From zenadsl6186 at zen.co.uk Thu Sep 3 00:56:03 2009
From: zenadsl6186 at zen.co.uk (Peter Fairbrother)
Date: Thu, 03 Sep 2009 00:56:03 +0100
Subject: Google news, UK and US versions
Message-ID: <4A9F0613.7090708@zen.co.uk>

I used to be able to get the US version of Google news when I entered
www.google.com into the address bar of a browser - now it returns the
same version of the news as www.google.uk.

What gives?

-- Peter Fairbrother

From zenadsl6186 at zen.co.uk Thu Sep 3 01:10:15 2009
From: zenadsl6186 at zen.co.uk (Peter Fairbrother)
Date: Thu, 03 Sep 2009 01:10:15 +0100
Subject: Google news, UK and US versions
In-Reply-To: <4A9F0613.7090708@zen.co.uk>
Message-ID: <4A9F0967.2070107@zen.co.uk>

Peter Fairbrother wrote:
> I used to be able to get the US version of Google news when I entered
> www.google.com into the address bar of a browser - now it returns the
> same version of the news as www.google.uk.
>
> What gives?
>
> -- Peter Fairbrother

Sorry, just being paranoid - they have changed it so that you get your
own country news, and can get another country's version from a menu.

Annoying though.

-- Peter Fairbrother

From nbohm at ernest.net Tue Sep 8 20:39:43 2009
From: nbohm at ernest.net (Nicholas Bohm)
Date: Tue, 08 Sep 2009 20:39:43 +0100
Subject: ID Card Fail
In-Reply-To: <4A816D39.4010205@ernest.net>
Message-ID: <4AA6B2FF.6040504@ernest.net>

An HTML attachment was scrubbed...
From nbohm at ernest.net Wed Sep 9 11:50:39 2009
From: nbohm at ernest.net (Nicholas Bohm)
Date: Wed, 09 Sep 2009 11:50:39 +0100
Subject: ID Card Fail
In-Reply-To: <4A816D39.4010205@ernest.net>
Message-ID: <4AA7887F.8010705@ernest.net>

An HTML attachment was scrubbed...

From tony.naggs at googlemail.com Wed Sep 9 13:55:01 2009
From: tony.naggs at googlemail.com (Tony Naggs)
Date: Wed, 9 Sep 2009 13:55:01 +0100
Subject: ID Card Fail
In-Reply-To: <4AA7887F.8010705@ernest.net>
Message-ID:

Hi

2009/9/9 Nicholas Bohm :
> In response to my request for the public key of the UK Government PKI, CESG
> have referred me to
> web.archive.org/web/20070316055603/www.hmgpki.gov.uk/rootca.htm
>
> I would be grateful if some suitably qualified reader of this list could
> have a look and let us know whether this does in fact provide the relevant
> key.

The web page carries the public keys for the UK government PKI
Certificate Authority. (That is what the security certificates
proclaim, I have no means to verify or dispute this.)
[MS Windows includes a tool

These certificates are used to sign departmental root certificates,
which may then sign documents or descend through another level of root
certificates. This is typical of a PKI system, and is described in the
HMG PKI documents, particularly:
http://web.archive.org/web/20070316055636/http://www.hmgpki.gov.uk/documents/overview.pdf

There are a number of issues that I see:

1. The Internet Archive "Wayback Machine" (i.e. archive.org) is not an
   obvious place for members of the public to look for the UK
   government's official PKI keys.

2. Since the "Wayback Machine" grabbed the www.hmgpki.gov.uk web pages
   on 16 March 2007 the source website is not publicly accessible - I
   get a "403 Forbidden" error.

3. Issues with the hmgpki site not being accessible include: the
   published keys expire in August 2014 and there is no means of
   getting the subsequent keys, the current list of revoked
   departmental keys is not accessible to the public.

4. Also the certificates include text from the issuer such as "By
   relying on this HMG PKI certificate, you accept the terms and
   conditions stated in the HMG PKI Relying Party Agreement available
   at www.hmgpki.gov.uk/Root/RPAgreement_L3.htm"
   This URL is not stored by the Internet Archive, so I have no idea
   how much or how little trust I'm supposed to put in the certificate.

5. As a potential user of UK government public keys to verify documents
   I would like to know, for example, which Home Office or "Identity
   and Passport Service" keys I should expect in the signature chain
   for a passport. (Or at least how to recognise them.) Given only the
   ultimate HMG root certificate I cannot distinguish a valid passport
   from one signed by the Milk Monitoring Board.
Cheers,
Tony

From tony.naggs at googlemail.com Wed Sep 9 14:02:21 2009
From: tony.naggs at googlemail.com (Tony Naggs)
Date: Wed, 9 Sep 2009 14:02:21 +0100
Subject: ID Card Fail
In-Reply-To:
Message-ID:

Sorry, I hit 'Send' whilst I was still revising my last email. :-(

2009/9/9 Tony Naggs wrote:
> [MS Windows includes a tool

I meant to write that MS Windows includes a tool for inspecting
security certificates:

a. Save, for example, the "HMG Root CA RSA ARL" file to your PC.
b. Ensure the file ends with .crl rather than .crl.txt
c. Double click on the .crl file, select "Open" and then you can
   inspect details such as valid from/to dates.
ttfn,
Tony

From igb at batten.eu.org Thu Sep 10 08:34:58 2009
From: igb at batten.eu.org (Ian Batten)
Date: Thu, 10 Sep 2009 08:34:58 +0100
Subject: ID Card Fail
In-Reply-To: <4AA7887F.8010705@ernest.net>
Message-ID:

On 9 Sep 2009, at 11:50, Nicholas Bohm wrote:
> web.archive.org/web/20070316055603/www.hmgpki.gov.uk/rootca.htm

It's on archive.org because the website has ceased to exist, although
the certificates linked to from the archive are valid until 2014.

However:

downstairs-imac:Documents igb$ openssl x509 -in HMGRootCA_RSA.crt -inform DER -text -noout
[...]
            X509v3 Certificate Policies:
                Policy: 1.2.826.0.1316.2.0.1.3.0
                  User Notice:
                    Explicit Text: By relying on this HMG PKI certificate, you accept the terms and conditions stated in the HMG PKI Relying Party Agreement available at www.hmgpki.gov.uk/Root/RPAgreement_L3.htm
                Policy: 1.2.826.0.1316.2.0.1.2.0
                  User Notice:
                    Explicit Text: By relying on this HMG PKI certificate, you accept the terms and conditions stated in the HMG PKI Relying Party Agreement available at www.hmgpki.gov.uk/Root/RPAgreement_L2.htm

Given www.hmgpki.gov.uk doesn't exist any more, what force does that
statement have?

I presume this has gone into abeyance because the root certificate is
hard to load into browsers and the government are instead using
commercial certificates. That's not a bad decision, in many ways, but
as ever the problem of setting end dates on certificates appropriately
rears its ugly head.
The evil that men do lives on, etc.

ian

From pwt at iosis.co.uk Thu Sep 10 09:17:06 2009
From: pwt at iosis.co.uk (Peter Tomlinson)
Date: Thu, 10 Sep 2009 09:17:06 +0100
Subject: ID Card Fail
In-Reply-To:
Message-ID: <4AA8B602.4000806@iosis.co.uk>

Ian Batten wrote:
> On 9 Sep 2009, at 11:50, Nicholas Bohm wrote:
>> web.archive.org/web/20070316055603/
>> www.hmgpki.gov.uk/rootca.htm
>>
> It's on archive.org because the website has ceased to exist, although
> the certificates linked to from the archive are valid until 2014.
>
> However:
>
> downstairs-imac:Documents igb$ openssl x509 -in HMGRootCA_RSA.crt
> -inform DER -text -noout
> [...]
>             X509v3 Certificate Policies:
>                 Policy: 1.2.826.0.1316.2.0.1.3.0
>                   User Notice:
>                     Explicit Text: By relying on this HMG PKI
> certificate, you accept the terms and conditions stated in the HMG PKI
> Relying Party Agreement available at
> www.hmgpki.gov.uk/Root/RPAgreement_L3.htm
>
>                 Policy: 1.2.826.0.1316.2.0.1.2.0
>                   User Notice:
>                     Explicit Text: By relying on this HMG PKI
> certificate, you accept the terms and conditions stated in the HMG PKI
> Relying Party Agreement available at
> www.hmgpki.gov.uk/Root/RPAgreement_L2.htm
>
>
> Given www.hmgpki.gov.uk doesn't exist any
> more, what force does that statement have?
>
> I presume this has gone into abeyance because the root certificate is
> hard to load into browsers and the government are instead using
> commercial certificates. That's not a bad decision, in many ways, but
> as ever the problem of setting end dates on certificates appropriately
> rears its ugly head. The evil that men do lives on, etc.

A friend writes (after reading a forwarded copy of Nicholas' post about
his request for the govt's public key):

The correspondent has assumed that the UK would follow the German or
French model of a hierarchical root of trust for its PKIs, with a single
government root CA.

In the UK in 2003 Entrust Inc was contracted by the eEnvoy for the
National Root Certificate Authority hosted by CESG.

I believe the NRCA underlies many government departments' PKI systems
but as a non-federated group of CAs. So there is not one public key, but
a whole collection of unrelated keys. One interesting discussion point
is if the current plans for a central National Identity Register are
broken up by a Conservative government, what will replace it. For
efficient government one agency should electronically be able to trust
another. Then in turn citizens' cards like the Local Authority city
cards or even the ENCT [bus pass in England] could be used for 3rd
party authentication (depending on the level of risk). This would fit
the Conservative ethos of authority being less centrally controlled. I
believe Baroness Neville-Jones is looking at these issues.
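
The certificate inspection quoted in the messages above, as an added example that is not part of any poster's message: a script that builds a constructed self-signed root carrying a policy User Notice, then reports its expiry, its policy OIDs and the web hosts its notice text depends on. The subject name, the OID (under the RFC 5612 documentation arc) and www.example.invalid are assumptions; it needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example: every name, OID and URL below is constructed for illustration.
WORK=$(mktemp -d)
CERT="$WORK/root.crt"

# Build a throwaway self-signed root, DER-encoded like the file inspected in
# the thread, whose policy User Notice points relying parties at a web page.
make_sample_cert() {
    cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ext
[dn]
CN = Constructed Example Root CA
[ext]
basicConstraints = critical, CA:TRUE
certificatePolicies = @pol
[pol]
policyIdentifier = 1.3.6.1.4.1.32473.1.3
userNotice.1 = @notice
[notice]
explicitText = "Relying Party Agreement available at www.example.invalid/Root/RPAgreement.htm"
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/req.cnf" \
        -keyout "$WORK/key.pem" -out "$WORK/root.pem" 2>/dev/null &&
    openssl x509 -in "$WORK/root.pem" -outform DER -out "$CERT"
}

cert_text() { openssl x509 -in "$1" -inform DER -noout -text; }

# Policy OIDs asserted by the certificate, one per line.
policy_oids() { cert_text "$1" | sed -n 's/^ *Policy: *\([0-9.]*\).*/\1/p'; }

# Host names that the User Notice text tells relying parties to visit.
notice_hosts() {
    cert_text "$1" | grep 'Explicit Text:' |
        grep -Eo '[A-Za-z0-9.-]+\.[A-Za-z]+/[^ ]*' | cut -d/ -f1 | sort -u
}

# Exit 0 if the certificate is still inside its validity period $2 days from now.
valid_in_days() {
    openssl x509 -in "$1" -inform DER -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# One-screen summary: how long the certificate lives, and which external
# hosts must stay reachable for that long for its notice to mean anything.
audit() {
    echo "notAfter:  $(openssl x509 -in "$1" -inform DER -noout -enddate | cut -d= -f2)"
    policy_oids "$1"  | sed 's/^/policy:    /'
    notice_hosts "$1" | sed 's/^/terms at:  /'
    for days in 7 365; do
        if valid_in_days "$1" "$days"; then state="still valid"; else state="expired"; fi
        echo "in $days days: $state"
    done
}

make_sample_cert && audit "$CERT"
```

Whether each listed host still serves the referenced document has to be checked separately; the script only extracts what the certificate claims.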
From roger at hayter.org Thu Sep 10 10:50:52 2009
From: roger at hayter.org (Roger Hayter)
Date: Thu, 10 Sep 2009 10:50:52 +0100
Subject: ID Card Fail
In-Reply-To: <4AA8B602.4000806@iosis.co.uk>
Message-ID:

In message <4AA8B602.4000806 at iosis.co.uk>, Peter Tomlinson writes
>Ian Batten wrote:
>> On 9 Sep 2009, at 11:50, Nicholas Bohm wrote:
>>> web.archive.org/web/20070316055603/
>>>www.hmgpki.gov.uk/rootca.htm
>>>
>> It's on archive.org because the website has ceased to exist, although
>>the certificates linked to from the archive are valid until 2014.
>>
>> However:
>>
>> downstairs-imac:Documents igb$ openssl x509 -in HMGRootCA_RSA.crt
>>-inform DER -text -noout
>> [...]
>>             X509v3 Certificate Policies: Policy:
>>1.2.826.0.1316.2.0.1.3.0
>>                   User Notice:
>>                     Explicit Text: By relying on this HMG PKI
>>certificate, you accept the terms and conditions stated in the HMG PKI
>>Relying Party Agreement available at
>>www.hmgpki.gov.uk/Root/RPAgreement_L3.htm
>>
>>                 Policy: 1.2.826.0.1316.2.0.1.2.0
>>                   User Notice:
>>                     Explicit Text: By relying on this HMG PKI
>>certificate, you accept the terms and conditions stated in the HMG PKI
>>Relying Party Agreement available at
>>www.hmgpki.gov.uk/Root/RPAgreement_L2.htm
>>
>>
>> Given www.hmgpki.gov.uk doesn't exist any
>>more, what force does that statement have?
>>
>> I presume this has gone into abeyance because the root certificate is
>>hard to load into browsers and the government are instead using
>>commercial certificates. That's not a bad decision, in many ways, but
>>as ever the problem of setting end dates on certificates appropriately
>>rears its ugly head. The evil that men do lives on, etc.
>A friend writes (after reading a forwarded copy of Nicholas' post about
>his request for the govt's public key):
>
>The correspondent has assumed that the UK would follow the German or
>French model of a hierarchical root of trust for its PKIs, with a single
>government root CA.
>In the UK in 2003 Entrust Inc was contracted by the eEnvoy for the
>National Root Certificate Authority hosted by CESG.
>I believe the NRCA underlies many government departments' PKI systems
>but as a non-federated group of CAs. So there is not one public key, but
>a whole collection of unrelated keys. One interesting discussion point
>is if the current plans for a central National Identity Register are
>broken up by a Conservative government, what will replace it. For
>efficient government one agency should electronically be able to trust
>another. Then in turn citizens' cards like the Local Authority city
>cards or even the ENCT [bus pass in England] could be used for 3rd
>party authentication (depending on the level of risk). This would fit
>the Conservative ethos of authority being less centrally controlled. I
>believe Baroness Neville-Jones is looking at these issues.
>

Can I ask a couple of naive questions about the above?

1. Why should one government department need more certainty than the
rest of us in its day-to-day dealings? I.e. that Verisign or someone
probably wouldn't issue a something.gov.uk certificate to a Russian
phishing site.

2. Why should one government department know more about me than I care
to tell it?
Why should they want to be certain I am the same entity as someone with
the same (or different) name dealing with another department, if we are
not to have a national ID scheme?

I can live without the third party ID function for my bus pass. And I
do realise there may be a need for government cryptography for secure,
secret internal purposes.

-- Roger Hayter

From tony.naggs at googlemail.com Thu Sep 10 11:06:59 2009
From: tony.naggs at googlemail.com (Tony Naggs)
Date: Thu, 10 Sep 2009 11:06:59 +0100
Subject: ID Card Fail
In-Reply-To:
Message-ID:

2009/9/10 Ian Batten :
>
> On 9 Sep 2009, at 11:50, Nicholas Bohm wrote:
>
> web.archive.org/web/20070316055603/www.hmgpki.gov.uk/rootca.htm
>
> It's on archive.org because the website has ceased to exist, ...

Ian, you are mistaken: the website does exist - DNS finds the server -
but it does not allow public access, giving the "403 Forbidden" error
that I mentioned yesterday.
ttfn,
Tony

From otcbn at callnetuk.com Thu Sep 10 13:25:51 2009
From: otcbn at callnetuk.com (Pete Mitchell)
Date: Thu, 10 Sep 2009 13:25:51 +0100
Subject: ID Card Fail
In-Reply-To:
Message-ID: <4AA8F04F.4090403@callnetuk.com>

Roger Hayter wrote on 10-09-09 10:50:
> 2. Why should one government department know more about me than I care
> to tell it? Why should they want to be certain I am the same entity as
> someone with the same (or different) name dealing with another
> department, if we are not to have national ID scheme?

We *are* to have a national ID scheme, what makes you think we are not?
And the government is preparing to make sharing of personal data
between its departments completely routine.
-- Pete Mitchell

From pwt at iosis.co.uk Thu Sep 10 13:55:42 2009
From: pwt at iosis.co.uk (Peter Tomlinson)
Date: Thu, 10 Sep 2009 13:55:42 +0100
Subject: ID Card Fail
In-Reply-To: <4AA8F04F.4090403@callnetuk.com>
Message-ID: <4AA8F74E.9070301@iosis.co.uk>

Pete Mitchell wrote:
> Roger Hayter wrote on 10-09-09 10:50:
>> 2. Why should one government department know more about me than I
>> care to tell it? Why should they want to be certain I am the same
>> entity as someone with the same (or different) name dealing with
>> another department, if we are not to have national ID scheme?
>
> We *are* to have a national ID scheme, what makes you think we are
> not? And the government is preparing to make sharing of personal data
> between its departments completely routine.

Maybe I posted a note about this before, but if so here it is again.

Recently I was at an IAAC [1] WG where a person from Ministry of
Justice (sounds like a pop group) passed an opinion to the effect that
they don't think the population have any "theological objection" to
sharing of our personal data across all govt depts. We broke for coffee
shortly after, and MoJ person left during that break. After the break
we decided not to go there...
"Theological" has nothing whatsoever to do with it, but more important
is that several people present had very strong objections to this data
sharing, based on our status as citizens in a common law country. We
seem to be creeping towards a civil law structure but without a
specific decision to go there.

Nicholas, care to comment?

Peter

[1] Information Assurance Advisory Council

From Ross.Anderson at cl.cam.ac.uk Thu Sep 10 14:48:28 2009
From: Ross.Anderson at cl.cam.ac.uk (Ross Anderson)
Date: Thu, 10 Sep 2009 14:48:28 +0100
Subject: ID Card Fail
Message-ID:

Peter Tomlinson wrote:

> Recently I was at an IAAC [1] WG where a person from Ministry of
> Justice (sounds like a pop group) passed an opinion to the effect that
> they don't think the population have any "theological objection" to
> sharing of our personal data across al govt depts.

As it happens, I just this morning gave a talk on this at Anglia.

The majority of UK citizens, according to repeated opinion polls,
object to the proposition that their personal health information should
be collected and made available for research without their consent.
Most people are prepared to say yes if asked, but most will object if
not asked.

In October last year the European Court of Justice agreed. In I v
Finland it ruled that you have the right to restrict your medical
records to the clinicians directly involved in your care.

This is actually a show-stopper. The government cannot fix it with the
majority; to escape it a UK government would have to withdraw from the
Council of Europe, repeal the Human Rights Act, and quite possibly
leave the EU.

Let's face it, it's not going to happen. Instead, public sector
organisations should obey the law - even if they don't like it - and
plan to develop future systems (and if need be redevelop existing ones)
to be ECHR-compliant.
That means, quite simply, that sensitive information cannot be shared
without consent except in specific and narrowly-defined circumstances,
as discussed in FIPR's 2006 report on Children's Databases and
elaborated in judgments since (Finland, Marper etc)

Ross

From nbohm at ernest.net Thu Sep 10 19:14:38 2009
From: nbohm at ernest.net (Nicholas Bohm)
Date: Thu, 10 Sep 2009 19:14:38 +0100
Subject: ID Card Fail
In-Reply-To: <4AA8F74E.9070301@iosis.co.uk>
Message-ID: <4AA9420E.7090107@ernest.net>

An HTML attachment was scrubbed...

From casparb at microsoft.com Fri Sep 11 19:06:12 2009
From: casparb at microsoft.com (Caspar Bowden)
Date: Fri, 11 Sep 2009 19:06:12 +0100
Subject: An apology for key escrow policy would be nice too (and something this govt *was* responsile for.....)
Message-ID: <2298D4476FA2F44591690E423F07C37B2F91B52F06@EA-EXMSG-C333.europe.corp.microsoft.com>

Govt. does right thing shock...

http://news.bbc.co.uk/2/hi/technology/8249792.stm

-- Caspar Bowden
+44 (0) 7801 881371

From wendyg at pelicancrossing.net Fri Sep 11 19:47:45 2009
From: wendyg at pelicancrossing.net (Wendy M. Grossman)
Date: Fri, 11 Sep 2009 19:47:45 +0100
Subject: An apology for key escrow policy would be nice too (and something this govt *was* responsile for.....)
In-Reply-To: <2298D4476FA2F44591690E423F07C37B2F91B52F06@EA-EXMSG-C333.europe.corp.microsoft.com>
Message-ID: <4AAA9B51.3010503@pelicancrossing.net>

Caspar Bowden wrote:
> Govt. does right thing shock...
>
> http://news.bbc.co.uk/2/hi/technology/8249792.stm
>

You wanna petition re key escrow policy...start one!

wg

From j.s.tyne at btinternet.com Sat Sep 12 09:48:30 2009
From: j.s.tyne at btinternet.com (John)
Date: Sat, 12 Sep 2009 09:48:30 +0100
Subject: Evidence Eliminator Tested
Message-ID: <8D7D87A9F6FE43019ABC1DF7125B3C2A@image3>

Without knowing the settings I can't offer any detail, but the MG Rover
report states in the conclusion of the dedicated chapter XXIV entitled
Evidence Eliminator, "that data could not be recovered and so it was
impossible to assess the importance of the material deleted."

I have sent this information because in the legal groups there has been
much speculation and uncertainty about the forensic recovery of data
after deletion using EE. I see now that forensic imaging is not all it
is cracked up to be.

John Tyne
Lake District

From lists at internetpolicyagency.com Sat Sep 12 13:03:51 2009
From: lists at internetpolicyagency.com (Roland Perry)
Date: Sat, 12 Sep 2009 13:03:51 +0100
Subject: Evidence Eliminator Tested
In-Reply-To: <8D7D87A9F6FE43019ABC1DF7125B3C2A@image3>
Message-ID:

In article <8D7D87A9F6FE43019ABC1DF7125B3C2A at image3>, John writes
>Without knowing the settings I can't offer any detail, but the MG Rover
>report states in the conclusion of the dedicated chapter XXIV entitled
>Evidence Eliminator, "that data could not be recovered and so it was
>impossible to assess the importance of the material deleted."
>
>I have sent this information because in the legal groups there has been
>much speculation and uncertainty about the forensic recovery of data
>after deletion using EE. I see now that forensic imaging is not all it
>is cracked up to be

It might depend what you are trying to show. It would seem, for example,
that EE has not covered its own tracks to the extent that there's no
evidence it was used for this purpose!

-- Roland Perry

From casparb at microsoft.com Sat Sep 12 13:10:21 2009
From: casparb at microsoft.com (Caspar Bowden)
Date: Sat, 12 Sep 2009 13:10:21 +0100
Subject: An apology for key escrow policy would be nice too (and something this govt *was* responsilbe for.....)
In-Reply-To: <4AAA9B51.3010503@pelicancrossing.net>
Message-ID: <2298D4476FA2F44591690E423F07C37B2F91B52F50@EA-EXMSG-C333.europe.corp.microsoft.com>

>>Caspar Bowden wrote:
>> Govt. does right thing shock...
>
>> http://news.bbc.co.uk/2/hi/technology/8249792.stm

>You wanna petition re key escrow policy...start one!

Well, having thought about...

- I know from having personally explained PK to more than a hundred
  journalists that it was very hard to get the media interested when it
  was a live issue. It is at the opposite end of the abstraction
  spectrum of human interest to the Turing tragedy.

- AFAIK the only reasonably self-contained description of the affair is
  still http://www.cyber-rights.org/reports/yacb.pdf. It is naff to
  start a petition in support of one's own paper. Publication delays
  meant that it ends on a cliffhanger, which as we know was resolved by
  Tony Blair saying "key escrow is not the answer" (AFAIK he didn't
  actually - when checked against delivery), about 6-9 months after the
  US reached the same conclusion, to my best assessment.
-- Caspar Bowden

From DaveHowe at gmx.co.uk Sat Sep 12 13:21:48 2009
From: DaveHowe at gmx.co.uk (Dave Howe)
Date: Sat, 12 Sep 2009 13:21:48 +0100
Subject: Evidence Eliminator Tested
In-Reply-To: <8D7D87A9F6FE43019ABC1DF7125B3C2A@image3>
Message-ID: <4AAB925C.5050206@gmx.co.uk>

John wrote:
> Without knowing the settings I can't offer any detail, but the MG Rover
> report states in the conclusion of the dedicated chapter XXIV entitled
> Evidence Eliminator, "that data could not be recovered and so it was
> impossible to assess the importance of the material deleted."
>
> I have sent this information because in the legal groups there has been
> much speculation and uncertainty about the forensic recovery of data
> after deletion using EE. I see now that forensic imaging is not all it
> is cracked up to be.
>
>
> John Tyne
> Lake District

have a few points here, really.

First, EE is massively overhyped - the authors have gained a dubious
reputation from the deliberate use of spam, adware and similar
techniques to promote their product, and it is no better (and in some
cases, worse) than free alternatives.

second, you can get the same functionality (for free!) by downloading
and using the following:

http://www.ccleaner.com/
http://eraser.heidi.ie/

and it will do a better job.

Next, on modern drives (and you can safely consider anything with more
than 200gb "modern" in this context) data overwritten even once with
zeros is effectively unretrievable - certainly it has never been
demonstrated by a competent researcher, even theoretically. If your
adversary has enough resources that he *can* do this, then you have
much bigger problems than a piece of software is going to fix.

Finally, *None* of the wiping tools work properly on flash based media
- so thumbdrives, thumbnail storage cards (used in cams and mobile
phones pretty much universally these days) and so on, due to wear
evening.
it is possible to exercise the card after a write (using the "wipe free
space" functionality of eraser, for example) to overwrite dead data
deliberately, but that will shorten the life of the card noticeably.

If you really really want your thumbdrives and other flash media to be
secure from search though, just replace them frequently - they are
cheap enough, although you might have difficulty disposing of them
securely of course (thumbnail media can be destroyed safely by a zap in
the microwave, provided you also place a glass of water in there and
use fairly short exposures) -OR- (and to bring it back more into the
realm of ukcrypto) encrypt the storage media in the first place, which
can be done cheaply or even for free (see http://www.truecrypt.org/ for
example) and just leaves you key management and provable spoilage in
case of future seizure to worry about :)

From DaveHowe at gmx.co.uk Sat Sep 12 13:26:55 2009
From: DaveHowe at gmx.co.uk (Dave Howe)
Date: Sat, 12 Sep 2009 13:26:55 +0100
Subject: Evidence Eliminator Tested
In-Reply-To:
Message-ID: <4AAB938F.3040508@gmx.co.uk>

Roland Perry wrote:
> It might depend what you are trying to show. It would seem, for example,
> that EE has not covered its own tracks to the extent that there's no
> evidence it was used for this purpose!

Indeed. is there not at least one case where the use of privacy
software was itself considered the proof that the offender had
"something to hide"?

ok, the one a quick google found -
http://www.theregister.co.uk/2005/05/25/pgp_admissable_child_abuse_case/
- was from America, but I seem to recall at least one English case too?

One of the many reasons I like 7zip - while the pgp package could be
considered suspect, who can consider having a zipfile tool on their pcs
these days suspicious?
From peter at pmsommer.com Sat Sep 12 15:19:16 2009
From: peter at pmsommer.com (Peter Sommer)
Date: Sat, 12 Sep 2009 15:19:16 +0100
Subject: Evidence Eliminator Tested
In-Reply-To: <8D7D87A9F6FE43019ABC1DF7125B3C2A@image3>
Message-ID: <4AABADE4.4000507@pmsommer.com>

The aim of forensic imaging is to preserve a disk (or other data media)
in the state it was at a particular time. A copy, which includes all
the sectors of a disk including those that might appear to be empty, is
created. Among other things, it optimises the opportunities for data
recovery while not risking any form of contamination of the original.
Since you can copy the resulting image, several people can work on the
task simultaneously and independently - copies can also go to defence
teams. But forensic imaging has nothing directly to do with data
recovery; it simply makes any subsequent attempts at doing so more
likely to be forensically sound as it can be checked.

Evidence Eliminator-type products aim to do more than simply overwrite
unused sectors - they claim to have knowledge of all the parts of a
disk in which indicators of the activity of its users may be found -
the browser cache, cookies, swap file, hibernation file, most recently
used lists, the registry, restore points etc. (and there's more in
Vista/7) Successive versions of Windows have different such features or
adopt them differently or hold data in different places. Too aggressive
a use of such products, even if good, results in a significant drop in
regular performance.

To the extent that the EE-type product is inadequate or poorly used,
there are opportunities for forensic examiners to locate material that
some-one has thought was thoroughly deleted - or at the least enough
indicators to embarrass the deleter.

I have no special knowledge of the Phoenix 4/5...

Peter Sommer

John wrote:
> Without knowing the settings I can't offer any detail, but the MG
> Rover report states in the conclusion of the dedicated chapter XXIV
> entitled Evidence Eliminator, "that data could not be recovered and
> so it was impossible to assess the importance of the material deleted."
>
> I have sent this information because in the legal groups there has
> been much speculation and uncertainty about the forensic recovery
> of data after deletion using EE. I see now that forensic imaging is
> not all it is cracked up to be.
>

From DaveHowe at gmx.co.uk  Sat Sep 12 18:02:31 2009
From: DaveHowe at gmx.co.uk (Dave Howe)
Date: Sat, 12 Sep 2009 18:02:31 +0100
Subject: Evidence Eliminator Tested
In-Reply-To: <4AABADE4.4000507@pmsommer.com>
References: <8D7D87A9F6FE43019ABC1DF7125B3C2A@image3> <4AABADE4.4000507@pmsommer.com>
Message-ID: <4AABD427.7090204@gmx.co.uk>

Peter Sommer wrote:
> The aim of forensic imaging is to preserve a disk (or other data media)
> in the state it was at a particular time. A copy, which includes all
> the sectors of a disk including those that might appear to be empty, is
> created. Among other things, it optimises the opportunities for data
> recovery while not risking any form of contamination of the original.
> Since you can copy the resulting image, several people can work on the
> task simultaneously and independently - copies can also go to defence
> teams. But forensic imaging has nothing directly to do with data
> recovery; it simply makes any subsequent attempts at doing so more
> likely to be forensically sound as it can be checked.

Indeed so.
it used to be that people were concerned about Gutmann recovery (which of course can't be done on forensic images, but only on a raw disk) but it is now accepted that because modern disks *require* error recovery to read and write reliably, any difference in remnant saturation is likely to be due to the changes in state of nearby data blocks, instead of previous incarnations of the data - rendering Magnetic force microscopy all but useless.

> Evidence Eliminator-type products aim to do more than simply overwrite
> unused sectors - they claim to have knowledge of all the parts of a disk
> in which indicators of the activity of its users may be found - the
> browser cache, cookies swap file, hibernation file, most recently used
> lists, the registry, restore points etc. (and there's more in
> Vista/7) Successive versions of Windows have different such features
> or adopt them differently or hold data in different places. Too
> aggressive a use of such products, even if good, results in a significant
> drop in regular performance.

again, agreed. caches are there for the very good reason that they accelerate access to pages, and histories make typing urls easier by the autocomplete process. similarly, lists of "last accessed" files in popular office packages can make it easier to pull up the last thing you worked on when you wish to resume work.

Again though, the free product CCleaner appears to be as effective as the commercial product, and lacks both the aggressive advertising (via email/nntp spam and popunder windows) and the phone-home behaviour reported of EE.

as has been mentioned already though, the product is unfortunately named. A product called "Personal Document Privacy Protection" could have had the same benefits but without the implication that you are concealing the evidence of a crime.

> To the extent that the EE-type product is inadequate or poorly used,
> there are opportunities for forensic examiners to locate material that
> some-one has thought was thoroughly deleted - or at the least enough
> indicators to embarrass the deleter.

or indeed, to the extent that the issue isn't known and the solutions not known (to the average user) I imagine it comes as a horrible shock just how much an experienced investigator (or your kids, or your wife in certain circumstances) can pull from browsing history and recent file history...

From bdm at fenrir.org.uk  Sat Sep 12 18:34:23 2009
From: bdm at fenrir.org.uk (Brian Morrison)
Date: Sat, 12 Sep 2009 18:34:23 +0100
Subject: Evidence Eliminator Tested
In-Reply-To: <4AABD427.7090204@gmx.co.uk>
References: <8D7D87A9F6FE43019ABC1DF7125B3C2A@image3> <4AABADE4.4000507@pmsommer.com> <4AABD427.7090204@gmx.co.uk>
Message-ID: <20090912183423.3b7b722e@peterson.fenrir.org.uk>

On Sat, 12 Sep 2009 18:02:31 +0100 Dave Howe wrote:

> Indeed so. it used to be that people were concerned about Gutmann
> recovery (which of course can't be done on forensic images, but only on
> a raw disk) but it is now accepted that because modern disks *require*
> error recovery to read and write reliably, any difference in remnant
> saturation is likely to be due to the changes in state of nearby data
> blocks, instead of previous incarnations of the data - rendering
> Magnetic force microscopy all but useless.

Always nice to know that sometimes technological process works for us and not against.

--
Brian Morrison
bdm at fenrir dot org dot uk
GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 190 bytes
Desc: not available
URL:

From otcbn at callnetuk.com  Sun Sep 13 13:00:27 2009
From: otcbn at callnetuk.com (Pete Mitchell)
Date: Sun, 13 Sep 2009 13:00:27 +0100
Subject: An apology for key escrow policy would be nice too (and something this govt *was* responsile for.....)
In-Reply-To: <2298D4476FA2F44591690E423F07C37B2F91B52F06@EA-EXMSG-C333.europe.corp.microsoft.com>
References: <2298D4476FA2F44591690E423F07C37B2F91B52F06@EA-EXMSG-C333.europe.corp.microsoft.com>
Message-ID: <4AACDEDB.5010605@callnetuk.com>

Caspar Bowden wrote on 11-09-09 19:06:
>
>
> Govt. does right thing shock...
>
> http://news.bbc.co.uk/2/hi/technology/8249792.stm

For once in my life I agree with Peter Tatchell: that Turing deserves an apology no more than the thousands of other people who were treated the same way and worse.

Actually, though, rather than any apology, I'd like politicians to learn the lessons of the past, and be compelled to apply them to the present. To be forever reminded how disgusting and dishonourable it is to pander to the masses by enacting personal moral prejudices into law.

--
Pete Mitchell

From davidh at spidacom.co.uk  Sun Sep 13 16:03:06 2009
From: davidh at spidacom.co.uk (David Hansen)
Date: Sun, 13 Sep 2009 16:03:06 +0100
Subject: An apology for key escrow policy would be nice too (and something this govt *was* responsile for.....)
In-Reply-To: <4AACDEDB.5010605@callnetuk.com>
References: <2298D4476FA2F44591690E423F07C37B2F91B52F06@EA-EXMSG-C333.europe.corp.microsoft.com>, <4AACDEDB.5010605@callnetuk.com>
Message-ID: <4AAD17BA.5656.E2FFB1@davidh.spidacom.co.uk>

On 13 Sep 2009 at 13:00, Pete Mitchell wrote:

> > http://news.bbc.co.uk/2/hi/technology/8249792.stm
>
> Actually, though, rather than any apology, I'd like politicians to
> learn the lessons of the past, and be compelled to apply them to the
> present.

That is the key point.
It is very easy for some party politician to "apologise" for something they were not responsible for which happened long ago and that sort of "apology" is largely empty.

It appears very much harder for them to apply the lessons of the past to their actions today.

--
David Hansen, Edinburgh
I will *always* explain revoked encryption keys, unless RIP prevents me
http://www.opsi.gov.uk/acts/acts2000/00023--e.htm#54

From rl.hird at orpheusmail.co.uk  Sun Sep 13 16:25:04 2009
From: rl.hird at orpheusmail.co.uk (Roger Hird)
Date: Sun, 13 Sep 2009 16:25:04 +0100
Subject: An apology for key escrow policy would be nice too (and something this govt *was* responsile for.....)
In-Reply-To: <4AAD17BA.5656.E2FFB1@davidh.spidacom.co.uk>
References: <4AACDEDB.5010605@callnetuk.com> <4AAD17BA.5656.E2FFB1@davidh.spidacom.co.uk>
Message-ID: <509a333343rl.hird@orpheusmail.co.uk>

In article <4AAD17BA.5656.E2FFB1 at davidh.spidacom.co.uk>, David Hansen wrote:

> That is the key point. It is very easy for some party politician to
> "apologise" for something they were not responsible for which happened
> long ago and that sort of "apology" is largely empty.
> It appears very much harder for them to apply the lessons of the past
> to their actions today.

Utterly off topic, I know, but it struck me years ago that if people who weren't in any way responsible for things can apologise for them, then I could apologise to everyone for everything - and save a lot of bother about demands for apologies - so one Sunday afternoon, all those years ago, I put aside 30 or 40 seconds to apologise to everyone, for everything that has ever been done. All apologies since, such as Mr Brown's, have thus been quite unnecessary and a complete waste of time.

--
Roger Hird
rl.hird at orpheusmail.co.uk
Website: http://roger.hird.orpheusweb.co.uk

From signup at bealoid.co.uk  Sun Sep 13 22:22:58 2009
From: signup at bealoid.co.uk (signup at bealoid.co.uk)
Date: Sun, 13 Sep 2009 22:22:58 +0100
Subject: Evidence Eliminator Tested
In-Reply-To: <8D7D87A9F6FE43019ABC1DF7125B3C2A@image3>
References: <8D7D87A9F6FE43019ABC1DF7125B3C2A@image3>
Message-ID: <20090913222258.13846u9y0v2tdbwg@webmail01.purplecloud.com>

Quoting John :

> Without knowing the settings I can't offer any detail, but the MG
> Rover report states in the conclusion of the dedicated chapter XXIV
> entitled Evidence Eliminator, "that data could not be recovered and
> so it was impossible to assess the importance of the material
> deleted."
>
> I have sent this information because in the legal groups there has
> been much speculation and uncertainty about the forensic recovery of
> data after deletion using EE. I see now that forensic imaging is not
> all it is cracked up to be.

You need to use threat models to decide if software like heidi's eraser / dban / etc are effective.

A single overwrite of the whole disc is probably enough to render any data on it unrecoverable. Be aware of sectors marked as bad (which may contain data and not be overwritten), of Host Protected Partitions, etc.

More overwrites, using pseudo-random data, isn't going to hurt anything. It may make your method compliant with some standards, and may make a service you offer more desirable to your customers. It'll make it look like you take data-deletion more seriously if you announce you're using some obscure standard and doing many overwrites.

Please don't say you're doing the "Gutmann Method" - it's a clear sign you don't really know what you're doing. I kind of feel a bit sorry for Peter Gutmann, that so many people have so badly misunderstood his paper, and happily mangle his message when they're selling software.

All of this only applies to whole disc deletions.
Once you start not over-writing the whole disc, and start over-writing only slack space or deleted files then all bets are off.

Don't forget that this report doesn't mean EE was tested, merely that someone used EE and someone else didn't recover data from the disc. We have no idea what methods were used to try to recover data, or what the budget was.

From signup at bealoid.co.uk  Sun Sep 13 22:37:34 2009
From: signup at bealoid.co.uk (signup at bealoid.co.uk)
Date: Sun, 13 Sep 2009 22:37:34 +0100
Subject: Evidence Eliminator Tested
In-Reply-To: <4AAB925C.5050206@gmx.co.uk>
References: <8D7D87A9F6FE43019ABC1DF7125B3C2A@image3> <4AAB925C.5050206@gmx.co.uk>
Message-ID: <20090913223734.11043xvldilvolk4@webmail01.purplecloud.com>

Quoting Dave Howe :

> -OR-
>
> (and to bring it back more into the realm of ukcrypto) encrypt the
> storage media in the first place, which can be done cheaply or even for
> free (see http://www.truecrypt.org/ for example) and just leaves you key
> management and provable spoilage in case of future seizure to worry about :)

Disc encryption is worryingly poor.

Cross-platform encryption is tricky. (For some values of tricky.) Forcing users to have another password, and a good one this time, is tricky. Some software needs the user to have admin privs.

Some vendors are hopeless. EG

http://www.engadget.com/2006/09/06/new-lacie-safe-hard-drive-trying-to-be-safer/
LaCie drive needs a fingerprint to access, but data is not encrypted, thus taking drive out of enclosure beats it

http://www.h-online.com/security/Enclosed-but-not-encrypted--/features/110136
"adverts claim 128-bit AES hardware encryption [...] The IM7206 merely uses AES encryption when saving the RFID chip's ID in the controller's flash memory. The company explained that actual data encryption is based on a proprietary algorithm." - and that proprietary algorithm? XOR

It's great to see all staff at local NHS trusts using encrypted thumb drives.
It's a bit worrying to see how many have short (less than 9 character) passwords, with a shift-key only used for the first couple of characters.

From lists at internetpolicyagency.com  Mon Sep 14 08:41:02 2009
From: lists at internetpolicyagency.com (Roland Perry)
Date: Mon, 14 Sep 2009 08:41:02 +0100
Subject: Evidence Eliminator Tested
In-Reply-To: <20090913222258.13846u9y0v2tdbwg@webmail01.purplecloud.com>
References: <8D7D87A9F6FE43019ABC1DF7125B3C2A@image3> <20090913222258.13846u9y0v2tdbwg@webmail01.purplecloud.com>
Message-ID: <1ByN5RQOOfrKFAN3@perry.co.uk>

In article <20090913222258.13846u9y0v2tdbwg at webmail01.purplecloud.com>, signup at bealoid.co.uk writes
>Don't forget that this report doesn't mean EE was tested, merely that
>someone used EE and someone else didn't recover data from the disc. We
>have no idea what methods were used to try to recover data, or what the
>budget was.

... is the only pragmatic conclusion we can draw.

--
Roland Perry

From igb at batten.eu.org  Mon Sep 14 09:11:48 2009
From: igb at batten.eu.org (Ian Batten)
Date: Mon, 14 Sep 2009 09:11:48 +0100
Subject: Evidence Eliminator Tested
In-Reply-To: <20090913222258.13846u9y0v2tdbwg@webmail01.purplecloud.com>
References: <8D7D87A9F6FE43019ABC1DF7125B3C2A@image3> <20090913222258.13846u9y0v2tdbwg@webmail01.purplecloud.com>
Message-ID: <5FA8D7C4-7E18-4BBC-AE8D-1E11D9BE6237@batten.eu.org>

On 13 Sep 09, at 2222, signup at bealoid.co.uk wrote:

> Quoting John :
>
>> Without knowing the settings I can't offer any detail, but the MG
>> Rover report states in the conclusion of the dedicated chapter XXIV
>> entitled Evidence Eliminator, "that data could not be recovered
>> and so it was impossible to assess the importance of the material
>> deleted."
>>
>> I have sent this information because in the legal groups there has
>> been much speculation and uncertainty about the forensic recovery
>> of data after deletion using EE. I see now that forensic imaging is
>> not all it is cracked up to be.
>
> You need to use threat models to decide if software like heidi's
> eraser / dban / etc are effective.
>
> A single overwrite of the whole disc is probably enough to render
> any data on it unrecoverable. Be aware of sectors marked as bad
> (which may contain data and not be overwritten), of Host Protected
> Partitions, etc.
>
> More overwrites, using pseudo-random data, isn't going to hurt
> anything.

For some value of pseudo-random. I can be confident that an endless sequence of zeros, or some other fixed pattern, is information free. If I read the disk back on another machine to confirm that it contains the pattern I wrote then modulo subversion of the disk drive firmware (not a trivial risk, of course) I'm good to go. [[ An obvious strategy would be for the disk to have more capacity than is advertised, and use the spare space to squirrel away `interesting' blocks that can be retrieved using a special driver: if I'm worried about that, physical destruction is the only route. ]]

If I deployed some strategy that the disk drive firmware could not predict to pass back fake results, though, such as writing successive blocks of the output from some shift register or repeated results of X(n)=(X(n-1)^a)%m for prime a and m forming a generator, then I'm also good to go.

What would be very, very bad would be to use:

    dd if=/dev/urandom of=/dev/rdsk/c0t0d0s2 bs=1024k

(or /dev/random) because I have absolutely no way to confirm that the data I'm writing is not derived from what I'm overwriting, nor that the disk has really taken the blocks and is going to write them to the surface.

ian

From amidgley at gmail.com  Mon Sep 14 11:09:26 2009
From: amidgley at gmail.com (Adrian Midgley)
Date: Mon, 14 Sep 2009 11:09:26 +0100
Subject: An apology for key escrow policy would be nice too (and something this govt *was* responsile for.....)
In-Reply-To: <509a333343rl.hird@orpheusmail.co.uk>
References: <4AACDEDB.5010605@callnetuk.com> <4AAD17BA.5656.E2FFB1@davidh.spidacom.co.uk> <509a333343rl.hird@orpheusmail.co.uk>
Message-ID: <140bfd110909140309l7f32199i6554d207e623f3d6@mail.gmail.com>

Was that actually the masses who wanted to maintain the laws in question though?

I assumed it was the church that set it off.

--
Adrian Midgley http://www.defoam.net/
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From igb at batten.eu.org  Mon Sep 14 15:10:27 2009
From: igb at batten.eu.org (Ian Batten)
Date: Mon, 14 Sep 2009 15:10:27 +0100
Subject: An apology for key escrow policy would be nice too (and something this govt *was* responsile for.....)
In-Reply-To: <140bfd110909140309l7f32199i6554d207e623f3d6@mail.gmail.com>
References: <4AACDEDB.5010605@callnetuk.com> <4AAD17BA.5656.E2FFB1@davidh.spidacom.co.uk> <509a333343rl.hird@orpheusmail.co.uk> <140bfd110909140309l7f32199i6554d207e623f3d6@mail.gmail.com>
Message-ID:

On 14 Sep 09, at 1109, Adrian Midgley wrote:

> Was that actually the masses who wanted to maintain the laws in
> question though?

If you held a referendum tomorrow on the topic of rescinding rights for gays, especially gay men, you'd find it would be extraordinarily popular. Perhaps not >50%, but I would want long-ish odds to bet on a liberal outcome. You're a GP in Exeter, aren't you? How much support did Adrian Rogers have? He managed quite a decent vote in 1997, on a platform that was almost exclusively about homosexuality.

Like the death penalty, it's something where the legislature is significantly more liberal than the general public.

ian

From k.brown at bbk.ac.uk  Wed Sep 16 12:05:13 2009
From: k.brown at bbk.ac.uk (ken)
Date: Wed, 16 Sep 2009 12:05:13 +0100
Subject: Verified by Visa & unknown URLs [was: Re: Co-op Bank and Verified by Visa]
In-Reply-To: <7e5092ca0906180619j419ac5a1s1a4e0145d6cd61b5@mail.gmail.com>
References: <4A025081-A09A-438E-B334-54956F14E156@ravenbrook.com> <4A3A2F20.3040608@ernest.net> <7e5092ca0906180619j419ac5a1s1a4e0145d6cd61b5@mail.gmail.com>
Message-ID: <4AB0C669.608@bbk.ac.uk>

This is now raising its ugly head here.

Many moons ago, Andrew T wrote:

> Of the four banks I mentioned, there is nothing
> to identify themselves to me outside of my name
> being in the username - which I have already
> provided. One of them uses the domain
> "securesite.co.uk" - but I have no way of telling
> this as the VbV guidelines are to embed the app so
> that you cannot inspect the URL.
>
> I realise these are specific implementation
> issues, but on the whole,
> banks seem to have made a hash of it.

We have some "kiosk" computers in a public area which can be used by any passer-by with no authentication. They provide some rather limited function through web pages.

The powers that be decided that students or prospective students ought to be able to use these machines to pay us money by credit card. (They like being paid money) So they got the IT people to allow communication between these machines and Secpay, but no other remote network location.

Of course almost as soon as that happened we started getting complaints from payers who were being redirected to verification websites that our computers were not able to access. Someone tried asking Visa or the banks what URLs or IP addresses might be used, but apparently got the brush-off.

So they are now asking IT to enable web browsing to any remote HTTPS site. Presumably they think there is some magic in HTTPS that makes a website "secure".

Plenty of "issues" in this.
Not only do very few, (even among IT "professionals") have much idea of security or cryptography, but those few aren't in the loop when management decisions are made. That's probably as true of the banks as of a university.

And the fundamental flaw of "Verified by Visa" and similar schemes is that someone you have never heard of and have no way of authenticating asks you for secrets you have shared with your bank, probably after signing an agreement not to reveal them to any third party.

Banks are now demanding that their customers do things that they were demanding they didn't do only a couple of years ago. And that most people find indistinguishable from the things that phishers and spammers ask them to do. So the banks are training their customers to behave insecurely.

(I'm sure we could solve our local problem by proxying HTTP and IP and only allowing access to sites we've seen before and verify the certificate of. But not by the start of term...)

From k.brown at bbk.ac.uk  Wed Sep 16 12:07:33 2009
From: k.brown at bbk.ac.uk (ken)
Date: Wed, 16 Sep 2009 12:07:33 +0100
Subject: An apology for key escrow policy would be nice too (and something this govt *was* responsile for.....)
In-Reply-To: <509a333343rl.hird@orpheusmail.co.uk>
References: <4AACDEDB.5010605@callnetuk.com> <4AAD17BA.5656.E2FFB1@davidh.spidacom.co.uk> <509a333343rl.hird@orpheusmail.co.uk>
Message-ID: <4AB0C6F5.2040605@bbk.ac.uk>

Roger Hird wrote:

> Utterly off topic, I know, but it struck me years ago that if people who
> weren't in any way responsible for things can apologise for them, then I
> could apologise to everyone for everything - and save a lot of bother
> about demands for apologies - so one Sunday afternoon, all those years
> ago, I put aside 30 or 40 seconds to apologise to everyone, for everything
> that has ever been done. All apologies since, such as Mr Brown's, have
> thus been quite unnecessary and a complete waste of time.

The Prime Minister wasn't making a personal apology though. He was apologising on behalf of the British government. Which, as Nicholas reminded us a few days ago presents itself as a single legal person with some sort of continuing identity that outlives the individual office-holders. The officer on watch is speaking for the ship.

From lists at internetpolicyagency.com  Wed Sep 16 14:37:16 2009
From: lists at internetpolicyagency.com (Roland Perry)
Date: Wed, 16 Sep 2009 14:37:16 +0100
Subject: Verified by Visa & unknown URLs [was: Re: Co-op Bank and Verified by Visa]
In-Reply-To: <4AB0C669.608@bbk.ac.uk>
References: <4A025081-A09A-438E-B334-54956F14E156@ravenbrook.com> <4A3A2F20.3040608@ernest.net> <7e5092ca0906180619j419ac5a1s1a4e0145d6cd61b5@mail.gmail.com> <4AB0C669.608@bbk.ac.uk>
Message-ID:

In article <4AB0C669.608 at bbk.ac.uk>, ken writes
>Banks are now demanding that their customers do things that they were
>demanding they didn't do only a couple of years ago. And that most
>people find indistinguishable from the things that phishers and
>spammers ask them to do. So the banks are training their customers to
>behave insecurely.

I'm sitting at a conference at a prestigious International organisation where in order to use the wifi you have to "allow" a certificate exception. [They appear to be using a certificate for 1.1.1.1 rather than a more sensible IP address]

--
Roland Perry

From rich at annexia.org  Thu Sep 24 13:16:32 2009
From: rich at annexia.org (Richard Jones)
Date: Thu, 24 Sep 2009 13:16:32 +0100
Subject: Contactless VISA cards
Message-ID: <20090924121632.GA22723@annexia.org>

My bank in their infinite wisdom decided to expire my old VISA card early and issue me with a new "contactless" one.

It has a logo similar to this (but smaller):

http://images.pcworld.com/news/graphics/129377-2505p026-2b.jpg

I'm dubious about important documents like this which can be read remotely. Are there known risks? How far away can they be read (in reality)?
Is the crypto on these serious and independently assessed? Should I buy a tinfoil wallet / hat / coat?

Rich.

--
Richard Jones
Red Hat

From tony.naggs at googlemail.com  Thu Sep 24 13:50:04 2009
From: tony.naggs at googlemail.com (Tony Naggs)
Date: Thu, 24 Sep 2009 13:50:04 +0100
Subject: Contactless VISA cards
In-Reply-To: <20090924121632.GA22723@annexia.org>
References: <20090924121632.GA22723@annexia.org>
Message-ID:

Hi

2009/9/24 Richard Jones wrote:
> My bank in their infinite wisdom decided to expire my old VISA card
> early and issue me with a new "contactless" one.
>
> It has a logo similar to this (but smaller):
>
> http://images.pcworld.com/news/graphics/129377-2505p026-2b.jpg
>
> I'm dubious about important documents like this which can be read
> remotely. Are there known risks?

Nothing reported, so far.

> How far away can they be read (in
> reality)?

Commercial readers typically have range of 2cm to 5cm, maybe up to 10cm in theory if the chip used only needs a little power. Getting beyond 10cm is difficult - the card is powered by the magnetic field from the reader, and high powered directional antenna (with a suitably sensitive radio receiver!) would damage cards that inadvertently got too close.

> Is the crypto on these serious and independently assessed?

The cards use standard crypto, I would expect Triple DES, SHA and RSA. The card specifications are here, I have not read them recently:
http://www.emvco.com/specifications.aspx?id=21

I am not certain whether it is a requirement, but I would expect all chips used for these cards to have been independently to standards specified by CESG (GCHQ) or another nation's equivalent:
http://www.cesg.gov.uk/products_services/iacs/cc_and_itsec/joint_int_lib.shtml

> Should I buy a tinfoil wallet / hat / coat?

Copper foil in your wallet works, otherwise something like:
https://shop.foebud.org/product_info.php?pName=rfid-card-protection-case-p-51&cName=stoprfid-c-30
or
https://shop.foebud.org/product_info.php?pName=rfidkartenschutzhuelle-p-178&cName=stoprfid-c-30

Actually that metal case seems to be identical (other than the logo) to the one, (advertised to me this morning in an insert from Amazon), at www.vistaprint.co.uk

Hope that helps.

Regards,
Tony

From pwt at iosis.co.uk  Thu Sep 24 15:22:39 2009
From: pwt at iosis.co.uk (Peter Tomlinson)
Date: Thu, 24 Sep 2009 15:22:39 +0100
Subject: Contactless VISA cards
In-Reply-To: <20090924121632.GA22723@annexia.org>
References: <20090924121632.GA22723@annexia.org>
Message-ID: <4ABB80AF.2020601@iosis.co.uk>

Visa payWave and Mastercard PayPass are almost identical, and the standard rule is that you can carry out a limited number of small payments (about 10) without having to switch over to using the contact interface and entering the PIN, or alternatively you can pay out an aggregate of up to about £80 (in less than 10 transactions) without using the PIN. The transaction in the UK is governed by EMV specifications, so simply reading the card (or sniffing the transaction with a card reader) doesn't allow a payment transaction to happen.

As it happens, yesterday I was talking to a Visa person, and others were asking him questions - the topic was public transport ticketless travel, which TfL in London are trying to implement as an alternative to the current Oyster transaction technology, and at least one PTE would like to deploy. It is clear that the rules for payment transactions in public transport are being developed at the moment, but the card companies are saying that risk sharing agreements will be entered into with the public transport operators, so that the PIN will never be needed for low value public transport transactions.
This is fine when there is one 'operator' - in London that is the operating company working on behalf of TfL as far as payment is concerned, but in other areas the arrangement is likely to be more complex. Quite what the business rules will be is still being discussed. e.g. who do you call when things go wrong? And how do you get home late at night if you are adamant that your card should work but the system says 'No'?

Otherwise, I agree with Tony N's response. But personally I deplore the unsolicited distribution of these cards that have additional contactless payment interfaces - it needs the customer to give prior approval

Peter

Richard Jones wrote:
> My bank in their infinite wisdom decided to expire my old VISA card
> early and issue me with a new "contactless" one.
>
> It has a logo similar to this (but smaller):
>
> http://images.pcworld.com/news/graphics/129377-2505p026-2b.jpg
>
> I'm dubious about important documents like this which can be read
> remotely. Are there known risks? How far away can they be read (in
> reality)? Is the crypto on these serious and independently assessed?
> Should I buy a tinfoil wallet / hat / coat?
>
> Rich.
>
>

From otcbn at callnetuk.com  Thu Sep 24 16:54:02 2009
From: otcbn at callnetuk.com (Pete Mitchell)
Date: Thu, 24 Sep 2009 16:54:02 +0100
Subject: Contactless VISA cards
In-Reply-To: <4ABB80AF.2020601@iosis.co.uk>
References: <20090924121632.GA22723@annexia.org> <4ABB80AF.2020601@iosis.co.uk>
Message-ID: <4ABB961A.9030902@callnetuk.com>

Peter Tomlinson wrote on 24-09-09 15:22:
> Visa payWave and Mastercard PayPass are almost identical, and the
> standard rule is that you can carry out a limited number of small
> payments (about 10) without having to switch over to using the contact
> interface and entering the PIN, or alternatively you can pay out an
> aggregate of up to about £80 (in less than 10 transactions) without
> using the PIN.
The transaction in the UK is governed by EMV
> specifications, so simply reading the card (or sniffing the transaction
> with a card reader) doesn't allow a payment transaction to happen.

What is it that triggers the transaction then? Presumably something the retailer does?

--
Pete Mitchell

From pwt at iosis.co.uk  Thu Sep 24 18:29:08 2009
From: pwt at iosis.co.uk (Peter Tomlinson)
Date: Thu, 24 Sep 2009 18:29:08 +0100
Subject: Contactless VISA cards
In-Reply-To: <4ABB961A.9030902@callnetuk.com>
References: <20090924121632.GA22723@annexia.org> <4ABB80AF.2020601@iosis.co.uk> <4ABB961A.9030902@callnetuk.com>
Message-ID: <4ABBAC64.40700@iosis.co.uk>

Pete Mitchell wrote:
> Peter Tomlinson wrote on 24-09-09 15:22:
>> Visa payWave and Mastercard PayPass are almost identical, and the
>> standard rule is that you can carry out a limited number of small
>> payments (about 10) without having to switch over to using the
>> contact interface and entering the PIN, or alternatively you can pay
>> out an aggregate of up to about £80 (in less than 10 transactions)
>> without using the PIN. The transaction in the UK is governed by EMV
>> specifications, so simply reading the card (or sniffing the
>> transaction with a card reader) doesn't allow a payment transaction
>> to happen.
> What is it that triggers the transaction then? Presumably something
> the retailer does?

It's an EMV transaction, so the retail terminal operates over the contactless interface rather like the more traditional payment transaction using the contact interface - but without the step that asks for the PIN. Contactless terminals compliant with ISO/IEC 14443 repeatedly poll for a card or other device, and also create the field that powers the card.
But I expect that an EMV terminal in a shop retail environment may well only generate the field and poll when told that a transaction is required, whereas a public transport ticketing terminal such as on a station gate line has the field always on and is always polling when nothing is otherwise happening.

The range between terminal and card is short because the coil in the terminal's read head and the coil in the card form a loose coupled transformer, with the power transferred dropping off very rapidly as the distance between terminal and card gets larger. The terminal can of course have the field strength set low enough to make it necessary for the card to be placed on the read head or within 1 cm or so of its surface.

Peter

From csecrime at echini.co.uk  Fri Sep 25 00:25:03 2009
From: csecrime at echini.co.uk (Chris Sundt)
Date: Fri, 25 Sep 2009 00:25:03 +0100
Subject: Contactless VISA Cards
Message-ID: <4ABBFFCF.9000009@echini.co.uk>

I may be displaying my ignorance here, but from what has been said it would appear that anyone can make purchases within limits on such a card provided it is in their possession. What redress do I have if I lose the card or it is stolen and someone decides to use it to make purchases which will, presumably, be charged to my account? How do I prove I did not make the purchases?

Chris Sundt

From pwt at iosis.co.uk  Fri Sep 25 07:44:39 2009
From: pwt at iosis.co.uk (Peter Tomlinson)
Date: Fri, 25 Sep 2009 07:44:39 +0100
Subject: Contactless VISA Cards
In-Reply-To: <4ABBFFCF.9000009@echini.co.uk>
References: <4ABBFFCF.9000009@echini.co.uk>
Message-ID: <4ABC66D7.3020006@iosis.co.uk>

Chris Sundt wrote:
> I may be displaying my ignorance here, but from what has been said it
> would appear that anyone can make purchases within limits on such a
> card provided it is in their possession.
> What redress do I have if I
> lose the card or it is stolen and someone decides to use it to make
> purchases which will, presumably, be charged to my account? How do I
> prove I did not make the purchases?

Totally agree. On Wednesday at the GMPTE conference about transport, where there was a session on Visa payWave, questions were asked about the particular environment of direct bank payment for public transport (e.g. at a London Underground gate) and the answer was that the rules are still being discussed. In public transport there should be both a bank record and a transport operator record, and the transport operator will share some of the risk for payments made to them. In the general case of using your contactless card at retail outlets, I have not heard anyone telling us how the risks will be managed (which includes how we can prove we didn't do it).

Personally, if one of these cards is mailed to me, I will claim that I did not agree to the change and will ask for an old type card. But can those of you who got one tell us if there is an activation process that you have to follow before the contactless interface is enabled?

Peter

From Piete.Brooks at cl.cam.ac.uk Fri Sep 25 06:02:48 2009
From: Piete.Brooks at cl.cam.ac.uk (Piete Brooks)
Date: Fri, 25 Sep 2009 06:02:48 +0100
Subject: Contactless VISA Cards
Message-ID:

> What redress do I have if I lose the card or it is stolen and someone
> decides to use it to make purchases which will, presumably, be charged
> to my account?

What happens if you lose your wallet with some cash in it?

From pwt at iosis.co.uk Fri Sep 25 08:51:05 2009
From: pwt at iosis.co.uk (Peter Tomlinson)
Date: Fri, 25 Sep 2009 08:51:05 +0100
Subject: Contactless VISA Cards
In-Reply-To:
References:
Message-ID: <4ABC7669.4060705@iosis.co.uk>

Piete Brooks wrote:
>> What redress do I have if I lose the card or it is stolen and someone
>> decides to use it to make purchases which will, presumably, be charged
>> to my account?
>>
> What happens if you lose your wallet with some cash in it?

It's not often that I carry £80 in my wallet. (You can offer sympathy if you wish.)

Peter

From clifford at astro.ox.ac.uk Fri Sep 25 09:30:01 2009
From: clifford at astro.ox.ac.uk (Neil Clifford)
Date: Fri, 25 Sep 2009 09:30:01 +0100
Subject: Contactless VISA Cards
In-Reply-To:
References:
Message-ID: <8DAB0E68-6BE1-42D2-A854-D53B8370FA59@astro.ox.ac.uk>

On 25 Sep 2009, at 06:02, Piete Brooks wrote:
> What happens if you lose your wallet with some cash in it?

Can I choose the limits on this contactless card myself and vary them according to the environment I'm in as I can with the cash I carry on me?

From nbohm at ernest.net Fri Sep 25 10:13:45 2009
From: nbohm at ernest.net (Nicholas Bohm)
Date: Fri, 25 Sep 2009 10:13:45 +0100
Subject: Contactless VISA Cards
In-Reply-To:
References:
Message-ID: <4ABC89C9.9090207@ernest.net>

An HTML attachment was scrubbed...
URL:

From otcbn at callnetuk.com Fri Sep 25 10:26:26 2009
From: otcbn at callnetuk.com (Pete Mitchell)
Date: Fri, 25 Sep 2009 10:26:26 +0100
Subject: Contactless VISA Cards
In-Reply-To: <4ABC66D7.3020006@iosis.co.uk>
References: <4ABBFFCF.9000009@echini.co.uk> <4ABC66D7.3020006@iosis.co.uk>
Message-ID: <4ABC8CC2.6050403@callnetuk.com>

Peter Tomlinson wrote on 25-09-09 07:44:
> Personally, if one of these cards is mailed to me, I will claim that I
> did not agree to the change and will ask for an old type card. But can
> those of you who got one tell us if there is an activation process that
> you have to follow before the contactless interface is enabled?

I raised this on the list back in November-December 2007, when my bank (Halifax) mailed me an unsolicited Paywave card (as part of a pilot scheme, they later told me). That card could be "activated" merely by using it for a retail purchase and keying in the PIN.
(I'm not sure whether "activated" is the appropriate word here; if you can use it for a purchase straightaway then it already *is* active IMO.)

Like you, I did not want the card and in fact cut it up immediately. Unfortunately Halifax had simultaneously disabled my old card, without telling me, which caused me considerable embarrassment when the card was swallowed by an ATM a few days later. They really are an awful bank.

--
Pete Mitchell

From davidh at spidacom.co.uk Fri Sep 25 12:21:24 2009
From: davidh at spidacom.co.uk (David Hansen)
Date: Fri, 25 Sep 2009 12:21:24 +0100
Subject: Contactless VISA Cards
In-Reply-To: <4ABC8CC2.6050403@callnetuk.com>
References: <4ABBFFCF.9000009@echini.co.uk>, <4ABC66D7.3020006@iosis.co.uk>, <4ABC8CC2.6050403@callnetuk.com>
Message-ID: <4ABCB5C4.16952.E58D13@davidh.spidacom.co.uk>

On 25 Sep 2009 at 10:26, Pete Mitchell wrote:

> They really are an awful bank.

All banks (and building societies) are awful. They know that they are the top dog and can jerk anyone around as much as they like. Plebs have no power to keep them in check.

It got worse some years ago when the UK government gave them the power to collect excessive information for their marketing departments, supposedly to make banking more secure but in reality to make it less secure. That indicated that banks had control of government and this was confirmed when Mr Darling mortgaged everyone, without their permission, in order to allow banksters to continue paying themselves the fat bonuses and pensions to which they felt they were entitled, no matter how badly they ran the banks.

The only thing us plebs can do is to develop alternatives, for example local currency systems. Then banks and the officials/party politicians they control can be left to wither slowly. At the moment these currency systems tend to be fairly simple and can be paper based. However, cryptography could play a part in securing the more advanced ones as they develop.
Years ago the Home Office asked on this list which organisations people trusted. It was the usual top-down approach, which also involved asymmetric trust relationships. Banks were one of the options.

--
David Hansen, Edinburgh
I will *always* explain revoked encryption keys, unless RIP prevents me
http://www.opsi.gov.uk/acts/acts2000/00023--e.htm#54

From richard at lamont.me.uk Fri Sep 25 11:01:16 2009
From: richard at lamont.me.uk (Richard Lamont)
Date: Fri, 25 Sep 2009 11:01:16 +0100
Subject: Contactless VISA cards
In-Reply-To: <20090924121632.GA22723@annexia.org>
References: <20090924121632.GA22723@annexia.org>
Message-ID: <4ABC94EC.9080308@lamont.me.uk>

Richard Jones wrote:
> My bank in their infinite wisdom decided to expire my old VISA card
> early and issue me with a new "contactless" one.

On Saturday I received a letter from Barclaycard saying they were going to replace my card with a contactless one. However, the letter gave an 0800 number I could ring to opt out and keep my current card. I rang it and it worked.

--
Richard Lamont
http://www.lamont.me.uk/
OpenPGP Key ID: 0xBD89BE41
Fingerprint: CE78 C285 1F97 0BDA 886D BA78 26D8 6C34 BD89 BE41

From rich at annexia.org Fri Sep 25 16:13:01 2009
From: rich at annexia.org (Richard Jones)
Date: Fri, 25 Sep 2009 16:13:01 +0100
Subject: Contactless VISA Cards
In-Reply-To: <4ABC66D7.3020006@iosis.co.uk>
References: <4ABBFFCF.9000009@echini.co.uk> <4ABC66D7.3020006@iosis.co.uk>
Message-ID: <20090925151301.GA31171@annexia.org>

On Fri, Sep 25, 2009 at 07:44:39AM +0100, Peter Tomlinson wrote:
> Personally, if one of these cards is mailed to me, I will claim that I
> did not agree to the change and will ask for an old type card. But can
> those of you who got one tell us if there is an activation process that
> you have to follow before the contactless interface is enabled?

Not one that I'm aware of, at least, my bank didn't tell me to do anything except sign the card.
Having said that, I don't think I've ever seen a retailer who takes these sorts of payments either, so I can't test the contactless element of the card.

Rich.

--
Richard Jones
Red Hat

From roger at hayter.org Fri Sep 25 17:27:35 2009
From: roger at hayter.org (Roger Hayter)
Date: Fri, 25 Sep 2009 17:27:35 +0100
Subject: Contactless VISA Cards
In-Reply-To: <4ABC7669.4060705@iosis.co.uk>
References: <4ABC7669.4060705@iosis.co.uk>
Message-ID:

In message <4ABC7669.4060705 at iosis.co.uk>, Peter Tomlinson writes
>Piete Brooks wrote:
>>> What redress do I have if I lose the card or it is stolen and someone
>>> decides to use it to make purchases which will, presumably, be charged
>>> to my account?
>>>
>> What happens if you lose your wallet with some cash in it?
>It's not often that I carry £80 in my wallet. (You can offer sympathy if you wish.)

Indeed. ISTR about 37 years ago my bank encouraged me to accept a credit card, avoiding the risk to me of theft being one of the main selling points.

--
Roger Hayter

From david at jellybaby.net Fri Sep 25 16:20:37 2009
From: david at jellybaby.net (David Walters)
Date: Fri, 25 Sep 2009 16:20:37 +0100
Subject: Contactless VISA Cards
In-Reply-To: <20090925151301.GA31171@annexia.org>
References: <4ABBFFCF.9000009@echini.co.uk> <4ABC66D7.3020006@iosis.co.uk> <20090925151301.GA31171@annexia.org>
Message-ID: <52ade1970909250820p5ced8c19ufbf4e921fddef9c2@mail.gmail.com>

On Fri, Sep 25, 2009 at 4:13 PM, Richard Jones wrote:
> Having said that, I don't think I've ever seen a retailer who takes
> these sorts of payments either, so I can't test the contactless
> element of the card.

I've managed to make contactless payments in Caffe Nero and National Trust tea rooms. The latter can be fun as the staff don't really understand the terminal and look very confused.
David

From cybergibbons at gmail.com Fri Sep 25 18:00:25 2009
From: cybergibbons at gmail.com (Andrew T)
Date: Fri, 25 Sep 2009 18:00:25 +0100
Subject: Contactless VISA Cards
In-Reply-To: <20090925151301.GA31171@annexia.org>
References: <4ABBFFCF.9000009@echini.co.uk> <4ABC66D7.3020006@iosis.co.uk> <20090925151301.GA31171@annexia.org>
Message-ID: <7e5092ca0909251000v2034cdd4r749684e324ce9c8@mail.gmail.com>

They've incorporated a clever security feature into the cards, being that the only thing you could buy with these is 10 copies of the Evening Standard.

Has anyone seen the terminals in place anywhere else? Why are they going to considerable expense replacing contact cards with hybrid contact/contactless?

I've not seen a good analysis of the many security implications of such a system:
* How does a user ensure that the terminal is genuine? I know that an Oyster reader is an Oyster reader. I know my building's card reader is my company's card reader. But how do I know if some guy on the street is genuine or not?
* How are the funds transferred from the terminal to the vendor's account? Is each payment signed?
* Is there any reconciliation performed at all?

Andrew

On 25/09/2009, Richard Jones wrote:
> On Fri, Sep 25, 2009 at 07:44:39AM +0100, Peter Tomlinson wrote:
>> Personally, if one of these cards is mailed to me, I will claim that I
>> did not agree to the change and will ask for an old type card. But can
>> those of you who got one tell us if there is an activation process that
>> you have to follow before the contactless interface is enabled?
>
> Not one that I'm aware of, at least, my bank didn't tell me to do
> anything except sign the card.
>
> Having said that, I don't think I've ever seen a retailer who takes
> these sorts of payments either, so I can't test the contactless
> element of the card.
>
> Rich.
>
> --
> Richard Jones
> Red Hat
>
>

--
Sent from my mobile device

Andrew

From tony.naggs at googlemail.com Fri Sep 25 18:40:58 2009
From: tony.naggs at googlemail.com (Tony Naggs)
Date: Fri, 25 Sep 2009 18:40:58 +0100
Subject: Evening Standard & contactless cards
Message-ID:

Hi

2009/9/25 Andrew T wrote:
> They've incorporated a clever security feature into the cards, being
> that the only thing you could buy with these is 10 copies of the
> Evening Standard.

The "Standard card" or "Eros Reward Card" (older cards, I think) is not a credit card, just a way of prepaying the publisher for the newspaper. The card has a serial number (also readable by magnetic stripe) and some rewritable memory to countdown credit & limit to 1 paper per day, security is probably minimal. Most likely the cheapest contactless chips used with white &/or black lists on the terminal.

The incentive to customers is that each newspaper purchased this way is initially half price, 25p rather than 50p. The offered way of topping up is as a monthly subscription: a £3/mo direct debit (approx 15p a copy) or £5/mo via SMS.

https://www.eroscard.co.uk/

I have not seen any signs saying that the Evening Standard's card readers also work with contactless credit cards. I cannot see the point as the card processing fees for each transaction are similar to debit cards, and so would be unlikely to be offered in combination with the discounted cover price.

Regards,
Tony

From pwt at iosis.co.uk Fri Sep 25 21:01:15 2009
From: pwt at iosis.co.uk (Peter Tomlinson)
Date: Fri, 25 Sep 2009 21:01:15 +0100
Subject: Contactless VISA Cards
In-Reply-To: <7e5092ca0909251000v2034cdd4r749684e324ce9c8@mail.gmail.com>
References: <4ABBFFCF.9000009@echini.co.uk> <4ABC66D7.3020006@iosis.co.uk> <20090925151301.GA31171@annexia.org> <7e5092ca0909251000v2034cdd4r749684e324ce9c8@mail.gmail.com>
Message-ID: <4ABD218B.9080102@iosis.co.uk>

Andrew,

There is a confusion here.
The Standard Card (previously Eros Card) is a private scheme run by the London Evening Standard, using their own network of contactless readers. Interestingly, transactions with the new Standard Card go through a lot faster than with the Eros Card. An online transaction over GSM link was used for the Eros Card, but I think the transactions with the Standard Card are off-line. I think there was value for 10 newspapers in the original distribution, and then you top up with an online payment transaction (debit or credit card).

As for terminals for bank contactless cards, there are indeed very few. Last year I was given (as were others at the same conference) a list of Mastercard PayPass retailers in central London, but never found one because I just wasn't motivated to do that (wrong type of retailer and/or wrong place - but I had also received a Mastercard card with £10 in its account, time limited).

Peter

Andrew T wrote:
> They've incorporated a clever security feature into the cards, being
> that the only thing you could buy with these is 10 copies of the
> Evening Standard.
>
> Has anyone seen the terminals in place anywhere else? Why are they
> going to considerable expense replacing contact cards with hybrid
> contact/contactless?
>
> I've not seen a good analysis of the many security implications of
> such a system:
> * How does a user ensure that the terminal is genuine? I know that an
> Oyster reader is an Oyster reader. I know my building's card reader is
> my company's card reader. But how do I know if some guy on the street
> is genuine or not?
> * How are the funds transferred from the terminal to the vendor's
> account? Is each payment signed?
> * Is there any reconciliation performed at all?
>
> Andrew
>
> On 25/09/2009, Richard Jones wrote:
>
>> On Fri, Sep 25, 2009 at 07:44:39AM +0100, Peter Tomlinson wrote:
>>
>>> Personally, if one of these cards is mailed to me, I will claim that I
>>> did not agree to the change and will ask for an old type card. But can
>>> those of you who got one tell us if there is an activation process that
>>> you have to follow before the contactless interface is enabled?
>>>
>> Not one that I'm aware of, at least, my bank didn't tell me to do
>> anything except sign the card.
>>
>> Having said that, I don't think I've ever seen a retailer who takes
>> these sorts of payments either, so I can't test the contactless
>> element of the card.
>>
>> Rich.
>>
>> --
>> Richard Jones
>> Red Hat
>>
>>
>>
>
>

From pwt at iosis.co.uk Fri Sep 25 21:04:19 2009
From: pwt at iosis.co.uk (Peter Tomlinson)
Date: Fri, 25 Sep 2009 21:04:19 +0100
Subject: Contactless VISA Cards
In-Reply-To: <4ABC89C9.9090207@ernest.net>
References: <4ABC89C9.9090207@ernest.net>
Message-ID: <4ABD2243.4060100@iosis.co.uk>

Nicholas Bohm wrote:
> Piete Brooks wrote:
>>> What redress do I have if I lose the card or it is stolen and someone
>>> decides to use it to make purchases which will, presumably, be charged
>>> to my account?
>>>
>> What happens if you lose your wallet with some cash in it?
>>
> Everyone knows where they stand with cash. Are bank customers being
> told that losing a contactless card is the same as losing cash (at
> least until they notice the loss and cancel it)?

Nobody has explained the conditions (or rather the variation to the conditions caused by adding the contactless interface, except for the 10 transactions / £80 rule that kicks in a contact interface transaction with PIN) to me, or, apparently, to lots of other people.
Peter

From lists at internetpolicyagency.com Sat Sep 26 23:24:10 2009
From: lists at internetpolicyagency.com (Roland Perry)
Date: Sat, 26 Sep 2009 23:24:10 +0100
Subject: Contactless VISA Cards
In-Reply-To:
References:
Message-ID:

In article , Piete Brooks writes
>> What redress do I have if I lose the card or it is stolen and someone
>> decides to use it to make purchases which will, presumably, be charged
>> to my account?
>
>What happens if you lose your wallet with some cash in it?

I paid my airport parking (~£40) the other day simply by inserting a credit card. No PIN requested. This has been a feature of many such car parks for as long as I can remember them having payment machines (rather than a man in a cabin [2]) - circa 20 years.

Rather more recently (perhaps a year) that particular car park has taken to reading the numberplate on entry and printing it on the ticket. I suspect this is a revenue-protection exercise [1] rather than capturing which car the credit card skimmer might have been driving.

Lots of railway ticket machines used to accept cards without a PIN, but have now largely been converted to C&P.

Meanwhile, if you have auto-topup on an Oyster card, it will continue to empty your bank account for as long as someone uses it, having stolen it from you.

[1] Charges in such car parks are sufficiently non-linear that I suspect it's possible for regular users acting in concert to "game" it.

[2] In Derbyshire recently I was astonished to have to seek out a man-in-a-cabin to thrust £1.50 at in order to buy a pay-and-display car park ticket a few weeks ago. He then refused to take more than £1 on the grounds that because the nearby shops were about to close I couldn't possibly want to stop more than an hour. He was right (albeit 50p poorer).
--
Roland Perry

From igb at batten.eu.org Sun Sep 27 10:39:16 2009
From: igb at batten.eu.org (Ian Batten)
Date: Sun, 27 Sep 2009 10:39:16 +0100
Subject: Contactless VISA Cards
In-Reply-To:
References:
Message-ID: <304F0834-7C2F-4764-9E17-9922BCEE5E58@batten.eu.org>

On 26 Sep 2009, at 23:24, Roland Perry wrote:
> In article , Piete Brooks
> writes
>>> What redress do I have if I lose the card or it is stolen and
>>> someone
>>> decides to use it to make purchases which will, presumably, be
>>> charged
>>> to my account?
>>
>> What happens if you lose your wallet with some cash in it?
>
> I paid my airport parking (~£40) the other day simply by inserting a
> credit card. No PIN requested. This has been a feature of many such
> car parks for as long as I can remember them having payment machines
> (rather than a man in a cabin [2]) - circa 20 years.

Indeed, the same's true of every car-park I use that takes credit cards. And the French motorway toll system. And I think (it's been a while since I used it) the M6 Toll north of Birmingham.

ian
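
Added example (not part of any message in this thread): a small Python model of the no-PIN limits Peter Tomlinson describes earlier in the thread, used to put a number on the lost-card exposure Chris Sundt asks about. The limit values are the approximate figures quoted in the thread; the counter and reset logic, and the names CardCounters and simulate, are assumptions for illustration and are not taken from the EMV specifications.

```python
"""Model of the no-PIN limits described in the thread (added example)."""
from dataclasses import dataclass

MAX_NO_PIN_COUNT = 10      # "about 10" small payments (figure from the thread)
MAX_NO_PIN_TOTAL = 80_00   # "about 80 pounds" aggregate, in pence (from the thread)


@dataclass
class CardCounters:
    """Hypothetical per-card counters since the last PIN-verified payment."""
    count: int = 0
    total_pence: int = 0

    def contactless_allowed(self, amount_pence: int) -> bool:
        """True if this payment fits inside both no-PIN limits."""
        return (self.count + 1 <= MAX_NO_PIN_COUNT
                and self.total_pence + amount_pence <= MAX_NO_PIN_TOTAL)

    def pay(self, amount_pence: int, pin_ok: bool = False) -> str:
        """Process one payment and return how it was handled."""
        if amount_pence <= 0:
            raise ValueError("amount must be positive")
        if self.contactless_allowed(amount_pence):
            self.count += 1
            self.total_pence += amount_pence
            return "contactless"
        if pin_ok:
            # Assumption: a contact transaction with PIN resets both counters.
            self.count = 0
            self.total_pence = 0
            return "contact+pin"
        # Limit reached and no PIN available: the payment does not go through.
        return "declined"

    def remaining_exposure(self) -> int:
        """Upper bound (pence) that can still be spent without the PIN."""
        if self.count >= MAX_NO_PIN_COUNT:
            return 0
        return MAX_NO_PIN_TOTAL - self.total_pence


def simulate(amounts, pin_known):
    """Run payment amounts (pence); return (outcomes, total no-PIN spend)."""
    card = CardCounters()
    outcomes = [card.pay(a, pin_ok=pin_known) for a in amounts]
    spent = sum(a for a, o in zip(amounts, outcomes) if o == "contactless")
    return outcomes, spent


if __name__ == "__main__":
    # Constructed scenario: a finder without the PIN tries twelve 7.50 payments.
    print(simulate([750] * 12, pin_known=False))
    # Constructed scenario: the cardholder, who can enter the PIN when asked.
    print(simulate([2000] * 6, pin_known=True))
```

Under these assumptions the loss from a lost card is bounded by whichever limit is reached first, and it shrinks by whatever the cardholder has already spent without a PIN since the last contact transaction.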