From pgut001 at cs.auckland.ac.nz Fri Oct 1 12:04:20 2010
From: pgut001 at cs.auckland.ac.nz (Peter Gutmann)
Date: Sat, 02 Oct 2010 00:04:20 +1300
Subject: Register of Electors by internet
In-Reply-To: <4C9E33D5.7020303@iosis.co.uk>

Peter Tomlinson writes:

> which immediately offers me:
>
> https://www.registerbyinternet.com/Bristol/default.aspx
>
> and Kaspersky IS chokes on the digital certificate, because the issuer isn't
> included in its base set of trusted certificate providers.

When I try and connect there I get a year-old (i.e. not hurriedly-replaced)
Verisign cert.

Peter.


From zenadsl6186 at zen.co.uk Fri Oct 1 16:04:25 2010
From: zenadsl6186 at zen.co.uk (Peter Fairbrother)
Date: Fri, 01 Oct 2010 16:04:25 +0100
Subject: Register of Electors by internet
Message-ID: <4CA5F879.9030206@zen.co.uk>

Peter Gutmann wrote:
> Peter Tomlinson writes:
>
>> which immediately offers me:
>>
>> https://www.registerbyinternet.com/Bristol/default.aspx
>>
>> and Kaspersky IS chokes on the digital certificate, because the issuer isn't
>> included in its base set of trusted certificate providers.
>
> When I try and connect there I get a year-old (i.e. not hurriedly-replaced)
> Verisign cert.

Yes, I think it's likely to be a real site, for some value of "real".

But I think that misses one point, which is why there is a centralised site
for electoral registration at all.

AIUI these registers are kept by the local councils, not centrally. Why can't
the Councils just do it themselves? Why have a third party do it?

I don't know the details of the thinking behind this, if any, but it seems on
the face of it to be yet another centralising information grab by someone.

And that's bad, for the reasons we all know - a centralised database contains
all the data, so it's the one best place to look if you want to be able to
access any particular data, or all the data.

Security nightmare.

--
Peter Fairbrother
(slightly drunk, hope this is clear)


From ukcrypto at sourcetagged.ian.co.uk Fri Oct 1 16:36:08 2010
From: ukcrypto at sourcetagged.ian.co.uk (Ian Mason)
Date: Fri, 1 Oct 2010 16:36:08 +0100
Subject: Register of Electors by internet
In-Reply-To: <4CA5F879.9030206@zen.co.uk>
References: <4CA5F879.9030206@zen.co.uk>
Message-ID: <6AEB2E44-79BA-407B-A7CF-E82B74B0758E@sourcetagged.ian.co.uk>

On 1 Oct 2010, at 16:04, Peter Fairbrother wrote:

> Peter Gutmann wrote:
>> Peter Tomlinson writes:
>>> which immediately offers me:
>>>
>>> https://www.registerbyinternet.com/Bristol/default.aspx
>>>
>>> and Kaspersky IS chokes on the digital certificate, because the
>>> issuer isn't included in its base set of trusted certificate providers.
>> When I try and connect there I get a year-old (i.e. not hurriedly-
>> replaced) Verisign cert.
>
> Yes, I think it's likely to be a real site, for some value of "real".
>
> But I think that misses one point, which is why there is a
> centralised site for electoral registration at all.
>
> AIUI these registers are kept by the local councils, not centrally.
> Why can't the Councils just do it themselves? Why have a third
> party do it?
>
> I don't know the details of the thinking behind this, if any, but
> it seems on the face of it to be yet another centralising
> information grab by someone.
>
> And that's bad, for the reasons we all know - a centralised
> database contains all the data, so it's the one best place to look
> if you want to be able to access any particular data, or all the data.

There has been a centralised on-line electoral register since at least the
late eighties. I know this because I saw it being used from a police incident
room to background check hotel residents prior to and during a Conservative
party conference.

> Security nightmare.
>
> --
> Peter Fairbrother
> (slightly drunk, hope this is clear)


From david at jellybaby.net Fri Oct 1 16:21:32 2010
From: david at jellybaby.net (David Walters)
Date: Fri, 1 Oct 2010 16:21:32 +0100
Subject: Register of Electors by internet
In-Reply-To: <4CA5F879.9030206@zen.co.uk>
References: <4CA5F879.9030206@zen.co.uk>

On Fri, Oct 1, 2010 at 4:04 PM, Peter Fairbrother wrote:
> But I think that misses one point, which is why there is a centralised site
> for electoral registration at all.
>
> AIUI these registers are kept by the local councils, not centrally. Why
> can't the Councils just do it themselves? Why have a third party do it?

The reverse question is why have every council re-invent the wheel and build
their own site at taxpayer expense.

> I don't know the details of the thinking behind this, if any, but it seems
> on the face of it to be yet another centralising information grab by
> someone.

I don't think that is the motivation of the Electoral Reform Society when
they created Electoral Reform Services but I'm perhaps just naive.


From marcus at connectotel.com Sat Oct 2 09:56:00 2010
From: marcus at connectotel.com (Marcus Williamson)
Date: Sat, 02 Oct 2010 10:56:00 +0200
Subject: Register of Electors by internet
References: <4CA5F879.9030206@zen.co.uk>

On Fri, 1 Oct 2010 16:21:32 +0100, you wrote:

> The reverse question is why have every council re-invent the wheel and
> build their own site at taxpayer expense.

It seems that a number of councils are using this same system:

https://www.registerbyinternet.com/test


From lists at internetpolicyagency.com Wed Oct 6 09:46:25 2010
From: lists at internetpolicyagency.com (Roland Perry)
Date: Wed, 6 Oct 2010 09:46:25 +0100
Subject: Man jailed over computer password refusal

A teenager has been jailed for 16 weeks after he refused to give police the
password to his computer...Drage was convicted of failing to disclose an
encryption key...

http://www.bbc.co.uk/news/uk-england-11479831
--
Roland Perry


From nbohm at ernest.net Wed Oct 6 12:15:48 2010
From: nbohm at ernest.net (Nicholas Bohm)
Date: Wed, 06 Oct 2010 12:15:48 +0100
Subject: Man jailed over computer password refusal
Message-ID: <4CAC5A64.1050802@ernest.net>

On 06/10/2010 09:46, Roland Perry wrote:
> A teenager has been jailed for 16 weeks after he refused to give
> police the password to his computer...Drage was convicted of
> failing to disclose an encryption key...
>
> http://www.bbc.co.uk/news/uk-england-11479831

A sentence of 16 weeks may be a good bargain compared with what he might have
got for a substantive offence if there were evidence he had committed one.

Perhaps more interesting is the fact that he might have claimed (but
apparently didn't) that following the removal of his computer but before the
service of any notice under RIPA, he had destroyed his only record of a
password of a length and kind that made it impracticable to memorize (e.g.
ten groups of five alphanumeric characters, the sort of thing often enough
found in licence activation keys etc). The burden of proof that he was lying
might have been hard to discharge.

One wonders how long it will take before we start seeing such defences in the
wild.

Nicholas
--
Contact and PGP key here


From lists at barnfather.net Wed Oct 6 12:59:10 2010
From: lists at barnfather.net (Paul Barnfather)
Date: Wed, 6 Oct 2010 12:59:10 +0100
Subject: Man jailed over computer password refusal
In-Reply-To: <4CAC5A64.1050802@ernest.net>
References: <4CAC5A64.1050802@ernest.net>

> A sentence of 16 weeks may be a good bargain compared with what he might
> have got for a substantive offence if there were evidence he had
> committed one.

According to the reports, the police are "still trying to crack the
password". Assuming they are eventually able to do this, he could still end
up being prosecuted for the original crime as well...
From igb at batten.eu.org Wed Oct 6 14:04:02 2010
From: igb at batten.eu.org (Ian Batten)
Date: Wed, 6 Oct 2010 14:04:02 +0100
Subject: BBC News - Man jailed over computer password refusal

http://www.bbc.co.uk/news/uk-england-11479831

An HTML attachment was scrubbed...


From james2 at jfirth.net Wed Oct 6 18:29:51 2010
From: james2 at jfirth.net (James Firth)
Date: Wed, 6 Oct 2010 18:29:51 +0100
Subject: Man jailed over computer password refusal
In-Reply-To: <4CAC5A64.1050802@ernest.net>
References: <4CAC5A64.1050802@ernest.net>
Message-ID: <008801cb657c$158997c0$409cc740$@net>

Nicholas Bohm wrote:
> A sentence of 16 weeks may be a good bargain compared with what he
> might have got for a substantive offence if there were evidence he had
> committed one.

A dangerous bit of logic. I know nothing about the facts of this case but
considering the reported attitude of the police towards Barry George even
after his conviction was quashed, despite numerous credible theories emerging
which didn't involve George, I'll remain sceptical until evidence is found
proving otherwise.

Incidentally David Allen Green, a solicitor who writes the Jack of Kent blog,
has indicated he's going to write more about this case on his blog, here:

http://jackofkent.blogspot.com/

James Firth


From fw at deneb.enyo.de Wed Oct 6 21:17:48 2010
From: fw at deneb.enyo.de (Florian Weimer)
Date: Wed, 06 Oct 2010 22:17:48 +0200
Subject: Man jailed over computer password refusal
In-Reply-To: <4CAC5A64.1050802@ernest.net> (Nicholas Bohm's message of "Wed, 06 Oct 2010 12:15:48 +0100")
References: <4CAC5A64.1050802@ernest.net>
Message-ID: <87wrpvm5xv.fsf@mid.deneb.enyo.de>

* Nicholas Bohm:

> A sentence of 16 weeks may be a good bargain compared with what he might
> have got for a substantive offence if there were evidence he had
> committed one.

Can't the authorities issue a new notice, and non-compliance with that would
result in a second sentence, over and over again, at least until the ECHR
ends this mockery of law (as they did with a similar provision in the
Insolvency Act)?


From rich at annexia.org Wed Oct 6 15:47:25 2010
From: rich at annexia.org (Richard Jones)
Date: Wed, 6 Oct 2010 15:47:25 +0100
Subject: Man jailed over computer password refusal
References: <4CAC5A64.1050802@ernest.net>
Message-ID: <20101006144725.GA29121@annexia.org>

On Wed, Oct 06, 2010 at 12:59:10PM +0100, Paul Barnfather wrote:
> > A sentence of 16 weeks may be a good bargain compared with what he might
> > have got for a substantive offence if there were evidence he had
> > committed one.
>
> According to the reports, the police are "still trying to crack the password".
> Assuming they are eventually able to do this, he could still end up
> being prosecuted for the original crime as well...

Assuming he's guilty.

What I don't get is there must be some other evidence (eg. visits to a
website from an IP address which can be tied back to him or his house). With
this other evidence, go to court and prosecute him for the original offence,
noting that this refusal to give up access to the computer is strong
circumstantial evidence. A jury would surely convict when face to face with
strong IP address evidence and the refusal of the defendant to absolve
himself by giving up the password.

Or ... is the IP evidence not so solid, and the police made a mistake?

Rich.
From nbohm at ernest.net Thu Oct 7 10:36:15 2010 From: nbohm at ernest.net (Nicholas Bohm) Date: Thu, 07 Oct 2010 10:36:15 +0100 Subject: Man jailed over computer password refusal In-Reply-To: <87wrpvm5xv.fsf@mid.deneb.enyo.de> References: <4CAC5A64.1050802@ernest.net> <87wrpvm5xv.fsf@mid.deneb.enyo.de> Message-ID: <4CAD948F.9080005@ernest.net> On 06/10/2010 21:17, Florian Weimer wrote: > * Nicholas Bohm: >> A sentence of 16 weeks may be a good bargain compared with what he might >> have got for a substantive offence if there were evidence hje had >> committed one. > Can't the authorities issue a new notice, and non-compliance with that > would result in a second sentence, over and over again, at least until > the ECHR ends this mockery of law (as they did with a similar > provision in the Insolvency Act)? I don't think anything in RIPA prevents this (though the second time around, the defence "I've forgotten the password" may have gained credibility through the lapse of time, so preventing further convictions). It might be regarded as an abuse of process; and the ECHR case law might be relevant (do you have a citation - I don't recognise the case from your reference?) Nicholas -- Contact and PGP key here From otcbn at callnetuk.com Thu Oct 7 09:27:55 2010 From: otcbn at callnetuk.com (Peter Mitchell) Date: Thu, 07 Oct 2010 09:27:55 +0100 Subject: Man jailed over computer password refusal In-Reply-To: <20101006144725.GA29121@annexia.org> References: <4CAC5A64.1050802@ernest.net> <20101006144725.GA29121@annexia.org> Message-ID: <4CAD848B.9040401@callnetuk.com> Richard Jones wrote on 6-10-10 15:47: > What I don't get is there must be some other evidence (eg. visits to a > website from an IP address which can be tied back to him or his > house). That's how the police would got authorisation to seize the computer. Or perhaps he was arrested for some other reason and the police then obtained a PACE warrant to search his home. 
> With this other evidence, go to court and prosecute him for > the original offence, noting that this refusal to give up access to > the computer is strong circumstantial evidence. Of what? There are many reasons why one might not want the police poking in one's personal files, not all of them criminal. > A jury would surely > convict when face to face with strong IP address evidence and the > refusal of the defendent to absolve himself by giving up the password. As a juror I certainly wouldn't vote for conviction, in fact I'd send a note to the judge asking him to reprimand the CPS for abuse of process and seeking to pervert the course of justice. > Or ... is the IP evidence not so solid, and the police made a mistake? Clearly the original evidence (used to justify the search & seizure of the computer) could not on its own have been sufficient for a conviction. -- Pete Mitchell From rich at annexia.org Thu Oct 7 18:23:06 2010 From: rich at annexia.org (Richard Jones) Date: Thu, 7 Oct 2010 18:23:06 +0100 Subject: Man jailed over computer password refusal In-Reply-To: <4CAD848B.9040401@callnetuk.com> References: <4CAC5A64.1050802@ernest.net> <20101006144725.GA29121@annexia.org> <4CAD848B.9040401@callnetuk.com> Message-ID: <20101007172306.GA19529@annexia.org> On Thu, Oct 07, 2010 at 09:27:55AM +0100, Peter Mitchell wrote: > As a juror I certainly wouldn't vote for conviction, in fact I'd send a > note to the judge asking him to reprimand the CPS for abuse of process and > seeking to pervert the course of justice. If the webserver logfiles and ISP records have been preserved then we should be able to tell at least between: (a) he never visited the site in question (b) he visited once and got the hell out of there (c) regular visitor (d) uploaded content (e) a "kingpin" in the organization, admin account etc. Would you still come across all libertarian in some of the above cases? 
If I know anything about the Great British Public I don't think most people would be sending notes to the judge. No one is benefitting from him being in prison at the moment. Either he's a danger to children in which case he's effectively getting off scott-free (no need to register as a sex offender so he can wander where he wants after prison), or we taxpayers are paying a grand a week to destroy a man's future. Rich. From igb at batten.eu.org Fri Oct 8 16:52:04 2010 From: igb at batten.eu.org (Ian Batten) Date: Fri, 8 Oct 2010 16:52:04 +0100 Subject: Man jailed over computer password refusal In-Reply-To: <20101007172306.GA19529@annexia.org> References: <4CAC5A64.1050802@ernest.net> <20101006144725.GA29121@annexia.org> <4CAD848B.9040401@callnetuk.com> <20101007172306.GA19529@annexia.org> Message-ID: On 07 Oct 10, at 1823, Richard Jones wrote: > On Thu, Oct 07, 2010 at 09:27:55AM +0100, Peter Mitchell wrote: >> As a juror I certainly wouldn't vote for conviction, in fact I'd send a >> note to the judge asking him to reprimand the CPS for abuse of process and >> seeking to pervert the course of justice. > > If the webserver logfiles and ISP records have been preserved then we > should be able to tell at least between: > > (a) he never visited the site in question What records would show that? It's reasonable to assume that the webserver is outside UK jurisdiction, and I presume that porn barons don't keep detailed logs on non-volatile storage. And if is ISP is prospectively keeping detailed, URL level logs then they're breaking the law. If there were RIPA-warranted interception going on, then that didn't come out in the case. ian From tharg at gmx.net Sat Oct 9 03:14:45 2010 From: tharg at gmx.net (Caspar Bowden (travelling private e-mail)) Date: Sat, 9 Oct 2010 04:14:45 +0200 Subject: 50 characters ? 
(was RE: Man jailed over computer password refusal Message-ID: <008401cb6757$c0debe70$429c3b50$@gmx.net> I wonder how it was known that the password was 50 characters (or if this is standard press release garbling)? CB -----Original Message----- From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto-bounces at chiark.greenend.org.uk] On Behalf Of Roland Perry Sent: 06 October 2010 10:46 To: ukcrypto at chiark.greenend.org.uk Subject: Man jailed over computer password refusal A teenager has been jailed for 16 weeks after he refused to give police the password to his computer...Drage was convicted of failing to disclose an encryption key... http://www.bbc.co.uk/news/uk-england-11479831 -- Roland Perry From nbohm at ernest.net Sat Oct 9 09:42:43 2010 From: nbohm at ernest.net (Nicholas Bohm) Date: Sat, 09 Oct 2010 09:42:43 +0100 Subject: 50 characters ? (was RE: Man jailed over computer password refusal In-Reply-To: <008401cb6757$c0debe70$429c3b50$@gmx.net> References: <008401cb6757$c0debe70$429c3b50$@gmx.net> Message-ID: <4CB02B03.4020901@ernest.net> An HTML attachment was scrubbed... URL: From passiveprofits at yahoo.com Sat Oct 9 15:01:06 2010 From: passiveprofits at yahoo.com (Passive PROFITS) Date: Sat, 9 Oct 2010 07:01:06 -0700 (PDT) Subject: 50 characters ? (was RE: Man jailed over computer password refusal Message-ID: <484055.35782.qm@web110502.mail.gq1.yahoo.com> On 09/10/2010 03:14, Caspar Bowden (travelling private e-mail) wrote: I wonder how it was known that the password was 50 characters (or if this is standard press release garbling)? Some reports say he claimed to have forgotten the password; that it was 50 characters long might have been part of that claim. Nicholas Hi Nicholas/Caspar/All, May also have been something potentially more obvious; camera or audio surveillance picking up the number of keystrokes, but not what they were. 
FYI; I've not even read the press report/followed this case, but that seems an obvious answer to this question (which seems to be being asked all around the web in consequence of the article's wording). First post to the list; hello all! :) Best, PP From igb at batten.eu.org Mon Oct 11 09:42:20 2010 From: igb at batten.eu.org (Ian Batten) Date: Mon, 11 Oct 2010 09:42:20 +0100 Subject: OATH Tokens Message-ID: Does anyone know of a route by which I could buy half a dozen OATH-compliant tokens for a OTP experiment? Alternatively, give the minimum order quantity I've so far been able to find is 25, is there anyone else who has an application for some tokens who'd split an order with me? ian From mikie.simpson at gmail.com Tue Oct 12 14:30:29 2010 From: mikie.simpson at gmail.com (Michael Simpson) Date: Tue, 12 Oct 2010 14:30:29 +0100 Subject: OATH Tokens In-Reply-To: References: Message-ID: On 11 October 2010 09:42, Ian Batten wrote: > Does anyone know of a route by which I could buy half a dozen OATH-compliant tokens for a OTP experiment? > > Alternatively, give the minimum order quantity I've so far been able to find is 25, is there anyone else who has an application for some tokens who'd split an order with me? > > ian > > yubikey does OATH 6 or 8 digit otp and you can order from 1 unit upwards http://yubico.com/home/index/ mike From james2 at jfirth.net Tue Oct 12 16:55:08 2010 From: james2 at jfirth.net (James Firth) Date: Tue, 12 Oct 2010 16:55:08 +0100 Subject: OATH Tokens In-Reply-To: References: Message-ID: <009201cb6a25$d8dbd190$8a9374b0$@net> > yubikey does OATH 6 or 8 digit otp and you can order from 1 unit > upwards > > http://yubico.com/home/index/ > Wow - I presume being an open source algorithm there is no annual cost to running this? Could be a game-changer for RSA who charged something along the lines of $200 per token, per year - from memory - when I was last involved at the coal face. 
James Firth From madlists at teaparty.net Tue Oct 12 14:47:06 2010 From: madlists at teaparty.net (Tom Yates) Date: Tue, 12 Oct 2010 14:47:06 +0100 (BST) Subject: OATH Tokens In-Reply-To: References: Message-ID: On Mon, 11 Oct 2010, Ian Batten wrote: > Does anyone know of a route by which I could buy half a dozen > OATH-compliant tokens for a OTP experiment? according http://www.yubico.com/products/yubikey/, the yubikey is OATH-compliant, and you can certainly buy those singly or in multiples from their site. i have one, but i use it in yubico's 44-character OTP mode, so can't confirm that it works OATHily. i have no connection to the company other than being a happy end-user. -- Tom Yates - http://www.teaparty.net From madlists at teaparty.net Tue Oct 12 20:01:42 2010 From: madlists at teaparty.net (Tom Yates) Date: Tue, 12 Oct 2010 20:01:42 +0100 (BST) Subject: OATH Tokens In-Reply-To: <009201cb6a25$d8dbd190$8a9374b0$@net> References: <009201cb6a25$d8dbd190$8a9374b0$@net> Message-ID: On Tue, 12 Oct 2010, James Firth wrote: > Wow - I presume being an open source algorithm there is no annual cost to > running this? you presume correctly, and since the verification code is for the most part GPLed, you can throw it in where you see fit. i wrote up some of what i did at http://www.teaparty.net/technotes/yubikey.html if anyone's really curious. Tom Yates Cambridge, UK. From igb at batten.eu.org Wed Oct 13 07:10:36 2010 From: igb at batten.eu.org (Ian Batten) Date: Wed, 13 Oct 2010 07:10:36 +0100 Subject: OATH Tokens In-Reply-To: References: Message-ID: <32CF0A10-B55A-4486-9F51-A3E0A4D4E216@batten.eu.org> On 12 Oct 2010, at 14:30, Michael Simpson wrote: > On 11 October 2010 09:42, Ian Batten wrote: >> Does anyone know of a route by which I could buy half a dozen OATH-compliant tokens for a OTP experiment? 
>> >> Alternatively, give the minimum order quantity I've so far been able to find is 25, is there anyone else who has an application for some tokens who'd split an order with me? >> >> ian >> >> > > yubikey does OATH 6 or 8 digit otp and you can order from 1 unit upwards Interesting product. It requires getting at the USB ports, but that shouldn't be a problem for my intended application (securing the batten.eu.org webmail service for when my children use it from school!). Thanks very much: I'll order a few to play with. ian From james2 at jfirth.net Wed Oct 13 18:15:20 2010 From: james2 at jfirth.net (James Firth) Date: Wed, 13 Oct 2010 18:15:20 +0100 Subject: 50 characters ? (was RE: Man jailed over computer password refusal In-Reply-To: <4CB02B03.4020901@ernest.net> References: <008401cb6757$c0debe70$429c3b50$@gmx.net> <4CB02B03.4020901@ernest.net> Message-ID: <001201cb6afa$38490970$a8db1c50$@net> > I wonder how it was known that the password was 50 characters (or > if this is > standard press release garbling)? Some very interesting background has been published in the New Statesman regarding this case in an article by David Allen Green, the telecoms and media lawyer I mentioned in a previous post. It seems: * most if not all the information published by the press came from Lancashire police either from a "sensationalist" press release, or "background" information given over the telephone. * the CPS indicate that the defendant did claim to have forgotten his password, but the prosecution persuaded the jury otherwise * the defendant claimed in police interviews that the password was between 40-50 characters, and the CPS issued this information in their own press release. 
Full article here: http://www.newstatesman.com/blogs/the-staggers/2010/10/police-drage-password -sex James Firth From igb at batten.eu.org Thu Oct 14 22:21:00 2010 From: igb at batten.eu.org (Ian Batten) Date: Thu, 14 Oct 2010 22:21:00 +0100 Subject: OATH Tokens In-Reply-To: References: Message-ID: <15854EDA-06D3-49EF-9307-A69AB135EE50@batten.eu.org> On 12 Oct 2010, at 14:47, Tom Yates wrote: > On Mon, 11 Oct 2010, Ian Batten wrote: > >> Does anyone know of a route by which I could buy half a dozen OATH-compliant tokens for a OTP experiment? > > according http://www.yubico.com/products/yubikey/, the yubikey is OATH-compliant, and you can certainly buy those singly or in multiples from their site. Thanks to the people who suggested this. I now have two programmed up to run in OATH mode. I'd already written the code to handle softtokens on my iPhone, and the Yubicos dropped straight in and worked first time. Reassuringly, you provide your own key material, rather than as with other products messing about making sure you have the right physical token configured with the right pre-programmed key. They also have two profiles, so you can configure them for two purposes. My kids will try them at school tomorrow. ian From k.brown at bbk.ac.uk Fri Oct 15 15:39:13 2010 From: k.brown at bbk.ac.uk (ken) Date: Fri, 15 Oct 2010 15:39:13 +0100 Subject: 50 characters ? (was RE: Man jailed over computer password refusal In-Reply-To: <001201cb6afa$38490970$a8db1c50$@net> References: <008401cb6757$c0debe70$429c3b50$@gmx.net> <4CB02B03.4020901@ernest.net> <001201cb6afa$38490970$a8db1c50$@net> Message-ID: <4CB86791.3070309@bbk.ac.uk> On 13/10/2010 18:15, James Firth wrote: > Some very interesting background has been published in the New Statesman > regarding this case in an article by David Allen Green, the telecoms and > media lawyer I mentioned in a previous post. 
It seems: > > * most if not all the information published by the press came from > Lancashire police either from a "sensationalist" press release, or > "background" information given over the telephone. Worryinger and worryinger. According to the Staggers the police were telling everyone who phoned and claimed to be a reporter about the original allegations. That looks pretty dubious to me. Also, if Mr Drage is now 19, and he was arrested in May last yer, he must have been 18 at the most and possibly 17. So its quite possible that he was a legal minor at the time that that some of the offences he is alleged to have committed would have been committed when he was a minor. Does that make a difference? I would have thought it would. Not really relevant but I think I could remember a 40-50 character password if it was derivable from a poem or a song or similar, or if it was mostly dictionary words. But my ability to remember arbitrary strings of characters seems to fail somewhere in the region of ten. (For some reason letters are easier than numbers - I genuinely can't remember my own mobile phone number, though I suppose I could learn it if I tried) From james2 at jfirth.net Fri Oct 15 15:56:55 2010 From: james2 at jfirth.net (James Firth) Date: Fri, 15 Oct 2010 15:56:55 +0100 Subject: 50 characters ? (was RE: Man jailed over computer password refusal In-Reply-To: <4CB86791.3070309@bbk.ac.uk> References: <008401cb6757$c0debe70$429c3b50$@gmx.net> <4CB02B03.4020901@ernest.net> <001201cb6afa$38490970$a8db1c50$@net> <4CB86791.3070309@bbk.ac.uk> Message-ID: <000301cb6c79$364b53a0$a2e1fae0$@net> > Not really relevant but I think I could remember a 40-50 > character password if it was derivable from a poem or a song or > similar, or if it was mostly dictionary words. On the crypto angle NIST recons the entropy in English language passphrases is so low that one needs over 50 characters to achieve 80-bit equivalent key strength. 
http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf Of course the entropy significantly increases if one uses random capitalisation and illogical placing of alphanumerical characters, which then somewhat obviously can make the passphrase less memorable. James Firth From k.brown at bbk.ac.uk Fri Oct 15 16:25:31 2010 From: k.brown at bbk.ac.uk (ken) Date: Fri, 15 Oct 2010 16:25:31 +0100 Subject: 50 characters ? (was RE: Man jailed over computer password refusal In-Reply-To: <000301cb6c79$364b53a0$a2e1fae0$@net> References: <008401cb6757$c0debe70$429c3b50$@gmx.net> <4CB02B03.4020901@ernest.net> <001201cb6afa$38490970$a8db1c50$@net> <4CB86791.3070309@bbk.ac.uk> <000301cb6c79$364b53a0$a2e1fae0$@net> Message-ID: <4CB8726B.6090409@bbk.ac.uk> On 15/10/2010 15:56, James Firth wrote: > On the crypto angle NIST recons the entropy in English language passphrases > is so low that one needs over 50 characters to achieve 80-bit equivalent key > strength. > > http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf > > Of course the entropy significantly increases if one uses random > capitalisation and illogical placing of alphanumerical characters, which > then somewhat obviously can make the passphrase less memorable. And of course poems and songs and assorted bits of memorable literature don't help because the other side knows them too. So as Leo Marks and others realised seventy years ago, there is a genuine use - these days even a lucrative use - for bad poetry. That should warm the hearts of sensitive literary-minded 17-year-olds everywhere. From nbohm at ernest.net Fri Oct 15 16:43:06 2010 From: nbohm at ernest.net (Nicholas Bohm) Date: Fri, 15 Oct 2010 16:43:06 +0100 Subject: 50 characters ? 
(was RE: Man jailed over computer password refusal In-Reply-To: <4CB8726B.6090409@bbk.ac.uk> References: <008401cb6757$c0debe70$429c3b50$@gmx.net> <4CB02B03.4020901@ernest.net> <001201cb6afa$38490970$a8db1c50$@net> <4CB86791.3070309@bbk.ac.uk> <000301cb6c79$364b53a0$a2e1fae0$@net> <4CB8726B.6090409@bbk.ac.uk> Message-ID: <4CB8768A.30505@ernest.net> An HTML attachment was scrubbed... URL: From tugwilson at gmail.com Fri Oct 15 16:52:49 2010 From: tugwilson at gmail.com (John Wilson) Date: Fri, 15 Oct 2010 16:52:49 +0100 Subject: 50 characters ? (was RE: Man jailed over computer password refusal In-Reply-To: <4CB8768A.30505@ernest.net> References: <008401cb6757$c0debe70$429c3b50$@gmx.net> <4CB02B03.4020901@ernest.net> <001201cb6afa$38490970$a8db1c50$@net> <4CB86791.3070309@bbk.ac.uk> <000301cb6c79$364b53a0$a2e1fae0$@net> <4CB8726B.6090409@bbk.ac.uk> <4CB8768A.30505@ernest.net> Message-ID: On 15 October 2010 16:43, Nicholas Bohm wrote: > Leo Marks also noted the benefits of keeping secret information recorded on > easily destructible media (e.g. silk).? Adopting his procedures, and citing > his work, might have helped Mr Drage present a more convincing account. If I read the specs right this http://yubico.com/home/index/ allows have and use a password that you need never know and which can be easily destroyed (http://www.yubico.com/developers/static/ seems to say that if you press the button for 10 seconds the password is replaced by another random one.). The mere possession of one of these devices would seem to allow you to plausibly clam that you cannot comply with the request to disclose the password. John Wilson From lists at internetpolicyagency.com Fri Oct 15 17:07:02 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Fri, 15 Oct 2010 17:07:02 +0100 Subject: 50 characters ? 
(was RE: Man jailed over computer password refusal In-Reply-To: <4CB86791.3070309@bbk.ac.uk> References: <008401cb6757$c0debe70$429c3b50$@gmx.net> <4CB02B03.4020901@ernest.net> <001201cb6afa$38490970$a8db1c50$@net> <4CB86791.3070309@bbk.ac.uk> Message-ID: In article <4CB86791.3070309 at bbk.ac.uk>, ken writes >I genuinely can't remember my own mobile phone number This is one of the reasons I collect "vanity" domains, phone numbers, car numberplates etc. It's not just to show off - they are much more memorable for *me*. -- Roland Perry Whose ex-boss owns AMS 1 From fw at deneb.enyo.de Fri Oct 15 17:16:49 2010 From: fw at deneb.enyo.de (Florian Weimer) Date: Fri, 15 Oct 2010 18:16:49 +0200 Subject: OATH Tokens In-Reply-To: <009201cb6a25$d8dbd190$8a9374b0$@net> (James Firth's message of "Tue, 12 Oct 2010 16:55:08 +0100") References: <009201cb6a25$d8dbd190$8a9374b0$@net> Message-ID: <87zkuf4ej2.fsf@mid.deneb.enyo.de> * James Firth: > Wow - I presume being an open source algorithm there is no annual cost to > running this? Could be a game-changer for RSA who charged something along > the lines of $200 per token, per year - from memory - when I was last > involved at the coal face. There are several options these days, most of them way cheaper. When you want to sell to folks who actually suffer from fraud, you need to make sure that your proposal is measurably cheaper than just absorbing the fraud (and factor in that such tokens do not even stop all current attacks, let alone future ones). From nbohm at ernest.net Fri Oct 15 18:42:46 2010 From: nbohm at ernest.net (Nicholas Bohm) Date: Fri, 15 Oct 2010 18:42:46 +0100 Subject: 50 characters ? 
(was RE: Man jailed over computer password refusal
Message-ID: <4CB89296.2020602@ernest.net>

On 15/10/2010 16:52, John Wilson wrote:
> On 15 October 2010 16:43, Nicholas Bohm wrote:
>> Leo Marks also noted the benefits of keeping secret information recorded on
>> easily destructible media (e.g. silk). Adopting his procedures, and citing
>> his work, might have helped Mr Drage present a more convincing account.
>
> If I read the specs right this http://yubico.com/home/index/ allows
> you to have and use a password that you need never know and which can be
> easily destroyed (http://www.yubico.com/developers/static/ seems to
> say that if you press the button for 10 seconds the password is
> replaced by another random one). The mere possession of one of these
> devices would seem to allow you to plausibly claim that you cannot
> comply with the request to disclose the password.

Maybe, but it's quite likely to be found and seized when the computer is seized, and the time to destroy your password is after the computer is seized but before you are served with a s49 notice. I would think a discreet piece of paper (e.g. a cigarette paper) might much more easily be missed on a search - perhaps slipped in the binding of a book, etc.

Nicholas
-- 
Contact and PGP key here

From tugwilson at gmail.com  Fri Oct 15 19:43:00 2010
From: tugwilson at gmail.com (John Wilson)
Date: Fri, 15 Oct 2010 19:43:00 +0100
Subject: 50 characters ?
(was RE: Man jailed over computer password refusal
In-Reply-To: <4CB89296.2020602@ernest.net>

On 15 October 2010 18:42, Nicholas Bohm wrote:
> On 15/10/2010 16:52, John Wilson wrote:
>> On 15 October 2010 16:43, Nicholas Bohm wrote:
>>> Leo Marks also noted the benefits of keeping secret information recorded on
>>> easily destructible media (e.g. silk). Adopting his procedures, and citing
>>> his work, might have helped Mr Drage present a more convincing account.
>>
>> If I read the specs right this http://yubico.com/home/index/ allows
>> you to have and use a password that you need never know and which can be
>> easily destroyed (http://www.yubico.com/developers/static/ seems to
>> say that if you press the button for 10 seconds the password is
>> replaced by another random one). The mere possession of one of these
>> devices would seem to allow you to plausibly claim that you cannot
>> comply with the request to disclose the password.
>
> Maybe, but it's quite likely to be found and seized when the computer is
> seized, and the time to destroy your password is after the computer is
> seized but before you are served with a s49 notice. I would think a
> discreet piece of paper (e.g. a cigarette paper) might much more easily
> be missed on a search - perhaps slipped in the binding of a book, etc.

I wasn't really thinking of using it to hold the password. I'm assuming that I'm using one I can remember without writing it down.

How about:

I buy a YubiKey making sure that I use my normal credit card and the emails involved in the purchase are archived in my Gmail account.
I destroy and safely dispose of my YubiKey.

I ensure that any system logs which record things like USB keyboard connections are regularly truncated.

When the Police arrive I ensure that they can find and take all my electronic junk (a couple of vans' worth in my case).

When served with the RIPA notice I say "I use a YubiKey, I don't know what the password is because it was generated by the token and you took it away in one of the boxes".

I can prove I bought it; if the Police have lost it, it's really not my fault.

John Wilson

From bdm at fenrir.org.uk  Fri Oct 15 19:49:17 2010
From: bdm at fenrir.org.uk (Brian Morrison)
Date: Fri, 15 Oct 2010 19:49:17 +0100
Subject: 50 characters ? (was RE: Man jailed over computer password refusal
Message-ID: <20101015194917.51801557@peterson.fenrir.org.uk>

On Fri, 15 Oct 2010 19:43:00 +0100
John Wilson wrote:

> I destroy and safely dispose of my YubiKey

And if you do this before you are served with any notice then surely it's entirely a defence to say that your key is now gone and you are unable to provide it?

-- 
Brian Morrison
GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html

From tugwilson at gmail.com  Fri Oct 15 20:00:32 2010
From: tugwilson at gmail.com (John Wilson)
Date: Fri, 15 Oct 2010 20:00:32 +0100
Subject: 50 characters ?
(was RE: Man jailed over computer password refusal
In-Reply-To: <20101015194917.51801557@peterson.fenrir.org.uk>

On 15 October 2010 19:49, Brian Morrison wrote:
> On Fri, 15 Oct 2010 19:43:00 +0100
> John Wilson wrote:
>
>> I destroy and safely dispose of my YubiKey
>
> And if you do this before you are served with any notice then surely
> it's entirely a defence to say that your key is now gone and you are
> unable to provide it?

Nicholas' point was that the Police might well find the key in the search, which is a real risk.

Are you suggesting that I immediately destroy it, claim that the Police missed it but that I subsequently destroyed it?

If so that seems a rather risky thing to claim. I'd have to explain why I'd destroyed the key and I'm not sure I could do that in a way which would be likely to convince a Jury.

I could, I think, explain why I'd reused the key but then I'd have to have kept it and there's always a risk that the search would have found it.

I think Police incompetence is by far the most credible excuse :)

John Wilson

From lists at internetpolicyagency.com  Fri Oct 15 17:06:42 2010
From: lists at internetpolicyagency.com (Roland Perry)
Date: Fri, 15 Oct 2010 17:06:42 +0100
Subject: 50 characters ?
(was RE: Man jailed over computer password refusal
In-Reply-To: <4CB8726B.6090409@bbk.ac.uk>

In article <4CB8726B.6090409 at bbk.ac.uk>, ken writes
>there is a genuine use - these days even a lucrative use - for bad
>poetry.

So we should all have a tame Vogon?
-- 
Roland Perry
Who was briefly in the same class at school as Paul Johnstone.

From bdm at fenrir.org.uk  Fri Oct 15 22:56:07 2010
From: bdm at fenrir.org.uk (Brian Morrison)
Date: Fri, 15 Oct 2010 22:56:07 +0100
Subject: 50 characters ? (was RE: Man jailed over computer password refusal
Message-ID: <20101015225607.07b9b6c2@peterson.fenrir.org.uk>

On Fri, 15 Oct 2010 20:00:32 +0100
John Wilson wrote:

> If so that seems a rather risky thing to claim. I'd have to explain
> why I'd destroyed the key and I'm not sure I could do that in a way
> which would be likely to convince a Jury.

"I destroyed it because my hardware was compromised due to being seized and therefore I had no further need of it"

-- 
Brian Morrison
GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html

From nbohm at ernest.net  Sat Oct 16 08:14:15 2010
From: nbohm at ernest.net (Nicholas Bohm)
Date: Sat, 16 Oct 2010 08:14:15 +0100
Subject: 50 characters ?
(was RE: Man jailed over computer password refusal
Message-ID: <4CB950C7.1000006@ernest.net>

On 15/10/2010 19:43, John Wilson wrote:
> On 15 October 2010 18:42, Nicholas Bohm wrote:
>> On 15/10/2010 16:52, John Wilson wrote:
>>> On 15 October 2010 16:43, Nicholas Bohm wrote:
>>>> Leo Marks also noted the benefits of keeping secret information recorded on
>>>> easily destructible media (e.g. silk). Adopting his procedures, and citing
>>>> his work, might have helped Mr Drage present a more convincing account.
>>> If I read the specs right this http://yubico.com/home/index/ allows
>>> you to have and use a password that you need never know and which can be
>>> easily destroyed (http://www.yubico.com/developers/static/ seems to
>>> say that if you press the button for 10 seconds the password is
>>> replaced by another random one). The mere possession of one of these
>>> devices would seem to allow you to plausibly claim that you cannot
>>> comply with the request to disclose the password.
>> Maybe, but it's quite likely to be found and seized when the computer is
>> seized, and the time to destroy your password is after the computer is
>> seized but before you are served with a s49 notice. I would think a
>> discreet piece of paper (e.g. a cigarette paper) might much more easily
>> be missed on a search - perhaps slipped in the binding of a book, etc.
>
> I wasn't really thinking of using it to hold the password. I'm
> assuming that I'm using one I can remember without writing it down.
>
> How about:
>
> I buy a YubiKey making sure that I use my normal credit card and the
> emails involved in the purchase are archived in my Gmail account.
>
> I destroy and safely dispose of my YubiKey.
>
> I ensure that any system logs which record things like USB keyboard
> connections are regularly truncated.
>
> When the Police arrive I ensure that they can find and take all my
> electronic junk (a couple of vans' worth in my case).
>
> When served with the RIPA notice I say "I use a YubiKey, I don't know
> what the password is because it was generated by the token and you
> took it away in one of the boxes".
>
> I can prove I bought it; if the Police have lost it, it's really not my fault.

Nice scenario, but not everyone knows how to "ensure that any system logs which record things like USB keyboard connections are regularly truncated." (I don't, for one.) And not everyone has such a haystack of electronic gear as to make loss of the Yubikey needle plausible.

With a key written on a cigarette paper, you can play the game either way: either "It was on my desk when you searched, I haven't seen it since, so you must have lost or destroyed it by accident" or "It was in the binding of my copy of 'A Midsummer Ramble in the Dolomites' by Amelia Edwards, and your search missed it. As you had my computer, I destroyed it after you left."

The second variant could be buttressed by evidence from an unimpeachable witness who saw the paper with a very long and unrememberable password on it and saw it destroyed. The first variant is perhaps more plausible as an account of how we amateurs really do things with written records of passwords.

Nicholas
-- 
Contact and PGP key here

From fjmd1a at gmail.com  Sat Oct 16 10:18:13 2010
From: fjmd1a at gmail.com (Francis Davey)
Date: Sat, 16 Oct 2010 10:18:13 +0100
Subject: 50 characters ?
(was RE: Man jailed over computer password refusal
In-Reply-To: <4CB950C7.1000006@ernest.net>

On 16 October 2010 08:14, Nicholas Bohm wrote:
> Nice scenario, but not everyone knows how to "ensure that any system
> logs which record things like USB keyboard connections are regularly
> truncated." (I don't, for one.) And not everyone has such a haystack of
> electronic gear as to make loss of the Yubikey needle plausible.
>
> With a key written on a cigarette paper, you can play the game either
> way: either "It was on my desk when you searched, I haven't seen it
> since, so you must have lost or destroyed it by accident" or "It was in
> the binding of my copy of 'A Midsummer Ramble in the Dolomites' by
> Amelia Edwards, and your search missed it. As you had my computer, I
> destroyed it after you left."

It would be easy enough to set up an escrow/destruction service (maybe they already exist - I've never had cause to use one). It's the kind of thing lawyers did in the olden days (since they were thought to be unimpeachable - alas, if only it were really true).

-- 
Francis Davey

From tharg at gmx.net  Sat Oct 16 12:37:10 2010
From: tharg at gmx.net (Caspar Bowden (travelling private e-mail))
Date: Sat, 16 Oct 2010 13:37:10 +0200
Subject: 50 characters ?
(was RE: Man jailed over computer password refusal
Message-ID: <002201cb6d26$7a09d280$6e1d7780$@gmx.net>

A Vogon poetry (i.e. memorably appealing to oneself but of no conspicuous literary merit) generator would indeed appear to be a necessary and cryptographically practicable way of dealing with Part.3

There really should be a Wikipedia page on such Part.3 stratagems...

Caspar

-----Original Message-----
From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto-bounces at chiark.greenend.org.uk] On Behalf Of Roland Perry
Sent: 15 October 2010 18:07
To: ukcrypto at chiark.greenend.org.uk
Subject: Re: 50 characters ? (was RE: Man jailed over computer password refusal

In article <4CB8726B.6090409 at bbk.ac.uk>, ken writes
>there is a genuine use - these days even a lucrative use - for bad
>poetry.

So we should all have a tame Vogon?
-- 
Roland Perry
Who was briefly in the same class at school as Paul Johnstone.

From tugwilson at gmail.com  Sat Oct 16 16:21:40 2010
From: tugwilson at gmail.com (John Wilson)
Date: Sat, 16 Oct 2010 16:21:40 +0100
Subject: 50 characters ?
(was RE: Man jailed over computer password refusal
In-Reply-To: <4CB950C7.1000006@ernest.net>

On 16 October 2010 08:14, Nicholas Bohm wrote:
> With a key written on a cigarette paper, you can play the game either
> way: either "It was on my desk when you searched, I haven't seen it
> since, so you must have lost or destroyed it by accident" or "It was in
> the binding of my copy of 'A Midsummer Ramble in the Dolomites' by
> Amelia Edwards, and your search missed it. As you had my computer, I
> destroyed it after you left."
>
> The second variant could be buttressed by evidence from an unimpeachable
> witness who saw the paper with a very long and unrememberable password
> on it and saw it destroyed. The first variant is perhaps more plausible
> as an account of how we amateurs really do things with written records
> of passwords.

OK, here's another variant:

I buy two YubiKeys, one black and one white.

I destroy and securely dispose of the white one.

I use the black one to generate and hold the first part of my passphrase and manually type the rest in from memory - this means that I only know a part of the passphrase.

I also use the password held in the YubiKey as the password for some innocuous application to allow me to explain why I needed two YubiKeys.

When the computer equipment is seized the YubiKey may or may not be seized with it.

If the YubiKey is not seized I get the YubiKey to forget the password (I can do that in front of witnesses).

If the YubiKey is seized I claim that the white YubiKey was used to hold the password. If the Police don't have it they must either have lost it or they left it here and I've lost it.
In the first scenario I always tell the truth.

In the second I tell a single lie.

In either case the computer logs confirm that I've used a YubiKey every time I've accessed the encrypted data.

John Wilson

From nbohm at ernest.net  Sat Oct 16 17:57:06 2010
From: nbohm at ernest.net (Nicholas Bohm)
Date: Sat, 16 Oct 2010 17:57:06 +0100
Subject: 50 characters ? (was RE: Man jailed over computer password refusal
Message-ID: <4CB9D962.1040807@ernest.net>

On 16/10/2010 16:21, John Wilson wrote:
> On 16 October 2010 08:14, Nicholas Bohm wrote:
>
>> With a key written on a cigarette paper, you can play the game either
>> way: either "It was on my desk when you searched, I haven't seen it
>> since, so you must have lost or destroyed it by accident" or "It was in
>> the binding of my copy of 'A Midsummer Ramble in the Dolomites' by
>> Amelia Edwards, and your search missed it. As you had my computer, I
>> destroyed it after you left."
>>
>> The second variant could be buttressed by evidence from an unimpeachable
>> witness who saw the paper with a very long and unrememberable password
>> on it and saw it destroyed. The first variant is perhaps more plausible
>> as an account of how we amateurs really do things with written records
>> of passwords.
> OK, here's another variant:
>
> I buy two YubiKeys, one black and one white.
>
> I destroy and securely dispose of the white one.
>
> I use the black one to generate and hold the first part of my
> passphrase and manually type the rest in from memory - this means that
> I only know a part of the passphrase.
>
> I also use the password held in the YubiKey as the password for some
> innocuous application to allow me to explain why I needed two YubiKeys.
>
> When the computer equipment is seized the YubiKey may or may not be
> seized with it.
>
> If the YubiKey is not seized I get the YubiKey to forget the password
> (I can do that in front of witnesses).
>
> If the YubiKey is seized I claim that the white YubiKey was used to
> hold the password. If the Police don't have it they must either have
> lost it or they left it here and I've lost it.
>
> In the first scenario I always tell the truth.
>
> In the second I tell a single lie.

A neat scenario.

> In either case the computer logs confirm that I've used a YubiKey
> every time I've accessed the encrypted data.

This is, I think, its single advantage over the piece of flimsy paper approach, where there would be no evidence from logs. Paper might be easier for a jury to follow, perhaps - less geekish.

And perhaps it's a good thing the criminal classes don't subscribe to ukcrypto (if they don't).

Nicholas
-- 
Contact and PGP key here

From otcbn at callnetuk.com  Sat Oct 16 18:15:13 2010
From: otcbn at callnetuk.com (Peter Mitchell)
Date: Sat, 16 Oct 2010 18:15:13 +0100
Subject: 50 characters ?
(was RE: Man jailed over computer password refusal
Message-ID: <4CB9DDA1.2090601@callnetuk.com>

John Wilson wrote on 15-10-10 20:00:
> Are you suggesting that I immediately destroy it, claim that the Police
> missed it but that I subsequently destroyed it?
>
> If so that seems a rather risky thing to claim. I'd have to explain
> why I'd destroyed the key and I'm not sure I could do that in a way
> which would be likely to convince a Jury.

I do not think there is anything in RIPA to stop you saying "I destroyed the key because I didn't want the police coming back with a RIPA notice and forcing me to disclose my private documents". There seems to be no obligation on a person to preserve his key in anticipation of a notice.

I suppose the police could argue that destroying it amounted to an attempt to pervert the course of justice. But one would hope they would first have to prove that some other crime had been committed that the suspect was trying to conceal.

-- 
Pete Mitchell

From tugwilson at gmail.com  Sat Oct 16 18:23:40 2010
From: tugwilson at gmail.com (John Wilson)
Date: Sat, 16 Oct 2010 18:23:40 +0100
Subject: 50 characters ?
(was RE: Man jailed over computer password refusal
In-Reply-To: <4CB9DDA1.2090601@callnetuk.com>

On 16 October 2010 18:15, Peter Mitchell wrote:
> John Wilson wrote on 15-10-10 20:00:
>>
>> Are you suggesting that I immediately destroy it, claim that the Police
>> missed it but that I subsequently destroyed it?
>>
>> If so that seems a rather risky thing to claim. I'd have to explain
>> why I'd destroyed the key and I'm not sure I could do that in a way
>> which would be likely to convince a Jury.
>
> I do not think there is anything in RIPA to stop you saying "I destroyed the
> key because I didn't want the police coming back with a RIPA notice and
> forcing me to disclose my private documents". There seems to be no
> obligation on a person to preserve his key in anticipation of a notice.
> I suppose the police could argue that destroying it amounted to an attempt
> to pervert the course of justice. But one would hope they would first have
> to prove that some other crime had been committed that the suspect was
> trying to conceal.

Yes, that is a good point. I wonder why Mr Drage didn't just claim that he'd written his 50 character passphrase down and had then destroyed it?

John Wilson

From nbohm at ernest.net  Sat Oct 16 18:42:29 2010
From: nbohm at ernest.net (Nicholas Bohm)
Date: Sat, 16 Oct 2010 18:42:29 +0100
Subject: 50 characters ?
(was RE: Man jailed over computer password refusal
Message-ID: <4CB9E405.8010309@ernest.net>

On 16/10/2010 18:23, John Wilson wrote:
> On 16 October 2010 18:15, Peter Mitchell wrote:
>> John Wilson wrote on 15-10-10 20:00:
>>> Are you suggesting that I immediately destroy it, claim that the Police
>>> missed it but that I subsequently destroyed it?
>>>
>>> If so that seems a rather risky thing to claim. I'd have to explain
>>> why I'd destroyed the key and I'm not sure I could do that in a way
>>> which would be likely to convince a Jury.
>> I do not think there is anything in RIPA to stop you saying "I destroyed the
>> key because I didn't want the police coming back with a RIPA notice and
>> forcing me to disclose my private documents". There seems to be no
>> obligation on a person to preserve his key in anticipation of a notice.

I think there is none.

>> I suppose the police could argue that destroying it amounted to an attempt
>> to pervert the course of justice. But one would hope they would first have
>> to prove that some other crime had been committed that the suspect was
>> trying to conceal.

It's destroying something which might be evidence, but it's hard to see that it could be proved beyond reasonable doubt that it really was. And that's the basis for my suggestion of the hidden flimsy paper destroyed after not being found when the computer was taken.

> Yes, that is a good point. I wonder why Mr Drage didn't just claim that
> he'd written his 50 character passphrase down and had then destroyed
> it?

Perhaps he doesn't read this list.
Nicholas
-- 
Contact and PGP key here

From ukcrypto at sourcetagged.ian.co.uk  Sun Oct 17 21:36:30 2010
From: ukcrypto at sourcetagged.ian.co.uk (Ian Mason)
Date: Sun, 17 Oct 2010 21:36:30 +0100
Subject: 50 characters ? (was RE: Man jailed over computer password refusal
Message-ID: <13332C9E-85BE-4E7A-BAD1-173DD6B1902B@sourcetagged.ian.co.uk>

On 15 Oct 2010, at 17:07, Roland Perry wrote:

> In article <4CB86791.3070309 at bbk.ac.uk>, ken
> writes
>
>> I genuinely can't remember my own mobile phone number
>
> This is one of the reasons I collect "vanity" domains, phone
> numbers, car numberplates etc. It's not just to show off - they are
> much more memorable for *me*.
> --
> Roland Perry
> Whose ex-boss owns AMS 1
>

I personally find car registration numbers easy to remember. I can still remember the registration number of my parents' car from the mid-sixties. One of my 'random but memorable' password schemes is to stand at the road side and record a few registration numbers, memorise them and use the concatenated reg numbers as a password. Calculating the entropy of a UK car registration number is left as an exercise for the student.

From madlists at teaparty.net  Mon Oct 18 12:40:07 2010
From: madlists at teaparty.net (Tom Yates)
Date: Mon, 18 Oct 2010 12:40:07 +0100 (BST)
Subject: national ID fraud prevention week: unclear on the concept

having learned from the grauniad [1] that this week is national ID fraud prevention week, and that to mark it "A guide, supported by organisations including the Metropolitan police, the National Fraud Authority and the Federation of Small Businesses, can be found at www.stop-idfraud.co.uk", i went off to get a copy, from http://www.stop-idfraud.co.uk/resource-centre.aspx .
the guide, now i've read it, offers such useful gems as "Be wary of publishing identifying information about yourself online", in which class they include your full name and pictures of your employer.

amusingly, they require you to give your full name, employer (company affiliation) and email address in an insecure web form before allowing you to access the leaflet. afaict, they don't validate any of the data, though i'm not sure whether that makes me more or less depressed.

-- 
Tom Yates - http://www.teaparty.net

[1] http://www.guardian.co.uk/money/2010/oct/18/britons-identity-fraud

From pwt at iosis.co.uk  Mon Oct 18 14:39:16 2010
From: pwt at iosis.co.uk (Peter Tomlinson)
Date: Mon, 18 Oct 2010 14:39:16 +0100
Subject: national ID fraud prevention week: unclear on the concept
Message-ID: <4CBC4E04.5050408@iosis.co.uk>

Domain name:
    stop-idfraud.co.uk

Registrant:
    Ben Mason

Registrant type:
    UK Individual

Registrant's address:
    40 Long Acre
    Covent Garden
    London
    London
    N19 3HU
    United Kingdom

Registrar:
    Tollon Limited t/a ukureg [Tag = UKUREG]
    URL: http://www.tollon.net

Relevant dates:
    Registered on: 07-Oct-2005
    Renewal date:  07-Oct-2011
    Last updated:  02-Nov-2009

Registration status:
    Registered until renewal date.

Name servers:
    ns0.eechost.net
    ns2.eechost.net

WHOIS lookup made at 14:38:23 18-Oct-2010

Tom Yates wrote:
> having learned from the grauniad [1] that this week is national ID
> fraud prevention week, and that to mark it "A guide, supported by
> organisations including the Metropolitan police, the National Fraud
> Authority and the Federation of Small Businesses, can be found at
> www.stop-idfraud.co.uk", i went off to get a copy, from
> http://www.stop-idfraud.co.uk/resource-centre.aspx .
>
> the guide, now i've read it, offers such useful gems as "Be wary of
> publishing identifying information about yourself online", in which
> class they include your full name and pictures of your employer.
>
> amusingly, they require you to give your full name, employer (company
> affiliation) and email address in an insecure web form before allowing
> you to access the leaflet. afaict, they don't validate any of the
> data, though i'm not sure whether that makes me more or less depressed.
>

From tugwilson at gmail.com  Mon Oct 18 14:53:52 2010
From: tugwilson at gmail.com (John Wilson)
Date: Mon, 18 Oct 2010 14:53:52 +0100
Subject: national ID fraud prevention week: unclear on the concept
In-Reply-To: <4CBC4E04.5050408@iosis.co.uk>

On 18 October 2010 14:39, Peter Tomlinson wrote:
> Domain name:
> stop-idfraud.co.uk
>
> Registrant:
> Ben Mason
>
> Registrant type:
> UK Individual
>
> Registrant's address:
> 40 Long Acre
> Covent Garden
> London
> London
> N19 3HU
> United Kingdom

The post code is wrong. N19 3HU is 5 miles north of Covent Garden

John Wilson

From otcbn at callnetuk.com  Mon Oct 18 15:02:54 2010
From: otcbn at callnetuk.com (Peter Mitchell)
Date: Mon, 18 Oct 2010 15:02:54 +0100
Subject: national ID fraud prevention week: unclear on the concept
Message-ID: <4CBC538E.9020908@callnetuk.com>

John Wilson wrote on 18-10-10 14:53:
>
>
> On 18 October 2010 14:39, Peter Tomlinson wrote:
>
> > Domain name:
> > stop-idfraud.co.uk
> >
> > Registrant:
> > Ben Mason
> >
> > Registrant type:
> > UK Individual
> >
> > Registrant's address:
> > 40 Long Acre
> > Covent Garden
> > London
> > London
> > N19 3HU
> > United Kingdom
>
> The post code is wrong.
> N19 3HU is 5 miles north of Covent Garden
>

Presumably then Nominet will now disable the domain on the basis of incorrect contact details (see uk-crypto thread "Unpersons" Jan 2010, and http://www.out-law.com/page-10652 "Nominet legal head Nick Wenban-Smith told OUT-LAW Radio that it acted because there had been a breach of the contract agreed by the people behind the websites. They had given false contact details, he said. "If you provide false details or they are out of date for some reason then that enables us to have an investigation and suspend until we're happy that everything is well," he said.")

-- 
Pete Mitchell

From tugwilson at gmail.com  Mon Oct 18 15:12:24 2010
From: tugwilson at gmail.com (John Wilson)
Date: Mon, 18 Oct 2010 15:12:24 +0100
Subject: national ID fraud prevention week: unclear on the concept
In-Reply-To: <4CBC538E.9020908@callnetuk.com>

40 Long Acre, Covent Garden is the address of a PR firm called Fleishman-Hillard. A Ben Mason worked for them June 2002 - April 2008 (according to LinkedIn).

He's on Twitter, I've asked him if he was the guy who registered the site.

John Wilson

From james2 at jfirth.net  Mon Oct 18 15:43:29 2010
From: james2 at jfirth.net (James Firth)
Date: Mon, 18 Oct 2010 15:43:29 +0100
Subject: national ID fraud prevention week: unclear on the concept
Message-ID: <004d01cb6ed2$d48b2f30$7da18d90$@net>

> 40 Long Acre, Covent Garden is the address of a PR firm called
> Fleishman-Hillard. A Ben Mason worked for them June 2002 - April 2008
> (according to LinkedIn).
>
> He's on Twitter, I've asked him if he was the guy who registered the
> site.
>
> John Wilson

A trademarked logo/slogan and a somewhat keen attempt to discover if each enquiry is from a business or household.
Oodles of free press coverage and it appears all to be run by Fellowes - manufacturers of shredders.

Can one expect therefore the emphasis to be on physical security rather than electronic security?

James Firth

From tugwilson at gmail.com Mon Oct 18 16:16:28 2010
From: tugwilson at gmail.com (John Wilson)
Date: Mon, 18 Oct 2010 16:16:28 +0100
Subject: national ID fraud prevention week: unclear on the concept
In-Reply-To: <004d01cb6ed2$d48b2f30$7da18d90$@net>
References: <4CBC4E04.5050408@iosis.co.uk> <4CBC538E.9020908@callnetuk.com> <004d01cb6ed2$d48b2f30$7da18d90$@net>
Message-ID: 

The Irish site http://www.stop-idfraud.ie/ doesn't have a privacy statement and there's no apparent opt out for email communications.

Fleishman-Hillard are the PR company behind this: http://www.stop-idfraud.co.uk/press-room.aspx

Odd that they are using a domain name belonging to an ex-employee. Let's hope they parted on good terms.

John Wilson

From pwt at iosis.co.uk Mon Oct 18 16:24:23 2010
From: pwt at iosis.co.uk (Peter Tomlinson)
Date: Mon, 18 Oct 2010 16:24:23 +0100
Subject: national ID fraud prevention week: unclear on the concept
In-Reply-To: <004d01cb6ed2$d48b2f30$7da18d90$@net>
References: <4CBC4E04.5050408@iosis.co.uk> <4CBC538E.9020908@callnetuk.com> <004d01cb6ed2$d48b2f30$7da18d90$@net>
Message-ID: <4CBC66A7.3060805@iosis.co.uk>

James Firth wrote:
>> 40 Long Acre, Covent Garden is the address of a PR firm called
>> Fleishman-Hillard. A Ben Mason worked for them June 2002 - April 2008
>> (according to LinkedIn).
>>
>> He's on Twitter, I've asked him if he was the guy who registered the
>> site.
>>
>> John Wilson
>>
> A trademarked logo/slogan and a somewhat keen attempt to discover if each
> enquiry is from a business or household. Oodles of free press coverage and
> it appears all to be run by Fellowes - manufacturers of shredders.
>
> Can one expect therefore the emphasis to be on physical security rather than
> electronic security?
>
> James Firth

It's a bit of an ID fraud, then. Lock 'em up.

Peter

From DaveWalker at ubuntu.com Mon Oct 18 13:44:57 2010
From: DaveWalker at ubuntu.com (Dave Walker)
Date: Mon, 18 Oct 2010 13:44:57 +0100
Subject: OATH Tokens
In-Reply-To: <32CF0A10-B55A-4486-9F51-A3E0A4D4E216@batten.eu.org>
References: <32CF0A10-B55A-4486-9F51-A3E0A4D4E216@batten.eu.org>
Message-ID: <4CBC4149.7000708@ubuntu.com>

On 13/10/10 07:10, Ian Batten wrote:
> Interesting product. It requires getting at the USB ports, but that shouldn't be a problem for my intended application (securing the batten.eu.org webmail service for when my children use it from school!).
>
> Thanks very much: I'll order a few to play with.
>
> ian
>
>

Hi,

Probably too late, but whilst reading up on this - I came across a 40% discount [0], which clinched me into making a purchase. :)

[0] http://www.sync32.org.uk/wp/2009/08/yubikey-40-discount/

Kind Regards,
Dave Walker

From tugwilson at gmail.com Mon Oct 18 17:29:39 2010
From: tugwilson at gmail.com (John Wilson)
Date: Mon, 18 Oct 2010 17:29:39 +0100
Subject: OATH Tokens
In-Reply-To: <4CBC4149.7000708@ubuntu.com>
References: <32CF0A10-B55A-4486-9F51-A3E0A4D4E216@batten.eu.org> <4CBC4149.7000708@ubuntu.com>
Message-ID: 

On 18 October 2010 13:44, Dave Walker wrote:
> Probably too late, but whilst reading up on this - I came across a 40%
> discount [0], which clinched me into making a purchase.
> :)
>
> [0] http://www.sync32.org.uk/wp/2009/08/yubikey-40-discount/

It only offers me $7.50 off with that code :(

John Wilson

From DaveWalker at ubuntu.com Mon Oct 18 17:49:25 2010
From: DaveWalker at ubuntu.com (Dave Walker)
Date: Mon, 18 Oct 2010 17:49:25 +0100
Subject: OATH Tokens
In-Reply-To: 
References: <32CF0A10-B55A-4486-9F51-A3E0A4D4E216@batten.eu.org> <4CBC4149.7000708@ubuntu.com>
Message-ID: <4CBC7A95.3080208@ubuntu.com>

On 18/10/10 17:29, John Wilson wrote:
> On 18 October 2010 13:44, Dave Walker wrote:
>> Probably too late, but whilst reading up on this - I came across a 40%
>> discount [0], which clinched me into making a purchase. :)
>>
>> [0] http://www.sync32.org.uk/wp/2009/08/yubikey-40-discount/
>
> It only offers me $7.50 off with that code :(
>
> John Wilson
>

Yes, they seem to have a different algorithm for working out 40% than is conventional. :/

Kind Regards,
Dave Walker

From james.firth at daltonfirth.co.uk Tue Oct 19 13:23:55 2010
From: james.firth at daltonfirth.co.uk (James Firth)
Date: Tue, 19 Oct 2010 13:23:55 +0100
Subject: Verified by Visa finally gets outed
Message-ID: <001301cb6f88$802d29f0$80877dd0$@firth@daltonfirth.co.uk>

First I've seen about this in the mainstream press:
http://www.bbc.co.uk/news/uk-11571873

"But online security experts at Cambridge University say the systems encourage people to enter their confidential information into pages that they cannot be sure are genuine and customers could end up liable for the loss."

Just like they've been saying since its launch. Why they went for an embedded (IFRAMEd) approach when world+dog could see this masked the SSL certificate info from all but the most curious of visitors is still beyond me.

BBC Breakfast had an interview with a "victim" of an apparent VbV trojan who claimed her bank refused to repay the fraudulent transaction because "Verified by Visa is a secure system and was used to authorise this transaction"

So here we go again.
Not like the banks noticed the law has changed to state explicitly they must refund or prove fraud by the customer.

James Firth

From lists at internetpolicyagency.com Tue Oct 19 13:48:21 2010
From: lists at internetpolicyagency.com (Roland Perry)
Date: Tue, 19 Oct 2010 13:48:21 +0100
Subject: Verified by Visa finally gets outed
In-Reply-To: <001301cb6f88$802d29f0$80877dd0$@firth>
References: <001301cb6f88$802d29f0$80877dd0$@firth>
Message-ID: 

In article <001301cb6f88$802d29f0$80877dd0$@firth>, James Firth writes
>Not like the banks noticed the law has changed to
>state explicitly they must refund or prove fraud by the customer.

Is that the new Banking Code, which someone told me yesterday most of the non-state-owned banks are failing to ratify? Or something else.
-- 
Roland Perry

From lists at barnfather.net Tue Oct 19 18:30:30 2010
From: lists at barnfather.net (Paul Barnfather)
Date: Tue, 19 Oct 2010 18:30:30 +0100
Subject: Verified by Visa finally gets outed
In-Reply-To: <-2462665368518280472@unknownmsgid>
References: <-2462665368518280472@unknownmsgid>
Message-ID: 

> Just like they've been saying since its launch. Why they went for an
> embedded (IFRAMEd) approach when world+dog could see this masked the SSL
> certificate info from all but the most curious of visitors is still beyond
> me.

I notice they're now claiming that the "personal assurance message" is the approved way to ensure that VbV dialog box is genuine.

Surely it's fairly trivial for a site to send a (hidden, bogus) request to VbV and scrape the personal assurance message that comes back, then display the message in a phishing dialog to get the victim's password?

Or is the VbV system secure against this attack? I still feel uncomfortable with it.
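Paul Barnfather's question above, whether a site can request the personal assurance message and replay it in its own dialog, is easy to model. What follows is an added example written for this thread, not code posted by anyone on the list and not anything from Visa: a toy three-party model with a constructed issuer access control server (ACS), an honest merchant and a rogue one. The class and function names, the host names, the card number, the assurance message and the password are all made up for the example. It shows that the only check a cardholder can make inside an iframe (padlock present, "my" message shown) passes for both frames, and that the one check that would tell them apart, the frame's origin, is exactly what the iframe hides.

```python
"""Toy model of the personal-assurance-message (PAM) scrape.

Constructed example, not code from the thread. A simplified 3-D Secure-style
flow: the issuer's ACS reveals the PAM to any session that presents the card
number; an honest merchant embeds the real ACS page; a rogue merchant starts
and abandons a throw-away ACS session just to learn the PAM, then serves its
own look-alike frame under its own certificate. All data below is made up.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class IssuerACS:
    """Issuer side. Keyed by PAN: (personal assurance message, VbV password)."""
    cards: dict[str, tuple[str, str]]
    sessions_started: list[str] = field(default_factory=list)
    sessions_completed: list[str] = field(default_factory=list)

    def start_session(self, pan: str) -> str | None:
        """Step 1 of the dialog: on seeing a PAN the ACS shows the PAM so the
        cardholder can 'confirm' the frame. Nothing authenticates the party
        asking; an abandoned session is just one more incomplete transaction."""
        self.sessions_started.append(pan)
        rec = self.cards.get(pan)
        return rec[0] if rec else None

    def complete_session(self, pan: str, password: str) -> bool:
        """Step 2: the password typed into the frame is checked."""
        rec = self.cards.get(pan)
        ok = rec is not None and rec[1] == password
        if ok:
            self.sessions_completed.append(pan)
        return ok


@dataclass(frozen=True)
class Frame:
    """What the browser renders inside the iframe. 'origin' is the certificate
    subject the browser would show for a top-level page; in an iframe the
    user never sees it."""
    origin: str
    padlock: bool
    pam: str | None


class HonestMerchant:
    def __init__(self, acs: IssuerACS) -> None:
        self.acs = acs

    def checkout(self, pan: str) -> Frame:
        # Embeds the issuer's real page; the PAM comes straight from the ACS.
        return Frame("acs.example-bank.test", True, self.acs.start_session(pan))


class RogueMerchant:
    def __init__(self, acs: IssuerACS) -> None:
        self.acs = acs
        self.harvested: dict[str, str] = {}

    def checkout(self, pan: str) -> Frame:
        # Scrape: open a session at the real ACS with the mark's PAN, read the
        # PAM back, never complete it. Serve the copy under the rogue site's
        # own valid certificate: real padlock, right PAM, wrong origin.
        pam = self.acs.start_session(pan)
        return Frame("xyz.example", True, pam)

    def receive_password(self, pan: str, password: str) -> None:
        self.harvested[pan] = password


def cardholder_accepts(frame: Frame, expected_pam: str) -> bool:
    """The check the bank asks for: padlock present and 'my' message shown.
    Inside an iframe this is all the cardholder can see."""
    return frame.padlock and frame.pam == expected_pam


def strict_accepts(frame: Frame, expected_pam: str, issuer_origin: str) -> bool:
    """The check that would catch the copy: the above plus the frame's origin,
    which is precisely the detail the iframe hides."""
    return cardholder_accepts(frame, expected_pam) and frame.origin == issuer_origin


def run_scenario() -> dict[str, object]:
    """Walk one cardholder through both merchants and report what happened."""
    pan, pam, password = "4111111111111111", "blue teapot", "correct horse"  # constructed
    acs = IssuerACS(cards={pan: (pam, password)})
    honest, rogue = HonestMerchant(acs), RogueMerchant(acs)

    honest_frame = honest.checkout(pan)
    if cardholder_accepts(honest_frame, pam):
        acs.complete_session(pan, password)      # genuine purchase

    rogue_frame = rogue.checkout(pan)
    if cardholder_accepts(rogue_frame, pam):
        rogue.receive_password(pan, password)    # phished

    stolen = rogue.harvested.get(pan)
    return {
        "honest_frame_accepted": cardholder_accepts(honest_frame, pam),
        "rogue_frame_accepted": cardholder_accepts(rogue_frame, pam),
        "rogue_frame_accepted_strict": strict_accepts(rogue_frame, pam, "acs.example-bank.test"),
        "password_harvested": stolen == password,
        # Later replay: the harvested password is good at the real ACS.
        "harvested_password_works_at_acs": stolen is not None and acs.complete_session(pan, stolen),
        "acs_sessions_started": len(acs.sessions_started),
        "acs_sessions_completed": len(acs.sessions_completed),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Run as a script it prints the outcome of both checkouts. The point to take from the issuer's counters is that the scrape itself leaves nothing unusual behind: a session started and abandoned looks like any other dropped basket, and the eventual replay with the harvested password completes normally.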
From james2 at jfirth.net Tue Oct 19 19:05:10 2010
From: james2 at jfirth.net (James Firth)
Date: Tue, 19 Oct 2010 19:05:10 +0100
Subject: Verified by Visa finally gets outed
In-Reply-To: 
References: <001301cb6f88$802d29f0$80877dd0$@firth>
Message-ID: <002701cb6fb8$2bee3c50$83cab4f0$@net>

> Is that the new Banking Code, which someone told me yesterday most of
> the non-state-owned banks are failing to ratify? Or something else.

No it's legislation enacted in November 2009(?) whose title escapes me. I know Nicholas Bohm has mentioned it in the past on this list. I'll have to dig it out.

James Firth

From fjmd1a at gmail.com Tue Oct 19 19:26:55 2010
From: fjmd1a at gmail.com (Francis Davey)
Date: Tue, 19 Oct 2010 19:26:55 +0100
Subject: Verified by Visa finally gets outed
In-Reply-To: <002701cb6fb8$2bee3c50$83cab4f0$@net>
References: <001301cb6f88$802d29f0$80877dd0$@firth> <002701cb6fb8$2bee3c50$83cab4f0$@net>
Message-ID: 

On 19 October 2010 19:05, James Firth wrote:
>
> > Is that the new Banking Code, which someone told me yesterday most of
> > the non-state-owned banks are failing to ratify? Or something else.
>
> No it's legislation enacted in November 2009(?) whose title escapes me. I
> know Nicholas Bohm has mentioned it in the past on this list. I'll have to
> dig it out.
>

Regulation 61 of the Payment Services Regulations 2009:

http://www.legislation.gov.uk/uksi/2009/209/regulation/61/made

(see: lawyers are some use 8-).

-- 
Francis Davey
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From igb at batten.eu.org Tue Oct 19 19:43:48 2010
From: igb at batten.eu.org (Ian Batten)
Date: Tue, 19 Oct 2010 19:43:48 +0100
Subject: Oh God, Here We Go Again
Message-ID: <3CCF6936-D009-4B76-9AEC-91A3E8DBD39E@batten.eu.org>

http://www.bbc.co.uk/news/health-11566123

From adam at doublegeek.com Tue Oct 19 19:10:58 2010
From: adam at doublegeek.com (Adam Bradley)
Date: Tue, 19 Oct 2010 19:10:58 +0100
Subject: Verified by Visa finally gets outed
In-Reply-To: 
References: <-2462665368518280472@unknownmsgid>
Message-ID: 

On Tue, Oct 19, 2010 at 6:30 PM, Paul Barnfather wrote:
> I notice they're now claiming that the "personal assurance message" is
> the approved way to ensure that VbV dialog box is genuine.
>
> Surely it's fairly trivial for a site to send a (hidden, bogus)
> request to VbV and scrape the personal assurance message that comes
> back, then display the message in a phishing dialog to get the victim's
> password?
>
> Or is the VbV system secure against this attack? I still feel
> uncomfortable with it.
>

The personal assurance message doesn't protect against a relatively simple MITM HTTP proxy. That should be picked up by standard SSL stuff if it's using SSL, but of course it's in an iframe so users are never going to be aware whether it's using SSL or not.

If it's a genuine site then I would expect the whole thing to be SSL, so a MITM attack couldn't replace the iframe without showing at least some SSL warnings to the user.

Do we know what the attack was in this case?

Adam
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From DaveHowe at gmx.co.uk Tue Oct 19 19:03:48 2010
From: DaveHowe at gmx.co.uk (Dave Howe)
Date: Tue, 19 Oct 2010 19:03:48 +0100
Subject: Verified by Visa finally gets outed
In-Reply-To: 
References: <-2462665368518280472@unknownmsgid>
Message-ID: <4CBDDD84.3050007@gmx.co.uk>

On 19/10/2010 18:30, Paul Barnfather wrote:
>> Just like they've been saying since its launch.
>> Why they went for an
>> embedded (IFRAMEd) approach when world+dog could see this masked the SSL
>> certificate info from all but the most curious of visitors is still beyond
>> me.
>
> I notice they're now claiming that the "personal assurance message" is
> the approved way to ensure that VbV dialog box is genuine.
>
> Surely it's fairly trivial for a site to send a (hidden, bogus)
> request to VbV and scrape the personal assurance message that comes
> back, then display the message in a phishing dialog to get the victim's
> password?
>
> Or is the VbV system secure against this attack? I still feel
> uncomfortable with it.

I would think that, given the source site is iFramed, it would be trivial for a site to just MitM the whole thing, record what you submitted, and write it into a convenient database for later use.

From colinthomson1 at o2.co.uk Tue Oct 19 20:39:43 2010
From: colinthomson1 at o2.co.uk (Tom Thomson)
Date: Tue, 19 Oct 2010 20:39:43 +0100
Subject: Verified by Visa finally gets outed
In-Reply-To: 
References: <001301cb6f88$802d29f0$80877dd0$@firth> <002701cb6fb8$2bee3c50$83cab4f0$@net>
Message-ID: <9171425AAF534E11AC165D50BCB1E027@your41b8d18ede>

Surely the relevant regulation is regulation 60 (or maybe we are talking about the combined effect of 60 and 61).

M.

> Regulation 61 of the Payment Services Regulations 2009:
>
> http://www.legislation.gov.uk/uksi/2009/209/regulation/61/made

From pwt at iosis.co.uk Wed Oct 20 00:19:31 2010
From: pwt at iosis.co.uk (Peter Tomlinson)
Date: Wed, 20 Oct 2010 00:19:31 +0100
Subject: Oh God, Here We Go Again
In-Reply-To: <3CCF6936-D009-4B76-9AEC-91A3E8DBD39E@batten.eu.org>
References: <3CCF6936-D009-4B76-9AEC-91A3E8DBD39E@batten.eu.org>
Message-ID: <4CBE2783.80301@iosis.co.uk>

Ian Batten wrote:
> http://www.bbc.co.uk/news/health-11566123

Not until we get strong eID and a promise of professional oversight of the security of all the NHS systems.
DoH is part of the Cabinet Office push for ideas about securing Directgov - the two OJEU notices, the second one being available at:
http://ted.europa.eu/udl?uri=TED:NOTICE:284032-2010:TEXT:EN:HTML

Peter

From maryhawking at tigers.demon.co.uk Wed Oct 20 06:45:31 2010
From: maryhawking at tigers.demon.co.uk (Mary Hawking)
Date: Wed, 20 Oct 2010 06:45:31 +0100
Subject: Oh God, Here We Go Again
In-Reply-To: <3CCF6936-D009-4B76-9AEC-91A3E8DBD39E@batten.eu.org>
References: <3CCF6936-D009-4B76-9AEC-91A3E8DBD39E@batten.eu.org>
Message-ID: <8237778E31184FB6A9AC74F3EBFBBD4D@MaryPC>

Wouldn't it be nice if the records actually existed in an accessible form?

What worries me is the lack of appreciation of the real world: hospitals don't have electronic patient records (and, if local experience is anything to go by, their electronic discharge letters are such poor quality as to be dangerous) and the only GP system able to offer Patient Record Access is EMIS - so at present only around 58% of practices could be covered (although other systems could use the same PAERS software - I believe).

I'm only halfway through the review, but so far have found nothing likely to be useful as a GP Commissioner - or in any other role.
Mary Hawking

-----Original Message-----
From: Ian Batten [mailto:igb at batten.eu.org]
Sent: 19 October 2010 19:44
To: UK Cryptography Policy Discussion Group
Subject: Oh God, Here We Go Again

http://www.bbc.co.uk/news/health-11566123

From fjmd1a at gmail.com Wed Oct 20 07:57:44 2010
From: fjmd1a at gmail.com (Francis Davey)
Date: Wed, 20 Oct 2010 07:57:44 +0100
Subject: Verified by Visa finally gets outed
In-Reply-To: <9171425AAF534E11AC165D50BCB1E027@your41b8d18ede>
References: <001301cb6f88$802d29f0$80877dd0$@firth> <002701cb6fb8$2bee3c50$83cab4f0$@net> <9171425AAF534E11AC165D50BCB1E027@your41b8d18ede>
Message-ID: 

On 19 October 2010 20:39, Tom Thomson wrote:
> Surely the relevant regulation is regulation 60 (or maybe we are talking
> about the combined effect of 60 and 61).
>

The latter. Regulation 61 requires repayment to the lender - which in practice is what the bank customer wants. Regulation 60 reverses the burden of proof.

-- 
Francis Davey
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From nbohm at ernest.net Wed Oct 20 11:30:06 2010
From: nbohm at ernest.net (Nicholas Bohm)
Date: Wed, 20 Oct 2010 11:30:06 +0100
Subject: Verified by Visa finally gets outed
In-Reply-To: 
References: <001301cb6f88$802d29f0$80877dd0$@firth> <002701cb6fb8$2bee3c50$83cab4f0$@net>
Message-ID: <4CBEC4AE.3000607@ernest.net>

On 19/10/2010 19:26, Francis Davey wrote:
>
>
> On 19 October 2010 19:05, James Firth
> wrote:
>
>
> > Is that the new Banking Code, which someone told me yesterday
> most of
> > the non-state-owned banks are failing to ratify? Or something else.
>
> No it's legislation enacted in November 2009(?) whose title
> escapes me. I
> know Nicholas Bohm has mentioned it in the past on this list. I'll
> have to
> dig it out.
>
>
> Regulation 61 of the Payment Services Regulations 2009:
>
> http://www.legislation.gov.uk/uksi/2009/209/regulation/61/made
>
> (see: lawyers are some use 8-).
It's worth noting that this makes no material change to the law as it stood before. But it may still help, as the FSA seems to think it reflects a change, and perhaps some banks think the same. And it gives the customer something easy to point to.

Nicholas
-- 
Contact and PGP key here

From nbohm at ernest.net Wed Oct 20 11:33:59 2010
From: nbohm at ernest.net (Nicholas Bohm)
Date: Wed, 20 Oct 2010 11:33:59 +0100
Subject: Oh God, Here We Go Again
In-Reply-To: <4CBE2783.80301@iosis.co.uk>
References: <3CCF6936-D009-4B76-9AEC-91A3E8DBD39E@batten.eu.org> <4CBE2783.80301@iosis.co.uk>
Message-ID: <4CBEC597.2020706@ernest.net>

On 20/10/2010 00:19, Peter Tomlinson wrote:
> Ian Batten wrote:
>> http://www.bbc.co.uk/news/health-11566123
> Not until we get strong eID and a promise of professional oversight of
> the security of all the NHS systems.
>
> DoH is part of the Cabinet Office push for ideas about securing
> Directgov - the two OJEU notices, the second one being available at:
> http://ted.europa.eu/udl?uri=TED:NOTICE:284032-2010:TEXT:EN:HTML
>

If I can get access to my records from anywhere, then my spouse, prospective employer, etc, etc, can demand a peek which it may be unduly hard to refuse.

If I can get at the records only from a terminal I have to queue for at the surgery, perhaps in the presence of the practice manager/nurse/whatever, then the would-be peekers probably won't bother.

I doubt if there's a technical fix for this (well, duress codes omitted, I suppose, to exhibit a sanitised version; but never in the real world for the general public).
Nicholas
-- 
Contact and PGP key here

From igb at batten.eu.org Wed Oct 20 12:12:35 2010
From: igb at batten.eu.org (Ian Batten)
Date: Wed, 20 Oct 2010 12:12:35 +0100
Subject: Oh God, Here We Go Again
In-Reply-To: <4CBEC597.2020706@ernest.net>
References: <3CCF6936-D009-4B76-9AEC-91A3E8DBD39E@batten.eu.org> <4CBE2783.80301@iosis.co.uk> <4CBEC597.2020706@ernest.net>
Message-ID: <13625327-E052-4C18-9A71-CBEBAB86A331@batten.eu.org>

>
> If I can get access to my records from anywhere, then my spouse,
> prospective employer, etc, etc, can demand a peek which it may be unduly
> hard to refuse.

See also "why postal voting denies the vote to women in patriarchal communities".

ian

From james2 at jfirth.net Wed Oct 20 12:16:14 2010
From: james2 at jfirth.net (James Firth)
Date: Wed, 20 Oct 2010 12:16:14 +0100
Subject: Verified by Visa finally gets outed
In-Reply-To: <4CBEC4AE.3000607@ernest.net>
References: <001301cb6f88$802d29f0$80877dd0$@firth> <002701cb6fb8$2bee3c50$83cab4f0$@net> <4CBEC4AE.3000607@ernest.net>
Message-ID: <006601cb7048$35c15510$a143ff30$@net>

> >
> > Regulation 61 of the Payment Services Regulations 2009:
> >
> > http://www.legislation.gov.uk/uksi/2009/209/regulation/61/made
> >
> > (see: lawyers are some use 8-).
>
> It's worth noting that this makes no material change to the law as it
> stood before. But it may still help, as the FSA seems to think it
> reflects a change, and perhaps some banks think the same. And it gives
> the customer something easy to point to.

I thought it did - since it gives similar legal protection to debit card transaction as credit card transactions?

My understanding is that previously debit card transactions were protected only by the Banking Code, whereas credit card transactions protected by the Consumer Credit Act 1974.
James Firth

From zenadsl6186 at zen.co.uk Wed Oct 20 23:28:50 2010
From: zenadsl6186 at zen.co.uk (Peter Fairbrother)
Date: Wed, 20 Oct 2010 23:28:50 +0100
Subject: Verified by Visa finally gets outed
In-Reply-To: 
References: <-2462665368518280472@unknownmsgid>
Message-ID: <4CBF6D22.5010003@zen.co.uk>

Paul Barnfather wrote:
>> Just like they've been saying since its launch. Why they went for an
>> embedded (IFRAMEd) approach when world+dog could see this masked the SSL
>> certificate info from all but the most curious of visitors is still beyond
>> me.
>
> I notice they're now claiming that the "personal assurance message" is
> the approved way to ensure that VbV dialog box is genuine.
>
> Surely it's fairly trivial for a site to send a (hidden, bogus)
> request to VbV and scrape the personal assurance message that comes
> back, then display the message in a phishing dialog to get the victim's
> password?
>
> Or is the VbV system secure against this attack? I still feel
> uncomfortable with it.

No, it isn't secure against it.

I'd link to the archives if I knew how, but here is a post Re: Co-op Bank and Verified by Visa from 19:47 19/06/09

-- Peter Fairbrother

Andrew T wrote:
> 2009/6/19 Charles Lindsey :
>> 1. Did the screen you were shown have the secure "padlock" set? If not, then
>> for sure it was bogus, but...
>>
>> 2. If so, did you examine the certificate chain attached to it, and where
>> did that chain show the screen to have come from?
>
> By virtue of the fact that the "Merchant Deployment Best Practices"
> supplied by Visa say that it is best to put the VbV into an inline
> frame, it makes it difficult to find out the certificate chain, and
> even when you do they terminate with some third party that I've not
> heard of.
>
> As others have stated, VbV seems to exist to prevent merchant fraud.
> Is it impossible to conceive that a company willing to commit this
> fraud would also be willing to develop a man-in-the-middle attack
> using VbV?
>

It isn't just such a company, any crook can do it.

Verified by Visa/Mastercard SecureCode

Want to steal a few billion? Consider this:

I'm supposedly selling something online. I set up a website and get a hosting company to provide a webserver. If I am careful, it's impossible to trace who I am.

I don't have Verified by Visa/Mastercard SecureCode etc (VbV), or any other credit card arrangements, I'm not actually a registered merchant, I don't need to do anything. Obviously, I can't be traced that way.

I buy a website certificate so a padlock appears on-screen when needed. That's straightforward to do, I just call myself xyz.com and get a certificate which says I am xyz.com. Again, there is no trace to me.

The certificate is not linked to my bank (I don't actually have a bank), nor is it linked to the victim-to-be's bank in any way, and it does not need to be. Linking wouldn't do any good anyway.

Most of the rest of this fraud is done by the webserver. I don't have to do anything by hand, or be online, or be anywhere I could get caught. Holiday in the Bahamas, maybe?

The victim-to-be, the "mark", enters his order on my website, and then enters his details, including his credit card number.

The webserver then gets the mark's personal recognition phrase, if it's used, by entering the mark's details in another, genuine, merchant site which uses VbV.

The webserver has already ordered something from the genuine site, and is at the payments page. It has the mark's details including his credit card number, so it's straightforward to get his recognition phrase, it simply enters the mark's details into the genuine website, and the genuine site will supply the recognition phrase.

The webserver then closes the connection to the genuine site. The genuine site thinks it's an aborted transaction, of which there are very many, and does nothing.
Next, the webserver puts up a frame in the mark's browser purporting to be a VbV frame, with a website certificate and therefore a padlock, and also containing the mark's personal recognition phrase. It's pixel-by-pixel identical to a genuine VbV frame.

*The mark sees the padlock and his personal recognition phrase, and enters his VbV passphrase. This is what his bank has told him to do.*

I now have the mark's VbV passphrase, and can use it to commit online fraud etc.

If the same passphrase is used for telephone banking, and at least one bank insists on this, I can also work out who the mark's bank is from the first part of the credit card number. I then phone their bank and steal all their money.

Once the mark has deleted or overwritten his browser cache and browsing history etc there is no backtrace to the scam, or to my website, apart from the mark's memory; so he'll have a hard time proving anything to his bank, or to a Court.

Verified by Visa/Mastercard SecureCode should be scrapped. Today.

By the way, there are several strategies which can extend the life of the site and the fraud. For instance I can tell the mark that I'm out of stock and his money has not been debited. I can actually send the goods, if they are cheap - most marks won't notice a small debit is missing, or complain that a debit on their statement isn't there! If I wait a while before collecting he will probably have forgotten all about it by then. There are several more.

BTW2, there is a deliberate omission (or two) here which might make it possible to detect the fraud and maybe catch the crook. Most security people and the more intelligent crooks will be able to work out what it is though, and get around it; the omission is mostly to deter script kiddies.

-- Peter Fairbrother

From David_Biggins at usermgmt.com Thu Oct 21 14:31:03 2010
From: David_Biggins at usermgmt.com (David Biggins)
Date: Thu, 21 Oct 2010 14:31:03 +0100
Subject: The IMP rides again!
Message-ID: 

http://www.guardian.co.uk/technology/2010/oct/20/internet-phone-data-plan-revived

The revival of the programme is buried in the strategic defence and security review, which was published yesterday. The review says the programme is required to "maintain capabilities that are vital to the work these agencies do, to protect the public".

Ahead of the election, the Lib Dems said they would "end the storage of internet and email records without good reason", a pledge which appears in the coalition agreement [ http://www.guardian.co.uk/politics/2010/may/20/coalition-government-agreement-cameron-clegg ]

One of the fastest house-trainings in history.

One has to wonder what else is in store.... ID cards back by Christmas?

D.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From nbohm at ernest.net Thu Oct 21 17:26:05 2010
From: nbohm at ernest.net (Nicholas Bohm)
Date: Thu, 21 Oct 2010 17:26:05 +0100
Subject: Verified by Visa finally gets outed
In-Reply-To: <006601cb7048$35c15510$a143ff30$@net>
References: <001301cb6f88$802d29f0$80877dd0$@firth> <002701cb6fb8$2bee3c50$83cab4f0$@net> <4CBEC4AE.3000607@ernest.net> <006601cb7048$35c15510$a143ff30$@net>
Message-ID: <4CC0699D.6020004@ernest.net>

On 20/10/2010 12:16, James Firth wrote:
>>> Regulation 61 of the Payment Services Regulations 2009:
>>>
>>> http://www.legislation.gov.uk/uksi/2009/209/regulation/61/made
>>>
>>> (see: lawyers are some use 8-).
>> It's worth noting that this makes no material change to the law as it
>> stood before. But it may still help, as the FSA seems to think it
>> reflects a change, and perhaps some banks think the same. And it gives
>> the customer something easy to point to.
> I thought it did - since it gives similar legal protection to debit card
> transaction as credit card transactions?

I cannot see anything in it that has that effect.
> My understanding is that previously debit card transactions were protected
> only by the Banking Code, whereas credit card transactions protected by the
> Consumer Credit Act 1974.

That remains the case (except, as I understand it, where a debit card transaction creates or enlarges an overdraft).

Nicholas
-- 
Contact and PGP key here

From fm-lists at st-kilda.org Thu Oct 21 16:06:44 2010
From: fm-lists at st-kilda.org (Fearghas McKay)
Date: Thu, 21 Oct 2010 16:06:44 +0100
Subject: The IMP rides again!
In-Reply-To: 
References: 
Message-ID: 

On 21 Oct 2010, at 14:31, David Biggins wrote:
> One has to wonder what else is in store.... ID cards back by Christmas?
>

Don't be so pessimistic - they should have them back by Guy Fawkes day if they pull the finger out :-/

f

From ukcrypto at magardner.co.uk Wed Oct 27 20:25:00 2010
From: ukcrypto at magardner.co.uk (Martin Gardner)
Date: Wed, 27 Oct 2010 20:25:00 +0100
Subject: RBS and HSBC using Rapport any advice or opinions?
Message-ID: 

Hi,

I have been wondering whether it is worthwhile giving in to the nagging from RBS and now HSBC to install Rapport (http://www.rbs.co.uk/corporate/ms/sc/online-security/rapport.ashx) for use with internet banking.

Before I go to the effort of investigating Rapport myself has anyone else looked into it?
What is the general opinion of it?

Does anyone know what the position might be if I continue to refuse to use it? Especially if I then become a victim of fraud?

Thanks in advance

Martin
---
Martin Gardner
ukcrypto at magardner.co.uk
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From peter at pmsommer.com Thu Oct 28 07:27:31 2010
From: peter at pmsommer.com (Peter Sommer)
Date: Thu, 28 Oct 2010 07:27:31 +0100
Subject: RBS and HSBC using Rapport any advice or opinions?
In-Reply-To: 
References: 
Message-ID: <4CC917D3.6060306@pmsommer.com>

I found it pretty kludgy - on the XP system where I had it installed it left a whole series of processes which didn't close down properly when I went through a regular close down of XP itself - a succession of windows appeared and you had to terminate the processes manually.

In terms of your liability if you don't use it - you have an obligation to exercise reasonable care but it is not for the banks to tell you how specifically to exercise it, particularly as I strongly suspect that Rapport themselves are not guaranteeing either to you or the bank that if you deploy its product they will in all circumstances make good any loss you incur through fraud.

Peter Sommer

On 27/10/2010 20:25, Martin Gardner wrote:
> Hi,
>
> I have been wondering whether it is worthwhile giving in to the
> nagging from RBS and now HSBC to install Rapport
> (http://www.rbs.co.uk/corporate/ms/sc/online-security/rapport.ashx)
> for use with internet banking.
>
> Before I go to the effort of investigating Rapport myself has anyone
> else looked into it?
> What is the general opinion of it?
>
> Does anyone know what the position might be if I continue to refuse to
> use it? Especially if I then become a victim of fraud?
>
> Thanks in advance
>
> Martin
> ---
> Martin Gardner

From igb at batten.eu.org Thu Oct 28 11:38:25 2010
From: igb at batten.eu.org (Ian Batten)
Date: Thu, 28 Oct 2010 11:38:25 +0100
Subject: RBS and HSBC using Rapport any advice or opinions?
In-Reply-To: <4CC917D3.6060306@pmsommer.com>
References: <4CC917D3.6060306@pmsommer.com>
Message-ID: <583A6C95-E9A7-4566-84BB-6BD85BCBC5CF@batten.eu.org>

On 28 Oct 10, at 0727, Peter Sommer wrote:
> I found it pretty kludgy - on the XP system where I had it installed it left a whole series of processes which didn't close down properly when I went through a regular close down of XP itself - a succession of windows appeared and you had to terminate the processes manually.
>
> In terms of your liability if you don't use it - you have an obligation to exercise reasonable care but it is not for the banks to tell you how specifically to exercise it, particularly as I strongly suspect that Rapport themselves are not guaranteeing either to you or the bank that if you deploy its product they will in all circumstances make good any loss you incur through fraud.

The bank certainly aren't.

> We have worked with the financial security experts at Trusteer to offer Rapport to our customers, free of charge. In October 2008, Online Banking Report called Rapport "a major boost in fraud prevention".
>
> Important information - The Bank accepts no liability for the set up, provision or use of software provided by third party providers.

It's not at all clear from the vendor's website what the code does in detail. But it strikes me that it's hard to reduce the size of the TCB involved in a banking transaction, and without using a TPM or another trusted boot technology it's hard to assess whether that TCB has been modified. Having one set of user-space processes running on a platform that audit the behaviour of another set of user-space processes (and by user-space I actually include loadable kernel modules) is an endless regress of layer X sub n monitoring layer X sub n-1, and ultimately can't provide serious assurance.

ian

From David_Biggins at usermgmt.com Thu Oct 28 11:49:46 2010
From: David_Biggins at usermgmt.com (David Biggins)
Date: Thu, 28 Oct 2010 11:49:46 +0100
Subject: RBS and HSBC using Rapport any advice or opinions?
In-Reply-To: 
References: 
Message-ID: 

I originally found it extremely unstable when there was a mixture of 32-bit and 64-bit IE8 running on Vista 64. My normally stable system ran to 9-10 crashes per day, usually while closing tabs, but only while Rapport was running.
The mixture of 32/64 that could induce the crashes included running IE64 together with Outlook 2003 or Visual Studio 2008, both of which have an embedded copy of IE32 running in a window, and several other similar cases.

Some messing about with support got an update which stopped the crashes... by stopping Rapport from trying to run in IE64, only IE32. So you then have to remember all the time to use the 32-bit version to do your banking, or it still nags at you.

Then I upgraded to Office 2010 64-bit, which of course includes an embedded 64-bit copy of IE... and I'm finding that there appears to have been some return of the crashing, though nowhere near as bad as the original. A prolonged flu has prevented me from getting back to their support people to discuss this yet.

All in all, it seems like a reasonable idea, and they are helpful people, but I'm not actually convinced that it is really ready for deployment on 64-bit systems, which are after all increasingly popular.

D.

From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto-bounces at chiark.greenend.org.uk] On Behalf Of Martin Gardner
Sent: 27 October 2010 20:25
To: ukcrypto at chiark.greenend.org.uk
Subject: RBS and HSBC using Rapport any advice or opinions?

Hi,

I have been wondering whether it is worthwhile giving in to the nagging from RBS and now HSBC to install Rapport (http://www.rbs.co.uk/corporate/ms/sc/online-security/rapport.ashx) for use with internet banking.

Before I go to the effort of investigating Rapport myself has anyone else looked into it?
What is the general opinion of it?

Does anyone know what the position might be if I continue to refuse to use it? Especially if I then become a victim of fraud?

Thanks in advance

Martin
---
Martin Gardner
ukcrypto at magardner.co.uk
-------------- next part --------------
An HTML attachment was scrubbed...
URL: