From james2 at jfirth.net Thu Nov 4 09:49:19 2010 From: james2 at jfirth.net (James Firth) Date: Thu, 4 Nov 2010 09:49:19 -0000 Subject: Policy, legislation and ethics in the cloud Message-ID: <001101cb7c05$8e1b36e0$aa51a4a0$@net> I was invited to Google's London HQ. The conversation centred around politics, ethics, legislation and policy for a commercially available computing fabric which transcends national borders. I added information gleaned from my visit to a blog post I've been brewing. It might be of interest for some on this list. The elastic jurisdiction http://www.slightlyrightofcentre.com/2010/11/elastic-jurisdiction.html (Short URL: http://ejf.me/aZ ) "But in a domain where the fittest - and largest - survive, who's left batting for the consumer? And importantly, who's funding the organisation batting for the consumer?" ... "Putting fear, terrorism and copyright controls aside, we are now firmly in an era characterised by the fluidity of data, yet our laws still defer to national boundaries." ... "But I believe at least one company - Google - has developed a genuine cloud computer. Perhaps the world's first true globally-distributed "gigacomputer" (my tagline). A processing fabric acting to all intents and purposes as a single computer would, but whose physical processing and storage is genuinely abstracted from the programmer or end user, and distributed around the world. " James Firth From james at cloud9.co.uk Thu Nov 4 14:48:44 2010 From: james at cloud9.co.uk (James Fidell) Date: Thu, 04 Nov 2010 14:48:44 +0000 Subject: Verfied by Visa finally gets outed In-Reply-To: References: <-2462665368518280472@unknownmsgid> Message-ID: <4CD2C7CC.1000300@cloud9.co.uk> On 19/10/10 18:30, Paul Barnfather wrote: >> Just like they've been saying since its launch. Why they went for an >> embedded (IFRAMEd) approach when world+dog could see this masked the SSL >> certificate info from all but the most curious of visitors is still beyond >> me. > > I notice they're now claiming that the "personal assurance message" is > the approved way to ensure that VbV dialog box is genuine. Coming to this thread late... Some card issuers don't even appear to allow you to set the "personal assurance message". I did have once have a card that didn't have any way to set it. I assume the message was the same for all holders of that card. Another thing that irritates about VbV is that some card issuers, whilst being happy to issue a joint card for my wife, will not allow her to have a separate VbV password yet insist that I must not disclose my own password to anyone. When I asked one issuer about this they said that I would either have to enter the password for her whenever she wanted to buy anything online (not particularly helpful if we're not in the same place) or she would not be able to use the card for online purchases. James From richard at highwayman.com Tue Nov 9 14:13:03 2010 From: richard at highwayman.com (Richard Clayton) Date: Tue, 9 Nov 2010 14:13:03 +0000 Subject: Consultation on change to RIP interception definition Message-ID: There is a brand new consultation from the Home Office which aims to fix the deficiencies in UK interception law that were identified as a result of the Phorm debacle... ... viz: removing the defence of reasonably believing you have permission to intercept [modifying 3(1)] and giving the Interception of Communications Commissioner a new power to impose a civil penalty for intercepting without such permission [they think that maybe the police wouldn't be consistent -- and if BT broke the law again then there would be 52 parallel investigations, hmmm isn't this devolved so should be 47?]... The consultation only runs to the 7th December (no explanation is included as to why the normal timescale guidelines are not being adhered to -- which I wildly speculate is to beat the timetable for being dragged into court in Luxembourg) The consultation isn't yet on any of the myriad Home Office websites... doubtless cuts in webmasters are to blame for that, and it will turn up real soon now! (hello Simon!) -- richard Richard Clayton Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 185 bytes Desc: not available URL: From zenadsl6186 at zen.co.uk Tue Nov 9 23:15:23 2010 From: zenadsl6186 at zen.co.uk (Peter Fairbrother) Date: Tue, 09 Nov 2010 23:15:23 +0000 Subject: Consultation on change to RIP interception definition In-Reply-To: References: Message-ID: <4CD9D60B.6010903@zen.co.uk> Richard Clayton wrote: > There is a brand new consultation from the Home Office which aims to fix > the deficiencies in UK interception law that were identified as a result > of the Phorm debacle... > > ... viz: removing the defence of reasonably believing you have > permission to intercept [modifying 3(1)] I don't think that was or is the real deficiency in interception law - the problem is more in a lack of enforcement. However as they will change 3(1) no matter what the consultation says (in my experience when they put out a consultation they have already mostly decided what they are going to do), I first ask whether the proposed change makes it a strict liability offence? In criminal law there is the element of "mens rea", the guilty mind, and in general someone with a reasonable belief that they are not doing something unlawful or illegal is not guilty of a crime. They added the bit about reasonable belief to 3(1) for some reason - does anyone know why? Is is about strict liability or something else? If the change doesn't make it a strict liability offence (and I wouldn't like to see that) but merely makes it much more the responsibility of the interceptor to ensure that they have permission to intercept (while the very occasional innocent failure would be covered by mens rea), that would be an acceptable change. Even better would be a requirement (as above) on the interceptor to ensure he has express permission to intercept, not just implicit permission, and that's express permission from both parties to the communication. That might actually be worth changing 3(1) for, to something like: 1) Conduct by any person consisting in the interception of a communication is authorised by this section if the communication is one which is both? (a) a communication sent by a person who has expressly consented to the interception; and (b) a communication the intended recipient of which has expressly consented to the interception. But I'm not a Parliamentary Draftsman, and there are lots of possible pitfalls, I don't claim to have considered them all. For instance, should the permission be expressed directly to the interceptor, how obvious should it be, or how much will a general expressed permission do - I'd rather not have a permission hidden in a click-though agreement for games software allowing permission to intercept comms with my bank, thankyouverymuch. > and giving the Interception of Communications Commissioner a new power > to impose a civil penalty for intercepting without such permission [they > think that maybe the police wouldn't be consistent -- and if BT broke > the law again then there would be 52 parallel investigations, hmmm isn't > this devolved so should be 47?]... The real deficiency was and is in the lack of anyone to enforce the law - and the CC is the wrong person to do that, it's a criminal offence after all, not a civil one, and civil penalties are not appropriate. It's properly a Police function. Giving the CC the power to require the Police to bring a case, or at least prepare a case and present to to the DPP - might be a help. Better, it's quite common for the Police to go up to someone and say "what you are doing is illegal, please stop doing it" - the CC (or perhaps the Information Commissioner would be better?) could take on that role, issuing "cease and desist" notices. I for one am far more interested in seeing BT not doing interceptions than in seeing them punished for doing them. -- Peter Fairbrother From lists at internetpolicyagency.com Tue Nov 9 21:21:09 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Tue, 9 Nov 2010 21:21:09 +0000 Subject: Consultation on change to RIP interception definition In-Reply-To: References: Message-ID: In article , Richard Clayton writes >There is a brand new consultation from the Home Office which aims to fix >the deficiencies in UK interception law that were identified as a result >of the Phorm debacle... > >... viz: removing the defence of reasonably believing you have >permission to intercept [modifying 3(1)] > >and giving the Interception of Communications Commissioner a new power >to impose a civil penalty for intercepting without such permission [they >think that maybe the police wouldn't be consistent -- and if BT broke >the law again then there would be 52 parallel investigations, hmmm isn't >this devolved so should be 47?]... Too late to suggest they take a look at the doormat issues I suppose? (ie when does an email become no longer in transmission, in any sense) -- Roland Perry From fjmd1a at gmail.com Wed Nov 10 07:53:28 2010 From: fjmd1a at gmail.com (Francis Davey) Date: Wed, 10 Nov 2010 07:53:28 +0000 Subject: Consultation on change to RIP interception definition In-Reply-To: <4CD9D60B.6010903@zen.co.uk> References: <4CD9D60B.6010903@zen.co.uk> Message-ID: On 9 November 2010 23:15, Peter Fairbrother wrote: > > I don't think that was or is the real deficiency in interception law - the > problem is more in a lack of enforcement. However as they will change 3(1) > no matter what the consultation says (in my experience when they put out a > consultation they have already mostly decided what they are going to do), I > first ask whether the proposed change makes it a strict liability offence? Not if section 1 (the substantive offence) remains the same, eg s1(1): "(1)It shall be an offence for a person intentionally and without lawful authority to intercept, at any place in the United Kingdom, any communication in the course of its transmission by means of?" The phrase "intentionally" is the required mental state. The change to 3 would mean that absence of lawful authority under 3 would be a strict element. -- Francis Davey From richard at highwayman.com Wed Nov 10 09:58:53 2010 From: richard at highwayman.com (Richard Clayton) Date: Wed, 10 Nov 2010 09:58:53 +0000 Subject: Consultation on change to RIP interception definition In-Reply-To: References: Message-ID: In article , Richard Clayton writes >There is a brand new consultation from the Home Office which aims to fix >the deficiencies in UK interception law that were identified as a result >of the Phorm debacle... [..] >The consultation isn't yet on any of the myriad Home Office websites... >doubtless cuts in webmasters are to blame for that, and it will turn up >real soon now! (hello Simon!) Now visible: -- richard Richard Clayton Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 185 bytes Desc: not available URL: From zenadsl6186 at zen.co.uk Wed Nov 10 10:27:45 2010 From: zenadsl6186 at zen.co.uk (Peter Fairbrother) Date: Wed, 10 Nov 2010 10:27:45 +0000 Subject: Consultation on change to RIP interception definition In-Reply-To: References: <4CD9D60B.6010903@zen.co.uk> Message-ID: <4CDA73A1.2020807@zen.co.uk> Francis Davey wrote: > On 9 November 2010 23:15, Peter Fairbrother wrote: >> I don't think that was or is the real deficiency in interception law - the >> problem is more in a lack of enforcement. However as they will change 3(1) >> no matter what the consultation says (in my experience when they put out a >> consultation they have already mostly decided what they are going to do), I >> first ask whether the proposed change makes it a strict liability offence? > > Not if section 1 (the substantive offence) remains the same, eg s1(1): > > "(1)It shall be an offence for a person intentionally and without > lawful authority to intercept, at any place in the United Kingdom, any > communication in the course of its transmission by means of?" > > The phrase "intentionally" is the required mental state. I don't understand that. Suppose the action was intentional in that the person making it knew it would be an interception, rather than a mistake which had the effect of intercepting, is that enough for the "intentional" bit? And then if the person making the action had a good but mistaken reason to believe it was legal - is he then guilty? > The change to > 3 would mean that absence of lawful authority under 3 would be a > strict element. Or does that mean if the reason above was eg a mistaken belief that permission had been granted under 3(1), but in fact it had not, then he is automatically guilty? No mens rea required, so it's pretty nearly a strict liability offence? Does there have to be language in the revised 3 to make it so, or is mens rea assumed? Confused, -- Peter Fairbrother From igb at batten.eu.org Wed Nov 10 11:07:46 2010 From: igb at batten.eu.org (Ian Batten) Date: Wed, 10 Nov 2010 11:07:46 +0000 Subject: Consultation on change to RIP interception definition In-Reply-To: References: Message-ID: On 10 Nov 2010, at 09:58, Richard Clayton wrote: > lawful-intercep/ripa-amend-effect-lawful-incep While searching on the website to try to deal with the mangling of the URL (looks like Turnpike is line folding on '-' a URL in text/plain, which my client then won't reassemble) I stumbled on this: http://www.homeoffice.gov.uk/about-us/freedom-of-information/released-information1/foi-archive-crime/12307_docs_used_prep_APPG_IMP/12307_1_docs_prep_APPG_IMP?view=Binary From lists at internetpolicyagency.com Wed Nov 10 11:41:14 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Wed, 10 Nov 2010 11:41:14 +0000 Subject: Consultation on change to RIP interception definition In-Reply-To: References: Message-ID: In article , Ian Batten writes >(looks like Turnpike is line folding on '-' a URL in text/plain, which my client then won't reassemble) OT: It is, but that's white space and should be ignored. Plus the <> delimiters give the client a massive hint where the end of the url is to be found. -- Roland Perry From richard at highwayman.com Wed Nov 10 13:04:24 2010 From: richard at highwayman.com (Richard Clayton) Date: Wed, 10 Nov 2010 13:04:24 +0000 Subject: Consultation on change to RIP interception definition In-Reply-To: References: Message-ID: In article , Ian Batten writes >On 10 Nov 2010, at 09:58, Richard Clayton wrote: > >> lawful-intercep/ripa-amend-effect-lawful-incep > >While searching on the website to try to deal with the mangling of the URL >(looks like Turnpike is line folding on '-' a URL in text/plain, which my >client >then won't reassemble) Appendix C of RFC 3986 may be of use to the Apple Mail developers; although they and others will find heuristics far more useful than standards documents, and (as in so many areas) nothing substitutes for experience and an open mind! -- richard Richard Clayton Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 185 bytes Desc: not available URL: From igb at batten.eu.org Wed Nov 10 13:54:18 2010 From: igb at batten.eu.org (Ian Batten) Date: Wed, 10 Nov 2010 13:54:18 +0000 Subject: Consultation on change to RIP interception definition In-Reply-To: References: Message-ID: On 10 Nov 2010, at 09:58, Richard Clayton wrote: > In article , Richard Clayton > writes > >> There is a brand new consultation from the Home Office which aims to fix >> the deficiencies in UK interception law that were identified as a result >> of the Phorm debacle... > > [..] > >> The consultation isn't yet on any of the myriad Home Office websites... >> doubtless cuts in webmasters are to blame for that, and it will turn up >> real soon now! (hello Simon!) > > Now visible: > > lawful-intercep/ripa-amend-effect-lawful-incep> Given that potential value of an interception-based advertising proposition, and the investment that would be involved in setting it up, ?10K (page 5 (*)) is neither here nor there. The rest of the document describes a complex system of appeals and submissions to make sure that a CSP will realistically not even have to pay this piece of loose change if they don't want to. If the document made it clear that the penalty was ?10000 per customer (ie: install an illicit DPI capability on your million-customer ISP network, write a cheque for ten billion) then it would be one thing, but that's clearly not the intent. Another free pass for CSPs from the Home Office: pay at most ten grand, get a license to intercept. The reasons for not making it a criminal penalty are laughable, too: crimes that take place in multiple jurisdictions are hardly new or unique to RIPA, and if the response is to make them non-crimes then criminals just need to make sure they drive across a county boundary in the course of any fraud. There's no mechanism to stop CSPs from performing "illegal" interception so long as they continue to pay ?10K once in a while: there's no provision for injunctive relief, for example. The document makes it clear that the changes are being wrung at gunpoint by the EU, but has been written with the intent of giving the CSPs a soft ride. ?10K simply isn't a plausible penalty to modify their behaviour in any way, and because the penalities will be imposed without a public process there isn't even the PR shame of being convicted. It's also a load of regulator capture bollocks. For example, > If the IoCC decided not to impose a penalty he would have to inform the provider of his decision. He wouldn't have to tell the person who brought the complaint, though, or anyone else. So it's a secret tribunal which either "fines" the CSP in private, or doesn't fine them, also in private. > Having served the monetary penalty notice, the IoCC would be able to vary or cancel a monetary penalty, but he could not vary the notice in a way that would be detrimental to the provider, for example by increasing the penalty. How nice that the interests of the poor CSP are so protected. > It would be open to a CSP to ask the IoCC to vary or cancel any civil monetary penalty notice that is served. Again: regulator capture. Does the Home Office have the slightest interest in any party to this discussion other than making life easy for CSPs? ian (*) I would cite more accurately, but the new low-cost Home Office is saving electrons by not putting page or paragraph numbers in their documents, but it's the fifth page of the document. From zenadsl6186 at zen.co.uk Wed Nov 10 15:58:44 2010 From: zenadsl6186 at zen.co.uk (Peter Fairbrother) Date: Wed, 10 Nov 2010 15:58:44 +0000 Subject: Consultation on change to RIP interception definition In-Reply-To: References: Message-ID: <4CDAC134.2070402@zen.co.uk> Ian Batten wrote: > Richard Clayton wrote: >> >>> There is a brand new consultation from the Home Office which aims >>> to fix the deficiencies in UK interception law that were >>> identified as a result of the Phorm debacle... >> > lawful-intercep/ripa-amend-effect-lawful-incep> > > Given that potential value of an interception-based advertising > proposition, and the investment that would be involved in setting it > up, ?10K (page 5 (*)) is neither here nor there. I think you missed this bit: the ?10k is for unintentional interceptions, a new additional civil offense. It only applies to CSPs. AFAICS the criminal offence of intentional interception will continue as-is. Yes they have made a dog's dinner of the proposals, but I don't think it's quite as bad as you make out, and it isn't a license to intercept. As soon as the ISP is fined, or perhaps even as soon as the issue is raised by the IoCC, the ISP has to stop what it was doing, as it is now aware that what it was doing was/is interception, and if it continues it will be intentionally intercepting, which is a different, criminal not civil, offense, with prison terms attached. On one specific point, on Page 6 it says: "If the IoCC decided to impose a penalty, the IoCC could, in addition, serve an enforcement notice on the CSP requiring it to halt the interception that is the subject of the notice." I think the IoCC, and maybe any Crown Court as well, should be able to serve an enforcement notice without imposing a penalty. And I still think the Information Commissioner is a better person to deal with this, rather than the IoCC - maybe the IoCC should deal in cases when there may be an interception warrant involved, and the IC in other cases? The IoCC keeps his stuff secret, the IC doesn't. On another matter, there is one bit in the document I don't understand at all, it's in the first part, which deals with the granting of consent, page 3: " The current provisions do not provide the required clarity. This is because ?reasonable grounds for believing? is open to different interpretations. We intend to remove the ambiguity in section 3(1), and thereby ensure that the provision is consistent with the definition of ?consent? supplied by Article 5(1) of the E-Privacy Directive and Article 2(h) of the Data Protection Directive. The Directives make clear that consent to interceptions of electronic communications by persons other than users must be ?freely given specific and informed?. " The bit I don't understand is the "persons other than users" bit. I don't have a clue what they mean by that. Otherwise that part seems not-too-bad too, IF the changes actually do what they say they will. -- Peter Fairbrother From pwt at iosis.co.uk Wed Nov 10 16:54:56 2010 From: pwt at iosis.co.uk (Peter Tomlinson) Date: Wed, 10 Nov 2010 16:54:56 +0000 Subject: Consultation on change to RIP interception definition In-Reply-To: References: Message-ID: <4CDACE60.8080204@iosis.co.uk> Thunderbird makes the same mistake. Peter Roland Perry wrote: > In article , Ian > Batten writes > >> (looks like Turnpike is line folding on '-' a URL in text/plain, >> which my client then won't reassemble) > > OT: It is, but that's white space and should be ignored. Plus the <> > delimiters give the client a massive hint where the end of the url is > to be found. From iptv at gn.apc.org Wed Nov 10 17:39:10 2010 From: iptv at gn.apc.org (IPTV) Date: Wed, 10 Nov 2010 17:39:10 +0000 Subject: ITV News at Ten tonight (10 November 2010) In-Reply-To: <4CD2C7CC.1000300@cloud9.co.uk> References: <-2462665368518280472@unknownmsgid> <4CD2C7CC.1000300@cloud9.co.uk> Message-ID: <6.2.5.6.2.20101110145541.03adf108@gn.apc.org> ITN are broadcasting a report on the use of computer evidence in Operation Ore at 10pm this evening. ITN have obtained documents under FOI written inside police forces by officers who recorded concern about flaws in the computer evidence when the Operation was first launched. They have interviewed one ex-officer who tried to issue warnings at the beginning. I am asked for comments. The report is linked to a Court of Appeal hearing starting on Thursday 11 November in which a group of defendants hope to unseat the way computer records were used, and evidence of card fraud was suppressed. While not directly on the topic, this operation has in significant part been the driver for implementing RIPA part III and advocating further regulation, surveillance and data retention. Duncan Campbell IPTV Ltd Concorde House 18 Margaret Street Brighton BN2 1TS United Kingdom Phone : 01273 818045 +44 1273 818045 E-mail iptv at gn.apc.org From igb at batten.eu.org Wed Nov 10 19:48:32 2010 From: igb at batten.eu.org (Ian Batten) Date: Wed, 10 Nov 2010 19:48:32 +0000 Subject: Consultation on change to RIP interception definition In-Reply-To: <4CDAC134.2070402@zen.co.uk> References: <4CDAC134.2070402@zen.co.uk> Message-ID: On 10 Nov 2010, at 15:58, Peter Fairbrother wrote: > Ian Batten wrote: >> Richard Clayton wrote: >>>> There is a brand new consultation from the Home Office which aims >>>> to fix the deficiencies in UK interception law that were identified as a result of the Phorm debacle... > >>> >> lawful-intercep/ripa-amend-effect-lawful-incep> >> Given that potential value of an interception-based advertising proposition, and the investment that would be involved in setting it up, ?10K (page 5 (*)) is neither here nor there. > > I think you missed this bit: the ?10k is for unintentional > interceptions, a new additional civil offense. It only applies to CSPs. AFAICS the criminal offence of intentional interception will continue as-is. But we've already seen that that legislation is regarded by the police as unenforceable: City of London Police originally said that as far as they're concerned RIPA only applies to the government, and all the arguments adduced by the consultation as to why it's not practical for the police to investigate "unintentional" interception apply equally to "intentional". The investigation into the Phorm debacle hasn't produced an outcome, hasn't been resourced and is going to be longer running, and with a less convincing outcome, than the company themselves. Under the new situation, you can put up a hooky DPI solution, claim you didn't realise it constituted interception (the defence BT would use in court, were it to get to court, which it won't) and be at most ?10K worse off. Given actually doing due diligence would cost more than that (get in a lawyer, a network architect for a week and you've spent that already) it's a free pass. Rather than finding out if something's actually going to transgress RIPA, you just close your eyes to the problem and plead ignorance if it goes wrong. Why spend ?20K when you're assured of only being fined ?10K? > > As soon as the ISP is fined, or perhaps even as soon as the issue is > raised by the IoCC, the ISP has to stop what it was doing, as it is now > aware that what it was doing was/is interception, and if it continues it > will be intentionally intercepting, which is a different, criminal not > civil, offense, with prison terms attached. Yes, as we've seen in the BT/Phorm debacle, it's a crime that the police and the DPP are keen to investigate with all speed and diligence. No, wait... ian From Andrew.Cormack at ja.net Wed Nov 10 20:15:39 2010 From: Andrew.Cormack at ja.net (Andrew Cormack) Date: Wed, 10 Nov 2010 20:15:39 +0000 Subject: Consultation on change to RIP interception definition In-Reply-To: References: Message-ID: > -----Original Message----- > From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto- > bounces at chiark.greenend.org.uk] On Behalf Of Richard Clayton > Sent: 09 November 2010 14:13 > To: UKcrypto at chiark.greenend.org.uk > Subject: Consultation on change to RIP interception definition > > There is a brand new consultation from the Home Office which aims to > fix > the deficiencies in UK interception law that were identified as a > result > of the Phorm debacle... > > ... viz: removing the defence of reasonably believing you have > permission to intercept [modifying 3(1)] Apologies if I'm missing something, but does the consultation document, or anything else, reveal what the proposed "changes to section 3(1)" actually are? As far as I can see the only statement is that they will "remove the ambiguity", which is nice, but if I'm going to comment on whether I agree with the proposed changes then I'd rather like to know what the new text will look like. I may be reading too much into the consultation document, but Peter's suggestion of deleting ", or which that person has reasonable grounds for believing," from 3(1) would only be one change, whereas the consultation doc refers to plural "changes". Andrew -- Andrew Cormack, Chief Regulatory Adviser, JANET(UK) Lumen House, Library Avenue, Harwell Science and Innovation Campus, Didcott. OX11 0SG UK Phone: +44 (0) 1235 822302 Blog: http://webmedia.company.ja.net/edlabblogs/regulatory-developments/ JANET, the UK's education and research network JANET(UK) is a trading name of The JNT Association, a company limited by guarantee which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG From joel at jdh.myzen.co.uk Thu Nov 11 01:11:54 2010 From: joel at jdh.myzen.co.uk (joel at jdh.myzen.co.uk) Date: Thu, 11 Nov 2010 01:11:54 +0000 Subject: Consultation on change to RIP interception definition Message-ID: Andrew Cormack wrote : > Apologies if I'm missing something, but does the consultation document, or > anything else, reveal what the proposed "changes to section 3(1)" actually are? > As far as I can see the only statement is that they will "remove the ambiguity", > which is nice, but if I'm going to comment on whether I agree with the proposed > changes then I'd rather like to know what the new text will look like. I agree - it's pretty tough to argue with the objective of removing ambiguity, but the document doesn't actually make clear how this will be achieved. Joel From pwt at iosis.co.uk Thu Nov 11 08:04:03 2010 From: pwt at iosis.co.uk (Peter Tomlinson) Date: Thu, 11 Nov 2010 08:04:03 +0000 Subject: ITV News at Ten tonight (10 November 2010) In-Reply-To: <6.2.5.6.2.20101110145541.03adf108@gn.apc.org> References: <-2462665368518280472@unknownmsgid> <4CD2C7CC.1000300@cloud9.co.uk> <6.2.5.6.2.20101110145541.03adf108@gn.apc.org> Message-ID: <4CDBA373.1070607@iosis.co.uk> If you missed it (as I did), the clip is at: http://www.itv.com/news/paedophile-case-flaws08044 (I know very well a family where a young adult with quite severe Aspergers became involved in a ring who abused children and exchanged pictures - sadly he cannot make his own judgements and thus was easily led. The problem now is what can be done to help him when he finishes his sentence - I favour guiding him into a closed community where his undoubted skills in civil engineering can be harnessed to give him a satisfying but safe life as well as benefiting that community. If anyone on the list can offer advice, please contact me privately: peter at salendine.plus.com.) Peter IPTV wrote: > > ITN are broadcasting a report on the use of computer evidence in > Operation Ore at 10pm this evening. > > ITN have obtained documents under FOI written inside police forces by > officers who recorded concern about flaws in the computer evidence > when the Operation was first launched. They have interviewed one > ex-officer who tried to issue warnings at the beginning. I am asked > for comments. > > The report is linked to a Court of Appeal hearing starting on Thursday > 11 November in which a group of defendants hope to unseat the way > computer records were used, and evidence of card fraud was suppressed. > > While not directly on the topic, this operation has in significant > part been the driver for implementing RIPA part III and advocating > further regulation, surveillance and data retention. > > Duncan Campbell > > > IPTV Ltd > Concorde House > 18 Margaret Street > Brighton BN2 1TS > United Kingdom > > Phone : 01273 818045 +44 1273 818045 > > E-mail iptv at gn.apc.org > > > > From Andrew.Cormack at ja.net Thu Nov 11 09:01:03 2010 From: Andrew.Cormack at ja.net (Andrew Cormack) Date: Thu, 11 Nov 2010 09:01:03 +0000 Subject: Consultation on change to RIP interception definition In-Reply-To: References: Message-ID: > -----Original Message----- > From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto- > bounces at chiark.greenend.org.uk] On Behalf Of joel at jdh.myzen.co.uk > Sent: 11 November 2010 01:12 > To: UK Cryptography Policy Discussion Group > Subject: RE: Consultation on change to RIP interception definition > > Andrew Cormack wrote : > > Apologies if I'm missing something, but does the consultation > document, or > > anything else, reveal what the proposed "changes to section 3(1)" > actually are? > > As far as I can see the only statement is that they will "remove the > ambiguity", > > which is nice, but if I'm going to comment on whether I agree with > the proposed > > changes then I'd rather like to know what the new text will look > like. > > I agree - it's pretty tough to argue with the objective of removing > ambiguity, but the document doesn't actually make clear how this will > be achieved. > > Joel Hmmm. It's tempting to reply to the HO's consultation question of "how will this affect CSPs?" by saying that it'll make 3(1) useless since, as discussed on the list last time around, the CSP will never know whether the "person" who indicated consent (however that's implemented) is still the "person" sitting at the keyboard. Not just the question of whether the "subscriber" has consented on behalf of all users of the account, but whether one user has handed the keyboard to another since clicking "I agree" :( Actually I'm struggling to think how a 3(1) that was dependent on the *fact* of whether that person had consented (which I think would be the effect of deleting the "reasonable belief" clause: Francis?) could ever be safely relied on by anyone. So maybe the net effect of the proposed change will actually be to delete the whole of 3(1)??? On another topic: does anyone know if Ireland has an equivalent of RIPA Pt III? http://www.independent.ie/national-news/anglo-chiefs-facing-quiz-on-missing-passwords-2413749.html Andrew -- Andrew Cormack, Chief Regulatory Adviser, JANET(UK) Lumen House, Library Avenue, Harwell Science and Innovation Campus, Didcott. OX11 0SG UK Phone: +44 (0) 1235 822302 Blog: http://webmedia.company.ja.net/edlabblogs/regulatory-developments/ JANET, the UK's education and research network JANET(UK) is a trading name of The JNT Association, a company limited by guarantee which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG From pwt at iosis.co.uk Thu Nov 11 10:01:59 2010 From: pwt at iosis.co.uk (Peter Tomlinson) Date: Thu, 11 Nov 2010 10:01:59 +0000 Subject: Consultation on change to RIP interception definition In-Reply-To: References: Message-ID: <4CDBBF17.3070209@iosis.co.uk> Andrew Cormack wrote: > Hmmm. It's tempting to reply to the HO's consultation question of "how will this affect CSPs?" by saying that it'll make 3(1) useless since, as discussed on the list last time around, the CSP will never know whether the "person" who indicated consent (however that's implemented) is still the "person" sitting at the keyboard. Not just the question of whether the "subscriber" has consented on behalf of all users of the account, but whether one user has handed the keyboard to another since clicking "I agree" :( > > Actually I'm struggling to think how a 3(1) that was dependent on the *fact* of whether that person had consented (which I think would be the effect of deleting the "reasonable belief" clause: Francis?) could ever be safely relied on by anyone. So maybe the net effect of the proposed change will actually be to delete the whole of 3(1)??? It seems to me that the assumption will be that the owner of the account will have given consent on behalf of all users of the account (typically of that keyboard). So consent ought to be given in some secure manner (a) that is logged in a way that can be verified and, if the user wishes, changed, and (b) that, if consent has been given, ensures that an informative logo is always displayed in each browser window. Peter From lists at internetpolicyagency.com Thu Nov 11 12:38:11 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Thu, 11 Nov 2010 12:38:11 +0000 Subject: Consultation on change to RIP interception definition In-Reply-To: <4CDBBF17.3070209@iosis.co.uk> References: <4CDBBF17.3070209@iosis.co.uk> Message-ID: In article <4CDBBF17.3070209 at iosis.co.uk>, Peter Tomlinson writes >It seems to me that the assumption will be that the owner of the >account will have given consent on behalf of all users of the account >(typically of that keyboard). So consent ought to be given in some >secure manner (a) that is logged in a way that can be verified and, if >the user wishes, changed, If the CSP was a PAYG (or free) wifi point, that would add a whole extra layer to the sign-up process. Plus all CSPs having to add some sort of permanently accessible account parameters. I now that the transparency is desirable, but worry about the implementation. >and (b) that, if consent has been given, ensures that an informative >logo is always displayed in each browser window. How would that work - the CSP intercepting every web page and adding something that he fondly believes every browser in the world would display? ps HTTP is not the only protocol on the Internet. -- Roland Perry From fjmd1a at gmail.com Thu Nov 11 12:44:43 2010 From: fjmd1a at gmail.com (Francis Davey) Date: Thu, 11 Nov 2010 12:44:43 +0000 Subject: Consultation on change to RIP interception definition In-Reply-To: References: Message-ID: On 11 November 2010 09:01, Andrew Cormack wrote: > > > Actually I'm struggling to think how a 3(1) that was dependent on the *fact* of whether that person had consented (which I think would be the effect of deleting the "reasonable belief" clause: Francis?) could ever be safely relied on by anyone. So maybe the net effect of the proposed change will actually be to delete the whole of 3(1)??? > To answer this and Peter's question. At the moment the section 1(1) offence has two elements (that's how I read the "and"): first the action must be intentional, so accidentally or negligently permitting something that amounts to interception is not enough, the prosecution must prove intention. The crime is therefore one of specific intent (so for example could not be committed by someone too intoxicated to form the necessary intention). The intention obvious question is whether the acts intended are just the interception, or whether there needs to be intention to do so without lawful authority. My reading is that the two are separable (the "and"). There needs to be no intention to do the act without lawful authority. The second element is that the action is "without lawful authority". This looks to me like something that would have to be raised by the defence, but if raised would then have to be proved by the prosecution (caveat: I don't do crime, so someone else may know more about this than I). As things stand the second element also has a mental element in that if section 3(1) is relied on as a basis for lawful authority, the prosecution will need to prove both that (i) conditions (a) and (b) were not met and (ii) that the defendant had no reasonable ground for believing they were met. A mistaken and honest but unreasonable belief that (a) and (b) hold will not amount to lawful authority and so a defence based on such a belief and s3(1) would fail. There are circumstances where a genuine but unreasonable belief in a state of affairs is a good defence, for example in R v Williams (Gladstone) (1984) 78 Cr App R 276, where the defendant believed, unreasonably, that a police officer conducting an arrest was actually committing an assault and ran to the defence of the person being arrested. Removing "unreasonable belief" from s3(1) wouldn't emasculate it utterly - you would still be able to require the prosecution to prove that (a) and (b) weren't met - but it seriously reduces the scope of "lawful authority" and that part of the test then becomes one of strict liability. I hope that's clear and/or helpful. -- Francis Davey From james2 at jfirth.net Thu Nov 11 13:31:21 2010 From: james2 at jfirth.net (James Firth) Date: Thu, 11 Nov 2010 13:31:21 -0000 Subject: Consultation on change to RIP interception definition In-Reply-To: References: <4CDAC134.2070402@zen.co.uk> Message-ID: <007f01cb81a4$bade1f90$309a5eb0$@net> Ian Batten wrote: > Under the new situation, you can put up a hooky DPI solution, claim you > didn't realise it constituted interception (the defence BT would use in > court, were it to get to court, which it won't) and be at most ?10K > worse off. Given actually doing due diligence would cost more than > that (get in a lawyer, a network architect for a week and you've spent > that already) it's a free pass. Rather than finding out if something's > actually going to transgress RIPA, you just close your eyes to the > problem and plead ignorance if it goes wrong. Why spend ?20K when > you're assured of only being fined ?10K? It wasn't clear to me reading the consultation paper whether it was ?10k per offence. The situation to which you earlier referred I think involved up to 20,000 subscribers, so therefore the maximum possible fine would be ?200m. But I guess that's just wishful thinking on my part. James Firth From james2 at jfirth.net Thu Nov 11 13:41:53 2010 From: james2 at jfirth.net (James Firth) Date: Thu, 11 Nov 2010 13:41:53 -0000 Subject: Consultation on change to RIP interception definition In-Reply-To: References: Message-ID: <008501cb81a6$33fb69e0$9bf23da0$@net> Richard Clayton wrote: > and giving the Interception of Communications Commissioner a new power > to impose a civil penalty for intercepting without such permission > [they think that maybe the police wouldn't be consistent -- and if BT > broke the law again then there would be 52 parallel investigations, > hmmm isn't this devolved so should be 47?]