From passiveprofits at yahoo.com Tue Feb 1 12:06:26 2011
From: passiveprofits at yahoo.com (Passive PROFITS)
Date: Tue, 1 Feb 2011 04:06:26 -0800 (PST)
Subject: nationwide interception of Facebook & webmail login credentials in Tunisia
In-Reply-To: <66qdYNGDltRNFADw@highwayman.com>
Message-ID: <967334.31727.qm@web110506.mail.gq1.yahoo.com>

--- On Mon, 1/31/11, Richard Clayton wrote:

> From: Richard Clayton
> Subject: Re: nationwide interception of Facebook & webmail login credentials in Tunisia
> To: UKcrypto at chiark.greenend.org.uk
> Date: Monday, January 31, 2011, 7:46 AM
> In article <967819.51174.qm at web110516.mail.gq1.yahoo.com>, Passive PROFITS writes
>
> >So Cert Patrol just picked up an SSL certificate switch for
> >encrypted.google.com; here's the new SHA1 fingerprint I've got...
> >
> >F1:BD:D4:59:78:7F:6B:EB:2F:4D:A8:72:E1:74:86:53:79:6B:3A:DD
> >
> >Anyone confirm they've also had a switch
>
> Yes I have that one too...  apparently it is valid from 5Jan11 to 5Jan12

Many thanks for this Richard, truly appreciated. FYI, Cert Patrol also noticed (rather a neat feature), that the switch had occurred before the expiry of the previous certificate, which is why it was flagged by Cert Patrol as 'suspicious' [apart from the switch itself which it would also have noticed regardless I think/assume]. Great extension! Though I'm no coder, and cannot check its bona-fides; does seem to work as advertised on the tin, which is always nice! :)

> My guess would be that the previous cert was about to expire so they
> have bought a new one, and now pushed it out...

Ibid; it was pushed out early; 263 days early, after only 102 days use (why; this does of course seem highly suspicious, as in theory, there would have been no need for this new cert at all for some considerable period of time)? The obvious (though not necessarily correct) implication is that the private key AND/OR passphrase, have been stolen or lost, etc.; essentially compromised in some way.
A Google for any info on the new certificate issue (though only a quick few search phrases) brought up no info whatsoever relating to this particular new certificate yesterday [done before I made the post here], in and of itself, a highly unsatisfactory state of affairs, most especially in the light of events around the world this week and last.

I took a screen shot of the Cert Patrol screen, if you're interested I could send on or off list (I do not know if this list is capable or desirous of any attachments flowing through it - moderator/owner?). If this list does not accept (or does but has a policy of not doing so) attachments, I can upload to make available for a few hours, if more than just yourself would wish to take a peek at the screen shot?

> ... means the next push will be smack in the middle of Xmas/New Year
> next year. Some lucky sysadmin will not be pleased!

Ibid; not necessarily; they seem to have changed this cert after only 102 days validity (rather than use; not sure when it was first brought into use, as opposed to 'minted').

> I note that Google have chosen to go with a 1024bit cert again, despite
> strong US Government encouragement for 2048bits. I expect that's because
> they can't face making the longer certs work on mobile platforms.

Unable to intelligently comment on this I'm afraid to say, other than it's public domain knowledge AFAIK (reported at least in the UK press by the London Evening Standard) that Google was CIA venture capital fund seeded. i.e. who knows who you're really dealing with with Google.

Thanks again for the confirmation though, very much appreciated.
Sincerely, PP

From passiveprofits at yahoo.com Tue Feb 1 15:23:06 2011
From: passiveprofits at yahoo.com (Passive PROFITS)
Date: Tue, 1 Feb 2011 07:23:06 -0800 (PST)
Subject: nationwide interception of Facebook & webmail login credentials in Tunisia
In-Reply-To:
Message-ID: <188877.45100.qm@web110505.mail.gq1.yahoo.com>

--- On Wed, 1/26/11, Roland Perry wrote:

> From: Roland Perry
> Subject: Re: nationwide interception of Facebook & webmail login credentials in Tunisia
> To: ukcrypto at chiark.greenend.org.uk
> Date: Wednesday, January 26, 2011, 2:49 AM
> In article , Mark Lomas writes
> > May I conduct an informal survey? Who on this mailing list has not removed any of the CA certificates that were pre-installed by whoever supplied your browser?

Playing email catch up today ...

I have not removed any; like Nicholas, I simply don't trust any of them. I only trust self signed certs these days, and then, only if I've received a fingerprint (of the cert), under digitally signed encrypted email (obviously with the signature showing valid), direct from someone I know who is an owner of the website in question (alternatively, have taken the fingerprint from the website concerned, where the HTML page itself has a detached signature for it or is signed, itself). This moves the debate obviously, to is the (PGP) key genuine (a whole other area of debate which I do not have the time to comment on), and does the website owner know enough about security to have kept their private key/passphrase, secure. If the website owner knows enough about crypto, that's as good as you're going to get AFAIK. Obviously if they use windows; you can forget it (IMHO) {though also see comment next re: OpenBSD}.
To respond to John Young's comment (sorry John, I missed that when first posted); essentially I agree - there is no such thing as a secure network; only levels of security, but if you're a big enough target, they'll get you somehow (even if it be simply by pin-head camera in front of (i.e. looking at) your computer screen (and/or keyboard), where TEMPEST attack, itself, would not even be required).

Summary: the entire system of certificates is a joke (unless self-issued/signed, fingerprinted, and the fingerprint distributed under digital signature). Cert Patrol is also, obviously required; or a manual check, each time the website is visited, to ensure no cert substitution has taken place.

As the recent disclosure of the OpenBSD backdoor shows (if that has not been shown to be a joke of some sort); the governments of the world (in particular the USA), are a total bunch of hypocrites - they want an insecure Internet, so they can have total control, over it. ref: Internet kill-switch debate (today?) in the USA. The governments want security for them, and insecurity for everyone else. It seems they have still not worked it out, that an 'insecure everybody else', means they cannot, themselves, be secure. Go figure.

