Re: What good are smartcard readers for PCs
--
James A. Donald
> > > Increasingly however, we see smartcard interfaces sold for
> > > PCs. What for, I wonder?

On 24 Sep 2002 at 1:41, Bill Stewart wrote:
> I'm not convinced that the number of people selling them is
> closely related to the number of people buying; this could be
> another field like PKIs where the marketeers and cool
> business plans never succeeded at getting customers to use
> them.

On 24 Sep 2002 at 19:12, Peter Gutmann wrote:
> Companies buy a few readers for their developers who write
> software to work with the cards. [...] Eventually the
> clients discover how much of a bitch they are to work with
> [] users decide to live with software-only crypto until
> the smart card scene is a bit more mature.
>
> Given that n_users >> n_card_vendors, this situation can keep
> going for quite some time.

I have found that the administrative costs of PKI are intolerable. End users do not really understand crypto, and so will fuck up. Only engineers can really control a PKI certificate, and for the most part they just do not.

In principle the thingness of a smartcard should reduce administrative costs to a low level -- they should supposedly act like a purse, a key, a credit card, hence near zero user training required. The simulated thingness created by cryptographic cleverness should be manifested to the user as physical thingness of the card.

Suppose, for example, we had working Chaumian digicash. Now imagine how much trouble the average end user is going to get into with backups, and with moving digicash from one computer to another. If all unused Chaumian tokens live in a smartcard, one might expect the problem to vanish. The purselike character of the card sustains the coin like character of Chaumian tokens.

Of course if one has to supply the correct driver for the smart card, then the administration problem reappears. USB smartcard interfaces could solve this problem. Just plug them in, and bingo, it should just go.

Ummh, wait a moment, go where, do what? What happens when one plugs in a USB smartcard interface?

Still, making crypto embodied in smart cards intelligible to the masses would seem to be a soluble problem, even if not yet solved, whereas software only crypto is always going to boggle the masses.

--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
UpBeNFF1UW7r7Fw8pVMxQG+xJ3mwsngHIp62BxL6
4D+u3ZM5e1JbeYAKaQ4dhOQrlZ42vq05cfz83rnCZ
Re: What good are smartcard readers for PCs
On Tue, Sep 24, 2002 at 07:12:47PM +1200, Peter Gutmann wrote:
> "James A. Donald" <[EMAIL PROTECTED]> writes:
>
> >Increasingly however, we see smartcard interfaces sold for PCs. What for, I
> >wonder?

A previous company I worked for made a secure smart-card reader chip/system that used smart cards to carry a user's private key and cert. The initial application was the SET electronic payment protocol. (all together now: yuck!) SET didn't take off, and not many of these were sold.

Amex hyped up their 'blue' card & was giving out free readers for a while... until they discovered that the drivers were fatally broken (ha ha, it was done by a competitor of the company above, their product was shite). That, plus the fact that Amex couldn't get more than a few merchants to go along with it, doomed the project. They stopped giving out free smartcard readers pretty quickly.

The company I work for now uses smart-cards in a K-of-N split key scheme to authenticate administrators of secure proxy servers. These are actually selling to real live customers and work just fine.

Niche markets like these are the only place where smart card use will be growing in the near term, unless Larry Ellison and Scott "you have no privacy" McNealy get their fat government contracts for implementing the single signon surveillance state...

Eric
Re: What good are smartcard readers for PCs
"James A. Donald" <[EMAIL PROTECTED]> writes:

>Increasingly however, we see smartcard interfaces sold for PCs. What for, I
>wonder?

Companies buy a few readers for their developers who write software to work with the cards. They may even roll out a few in pilots, and put out a stack of press releases and print brochures advertising how hip they are for using smart cards. Eventually the clients discover how much of a bitch they are to work with (installation problems/buggy drivers/incompatibilities/not having your card when you need it/etc, not helped by the fact that smart card vendor after-sales support is the most client-hostile of any PC hardware type I know of) that users decide to live with software-only crypto until the smart card scene is a bit more mature.

Given that n_users >> n_card_vendors, this situation can keep going for quite some time.

Peter.
[international hacking] Jacking into chinaTV, hacking the Dalai Lama
Using its official Xinhua News Agency, the government released an extraordinary 1,100-word dispatch about the latest hacking incident, saying it had traced the illegal transmissions over the Sino Satellite, or Sinosat, system to a pirate broadcast operation in Taipei, Taiwan. In a separate incident, the manager of the Dalai Lama's computer network in Dharmsala, India, alleged that the Chinese government has tried to hack into it repeatedly over the past month with a special virus to steal information. http://ap.tbo.com/ap/breaking/MGA2SEPZH6D.html
Re: What good are smartcard readers for PCs
At 04:34 PM 09/23/2002 -0700, James A. Donald wrote:
>The biggest application of smart cards that I know of are
>anonymous phone minutes.

They're also used for non-cellular phone minutes - Ladatel in Mexico is a big user, and I've worked with some British Telecom folks whose business cards are also 1-pound telephone smartcards. Supposedly Japan was a heavy user of the things for cheap vending machine payments. Another big usage is European satellite decoder keys; the low cost of smartcards is important because the codes keep getting cracked by commercial pirates.

>Increasingly however, we see smartcard interfaces sold for PCs.
>What for, I wonder?
>Obviously end users are buying this stuff. What are they
>buying smartcard readers for?

I'm not convinced that the number of people selling them is closely related to the number of people buying; this could be another field like PKIs where the marketeers and cool business plans never succeeded at getting customers to use them.

>Mondex, as far as I know, sank with very little trace.

At least here in San Francisco, Mondex tried very very hard to find all the ways that smartcard payment systems could be user-friendly and not implement them. They didn't just shoot themselves in the foot, they went out looking for more feet to shoot at.

