Committee
===================

Sasan Adibi, University of Waterloo, CA
Khalil El-Khatib, University of Ontario Institute of Technology, CA
Jiankun Hu, RMIT University, Australia
Yuan Dong, Beijing University of Posts and Telecommunications, China
Ala Al-Fuqaha, Western Michigan University, USA
Weifeng Chen, California University of Pennsylvania, USA
El-Sayed El-Alfy, King Fahd University of Petroleum and Minerals, Saudi Arabia
Jiwu Huang, Sun Yat-Sen University, China
Zhiquan Wang, Nanjing University of Science and Technology, China
Giovanni Bodini, University of Rome Tor Vergata, Italy
Noureddine BOUDRIGA, University of the 7th of November at Carthage, Tunisia
Andreas U. Schmidt, Fraunhofer-Institute for Secure Information Technology (SIT), Germany
Zhili Sun, University of Surrey, UK
Frank Y. Shih, New Jersey Institute of Technology, USA
Mark Stamp, San Jose State University, USA
Xin Wang, ContentGuard, Inc., USA
Chun-Shien Lu, Academia Sinica, Taiwan
Peter Reiher, University of California, Los Angeles, USA
Tarek BEJAOUI, University of Carthage, Tunisia
Jianhong Zhang, North China University of Technology, China
Xiamu Niu, Harbin Institute of Technology (HIT), China
Esther P

Own a piece of the crypto wars

2008-06-17 Thread R.A. Hettinga


If Sameer autographed it, it would probably be worth much more.

:-)

Cheers,
RAH
--

Creative Destruction
Sameer Parekh


Own a piece of the crypto wars

Back in the day, it was illegal to export cryptographic software.

The solution for my company, C2Net Software, Inc., was to develop an  
offshore development team and have them develop the software there.  
Other companies developed different strategies. Most opted to sell  
broken products to their overseas customers. One other company cared  
about the security of their customers. That company was PGP.


PGP chose a different strategy however. They published their source  
code as a book. The book was then exported, the contents of that book  
were then scanned in, and then a completely legal international  
version of PGP was born.


More details of the story.

Some may associate this PGP scanning effort with the track 'round and  
round'. That association is not without reason. They may also remember  
a sign that said, "This is the cypherpunks party tent. If you wish to  
sleep, remove your tent from the area. Have a nice day (+ night)".  
That sign, btw, lives on.


In any case, I was going through all my boxes trying to decide what I  
should keep, toss, or sell, and I found my very own copy of the  
infamous PGP 5.0 source code book. NIB! (Well actually there was no  
box. But still shrinkwrapped. So NIB.)


I decided that the bulk was too much for me to handle moving into a  
tiny little NYC apartment. So ebay it is.

Hopefully it will find a nice loving home.

PGP 5.0 Source Code Books:



Posted by Sameer on June 14, 2008 4:41 PM | Permalink

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


REVIEW: "The dotCrime Manifesto", Phillip Hallam-Baker (was Re: [RISKS] Risks Digest 25.22)

2008-07-08 Thread R.A. Hettinga


On Jul 8, 2008, at 2:21 PM, RISKS List Owner wrote:


Date: Thu, 03 Jul 2008 11:06:12 -0800
From: Rob Slade <[EMAIL PROTECTED]>
Subject: REVIEW: "The dotCrime Manifesto", Phillip Hallam-Baker

BKDCRMNF.RVW   20080317

"The dotCrime Manifesto", Phillip Hallam-Baker, 2008, 0-321-50358-9,
U$29.99/C$32.99
%A   Phillip Hallam-Baker dotcrimemanifesto.com [EMAIL PROTECTED]
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario  M3C 2T8
%D   2008
%G   978-0-321-50358-9 0-321-50358-9
%I   Addison-Wesley Publishing Co.
%O   U$29.99/C$32.99 416-447-5101 fax: 416-443-0948 800-822-6339
%O  http://www.amazon.com/exec/obidos/ASIN/0321503589/robsladesinterne
 http://www.amazon.co.uk/exec/obidos/ASIN/0321503589/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0321503589/robsladesin03-20
%O   Audience n+ Tech 2 Writing 2 (see revfaq.htm for explanation)
%P   415 p.
%T   "The dotCrime Manifesto: How to Stop Internet Crime"

In the preface, the author notes that network and computer crime is a
matter of people, not of technology.  However, he also notes that
changes to the network infrastructure, as well as improvements in
accountability, would assist in reducing user risk on the net.