That's my take on it ATM, anyway. Unfortunately I don't see things changing too much, either, not in the short term. :(

Best, PP

From passiveprofits at yahoo.com Tue Feb 1 17:58:40 2011
From: passiveprofits at yahoo.com (Passive PROFITS)
Date: Tue, 1 Feb 2011 09:58:40 -0800 (PST)
Subject: nationwide interception of Facebook & webmail login credentials in Tunisia
In-Reply-To: <20110126192425.GA20647@annexia.org>
Message-ID: <703270.70820.qm@web110514.mail.gq1.yahoo.com>

--- On Wed, 1/26/11, Richard W.M. Jones wrote:

> From: Richard W.M. Jones
> Subject: Re: nationwide interception of Facebook & webmail login credentials in Tunisia
> +0000, Brian Morrison wrote:
> > True, but are any CAs already present *really* more trustworthy than
> > the others?  I suspect not.
>
> I think this gets to the nub of it.  There's literally no criterion
> for trusting a CA except that I set it up myself (and even then I'm
> suspicious :-)  Why wouldn't the NSA have the private keys used by
> Verisign?  I'd actually consider them to be failing in their job if
> they *hadn't* got them.
>
> Rich.
>
> --
> Richard Jones
> Red Hat

Which I suppose is why Red Hat was recently named by the Washington Post as part of the USA military industrial complex.*

All non USA companies, governments, etc, using Red Hat products, should take note, not just of the naming of the company in this context, but of the attitude of its employees, to your/your organisation's security.

With employee attitudes to security like those expressed above, who needs a clandestine stealing of the private key/pass phrase.

The implication is clear; use Red Hat products, you're owned. :(

Best, PP

* http://www.topsecretamerica.com
http://projects.washingtonpost.com/top-secret-america/companies/?keywords=Red+Hat&x=23&y=13

From rich at annexia.org Fri Feb 4 19:23:15 2011
From: rich at annexia.org (Richard W.M. Jones)
Date: Fri, 4 Feb 2011 19:23:15 +0000
Subject: nationwide interception of Facebook & webmail login credentials in Tunisia
In-Reply-To: <703270.70820.qm@web110514.mail.gq1.yahoo.com>
References: <20110126192425.GA20647@annexia.org> <703270.70820.qm@web110514.mail.gq1.yahoo.com>
Message-ID: <20110204192315.GA28396@annexia.org>

On Tue, Feb 01, 2011 at 09:58:40AM -0800, Passive PROFITS wrote:
> --- On Wed, 1/26/11, Richard W.M. Jones wrote:
> > From: Richard W.M. Jones
> > Subject: Re: nationwide interception of Facebook & webmail login credentials in Tunisia
> > +0000, Brian Morrison wrote:
> > > True, but are any CAs already present *really* more trustworthy than
> > > the others?  I suspect not.
> >
> > I think this gets to the nub of it.  There's literally no criterion
> > for trusting a CA except that I set it up myself (and even then I'm
> > suspicious :-)  Why wouldn't the NSA have the private keys used by
> > Verisign?  I'd actually consider them to be failing in their job if
> > they *hadn't* got them.
> >
> > Rich.
> >
> > --
> > Richard Jones
> > Red Hat
>
> Which I suppose is why Red Hat was recently named by the Washington Post as part of the USA military industrial complex.*
>
> All non USA companies, governments, etc, using Red Hat products, should take note, not just of the naming of the company in this context, but of the attitude of its employees, to your/your organisation's security.
>
> With employee attitudes to security like those expressed above, who needs a clandestine stealing of the private key/pass phrase.
>
> The implication is clear; use Red Hat products, you're owned. :(

I've no idea what you're on about. I work for Red Hat (hence the .signature), but the comments here are in *no* way related to, endorsed by, authorized by, recommended by, guaranteed by, underwritten by or encouraged by Red Hat. Just to make that clear.

Rich.

--
Richard Jones
Red Hat

From mjdb at dorevale.demon.co.uk Sat Feb 5 18:27:19 2011
From: mjdb at dorevale.demon.co.uk (M J D Brown)
Date: Sat, 5 Feb 2011 18:27:19 -0000
Subject: nationwide interception of Facebook & webmail logincredentials in Tunisia
References: <20110126192425.GA20647@annexia.org><703270.70820.qm@web110514.mail.gq1.yahoo.com> <20110204192315.GA28396@annexia.org>
Message-ID: <35E405A8D8C945F5B5043635873A9599@Powerstation>

A recent experience has illuminated the CA trust problem for me. During the installation and configuration of a Netgear NAS the default assumption of its manufacturer-provided certificate resulted in a complaint by IE8.
Having generated a new certificate and key using the NAS internal firmware, Windows XP then asked me whether to trust the internal LAN URL of the NAS device as the certificate issuing authority. I know that nobody else can access the NAS admin area, because only I have the key, and data transmissions are encrypted across the LAN which is hiding behind a hardware firewall that Shields Up does not penetrate. Accordingly I approved the request. As a rhetorical question: was I misguided?

It would seem that there is a fair consensus that the present system cannot be trusted at a technical level.

Apropos the present discussion; I suggest that what we really need to identify are the pre-conditions for trusting a certificate issuing authority. If there are really no circumstances in which trust could be given, then the whole tomfoolery should be junked. Otherwise, a new system that respects the agreed pre-conditions would be a worthwhile goal.

Mike.

----- Original Message -----
From: "Richard W.M. Jones"
To: "UK Cryptography Policy Discussion Group"
Sent: Friday, February 04, 2011 7:23 PM
Subject: Re: nationwide interception of Facebook & webmail logincredentials in Tunisia

> On Tue, Feb 01, 2011 at 09:58:40AM -0800, Passive PROFITS wrote:
>> --- On Wed, 1/26/11, Richard W.M. Jones wrote:
>> > From: Richard W.M. Jones
>> > Subject: Re: nationwide interception of Facebook & webmail login
>> > credentials in Tunisia
>> > +0000, Brian Morrison wrote:
>> > > True, but are any CAs already present *really* more trustworthy than
>> > > the others? I suspect not.
>> >
>> > I think this gets to the nub of it. There's literally no criterion
>> > for trusting a CA except that I set it up myself (and even then I'm
>> > suspicious :-) Why wouldn't the NSA have the private keys used by
>> > Verisign? I'd actually consider them to be failing in their job if
>> > they *hadn't* got them.
>> >
>> > Rich.
>> >
>> > --
>> > Richard Jones
>> > Red Hat
>>
>> Which I suppose is why Red Hat was recently named by the Washington
>> Post as part of the USA military industrial complex.*
>>
>> All non USA companies, governments, etc, using Red Hat products,
>> should take note, not just of the naming of the company in this
>> context, but of the attitude of its employees, to your/your
>> organisation's security.
>>
>> With employee attitudes to security like those expressed above, who
>> needs a clandestine stealing of the private key/pass phrase.
>>
>> The implication is clear; use Red Hat products, you're owned. :(
>
> I've no idea what you're on about. I work for Red Hat (hence the
> .signature), but the comments here are in *no* way related to,
> endorsed by, authorized by, recommended by, guaranteed by,
> underwritten by or encouraged by Red Hat. Just to make that clear.
>
> Rich.
>
> --
> Richard Jones
> Red Hat
>

