From richard at highwayman.com Wed Mar 2 11:22:48 2011
From: richard at highwayman.com (Richard Clayton)
Date: Wed, 2 Mar 2011 11:22:48 +0000
Subject: ORG intervention in judicial review of DEA
Message-ID:

ORG has been given permission to make a submission to the court in regard to the upcoming judicial review of the Digital Economy Act:

An adjunct to Jim Killock's witness statement is a technical report written by myself which discusses various issues relating to the traceability of IP addresses and the viability of detecting unlawful file sharing...

... there is some discussion of encryption, so it's marginally on topic for this list :)

--
richard Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755

From james2 at jfirth.net Fri Mar 4 11:26:12 2011
From: james2 at jfirth.net (James Firth)
Date: Fri, 4 Mar 2011 11:26:12 -0000
Subject: Adult content blocks on mobile ISPs
Message-ID: <006801cbda5e$f82f1fd0$e88d5f70$@net>

Back in 2008 I believe it was discussed on this list the possibility that ISPs implementing Phorm-like systems could lose "mere conduit" liability indemnity under S17 of the E-Commerce (EC Directive) Regs 2002 (transposition of Directive 2000/31/EC).

I also remember discussion of whether Cleanfeed-type systems could also possibly open similar discussions.

(Noting that the public archive of UKCRYPTO has not been publicly accessible for some time now.)

The debate has been re-opened with the proposal for a UK-wide adult (nb legal adult content, not illegal) content filtering system, something which some mobile phone networks have been doing for a few years, and others are following suit.

My reading of S17 E-Commerce Regs is that such filtering could open up the networks to liability, since when a subscriber initiates a session with any arbitrary HTTP/GET request, the network is making a decision on whether to pass-on the request to the intended recipient, or divert to a holding page explaining that it's been blocked, therefore the carrier did "select the receiver of the transmission" under S17(1)(b); and, potentially, depending on how it's implemented, fail the test S17(1)(c) "did not select or modify the information contained in the transmission"

The exemptions described in 17(2) and S18 (Caching) don't seem to apply.

Would any suitably qualified person on this list be prepared to make a comment - possibly for use on my blog - on this? Specifically with regards to the filtering some mobile phone companies are already doing, and also in the wider context of the campaign to prevent a UK-wide ISP filter?

James Firth

From nbohm at ernest.net Fri Mar 4 12:54:23 2011
From: nbohm at ernest.net (Nicholas Bohm)
Date: Fri, 04 Mar 2011 12:54:23 +0000
Subject: Adult content blocks on mobile ISPs
In-Reply-To: <006801cbda5e$f82f1fd0$e88d5f70$@net>
References: <006801cbda5e$f82f1fd0$e88d5f70$@net>
Message-ID: <4D70E0FF.6090208@ernest.net>

On 04/03/2011 11:26, James Firth wrote:
> Back in 2008 I believe it was discussed on this list the possibility that
> ISPs implementing Phorm-like systems could lose "mere conduit" liability
> indemnity under S17 of the E-Commerce (EC Directive) Regs 2002
> (transposition of Directive 2000/31/EC).
>
> I also remember discussion of whether Cleanfeed-type systems could also
> possibly open similar discussions.
>
> (Noting that the public archive of UKCRYPTO has not been publicly
> accessible for some time now.)
>
> The debate has been re-opened with the proposal for a UK-wide adult (nb
> legal adult content, not illegal) content filtering system, something which
> some mobile phone networks have been doing for a few years, and others are
> following suit.
>
> My reading of S17 E-Commerce Regs is that such filtering could open up the
> networks to liability, since when a subscriber initiates a session with any
> arbitrary HTTP/GET request, the network is making a decision on whether to
> pass-on the request to the intended recipient, or divert to a holding page
> explaining that it's been blocked, therefore the carrier did "select the
> receiver of the transmission" under S17(1)(b); and, potentially, depending
> on how it's implemented, fail the test S17(1)(c) "did not select or modify
> the information contained in the transmission"
>
> The exemptions described in 17(2) and S18 (Caching) don't seem to apply.
>
> Would any suitably qualified person on this list be prepared to make a
> comment - possibly for use on my blog - on this? Specifically with regards
> to the filtering some mobile phone companies are already doing, and also in
> the wider context of the campaign to prevent a UK-wide ISP filter?

I don't feel specially qualified in my understanding of directives, but I find your argument convincing - I do not think that regulation 17 will protect an ISP carrying out filtering as you describe.

But showing that the shield is removed is step one. Step two is to establish what liability can be fixed on the ISP in its absence - the regulations do not impose any liability themselves.

Nicholas
--
Contact and PGP key here

From ukcrypto at philipkatz.eu Fri Mar 4 20:25:45 2011
From: ukcrypto at philipkatz.eu (ukcrypto at philipkatz.eu)
Date: Fri, 4 Mar 2011 20:25:45 -0000
Subject: Adult content blocks on mobile ISPs
Message-ID: <000401cbdaaa$57411690$05c343b0$@philipkatz.eu>

> -----Original Message-----
> From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto-
> bounces at chiark.greenend.org.uk] On Behalf Of James Firth
> Sent: Friday, March 04, 2011 11:26 AM
>
> The debate has been re-opened with the proposal for a UK-wide adult (nb
> legal adult content, not illegal) content filtering system, something
> which some mobile phone networks have been doing for a few years, and
> others are following suit.

Is this related to increased activity by O2 in this area?

http://www.theregister.co.uk/2011/03/04/o2_filter/

--
Philip

From lists at internetpolicyagency.com Fri Mar 4 22:02:19 2011
From: lists at internetpolicyagency.com (Roland Perry)
Date: Fri, 4 Mar 2011 22:02:19 +0000
Subject: Adult content blocks on mobile ISPs
In-Reply-To: <4D70E0FF.6090208@ernest.net>
References: <006801cbda5e$f82f1fd0$e88d5f70$@net> <4D70E0FF.6090208@ernest.net>
Message-ID: <4rtHYOQrFWcNFAan@perry.co.uk>

In article <4D70E0FF.6090208 at ernest.net>, Nicholas Bohm writes
>> Back in 2008 I believe it was discussed on this list the possibility that
>> ISPs implementing Phorm-like systems could lose "mere conduit" liability
>> indemnity under S17 of the E-Commerce (EC Directive) Regs 2002
>> (transposition of Directive 2000/31/EC).

...

>I don't feel specially qualified in my understanding of directives, but
>I find your argument convincing - I do not think that regulation 17 will
>protect an ISP carrying out filtering as you describe.
>
>But showing that the shield is removed is step one. Step two is to
>establish what liability can be fixed on the ISP in its absence - the
>regulations do not impose any liability themselves.

The liability would arise from being considered an accomplice in the dissemination (I could say publication, perhaps) of content. Which was "illegal" in some way, or infringed copyright, or was defamatory etc etc.

But if we accepted that the selective blocking of *anything* destroyed the whole idea that they were a mere conduit, then that could be triggered by the OP's issue with filtering "adult" content, or it could be because they use the IWF's list (of newsgroups or websites), or because they select (sorry, identify) some emails as potential spam or actual virus-laden, or choke P2P because it exceeds a bandwidth cap, or (anti-spam again) block outbound port 25... .

So if it's the case that not letting through *everything* loses you the immunity, that train left the station long ago.

Whether any of the above is "selecting" as mentioned in the Directive, is another matter. It's not explained in the text, although the recitals suggest that what they intend is, to give immunity as long as the ISP isn't colluding with the subscriber to identify and deliver dodgy content. In other words, letting through dodgy content because you haven't bothered to filter it out, is exactly the circumstances they want the *protection* from liability to cover.

Anyway, just a few thoughts; happy to discuss it further.
--
Roland Perry

From fjmd1a at gmail.com Fri Mar 4 22:19:26 2011
From: fjmd1a at gmail.com (Francis Davey)
Date: Fri, 4 Mar 2011 22:19:26 +0000
Subject: Adult content blocks on mobile ISPs
In-Reply-To: <006801cbda5e$f82f1fd0$e88d5f70$@net>
References: <006801cbda5e$f82f1fd0$e88d5f70$@net>
Message-ID:

On 4 March 2011 11:26, James Firth wrote:
>
> Would any suitably qualified person on this list be prepared to make a
> comment - possibly for use on my blog - on this? Specifically with regards
> to the filtering some mobile phone companies are already doing, and also in
> the wider context of the campaign to prevent a UK-wide ISP filter?
>

It seems to me that filtering cannot cause mere conduit status to be lost.

The best starting point to think about it is the directive 2000/31/EC rather than the regulations (after all, who wants to talk to the monkey when they've got the organ grinder?).

Recall that for European legislation:

* interpretation is generally purposive rather more than is traditional in UK legislative acts and
* to that end, the recitals are important in aiding construction.

Recital 40 says:

"(40) Both existing and emerging disparities in Member States' legislation and case-law concerning liability of service providers acting as intermediaries prevent the smooth functioning of the internal market, in particular by impairing the development of cross-border services and producing distortions of competition; service providers have a duty to act, under certain circumstances, with a view to preventing or stopping illegal activities; this Directive should constitute the appropriate basis for the development of rapid and reliable procedures for removing and disabling access to illegal information; such mechanisms could be developed on the basis of voluntary agreements between all parties concerned and should be encouraged by Member States; it is in the interest of all parties involved in the provision of information society services to adopt and implement such procedures; the provisions of this Directive relating to liability should not preclude the development and effective operation, by the different interested parties, of technical systems of protection and identification and of technical surveillance instruments made possible by digital technology within the limits laid down by Directives 95/46/EC and 97/66/EC."

So the directive envisages that service providers should be able to act voluntarily to prevent access to "illegal" information.
It's clear that filtering/blocking and monitoring by service providers is entirely consistent with the directive's objectives (provided that any such activity is not illegal for some other reason - such as being an infringement of privacy which is covered by other directives).

Now blocking "adult" content is not the same as blocking "illegal" content, but once the point is conceded, I think it follows that the mere conduit defence must be interpreted so as to permit service providers to act in the public interest by filtering or disabling access to information.

In this light, recital 42:

"(42) The exemptions from liability established in this Directive cover only cases where the activity of the information society service provider is limited to the technical process of operating and giving access to a communication network over which information made available by third parties is transmitted or temporarily stored, for the sole purpose of making the transmission more efficient; this activity is of a mere technical, automatic and passive nature, which implies that the information society service provider has neither knowledge of nor control over the information which is transmitted or stored."

should be read as including filtering even though that isn't the literal meaning (to some minds) of "activity .. of a mere technical, automatic and passive nature."

In particular the mere conduit immunity is directed at liability for information and the rationale is that the mere conduit has no real control over the information in question (it didn't create it or select it) and therefore should not be liable for it.

Now it's possible that there could be liability for (say) an ISP that actively filtered "adult" material in such a way that it could exercise choice or control over that material but chose not to do so and the liability arose as a result of the particular material filtered or not filtered.
I doubt something that was relatively automatic (say as a result of meta tags, an "adult sites" list not edited by the ISP, and customer opt-ins). After all, ISPs do by their very nature "select" destinations in the sense that they take automatic routing decisions (or may have to).

That is my half-pennyworth anyway. There's no authority on the point directly and who knows how it might go.

--
Francis Davey

From lists at internetpolicyagency.com Fri Mar 4 23:11:52 2011
From: lists at internetpolicyagency.com (Roland Perry)
Date: Fri, 4 Mar 2011 23:11:52 +0000
Subject: Adult content blocks on mobile ISPs
In-Reply-To:
References: <006801cbda5e$f82f1fd0$e88d5f70$@net>
Message-ID: <4Yp3UDY4GXcNFApx@perry.co.uk>

In article , Francis Davey writes
>In particular the mere conduit immunity is directed at liability for
>information and the rationale is that the mere conduit has no real
>control over the information in question (it didn't create it or
>select it) and therefore should not be liable for it.

I think the crux is that they are not liable when failing-to-'select' it [ie failing to block it, or being as the name suggests a mere conduit].

>After all, ISPs do by their very nature "select" destinations in the
>sense that they take automatic routing decisions (or may have to).

If there's load balancing going on they'll be playing a part in 'selecting' where a particular bit of content is sourced from. Not that such a decision should affect what the content *is*.

But this is way beyond the sort of complication the authors were expecting to be legislating for [albeit that's for a court to decide, not the authors].
--
Roland Perry

From igb at batten.eu.org Sat Mar 5 08:38:28 2011
From: igb at batten.eu.org (Ian Batten)
Date: Sat, 5 Mar 2011 08:38:28 +0000
Subject: Adult content blocks on mobile ISPs
In-Reply-To: <4Yp3UDY4GXcNFApx@perry.co.uk>
References: <006801cbda5e$f82f1fd0$e88d5f70$@net> <4Yp3UDY4GXcNFApx@perry.co.uk>
Message-ID: <48A6804B-843F-477F-B8F2-81ECA165B6CB@batten.eu.org>

>
> But this is way beyond the sort of complication the authors were expecting to be legislating for [albeit that's for a court to decide, not the authors].

It strikes me that ISPs that offer progressively finer-toothed filters on content run another risk. If an ISP offers a filtering service as a value-added proposition ("you can buy a phone for your children safe in the knowledge that we are looking after them and keeping them away from all that nasty porn") and their filtering is not (100-epsilon)% effective against said porn, wouldn't the contract holder, in this scenario a parent, have a straight-forward cause of action for non-performance, trade descriptions, etc?

In the case of most things you might sell with a child-protection purpose --- child car seats, or stairgates --- there are BS or DIN or EN standards that you can show compliance with, and if God Forbid a child is harmed through the failure in some way of your product, demonstrating that you have a correct test and quality regime so that both the design and each individual realisation of it meet the standard is probably a defence. But if you are _selling_ filtering as a contractual part of an ISP offer, what effectiveness is being offered?