... Ninth bullet point on page 6: "The sanction would have UK wide application" So either RIP(S) 2000 would be updated or is this just referring to Scottish-based CSPs who have some non-Scottish subscribers? James Firth From james2 at jfirth.net Thu Nov 11 13:54:40 2010 From: james2 at jfirth.net (James Firth) Date: Thu, 11 Nov 2010 13:54:40 -0000 Subject: Stumbled upon IMP FOI doc (WAS: Consultation on change to RIP interception definition) In-Reply-To: References: Message-ID: <008e01cb81a7$fd092e70$f71b8b50$@net> Ian Batten wrote: > On 10 Nov 2010, at 09:58, Richard Clayton wrote: > > > lawful-intercep/ripa-amend-effect-lawful-incep > > While searching on the website to try to deal with the mangling of the > URL (looks like Turnpike is line folding on '-' a URL in text/plain, > which my client then won't reassemble) I stumbled on this: > > http://www.homeoffice.gov.uk/about-us/freedom-of-information/released- > information1/foi-archive- > crime/12307_docs_used_prep_APPG_IMP/12307_1_docs_prep_APPG_IMP?view=Bin > ary Does anyone have any idea as to the date for this FOI-released document? Reading the references to "third party data" followed by reference to practical problems related to separating communications data from content this reminds me of the stretching of the definition of "communications data". Surely when traffic data for a third-party service is embedded in a protocol carried by a CSP then that CSP must treat the embedded protocol as content, not traffic data. Someone earlier spoke of the need to revisit the doormat, however a strict definition of traffic data may be necessary to avoid falling foul of the strict definition of traffic data in S15 of Directive 2002/58/EC: "(15) A communication may include any naming, numbering or addressing information provided by the sender of a communication or the user of a connection to carry out the communication. Traffic data may include any translation of this information by the network over which the communication is transmitted for the purpose of carrying out the transmission. Traffic data may, inter alia, consist of data referring to the routing, duration, time or volume of a communication, to the protocol used, to the location of the terminal equipment of the sender or recipient, to the network on which the communication originates or terminates, to the beginning, end or duration of a connection. They may also consist of the format in which the communication is conveyed by the network." James Firth From pwt at iosis.co.uk Thu Nov 11 14:06:03 2010 From: pwt at iosis.co.uk (Peter Tomlinson) Date: Thu, 11 Nov 2010 14:06:03 +0000 Subject: Consultation on change to RIP interception definition In-Reply-To: References: <4CDBBF17.3070209@iosis.co.uk> Message-ID: <4CDBF84B.6080009@iosis.co.uk> Roland Perry wrote: > In article <4CDBBF17.3070209 at iosis.co.uk>, Peter Tomlinson > writes >> It seems to me that the assumption will be that the owner of the >> account will have given consent on behalf of all users of the account >> (typically of that keyboard). So consent ought to be given in some >> secure manner (a) that is logged in a way that can be verified and, >> if the user wishes, changed, > > If the CSP was a PAYG (or free) wifi point, that would add a whole > extra layer to the sign-up process. Plus all CSPs having to add some > sort of permanently accessible account parameters. I now that the > transparency is desirable, but worry about the implementation. > >> and (b) that, if consent has been given, ensures that an informative >> logo is always displayed in each browser window. > > How would that work - the CSP intercepting every web page and adding > something that he fondly believes every browser in the world would > display? > > ps HTTP is not the only protocol on the Internet. My suggestion was slightly tongue in cheek, intended to lead to exactly the sort of analysis that Roland has done - in other words, the response to this consultation should be that obtaining consent from the end users simply isn't a practical solution, so the law needs to be framed to completely block those who want to snoop in this manner. However, there are global moves to create a common method to be far more secure online (an eID method) so long as you have your internet transactions secured with a user ID [1] digital certificate that is invoked by some specific action by the end user (e.g. with a password or by plugging in a physical token) at the start of such a session. Once we get that operating, authorising selective phorm-like 'enhancement' of the browsing experience could be possible (but the resulting advertising - sic - delivered would have to come from sources that have also signed up for the safe browsing technology). Peter [1] The ID doesn't have to be your official ID as known to government - you can have any handle that you want, and therefore be effectively anonymous (but of course the IP address of the terminal node will be available to the service used). From igb at batten.eu.org Thu Nov 11 14:14:59 2010 From: igb at batten.eu.org (Ian Batten) Date: Thu, 11 Nov 2010 14:14:59 +0000 Subject: Consultation on change to RIP interception definition In-Reply-To: <4CDBF84B.6080009@iosis.co.uk> References: <4CDBBF17.3070209@iosis.co.uk> <4CDBF84B.6080009@iosis.co.uk> Message-ID: <5B696B6C-5F2B-40BD-938C-B4925A4129B1@batten.eu.org> > > > However, there are global moves to create a common method to be far more secure online (an eID method) so long as you have your internet transactions secured with a user ID [1] digital certificate that is invoked by some specific action by the end user (e.g. with a password or by plugging in a physical token) at the start of such a session. Once we get that operating... The heat death of the universe will occur sooner. Why would anyone voluntarily sign up for such a scheme, which makes ID cards look positively cuddly? ian From pwt at iosis.co.uk Thu Nov 11 14:35:02 2010 From: pwt at iosis.co.uk (Peter Tomlinson) Date: Thu, 11 Nov 2010 14:35:02 +0000 Subject: Consultation on change to RIP interception definition In-Reply-To: <5B696B6C-5F2B-40BD-938C-B4925A4129B1@batten.eu.org> References: <4CDBBF17.3070209@iosis.co.uk> <4CDBF84B.6080009@iosis.co.uk> <5B696B6C-5F2B-40BD-938C-B4925A4129B1@batten.eu.org> Message-ID: <4CDBFF16.40304@iosis.co.uk> Ian Batten wrote: >> However, there are global moves to create a common method to be far more secure online (an eID method) so long as you have your internet transactions secured with a user ID [1] digital certificate that is invoked by some specific action by the end user (e.g. with a password or by plugging in a physical token) at the start of such a session. Once we get that operating... >> > The heat death of the universe will occur sooner. Why would anyone voluntarily sign up for such a scheme, which makes ID cards look positively cuddly? You might have to in order to do business with some big, global online retailers - 'thin client' to go in your PC has been mentioned, but Chatham House Rule applies to the meeting at which the ID of the source was mentioned (i.e. I can't say who). Directgov, however, wants a method just for UK public sector services, but the more open concept of making this available to all online service providers has been indicated to them. And the US White House consulted this summer, asking for ideas for a general method to have safe online IDs. Peter From nbohm at ernest.net Thu Nov 11 14:49:23 2010 From: nbohm at ernest.net (Nicholas Bohm) Date: Thu, 11 Nov 2010 14:49:23 +0000 Subject: Consultation on change to RIP interception definition In-Reply-To: <4CDBFF16.40304@iosis.co.uk> References: <4CDBBF17.3070209@iosis.co.uk> <4CDBF84B.6080009@iosis.co.uk> <5B696B6C-5F2B-40BD-938C-B4925A4129B1@batten.eu.org> <4CDBFF16.40304@iosis.co.uk> Message-ID: <4CDC0273.5090107@ernest.net> On 11/11/2010 14:35, Peter Tomlinson wrote: > Ian Batten wrote: >>> However, there are global moves to create a common method to be far >>> more secure online (an eID method) so long as you have your internet >>> transactions secured with a user ID [1] digital certificate that is >>> invoked by some specific action by the end user (e.g. with a >>> password or by plugging in a physical token) at the start of such a >>> session. Once we get that operating... >>> >> The heat death of the universe will occur sooner. Why would anyone >> voluntarily sign up for such a scheme, which makes ID cards look >> positively cuddly? > You might have to in order to do business with some big, global online > retailers - 'thin client' to go in your PC has been mentioned, but > Chatham House Rule applies to the meeting at which the ID of the > source was mentioned (i.e. I can't say who). > > Directgov, however, wants a method just for UK public sector services, > but the more open concept of making this available to all online > service providers has been indicated to them. And the US White House > consulted this summer, asking for ideas for a general method to have > safe online IDs. A cynical way of looking at this is that the (UK) Government has failed in its attempt to get compulsory ID cards, and is now trying to get together a global alliance of governments and private sector bodies in order to make it impracticably inconvenient for citizens to do without the ID they crave. Even if this cynical view is justified (and it necessarily exaggerates the extent to which the UK or any other government is of one mind on the issue), I doubt if it will work. Only monopolies dare annoy their customers that much, and there just aren't enough of them to make it work. And getting them to agree on how to try is probably too hard anyway. Nicholas -- Contact and PGP key here From Andrew.Cormack at ja.net Thu Nov 11 14:52:49 2010 From: Andrew.Cormack at ja.net (Andrew Cormack) Date: Thu, 11 Nov 2010 14:52:49 +0000 Subject: Consultation on change to RIP interception definition In-Reply-To: References: Message-ID: Francis Thanks, that does answer my question and confirms my suspicion of what it would mean. And thanks for (telepathically) expressing my vague concern so precisely :-) So deleting the "reasonable belief" clause would mean that a deliberate interception lost its lawful authority under 3(1) as soon as it was shown that the *person* intercepted had not given their consent (e.g. because it was their spouse or parent, who pays the bill, who had done so). The ISP couldn't defend themselves by saying it was reasonable for them to take the subscriber's consent as applying to any user of that account/keyboard, because the remaining text would only leave the question of fact as to whether that person had consented. I wonder whether this was exactly why the original drafting included that phrase... In which case I wonder whether any ISP would take the risk of launching a behavioural advertising service even if it was genuinely opt-in, since they'd always be at the mercy of a second user of the account/keyboard saying that it wasn't them who opted in. Andrew -- Andrew Cormack, Chief Regulatory Adviser, JANET(UK) Lumen House, Library Avenue, Harwell Science and Innovation Campus, Didcott. OX11 0SG UK Phone: +44 (0) 1235 822302 Blog: http://webmedia.company.ja.net/edlabblogs/regulatory-developments/ JANET, the UK's education and research network JANET(UK) is a trading name of The JNT Association, a company limited by guarantee which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG > -----Original Message----- > From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto- > bounces at chiark.greenend.org.uk] On Behalf Of Francis Davey > Sent: 11 November 2010 12:45 > To: UK Cryptography Policy Discussion Group > Subject: Re: Consultation on change to RIP interception definition > > On 11 November 2010 09:01, Andrew Cormack > wrote: > > > > > > > Actually I'm struggling to think how a 3(1) that was dependent on the > *fact* of whether that person had consented (which I think would be the > effect of deleting the "reasonable belief" clause: Francis?) could ever > be safely relied on by anyone. So maybe the net effect of the proposed > change will actually be to delete the whole of 3(1)??? > > > > To answer this and Peter's question. > > At the moment the section 1(1) offence has two elements (that's how I > read the "and"): first the action must be intentional, so accidentally > or negligently permitting something that amounts to interception is > not enough, the prosecution must prove intention. The crime is > therefore one of specific intent (so for example could not be > committed by someone too intoxicated to form the necessary intention). > > The intention obvious question is whether the acts intended are just > the interception, or whether there needs to be intention to do so > without lawful authority. My reading is that the two are separable > (the "and"). There needs to be no intention to do the act without > lawful authority. > > The second element is that the action is "without lawful authority". > This looks to me like something that would have to be raised by the > defence, but if raised would then have to be proved by the prosecution > (caveat: I don't do crime, so someone else may know more about this > than I). > > As things stand the second element also has a mental element in that > if section 3(1) is relied on as a basis for lawful authority, the > prosecution will need to prove both that (i) conditions (a) and (b) > were not met and (ii) that the defendant had no reasonable ground for > believing they were met. > > A mistaken and honest but unreasonable belief that (a) and (b) hold > will not amount to lawful authority and so a defence based on such a > belief and s3(1) would fail. > > There are circumstances where a genuine but unreasonable belief in a > state of affairs is a good defence, for example in R v Williams > (Gladstone) (1984) 78 Cr App R 276, where the defendant believed, > unreasonably, that a police officer conducting an arrest was actually > committing an assault and ran to the defence of the person being > arrested. > > Removing "unreasonable belief" from s3(1) wouldn't emasculate it > utterly - you would still be able to require the prosecution to prove > that (a) and (b) weren't met - but it seriously reduces the scope of > "lawful authority" and that part of the test then becomes one of > strict liability. > > I hope that's clear and/or helpful. > > -- > Francis Davey From pwt at iosis.co.uk Thu Nov 11 15:14:39 2010 From: pwt at iosis.co.uk (Peter Tomlinson) Date: Thu, 11 Nov 2010 15:14:39 +0000 Subject: Consultation on change to RIP interception definition In-Reply-To: <4CDC0273.5090107@ernest.net> References: <4CDBBF17.3070209@iosis.co.uk> <4CDBF84B.6080009@iosis.co.uk> <5B696B6C-5F2B-40BD-938C-B4925A4129B1@batten.eu.org> <4CDBFF16.40304@iosis.co.uk> <4CDC0273.5090107@ernest.net> Message-ID: <4CDC085F.9030503@iosis.co.uk> Nicholas Bohm wrote: > On 11/11/2010 14:35, Peter Tomlinson wrote: > >> Ian Batten wrote: >> >>>> However, there are global moves to create a common method to be far >>>> more secure online (an eID method) so long as you have your internet >>>> transactions secured with a user ID [1] digital certificate that is >>>> invoked by some specific action by the end user (e.g. with a >>>> password or by plugging in a physical token) at the start of such a >>>> session. Once we get that operating... >>>> >>>> >>> The heat death of the universe will occur sooner. Why would anyone >>> voluntarily sign up for such a scheme, which makes ID cards look >>> positively cuddly? >>> >> You might have to in order to do business with some big, global online >> retailers - 'thin client' to go in your PC has been mentioned, but >> Chatham House Rule applies to the meeting at which the ID of the >> source was mentioned (i.e. I can't say who). >> >> Directgov, however, wants a method just for UK public sector services, >> but the more open concept of making this available to all online >> service providers has been indicated to them. And the US White House >> consulted this summer, asking for ideas for a general method to have >> safe online IDs. >> > A cynical way of looking at this is that the (UK) Government has failed > in its attempt to get compulsory ID cards, and is now trying to get > together a global alliance of governments and private sector bodies in > order to make it impracticably inconvenient for citizens to do without > the ID they crave. Actually I don't see any sign of UK govt working with anybody else on this, and its only part of UK govt at the moment - the proposal (and the couple of OJEU notices put out to ask for information about methods offered, plus the G-Digital web site http://gdigital.direct.gov.uk) appear to be simply blinkered thinking. The private sector initiative that I referred to appears to be looking at the global scene, in the way that increasingly I see big internet players simply trying to rise above national interests because their interest is in business, everywhere. The USA federal initiative does, however, appear to be rather more open. Peter From igb at batten.eu.org Thu Nov 11 15:32:41 2010 From: igb at batten.eu.org (Ian Batten) Date: Thu, 11 Nov 2010 15:32:41 +0000 Subject: Consultation on change to RIP interception definition In-Reply-To: <4CDBFF16.40304@iosis.co.uk> References: <4CDBBF17.3070209@iosis.co.uk> <4CDBF84B.6080009@iosis.co.uk> <5B696B6C-5F2B-40BD-938C-B4925A4129B1@batten.eu.org> <4CDBFF16.40304@iosis.co.uk> Message-ID: <021D1216-A831-4CE5-9D1D-AECEC5D6B8E0@batten.eu.org> On 11 Nov 10, at 1435, Peter Tomlinson wrote: > Ian Batten wrote: >>> However, there are global moves to create a common method to be far more secure online (an eID method) so long as you have your internet transactions secured with a user ID [1] digital certificate that is invoked by some specific action by the end user (e.g. with a password or by plugging in a physical token) at the start of such a session. Once we get that operating... >>> >> The heat death of the universe will occur sooner. Why would anyone voluntarily sign up for such a scheme, which makes ID cards look positively cuddly? > You might have to in order to do business with some big, global online retailers Yes, because erecting massive hurdles to doing business in no way encourages competitors. But for companies that don't want to believe that, perhaps they could remind us how Microsoft "Passport" is doing? One is reminded of Marks and Spencers, who for many years refused to accept credit cards, for a whole range of implausible reasons, and refused to allow you to try clothes on, for similarly implausible reasons. You had to remember to take a cheque book and have time available to make a return trip if the clothes didn't fit or, alternatively, not go there in the first place. Over time, more and more people adopted the second approach, finding that the alleged merits of M&S's clothes weren't enough to justify the aggro, and Next, Benetton, BHS and others ate M&S's lunch in their various segments. Finally, sanity entered the M&S board room, and M&S both found that they _could_ accept credit card and they _could_ have some fitting rooms without the world ending. A "global online retailer" which won't let you give them money without signing up for an ID card scheme (because that's what it is) will lose business, because there's almost no such company which doesn't have competitors who don't have a death wish. ian From maryhawking at tigers.demon.co.uk Thu Nov 11 20:24:42 2010 From: maryhawking at tigers.demon.co.uk (Mary Hawking) Date: Thu, 11 Nov 2010 20:24:42 -0000 Subject: Consultation on change to RIP interception definition In-Reply-To: <4CDBBF17.3070209@iosis.co.uk> References: <4CDBBF17.3070209@iosis.co.uk> Message-ID: Does the owner of the account have the legal authority to give consent on behalf of all users of that account, and if so, are there any requirements for the users to be informed of the consent ant what that consent implies for the users? Mary Hawking -----Original Message----- From: Peter Tomlinson [mailto:pwt at iosis.co.uk] Sent: 11 November 2010 10:02 To: UK Cryptography Policy Discussion Group Subject: Re: Consultation on change to RIP interception definition Andrew Cormack wrote: > Hmmm. It's tempting to reply to the HO's consultation question of "how will this affect CSPs?" by saying that it'll make 3(1) useless since, as discussed on the list last time around, the CSP will never know whether the "person" who indicated consent (however that's implemented) is still the "person" sitting at the keyboard. Not just the question of whether the "subscriber" has consented on behalf of all users of the account, but whether one user has handed the keyboard to another since clicking "I agree" :( > > Actually I'm struggling to think how a 3(1) that was dependent on the *fact* of whether that person had consented (which I think would be the effect of deleting the "reasonable belief" clause: Francis?) could ever be safely relied on by anyone. So maybe the net effect of the proposed change will actually be to delete the whole of 3(1)??? It seems to me that the assumption will be that the owner of the account will have given consent on behalf of all users of the account (typically of that keyboard). So consent ought to be given in some secure manner (a) that is logged in a way that can be verified and, if the user wishes, changed, and (b) that, if consent has been given, ensures that an informative logo is always displayed in each browser window. Peter From igb at batten.eu.org Thu Nov 11 20:47:10 2010 From: igb at batten.eu.org (Ian Batten) Date: Thu, 11 Nov 2010 20:47:10 +0000 Subject: Consultation on change to RIP interception definition In-Reply-To: References: <4CDBBF17.3070209@iosis.co.uk> Message-ID: On 11 Nov 2010, at 20:24, Mary Hawking wrote: > Does the owner of the account have the legal authority to give consent on > behalf of all users of that account, No. That was the line BT tried to take with Phorm, and there's not the beginning of a legal basis for it. If CSPs want to try this, they should put wording into contracts with their customers to attempt to impose obligations between their customers and unspecified third parties who are not signatories to the contract, and see how far it gets them. ian > and if so, are there any requirements > for the users to be informed of the consent ant what that consent implies > for the users? > > Mary Hawking > > > -----Original Message----- > From: Peter Tomlinson [mailto:pwt at iosis.co.uk] > Sent: 11 November 2010 10:02 > To: UK Cryptography Policy Discussion Group > Subject: Re: Consultation on change to RIP interception definition > > Andrew Cormack wrote: >> Hmmm. It's tempting to reply to the HO's consultation question of "how > will this affect CSPs?" by saying that it'll make 3(1) useless since, as > discussed on the list last time around, the CSP will never know whether the > "person" who indicated consent (however that's implemented) is still the > "person" sitting at the keyboard. Not just the question of whether the > "subscriber" has consented on behalf of all users of the account, but > whether one user has handed the keyboard to another since clicking "I agree" > :( >> >> Actually I'm struggling to think how a 3(1) that was dependent on the > *fact* of whether that person had consented (which I think would be the > effect of deleting the "reasonable belief" clause: Francis?) could ever be > safely relied on by anyone. So maybe the net effect of the proposed change > will actually be to delete the whole of 3(1)??? > It seems to me that the assumption will be that the owner of the account > will have given consent on behalf of all users of the account (typically > of that keyboard). So consent ought to be given in some secure manner > (a) that is logged in a way that can be verified and, if the user > wishes, changed, and (b) that, if consent has been given, ensures that > an informative logo is always displayed in each browser window. > > Peter > > > > > > From lists at internetpolicyagency.com Thu Nov 11 22:44:28 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Thu, 11 Nov 2010 22:44:28 +0000 Subject: Consultation on change to RIP interception definition In-Reply-To: References: <4CDBBF17.3070209@iosis.co.uk> Message-ID: In article , Mary Hawking writes >Does the owner of the account have the legal authority to give consent on >behalf of all users of that account, and if so, are there any requirements >for the users to be informed of the consent ant what that consent implies >for the users? Not for interception, but "subscriber" is the expression used in the anti-spam regulations (where consent is an issue) and perhaps that rubs off in other places in some people's minds. -- Roland Perry From pwt at iosis.co.uk Fri Nov 12 09:01:43 2010 From: pwt at iosis.co.uk (Peter Tomlinson) Date: Fri, 12 Nov 2010 09:01:43 +0000 Subject: European Parliament proposes tough behavioural ad rules Message-ID: <4CDD0277.1040907@iosis.co.uk> From Pinsent Masons in their weekly out-law newsletter: Adverts based on a web user's activity should carry a sign saying 'behavioural advertisement' and display a window explaining what information has been used to select that ad, a draft report by the European Parliament has said. More at http://www.out-law.com/page-11542 Peter From igb at batten.eu.org Fri Nov 12 09:46:25 2010 From: igb at batten.eu.org (Ian Batten) Date: Fri, 12 Nov 2010 09:46:25 +0000 Subject: European Parliament proposes tough behavioural ad rules In-Reply-To: <4CDD0277.1040907@iosis.co.uk> References: <4CDD0277.1040907@iosis.co.uk> Message-ID: <8C5131CA-B4AE-469B-9C6C-96FF27746E91@batten.eu.org> On 12 Nov 2010, at 09:01, Peter Tomlinson wrote: > From Pinsent Masons in their weekly out-law newsletter: > > Adverts based on a web user's activity should carry a sign saying > 'behavioural advertisement' and display a window explaining what > information has been used to select that ad, a draft report by the > European Parliament has said. I suspect that the more sensible end of the advertising industry is having a facepalm moment over BT/Phorm, because the general air of sleaze (BT probably won't be prosecuted, but even the debate is something most advertising initiatives don't invite) is hard to shake off. Had BT not staged that initial trial, and denied knowledge of it to customers whose HTML was re-written, and had the Home Office not written what could be interpreted as a letter of comfort, the problem would have remained at the fringes. As things stand, the EU are flexing their muscles, and any advertising initiative that plays in this area starts on the back foot. ian From nbohm at ernest.net Fri Nov 12 11:37:52 2010 From: nbohm at ernest.net (Nicholas Bohm) Date: Fri, 12 Nov 2010 11:37:52 +0000 Subject: Consultation on change to RIP interception definition In-Reply-To: References: <4CDBBF17.3070209@iosis.co.uk> Message-ID: <4CDD2710.40202@ernest.net> On 11/11/2010 20:47, Ian Batten wrote: > On 11 Nov 2010, at 20:24, Mary Hawking wrote: > >> Does the owner of the account have the legal authority to give consent on >> behalf of all users of that account, > No. That was the line BT tried to take with Phorm, and there's not the beginning of a legal basis for it. If CSPs want to try this, they should put wording into contracts with their customers to attempt to impose obligations between their customers and unspecified third parties who are not signatories to the contract, and see how far it gets them. Quite right, of course. All the ISP can do is get the subscriber to promise to get (or that he has already got) authority from all other users to give their consent. Then if a user denies having given consent, the ISP has a claim against the subscriber for breach of the term, and might seek an indemnity against losses flowing from the lack of authority. But indemnities against criminal penalties are generally unenforceable as being against public policy, so it won't be much help. I'm not sure the law has tested whether that principle applies to civil penalties for criminal offences - quite possibly not. Maybe that's why a civil penalties regime is attractive! None of this helps with the case where a non-subscriber user actually does consent to something, and the consent gets treated as binding all other users. That would need some even more convoluted small print, of very doubtful efficacy if challenged under the unfair contract terms legislation. Nicholas -- Contact and PGP key here From igb at batten.eu.org Fri Nov 12 16:15:46 2010 From: igb at batten.eu.org (Ian Batten) Date: Fri, 12 Nov 2010 16:15:46 +0000 Subject: Consultation on change to RIP interception definition In-Reply-To: <4CDD2710.40202@ernest.net> References: <4CDBBF17.3070209@iosis.co.uk> <4CDD2710.40202@ernest.net> Message-ID: <43FB0647-8F50-477E-8F6C-CD8EF5B80796@batten.eu.org> > > None of this helps with the case where a non-subscriber user actually > does consent to something, and the consent gets treated as binding all > other users. That would need some even more convoluted small print, of > very doubtful efficacy if challenged under the unfair contract terms > legislation. That was the point I tried to get over to BT when the threat was made of the 10000-strong Phorm trial. I was travelling a lot for work, so I asked BT to assure me that I would not be offered the Phorm trial, as I did not regard my children (who were, statistically, more likely to have encountered the initial greeting screen than my wife, by dint of their accessing a lot more webpages) as able to give informed consent to the Phorm interception regime. BT by that stage had moved to a position of trying to vary users' contracts on an initial click screen. The not-very-clueful BT person I was talking to said I would have to brief my children, as was "my responsibility" --- I asked whether they thought minor children were able to make contract variations on behalf of contract holders, and they appeared to say yes: that it was my responsibility to stop my children from consenting to things that constitute contractual changes, and BT would take as binding on my contractual relationship things that my children (or my cat, if I had a cat) clicked "yes" to. At which point I gave up, and got ADSL 2+ Annex M from O2, with whom I'm very happy. I could probably instead have encouraged my children to click "yes" to everything that BT offered and then seen them in court, ian From lists at internetpolicyagency.com Fri Nov 12 14:28:56 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Fri, 12 Nov 2010 14:28:56 +0000 Subject: European Parliament proposes tough behavioural ad rules In-Reply-To: <4CDD0277.1040907@iosis.co.uk> References: <4CDD0277.1040907@iosis.co.uk> Message-ID: In article <4CDD0277.1040907 at iosis.co.uk>, Peter Tomlinson writes >From Pinsent Masons in their weekly out-law newsletter: > >Adverts based on a web user's activity should carry a sign saying >'behavioural advertisement' and display a window explaining what >information has been used to select that ad, a draft report by the >European Parliament has said. > >More at http://www.out-law.com/page-11542 The report calls on the Commission, among other things, to: prohibit the systematic, indiscriminate sending of text message advertisements to all mobile phone users within the coverage area of an advertising poster equipped with Bluetooth technology without their prior consent; Easily done by changing the definition of "public network" in existing law to include Bluetooth broadcasts. prohibit the content of private e-mails being read by a third party for advertising purposes; Isn't it already prohibited, for most purposes? require advertisements sent by e-mail to contain an automatic link enabling the recipient to refuse all further advertising Again, isn't this already the law (if the sending of the email was legal in the first place)? restrict online alcohol advertising to the websites of industry professionals, local authorities and tourist offices, Why is it OK for the council to advertise booze? Is this special pleading from the Champagne region? modify the limited liability regime for information society services in order to make the sale by search engines of registered brand names as advertising keywords subject to prior authorisation from the owner of the brand name in question As others trying to make public policy in this area are discovering - registered where and for what purpose? Will Lincoln Cathedral have to get permission from both a cheese and a car manufacturer to use its name as an advertising keyword? (Assuming the car is registered as a TM in the UK in the first place). -- Roland Perry From nbohm at ernest.net Sat Nov 13 11:25:14 2010 From: nbohm at ernest.net (Nicholas Bohm) Date: Sat, 13 Nov 2010 11:25:14 +0000 Subject: European Parliament proposes tough behavioural ad rules In-Reply-To: References: <4CDD0277.1040907@iosis.co.uk> Message-ID: <4CDE759A.8040303@ernest.net> On 12/11/2010 14:28, Roland Perry wrote: > In article <4CDD0277.1040907 at iosis.co.uk>, Peter Tomlinson > writes > >From Pinsent Masons in their weekly out-law newsletter: >> Adverts based on a web user's activity should carry a sign saying >> 'behavioural advertisement' and display a window explaining what >> information has been used to select that ad, a draft report by the >> European Parliament has said. >> >> More at http://www.out-law.com/page-11542 > The report calls on the Commission, among other things, to: > > prohibit the systematic, indiscriminate sending of text message > advertisements to all mobile phone users within the coverage > area of an advertising poster equipped with Bluetooth technology > without their prior consent; > > Easily done by changing the definition of "public network" in existing > law to include Bluetooth broadcasts. > > prohibit the content of private e-mails being read by a third > party for advertising purposes; > > Isn't it already prohibited, for most purposes? Gmail seems to read messages just after the recipient (so avoiding interception because the message has crossed the doormat) for the purpose of selecting adverts to show the recipient. That may be what this is aimed at. > require advertisements sent by e-mail to contain an automatic > link enabling the recipient to refuse all further advertising > > Again, isn't this already the law (if the sending of the email was legal > in the first place)? I didn't know it was the law (is it?), but just as one shouldn't reply to spam because it encourages the sender, so - a fortiori - one shouldn't visit the spammer's webpage, which could do even more harm. This therefore seems a clueless suggestion. > restrict online alcohol advertising to the websites of industry > professionals, local