From matthew at pemble.net Sun Feb 6 10:23:59 2011
From: matthew at pemble.net (Matthew Pemble)
Date: Sun, 6 Feb 2011 10:23:59 +0000
Subject: nationwide interception of Facebook & webmail logincredentials in Tunisia
In-Reply-To: <35E405A8D8C945F5B5043635873A9599@Powerstation>
References: <20110126192425.GA20647@annexia.org> <703270.70820.qm@web110514.mail.gq1.yahoo.com> <20110204192315.GA28396@annexia.org> <35E405A8D8C945F5B5043635873A9599@Powerstation>
Message-ID:

On 5 February 2011 18:27, M J D Brown wrote:

> LAN which
> is hiding behind a hardware firewall that Shields Up does not penetrate.
>

Speaking as an ex-pen tester, I'm really not certain that this is a properly effective security test ...

> Accordingly I approved the request. As a rhetorical question: was I
> misguided?
>
> It would seem that there is a fair consensus that the present system
> cannot be trusted at a technical level.
>

But here you know the CA - the NAS - and you have physical control of it. You are trusting it for the issue of one certificate.
Yes, somebody could have subverted the NAS firmware in order to attack you but it is quite a significant attack. Does anybody want what you have got that much?

Matthew

--
Matthew Pemble

From mjdb at dorevale.demon.co.uk Sun Feb 6 17:12:51 2011
From: mjdb at dorevale.demon.co.uk (M J D Brown)
Date: Sun, 6 Feb 2011 17:12:51 -0000
Subject: nationwide interception of Facebook & webmail logincredentials inTunisia
References: <20110126192425.GA20647@annexia.org><703270.70820.qm@web110514.mail.gq1.yahoo.com><20110204192315.GA28396@annexia.org><35E405A8D8C945F5B5043635873A9599@Powerstation>
Message-ID: <49CD7D0B5F5448C2910B56CE88561F71@Powerstation>

Thank you; that's very helpful - evidently I need to look more deeply into firewall integrity, though I cannot think that backups, etc, stored on my NAS would be an attractive target if their extraction involved significant effort.

Perhaps more worrying is the thought that subverting the NAS firmware could be worthwhile, considering that the devices might find themselves in all sorts of interesting places.

The basic question remains: what are the required conditions for a trustable CA?

Mike.

----- Original Message -----
From: "Matthew Pemble"
To: "UK Cryptography Policy Discussion Group"
Sent: Sunday, February 06, 2011 10:23 AM
Subject: Re: nationwide interception of Facebook & webmail logincredentials inTunisia

> On 5 February 2011 18:27, M J D Brown wrote:
>
>> LAN which
>> is hiding behind a hardware firewall that Shields Up does not
>> penetrate.
>>
>
> Speaking as an ex-pen tester, I'm really not certain that this is a
> properly effective security test ...
>
>> Accordingly I approved the request. As a rhetorical question: was I
>> misguided?
>>
>> It would seem that there is a fair consensus that the present system
>> cannot be trusted at a technical level.
>>
>
> But here you know the CA - the NAS - and you have physical control of it.
> You are trusting it for the issue of one certificate. Yes, somebody could
> have subverted the NAS firmware in order to attack you but it is quite a
> significant attack. Does anybody want what you have got that much?
>
> Matthew
>
> --
> Matthew Pemble
>

From igb at batten.eu.org Sun Feb 6 19:25:52 2011
From: igb at batten.eu.org (Ian Batten)
Date: Sun, 6 Feb 2011 19:25:52 +0000
Subject: nationwide interception of Facebook & webmail logincredentials in Tunisia
In-Reply-To: <35E405A8D8C945F5B5043635873A9599@Powerstation>
References: <20110126192425.GA20647@annexia.org><703270.70820.qm@web110514.mail.gq1.yahoo.com> <20110204192315.GA28396@annexia.org> <35E405A8D8C945F5B5043635873A9599@Powerstation>
Message-ID: <65EF939E-F811-44BF-B47B-986EA1A4FE54@batten.eu.org>

On 5 Feb 2011, at 18:27, M J D Brown wrote:

>
> A recent experience has illuminated the CA trust problem for me. During
> the installation and configuration of a Netgear NAS the default
> assumption of its manufacturer-provided certificate resulted in a
> complaint by IE8. Having generated a new certificate and key using the
> NAS internal firmware, Windows XP then asked me whether to trust the
> internal LAN URL of the NAS device as the certificate issuing authority.
> I know that nobody else can access the NAS admin area, because only I
> have the key, and data transmissions are encrypted across the LAN which
> is hiding behind a hardware firewall that Shields Up does not penetrate.
> Accordingly I approved the request. As a rhetorical question: was I
> misguided?

Another problem is also that it's quite subtle to figure out precisely what you're agreeing to. The intention is for your relationship with the NAS box to be bound to the certificate, so if something purporting to be your NAS box can't present that certificate "something has gone wrong".
But that doesn't require a certificate authority per se, it just requires that the particular certificate is accepted. What you really, really don't want is to accept the certificate as an authority for anything it happens to sign, because there are a lot of ways that could be exploited.

For example, imagine I control the firmware of an ADSL router. It would be trivial to generate a certificate to use to sign the administrative key, and then send the private signing key to my disused volcano lair. I can then use the fact that the victims have accepted that key to forge SSL connections to their banks.

You and I know the difference between trusting a certificate and trusting anything signed by that certificate, but most people don't. Encouraging end users to manipulate their certificate store is not likely to be a happy story.

ian

From bdm at fenrir.org.uk Mon Feb 7 10:43:01 2011
From: bdm at fenrir.org.uk (Brian Morrison)
Date: Mon, 7 Feb 2011 10:43:01 +0000
Subject: nationwide interception of Facebook & webmail logincredentials in Tunisia
In-Reply-To: <65EF939E-F811-44BF-B47B-986EA1A4FE54@batten.eu.org>
References: <20110126192425.GA20647@annexia.org> <703270.70820.qm@web110514.mail.gq1.yahoo.com> <20110204192315.GA28396@annexia.org> <35E405A8D8C945F5B5043635873A9599@Powerstation> <65EF939E-F811-44BF-B47B-986EA1A4FE54@batten.eu.org>
Message-ID: <20110207104301.00006fae@surtees.fenrir.org.uk>

On Sun, 6 Feb 2011 19:25:52 +0000
Ian Batten wrote:

> You and I know the difference between trusting a certificate and
> trusting anything signed by that certificate, but most people
> don't. Encouraging end users to manipulate their certificate store is
> not likely to be a happy story.