Assume filtering would be aligned with BBFC criteria, so that an ISP would offer 12A, 15, 18 or R18 feeds. What ISP is going to be able to perform filtering to a "nothing that would cause a video to get an R18 certificate" standard reliably? Considering deep controversy about those standards (Dark Knight 12A, Made in Dagenham 15, discuss) just how are they going to do it?
Cleanfeed finesses this by punting the problem to the IWF who have a quasi-governmental role; I cannot for a second believe there is an appetite for the BBFC to "classify the Internet", a la the train-wreck of Australian government policy. But without a legal source of ratings, just what is an ISP's position if a child's phone downloads something the parents --- perhaps rightly --- see as outside the rating that has been established.

And then, of course, we have the problem that the paying customer for the filtering (the parent) isn't the end user (the child) and the latter may have no incentive to comply with the former. Ergo we hit a non-performance problem on the circumvention-resistance of the blocking technology.

Fun for all.

ian

From fjmd1a at gmail.com Sat Mar 5 08:56:38 2011
From: fjmd1a at gmail.com (Francis Davey)
Date: Sat, 5 Mar 2011 08:56:38 +0000
Subject: Adult content blocks on mobile ISPs
In-Reply-To: <48A6804B-843F-477F-B8F2-81ECA165B6CB@batten.eu.org>
References: <006801cbda5e$f82f1fd0$e88d5f70$@net> <4Yp3UDY4GXcNFApx@perry.co.uk> <48A6804B-843F-477F-B8F2-81ECA165B6CB@batten.eu.org>
Message-ID:

On 5 March 2011 08:38, Ian Batten wrote:
>
> It strikes me that ISPs that offer progressively finer-toothed filters on content run another risk. If an ISP offers a filtering service as a value-added proposition ("you can buy a phone for your children safe in the knowledge that we are looking after them and keeping them away from all that nasty porn") and their filtering is not (100-epsilon)% effective against said porn, wouldn't the contract holder, in this scenario a parent, have a straight-forward cause of action for non-performance, trade descriptions, etc?
>

Not if you made sure to word your advertising properly and drafted your contractual documents with care, no.

If you offered a 100% effective service then (i) you are an idiot (ii) you might well open yourself to contractual liability.
But assuming you have a halfway competent legal department you should be able to avoid any such problem.

[snip - sensible comments]

--
Francis Davey

From lists at internetpolicyagency.com Sat Mar 5 10:23:39 2011
From: lists at internetpolicyagency.com (Roland Perry)
Date: Sat, 5 Mar 2011 10:23:39 +0000
Subject: Adult content blocks on mobile ISPs
In-Reply-To: <48A6804B-843F-477F-B8F2-81ECA165B6CB@batten.eu.org>
References: <006801cbda5e$f82f1fd0$e88d5f70$@net> <4Yp3UDY4GXcNFApx@perry.co.uk> <48A6804B-843F-477F-B8F2-81ECA165B6CB@batten.eu.org>
Message-ID:

In article <48A6804B-843F-477F-B8F2-81ECA165B6CB at batten.eu.org>, Ian Batten writes
>>
>> But this is way beyond the sort of complication the authors were
>>expecting to be legislating for [albeit that's for a court to decide,
>>not the authors].
>
>It strikes me that ISPs that offer progressively finer-toothed filters
>on content run another risk. If an ISP offers a filtering service as
>a value-added proposition ("you can buy a phone for your children safe
>in the knowledge that we are looking after them and keeping them away
>from all that nasty porn") and their filtering is not (100-epsilon)%
>effective against said porn, wouldn't the contract holder, in this
>scenario a parent, have a straight-forward cause of action for
>non-performance, trade descriptions, etc?

It's very rare for any utility company to offer more than "best efforts", with service-level-agreements almost unknown for domestic consumers.

>In the case of most things you might sell with a child-protection
>purpose --- child car seats, or stairgates --- there are BS or DIN or
>EN standards that you can show compliance with, and if God Forbid a
>child is harmed through the failure in some way of your product,
>demonstrating that you have a correct test and quality regime so that
>both the design and each individual realisation of it meet the standard
>is probably a defence.
>But if you are _selling_ filtering as a
>contractual part of an ISP offer, what effectiveness is being offered?

People have been arguing about what a "British Standard" for filtering software would entail, for about five years. They got quite close to agreement at one point; not heard much recently.

>Assume filtering would be aligned with BBFC criteria, so that an ISP
>would offer 12A, 15, 18 or R18 feeds.

That's a non-starter because the various 'publishers' are not required to rate their content, nor can an intermediary start rating everything on the fly. (These suggestions of yours are very 20th Century if I may say so. Various proposals for rating/filtering schemes all died out a long time ago).
--
Roland Perry

From james2 at jfirth.net Sat Mar 5 11:33:04 2011
From: james2 at jfirth.net (James Firth)
Date: Sat, 5 Mar 2011 11:33:04 -0000
Subject: Adult content blocks on mobile ISPs
In-Reply-To:
References: <006801cbda5e$f82f1fd0$e88d5f70$@net> <4Yp3UDY4GXcNFApx@perry.co.uk> <48A6804B-843F-477F-B8F2-81ECA165B6CB@batten.eu.org>
Message-ID: <000601cbdb29$17e225f0$47a671d0$@net>

Roland Perry wrote:
> People have been arguing about what a "British Standard" for filtering
> software would entail, for about five years. They got quite close to
> agreement at one point; not heard much recently.

Firstly thanks everyone for the valued debate earlier on mere conduit and Directive 2000/31/EC.

I'm still of the mind that because viewing a web page is a "fetch" operation, ie solicited, then we can draw a distinction between web filtering and email filtering.

But I see problems with the lack of clarity in the legislation and analogies to "good" blocking (IWF) could lead to common-sense interpretation that filtering on its own should not be grounds to revoke mere conduit protection.
On blocking I see a practical problem that could open up any filtering system to a level of "corruption", in that any attempt to enforce a fairly rigorous age-verification system by the ISP overlooks informal content "hiding" systems currently in use by sites like Flickr (amongst many others).

Flickr carries adult content, there's no rigorous age verification required to unblock this content, so why isn't Flickr blocked by default on A.N.Arbitrary Network? Is it "too big to be blocked"?

Which brings me back to my bugbear of audience monopolies being a bigger threat to free market competition than non-neutral networks (OT: see Audience Monopoly http://ejf.me/cW and slightly more on topic: 5 problems with the UK net filtering proposal: http://ejf.me/dc )

James Firth

From igb at batten.eu.org Sat Mar 5 14:40:15 2011
From: igb at batten.eu.org (Ian Batten)
Date: Sat, 5 Mar 2011 14:40:15 +0000
Subject: Adult content blocks on mobile ISPs
In-Reply-To:
References: <006801cbda5e$f82f1fd0$e88d5f70$@net> <4Yp3UDY4GXcNFApx@perry.co.uk> <48A6804B-843F-477F-B8F2-81ECA165B6CB@batten.eu.org>
Message-ID: <27719475-43C8-4750-94DF-E148184F497E@batten.eu.org>

On 5 Mar 2011, at 10:23, Roland Perry wrote:
>
> It's very rare for any utility company to offer more than "best
> efforts", with service-level-agreements almost unknown for domestic
> consumers.

But on the other hand, they can't escape the "reasonable skill and care" test. What would be reasonable skill and care? With broadband, "consumer" broadband connections are de facto >99.9% available, and an ISP who delivered 80% and said "best efforts" would probably struggle to enforce its contracts (ie, if my ISP delivered 80% availability, I'd stop payment and argue they'd breached their side of the contract). But a filtering solution certainly isn't going to be 99.9% effective, so what does "best efforts" imply?

>
>> Assume filtering would be aligned with BBFC criteria, so that an
>> ISP would offer 12A, 15, 18 or R18 feeds.
>
> That's a non-starter because the various 'publishers' are not
> required to rate their content, nor can an intermediary start rating
> everything on the fly. (These suggestions of yours are very 20th
> Century if I may say so. Various proposals for rating/filtering
> schemes all died out a long time ago).

They're C20 because the whole issue is C20. If the publishers won't rate, and the intermediary cannot rate, how can blocking work?

ian

From lists at internetpolicyagency.com Sat Mar 5 15:06:47 2011
From: lists at internetpolicyagency.com (Roland Perry)
Date: Sat, 5 Mar 2011 15:06:47 +0000
Subject: Adult content blocks on mobile ISPs
In-Reply-To: <27719475-43C8-4750-94DF-E148184F497E@batten.eu.org>
References: <006801cbda5e$f82f1fd0$e88d5f70$@net> <4Yp3UDY4GXcNFApx@perry.co.uk> <48A6804B-843F-477F-B8F2-81ECA165B6CB@batten.eu.org> <27719475-43C8-4750-94DF-E148184F497E@batten.eu.org>
Message-ID: <$eWWlcIHGlcNFAIm@perry.co.uk>

In article <27719475-43C8-4750-94DF-E148184F497E at batten.eu.org>, Ian Batten writes
>It's very rare for any utility company to offer more than "best
>efforts", with service-level-agreements almost unknown for domestic
>consumers.
>
>But on the other hand, they can't escape the "reasonable skill and
>care" test. What would be reasonable skill and care? With broadband,
>"consumer" broadband connections are de facto >99.9% available, and an
>ISP who delivered 80% and said "best efforts" would probably struggle
>to enforce its contracts (ie, if my ISP delivered 80% availability, I'd
>stop payment and argue they'd breached their side of the contract).
>But a filtering solution certainly isn't going to be 99.9% effective,
>so what does "best efforts" imply?

Different percentages for different activities. For example, my current ISP seems to be a consistent basket case on Saturday evenings, which I assume is a result of too many iPlayer users in the vicinity.
But ask me if I have the energy to sue them to provide anything like the connection speed they sold me. [For the avoidance of doubt I don't mind that my "up to 8Mbit" turns out to be 4Mbit, that's just my distance from the exchange and the laws of physics. What I do mind is my non-streaming throughput dropping way below 4Mbit too often.]

>They're C20 because the whole issue is C20. If the publishers won't
>rate, and the intermediary cannot rate, how can blocking work?

Most people think it can't work very well, unless you have someone like the IWF working very hard to produce a small and accurate block list. From my experience of the mobile phone web blocking, it suffers from a degree of Scunthorpe effect that would be amusing if it wasn't so daft.
--
Roland Perry

From Andrew.Cormack at ja.net Mon Mar 7 09:14:21 2011
From: Andrew.Cormack at ja.net (Andrew Cormack)
Date: Mon, 7 Mar 2011 09:14:21 +0000
Subject: Adult content blocks on mobile ISPs
In-Reply-To:
References: <006801cbda5e$f82f1fd0$e88d5f70$@net> <4Yp3UDY4GXcNFApx@perry.co.uk> <48A6804B-843F-477F-B8F2-81ECA165B6CB@batten.eu.org>
Message-ID: <61E52F3A5532BE43B0211254F13883AE04E5FF@EXC001>

> -----Original Message-----
> From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto-
> bounces at chiark.greenend.org.uk] On Behalf Of Roland Perry
> Sent: 05 March 2011 10:24
> To: ukcrypto at chiark.greenend.org.uk
> Subject: Re: Adult content blocks on mobile ISPs
>
> People have been arguing about what a "British Standard" for filtering
> software would entail, for about five years. They got quite close to
> agreement at one point; not heard much recently.

The kitemark for parental control software finally exists, and the BSI reported the first award of it a couple of months ago:
http://www.bsigroup.com/en/About-BSI/News-Room/BSI-News-Content/General/BSI-helps-protect-children-online-with-the-award-of-the-first-Kitemarkcertification/

Cheers
Andrew
--
Andrew Cormack, Chief Regulatory Adviser, JANET(UK)
Lumen House, Library Avenue, Harwell, Didcot. OX11 0SG UK
Phone: +44 (0) 1235 822302
Blog: http://webmedia.company.ja.net/edlabblogs/regulatory-developments/

JANET, the UK's education and research network

JANET(UK) is a trading name of The JNT Association, a company limited by guarantee which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG

From igb at batten.eu.org Mon Mar 7 10:36:30 2011
From: igb at batten.eu.org (Ian Batten)
Date: Mon, 7 Mar 2011 10:36:30 +0000
Subject: Adult content blocks on mobile ISPs
In-Reply-To: <61E52F3A5532BE43B0211254F13883AE04E5FF@EXC001>
References: <006801cbda5e$f82f1fd0$e88d5f70$@net> <4Yp3UDY4GXcNFApx@perry.co.uk> <48A6804B-843F-477F-B8F2-81ECA165B6CB@batten.eu.org> <61E52F3A5532BE43B0211254F13883AE04E5FF@EXC001>
Message-ID:

On 07 Mar 11, at 0914, Andrew Cormack wrote:
>
> The kitemark for parental control software finally exists, and the BSI reported the first award of it a couple of months ago:

Well, it's pushing the phrase "kitemark" a little: it's PAS74, and warns:

> This Publicly Available Specification is not to be regarded as a British Standard. It will be withdrawn if its content is published in, or as, a British Standard.

Appendix B, which is a normative "Categories of inappropriate content" to which everything else refers, is precisely the problem. It appears to be taken from the usual collection of topics that commercial blocking software restricts, and is an absolute minefield of ambiguity. It boils down to "bad stuff? I know it when I see it."

"Romeo and Juliet" is a set work for my 12 year old at school, and indeed she'd seen a couple of productions of it by the time she was 11. I reckon the play, and more concretely the current RSC production that everyone should see as it's great, fails B.1(f) textual descriptions of sexual acts, B.2(f) glamorization of knives, B.3(a) violence on cultural community grounds, B.4(a) use of drugs. Or doesn't it count in iambs? Other plays I've taken the kids to include Lear (B.2(b) torture, mutilation), Godot (B.2(c) suicide) and Night Music (B.2(f) again, this time in three-time rather than iambs).

My children have on several occasions been sent home with the instruction to look up some webpage on the grounds that the school's filtering (which appears to be broad-brush by the LEA for everything from KS1 to A Level) blocks it. Biology, RS, History, now probably English... Meanwhile, the school's IT department puts hectoring notes in the newsletter to encourage people to run filtering software at home. I have been tempted to point this contradiction out --- that were I to run filtering software the school recommends, my children would be unable to do the homework the school sets --- but life is too short.