authorities and tourist offices, > > Why is it OK for the council to advertise booze? Is this special > pleading from the Champagne region? > > modify the limited liability regime for information society > services in order to make the sale by search engines of > registered brand names as advertising keywords subject to prior > authorisation from the owner of the brand name in question > > As others trying to make public policy in this area are discovering - > registered where and for what purpose? Will Lincoln Cathedral have to > get permission from both a cheese and a car manufacturer to use its name > as an advertising keyword? (Assuming the car is registered as a TM in > the UK in the first place). If there is liability for trademark infringement in such a case (and I seem to recall a recent decision in which a claimant failed), I do not see how the "limited liability regime for information society services" would provide a shield anyway. Nicholas -- Contact and PGP key here From joel at jdh.myzen.co.uk Sat Nov 13 12:32:20 2010 From: joel at jdh.myzen.co.uk (Joel Harrison) Date: Sat, 13 Nov 2010 12:32:20 -0000 Subject: European Parliament proposes tough behavioural ad rules In-Reply-To: <4CDE759A.8040303@ernest.net> References: <4CDD0277.1040907@iosis.co.uk> <4CDE759A.8040303@ernest.net> Message-ID: <000001cb832e$d11d8c60$7358a520$@jdh.myzen.co.uk> > -----Original Message----- > From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto- > bounces at chiark.greenend.org.uk] On Behalf Of Nicholas Bohm > Sent: 13 November 2010 11:25 > To: UK Cryptography Policy Discussion Group > Subject: Re: European Parliament proposes tough behavioural ad rules > > On 12/11/2010 14:28, Roland Perry wrote: > > require advertisements sent by e-mail to contain an automatic > > link enabling the recipient to refuse all further advertising > > > > Again, isn't this already the law (if the sending of the email was > > legal in the first place)? > > I didn't know it was the law (is it?), but just as one shouldn't reply to spam > because it encourages the sender, so - a fortiori - one shouldn't visit the > spammer's webpage, which could do even more harm. > This therefore seems a clueless suggestion. It's (almost) required if the sender is relying on PECR reg. 22(3) rather than reg. 22(2). If the recipient has notified the sender that he consents to receiving the e-mails, there's no requirement to provide an unsubscribe mechanism (reg 22(2)). However, if the sender is relying on reg 22(3) (i.e. the sender has obtained the recipient's contact details through negotiations for sale of a product/service, and the communication is about similar products/services), reg 22(3)(c) requires that the recipient be given a "simple means" of refusing further e-mails at the time of each e-mail. The refusal mechanism must also be free of charge, other than the costs of transmitting the refusal. This doesn't explicitly require the inclusion of an automatic link in each e-mail (hence "almost"), but it's obviously the most straightforward way - I can see "log on to your account on our website, go to your account details and click 'unsubscribe'" as qualifying as "simple means". Joel From pwt at iosis.co.uk Sat Nov 13 12:37:01 2010 From: pwt at iosis.co.uk (Peter Tomlinson) Date: Sat, 13 Nov 2010 12:37:01 +0000 Subject: European Parliament proposes tough behavioural ad rules In-Reply-To: <4CDE759A.8040303@ernest.net> References: <4CDD0277.1040907@iosis.co.uk> <4CDE759A.8040303@ernest.net> Message-ID: <4CDE866D.7030005@iosis.co.uk> Nicholas Bohm wrote: > On 12/11/2010 14:28, Roland Perry wrote: > >> In article <4CDD0277.1040907 at iosis.co.uk>, Peter Tomlinson >> writes >> >From Pinsent Masons in their weekly out-law newsletter: >> >>> Adverts based on a web user's activity should carry a sign saying >>> 'behavioural advertisement' and display a window explaining what >>> information has been used to select that ad, a draft report by the >>> European Parliament has said. >>> >>> More at http://www.out-law.com/page-11542 >>> >> require advertisements sent by e-mail to contain an automatic >> link enabling the recipient to refuse all further advertising >> >> Again, isn't this already the law (if the sending of the email was legal >> in the first place)? >> > I didn't know it was the law (is it?), but just as one shouldn't reply > to spam because it encourages the sender, so - a fortiori - one > shouldn't visit the spammer's webpage, which could do even more harm. > This therefore seems a clueless suggestion. I suspect that it may be the law under the USA (?) CanSpam Act (which is what some emails refer to). Certainly with UK originated business-to-business sales and marketing emails it is now very common to see an Unsubscribe URL (which usually works) or, sometimes, an Unsubscribe email address (a much more clumsy way that usually requires you to reply from the mailbox to which the email was sent, not always convenient). (I get rather too much unsolicited but genuine B2B stuff, partly because my domain was registered a long time ago, partly because some rogue bulk emailers were for a while very persistent, and partly because of confusion with another domain name that is rather similar - the Unsubscribe link is now usually effective. And I get some B2C that are also quite genuine emails with Unsubscribe links, but. Hilary's Blinds has been a big nuisance...) And I do sometimes visit the spammer's web page, but with cookies and scripts turned off. However, we are considering here the unskilled consumer, so, given the amount of phishing that's going on, one would expect the miscreants to start using Unsubscribe links if people operating legally are forced to use them. This all tends to give support to the idea of having a safe online ID method, so that you get a warning about (or should be able to completely block) emails from sources that don't provide bona fide certificates from trusted providers - and then the miscreants will get into stealing certificates or persuading CAs to let them have certificates. (I'm still puzzled as to why Firefox/Kaspersky is telling me that lots of business and even public sector sites are using Kaspersky personal certificates for SSL.) Peter From ukcrypto at sourcetagged.ian.co.uk Sat Nov 13 14:59:10 2010 From: ukcrypto at sourcetagged.ian.co.uk (Ian Mason) Date: Sat, 13 Nov 2010 14:59:10 +0000 Subject: European Parliament proposes tough behavioural ad rules In-Reply-To: <4CDE759A.8040303@ernest.net> References: <4CDD0277.1040907@iosis.co.uk> <4CDE759A.8040303@ernest.net> Message-ID: <8DD03F2B-F4FB-4C78-B488-BE07260DA14D@sourcetagged.ian.co.uk> On 13 Nov 2010, at 11:25, Nicholas Bohm wrote: > On 12/11/2010 14:28, Roland Perry wrote: > [snip] >> require advertisements sent by e-mail to contain an automatic >> link enabling the recipient to refuse all further advertising >> >> Again, isn't this already the law (if the sending of the email was >> legal >> in the first place)? > > I didn't know it was the law (is it?), but just as one shouldn't reply > to spam because it encourages the sender, so - a fortiori - one > shouldn't visit the spammer's webpage, which could do even more harm. > This therefore seems a clueless suggestion. > Indeed, that was my immediate thought too. What is needed is a mechanism for unsubscribes that is, from the point of view of the recipient, trustworthy. One possibility would be to have an "unsubscribe" link that goes to a trusted third party. This could either be an appropriate industry body (say the DMA for the UK), or a government department, or a specialist service provider. Funding for such would have to come respectively from either membership fees, a tax/duty or a subscription. There's an issue if these trusted third parties (TTP) were to proliferate too far - a consumer should be able to immediately recognise the TTP and that wouldn't be the case of there were hundreds of them. Ian From nbohm at ernest.net Sat Nov 13 15:00:04 2010 From: nbohm at ernest.net (Nicholas Bohm) Date: Sat, 13 Nov 2010 15:00:04 +0000 Subject: European Parliament proposes tough behavioural ad rules In-Reply-To: <000001cb832e$d11d8c60$7358a520$@jdh.myzen.co.uk> References: <4CDD0277.1040907@iosis.co.uk> <4CDE759A.8040303@ernest.net> <000001cb832e$d11d8c60$7358a520$@jdh.myzen.co.uk> Message-ID: <4CDEA7F4.9070002@ernest.net> On 13/11/2010 12:32, Joel Harrison wrote: >> -----Original Message----- >> From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto- >> bounces at chiark.greenend.org.uk] On Behalf Of Nicholas Bohm >> Sent: 13 November 2010 11:25 >> To: UK Cryptography Policy Discussion Group >> Subject: Re: European Parliament proposes tough behavioural ad rules >> >> On 12/11/2010 14:28, Roland Perry wrote: >>> require advertisements sent by e-mail to contain an automatic >>> link enabling the recipient to refuse all further advertising >>> >>> Again, isn't this already the law (if the sending of the email was >>> legal in the first place)? >> I didn't know it was the law (is it?), but just as one shouldn't reply to > spam >> because it encourages the sender, so - a fortiori - one shouldn't visit > the >> spammer's webpage, which could do even more harm. >> This therefore seems a clueless suggestion. > It's (almost) required if the sender is relying on PECR reg. 22(3) rather > than reg. 22(2). I hadn't thought of PECR - thanks. > If the recipient has notified the sender that he consents to receiving the > e-mails, there's no requirement to provide an unsubscribe mechanism (reg > 22(2)). However, if the sender is relying on reg 22(3) (i.e. the sender has > obtained the recipient's contact details through negotiations for sale of a > product/service, and the communication is about similar products/services), > reg 22(3)(c) requires that the recipient be given a "simple means" of > refusing further e-mails at the time of each e-mail. The refusal mechanism > must also be free of charge, other than the costs of transmitting the > refusal. This doesn't explicitly require the inclusion of an automatic link > in each e-mail (hence "almost"), but it's obviously the most straightforward > way - I can see "log on to your account on our website, go to your account > details and click 'unsubscribe'" as qualifying as "simple means". Like most people, I get plenty of spam to which neither 22(2) nor 22(3) applies, and almost none to which either do apply. But it still often offers me unsubscribe links, which do indeed seem a handy mechanism for phishers. This stuff is no doubt well-intentioned, but I still think it's naive to the point of being clueless. Nicholas -- Contact and PGP key here From nbohm at ernest.net Sat Nov 13 15:02:45 2010 From: nbohm at ernest.net (Nicholas Bohm) Date: Sat, 13 Nov 2010 15:02:45 +0000 Subject: European Parliament proposes tough behavioural ad rules In-Reply-To: <4CDE866D.7030005@iosis.co.uk> References: <4CDD0277.1040907@iosis.co.uk> <4CDE759A.8040303@ernest.net> <4CDE866D.7030005@iosis.co.uk> Message-ID: <4CDEA895.6030204@ernest.net> On 13/11/2010 12:37, Peter Tomlinson wrote: > Nicholas Bohm wrote: >> On 12/11/2010 14:28, Roland Perry wrote: >> >>> In article <4CDD0277.1040907 at iosis.co.uk>, Peter Tomlinson >>> writes >>> >From Pinsent Masons in their weekly out-law newsletter: >>> >>>> Adverts based on a web user's activity should carry a sign saying >>>> 'behavioural advertisement' and display a window explaining what >>>> information has been used to select that ad, a draft report by the >>>> European Parliament has said. >>>> >>>> More at http://www.out-law.com/page-11542 >>>> >>> require advertisements sent by e-mail to contain an automatic >>> link enabling the recipient to refuse all further advertising >>> >>> Again, isn't this already the law (if the sending of the email was >>> legal >>> in the first place)? >>> >> I didn't know it was the law (is it?), but just as one shouldn't reply >> to spam because it encourages the sender, so - a fortiori - one >> shouldn't visit the spammer's webpage, which could do even more harm. >> This therefore seems a clueless suggestion. > I suspect that it may be the law under the USA (?) CanSpam Act (which > is what some emails refer to). As Joel kindly points out, it's with us via PECR - see www.legislation.gov.uk/uksi/2003/2426/regulation/22/made > Certainly with UK originated business-to-business sales and marketing > emails it is now very common to see an Unsubscribe URL (which usually > works) or, sometimes, an Unsubscribe email address (a much more clumsy > way that usually requires you to reply from the mailbox to which the > email was sent, not always convenient). (I get rather too much > unsolicited but genuine B2B stuff, partly because my domain was > registered a long time ago, partly because some rogue bulk emailers > were for a while very persistent, and partly because of confusion with > another domain name that is rather similar - the Unsubscribe link is > now usually effective. And I get some B2C that are also quite genuine > emails with Unsubscribe links, but. Hilary's Blinds has been a big > nuisance...) > > And I do sometimes visit the spammer's web page, but with cookies and > scripts turned off. > > However, we are considering here the unskilled consumer, so, given the > amount of phishing that's going on, one would expect the miscreants to > start using Unsubscribe links if people operating legally are forced > to use them. This all tends to give support to the idea of having a > safe online ID method, so that you get a warning about (or should be > able to completely block) emails from sources that don't provide bona > fide certificates from trusted providers - and then the miscreants > will get into stealing certificates or persuading CAs to let them have > certificates. (I'm still puzzled as to why Firefox/Kaspersky is > telling me that lots of business and even public sector sites are > using Kaspersky personal certificates for SSL.) I'm all for other people having super duper online ID which is easily distinguished from all the useless ID one gets; but I object to being required to have it myself. Nicholas -- Contact and PGP key here From lists at internetpolicyagency.com Sat Nov 13 15:36:09 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Sat, 13 Nov 2010 15:36:09 +0000 Subject: European Parliament proposes tough behavioural ad rules In-Reply-To: <8DD03F2B-F4FB-4C78-B488-BE07260DA14D@sourcetagged.ian.co.uk> References: <4CDD0277.1040907@iosis.co.uk> <4CDE759A.8040303@ernest.net> <8DD03F2B-F4FB-4C78-B488-BE07260DA14D@sourcetagged.ian.co.uk> Message-ID: In article <8DD03F2B-F4FB-4C78-B488-BE07260DA14D at sourcetagged.ian.co.uk>, Ian Mason writes >What is needed is a mechanism for unsubscribes that is, from the point >of view of the recipient, trustworthy. One possibility would be to >have an "unsubscribe" link that goes to a trusted third party. This >could either be an appropriate industry body (say the DMA for the UK), >or a government department, or a specialist service provider. You seem to be describing an "Opt-out" scheme for email along the lines of the TPS (but more sophisticated in that it would be specific to particular senders). -- Roland Perry From lists at internetpolicyagency.com Sat Nov 13 14:24:46 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Sat, 13 Nov 2010 14:24:46 +0000 Subject: European Parliament proposes tough behavioural ad rules In-Reply-To: <4CDE759A.8040303@ernest.net> References: <4CDD0277.1040907@iosis.co.uk> <4CDE759A.8040303@ernest.net> Message-ID: <4cGFzwAu+p3MFAU1@perry.co.uk> In article <4CDE759A.8040303 at ernest.net>, Nicholas Bohm writes >> require advertisements sent by e-mail to contain an automatic >> link enabling the recipient to refuse all further advertising >> >> Again, isn't this already the law (if the sending of the email was legal >> in the first place)? > >I didn't know it was the law (is it?), See Joel's posting. > but just as one shouldn't reply to spam because it encourages the >sender, so - a fortiori - one shouldn't visit the spammer's webpage, >which could do even more harm. The link could just as easily be a mailto: And common sense must prevail - if it's the sort of spam which comes from clueless marketers in a real business, then "unsubscribing" might actually work. But the recipient should beware of replying to the remaining 'spam'. It's also one of those situations where the 'spammers' only have to be "lucky once", and your name goes on the lists, which are circulated an amplified. The fact you received one 'spam' means you may already be on one of the lists, so the damage is already done. -- Roland Perry From DaveHowe at gmx.co.uk Sun Nov 14 12:00:29 2010 From: DaveHowe at gmx.co.uk (Dave Howe) Date: Sun, 14 Nov 2010 12:00:29 +0000 Subject: Consultation on change to RIP interception definition In-Reply-To: <5B696B6C-5F2B-40BD-938C-B4925A4129B1@batten.eu.org> References: <4CDBBF17.3070209@iosis.co.uk> <4CDBF84B.6080009@iosis.co.uk> <5B696B6C-5F2B-40BD-938C-B4925A4129B1@batten.eu.org> Message-ID: <4CDFCF5D.3020107@gmx.co.uk> On 11/11/2010 14:14, Ian Batten wrote: >> >> >> However, there are global moves to create a common method to be far >> more secure online (an eID method) so long as you have your >> internet transactions secured with a user ID [1] digital >> certificate that is invoked by some specific action by the end user >> (e.g. with a password or by plugging in a physical token) at the >> start of such a session. Once we get that operating... > > The heat death of the universe will occur sooner. Why would anyone > voluntarily sign up for such a scheme, which makes ID cards look > positively cuddly? You give them a free burger once per month. Seriously, and sadly, that would be all it took. From ukcrypto at sourcetagged.ian.co.uk Sun Nov 14 18:27:22 2010 From: ukcrypto at sourcetagged.ian.co.uk (Ian Mason) Date: Sun, 14 Nov 2010 18:27:22 +0000 Subject: European Parliament proposes tough behavioural ad rules In-Reply-To: References: <4CDD0277.1040907@iosis.co.uk> <4CDE759A.8040303@ernest.net> <8DD03F2B-F4FB-4C78-B488-BE07260DA14D@sourcetagged.ian.co.uk> Message-ID: On 13 Nov 2010, at 15:36, Roland Perry wrote: > In article <8DD03F2B-F4FB-4C78-B488- > BE07260DA14D at sourcetagged.ian.co.uk>, Ian Mason > writes >> What is needed is a mechanism for unsubscribes that is, from the >> point of view of the recipient, trustworthy. One possibility would >> be to have an "unsubscribe" link that goes to a trusted third >> party. This could either be an appropriate industry body (say the >> DMA for the UK), or a government department, or a specialist >> service provider. > > You seem to be describing an "Opt-out" scheme for email along the > lines of the TPS (but more sophisticated in that it would be > specific to particular senders). > -- After a fashion, yes, but what I was really proposing is a "cease and desist spamming" link where one would feel safe in clicking on said link. Ideally, this would be backed by effective sanctions for: 1) Not supplying such a link 2) Any abuse of the link. e.g. Using it to confirm and address and then sending further spam. 3) Failure to stop spamming Personally I strongly prefer "opt-in" with whacking great fines for non-compliance but we all know that ain't gonna happen. Ian From lists at internetpolicyagency.com Sun Nov 14 18:40:16 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Sun, 14 Nov 2010 18:40:16 +0000 Subject: European Parliament proposes tough behavioural ad rules In-Reply-To: References: <4CDD0277.1040907@iosis.co.uk> <4CDE759A.8040303@ernest.net> <8DD03F2B-F4FB-4C78-B488-BE07260DA14D@sourcetagged.ian.co.uk> Message-ID: In article , Ian Mason writes >>> What is needed is a mechanism for unsubscribes that is, from the >>>point of view of the recipient, trustworthy. One possibility would be >>>to have an "unsubscribe" link that goes to a trusted third party. >>>This could either be an appropriate industry body (say the DMA for >>>the UK), or a government department, or a specialist service provider. >> >> You seem to be describing an "Opt-out" scheme for email along the >>lines of the TPS (but more sophisticated in that it would be specific >>to particular senders). >> -- > >After a fashion, yes, but what I was really proposing is a "cease and >desist spamming" link where one would feel safe in clicking on said >link. Ideally, this would be backed by effective sanctions for: > >1) Not supplying such a link That's much the same as "failing to run an opt-in scheme" at the moment. If this is about otherwise well-meaning, but slightly over-enthusiastic and ill-educated marketers in real businesses in the UK, then a scheme like this has a chance of working, as well as giving that degree of comfort to the user. I don't now what the "industry body" would think about the cost of setting up a scheme for what is likely to be little genuine usage. In the mean time the criminals will just forge links into the system to make it look as if they are legitimate. >2) Any abuse of the link. e.g. Using it to confirm and address and then >sending further spam. That's surely a problem inside the "Industry Body", or are we talking about the classic gotcha with opt-out schemes that the shady people get a nice clean list of users? >3) Failure to stop spamming That's the status quo today. Where will the extra teeth come from, and why couldn't such newly found teeth be applied to an opt-in scheme? >Personally I strongly prefer "opt-in" with whacking great fines for >non-compliance but we all know that ain't gonna happen. Fining the criminals isn't easy, you have to catch them first. -- Roland Perry From otcbn at callnetuk.com Mon Nov 15 16:35:02 2010 From: otcbn at callnetuk.com (Peter Mitchell) Date: Mon, 15 Nov 2010 16:35:02 +0000 Subject: Contactless bank cards Message-ID: <4CE16136.4060707@callnetuk.com> The banks aren't going to give up on this. Barclays has just sent one to my son, after he lost his old, contactful one. He didn't ask for a contactless one, naturally. -- Pete Mitchell From marcus at connectotel.com Mon Nov 15 17:06:04 2010 From: marcus at connectotel.com (Marcus Williamson) Date: Mon, 15 Nov 2010 17:06:04 +0000 Subject: Contactless bank cards In-Reply-To: <4CE16136.4060707@callnetuk.com> References: <4CE16136.4060707@callnetuk.com> Message-ID: On Mon, 15 Nov 2010 16:35:02 +0000, you wrote: >The banks aren't going to give up on this. Barclays has just sent one to my son, after he lost his old, contactful one. He didn't ask for a contactless one, naturally. What's the technology behind it? A type of RFID? If so, what's to stop someone reading the card without your son knowing and/or making small transactions without his knowledge? regards Marcus From lists at internetpolicyagency.com Mon Nov 15 17:09:33 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Mon, 15 Nov 2010 17:09:33 +0000 Subject: Contactless bank cards In-Reply-To: <4CE16136.4060707@callnetuk.com> References: <4CE16136.4060707@callnetuk.com> Message-ID: <9YRECJtNlW4MFA8T@perry.co.uk> In article <4CE16136.4060707 at callnetuk.com>, Peter Mitchell writes >The banks aren't going to give up on this. Were we expecting them to? >Barclays has just sent one to my son, after he lost his old, contactful one. >He didn't ask for a contactless one, naturally. Reportedly all new Barclaycards have the RFID chip now. ps Their latest "rollercoaster" advert seems to have been shot in the USA. Are they supplying the cards there as well? -- Roland Perry From david at jellybaby.net Mon Nov 15 17:12:13 2010 From: david at jellybaby.net (David Walters) Date: Mon, 15 Nov 2010 17:12:13 +0000 Subject: Contactless bank cards In-Reply-To: References: <4CE16136.4060707@callnetuk.com> Message-ID: On Mon, Nov 15, 2010 at 5:06 PM, Marcus Williamson wrote: > On Mon, 15 Nov 2010 16:35:02 +0000, you wrote: > >>The banks aren't going to give up on this. Barclays has just sent one to my son, after he lost his old, contactful one. He didn't ask for a contactless one, naturally. > > What's the technology behind it? A type of RFID? Yes. > If so, what's to stop someone > reading the card without your son knowing and/or making small transactions without > his knowledge? Not much although the risk is partly mitigated by requiring a PIN every few transactions and capping individual transactions at ?15. I assume stolen or cloned credit cards are mostly used to withdraw cash or buy high value items that can be sold on which in theory you can't do with the data from the contactless bit. From lists at internetpolicyagency.com Mon Nov 15 17:49:53 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Mon, 15 Nov 2010 17:49:53 +0000 Subject: Contactless bank cards In-Reply-To: References: <4CE16136.4060707@callnetuk.com> Message-ID: In article , Marcus Williamson writes >What's the technology behind it? A type of RFID? Yes. >If so, what's to stop someone reading the card without your son knowing >and/or making small transactions without his knowledge? Surely you'd have to set up some sort of "man in the middle" between the card and one of the Paywave terminals[1]. Wouldn't that be a bit tricky in real time? [1] Either a hacked one, or a normal one with some sort of "RFID simulator" held on the outside. -- Roland Perry From pwt at iosis.co.uk Mon Nov 15 18:38:54 2010 From: pwt at iosis.co.uk (Peter Tomlinson) Date: Mon, 15 Nov 2010 18:38:54 +0000 Subject: Contactless bank cards In-Reply-To: References: <4CE16136.4060707@callnetuk.com> Message-ID: <4CE17E3E.9070707@iosis.co.uk> David Walters wrote: > On Mon, Nov 15, 2010 at 5:06 PM, Marcus Williamson > wrote: > >> On Mon, 15 Nov 2010 16:35:02 +0000, you wrote: >> >>> The banks aren't going to give up on this. Barclays has just sent one to my son, after he lost his old, contactful one. He didn't ask for a contactless one, naturally. >>> >> What's the technology behind it? A type of RFID? >> > > Yes. > >> If so, what's to stop someone >> reading the card without your son knowing and/or making small transactions without >> his knowledge? >> > Not much although the risk is partly mitigated by requiring a PIN > every few transactions and capping individual transactions at ?15. I > assume stolen or cloned credit cards are mostly used to withdraw cash > or buy high value items that can be sold on which in theory you can't > do with the data from the contactless bit. These dual interface bank cards use a single microprocessor chip, similar to the chips used in contact-only bank cards, but enhanced by having both contact and contactless interface. The contactless interface complies with ISO/IEC 14443, which is the same RF standard used by Oyster and by the UK national spec bus concessionary travel cards - but importantly the bank cards use a secure microprocessor, and most of the bus passes use the Mifare Classic memory chips (but newly issued bus passes and Oyster cards use the next generation Mifare DESFire). Can you carry out bank card contactless transactions by stealth, without the card holder knowing and without having an EMV terminal? I don't know - but certainly you can power up the card and talk to it. Time for the Cambridge crew to join this thread... Peter From zenadsl6186 at zen.co.uk Mon Nov 15 18:46:18 2010 From: zenadsl6186 at zen.co.uk (Peter Fairbrother) Date: Mon, 15 Nov 2010 18:46:18 +0000 Subject: Contactless bank cards In-Reply-To: References: <4CE16136.4060707@callnetuk.com> Message-ID: <4CE17FFA.9020102@zen.co.uk> David Walters wrote: > On Mon, Nov 15, 2010 at 5:06 PM, Marcus Williamson > wrote: >> On Mon, 15 Nov 2010 16:35:02 +0000, you wrote: >> >>> The banks aren't going to give up on this. Barclays has just sent >>> one to my son, after he lost his old, contactful one. He didn't >>> ask for a contactless one, naturally. >> What's the technology behind it? A type of RFID? > > Yes. > >> If so, what's to stop someone reading the card without your son >> knowing and/or making small transactions without his knowledge? > > Not much although the risk whose risk? > is partly mitigated by requiring a PIN every few transactions and > capping individual transactions at ?15. I assume stolen or cloned > credit cards are mostly used to withdraw cash or buy high value items > that can be sold on which in theory you can't do with the data from > the contactless bit. Crook A sits beside machine doing ?10 transactions. He has a wireless connection to crook B, who wanders the busy Christmas shopping crowds with an antenna picking up signals and sending them to crook A .. e-pickpocketing! -- Peter Fairbrother From otcbn at callnetuk.com Mon Nov 15 22:24:07 2010 From: otcbn at callnetuk.com (Peter Mitchell) Date: Mon, 15 Nov 2010 22:24:07 +0000 Subject: Contactless bank cards In-Reply-To: References: <4CE16136.4060707@callnetuk.com> Message-ID: <4CE1B307.1070803@callnetuk.com> Roland Perry wrote on 15-11-10 17:49: > In article , Marcus > Williamson writes >> What's the technology behind it? A type of RFID? > > Yes. > >> If so, what's to stop someone reading the card without your son >> knowing and/or making small transactions without his knowledge? > > Surely you'd have to set up some sort of "man in the middle" between the > card and one of the Paywave terminals[1]. Presumably all you need is a dishonest retailer who is prepared to boost his turnover by executing an unauthorised transaction from someone's card every few minutes. The cardholder is unlikely to notice the rogue transaction on his bank statement; it is linked to a retail outlet he really has visited, so if he does notice it he probably reckons he really did do it and has since forgotten it. Especially since there will soon be hundreds of such transactions on his statement every month. In fact, thinking about it, I predict the next step: banks will soon stop listing card transactions under ?10 in value on the bank statement. Rather like phone companies don't itemise cheap calls. Once that's in place, we won't have to worry about these transactions at all. They'll be done "automagically", as IT fans like to say. Along with all those other *good* things. Has any bank customer ever *asked* the banks to make contactless card payments possible, I wonder? -- Pete Mitchell From marcus at connectotel.com Mon Nov 15 22:56:46 2010 From: marcus at connectotel.com (Marcus Williamson) Date: Mon, 15 Nov 2010 22:56:46 +0000 Subject: Contactless bank cards In-Reply-To: <4CE1B307.1070803@callnetuk.com> References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> Message-ID: On Mon, 15 Nov 2010 22:24:07 +0000, you wrote: >Has any bank customer ever *asked* the banks to make contactless card payments possible, I wonder? I asked the bank in December 2008 to deactivate the "contactless" system on my partner's Visa card, for security reasons. They refused to do so. The Visa "factsheet" about the contactless card can be found here: http://www.visaeurope.com/en/newsroom/factsheets.aspx regards Marcus From igb at batten.eu.org Tue Nov 16 07:31:36 2010 From: igb at batten.eu.org (Ian Batten) Date: Tue, 16 Nov 2010 07:31:36 +0000 Subject: Contactless bank cards In-Reply-To: <4CE1B307.1070803@callnetuk.com> References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> Message-ID: > The cardholder is unlikely to notice the rogue transaction on his bank statement; it is linked to a retail outlet he really has visited, so if he does notice it he probably reckons he really did do it and has since forgotten it. Especially since there will soon be hundreds of such transactions on his statement every month. I'm not sure any of that's entirely right. Firstly, as I think Ross pointed out, the step change in the arms race with fraudsters was when they realised that by not putting the card through their own machine, rather just taking the details, they removed the point of correlation between multiple victims. Any attack which relies on a corrupt merchant actually processing the transactions leaves that point of connection, so unless the skimmers content themselves with a handful of transactions (which, at ?10 each, seems a rather small crime) it will only take two or three people to notice out of hundreds for the merchant to be caught. And as the fraud requires the active connivance of the merchant, it's going to be hard for them to get out of criminal liability. > In fact, thinking about it, I predict the next step: banks will soon stop listing card transactions under ?10 in value on the bank statement. Rather like phone companies don't itemise cheap calls. Phone companies do itemise cheap calls. They don't necessarily itemise free/bundled calls, although most will on request. ian From otcbn at callnetuk.com Tue Nov 16 08:40:40 2010 From: otcbn at callnetuk.com (Peter Mitchell) Date: Tue, 16 Nov 2010 08:40:40 +0000 Subject: Contactless bank cards In-Reply-To: References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> Message-ID: <4CE24388.9060803@callnetuk.com> Ian Batten wrote on 16-11-10 07:31: >> The cardholder is unlikely to notice the rogue transaction on his >> bank statement; it is linked to a retail outlet he really has >> visited, so if he does notice it he probably reckons he really did >> do it and has since forgotten it. Especially since there will soon >> be hundreds of such transactions on his statement every month. > > I'm not sure any of that's entirely right. Firstly, as I think Ross > pointed out, the step change in the arms race with fraudsters was > when they realised that by not putting the card through their own > machine, rather just taking the details, they removed the point of > correlation between multiple victims. Any attack which relies on a > corrupt merchant actually processing the transactions leaves that > point of connection, so unless the skimmers content themselves with a > handful of transactions (which, at ?10 each, seems a rather small > crime) Not to my son, who is paid minimum wage. And the skimmers can milk the golden goose by concentrating on easy targets who will never notice the fraud; drunks, students, doddery old ladies who didn't even know their card was contactless. My son didn't notice it was contactless until I pointed it out. > it will only take two or three people to notice out of > hundreds for the merchant to be caught. For the reasons I stated above I do not believe that many customers will ever notice a rogue transaction a month after the event. And if someone does, how will he prove that he didn't authorise it? The banks, as we know, will deny that there is any possibility that the card is insecure, and will probably accuse the cardholder of fraud if he disagrees. Anyway, I don't think it is a good answer to say that the fraud will eventually be detected. By the time it has been detected, thousands of people will have been defrauded. The only customers who get their money back will be the ones who actually noticed phoney transactions; the vast majority will never know. > And as the fraud requires > the active connivance of the merchant, it's going to be hard for them > to get out of criminal liability. It needn't be the actual merchant doing it. It could be a dishonest till operator. You pocket cash out of the till, and make up the shortfall with phoney card transactions. All the merchant knows is that he has sold 1000 doughnuts today and taken a total of ?3,500 in cash and bank debits; he can't check how each doughnut was paid for. >> In fact, thinking about it, I predict the next step: banks will >> soon stop listing card transactions under ?10 in value on the bank >> statement. Rather like phone companies don't itemise cheap calls. > > Phone companies do itemise cheap calls. Mine (BT) doesn't list calls under 40p. > They don't necessarily > itemise free/bundled calls, although most will on request. Doing it only on request [on bank statements] is probably enough for many such frauds to succeed for a long time, since most people won't request it. -- Pete Mitchell From lists at internetpolicyagency.com Tue Nov 16 08:58:38 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Tue, 16 Nov 2010 08:58:38 +0000 Subject: Contactless bank cards In-Reply-To: <4CE1B307.1070803@callnetuk.com> References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> Message-ID: <9QdEAmG+ek4MFA8L@perry.co.uk> In article <4CE1B307.1070803 at callnetuk.com>, Peter Mitchell writes >Has any bank customer ever *asked* the banks to make contactless >card payments possible, I wonder? Oyster auto-topup comes into that category, albeit at one remove. -- Roland Perry From david at jellybaby.net Tue Nov 16 09:08:55 2010 From: david at jellybaby.net (David Walters) Date: Tue, 16 Nov 2010 09:08:55 +0000 Subject: Contactless bank cards In-Reply-To: <4CE24388.9060803@callnetuk.com> References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> Message-ID: On Tue, Nov 16, 2010 at 8:40 AM, Peter Mitchell wrote: >> And as the fraud requires >> the active connivance of the merchant, it's going to be hard for them >> to get out of criminal liability. > > It needn't be the actual merchant doing it. It could be a dishonest till > operator. You pocket cash out of the till, and make up the shortfall with > phoney card transactions. All the merchant knows is that he has sold 1000 > doughnuts today and taken a total of ?3,500 in cash and bank debits; he > can't check how each doughnut was paid for. Many years ago I had a Saturday job in a fairly old fashioned pet shop (lots of loose pet food sold by the lb in paper bags) and even then the boss knew how much cash he had taken and how much had been on credit cards. Although he didn't know how many bags of rabbit food he had sold. >> They don't necessarily >> itemise free/bundled calls, although most will on request. > > Doing it only on request [on bank statements] is probably enough for many > such frauds