From ukcrypto at chiark.greenend.org.uk Fri Aug 1 14:02:45 2008
From: ukcrypto at chiark.greenend.org.uk (Richard Clayton)
Date: Fri, 1 Aug 2008 14:02:45 +0100
Subject: Ernst & Young audit overlooks Phorm's violation of its own privacy policy
Message-ID: <3GyeX7C1lwkIFAtf@highwayman.com>

    I've been looking at deep packet inspection / targeted advertising
    company Phorm for the past couple of days and have found a clear and
    simple case of Phorm violating its own privacy policy in
    contradiction to Ernst & Young's audit of the company's systems.

    etc...

I recommend reading the whole article :)

For some time I (and others) have been pointing out that the Phorm ID
can be obtained by any website that is visited (the Phorm system will
attempt to remove it, but cannot succeed if the cookie value is
transferred by https). This could lead to a trade (illegal under EU law
of course) in matching Phorm IDs with other data...

Hal Roberts has taken this further by pointing out that this explicitly
infringes Phorm's own privacy policy -- as audited by Ernst and Young!

He does ask "How did Ernst & Young not find this problem?" and discusses
the shortcomings of the audit process generally.

However, one of the reasons that occurs to me is that when Ernst & Young
audited the system it worked differently! We know that it used to use
HTTP Referrer fields (because they leaked data into logs all over the
Internet) ... but then Ernst & Young don't mention that failing either,
so maybe Hal's meta-analysis is all that really matters:

    But the report is completely opaque, so all we have to rely on is
    Ernst & Young's reputation. For that reputation to be valid, though,
    there has to be a strong feedback mechanism that discredits Ernst &
    Young when it produces a faulty report. In practice, what's that
    pushback? Is there any history of such audits being disproved to the
    disparagement of the auditing firm? In the face of only a vague
    threat of some sort of reputation loss, the strong, direct incentive
    to produce positive reports to generate more business will win every
    time.

--
richard                              richard.clayton @ h i g h w a y m a n . com

"Assembly of Japanese bicycle require great peace of mind"   quoted in ZAMM

From ukcrypto at chiark.greenend.org.uk Fri Aug 1 14:36:04 2008
From: ukcrypto at chiark.greenend.org.uk (Peter Tomlinson)
Date: Fri, 01 Aug 2008 14:36:04 +0100
Subject: Ernst & Young audit overlooks Phorm's violation of its own privacy policy
In-Reply-To: <3GyeX7C1lwkIFAtf@highwayman.com>
References: <3GyeX7C1lwkIFAtf@highwayman.com>
Message-ID: <48931144.1020102@iosis.co.uk>

Reminds me of PA, who fielded a team of management but not technical
consultants, recently providing a document with technical content
(content that was flawed) to DfT for the ENCTS project, a document that
was published by DfT and then the ICO caused it to be withdrawn.

Peter

Richard Clayton wrote:
> overlooks-phorms-violation-of-its-own-privacy-policy/>
>
> I've been looking at deep packet inspection / targeted advertising
> company Phorm for the past couple of days and have found a clear and
> simple case of Phorm violating its own privacy policy in
> contradiction to Ernst & Young's audit of the company's systems.
>
> etc...
>
> I recommend reading the whole article :)
>
> For some time I (and others) have been pointing out that the Phorm ID
> can be obtained by any website that is visited (the Phorm system will
> attempt to remove it, but cannot succeed if the cookie value is
> transferred by https). This could lead to a trade (illegal under EU law
> of course) in matching Phorm IDs with other data...
>
> Hal Roberts has taken this further by pointing out that this explicitly
> infringes Phorm's own privacy policy -- as audited by Ernst and Young!
>
> He does ask "How did Ernst & Young not find this problem?" and discusses
> the shortcomings of the audit process generally.
>
> However, one of the reasons that occurs to me is that when Ernst & Young
> audited the system it worked differently! We know that it used to use
> HTTP Referrer fields (because they leaked data into logs all over the
> Internet) ... but then Ernst & Young don't mention that failing either,
> so maybe Hal's meta-analysis is all that really matters:
>
>     But the report is completely opaque, so all we have to rely on is
>     Ernst & Young's reputation. For that reputation to be valid, though,
>     there has to be a strong feedback mechanism that discredits Ernst &
>     Young when it produces a faulty report. In practice, what's that
>     pushback? Is there any history of such audits being disproved to the
>     disparagement of the auditing firm? In the face of only a vague
>     threat of some sort of reputation loss, the strong, direct incentive
>     to produce positive reports to generate more business will win every
>     time.
>
> --
> richard                              richard.clayton @ h i g h w a y m a n . com
>
> "Assembly of Japanese bicycle require great peace of mind"   quoted in ZAMM

From ukcrypto at chiark.greenend.org.uk Fri Aug 1 15:27:17 2008
From: ukcrypto at chiark.greenend.org.uk (Richard Clayton)
Date: Fri, 1 Aug 2008 15:27:17 +0100
Subject: An incomplete PQ answer
Message-ID:

22 July 2008 : Column WA230

Anti-terrorism, Crime and Security Act: Voluntary Retention of Data

The Earl of Northesk asked Her Majesty's Government:

    How many grants they have given to telephone companies and internet
    service providers to assist them in the voluntary retention of data
    under Section 106 of the Anti-terrorism, Crime and Security Act 2001;
    and what has been the total annual value of such grants in each year
    since 2001. [HL4469]

The Parliamentary Under-Secretary of State, Home Office (Lord West of
Spithead): Payments under Section 106 of the Anti-terrorism, Crime and
Security Act 2001 (ATCSA) commenced after the code of practice for the
retention of communications data was approved by Parliament in 2003, the
first payments being in financial year 2004. In October 2007, the Data
Retention (EC Directive) Regulations 2007 came into force and many former
ATCSA grants payments are now made under those regulations.

-=-=-=-=-=-

If you think this doesn't especially fully answer the question then
you'd be right!! Lord West (actually of course someone less senior)
dropped part of the answer between his front door and the House.

Expect more soon :)

--
richard                                                   Richard Clayton

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety.
                                                       Benjamin Franklin

From ukcrypto at chiark.greenend.org.uk Fri Aug 1 15:33:38 2008
From: ukcrypto at chiark.greenend.org.uk (Richard Clayton)
Date: Fri, 1 Aug 2008 15:33:38 +0100
Subject: UK implementation of Data Retention Directive
Message-ID:

Despite suggestions that the Communications Data Bill is all about
implementing the Data Retention Directive (and not about black boxes in
ISPs, centralised storage of comms data and so on), it turns out that the
Home Office will be using a boring old statutory instrument to bring the
Directive into effect (just as they did with the telcos last year).

Expect a consultation Real Soon Now :) and the draft Bill to be delayed...

However, Lord West seems to think that it will all be in force by the 1st
April next year, which Brussels may be disappointed about, since their
deadline is the 15th March!

-=-=-=-=-=-=-=-

http://www.publications.parliament.uk/pa/ld200708/ldhansrd/text/80722w0005.htm#80722w0005.htm_spmin4

22 July 2008 : Column WA246

The Earl of Northesk asked Her Majesty's Government:

    In light of the transposition of the data retention directive
    (2006/24/EC), as applied to telephone networks, into United Kingdom
    law by secondary legislation (SI 2007/2199), what plans they have to
    make similar provision in respect of the directive's application to
    the internet; and, if there are no plans for such implementation, how
    they intend to give legal force to these elements of the directive.
    [HL4464]

The Parliamentary Under-Secretary of State, Home Office (Lord West of
Spithead): In October 2007, the Data Retention (EC Directive) Regulations
2007 came into force, completing the initial transposition of the European
data retention directive.
We plan to consult publicly before transposing the remainder of the
directive to come into effect on 1 April 2009.

--
richard                                                   Richard Clayton

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety.
                                                       Benjamin Franklin

From ukcrypto at chiark.greenend.org.uk Sat Aug 2 19:52:38 2008
From: ukcrypto at chiark.greenend.org.uk (Mary Hawking)
Date: Sat, 2 Aug 2008 19:52:38 +0100
Subject: contract awarded for national ID card
Message-ID:

Does this mean that the introduction of ID cards is inevitable - even if
we get a change of government? [1]

http://www.computerweekly.com/Articles/2008/08/01/231727/thales-bags-18m-deal-for-national-id-card-scheme.htm

and how is - if it is - the very accelerated consultation on allowing the
SOS (not sure which) to change common and statutory law on data sharing
associated?

Mary Hawking

[1] cancelling contracts is expensive - and may be impossible. I had the
impression that some services were privatised in a bit of a rush to
prevent subsequent governments reversing them when it was clear that the
risk of change of government was probable - or highly probable.

--
Mary Hawking

From ukcrypto at chiark.greenend.org.uk Sat Aug 2 20:56:34 2008
From: ukcrypto at chiark.greenend.org.uk (Peter Tomlinson)
Date: Sat, 02 Aug 2008 20:56:34 +0100
Subject: contract awarded for national ID card
In-Reply-To:
References:
Message-ID: <4894BBF2.8040205@iosis.co.uk>

Thanks to Mary for the link, but not that big a contract, which is in
line with predictions that the scheme is fading away. But I heard on the
radio that 3 contracts have been let - anyone help with the others?

Peter

Mary Hawking wrote:
> Does this mean that the introduction of ID cards is inevitable - even
> if we get a change of government?
> [1]
> http://www.computerweekly.com/Articles/2008/08/01/231727/thales-bags-18m-deal-for-national-id-card-scheme.htm
> and how is - if it is - the very accelerated consultation on allowing
> the SOS (not sure which) to change common and statutory law on data
> sharing associated?
> Mary Hawking
> [1] cancelling contracts is expensive - and may be impossible.
> I had the impression that some services were privatised in a bit of a
> rush to prevent subsequent governments reversing them when it was
> clear that the risk of change of government was probable - or highly
> probable.

From ukcrypto at chiark.greenend.org.uk Mon Aug 4 12:40:36 2008
From: ukcrypto at chiark.greenend.org.uk (Richard Clayton)
Date: Mon, 4 Aug 2008 12:40:36 +0100
Subject: An incomplete PQ answer
In-Reply-To:
References:
Message-ID: <0ID+ELC0qulIFAkm@highwayman.com>

In article , Richard Clayton writes

>22w0002.htm#80722w0002.htm_spmin0>

the Home Office have now located the missing table of numbers... which
are certainly of interest....

>22 July 2008 : Column WA230
>
>Anti-terrorism, Crime and Security Act: Voluntary Retention of Data
>
>The Earl of Northesk asked Her Majesty's Government:
>
>    How many grants they have given to telephone companies and internet
>    service providers to assist them in the voluntary retention of data
>    under Section 106 of the Anti-terrorism, Crime and Security Act 2001;
>    and what has been the total annual value of such grants in each year
>    since 2001. [HL4469]
>
>The Parliamentary Under-Secretary of State, Home Office (Lord West of
>Spithead):

Payments under Section 106 of the Anti-terrorism, Crime and Security Act
2001 (ATCSA) commenced after the code of practice for the retention of
communications data was approved by Parliament in 2003, the first
payments being in financial year 2004.
In October 2007, the Data Retention (EC Directive) Regulations 2007 came
into force and many former ATCSA grants payments are now made under those
regulations.

Financial year    Grant payments        ATCSA        EUDRD
2004                    5              84,582
2005                    2             770,800
2006                    4           5,282,100
2007                   10           5,714,045    2,632,450
2008 (to Jul)           5           2,283,695    1,788,859

*year to 01 July

Figures in the last two columns are pounds sterling.

--
richard                                                   Richard Clayton

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety.
                                                       Benjamin Franklin

From ukcrypto at chiark.greenend.org.uk Mon Aug 4 13:33:46 2008
From: ukcrypto at chiark.greenend.org.uk (Ian Batten)
Date: Mon, 4 Aug 2008 13:33:46 +0100
Subject: An incomplete PQ answer
In-Reply-To: <0ID+ELC0qulIFAkm@highwayman.com>
References: <0ID+ELC0qulIFAkm@highwayman.com>
Message-ID: <2DA38795-0604-466B-B47D-D5B7C47D0515@batten.eu.org>

> 2007                   10           5,714,045    2,632,450

So each grant is of the order of 700 grand. It depends on if the grants
are capex one-off, capex on a depreciation basis or capex+opex, but for
half a million quid a year over three years you could buy and operate a
substantial fraction of a petabyte of disk in MAID arrays, and a few
hundred terabytes of conventional RAID (the power would get you).
ian

From ukcrypto at chiark.greenend.org.uk Mon Aug 4 14:14:28 2008
From: ukcrypto at chiark.greenend.org.uk (Ian Batten)
Date: Mon, 4 Aug 2008 14:14:28 +0100
Subject: DNA database claims
In-Reply-To: <7E3C4DD010E54D4381956FBD1440B661@wideboy>
References: <20080731064611.30605.77634.Mailman@chiark.greenend.org.uk>
            <7E3C4DD010E54D4381956FBD1440B661@wideboy>
Message-ID: <00B104D6-83CF-4557-91F5-0CEAA7E447A2@batten.eu.org>

> My take is that if an organisation is not at least 27001 compliant
> (compliance should be attested by certification...), then it will
> not be easy to attest that due care is being taken of the
> information they hold - never mind any higher levels of assurance
> that may be required.

Quite so. One of my personal bugbears is people who claim to be
compliant to a standard, but don't hold registration. If they're
compliant, it shouldn't be hard to get registered. If they can't get
registered, they aren't compliant.

Moreover, it's one thing to be compliant on a given day. Registration
carries with it an obligation to surveillance audit (twice per year in
our case) and part of that audit is in turn an examination of the
internal audit. People who claim unregistered compliance simply don't
have that.

We thought we were 27001 compliant. When the time came to actually do
the work, we found that there were a whole host of things that we didn't
do completely, that seemed trivial, but were actually hugely beneficial.
As an example, correctly functioning management reporting. As another,
robust measures of effectiveness.

My next task is 25999, and again I've got agreement that although the
driver is customers who want ``aligned to'', we're actually going to do
registration. Partly because registration means you're on the front foot
whenever the legitimacy of your management system is questioned. But
mostly because if you're not registered, you're just making bold claims.
But we're on the same page: 27001 doesn't prove an organisation has
effective security, although it does prove that at least they're making
some effort. Absence of 27001 however pretty much proves they don't care
and can't be bothered.

ian

From ukcrypto at chiark.greenend.org.uk Mon Aug 4 20:09:53 2008
From: ukcrypto at chiark.greenend.org.uk (Richard Clayton)
Date: Mon, 4 Aug 2008 20:09:53 +0100
Subject: An incomplete PQ answer
In-Reply-To: <2DA38795-0604-466B-B47D-D5B7C47D0515@batten.eu.org>
References: <0ID+ELC0qulIFAkm@highwayman.com>
            <2DA38795-0604-466B-B47D-D5B7C47D0515@batten.eu.org>
Message-ID:

In article <2DA38795-0604-466B-B47D-D5B7C47D0515@batten.eu.org>, Ian
Batten writes

>> 2007                   10           5,714,045    2,632,450
>
>So each grant is of the order of 700 grand.

In 2004 each grant was of the order of 16K... so what you're seeing is
MUCH larger entities obtaining money for data retention. Note that this
is in the run up to the time when the mobile companies and telcos had to
move to retaining data for a year; whereas one might suspect that 2004
was all about tiny little ISPs ...

... since I have no inside information :) I can speculate along with
everyone else :)

>It depends on if the
>grants are capex one-off, capex on a depreciation basis or capex+opex,

capex one-off I believe -- again speaking from informed ignorance :) ...
I believe that the opex is supposed to be covered by the "per request"
that the authorities pay for making their 500K requests/annum.

>but for half a million quid a year over three years you could buy and
>operate a substantial fraction of a petabyte of disk in MAID arrays,
>and a few hundred terabytes of conventional RAID (the power would get
>you).

we're now sending 1.5E9 text messages/week... if you need to record
time, date, source number, destination number, geographic location of
source and destination and the byte-length (but not of course the
content!) then that starts to mount up...
and that's before counting phone calls, both fixed and mobile

--
richard                                                   Richard Clayton

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety.
                                                       Benjamin Franklin

From ukcrypto at chiark.greenend.org.uk Mon Aug 4 20:46:16 2008
From: ukcrypto at chiark.greenend.org.uk (Mary Hawking)
Date: Mon, 4 Aug 2008 20:46:16 +0100
Subject: U.S. Customs and Border Protection
Message-ID:

Http://www.cdt.org/security/20080716_CBP%20Search%20Policy.pdf

This appears to allow US border controls to seize and/or copy any
electronically held information with or without any grounds of suspicion.

Questions
1. is this document genuine? The URL came from Computer Weekly, so I
think it probably is.
2. If it is, what are the implications for any dealings in the USA, and
how does one circumvent it?

Mary Hawking

--
Mary Hawking

From ukcrypto at chiark.greenend.org.uk Mon Aug 4 21:12:12 2008
From: ukcrypto at chiark.greenend.org.uk (Igor Mozolevsky)
Date: Mon, 4 Aug 2008 21:12:12 +0100
Subject: U.S. Customs and Border Protection
In-Reply-To:
References:
Message-ID:

2008/8/4 Mary Hawking :
> Questions
> 1. is this document genuine? The URL came from Computer Weekly, so I think
> it probably is.

Whether they do, or have the capability to do so and whether they
actually do it to every single traveller are different questions. I would
guess they are certainly capable of copying the data, but making a mirror
image of a hard drive is a lengthy process (due to slow platter to cache
transfer speeds, remember that the interface speeds that the
manufacturers state are only disc cache to bus transfer speeds).
Having said that, you possibly won't be able to prevent them from having
a good browse and make copies of whatever they feel is relevant,
especially if they have nothing better to do with their time.

> 2. If it is, what are the implications for any dealings in the USA, and how
> does one circumvent it?

Don't take your data with you, you can always pull whatever you need from
your corporate net when you're there (in the States) - treat the data on
the 'need to have now', instead of 'can have whenever', basis.

--
Igor

From ukcrypto at chiark.greenend.org.uk Tue Aug 5 00:56:43 2008
From: ukcrypto at chiark.greenend.org.uk (Ian Batten)
Date: Tue, 5 Aug 2008 00:56:43 +0100
Subject: An incomplete PQ answer
In-Reply-To:
References: <0ID+ELC0qulIFAkm@highwayman.com>
            <2DA38795-0604-466B-B47D-D5B7C47D0515@batten.eu.org>
Message-ID:

> we're now sending 1.5E9 text messages/week... if you need to record
> time, date,                                          [4]
> source number,                                      [10]
> destination number,                                 [10]
> geographic location of source and destination      [10?]
> and the byte-length                                  [1]
> (but not of course the content!)

Probably about 4TB per year for the CDRs, 16TB per year if you wanted to
store the messages as well (although they're not all 160 bytes and the
text will compress). For voice and mobile, were I in the office and it
not 0045 I could get the volumes from our regulatory wonks, but as a
rough guess let's size it for 100m subscribers each making 10 calls per
day, so 7E9 CDRs per week each of about the same size, so perhaps
20TB/year. Can we agree to a total of 40TB/year to store all CDRs for
voice plus the full text of every SMS plus 10% for luck?

The underlying cost of the storage is around $1000/TB (based on an EMC
AX4 SATA array).
None the less, if you gold plate, replicate, gold plate again, plus
government mark up, have twenty consultants dance around the rack, you're
not going to spend more than £5000/TB capital, and as you can put a
couple of hundred TB your operating costs will be trivial once you've
paid for the electricity (about 50W/TB, so say 1kWH/day/TB).

So you can buy 40TB usable (say 80TB raw if you're replicating) for, at
the absolute, ludicrously inflated, maximum of £200K (I bought 40TB a
couple of years ago, based around 500GB SATA spindles, plus some exotic
NAS heads and a load of replication software, and it cost less than half
that, so my contention that £5K/TB includes replication seems
reasonable), and it'll cost at the outside £4K/year to power --- that's
assuming no spin-down, which is obvious nonsense. It'll fit in half a
rack.

So why all the extra cash...?

ian

From ukcrypto at chiark.greenend.org.uk Mon Aug 4 22:19:44 2008
From: ukcrypto at chiark.greenend.org.uk (Jeremy Henty)
Date: Mon, 4 Aug 2008 22:19:44 +0100
Subject: U.S. Customs and Border Protection
In-Reply-To:
References:
Message-ID: <20080804211944.GA3035@omphalos.onepoint>

On Mon, Aug 04, 2008 at 09:12:12PM +0100, Igor Mozolevsky wrote:

> I would guess they are certainly capable of copying the data, but
> making a mirror image of a hard drive is a lengthy process [...]
> you possibly won't be able to prevent them from having a good browse
> and make copies of whatever they feel is relevant, especially if
> they have nothing better to do with their time.

AIUI they now reserve the right to take away your laptop *indefinitely*
and pass it onto *anyone*, so the fact that copying the data is
laborious is irrelevant. (Please correct me if I'm wrong about this.)
Regards,

Jeremy Henty

From ukcrypto at chiark.greenend.org.uk Tue Aug 5 02:28:10 2008
From: ukcrypto at chiark.greenend.org.uk (Ian Batten)
Date: Tue, 5 Aug 2008 02:28:10 +0100
Subject: U.S. Customs and Border Protection
In-Reply-To: <20080804211944.GA3035@omphalos.onepoint>
References: <20080804211944.GA3035@omphalos.onepoint>
Message-ID:

> AIUI they now reserve the right to take away your laptop
> *indefinitely* and pass it onto *anyone*

Travel with a freshly installed laptop. Upon arrival, plug into hotel DSL
and download the data you need over your VPN. Prior to departure, wipe
the data to your preferred standard (ranging from nothing, if you trust
your home customs people, through to physical destruction of the disk,
replacement of disk and re-installation from a DVD you downloaded and
burnt when you arrived) and return with a clear conscience.

Or just take a thin client and access your company network via Citrix /
X / VNC / etc.

ian

From ukcrypto at chiark.greenend.org.uk Tue Aug 5 01:43:45 2008
From: ukcrypto at chiark.greenend.org.uk (IPTV)
Date: Tue, 05 Aug 2008 01:43:45 +0100
Subject: An incomplete PQ answer
Message-ID: <6.2.3.4.2.20080805014340.02cc4bd0@pop.gn.apc.org>

>So why all the extra cash...?
>
>ian

The phone companies love to make profits. They charge the cops exorbitant
sums for wee bits of data like a day's cellsite tables. So I'd factor in
a very large greed multiplier, which may confound a simple data
assessment.

[This is based on experience, by the way. I've done many cellsite
analysis cases in the last five years, and a fair number of times the
amount of data acquired has been minimised not for human rights reasons
but because of the impact on the bottom line of police budgets.]

Duncan

From ukcrypto at chiark.greenend.org.uk Tue Aug 5 08:39:40 2008
From: ukcrypto at chiark.greenend.org.uk (James Firth)
Date: Tue, 5 Aug 2008 08:39:40 +0100
Subject: U.S. Customs and Border Protection
In-Reply-To:
References:
Message-ID: <005801c8f6ce$6ec550a0$e57ea8c0@Jinja>

Mary Hawking wrote:
> Http://www.cdt.org/security/20080716_CBP%20Search%20Policy.pdf
> This appears to allow US border controls to seize and/or copy any
> electronically held information with or without any grounds of
> suspicion.

AFAIK it's genuine, and quite ironically the US is rumoured to have told
US businessmen to be aware that foreign powers, especially China, may
copy their data at border posts, according to The Register:

http://www.theregister.co.uk/2008/07/21/cyberspy_olympics/

"Last month the department of Homeland Security privately warned
government and key private-sector contacts of the cyber-security perils
facing overseas travelers from foreign governments. Spying techniques
outlined in the advisory, which wasn't made public, included copying the
contents of laptop hard disks at border crossing or in hotel rooms"

James Firth

From ukcrypto at chiark.greenend.org.uk Tue Aug 5 08:44:23 2008
From: ukcrypto at chiark.greenend.org.uk (Brian Morrison)
Date: Tue, 5 Aug 2008 08:44:23 +0100
Subject: U.S. Customs and Border Protection
In-Reply-To:
References:
Message-ID: <20080805084423.66eb4a2f@peterson.fenrir.org.uk>

On Mon, 4 Aug 2008 20:46:16 +0100
Mary Hawking wrote:

> Http://www.cdt.org/security/20080716_CBP%20Search%20Policy.pdf
> This appears to allow US border controls to seize and/or copy any
> electronically held information with or without any grounds of
> suspicion.
> Questions
> 1. is this document genuine? The URL came from Computer Weekly, so I
> think it probably is.
> 2. If it is, what are the implications for any dealings in the USA, and
> how does one circumvent it?
Note that the use of these powers is less to do with actually storing
the data on all devices passing through and much more to do with being
able to annoy and harass people who are either viewed as suspicious or
who object to the whole security theatre business and hence need to be
made an example of.

--
Brian Morrison
bdm at fenrir dot org dot uk

"Arguing with an engineer is like wrestling with a pig in the mud; after
a while you realize you are muddy and the pig is enjoying it."

GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html

From ukcrypto at chiark.greenend.org.uk Tue Aug 5 08:44:04 2008
From: ukcrypto at chiark.greenend.org.uk (Ian Batten)
Date: Tue, 5 Aug 2008 08:44:04 +0100
Subject: An incomplete PQ answer
In-Reply-To: <6.2.3.4.2.20080805014340.02cc4bd0@pop.gn.apc.org>
References: <6.2.3.4.2.20080805014340.02cc4bd0@pop.gn.apc.org>
Message-ID: <2165496E-E47D-43F1-AF3C-C8D76826DC74@batten.eu.org>

On 5 Aug 2008, at 01:43, IPTV wrote:

>> So why all the extra cash...?
>>
>> ian
>
> The phone companies love to make profits. They charge the cops
> exorbitant sums for wee bits of data like a day's cellsite tables.
> So I'd factor in a very large greed multiplier, which may confound a
> simple data assessment.

That may set the price that a telco might demand for discharging its
legal and regulatory obligations. It doesn't, however, set the price
that the government has to pay (which could, in fact, be zero). It would
be interesting to know how the eventual payment --- which should just be
cost recovery --- is arbitrated.
ian

From ukcrypto at chiark.greenend.org.uk Tue Aug 5 09:02:59 2008
From: ukcrypto at chiark.greenend.org.uk (James Firth)
Date: Tue, 5 Aug 2008 09:02:59 +0100
Subject: An incomplete PQ answer
In-Reply-To: <2DA38795-0604-466B-B47D-D5B7C47D0515@batten.eu.org>
References: <0ID+ELC0qulIFAkm@highwayman.com>
            <2DA38795-0604-466B-B47D-D5B7C47D0515@batten.eu.org>
Message-ID: <006301c8f6d1$adc0ca70$e57ea8c0@Jinja>

Ian Batten wrote:
> So each grant is of the order of 700 grand. It depends on if the
> grants are capex one-off, capex on a depreciation basis or capex+opex,
> but for half a million quid a year over three years you could buy and
> operate a substantial fraction of a petabyte of disk in MAID arrays,
> and a few hundred terabytes of conventional RAID (the power would get
> you).

I think it's fairly safe to assume the grants are not just for storage.
This leaked BT network diagram on The Register (re: Phorm) shows Passive
Tap devices, which I assume would be used for legal wiretap of an IP
stream and I can't see the ISPs stumping up for the cost of this
architecture themselves.

http://regmedia.co.uk/2008/02/29/architecture.jpg

From ukcrypto at chiark.greenend.org.uk Tue Aug 5 09:20:37 2008
From: ukcrypto at chiark.greenend.org.uk (John Brazier)
Date: Tue, 5 Aug 2008 09:20:37 +0100
Subject: U.S. Customs and Border Protection
In-Reply-To: <20080805084423.66eb4a2f@peterson.fenrir.org.uk>
References: <20080805084423.66eb4a2f@peterson.fenrir.org.uk>
Message-ID: <044401c8f6d4$240cfdf0$6c26f9d0$@co.uk>

A confirmation:

http://www.washingtonpost.com/wp-dyn/content/article/2008/08/01/AR2008080103030.html

ATB

JB

-----Original Message-----
From: ukcrypto-admin@chiark.greenend.org.uk
[mailto:ukcrypto-admin@chiark.greenend.org.uk] On Behalf Of Brian Morrison
Sent: 05 August 2008 08:44
To: ukcrypto@chiark.greenend.org.uk
Subject: Re: U.S. Customs and Border Protection

On Mon, 4 Aug 2008 20:46:16 +0100
Mary Hawking wrote:

> Http://www.cdt.org/security/20080716_CBP%20Search%20Policy.pdf
> This appears to allow US border controls to seize and/or copy any
> electronically held information with or without any grounds of
> suspicion.
> Questions
> 1. is this document genuine? The URL came from Computer Weekly, so I
> think it probably is.
> 2. If it is, what are the implications for any dealings in the USA, and
> how does one circumvent it?

Note that the use of these powers is less to do with actually storing
the data on all devices passing through and much more to do with being
able to annoy and harass people who are either viewed as suspicious or
who object to the whole security theatre business and hence need to be
made an example of.

--
Brian Morrison
bdm at fenrir dot org dot uk

"Arguing with an engineer is like wrestling with a pig in the mud; after
a while you realize you are muddy and the pig is enjoying it."

GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html

From ukcrypto at chiark.greenend.org.uk Tue Aug 5 11:08:51 2008
From: ukcrypto at chiark.greenend.org.uk (Richard Clayton)
Date: Tue, 5 Aug 2008 11:08:51 +0100
Subject: An incomplete PQ answer
In-Reply-To: <006301c8f6d1$adc0ca70$e57ea8c0@Jinja>
References: <0ID+ELC0qulIFAkm@highwayman.com>
            <2DA38795-0604-466B-B47D-D5B7C47D0515@batten.eu.org>
            <006301c8f6d1$adc0ca70$e57ea8c0@Jinja>
Message-ID:

In article <006301c8f6d1$adc0ca70$e57ea8c0@Jinja>, James Firth writes

>Ian Batten wrote:
>> So each grant is of the order of 700 grand. It depends on if the
>> grants are capex one-off, capex on a depreciation basis or capex+opex,
>> but for half a million quid a year over three years you could buy and
>> operate a substantial fraction of a petabyte of disk in MAID arrays,
>> and a few hundred terabytes of conventional RAID (the power would get
>> you).
> >I think it's fairly safe to assume the grants are not just for storage. >This leaked BT network diagram on The Register (re: Phorm) shows Passive Tap >devices, which I assume would be used for legal wiretap of an IP steam and I >can't see the ISPs stumping up for the cost of this architecture themselves. interception capability is paid for under s14 of RIP 2000 -- and I am not aware of any published figures about that... or indeed whether the conventions would allow a PQ on the topic >http://regmedia.co.uk/2008/02/29/architecture.jpg the impression has been given that Phorm is paying for the installation of kit at the ISPs (if indeed it is still plural!) -- so these numbers will be private (except of course Phorm's published accounts may give an indication...) - -- richard Richard Clayton They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. Benjamin Franklin -----BEGIN PGP SIGNATURE----- Version: PGPsdk version 1.7.1 iQA/AwUBSJgms5oAxkTY1oPiEQL1uwCgulW4gf711RMc6C/YKVMTL1bF7C0AoIzj h0M7+4JxnrfPfVWyV6Zvf8nP =7mTB -----END PGP SIGNATURE----- From ukcrypto at chiark.greenend.org.uk Tue Aug 5 11:22:20 2008 From: ukcrypto at chiark.greenend.org.uk (James Firth) Date: Tue, 5 Aug 2008 11:22:20 +0100 Subject: An incomplete PQ answer In-Reply-To: References: <0ID+ELC0qulIFAkm@highwayman.com> <2DA38795-0604-466B-B47D-D5B7C47D0515@batten.eu.org> <006301c8f6d1$adc0ca70$e57ea8c0@Jinja> Message-ID: <000301c8f6e5$27b0c8e0$e57ea8c0@Jinja> Richard Clayton wrote: > the impression has been given that Phorm is paying for the installation > of kit at the ISPs (if indeed it is still plural!) -- so these numbers > will be private (except of course Phorm's published accounts may give an > indication...) I was only referring to the non-Phorm items on the diagram, but thanks for the clarification on funding. 
James Firth From ukcrypto at chiark.greenend.org.uk Tue Aug 5 11:33:59 2008 From: ukcrypto at chiark.greenend.org.uk (Ian Batten) Date: Tue, 5 Aug 2008 11:33:59 +0100 Subject: An incomplete PQ answer In-Reply-To: <000301c8f6e5$27b0c8e0$e57ea8c0@Jinja> References: <0ID+ELC0qulIFAkm@highwayman.com> <2DA38795-0604-466B-B47D-D5B7C47D0515@batten.eu.org> <006301c8f6d1$adc0ca70$e57ea8c0@Jinja> <000301c8f6e5$27b0c8e0$e57ea8c0@Jinja> Message-ID: On 05 Aug 08, at 1122, James Firth wrote: > Richard Clayton wrote: >> the impression has been given that Phorm is paying for the >> installation >> of kit at the ISPs (if indeed it is still plural!) -- so these >> numbers >> will be private (except of course Phorm's published accounts may >> give an >> indication...) > > I was only referring to the non-Phorm items on the diagram, but > thanks for > the clarification on funding. By ``passive tap'' all it probably means is a mirror port on a switch. Hardly high-cost. ian From ukcrypto at chiark.greenend.org.uk Tue Aug 5 12:18:36 2008 From: ukcrypto at chiark.greenend.org.uk (James Firth) Date: Tue, 5 Aug 2008 12:18:36 +0100 Subject: An incomplete PQ answer In-Reply-To: References: <0ID+ELC0qulIFAkm@highwayman.com> <2DA38795-0604-466B-B47D-D5B7C47D0515@batten.eu.org> <006301c8f6d1$adc0ca70$e57ea8c0@Jinja> <000301c8f6e5$27b0c8e0$e57ea8c0@Jinja> Message-ID: <000a01c8f6ed$0117fb10$e57ea8c0@Jinja> Ian Batten wrote: > By ``passive tap'' all it probably means is a mirror port on a > switch. Hardly high-cost. But scaled up to handle 10m connections, with configuration, audit etc. The mirror will only be for single authorised connections, which need to be cross-referenced against the account holder to find the current dynamic IP (if done at IP level). The cost will come in the size, scalability and configuration of the solution, not the cost of the raw equipment. 
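An added illustration of the cross-referencing step James Firth describes (an editor's example, not code from this list, from BT, or from any interception product): before a per-connection mirror can be pointed at one subscriber, somebody has to answer "which address does this account hold right now?", and afterwards the reverse question, "who held this address at 09:00?", is what an abuse desk or a court asks. The only authoritative record for either is the NAS's RADIUS accounting stream. The script below pairs constructed Start/Stop accounting records by Acct-Session-Id and answers both directions of the lookup. The attribute names are the standard RADIUS accounting ones; the one-record-per-line key=value layout, the hostnames and the addresses are assumptions made for the illustration.

```python
# Editor's added example: RADIUS accounting cross-reference for dynamic IPs.
# Not code from the mailing list or from any ISP; log lines are constructed
# and the key=value one-line layout is an assumption (the attribute names
# are the usual RADIUS accounting attributes).
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class Session:
    user: str
    ip: str
    start: datetime
    stop: Optional[datetime]  # None while the session is still up


def at(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2008-08-05T09:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed accounting log. Note that 10.1.2.3 is released by alice at
# 09:15:41 and handed to carol at 09:16:05, and that dave's Stop has no Start.
SAMPLE_LOG = """\
ts=2008-08-05T07:58:12Z Acct-Status-Type=Start User-Name=alice@isp.example Framed-IP-Address=10.1.2.3 Acct-Session-Id=A1
ts=2008-08-05T08:30:00Z Acct-Status-Type=Start User-Name=bob@isp.example Framed-IP-Address=10.1.2.4 Acct-Session-Id=B1
ts=2008-08-05T09:15:41Z Acct-Status-Type=Stop User-Name=alice@isp.example Framed-IP-Address=10.1.2.3 Acct-Session-Id=A1
ts=2008-08-05T09:16:05Z Acct-Status-Type=Start User-Name=carol@isp.example Framed-IP-Address=10.1.2.3 Acct-Session-Id=C1
ts=2008-08-05T11:00:00Z Acct-Status-Type=Stop User-Name=bob@isp.example Framed-IP-Address=10.1.2.4 Acct-Session-Id=B1
ts=2008-08-05T11:05:00Z Acct-Status-Type=Stop User-Name=dave@isp.example Framed-IP-Address=10.1.2.9 Acct-Session-Id=D1
"""


def parse_log(text: str):
    """Pair Start/Stop records by Acct-Session-Id.

    Returns (sessions, orphans). sessions holds closed sessions plus any
    still open (stop=None). orphans holds Stop lines whose Start was never
    seen, i.e. lost or out-of-order accounting; an evidential answer must
    flag those rather than silently drop them.
    """
    open_by_id = {}
    sessions, orphans = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = dict(tok.split("=", 1) for tok in line.split())
        ts, sid = at(f["ts"]), f["Acct-Session-Id"]
        if f["Acct-Status-Type"] == "Start":
            open_by_id[sid] = Session(f["User-Name"], f["Framed-IP-Address"], ts, None)
        elif f["Acct-Status-Type"] == "Stop":
            s = open_by_id.pop(sid, None)
            if s is None:
                orphans.append(line)
            else:
                sessions.append(Session(s.user, s.ip, s.start, ts))
    sessions.extend(open_by_id.values())  # subscribers still connected
    return sessions, orphans


def _active(s: Session, t: datetime) -> bool:
    # Half-open interval: a session that stopped at t no longer holds the IP at t.
    return s.start <= t and (s.stop is None or t < s.stop)


def ip_for_account(sessions, user: str, t: datetime) -> Optional[str]:
    """The address `user` held at instant t, or None if not online then."""
    return next((s.ip for s in sessions if s.user == user and _active(s, t)), None)


def account_for_ip(sessions, ip: str, t: datetime) -> Optional[str]:
    """The account that held `ip` at instant t. With a dynamic pool the same
    address belongs to different subscribers at different times."""
    return next((s.user for s in sessions if s.ip == ip and _active(s, t)), None)


SESSIONS, ORPHANS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    for q in ("2008-08-05T09:00:00Z", "2008-08-05T09:15:50Z", "2008-08-05T10:00:00Z"):
        print(q, "10.1.2.3 ->", account_for_ip(SESSIONS, "10.1.2.3", at(q)))
    print("bob now ->", ip_for_account(SESSIONS, "bob@isp.example", at("2008-08-05T10:00:00Z")))
    print("unmatched Stop records:", len(ORPHANS))
```

Two details carry the weight of the "configuration, audit etc." cost James refers to, and of the distinction Roland Perry draws later in the thread between scraping numbers for intelligence and producing something a court will accept. The interval is half-open, so an address released at 09:15:41 belongs to nobody at that instant and the lookup returns None rather than the previous holder; that matters when the NAS clock and the tap's clock disagree by seconds. And a Stop with no matching Start is kept as an orphan rather than dropped, because a gap in the accounting is exactly what a defence lawyer will ask about.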
From ukcrypto at chiark.greenend.org.uk Tue Aug 5 08:52:55 2008 From: ukcrypto at chiark.greenend.org.uk (Andrew Cormack) Date: Tue, 5 Aug 2008 08:52:55 +0100 Subject: U.S. Customs and Border Protection In-Reply-To: <20080804211944.GA3035@omphalos.onepoint> References: <20080804211944.GA3035@omphalos.onepoint> Message-ID: <6ED388AA006C454BA35B0098396B9BFB03EE3A88@uxsrvr20.atlas.ukerna.ac.uk> As one data point, I recently entered the US to go to a conference and no one even asked whether I had a laptop (unlike arriving in Canada, when they did). Mind you I may have confused the Americans by immigrating by train! There were quite a few delegates around the conference who had brought 'vanilla' laptops and were using one of the methods suggested by others on this list. On the other hand I think those people/organisations were always quite cautious about travelling with company data. And presumably if a customs person at the border insists on having my laptop as a condition of entry, I could always change my mind about wanting to enter? Andrew -- Andrew Cormack, Chief Regulatory Adviser JANET(UK), Lumen House, Library Avenue, Harwell Science and Innovation Campus, Didcot, OX11 0SG, UK Phone: +44 (0) 1235 822302 Fax: +44 (0) 1235 822399 > -----Original Message----- > From: ukcrypto-admin@chiark.greenend.org.uk > [mailto:ukcrypto-admin@chiark.greenend.org.uk] On Behalf Of > Jeremy Henty > Sent: 04 August 2008 22:20 > To: ukcrypto@chiark.greenend.org.uk > Subject: Re: U.S. Customs and Border Protection > > On Mon, Aug 04, 2008 at 09:12:12PM +0100, Igor Mozolevsky wrote: > > > I would guess they are certainly capable of copying the data, but > > making a mirror image of a hard drive is a lengthy process [...] > > you possibly won't be able to prevent them from having a good browse > > and make copies of whatever they feel is relevant, especially if > > they have nothing better to do with their time.
> > AIUI they now reserve the right to take away your laptop > *indefinitely* and pass it onto *anyone*, so the fact that copying the > data is laborious is irrelevant. (Please correct me if I'm wrong > about this.) > > Regards, > > Jeremy Henty > > JANET(UK) is a trading name of The JNT Association, a company limited by guarantee which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG From ukcrypto at chiark.greenend.org.uk Tue Aug 5 15:08:42 2008 From: ukcrypto at chiark.greenend.org.uk (Roland Perry) Date: Tue, 5 Aug 2008 15:08:42 +0100 Subject: U.S. Customs and Border Protection In-Reply-To: <6ED388AA006C454BA35B0098396B9BFB03EE3A88@uxsrvr20.atlas.ukerna.ac.uk> References: <20080804211944.GA3035@omphalos.onepoint> <6ED388AA006C454BA35B0098396B9BFB03EE3A88@uxsrvr20.atlas.ukerna.ac.uk> Message-ID: In article <6ED388AA006C454BA35B0098396B9BFB03EE3A88@uxsrvr20.atlas.ukerna.ac.uk>, Andrew Cormack writes >And presumably if a customs person at the border insists on having my >laptop as a condition of entry, I could always change my mind about >wanting to enter? By air, I would have thought that such a decision wasn't desirable/possible on the grounds that you can't catch a flight back on your own without first going landside, and if they are going to have to escort you staying airside (and getting a ticket/boarding pass etc) that's sufficiently inconvenient for them that they could easily decide they were going to search you anyway. I doubt it would have a happier outcome by train or car. This is unlikely to be a particularly USA thing. -- Roland Perry From ukcrypto at chiark.greenend.org.uk Tue Aug 5 15:19:57 2008 From: ukcrypto at chiark.greenend.org.uk (Wendy M. Grossman) Date: Tue, 05 Aug 2008 15:19:57 +0100 Subject: U.S.
Customs and Border Protection In-Reply-To: References: <20080804211944.GA3035@omphalos.onepoint> <6ED388AA006C454BA35B0098396B9BFB03EE3A88@uxsrvr20.atlas.ukerna.ac.uk> Message-ID: <4898618D.1090206@pelicancrossing.net> It's all very well discussing the theoretical rights and wrongs of this policy, but the fact is that AFAICS it's always been the case that if you are crossing a border you and everything you are carrying are subject to inspection by both customs and immigration. Arguing about whether they have the right to examine your laptop seems to me about as sensible as arguing about whether they have the right to grill you about where you've been and where you're going. It may be unpleasant; it may even be unconstitutional. But the reality is that the average tired, stressed-out traveler faced with people with the authority to put him in jail is going to feel threatened enough to comply whether or not the policy is legal. As a *practical* matter I think one must assume that *all* national customs officials have this power. And although I agree that a laptop feels like an extension of your brain, it would be illogical and unlikely for a customs officer to do a strip search and then wait for a court order to check the contents of your laptop. If they suspect you and want to examine you, ISTM that rightly or wrongly you are at their mercy. See also people whose cars have been taken apart at the Canadian border by inspectors looking for drugs. They don't have to put it back together... I'm not saying it isn't scary; obviously it is. (As is the US's statement that it can impound your written notes, etc. - as someone who makes a living from the contents of my brain as scrawled all around me on pieces of paper, both physical and electronic, I find the prospect of having it all removed extremely alarming.) 
wg Roland Perry wrote: > In article > <6ED388AA006C454BA35B0098396B9BFB03EE3A88@uxsrvr20.atlas.ukerna.ac.uk>, > Andrew Cormack writes >> And presumably if a customs person at the border insists on having my >> laptop as a condition of entry, I could always change my mind about >> wanting to enter? > > By air, I would have thought that such a decision wasn't > desirable/possible on the grounds that you can't catch a flight back on > your own without first going landside, and if they are going to have to > escort you staying airside (and getting a ticket/boarding pass etc) > that's sufficiently inconvenient for them that they could easily decide > they were going to search you anyway. > > I doubt it would have a happier outcome by train or car. > > This is unlikely to be a particularly USA thing. From ukcrypto at chiark.greenend.org.uk Wed Aug 6 11:04:16 2008 From: ukcrypto at chiark.greenend.org.uk (Roland Perry) Date: Wed, 6 Aug 2008 11:04:16 +0100 Subject: CC shared secret Message-ID: I just got an email (which seems to be genuine) from one of my credit card companies saying they have enrolled me (unsolicited) in "Verified by Visa", and my password will be the answer to one of the "shared secrets" used during login to my online account with them. I wonder if that means they have a copy of that "shared secret answer" in the clear, in order to pass it to Visa - or are both organisations using the same one-way hash? Or is it something different, like the V-b-V dialogue when I make a purchase actually being "franchised" by my bank, with Visa not having the data at all? -- Roland Perry From ukcrypto at chiark.greenend.org.uk Wed Aug 6 11:11:56 2008 From: ukcrypto at chiark.greenend.org.uk (Peter Tomlinson) Date: Wed, 06 Aug 2008 11:11:56 +0100 Subject: CC shared secret In-Reply-To: References: Message-ID: <489978EC.1090302@iosis.co.uk> Did they offer you the chance to log in somewhere and change the pwd?
Peter Roland Perry wrote: > I just got an email (which seems to be genuine) from one of my credit > card companies saying they have enrolled me (unsolicited) in "Verified > by Visa", and my password will be the answer to one of the "shared > secrets" used during login to my online account with them. > > I wonder if that means they have a copy of that "shared secret answer" > in the clear, in order to pass it to Visa - or are both organisations > using the same one-way hash? Or is it something different, like the > V-b-V dialogue when I make a purchase actually being "franchised" by > my bank, with Visa not having the data at all? From ukcrypto at chiark.greenend.org.uk Wed Aug 6 11:18:22 2008 From: ukcrypto at chiark.greenend.org.uk (James Firth) Date: Wed, 6 Aug 2008 11:18:22 +0100 Subject: CC shared secret In-Reply-To: References: Message-ID: <006601c8f7ad$c3681400$e57ea8c0@Jinja> Roland Perry wrote: > I just got an email (which seems to be genuine) from one of my credit > card companies saying they have enrolled me (unsolicited) in "Verified by > Visa", and my password will be the answer to one of the "shared secrets" > used during login to my online account with them. > > I wonder if that means they have a copy of that "shared secret answer" > in the clear, in order to pass it to Visa - or are both organisations > using the same one-way hash? Or is it something different, like the > V-b-V dialogue when I make a purchase actually being "franchised" by my > bank, with Visa not having the data at all? As far as I am aware, the authentication is actually done by your bank, the transaction being proxied by the Verified by Visa architecture. The architecture and mechanism is called 3D, and the issuing bank must support a 3D Secure interface. Google of 3D and Verified by Visa may yield more details.
James Firth From ukcrypto at chiark.greenend.org.uk Wed Aug 6 11:29:26 2008 From: ukcrypto at chiark.greenend.org.uk (Nicholas Bohm) Date: Wed, 06 Aug 2008 11:29:26 +0100 Subject: CC shared secret In-Reply-To: <006601c8f7ad$c3681400$e57ea8c0@Jinja> References: <006601c8f7ad$c3681400$e57ea8c0@Jinja> Message-ID: <48997D06.9010409@ernest.net> James Firth wrote: > Roland Perry wrote: >> I just got an email (which seems to be genuine) from one of my credit >> card companies saying they have enrolled me (unsolicited) in "Verified by >> Visa", and my password will be the answer to one of the "shared secrets" >> used during login to my online account with them. >> >> I wonder if that means they have a copy of that "shared secret answer" >> in the clear, in order to pass it to Visa - or are both organisations >> using the same one-way hash? Or is it something different, like the >> V-b-V dialogue when I make a purchase actually being "franchised" by my >> bank, with Visa not having the data at all? > > As far as I am aware, the authentication is actually done by your bank, the > transaction being proxied by the Verified by Visa architecture. That reflects my experience; but if the authentication fails to recognise my password (or the required characters from it), it merely requires me to reset it, and then accepts the use of the reset password. So not very stringent. (In fact I think this may reflect the corresponding Mastercard process, rather than Visa; but same difference probably.) Nicholas -- Salkyns, Great Canfield, Takeley, Bishop's Stortford CM22 6SX, UK Phone 01279 870285 (+44 1279 870285) Mobile 07715 419728 (+44 7715 419728) PGP public key ID: 0x899DD7FF.
Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF From ukcrypto at chiark.greenend.org.uk Wed Aug 6 11:47:03 2008 From: ukcrypto at chiark.greenend.org.uk (Michael Simpson) Date: Wed, 6 Aug 2008 11:47:03 +0100 Subject: CC shared secret In-Reply-To: References: Message-ID: <82abd3a70808060347l5368b064s1f9ee323451bf350@mail.gmail.com> On 8/6/08, Roland Perry wrote: > I just got an email (which seems to be genuine) from one of my credit card > companies saying they have enrolled me (unsolicited) in "Verified by Visa", > and my password will be the answer to one of the "shared secrets" used > during login to my online account with them. > > I wonder if that means they have a copy of that "shared secret answer" in > the clear, in order to pass it to Visa - or are both organisations using the > same one-way hash? Or is it something different, like the V-b-V dialogue > when I make a purchase actually being "franchised" by my bank, with Visa not > having the data at all? > -- > Roland Perry Davey Winder did a piece on this in PCPro this month mike From ukcrypto at chiark.greenend.org.uk Wed Aug 6 11:51:01 2008 From: ukcrypto at chiark.greenend.org.uk (Roland Perry) Date: Wed, 6 Aug 2008 11:51:01 +0100 Subject: CC shared secret In-Reply-To: <489978EC.1090302@iosis.co.uk> References: <489978EC.1090302@iosis.co.uk> Message-ID: In article <489978EC.1090302@iosis.co.uk>, Peter Tomlinson writes >Did they offer you the chance to log in somewhere and change the pwd? They point to a webpage that describes the scheme, which does give "account management" options to change the VbV password (aka shared secret), but it seems likely from their description that the two are inextricably linked and changing one changes both. That's one reason that perhaps the VbV system is "franchised" with the query being done in realtime back to the bank every time I make a purchase.
Or is the *whole* Visa scheme just a franchise, with merchants having to have a credit-authorising dialogue with the relevant bank rather than a central Visa-branded clearing house? With CC data theft headline news again today, I just feel I'd like to know *where* my data is being held. If the mechanism's suitably secure, then having the same password might even be an advantage, as it's one fewer thing to have to remember. -- Roland Perry From ukcrypto at chiark.greenend.org.uk Wed Aug 6 11:59:24 2008 From: ukcrypto at chiark.greenend.org.uk (Wendy M. Grossman) Date: Wed, 06 Aug 2008 11:59:24 +0100 Subject: CC shared secret In-Reply-To: References: <489978EC.1090302@iosis.co.uk> Message-ID: <4899840C.3040608@pelicancrossing.net> Roland Perry wrote: > In article <489978EC.1090302@iosis.co.uk>, Peter Tomlinson > writes >> Did they offer you the chance to log in somewhere and change the pwd? > > They point to a webage that describes the scheme, which does give > "account management" options to change the VbV password (aka shared > secret), but it seems likely from their description that the two are > inextricably linked and changing one changes both. That's one reason > that perhaps the VbV system is "franchised" with the query being done in > realtime back to the bank every time I make a purchase. Hmm. It's so long since I was directed to sign up for VfV that I can no longer remember how it was done, but I *know* I chose my own password for it. > > Or is the *whole* Visa scheme just a franchise, with merchants having to > have a credit-authorising dialogue with the relevant bank rather than a > central Visa-branded clearing house? Which would imply yes, that banks do it differently from each other. Mine is on a Barclaycard, if that helps. > > With CC data theft headline news again today, I just feel I'd like to > know *where* my data is being held. 
> > If the mechanism's suitably secure, then having the same password might > even be an advantage, as it's one fewer thing to have to remember. What frosts me is that adding VfV to the list of hoops you have to jump through to put through a purchase doesn't make the bank any less likely to decide the transaction is dubious and stop your card. wg From ukcrypto at chiark.greenend.org.uk Wed Aug 6 13:46:34 2008 From: ukcrypto at chiark.greenend.org.uk (Roland Perry) Date: Wed, 6 Aug 2008 13:46:34 +0100 Subject: CC shared secret In-Reply-To: <82abd3a70808060347l5368b064s1f9ee323451bf350@mail.gmail.com> References: <82abd3a70808060347l5368b064s1f9ee323451bf350@mail.gmail.com> Message-ID: <86ee7ELq0ZmIFAOM@perry.co.uk> In article <82abd3a70808060347l5368b064s1f9ee323451bf350@mail.gmail.com>, Michael Simpson writes >Davey Winder did a piece on this in PCPro this month > > Oddly, I can only see the text of that (and then only the first page) from the Google cache. PCPro's own page seems to be blank... But the nail has been hit on the head! Luckily, my "memorable name" is nothing to do with anything else in my life, but I'm glad others think the scheme of sharing this password between different functions is a bit odd. -- Roland Perry From ukcrypto at chiark.greenend.org.uk Wed Aug 6 13:50:24 2008 From: ukcrypto at chiark.greenend.org.uk (Roland Perry) Date: Wed, 6 Aug 2008 13:50:24 +0100 Subject: U.S. Customs and Border Protection In-Reply-To: <4898618D.1090206@pelicancrossing.net> References: <20080804211944.GA3035@omphalos.onepoint> <6ED388AA006C454BA35B0098396B9BFB03EE3A88@uxsrvr20.atlas.ukerna.ac.uk> <4898618D.1090206@pelicancrossing.net> Message-ID: <6awfTvLQ4ZmIFANM@perry.co.uk> In article <4898618D.1090206@pelicancrossing.net>, Wendy M. Grossman writes >Arguing about whether they have the right to examine your laptop seems >to me about as sensible as arguing about whether they have the right to >grill you about where you've been and where you're going. 
There's also the advice to "never volunteer information" as it might get you into an unintended scrape. Hence, apparently, the answer to a question "do you have the right time" should be either "yes" or "no" and not "ten minutes to two" because the latter might not be correct. -- Roland Perry From ukcrypto at chiark.greenend.org.uk Wed Aug 6 13:54:40 2008 From: ukcrypto at chiark.greenend.org.uk (Roland Perry) Date: Wed, 6 Aug 2008 13:54:40 +0100 Subject: CC shared secret In-Reply-To: <4899840C.3040608@pelicancrossing.net> References: <489978EC.1090302@iosis.co.uk> <4899840C.3040608@pelicancrossing.net> Message-ID: In article <4899840C.3040608@pelicancrossing.net>, Wendy M. Grossman writes >What frosts me is that adding VfV to the list of hoops you have to jump >through to put through a purchase doesn't make the bank any less likely >to decide the transaction is dubious There's the other aspect which is that if the transaction is rejected as "suspicious" (not because any of the passwords were wrong, just a purchase outside what they say is your normal pattern) then they don't tell the cardholder that their card *may* have been compromised. Which is odd because surely the only plausible scenario that it's "not you" making the purchase in such circumstances is that the card *has* been compromised, and shouldn't you be warned? > and stop your card. IME they just refuse the charge, but don't do anything else, and especially don't stop the card, or issue a new card proactively. -- Roland Perry From ukcrypto at chiark.greenend.org.uk Wed Aug 6 13:56:06 2008 From: ukcrypto at chiark.greenend.org.uk (Wendy M. Grossman) Date: Wed, 06 Aug 2008 13:56:06 +0100 Subject: CC shared secret In-Reply-To: <86ee7ELq0ZmIFAOM@perry.co.uk> References: <82abd3a70808060347l5368b064s1f9ee323451bf350@mail.gmail.com> <86ee7ELq0ZmIFAOM@perry.co.uk> Message-ID: <48999F66.7030508@pelicancrossing.net> I'm getting the same problem - blank page except for the menus, etc. 
Is this PC Pro's hint that we need to register to read anything? wg Roland Perry wrote: > In article > <82abd3a70808060347l5368b064s1f9ee323451bf350@mail.gmail.com>, Michael > Simpson writes >> Davey Winder did a piece on this in PCPro this month >> >> > > Oddly, I can only see the text of that (and then only the first page) > from the Google cache. PCPro's own page seems to be blank... > > But the nail has been hit on the head! Luckily, my "memorable name" is > nothing to do with anything else in my life, but I'm glad others think > the scheme of sharing this password between different functions is a bit > odd. From ukcrypto at chiark.greenend.org.uk Wed Aug 6 13:59:47 2008 From: ukcrypto at chiark.greenend.org.uk (Roland Perry) Date: Wed, 6 Aug 2008 13:59:47 +0100 Subject: An incomplete PQ answer In-Reply-To: <6.2.3.4.2.20080805014340.02cc4bd0@pop.gn.apc.org> References: <6.2.3.4.2.20080805014340.02cc4bd0@pop.gn.apc.org> Message-ID: In article <6.2.3.4.2.20080805014340.02cc4bd0@pop.gn.apc.org>, IPTV writes >The phone companies love to make profits. They charge the cops >exorbitant sums for wee bits of data like a day's cellsite tables. So >I'd factor in very large greed multiplier, which may confound a simple >data assessment. Whereas if you speak to the departments inside telcos doing the daily work, they make a loss in terms of the profit-centre calculations that are done. Scraping some numbers from a database "for intelligence purposes" is one thing, but putting it all into a form that's acceptable to a court as evidence may be another. 
-- Roland Perry From ukcrypto at chiark.greenend.org.uk Wed Aug 6 15:04:23 2008 From: ukcrypto at chiark.greenend.org.uk (Peter Tomlinson) Date: Wed, 06 Aug 2008 15:04:23 +0100 Subject: CC shared secret In-Reply-To: <48999F66.7030508@pelicancrossing.net> References: <82abd3a70808060347l5368b064s1f9ee323451bf350@mail.gmail.com> <86ee7ELq0ZmIFAOM@perry.co.uk> <48999F66.7030508@pelicancrossing.net> Message-ID: <4899AF67.4080908@iosis.co.uk> I also get the blank page - and I don't accept cookies unless I have to, so could be that they will not open the box unless you take their cookies. Peter Wendy M. Grossman wrote: > I'm getting the same problem - blank page except for the menus, etc. > Is this PC Pro's hint that we need to register to read anything? > > wg > > Roland Perry wrote: >> In article >> <82abd3a70808060347l5368b064s1f9ee323451bf350@mail.gmail.com>, >> Michael Simpson writes >>> Davey Winder did a piece on this in PCPro this month >>> >>> >> >> Oddly, I can only see the text of that (and then only the first page) >> from the Google cache. PCPro's own page seems to be blank... >> >> But the nail has been hit on the head! Luckily, my "memorable name" >> is nothing to do with anything else in my life, but I'm glad others >> think the scheme of sharing this password between different functions >> is a bit odd. > > > From ukcrypto at chiark.greenend.org.uk Wed Aug 6 15:17:50 2008 From: ukcrypto at chiark.greenend.org.uk (Igor Mozolevsky) Date: Wed, 6 Aug 2008 15:17:50 +0100 Subject: CC shared secret In-Reply-To: <4899AF67.4080908@iosis.co.uk> References: <82abd3a70808060347l5368b064s1f9ee323451bf350@mail.gmail.com> <86ee7ELq0ZmIFAOM@perry.co.uk> <48999F66.7030508@pelicancrossing.net> <4899AF67.4080908@iosis.co.uk> Message-ID: 2008/8/6 Peter Tomlinson : > I also get the blank page - and I don't accept cookies unless I have to, so > could be that they will not open the box unless you take their cookies. Just read it through google cache. 
-- Igor From ukcrypto at chiark.greenend.org.uk Wed Aug 6 15:20:12 2008 From: ukcrypto at chiark.greenend.org.uk (Igor Mozolevsky) Date: Wed, 6 Aug 2008 15:20:12 +0100 Subject: CC shared secret In-Reply-To: <006601c8f7ad$c3681400$e57ea8c0@Jinja> References: <006601c8f7ad$c3681400$e57ea8c0@Jinja> Message-ID: 2008/8/6 James Firth : > > The architecture and mechanism is called 3D, and the issuing bank must > support a 3D Secure interface. > I've recently been wondering how easy it would be for a malicious site to overlay their own controls over the 3D secure frame and store the password... -- Igor From ukcrypto at chiark.greenend.org.uk Wed Aug 6 15:37:35 2008 From: ukcrypto at chiark.greenend.org.uk (Roland Perry) Date: Wed, 6 Aug 2008 15:37:35 +0100 Subject: CC shared secret In-Reply-To: <4899AF67.4080908@iosis.co.uk> References: <82abd3a70808060347l5368b064s1f9ee323451bf350@mail.gmail.com> <86ee7ELq0ZmIFAOM@perry.co.uk> <48999F66.7030508@pelicancrossing.net> <4899AF67.4080908@iosis.co.uk> Message-ID: In article <4899AF67.4080908@iosis.co.uk>, Peter Tomlinson writes >>>> >>> >>> Oddly, I can only see the text of that (and then only the first >>>page) from the Google cache. PCPro's own page seems to be blank.. >I also get the blank page - and I don't accept cookies unless I have >to, so could be that they will not open the box unless you take their >cookies. It's not a cookie issue - I've also tried it with a browser that accepts cookies. Nor is it a log-in issue. 
I suspect their website's broken :( -- Roland Perry From ukcrypto at chiark.greenend.org.uk Wed Aug 6 16:26:14 2008 From: ukcrypto at chiark.greenend.org.uk (Peter Tomlinson) Date: Wed, 06 Aug 2008 16:26:14 +0100 Subject: CC shared secret In-Reply-To: References: <82abd3a70808060347l5368b064s1f9ee323451bf350@mail.gmail.com> <86ee7ELq0ZmIFAOM@perry.co.uk> <48999F66.7030508@pelicancrossing.net> <4899AF67.4080908@iosis.co.uk> Message-ID: <4899C296.5030402@iosis.co.uk> Have now got 3 pages from Google's cache with a directed search of site pcpro.co.uk - but pages 2 and 3 came from hits on macuser.pcpro. Page 3 is on another topic. There are also pages 4 and 5, but they didn't come up. Peter Igor Mozolevsky wrote: > 2008/8/6 Peter Tomlinson : > >> I also get the blank page - and I don't accept cookies unless I have to, so >> could be that they will not open the box unless you take their cookies. >> > > Just read it through google cache. > > > -- > Igor > > > > From ukcrypto at chiark.greenend.org.uk Wed Aug 6 17:14:39 2008 From: ukcrypto at chiark.greenend.org.uk (Igor Mozolevsky) Date: Wed, 6 Aug 2008 17:14:39 +0100 Subject: CC shared secret In-Reply-To: <4899C296.5030402@iosis.co.uk> References: <82abd3a70808060347l5368b064s1f9ee323451bf350@mail.gmail.com> <86ee7ELq0ZmIFAOM@perry.co.uk> <48999F66.7030508@pelicancrossing.net> <4899AF67.4080908@iosis.co.uk> <4899C296.5030402@iosis.co.uk> Message-ID: 2008/8/6 Peter Tomlinson : > Have now got 3 pages from Google's cache with a directed search of site > pcpro.co.uk - but pages 2 and 3 came from hits on macuser.pcpro. Page 3 is > on another topic. There are also pages 4 and 5, but they didn't come up. 
inurl:security-without-a-smile page 5 looks like it's a dud Cheers, -- Igor From ukcrypto at chiark.greenend.org.uk Wed Aug 6 18:16:35 2008 From: ukcrypto at chiark.greenend.org.uk (Charles Lindsey) Date: Wed, 06 Aug 2008 18:16:35 +0100 Subject: CC shared secret In-Reply-To: References: Message-ID: On Wed, 06 Aug 2008 11:04:16 +0100, Roland Perry wrote: > I just got an email (which seems to be genuine) from one of my credit > card companies saying they have enrolled me (unsolicited) in "Verified by > Visa", and my password will be the answer to one of the "shared secrets" > used during login to my online account with them. > > I wonder if that means they have a copy of that "shared secret answer" > in the clear, in order to pass it to Visa - or are both organisations > using the same one-way hash? Or is it something different, like the > V-b-V dialogue when I make a purchase actually being "franchised" by my > bank, with Visa not having the data at all? I subscribed long ago to the corresponding MasterCard scheme. It all seems to me to be pretty secure - the only problem being that very few merchants have yet agreed to implement it, so you still run the usual risks when using such merchants. The other oddity is that they (Natwest/RBS in my case) have outsourced the operation to a gang called CYCOTA somewhere in San Francisco, and it is the CYCOTA certificate that you see when you make the secure website connection. So I have to assume (and IMO it is a reasonable assumption) that CYCOTA are running a properly secured outfit (i.e. at least as secure as Natwest/RBS, and surely more secure than Amazon and the like). The way it works is this. When you give your Card Number to the Merchant, and they attempt to verify it through the usual channels, they get told that the card is signed up to VbV (or rather the corresponding Mastercard thing).
They then transfer you to the CYCOTA site (whose certificate you then see) and you negotiate with CYCOTA using your password/secrets/whatever (quite convenient actually, because they exhibit your secret to you, to prove that they know something that the merchant does not know, but you know that they know; so you can choose the secret in a way that reminds you which of your various passwords you need to give them). When they are convinced you are who you say you are, then they inform the merchant accordingly. Your password, secret, etc never go through the merchant's site, and you do not have to disclose the magic number on the back of the card. -- Charles H. Lindsey ---------At Home, doing my own thing------------------------ Tel: +44 161 436 6131 Web: http://www.cs.man.ac.uk/~chl Email: chl@clerew.man.ac.uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K. PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5 From ukcrypto at chiark.greenend.org.uk Wed Aug 6 19:55:48 2008 From: ukcrypto at chiark.greenend.org.uk (Roland Perry) Date: Wed, 6 Aug 2008 19:55:48 +0100 Subject: CC shared secret In-Reply-To: References: Message-ID: In article , Charles Lindsey writes >Your password, secret, etc never go through the merchant's site, and >you do not have to disclose the magic number on the back of the card. But to go back to my original question, presumably you *are* disclosing it to CYOCOTA, and maybe they have a copy of everyone's secret so they can check they match. Or does CYOCTA contact each cardholder's bank in real time with a copy of the secret asking "does this match"? And hopefully throwing away its copy of the shared secret afterwards.
--
Roland Perry

From ukcrypto at chiark.greenend.org.uk Wed Aug 6 20:05:51 2008
From: ukcrypto at chiark.greenend.org.uk (James Firth)
Date: Wed, 6 Aug 2008 20:05:51 +0100
Subject: CC shared secret
In-Reply-To:
References:
Message-ID: <000001c8f7f7$736b6520$e57ea8c0@Jinja>

Roland Perry wrote:
> Or does CYOCTA contact each cardholder's bank in
> real time with a copy of the secret asking "does this match"?

Yes. CYOCTA and Verified by Visa are only the conduits for merchants. They work out the issuer using the first 4 digits from the card and proxy the authentication.

https://partnernetwork.visa.com/vpn/global/category.do?userRegion=1&categoryId=85&documentId=117

James Firth

From ukcrypto at chiark.greenend.org.uk Wed Aug 6 22:46:17 2008
From: ukcrypto at chiark.greenend.org.uk (Brian Morrison)
Date: Wed, 6 Aug 2008 22:46:17 +0100
Subject: CC shared secret
In-Reply-To:
References: <82abd3a70808060347l5368b064s1f9ee323451bf350@mail.gmail.com> <86ee7ELq0ZmIFAOM@perry.co.uk> <48999F66.7030508@pelicancrossing.net> <4899AF67.4080908@iosis.co.uk>
Message-ID: <20080806224617.2bc4cf1f@peterson.fenrir.org.uk>

On Wed, 6 Aug 2008 15:37:35 +0100 Roland Perry wrote:

> It's not a cookie issue - I've also tried it with a browser that accepts
> cookies. Nor is it a log-in issue. I suspect their website's broken :(

Do you suppose that Smile bank reached for their lawyers?

--
Brian Morrison

bdm at fenrir dot org dot uk

"Arguing with an engineer is like wrestling with a pig in the mud; after a while you realize you are muddy and the pig is enjoying it."
GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html

From ukcrypto at chiark.greenend.org.uk Thu Aug 7 11:34:33 2008
From: ukcrypto at chiark.greenend.org.uk (James Firth)
Date: Thu, 7 Aug 2008 11:34:33 +0100
Subject: CC shared secret
In-Reply-To: <000001c8f7f7$736b6520$e57ea8c0@Jinja>
References: <000001c8f7f7$736b6520$e57ea8c0@Jinja>
Message-ID: <00a401c8f879$30ea6ca0$7f7fa8c0@Jinja>

As if by magic, a story published in The Register today:

Net shoppers bullied into being Verified by Visa
http://www.theregister.co.uk/2008/08/07/verified_by_visa_compulsion/

"When shoppers make purchases online with participating retailers they are typically taken to a website run by the card-issuing bank, where they are asked to submit a VbyV or SecureCode password to proceed with the purchase."

James Firth

From ukcrypto at chiark.greenend.org.uk Thu Aug 7 11:34:14 2008
From: ukcrypto at chiark.greenend.org.uk (Charles Lindsey)
Date: Thu, 07 Aug 2008 11:34:14 +0100
Subject: CC shared secret
In-Reply-To:
References:
Message-ID:

On Wed, 06 Aug 2008 19:55:48 +0100, Roland Perry wrote:

> In article , Charles Lindsey
> writes
>> Your password, secret, etc never go through the merchant's site, and
>> you do not have to disclose the magic number on the back of the card.
>
> But to go back to my original question, presumably you *are* disclosing
> it to CYOCOTA, and maybe they have a copy of everyone's secret so they
> can check they match. Or does CYOCTA contact each cardholder's bank in
> real time with a copy of the secret asking "does this match"? And
> hopefully throwing away its copy of the shared secret afterwards.

I think you have to trust CYCOTA to the same extent that you trust your Bank. I think (from what I remember) they hand you over to your Bank if you claim to have forgotten your password, but I do not know whether they interact directly with your Bank for each transaction. (Actually, a sensible implementation would be to keep a cache of data for frequently used cards, and to contact the Bank in other cases).

--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131     Web: http://www.cs.man.ac.uk/~chl
Email: chl@clerew.man.ac.uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5

From ukcrypto at chiark.greenend.org.uk Thu Aug 7 11:32:58 2008
From: ukcrypto at chiark.greenend.org.uk (Roland Perry)
Date: Thu, 7 Aug 2008 11:32:58 +0100
Subject: CC shared secret
In-Reply-To: <20080806224617.2bc4cf1f@peterson.fenrir.org.uk>
References: <82abd3a70808060347l5368b064s1f9ee323451bf350@mail.gmail.com> <86ee7ELq0ZmIFAOM@perry.co.uk> <48999F66.7030508@pelicancrossing.net> <4899AF67.4080908@iosis.co.uk> <20080806224617.2bc4cf1f@peterson.fenrir.org.uk>
Message-ID:

In article <20080806224617.2bc4cf1f@peterson.fenrir.org.uk>, Brian Morrison writes
>> It's not a cookie issue - I've also tried it with a browser that accepts
>> cookies. Nor is it a log-in issue. I suspect their website's broken :(
>
>Do you suppose that Smile bank reached for their lawyers?

Looking increasingly likely, and the Google cache version has been flushed away now as well.
--
Roland Perry

From ukcrypto at chiark.greenend.org.uk Thu Aug 7 15:22:37 2008
From: ukcrypto at chiark.greenend.org.uk (James Firth)
Date: Thu, 7 Aug 2008 15:22:37 +0100
Subject: The Times: Cloned e-passports fiasco renews calls for £4.7bn ID card scheme to be axed
In-Reply-To: <00a401c8f879$30ea6ca0$7f7fa8c0@Jinja>
References: <000001c8f7f7$736b6520$e57ea8c0@Jinja> <00a401c8f879$30ea6ca0$7f7fa8c0@Jinja>
Message-ID: <00f801c8f899$0cc71ec0$7f7fa8c0@Jinja>

The Times: Cloned e-passports fiasco renews calls for £4.7bn ID card scheme to be axed

http://www.timesonline.co.uk/tol/news/politics/article4474143.ece

"After The Times disclosed that new passports could be cloned and manipulated in minutes and would then be accepted as genuine, MPs also gave warning of serious implications for the security of the Government's £4.7 billion identity card scheme."

From ukcrypto at chiark.greenend.org.uk Thu Aug 7 12:31:35 2008
From: ukcrypto at chiark.greenend.org.uk (ken)
Date: Thu, 07 Aug 2008 12:31:35 +0100
Subject: CC shared secret
In-Reply-To: <00a401c8f879$30ea6ca0$7f7fa8c0@Jinja>
References: <000001c8f7f7$736b6520$e57ea8c0@Jinja> <00a401c8f879$30ea6ca0$7f7fa8c0@Jinja>
Message-ID: <489ADD17.5000403@bbk.ac.uk>

James Firth wrote:
> As if by magic, a story published in The Register today:
>
> Net shoppers bullied into being Verified by Visa
>
> http://www.theregister.co.uk/2008/08/07/verified_by_visa_compulsion/

You'd almost think that someone who writes for the Reg reads this list :-)

From ukcrypto at chiark.greenend.org.uk Thu Aug 7 15:47:40 2008
From: ukcrypto at chiark.greenend.org.uk (Peter Tomlinson)
Date: Thu, 07 Aug 2008 15:47:40 +0100
Subject: Re: The Times: Cloned e-passports fiasco renews calls for £4.7bn ID card scheme to be axed
In-Reply-To: <00f801c8f899$0cc71ec0$7f7fa8c0@Jinja>
References: <000001c8f7f7$736b6520$e57ea8c0@Jinja>
 <00a401c8f879$30ea6ca0$7f7fa8c0@Jinja> <00f801c8f899$0cc71ec0$7f7fa8c0@Jinja>
Message-ID: <489B0B0C.9030007@iosis.co.uk>

James Firth wrote:
> The Times: Cloned e-passports fiasco renews calls for £4.7bn ID card scheme
> to be axed
>
> http://www.timesonline.co.uk/tol/news/politics/article4474143.ece
>
> "After The Times disclosed that new passports could be cloned and
> manipulated in minutes and would then be accepted as genuine, MPs also gave
> warning of serious implications for the security of the Government's £4.7
> billion identity card scheme."

Yesterday's articles - start at:

http://www.timesonline.co.uk/tol/news/uk/crime/article4467106.ece

and there are two more articles linked to that - pointed out that there are two stages to the protection, and only one has been broken. The other stage involves a global public key server, so how long before a bogus key pair is generated and the public key inserted into the server?

Peter

From ukcrypto at chiark.greenend.org.uk Thu Aug 7 16:23:17 2008
From: ukcrypto at chiark.greenend.org.uk (James Firth)
Date: Thu, 7 Aug 2008 16:23:17 +0100
Subject: RE: The Times: Cloned e-passports fiasco renews calls for £4.7bn ID card scheme to be axed
In-Reply-To: <489B0B0C.9030007@iosis.co.uk>
References: <000001c8f7f7$736b6520$e57ea8c0@Jinja> <00a401c8f879$30ea6ca0$7f7fa8c0@Jinja> <00f801c8f899$0cc71ec0$7f7fa8c0@Jinja> <489B0B0C.9030007@iosis.co.uk>
Message-ID: <011201c8f8a1$852867e0$7f7fa8c0@Jinja>

The Times has run a flurry of articles relating to IT security implications and data privacy of late, including a piece that effectively concludes no data is safe:

Don't be naive: computers will never be secure
Hackers will always beat security systems
http://www.timesonline.co.uk/tol/comment/columnists/guest_contributors/article4474092.ece

The Telegraph is also chipping in, with a series of "exposés" on RIPA and recently flight manifest data.
Not to suggest that this is politically motivated in any way, but are the conservatives positioning themselves as protectors of civil rights in a digital age, along David Davis' lines (despite his off-script action)?

Radio 4 this morning reminded me of a Russian proverb:

"Dwell on the past and you'll lose an eye. Forget the past and you'll lose both eyes."

I very much see this as relevant to anti-terrorism efforts and related civil/digital privacy rights. It's very easy for the government to say they must collect and analyse a lot of personal communications data (else we may lose an eye), however if we do continue down this path... we may lose both.

From ukcrypto at chiark.greenend.org.uk Thu Aug 7 16:27:56 2008
From: ukcrypto at chiark.greenend.org.uk (Wendy M. Grossman)
Date: Thu, 07 Aug 2008 16:27:56 +0100
Subject: Re: The Times: Cloned e-passports fiasco renews calls for £4.7bn ID card scheme to be axed
In-Reply-To: <011201c8f8a1$852867e0$7f7fa8c0@Jinja>
References: <000001c8f7f7$736b6520$e57ea8c0@Jinja> <00a401c8f879$30ea6ca0$7f7fa8c0@Jinja> <00f801c8f899$0cc71ec0$7f7fa8c0@Jinja> <489B0B0C.9030007@iosis.co.uk> <011201c8f8a1$852867e0$7f7fa8c0@Jinja>
Message-ID: <489B147C.3050102@pelicancrossing.net>

James Firth wrote:
> The Times has run a flurry of articles relating to IT security implications
> and data privacy of late, including a piece that effectively concludes no
> data is safe:

Gee, I've been saying that for years. :)

> Don't be naive: computers will never be secure
> Hackers will always beat security systems
> http://www.timesonline.co.uk/tol/comment/columnists/guest_contributors/artic
> le4474092.ece
>
> The Telegraph is also chipping in, with a series of "exposés" on RIPA and
> recently flight manifest data.

This isn't only recent, though. The Telegraph during its Connected period (1997-2001) published a lot of complaints about RIPA etc.
wg

From ukcrypto at chiark.greenend.org.uk Wed Aug 6 15:22:48 2008
From: ukcrypto at chiark.greenend.org.uk (Tom Thomson)
Date: Wed, 6 Aug 2008 15:22:48 +0100
Subject: CC shared secret
In-Reply-To:
References: <489978EC.1090302@iosis.co.uk> <4899840C.3040608@pelicancrossing.net>
Message-ID:

>> and stop your card.
>
> IME they just refuse the charge, but don't do anything else, and
> especially don't stop the card, or issue a new card proactively.

In my experience they call me and ask me whether the transaction was originated by me. If I say no they stop the card and send me a new one (with a different number, of course). If I say yes they don't stop the card.

If they can't contact me quickly they go into a spin, trying to contact me by all sorts of routes.

M.

From ukcrypto at chiark.greenend.org.uk Wed Aug 6 12:17:07 2008
From: ukcrypto at chiark.greenend.org.uk (Andy Cunningham)
Date: Wed, 6 Aug 2008 12:17:07 +0100
Subject: CC shared secret
In-Reply-To: <4899840C.3040608@pelicancrossing.net>
References: <489978EC.1090302@iosis.co.uk> <4899840C.3040608@pelicancrossing.net>
Message-ID: <20080806111707.GA4206@andy-yvonne.demon.co.uk>

On Wed, Aug 06, 2008 at 11:59:24AM +0100, Wendy M. Grossman wrote:
>> Or is the *whole* Visa scheme just a franchise, with merchants having
>> to have a credit-authorising dialogue with the relevant bank rather
>> than a central Visa-branded clearing house?
>
> Which would imply yes, that banks do it differently from each other.
> Mine is on a Barclaycard, if that helps.

It's a franchise, but there are multiple providers. I'm not clear on how the various redirections take place.

> What frosts me is that adding VfV to the list of hoops you have to jump
> through to put through a purchase doesn't make the bank any less likely
> to decide the transaction is dubious and stop your card.

VbV can be integrated with other risk analysis tools.
Whether or not a given bank chooses to implement this level of sophistication will depend on their mitigation strategy for fraud losses.

Andy

From ukcrypto at chiark.greenend.org.uk Tue Aug 5 12:48:35 2008
From: ukcrypto at chiark.greenend.org.uk (Igor Mozolevsky)
Date: Tue, 5 Aug 2008 12:48:35 +0100
Subject: U.S. Customs and Border Protection
In-Reply-To: <044401c8f6d4$240cfdf0$6c26f9d0$@co.uk>
References: <20080805084423.66eb4a2f@peterson.fenrir.org.uk> <044401c8f6d4$240cfdf0$6c26f9d0$@co.uk>
Message-ID:

2008/8/5 John Brazier :
> A confirmation:
>
> http://www.washingtonpost.com/wp-dyn/content/article/2008/08/01/AR2008080103
> 030.html

That's going to make some people at the Congress very happy, given their recent "Laptop Searches and Other Violations of Privacy Faced by Americans Returning from Overseas Travel" review...

--
Igor

From ukcrypto at chiark.greenend.org.uk Tue Aug 5 01:05:05 2008
From: ukcrypto at chiark.greenend.org.uk (Duncan Campbell)
Date: Tue, 05 Aug 2008 01:05:05 +0100
Subject: An incomplete PQ answer
In-Reply-To:
References: <0ID+ELC0qulIFAkm@highwayman.com> <2DA38795-0604-466B-B47D-D5B7C47D0515@batten.eu.org>
Message-ID: <6.2.3.4.2.20080805010046.02cc5800@pop.gn.apc.org>

>
> So why all the extra cash...?
>
> ian

The phone companies love to make profits. They charge the cops exorbitant sums for wee bits of data like a day's cellsite tables. So I'd factor in a very large greed multiplier, which may confound a simple data assessment.

[This is based on experience, by the way. I've done many cellsite analysis cases in the last five years, and a fair number of times the amount of data acquired has been minimised not for human rights reasons but because of the impact on the bottom line of police budgets.]

Duncan

From ukcrypto at chiark.greenend.org.uk Thu Aug 7 17:11:00 2008
From: ukcrypto at chiark.greenend.org.uk (Wendy M. Grossman)
Date: Thu, 07 Aug 2008 17:11:00 +0100
Subject: CC shared secret
In-Reply-To:
References: <489978EC.1090302@iosis.co.uk> <4899840C.3040608@pelicancrossing.net>
Message-ID: <489B1E94.6010803@pelicancrossing.net>

Tom Thomson wrote:
>>> and stop your card.
>> IME they just refuse the charge, but don't do anything else, and
>> especially don't stop the card, or issue a new card proactively.
>
> In my experience they call me and ask me whether the transaction was
> originated by me. If I say no they stop the card and send me a new one
> (with a different number, of course). If I say yes they don't stop the
> card.
>
> If they can't contact me quickly they go into a spin, trying to contact me
> by all sorts of routes.
>

This is my experience with Barclaycard. However, *meantime* they block any further transactions, and usually this happens before they've contacted me, so I don't know what's going on.

wg

From ukcrypto at chiark.greenend.org.uk Thu Aug 7 17:21:05 2008
From: ukcrypto at chiark.greenend.org.uk (Roland Perry)
Date: Thu, 7 Aug 2008 17:21:05 +0100
Subject: The Times: Cloned e-passports fiasco renews calls for £4.7bn ID card scheme to be axed
In-Reply-To: <00f801c8f899$0cc71ec0$7f7fa8c0@Jinja>
References: <000001c8f7f7$736b6520$e57ea8c0@Jinja> <00a401c8f879$30ea6ca0$7f7fa8c0@Jinja> <00f801c8f899$0cc71ec0$7f7fa8c0@Jinja>
Message-ID:

In article <00f801c8f899$0cc71ec0$7f7fa8c0@Jinja>, James Firth writes
>"After The Times disclosed that new passports could be cloned and
>manipulated in minutes and would then be accepted as genuine

I don't really follow the earlier assertion that the batch of stolen passports was "worthless" (without the chip being properly programmed). Who has a reader for them anyway?
The last return flight I went on, although my passport was checked by immigration officials each end who might have, the airlines who are supposed to check that the right people are getting on the plane [1] failed at both ends. At the departing gate the girl didn't look at my passport, coming back it wasn't even opened.

[1] Reporting details of passengers in advance is useless if different people get on board.

--
Roland Perry

From ukcrypto at chiark.greenend.org.uk Thu Aug 7 17:26:29 2008
From: ukcrypto at chiark.greenend.org.uk (Roland Perry)
Date: Thu, 7 Aug 2008 17:26:29 +0100
Subject: CC shared secret
In-Reply-To:
References: <489978EC.1090302@iosis.co.uk> <4899840C.3040608@pelicancrossing.net>
Message-ID:

In article , Tom Thomson writes
>> IME they just refuse the charge, but don't do anything else, and
>> especially don't stop the card, or issue a new card proactively.
>
>In my experience they call me and ask me whether the transaction was
>originated by me. If I say no they stop the card and send me a new one
>(with a different number, of course). If I say yes they don't stop the
>card.
>
>If they can't contact me quickly they go into a spin, trying to contact me
>by all sorts of routes.

That's interesting, because I hadn't found anyone with a *refused* charge that had happened to. Sometimes with accepted but unusual charges.

--
Roland Perry

From ukcrypto at chiark.greenend.org.uk Thu Aug 7 17:26:56 2008
From: ukcrypto at chiark.greenend.org.uk (Roland Perry)
Date: Thu, 7 Aug 2008 17:26:56 +0100
Subject: CC shared secret
In-Reply-To:
References:
Message-ID:

In article , Charles Lindsey writes
>I think you have to trust CYCOTA to the same extent that you trust your
>Bank.

What worries me about this whole thing is that the card companies want us to keep the secrets secret, and then invent ways that to a casual observer might appear to be leaking the secret to third parties. So who else might they think we are supposed to know to trust?
--
Roland Perry

From ukcrypto at chiark.greenend.org.uk Thu Aug 7 17:49:18 2008
From: ukcrypto at chiark.greenend.org.uk (Ross Anderson)
Date: Thu, 07 Aug 2008 17:49:18 +0100
Subject: CC shared secret
Message-ID:

Roland:

> I just got an email (which seems to be genuine) from one of my credit
> card companies saying they have enrolled me (unsolicited) in "Verified by
> Visa", and my password will be the answer to one of the "shared secrets"
> used during login to my online account with them.

I have come across an interesting and potentially quite unpleasant pair of features.

The RBS is one of the banks at which I maintain an account, and as with my other banks I've been very careful not to set up a password with them for phone and Internet banking, because of the liability transfer that gets kicked off (see Bohm, Brown and Gladman).

Last week their credit card people wrote to me asking me to call them at once to verify a suspicious transaction. I did so and the lady at the call centre demanded my password. I explained that I had been careful never to set one. She brusquely contradicted me, told me I'd set one, said it might be my mother's maiden name, and told me 'its' first and last letters - which were indeed the first and last letters of my mother's maiden name. I protested and she said she would not speak to me any more as I 'had refused the security questions'.

It looks like the RBS has decided to deal with the refuseniks and the can't-be-bothered-niks by simply giving us all passwords, whether we consented or not.

The second disfeature with the RBS is that when I attempted a few weeks ago to use one of their cards to buy a ticket from Easyjet, the Easyjet website insisted I pick a password for their equivalent of VbV. I phoned their call centre and asked if I could get a card that did not have this feature enabled. Not even the supervisor to whom I eventually spoke seemed able to understand what I was on about, let alone help.
People who use their Coutts brand seem to have better luck but speaking to someone who understands the bank's own systems doesn't seem to be an option for us proles.

It really does seem like a race to the bottom, doesn't it? Pretty soon we'll all be asked for our mothers' maiden names whenever we shop, and when stuff goes wrong it'll all be our fault.

Ross

From ukcrypto at chiark.greenend.org.uk Thu Aug 7 17:54:59 2008
From: ukcrypto at chiark.greenend.org.uk (Peter Tomlinson)
Date: Thu, 07 Aug 2008 17:54:59 +0100
Subject: CC shared secret
In-Reply-To:
References:
Message-ID: <489B28E3.1060400@iosis.co.uk>

Ross Anderson wrote:
> see Bohm, Brown and Gladman

Is that a new legal firm?

Peter

From ukcrypto at chiark.greenend.org.uk Thu Aug 7 18:11:03 2008
From: ukcrypto at chiark.greenend.org.uk (Nicholas Bohm)
Date: Thu, 07 Aug 2008 18:11:03 +0100
Subject: CC shared secret
In-Reply-To: <489B28E3.1060400@iosis.co.uk>
References: <489B28E3.1060400@iosis.co.uk>
Message-ID: <489B2CA7.1030206@ernest.net>

Peter Tomlinson wrote:
> Ross Anderson wrote:
>> see Bohm, Brown and Gladman
> Is that a new legal firm?

More fun to be an old illegal one; but no, it's just the same old firm:

http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/2000_3/bohm/

Nicholas

--
Salkyns, Great Canfield, Takeley, Bishop's Stortford CM22 6SX, UK
Phone 01279 870285 (+44 1279 870285)
Mobile 07715 419728 (+44 7715 419728)
PGP public key ID: 0x899DD7FF. Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF

From ukcrypto at chiark.greenend.org.uk Thu Aug 7 21:06:31 2008
From: ukcrypto at chiark.greenend.org.uk (Peter Tomlinson)
Date: Thu, 07 Aug 2008 21:06:31 +0100
Subject: CC shared secret
In-Reply-To: <489B2CA7.1030206@ernest.net>
References: <489B28E3.1060400@iosis.co.uk> <489B2CA7.1030206@ernest.net>
Message-ID: <489B55C7.6040304@iosis.co.uk>

Nicholas Bohm wrote:
> Peter Tomlinson wrote:
>> Ross Anderson wrote:
>>> see Bohm, Brown and Gladman
>> Is that a new legal firm?
> More fun to be an old illegal one; but no, it's just the same old firm:
>
> http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/2000_3/bohm/
>
> Nicholas

Thanks. Have saved it and will read it.

Peter

From ukcrypto at chiark.greenend.org.uk Thu Aug 7 21:19:47 2008
From: ukcrypto at chiark.greenend.org.uk (Roland Perry)
Date: Thu, 7 Aug 2008 21:19:47 +0100
Subject: CC shared secret
In-Reply-To:
References:
Message-ID:

In article , Ross Anderson writes
>Last week their credit card people wrote to me asking me to call them
>at once to verify a suspicious transaction. I did so and the lady at
>the call centre demanded my password. I explained that I had been
>careful never to set one. She brusquely contradicted me, told me I'd
>set one, said it might be my mother's maiden name, and told me 'its'
>first and last letters - which were indeed the first and last letters
>of my mother's maiden name.

This is symptomatic of my main worry in this thread. Did that lady have your [let's assume you had supplied it previously just for a moment] shared secret on the screen in front of her in the clear? Isn't that a big risk? Or is it so difficult to type in a name you give them and get it right, that they have to use the human being rather than a computer to check it's correct?

>I protested and she said she would not speak to me any more as I 'had
>refused the security questions'.
>
>It looks like the RBS has decided to deal with the refuseniks and the
>can't-be-bothered-niks by simply giving us all passwords, whether we
>consented or not.

So you *have* told RBS your mother's maiden name in some other context?
--
Roland Perry

From ukcrypto at chiark.greenend.org.uk Fri Aug 8 09:09:02 2008
From: ukcrypto at chiark.greenend.org.uk (Ross Anderson)
Date: Fri, 08 Aug 2008 09:09:02 +0100
Subject: Eric Moechel's comments on the Times article
Message-ID:

Eric asked me to post this to the list; he tried and it bounced

Ross

From: q/marauder
To: ukcrypto@chiark.greenend.org.uk

James Firth wrote:
> The Times: Cloned e-passports fiasco renews calls for £4.7bn ID card scheme
> to be axed
>
> http://www.timesonline.co.uk/tol/news/politics/article4474143.ece
>
> "After The Times disclosed that new passports could be cloned and
> manipulated in minutes and would then be accepted as genuine, MPs also gave
> warning of serious implications for the security of the Government's £4.7
> billion identity card scheme."

Both articles on the "cloning" of British passports show a decent amount of flaws in reporting.

http://www.timesonline.co.uk/tol/news/politics/article4474143.ece
http://www.timesonline.co.uk/tol/news/politics/article4474143.ece

- There was no passport cloning but "passport invalidating". And that could only work because the British have the worst security implementation in the passport RFID system EU-wide. That is because they were AFAIK the earliest adapters in EU. There is no active authentication in UK passports yet AFAIK which is crucial for preventing cloning the data to another RFID. Works with an embedded secret key on a non readable zone on the chip. The first info the reading machine gets is a public key that is used to encrypt traffic. The secret key hidden in the RFID's hardware is used to decrypt that. So you may get access to the data, you can copy them and put them on another chip. But that will be discovered immediately when controlled by a passport reader. There can't be any communication between clone chip and machine. The clone chip does not have the embedded secret key to decrypt the initial data. "Active authentication" is mandatory here in AT.
- similar in the "Osama" case. ICAO's "golden reader" is just a tool to test chip _functionality_. They are introducing a wholly new standard, so the problem is interoperability. The "golden reader" _does not_ perform security checks, it is not a passport reading machine that can verify a signature. If the young person with Bin Laden's image on the chip travelled to Austria the passport would show up as compromised by the reading machine, bearing another signature than the so called "Country Signer Certificate" from UK.

- Here we are at the PKI/PKD question. Austrian federal printing agency officials told me yesterday that they have long exchanged keys with the British. A PKI/PKD would be practical to have, but the whole thing works as well bilaterally they said. Public keys are exchanged on diplomat channels, via couriers. Germany showed open reservation to a PKI/PKD, Austrian officials just said they were currently not participating and would not comment on the future. Such a global database - hosted in Singapore - is not such a good idea, quite many in Europe should think. Imagine if somebody managed to upload a certificate that looked like one of the [inevitable] follow-up certificates of - say - the Federal Republic of Germany. But belonged to the Democrat Republic of Transnistria or somebody else?

Otherwise I am not happy at all with a technology that is based on shortwave communication such as the passport chips. There is a very simple, effective, cheap and dirty attack scenario possible on an ancient analogue layer. ;)

For those who read German here are more details

Äpfel, Birnen, Pässe und Bin Laden
http://futurezone.orf.at/hardcore/stories/298481/

cu
Erich M.
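The distinction Erich draws above, between a reader that only checks the issuer's signature over the chip data and one that also runs active authentication, is easy to see in code. The toy model below is an added illustration, not part of his message or of any real passport software: it uses textbook RSA over SHA-256 with small constructed Mersenne primes in place of the ISO 9796-2 scheme real chips use, and every key, MRZ and issuer name is made up. It shows that a bit-for-bit copy passes the signature check but cannot answer the challenge, that altered data fails the signature check, and (Peter's worry about a bogus key in the public key server) that data re-signed under another key is accepted exactly when a reader trusts that key.

```python
"""Toy model of passive vs active authentication for e-passport chips.
Passive authentication verifies the issuer's signature over the readable
data groups, so a bit-for-bit copy passes it.  Active authentication
(ICAO 9303 AA) makes the chip sign a fresh 8-byte challenge with a private
key kept in non-readable memory, which a copy lacks.  Constructed demo
parameters throughout; textbook RSA is not the real ISO 9796-2 scheme."""
import hashlib
import secrets

# Constructed demo primes (Mersenne primes), far too small for real use.
M17, M19, M31, M61 = 2**17 - 1, 2**19 - 1, 2**31 - 1, 2**61 - 1
M89, M107 = 2**89 - 1, 2**107 - 1


def make_keypair(p, q, e=65537):
    """Textbook RSA: returns ((n, e), (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def _digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(priv, msg):
    n, d = priv
    return pow(_digest(msg, n), d, n)


def verify(pub, msg, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(msg, n)


def canonical(data_groups):
    """Deterministic encoding of the data groups the issuer signs."""
    return repr(sorted(data_groups.items())).encode()


class Chip:
    """Readable data groups and issuer signature (the SOD), plus, only on a
    genuine chip, the AA private key in a region a reader can never read."""

    def __init__(self, data_groups, sod_sig, aa_priv=None):
        self.data_groups = dict(data_groups)  # DG1 = MRZ, DG15 = AA public key
        self.sod_sig = sod_sig
        self._aa_priv = aa_priv  # None on a copy

    def read(self):
        return dict(self.data_groups), self.sod_sig

    def answer_challenge(self, nonce):
        if self._aa_priv is None:
            return None  # a copy has nothing to sign with
        return sign(self._aa_priv, nonce)


class Issuer:
    """A country's document signer; readers trust its public key."""

    def __init__(self, p, q):
        self.pub, self._priv = make_keypair(p, q)

    def issue(self, mrz, aa_p, aa_q):
        aa_pub, aa_priv = make_keypair(aa_p, aa_q)
        dgs = {"DG1": mrz, "DG15": aa_pub}
        # DG15 is under the SOD signature, so a copy cannot swap in its own key.
        return Chip(dgs, sign(self._priv, canonical(dgs)), aa_priv)


def clone(chip):
    """Copy everything a reader can read; the AA private key is not among it."""
    dgs, sod = chip.read()
    return Chip(dgs, sod)


def passive_authentication(trusted_pub, chip):
    dgs, sod = chip.read()
    return verify(trusted_pub, canonical(dgs), sod)


def active_authentication(chip):
    dgs, _ = chip.read()
    nonce = secrets.token_bytes(8)  # fresh each time, so a recorded answer is useless
    sig = chip.answer_challenge(nonce)
    return sig is not None and verify(dgs["DG15"], nonce, sig)


def inspect(chip, trusted_pub, require_aa):
    """Border-reader verdict; require_aa=False models a passive-only reader."""
    if not passive_authentication(trusted_pub, chip):
        return "REJECT: data groups not signed by the trusted issuer"
    if require_aa and not active_authentication(chip):
        return "REJECT: chip cannot prove possession of the AA private key"
    return "ACCEPT"


if __name__ == "__main__":
    uk = Issuer(M31, M61)  # constructed stand-in for a country signer
    genuine = uk.issue("P<GBRSMITH<<JOHN<<<<", M17, M19)
    copy = clone(genuine)
    print("genuine, AA required:       ", inspect(genuine, uk.pub, True))
    print("copy, passive-only reader:  ", inspect(copy, uk.pub, False))
    print("copy, AA required:          ", inspect(copy, uk.pub, True))
    # Data re-signed under another key: accepted only by readers trusting it.
    rogue = Issuer(M89, M107)
    forged = rogue.issue("P<GBRSMITH<<JOHN<<<<", M17, M19)
    print("rogue-signed, trusts UK key:", inspect(forged, uk.pub, True))
    print("rogue-signed, trusts rogue: ", inspect(forged, rogue.pub, True))
```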
From ukcrypto at chiark.greenend.org.uk Fri Aug 8 12:33:54 2008
From: ukcrypto at chiark.greenend.org.uk (Charles Lindsey)
Date: Fri, 08 Aug 2008 12:33:54 +0100
Subject: CC shared secret
In-Reply-To:
References:
Message-ID:

On Thu, 07 Aug 2008 17:26:56 +0100, Roland Perry wrote:

> In article , Charles Lindsey
> writes
>> I think you have to trust CYCOTA to the same extent that you trust your
>> Bank.
>
> What worries me about this whole thing is that the card companies want
> us to keep the secrets secret, and then invent ways that to a casual
> observer might appear to be leaking the secret to third parties. So who
> else might they think we are supposed to know to trust?

Well I did complain to Natwest/RBS when I first saw the CYCOTA certificate, but they did confirm that CYCOTA were their appointed agents.

CYCOTA seem to be able to go to the trouble of including the correct bank's logo on the page they exhibit, so surely it would not be beyond the wit of man to arrange for them to exhibit a certificate traceable to the relevant bank. All it needs is a specially constructed key pair with short expiry (so there is little risk in letting CYCOTA have the private key), itself signed by one of the bank's better known keys which in turn would be signed by the usual Verifraud clowns.

One of my complaints about the whole SSL certificate system is that you are offered no choice of which ultimate CA the certificate relies on - you just get whoever the site in question chose to patronize. It would have been far better for each site to get itself certified by more than one CA, and to present certificates from them all. Then I could safely tell my browser not to recognize Verifraud.

--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131     Web: http://www.cs.man.ac.uk/~chl
Email: chl@clerew.man.ac.uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5

From ukcrypto at chiark.greenend.org.uk Fri Aug 8 14:35:13 2008
From: ukcrypto at chiark.greenend.org.uk (Igor Mozolevsky)
Date: Fri, 8 Aug 2008 14:35:13 +0100
Subject: CC shared secret
In-Reply-To:
References:
Message-ID:

2008/8/8 Charles Lindsey :
> CYCOTA seem to be able to go to the trouble of including the correct bank's
> logo on the page they exhibit, so surely it would not be beyond the wit of
> man to arrange for them to exhibit a certificate traceable to the relevant
> bank. All it needs is a specially constructed key pair with short expiry (so
> there is little risk in letting CYCOTA have the private key), itself signed
> by one of the bank's better known keys which in turn would be signed by the
> usual Verifraud clowns.

Displaying relevant bank logo is simple, you just need to do a BIN lookup, whereas masquerading as a part of someone else's domain is a lot more difficult, especially if EV certs are involved. Incidentally, is it an EV cert that CYCOTA, et al present or is it a plain cert, does anyone know (none of my CC cards are 3d obscured)?

Cheers,
--
Igor

From ukcrypto at chiark.greenend.org.uk Tue Aug 12 13:26:49 2008
From: ukcrypto at chiark.greenend.org.uk (John Lamb)
Date: Tue, 12 Aug 2008 13:26:49 +0100
Subject: CC shared secret
In-Reply-To:
References:
Message-ID: <20080812122649.GA8639@olann.net>

On Fri, Aug 08, 2008 at 02:35:13PM +0100, Igor Mozolevsky wrote:
> Displaying relevant bank logo is simple, you just need to do a BIN
> lookup, whereas masquerading as a part of someone else's domain is a
> lot more difficult, especially if EV certs are involved. Incidentally,
> is it an EV cert that CYCOTA, et al present or is it a plain cert,
> does anyone know (none of my CC cards are 3d obscured)?

I don't have a Mastercard, but I know Verified by Visa sends you to the generically named securesuite.co.uk, owned by CYOTA INC. The cert is not EV.
Perhaps they will upgrade when it expires in October.

This is Nationwide's help page hosted on their site:

https://www.securesuite.co.uk/nationwide/tdsecure/help.jsp

The Demo part of the FAQ is reassuring - note the pop up VbV window with no address bar or padlock visible!

https://www.securesuite.co.uk/nationwide/docs/demo.jsp

Also, to add to your feeling of confidence in the site, http://www.securesuite.co.uk/ doesn't load and https://www.securesuite.co.uk/ returns an empty page. Maybe this is why googling for it turns up lots of people concerned they are being phished.

A bit of googling and URL guessing turns up some other banks on it:

https://www.securesuite.co.uk/mbnabusiness/docs/demo.jsp
https://www.securesuite.co.uk/rbs/docs/demo.jsp
https://www.securesuite.co.uk/natwest/docs/demo.jsp

Plus a special commendation for HBOS and their flash demo:

https://www.securesuite.co.uk/hbos/docs/demo.jsp

And the FAQ pages make some interesting browser recommendations:

https://www.securesuite.co.uk/hbos/docs/faq.jsp#General_questions7

> Halifax Secure requires the use of Windows Microsoft® Internet
> Explorer 5.5, 6.0 and 7.0, Windows Netscape® 7.1 and 7.2, Windows AOL
> ® 9, Windows Firefox® 1.0 and Macintosh Safari®.

https://www.securesuite.co.uk/nationwide/docs/faq.jsp#General_Questions5

> In order to get the most out of the Verified by Visa (VbV) Service.
> Visa recommend the following browsers: IE 7.0, IE 6.0, FireFox
> 2.0.0.2, FireFox 1.5, AOL9 and MAC-Safari 2.0.4.. VbV will work with
> the following browsers, but some of the information may not display
> correctly: FireFox 1.0.2, IE 5.5, NS 7.2, MAC Safari 1.3 and NS 8.1.2.
From ukcrypto at chiark.greenend.org.uk Wed Aug 13 13:28:03 2008
From: ukcrypto at chiark.greenend.org.uk (Ian Batten)
Date: Wed, 13 Aug 2008 13:28:03 +0100
Subject: BBC NEWS | Business | Device 'steals chip-and-pin data'
Message-ID: <5EC46854-2001-4999-A38B-7CAA2F9383B4@batten.eu.org>

http://news.bbc.co.uk/1/hi/business/7557956.stm

From ukcrypto at chiark.greenend.org.uk Wed Aug 13 13:55:06 2008
From: ukcrypto at chiark.greenend.org.uk (Peter Tomlinson)
Date: Wed, 13 Aug 2008 13:55:06 +0100
Subject: BBC NEWS | Business | Device 'steals chip-and-pin data'
In-Reply-To: <5EC46854-2001-4999-A38B-7CAA2F9383B4@batten.eu.org>
References: <5EC46854-2001-4999-A38B-7CAA2F9383B4@batten.eu.org>
Message-ID: <48A2D9A9.1090901@iosis.co.uk>

Ian Batten wrote:
>
> http://news.bbc.co.uk/1/hi/business/7557956.stm
>
Modifying C&P readers to log transaction information is not news, because it
was happening a year or so ago (and in a filling station near me), but
breaking the PINpad encryption might be. However, they may have just tapped
into the keypad contacts (supposed to be a sealed unit, but you could replace
it with a modified one if you worked hard enough at it).

Birmingham police had a dedicated bank card fraud unit at least ten years ago.

Peter

From ukcrypto at chiark.greenend.org.uk Wed Aug 13 14:21:17 2008
From: ukcrypto at chiark.greenend.org.uk (David Hansen)
Date: Wed, 13 Aug 2008 14:21:17 +0100
Subject: BBC NEWS | Business | Device 'steals chip-and-pin data'
In-Reply-To: <48A2D9A9.1090901@iosis.co.uk>
References: <5EC46854-2001-4999-A38B-7CAA2F9383B4@batten.eu.org>, <48A2D9A9.1090901@iosis.co.uk>
Message-ID: <48A2EDDD.910.B96327F@davidh.spidacom.co.uk>

On 13 Aug 2008 at 13:55, Peter Tomlinson wrote:
> Birmingham police had a dedicated bank card fraud unit at least ten
> years ago.

Wasn't that about the time that the police/Home Office had the "bright" idea
of transferring this sort of investigation to the banks? If it wasn't so
serious it would be comical. The bank steals your money, the police couldn't
care less and tell you that you must ask the bank to investigate itself.
--
David Hansen, Edinburgh
I will *always* explain revoked encryption keys, unless RIP prevents me
http://www.opsi.gov.uk/acts/acts2000/00023--e.htm#54

From ukcrypto at chiark.greenend.org.uk Wed Aug 13 14:43:20 2008
From: ukcrypto at chiark.greenend.org.uk (Ian Batten)
Date: Wed, 13 Aug 2008 14:43:20 +0100
Subject: Criminals hijack terminals to swipe Chip-and-PIN data | The Register
Message-ID: <42786BEA-0D8F-4127-BA51-1DD8B02D4453@batten.eu.org>

http://www.theregister.co.uk/2008/08/13/counterfeit_pin_terminal_arrests/

From ukcrypto at chiark.greenend.org.uk Wed Aug 13 14:48:02 2008
From: ukcrypto at chiark.greenend.org.uk (Ian Batten)
Date: Wed, 13 Aug 2008 14:48:02 +0100
Subject: Certificate Providers
Message-ID: <8CB6770A-B02E-455E-9558-E98A581B9D6E@batten.eu.org>

Has anyone had good or bad experiences with companies that sell cheap
certificates? I'm about to pay £40/year or something to get a simple
certificate for mail.batten.eu.org from COMODO (an EssentialSSL)
certificate and the 90 day trial has worked fine with every browser
I've tried (except one in a gym, not my usual, which turned out to
have its clock set to 2006 to match the decor). Any other suggestions?

ian

From ukcrypto at chiark.greenend.org.uk Wed Aug 13 15:12:07 2008
From: ukcrypto at chiark.greenend.org.uk (James Firth)
Date: Wed, 13 Aug 2008 15:12:07 +0100
Subject: Certificate Providers
In-Reply-To: <8CB6770A-B02E-455E-9558-E98A581B9D6E@batten.eu.org>
References: <8CB6770A-B02E-455E-9558-E98A581B9D6E@batten.eu.org>
Message-ID: <008601c8fd4e$93c1b0c0$e57ea8c0@Jinja>

Ian Batten wrote:
> Has anyone had good or bad experiences with companies that sell cheap
> certificates? I'm about to pay £40/year or something to get a simple
> certificate for mail.batten.eu.org from COMODO (an EssentialSSL)
> certificate and the 90 day trial has worked fine with every browser
> I've tried (except one in a gym, not my usual, which turned out to
> have its clock set to 2006 to match the decor). Any other suggestions?
>
> ian

Until this year I used Trustico's RapidSSL without issues, which currently
is only £9

http://www.trustico.co.uk/

I've been lax and haven't renewed this year, I'm considering a wildcard
option.
From ukcrypto at chiark.greenend.org.uk Wed Aug 13 15:20:33 2008
From: ukcrypto at chiark.greenend.org.uk (James Firth)
Date: Wed, 13 Aug 2008 15:20:33 +0100
Subject: Certificate Providers
In-Reply-To: <008601c8fd4e$93c1b0c0$e57ea8c0@Jinja>
References: <8CB6770A-B02E-455E-9558-E98A581B9D6E@batten.eu.org> <008601c8fd4e$93c1b0c0$e57ea8c0@Jinja>
Message-ID: <008701c8fd4f$bf93b030$e57ea8c0@Jinja>

> Ian Batten wrote:
> > Has anyone had good or bad experiences with companies that sell cheap
> > certificates? I'm about to pay £40/year or something to get a simple
> > certificate for mail.batten.eu.org from COMODO (an EssentialSSL)
> > certificate and the 90 day trial has worked fine with every browser
> > I've tried (except one in a gym, not my usual, which turned out to
> > have its clock set to 2006 to match the decor). Any other suggestions?
> >
> > ian
>

Will quickly add that it depends on which devices you want to access your
email before choosing a certificate. The RapidSSL AFAIK isn't widely
supported on mobile devices, the Geotrust "QuickSSL Premium" is better
supported.

From ukcrypto at chiark.greenend.org.uk Wed Aug 13 15:33:29 2008
From: ukcrypto at chiark.greenend.org.uk (Igor Mozolevsky)
Date: Wed, 13 Aug 2008 15:33:29 +0100
Subject: Certificate Providers
In-Reply-To: <008701c8fd4f$bf93b030$e57ea8c0@Jinja>
References: <8CB6770A-B02E-455E-9558-E98A581B9D6E@batten.eu.org> <008601c8fd4e$93c1b0c0$e57ea8c0@Jinja> <008701c8fd4f$bf93b030$e57ea8c0@Jinja>
Message-ID:

2008/8/13 James Firth :
>> Ian Batten wrote:
>> > Has anyone had good or bad experiences with companies that sell cheap
>> > certificates? I'm about to pay £40/year or something to get a simple
>> > certificate for mail.batten.eu.org from COMODO (an EssentialSSL)
>> > certificate and the 90 day trial has worked fine with every browser
>> > I've tried (except one in a gym, not my usual, which turned out to
>> > have its clock set to 2006 to match the decor). Any other suggestions?
optimumssl at US$14.99 per year - you get it pretty much instantly as well :)

From ukcrypto at chiark.greenend.org.uk Wed Aug 13 15:33:00 2008
From: ukcrypto at chiark.greenend.org.uk (Peter Tomlinson)
Date: Wed, 13 Aug 2008 15:33:00 +0100
Subject: BBC NEWS | Business | Device 'steals chip-and-pin data'
In-Reply-To: <48A2EDDD.910.B96327F@davidh.spidacom.co.uk>
References: <5EC46854-2001-4999-A38B-7CAA2F9383B4@batten.eu.org>, <48A2D9A9.1090901@iosis.co.uk> <48A2EDDD.910.B96327F@davidh.spidacom.co.uk>
Message-ID: <48A2F09C.8010208@iosis.co.uk>

David Hansen wrote:
> On 13 Aug 2008 at 13:55, Peter Tomlinson wrote
>> Birmingham police had a dedicated bank card fraud unit at least ten
>> years ago.
>>
> Wasn't that about the time that the police/Home Office had the "bright"
> idea of transferring this sort of investigation to the banks? If it
> wasn't so serious it would be comical. The bank steals your money, the
> police couldn't care less and tell you that you must ask the bank to
> investigate itself.

Not far off the truth, David. Twice about 10 years ago I listened to the
Brummy police talking about it to an industry group, and the police attitude
was that the bankers had deployed such an insecure mag stripe system that
they should solve the problem - but the boys in blue from Brum carried on
working at catching people for a while.

Peter

From ukcrypto at chiark.greenend.org.uk Thu Aug 14 08:41:25 2008
From: ukcrypto at chiark.greenend.org.uk (Roland Perry)
Date: Thu, 14 Aug 2008 08:41:25 +0100
Subject: Data Retention Consultation
Message-ID:

I don't think anyone's mentioned this yet:

http://www.homeoffice.gov.uk/documents/cons-2008-transposition

"This is the final phase of the transposition of Directive 2006/24/EC on
retaining data generated through electronic communications or public
communications networks.

"The aim of this directive is to ensure that certain data is retained so
that public authorities can investigate, detect and prosecute crime.
"This consultation is necessary to ensure the law includes internet access, internet telephone service, and internet mail. "Consultation closes 31 October 2008." News reporting from Guardian and BBC do the usual "council snooper" bit, conflating the requirement to retain data (this Directive) with the power to ask for disclosure (our friend RIPA). -- Roland Perry From ukcrypto at chiark.greenend.org.uk Thu Aug 14 09:00:36 2008 From: ukcrypto at chiark.greenend.org.uk (Peter Tomlinson) Date: Thu, 14 Aug 2008 09:00:36 +0100 Subject: Data Retention Consultation In-Reply-To: References: Message-ID: <48A3E624.9080207@iosis.co.uk> Roland Perry wrote: > News reporting from Guardian and BBC do the usual "council snooper" > bit, conflating the requirement to retain data (this Directive) with > the power to ask for disclosure (our friend RIPA). And in general the media have not made it clear that message content is not to be retained, but section 4 of the consultation does make that clear. Peter From ukcrypto at chiark.greenend.org.uk Thu Aug 14 11:12:02 2008 From: ukcrypto at chiark.greenend.org.uk (Roland Perry) Date: Thu, 14 Aug 2008 11:12:02 +0100 Subject: C&P tampering Message-ID: url tell most of the story, but no mention of the failure of the supposed "tamper proof" "tamper evident" nature of these terminals. Something I've been sceptical of since Day 1. And once again a reporting hot-spot (many frauds from one village, at a petrol station) shows that better statistics gathering could at least nip more of these escapades in the bud. 
--
Roland Perry

From ukcrypto at chiark.greenend.org.uk Thu Aug 14 15:24:08 2008
From: ukcrypto at chiark.greenend.org.uk (Roland Perry)
Date: Thu, 14 Aug 2008 15:24:08 +0100
Subject: BBC NEWS | Business | Device 'steals chip-and-pin data'
In-Reply-To: <48A2EDDD.910.B96327F@davidh.spidacom.co.uk>
References: <5EC46854-2001-4999-A38B-7CAA2F9383B4@batten.eu.org> <48A2D9A9.1090901@iosis.co.uk> <48A2EDDD.910.B96327F@davidh.spidacom.co.uk>
Message-ID:

In article <48A2EDDD.910.B96327F@davidh.spidacom.co.uk>, David Hansen writes
>> Birmingham police had a dedicated bank card fraud unit at least ten
>> years ago.
>
>Wasn't that about the time that the police/Home Office had the "bright"
>idea of transferring this sort of investigation to the banks? If it
>wasn't so serious it would be comical. The bank steals your money, the
>police couldn't care less and tell you that you must ask the bank to
>investigate itself.

I think you are confusing two different things. Dedicated Cheque and Plastic
Crime Unit (DCPCU) - which is police run but funded by the banks - was set up
in 2002.

Last year a completely different initiative commenced - to have customers
report individual card fraud direct to the banks not the police.
--
Roland Perry

From ukcrypto at chiark.greenend.org.uk Thu Aug 14 15:43:31 2008
From: ukcrypto at chiark.greenend.org.uk (Peter Tomlinson)
Date: Thu, 14 Aug 2008 15:43:31 +0100
Subject: Oyster, Mifare hack, and something stronger
Message-ID: <48A44493.1050002@iosis.co.uk>

If you missed last night's (Wednesday) Ch4 News re Oyster and the Mifare
hack, you can watch it by going to
http://www.channel4.com/news/watchlisten/video/. Click on "Watch again" and
the player window that opens up allows you to choose Part 3 of the programme.
What they didn't say was that the national spec (ITSO, but they didn't use
the name) mandates that, out of the box, all the terminal equipment and
systems have to be able to handle a number of card technologies, with
different security functions. As I now know after talking to Ch4, they
didn't say that because the people they consulted didn't tell them that
although they ought to have done. There are other things that they got arse
backwards as well (again they were misled), so this one will run and run.

Peter

From ukcrypto at chiark.greenend.org.uk Fri Aug 15 09:53:22 2008
From: ukcrypto at chiark.greenend.org.uk (Peter Tomlinson)
Date: Fri, 15 Aug 2008 09:53:22 +0100
Subject: Bruce Schneier on How to Get Cybersecurity Right
Message-ID: <48A54402.4000300@iosis.co.uk>

http://www.wired.com/politics/security/commentary/securitymatters/2008/08/securitymatters_0807

It's repeated in his monthly Crypto-Gram for August:
http://www.schneier.com/crypto-gram-0808.html

In the USA his prescription has some chance of working. Not so here until we
have taken some essential preliminary steps.

Peter

From ukcrypto at chiark.greenend.org.uk Thu Aug 14 08:53:19 2008
From: ukcrypto at chiark.greenend.org.uk (Kevin Townsend)
Date: Thu, 14 Aug 2008 08:53:19 +0100 (BST)
Subject: Data Retention Consultation
In-Reply-To:
References:
Message-ID: <1594.192.168.1.68.1218700399.mail@www.quantumlabs.org>

I blogged it yesterday... :-)

http://www.quantasecurity.com/article.php?s=5&a=2043

> I don't think anyone's mentioned this yet:
>
> http://www.homeoffice.gov.uk/documents/cons-2008-transposition
>
> "This is the final phase of the transposition of Directive 2006/24/EC on
> retaining data generated through electronic communications or public
> communications networks.
>
> "The aim of this directive is to ensure that certain data is retained so
> that public authorities can investigate, detect and prosecute crime.
>
> "This consultation is necessary to ensure the law includes internet
> access, internet telephone service, and internet mail.
>
> "Consultation closes 31 October 2008."
>
> News reporting from Guardian and BBC do the usual "council snooper" bit,
> conflating the requirement to retain data (this Directive) with the
> power to ask for disclosure (our friend RIPA).
> --
> Roland Perry
>
>

--
kevtownsend@googlemail.com
www.quantumlabs.org
www.quantasecurity.com
kevtownsend (Skype)
+44 121 288 1211 (Skype)
+44 1626 854125 (land line)

From ukcrypto at chiark.greenend.org.uk Fri Aug 22 07:24:44 2008
From: ukcrypto at chiark.greenend.org.uk (Ian Batten)
Date: Fri, 22 Aug 2008 07:24:44 +0100
Subject: BBC NEWS | UK | Questions asked after data loss
Message-ID: <7461DAE4-1E94-48D3-B884-F2DC95813471@batten.eu.org>

http://news.bbc.co.uk/1/hi/uk/7575989.stm

From ukcrypto at chiark.greenend.org.uk Fri Aug 22 08:10:00 2008
From: ukcrypto at chiark.greenend.org.uk (Mary Hawking)
Date: Fri, 22 Aug 2008 08:10:00 +0100
Subject: Questions asked after data loss (Ian Batten)
In-Reply-To: <20080822064702.8666.68655.Mailman@chiark.greenend.org.uk>
References: <20080822064702.8666.68655.Mailman@chiark.greenend.org.uk>
Message-ID: <2dRneFDIZmrIFwF6@tigers.demon.co.uk>

>From: Ian Batten
>Date: Fri, 22 Aug 2008 07:24:44 +0100
>
>
>
>http://news.bbc.co.uk/1/hi/uk/7575989.stm
>

The question that never seems to be asked is why the information needed to
be on a memory stick or other portable device in the first place.

As a GP, my practice has just installed secure remote access (from
'Awayfrommydesk' which uses logmein with a few more bells & whistles for the
NHS). If the company consultant had a need for access outside the office,
why not secure remote access?

Or am I displaying my ignorance here?
Mary Hawking
--
Mary Hawking

From ukcrypto at chiark.greenend.org.uk Fri Aug 22 08:13:13 2008
From: ukcrypto at chiark.greenend.org.uk (Peter Tomlinson)
Date: Fri, 22 Aug 2008 08:13:13 +0100
Subject: BBC NEWS | UK | Questions asked after data loss
In-Reply-To: <7461DAE4-1E94-48D3-B884-F2DC95813471@batten.eu.org>
References: <7461DAE4-1E94-48D3-B884-F2DC95813471@batten.eu.org>
Message-ID: <48AE6709.5080105@iosis.co.uk>

Ian Batten wrote:
> http://news.bbc.co.uk/1/hi/uk/7575989.stm

One of the flaws in large parts of the public sector, also applying to some
of its acolytes, is the divide between management and implementation. Over
some 8 years now I have several times rubbed up against PA over its failure
to understand information security (including data protection implications)
in relation to the utility of public services using certain ICT methods. Now
one of the tasks that I have is working with a very small trade association,
in the course of which we were involved in the development of the ENCTS (bus
passes in England to you), where a misleading document called the Plain
English Guide was published by DfT - the source was PA. In one of its first
pro-active actions, the ICO ensured that the document was altered to remove
misleading advice to LAs that might well have resulted in personal data of
pass holders being stored in the chip in the passes in a way that was
insecure. PA are management consultants in the area with which we were
concerned, not technical.

Peter

From ukcrypto at chiark.greenend.org.uk Fri Aug 22 09:34:22 2008
From: ukcrypto at chiark.greenend.org.uk (David Hansen)
Date: Fri, 22 Aug 2008 09:34:22 +0100
Subject: BBC NEWS | UK | Questions asked after data loss
In-Reply-To: <7461DAE4-1E94-48D3-B884-F2DC95813471@batten.eu.org>
References: <7461DAE4-1E94-48D3-B884-F2DC95813471@batten.eu.org>
Message-ID: <48AE881E.10404.4AC079@davidh.spidacom.co.uk>

On 22 Aug 2008 at 7:24, Ian Batten wrote:
> http://news.bbc