Section one enlarges on the theme that people are more important than
machines or protocols.  Chapter one looks at the motive for Internet
crime (money, just like non-computer crime), and repeats the motifs of
the preface.  The text goes on to list various categories and examples
of network fraud.  The content of chapter two is very interesting, but
it is hard to find a central thread.  Overall it appears to be saying
that computer criminals are not the masterminds implied by media
portrayals, but that the problem of malfeasance is growing and needs to
be seriously addressed.  What Hallam-Baker seems to mean by "Learning
from Mistakes," in chapter three, is that security professionals often
rely too much on general principles, rather than accepting a
functional, if imperfect, solution that reduces the severity of the
problem.  Chapter four presents the standard (if you'll pardon the
expression) discussion of change and the acceptance of new
technologies.  A process for driving change designed to improve the
Internet infrastructure is proposed in chapter five.

Section two examines ways to address some of the major network crime
risks.  Chapter six notes the problems with many common means of
handling spam.  SenderID and SPF is promoted in chapter seven (without
expanding the acronym to Sender Policy Framework anywhere in the book
that I could find).  Phishing, and protection against it, is discussed
in chapter eight.  Chapter nine is supposed to deal with botnets, but
concentrates on trojans and firewalls (although I was glad to see a
mention of "reverse firewalls," or egress scanning, which is too often
neglected).

Section three details the security tools of cryptography and trust.
Chapter ten outlines some history and concepts of cryptography.  Trust,
in chapter eleven, is confined to the need for aspects of public key
infrastructure (PKI).

Section four presents thoughts on accountability.  Secure transport, in
chapter twelve, starts with thoughts on SSL (Secure Sockets Layer), and
then moves to more characteristics of certificates and the Extended
Verification certificates.  (The promotion of Verisign, infrequent and
somewhat amusing in the earlier chapters is, by this point in the book,
becoming increasingly annoying.  The author is also starting to make
more subjective assertions, such as boosting the trusted computing
platform initiative.)  Domain Keys Identified Mail (DKIM) is the major
technology promoted in support of secure messaging, in chapter
thirteen.  Chapter fourteen, about secure identity, has an analysis of
a variety of technologies.  (The recommendations about technologies are
supported even less than before, and the work now starts to sound
rather doctrinaire.)  It may seem rather odd to talk about secure names
as opposed to identities, but Hallam-Baker is dealing with identifiers
such as email addresses and domain names in chapter fifteen.  Chapter
sixteen looks at various considerations in regard to securing networks,
mostly in terms of authentication.  Random thoughts on operating
system, hardware, or application security make up chapter seventeen.
The author stresses, in chapter eighteen, that the law, used in
conjunction with security technologies, can help in reducing overall
threat levels.  Chapter nineteen finishes off the text with a proposed
outline of action that recaps the major points.

Hallam-Baker uses a dry wit well, and to good effect in the book.  The
humour supports and reinforces the points being made.  So does his
extensive and generally reliable knowledge of computer technology and
history.  In certain areas the author is either less knowledgeable or
careless in his wording, and, unfortunately, the effe

Re: road toll transponder hacked

2008-08-27 Thread R.A. Hettinga


On Aug 27, 2008, at 7:10 AM, [EMAIL PROTECTED] wrote:


The relationship to this list may then be thin
excepting that the collection and handling of
such data remains of substantial interest.


Actually, it points to cash settlement of road tolls.

Most likely digital bearer transaction settlement, in the long run.

But y'all knew I'd say that, right?

:-)

Cheers,
RAH



Tromboning: Internet Traffic Begins to Bypass the U.S.