to succeed for a long time, since most people won't request it. I don't think any of the card companies are doing that though? I still get fully itemised statements. From david at jellybaby.net Tue Nov 16 09:14:25 2010 From: david at jellybaby.net (David Walters) Date: Tue, 16 Nov 2010 09:14:25 +0000 Subject: Contactless bank cards In-Reply-To: <4CE1B307.1070803@callnetuk.com> References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> Message-ID: On Mon, Nov 15, 2010 at 10:24 PM, Peter Mitchell wrote: > Has any bank customer ever *asked* the banks to make contactless card > payments possible, I wonder? I've applied for and received a card which I wanted because it offered contactless payments. I've also attempted to get the large supermarkets with self service checkouts to accept contactless payments although getting through to them seems impossible. "We already accept credit cards" But then I'm also the kind of person that keeps receipts and checks statements, I even did it while I was a drunk student. I'm currently about ?180 up on transactions made in shops that have never arrived on my statement. Trying to query one of those is impossible. From lists at internetpolicyagency.com Tue Nov 16 09:28:28 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Tue, 16 Nov 2010 09:28:28 +0000 Subject: Contactless bank cards In-Reply-To: <4CE24388.9060803@callnetuk.com> References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> Message-ID: In article <4CE24388.9060803 at callnetuk.com>, Peter Mitchell writes >>Any attack which relies on a >> corrupt merchant actually processing the transactions leaves that >> point of connection, so unless the skimmers content themselves with a >> handful of transactions (which, at ?10 each, seems a rather small >> crime) > >Not to my son, who is paid minimum wage. It's small to the criminal, not the victim. (I assume you don't mean that your son would be happy to defraud people ?10 at a time!) >> And as the fraud requires >> the active connivance of the merchant, it's going to be hard for them >> to get out of criminal liability. > >It needn't be the actual merchant doing it. It could be a dishonest >till operator. It's not clear to me how a merchant or till operator can "execute an unauthorised transaction". Won't the terminal simply refuse to process, if it's one of those random transactions where the punter needs a PIN? And I'm unsure whether it's technically possible to "skim" a paywave card and use that information to create a clone that can be used to buy things. >You pocket cash out of the till, and make up the shortfall with phoney >card transactions. All the merchant knows is that he has sold 1000 >doughnuts today and taken a total of ?3,500 in cash and bank debits; he >can't check how each doughnut was paid for. His EPOS system should tell him that. >>> In fact, thinking about it, I predict the next step: banks will >>> soon stop listing card transactions under ?10 in value on the bank >>> statement. Rather like phone companies don't itemise cheap calls. >> Phone companies do itemise cheap calls. > >Mine (BT) doesn't list calls under 40p. Maybe you need a different sort of bill - my BT bill starts at 0p (for some geographic calls) then 12p (for some short 0845 calls ) and so on, upwards. -- Roland Perry From nbohm at ernest.net Tue Nov 16 10:03:51 2010 From: nbohm at ernest.net (Nicholas Bohm) Date: Tue, 16 Nov 2010 10:03:51 +0000 Subject: Contactless bank cards In-Reply-To: References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> Message-ID: <4CE25707.9020104@ernest.net> Is the answer to keep contactless cards in the same tinfoil wallet you should use for RFID passports? Nicholas -- Contact and PGP key here From otcbn at callnetuk.com Tue Nov 16 10:28:02 2010 From: otcbn at callnetuk.com (Peter Mitchell) Date: Tue, 16 Nov 2010 10:28:02 +0000 Subject: Contactless bank cards In-Reply-To: References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> Message-ID: <4CE25CB2.6040501@callnetuk.com> David Walters wrote on 16-11-10 09:08: > On Tue, Nov 16, 2010 at 8:40 AM, Peter Mitchell wrote: >>> And as the fraud requires >>> the active connivance of the merchant, it's going to be hard for them >>> to get out of criminal liability. >> It needn't be the actual merchant doing it. It could be a dishonest till >> operator. You pocket cash out of the till, and make up the shortfall with >> phoney card transactions. All the merchant knows is that he has sold 1000 >> doughnuts today and taken a total of ?3,500 in cash and bank debits;he >> can't check how each doughnut was paid for. > > Many years ago I had a Saturday job in a fairly old fashioned pet shop > (lots of loose pet food sold by the lb in paper bags) and even then > the boss knew how much cash he had taken and how much had been on > credit cards. You've missed the point. Of course he knew that, but it doesn't help him spot that something is wrong. I will try to explain the fraud again, which is (or used to be) common in retailing. Suppose you, as pet shop assistant, on one particular day sell ?200 worth of rabbit food, of which ?150 was paid for in cash and ?50 by card. In your pocket you have some stolen debit cards along with their PINs. So you steal ?50 cash from the till and make the total takings back up to ?200 by putting through ?50 worth of debit card transactions. You are ?50 richer, the card owners are collectively ?50 poorer. The shop owner never knows, his EPOS only shows him that he has received a total of ?200 in various forms. If he does a stock check he will find that ?200 worth of rabbit food has disappeared from his shelves, just as it should have done. The same fraud can be done even more easily with contactless cards where the PIN is not needed. It can't be detected by an EPOS unless every item is barcoded and scanned as it is sold, which in many retail outlets does not and cannot happen. Even if it does the shop assistant can sometimes work round it. > Although he didn't know how many bags of rabbit food he > had sold. > >>> They don't necessarily >>> itemise free/bundled calls, although most will on request. >> Doing it only on request [on bank statements] is probably enough for many >> such frauds to succeed for a long time, since most people won't request it. > > I don't think any of the card companies are doing that though? I still > get fully itemised statements. No. I was speculating on what they may choose to do in future. -- Pete Mitchell From otcbn at callnetuk.com Tue Nov 16 10:28:56 2010 From: otcbn at callnetuk.com (Peter Mitchell) Date: Tue, 16 Nov 2010 10:28:56 +0000 Subject: Contactless bank cards In-Reply-To: References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> Message-ID: <4CE25CE8.2050907@callnetuk.com> Roland Perry wrote on 16-11-10 09:28: > In article <4CE24388.9060803 at callnetuk.com>, Peter Mitchell > writes > >>> Any attack which relies on a >>> corrupt merchant actually processing the transactions leaves that >>> point of connection, so unless the skimmers content themselves with a >>> handful of transactions (which, at ?10 each, seems a rather small >>> crime) >> >> Not to my son, who is paid minimum wage. > > It's small to the criminal, not the victim. If the criminal is a shop assistant on minimum wage, then five fake transactions a day can double his income. >>> And as the fraud requires >>> the active connivance of the merchant, it's going to be hard for them >>> to get out of criminal liability. >> >> It needn't be the actual merchant doing it. It could be a dishonest >> till operator. > > It's not clear to me how a merchant or till operator can "execute an > unauthorised transaction". Won't the terminal simply refuse to process, > if it's one of those random transactions where the punter needs a PIN? Yes, but only in that special case. All other transactions will go through automatically. If the terminal refuses to process it without a PIN, the shop assistant simply cancels the transaction. No-one ever knows. I suppose the system could be set up to ring alarm bells whenever this happens, but will it be? > And I'm unsure whether it's technically possible to "skim" a paywave > card and use that information to create a clone that can be used to buy > things. I wasn't thinking of skimming and cloning but of remotely reading genuinecards in people's pockets or handbags. >> You pocket cash out of the till, and make up the shortfall with phoney >> card transactions. All the merchant knows is that he has sold 1000 >> doughnuts today and taken a total of ?3,500 in cash and bank debits; >> he can't check how each doughnut was paid for. > > His EPOS system should tell him that. How? >>>> In fact, thinking about it, I predict the next step: banks will >>>> soon stop listing card transactions under ?10 in value on the bank >>>> statement. Rather like phone companies don't itemise cheap calls. >>> Phone companies do itemise cheap calls. >> >> Mine (BT) doesn't list calls under 40p. > > Maybe you need a different sort of bill It doesn't matter what I personally need - I was simply pointing out that Ian's statement was incorrect. -- Pete Mitchell From igb at batten.eu.org Tue Nov 16 10:32:07 2010 From: igb at batten.eu.org (Ian Batten) Date: Tue, 16 Nov 2010 10:32:07 +0000 Subject: Contactless bank cards In-Reply-To: <4CE24388.9060803@callnetuk.com> References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> Message-ID: >> , at ?10 each, seems a rather small >> crime) > > Not to my son, who is paid minimum wage. I don't mean to the victim, I mean to the perpetrators, given the complexity of the undertaking. To people interested in contactless cards, there's a tacit assumption that criminals will attack them if they are attackable. In reality, criminals will only attack them if the risk/reward and effort/reward outweighs other crimes they might commit: this is the sort of crime that implies rational actors, not people doin' thrill-seeker liquor store holdups with a "Born to Lose" tattoo on their chest. > > It needn't be the actual merchant doing it. It could be a dishonest till operator. You pocket cash out of the till, and make up the shortfall with phoney card transactions. All the merchant knows is that he has sold 1000 doughnuts today and taken a total of ?3,500 in cash and bank debits; he can't check how each doughnut was paid for. I can't think of any shop keeper who wouldn't spot that immediately. In small places, the till is separate to the pos system, so the till will come up short. In larger places, the pos system balances them separately. ian From fjmd1a at gmail.com Tue Nov 16 10:37:26 2010 From: fjmd1a at gmail.com (Francis Davey) Date: Tue, 16 Nov 2010 10:37:26 +0000 Subject: Contactless bank cards In-Reply-To: <4CE25CB2.6040501@callnetuk.com> References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> <4CE25CB2.6040501@callnetuk.com> Message-ID: On 16 November 2010 10:28, Peter Mitchell wrote: > Suppose you, as pet shop assistant, on one particular day sell ?200 worth of > rabbit food, of which ?150 was paid for in cash and ?50 by card. In your > pocket you have some stolen debit cards along with their PINs. So you steal > ?50 cash from the till and make the total takings back up to ?200 by putting > through ?50 worth of debit card transactions. You are ?50 richer, the card > owners are collectively ?50 poorer. The shop owner never knows, his EPOS > only shows him that he has received a total of ?200 in various forms. If he > does a stock check he will find that ?200 worth of rabbit food has > disappeared from his shelves, just as it should have done. > I (as a lawyer) have been involved in cases of "double keying" where the assistant makes unauthorised cashback payments which they pocket - the customer being poorer and the retailer being unaware unless and until customers complain (after the fact it can be difficult to trace the assistant(s) involved). > The same fraud can be done even more easily with contactless cards where the > PIN is not needed. It can't be detected by an EPOS unless every item is > barcoded and scanned as it is sold, which in many retail outlets does not > and cannot happen. Even if it does the shop assistant can sometimes work > round it. > Actually my first worry on seeing these things advertised was something entirely legal. Along the lines of an unobtrusive sign saying "entrance fee ?5" or something like that. Auto charge people as they walk in (does contactless have that range? Or will it) and then have plausible deniability for a criminal charge. Obviously some customers will complain and have a reasonable argument for restitution of the sum taken, but who cares. More complex and similar scams involving relatively obscure surcharges and so on can also be carried out. -- Francis Davey From igb at batten.eu.org Tue Nov 16 10:38:52 2010 From: igb at batten.eu.org (Ian Batten) Date: Tue, 16 Nov 2010 10:38:52 +0000 Subject: Contactless bank cards In-Reply-To: <4CE25CB2.6040501@callnetuk.com> References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> <4CE25CB2.6040501@callnetuk.com> Message-ID: > > Suppose you, as pet shop assistant, on one particular day sell ?200 worth of rabbit food, of which ?150 was paid for in cash and ?50 by card. In your pocket you have some stolen debit cards along with their PINs. So you steal ?50 cash from the till and make the total takings back up to ?200 by putting through ?50 worth of debit card transactions. Unless you can reliably operate the till in privacy, with the ability to pre-spot stupid customers, you're going to get caught. I assume some scam like this is behind the big sign at the pasty place in Euston Station that "if we don't give you a receipt, your food is free". You're going to need to pocket money as it comes over the counter, and not issue a receipt. You're going to have to do that without opening the till, because each time you do that it's logged (and you can't usually open the till without an open transaction). ian From igb at batten.eu.org Tue Nov 16 10:41:41 2010 From: igb at batten.eu.org (Ian Batten) Date: Tue, 16 Nov 2010 10:41:41 +0000 Subject: Contactless bank cards In-Reply-To: <4CE25CE8.2050907@callnetuk.com> References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> <4CE25CE8.2050907@callnetuk.com> Message-ID: <82379AD8-F5F7-433F-8966-633D54BB8162@batten.eu.org> >>> >> His EPOS system should tell him that. > > How? It breaks down transactions by payment type. It'll say "?300 cards, ?600 cash". And if there's not ?600 in the till, there's a problem. Oddly enough, large EPOS systems have been subject to attempted fraud before. The old favourite was getting a crooked till assistant to accept stolen cheques in exchange for cash from the till, which is the same route you're trying to use. > >>>>> In fact, thinking about it, I predict the next step: banks will >>>>> soon stop listing card transactions under ?10 in value on the bank >>>>> statement. Rather like phone companies don't itemise cheap calls. >>>> Phone companies do itemise cheap calls. >>> >>> Mine (BT) doesn't list calls under 40p. >> Maybe you need a different sort of bill > > It doesn't matter what I personally need - I was simply pointing out that Ian's statement was incorrect. If we're playing pedant, "There are phone companies that do itemise cheap calls". Vodafone do, for example: my bill is fully itemised, even though I make no off-contract calls. ian From lists at internetpolicyagency.com Tue Nov 16 10:39:54 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Tue, 16 Nov 2010 10:39:54 +0000 Subject: Contactless bank cards In-Reply-To: <4CE25707.9020104@ernest.net> References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> <4CE25707.9020104@ernest.net> Message-ID: In article <4CE25707.9020104 at ernest.net>, Nicholas Bohm writes >Is the answer to keep contactless cards in the same tinfoil wallet you >should use for RFID passports? There are metal business-card holders (often used as gifts) which would be ideal. -- Roland Perry From david at jellybaby.net Tue Nov 16 10:55:25 2010 From: david at jellybaby.net (David Walters) Date: Tue, 16 Nov 2010 10:55:25 +0000 Subject: Contactless bank cards In-Reply-To: <82379AD8-F5F7-433F-8966-633D54BB8162@batten.eu.org> References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> <4CE25CE8.2050907@callnetuk.com> <82379AD8-F5F7-433F-8966-633D54BB8162@batten.eu.org> Message-ID: On Tue, Nov 16, 2010 at 10:41 AM, Ian Batten wrote: >>>> >>> His EPOS system should tell him that. >> >> How? > > It breaks down transactions by payment type. ?It'll say "?300 cards, ?600 cash". ?And if there's not ?600 in the till, there's a problem. ?Oddly enough, large EPOS systems have been subject to attempted fraud before. ?The old favourite was getting a crooked till assistant to accept stolen cheques in exchange for cash from the till, which is the same route you're trying to use. As Peter points out that requires the shop assistant to press the right button when taking payment. If someone buys ?3.50 of rabbit food and gives me cash then I can pocket it while putting through a card transaction and the till will still be correct. It requires a fair amount of slight of hand for the customer to not spot it, especially if they need change, although they are unlikely to be watching very closely. From igb at batten.eu.org Tue Nov 16 10:59:15 2010 From: igb at batten.eu.org (Ian Batten) Date: Tue, 16 Nov 2010 10:59:15 +0000 Subject: Contactless bank cards In-Reply-To: <82379AD8-F5F7-433F-8966-633D54BB8162@batten.eu.org> References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> <4CE25CE8.2050907@callnetuk.com> <82379AD8-F5F7-433F-8966-633D54BB8162@batten.eu.org> Message-ID: <975AA370-8E7E-46E4-A505-B6257A4DA449@batten.eu.org> On 16 Nov 2010, at 10:41, Ian Batten wrote: >>>> >>> His EPOS system should tell him that. >> >> How? > > It breaks down transactions by payment type. It'll say "?300 cards, ?600 cash". And if there's not ?600 in the till, there's a problem. Oddly enough, large EPOS systems have been subject to attempted fraud before. The old favourite was getting a crooked till assistant to accept stolen cheques in exchange for cash from the till, which is the same route you're trying to use. Oh, and by the way: ever wondered why shops are so keen on ".99" prices? Unless someone carries a lot of loose change, it means the till has to be opened for every transaction. Unless you operate a shop which prices everything in round pounds (round 10 pounds, probably, given that university cashpoints seem to be the last place on earth that issue fivers), people who pay cash (who you need for your fraud to work) are going to have to be prepared to either not have any change, take their change from the pile you keep beside the till or you're going to have to open the till. What transaction are you going to ring up to do that, exactly? At best, your scheme allows you to replace a transaction from a customer who pays the exact price and doesn't want a receipt with a hooky card transaction, until late in the evening when there isn't enough cash in the till and you get sacked. And even that's assuming you can spot people who are going to pay the exact amount before you ring it up on the till: in practice, people look at the amount and compare it with the shrapnel they want to get rid of. You'll have to find a way to say "that'll be ten quid mate" and take the money without opening the till, without anyone else (and shops with lone workers tend to have CCTV for H&S reasons) noticing. You might be able to do it if you're a sole proprietor, I guess. ian From igb at batten.eu.org Tue Nov 16 11:03:46 2010 From: igb at batten.eu.org (Ian Batten) Date: Tue, 16 Nov 2010 11:03:46 +0000 Subject: Contactless bank cards In-Reply-To: References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> <4CE25CE8.2050907@callnetuk.com> <82379AD8-F5F7-433F-8966-633D54BB8162@batten.eu.org> Message-ID: On 16 Nov 2010, at 10:55, David Walters wrote: > It requires a fair amount of slight of hand for the > customer to not spot it, especially if they need change, although they > are unlikely to be watching very closely. It also requires that no-one, ever, looks at receipts or CCTV tapes. Because the receipt handed to the customer is evidence of the fraud. OK, after the fact they might realise that the card being skimmed isn't theirs, but will no-one, at all, notice? ian From david at jellybaby.net Tue Nov 16 11:12:57 2010 From: david at jellybaby.net (David Walters) Date: Tue, 16 Nov 2010 11:12:57 +0000 Subject: Contactless bank cards In-Reply-To: References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> <4CE25CE8.2050907@callnetuk.com> <82379AD8-F5F7-433F-8966-633D54BB8162@batten.eu.org> Message-ID: On Tue, Nov 16, 2010 at 11:03 AM, Ian Batten wrote: > On 16 Nov 2010, at 10:55, David Walters wrote: >> ?It requires a fair amount of slight of hand for the >> customer to not spot it, especially if they need change, although they >> are unlikely to be watching very closely. > > It also requires that no-one, ever, looks at receipts I don't think many customers take receipts for small value cash transactions. Even supermarkets [1] have stopped issuing them automatically. > or CCTV tapes. I'm fairly sure those are only looked at when there is already suspicion of a crime. > but will no-one, at all, notice? I think you are right that someone will notice sooner or later and that is where having the cap on contactless transactions helps. You can't make a perfect system but you can make one where the risks are high enough that they outweigh the rewards. But perhaps I'm just naive and will be very annoyed when I'm hit and the bank calls me a liar. [1] The Sainsburys Local I sometimes buy lunch from anyway. From matthew at pemble.net Tue Nov 16 10:49:53 2010 From: matthew at pemble.net (Matthew Pemble) Date: Tue, 16 Nov 2010 10:49:53 +0000 Subject: Contactless bank cards In-Reply-To: References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> <4CE25CB2.6040501@callnetuk.com> Message-ID: On 16 November 2010 10:38, Ian Batten wrote: > > I assume some scam like this is behind the big sign at the pasty place in Euston Station that "if we don't give you a receipt, your food is free". > You're going to need to pocket money as it comes over the counter, and not issue a receipt. I think the problem in this particular case is that it is difficult to estimate the difference between spoilage waste (because the food doesn't survive being heated that long) and food sold but not recorded as such. -- Matthew Pemble From ukcrypto at airburst.co.uk Tue Nov 16 11:11:22 2010 From: ukcrypto at airburst.co.uk (Mark Cottle) Date: Tue, 16 Nov 2010 11:11:22 -0000 Subject: Stumbled upon IMP FOI doc (WAS: Consultation on change to RIP interception definition) In-Reply-To: <008e01cb81a7$fd092e70$f71b8b50$@net> References: Message-ID: <4CE266DA.28329.54678D@ukcrypto.airburst.co.uk> On 11 Nov 2010 at 13:54, James Firth wrote: > Ian Batten wrote: > > > On 10 Nov 2010, at 09:58, Richard Clayton wrote: > > > > > lawful-intercep/ripa-amend-effect-lawful-incep > > > > While searching on the website to try to deal with the mangling of the > > URL I stumbled on this: > > > > http://www.homeoffice.gov.uk/about-us/freedom-of-information/released- > > information1/foi-archive- > > crime/12307_docs_used_prep_APPG_IMP/12307_1_docs_prep_APPG_IMP?view=Bin > > ary > > > Does anyone have any idea as to the date for this FOI-released document? > > > James Firth > > Document properties indicated it was created 9 November 2009. I don't know how reliable that is. It has the look of something assembled by the H.O. press office. From k.brown at bbk.ac.uk Tue Nov 16 13:56:33 2010 From: k.brown at bbk.ac.uk (ken) Date: Tue, 16 Nov 2010 13:56:33 +0000 Subject: Contactless bank cards In-Reply-To: <975AA370-8E7E-46E4-A505-B6257A4DA449@batten.eu.org> References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> <4CE25CE8.2050907@callnetuk.com> <82379AD8-F5F7-433F-8966-633D54BB8162@batten.eu.org> <975AA370-8E7E-46E4-A505-B6257A4DA449@batten.eu.org> Message-ID: <4CE28D91.6080804@bbk.ac.uk> On 16/11/2010 10:59, Ian Batten wrote: > ... people who pay > cash (who you need for your fraud to work) are going to > have to be prepared to either not have any change, take > their change from the pile you keep beside the till... Both common in local pubs and cafes. Sometimes the bar staff stack up orders in their head, deliver the drinks, then collect the money afterwards from the customers in turn. Also you see cusomers leave money on the bar, walk off, and come back later to pick up the change. And cafes often have small plates where customers leave small change as tips, so there really is a pile of pennies beside the till. (though not, in England, pubs - isn't culture weird?) "A pint when you're ready, guv?" "Keep the change!" "One for yourself?". In more formal sit-down restaurants with waiter service the till is usually out of sight of the customers, so they have no idea what is cashed up. And in some places waiters carry around small bags of cash to make small change. Corner shops too. Its quite common for a few pennies either way to be ignored - if the bill comes to five pounds and a few pence they's say just give me a fiver, if its just less I might walk off without the change. And even people who check receipts carefully (I usually don't even take it) are likely to look at the amounts, not the payment method (assuming its even on there) It all depends on trust I suppose. These things work as long as the managers and staff and customers either know each other, or are willing to accept small discrepancies as the cost of doing that kind of business. And is probably the reason that the landlady of our local seems to spend hours every day going through the till and the till roll and the stocktake, just in case. From igb at batten.eu.org Tue Nov 16 14:11:38 2010 From: igb at batten.eu.org (Ian Batten) Date: Tue, 16 Nov 2010 14:11:38 +0000 Subject: Contactless bank cards In-Reply-To: <4CE28D91.6080804@bbk.ac.uk> References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> <4CE25CE8.2050907@callnetuk.com> <82379AD8-F5F7-433F-8966-633D54BB8162@batten.eu.org> <975AA370-8E7E-46E4-A505-B6257A4DA449@batten.eu.org> <4CE28D91.6080804@bbk.ac.uk> Message-ID: <7EA9009B-E1EA-4258-BEC8-6EB14E54B1D9@batten.eu.org> On 16 Nov 10, at 1356, ken wrote: > On 16/11/2010 10:59, Ian Batten wrote: > > > ... people who pay > > cash (who you need for your fraud to work) are going to > > have to be prepared to either not have any change, take > > their change from the pile you keep beside the till... > > Both common in local pubs and cafes. Sometimes the bar staff stack up orders in their head, deliver the drinks, then collect the money afterwards from the customers in turn. But such places aren't doing much in the way of credit card transactions, so aren't targets for this. As soon as they are, they tend to get more formal systems. I noticed in a music venue I was in recently that the staff had tiny barcode readers and there was a barcode next to each item. > > Also you see cusomers leave money on the bar, walk off, and come back later to pick up the change. And cafes often have small plates where customers leave small change as tips, so there really is a pile of pennies beside the till. (though not, in England, pubs - isn't culture weird?) But you'd be pretty surprised if the cashier took money from the tip bowl to give you your change, wouldn't you? > > In more formal sit-down restaurants with waiter service the till is usually out of sight of the customers, so they have no idea what is cashed up. Doing a fraud that relies on the punters not checking their receipts in a restaurant would be an incredibly high-risk undertaking, as all sorts of people claim their meals against either expenses or tax. Restaurants are one of the places where people _do_ check receipts, either because they're claiming them or because they're going to divvy it up amongst friends. > > And is probably the reason that the landlady of our local seems to spend hours every day going through the till and the till roll and the stocktake, just in case. > When my wife was the business manager for a branch in Stratford-upon-Avon, a lot of her customers were restaurants and pubs. She said that she got a crash course in fraud from talking to the proprietors. The main fraud was far simpler than is being described here: you simply give your friends free food and drinks, or charge them only a notional sum. ian From tharg at gmx.net Tue Nov 16 14:30:57 2010 From: tharg at gmx.net (Caspar Bowden (travelling private e-mail)) Date: Tue, 16 Nov 2010 15:30:57 +0100 Subject: Brussels 3rd Dec - Commission Data Retention conference http://www.dataretention2010.net Message-ID: <004001cb859a$e58668c0$b0933a40$@gmx.net> The issue is http://en.wikipedia.org/wiki/Telecommunications_data_retention#European_Unio n Brussels 3rd Dec : http://www.dataretention2010.net/ (the "Documentation" tab is currently blank, but try http://www.vorratsdatenspeicherung.de/images/Commission_Data-Retention-Discu ssion-Paper_10-2010.pdf) From lists at internetpolicyagency.com Tue Nov 16 14:59:43 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Tue, 16 Nov 2010 14:59:43 +0000 Subject: Contactless bank cards In-Reply-To: <975AA370-8E7E-46E4-A505-B6257A4DA449@batten.eu.org> References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> <4CE25CE8.2050907@callnetuk.com> <82379AD8-F5F7-433F-8966-633D54BB8162@batten.eu.org> <975AA370-8E7E-46E4-A505-B6257A4DA449@batten.eu.org> Message-ID: In article <975AA370-8E7E-46E4-A505-B6257A4DA449 at batten.eu.org>, Ian Batten writes >You'll have to find a way to say "that'll be ten quid mate" and take >the money without opening the till, without anyone else (and shops >with lone workers tend to have CCTV for H&S reasons) noticing. >You might be able to do it if you're a sole proprietor, I guess. Digressing slightly, but one of the corner shop convenience stores near me often appears to operate with the till draw open, giving change without ringing anything up. Not recommended for many reasons. -- Roland Perry From lists at internetpolicyagency.com Tue Nov 16 15:04:23 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Tue, 16 Nov 2010 15:04:23 +0000 Subject: Contactless bank cards In-Reply-To: <4CE25CB2.6040501@callnetuk.com> References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> <4CE25CB2.6040501@callnetuk.com> Message-ID: In article <4CE25CB2.6040501 at callnetuk.com>, Peter Mitchell writes >The same fraud can be done even more easily with contactless cards >where the PIN is not needed. You seem to be assuming that somehow the thief has cloned one of these cards. We need to discuss the engineering of that, before speculating how such a cloned card might be exploited. -- Roland Perry From lists at internetpolicyagency.com Tue Nov 16 15:07:52 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Tue, 16 Nov 2010 15:07:52 +0000 Subject: Contactless bank cards In-Reply-To: <4CE25CB2.6040501@callnetuk.com> References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> <4CE25CB2.6040501@callnetuk.com> Message-ID: In article <4CE25CB2.6040501 at callnetuk.com>, Peter Mitchell writes >So you steal ?50 cash from the till and make the total takings back up >to ?200 by putting through ?50 worth of debit card transactions. In most shops my observation (from the customer side of the till) is that to "put through" a card transaction you first need to ring up a sale on the till, and then link that transaction to the C&P terminal. You can't just "invent" a transaction out of thin air (the way you used to be able to with carbon paper receipts and the mechanical swipe machines). -- Roland Perry From lists at internetpolicyagency.com Tue Nov 16 15:11:26 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Tue, 16 Nov 2010 15:11:26 +0000 Subject: Contactless bank cards In-Reply-To: References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> <4CE25CB2.6040501@callnetuk.com> Message-ID: <9dVUDsEe8p4MFAsN@perry.co.uk> In article , Francis Davey writes >Actually my first worry on seeing these things advertised was >something entirely legal. Along the lines of an unobtrusive sign >saying "entrance fee ?5" or something like that. Auto charge people as >they walk in (does contactless have that range? Or will it) I've never actually found a machine to try my card out upon. But the Oyster pads in London require the card to be pretty much out of a wallet and touching the surface. Similarly the RFID cards used on the buses in Nottingham. The technology is dozens of order of magnitude away from scanning the bus pass in the passenger's pocket as he gets on board. -- Roland Perry From lists at internetpolicyagency.com Tue Nov 16 15:15:56 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Tue, 16 Nov 2010 15:15:56 +0000 Subject: Contactless bank cards In-Reply-To: References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> <4CE25CB2.6040501@callnetuk.com> Message-ID: In article , Matthew Pemble writes >> I assume some scam like this is behind the big sign at the pasty place in Euston Station that "if we don't give you a receipt, your food is >>free". >> You're going to need to pocket money as it comes over the counter, and not issue a receipt. > >I think the problem in this particular case is that it is difficult to >estimate the difference between spoilage waste (because the food >doesn't survive being heated that long) and food sold but not recorded >as such. It seems to be a common procedure in many places run by SSP (which is almost all shops on stations irrespective of the brand name on the door). The Pumpkin buffet at Nottingham Station has a similar sign, and most of what they sell is pre-packaged. -- Roland Perry From lists at internetpolicyagency.com Tue Nov 16 15:21:44 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Tue, 16 Nov 2010 15:21:44 +0000 Subject: Contactless bank cards In-Reply-To: <4CE25CE8.2050907@callnetuk.com> References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> <4CE25CE8.2050907@callnetuk.com> Message-ID: In article <4CE25CE8.2050907 at callnetuk.com>, Peter Mitchell writes >If the criminal is a shop assistant on minimum wage, then five fake >transactions a day can double his income. And the cloned cards - they are free? >> And I'm unsure whether it's technically possible to "skim" a paywave >>card and use that information to create a clone that can be used to >>buy things. > >I wasn't thinking of skimming and cloning but of remotely reading >genuinecards in people's pockets or handbags. Oh really. Does the shop assistant have a ten foot diameter aerial and a megawatt transmitter, in order to read these cards? And you are expecting this fraud to take place by trying to read a card, from a random one of the people standing the queues??? >>> You pocket cash out of the till, and make up the shortfall with >>>phoney card transactions. All the merchant knows is that he has sold >>>1000 doughnuts today and taken a total of ?3,500 in cash and bank >>>debits; he can't check how each doughnut was paid for. >> His EPOS system should tell him that. > >How? Because the items are rung up by pressing buttons with "doughnut" written on them (this is why it takes so long, finding the right button) and then the assistant has to select "cash or card" to either open the drawer or activate the Card-pad. >>>>> In fact, thinking about it, I predict the next step: banks will >>>>> soon stop listing card transactions under ?10 in value on the bank >>>>> statement. Rather like phone companies don't itemise cheap calls. >>>> Phone companies do itemise cheap calls. >>> >>> Mine (BT) doesn't list calls under 40p. >> Maybe you need a different sort of bill > >It doesn't matter what I personally need It's a turn of phrase. >- I was simply pointing out that Ian's statement was incorrect. You sounded disappointed at only getting calls over 40p listed - or were you boasting that you've simplified your billing by accepting this restriction? Whichever it is, BT do have bills with all call itemised. -- Roland Perry From cybergibbons at gmail.com Tue Nov 16 15:24:02 2010 From: cybergibbons at gmail.com (Cybergibbons) Date: Tue, 16 Nov 2010 15:24:02 +0000 Subject: Contactless bank cards In-Reply-To: <9dVUDsEe8p4MFAsN@perry.co.uk> References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> <4CE25CB2.6040501@callnetuk.com> <9dVUDsEe8p4MFAsN@perry.co.uk> Message-ID: On 16 November 2010 15:11, Roland Perry wrote: > I've never actually found a machine to try my card out upon. But the Oyster > pads in London require the card to be pretty much out of a wallet and > touching the surface. Similarly the RFID cards used on the buses in > Nottingham. The technology is dozens of order of magnitude away from > scanning the bus pass in the passenger's pocket as he gets on board. There's a world of difference between the range of the readers used on barriers and the maximum possible range using specialist equipment. The barrier readers have a deliberately short range to avoid swiping by mistake and also to stop reliance on the pretty poor anti-collision in the Mifare cards. -- Andrew From lists at internetpolicyagency.com Tue Nov 16 16:51:23 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Tue, 16 Nov 2010 16:51:23 +0000 Subject: Contactless bank cards In-Reply-To: References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> <4CE25CB2.6040501@callnetuk.com> <9dVUDsEe8p4MFAsN@perry.co.uk> Message-ID: In article , Cybergibbons writes >> I've never actually found a machine to try my card out upon. But the Oyster >> pads in London require the card to be pretty much