A Starbucks two blocks from my office accepted Mondex as payments for coffee, which would seem to be ideal, especially since there was a Wells Fargo Bank branch two blocks from them with a big Mondex sign on the door. But you couldn't just walk into the bank, slap down some dead presidents, get your card, and go buy coffee. You walked up to the unmanned Mondex desk, which had paper forms and a phone that called some office that had somebody who would tell you how to fill out the forms and snail-mail them in to people along with your bank account information who would then snail-mail you your card, though once you'd done so I gather you could refill it easily.

I don't remember if you had to have a Wells Fargo bank account to do it, or could get by with a Visa card instead - I think the former. I took my dead presidents down to a non-Starbucks for some regular joe.
Re: What good are smartcard readers for PCs
At 01:41 AM 9/24/02 -0700, Bill Stewart wrote:
>They're also used for non-cellular phone minutes -
>Ladatel in Mexico is a big user, and I've worked with some
>British Telecom folks whose business cards are also
>1-pound telephone smartcards.

Good lord, they only weigh mere grams here in the states :-)
Re: Random Privacy
On Sat, 21 Sep 2002 13:15:18 -0700, AARG!Anonymous <[EMAIL PROTECTED]> writes:
> On the contrary, TCPA/Palladium can solve exactly this problem. It allows
> the marketers to *prove* that they are running a software package that
> will randomize the data before storing it. And because Palladium works
> in opposition to their (narrowly defined) interests, they can't defraud
> the user by claiming to randomize the data while actually storing it
> for marketing purposes.

Yup.. This bit I agree with (in contrary to the other reply to your message). There are still issues over the correctness of that aforementioned randomizing package; is it correctly designed and implemented? AFAIK Pd would let a user know it was being run.

> Ironically, those who like to say that Palladium "gives away root on your
> computer" would have to say in this example that the marketers are giving
> away root to private individuals. In answering their survey questions,
> you in effect have root privileges on the surveyor's computers, by this
> simplistic analysis. This further illustrates how misleading is this
> characterization of Palladium technology in terms of root privileges.

Actually, I'd exactly call Palladium as being root over my machine, maybe a part of my machine (a Tor/NUB/whatever), but root.. It could be claimed that I have a choice as to whether or not I wish to run the 'other' software. However, I've always had that choice (the power switch). It's still root.

The idea I believe is that I'm supposed to be mollified by the idea (as you suggest) that I can get root on someone else's machine, to control what they can and can't do.. However, little is said that the reverse applies to me; someone has root on *my* machine.

Now, that might not be bad, if it weren't for the power imbalance between me and them. Why do I have a 'bonus saver' card for 3 grocery store chains? Why am I stuck with draconian EULAs that promise nothing and take away everything.

Scott
Re: Best Windows XP drive encryption program?
at Monday, September 23, 2002 10:35 PM, Curt Smith <[EMAIL PROTECTED]> was seen to say:
> http://www.drivecrypt.com/dcplus.html
> DriveCrypt Plus does everything you want. I believe it may
> have descended from ScramDisk (Dave Barton's disk encryption
> program).

It has. Basically, the author of Scramdisk took the NT version, added some XP support, a couple of new algos and launched it as a commercial, closed source product. The boot-time protection was requested repeatedly on the SD usenet forum (with several good discussions of different approaches) and it wasn't much of a surprise that it turned up in the commercial product.

Personally, I think it is excellent and completely trustworthy - I just won't use it on principle as I don't run closed-source crypto. I am sticking with my (purchased) copy of SD4NT for now on W2K, and waiting on the SD4Linux project to produce something usable for that boot partition.
Re: Best Windows XP drive encryption program?
at Monday, September 23, 2002 10:35 PM, Curt Smith <[EMAIL PROTECTED]> was seen to say:
> http://www.drivecrypt.com/dcplus.html
> DriveCrypt Plus does everything you want. I believe it may
> have descended from ScramDisk (Dave Barton's disk encryption
> program).

As an aside - Dave Barton? Shaun Hollingworth was the author of SD as far as I know. I can't remember exactly, but seem to recall Dave Barton did a Delphi wrapper around some of the SD function calls...
Re: What good are smartcard readers for PCs
> Increasingly however, we see smartcard interfaces sold for PCs.
> What for, I wonder?

You'll see them used to carry certificates for digital signatures in business applications. A firm I used to work for, eOriginal, Inc., uses them for document signing under the American electronic signature legislation, to do things like fully electronic mortgages, resellable on the secondary market. They've been using a PKCS11 interface provided by Baltimore Technologies' KeyTools Pro, but other implementations exist, of course. It's certainly no huge end-user PKI rollout, though.

As far as user authentication goes in a corporate environment (say, for authentication on a VPN tunnel), I'm unclear on how a digital certificate locked with a password is any more secure than your standard SecurID token backed by a password; both rely on knowledge-based and possession-based security. Random number generation versus NP-hard problem is the only difference. (Though I know a guy who broke some early generations of the SecurID randomizer after watching the sequence for about 10 minutes.)

- John Stoneham
Re: What good are smartcard readers for PCs
On Monday 23 September 2002 06:34 pm, James A. Donald wrote:
> So I did a google search for web pages selling "chipdrive
> extern" (the most popular smartcard interface for PCs) Seems
> like this is big business -- that huge numbers of these widgets
> are made and sold. yet most of the web pages seemed curiously
> vague as to what anyone was buying them for.

I tried that search. In the first 4 pages, I found only European sites offering the readers for sale. Several sites had dead links where the specs for the readers were supposed to be.

Where are the US vendors? Are smartcard readers sold at CompUSA? I'd actually like to give one a spin with FreeS/WAN if I could find one actually for sale.