Can anyone think of a way to make this work on a grand scale for people that are not clued up on what certificates are, what they can do, what they are often used for and why they are necessary?
I find that most people I speak to in the pub struggle to understand much of this at all, they can just about grasp that they should be looking for a padlock symbol when they are banking or shopping online but try to delve any deeper into their knowledge and one gets a blank stare.

Essentially, all the institutions in our lives that once we trusted because we didn't know enough about them to be able to see where the holes were have now become well known enough that we are aware that much they do is not properly overseen and that often they do not have our interests at heart. And even if they do something wrongly and we suffer financial impact because of that, then our chances of redress as an individual are negligible.

Not the foundation for much trust at all I'd say.

--
Brian Morrison

From james2 at jfirth.net Mon Feb 7 10:55:02 2011
From: james2 at jfirth.net (James Firth)
Date: Mon, 7 Feb 2011 10:55:02 -0000
Subject: nationwide interception of Facebook & webmail logincredentials in Tunisia
In-Reply-To: <20110207104301.00006fae@surtees.fenrir.org.uk>
References: <20110126192425.GA20647@annexia.org> <703270.70820.qm@web110514.mail.gq1.yahoo.com> <20110204192315.GA28396@annexia.org> <35E405A8D8C945F5B5043635873A9599@Powerstation> <65EF939E-F811-44BF-B47B-986EA1A4FE54@batten.eu.org> <20110207104301.00006fae@surtees.fenrir.org.uk>
Message-ID: <006a01cbc6b5$7a04b460$6e0e1d20$@net>

Brian Morrison wrote:
> Essentially, all the institutions in our lives that once we trusted
> because we didn't know enough about them to be able to see where the
> holes were have now become well known enough that we are aware that
> much they do is not properly overseen and that often they do not have
> our interests at heart.

It depends what the purpose of the trust relationship is.

If it's to make electronic transactions secure, then is the CA to be trusted to keep the CA secret key from criminals? Probably, yes.
If it's to keep communications secure from governments, then no, of course private individuals shouldn't be encouraged to trust implicitly any central CA.

Remember that until fairly recently, strong encryption was subject to export controls. The need to secure electronic transactions online was probably a driving factor in removing most of these controls, as far as SSL is concerned at least.

What was the payback? Centrally-run trust brokers. I can't see how any centrally-managed trust broker can be trusted if considering the kind of state interference seen in countries like Egypt, but I'm not worried about my eBank.

The likes of Facebook, Twitter and Linked-IN bring trust in content back to social groupings. Truth has been seen to travel fast and mistruth quenched (e.g. false rumours that Vince Cable had resigned in the wake of the Murdoch/Sky kerfuffle - at first streams were full of the rumour but very very quickly questions about sources started flying around and the false rumour was quenched).

I wonder if a social mesh can ever offer a distributed trust authority, and whether there could be a mechanism whereby members of the social mesh can work together to maintain trust (or revoke when trust is compromised).
James Firth

From nbohm at ernest.net Mon Feb 7 11:01:08 2011
From: nbohm at ernest.net (Nicholas Bohm)
Date: Mon, 07 Feb 2011 11:01:08 +0000
Subject: nationwide interception of Facebook & webmail logincredentials in Tunisia
In-Reply-To: <20110207104301.00006fae@surtees.fenrir.org.uk>
References: <20110126192425.GA20647@annexia.org> <703270.70820.qm@web110514.mail.gq1.yahoo.com> <20110204192315.GA28396@annexia.org> <35E405A8D8C945F5B5043635873A9599@Powerstation> <65EF939E-F811-44BF-B47B-986EA1A4FE54@batten.eu.org> <20110207104301.00006fae@surtees.fenrir.org.uk>
Message-ID: <4D4FD0F4.7080202@ernest.net>

On 07/02/2011 10:43, Brian Morrison wrote:
> On Sun, 6 Feb 2011 19:25:52 +0000
> Ian Batten wrote:
>
>> You and I know the difference between trusting a certificate and
>> trusting anything signed by that certificate, but most people
>> don't. Encouraging end users to manipulate their certificate store is
>> not likely to be a happy story.
> Can anyone think of a way to make this work on a grand scale for people
> that are not clued up on what certificates are, what they can do, what
> they are often used for and why they are necessary?
>
> I find that most people I speak to in the pub struggle to understand
> much of this at all, they can just about grasp that they should be
> looking for a padlock symbol when they are banking or shopping online
> but try to delve any deeper into their knowledge and one gets a blank
> stare.
>
> Essentially, all the institutions in our lives that once we trusted
> because we didn't know enough about them to be able to see where the
> holes were have now become well known enough that we are aware that
> much they do is not properly overseen and that often they do not have
> our interests at heart. And even if they do something wrongly and we
> suffer financial impact because of that, then our chances of redress as
> an individual are negligible.
>
> Not the foundation for much trust at all I'd say.
I think certificates have made it all much harder to understand.

I find it relatively straightforward to consider trusting a signature because I can use a verification key to assure me that it was made by a signature key that I have reasons for trusting.

Once you get into relying on assurances from third parties, or chains of third parties, My Eyes Glaze Over.

PKI is too far beyond intuitive common sense to be likely ever to catch on.

Nicholas
--
Contact and PGP key here

From james2 at jfirth.net Mon Feb 7 11:05:15 2011
From: james2 at jfirth.net (James Firth)
Date: Mon, 7 Feb 2011 11:05:15 -0000
Subject: nationwide interception of Facebook & webmail logincredentials in Tunisia
In-Reply-To: <4D4FD0F4.7080202@ernest.net>
References: <20110126192425.GA20647@annexia.org> <703270.70820.qm@web110514.mail.gq1.yahoo.com> <20110204192315.GA28396@annexia.org> <35E405A8D8C945F5B5043635873A9599@Powerstation> <65EF939E-F811-44BF-B47B-986EA1A4FE54@batten.eu.org> <20110207104301.00006fae@surtees.fenrir.org.uk> <4D4FD0F4.7080202@ernest.net>
Message-ID: <006d01cbc6b6$e6b83310$b4289930$@net>

Nicholas Bohm wrote:
> On 07/02/2011 10:43, Brian Morrison wrote:
> >
> > Not the foundation for much trust at all I'd say.
>
> I think certificates have made it all much harder to understand.
>
> I find it relatively straightforward to consider trusting a signature
> ...