out of a wallet and >> touching the surface. Similarly the RFID cards used on the buses in >> Nottingham. The technology is dozens of order of magnitude away from >> scanning the bus pass in the passenger's pocket as he gets on board. > >There's a world of difference between the range of the readers used on >barriers and the maximum possible range using specialist equipment. >The barrier readers have a deliberately short range to avoid swiping >by mistake and also to stop reliance on the pretty poor anti-collision >in the Mifare cards. As Peter seems to be using the standard shop-terminal in his scenario, he's postulating that he can trigger a card in someone's pocket from many feet away, and have that respond loudly enough that the standard terminal can hear it. Thinking about it some more, isn't he going to have to amplify/relay the signals coming out of the terminal, as well, because the card has to be able to "hear" the terminal's chatter as well as the terminal hearing the card's. -- Roland Perry From ukcrypto at sourcetagged.ian.co.uk Tue Nov 16 17:41:47 2010 From: ukcrypto at sourcetagged.ian.co.uk (Ian Mason) Date: Tue, 16 Nov 2010 17:41:47 +0000 Subject: Consultation on change to RIP interception definition In-Reply-To: References: <4CDBBF17.3070209@iosis.co.uk> Message-ID: On 11 Nov 2010, at 20:47, Ian Batten wrote: > > On 11 Nov 2010, at 20:24, Mary Hawking wrote: > >> Does the owner of the account have the legal authority to give >> consent on >> behalf of all users of that account, > > No. That was the line BT tried to take with Phorm, and there's > not the beginning of a legal basis for it. If CSPs want to try > this, they should put wording into contracts with their customers > to attempt to impose obligations between their customers and > unspecified third parties who are not signatories to the contract, > and see how far it gets them. > > ian On the face of it that seems sane and straightforward. However, law is not always sane and straightforward. Under certain circumstances in English law third parties to contracts do have some rights and powers to interfere with the contract. It is not beyond belief that the courts could extend this concept in the name of equity to impose obligations on a third party. Unlikely, but not beyond belief. It would require a very tight and specific case to persuade a court to do so, but once it had happened I can see the idea creeping to cover more. For instance, I've signed many an NDA that requires me to impose conditions of confidentiality on third parties where I have a power to do so. I can quite see a court saying that if a third party, who was familiar with NDAs, came into possession of confidential information from me, knew that it was likely to be under NDA and I failed to impose said conditions on that third party, that a condition of confidentiality ought to have reasonably been inferred by said third party and therefore they a duty under the NDA contract despite not being a party to it. T'other Ian From ukcrypto at sourcetagged.ian.co.uk Tue Nov 16 17:46:25 2010 From: ukcrypto at sourcetagged.ian.co.uk (Ian Mason) Date: Tue, 16 Nov 2010 17:46:25 +0000 Subject: Contactless bank cards In-Reply-To: References: <4CE16136.4060707@callnetuk.com> Message-ID: <729CF33C-8148-4E32-B4D0-555830394C00@sourcetagged.ian.co.uk> On 15 Nov 2010, at 17:49, Roland Perry wrote: >> >> without his knowledge? > > Surely you'd have to set up some sort of "man in the middle" > between the card and one of the Paywave terminals[1]. Wouldn't that > be a bit tricky in real time? > No, search for "MIG in the middle". Ian From jon+ukcrypto at unequivocal.co.uk Tue Nov 16 16:39:33 2010 From: jon+ukcrypto at unequivocal.co.uk (Jon Ribbens) Date: Tue, 16 Nov 2010 16:39:33 +0000 Subject: Contactless bank cards In-Reply-To: References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> <4CE25CB2.6040501@callnetuk.com> Message-ID: <20101116163933.GL535@snowy.squish.net> On Tue, Nov 16, 2010 at 03:07:52PM +0000, Roland Perry wrote: > In most shops my observation (from the customer side of the till) is > that to "put through" a card transaction you first need to ring up a > sale on the till, and then link that transaction to the C&P terminal. > You can't just "invent" a transaction out of thin air (the way you used > to be able to with carbon paper receipts and the mechanical swipe > machines). Oh, well in small retailers my observation, and also as I understand it, reality, is that the merchant terminal is usually not connected to the till and you can put any number of transactions through without the till knowing anything about it. From marcus at connectotel.com Tue Nov 16 20:49:25 2010 From: marcus at connectotel.com (Marcus Williamson) Date: Tue, 16 Nov 2010 20:49:25 +0000 Subject: Contactless bank cards In-Reply-To: <729CF33C-8148-4E32-B4D0-555830394C00@sourcetagged.ian.co.uk> References: <4CE16136.4060707@callnetuk.com> <729CF33C-8148-4E32-B4D0-555830394C00@sourcetagged.ian.co.uk> Message-ID: On Tue, 16 Nov 2010 17:46:25 +0000, you wrote: >No, search for "MIG in the middle". Ah, that must be Kent Ertegrul of Phorm infamy... http://en.wikipedia.org/wiki/Kent_Ertugrul From clive at davros.org Tue Nov 16 20:26:20 2010 From: clive at davros.org (Clive D.W. Feather) Date: Tue, 16 Nov 2010 20:26:20 +0000 Subject: Contactless bank cards In-Reply-To: References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> <4CE25CB2.6040501@callnetuk.com> Message-ID: <20101116202620.GA66606@davros.org> Roland Perry said: > You can't just "invent" a transaction out of thin air (the way you used > to be able to with carbon paper receipts and the mechanical swipe > machines). Apropos of nothing in particular, I was in Madeira a few weeks ago. On our evening of arrival I used my credit card twice. The first time, for a few tens of euros, the machine was chip-and-pin. The second time, for several hundred euros, the seller used a paper multi-part form, placed it over my card, and ran a pen over it several times to impress the details on to the form. I haven't seen that in *years*. -- Clive D.W. Feather | If you lie to the compiler, Email: clive at davros.org | it will get its revenge. Web: http://www.davros.org | - Henry Spencer Mobile: +44 7973 377646 From tony.naggs at googlemail.com Wed Nov 17 01:49:27 2010 From: tony.naggs at googlemail.com (Tony Naggs) Date: Wed, 17 Nov 2010 01:49:27 +0000 Subject: Contactless bank cards In-Reply-To: References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> <4CE25CB2.6040501@callnetuk.com> Message-ID: On 16 November 2010 10:37, Francis Davey wrote: > Actually my first worry on seeing these things advertised was > something entirely legal. Along the lines of an unobtrusive sign > saying "entrance fee ?5" or something like that. Auto charge people as > they walk in (does contactless have that range? Or will it) and then > have plausible deniability for a criminal charge. Obviously some > customers will complain and have a reasonable argument for restitution > of the sum taken, but who cares. Contactless credit cards are very similar to Oyster cards, and standard readers have range of 2cm to 5cm or so. The radio power from the reader is powering the chip in the card. Actually the electric field carries the power, and as this follows an inverse square rule extending the range significantly is hard (requiring lots of copper and current). The Oyster card equivalents in Japan (Suica for local services in Tokyo) are also used for small payments at booths and vending machines for snacks & newspapers. This worked very well when I visited, and in the nearly 10 years it has been operating I have not heard of any major fraud incidents. Possible defenses include keeping your credit cards in a screened tin or wallet, or carrying detectors that light a warning LED when a field of the appropriate frequency is detected. Cheers, Tony -------------- next part -------------- An HTML attachment was scrubbed... URL: From maryhawking at tigers.demon.co.uk Wed Nov 17 06:08:17 2010 From: maryhawking at tigers.demon.co.uk (Mary Hawking) Date: Wed, 17 Nov 2010 06:08:17 -0000 Subject: Contactless bank cards In-Reply-To: <9dVUDsEe8p4MFAsN@perry.co.uk> References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com><4CE24388.9060803@callnetuk.com><4CE25CB2.6040501@callnetuk.com> <9dVUDsEe8p4MFAsN@perry.co.uk> Message-ID: <8D4C40BA964F435FAF6D5B60A74AAD1C@MaryPC> How robust is the RFID chip? At NEC, there are, apparently, electromagnets somewhere - and if you have one of those individually programmed hotel door cards, they get wiped - and have to be re-programmed before you can get into your room again. What would wipe an Oyster card? Mary Hawking -----Original Message----- From: Roland Perry [mailto:lists at internetpolicyagency.com] Sent: 16 November 2010 15:11 To: ukcrypto at chiark.greenend.org.uk Subject: Re: Contactless bank cards In article , Francis Davey writes >Actually my first worry on seeing these things advertised was >something entirely legal. Along the lines of an unobtrusive sign >saying "entrance fee ?5" or something like that. Auto charge people as >they walk in (does contactless have that range? Or will it) I've never actually found a machine to try my card out upon. But the Oyster pads in London require the card to be pretty much out of a wallet and touching the surface. Similarly the RFID cards used on the buses in Nottingham. The technology is dozens of order of magnitude away from scanning the bus pass in the passenger's pocket as he gets on board. -- Roland Perry From pwt at iosis.co.uk Wed Nov 17 07:17:43 2010 From: pwt at iosis.co.uk (Peter Tomlinson) Date: Wed, 17 Nov 2010 07:17:43 +0000 Subject: Contactless bank cards In-Reply-To: References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> <4CE25CB2.6040501@callnetuk.com> Message-ID: <4CE38197.2060403@iosis.co.uk> Tony Naggs wrote: > > On 16 November 2010 10:37, Francis Davey > wrote: > > Actually my first worry on seeing these things advertised was > something entirely legal. Along the lines of an unobtrusive sign > saying "entrance fee ?5" or something like that. Auto charge people as > they walk in (does contactless have that range? Or will it) and then > have plausible deniability for a criminal charge. Obviously some > customers will complain and have a reasonable argument for restitution > of the sum taken, but who cares. > > > Contactless credit cards are very similar to Oyster cards, and standard > readers have range of 2cm to 5cm or so. The radio power from the reader > is powering the chip in the card. Actually the electric field carries the > power, and as this follows an inverse square rule extending the range > significantly is hard (requiring lots of copper and current). > I always understood that using a coil in the card means that it is the magnetic component that transmits the power (a relatvely large area coil is used in nearly all ISO 14443 cards such as Oyster, the bus passes, and the contactless interface of these new style bank cards). In normal use, once you get away from very close proximity with the reader's aerial coil [1], I also understand that the power that can be transferred effectively falls off with the 4th power of distance [2] [3]. Peter [1] When very close, the model is that of an electrical transformer, albeit a rather lossy one. [2] I'm not here considering those atypical configurations suggested for snooping - e.g. beaming power to the card, detecting its response by monitoring the electrical field component. [3] There are two parts to the standard interface designs: in both terminal and card, a coil is used for both transmit and receive functions. The card transmits by changing the load that it imposes on the received field; the terminal receives by detecting the changing load on the transmitted field. From pwt at iosis.co.uk Wed Nov 17 07:22:37 2010 From: pwt at iosis.co.uk (Peter Tomlinson) Date: Wed, 17 Nov 2010 07:22:37 +0000 Subject: Contactless bank cards In-Reply-To: <8D4C40BA964F435FAF6D5B60A74AAD1C@MaryPC> References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com><4CE24388.9060803@callnetuk.com><4CE25CB2.6040501@callnetuk.com> <9dVUDsEe8p4MFAsN@perry.co.uk> <8D4C40BA964F435FAF6D5B60A74AAD1C@MaryPC> Message-ID: <4CE382BD.2060501@iosis.co.uk> Mary, are you sure that you are not thinking about mag stripe hotel cards? Like mag stripe transport tickets, electromagnets can corrupt those. However, very simple chip memory cards (not capable of having any authentication handshake) might be corrupted by interference effects from electronic equipment or even from the RF field generated by a spark. Peter Mary Hawking wrote: > How robust is the RFID chip? > At NEC, there are, apparently, electromagnets somewhere - and if you have > one of those individually programmed hotel door cards, they get wiped - and > have to be re-programmed before you can get into your room again. > What would wipe an Oyster card? > > Mary Hawking > > -----Original Message----- > From: Roland Perry [mailto:lists at internetpolicyagency.com] > Sent: 16 November 2010 15:11 > To: ukcrypto at chiark.greenend.org.uk > Subject: Re: Contactless bank cards > > In article > , Francis > Davey writes > >> Actually my first worry on seeing these things advertised was >> something entirely legal. Along the lines of an unobtrusive sign >> saying "entrance fee ?5" or something like that. Auto charge people as >> they walk in (does contactless have that range? Or will it) >> > > I've never actually found a machine to try my card out upon. But the > Oyster pads in London require the card to be pretty much out of a wallet > and touching the surface. Similarly the RFID cards used on the buses in > Nottingham. The technology is dozens of order of magnitude away from > scanning the bus pass in the passenger's pocket as he gets on board. > From igb at batten.eu.org Wed Nov 17 08:54:08 2010 From: igb at batten.eu.org (Ian Batten) Date: Wed, 17 Nov 2010 08:54:08 +0000 Subject: Contactless bank cards In-Reply-To: <20101116163933.GL535@snowy.squish.net> References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> <4CE25CB2.6040501@callnetuk.com> <20101116163933.GL535@snowy.squish.net> Message-ID: > > Oh, well in small retailers my observation, and also as I understand > it, reality, is that the merchant terminal is usually not connected to > the till and you can put any number of transactions through without > the till knowing anything about it. > But the purported fraud runs round in circles. We start off with, so far as I can say, an attack where the active party rings up a transaction to credit card but takes cash from the customer. They pocket the cash and then balance the books by making a fraudulent charge on someone's contactless card. I, and others, think this won't work for more than a few hours because the till will be short of cash. That the credit card terminal isn't linked to the till, as is indeed the case in small shops, makes the fraud harder, not easier: someone would have to ring credit transactions to balance the cash being stolen and, rather than being able to do so by hitting one button on the till, they'd have to use the unlinked machine. Keying the transaction. Without being spotted. Moreover, the whole point about contactless cards is that they are faster. I've used Suica (== Oyster) in Tokyo to pay for food and drink: every shop that does small transactions and is close to a station (ie, every shop) has them linked to their tills. If they weren't linked to the till, so you have to trigger a separate transaction by keying the details into a separate machine, the advantage of contactless evaporates. If someone's going to have to key details, then slotting the card into the machine is the least of anyone's problems. So I suspect that contactless cards will only operate in thin transaction machines (those hooked to a till, with no means to initiate a transaction other than from the till) rather than as standalone devices. ian From igb at batten.eu.org Wed Nov 17 09:01:19 2010 From: igb at batten.eu.org (Ian Batten) Date: Wed, 17 Nov 2010 09:01:19 +0000 Subject: Consultation on change to RIP interception definition In-Reply-To: References: <4CDBBF17.3070209@iosis.co.uk> Message-ID: <61AF1DCB-DFD0-41FA-B1B2-06F3FCD96D9E@batten.eu.org> > > For instance, I've signed many an NDA that requires me to impose conditions of confidentiality on third parties where I have a power to do so. I can quite see a court saying that if a third party, who was familiar with NDAs, came into possession of confidential information from me, knew that it was likely to be under NDA and I failed to impose said conditions on that third party, that a condition of confidentiality ought to have reasonably been inferred by said third party and therefore they a duty under the NDA contract despite not being a party to it. I'd be stunned if that line of reasoning were to work. The whole point about NDAs is that they are contracts between two parties. The argument "you" (I realise you're talking specultatively) are advancing is the argument of those crappy confidentiality boilerplates on email: that you should be obligated to someone else's confidentiality agreement in the event that they fail to deal with it themselves. Confidentiality is the responsibility of the parties involved in the NDA, and no-one else. In your hypothetical scenario, the problem resides with you: you signed a contract saying you wouldn't disclose information to people on whom you did not impose a similar agreement, and you failed. The people you signed the NDA with don't need to piss about suing third parties with speculative arguments, they can just sue you for breaching the NDA. ian From bakeryworms at gmail.com Wed Nov 17 07:58:36 2010 From: bakeryworms at gmail.com (mark sowerby) Date: Wed, 17 Nov 2010 07:58:36 +0000 Subject: Consultation on change to RIP interception definition In-Reply-To: References: <4CDBBF17.3070209@iosis.co.uk> Message-ID: Hi, Would that be a duty derived from the NDA or would it be a common law duty that they should infer from knowledge of the NDAs existance? Best Regards Mark On 16 Nov 2010 17:42, "Ian Mason" wrote: On 11 Nov 2010, at 20:47, Ian Batten wrote: > > On 11 Nov 2010, at 20:24, Mary Hawking wrote: > >>... On the face of it that seems sane and straightforward. However, law is not always sane and straightforward. Under certain circumstances in English law third parties to contracts do have some rights and powers to interfere with the contract. It is not beyond belief that the courts could extend this concept in the name of equity to impose obligations on a third party. Unlikely, but not beyond belief. It would require a very tight and specific case to persuade a court to do so, but once it had happened I can see the idea creeping to cover more. For instance, I've signed many an NDA that requires me to impose conditions of confidentiality on third parties where I have a power to do so. I can quite see a court saying that if a third party, who was familiar with NDAs, came into possession of confidential information from me, knew that it was likely to be under NDA and I failed to impose said conditions on that third party, that a condition of confidentiality ought to have reasonably been inferred by said third party and therefore they a duty under the NDA contract despite not being a party to it. T'other Ian -------------- next part -------------- An HTML attachment was scrubbed... URL: From fjmd1a at gmail.com Wed Nov 17 09:12:21 2010 From: fjmd1a at gmail.com (Francis Davey) Date: Wed, 17 Nov 2010 09:12:21 +0000 Subject: Consultation on change to RIP interception definition In-Reply-To: References: <4CDBBF17.3070209@iosis.co.uk> Message-ID: On 17 November 2010 07:58, mark sowerby wrote: > Hi, > Would that be a duty derived from the NDA or would it be a common law duty > that they should infer from knowledge of the NDAs existance? > To inject some legal knowledge on this specific point: equity (that is a branch of English law) has long recognised an action for "breach of confidence". If information is give to you which has the quality of confidence (so is the kind of thing you know you ought to keep confidential) in circumstances where there was an obligation to keep it confidential, then you have a duty to keep that confidence. If you breach it, a claim in equity may be made against you. This has nothing to do with any contractual relationship. The main use of an NDA is partly legal (to make it clear that an obligation of confidence was intended) and partly practical (so that the signer knows they are supposed to keep it confidential). This equitable development long pre-dates the common use of NDA's and has really next to nothing to do with contracts. A contract can certainly state that any third party has power over aspects of the contract. Quite a standard thing with arbitration and similar clauses where the parties to the contract permit a third party to determine disputes. Many contracts import information or values set by independent third parties who know nothing of them (eg bank rates). There's nothing odd about such a situation. -- Francis Davey From david at jellybaby.net Wed Nov 17 09:12:46 2010 From: david at jellybaby.net (David Walters) Date: Wed, 17 Nov 2010 09:12:46 +0000 Subject: Contactless bank cards In-Reply-To: References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> <4CE25CB2.6040501@callnetuk.com> <20101116163933.GL535@snowy.squish.net> Message-ID: On Wed, Nov 17, 2010 at 8:54 AM, Ian Batten wrote: > Moreover, the whole point about contactless cards is that they are faster. ?I've used Suica (== Oyster) in Tokyo to pay for food and drink: every shop that does small transactions and is close to a station (ie, every shop) has them linked to their tills. ?If they weren't linked to the till, so you have to trigger a separate transaction by keying the details into a separate machine, the advantage of contactless evaporates. ?If someone's going to have to key details, then slotting the card into the machine is the least of anyone's problems. ?So I suspect that contactless cards will only operate in thin transaction machines (those hooked to a till, with no means to initiate a transaction other than from the till) rather than as standalone devices. That isn't the case. I've made contactless transactions in places where the card terminal isn't linked to the till. Most National Trust tea rooms and my local Indian takeaway for example. David From igb at batten.eu.org Wed Nov 17 10:13:18 2010 From: igb at batten.eu.org (Ian Batten) Date: Wed, 17 Nov 2010 10:13:18 +0000 Subject: Consultation on change to RIP interception definition In-Reply-To: References: <4CDBBF17.3070209@iosis.co.uk> Message-ID: <0202628D-2600-4B85-8D83-01C818D09A92@batten.eu.org> > If you > breach it, a claim in equity may be made against you. And to the person to whom you gave the information? I thought not. > A contract can certainly state that any third party has power over > aspects of the contract. At their discretion, though. I could frame a contract in which I and my counter-party agree that if we have a dispute, we'll ask Francis Davey to adjudicate. But if we phone you up and demand an hour of your time, and you tell us to get stuffed, the contract between us can't compel you. A contract can of course refer to third parties, but surely it can't bind them to courses of action? Otherwise my wife and I have just signed a contract which says you're going to give us all your money. ian From fjmd1a at gmail.com Wed Nov 17 10:41:03 2010 From: fjmd1a at gmail.com (Francis Davey) Date: Wed, 17 Nov 2010 10:41:03 +0000 Subject: Consultation on change to RIP interception definition In-Reply-To: <0202628D-2600-4B85-8D83-01C818D09A92@batten.eu.org> References: <4CDBBF17.3070209@iosis.co.uk> <0202628D-2600-4B85-8D83-01C818D09A92@batten.eu.org> Message-ID: On 17 November 2010 10:13, Ian Batten wrote: > And to the person to whom you gave the information? ?I thought not. > They may well be in breach of confidence as well. It would depend on the circumstances. The point is it has nothing to do with any contractual agreement - which is a parallel consideration. > > At their discretion, though. ?I could frame a contract in which I and my counter-party agree that if we have a dispute, we'll ask Francis Davey to adjudicate. ?But if we phone you up and demand an hour of your time, and you tell us to get stuffed, the contract between us can't compel you. ? A contract can of course refer to third parties, but surely it can't bind them to courses of action? ?Otherwise my wife and I have just signed a contract which says you're going to give us all your money. > Yes of course. I don't see that I could have implied otherwise. As a general rule a stranger to a contact cannot be bound by it. There are some specific exceptions (such as privity of estate which allows tenants and landlords to be bound by an agreement made by earlier parties to the same lease). An ISP could certainly add a clause to its standard terms that permitted infants (or machines or animals)' actions to modify the agreement, so that a customer's children clicking a "YES" button could, if the contract were properly drafted, permit the ISP to do things it could otherwise not have done. The risk falling on the customer to make sure it did not happen unless they wished it to. Whether that is *fair* in the various senses of fair that are used in contract law, and in particular in consumer contact law, is another matter. It might be void for unfairness. That would depend on the circumstances. Whether it could amount to consent for any purpose (such as RIPA or the DPA or whatever) is doubtful I expect. -- Francis Davey From lists at internetpolicyagency.com Wed Nov 17 11:57:57 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Wed, 17 Nov 2010 11:57:57 +0000 Subject: Contactless bank cards In-Reply-To: <20101116163933.GL535@snowy.squish.net> References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> <4CE25CB2.6040501@callnetuk.com> <20101116163933.GL535@snowy.squish.net> Message-ID: <+wjEolnFN84MFAfx@perry.co.uk> In article <20101116163933.GL535 at snowy.squish.net>, Jon Ribbens writes >> In most shops my observation (from the customer side of the till) is >> that to "put through" a card transaction you first need to ring up a >> sale on the till, and then link that transaction to the C&P terminal. >> You can't just "invent" a transaction out of thin air (the way you used >> to be able to with carbon paper receipts and the mechanical swipe >> machines). > >Oh, well in small retailers my observation, and also as I understand >it, reality, is that the merchant terminal is usually not connected to >the till and you can put any number of transactions through without >the till knowing anything about it. As the terminal isn't touched by the merchant (unless it's a cordless one) how do they instruct it to initiate a transaction. Meanwhile, is there any such thing as a cordless (handheld, like in a restaurant) paywave terminal? -- Roland Perry From lists at internetpolicyagency.com Wed Nov 17 12:06:49 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Wed, 17 Nov 2010 12:06:49 +0000 Subject: Contactless bank cards In-Reply-To: <729CF33C-8148-4E32-B4D0-555830394C00@sourcetagged.ian.co.uk> References: <4CE16136.4060707@callnetuk.com> <729CF33C-8148-4E32-B4D0-555830394C00@sourcetagged.ian.co.uk> Message-ID: In article <729CF33C-8148-4E32-B4D0-555830394C00 at sourcetagged.ian.co.uk>, Ian Mason writes >> Surely you'd have to set up some sort of "man in the middle" >>between the card and one of the Paywave terminals[1]. Wouldn't that >>be a bit tricky in real time? > >No, search for "MIG in the middle". On one hand, are you being ironic? "One case history that unfortunately turns out to be unfounded is the story of the `Mig-in-the-middle' attack, pp 19-20... in September 2001, I learned from a former employee of the South African Communications Security Agency that the story is apocryphal." On the other... I'm seeking to understand what sort of technology you could surrupticiously invoke near someone's wallet, and also near a paywave terminal (and of course in between) which would provide a suitably faked conversation that the card could be debited. -- Roland Perry From lists at internetpolicyagency.com Wed Nov 17 12:10:56 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Wed, 17 Nov 2010 12:10:56 +0000 Subject: Contactless bank cards In-Reply-To: References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> <4CE25CB2.6040501@callnetuk.com> <20101116163933.GL535@snowy.squish.net> Message-ID: In article , David Walters writes >I've made contactless transactions in places where the card terminal >isn't linked to the till. Most National Trust tea rooms and my local >Indian takeaway for example Less than a tenner? Those are mighty cheap places to eat :) -- Roland Perry From jon+ukcrypto at unequivocal.co.uk Wed Nov 17 12:20:31 2010 From: jon+ukcrypto at unequivocal.co.uk (Jon Ribbens) Date: Wed, 17 Nov 2010 12:20:31 +0000 Subject: Contactless bank cards In-Reply-To: <+wjEolnFN84MFAfx@perry.co.uk> References: <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> <4CE25CB2.6040501@callnetuk.com> <20101116163933.GL535@snowy.squish.net> <+wjEolnFN84MFAfx@perry.co.uk> Message-ID: <20101117122031.GA2834@snowy.squish.net> On Wed, Nov 17, 2010 at 11:57:57AM +0000, Roland Perry wrote: > In article <20101116163933.GL535 at snowy.squish.net>, Jon Ribbens > writes >> Oh, well in small retailers my observation, and also as I understand >> it, reality, is that the merchant terminal is usually not connected to >> the till and you can put any number of transactions through without >> the till knowing anything about it. > > As the terminal isn't touched by the merchant (unless it's a cordless > one) how do they instruct it to initiate a transaction. My observation is that the terminal certainly is touched by the merchant, because they press buttons on it to enter the amount to be debited. Yes there are also integrated tills/terminals where they just press one button and it activates the terminal automatically, but I have seen that more often in larger shops or chains, whereas in small independent shops they tend to have the non-integrated type that the bank sells/rents to you when you open your merchant account. From david at jellybaby.net Wed Nov 17 12:30:24 2010 From: david at jellybaby.net (David Walters) Date: Wed, 17 Nov 2010 12:30:24 +0000 Subject: Contactless bank cards In-Reply-To: References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> <4CE25CB2.6040501@callnetuk.com> <20101116163933.GL535@snowy.squish.net> Message-ID: On Wed, Nov 17, 2010 at 12:10 PM, Roland Perry wrote: > In article , > David Walters writes >> >> I've made contactless transactions in places where the card terminal isn't >> linked to the till. Most National Trust tea rooms and my local Indian >> takeaway for example > > Less than a tenner? The contactless limit was raised to to ?15 about a year ago. The cynic in me thinks it will keep increasing until there is significant, to the banks, fraud and then they will freeze it and let inflation push the criminals elsewhere. > Those are mighty cheap places to eat :) I've always thought of National Trust tea rooms as fairly expensive places but they can just about manage a couple of cakes and teas for under ?15. Lunch for the whole family requires prior approval from the bank manager. From chl at clerew.man.ac.uk Wed Nov 17 13:20:34 2010 From: chl at clerew.man.ac.uk (Charles Lindsey) Date: Wed, 17 Nov 2010 13:20:34 -0000 Subject: Contactless bank cards In-Reply-To: <4CE24388.9060803@callnetuk.com> References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> Message-ID: On Tue, 16 Nov 2010 08:40:40 -0000, Peter Mitchell wrote: > Not to my son, who is paid minimum wage. And the skimmers can milk the > golden goose by concentrating on easy targets who will never notice the > fraud; drunks, students, doddery old ladies who didn't even know their > card was contactless. My son didn't notice it was contactless until I > pointed it out. How easy would it be to snip through the pickup loop on the card, without otherwise destroying the card's functionality? -- Charles?H.?Lindsey?---------At?Home,?doing?my?own?thing------------------------ Tel:?+44?161?436?6131? ???Web:?http://www.cs.man.ac.uk/~chl Email:?chl at clerew.man.ac.uk??????Snail:?5?Clerewood?Ave,?CHEADLE,?SK8?3JU,?U.K. PGP:?2C15F1A9??????Fingerprint:?73?6D?C2?51?93?A0?01?E7?65?E8?64?7E?14?A4?AB?A5 From lists at internetpolicyagency.com Wed Nov 17 14:28:12 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Wed, 17 Nov 2010 14:28:12 +0000 Subject: Contactless bank cards In-Reply-To: <20101117122031.GA2834@snowy.squish.net> References: <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> <4CE25CB2.6040501@callnetuk.com> <20101116163933.GL535@snowy.squish.net> <+wjEolnFN84MFAfx@perry.co.uk> <20101117122031.GA2834@snowy.squish.net> Message-ID: In article <20101117122031.GA2834 at snowy.squish.net>, Jon Ribbens writes >>> Oh, well in small retailers my observation, and also as I understand >>> it, reality, is that the merchant terminal is usually not connected to >>> the till and you can put any number of transactions through without >>> the till knowing anything about it. >> >> As the terminal isn't touched by the merchant (unless it's a cordless >> one) how do they instruct it to initiate a transaction. > >My observation is that the terminal certainly is touched by the >merchant, because they press buttons on it to enter the amount to be >debited. We clearly live in parallel universes, because I've never seen a merchant do that (other than for a cordless terminal). And I always take a close interest in what's going on with C&P transactions. >Yes there are also integrated tills/terminals where they just press >one button and it activates the terminal automatically, but I have >seen that more often in larger shops or chains, whereas in small >independent shops they tend to have the non-integrated type that >the bank sells/rents to you when you open your merchant account. Admittedly, I don't use a CC in small independent shops very often. But I did once report an off-licence for grabbing my card and swiping it behind the counter, as well as asking me to use the PIN pad. (The CC company issued me a new card immediately, and the shop went out of business about a year later). -- Roland Perry From david at jellybaby.net Wed Nov 17 14:46:25 2010 From: david at jellybaby.net (David Walters) Date: Wed, 17 Nov 2010 14:46:25 +0000 Subject: Contactless bank cards In-Reply-To: References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> Message-ID: On Wed, Nov 17, 2010 at 1:20 PM, Charles Lindsey wrote: > On Tue, 16 Nov 2010 08:40:40 -0000, Peter Mitchell > wrote: > >> Not to my son, who is paid minimum wage. And the skimmers can milk the >> golden goose by concentrating on easy targets who will never notice the >> fraud; drunks, students, doddery old ladies who didn't even know their card >> was contactless. My son didn't notice it was contactless until I pointed it >> out. > > How easy would it be to snip through the pickup loop on the card, without > otherwise destroying the card's functionality? Probably very easy. The loop is about 3mm from the top and bottom of the card and 5mm from the sides. A small cut would probably do the job and could be well away from the magnetic strip or chip. I'd test it if I could reliably pay with the thing, the sandwich shop reader was broken at lunchtime today. David From Andrew.Cormack at ja.net Wed Nov 17 14:50:42 2010 From: Andrew.Cormack at ja.net (Andrew Cormack) Date: Wed, 17 Nov 2010 14:50:42 +0000 Subject: Consultation on change to RIP interception definition ("unintentional interception") In-Reply-To: References: <4CDBBF17.3070209@iosis.co.uk> <0202628D-2600-4B85-8D83-01C818D09A92@batten.eu.org> Message-ID: Sorry to come back to this, but I've been trying to make sense (again, lacking any draft amended text) of what might constitute an "unintentional unlawful interception". And failing, so I hope someone here can help. The Act defines "A person intercepts a communication in the course of its transmission by means of a telecommunication system if, and only if, he- (a)so modifies or interferes with the system, or its operation, (b)so monitors transmissions made by means of the system, or (c)so monitors transmissions made by wireless telegraphy to or from apparatus comprised in the system, as to make some or all of the contents of the communication available, while being transmitted, to a person other than the sender or intended recipient of the communication." Presumably an "intentional" interception is one where I make the modification or do the monitoring deliberately? So is an unintentional interception one where I do it by mistake, or where I do nothing and it just happens? E.g. 1) postmaster attempts to re-direct a mis-addressed e-mail and puts a typo in the To: address? 