As no-one, so far as I can tell, runs filtering software, it's all a bit of a red herring. Are there any parents who do? I've never met any. I briefly ran squidguard on my border proxy when the kids were teeny-tiny, but now I just tell them that I can read the browser logs remotely (via OSX "Parental Controls"). My children can distinguish Arial from Helvetica and, following a rather long car journey where the conversation got a little dull, UTC from UT1; searches for fonts and timescales are more likely to lead them into forums with lots of chaotic shouting than any amount of "inappropriate content".

The elephant in the room appears to be that the main concern being aimed at by vendors is parents who wish to discourage their teenage sons from masturbating.
Trying to do that is like trying to stop water from being wet, and makes parents look like Joan Crawford (in deed, not in physique, sadly). Beyond that, the categories are so vague as to be useless, and assume a unilinear concern on the part of parents to wildly disparate issues. Even if I were minded to block access to holocaust denial, words cannot express how little I care about whether or not my children can access the odds for the 3:10 at Kempton; only last month I used odds in UK, American and European format for a little home-tutoring on ratios and proportion.

Harumph.

ian

From lists at internetpolicyagency.com Mon Mar 7 11:55:36 2011
From: lists at internetpolicyagency.com (Roland Perry)
Date: Mon, 7 Mar 2011 11:55:36 +0000
Subject: Adult content blocks on mobile ISPs
In-Reply-To:
References: <006801cbda5e$f82f1fd0$e88d5f70$@net> <4Yp3UDY4GXcNFApx@perry.co.uk> <48A6804B-843F-477F-B8F2-81ECA165B6CB@batten.eu.org> <61E52F3A5532BE43B0211254F13883AE04E5FF@EXC001>
Message-ID:

In article , Ian Batten writes
>My children have on several occasions been sent home with the
>instruction to look up some webpage on the grounds that the school's
>filtering (which appears to be broad-brush by the LEA for everything
>from KS1 to A Level) blocks it.