Signatures are not hierarchical - at least not explicitly.

Electronic certificates are, which makes them very useful in a structured organisation like government or corporation but very little use in a social setting, where trust and influence follows more of a matrix structure than a hierarchy.
James Firth

From pwt at iosis.co.uk Mon Feb 7 11:18:37 2011
From: pwt at iosis.co.uk (Peter Tomlinson)
Date: Mon, 07 Feb 2011 11:18:37 +0000
Subject: nationwide interception of Facebook & webmail logincredentialsin Tunisia
In-Reply-To: <4D4FD0F4.7080202@ernest.net>
References: <20110126192425.GA20647@annexia.org> <703270.70820.qm@web110514.mail.gq1.yahoo.com> <20110204192315.GA28396@annexia.org> <35E405A8D8C945F5B5043635873A9599@Powerstation> <65EF939E-F811-44BF-B47B-986EA1A4FE54@batten.eu.org><20110207104301.00006fae@surtees.fenrir.org.uk> <4D4FD0F4.7080202@ernest.net>
Message-ID: <4D4FD50D.5040103@iosis.co.uk>

On 07/02/2011 11:01, Nicholas Bohm wrote:
> PKI is too far beyond intuitive common sense
>
> Nicholas

Now maybe but later it could happen at the level of trusting the methods that use it. How many people actually know how radio waves propagate? Does anyone yet know how gravity works?

There are increasing numbers of countries deploying PKI for national level ID, so I think that we will get there, including trust for transactions with commercial organisations. But, as I have alluded to a little while ago, the software typically used on our PCs seems too often to confuse.

(Currently I'm having to think about whether one will be able to trust mobile phones with NFC added as a means to accept and use high value tickets - public transport, events - plus making micro or even bigger payments... It will come, along with some disasters.)
Peter

From lists at internetpolicyagency.com Mon Feb 7 11:39:54 2011
From: lists at internetpolicyagency.com (Roland Perry)
Date: Mon, 7 Feb 2011 11:39:54 +0000
Subject: nationwide interception of Facebook & webmail logincredentials in Tunisia
In-Reply-To: <4D4FD0F4.7080202@ernest.net>
References: <20110126192425.GA20647@annexia.org> <703270.70820.qm@web110514.mail.gq1.yahoo.com> <20110204192315.GA28396@annexia.org> <35E405A8D8C945F5B5043635873A9599@Powerstation> <65EF939E-F811-44BF-B47B-986EA1A4FE54@batten.eu.org> <20110207104301.00006fae@surtees.fenrir.org.uk> <4D4FD0F4.7080202@ernest.net>
Message-ID:

In article <4D4FD0F4.7080202 at ernest.net>, Nicholas Bohm writes
>PKI is too far beyond intuitive common sense to be likely ever to catch
>on.

On occasions like this I'm always reminded of the quote which isn't quite:

"If you think encryption can solve your security problems then you don't understand the problems and you don't understand encryption".
--
Roland Perry

From igb at batten.eu.org Mon Feb 7 13:28:33 2011
From: igb at batten.eu.org (Ian Batten)
Date: Mon, 7 Feb 2011 13:28:33 +0000
Subject: nationwide interception of Facebook & webmail logincredentials in Tunisia
In-Reply-To: <20110207104301.00006fae@surtees.fenrir.org.uk>
References: <20110126192425.GA20647@annexia.org> <703270.70820.qm@web110514.mail.gq1.yahoo.com> <20110204192315.GA28396@annexia.org> <35E405A8D8C945F5B5043635873A9599@Powerstation> <65EF939E-F811-44BF-B47B-986EA1A4FE54@batten.eu.org> <20110207104301.00006fae@surtees.fenrir.org.uk>
Message-ID: <9E0789D3-E857-441C-A70E-BDC290910749@batten.eu.org>

On 07 Feb 11, at 1043, Brian Morrison wrote:
>
> I find that most people I speak to in the pub struggle to understand
> much of this at all, they can just about grasp that they should be
> looking for a padlock symbol when they are banking or shopping online
> but try to delve any deeper into their knowledge and one gets a blank
> stare.
I think the problem is that the focus in the 1990s was on encryption: there was a real fear (although whether it was based on real risk) of interception of sensitive data in flight. We now know that the real issues are twofold: impersonation (which requires certificates to work properly, rather than just transient transport encryption) and data at rest issues (for which SSL is an irrelevance). Unfortunately, both are harder to solve and harder to communicate than mere key length.

ian

From chl at clerew.man.ac.uk Fri Feb 11 14:52:58 2011
From: chl at clerew.man.ac.uk (Charles Lindsey)
Date: Fri, 11 Feb 2011 14:52:58 -0000
Subject: nationwide interception of Facebook & webmail logincredentials in Tunisia
In-Reply-To: <20110207104301.00006fae@surtees.fenrir.org.uk>
References: <20110126192425.GA20647@annexia.org> <703270.70820.qm@web110514.mail.gq1.yahoo.com> <20110204192315.GA28396@annexia.org> <35E405A8D8C945F5B5043635873A9599@Powerstation> <65EF939E-F811-44BF-B47B-986EA1A4FE54@batten.eu.org> <20110207104301.00006fae@surtees.fenrir.org.uk>
Message-ID:

On Mon, 07 Feb 2011 10:43:01 -0000, Brian Morrison wrote:

> I find that most people I speak to in the pub struggle to understand
> much of this at all, they can just about grasp that they should be
> looking for a padlock symbol when they are banking or shopping online
> but try to delve any deeper into their knowledge and one gets a blank
> stare.

I think the one further thing the man in the pub needs to understand is that, when he sees a padlock, he should click on it and see whether the name that comes up is what he expected.

--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131     Web: http://www.cs.man.ac.uk/~chl
Email: chl at clerew.man.ac.uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5

From lists at internetpolicyagency.com Fri Feb 11 15:54:25 2011
From: lists at internetpolicyagency.com (Roland Perry)
Date: Fri, 11 Feb 2011 15:54:25 +0000
Subject: nationwide interception of Facebook & webmail login credentials in Tunisia
In-Reply-To:
References: <20110126192425.GA20647@annexia.org> <703270.70820.qm@web110514.mail.gq1.yahoo.com> <20110204192315.GA28396@annexia.org> <35E405A8D8C945F5B5043635873A9599@Powerstation> <65EF939E-F811-44BF-B47B-986EA1A4FE54@batten.eu.org> <20110207104301.00006fae@surtees.fenrir.org.uk>
Message-ID:

In article , Charles Lindsey writes
>I think the one further thing the man in the pub needs to understand is
>that, when he sees a padlock, he should click on it and see whether the
>name that comes up is what he expected.