2008-08-30 Thread R.A. Hettinga

"Tromboning". That's a word I've been looking for.

Tromboning is what happens when I send packets between the Cable &  
Wireless DSL line and the Caribbean Cable cablemodem on the other side  
of the living room in Seafeathers Bay -- via New York (and  
Washington), and/or Miami (and Washington), and/or Atlanta (and  
Washington), not to mention Washington.


Too bad little countries like Anguilla don't permit third-party  
peering between competing internet service providers. After all, that  
kind of latency is just... unacceptable. ;-)


A geodesic internetwork sees um, latency, as damage, &c.


Evidently not just anyone can stick two links together using one box  
and three ethernet cards, or whatever, or the Internet Gets Broken.


Geeze, to paraphrase Grace Slick, I wish I knew BGP.

(Though, like Grace was at the time, I'm too burned-out a dog these  
days to learn those new tricks. Easier to doze off on the veranda  
watching the weather go by.)


Cheers,
RAH
---




New York Times

August 30, 2008

Internet Traffic Begins to Bypass the U.S.
By JOHN MARKOFF

SAN FRANCISCO — The era of the American Internet is ending.

Invented by American computer scientists during the 1970s, the  
Internet has been embraced around the globe. During the network’s  
first three decades, most Internet traffic flowed through the United  
States. In many cases, data sent between two locations within a given  
country also passed through the United States.


Engineers who help run the Internet said that it would have been  
impossible for the United States to maintain its hegemony over the  
long run because of the very nature of the Internet; it has no central  
point of control.


And now, the balance of power is shifting. Data is increasingly  
flowing around the United States, which may have intelligence — and  
conceivably military — consequences.


American intelligence officials have warned about this shift. “Because  
of the nature of global telecommunications, we are playing with a  
tremendous home-field advantage, and we need to exploit that edge,”  
Michael V. Hayden, the director of the Central Intelligence Agency,  
testified before the Senate Judiciary Committee in 2006. “We also need  
to protect that edge, and we need to protect those who provide it to  
us.”


Indeed, Internet industry executives and government officials have  
acknowledged that Internet traffic passing through the switching  
equipment of companies based in the United States has proved a  
distinct advantage for American intelligence agencies. In December  
2005, The New York Times reported that the National Security Agency  
had established a program with the cooperation of American  
telecommunications firms that included the interception of foreign  
Internet communications.


Some Internet technologists and privacy advocates say those actions  
and other government policies may be hastening the shift in Canadian  
and European traffic away from the United States.


“Since passage of the Patriot Act, many companies based outside of the  
United States have been reluctant to store client information in the  
U.S.,” said Marc Rotenberg, executive director of the Electronic  
Privacy Information Center in Washington. “There is an ongoing concern  
that U.S. intelligence agencies will gather this information without  
legal process. There is particular sensitivity about access to  
financial information as well as communications and Internet traffic  
that goes through U.S. switches.”


But economics also plays a role. Almost all nations see data networks  
as essential to economic development. “It’s no different than any  
other infrastructure that a country needs,” said K C Claffy, a  
research scientist at the Cooperative Association for Internet Data  
Analysis in San Diego.


“You wouldn’t want someone owning your roads either.”

Indeed, more countries are becoming aware of how their dependence on  
other countries for their Internet traffic makes them vulnerable.  
Because of tariffs, pricing anomalies and even corporate cultures,  
Internet providers will often not exchange data with their local  
competitors. They prefer instead to send and receive traffic with  
larger international Internet service providers.


This leads to odd routing arrangements, referred to as tromboning, in  
which traffic between two cities in one country will flow through other  
nations. In January, when a cable was cut in the Mediterranean,  
Egyptian Internet traffic was nearly paralyzed because it was not  
being shared by local I.S.P.’s but instead was routed through European  
operators.


The issue was driven home this month when hackers attacked and  
immobilized several Georgian government Web sites during the country’s  
fighting with Russia. Most of Georgia’s access to the global network  
flowed through Russia and T