I know a little about this, and agree that it's very unlikely to ever take account of the age of individual children in a school (or indeed 'in education' if the same thing is supplied to all schools). How can it, as the design is either metaphorically a firewall box in the Head's study, or the functional equivalent of that in the network.
-- Roland Perry From igb at batten.eu.org Mon Mar 7 13:18:32 2011 From: igb at batten.eu.org (Ian Batten) Date: Mon, 7 Mar 2011 13:18:32 +0000 Subject: Adult content blocks on mobile ISPs In-Reply-To: References: <006801cbda5e$f82f1fd0$e88d5f70$@net> <4Yp3UDY4GXcNFApx@perry.co.uk> <48A6804B-843F-477F-B8F2-81ECA165B6CB@batten.eu.org> <61E52F3A5532BE43B0211254F13883AE04E5FF@EXC001> Message-ID: <197036DE-5915-409B-AEE6-2AD0D649ED14@batten.eu.org> On 07 Mar 11, at 1155, Roland Perry wrote: > In article , Ian Batten writes >> My children have on several occasions been sent home with the instruction to look up some webpage on the grounds that the school's filtering (which appears to be broad-brush by the LEA for everything from KS1 to A Level) blocks it. > > I know a little about this, and agree that it's very unlikely to ever take account of the age of individual children in a school (or indeed 'in education' if the same thing is supplied to all schools). How can it, as the design is either metaphorically a firewall box in the Head's study, or the functional equivalent of that in the network. Well, there's no _technical_ reason why the students couldn't supply credentials to the proxy which then set the filtering policy. But I agree, it's unlikely, and as the filters themselves have the scientific precision of a brummagem screwdriver fine adjustment is not really on the agenda. I've read the standard in more detail, and I note with sadness that the standard defines testing blocking by checking it blocks a supplied list of URLs, and testing overblocking by confirming another supplied list is not blocked. As to where those lists come from: it's experts, innit? 
ian From lists at internetpolicyagency.com Mon Mar 7 14:13:39 2011 From: lists at internetpolicyagency.com (Roland Perry) Date: Mon, 7 Mar 2011 14:13:39 +0000 Subject: Adult content blocks on mobile ISPs In-Reply-To: <197036DE-5915-409B-AEE6-2AD0D649ED14@batten.eu.org> References: <006801cbda5e$f82f1fd0$e88d5f70$@net> <4Yp3UDY4GXcNFApx@perry.co.uk> <48A6804B-843F-477F-B8F2-81ECA165B6CB@batten.eu.org> <61E52F3A5532BE43B0211254F13883AE04E5FF@EXC001> <197036DE-5915-409B-AEE6-2AD0D649ED14@batten.eu.org> Message-ID: <30S0vlOTgOdNFAzz@perry.co.uk> In article <197036DE-5915-409B-AEE6-2AD0D649ED14 at batten.eu.org>, Ian Batten writes >I've read the standard in more detail, and I note with sadness that >the standard defines testing blocking by checking it blocks a >supplied list of URLs, and testing overblocking by confirming >another supplied list is not blocked. That would be trivially easy, if the software itself had access to the first list. Is that how they do it, rather than relying upon some sort of on-the-fly context checking? I wonder which side of the line the infamous country park where "Great Tits" can be found in abundance, is? 
-- Roland Perry From igb at batten.eu.org Mon Mar 7 15:41:58 2011 From: igb at batten.eu.org (Ian Batten) Date: Mon, 7 Mar 2011 15:41:58 +0000 Subject: Adult content blocks on mobile ISPs In-Reply-To: <30S0vlOTgOdNFAzz@perry.co.uk> References: <006801cbda5e$f82f1fd0$e88d5f70$@net> <4Yp3UDY4GXcNFApx@perry.co.uk> <48A6804B-843F-477F-B8F2-81ECA165B6CB@batten.eu.org> <61E52F3A5532BE43B0211254F13883AE04E5FF@EXC001> <197036DE-5915-409B-AEE6-2AD0D649ED14@batten.eu.org> <30S0vlOTgOdNFAzz@perry.co.uk> Message-ID: <739D0ACC-A7BB-4F1C-9809-1C3D4C0FD5D1@batten.eu.org> On 07 Mar 11, at 1413, Roland Perry wrote: > In article <197036DE-5915-409B-AEE6-2AD0D649ED14 at batten.eu.org>, Ian Batten writes > >> I've read the standard in more detail, and I note with sadness that >> the standard defines testing blocking by checking it blocks a >> supplied list of URLs, and testing overblocking by confirming >> another supplied list is not blocked. > > That would be trivially easy, if the software itself had access to the first list. Is that how they do it, rather than relying upon some sort of on-the-fly context checking? It's not clear if the software has access to the list or not. If it does, then everything is meaningless, but I presume on reflection that the intent is that the lab has the list, but the software doesn't. ian From igb at batten.eu.org Mon Mar 14 14:05:23 2011 From: igb at batten.eu.org (Ian Batten) Date: Mon, 14 Mar 2011 14:05:23 +0000 Subject: DPP on "Doormat" Interpretations Message-ID: <5974A204-D96B-4183-9AE6-3319EA7968D4@batten.eu.org> http://www.guardian.co.uk/media/2011/mar/13/phone-hacking-newspapers > My position is clear: a robust attitude needs to be taken to any unauthorised interception and investigations should not be inhibited by a narrow approach to the provisions in issue. 
The approach I have taken is therefore to advise the police and CPS prosecutors to assume that the provisions of Ripa mean that an offence may be committed if a communication is intercepted or looked into after it has been accessed by the intended recipient. From tharg at gmx.net Mon Mar 14 16:06:33 2011 From: tharg at gmx.net (Caspar Bowden (travelling private e-mail)) Date: Mon, 14 Mar 2011 17:06:33 +0100 Subject: DPP on "Doormat" Interpretations In-Reply-To: <5974A204-D96B-4183-9AE6-3319EA7968D4@batten.eu.org> References: <5974A204-D96B-4183-9AE6-3319EA7968D4@batten.eu.org> Message-ID: <00b201cbe261$cb99f200$62cdd600$@gmx.net> Looks like Yates and Perry have had at least one previous encounter http://www.guardian.co.uk/commentisfree/2007/oct/24/comment.politics1 From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto-bounces at chiark.greenend.org.uk] On Behalf Of Ian Batten Sent: 14 March 2011 15:05 To: UK Cryptography Policy Discussion Group Subject: DPP on "Doormat" Interpretations http://www.guardian.co.uk/media/2011/mar/13/phone-hacking-newspapers My position is clear: a robust attitude needs to be taken to any unauthorised interception and investigations should not be inhibited by a narrow approach to the provisions in issue. The approach I have taken is therefore to advise the police and CPS prosecutors to assume that the provisions of Ripa mean that an offence may be committed if a communication is intercepted or looked into after it has been accessed by the intended recipient.
From ukcrypto at absent-minded.com Wed Mar 23 21:05:21 2011 From: ukcrypto at absent-minded.com (Mark Lomas) Date: Wed, 23 Mar 2011 21:05:21 +0000 Subject: nationwide interception of Facebook & webmail login credentials in Tunisia In-Reply-To: References: <853336.29452.qm@web110513.mail.gq1.yahoo.com> <7709868A-B145-4026-97AD-F67FDA4F7590@batten.eu.org> Message-ID: This story reminds me of something I said in January (and in about 2000): http://www.theregister.co.uk/2011/03/23/gmail_microsoft_web_credential_forgeries/ Mark On 26 January 2011 09:18, Mark Lomas wrote: > Some years ago (probably in 2000) I persuaded a major bank to remove the > majority of CA certificates from the key store of the browser they had > deployed. > > The IT department regarded the change as a nuisance, but the Legal > department understood the problem as soon as I showed them the list of CAs. > > May I conduct an informal survey? Who on this mailing list has not removed > any of the CA certificates that were pre-installed by whoever supplied your > browser? > > Mark > > > On 25 January 2011 20:24, Ian Batten wrote: > >> >> On 25 Jan 2011, at 16:18, Passive PROFITS wrote: >> >> > That would not deal with the falsifying of certificates. Assuming the >> code-base of this is not intentionally corrupt, the addition of an extension >> such as certpatrol is also required (a firefox extension), to notify one >> when the SSL cert swap by the government/ISP (using the browser accepted as >> 'true' passported C.A.(s) under their control) has taken place (a MiTM is in >> progress notification function). The other known way would be manual/local >> (each time) inspection of the cert fingerprint(s). e.g. you note Facebook's >> fingerprint then check each time it's got the same 'print. Then (once under >> notice the hack is under progress) you could retreat, or start playing your >> own pre-planned counter-measures ...
depending on the peril of the >> situation, tactics, etc, call the government, depending on the nature of >> your business, etc. >> >> There's been some recent, if un-startling, discussion of this: >> http://www.freedom-to-tinker.com/blog/sroosa/flawed-legal-architecture-certificate-authority-trust-model >> >> I suspect that once you have more than a handful of CAs, it's for >> practical purposes impossible to get any meaningful assurance that they are >> all legitimate. If CAs delegate their authority, it's difficult to even >> know that certificates whose chain of trust goes back to a CA you trust were >> actually issued by that CA. And for as long as any CA can issue a >> certificate in any name, any domain can be subverted by any one of the CAs. >> >> Which means that certificates are as weak as the weakest CA you trust, >> unless that CA in turn trusts a yet weaker CA. >> >> I've not looked at this in detail (perhaps I should) but I think it's >> possible in most browsers to trust _no_ CAs and yet trust individual >> certificates, which might have the required semantics: when a certificate is >> encountered, you check it (by whatever out of band mechanism you deem >> appropriate) and then add it to your certificate store, but you do not add >> its certifying keys. >> >> ian >> >> >> > From David_Biggins at usermgmt.com Fri Mar 25 12:01:15 2011 From: David_Biggins at usermgmt.com (David Biggins) Date: Fri, 25 Mar 2011 12:01:15 -0000 Subject: nationwide interception of Facebook & webmail login credentialsin Tunisia In-Reply-To: References: <853336.29452.qm@web110513.mail.gq1.yahoo.com><7709868A-B145-4026-97AD-F67FDA4F7590@batten.eu.org> Message-ID: I suspect that the answer is "almost everybody". The related question would also be "how many people review their installed root certificates after windows updates?" and the answer to that is probably "almost nobody".
And it wouldn't necessarily have helped at various times if you did - XP at one point had as default a feature that automatically and silently reinstated them. [ http://www.proper.com/root-cert-problem/ ] D. From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto-bounces at chiark.greenend.org.uk] On Behalf Of Mark Lomas Sent: 23 March 2011 9:05 PM To: UK Cryptography Policy Discussion Group Subject: Re: nationwide interception of Facebook & webmail login credentialsin Tunisia This story reminds me of something I said in January (and in about 2000): http://www.theregister.co.uk/2011/03/23/gmail_microsoft_web_credential_forgeries/ Mark On 26 January 2011 09:18, Mark Lomas wrote: Some years ago (probably in 2000) I persuaded a major bank to remove the majority of CA certificates from the key store of the browser they had deployed. The IT department regarded the change as a nuisance, but the Legal department understood the problem as soon as I showed them the list of CAs. May I conduct an informal survey? Who on this mailing list has not removed any of the CA certificates that were pre-installed by whoever supplied your browser? Mark On 25 January 2011 20:24, Ian Batten wrote: On 25 Jan 2011, at 16:18, Passive PROFITS wrote: > That would not deal with the falsifying of certificates. Assuming the code-base of this is not intentionally corrupt, the addition of an extension such as certpatrol is also required (a firefox extension), to notify one when the SSL cert swap by the government/ISP (using the browser accepted as 'true' passported C.A.(s) under their control) has taken place (a MiTM is in progress notification function). The other known way would be manual/local (each time) inspection of the cert fingerprint(s). e.g. you note Facebook's fingerprint then check each time it's got the same 'print. Then (once under notice the hack is under progress) you could retreat, or start playing your own pre-planned counter-measures ...
depending on the peril of the situation, tactics, etc, call the government, depending on the nature of your business, etc. There's been some recent, if un-startling, discussion of this: http://www.freedom-to-tinker.com/blog/sroosa/flawed-legal-architecture-certificate-authority-trust-model I suspect that once you have more than a handful of CAs, it's for practical purposes impossible to get any meaningful assurance that they are all legitimate. If CAs delegate their authority, it's difficult to even know that certificates whose chain of trust goes back to a CA you trust were actually issued by that CA. And for as long as any CA can issue a certificate in any name, any domain can be subverted by any one of the CAs. Which means that certificates are as weak as the weakest CA you trust, unless that CA in turn trusts a yet weaker CA. I've not looked at this in detail (perhaps I should) but I think it's possible in most browsers to trust _no_ CAs and yet trust individual certificates, which might have the required semantics: when a certificate is encountered, you check it (by whatever out of band mechanism you deem appropriate) and then add it to your certificate store, but you do not add its certifying keys. ian From tharg at gmx.net Sun Mar 27 19:19:45 2011 From: tharg at gmx.net (Caspar Bowden (travelling private e-mail)) Date: Sun, 27 Mar 2011 20:19:45 +0200 Subject: NYT on T-Mobile, Verizon & AT&T's location tracking and location data retention Message-ID: <001801cbecab$8e615fa0$ab241ee0$@gmx.net> It's Tracking Your Every Move and You May Not Even Know By NOAM COHEN Published: March 26, 2011 A favorite pastime of Internet users is to share their location: services like Google Latitude can inform friends when you are nearby; another, Foursquare, has turned reporting these updates into a game.
But as a German Green party politician, Malte Spitz, recently learned, we are already continually being tracked whether we volunteer to be or not. Cellphone companies do not typically divulge how much information they collect, so Mr. Spitz went to court to find out exactly what his cellphone company, Deutsche Telekom, knew about his whereabouts. The results were astounding. In a six-month period - from Aug 31, 2009, to Feb. 28, 2010, Deutsche Telekom had recorded and saved his longitude and latitude coordinates more than 35,000 times. It traced him from a train on the way to Erlangen at the start through to that last night, when he was home in Berlin. Mr. Spitz has provided a rare glimpse - an unprecedented one, privacy experts say - of what is being collected as we walk around with our phones. Unlike many online services and Web sites that must send "cookies" to a user's computer to try to link its traffic to a specific person, cellphone companies simply have to sit back and hit "record." "We are all walking around with little tags, and our tag has a phone number associated with it, who we called and what we do with the phone," said Sarah E. Williams, an expert on graphic information at Columbia University's architecture school. "We don't even know we are giving up that data." Tracking a customer's whereabouts is part and parcel of what phone companies do for a living. Every seven seconds or so, the phone company of someone with a working cellphone is determining the nearest tower, so as to most efficiently route calls. And for billing reasons, they track where the call is coming from and how long it has lasted. "At any given instant, a cell company has to know where you are; it is constantly registering with the tower with the strongest signal," said Matthew Blaze, a professor of computer and information science at the University of Pennsylvania who has testified before Congress on the issue. Mr. Spitz's information, Mr.
Blaze pointed out, was not based on those frequent updates, but on how often Mr. Spitz checked his e-mail. Mr. Spitz, a privacy advocate, decided to be extremely open with his personal information. Late last month, he released all the location information in a publicly accessible Google Document, and worked with Zeit Online, a sister publication of a prominent German newspaper, Die Zeit, to map those coordinates over time. "This is really the most compelling visualization in a public forum I have ever seen," said Mr. Blaze, adding that it "shows how strong a picture even a fairly low-resolution location can give." In an interview from Berlin, Mr. Spitz explained his reasons: "It was an important point to show this is not some kind of a game. I thought about it, if it is a good idea to publish all the data - I also could say, O.K., I will only publish it for five, 10 days maybe. But then I said no, I really want to publish the whole six months." In the United States, telecommunication companies do not have to report precisely what material they collect, said Kevin Bankston, a lawyer at the Electronic Frontier Foundation, who specializes in privacy. He added that based on court cases he could say that "they store more of it and it is becoming more precise." "Phones have become a necessary part of modern life," he said, objecting to the idea that "you have to hand over your personal privacy to be part of the 21st century." In the United States, there are law enforcement and safety reasons for cellphone companies being encouraged to keep track of its customers. Both the F.B.I. and the Drug Enforcement Administration have used cellphone records to identify suspects and make arrests. If the information is valuable to law enforcement, it could be lucrative for marketers. The major American cellphone providers declined to explain what exactly they collect and what they use it for. 
Verizon, for example, declined to elaborate other than to point to its privacy policy, which includes: "Information such as call records, service usage, traffic data," the statement in part reads, may be used for "marketing to you based on your use of the products and services you already have, subject to any restrictions required by law." AT&T, for example, works with a company, Sense Networks, that uses anonymous location information "to better understand aggregate human activity." One product, CitySense, makes recommendations about local nightlife to customers who choose to participate based on their cellphone usage. (Many smartphone apps already on the market are based on location but that's with the consent of the user and through GPS, not the cellphone company's records.) Because of Germany's history, courts place a greater emphasis on personal privacy. Mr. Spitz first went to court to get his entire file in 2009 but Deutsche Telekom objected. For six months, he said, there was a "Ping Pong game" of lawyers' letters back and forth until, separately, the Constitutional Court there decided that the existing rules governing data retention, beyond those required for billing and logistics, were illegal. Soon thereafter, the two sides reached a settlement: "I only get the information that is related to me, and I don't get all the information like who am I calling, who sent me a SMS and so on," Mr. Spitz said, referring to text messages. Even so, 35,831 pieces of information were sent to him by Deutsche Telekom as an encrypted file, to protect his privacy during its transmission. Deutsche Telekom, which owns T-Mobile, Mr. Spitz's carrier, wrote in an e-mail that it stored six months' of data, as required by the law, and that after the court ruling it "immediately ceased" storing data. And a year after the court ruling outlawing this kind of data retention, there is a movement to try to get a new, more limited law passed. Mr. 
Spitz, at 26 a member of the Green Party's executive board, says he released that material to influence that debate. "I want to show the political message that this kind of data retention is really, really big and you can really look into the life of people for six months and see what they are doing where they are." While the potential for abuse is easy to imagine, in Mr. Spitz's case, there was not much revealed. "I really spend most of the time in my own neighborhood, which was quite funny for me," he said. "I am not really walking that much around." Any embarrassing details? "The data shows that I am flying sometimes," he said, rather than taking a more fuel-efficient train. "Something not that popular for a Green politician." This article has been revised to reflect the following correction: Correction: March 26, 2011 An earlier version of this article misstated Malte Spitz's partner in the mapping project. He worked with Zeit Online, not Die Zeit. Zeit Online is a sister publication of Die Zeit. A version of this article appeared in print on March 26, 2011, on page A1 of the New York edition. From maryhawking at tigers.demon.co.uk Sun Mar 27 11:11:55 2011 From: maryhawking at tigers.demon.co.uk (Mary Hawking) Date: Sun, 27 Mar 2011 11:11:55 +0100 Subject: Is Barclay's Pinsentry part of RSA SecureID - and compromised? Message-ID: <2D9F07D62E6947BB95E33FB77BE9126E@MaryPC> http://www.theregister.co.uk/2011/03/24/rsa_securid_news_blackout/ Is the Barclays pinsentry an example of RSA SecureID? AFAIAA NHS smartcards are not - unless there is something in Gem Authenticate (installed on the PC) - using this technology. Mary Hawking From tony.naggs at googlemail.com Sun Mar 27 23:31:42 2011 From: tony.naggs at googlemail.com (Tony Naggs) Date: Sun, 27 Mar 2011 23:31:42 +0100 Subject: Is Barclay's Pinsentry part of RSA SecureID - and compromised?