That rather depends where the padlock is. The biggest failure of this so-called security strategy is where the naive user is supposed to see the padlock.
--
Roland Perry

From benc at hawaga.org.uk Fri Feb 11 15:04:24 2011
From: benc at hawaga.org.uk (Ben Clifford)
Date: Fri, 11 Feb 2011 15:04:24 +0000 (GMT)
Subject: nationwide interception of Facebook & webmail login credentials in Tunisia
In-Reply-To:
References: <20110126192425.GA20647@annexia.org> <703270.70820.qm@web110514.mail.gq1.yahoo.com> <20110204192315.GA28396@annexia.org> <35E405A8D8C945F5B5043635873A9599@Powerstation> <65EF939E-F811-44BF-B47B-986EA1A4FE54@batten.eu.org> <20110207104301.00006fae@surtees.fenrir.org.uk>
Message-ID:

> I think the one further thing the man in the pub needs to understand is that,
> when he sees a padlock, he should click on it and see whether the name that
> comes up is what he expected.

Safari does that for you automatically - when I go to natwest's home page and click on the online banking link, I get 'Royal Bank of Scotland Group plc'. So RBS either 0wns or owns natwest? But it doesn't match up with who I went to - NatWest.

(Also, I went to the obvious 'natwest.co.uk' and was redirected to nwolb.co.uk. Poor training for your users: don't be surprised when you're using natwest online banking if the URL is some strange letter sequence rather than the website you went to...)

--

From bdm at fenrir.org.uk Fri Feb 11 18:51:59 2011
From: bdm at fenrir.org.uk (Brian Morrison)
Date: Fri, 11 Feb 2011 18:51:59 +0000
Subject: nationwide interception of Facebook & webmail login credentials in Tunisia
In-Reply-To:
References: <20110126192425.GA20647@annexia.org> <703270.70820.qm@web110514.mail.gq1.yahoo.com> <20110204192315.GA28396@annexia.org> <35E405A8D8C945F5B5043635873A9599@Powerstation> <65EF939E-F811-44BF-B47B-986EA1A4FE54@batten.eu.org> <20110207104301.00006fae@surtees.fenrir.org.uk>
Message-ID: <20110211185159.00007154@surtees.fenrir.org.uk>

On Fri, 11 Feb 2011 14:52:58 -0000 "Charles Lindsey" wrote:

> On Mon, 07 Feb 2011 10:43:01 -0000, Brian Morrison
> wrote:
>
> > I find that most people I speak to in the pub struggle to understand
> > much of this at all, they can just about grasp that they should be
> > looking for a padlock symbol when they are banking or shopping
> > online but try to delve any deeper into their knowledge and one
> > gets a blank stare.
>
> I think the one further thing the man in the pub needs to understand
> is that, when he sees a padlock, he should click on it and see
> whether the name that comes up is what he expected.
>

Which is what I meant when I said I nearly always get a blank stare :)

--
Brian Morrison

From tharg at gmx.net Mon Feb 21 16:53:42 2011
From: tharg at gmx.net (Caspar Bowden (travelling private e-mail))
Date: Mon, 21 Feb 2011 17:53:42 +0100
Subject: News of one late of this parish...(any publicity is good publicity?)
Message-ID: <004501cbd1e7$e6fa6050$b4ef20f0$@gmx.net>

Westminster eForum Keynote Seminar
eCommerce - emerging technologies, consumer rights and the Digital Single Market
with Nigel Hickson
Head of EU and International ICT policy
Department for Business, Innovation and Skills

http://www.westminsterforumprojects.co.uk/forums/agenda/ecommerce-agenda.pdf

I am sure ukcrypto old-timers wish Nigel a rousing reception....

From ukcrypto at originalthinktank.org.uk Fri Feb 25 12:26:51 2011
From: ukcrypto at originalthinktank.org.uk (Chris Salter)
Date: Fri, 25 Feb 2011 12:26:51 +0000
Subject: FYI: The Challenge of Turning Phones into Credit Cards - The Challenge of Security & Why the UK is Key.
Message-ID: <179818055.20110225122651@originalthinktank.org.uk>

Hello UKCrypto,

"The Challenge of Turning Phones into Credit Cards - The Challenge of Security & Why the UK is Key".

http://www.trustedreviews.com/mobile-phones/review/2011/02/24/The-Challenge-of-Turning-Phones-into-Credit-Cards/p1?utm_source=newsletter&utm_campaign=clicks&utm_medium=daily_20110225_1277
or
http://preview.tinyurl.com/4w4wz46

Regards to All,
Chris

--
Chris Salter mailto:ukcrypto at originalthinktank.org.uk
Cornwall United Kingdom
http://www.originalthinktank.org.uk/

From zenadsl6186 at zen.co.uk Fri Feb 25 14:26:08 2011
From: zenadsl6186 at zen.co.uk (Peter Fairbrother)
Date: Fri, 25 Feb 2011 14:26:08 +0000
Subject: FYI: The Challenge of Turning Phones into Credit Cards - The Challenge of Security & Why the UK is Key.
In-Reply-To: <179818055.20110225122651@originalthinktank.org.uk>
References: <179818055.20110225122651@originalthinktank.org.uk>
Message-ID: <4D67BC00.1040009@zen.co.uk>

Chris Salter wrote:
> Hello UKCrypto,
>
> "The Challenge of Turning Phones into Credit Cards - The Challenge of
> Security & Why the UK is Key".
>
> http://www.trustedreviews.com/mobile-phones/review/2011/02/24/The-Challenge-of-Turning-Phones-into-Credit-Cards/p1?utm_source=newsletter&utm_campaign=clicks&utm_medium=daily_20110225_1277
> or
> http://preview.tinyurl.com/4w4wz46

It seems to be a very stupid implementation, and quite possibly a stupid idea as well - no-one seems to have worked out the security model so far, or even have worked out any working security model.

That should have been done *first*.

Is this micropayments, or major purchases? Is a PIN entered on the 'phone? Does the issuer put a tamperproof chip in the 'phone?

I'm not surprised that the Kaspersky guy is keen, more business for him - but is he going to take responsibility, and more important accept liability, when things go wrong? As K. take zero liability for the effectiveness of their software at present, I kinda doubt it.