2) postmaster does nothing, but a system fault results in all mails coming to him (yes, I've been there) 3) network manager runs a wireless sniffer to check a problem with his own network and picks up a packet from next door? 4) user turns on wifi card and receives packets from lots of wifi networks in addition to his own? 5) network manager uploads latest firmware to a network switch, thereby clearing its memory and turning it (for a while) into a broadcast hub? All seem to satisfy most of the requirements of the definition, but even a civil penalty seems a bit harsh for most of them... Andrew -- Andrew Cormack, Chief Regulatory Adviser, JANET(UK) Lumen House, Library Avenue, Harwell Science and Innovation Campus, Didcott. OX11 0SG UK Phone: +44 (0) 1235 822302 Blog: http://webmedia.company.ja.net/edlabblogs/regulatory-developments/ JANET, the UK's education and research network JANET(UK) is a trading name of The JNT Association, a company limited by guarantee which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG From matthew at pemble.net Wed Nov 17 15:10:11 2010 From: matthew at pemble.net (Matthew Pemble) Date: Wed, 17 Nov 2010 15:10:11 +0000 Subject: Consultation on change to RIP interception definition ("unintentional interception") In-Reply-To: References: <4CDBBF17.3070209@iosis.co.uk> <0202628D-2600-4B85-8D83-01C818D09A92@batten.eu.org> Message-ID: On 17 November 2010 14:50, Andrew Cormack wrote: > Sorry to come back to this, but I've been trying to make sense (again, lacking any draft amended text) of what might constitute an "unintentional unlawful interception". And failing, so I hope someone here can help. Does the current wording of the Act make it a strict liability offence? If not, then there must be mens rea. So, logically, you must have intended to implement the interception (or be negligent as to whether your act implemented an interception.) Therefore, for it to have been "unintentionally unlawful", what could apply? * A sincere but incorrect belief that the intention was lawful (including presentation to a techie of an apparently legal warrant that had been incorrectly processed)? * An attempt to implement a lawful interception (either through warrant or LBPR) which was incorrectly but not negligently applied and resulting in a too-wide or otherwise non-approved interception? Something else? > 1) postmaster attempts to re-direct a mis-addressed e-mail and puts a typo in the To: address? > 2) postmaster does nothing, but a system fault results in all mails coming to him (yes, I've been there) > 3) network manager runs a wireless sniffer to check a problem with his own network and picks up a packet from next door? > 4) user turns on wifi card and receives packets from lots of wifi networks in addition to his own? > 5) network manager uploads latest firmware to a network switch, thereby clearing its memory and turning it (for a while) into a broadcast hub? I think all these, but particularly 2 and 5, lack any mens rea. > All seem to satisfy most of the requirements of the definition, but even a civil penalty seems a bit harsh for most of them... I would think that 5, depending on the organisation's change management procedures, might be worth a strong word from their manager. Otherwise it all (unless the email in 1 was especially sensitive) falls into the "shit happens" category of IT issues. M. -- Matthew Pemble From lists at internetpolicyagency.com Wed Nov 17 15:24:40 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Wed, 17 Nov 2010 15:24:40 +0000 Subject: Consultation on change to RIP interception definition ("unintentional interception") In-Reply-To: References: <4CDBBF17.3070209@iosis.co.uk> <0202628D-2600-4B85-8D83-01C818D09A92@batten.eu.org> Message-ID: In article , Andrew Cormack writes >The Act defines >"A person intercepts a communication in the course of its transmission by means of a telecommunication system if, and only if, he- >(a)so modifies or interferes with the system, or its operation, >(b)so monitors transmissions made by means of the system, or >(c)so monitors transmissions made by wireless telegraphy to or from apparatus comprised in the system, >as to make some or all of the contents of the communication available, while being transmitted, to a person other than the sender or intended >recipient of the communication." > >Presumably an "intentional" interception is one where I make the modification or do the monitoring deliberately? So is an unintentional >interception one where I do it by mistake There was some discussion, when the Bill was being debated, about someone picking up a telephone extension (in a home, typically) and therefore "unintentionally" hearing the conversation. No doubt we could find analogies for this on data networks (indeed, the Goggle wifi sniffing is perhaps in this category). -- Roland Perry From jon+ukcrypto at unequivocal.co.uk Wed Nov 17 15:28:21 2010 From: jon+ukcrypto at unequivocal.co.uk (Jon Ribbens) Date: Wed, 17 Nov 2010 15:28:21 +0000 Subject: Contactless bank cards In-Reply-To: References: <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> <4CE25CB2.6040501@callnetuk.com> <20101116163933.GL535@snowy.squish.net> <+wjEolnFN84MFAfx@perry.co.uk> <20101117122031.GA2834@snowy.squish.net> Message-ID: <20101117152821.GC2834@snowy.squish.net> On Wed, Nov 17, 2010 at 02:28:12PM +0000, Roland Perry wrote: > We clearly live in parallel universes, because I've never seen a > merchant do that (other than for a cordless terminal). And I always take > a close interest in what's going on with C&P transactions. You must indeed truly be living in a parallel dimension if your world does not contain stand-alone PDQ machines. Plus I guess you've never been to a restaurant. http://www.barclaycard.co.uk/business/existing-customers/mypdq/ From Andrew.Cormack at ja.net Wed Nov 17 15:38:11 2010 From: Andrew.Cormack at ja.net (Andrew Cormack) Date: Wed, 17 Nov 2010 15:38:11 +0000 Subject: Consultation on change to RIP interception definition ("unintentional interception") In-Reply-To: References: <4CDBBF17.3070209@iosis.co.uk> <0202628D-2600-4B85-8D83-01C818D09A92@batten.eu.org> Message-ID: Hi Matthew > -----Original Message----- > From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto- > bounces at chiark.greenend.org.uk] On Behalf Of Matthew Pemble > Sent: 17 November 2010 15:10 > To: UK Cryptography Policy Discussion Group > Subject: Re: Consultation on change to RIP interception definition > ("unintentional interception") > > On 17 November 2010 14:50, Andrew Cormack > wrote: > > Sorry to come back to this, but I've been trying to make sense > (again, lacking any draft amended text) of what might constitute an > "unintentional unlawful interception". And failing, so I hope someone > here can help. > > Does the current wording of the Act make it a strict liability > offence? If not, then there must be mens rea. So, logically, you must > have intended to implement the interception (or be negligent as to > whether your act implemented an interception.) The mens rea for the current offence seems to be in s1(1) "It shall be an offence for a person INTENTIONALLY and without lawful authority to intercept,.." I presume that means both intention to do the action, and intention as to its outcome. So I was interpreting the new "unintentional interception" idea as deleting or modifying at least one of those "intentions"? If it removes both then it does start to look like a strict liability offence, which is scary given the breadth of the definition of "make available" that this list have come up with in the past :( > Therefore, for it to have been "unintentionally unlawful", what could > apply? > > * A sincere but incorrect belief that the intention was lawful > (including presentation to a techie of an apparently legal warrant > that had been incorrectly processed)? Seems even harsher on the techie than my examples below :( > * An attempt to implement a lawful interception (either through > warrant or LBPR) which was incorrectly but not negligently applied and > resulting in a too-wide or otherwise non-approved interception? The consultation paper specifically addresses the question of a mistake in implementing a warrant, and says that's ok. I very much hope that also applies to LBPR and "provision of service" (s3(3)) lawful interception, but the consultation paper is silent on those. And if so, it really doesn't seem to leave much, hence my puzzlement > Something else? > > > 1) postmaster attempts to re-direct a mis-addressed e-mail and puts a > typo in the To: address? > > 2) postmaster does nothing, but a system fault results in all mails > coming to him (yes, I've been there) > > 3) network manager runs a wireless sniffer to check a problem with > his own network and picks up a packet from next door? > > 4) user turns on wifi card and receives packets from lots of wifi > networks in addition to his own? > > 5) network manager uploads latest firmware to a network switch, > thereby clearing its memory and turning it (for a while) into a > broadcast hub? > > I think all these, but particularly 2 and 5, lack any mens rea. They all fail the *current* mens rea, but all but 2 are intentional acts with unintended consequences. So there is some mens rea > > All seem to satisfy most of the requirements of the definition, but > even a civil penalty seems a bit harsh for most of them... > > I would think that 5, depending on the organisation's change > management procedures, might be worth a strong word from their > manager. Otherwise it all (unless the email in 1 was especially > sensitive) falls into the "shit happens" category of IT issues. I very much agree (though I've come across switches where a short period of hubbishess is the only option). I'm just worried that this is being presented as a quick fix and I can see an awful lot of ways it might have unintended consequences. Andrew > M. > > -- > Matthew Pemble From Andrew.Cormack at ja.net Wed Nov 17 15:41:36 2010 From: Andrew.Cormack at ja.net (Andrew Cormack) Date: Wed, 17 Nov 2010 15:41:36 +0000 Subject: Consultation on change to RIP interception definition ("unintentional interception") In-Reply-To: References: <4CDBBF17.3070209@iosis.co.uk> <0202628D-2600-4B85-8D83-01C818D09A92@batten.eu.org> Message-ID: > -----Original Message----- > From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto- > bounces at chiark.greenend.org.uk] On Behalf Of Roland Perry > Sent: 17 November 2010 15:25 > To: ukcrypto at chiark.greenend.org.uk > Subject: Re: Consultation on change to RIP interception definition > ("unintentional interception") > > In article , Andrew > Cormack writes > >The Act defines > >"A person intercepts a communication in the course of its transmission > by means of a telecommunication system if, and only if, he- > >(a)so modifies or interferes with the system, or its operation, > >(b)so monitors transmissions made by means of the system, or > >(c)so monitors transmissions made by wireless telegraphy to or from > apparatus comprised in the system, > >as to make some or all of the contents of the communication available, > while being transmitted, to a person other than the sender or intended > >recipient of the communication." > > > >Presumably an "intentional" interception is one where I make the > modification or do the monitoring deliberately? So is an unintentional > >interception one where I do it by mistake > > There was some discussion, when the Bill was being debated, about > someone picking up a telephone extension (in a home, typically) and > therefore "unintentionally" hearing the conversation. How about an iPad that gives up its DHCP lease but keeps on using the address? (http://www.net.princeton.edu/announcements/ipad-iphoneos32-stops-renewing-lease-keeps-using-IP-address.html) And now the idea is specifically to prohibit "unintentional" interception :( > No doubt we could > find analogies for this on data networks (indeed, the Goggle wifi > sniffing is perhaps in this category). I was trying to avoid mentioning that one ;) Andrew > -- > Roland Perry From igb at batten.eu.org Wed Nov 17 15:47:47 2010 From: igb at batten.eu.org (Ian Batten) Date: Wed, 17 Nov 2010 15:47:47 +0000 Subject: Contactless bank cards In-Reply-To: <20101117152821.GC2834@snowy.squish.net> References: <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> <4CE25CB2.6040501@callnetuk.com> <20101116163933.GL535@snowy.squish.net> <+wjEolnFN84MFAfx@perry.co.uk> <20101117122031.GA2834@snowy.squish.net> <20101117152821.GC2834@snowy.squish.net> Message-ID: <3601464F-220D-4D16-978E-79A3A7027C7D@batten.eu.org> On 17 Nov 2010, at 15:28, Jon Ribbens wrote: > On Wed, Nov 17, 2010 at 02:28:12PM +0000, Roland Perry wrote: >> We clearly live in parallel universes, because I've never seen a >> merchant do that (other than for a cordless terminal). And I always take >> a close interest in what's going on with C&P transactions. > > You must indeed truly be living in a parallel dimension if your world > does not contain stand-alone PDQ machines. Indeed. I paid for a prescription (phone doctor about infected finger at 9, appointment at 0915, at pharmacist by 0930, home by 0945 --- that's the NHS we need!) this morning at the machine was standalone. I'm not quite sure where Roland shops, but he must never visit anything other than airport duty frees and large multiples... ian From lists at internetpolicyagency.com Wed Nov 17 15:51:31 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Wed, 17 Nov 2010 15:51:31 +0000 Subject: Contactless bank cards In-Reply-To: <20101117152821.GC2834@snowy.squish.net> References: <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> <4CE25CB2.6040501@callnetuk.com> <20101116163933.GL535@snowy.squish.net> <+wjEolnFN84MFAfx@perry.co.uk> <20101117122031.GA2834@snowy.squish.net> <20101117152821.GC2834@snowy.squish.net> Message-ID: In article <20101117152821.GC2834 at snowy.squish.net>, Jon Ribbens writes >> We clearly live in parallel universes, because I've never seen a >> merchant do that (other than for a cordless terminal). And I always take >> a close interest in what's going on with C&P transactions. > >You must indeed truly be living in a parallel dimension if your world >does not contain stand-alone PDQ machines. What do you mean by "stand-alone"? I covered the cordless terminals. >Plus I guess you've never been to a restaurant. I've not seen a cordless terminal outside of a restaurant (or pub etc). Wouldn't a shopkeeper rubbing one against random strangers' inside pockets look a bit strange? (Assuming they have a paywave enabled one). >http://www.barclaycard.co.uk/business/existing-customers/mypdq/ Ah, that's a cordless terminal. I'm sure there are some vulnerabilities somewhere, but could we please concentrate on feasible scenarios? -- Roland Perry From lists at internetpolicyagency.com Wed Nov 17 16:10:11 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Wed, 17 Nov 2010 16:10:11 +0000 Subject: Consultation on change to RIP interception definition ("unintentional interception") In-Reply-To: References: <4CDBBF17.3070209@iosis.co.uk> <0202628D-2600-4B85-8D83-01C818D09A92@batten.eu.org> Message-ID: In article , Andrew Cormack writes >How about an iPad that gives up its DHCP lease but keeps on using the address? >(http://www.net.princeton.edu/announcements/ipad-iphoneos32-stops-renewing-lease-keeps-using-IP-address.html) I think I heard about a related problem on one of the UK's GSM data networks many years ago. If a handset dropped off, and another came online and was given the same IP address, it would start receiving (mainly streaming iirc) data that was originally intended for the first handset. And (on a much longer timescale) I could imagine someone with a static IP address and an MX server disappearing (but their DNS entries remaining), and their IP address being reassigned to another subscriber, who might start receiving some "wrong" emails (mainly Spam, but I don't see an exemption for intercepting those) if he sets up an MX server. Oh, and the same again when a Domain registration lapses, and someone else registers it. -- Roland Perry From lists at internetpolicyagency.com Wed Nov 17 16:15:50 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Wed, 17 Nov 2010 16:15:50 +0000 Subject: Contactless bank cards In-Reply-To: <3601464F-220D-4D16-978E-79A3A7027C7D@batten.eu.org> References: <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> <4CE25CB2.6040501@callnetuk.com> <20101116163933.GL535@snowy.squish.net> <+wjEolnFN84MFAfx@perry.co.uk> <20101117122031.GA2834@snowy.squish.net> <20101117152821.GC2834@snowy.squish.net> <3601464F-220D-4D16-978E-79A3A7027C7D@batten.eu.org> Message-ID: In article <3601464F-220D-4D16-978E-79A3A7027C7D at batten.eu.org>, Ian Batten writes > >On 17 Nov 2010, at 15:28, Jon Ribbens wrote: > >> On Wed, Nov 17, 2010 at 02:28:12PM +0000, Roland Perry wrote: >>> We clearly live in parallel universes, because I've never seen a >>> merchant do that (other than for a cordless terminal). And I always take >>> a close interest in what's going on with C&P transactions. >> >> You must indeed truly be living in a parallel dimension if your world >> does not contain stand-alone PDQ machines. > >Indeed. I paid for a prescription (phone doctor about infected finger >at 9, appointment at 0915, at pharmacist by 0930, home by 0945 --- >that's the NHS we need!) this morning at the machine was standalone. Do you mean "cordless"? I've covered those. > I'm not quite sure where Roland shops, but he must never visit >anything other than airport duty frees and large multiples... I've seen cordless units in eateries, I've never seen one elsewhere. Is a "stand-alone" unit something different? -- Roland Perry From ukcrypto at sourcetagged.ian.co.uk Wed Nov 17 16:18:46 2010 From: ukcrypto at sourcetagged.ian.co.uk (Ian Mason) Date: Wed, 17 Nov 2010 16:18:46 +0000 Subject: Contactless bank cards In-Reply-To: References: <4CE16136.4060707@callnetuk.com> <729CF33C-8148-4E32-B4D0-555830394C00@sourcetagged.ian.co.uk> Message-ID: On 17 Nov 2010, at 12:06, Roland Perry wrote: > In article > <729CF33C-8148-4E32-B4D0-555830394C00 at sourcetagged.ian.co.uk>, Ian > Mason > writes >>> Surely you'd have to set up some sort of "man in the middle" >>> between the card and one of the Paywave terminals[1]. Wouldn't that >>> be a bit tricky in real time? >> >> No, search for "MIG in the middle". > > On one hand, are you being ironic? > > "One case history that unfortunately turns out to be unfounded > is the story of the `Mig-in-the-middle' attack, pp 19-20... in > September 2001, I learned from a former employee of the South > African Communications Security Agency that the story is > apocryphal." > > On the other... I'm seeking to understand what sort of technology you > could surrupticiously invoke near someone's wallet, and also near a > paywave terminal (and of course in between) which would provide a > suitably faked conversation that the card could be debited. The actual "MIG in the middle" attack may or may not be apocryphal but the attack method certainly is not. I'm having difficulty with your difficulty grasping how this is possible. With your background I can't see why you haven't immediately seen how to do this. You take a briefcase, in it you place the front end of contactless card reader, you interface this to a suitable radio modem. You stick a corresponding radio modem in a box that can be placed in adequate proximity to a paywave terminal. You interface to that second radio modem the airside interface of a contactless card (or a suitable simulation thereof). You arrange your interfacing so that it is transparent except for the tiny delay between endpoints. You then walk around a crowded public place like a railway station placing your briefcase in adequate proximity to lots of shoulder bags/handbags/whatever that probably contain paywave cards. From jon+ukcrypto at unequivocal.co.uk Wed Nov 17 16:53:51 2010 From: jon+ukcrypto at unequivocal.co.uk (Jon Ribbens) Date: Wed, 17 Nov 2010 16:53:51 +0000 Subject: Contactless bank cards In-Reply-To: References: <4CE25CB2.6040501@callnetuk.com> <20101116163933.GL535@snowy.squish.net> <+wjEolnFN84MFAfx@perry.co.uk> <20101117122031.GA2834@snowy.squish.net> <20101117152821.GC2834@snowy.squish.net> <3601464F-220D-4D16-978E-79A3A7027C7D@batten.eu.org> Message-ID: <20101117165351.GJ2834@snowy.squish.net> On Wed, Nov 17, 2010 at 04:15:50PM +0000, Roland Perry wrote: > Do you mean "cordless"? I've covered those. No you haven't, you just said "except if it's cordless" without explaining why they don't count for whatever it is we're talking about. > Is a "stand-alone" unit something different? I meant "stand-alone" as in "not relying on a till to enable the transaction". I don't see how it matters if the terminal's connection to the bank is wired, WiFi, bluetooth, GSM or whatever. As to how you could connect a victim's contactless card to a terminal that is "far away", surely it is not hard to conceive of a device which you hold near the card which does nothing but receive and transmit to the card, and then forward this conversation on via, e.g. WiFi, to a terminal further away - even assuming that for some reason you couldn't put a wireless PDQ terminal in your pocket. From Ian.Johnson at uwe.ac.uk Wed Nov 17 16:39:49 2010 From: Ian.Johnson at uwe.ac.uk (Ian Johnson) Date: Wed, 17 Nov 2010 16:39:49 +0000 Subject: Contactless bank cards In-Reply-To: References: <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> <4CE25CB2.6040501@callnetuk.com> <20101116163933.GL535@snowy.squish.net> <+wjEolnFN84MFAfx@perry.co.uk> <20101117122031.GA2834@snowy.squish.net> <20101117152821.GC2834@snowy.squish.net> <3601464F-220D-4D16-978E-79A3A7027C7D@batten.eu.org> Message-ID: <82C40FACE9C14B9B9C3644C5DA49AC42@pingu> On Behalf Of Roland Perry: > Sent: 17 November 2010 16:16 > > Do you mean "cordless"? I've covered those. > I've seen cordless units in eateries, I've never seen one elsewhere. > > Is a "stand-alone" unit something different? I'm another that can't see the source of confusion. I use an old fashioned motorcycle garage. They don't even have a till, just handwritten bills. C&P m/c on counter - wired (power/phone). If you pay by card the owner types in the amount, you authenticate. A toy shop in Tenby I use has a card machine that again isn't connected to tills in any way. On holiday this year the wife was paying at one till, I at another - The total was put through as a single transaction (at a 3rd location). Ian From lists at internetpolicyagency.com Wed Nov 17 20:04:45 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Wed, 17 Nov 2010 20:04:45 +0000 Subject: Contactless bank cards In-Reply-To: <20101117165351.GJ2834@snowy.squish.net> References: <4CE25CB2.6040501@callnetuk.com> <20101116163933.GL535@snowy.squish.net> <+wjEolnFN84MFAfx@perry.co.uk> <20101117122031.GA2834@snowy.squish.net> <20101117152821.GC2834@snowy.squish.net> <3601464F-220D-4D16-978E-79A3A7027C7D@batten.eu.org> <20101117165351.GJ2834@snowy.squish.net> Message-ID: In article <20101117165351.GJ2834 at snowy.squish.net>, Jon Ribbens writes >No you haven't, you just said "except if it's cordless" without >explaining why they don't count for whatever it is we're talking >about. In previous postings, I doubted whether there were any Paywave cordless terminals, and wondered about merchants rubbing such terminals against random victims. >> Is a "stand-alone" unit something different? > >I meant "stand-alone" as in "not relying on a till to enable the >transaction". I don't see how it matters if the terminal's connection >to the bank is wired, WiFi, bluetooth, GSM or whatever. Because you still have to make a data connection between a card in someone's pocket the other side of the shop, and the paywave pad on this terminal. >As to how you could connect a victim's contactless card to a terminal >that is "far away", surely it is not hard to conceive of a device >which you hold near the card which does nothing but receive and >transmit to the card, and then forward this conversation on via, >e.g. WiFi, to a terminal further away - That's the problem I have (and also my answer to Ian Mason's enquiry). How to make something which imitates an RFID card over a two-way data link. >even assuming that for some reason you couldn't put a wireless PDQ >terminal in your pocket. See "rubbing against victims" above. -- Roland Perry From cybergibbons at gmail.com Wed Nov 17 20:45:11 2010 From: cybergibbons at gmail.com (Cybergibbons) Date: Wed, 17 Nov 2010 20:45:11 +0000 Subject: Contactless bank cards In-Reply-To: References: <4CE25CB2.6040501@callnetuk.com> <20101116163933.GL535@snowy.squish.net> <+wjEolnFN84MFAfx@perry.co.uk> <20101117122031.GA2834@snowy.squish.net> <20101117152821.GC2834@snowy.squish.net> <3601464F-220D-4D16-978E-79A3A7027C7D@batten.eu.org> <20101117165351.GJ2834@snowy.squish.net> Message-ID: On 17 November 2010 20:04, Roland Perry wrote: >> As to how you could connect a victim's contactless card to a terminal >> that is "far away", surely it is not hard to conceive of a device >> which you hold near the card which does nothing but receive and >> transmit to the card, and then forward this conversation on via, >> e.g. WiFi, to a terminal further away - > > That's the problem I have (and also my answer to Ian Mason's enquiry). How > to make something which imitates an RFID card over a two-way data link. It's perfectly possible to relay RFID communications over a distance. It's easy to demonstrate this using two RFID readers with PN53x chips in them - one reads the card, the other emulates it. http://www.libnfc.org/documentation/examples/nfc-relay If you use USB, the latency and unpredictability causes issues with some card readers - this doesn't work to relay to TFL readers for example. However, you can use any microprocessor to perform the relay to avoid this, and use an RF link instead of wires. -- Andrew From igb at batten.eu.org Wed Nov 17 22:36:02 2010 From: igb at batten.eu.org (Ian Batten) Date: Wed, 17 Nov 2010 22:36:02 +0000 Subject: Contactless bank cards In-Reply-To: References: <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> <4CE25CB2.6040501@callnetuk.com> <20101116163933.GL535@snowy.squish.net> <+wjEolnFN84MFAfx@perry.co.uk> <20101117122031.GA2834@snowy.squish.net> <20101117152821.GC2834@snowy.squish.net> <3601464F-220D-4D16-978E-79A3A7027C7D@batten.eu.org> Message-ID: <44890BA9-B15B-4568-AA81-46C0BFB662A2@batten.eu.org> On 17 Nov 2010, at 16:15, Roland Perry wrote: > > Is a "stand-alone" unit something different? It isn't cordless, for a start off: mains power, and a hardline telephone. ian From igb at batten.eu.org Wed Nov 17 23:16:31 2010 From: igb at batten.eu.org (Ian Batten) Date: Wed, 17 Nov 2010 23:16:31 +0000 Subject: Consultation on change to RIP interception definition ("unintentional interception") In-Reply-To: References: <4CDBBF17.3070209@iosis.co.uk> <0202628D-2600-4B85-8D83-01C818D09A92@batten.eu.org> Message-ID: > > And (on a much longer timescale) I could imagine someone with a static IP address and an MX server disappearing (but their DNS entries remaining), and their IP address being reassigned to another subscriber, who might start receiving some "wrong" emails (mainly Spam, but I don't see an exemption for intercepting those) if he sets up an MX server. Many years ago, I managed to accidentally pull off a much more spectacular variation of this, which presumably would see me in chokey for decades these days. Some part of the US Government started it (honest, guv). They presumably had an internal mail server which offered final delivery and an external-facing system which was somewhat hardened (this is the mid-90s, so something like Gauntlet might have been in use). This was before split-horizon DNS servers were common, so they simply published: whatever.gov. in mx 20 external.whatever.gov. whatever.gov. in mx 10 internal.whatever.gov. external.whatever.gov. in a 4.5.6.7 ;;; a globally routable IP number internal.whatever.gov. in a 192.168.1.1 ;;; RFC1918 private IP number This is neat, they must have thought. Instead of having to configure that pesky external system, the MX records mean it all just works: senders try to contact the internal system, fail and fall back to the external system, but the external system looks for a lower MX preference, finds it and relays the mail. Of course, if the sender happens to have a mail server on 192.168.1.1 it'll probably break, but what are the chances, right? So they've been pretty silly. Next up steps Batten, who is asked to write a config file for a Cisco to advertise his employer's networks to his ISP, because (at the time) that was how they wanted it done. But the rule to filter out our internal networks was wrong, so as well as advertising our CIDR blocks (17 Class C addresses: those were the days, eh?) we also advertised 10/8, 172.16/12 and 192.168/16. And the final piece of silliness in this trifecta of cocking it up was someone at PSI who neglected to filter RFC1918 from advertisements and everyone else in the world ever who happily propagated it over BGP. Over the following days, our firewall logs lit up with endless hammering at 192.168.1.1 port 25 (we had at least correctly written the firewall rules to block all incoming RFC1918 and 127/8). In the end we got sufficiently fed up with the alerts to bring a machine up on that IP number in a new DMZ, to have a look at what the traffic looked like. And there it was. Once we looked at the MX records for the traffic we were seeing it all fell into place, and was easy to fix. I trust ISPs don't propagate routes for RFC1918 any more... ian From colinthomson1 at o2.co.uk Thu Nov 18 00:24:11 2010 From: colinthomson1 at o2.co.uk (Tom Thomson) Date: Thu, 18 Nov 2010 00:24:11 -0000 Subject: Contactless bank cards In-Reply-To: <975AA370-8E7E-46E4-A505-B6257A4DA449@batten.eu.org> References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> <4CE25CE8.2050907@callnetuk.com><82379AD8-F5F7-433F-8966-633D54BB8162@batten.eu.org> <975AA370-8E7E-46E4-A505-B6257A4DA449@batten.eu.org> Message-ID: <33155F948BCC452199313A31BC47931C@your41b8d18ede> Ian, I think you inhabit a different world from mine. I use the stores of three three different supermarket chains who operate in my town, all of which open the till on credit card transactions to allow the vendors copy of the cc receipt to be placed in the till. I've been in supermarkets where this doesn't happen, but far more often in supermarkets where it does, and I don't believe that the supermarkets will pay the extra cost of changing the till system to avoid opening the cash drawer when they change the card reader to operate contactless without pins. In an ideal world where all the retailers ensure that the cash drawer is not opened for card transactions (except those using cash-back) your argument might be valid; but I don't live in that ideal world, and neither do most people. M. > > On 16 Nov 2010, at 10:41, Ian Batten wrote: > > Oh, and by the way: ever wondered why shops are so keen on ".99" prices? Unless > someone carries a lot of loose change, it means the till has to be opened for every > transaction. Unless you operate a shop which prices everything in round pounds > (round 10 pounds, probably, given that university cashpoints seem to be the last > place on earth that issue fivers), people who pay cash (who you need for your fraud > to work) are going to have to be prepared to either not have any change, take their > change from the pile you keep beside the till or you're going to have to open the till. > What transaction are you going to ring up to do that, exactly? > > At best, your scheme allows you to replace a transaction from a customer who pays > the exact price and doesn't want a receipt with a hooky card transaction, until late in > the evening when there isn't enough cash in the till and you get sacked. And even > that's assuming you can spot people who are going to pay the exact amount before > you ring it up on the till: in practice, people look at the amount and compare it with > the shrapnel they want to get rid of. You'll have to find a way to say "that'll be ten > quid mate" and take the money without opening the till, without anyone else (and > shops with lone workers tend to have CCTV for H&S reasons) noticing. You might be > able to do it if you're a sole proprietor, I guess. > > ian > From colinthomson1 at o2.co.uk Thu Nov 18 00:46:53 2010 From: colinthomson1 at o2.co.uk (Tom Thomson) Date: Thu, 18 Nov 2010 00:46:53 -0000 Subject: Contactless bank cards In-Reply-To: <9dVUDsEe8p4MFAsN@perry.co.uk> References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com><4CE24388.9060803@callnetuk.com><4CE25CB2.6040501@callnetuk.com> <9dVUDsEe8p4MFAsN@perry.co.uk> Message-ID: > I've never actually found a machine to try my card out upon. But the > Oyster pads in London require the card to be pretty much out of a wallet > and touching the surface. Similarly the RFID cards used on the buses in > Nottingham. The technology is dozens of order of magnitude away from > scanning the bus pass in the passenger's pocket as he gets on board. > -- > Roland Perry Well Roland, I usually understand "orders of magnitude" as decimal ones, But even if I were to assume that you meant binary orders of magnitude (which would usually suggest to me an intention to mislead, but let us assume that although you meant binary you had no such intention) "dozens" means a factor of at least 2 to the 24th, or something a bit bigger that 2 times 10 to the 7. If I guess that there's an inverse square law in there somewhere, I get something over 1.4 times 10 cubed on the distance - and I have happily waved my oyster card at more than a centimetre from the reader on buses in London (it seemed to need to be closer on tubes, I guess because the S/N ration is lower in tube stations). So I guess that dozens of orders of magnitude technology change suggests at readability at something like 14 metres, which is quite a bit more than the distance from my shirt pocked to the reader when I board a bus. If your orders of magnitude are honest decimal ones, and not binary ones as I have cynically assumed, it comes to such an enormous distance that I don't want to contemplate it. So I think you are probably wrong in your assertion. M?cheal From pwt at iosis.co.uk Thu Nov 18 07:05:03 2010 From: pwt at iosis.co.uk (Peter Tomlinson) Date: Thu, 18 Nov 2010 07:05:03 +0000 Subject: Contactless bank cards In-Reply-To: References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com><4CE24388.9060803@callnetuk.com><4CE25CB2.6040501@callnetuk.com> <9dVUDsEe8p4MFAsN@perry.co.uk> Message-ID: <4CE4D01F.3010703@iosis.co.uk> Roland Perry wrote: >> The technology is dozens of order of magnitude away from >> scanning the bus pass in the passenger's pocket as he gets on board. >> >> There IS a longer distance scanning technology, but it depends on changing to a self-powered token instead of an unpowered smart device that needs the associated terminal to provide the smart device's power [1]. There is also a risk that mobile phone based methods using NFC technology will wake up the tokens when the field strength from the terminal is lower than needed to wake up an ordinary smart card - but with NFC you should be getting a message on the phone's screen (and maybe a squeal as well) to show that a value transaction has taken place. Peter [1] Be-In Be-Out (BiBo) and Check-In Be-Out (Cibo). See DfT research report: http://www.dft.gov.uk/rmd/project.asp?intProjectID=12490 From lists at internetpolicyagency.com Thu Nov 18 08:08:53 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Thu, 18 Nov 2010 08:08:53 +0000 Subject: Contactless bank cards In-Reply-To: References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> <4CE25CB2.6040501@callnetuk.com> <9dVUDsEe8p4MFAsN@perry.co.uk> Message-ID: In article , Tom Thomson or was it Michael? writes >> I've never actually found a machine to try my card out upon. But the >> Oyster pads in London require the card to be pretty much out of a wallet >> and touching the surface. Similarly the RFID cards used on the buses in >> Nottingham. The technology is dozens of order of magnitude away from >> scanning the bus pass in the passenger's pocket as he gets on board. >> -- >> Roland Perry > >Well Roland, I usually understand "orders of magnitude" as decimal >ones, But even if I were to assume that you meant binary orders of >magnitude (which would usually suggest to me an intention to mislead, >but let us assume that although you meant binary you had no such >intention) "dozens" means a factor of at least 2 to the 24th, or >something a bit bigger that 2 times 10 to the 7. If I guess that >there's an inverse square law in there somewhere, Apparently it's an inverse 4th power, and the Nottingham bus passes have to be held pretty much *on* the reader[1] - no more than a millimetre of air gap is acceptable. [1] Which is quite tiresome when you have several senior citizens boarding, who seem to find the technology difficult, and it takes a while for them to position their cards exactly right. -- Roland Perry From lists at internetpolicyagency.com Thu Nov 18 08:14:11 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Thu, 18 Nov 2010 08:14:11 +0000 Subject: Contactless bank cards In-Reply-To: <4CE4D01F.3010703@iosis.co.uk> References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> <4CE25CB2.6040501@callnetuk.com> <9dVUDsEe8p4MFAsN@perry.co.uk> <4CE4D01F.3010703@iosis.co.uk> Message-ID: <3p3WuwLTBO5MFA3x@perry.co.uk> In article <4CE4D01F.3010703 at iosis.co.uk>, Peter Tomlinson writes >There is also a risk that mobile phone based methods using NFC >technology will wake up the tokens when the field strength from the >terminal is lower than needed to wake up an ordinary smart card - but >with NFC you should be getting a message on the phone's screen (and >maybe a squeal as well) to show that a value transaction has taken place. One of the difficulties of RFID is multiple cards. I know that a door-entry RFID which I have interferes with my Oyster, for example. I wonder what will happen when people have multiple pay-wave cards in the wallet? -- Roland Perry From lists at internetpolicyagency.com Thu Nov 18 08:18:37 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Thu, 18 Nov 2010 08:18:37 +0000 Subject: Contactless bank cards In-Reply-To: References: <4CE25CB2.6040501@callnetuk.com> <20101116163933.GL535@snowy.squish.net> <+wjEolnFN84MFAfx@perry.co.uk> <20101117122031.GA2834@snowy.squish.net> <20101117152821.GC2834@snowy.squish.net> <3601464F-220D-4D16-978E-79A3A7027C7D@batten.eu.org> <20101117165351.GJ2834@snowy.squish.net> Message-ID: In article , Cybergibbons writes >It's perfectly possible to relay RFID communications over a distance. > >It's easy to demonstrate this using two RFID readers with PN53x chips >in them - one reads the card, the other emulates it. >http://www.libnfc.org/documentation/examples/nfc-relay > >If you use USB, the latency and unpredictability causes issues with >some card readers - this doesn't work to relay to TFL readers for >example. However, you can use any microprocessor to perform the relay I don't really understand what you mean by "any microprocessor" >to avoid this, and use an RF link instead of wires. An RF link with more bandwidth than USB, presumably? Or is it just "less latency per packet"? -- Roland Perry From pwt at iosis.co.uk Thu Nov 18 08:20:25 2010 From: pwt at iosis.co.uk (Peter Tomlinson) Date: Thu, 18 Nov 2010 08:20:25 +0000 Subject: Contactless bank cards In-Reply-To: References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> <4CE25CB2.6040501@callnetuk.com> <9dVUDsEe8p4MFAsN@perry.co.uk> Message-ID: <4CE4E1C9.1080807@iosis.co.uk> Roland Perry wrote: > In article , Tom > Thomson or was it Michael? writes >>> I've never actually found a machine to try my card out upon. But the >>> Oyster pads in London require the card to be pretty much out of a >>> wallet >>> and touching the surface. Similarly the RFID cards used on the buses in >>> Nottingham. The technology is dozens of order of magnitude away from >>> scanning the bus pass in the passenger's pocket as he gets on board. >>> -- >>> Roland Perry >> >> Well Roland, I usually understand "orders of magnitude" as decimal >> ones, But even if I were to assume that you meant binary orders of >> magnitude (which would usually suggest to me an intention to mislead, >> but let us assume that although you meant binary you had no such >> intention) "dozens" means a factor of at least 2 to the 24th, or >> something a bit bigger that 2 times 10 to the 7. If I guess that >> there's an inverse square law in there somewhere, > > Apparently it's an inverse 4th power, and the Nottingham bus passes > have to be held pretty much *on* the reader[1] - no more than a > millimetre of air gap is acceptable. > > [1] Which is quite tiresome when you have several senior citizens > boarding, who seem to find the technology difficult, and it takes a > while for them to position their cards exactly right. Not all bus ticket machines are the same. I'm fairly certain that the Nottingham bus machines will soon be replaced. Peter From pwt at iosis.co.uk Thu Nov 18 08:21:59 2010 From: pwt at iosis.co.uk (Peter Tomlinson) Date: Thu, 18 Nov 2010 08:21:59 +0000 Subject: Contactless bank cards In-Reply-To: <3p3WuwLTBO5MFA3x@perry.co.uk> References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> <4CE25CB2.6040501@callnetuk.com> <9dVUDsEe8p4MFAsN@perry.co.uk> <4CE4D01F.3010703@iosis.co.uk> <3p3WuwLTBO5MFA3x@perry.co.uk> Message-ID: <4CE4E227.40407@iosis.co.uk> Roland Perry wrote: > In article <4CE4D01F.3010703 at iosis.co.uk>, Peter Tomlinson > writes >> There is also a risk that mobile phone based methods using NFC >> technology will wake up the tokens when the field strength from the >> terminal is lower than needed to wake up an ordinary smart card - but >> with NFC you should be getting a message on the phone's screen (and >> maybe a squeal as well) to show that a value transaction has taken >> place. > > One of the difficulties of RFID is multiple cards. I know that a > door-entry RFID which I have interferes with my Oyster, for example. I > wonder what will happen when people have multiple pay-wave cards in > the wallet? They will have to take out of the wallet the card that they want to use (some people already report that problem). Peter From igb at batten.eu.org Thu Nov 18 08:24:40 2010 From: igb at batten.eu.org (Ian Batten) Date: Thu, 18 Nov 2010 08:24:40 +0000 Subject: Contactless bank cards In-Reply-To: <3p3WuwLTBO5MFA3x@perry.co.uk> References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> <4CE25CB2.6040501@callnetuk.com> <9dVUDsEe8p4MFAsN@perry.co.uk> <4CE4D01F.3010703@iosis.co.uk> <3p3WuwLTBO5MFA3x@perry.co.uk> Message-ID: <49976CE3-39AA-4ABF-A405-A2DB19DB83F4@batten.eu.org> > > One of the difficulties of RFID is multiple cards. I know that a door-entry RFID which I have interferes with my Oyster, for example. I wonder what will happen when people have multiple pay-wave cards in the wallet? My father can attest to the fact that Oyster scanners get upset if you have a Birmingham "Freedom Pass" in the same holder as the Oyster Card. The Oyster reader reads the Birmingham card, thinks it's an uninitialised or otherwise hooky Oyster card and aborts the transaction. The set of people who have multiple Oyster-alikes (most commonly, I suspect, regular visitors to London who have a Oyster and their home town's Oyster-alike) is only going to grow. ian From lists at internetpolicyagency.com Thu Nov 18 08:23:27 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Thu, 18 Nov 2010 08:23:27 +0000 Subject: Contactless bank cards In-Reply-To: <44890BA9-B15B-4568-AA81-46C0BFB662A2@batten.eu.org> References: <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> <4CE25CB2.6040501@callnetuk.com> <20101116163933.GL535@snowy.squish.net> <+wjEolnFN84MFAfx@perry.co.uk> <20101117122031.GA2834@snowy.squish.net> <20101117152821.GC2834@snowy.squish.net> <3601464F-220D-4D16-978E-79A3A7027C7D@batten.eu.org> <44890BA9-B15B-4568-AA81-46C0BFB662A2@batten.eu.org> Message-ID: In article <44890BA9-B15B-4568-AA81-46C0BFB662A2 at batten.eu.org>, Ian Batten writes >> Is a "stand-alone" unit something different? > >It isn't cordless, for a start off: mains power, and a hardline telephone. But you aren't going to run round the room with a cord-attached terminal, rubbing it on people's pockets. So the usage mode is different. The attack would rely upon one of these "RF-bridges" between a device held onto a concealed terminal, and something that you are running round the room with. And you are probably restricted to having an accomplice rubbing up against random strangers, because someone who is in the act of paying will have his wallet in his hand (to give you the cash that you then pocket) and will probably notice you trying to get close enough to the wallet with the "remote" end of such a bridge. -- Roland Perry From lists at internetpolicyagency.com Thu Nov 18 08:28:28 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Thu, 18 Nov 2010 08:28:28 +0000 Subject: Contactless bank cards In-Reply-To: <33155F948BCC452199313A31BC47931C@your41b8d18ede> References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> <4CE25CE8.2050907@callnetuk.com> <82379AD8-F5F7-433F-8966-633D54BB8162@batten.eu.org> <975AA370-8E7E-46E4-A505-B6257A4DA449@batten.eu.org> <33155F948BCC452199313A31BC47931C@your41b8d18ede> Message-ID: In article <33155F948BCC452199313A31BC47931C at your41b8d18ede>, Tom Thomson writes >In an ideal world where all the retailers ensure that the cash >drawer is not opened for card transactions (except those using >cash-back) your argument might be valid; but I don't live in that >ideal world, and neither do most people. One of the associated problems (which I do see in the field) with tills that don't open the drawer for a credit card transaction, is that when the cashier closes the drawer by accident before giving a customer his change or cashback, they have to wait until the next cash (not card) transaction comes along before being able to rectify the situation. Perhaps they could also call some sort of manager to sort it out, but when I've seen this happen they seem to prefer to keep the hapless/ changeless customer hanging around waiting. In the old days, manual tills used to have a "No Sale" they could ring up - no doubt covering a multitude of sins. -- Roland Perry From lists at internetpolicyagency.com Thu Nov 18 09:07:42 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Thu, 18 Nov 2010 09:07:42 +0000 Subject: Consultation on change to RIP interception definition ("unintentional interception") In-Reply-To: References: <4CDBBF17.3070209@iosis.co.uk> <0202628D-2600-4B85-8D83-01C818D09A92@batten.eu.org> Message-ID: In article , Ian Batten writes >Some part of the US Government started it (honest, guv). They >presumably had an internal mail server which offered final delivery and >an external-facing system which was somewhat hardened (this is the >mid-90s, so something like Gauntlet might have been in use). This >was before split-horizon DNS servers were common, so they simply published: > >whatever.gov. in mx 20 external.whatever.gov. >whatever.gov. in mx 10 internal.whatever.gov. >external.whatever.gov. in a 4.5.6.7 ;;; a globally routable IP number >internal.whatever.gov. in a 192.168.1.1 ;;; RFC1918 private IP number > >This is neat, they must have thought. Instead of having to configure >that pesky external system, the MX records mean it all just works: >senders try to contact the internal system, fail and fall back to the >external system, but the external system looks for a lower MX >preference, finds it and relays the mail. Of course, if the sender >happens to have a mail server on 192.168.1.1 it'll probably break, but >what are the chances, right? Hmm, I've got an internal mail server on 192.168.1.x, where I deliberately chose x not to be "1". >we also advertised 10/8, 172.16/12 and 192.168/16 ... > I trust ISPs don't propagate routes for RFC1918 any more... As the available free pool of IPv4 diminishes, the RIRs are taking a much closer look at what they call "noise" in /8's that they receive from IANA and which were supposed to be previously unregistered (and hence unused/unannounced). Geoff Huston at APNIC has done much of this, if you want the gory details. There was a surprising (or perhaps unsurprising, depending on your point of view) traffic floating around looking for 1.1.1.1 and 1.2.3.4 when they examined 1/8 (that's 1-slash-eight) about a year ago. This week he's fingered 42.105.57/24 which is apparently running at a megabit a second if you listen to it. In general, yes I do think ISPs have much better filters today (for private address space, unallocated space; and as a superset, space that isn't assigned by them[1]) but it's never perfect. [1] Just in case one of their customers starts announcing some space they shouldn't be. -- Roland Perry From lists at internetpolicyagency.com Thu Nov 18 10:07:34 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Thu, 18 Nov 2010 10:07:34 +0000 Subject: Contactless bank cards In-Reply-To: <4CE4E227.40407@iosis.co.uk> References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> <4CE25CB2.6040501@callnetuk.com> <9dVUDsEe8p4MFAsN@perry.co.uk> <4CE4D01F.3010703@iosis.co.uk> <3p3WuwLTBO5MFA3x@perry.co.uk> <4CE4E227.40407@iosis.co.uk> Message-ID: In article <4CE4E227.40407 at iosis.co.uk>, Peter Tomlinson writes >> One of the difficulties of RFID is multiple cards. I know that a >>door-entry RFID which I have interferes with my Oyster, for example. I >>wonder what will happen when people have multiple pay-wave cards in >>the wallet? >They will have to take out of the wallet the card that they want to use >(some people already report that problem). Actually, there's an anti-fraud measure here staring us in the face... Just keep your paywave card in your wallet next to one that interferes with it. -- Roland Perry From cybergibbons at gmail.com Thu Nov 18 10:09:07 2010 From: cybergibbons at gmail.com (Cybergibbons) Date: Thu, 18 Nov 2010 10:09:07 +0000 Subject: Contactless bank cards In-Reply-To: References: <4CE25CB2.6040501@callnetuk.com> <20101116163933.GL535@snowy.squish.net> <+wjEolnFN84MFAfx@perry.co.uk> <20101117122031.GA2834@snowy.squish.net> <20101117152821.GC2834@snowy.squish.net> <3601464F-220D-4D16-978E-79A3A7027C7D@batten.eu.org> <20101117165351.GJ2834@snowy.squish.net> Message-ID: On 18 November 2010 08:18, Roland Perry wrote: > In article , > Cybergibbons writes >> If you use USB, the latency and unpredictability causes issues with >> some card readers - this doesn't work to relay to TFL readers for >> example. However, you can use any microprocessor to perform the relay > > I don't really understand what you mean by "any microprocessor" Sorry - I meant you can use any simple microprocessor such as an AVR or MSP430 to perform the communication between the two PN53x. >> to avoid this, and use an RF link instead of wires. > > An RF link with more bandwidth than USB, presumably? Or is it just "less > latency per packet"? It's a question of latency - by the time the data leaves the reader, goes through some kind of USB interface, back to the PC, through an application on the PC, back down to another USB interface and into the emulator, the latency is high and unpredictable. Using something far more simple and ditching USB keeps the latency low and predictable. -- Andrew From lists at internetpolicyagency.com Thu Nov 18 10:19:01 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Thu, 18 Nov 2010 10:19:01 +0000 Subject: Contactless bank cards In-Reply-To: References: <4CE25CB2.6040501@callnetuk.com> <20101116163933.GL535@snowy.squish.net> <+wjEolnFN84MFAfx@perry.co.uk> <20101117122031.GA2834@snowy.squish.net> <20101117152821.GC2834@snowy.squish.net> <3601464F-220D-4D16-978E-79A3A7027C7D@batten.eu.org> <20101117165351.GJ2834@snowy.squish.net> Message-ID: In article , Cybergibbons writes >>> If you use USB, the latency and unpredictability causes issues with >>> some card readers - this doesn't work to relay to TFL readers for >>> example. However, you can use any microprocessor to perform the relay >> >> I don't really understand what you mean by "any microprocessor" > >Sorry - I meant you can use any simple microprocessor such as an AVR >or MSP430 to perform the communication between the two PN53x. > >>> to avoid this, and use an RF link instead of wires. >> >> An RF link with more bandwidth than USB, presumably? Or is it just "less >> latency per packet"? > >It's a question of latency - by the time the data leaves the reader, >goes through some kind of USB interface, back to the PC, through an >application on the PC, back down to another USB interface and into the >emulator, the latency is high and unpredictable. > >Using something far more simple and ditching USB keeps the latency low >and predictable. If this is a proposal for an attack in random persons in the same shop as the crooks [you need one behind the till, and another out scouting for cards] (I think that's how it was supposed to play out) then you'd need something a bit more physically elegant than a laptop to be pressing up against the victims. So you'd suggest some sort of custom hardware built around the chips you mention, and with a fairly high bandwidth RF connection between them? -- Roland Perry From colinthomson1 at o2.co.uk Thu Nov 18 12:52:49 2010 From: colinthomson1 at o2.co.uk (Tom Thomson) Date: Thu, 18 Nov 2010 12:52:49 -0000 Subject: Contactless bank cards In-Reply-To: References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com><4CE24388.9060803@callnetuk.com><4CE25CB2.6040501@callnetuk.com><9dVUDsEe8p4MFAsN@perry.co.uk> Message-ID: <3FA159DD7F4949A0A5A35EFFC527991B@your41b8d18ede> Sgr?obh Roland Perry 18 November 2010 08:09 > In article , Tom > Thomson or was it Michael? writes Actually it's M?cheal, not Michael. And Tom arose because you English can't pronounce M?cheal, much less decline it. From ukcrypto at sourcetagged.ian.co.uk Thu Nov 18 13:39:03 2010 From: ukcrypto at sourcetagged.ian.co.uk (Ian Mason) Date: Thu, 18 Nov 2010 13:39:03 +0000 Subject: Contactless bank cards In-Reply-To: References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com><4CE24388.9060803@callnetuk.com><4CE25CB2.6040501@callnetuk.com> <9dVUDsEe8p4MFAsN@perry.co.uk> Message-ID: <2D3A2407-3A22-49A9-B637-30180BC104E5@sourcetagged.ian.co.uk> On 18 Nov 2010, at 00:46, Tom Thomson wrote: >> I've never actually found a machine to try my card out upon. But the >> Oyster pads in London require the card to be pretty much out of a >> wallet >> and touching the surface. Similarly the RFID cards used on the >> buses in >> Nottingham. The technology is dozens of order of magnitude away from >> scanning the bus pass in the passenger's pocket as he gets on board. >> -- >> Roland Perry > > Well Roland, I usually understand "orders of magnitude" as decimal > ones, But even if I were to assume that you meant binary orders of > magnitude (which would usually suggest to me an intention to > mislead, but let us assume that although you meant binary you had > no such intention) "dozens" means a factor of at least 2 to the > 24th, or something a bit bigger that 2 times 10 to the 7. If I > guess that there's an inverse square law in there somewhere, I get > something over 1.4 times 10 cubed on the distance - and I have > happily waved my oyster card at more than a centimetre from the > reader on buses in London (it seemed to need to be closer on tubes, > I guess because the S/N ration is lower in tube stations). So I > guess that dozens of orders of magnitude technology change suggests > at readability at something like 14 metres, which is quite a bit > more than the distance from my shirt pocked to the reader when I > board a bus. If your orders of magnitude are honest decimal ones, > and not binary ones as I have cynically assumed, it comes to such > an enormous distance that I don't want to contemplate it. So I > think you are probably wrong in your assertion. > > M?cheal > If we want to put this into perspective with some real world results there's a paper here where a reading range of 25 cm was achieved with USD 110 worth of hardware. This paper is 4 years old and may not even represent the state of the art at the time. Ian From igb at batten.eu.org Thu Nov 18 14:51:19 2010 From: igb at batten.eu.org (Ian Batten) Date: Thu, 18 Nov 2010 14:51:19 +0000 Subject: Contactless bank cards In-Reply-To: <2D3A2407-3A22-49A9-B637-30180BC104E5@sourcetagged.ian.co.uk> References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com><4CE24388.9060803@callnetuk.com><4CE25CB2.6040501@callnetuk.com> <9dVUDsEe8p4MFAsN@perry.co.uk> <2D3A2407-3A22-49A9-B637-30180BC104E5@sourcetagged.ian.co.uk> Message-ID: <0EFE4206-66FB-444F-89E7-6ACC006B0194@batten.eu.org> > > If we want to put this into perspective with some real world results there's a paper here where a reading range of 25 cm was achieved with USD 110 worth of hardware. This paper is 4 years old and may not even represent the state of the art at the time. Perhaps not. But did you notice the slight flaw in using this surreptitiously? It's in section 2.4: ``A necessary condition for an increased range is a larger antenna. Theoretical analysis ([Lee03]) shows that for a desired range, r, the optimal antenna diameter is -------------- next part -------------- A non-text attachment was scrubbed... Name: kw-usenix06-forhtml-img2.gif Type: image/gif Size: 152 bytes Desc: not available URL: -------------- next part -------------- r. We wanted to demonstrate a reading range of 25-30 cm.'' They used a 39cm diameter copper tube loop to get 25cm. Assuming that for the attack we're talking about a metre would be a more credible range, you're not going to be inconspicuous with a metre-plus diameter copper loop tucked under your shirt. Especially as the paper says "We built the loop antenna from 5/16 inch cooking gas copper tube", and even then it wasn't rigid enough: "The tube is tied to a solid non flexible wooden tablet, in order to maintain its shape and to avoid inductance changes under mechanical deformation forces." ian From ukcrypto at sourcetagged.ian.co.uk Thu Nov 18 16:05:18 2010 From: ukcrypto at sourcetagged.ian.co.uk (Ian Mason) Date: Thu, 18 Nov 2010 16:05:18 +0000 Subject: Contactless bank cards In-Reply-To: <0EFE4206-66FB-444F-89E7-6ACC006B0194@batten.eu.org> References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com><4CE24388.9060803@callnetuk.com><4CE25CB2.6040501@callnetuk.com> <9dVUDsEe8p4MFAsN@perry.co.uk> <2D3A2407-3A22-49A9-B637-30180BC104E5@sourcetagged.ian.co.uk> <0EFE4206-66FB-444F-89E7-6ACC006B0194@batten.eu.org> Message-ID: On 18 Nov 2010, at 14:51, Ian Batten wrote: >> >> If we want to put this into perspective with some real world >> results there's a paper here > usenix06/index.html> where a reading range of 25 cm was achieved >> with USD 110 worth of hardware. This paper is 4 years old and may >> not even represent the state of the art at the time. > > Perhaps not. But did you notice the slight flaw in using this > surreptitiously? It's in section 2.4: ``A necessary condition for > an increased range is a larger antenna. Theoretical analysis > ([Lee03]) shows that for a desired range, r, the optimal antenna > diameter is r. We wanted to > demonstrate a reading range of 25-30 cm.'' > > They used a 39cm diameter copper tube loop to get 25cm. Assuming > that for the attack we're talking about a metre would be a more > credible range, you're not going to be inconspicuous with a metre- > plus diameter copper loop tucked under your shirt. Especially as > the paper says "We built the loop antenna from 5/16 inch cooking > gas copper tube", and even then it wasn't rigid enough: "The tube > is tied to a solid non flexible wooden tablet, in order to maintain > its shape and to avoid inductance changes under mechanical > deformation forces." > > ian > Granted. Note however that this type of antenna does not have to be a circle; rectangles, even long thin ones, work too. However, even in circular form it would easily fit the "Entrance ?5" scenario posited by Nick (I think) where it could be concealed in a premise's entrance, or disguised as one of the loop antenna used in shop entrances for theft prevention, which we all walk past and ignore every day. In practice, I think this is probably a greater threat than purse surfing or whatever moniker we come up with for it. T'other Ian From lists at internetpolicyagency.com Thu Nov 18 16:06:05 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Thu, 18 Nov 2010 16:06:05 +0000 Subject: Contactless bank cards In-Reply-To: <0EFE4206-66FB-444F-89E7-6ACC006B0194@batten.eu.org> References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> <4CE25CB2.6040501@callnetuk.com> <9dVUDsEe8p4MFAsN@perry.co.uk> <2D3A2407-3A22-49A9-B637-30180BC104E5@sourcetagged.ian.co.uk> <0EFE4206-66FB-444F-89E7-6ACC006B0194@batten.eu.org> Message-ID: <8WIkR3ct7U5MFAUe@perry.co.uk> In article <0EFE4206-66FB-444F-89E7-6ACC006B0194 at batten.eu.org>, Ian Batten writes >> If we want to put this into perspective with some real world results there's a paper here >usenix06/index.html> where a reading range of 25 cm was achieved with USD 110 worth of hardware. This paper is 4 years old and may not even >>represent the state of the art at the time. > >Perhaps not. But did you notice the slight flaw in using this surreptitiously? It's in section 2.4: ``A necessary condition for an increased >range is a larger antenna. Theoretical analysis ([Lee03]) shows that for a desired range, r, the optimal antenna diameter is > > r. We wanted to demonstrate a reading range of 25-30 cm.'' > >They used a 39cm diameter copper tube loop to get 25cm. They also say that 35cm is as far as they think its possible to get (others they cite say 40-50cm, but it looks like 40cm requires 4amps at 12 volts). And also: "We are about half-way toward a full-blown implementation of a relay-attack." Four years on... did they ever get there? And the power supply required is a battery the size and weight of a brick (they only mention that it's easy to source) and isn't included in the $100 cost. (They are about ?35 each). So it's probably more evidence that the theory's fine, but I do feel it proves the point I originally made (and which has attracted some criticism). I'm also not inclined to think that the solution is susceptible to Moores Law, more likely to "Fusion Power Law", which is basically that if the physics is that difficult, you'll constantly be living in hope, but a few years away from a prototype that's actually useful. -- Roland Perry From cybergibbons at gmail.com Thu Nov 18 16:23:33 2010 From: cybergibbons at gmail.com (Cybergibbons) Date: Thu, 18 Nov 2010 16:23:33 +0000 Subject: Contactless bank cards In-Reply-To: References: <4CE25CB2.6040501@callnetuk.com> <20101116163933.GL535@snowy.squish.net> <+wjEolnFN84MFAfx@perry.co.uk> <20101117122031.GA2834@snowy.squish.net> <20101117152821.GC2834@snowy.squish.net> <3601464F-220D-4D16-978E-79A3A7027C7D@batten.eu.org> <20101117165351.GJ2834@snowy.squish.net> Message-ID: On 18 November 2010 10:19, Roland Perry wrote: >> Using something far more simple and ditching USB keeps the latency low >> and predictable. > > If this is a proposal for an attack in random persons in the same shop as > the crooks [you need one behind the till, and another out scouting for > cards] (I think that's how it was supposed to play out) then you'd need > something a bit more physically elegant than a laptop to be pressing up > against the victims. So you'd suggest some sort of custom hardware built > around the chips you mention, and with a fairly high bandwidth RF connection > between them? No need for high bandwidth really, it's just when you put a PC and USB in the way, it's very unpredictable. I can set up a link with low enough latency between two ChipCon SoC systems, and they cost less than ?10 each. I can relay a card using two readily available readers speaking to a third with a PC in the middle. Joining the two together is all that needs to be done - I don't think this is at all outside the realms of possibility. There's no need for massive read distances either. The Touchatag reader I have hear can work with a Oyster card from about 45mm away. People can pickpocket wallets, they can easily get a small reader close enough. -- Andrew From lists at internetpolicyagency.com Thu Nov 18 17:28:21 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Thu, 18 Nov 2010 17:28:21 +0000 Subject: Contactless bank cards In-Reply-To: References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> <4CE25CB2.6040501@callnetuk.com> <9dVUDsEe8p4MFAsN@perry.co.uk> <2D3A2407-3A22-49A9-B637-30180BC104E5@sourcetagged.ian.co.uk> <0EFE4206-66FB-444F-89E7-6ACC006B0194@batten.eu.org> Message-ID: In article , Ian Mason writes >However, even in circular form it would easily fit the "Entrance ?5" >scenario posited by Nick (I think) where it could be concealed in a >premise's entrance, or disguised as one of the loop antenna used in >shop entrances for theft prevention, which we all walk past and ignore >every day. But will be discovered as soon as one person challenges their credit card bill. It's not the kind of thing a rogue minimum wage employee is going to set up. >In practice, I think this is probably a greater threat than purse >surfing or whatever moniker we come up with for it. Purse surfing is a good name. -- Roland Perry From lists at internetpolicyagency.com Thu Nov 18 17:33:41 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Thu, 18 Nov 2010 17:33:41 +0000 Subject: Contactless bank cards In-Reply-To: References: <4CE25CB2.6040501@callnetuk.com> <20101116163933.GL535@snowy.squish.net> <+wjEolnFN84MFAfx@perry.co.uk> <20101117122031.GA2834@snowy.squish.net> <20101117152821.GC2834@snowy.squish.net> <3601464F-220D-4D16-978E-79A3A7027C7D@batten.eu.org> <20101117165351.GJ2834@snowy.squish.net> Message-ID: <3U+GxCf1NW5MFA0v@perry.co.uk> In article , Cybergibbons writes >On 18 November 2010 10:19, Roland Perry wrote: >>> Using something far more simple and ditching USB keeps the latency low >>> and predictable. >> >> If this is a proposal for an attack in random persons in the same shop as >> the crooks [you need one behind the till, and another out scouting for >> cards] (I think that's how it was supposed to play out) then you'd need >> something a bit more physically elegant than a laptop to be pressing up >> against the victims. So you'd suggest some sort of custom hardware built >> around the chips you mention, and with a fairly high bandwidth RF connection >> between them? > >No need for high bandwidth really, it's just when you put a PC and USB >in the way, it's very unpredictable. I can set up a link with low >enough latency between two ChipCon SoC systems, and they cost less >than ?10 each. So we know how much bandwidth, the article quoted earlier simply said "fast". >There's no need for massive read distances either. The Touchatag >reader I have hear can work with a Oyster card from about 45mm away. That range isn't consistent with anything quoted so far. Is the Oyster card special (not representative) or has your reader been tweaked? >People can pickpocket wallets, they can easily get a small reader >close enough. So we should all equip ourselves with a pair of interfering cards? -- Roland Perry From ukcrypto at sourcetagged.ian.co.uk Fri Nov 19 02:48:22 2010 From: ukcrypto at sourcetagged.ian.co.uk (Ian Mason) Date: Fri, 19 Nov 2010 02:48:22 +0000 Subject: Contactless bank cards In-Reply-To: References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> <4CE25CB2.6040501@callnetuk.com> <9dVUDsEe8p4MFAsN@perry.co.uk> <2D3A2407-3A22-49A9-B637-30180BC104E5@sourcetagged.ian.co.uk> <0EFE4206-66FB-444F-89E7-6ACC006B0194@batten.eu.org> Message-ID: <52A14F4F-82AB-4087-8B0E-0CA298DD1316@sourcetagged.ian.co.uk> On 18 Nov 2010, at 17:28, Roland Perry wrote: > In article C66FBA4E9CA6 at sourcetagged.ian.co.uk>, Ian Mason > writes > >> However, even in circular form it would easily fit the "Entrance >> ?5" scenario posited by Nick (I think) where it could be concealed >> in a premise's entrance, or disguised as one of the loop antenna >> used in shop entrances for theft prevention, which we all walk >> past and ignore every day. > > But will be discovered as soon as one person challenges their > credit card bill. It's not the kind of thing a rogue minimum wage > employee is going to set up. No, it requires corporate fraud, sadly the norm nowadays. I've been in trouble for being the "one honest man" before now - no names, no pack drill. Nick's scenario is the most realistic threat - "Admission ?5.00". I realise that you and Jennifer would never stumble into a low dive like that; unless you were with me, or Goodwins, or Oliver, or many of the other reprobates that you know. :=) > >> In practice, I think this is probably a greater threat than purse >> surfing or whatever moniker we come up with for it. > > Purse surfing is a good name. It has a ring, better still, it has a slightly salacious note. I don't know why, but it does. I expect to be cited correctly. ;-) [Fx, Homer voice: Mmmmm, purse surfing] > -- > Roland Perry > From ukcrypto at sourcetagged.ian.co.uk Fri Nov 19 03:08:37 2010 From: ukcrypto at sourcetagged.ian.co.uk (Ian Mason) Date: Fri, 19 Nov 2010 03:08:37 +0000 Subject: Contactless bank cards In-Reply-To: <3U+GxCf1NW5MFA0v@perry.co.uk> References: <4CE25CB2.6040501@callnetuk.com> <20101116163933.GL535@snowy.squish.net> <+wjEolnFN84MFAfx@perry.co.uk> <20101117122031.GA2834@snowy.squish.net> <20101117152821.GC2834@snowy.squish.net> <3601464F-220D-4D16-978E-79A3A7027C7D@batten.eu.org> <20101117165351.GJ2834@snowy.squish.net> <3U+GxCf1NW5MFA0v@perry.co.uk> Message-ID: On 18 Nov 2010, at 17:33, Roland Perry wrote: > In article > , > Cybergibbons writes >> On 18 November 2010 10:19, Roland Perry >> wrote: >>>> Using something far more simple and ditching USB keeps the >>>> latency low >>>> and predictable. >>> >>> If this is a proposal for an attack in random persons in the same >>> shop as >>> the crooks [you need one behind the till, and another out >>> scouting for >>> cards] (I think that's how it was supposed to play out) then >>> you'd need >>> something a bit more physically elegant than a laptop to be >>> pressing up >>> against the victims. So you'd suggest some sort of custom >>> hardware built >>> around the chips you mention, and with a fairly high bandwidth RF >>> connection >>> between them? >> >> No need for high bandwidth really, it's just when you put a PC and >> USB >> in the way, it's very unpredictable. I can set up a link with low >> enough latency between two ChipCon SoC systems, and they cost less >> than ?10 each. > > So we know how much bandwidth, the article quoted earlier simply > said "fast". > >> There's no need for massive read distances either. The Touchatag >> reader I have hear can work with a Oyster card from about 45mm away. > > That range isn't consistent with anything quoted so far. Is the > Oyster card special (not representative) or has your reader been > tweaked? > >> People can pickpocket wallets, they can easily get a small reader >> close enough. > > So we should all equip ourselves with a pair of interfering cards? Yes! There was a seminal article (which I can't quickly find a citation for) which posited, and produced, a card which was designed to collide with any RFID card. To explain, RFID cards are supposed to do 'bit by bit' collision; if two cards are in the field of a reader they are supposed to co- operate, if one forces a 'one' when the other tries to force a 'zero' one of them gives way, thus two cards can be in the same RF field but only one of them gets read. If you play against the rules you can foul the field and ensure that no card is readable. Ian From richard at highwayman.com Thu Nov 18 23:35:53 2010 From: richard at highwayman.com (Richard Clayton) Date: Thu, 18 Nov 2010 23:35:53 +0000 Subject: Consultation on change to RIP interception definition ("unintentional interception") In-Reply-To: References: <4CDBBF17.3070209@iosis.co.uk> <0202628D-2600-4B85-8D83-01C818D09A92@batten.eu.org> Message-ID: <+tks9OCZhb5MFAmc@highwayman.com> In article , Ian Batten writes >I trust ISPs don't propagate routes for RFC1918 any more... all the time :( at present [4pm, as measured at RIPE] AS6067 is announcing 10.100.100.100/30 AS6067 is based in Middlesbrough... ... if you want to see a further list of current specious announcements see: http://www.cymru.com/BGP/bogons.html -- richard Richard Clayton Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 185 bytes Desc: not available URL: From ukcrypto at sourcetagged.ian.co.uk Fri Nov 19 03:22:16 2010 From: ukcrypto at sourcetagged.ian.co.uk (Ian Mason) Date: Fri, 19 Nov 2010 03:22:16 +0000 Subject: Consultation on change to RIP interception definition ("unintentional interception") In-Reply-To: <+tks9OCZhb5MFAmc@highwayman.com> References: <4CDBBF17.3070209@iosis.co.uk> <0202628D-2600-4B85-8D83-01C818D09A92@batten.eu.org> <+tks9OCZhb5MFAmc@highwayman.com> Message-ID: <9C3B3F86-596F-4AF6-B9AB-F6D4D7BB93CD@sourcetagged.ian.co.uk> On 18 Nov 2010, at 23:35, Richard Clayton wrote: > In article , Ian > Batten writes > >> I trust ISPs don't propagate routes for RFC1918 any more... > > all the time :( > > at present [4pm, as measured at RIPE] > > AS6067 is announcing 10.100.100.100/30 > > AS6067 is based in Middlesbrough... > > ... if you want to see a further list of current specious > announcements > see: > http://www.cymru.com/BGP/bogons.html > > -- > richard Richard > Clayton > > Those who would give up essential Liberty, to purchase a little > temporary > Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 > Nov 1755 Ah, well. We all claim to be that which we are not. Especially if we are in our cups, which most men who post on the wee hours are, justly or not, suspected of. Bedtime...... ;-) Ian From lists at internetpolicyagency.com Fri Nov 19 08:22:15 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Fri, 19 Nov 2010 08:22:15 +0000 Subject: Consultation on change to RIP interception definition ("unintentional interception") In-Reply-To: References: <4CDBBF17.3070209@iosis.co.uk> <0202628D-2600-4B85-8D83-01C818D09A92@batten.eu.org> Message-ID: In article , Roland Perry writes >> I trust ISPs don't propagate routes for RFC1918 any more... > >As the available free pool of IPv4 diminishes, the RIRs are taking a >much closer look at what they call "noise" in /8's that they receive >from IANA and which were supposed to be previously unregistered (and >hence unused/unannounced). Geoff Huston at APNIC has done much of this, >if you want the gory details. Geoff's speaking about this (again) at the Rome RIPE meeting, as I type. The webcast and slides should be available online. He says there's 100megabits on 1.1.1.1 at the moment, and nearly a gigabit peak on the whole /8. http://ripe61.ripe.net/programme/meeting-plan/plenary-6/ (It's named ipv6, but plenty of v4 stuff included). And "Private networks leak like crazy..." he says! -- Roland Perry From lists at internetpolicyagency.com Fri Nov 19 08:23:42 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Fri, 19 Nov 2010 08:23:42 +0000 Subject: Contactless bank cards In-Reply-To: <52A14F4F-82AB-4087-8B0E-0CA298DD1316@sourcetagged.ian.co.uk> References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> <4CE25CB2.6040501@callnetuk.com> <9dVUDsEe8p4MFAsN@perry.co.uk> <2D3A2407-3A22-49A9-B637-30180BC104E5@sourcetagged.ian.co.uk> <0EFE4206-66FB-444F-89E7-6ACC006B0194@batten.eu.org> <52A14F4F-82AB-4087-8B0E-0CA298DD1316@sourcetagged.ian.co.uk> Message-ID: In article <52A14F4F-82AB-4087-8B0E-0CA298DD1316 at sourcetagged.ian.co.uk>, Ian Mason writes >> But will be discovered as soon as one person challenges their credit >>card bill. It's not the kind of thing a rogue minimum wage employee is >>going to set up. > >No, it requires