In-Reply-To: <2D9F07D62E6947BB95E33FB77BE9126E@MaryPC> References: <2D9F07D62E6947BB95E33FB77BE9126E@MaryPC> Message-ID: No, RSA SecurID is a quite different technology. An RSA SecurID token is physically a standalone object, about 2" * 1" * 1.2", with LCD showing a 6 digit number that changes every minute. Each token has a unique serial number, and maybe secret customer identification number for each company that uses the system, that are the base deriving the displayed number. (Details are not published by RSA.) The token serial number is registered for user with the company, and then the remote user identifies herself with both a password or PIN (something she knows) and the currently displayed number (something they have). Hence is the basis of so called two factor authentication. Speculation about RSA SecurID being broken is guessing that some secret design aspects of the system have been stolen, or maybe a list of companies using SecurID & the embedded per company secret seed numbers. Even if true a bad person would still have to have some very specific information for it to be of use: a user's account, their normal password and/or PIN, and the serial number of the SecurID token. Regards, Tony On 27 March 2011 11:11, Mary Hawking wrote: > http://www.theregister.co.uk/2011/03/24/rsa_securid_news_blackout/ > > Is the Barclays pinsentry an example of RSA SecureID? > AFAIAA NHS smartcards are not - unless there is something in Gem > Authenticate (installed on the PC) - using this technology. > > Mary Hawking > From amidgley at gmail.com Mon Mar 28 14:29:35 2011 From: amidgley at gmail.com (Adrian Midgley) Date: Mon, 28 Mar 2011 14:29:35 +0100 Subject: Is Barclay's Pinsentry part of RSA SecureID - and compromised? 
In-Reply-To: <2D9F07D62E6947BB95E33FB77BE9126E@MaryPC> References: <2D9F07D62E6947BB95E33FB77BE9126E@MaryPC> Message-ID: On 27 March 2011 11:11, Mary Hawking wrote: > http://www.theregister.co.uk/2011/03/24/rsa_securid_news_blackout/ > > AFAIAA NHS smartcards are not - unless there is something in Gem > Authenticate (installed on the PC) - using this technology. I believe these are the tags given out to people who want to access a service inside NHS Net from outside NHS Net. -- Adrian Midgley http://www.defoam.net/ From ukcrypto at lawnjam.com Mon Mar 28 13:22:59 2011 From: ukcrypto at lawnjam.com (John Lamb) Date: Mon, 28 Mar 2011 13:22:59 +0100 Subject: Is Barclay's Pinsentry part of RSA SecureID - and compromised? In-Reply-To: References: <2D9F07D62E6947BB95E33FB77BE9126E@MaryPC> Message-ID: <20110328122259.GA27778@olann.net> I would say this attack looks serious for any banks who *are* using SecurId. SecurID starts with a seed and continually changes over time. The security is based around the secrecy of the seed - being able to respond with the current number on the token proves that either you have the token itself, or you have the seed for the token and the algorithm to generate the values. If an attacker had all the seeds issued to an organisation, then they could identify your token by capturing the current number on your SecurID at a known time and comparing it to a generated list of the numbers all the issued tokens would have been displaying at that time. Once they have identified your token's seed they can impersonate you at any future time. If the attacker is targeting internet banking then they have already trojaned your PC and captured your login details, so capturing the token value as well is trivial. John On Sun, Mar 27, 2011 at 11:31:42PM +0100, Tony Naggs wrote: > No, RSA SecurID is a quite different technology.
> > An RSA SecurID token is physically a standalone object, about 2" * 1" > * 1.2", with LCD showing a 6 digit number that changes every minute. > Each token has a unique serial number, and maybe secret customer > identification number for each company that uses the system, that are > the base deriving the displayed number. (Details are not published by > RSA.) The token serial number is registered for user with the > company, and then the remote user identifies herself with both a > password or PIN (something she knows) and the currently displayed > number (something they have). Hence is the basis of so called two > factor authentication. > > Speculation about RSA SecurID being broken is guessing that some > secret design aspects of the system have been stolen, or maybe a list > of companies using SecurID & the embedded per company secret seed > numbers. Even if true a bad person would still have to have some very > specific information for it to be of use: a user's account, their > normal password and/or PIN, and the serial number of the SecurID > token. > > Regards, > Tony > > On 27 March 2011 11:11, Mary Hawking wrote: > > http://www.theregister.co.uk/2011/03/24/rsa_securid_news_blackout/ > > > > Is the Barclays pinsentry an example of RSA SecureID? > > AFAIAA NHS smartcards are not - unless there is something in Gem > > Authenticate (installed on the PC) - using this technology. > > > > Mary Hawking > > > > From igb at batten.eu.org Mon Mar 28 21:27:41 2011 From: igb at batten.eu.org (Ian Batten) Date: Mon, 28 Mar 2011 21:27:41 +0100 Subject: Is Barclay's Pinsentry part of RSA SecureID - and compromised? 
In-Reply-To: <20110328122259.GA27778@olann.net> References: <2D9F07D62E6947BB95E33FB77BE9126E@MaryPC> <20110328122259.GA27778@olann.net> Message-ID: <69AB4327-453B-46C8-8494-BBFFFDFA69CA@batten.eu.org> On 28 Mar 2011, at 13:22, John Lamb wrote: > > If an attacker had all the seeds issued to an organisation, then > they could > identify your token by capturing the current number on your SecurID > at a known > time and comparing it to a generated list of the numbers all the > issued tokens > would have been displaying at that time. Well, for a large organisation they might need two values to narrow it right down. SecureID allows for some clock drift because the tokens aren't hugely accurate. One value might only narrow things down to about one in one thousand (there will be some tokens displaying the same value, and the clocks are also drifting). Two values gets you about one in a million. ian From chl at clerew.man.ac.uk Tue Mar 29 21:43:04 2011 From: chl at clerew.man.ac.uk (Charles Lindsey) Date: Tue, 29 Mar 2011 21:43:04 +0100 (BST) Subject: Actionfraud Message-ID: <201103292043.p2TKh36B018129@clerew.man.ac.uk> Saw this on uk.comp.misc. He asks whether it is illegal. Sure seems like unlawful interception to me. >Newsgroups: uk.comp.misc >Subject: Re: Actionfraud >Date: Thu, 24 Mar 2011 14:34:13 +0000 >Organization: Scott family >Message-ID: On 24/03/11 09:22, Graham Harrison wrote: > Not so long ago there were various news items about > http://www.actionfraud.org.uk/ > > I decided it wouldn't do any harm to forward them a few scam emails so I > started doing just that. Then BT (my ISP) decided I was actually sending > spam. It hasn't stopped me sending ordinary mails but I can no longer > forward the spam/scam mails.
I tried talking to them and their help desk > initially found it difficult to believe the problem was with their own > system (it is) and when they finally got it (or said they did) they said > they couldn't do anything. > > So I went to Actionfraud whose response also suggested they didn't > understand that the problem is at BT and they suggested I print my mails > and send them to a freepost address. > > Has anyone else had any similar experiences? Yep. Bethere (as I found out) scan outgoing mails for particular strings (that they won't reveal - probably just a list of scam web sites) and assume anything containing one is spam. And of course when I tried to forward such an email to complain to a (probably) respectable ISP about one of their customers, I didn't get very far. And bethere's front-line CS didn't know. "You're spam-checking my mail" "no we're not" "yes you are - escalate the call and find out!" "Oh yes, so we are. Tough." I'm sure it's illegal to do this scanning (it's not even in their T&C's that they may/will), although I can understand an ISP's desire not to be black-listed. -- Mike Scott (unet2 [deletethis] scottsonline.org.uk) Harlow Essex England -- Charles H. Lindsey ---------At Home, doing my own thing------------------------ Tel: +44 161 436 6131 Web: http://www.cs.man.ac.uk/~chl Email: chl at clerew.man.ac.uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K. 
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5 From jon+ukcrypto at unequivocal.co.uk Wed Mar 30 01:45:16 2011 From: jon+ukcrypto at unequivocal.co.uk (Jon Ribbens) Date: Wed, 30 Mar 2011 01:45:16 +0100 Subject: Actionfraud In-Reply-To: <201103292043.p2TKh36B018129@clerew.man.ac.uk> References: <201103292043.p2TKh36B018129@clerew.man.ac.uk> Message-ID: <20110330004516.GG28020@snowy.squish.net> On Tue, Mar 29, 2011 at 09:43:04PM +0100, Charles Lindsey wrote: > I'm sure it's illegal to do this scanning (it's not even in their T&C's > that they may/will), although I can understand an ISP's desire not to be > black-listed. It's entirely standard practice to scan for spam on incoming email, why would outgoing email be any different legally? From pwt at iosis.co.uk Wed Mar 30 06:13:16 2011 From: pwt at iosis.co.uk (Peter Tomlinson) Date: Wed, 30 Mar 2011 06:13:16 +0100 Subject: Actionfraud In-Reply-To: <201103292043.p2TKh36B018129@clerew.man.ac.uk> References: <201103292043.p2TKh36B018129@clerew.man.ac.uk> Message-ID: <4D92BBEC.1090706@iosis.co.uk> I, too, have forwarded to them some scam emails - and some of those forwarded by me have been bounced as spam by the police incoming filter. Maybe I should bin this domain name - it was registered a long time ago, and thus emails sent will have been harvested by the spammers a long time ago.... Peter On 29/03/2011 21:43, Charles Lindsey wrote: > Saw this on uk.comp.misc. He asks whether it is illegal. Sure seems like > unlawful interception to me. > >> Newsgroups: uk.comp.misc >> Subject: Re: Actionfraud >> Date: Thu, 24 Mar 2011 14:34:13 +0000 >> Organization: Scott family >> Message-ID: > On 24/03/11 09:22, Graham Harrison wrote: >> Not so long ago there were various news items about >> http://www.actionfraud.org.uk/ >> >> I decided it wouldn't do any harm to forward them a few scam emails so I >> started doing just that. Then BT (my ISP) decided I was actually sending >> spam. 
It hasn't stopped me sending ordinary mails but I can no longer >> forward the spam/scam mails. I tried talking to them and their help desk >> initially found it difficult to believe the problem was with their own >> system (it is) and when they finally got it (or said they did) they said >> they couldn't do anything. >> >> So I went to Actionfraud whose response also suggested they didn't >> understand that the problem is at BT and they suggested I print my mails >> and send them to a freepost address. >> >> Has anyone else had any similar experiences? > Yep. Bethere (as I found out) scan outgoing mails for particular > strings (that they won't reveal - probably just a list of scam web > sites) and assume anything containing one is spam. And of course when I > tried to forward such an email to complain to a (probably) respectable > ISP about one of their customers, I didn't get very far. > > And bethere's front-line CS didn't know. "You're spam-checking my mail" > "no we're not" "yes you are - escalate the call and find out!" "Oh yes, > so we are. Tough." > > I'm sure it's illegal to do this scanning (it's not even in their T&C's > that they may/will), although I can understand an ISP's desire not to be > black-listed. > > > From pwt at iosis.co.uk Wed Mar 30 06:55:13 2011 From: pwt at iosis.co.uk (Peter Tomlinson) Date: Wed, 30 Mar 2011 06:55:13 +0100 Subject: Actionfraud In-Reply-To: <4D92BBEC.1090706@iosis.co.uk> References: <201103292043.p2TKh36B018129@clerew.man.ac.uk> <4D92BBEC.1090706@iosis.co.uk> Message-ID: <4D92C5C1.6090706@iosis.co.uk> And they have just bounced another one, but this time they quote their own email address (not a first line police host address, which was what they quoted a few days ago). Their message is forwarded below, as is the first part of the message that I forwarded (the bulk of it is in an html file that was attached to it) Peter Police bounce message: The following message to was undeliverable. 
The reason for the problem: 5.3.0 - Other mail system problem 550-'ATLAS(2503): Your email was detected as spam. (RCPTs:\nemail at actionfraud.org.uk)' Reporting-MTA: dns; relay.ptn-ipout02.plus.net Final-Recipient: rfc822;email at actionfraud.org.uk Action: failed Status: 5.0.0 (permanent failure) Remote-MTA: dns; [94.136.40.151] Diagnostic-Code: smtp; 5.3.0 - Other mail system problem 550-'ATLAS(2503): Your email was detected as spam. (RCPTs:\nemail at actionfraud.org.uk)' (delivery attempts: 0) Fraud attempt body included: Tuesday, March 29th 2011. From: Mr. Liu Yan Hong Kong. Dear Friend, I am Liu Yan, an employee of one of the top financial institutions here in Hong Kong. I want to use this opportunity to offer you a business undertaking with a very high monetary gain and value, mutually beneficial to both parties if you are interested, read through the attached message. On 30/03/2011 06:13, Peter Tomlinson wrote: > I, too, have forwarded to them some scam emails - and some of those > forwarded by me have been bounced as spam by the police incoming filter. > > Maybe I should bin this domain name - it was registered a long time > ago, and thus emails sent will have been harvested by the spammers a > long time ago.... > > Peter > > On 29/03/2011 21:43, Charles Lindsey wrote: >> Saw this on uk.comp.misc. He asks whether it is illegal. Sure seems like >> unlawful interception to me. >> >>> Newsgroups: uk.comp.misc >>> Subject: Re: Actionfraud >>> Date: Thu, 24 Mar 2011 14:34:13 +0000 >>> Organization: Scott family >>> Message-ID: >> On 24/03/11 09:22, Graham Harrison wrote: >>> Not so long ago there were various news items about >>> http://www.actionfraud.org.uk/ >>> >>> I decided it wouldn't do any harm to forward them a few scam emails >>> so I >>> started doing just that. Then BT (my ISP) decided I was actually >>> sending >>> spam. It hasn't stopped me sending ordinary mails but I can no longer >>> forward the spam/scam mails. 
I tried talking to them and their help >>> desk >>> initially found it difficult to believe the problem was with their own >>> system (it is) and when they finally got it (or said they did) they >>> said >>> they couldn't do anything. >>> >>> So I went to Actionfraud whose response also suggested they didn't >>> understand that the problem is at BT and they suggested I print my >>> mails >>> and send them to a freepost address. >>> >>> Has anyone else had any similar experiences? >> Yep. Bethere (as I found out) scan outgoing mails for particular >> strings (that they won't reveal - probably just a list of scam web >> sites) and assume anything containing one is spam. And of course when I >> tried to forward such an email to complain to a (probably) respectable >> ISP about one of their customers, I didn't get very far. >> >> And bethere's front-line CS didn't know. "You're spam-checking my mail" >> "no we're not" "yes you are - escalate the call and find out!" "Oh yes, >> so we are. Tough." >> >> I'm sure it's illegal to do this scanning (it's not even in their T&C's >> that they may/will), although I can understand an ISP's desire not to be >> black-listed. >> >> >> > > From lists at internetpolicyagency.com Wed Mar 30 07:23:13 2011 From: lists at internetpolicyagency.com (Roland Perry) Date: Wed, 30 Mar 2011 07:23:13 +0100 Subject: Actionfraud In-Reply-To: <4D92BBEC.1090706@iosis.co.uk> References: <201103292043.p2TKh36B018129@clerew.man.ac.uk> <4D92BBEC.1090706@iosis.co.uk> Message-ID: In article <4D92BBEC.1090706 at iosis.co.uk>, Peter Tomlinson writes >I, too, have forwarded to them some scam emails - and some of those >forwarded by me have been bounced as spam by the police incoming filter. I have forwarded several, and they were *all* bounced back by the AF gateway. As for the legality of filtering outgoing (or indeed incoming) emails; they are either being dropped, or "returned to sender", neither of which is interception. 
-- Roland Perry From igb at batten.eu.org Wed Mar 30 08:28:51 2011 From: igb at batten.eu.org (Ian Batten) Date: Wed, 30 Mar 2011 08:28:51 +0100 Subject: Actionfraud In-Reply-To: <20110330004516.GG28020@snowy.squish.net> References: <201103292043.p2TKh36B018129@clerew.man.ac.uk> <20110330004516.GG28020@snowy.squish.net> Message-ID: <89AB1B2F-74CD-431C-81DF-85BAD6B4AEF8@batten.eu.org> On 30 Mar 2011, at 01:45, Jon Ribbens wrote: > On Tue, Mar 29, 2011 at 09:43:04PM +0100, Charles Lindsey wrote: >> I'm sure it's illegal to do this scanning (it's not even in their T&C's >> that they may/will), although I can understand an ISP's desire not to be >> black-listed. > > It's entirely standard practice to scan for spam on incoming email, At an ISP level? I'm not sure that's true, is it? ian From wmheath at gmail.com Wed Mar 30 08:36:37 2011 From: wmheath at gmail.com (William Heath) Date: Wed, 30 Mar 2011 08:36:37 +0100 Subject: Actionfraud In-Reply-To: References: <201103292043.p2TKh36B018129@clerew.man.ac.uk> <4D92BBEC.1090706@iosis.co.uk> Message-ID: Note the Actionfraud web site says *Got an email bounce back? We have still received the scam emails you forward to us even if you get a bounce back message. The bounce back message just means the email has gone into a holding area for spam, which is then released and received by us as usual. You therefore do not need to contact us again once you have forwarded your scam emails.* William -- ctrl-shift.co.uk mydex.org On 30 March 2011 07:23, Roland Perry wrote: > In article <4D92BBEC.1090706 at iosis.co.uk>, Peter Tomlinson < > pwt at iosis.co.uk> writes > > I, too, have forwarded to them some scam emails - and some of those >> forwarded by me have been bounced as spam by the police incoming filter. >> > > I have forwarded several, and they were *all* bounced back by the AF > gateway. 
> > As for the legality of filtering outgoing (or indeed incoming) emails; they > are either being dropped, or "returned to sender", neither of which is > interception. > -- > Roland Perry > > From otcbn at callnetuk.com Wed Mar 30 08:29:16 2011 From: otcbn at callnetuk.com (Peter Mitchell) Date: Wed, 30 Mar 2011 08:29:16 +0100 Subject: Actionfraud In-Reply-To: <201103292043.p2TKh36B018129@clerew.man.ac.uk> References: <201103292043.p2TKh36B018129@clerew.man.ac.uk> Message-ID: <4D92DBCC.1090200@callnetuk.com> Charles Lindsey wrote on 29-03-11 21:43: > Yep. Bethere (as I found out) scan outgoing mails for particular > strings (that they won't reveal - probably just a list of scam web > sites) and assume anything containing one is spam. Yes, we use Be and we had this too. The worst thing is that you don't know they are doing it - they simply fail to deliver your outgoing email. No bounce warning or anything. We only noticed it when my wife was trying to reply to an email with one of these forbidden strings in it. She uses that daft email convention where you reply by reproducing the whole of the previous correspondence at the bottom and add your comments at the top; so the forbidden string was still in her outgoing message when she tried to send it. Be stopped it going out (oddly they hadn't blocked the incoming e-mail with the offending string). It took me ages to discover what was happening. > And of course when I > tried to forward such an email to complain to a (probably) respectable > ISP about one of their customers, I didn't get very far. > > And bethere's front-line CS didn't know. "You're spam-checking my mail" > "no we're not" "yes you are - escalate the call and find out!" "Oh yes, > so we are. Tough." I find it kind of comforting that their own staff don't know what's going on either. It makes me feel less persecuted. 
-- Pete Mitchell From pwt at iosis.co.uk Wed Mar 30 10:20:03 2011 From: pwt at iosis.co.uk (Peter Tomlinson) Date: Wed, 30 Mar 2011 10:20:03 +0100 Subject: Actionfraud In-Reply-To: References: <201103292043.p2TKh36B018129@clerew.man.ac.uk> <4D92BBEC.1090706@iosis.co.uk> Message-ID: <4D92F5C3.6010209@iosis.co.uk> So a bounce is here not a bounce but is a reflection. But this seems new to me, and perhaps coincides with the bounces starting to be labelled as from their own system: The following message to was undeliverable. The reason for the problem: 5.3.0 - Other mail system problem 550-'ATLAS(2503): Your email was detected as spam. (RCPTs:\nemail at actionfraud.org.uk)' rather than from (as happened at first): actionfraud at attorneygeneral.gsi.gov.uk (generated from email at actionfraud.org.uk) or from (as was happening later): AdvanceFeeFraud at city-of-london.pnn.police.uk So it's getting better - good. Peter On 30/03/2011 08:36, William Heath wrote: > Note the Actionfraud web site says > > > *Got an email bounce back? We have still received the scam emails you > forward to us even if you get a bounce back message. The bounce back > message just means the email has gone into a holding area for spam, > which is then released and received by us as usual. You therefore do > not need to contact us again once you have forwarded your scam emails.* > > > William > -- > ctrl-shift.co.uk > mydex.org > > > On 30 March 2011 07:23, Roland Perry > wrote: > > In article <4D92BBEC.1090706 at iosis.co.uk > >, Peter Tomlinson > > writes > > I, too, have forwarded to them some scam emails - and some of > those forwarded by me have been bounced as spam by the police > incoming filter. > > > I have forwarded several, and they were *all* bounced back by the > AF gateway. > > As for the legality of filtering outgoing (or indeed incoming) > emails; they are either being dropped, or "returned to sender", > neither of which is interception. 
> -- > Roland Perry > > > > > From jon+ukcrypto at unequivocal.co.uk Wed Mar 30 11:49:27 2011 From: jon+ukcrypto at unequivocal.co.uk (Jon Ribbens) Date: Wed, 30 Mar 2011 11:49:27 +0100 Subject: Actionfraud In-Reply-To: <89AB1B2F-74CD-431C-81DF-85BAD6B4AEF8@batten.eu.org> References: <201103292043.p2TKh36B018129@clerew.man.ac.uk> <20110330004516.GG28020@snowy.squish.net> <89AB1B2F-74CD-431C-81DF-85BAD6B4AEF8@batten.eu.org> Message-ID: <20110330104927.GI28020@snowy.squish.net> On Wed, Mar 30, 2011 at 08:28:51AM +0100, Ian Batten wrote: > > On 30 Mar 2011, at 01:45, Jon Ribbens wrote: > > > On Tue, Mar 29, 2011 at 09:43:04PM +0100, Charles Lindsey wrote: > >> I'm sure it's illegal to do this scanning (it's not even in their T&C's > >> that they may/will), although I can understand an ISP's desire not to be > >> black-listed. > > > > It's entirely standard practice to scan for spam on incoming email, > > At an ISP level? I'm not sure that's true, is it? Hmm, I'm gonna have to go with "yes it is". From paul at blacksun.org.uk Wed Mar 30 13:22:52 2011 From: paul at blacksun.org.uk (Paul Walker) Date: Wed, 30 Mar 2011 13:22:52 +0100 Subject: Actionfraud In-Reply-To: <4D92DBCC.1090200@callnetuk.com> References: <201103292043.p2TKh36B018129@clerew.man.ac.uk> <4D92DBCC.1090200@callnetuk.com> Message-ID: <20110330122252.GA6074@blacksun.vm.bytemark.co.uk> On Wed, Mar 30, 2011 at 08:29:16AM +0100, Peter Mitchell wrote: > Yes, we use Be and we had this too. The worst thing is that you don't know > they are doing it - they simply fail to deliver your outgoing email. No > bounce warning or anything. Do Be also block outgoing SMTP connections to non-Be servers (SSL/TLS secured)? e.g. a virtual machine rented elsewhere which accepts SSL-secured authenticated relays? (NB - I've considered moving to Be and so I'm just looking for information, not saying it's your own fault for not doing this...) 
