Re: A day in the life
On Sun, Jul 20, 2003 at 04:07:58PM -0500, J.A. Terranson wrote:

> [ID experience at giant mega-corp casino]
> [ID experience at Jiffy-loob]

If you patronize only corporate mega-stores, this is what you get.

None of the (locally-owned) restaurants I eat breakfast at do any loyalty card bullshit, they happily accept anonymous cash and the food is wonderful. The vendors at the local farmer's market take cash too. The local stores in the chain of bicycle stores I sometimes go to for tires and parts do sometimes ask me if I want to be on their buyers club thing, I just say no and that's fine with them.

You need to shop at stores run by humans.

If you have to patronize a mega-corp, stick up for yourself. They insist because it works on most people. There is no need to baaah along with the sheep.

Eric
Re: MRAM, persistence of memory
On Thu, Jul 10, 2003 at 04:45:58PM +0200, Thomas Shaddack wrote:

> On Wed, 9 Jul 2003, Eric Murray wrote:
> > I doubt it as well. DRAM also has power-off memory persistence and nearly everyone in security ignores that as well.
>
> But not the spooks:
>
> The FEI-374i-DRS is a data recovery system that captures and preserves digital data, in its original format, directly from the Dynamic Random Access Memory (DRAM) of Digital Telephone Answering Machines (DTAMs) .. The FEI-374i-DRS is an indispensable tool for forensic investigators required to evaluate residual audio and tag information retained in today's DRAM-based DTAMs.
>
> http://www.nomadics.com/374idrs.htm
>
> The system doesn't seem to be able to recover data from powered-off DRAM. [..] It's still interesting.
>
> It is impossible to get access to the voltage on the DRAM cell capacitors (at least if the chip is in its case and we can access only its pins). We can only see if it is in the range for H or L. And after a power-down (or even a sufficiently long period without a refresh of the given cell) the cell capacitor loses voltage steadily, reaching the level of L (or maybe H?) within at most a couple of seconds.

I would not bet on that for sensitive data. See Peter Gutmann's and Ross Anderson's papers on RAM memory remanence.

Eric
Re: idea: brinworld meets the credit card
On Tue, Jul 08, 2003 at 12:16:36PM -0700, Major Variola (ret) wrote:

> Authentication is Something you have / know / are.
> [..]
> A picture glued into the card could be forged, but a smartcard (with more data area than a magstripe) could include a picture of the account holder, so a thief has no idea what to look like. But the vendor can check the encrypted smartcard face to the face on the phone or webcam. For high-value remote transactions, where you pay someone to check faces, this might be viable in a few years. In a few years after that, machines might be able to check faces more cheaply, as reliably.
>
> The live face-check with embedded digital photos is already standard practice on high-security building-entry cards (and passports?), with the guard comparing the card-embedded face to the one before him. Ubiquitous cameras will bring that face-check to remote transactions, reducing cost due to lower fraud.
>
> Thoughts?

How does it allow the merchant to view the picture while preventing the thief from doing so? Saying it's encrypted is, at best, sweeping a very large problem under a small rug. Who holds the key? How does the card or the user authenticate a real merchant vs. a thief posing as a merchant?

Those are the hard problems. No one in biometrics has yet been able to solve them in a general way.

Eric
Re: [Brinworld] Car's data recorder convicts driver
On Mon, Jun 16, 2003 at 05:11:57PM -0400, John Kelsey wrote:

> ...
> It seems intuitively like the EDR ought to be about as valuable to the defense as the prosecution, right? E.g., the prosecutor says this guy was driving 120 miles an hour down the road while being pursued by the police, but the EDR says he'd never topped 70. There are creepy privacy implications in there somewhere, but the basic technology seems no more inherently Orwellian than, say, DNA testing--which seems to be a pretty good way of actually locking up the right guy now and then, rather than someone who looks kind-of like the guy who did it, and was seen in the area by an eyewitness and picked out of a police lineup.

The types of problems with DNA testing, such as states' refusal to allow testing of convicts when it might prove their innocence, and testing lab errors, would also apply to EDR boxes. I.e., states will contrive to use EDR records only when it proves their case, and data recovered will be subject to interpretation.

You can bet that when EDRs become important as evidence, citizens won't be allowed to possess the means to read their own EDRs, let alone write to them.

Eric