corporate fraud, sadly the norm nowadays. Thread drift, then. The attack we started off with was a minimum wage till operator doing a shuffle with ?10 notes and hoping the till balanced at the end of the day. >I've been in trouble for being the "one honest man" before now - no >names, no pack drill. > >Nick's scenario is the most realistic threat - "Admission ?5.00". They'll still get complaints pretty quickly, or are we expecting something like Premium Rate scams - set up the phone line at 5.01pm on a Friday and disappear with the cash a 8.59am on Monday? Phonepayplus fixed that (I think) by putting the money into quarantine to give some chance of reclaiming it for the customers. Paypal does much the same these days for new traders and some sectors. Maybe Paywave could have a similar scheme - although surely the banks have to refund the customers whatever, so it's a choice that's internal to the banking system. >I realise that you and Jennifer would never stumble into a low dive >like that; unless you were with me, or Goodwins, or Oliver, or many of >the other reprobates that you know. :=) I think I'm going to use the "two card trick". As I have two different Barclaycards, presumably this will happen anyway. ps A paywave and an Oyster presumably don't interfere, because Barclays have a card with both. -- Roland Perry From slewis at frontier.co.uk Thu Nov 18 15:11:47 2010 From: slewis at frontier.co.uk (Sergei Lewis) Date: Thu, 18 Nov 2010 15:11:47 +0000 Subject: Contactless bank cards In-Reply-To: <0EFE4206-66FB-444F-89E7-6ACC006B0194@batten.eu.org> References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> <4CE25CB2.6040501@callnetuk.com> <9dVUDsEe8p4MFAsN@perry.co.uk> <2D3A2407-3A22-49A9-B637-30180BC104E5@sourcetagged.ian.co.uk> <0EFE4206-66FB-444F-89E7-6ACC006B0194@batten.eu.org> Message-ID: At 14:51 18/11/2010, Ian Batten wrote: >"The tube is tied to a solid non flexible wooden tablet, in order to >maintain its shape and to avoid inductance changes under mechanical >deformation forces." Sounds like an advertising sandwich board to me. See plenty of minimum-wage students standing around wearing those around tube stations... ;) -- Sergei Lewis From david at jellybaby.net Fri Nov 19 09:14:33 2010 From: david at jellybaby.net (David Walters) Date: Fri, 19 Nov 2010 09:14:33 +0000 Subject: Contactless bank cards In-Reply-To: References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> <4CE25CB2.6040501@callnetuk.com> <9dVUDsEe8p4MFAsN@perry.co.uk> <2D3A2407-3A22-49A9-B637-30180BC104E5@sourcetagged.ian.co.uk> <0EFE4206-66FB-444F-89E7-6ACC006B0194@batten.eu.org> <52A14F4F-82AB-4087-8B0E-0CA298DD1316@sourcetagged.ian.co.uk> Message-ID: On Fri, Nov 19, 2010 at 8:23 AM, Roland Perry wrote: > ps A paywave and an Oyster presumably don't interfere, because Barclays have > a card with both. No, they interfere. AIUI the Barclaycard Onepulse only has one chip and one aerial. I've got one that doesn't work any more which I'll take apart when I've got some nail varnish remover and a jam jar. From pwt at iosis.co.uk Fri Nov 19 09:30:21 2010 From: pwt at iosis.co.uk (Peter Tomlinson) Date: Fri, 19 Nov 2010 09:30:21 +0000 Subject: Contactless bank cards In-Reply-To: References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> <4CE25CB2.6040501@callnetuk.com> <9dVUDsEe8p4MFAsN@perry.co.uk> <2D3A2407-3A22-49A9-B637-30180BC104E5@sourcetagged.ian.co.uk> <0EFE4206-66FB-444F-89E7-6ACC006B0194@batten.eu.org> <52A14F4F-82AB-4087-8B0E-0CA298DD1316@sourcetagged.ian.co.uk> Message-ID: <4CE643AD.4060603@iosis.co.uk> Roland Perry wrote: > ps A paywave and an Oyster presumably don't interfere, because > Barclays have a card with both. To labour the point a little, the interference discussed here has two sources: (1) When more than one card responds to the terminal's RF field . There is a provision in the 14443 standard for anti-collision processing, but the characteristics of the interface between card and terminal are such that anti-collision may fail, or the terminal may not even implement the function. (And the rule breaking blocker card would no doubt be designed to start shouting continuously as soon as it has enough power to start up, rather than simply indicate that its there and waiting.) (2) Having two cards in very close proximity to each other (e.g. in a closed wallet) affects the electrical characteristics of the RF circuitry of both cards, so that data comms may well be compromised, or it may even compromise the ability of the cards to collect enough power to operate. Where there is more than one application hosted on one card, then that card will wait for an application select - and then only one app will become active - or the card may be programmed to pre-select one app, leaving the terminal to ask if it wants to see if another app is present. (TfL is now in the position where it will soon have to cope with 3 different on-card apps: Oyster, ITSO, EMV. Oyster and ITSO are both just data areas, but in the DESFire cards currently being issued these require app select; EMV is a microprocessor-based application.) The carrier frequency used in the power transfer and data comms is 13.56 MHz, but the aerial coil in the card is NOT tuned to that frequency. It is resonant at a rather higher frequency. The aerial coil in the terminal is tuned to something very near 13.56 MHz - but the presence of the card changes the exact resonant frequency of the terminal's aerial coil. I don't know anyone who has been able to create an exact mathematical model for this somewhat approximate technology. As I wrote in a July 2003 paper, having (as expected) found that different designers make different decisions about both card and terminal aerial coil characteristics: (I) have realised that those developing 14443 made unwarranted assumptions about the circuitry used around the two coils involved: card aerial coil and terminal aerial coil. One statement made to me is that it is assumed that the card?s coil will be tuned to around 15 to 17 MHz, and the terminal?s coil to 13.56 MHz. Another statement is that adjusting the tuning of the terminal?s aerial coil changes the characteristics - you tune for maximum range but accept a blind spot close to the terminal, or you tune for no blind spot and the range reduces. In practice it sems that card manufacturers try to make the resonant frequency of the aerial coil as high as possible (over 20 MHz), while maintaining power collecting performance. Some cards indeed use as large an area of coil as is reliably possible from a durability point of view, others have a very small coil (which is why we can have adequate performance from very small form factors). Peter From igb at batten.eu.org Fri Nov 19 10:06:34 2010 From: igb at batten.eu.org (Ian Batten) Date: Fri, 19 Nov 2010 10:06:34 +0000 Subject: Contactless bank cards In-Reply-To: References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> <4CE25CB2.6040501@callnetuk.com> <9dVUDsEe8p4MFAsN@perry.co.uk> <2D3A2407-3A22-49A9-B637-30180BC104E5@sourcetagged.ian.co.uk> <0EFE4206-66FB-444F-89E7-6ACC006B0194@batten.eu.org> <52A14F4F-82AB-4087-8B0E-0CA298DD1316@sourcetagged.ian.co.uk> Message-ID: > > Phonepayplus fixed that (I think) by putting the money into quarantine to give some chance of reclaiming it for the customers. Paypal does much the same these days for new traders and some sectors. Maybe Paywave could have a similar scheme - although surely the banks have to refund the customers whatever, so it's a choice that's internal to the banking system. The studio gym I go to spent their first year having the wait 30 days for payment: it was apparently standard practice for their processing company when dealing with new companies in the leisure sector. I also presume that part of the Ts and Cs for merchants is using the equipment as issued: collecting payments in a scenario which can only be executed by high-powered antennae with in-line amplifiers clearly breaches that. ian From otcbn at callnetuk.com Fri Nov 19 10:19:57 2010 From: otcbn at callnetuk.com (Peter Mitchell) Date: Fri, 19 Nov 2010 10:19:57 +0000 Subject: Contactless bank cards In-Reply-To: <52A14F4F-82AB-4087-8B0E-0CA298DD1316@sourcetagged.ian.co.uk> References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> <4CE25CB2.6040501@callnetuk.com> <9dVUDsEe8p4MFAsN@perry.co.uk> <2D3A2407-3A22-49A9-B637-30180BC104E5@sourcetagged.ian.co.uk> <0EFE4206-66FB-444F-89E7-6ACC006B0194@batten.eu.org> <52A14F4F-82AB-4087-8B0E-0CA298DD1316@sourcetagged.ian.co.uk> Message-ID: <4CE64F4D.4020505@callnetuk.com> Ian Mason wrote on 19-11-10 02:48: > > On 18 Nov 2010, at 17:28, Roland Perry wrote: > >> In article >> , Ian >> Mason writes >> >>> However, even in circular form it would easily fit the "Entrance ?5" >>> scenario posited by Nick (I think) where it could be concealed in a >>> premise's entrance, or disguised as one of the loop antenna used in >>> shop entrances for theft prevention, which we all walk past and >>> ignore every day. >> >> But will be discovered as soon as one person challenges their credit >> card bill. It's not the kind of thing a rogue minimum wage employee is >> going to set up. > > No, it requires corporate fraud, sadly the norm nowadays. I've been in > trouble for being the "one honest man" before now - no names, no pack > drill. Me too. And the banks will collude: "I'm sorry sir, our cards are entirely secure against fraud, so you must have agreed to that transaction. After all you admit you were in the Streatham Hill Spearmint Rhino Gentlemen's Club on that date. If you prefer, we can check that with your wife ..." > Nick's scenario is the most realistic threat - "Admission ?5.00". I agree - and one can think of many variations on it. The ethics are similar to the procedure whereby insurance or utility companies set up "continuous credit card authorities" on the basis of your presumed consent to some 3pt type deep in the bowels of their web site, and if you protest they say "But it's there on the T&Cs page ... " -- Pete Mitchell From otcbn at callnetuk.com Fri Nov 19 10:22:20 2010 From: otcbn at callnetuk.com (Peter Mitchell) Date: Fri, 19 Nov 2010 10:22:20 +0000 Subject: Contactless bank cards In-Reply-To: <4CE643AD.4060603@iosis.co.uk> References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> <4CE25CB2.6040501@callnetuk.com> <9dVUDsEe8p4MFAsN@perry.co.uk> <2D3A2407-3A22-49A9-B637-30180BC104E5@sourcetagged.ian.co.uk> <0EFE4206-66FB-444F-89E7-6ACC006B0194@batten.eu.org> <52A14F4F-82AB-4087-8B0E-0CA298DD1316@sourcetagged.ian.co.uk> <4CE643AD.4060603@iosis.co.uk> Message-ID: <4CE64FDC.9090007@callnetuk.com> Peter Tomlinson wrote on 19-11-10 09:30: > Roland Perry wrote: >> ps A paywave and an Oyster presumably don't interfere, because >> Barclays have a card with both. > To labour the point a little, the interference discussed here has two > sources: > I don't understand all this - is it OK just to cut the wire loop instead, or would that disable the card entirely (including the chip)? -- Pete Mitchell From pwt at iosis.co.uk Fri Nov 19 10:51:16 2010 From: pwt at iosis.co.uk (Peter Tomlinson) Date: Fri, 19 Nov 2010 10:51:16 +0000 Subject: Contactless bank cards In-Reply-To: <4CE64FDC.9090007@callnetuk.com> References: <4CE16136.4060707@callnetuk.com> <4CE1B307.1070803@callnetuk.com> <4CE24388.9060803@callnetuk.com> <4CE25CB2.6040501@callnetuk.com> <9dVUDsEe8p4MFAsN@perry.co.uk> <2D3A2407-3A22-49A9-B637-30180BC104E5@sourcetagged.ian.co.uk> <0EFE4206-66FB-444F-89E7-6ACC006B0194@batten.eu.org> <52A14F4F-82AB-4087-8B0E-0CA298DD1316@sourcetagged.ian.co.uk> <4CE643AD.4060603@iosis.co.uk> <4CE64FDC.9090007@callnetuk.com> Message-ID: <4CE656A4.9010001@iosis.co.uk> Peter Mitchell wrote: > Peter Tomlinson wrote on 19-11-10 09:30: >> Roland Perry wrote: >>> ps A paywave and an Oyster presumably don't interfere, because >>> Barclays have a card with both. >> To labour the point a little, the interference discussed here has two >> sources: > I don't understand all this - is it OK just to cut the wire loop > instead, or would that disable the card entirely (including the chip)? Assuming that they don't have a loop integrity detector that is checked when you use the contact interface, it is very likely that cutting the loop will not stop the chip working in contact mode. But the very fact that we are discussing this might make the card issuers put in a detector... Peter From steve at greenend.org.uk Tue Nov 23 15:25:13 2010 From: steve at greenend.org.uk (Stephen Early) Date: Tue, 23 Nov 2010 15:25:13 +0000 Subject: Administrivia; please do not reply Message-ID: <4CEBDCD9.10008@greenend.org.uk> It has been alleged that the ukcrypto mailing list is broken. If you can see this, then it is not! Stephen Early UKcrypto mailing list administrator From jim at openrightsgroup.org Fri Nov 26 10:44:02 2010 From: jim at openrightsgroup.org (Jim Killock) Date: Fri, 26 Nov 2010 10:44:02 +0000 Subject: Consultation on change to RIP interception definition ("unintentional interception") In-Reply-To: <9C3B3F86-596F-4AF6-B9AB-F6D4D7BB93CD@sourcetagged.ian.co.uk> References: <4CDBBF17.3070209@iosis.co.uk> <0202628D-2600-4B85-8D83-01C818D09A92@batten.eu.org> <+tks9OCZhb5MFAmc@highwayman.com> <9C3B3F86-596F-4AF6-B9AB-F6D4D7BB93CD@sourcetagged.ian.co.uk> Message-ID: <71BEBC9D-AE17-4E1D-9D19-800086AE2C19@openrightsgroup.org> Thought you folks might be interested in this response ORG had today. we complained about the deadline, lack of publication and lack of civil society consultation. The Home Office is still refusing to meet civil society groups. Yesterday, a group of privacy advocates including ORG, Privacy International, Genewatch, Archrights, No2ID and Justice wrote asking for a meeting and proper consultation. Dear Jim, Thank you for your further email on this subject. We apologise if you have had some difficulty in accessing the consultation on the Home Office website. It can be found at http://homeoffice.gov.uk/about-us/consultations/. We have also extended the consultation until 17th December to enable those who may have encountered difficulties in responding to do so. As you will note in the consultation we have undertaken to make changes to the Regulation of Investigatory Powers Act 2000 to remedy defects in the way in which the E-Privacy and Data Protection Directives were transposed into UK law. The proposed changes do not alter the principles of the Directives in question and consultation took place when those Directives were originally transposed into UK law, albeit defectively, as we now recognise. Consequently, we are carrying out a short, targeted consultation. We are focusing on those parties directly affected by the changes to the extent that those parties would be subject to the civil sanction or directly concerned with it, or are directly responsible, where lawful interception is taking place, for ensuring that consent has been obtained to the interception. There is a clear distinction between changes we are enjoined to make, having agreed to do so, and changes, for example, which are being proposed for the E-Privacy Directive on which the Department for Business, Innovation and Skills are consulting. Notwithstanding that we decided, in the interests of transparency, to publish the consultation on the Home Office?s website. Given the need to amend legislation rapidly and having been referred to the European Court of Justice the consultation period is necessarily short, and consequently it is not possible to meet every party that shows an interest in this subject. In the limited time we have we are focussing our face to face engagement on those parties to whom we sent our consultation directly, which does not include civil society groups. We would of course welcome any official response that you would like to make to the consultation. The minister responsible for these issues in the first instance is Baroness Neville-Jones. I trust that assists and clarifies our position. Kind regards, The RIPA Team -------------- next part -------------- An HTML attachment was scrubbed... URL: From tharg at gmx.net Sat Nov 27 17:53:58 2010 From: tharg at gmx.net (Caspar Bowden (travelling private e-mail)) Date: Sat, 27 Nov 2010 18:53:58 +0100 Subject: RIPA metastases to Trinidad (including Pt.3) Message-ID: <000001cb8e5c$12836ed0$378a4c70$@gmx.net> http://www.ttparliament.org/publications.php?mid=28 &id=581 Opinions on where burden of proof rests in S.16? http://www.ttparliament.org/legislations/b2010h22.pdf Anyone noticed any other countries legislating RIP Pt.3 analogs (or near clones as here)? Caspar -------------- next part -------------- An HTML attachment was scrubbed... URL: From tharg at gmx.net Sat Nov 27 18:29:39 2010 From: tharg at gmx.net (Caspar Bowden (travelling private e-mail)) Date: Sat, 27 Nov 2010 19:29:39 +0100 Subject: RIPA (including Pt.3) metastases to Trinidad (2010), Ghana (2010) and Jamaica (2006) Message-ID: <000001cb8e61$0f70e560$2e52b020$@gmx.net> http://www.nita.gov.gh/UserFiles/ElectroncInvestigationandInterception.pdf http://www.moj.gov.jm/laws/statutes/Interception%20of%20Communications%20Act .pdf looks like https://secure.wikimedia.org/wikipedia/en/wiki/Key_disclosure_law needs some updating.... From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto-bounces at chiark.greenend.org.uk] On Behalf Of Caspar Bowden (travelling private e-mail) Sent: 27 November 2010 18:54 To: ukcrypto at chiark.greenend.org.uk Subject: RIPA metastases to Trinidad (including Pt.3) http://www.ttparliament.org/publications.php?mid=28 &id=581 Opinions on where burden of proof rests in S.16? http://www.ttparliament.org/legislations/b2010h22.pdf Anyone noticed any other countries legislating RIP Pt.3 analogs (or near clones as here)? Caspar -------------- next part -------------- An HTML attachment was scrubbed... URL: From otcbn at callnetuk.com Sun Nov 28 18:02:35 2010 From: otcbn at callnetuk.com (Peter Mitchell) Date: Sun, 28 Nov 2010 18:02:35 +0000 Subject: Nominet as official police censors Message-ID: <4CF2993B.6040402@callnetuk.com> http://www.nominet.org.uk/policy/issuegroups/current/domainsassociatedwithcrime/ "Dealing with domain names used in connection with criminal activity [Issue Champion: Serious and Organised Crime Agency] Nominet does not currently have any clear obligation in its registrant Terms and Conditions that a domain name should not be used in connection with any activity that would constitute an offence under UK Criminal law. The group will discuss whether proposals should be put forward to change Nominet's Terms and Conditions to give a contractual basis to suspend domains where Nominet has reasonable grounds to believe they are being used to commit a crime (e.g. a request from an identified UK Law Enforcement Agency)" Notice the assumption that a police request alone is sufficient evidence to take down a website. That already seems to be standard Nominet practice: from the briefing document "... There are increasing expectations from Law Enforcement Agencies that Nominet and its members will respond quickly to reasonable requests to suspend domain names being used in association with criminal activity and Nominet has been working with them in response to formal requests." What an excellent way of enforcing a police officer's personal interpretation of (say) the Obscene Publications Act, without having to trouble the courts. I look forward to the disappearance of all DH Lawrence study sites. -- Pete Mitchell From lists at internetpolicyagency.com Sun Nov 28 22:04:23 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Sun, 28 Nov 2010 22:04:23 +0000 Subject: Nominet as official police censors In-Reply-To: <4CF2993B.6040402@callnetuk.com> References: <4CF2993B.6040402@callnetuk.com> Message-ID: In article <4CF2993B.6040402 at callnetuk.com>, Peter Mitchell writes >Notice the assumption that a police request alone is sufficient >evidence to take down a website. That already seems to be standard >Nominet practice: from the briefing document "... There are increasing >expectations from Law Enforcement Agencies that Nominet and its members >will respond quickly to reasonable requests to suspend domain names >being used in association with criminal activity and Nominet has been >working with them in response to formal requests." > >What an excellent way of enforcing a police officer's personal >interpretation of (say) the Obscene Publications Act, without having to >trouble the courts. I look forward to the disappearance of all DH >Lawrence study sites. It's currently going to be sites which are associated with a wide range of scams, but if you think there should be measures to prevent it being used for back-door content censorship, then now's the time to join in with Nominet's policy process. It would be reasonably easy to have a policy where the "criminal activity" was defined by a particular subset of criminal acts. You could start with fraud, and work from there. But maybe not this kind of fraud: "Officer! This publication isn't nearly as obscene as it claims to be. I've been scammed, close them down immediately". -- Roland Perry From brian at thejohnsons.co.uk Sun Nov 28 22:57:21 2010 From: brian at thejohnsons.co.uk (Brian L Johnson) Date: Sun, 28 Nov 2010 22:57:21 +0000 Subject: Nominet as official police censors Message-ID: Fitwatch -- brianlj -original message- Subject: Re: Nominet as official police censors From: Roland Perry Date: 28/11/2010 10:10 pm In article <4CF2993B.6040402 at callnetuk.com>, Peter Mitchell writes >Notice the assumption that a police request alone is sufficient >evidence to take down a website. That already seems to be standard >Nominet practice: from the briefing document "... There are increasing >expectations from Law Enforcement Agencies that Nominet and its members >will respond quickly to reasonable requests to suspend domain names >being used in association with criminal activity and Nominet has been >working with them in response to formal requests." > >What an excellent way of enforcing a police officer's personal >interpretation of (say) the Obscene Publications Act, without having to >trouble the courts. I look forward to the disappearance of all DH >Lawrence study sites. It's currently going to be sites which are associated with a wide range of scams, but if you think there should be measures to prevent it being used for back-door content censorship, then now's the time to join in with Nominet's policy process. It would be reasonably easy to have a policy where the "criminal activity" was defined by a particular subset of criminal acts. You could start with fraud, and work from there. But maybe not this kind of fraud: "Officer! This publication isn't nearly as obscene as it claims to be. I've been scammed, close them down immediately". -- Roland Perry From pwt at iosis.co.uk Mon Nov 29 07:15:21 2010 From: pwt at iosis.co.uk (Peter Tomlinson) Date: Mon, 29 Nov 2010 07:15:21 +0000 Subject: Nominet as official police censors In-Reply-To: <4CF2993B.6040402@callnetuk.com> References: <4CF2993B.6040402@callnetuk.com> Message-ID: <4CF35309.2020804@iosis.co.uk> Peter Mitchell wrote: > What an excellent way of enforcing a police officer's personal > interpretation of (say) the Obscene Publications Act, without having > to trouble the courts. I look forward to the disappearance of all DH > Lawrence study sites. Thus putting yet another cost burden on students, as they would have to buy the books and the commentaries on the books... (A friend's daughter is studying DHL as part of an English Lit degree - like so many others, she is having to work hard in a minimum wage job to fund her studies without taking on even more "student debt" - DHL book text is available on line FOC for study purposes, so I assume other books in the same genre are similarly available.) Peter From igb at batten.eu.org Mon Nov 29 08:49:57 2010 From: igb at batten.eu.org (Ian Batten) Date: Mon, 29 Nov 2010 08:49:57 +0000 Subject: Nominet as official police censors In-Reply-To: <4CF35309.2020804@iosis.co.uk> References: <4CF2993B.6040402@callnetuk.com> <4CF35309.2020804@iosis.co.uk> Message-ID: On 29 Nov 10, at 0715, Peter Tomlinson wrote: > Peter Mitchell wrote: >> What an excellent way of enforcing a police officer's personal interpretation of (say) the Obscene Publications Act, without having to trouble the courts. I look forward to the disappearance of all DH Lawrence study sites. > Thus putting yet another cost burden on students, as they would have to buy the books and the commentaries on the books... (A friend's daughter is studying DHL as part of an English Lit degree - like so many others, she is having to work hard in a minimum wage job to fund her studies without taking on even more "student debt" - DHL book text is available on line FOC for study purposes, so I assume other books in the same genre are similarly available.) For those that think the police acting as censors of academic study is fanciful, let us consider University of Central England (previously Birmingham Polytechnic, now Birmingham Metropolitan University. Peter Knight is an absolute hero of this, because he and the senate went toe-to-toe with the police (and the wikipedia article, below, doesn't come close to describing just how toe-to-toe it was, from what one hears locally): > In 1998, the university was involved in controversy when a book by photographer Robert Mapplethorpe, Mapplethorpe (2002), was confiscated. A final year undergraduate student was writing a paper on Mapplethorpe's work and intended to illustrate the paper with a few photographs. She took the photographs to the local chemist to be developed and the chemist informed West Midlands Police because of the unusual nature of the images. The police confiscated the library book from the student and informed the university that the book would have to be destroyed. If the university agreed to the destruction, no further action would be taken. > The university Vice-Chancellor, Dr Peter Knight, took the view?supported by the Senate?that the book was a legitimate book for the university library to hold and that the action of the police was a serious infringement of academic freedom. The Vice-Chancellor was interviewed by the police, under caution, with a view to prosecution under the terms of the Obscene Publications Act, which defines obscenity as material that is likely to deprave and corrupt. The police focused on one particular image, 'Jim and Tom, Sausalito 1977', which depicts one man urinating into the mouth of another. > After the interview with the Vice-Chancellor, a file was sent to the Crown Prosecution Service as the Director of Public Prosecutions (DPP) has to take the decision as to whether or not to proceed with a trial. After a delay of about six months, the affair came to an end when the DPP informed Dr Knight that no action would be taken as "there was insufficient evidence to support a successful prosecution on this occasion". The original book was returned, in a slightly tattered state, and restored to the university library.[54] From lists at internetpolicyagency.com Mon Nov 29 08:50:33 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Mon, 29 Nov 2010 08:50:33 +0000 Subject: Nominet as official police censors In-Reply-To: <4CF35309.2020804@iosis.co.uk> References: <4CF2993B.6040402@callnetuk.com> <4CF35309.2020804@iosis.co.uk> Message-ID: In article <4CF35309.2020804 at iosis.co.uk>, Peter Tomlinson writes >> What an excellent way of enforcing a police officer's personal >>interpretation of (say) the Obscene Publications Act, without having >>to trouble the courts. I look forward to the disappearance of all DH >>Lawrence study sites. >Thus putting yet another cost burden on students, as they would have to >buy the books and the commentaries on the books... (A friend's daughter >is studying DHL as part of an English Lit degree - like so many others, >she is having to work hard in a minimum wage job to fund her studies >without taking on even more "student debt" - DHL book text is available >on line FOC for study purposes, so I assume other books in the same >genre are similarly available.) And even if the DH Lawrence .uk censorship straw man did come to pass, what makes you think that the content wouldn't be available on a website that didn't have a .uk domain name? For example, bibliomania.com has a section with Lady Chatterley's lover. -- Roland Perry From lists at internetpolicyagency.com Mon Nov 29 08:50:33 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Mon, 29 Nov 2010 08:50:33 +0000 Subject: Nominet as official police censors In-Reply-To: <4CF35309.2020804@iosis.co.uk> References: <4CF2993B.6040402@callnetuk.com> <4CF35309.2020804@iosis.co.uk> Message-ID: In article <4CF35309.2020804 at iosis.co.uk>, Peter Tomlinson writes >> What an excellent way of enforcing a police officer's personal >>interpretation of (say) the Obscene Publications Act, without having >>to trouble the courts. I look forward to the disappearance of all DH >>Lawrence study sites. >Thus putting yet another cost burden on students, as they would have to >buy the books and the commentaries on the books... (A friend's daughter >is studying DHL as part of an English Lit degree - like so many others, >she is having to work hard in a minimum wage job to fund her studies >without taking on even more "student debt" - DHL book text is available >on line FOC for study purposes, so I assume other books in the same >genre are similarly available.) And even if the DH Lawrence .uk censorship straw man did come to pass, what makes you think that the content wouldn't be available on a website that didn't have a .uk domain name? For example, bibliomania.com has a section with Lady Chatterley's lover. -- Roland Perry From matthew at pemble.net Mon Nov 29 10:43:38 2010 From: matthew at pemble.net (Matthew Pemble) Date: Mon, 29 Nov 2010 10:43:38 +0000 Subject: Nominet as official police censors In-Reply-To: References: <4CF2993B.6040402@callnetuk.com> <4CF35309.2020804@iosis.co.uk> Message-ID: On 29 November 2010 08:50, Roland Perry wrote: > > And even if the DH Lawrence .uk censorship straw man did come to pass, what > makes you think that the content wouldn't be available on a website that > didn't have a .uk domain name? For example, bibliomania.com has a section > with Lady Chatterley's lover. Sorry, isn't that what Cleanfeed is for? M -- Matthew Pemble From lists at internetpolicyagency.com Mon Nov 29 10:58:49 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Mon, 29 Nov 2010 10:58:49 +0000 Subject: Nominet as official police censors In-Reply-To: References: <4CF2993B.6040402@callnetuk.com> <4CF35309.2020804@iosis.co.uk> Message-ID: In article , Matthew Pemble writes >> And even if the DH Lawrence .uk censorship straw man did come to pass, what >> makes you think that the content wouldn't be available on a website that >> didn't have a .uk domain name? For example, bibliomania.com has a section >> with Lady Chatterley's lover. > >Sorry, isn't that what Cleanfeed is for? Aren't some anti-phishing add-ins a bit like a cient-implemented Cleanfeed? Hmm; anti-porn toolbar, sounds like it might catch on. -- Roland Perry From jim at openrightsgroup.org Mon Nov 29 15:27:56 2010 From: jim at openrightsgroup.org (Jim Killock) Date: Mon, 29 Nov 2010 15:27:56 +0000 Subject: Fwd: URGENT Re: Meeting request re RIPA review References: <20030AFC286D1D4A98623051A22827DC0180BC88BF0E@OTIVEMB1001.hoconf.net> Message-ID: Dear all, If anyone here would be interested in coming to a meeting with the Home Office about the RIPA interception review, please let me know Thank you Jim Begin forwarded message: > From: "RIPA - Consent and Sanction Consultation" > Date: 29 November 2010 14:27:06 GMT > To: "'Jim Killock'" > Subject: NOT PROTECTIVELY MARKED RE: NOT PROTECTIVELY MARKED RE: URGENT Re: Meeting request re RIPA review > > NOT PROTECTIVELY MARKED > Dear Mr Killock > > Further to your enquiry we have reflected on your request and would like to invite representatives of civil society groups to discuss the RIPA consultation document. Naturally, it will not be possible to meet everyone but we could meet 8-10 representative bodies (of no more than 10 people). You wrote on behalf of or together with a number of bodies to Baroness Neville-Jones. If there are groups beyond those you have already included in your correspondence that we might consider inviting then please let us know. > > When we have finalised the list we will return to the invitees with a view to holding a meeting on Monday or Tuesday next week. > > As we previously advised the consultation has been extended to 17 December. > > Regards > > RIPA Team > > -----Original Message----- > From: Jim Killock [mailto:jimkillock at googlemail.com] On Behalf Of Jim Killock > Sent: 26 November 2010 16:55 > To: RIPA - Consent and Sanction Consultation > Subject: Re: NOT PROTECTIVELY MARKED RE: URGENT Re: Meeting request re RIPA review > > Dear RIPA team, > > I wrote to Pauline Neville Jones yesterday, in a joint letter from ourselves, copied below. I am still appalled that you are not seeking to engage with the public and civil society on this. You state: > > "We are focusing on those parties directly affected by the changes to the extent that those parties would be subject to the civil sanction or directly concerned with it, or are directly responsible, where lawful interception is taking place, for ensuring that consent has been obtained to the interception." > > I would like to know in what way, for instance, the tens of thousands of BT customers whose communications were illegally intercepted are not "directly affected" by this change to the law; or indeed, anyone who might be an ISP customer and wish to seek redress. > > The fact that you do not seem to take the view that this has wide repercussions for the public who therefore deserve to be consulted is extremely concerning. > > I again request a meeting, at which all civil society groups can attend and engage with you. > > Thank you, > > Jim Killock > > > Jim Killock > Executive Director > Open Rights Group > +44 (0) 7894 498 127 > Skype: jimkillock > http://twitter.com/jimkillock > http://www.openrightsgroup.org/ > > > http://www.openrightsgroup.org/ourwork/reports/letter-to-pauline-neville-jones-re-ripa-consultation > > Pauline Neville-Jones > Home Office > 2 Marsham Street 25 November 2010 > London SW1P 4DF > Dear Pauline Neville-Jones, > > RIPA Consultation > > Your Department recently issued a consultation on changes to RIPA, which we believe are very important to UK privacy regulation. These changes are meant to answer deficiencies in regulation of private interception of communications, such as took place to tens of thousands of BT customers in the trials of advertising technology from the company Phorm.[i] > > Unfortunately, your Department issued this consultation with only one month to respond, instead of the usual three months as indicated in government guidelines, and did not inform and are refusing to meet civil society groups. We have no doubt that industry groups have been both met and informed. > > The guidelines, maintained by BIS, state: > > Moreover, deviation from the Code will, at times, be unavoidable when running a formal, written, public consultation. It is recommended that departments be open about such deviations, stating the reasons for the deviation and what measures will be employed to make the exercise as effective as possible in the circumstances.[ii] > > To our knowledge none of this has happened. > > We would therefore like to ask you firstly to extend the deadline for the consultation by at least a month to allow civil society groups to respond properly, and secondly to instruct your officials to give civil society groups the same level of access as industry groups on this matter. Please could you also instruct your Department to advertise the Consultation on their website. > > Finally, given the urgency of this, we would like you to instruct your Department to arrange a meeting with your officials as soon as possible to discuss this matter before the consultation is closed. > > Yours sincerely, > > Jim Killock, Open Rights Group > Simon Davies, Privacy International > Phil Booth, No2ID > Terri Dowty, ARCHRights > Dr Eric Metcalfe, Justice > Helen Wallace, Genewatch > > > > > > > > ********************************************************************** > This email and any files transmitted with it are private and intended > solely for the use of the individual or entity to whom they are addressed. > If you have received this email in error please return it to the address > it came from telling them it is not for you and then delete it from your system. > > This email message has been swept for computer viruses. > ********************************************************************** > > The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Cable&Wireless Worldwide in partnership with MessageLabs. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was certified virus free. > Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes. -------------- next part -------------- An HTML attachment was scrubbed... URL: From Ross.Anderson at cl.cam.ac.uk Tue Nov 30 20:27:55 2010 From: Ross.Anderson at cl.cam.ac.uk (Ross Anderson) Date: Tue, 30 Nov 2010 20:27:55 +0000 Subject: Debate on privavy and health IT in The Economist Message-ID: There's an online debate at www.economist.com on whether the efficiency gains of health IT will outweigh the privacy costs. The discussants are well-chosen: Microsoft in the one corner, facing Deborah Peel, America's leading health privacy activist. I imagine some list members will want to join in: http://www.economist.com/debate/debates/overview/189 Ross