-- Paul It is funny about life: if you refuse to accept anything but the very best you will very often get it. -- W. Somerset Maugham From jon+ukcrypto at unequivocal.co.uk Wed Mar 30 17:25:02 2011 From: jon+ukcrypto at unequivocal.co.uk (Jon Ribbens) Date: Wed, 30 Mar 2011 17:25:02 +0100 Subject: Actionfraud In-Reply-To: <20110330122252.GA6074@blacksun.vm.bytemark.co.uk> References: <201103292043.p2TKh36B018129@clerew.man.ac.uk> <4D92DBCC.1090200@callnetuk.com> <20110330122252.GA6074@blacksun.vm.bytemark.co.uk> Message-ID: <20110330162502.GP28020@snowy.squish.net> On Wed, Mar 30, 2011 at 01:22:52PM +0100, Paul Walker wrote: > On Wed, Mar 30, 2011 at 08:29:16AM +0100, Peter Mitchell wrote: > > Yes, we use Be and we had this too. The worst thing is that you don't know > > they are doing it - they simply fail to deliver your outgoing email. No > > bounce warning or anything. > > Do Be also block outgoing SMTP connections to non-Be servers (SSL/TLS > secured)? e.g. a virtual machine rented elsewhere which accepts SSL-secured > authenticated relays? Doesn't look like it to me. I can telnet from my Be connection direct to my mail server on port 25 and I see what I expect to see. From otcbn at callnetuk.com Wed Mar 30 17:27:36 2011 From: otcbn at callnetuk.com (Peter Mitchell) Date: Wed, 30 Mar 2011 17:27:36 +0100 Subject: Actionfraud In-Reply-To: <20110330122252.GA6074@blacksun.vm.bytemark.co.uk> References: <201103292043.p2TKh36B018129@clerew.man.ac.uk> <4D92DBCC.1090200@callnetuk.com> <20110330122252.GA6074@blacksun.vm.bytemark.co.uk> Message-ID: <4D9359F8.5040608@callnetuk.com> Paul Walker wrote on 30-03-11 13:22: > On Wed, Mar 30, 2011 at 08:29:16AM +0100, Peter Mitchell wrote: > >> Yes, we use Be and we had this too. The worst thing is that you don't know >> they are doing it - they simply fail to deliver your outgoing email. No >> bounce warning or anything. > > Do Be also block outgoing SMTP connections to non-Be servers (SSL/TLS > secured)? e.g. 
a virtual machine rented elsewhere which accepts SSL-secured > authenticated relays? > (NB - I've considered moving to Be and so I'm just looking for information, > not saying it's your own fault for not doing this...) You can certainly use a non-Be SMTP server - I sometimes use gmail's as a fallback. Dunno about the SSL stuff. -- Pete Mitchell From igb at batten.eu.org Wed Mar 30 18:04:27 2011 From: igb at batten.eu.org (Ian Batten) Date: Wed, 30 Mar 2011 18:04:27 +0100 Subject: Actionfraud In-Reply-To: <20110330122252.GA6074@blacksun.vm.bytemark.co.uk> References: <201103292043.p2TKh36B018129@clerew.man.ac.uk> <4D92DBCC.1090200@callnetuk.com> <20110330122252.GA6074@blacksun.vm.bytemark.co.uk> Message-ID: <27C8B5AA-7940-472B-A64D-BCDBAD62811D@batten.eu.org> On 30 Mar 2011, at 13:22, Paul Walker wrote: > On Wed, Mar 30, 2011 at 08:29:16AM +0100, Peter Mitchell wrote: > >> Yes, we use Be and we had this too. The worst thing is that you >> don't know >> they are doing it - they simply fail to deliver your outgoing >> email. No >> bounce warning or anything. > > Do Be also block outgoing SMTP connections to non-Be servers (SSL/TLS > secured)? e.g. a virtual machine rented elsewhere which accepts SSL- > secured > authenticated relays? No. Although I'm a bit of a crypto nerd about this, and protect the tunnel from (Be/O2) home to my offsite server with IPSec in tunnel mode, so it wouldn't matter to me even if they did! ian From ukcrypto at airburst.co.uk Wed Mar 30 14:33:40 2011 From: ukcrypto at airburst.co.uk (Mark Cottle) Date: Wed, 30 Mar 2011 14:33:40 +0100 Subject: Card transactions by proxy Message-ID: <4D933F44.15263.15DAD14@ukcrypto.airburst.co.uk> I've been asked for my thoughts on what seems to be a slightly odd proposal for card transactions. I wonder if anyone here can put me straight on the legal and technical positions. 
A local authority is proposing to close down a number of points that provide a general counter-service (for miscellaneous enquiries, rent payments, parking permits, bin bags and so on) and to transfer some of the functions to other facilities. At present these other facilities handle only small cash transactions and do not take card payments. In order to facilitate card payments it is proposed that staff will use existing desktop PCs to access existing public online payment facilities. They are supposed to take the card and enter the relevant information (card number, holder's name, expiry date, CSC etc) into the web interface - in effect, they carry out the standard web-based transaction for the customer. I think they are hoping most people will simply use the website option from home and the counter service will be mainly for those who don't have internet access or who aren't confident with web transactions. The proposers believe that, as the new arrangements are only supposed to deal with a limited range of transactions, which already have online versions, the authority can avoid having to put chip-n-PIN equipment at the locations concerned (thus avoiding associated costs). I'm uncomfortable with this suggestion but feel I need more information before coming to a judgement. My concerns are twofold: practical and legal. From the practical perspective I can see at least one problem in the form of 3-D Secure. If a "Verified by Visa" box or similar pops up then the staff member cannot complete the transaction because they do not (or should not) know the relevant password. And I hope those involved can see it would be obviously wrong to require staff to ask customers for such a password. I wonder if there are additional problems that fall in the legal or policy domains. I naively assume online card transactions are built upon the assumption that the card holder is the one entering the data. 
What is the legal position of a person (in this case a local authority staff member) carrying out a card transaction for another person who is the card holder? Is the customer breaching T&Cs? Who is liable for what if there is an error? Mark C From Andrew.Cormack at ja.net Wed Mar 30 15:19:23 2011 From: Andrew.Cormack at ja.net (Andrew Cormack) Date: Wed, 30 Mar 2011 14:19:23 +0000 Subject: Actionfraud In-Reply-To: <20110330104927.GI28020@snowy.squish.net> References: <201103292043.p2TKh36B018129@clerew.man.ac.uk> <20110330004516.GG28020@snowy.squish.net> <89AB1B2F-74CD-431C-81DF-85BAD6B4AEF8@batten.eu.org> <20110330104927.GI28020@snowy.squish.net> Message-ID: <61E52F3A5532BE43B0211254F13883AE05BBD0@EXC001> > -----Original Message----- > From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto- > bounces at chiark.greenend.org.uk] On Behalf Of Jon Ribbens > Sent: 30 March 2011 11:49 > To: ukcrypto at chiark.greenend.org.uk > Subject: Re: Actionfraud > > On Wed, Mar 30, 2011 at 08:28:51AM +0100, Ian Batten wrote: > > > > On 30 Mar 2011, at 01:45, Jon Ribbens wrote: > > > > > On Tue, Mar 29, 2011 at 09:43:04PM +0100, Charles Lindsey wrote: > > >> I'm sure it's illegal to do this scanning (it's not even in their > T&C's > > >> that they may/will), although I can understand an ISP's desire not > to be > > >> black-listed. > > > > > > It's entirely standard practice to scan for spam on incoming email, > > > > At an ISP level? I'm not sure that's true, is it? > > Hmm, I'm gonna have to go with "yes it is". 
And the Article 29 WP have a classic piece of reverse engineering to conclude that it's lawful ;) http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2006/wp118_en.pdf Andrew From tugwilson at gmail.com Wed Mar 30 18:35:16 2011 From: tugwilson at gmail.com (John Wilson) Date: Wed, 30 Mar 2011 18:35:16 +0100 Subject: Card transactions by proxy In-Reply-To: <4D933F44.15263.15DAD14@ukcrypto.airburst.co.uk> References: <4D933F44.15263.15DAD14@ukcrypto.airburst.co.uk> Message-ID: That's quite astonishing! Barclaycard is quite clear "8.2 You must never allow anyone else to use your card." (http://www.barclaycard-bw.com/media/bw_tc_cards_v1,4556,1.pdf) Can you tell us the name of the local authority? John Wilson From chl at clerew.man.ac.uk Wed Mar 30 20:04:02 2011 From: chl at clerew.man.ac.uk (Charles Lindsey) Date: Wed, 30 Mar 2011 20:04:02 +0100 Subject: Actionfraud In-Reply-To: <20110330004516.GG28020@snowy.squish.net> References: <201103292043.p2TKh36B018129@clerew.man.ac.uk> <20110330004516.GG28020@snowy.squish.net> Message-ID: On Wed, 30 Mar 2011 01:45:16 +0100, Jon Ribbens wrote: > On Tue, Mar 29, 2011 at 09:43:04PM +0100, Charles Lindsey wrote: >> I'm sure it's illegal to do this scanning (it's not even in their T&C's >> that they may/will), although I can understand an ISP's desire not to be >> black-listed. > > It's entirely standard practice to scan for spam on incoming email, > why would outgoing email be any different legally? Customers of ISPs usually have an option to subscribe or not to their spam filter feature. I think it is important to be able to opt out of it, otherwise you will never know that some false positives were getting lost. But there seems to be no option not to have your outgoing mail checked. If it bounced back to you, then at least you would know. But, as we have just seen, false positives abound. -- Charles H. 
Lindsey ---------At Home, doing my own thing------------------------ Tel: +44 161 436 6131
Web: http://www.cs.man.ac.uk/~chl Email: chl at clerew.man.ac.uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K. PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5 From chl at clerew.man.ac.uk Wed Mar 30 20:05:54 2011 From: chl at clerew.man.ac.uk (Charles Lindsey) Date: Wed, 30 Mar 2011 20:05:54 +0100 Subject: Actionfraud In-Reply-To: References: <201103292043.p2TKh36B018129@clerew.man.ac.uk> <4D92BBEC.1090706@iosis.co.uk> Message-ID: On Wed, 30 Mar 2011 07:23:13 +0100, Roland Perry wrote: > In article <4D92BBEC.1090706 at iosis.co.uk>, Peter Tomlinson > writes >> I, too, have forwarded to them some scam emails - and some of those >> forwarded by me have been bounced as spam by the police incoming filter. > > I have forwarded several, and they were *all* bounced back by the AF > gateway. > > As for the legality of filtering outgoing (or indeed incoming) emails; > they are either being dropped, or "returned to sender", neither of which > is interception. It all boils down to that "whether it has been made available to a person" business that got us bogged down with Phorm. Perhaps someone should raise an issue with the Information Commissioner that BT is inspecting his outgoing mails. -- Charles H. Lindsey ---------At Home, doing my own thing------------------------ Tel: +44 161 436 6131 Web: http://www.cs.man.ac.uk/~chl Email: chl at clerew.man.ac.uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K. 
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5 From jon+ukcrypto at unequivocal.co.uk Wed Mar 30 20:44:20 2011 From: jon+ukcrypto at unequivocal.co.uk (Jon Ribbens) Date: Wed, 30 Mar 2011 20:44:20 +0100 Subject: Actionfraud In-Reply-To: References: <201103292043.p2TKh36B018129@clerew.man.ac.uk> <20110330004516.GG28020@snowy.squish.net> Message-ID: <20110330194420.GQ28020@snowy.squish.net> On Wed, Mar 30, 2011 at 08:04:02PM +0100, Charles Lindsey wrote: > Customers of ISPs usually have an option to subscribe or not to their > spam filter feature. I think it is important to be able to opt out of it, > otherwise you will never know that some false positives were getting > lost. I quite agree. But that doesn't make it illegal. From lists at internetpolicyagency.com Wed Mar 30 22:02:59 2011 From: lists at internetpolicyagency.com (Roland Perry) Date: Wed, 30 Mar 2011 22:02:59 +0100 Subject: Card transactions by proxy In-Reply-To: <4D933F44.15263.15DAD14@ukcrypto.airburst.co.uk> References: <4D933F44.15263.15DAD14@ukcrypto.airburst.co.uk> Message-ID: <7Af3y+CDq5kNFAJg@perry.co.uk> In article <4D933F44.15263.15DAD14 at ukcrypto.airburst.co.uk>, Mark Cottle writes >I've been asked for my thoughts on what seems to be a slightly odd >proposal for card transactions. I wonder if anyone here can put me >straight on the legal and technical positions. > >A local authority is proposing to close down a number of points that >provide a general counter-service (for miscellaneous enquiries, rent >payments, parking permits, bin bags and so on) and to transfer some >of the functions to other facilities. At present these other >facilities handle only small cash transactions and do not take card >payments. In order to facilitate card payments it is proposed that >staff will use existing desktop PCs to access existing public online >payment facilities. 
They are supposed to take the card and enter the >relevant information (card number, holder's name, expiry date, CSC >etc) into the web interface - in effect, they carry out the standard >web-based transaction for the customer. I think they are hoping most >people will simply use the website option from home and the counter >service will be mainly for those who don't have internet access or >who aren't confident with web transactions. The proposers believe >that, as the new arrangements are only supposed to deal with a >limited range of transactions, which already have online versions, >the authority can avoid having to put chip-n-PIN equipment at the >locations concerned (thus avoiding associated costs). > >I'm uncomfortable with this suggestion but feel I need more >information before coming to a judgement. My concerns are twofold: >practical and legal. From the practical perspective I can see at >least one problem in the form of 3-D Secure. If a "Verified by Visa" >box or similar pops up then the staff member cannot complete the >transaction because they do not (or should not) know the relevant >password. And I hope those involved can see it would be obviously >wrong to require staff to ask customers for such a password. I wonder >if there are additional problems that fall in the legal or policy >domains. I naively assume online card transactions are built upon the >assumption that the card holder is the one entering the data. What is >the legal position of a person (in this case a local authority staff >member) carrying out a card transaction for another person who is the >card holder? Is the customer breaching T&Cs? Who is liable for what >if there is an error? At the most fundamental level what's happening here is that a "Cardholder not Present" transaction is being conducted with the cardholder present. That's against the rules. 
-- Roland Perry From lists at internetpolicyagency.com Wed Mar 30 22:25:18 2011 From: lists at internetpolicyagency.com (Roland Perry) Date: Wed, 30 Mar 2011 22:25:18 +0100 Subject: Actionfraud In-Reply-To: References: <201103292043.p2TKh36B018129@clerew.man.ac.uk> <4D92BBEC.1090706@iosis.co.uk> Message-ID: In article , Charles Lindsey writes >> As for the legality of filtering outgoing (or indeed incoming) >>emails; they are either being dropped, or "returned to sender", >>neither of which is interception. > >It all boils down to that "whether it has been made available to a >person" business that got us bogged down with Phorm. Not quite, because filtering out Spam can be considered as a bona-fide management issue by the ISP, and therefore exempt. Just like Virus scanning, which if we accept for a moment is Interception because it's made available to a machine with a sysadmin - or whatever that argument is - doesn't break the law for the same reason. -- Roland Perry From leon at leonclarke.org Wed Mar 30 21:32:27 2011 From: leon at leonclarke.org (Leon Clarke) Date: Wed, 30 Mar 2011 21:32:27 +0100 Subject: Card transactions by proxy In-Reply-To: <4D933F44.15263.15DAD14@ukcrypto.airburst.co.uk> References: <4D933F44.15263.15DAD14@ukcrypto.airburst.co.uk> Message-ID: It could be that this is legally viewed as a card present transaction that's been conducted using a non-approved computer system (which just happens to use an approved website as one of its components, but has other components like the PC that aren't approved for how they're being used). This is a massive breach of the local authority's agreement with the acquiring bank that runs their website's card processing. On Wed, Mar 30, 2011 at 2:33 PM, Mark Cottle wrote: > I've been asked for my thoughts on what seems to be a slightly odd > proposal for card transactions. I wonder if anyone here can put me > straight on the legal and technical positions. 
> > A local authority is proposing to close down a number of points that > provide a general counter-service (for miscellaneous enquiries, rent > payments, parking permits, bin bags and so on) and to transfer some > of the functions to other facilities. At present these other > facilities handle only small cash transactions and do not take card > payments. In order to facilitate card payments it is proposed that > staff will use existing desktop PCs to access existing public online > payment facilities. They are supposed to take the card and enter the > relevant information (card number, holder's name, expiry date, CSC > etc) into the web interface - in effect, they carry out the standard > web-based transaction for the customer. I think they are hoping most > people will simply use the website option from home and the counter > service will be mainly for those who don't have internet access or > who aren't confident with web transactions. The proposers believe > that, as the new arrangements are only supposed to deal with a > limited range of transactions, which already have online versions, > the authority can avoid having to put chip-n-PIN equipment at the > locations concerned (thus avoiding associated costs). > > I'm uncomfortable with this suggestion but feel I need more > information before coming to a judgement. My concerns are twofold: > practical and legal. From the practical perspective I can see at > least one problem in the form of 3-D Secure. If a "Verified by Visa" > box or similar pops up then the staff member cannot complete the > transaction because they do not (or should not) know the relevant > password. And I hope those involved can see it would be obviously > wrong to require staff to ask customers for such a password. I wonder > if there are additional problems that fall in the legal or policy > domains. I naively assume online card transactions are built upon the > assumption that the card holder is the one entering the data. 
What is > the legal position of a person (in this case a local authority staff > member) carrying out a card transaction for another person who is the > card holder? Is the customer breaching T&Cs? Who is liable for what > if there is an error? > > Mark C > > > From zenadsl6186 at zen.co.uk Wed Mar 30 23:00:38 2011 From: zenadsl6186 at zen.co.uk (Peter Fairbrother) Date: Wed, 30 Mar 2011 23:00:38 +0100 Subject: Actionfraud In-Reply-To: References: <201103292043.p2TKh36B018129@clerew.man.ac.uk> <4D92BBEC.1090706@iosis.co.uk> Message-ID: <4D93A806.7000100@zen.co.uk> Roland Perry wrote: > In article <4D92BBEC.1090706 at iosis.co.uk>, Peter Tomlinson > writes >> I, too, have forwarded to them some scam emails - and some of those >> forwarded by me have been bounced as spam by the police incoming filter. > > I have forwarded several, and they were *all* bounced back by the AF > gateway. > > As for the legality of filtering outgoing (or indeed incoming) emails; > they are either being dropped, or "returned to sender", neither of which > is interception. The action of filtering them is however most definitely interception in law, as the ISPs have to look at the content of the emails in order to filter them. Just looking at the content of an email is interception as defined in law (the legal definition of interception in RIPA is more than a bit different to the usual meaning of the word), no matter what subsequently happens to the email. Whether the interception is unlawful or not is subject to some debate. The general opinion is that most probably it is lawful, under subsection 3(3) of RIPA: " Conduct consisting in the interception of a communication is authorised by this section if - (a) it is conduct by or on behalf of a person who provides a postal service or a telecommunications service; and (b) it takes place for purposes connected with the provision or operation of that service ... 
" as spam/scam filtering is considered to be necessary to ensure the proper operation of the email service. -- Peter Fairbrother From zenadsl6186 at zen.co.uk Wed Mar 30 23:56:20 2011 From: zenadsl6186 at zen.co.uk (Peter Fairbrother) Date: Wed, 30 Mar 2011 23:56:20 +0100 Subject: Actionfraud In-Reply-To: <61E52F3A5532BE43B0211254F13883AE05BBD0@EXC001> References: <201103292043.p2TKh36B018129@clerew.man.ac.uk> <20110330004516.GG28020@snowy.squish.net> <89AB1B2F-74CD-431C-81DF-85BAD6B4AEF8@batten.eu.org> <20110330104927.GI28020@snowy.squish.net> <61E52F3A5532BE43B0211254F13883AE05BBD0@EXC001> Message-ID: <4D93B514.9050408@zen.co.uk> Andrew Cormack wrote: >> -----Original Message----- >> From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto- >> bounces at chiark.greenend.org.uk] On Behalf Of Jon Ribbens >> Sent: 30 March 2011 11:49 >> To: ukcrypto at chiark.greenend.org.uk >> Subject: Re: Actionfraud >> >> On Wed, Mar 30, 2011 at 08:28:51AM +0100, Ian Batten wrote: >>> On 30 Mar 2011, at 01:45, Jon Ribbens wrote: >>> >>>> On Tue, Mar 29, 2011 at 09:43:04PM +0100, Charles Lindsey wrote: >>>>> I'm sure it's illegal to do this scanning (it's not even in their >> T&C's >>>>> that they may/will), although I can understand an ISP's desire not >> to be >>>>> black-listed. >>>> It's entirely standard practice to scan for spam on incoming email, >>> At an ISP level? I'm not sure that's true, is it? >> Hmm, I'm gonna have to go with "yes it is". > > And the Article 29 WP have a classic piece of reverse engineering to conclude that it's lawful ;) > http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2006/wp118_en.pdf nice link, thanks. note, while they say that while spam and virus filtering is okay, they don't actually mention scam filtering; and they say the screening of emails for the purposes of detecting any predetermined content is unlawful - even if that predetermined content is illegal, including presumably filesharing etc. 
-- peter f

