[e-gold-list] Re: Gold-Cart Article... trusting e-gold/delayed payments

2003-11-24 Thread FileMatrix
Patrick,

>>> it is far more secure to have the PIK printed and carried in your
>>> wallet
>>
>> True, unless someone steals your wallet, or you lose it. ...
>
> That's not a problem.  The guy who gets your wallet still cannot log in
> because he doesn't have your secret Login ID.

That would be true if the password could be longer. As it is now, there are
about 100 million combinations (users usually choose a word, that makes
about 1 word, multiplied by 1 numbers = 100 million), and thus it
could be cracked in a few days.

Someone could steal your wallet, or take a photo of your PIKs, or simply
copy the PIKs... and you would never know.

So, sorry to say, the security of the Pecunix log-in is not better than others.
If the password could be longer (the maximum set to at least 20 characters),
things would be entirely different. And even better if Sidd would put three
passwords (and one PIK), as he said. But anyway, Sidd, also think about the
Bedazzled log-in, with password images (those images can be copied only by
someone with access to the computer, unlike a printed PIK).


George Hara




---

Xnet automatically scans all messages for viruses using RAV AntiVirus.

Disclaimer: RAV AntiVirus may not be able to detect all new viruses and variants.
Please be aware that there is a risk involved whenever opening e-mail attachments
to your computer and that MobiFon is not responsible for any damages caused by
viruses.


---
You are currently subscribed to e-gold-list as: [EMAIL PROTECTED]
To unsubscribe send a blank email to [EMAIL PROTECTED]

Use e-gold's Secure Randomized Keyboard (SRK) when accessing your e-gold account(s) 
via the web and shopping cart interfaces to help thwart keystroke loggers and common 
viruses.


[e-gold-list] Re: Gold-Cart Article... trusting e-gold/delayed payments

2003-11-24 Thread Patrick Chkoreff
On Monday, November 24, 2003, at 05:02 AM, FileMatrix wrote:

>> That's not a problem.  The guy who gets your wallet still cannot log in
>> because he doesn't have your secret Login ID.
>
> That would be true if the password could be longer. As it is now,
> there are about 100 million combinations (users usually choose a word,
> that makes about 1 word, multiplied by 1 numbers = 100 million), and
> thus it could be cracked in a few days.


Yes, you would need to set up an automated process to test those 100 
million combinations by actually attempting to log in with each one.  
This also requires the ability to read the PIK prompt images.  I'm not 
saying it's impossible or anything, just saying what's involved.

It's interesting to note in this scenario that there is no way for the 
Pecunix system to lock out an account after too many failed login 
attempts, because it has no idea WHICH account to lock out.

By the way George, for those of us hyper-secure paranoid tin foil hat 
types, you can always set up your Pecunix account to require PGP 
access.  In this mode, Pecunix presents you with a challenge / response 
problem that only the holder of the private key can successfully answer.

-- Patrick



[e-gold-list] Re: Gold-Cart Article... trusting e-gold/delayed payments

2003-11-24 Thread FileMatrix
Drew,

> and password combinations...

That is exactly my problem: the password. It is too short.

> PGP encryption at login with Pecunix?

I'll look into that...


Joke:

A hot babe is a secretary at a firm. Her boss thinks of something to attract
her attention, and to intimidate her so she can see who's the boss. He goes
to the secretary and asks her to create an email account for him.

The secretary does everything she needs to create the account, and at the
end she tells her boss to type in the password.

The guy, full of himself, says "You type it in!" and adds "The password is
'PENIS'."

The secretary types the password and after a second begins to laugh out of
control. The boss gets pissed and looks at the computer's monitor to see the
reason, and reads "Password too short".




Patrick,

> It's interesting to note in this scenario that there is no way for the
> Pecunix system to lock out an account after too many failed login
> attempts, because it has no idea WHICH account to lock out.

Right! It would be nice for the system to also require the user ID (email
address), and if there are too many failed log-ins (at least 10), the
account could be locked for a day (or so).

See how the cracks in the system come up? ;)

> you can always set up your Pecunix account to require PGP
> access

I have to look to see how that works.


George Hara






[e-gold-list] Re: Gold-Cart Article... trusting e-gold/delayed payments

2003-11-24 Thread FileMatrix
> Right! It would be nice for the system to also require the user ID (email
> address), and if there are too many failed log-ins (at least 10), the
> account could be locked for a day (or so).

Damn, I just realized that's not possible because any idiot could lock any
account by simply trying to log in. Really bad for businesses! This thing
requires a private user name.


George Hara






[e-gold-list] Re: Gold-Cart Article... trusting e-gold/delayed payments

2003-11-24 Thread Cambist.net




> From: Patrick Chkoreff [EMAIL PROTECTED]
>
> On Sunday, November 23, 2003, at 09:53 AM, Katz Global Media wrote:
>
>> ...
>> But why use tempest when there are dongles hanging out of the routers
>> at the nocs for law enforcement to plug into?
>
> Yes but intercepting a message through a dongle doesn't help if the
> message is encrypted.  Tempest lets them read a message as it is
> displayed on your computer screen after you decrypt it.


PGP has a tempest prevention font, although I don't know if it is effective.


- John
---
http://cambist.net







[e-gold-list] Re: Gold-Cart Article... trusting e-gold/delayed payments

2003-11-23 Thread FileMatrix
Sidd,

> This is a possibility, but of course that would be easy for a screen
> scraper to steal... I will look into this more.

No need, I have a new idea (that works with images). Prepare to be...
bedazzled ;) I will make this like a whitepaper.

If any of you FBI, NSA, CIA guys read this list, get your popcorn and wait
'cause this method is TEMPEST-proof. Actually, I think only you guys will
find the idea interesting (unless you already know about it :) ).

For those who don't know, TEMPEST is a method to read whatever is
displayed on a CRT monitor. So far, I've never heard of this being possible on
a TFT monitor. More information on this (and other security issues):
www.tscm.com


> it is far more secure to have the PIK printed and carried in your wallet

True, unless someone steals your wallet, or you lose it. Besides, most
log-ins are (supposed to be) done from the personal computer (or a secured
location).

> more than 8 are getting too difficult to remember

Sure, but nobody forces people to use more characters. Anyway, the new
method will disregard the memorizing issue.


George Hara






[e-gold-list] Re: Gold-Cart Article... trusting e-gold/delayed payments

2003-11-23 Thread jrw
> displayed on a CRT monitor. So far, I've never heard this being possible on
> a TFT monitor.

check out the Kuhn / Anderson paper - google search should locate
it easily.

  "Monitor buyers should not assume that so-called low-radiation monitors,
  or even LCD screens, provide any Tempest protection; we found that some
  modern TFT-LCD laptop displays give clearer reception than many cathode
  ray tubes."

being perfectly secure is perfectly impossible :)




[e-gold-list] Re: Gold-Cart Article... trusting e-gold/delayed payments

2003-11-23 Thread Katz Global Media


No monitor is safe.

Tempest is a Transient Electromagnetic Pulse Emanation signal receiver which
means it is not really being used to pick up monitor radiation (although
possible) but rather your signal emanating from the motherboard/processor
itself which gives much more data than just a monitor. This gets amplified
over wiring and piping in a structure.

I have seen them set up in a van at a 2-3 mile distance from the source. I
suspect they can use them readily from a satellite now or by sticking a
transmitter onto a water pipe and such things.

But why use tempest when there are dongles hanging out of the routers at the
nocs for law enforcement to plug into?

http://www.iab.org/documents/docs/iab-plenaries/2003-07-vienna/slem.pdf

http://news.com.com/2100-1023_3-213242.html

Gordon
www.katzglobal.com


> For those who don't know, TEMPEST is a method to read whatever is
> displayed on a CRT monitor. So far, I've never heard this being possible
> on a TFT monitor. More information on this (and other security issues):
> www.tscm.com




[e-gold-list] Re: Gold-Cart Article... trusting e-gold/delayed payments

2003-11-23 Thread Patrick Chkoreff
On Sunday, November 23, 2003, at 05:39 AM, FileMatrix wrote:

>> it is far more secure to have the PIK printed and carried in your
>> wallet
>
> True, unless someone steals your wallet, or you lose it. ...

That's not a problem.  The guy who gets your wallet still cannot log in
because he doesn't have your secret Login ID.

-- Patrick



[e-gold-list] Re: Gold-Cart Article... trusting e-gold/delayed payments

2003-11-23 Thread Patrick Chkoreff
On Sunday, November 23, 2003, at 09:53 AM, Katz Global Media wrote:

> ...
> But why use tempest when there are dongles hanging out of the routers
> at the nocs for law enforcement to plug into?

Yes but intercepting a message through a dongle doesn't help if the
message is encrypted.  Tempest lets them read a message as it is
displayed on your computer screen after you decrypt it.

-- Patrick



[e-gold-list] Re: Gold-Cart Article... trusting e-gold/delayed payments

2003-11-23 Thread FileMatrix
> check out the Kuhn / Anderson paper - google search should locate
> it easily.
>
>   "Monitor buyers should not assume that so-called low-radiation monitors,
>   or even LCD screens, provide any Tempest protection; we found that some
>   modern TFT-LCD laptop displays give clearer reception than many cathode
>   ray tubes."

Interesting! I was always a little fearful of laptop displays. I don't know
why?! Probably I always thought that there are some technological
compromises made in order to make the monitor fit in that tiny space.

I have a modern desktop TFT, but I'm looking forward to new technologies,
like OLED, which should have an even smaller electrical signature.


Gordon,

Even if they pick up electrical signals from all the components of the
computer, I see no way how that could be used, except for the signals from
the keyboard (which I know is already used because the keyboard is a rather
simple mechanism).


George Hara






[e-gold-list] Re: Gold-Cart Article... trusting e-gold/delayed payments

2003-11-22 Thread FileMatrix
Patrick,

> But the way Pecunix displays the PIKs makes it difficult if not
> impossible to copy and paste them.  So maybe Pecunix could also display
> each PIK in pure text in a form somewhat like George suggests:
>
> 1-a 2-4 3-T 4-u 5-X 6-b 7-Q 8-N 9-e 10-j 11-Y 12-u 13-A 14-m 15-9 16-h

Absolutely!


> Right now a Pecunix PIK uses the digits 2-9 and the upper and lower
> case alphabet except for India, Lima, Oscar.  That's 8+23+23 = 54
> characters.  Now, ignoring for a moment the fact that a PIK does not
> contain repeated characters, that's roughly O(54^16) possible PIKs, or
> about O(10^27).  Your scheme would have exactly 10^16 possible PIKs
> because you would obviously have to allow repeated digits.

It is also possible to increase the number of elements in the PIK to all 26
letters from English. This would give a total combinations number of 10^26.

However, after some thought, I consider that the classic system with user
name, password and Turing number is easier to use and, also, the current
system is not more secure. Of course, the user name and password (one for
each access level) should be generated by the system, randomly, 20
characters long (just small letters and digits). The user would be
instructed to keep private the user name and all three passwords. The user
would also be instructed to keep them in an encrypted file, and to copy and
paste them into the log-in form. The method is both easy and secure. Of
course, as you say, it seems most people prefer to print them and that
would make it impossible for this method to work since it would require
users to type long random strings.


> But if you did this, you might want to list the letter prompts in
> alphabetical order to make it easier for users to search for the
> associated digit

:), the thing with the alphabetical order has been a real mystery to me for a
very long time. I mean, what the heck is alphabetical order? Some idiot
thought vowels and consonants should be mixed and gave the so-called
alphabetical order! What a silly thing! I have an artificial language on
the workbench, and the letters I wrote are put like that because of the way
they sound: the stronger and more different from the others a letter is, the
more important it is (and gets a better place). The letters should be:
tmbcrvzgjpdhnlfsaoieu, but this is only for languages that read as
written (like Romanian and Russian, and most of Latin).


> She understood it immediately, and instructed me to tell the
> list that if she can do it, anyone can.

Yes, but she had someone show her how to do it...



Robert,

> RoboForm

Yes, I've heard of it, though never used it. I don't like to leave my
passwords in the hands of programs which can send them through the HTTP
protocol (avoiding firewalls) to somebody. Opera has such a module
integrated (to fill in passwords).



Viking,

> Regardless, *any* sign of "Please click/copy the following link
> immediately" in an official-looking email is a serious security breach.

The first thing to do is to inform users of such behavior right after they
create an account. It is better to put this comment than it is to let
scammers send HTML emails with hidden URLs. Users should also be informed
how the links will look, for example they never include characters like
@ and %.



Sidd,

> Evidence suggests otherwise George :)

I was referring to beginners in computers. When I saw the log-in form I was
puzzled for a few (tens of) seconds (and I'm no beginner).


> As Patrick pointed out, the idea is to print them

I never print private information. I keep it in encrypted files. The
existing password is too short; a maximum of 5 characters (plus the 4 from the
system) is not enough.


> Pecunix will be modified to have only one PIK per account, but 3 different
> secret passwords...

This is much better, but you should allow longer passwords. For e-gold, my
password is formed from about 30 random characters.


> If I wish to give my bookkeeper access to the read-only level

I was thinking about the same issue.


I didn't find the registration process to be a problem, just the PIK saving
and log-in form.


Two more things in the user agreement from Pecunix:

1. At some point it is stated that the minimum amount which can be spent is
0.0001 grams. Everywhere else it is specified as grams *of fine gold*.
2. At some point there is something about "acts of God". I don't think
anyone could prove such acts in a court of law :)


Thank you for the bounty, I got it. Pretty nifty, this "send money to an
email" method.

Oh, and maybe you can find a good anti-key-logger program and put a link to
it on the download page. Even if the PIKs are safe (for being images), the
passwords are not. I was thinking of something else: isn't there any way to
check using the browser (basically, your log-in page should do this) if
there is any program (the key-logger) hooked to the keyboard handler, or a
text screen harvester? If it is possible, the log-in form could tell users
there is a security breach.


George 

[e-gold-list] Re: Gold-Cart Article... trusting e-gold/delayed payments

2003-11-22 Thread Sidd
Dear George,

FileMatrix wrote:
>> But the way Pecunix displays the PIKs makes it difficult if not
>> impossible to copy and paste them.  So maybe Pecunix could also display
>> each PIK in pure text in a form somewhat like George suggests:
>> 1-a 2-4 3-T 4-u 5-X 6-b 7-Q 8-N 9-e 10-j 11-Y 12-u 13-A 14-m 15-9 16-h
>
> Absolutely!

This is a possibility, but of course that would be easy for a screen
scraper to steal... I will look into this more.

> It is also possible to increase the number of elements in the PIK to all 26
> letters from English. This would give a total combinations number of 10^26.

Yes, but there is a very good reason for leaving out the Zero, One,
Oscar, Lima, India characters... they can be easily confused,
depending on the font the user chooses, and this creates a larger
customer service work load, sorting out "can't log in" queries.

> The user would be
> instructed to keep private the user name and all three passwords. The user
> would also be instructed to keep them in an encrypted file, and to copy and
> paste them in the log-in form. The method is both easy and secure. Of
> course, as you say, it seems most people prefer to print them and that
> would make it impossible for this method to work since it would require
> users to type long random strings.

George, your suggestion assumes that everyone only ever logs in from
their own computer where they have access to these encrypted files.
Sure you could carry them on a portable disc, but when using your
account from an insecure computer (such as an internet café) it is
far more secure to have the PIK printed and carried in your wallet.
The Pecunix system is still by far the most secure default login, but
your suggestions degrade the security substantially.


> I was referring to beginners in computers. When I saw the log-in form I was
> puzzled for a few (tens of) seconds (and I'm no beginner).

Perhaps your puzzlement was caused by the very fact that you are not
a beginner George. You had a preconceived idea about what to expect
and it was different. Remember beginners find everything about the
computer puzzling, even e-mail, but they work it out. As one becomes
more familiar with computers, one develops certain expectations, and
perhaps is irritated or frustrated if something one is not familiar
with is presented. This seems to be especially so if you consider
yourself to be tech-savvy. I know I sometimes suffer from this. As
I pointed out before, it is invariably the tech-savvy or
experienced user who complains about the Pecunix login system, not
the beginner, who usually asks if he is not sure. Beginners are used
to not knowing what to do with their computers and are generally
more willing to click the help button.

> The
> existing password is too short, maximum 5 characters (plus the 4 from the
> system) are not enough.

It is generally accepted that 8 character passwords are sufficient
security, and for a user on the move, not always using the same
computer, more than 8 are getting too difficult to remember.

> Oh, and maybe you can find a good anti-key-logger program and put a link to
> it in the download page. Even if the PIKs are safe (for being images), the
> passwords are not.

We can think about that. Remember, even if the keylogger stole your
password, it still doesn't have the full picture and your account is
safe.

> I was thinking of something else: isn't there any way to
> check using the browser (basically, your log-in page should do this) if
> there is any program (the key-logger) hooked to the keyboard handler, or a
> text screen harvester? If it is possible, the log-in form could tell users
> there is a security breach.

If it were possible it would require running a program (such as
ActiveX) from the browser... a definitely BAD idea.

Regards,

Sidd.



[e-gold-list] Re: Gold-Cart Article... trusting e-gold/delayed payments

2003-11-21 Thread FileMatrix
James,

> Me either. Email is an insecure medium,

I said a few weeks ago something about a service to check PGP signatures and
at that time I also said something about emails not having clickable URLs. If the
currency operator informs the users that it never includes clickable URLs in
the emails it sends, most users are protected. This would be a good feature
in Sidd's system, as he said Pecunix sends emails to users.

Here is an example of how the signed emails could look:

Email content

-
If you would like to verify that we (company X) are the sender of this
email, please copy (without the quotes) and paste the link between the
following quotes in the address bar of your Internet browser:
"ww.checkingservice.com". Please make sure to add a "w" character before the
link.

At that location you will see a form in which you have to paste this entire
email, then click the "Check" button. The checking service will then check
the digital signature of the email and display to you who signed the email,
namely us (company X).
-


For Pecunix, ww.checkingservice.com should, of course, be
ww.pecunix.com/money.refined...ref.pgpsignature


Sidd,

> Pecunix gives you 3 different access levels to your one account.

I guess there are 3 different passwords, one for each level, right?

By the way, on the Downloads page from Pecunix, there is a link to
http://winpt.org/. WinPT doesn't exist anymore. And what's with
http://www.siddley.net/? It has no links, not even a contact email address?!


George Hara






[e-gold-list] Re: Gold-Cart Article... trusting e-gold/delayed payments

2003-11-21 Thread FileMatrix
Sidd,


I just created a Pecunix account. The system is great, it has a lot of
features, and I was intrigued by the way the Turing number became
unnecessary. The difficult part is the login. No way for a beginner to
complete the registration and log-in process.

Here are my suggestions:

1.
Create the PIKs like this: put 16 letters one after another, each followed
by a random digit. For example:
T0-M1-B2-C3-R4-V5-Z6-G7-J8-P9-D0-H1-N2-L3-F4-S5; here you have 16 random
digits, which means there is a 2 / 10^16 average probability to crack the
PIK by brute force.

When an account is created, display all three PIKs as text to allow users to
copy and paste them into their (encrypted) files, without having to type
such complex strings in order to save them.

When the user logs in, randomly choose (say) 5 letters and ask the user to
enter (through the combo-box, which in this case is much easier to navigate
since it has just 10 items) from the PIK, the digit right after the
associated letter. For example, for letter "T", the user has to enter "0",
for "M" it's "1".

Write how the user has to log in, in the log-in form (don't make the user go
to the help page).

Implement this method at least for the read-only and limited access levels.
If you don't implement it for the full access level then make the default
log-in with the limited access level.

2.
At the end of the registration process, display all user information in an
edit-box and put a button to copy the text to the clipboard, so that the
user could save it into a file:
---
* User name = ...
* User address = ...
* Account name = ...
* Password = ...
* Full access PIK = ...
* Limited access PIK = ...
* Read-only access PIK = ...
* Secret information = ...
* Log-in URL = ...
* PGP signature check URL =
---

3.
In the merchant tools section it is very difficult to copy the HTML code
(since the cursor doesn't work in the edit-box). I think a button to copy
the code to the clipboard is required.

4.
Have you thought about the rebilling / payment request idea discussed a few
weeks ago? (I know it is extremely complex.)


George Hara
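The letter/digit PIK log-in from suggestion 1 above, modelled in Python as an added example (this is not Pecunix's code nor George's): the PIK text form T0-M1-... and the 5-letter challenge come from the post, the keyspace comparison uses the 54-character figure Patrick gives elsewhere in the thread, and the function names, the constant-time compare and the use of a CSPRNG are this example's own assumptions.

```python
"""Model of the letter/digit PIK challenge-response proposed in the thread.

Added example, not Pecunix's code. The PIK layout (16 letters, each followed
by a random digit) and the 5-letter challenge are from the post; the helper
names and the CSPRNG/constant-time details are assumptions of this example.
"""
import hmac
import math
import random
import string

PIK_LETTERS = 16      # the post: 16 letters, each followed by a random digit
CHALLENGE_SIZE = 5    # the post: ask for the digits behind (say) 5 letters


def generate_pik(rng=None):
    """Build a PIK as {letter: digit}. Letters are distinct, so every
    challenged letter has exactly one answer; digits may repeat (post allows)."""
    if rng is None:
        rng = random.SystemRandom()          # CSPRNG unless a seeded rng is passed
    letters = rng.sample(string.ascii_uppercase, PIK_LETTERS)
    return {ch: str(rng.randrange(10)) for ch in letters}


def format_pik(pik):
    """Render the copy-and-paste text form from the post: T0-M1-B2-..."""
    return "-".join(f"{ch}{d}" for ch, d in pik.items())


def parse_pik(text):
    """Parse the text form back into {letter: digit}, validating its shape."""
    pik = {}
    for item in text.split("-"):
        if len(item) != 2 or not item[0].isalpha() or not item[1].isdigit():
            raise ValueError(f"bad PIK element: {item!r}")
        if item[0] in pik:
            raise ValueError(f"letter repeated in PIK: {item[0]}")
        pik[item[0]] = item[1]
    if len(pik) != PIK_LETTERS:
        raise ValueError(f"PIK must have {PIK_LETTERS} elements")
    return pik


def make_challenge(pik, rng=None):
    """Server side: pick CHALLENGE_SIZE distinct letters the user must answer."""
    if rng is None:
        rng = random.SystemRandom()
    return rng.sample(sorted(pik), CHALLENGE_SIZE)


def answer_challenge(pik, challenge):
    """Client side: the digit behind each challenged letter, in challenge order."""
    return "".join(pik[ch] for ch in challenge)


def verify_response(pik, challenge, response):
    """Server side: accept only the exact digit string for this challenge.
    hmac.compare_digest keeps timing independent of the first wrong digit;
    the shape check keeps non-ASCII input away from it."""
    expected = answer_challenge(pik, challenge)
    if len(response) != len(expected) or not (response.isascii() and response.isdigit()):
        return False
    return hmac.compare_digest(expected, response)


def guess_odds(challenge_size=CHALLENGE_SIZE):
    """One log-in attempt succeeds with probability 1 in this many (digit
    answers). This, not the PIK keyspace, bounds an online guessing attack,
    which is why the thread's lockout discussion matters."""
    return 10 ** challenge_size


def keyspace(alphabet_size, length, repeats_allowed):
    """Number of possible PIKs, as compared in the thread: 54^16 for the
    existing Pecunix alphabet if repeats were allowed, P(54,16) without
    repeats, and 10^16 for the 16-digit scheme."""
    if repeats_allowed:
        return alphabet_size ** length
    return math.perm(alphabet_size, length)


def keyspace_bits(count):
    """Entropy of a uniformly chosen PIK from a keyspace of `count`, in bits."""
    return math.log2(count)


if __name__ == "__main__":
    pik = parse_pik("T0-M1-B2-C3-R4-V5-Z6-G7-J8-P9-D0-H1-N2-L3-F4-S5")  # post's example
    chal = make_challenge(pik)
    print("challenge:", chal, "accepted:",
          verify_response(pik, chal, answer_challenge(pik, chal)))
    print("one attempt succeeds 1 in", guess_odds())
    print("digit PIK: %.1f bits, current 54-char PIK (no repeats): %.1f bits"
          % (keyspace_bits(keyspace(10, 16, True)),
             keyspace_bits(keyspace(54, 16, False))))
```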






[e-gold-list] Re: Gold-Cart Article... trusting e-gold/delayed payments

2003-11-21 Thread Viking Coder
> I just created a Pecunix account. The system is great
> ...
> No way for a beginner to complete the registration and log-in process.

This seems to be the general consensus on Pecunix. I haven't had a chance
to personally check it out though - hopefully this weekend.

It seems kind of ironic that a system designed to protect the un-tech savvy
from their own security ignorance is too complicated for un-tech savvy
users to properly use.


Viking Coder

http://www.2cw.org/?VikingCoder




[e-gold-list] Re: Gold-Cart Article... trusting e-gold/delayed payments

2003-11-21 Thread Patrick Chkoreff
On Friday, November 21, 2003, at 10:44 AM, FileMatrix wrote:

> ...
> Here are my suggestions: ...


Sidd:

George makes some intriguing suggestions here.

But just to focus on one small point for a moment, George mentioned 
that he would like the ability to copy and paste his PIKs into an 
encrypted file.  This never occurred to me because I printed out my 
PIKs and read them off a piece of paper whenever I log in.

But the way Pecunix displays the PIKs makes it difficult if not 
impossible to copy and paste them.  So maybe Pecunix could also display 
each PIK in pure text in a form somewhat like George suggests:

1-a 2-4 3-T 4-u 5-X 6-b 7-Q 8-N 9-e 10-j 11-Y 12-u 13-A 14-m 15-9 16-h

That would let the user copy and paste the PIKs with NO other changes 
to the login system.

Later you might want to consider the merits of George's suggestion to 
reduce the combo boxes to just the digits 0 - 9, but this is an 
entirely separate and optional issue.

T0-M1-B2-C3-R4-V5-Z6-G7-J8-P9-D0-H1-N2-L3-F4-S5

By the way, George, although this approach would simplify choosing from 
the combo boxes, you are definitely cutting the probability sample 
space if you do this.  But whether that matters or not is another 
question.

Right now a Pecunix PIK uses the digits 2-9 and the upper and lower 
case alphabet except for India, Lima, Oscar.  That's 8+23+23 = 54 
characters.  Now, ignoring for a moment the fact that a PIK does not 
contain repeated characters, that's roughly O(54^16) possible PIKs, or 
about O(10^27).  Your scheme would have exactly 10^16 possible PIKs 
because you would obviously have to allow repeated digits.

Now cutting the number of PIKs by a factor of 10^11 may not be a 
serious concern because you need both a PIK and a secret login name to 
log into a Pecunix account.  So 10^16 may be quite enough PIKs, 
especially if it simplifies the user interface (considerably!) and 
poses no real threat to security.

By the way, I have not yet shown my wife how to log into my Pecunix 
account, though I've been meaning to do so.  (Hmm, maybe I better just 
give her read-only access for now so she doesn't run out and buy drapes 
with it.  :-)  I'll let everyone know how she reacts to the process.

George wrote:

> At the end of the registration process, display all user information
> in an edit-box and put a button to copy the text to the clipboard, so
> that the user could save it into a file:
> ---
> * User name = ...
> * User address = ...
> * Account name = ...
> * Password = ...
> * Full access PIK = ...
> * Limited access PIK = ...
> * Read-only access PIK = ...
> * Secret information = ...
> * Log-in URL = ...
> * PGP signature check URL =
> ---

VERY nice suggestion, George.  Again Sidd, all of this could be done 
with NO other fundamental changes to the system.

But George, I honestly think that most ordinary users will just PRINT 
OUT their PIKs, exactly as I did because I was trying to be as 
ordinary as possible and then assess how secure I felt with that.  
Your method of pasting into a file, encrypted or not, is probably 
something only a sophisticated user would do.  Most users will just 
want to press Print and then keep the sheets in their briefcase or 
something.

However, cutting down the combo boxes to just the digits 0-9 could very 
well make the system feel a lot easier to use.  But if you did this, 
you might want to list the letter prompts in alphabetical order to 
make it easier for users to search for the associated digit:

B2-C3-D0-F4-G7-H1-J8-L3-M1-N2-P9-R4-S5-T0-V5-Z6

I note here that it seems that George has cleverly not used vowels, 
perhaps to avoid accidentally spelling out an offensive word in the 
login prompt sequence?  :-)

Anyway, a random login prompt sequence chosen from the PIK above might 
be:

H:  (combo 0-9)
N:  (combo 0-9)
Z:  (combo 0-9)
D:  (combo 0-9)
That might be nice.

-- Patrick
http://fexl.com
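The partial-PIK login George proposes earlier in the thread and the sample-space arithmetic in Patrick's reply above, worked through as an added example (this is not code from the list, from Pecunix or from either poster). It parses a PIK written in George's letter-digit format, renders it alphabetically as Patrick suggests, issues a random k-letter prompt, checks the answer in constant time, and compares the 10^16 digit-PIK space with Patrick's 54^16 figure. The function names, the 16-consonant letter set and the decision to treat a wrong-length answer as a plain failure are this example's assumptions, not anything Pecunix specified.

```python
"""Partial-PIK challenge/response as discussed on the list (added example)."""
from fractions import Fraction
import hmac
import math
import secrets

# The example PIK Patrick quotes from George's proposal (letter followed by digit).
PAGE_PIK = "T0-M1-B2-C3-R4-V5-Z6-G7-J8-P9-D0-H1-N2-L3-F4-S5"

# Assumption: the letter set is the 16 consonants George used; vowels omitted.
PIK_LETTERS = "BCDFGHJLMNPRSTVZ"
DIGITS = "0123456789"


def parse_pik(text):
    """Turn 'T0-M1-...' into {'T': '0', 'M': '1', ...}; digits may repeat, letters may not."""
    table = {}
    for item in text.split("-"):
        if len(item) != 2 or not item[0].isalpha() or item[1] not in DIGITS:
            raise ValueError(f"bad PIK entry: {item!r}")
        if item[0] in table:
            raise ValueError(f"letter {item[0]} listed twice")
        table[item[0]] = item[1]
    return table


def generate_pik(letters=PIK_LETTERS):
    """Issue a fresh PIK: each letter gets an independent random digit (10**16 PIKs for 16 letters)."""
    return {letter: secrets.choice(DIGITS) for letter in letters}


def format_pik(pik, alphabetical=True):
    """Render as 'B2-C3-...'; alphabetical order, as Patrick suggests, helps the user scan it."""
    keys = sorted(pik) if alphabetical else list(pik)
    return "-".join(f"{k}{pik[k]}" for k in keys)


def make_challenge(pik, k=5):
    """Server side: pick k distinct letters from the PIK at random for this login."""
    letters = list(pik)
    chosen = []
    for _ in range(k):
        chosen.append(letters.pop(secrets.randbelow(len(letters))))
    return chosen


def expected_response(pik, challenge):
    """The digits the user must enter, one per prompted letter, in prompt order."""
    return "".join(pik[letter] for letter in challenge)


def verify_response(pik, challenge, response):
    """Constant-time compare of the user's digit string; a wrong length simply fails."""
    return hmac.compare_digest(expected_response(pik, challenge), response)


def guess_probability(k):
    """Chance of blindly guessing one k-digit challenge (the secret login ID is still needed too)."""
    return Fraction(1, 10 ** k)


def pecunix_pik_space(no_repeats=False):
    """Patrick's count: 54 symbols in 16 positions, 54**16; perm() honours the no-repeat rule."""
    return math.perm(54, 16) if no_repeats else 54 ** 16


def digit_pik_space(n=16):
    """George's scheme: 16 independent digits, 10**16 PIKs."""
    return 10 ** n


if __name__ == "__main__":
    pik = parse_pik(PAGE_PIK)
    print(format_pik(pik))
    prompt = make_challenge(pik, 4)
    print("prompt:", " ".join(f"{c}:" for c in prompt), "->", expected_response(pik, prompt))
    print("reduction factor ~", pecunix_pik_space() // digit_pik_space())
```

Two things the arithmetic shows that the thread only touches on: a blind guess at a 5-letter prompt succeeds with probability 10^-5 per attempt, so the server must throttle failed logins for the scheme to hold; and each observed login leaks k of the 16 letter-digit pairs, so a keylogger or shoulder-surfer needs only a handful of sessions to rebuild the whole table, which is why the combination with a separate secret login ID matters.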


[e-gold-list] Re: Gold-Cart Article... trusting e-gold/delayed payments

2003-11-21 Thread Patrick Chkoreff


On Friday, November 21, 2003, at 12:24 PM, Viking Coder wrote:

> > I just created a Pecunix account. The system is great
> > ...
> > No way for a beginner to complete the registration and log-in process.
> This seems to be the general consensus on Pecunix. I haven't had a
> chance to personally check it out though - hopefully this weekend.


As I promised I just showed my wife how to log into my Pecunix account. 
 I did not take her through the new account creation process, though, 
which I admit is more difficult than merely logging in.


> It seems kind of ironic that a system designed to protect the un-tech
> savvy from their own security ignorance is too complicated for un-tech
> savvy users to properly use.

So I asked my wife what she thought about that whole PIK / combo box 
process.  She understood it immediately, and instructed me to tell the 
list that if she can do it, anyone can.

But certainly creating a new account is a horse of a different color, 
I'll admit.

-- Patrick



[e-gold-list] Re: Gold-Cart Article... trusting e-gold/delayed payments

2003-11-21 Thread Robert B.Z.
Sidd,
Pecunix is just *too* good to be convenient for heavy users ;o)
By the way, how about adding a routine that calls Open2Exchange to convert
pecunix into e-gold?
It would be a neat extension of the GoldCart / Pecunix / ... trio and
you'd get to collect fees three times (Merchants would just pass the fees
on to customers and are unlikely to mind too much).

Patrick,
A neat little program that could help most users is 'RoboForm' (sorry, no
URL, but Google should do). It immediately defeats keyloggers because the
program knows which access card goes with which URL.
In this way you only need to remember a few main passwords you use to
access RoboForm, which knows all the rest. It saves us *a lot* of time and
beats having dozens of encrypted Notepad-like files scattered among the O/S
files.

Cheers,
Robert.

budget  privacy website hosting
http://www.cyberica.net
start a profitable online business
http://www.cyberfrontier.biz
budget domain registrations
http://www.u2planet.com





[e-gold-list] Re: Gold-Cart Article... trusting e-gold/delayed payments

2003-11-21 Thread Sidd
Robert, JP,

Robert B.Z. wrote:
> Pecunix is just *too* good to be convenient for heavy users ;o)
That's why we have such excellent automation, Robert. I guess I am a 
heavy user of Pecunix but I rarely log in to the web interface... It 
is all done automatically by my account system backend, transaction 
history, payments, everything.

Robert B.Z. wrote:
> By the way, how about adding a routine that calls Open2Exchange to convert
> pecunix into e-gold?
[EMAIL PROTECTED] wrote:
> So you could say it's Sidd's pecunix system combined with Sidd's 
> dgc-dgc system amalgamated directly into Sidd's pecunix system.
> Hence, I encourage Sidd to urgently integrate metal-escrow's
> dgc-dgc system DIRECTLY INTO pecunix.
> (The reason I address you specifically Sidd is you're the most
> can-do IG operator.)
Thanks JP... You guys are too fast for me! First Robert asks for 
Gold-Cart 2 days before I release it, now this... It is in the 
pipeline, but I have a life too :) (I also read Dowd, excellent).

Look for some big changes over the next few months. The next big 
thing is over at Open2exchange coming in a couple of weeks time... I 
think you will all love it, and it will help us to deal with the 
logistics of Robert/JP's idea above.

Next year we will see some dramatic enhancements in Pecunix 
functionality, and of course the escrow facility built into 
Gold-Cart... also, stay tuned to get into the action, private 
placement investment in many of these ventures will be offered on PVCSE.

Right now I'm off to go and have some weekend time with my family :) 
See y'all Monday.

Regards,

Sidd.