However if Visa want to implement it, and take the risk, fine by me - as long as I don't have to bail them out (again), and as long as paying by card remains an option. This should be a legal requirement, like chip and signature cards vs chip and PIN cards.

Come to think of it, it may be a legal requirement already, depending on the way the present law is interpreted - but that's not an area of law I'm familiar with.

BTW I don't have a mobile 'phone, and I don't want one.

-- Peter Fairbrother

From anish.mohammed at gmail.com Fri Feb 25 14:38:48 2011
From: anish.mohammed at gmail.com (Anish Mohammed)
Date: Fri, 25 Feb 2011 14:38:48 +0000
Subject: FYI: The Challenge of Turning Phones into Credit Cards - The Challenge of Security & Why the UK is Key.
In-Reply-To: <4D67BC00.1040009@zen.co.uk>
References: <179818055.20110225122651@originalthinktank.org.uk> <4D67BC00.1040009@zen.co.uk>
Message-ID:

Hi Peter,
Doing a micropayment, I don't see much of a problem. I have to admit at this point I was working as security expert for one such product from Ericsson a decade ago. It didn't take off as it was too early (or too much security :-) )
regards
Anish

On Fri, Feb 25, 2011 at 2:26 PM, Peter Fairbrother wrote:

> Chris Salter wrote:
>
>> Hello UKCrypto,
>>
>> "The Challenge of Turning Phones into Credit Cards - The Challenge of
>> Security & Why the UK is Key".
>>
>>
>> http://www.trustedreviews.com/mobile-phones/review/2011/02/24/The-Challenge-of-Turning-Phones-into-Credit-Cards/p1?utm_source=newsletter&utm_campaign=clicks&utm_medium=daily_20110225_1277
>> or
>> http://preview.tinyurl.com/4w4wz46
>>
>
> It seems to be a very stupid implementation, and quite possibly a stupid
> idea as well - no-one seems to have worked out the security model so far, or
> even have worked out any working security model.
>
> That should have been done *first*.
>
> Is this micropayments, or major purchases? Is a PIN entered on the 'phone?
> Does the issuer put a tamperproof chip in the 'phone?
>
> I'm not surprised that the Kaspersky guy is keen, more business for him -
> but is he going to take responsibility, and more important accept liability,
> when things go wrong? As K. take zero liability for the effectiveness of
> their software at present, I kinda doubt it.
>
>
>
> However if Visa want to implement it, and take the risk, fine by me - as
> long as I don't have to bail them out (again), and as long as paying by card
> remains an option. This should be a legal requirement, like chip and
> signature cards vs chip and PIN cards.
>
> Come to think of it, it may be a legal requirement already, depending on
> the way the present law is interpreted - but that's not an area of law I'm
> familiar with.
>
>
>
> BTW I don't have a mobile 'phone, and I don't want one.
>
>
> -- Peter Fairbrother
>

From cryptome at earthlink.net Fri Feb 25 16:13:03 2011
From: cryptome at earthlink.net (John Young)
Date: Fri, 25 Feb 2011 11:13:03 -0500
Subject: FYI: The Challenge of Turning Phones into Credit Cards - The Challenge of Security & Why the UK is Key.
In-Reply-To: <4D67BC00.1040009@zen.co.uk>
References: <179818055.20110225122651@originalthinktank.org.uk> <179818055.20110225122651@originalthinktank.org.uk>
Message-ID:

>BTW I don't have a mobile 'phone, and I don't want one.
>
>-- Peter Fairbrother

On denying having a cellphone in your sex toolkit:

The Chinese "father" of the Great Firewall claims that the Internet is being used by some 180 countries to spy and that is the reason the US and allies are pushing for its expansion under guise of FOI. He warns that opening North Korea via the Internet has that primary purpose.

"Father" wryly notes all the spying countries are desperately hoping to keep themselves protected from electronic invasion of their own kind, in fact that threat is the rationale for cyber-spying on everybody else and direly warning (in unison) digital armageddon is nigh.

He admits to that self-selfing pathology on behalf of the Chinese populace's need for protection, parroting the lingo of mercenary protectors throughout history.

Oddly, there have been far fewer similar warnings about cellphones,
now more widely available to the world's populace than the Internet (even more than golden calved social media), and much cheaper (millions being handed out for free, thanks to highly trusted NGOs, handily provided with solar batteries for uninterrupted spew), more portable, more geo-trackable across borders, more readily recordable, more linkable to individuals, less secure and less warned against (as North African despots cheered along with those giants they emulate and are bountifully armed by), and, best of all, compulsively addictable with blithe indifference to suspicion due to the Ga-Ga pleasure of instant gratification to swap secret intimacies, only occasionally walking in front of a tram or being gobbled on safari by a tiger wearing an RFID bleeping to the exotic-skin-market-checker, run, asshole, run.

Beneficially, in countries which prohibit drugs and alcohol and pornography, if not cancer sticks, cellphones are vaunted as kingly to the peasantly.

Once free cigarettes were recognized as lethal injections to destroy the body's natural defenses. Cellphones implanted in cavities, under pillows, in vehicles, in aircraft, in confessionals and love nests, in priests' and lovers' undies, no way could screwing yourself and others by humping sans sheath.

Chuck those cryptophones, Julian, Phil Zimmermann's work on them is pointing the way in, his brain is RFID'd to give only pretty good warning.

With this deep actionable intelligence (R), it would be wise to think the Internet is now a ploy to divert suspicion from those adorable iPhone ear-pieces siphoning innermost scheming.

From pwt at iosis.co.uk Fri Feb 25 16:39:13 2011
From: pwt at iosis.co.uk (Peter Tomlinson)
Date: Fri, 25 Feb 2011 16:39:13 +0000
Subject: FYI: The Challenge of Turning Phones into Credit Cards - The Challenge of Security & Why the UK is Key.
In-Reply-To:
References: <179818055.20110225122651@originalthinktank.org.uk> <4D67BC00.1040009@zen.co.uk>
Message-ID: <4D67DB31.8090808@iosis.co.uk>

The transaction model described appears to be very similar to the contactless payment method using debit/credit cards that is being rolled out here now - and a dual PR push for contactless debit/credit for public transport in London, featuring Transport For London and a head Mastercard honcho, happened this week [1]. The extra gained by using the mobile phone is the bonus for the user: a receipt stored in the phone.

There is indeed a great deal of work going into transaction security for this architecture, and of course there are several architectures available for the phone and Simcard and microSD card (maybe with Bluetooth as well). This one will run and run - and a number of security people are tearing their hair out as they try to work through the matrix of not just secure element architectures but also of the multiplicity of phone operating systems.