From ukcrypto at airburst.co.uk Wed Mar 30 21:07:18 2011
From: ukcrypto at airburst.co.uk (Mark Cottle)
Date: Wed, 30 Mar 2011 21:07:18 +0100
Subject: Card transactions by proxy
In-Reply-To:
References: <4D933F44.15263.15DAD14@ukcrypto.airburst.co.uk>
Message-ID: <4D939B86.24610.2C60E94@ukcrypto.airburst.co.uk>

On 30 Mar 2011 at 18:35, John Wilson wrote:
>
> Barclaycard is quite clear "8.2 You must never allow anyone else to
> use your card."
> (http://www.barclaycard-bw.com/media/bw_tc_cards_v1,4556,1.pdf)
>
> Can you tell us the name of the local authority?

Prefer not to give the name at the moment. Although the proposals of which this is a part are out to a fairly broad consultation (and thus it's not much of a secret in the area concerned) I need to be diplomatic.

It certainly seems to be a breach of the Barclaycard T&Cs and I'm guessing the same applies to most other cards/issuers. That would seem to be a matter between the issuer and the cardholder. It also sounds as if there might be issues relating to the merchant agreement under which the authority gets its web transactions processed, although I'm not clear about that.

The aspect I most need to pin down now is the position of staff who are asked to perform transactions in the manner in question.

From benc at hawaga.org.uk Thu Mar 31 05:27:40 2011
From: benc at hawaga.org.uk (Ben Clifford)
Date: Thu, 31 Mar 2011 04:27:40 +0000 (GMT)
Subject: Card transactions by proxy
In-Reply-To: <4D933F44.15263.15DAD14@ukcrypto.airburst.co.uk>
References: <4D933F44.15263.15DAD14@ukcrypto.airburst.co.uk>
Message-ID:

Some of this sounds similar to the Paypal virtual terminal. Their UK branding talks about taking transactions over mail, phone and email.
Their US branding talks about the same but also fairly strongly alludes without saying it to using it for card-present transactions - they sell a card reader that will automatically read the details off your customer's card and fill in the webform for you, and talk about using it at trade shows

us branding:
https://merchant.paypal.com/cgi-bin/marketingweb?cmd=_render-content&content_ID=merchant/virtual_terminal

uk branding:
https://www.paypal-business.co.uk/take-credit-cards-over-the-phone-with-paypal/index.htm

-- http://www.hawaga.org.uk/ben/

From tugwilson at gmail.com Thu Mar 31 08:59:26 2011
From: tugwilson at gmail.com (John Wilson)
Date: Thu, 31 Mar 2011 08:59:26 +0100
Subject: Card transactions by proxy
In-Reply-To: <4D939B86.24610.2C60E94@ukcrypto.airburst.co.uk>
References: <4D933F44.15263.15DAD14@ukcrypto.airburst.co.uk> <4D939B86.24610.2C60E94@ukcrypto.airburst.co.uk>
Message-ID:

On 30 March 2011 21:07, Mark Cottle wrote:
> Prefer not to give the name at the moment. Although the proposals of
> which this is a part are out to a fairly broad consultation (and thus
> it's not much of a secret in the area concerned) I need to be
> diplomatic.

As long as it's not Aylesbury Vale District Council :)

>
> It certainly seems to be a breach of the Barclaycard T&Cs and I'm
> guessing the same applies to most other cards/issuers. That would
> seem to be a matter between the issuer and the cardholder. It also
> sounds as if there might be issues relating to the merchant agreement
> under which the authority gets its web transactions processed,
> although I'm not clear about that.
>
> The aspect I most need to pin down now is the position of staff who
> are asked to perform transactions in the manner in question.

I think it puts them in a very difficult position. If there's a query about any future transaction on one of the cards they will fall under suspicion.
The fact that they have colluded in making a transaction which is specifically disallowed by the card issuer's T&Cs will not help.

Three obvious scenarios:

1/ Someone installs a keylogger on the council's PC (not the most highly secure machines at the best of times), harvests CC details and sells them on. The operator is immediately the centre of suspicion.

2/ Someone gives the operator their card then makes a set of purchases and later denies they did so, claiming that the details must have been skimmed at the council terminal.

3/ Someone used a CC which is not their own. The operator is technically the one who made the fraudulent transaction.

The employees of the local authority need to get their union involved.

John Wilson

From igb at batten.eu.org Thu Mar 31 09:56:24 2011
From: igb at batten.eu.org (Ian Batten)
Date: Thu, 31 Mar 2011 09:56:24 +0100
Subject: Card transactions by proxy
In-Reply-To: <4D933F44.15263.15DAD14@ukcrypto.airburst.co.uk>
References: <4D933F44.15263.15DAD14@ukcrypto.airburst.co.uk>
Message-ID: <1A45F119-3CC4-478F-B3D0-DBBFB996A801@batten.eu.org>

> If a "Verified by Visa"
> box or similar pops up then the staff member cannot complete the
> transaction because they do not (or should not) know the relevant
> password.

As these are users who either do not use the Internet or do not feel comfortable doing online transactions, then they would not be registered for Verified By Visa (etc) anyway, so as soon as that popped up they'd be stopped from proceeding.

But for a council to harvest CV2 values from customers who will, pretty much by definition, be less astute about online security is an accident waiting to happen. It's hard to see how this isn't an attempted end-run around PICS compliance and the purchase of secure terminals. And as it will be processed as a Card Not Present transaction, the fraud liability falls straight onto the council.
More important, as others have pointed out, it's a clear-cut violation of the Ts and Cs for the customer: in the case of LTSB, "11.1 You must: ... not let anyone else use your Card, Cheques or Security Details;" For a local authority to solicit and encourage the breach of credit card terms and conditions is obviously the sort of thing a bank would take a dim view of.

To be blunt, that the council didn't immediately phone up their bank and say "would this be OK", but is instead consulting and canvassing opinion, says they know it's hooky and they know their bank would say no. Which is a good reason not to do it, I'd say.

ian

From amidgley at gmail.com Thu Mar 31 10:05:47 2011
From: amidgley at gmail.com (Adrian Midgley)
Date: Thu, 31 Mar 2011 10:05:47 +0100
Subject: NHS data mining: stupidity and cleverness
Message-ID:

I suspect that in the same way that only a proportion of people can get their minds around the idea of a pointer in C there are only a proportion of people involved in the administration of the NHS and the DoH who can get their minds around the idea that one might send a question to a host of peripheral systems, and receive back the answers, rather than collect all the data from all those peripheral systems, and then run searches on those.

I doubt that all the possible questions can be answered by the first method, but then I doubt they can be, legally or accurately, by the second either.

And yet again we see a row over "nonymisation" which turns out not to work.

Is it time to state that MIQUEST was the way to go, and that questions should be sent out, and only answers returned, or is that approach also too vulnerable to inference and cross referencing?

(MIQUEST is a subset of a superset of SQL called Health Query Language, with software that runs on the GP automation systems, and mechanisms to export, check, import and control queries, and presumably to aggregate the results at the centre.
It is a beast, and locally in Devon the admin people seem convinced that their approach involving large Excel spreadsheets must be better.)

-- Adrian Midgley http://www.defoam.net/

From ukcrypto at airburst.co.uk Thu Mar 31 10:35:12 2011
From: ukcrypto at airburst.co.uk (Mark Cottle)
Date: Thu, 31 Mar 2011 10:35:12 +0100
Subject: Card transactions by proxy
In-Reply-To:
References: <4D939B86.24610.2C60E94@ukcrypto.airburst.co.uk>
Message-ID: <4D9458E0.2560.2F8897@ukcrypto.airburst.co.uk>

On 31 Mar 2011 at 8:59, John Wilson wrote:
> On 30 March 2011 21:07, Mark Cottle wrote:
> > Prefer not to give the name at the moment. Although the proposals of
> > which this is a part are out to a fairly broad consultation (and thus
> > it's not much of a secret in the area concerned) I need to be
> > diplomatic.
>
> As long as it's not Aylesbury Vale District Council :)
>

Happy to confirm it's not.

> The employees of the local authority need to get their union involved.
>

Indeed. And this is where I'm coming from.

From chl at clerew.man.ac.uk Thu Mar 31 11:31:02 2011
From: chl at clerew.man.ac.uk (Charles Lindsey)
Date: Thu, 31 Mar 2011 11:31:02 +0100
Subject: Card transactions by proxy
In-Reply-To: <7Af3y+CDq5kNFAJg@perry.co.uk>
References: <4D933F44.15263.15DAD14@ukcrypto.airburst.co.uk> <7Af3y+CDq5kNFAJg@perry.co.uk>
Message-ID:

On Wed, 30 Mar 2011 22:02:59 +0100, Roland Perry wrote:
> At the most fundamental level what's happening here is that a
> "Cardholder not Present" transaction is being conducted with the
> cardholder present. That's against the rules.

But is sometimes necessary. At a merchant I use from time to time, his terminal routinely does not like my card. So he (with my agreement) gets around it by performing a "cardholder not present" transaction. The only real difference is that he needs to see and use the security code on the back of the card.
But any merchant who takes your card and inserts it into his normal "cardholder present" terminal can easily glance at the back of the card and memorize it.

I think in the case under discussion, the agent should say "we cannot process your card directly here, but we have a PC that you can use yourself to make a 'not present' transaction". Then, if the cardholder is not happy/familiar with web transactions, the agent can offer to assist. The essential factor is that the PC screen should be turned during the activity so that the customer can observe what is being done.

In the case of verified by Visa transactions, the customer is presumably already familiar with the process (having previously set up a PIN/password) so he should be able to do that part himself (and the agent should turn the screen and give him access to the keyboard at least for the PIN/password stage). Indeed, the agent should ideally not even see the "helpful phrase" displayed by Visa to remind the customer of which password he is supposed to use.

--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131     Web: http://www.cs.man.ac.uk/~chl
Email: chl at clerew.man.ac.uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5

From Ross.Anderson at cl.cam.ac.uk Thu Mar 31 10:50:04 2011
From: Ross.Anderson at cl.cam.ac.uk (Ross Anderson)
Date: Thu, 31 Mar 2011 10:50:04 +0100
Subject: Card transactions by proxy
Message-ID:

I wonder if anyone has the energy to read through the PCI DSS stuff? I expect that what they've done contravenes the rules there.
You could always ask their acquirer, if you know which bank it is

Ross

From lists at internetpolicyagency.com Thu Mar 31 12:56:28 2011
From: lists at internetpolicyagency.com (Roland Perry)
Date: Thu, 31 Mar 2011 12:56:28 +0100
Subject: Card transactions by proxy
In-Reply-To:
References: <4D933F44.15263.15DAD14@ukcrypto.airburst.co.uk> <4D939B86.24610.2C60E94@ukcrypto.airburst.co.uk>
Message-ID:

In article , John Wilson writes
>The employees of the local authority need to get their union involved.

And the Union could usefully ask whatever APACS is called this week, for their opinion on behalf of the Credit Card industry in general.

-- Roland Perry

From lists at internetpolicyagency.com Thu Mar 31 12:57:19 2011
From: lists at internetpolicyagency.com (Roland Perry)
Date: Thu, 31 Mar 2011 12:57:19 +0100
Subject: Card transactions by proxy
In-Reply-To:
References: <4D933F44.15263.15DAD14@ukcrypto.airburst.co.uk>
Message-ID:

In article , Leon Clarke writes
>It could be that this is legally viewed as a card present transaction
>that's been conducted using a non-approved computer system

And no Chip'n'Pin

>(which just happens to use an approved website as one of its
>components, but has other components like the PC that aren't approved
>for how they're being used).
>This is a massive breach of the local authority's agreement with the
>acquiring bank that runs their website's card processing.

-- Roland Perry

From lists at internetpolicyagency.com Thu Mar 31 13:01:59 2011
From: lists at internetpolicyagency.com (Roland Perry)
Date: Thu, 31 Mar 2011 13:01:59 +0100
Subject: Card transactions by proxy
In-Reply-To:
References: <4D933F44.15263.15DAD14@ukcrypto.airburst.co.uk> <7Af3y+CDq5kNFAJg@perry.co.uk>
Message-ID:

In article , Charles Lindsey writes
>> At the most fundamental level what's happening here is that a
>>"Cardholder not Present" transaction is being conducted with the
>>cardholder present. That's against the rules.
>
>But is sometimes necessary.
>At a merchant I use from time to time, his
>terminal routinely does not like my card. So he (with my agreement)
>gets around it by performing a "cardholder not present" transaction.

That's not the correct way to handle the situation. The fallback is a signature transaction.

>The only real difference is that he needs to see and use the security
>code on the back of the card.

Noooo!

>But any merchant who takes your card and inserts it into his normal
>"cardholder present" terminal can easily glance at the back of the
>card and memorize it.
>
>I think in the case under discussion, the agent should say "we cannot
>process your card directly here, but we have a PC

which might well have a keylogger, either intended or unintended.

>that you can use yourself to make a 'not present' transaction".

Run away!!

-- Roland Perry

From bogus@does.not.exist.com Fri Mar 11 16:33:04 2011
From: bogus@does.not.exist.com ()
Date: Fri, 11 Mar 2011 16:33:04 -0000
Subject: No subject
Message-ID:

"BT contends that the injunction should be confined to its UK retail, mass market services which incorporate Cleanfeed as an integral and non-optional function. The Studios resist this limitation. I am surprised that this point was not raised by BT earlier in the proceedings, as I consider it should have been. Nevertheless, I must now consider it on its merits.

Simon Milner, BT's Director of Group Industry Policy, explains in his third witness statement the manner in which BT's business is structured. It has an access services division (Openreach), an upstream division which provides products and services for use by communications providers (BT Wholesale) and two downstream divisions which provide products and services to end users (BT Retail and BT Global Services). BT Retail serves consumers and small and medium-sized enterprises. BT Global Services serves large businesses and public bodies. Cleanfeed is provided as an integral and non-optional part of the standard service offered by BT Retail.
Cleanfeed is not imposed on BT's other customers, but some of BT Global Services' customers have it as an option. Counsel for BT explained that some customers, such as the police and banks, do not want Cleanfeed either because they do not want any filtering (the police) or because they have their own systems (banks).

I accept that it is not appropriate to grant an injunction against BT's access services and upstream divisions. The position in respect of BT's downstream divisions is more equivocal, but in my view the proportionate answer is that the injunction should apply to all BT's services which incorporate Cleanfeed whether that is imposed on the customer or taken as an option."

So, BT Retail and BT Global Services if they have the option. Try accessing newzbin and see if it works.

-- Francis Davey

From bogus@does.not.exist.com Fri Mar 11 16:33:04 2011
From: bogus@does.not.exist.com ()
Date: Fri, 11 Mar 2011 16:33:04 -0000
Subject: No subject
Message-ID:

bit of a nightmare. IP addresses need to be "cleansed" before recycled - they write to the blacklists to get IP addresses removed, and IP addresses are in short supply.

How would one go about writing to the rights holders or the High Court to tell the ISPs to remove IP addresses no longer being used for the "sole or predominant purpose" of providing access to Newzbin?

When we have a dozen sites covered by injunctions, a hundred or so "primary" IP addresses and URLs, perhaps a thousand "facilitator" sites and injunctions covering 9 ISPs each managing their own lists under instruction from rights holders...

I can't see this ending well at all.
James Firth

From bogus@does.not.exist.com Fri Mar 11 16:33:04 2011
From: bogus@does.not.exist.com ()
Date: Fri, 11 Mar 2011 16:33:04 -0000
Subject: No subject
Message-ID:

38 In that regard, it is common ground that implementation of that filtering system would require
- first, that the ISP *identify, within all of the electronic communications of all its customers*, the files relating to peer-to-peer traffic;
- secondly, that it identify, within that traffic, the files containing works in respect of which holders of intellectual-property rights claim to hold rights;
- thirdly, that it determine which of those files are being shared unlawfully; and
- fourthly, that it block file sharing that it considers to be unlawful.

39 Preventive monitoring of this kind would thus require *active observation of all electronic communications* conducted on the network of the ISP concerned and, consequently, would *encompass all information* to be transmitted and *all customers using that network*.

40 In the light of the foregoing, it must be held that the injunction imposed on the ISP concerned requiring it to install the contested filtering system would oblige it to actively monitor all the data relating to each of its customers in order to prevent any future infringement of intellectual-property rights. It follows that that injunction would require the ISP to carry out general monitoring, something which is prohibited by Article 15(1) of Directive 2000/31.

I read that to mean that the mere act of identifying the traffic (the first step in [38]) that needs to be processed further (as in application layer analysis of P2P) is enough.
So to me, even if you (the ISP) decide that the packet doesn't warrant further filtering because it is, for example, not P2P traffic, you are still caught by [39,40] because you took a positive action to decide whether the packet needs processing---certainly it can't be argued that ECJ thought that all of Scarlet's customers were in fact using P2P and sharing files.

Presumably you can argue that Cleanfeed is only applied to a subset of BT's customers but that again seems to prejudice BT for providing services to, for example, the police and the banks and allowing them to opt out of the filtering...

Cheers,

-- Igor M.