It's a consumer product; money has to be made by transferring money and by executing the real transactions (buying things and services [2]); there will be some casualties, but a great number of people will like it.

Peter

[1] on London buses before the Olympics, on all TfL services a bit later.
[2] And money transfer in some countries

On 25/02/2011 14:38, Anish Mohammed wrote:
> Hi Peter,
> Doing a micropayment, I don't see much of a problem. I have to admit
> at this point I was working as security expert for one such product
> from Ericsson a decade ago. It didn't take off as it was too early (or
> too much security :-) )
> regards
> Anish
>
> On Fri, Feb 25, 2011 at 2:26 PM, Peter Fairbrother
> wrote:
>
> Chris Salter wrote:
>
> Hello UKCrypto,
>
> "The Challenge of Turning Phones into Credit Cards - The
> Challenge of
> Security & Why the UK is Key".
>
> http://www.trustedreviews.com/mobile-phones/review/2011/02/24/The-Challenge-of-Turning-Phones-into-Credit-Cards/p1?utm_source=newsletter&utm_campaign=clicks&utm_medium=daily_20110225_1277
>
> or
> http://preview.tinyurl.com/4w4wz46
>
>
> It seems to be a very stupid implementation, and quite possibly a
> stupid idea as well - no-one seems to have worked out the security
> model so far, or even have worked out any working security model.
>
> That should have been done *first*.
>
> Is this micropayments, or major purchases? Is a PIN entered on the
> 'phone? Does the issuer put a tamperproof chip in the 'phone?
>
> I'm not surprised that the Kaspersky guy is keen, more business
> for him - but is he going to take responsibility, and more
> important accept liability, when things go wrong? As K. take zero
> liability for the effectiveness of their software at present, I
> kinda doubt it.
>
>
>
> However if Visa want to implement it, and take the risk, fine by
> me - as long as I don't have to bail them out (again), and as long
> as paying by card remains an option. This should be a legal
> requirement, like chip and signature cards vs chip and PIN cards.
>
> Come to think of it, it may be a legal requirement already,
> depending on the way the present law is interpreted - but that's
> not an area of law I'm familiar with.
>
>
>
> BTW I don't have a mobile 'phone, and I don't want one.
>
>
> -- Peter Fairbrother
>

From nbohm at ernest.net Fri Feb 25 17:04:57 2011
From: nbohm at ernest.net (Nicholas Bohm)
Date: Fri, 25 Feb 2011 17:04:57 +0000
Subject: FYI: The Challenge of Turning Phones into Credit Cards - The Challenge of Security & Why the UK is Key.
In-Reply-To: <4D67DB31.8090808@iosis.co.uk>
References: <179818055.20110225122651@originalthinktank.org.uk> <4D67BC00.1040009@zen.co.uk> <4D67DB31.8090808@iosis.co.uk>
Message-ID: <4D67E139.60303@ernest.net>

On 25/02/2011 16:39, Peter Tomlinson wrote:
> The transaction model described appears to be very similar to the
> contactless payment method using debit/credit cards that is being
> rolled out here now - and a dual PR push for contactless debit/credit
> for public transport in London, featuring Transport For London and a
> head Mastercard honcho, happened this week [1]. The extra gained by
> using the mobile phone is the bonus for the user: a receipt stored in
> the phone.
>
> There is indeed a great deal of work going into transaction security
> for this architecture, and of course there are several architectures
> available for the phone and Simcard and microSD card (maybe with
> Bluetooth as well). This one will run and run - and a number of
> security people are tearing their hair out as they try to work through
> the matrix of not just secure element architectures but also of the
> multiplicity of phone operating systems.
>
> It's a consumer product; money has to be made by transferring money and
> by executing the real transactions (buying things and services [2]);
> there will be some casualties, but a great number of people will like it.

No doubt; but some may like it less if the risk of fraud is left in their laps, so the liability model will be of equal interest to the security model.

As to the liability model, transparency will in due course reign, since Ts&Cs will necessarily be public in order to have effect.

As to the security model, who knows?

Nicholas
--
Contact and PGP key here

From bakeryworms at gmail.com Sat Feb 26 12:22:48 2011
From: bakeryworms at gmail.com (bakeryworms at gmail.com)
Date: Sat, 26 Feb 2011 12:22:48 +0000
Subject: FYI: The Challenge of Turning Phones into Credit Cards - The Challenge of Security & Why the UK is Key.
In-Reply-To: <4D67E139.60303@ernest.net>
References: <179818055.20110225122651@originalthinktank.org.uk> <4D67BC00.1040009@zen.co.uk> <4D67DB31.8090808@iosis.co.uk> <4D67E139.60303@ernest.net>
Message-ID: <268245907-1298722935-cardhu_decombobulator_blackberry.rim.net-3755308-@b18.c16.bise7.blackberry>

Sent from my BlackBerry® wireless device

-----Original Message-----
From: Nicholas Bohm
Sender: ukcrypto-bounces at chiark.greenend.org.uk
Date: Fri, 25 Feb 2011 17:04:57
To: UK Cryptography Policy Discussion Group
Reply-To: nbohm at ernest.net, UK Cryptography Policy Discussion Group
Subject: Re: FYI: The Challenge of Turning Phones into Credit Cards - The Challenge of Security & Why the UK is Key.

On 25/02/2011 16:39, Peter Tomlinson wrote:
> The transaction model described appears to be very similar to the
> contactless payment method using debit/credit cards that is being
> rolled out here now - and a dual PR push for contactless debit/credit
> for public transport in London, featuring Transport For London and a
> head Mastercard honcho, happened this week [1]. The extra gained by
> using the mobile phone is the bonus for the user: a receipt stored in
> the phone.
>
> There is indeed a great deal of work going into transaction security
> for this architecture, and of course there are several architectures
> available for the phone and Simcard and microSD card (maybe with
> Bluetooth as well). This one will run and run - and a number of
> security people are tearing their hair out as they try to work through
> the matrix of not just secure element architectures but also of the
> multiplicity of phone operating systems.
>
> It's a consumer product; money has to be made by transferring money and
> by executing the real transactions (buying things and services [2]);
> there will be some casualties, but a great number of people will like it.

No doubt; but some may like it less if the risk of fraud is left in their laps, so the liability model will be of equal interest to the security model.

As to the liability model, transparency will in due course reign, since Ts&Cs will necessarily be public in order to have effect.

As to the security model, who knows?

Nicholas
--
Contact and PGP key here