From ukcrypto at originalthinktank.org.uk Thu Oct 20 01:49:02 2011
From: ukcrypto at originalthinktank.org.uk (Chris Salter)
Date: Thu, 20 Oct 2011 01:49:02 +0100
Subject: New Universal Credit system to be accessed via existing consumer online banking systems!!!!!
Message-ID: <4E9F6FFE.1000301@originalthinktank.org.uk>

Hello UKCRYPTO,

Below are selected quotes from
"Welfare reform: government hopes there's an app for that"
http://www.guardian.co.uk/society/2011/oct/19/welfare-reform-government-hopes-app
or
http://preview.tinyurl.com/3s3u6va

"An online "app" to help 8m households apply for the new universal credit, integrating tax credits and out-of-work benefits, is being developed as part of one of the most hazardous and ambitious IT programmes ever undertaken by government"

"The IT security for the system is to be linked to claimants' existing security codes, operated by their commercial banks, he also disclosed."

"Freud said: "We are getting a lot of help from the banking community. They have got security systems we are looking at very closely. The fundamental is to know who is on the system, and one of the things we are looking at is piggy-backing on those systems. So rather than us having to ID assure, one of the things we can do is get customers to click through their bank account to us.""

End quotes.

The government already have an 'ID assurance system' called "Government Gateway" used for submitting tax returns, accessing state pension forecasting and probably other facilities.

--
Chris Salter
http://www.originalthinktank.org.uk/
http://www.post-polio.org.uk/

From benc at hawaga.org.uk Thu Oct 20 14:45:25 2011
From: benc at hawaga.org.uk (Ben Clifford)
Date: Thu, 20 Oct 2011 09:45:25 -0400
Subject: New Universal Credit system to be accessed via existing consumer online banking systems!!!!!
In-Reply-To: <4E9F6FFE.1000301@originalthinktank.org.uk>
References: <4E9F6FFE.1000301@originalthinktank.org.uk>
Message-ID: <4DA64721-6F86-471B-9B4F-0E9E07C29351@hawaga.org.uk>

On Oct 19, 2011, at 8:49 PM, Chris Salter wrote:

> The government already have an 'ID assurance system' called "Government Gateway" used for submitting tax returns, accessing state pension forecasting and probably other facilities.

"probably other facilities" is listed here:

http://www.gateway.gov.uk/Help/Help.aspx?content=help_government_services_online.htm&languageid=0

--

From ben at links.org Fri Oct 21 04:27:19 2011
From: ben at links.org (Ben Laurie)
Date: Fri, 21 Oct 2011 03:27:19 +0000
Subject: New Universal Credit system to be accessed via existing consumer online banking systems!!!!!
In-Reply-To: <4E9F6FFE.1000301@originalthinktank.org.uk>
References: <4E9F6FFE.1000301@originalthinktank.org.uk>
Message-ID:

On Thu, Oct 20, 2011 at 12:49 AM, Chris Salter <ukcrypto at originalthinktank.org.uk> wrote:

> Hello UKCRYPTO,
>
> Below are selected quotes from
> "Welfare reform: government hopes there's an app for that"
> http://www.guardian.co.uk/society/2011/oct/19/welfare-reform-government-hopes-app
> or
> http://preview.tinyurl.com/3s3u6va
>
> "An online "app" to help 8m households apply for the new universal credit,
> integrating tax credits and out-of-work benefits, is being developed as part
> of one of the most hazardous and ambitious IT programmes ever undertaken by
> government"
>
> "The IT security for the system is to be linked to claimants' existing
> security codes, operated by their commercial banks, he also disclosed."
>
> "Freud said: "We are getting a lot of help from the banking community. They
> have got security systems we are looking at very closely. The fundamental is
> to know who is on the system, and one of the things we are looking at is
> piggy-backing on those systems.
> So rather than us having to ID assure, one
> of the things we can do is get customers to click through their bank account
> to us.""
>
> End quotes.
>
> The government already have an 'ID assurance system' called "Government
> Gateway" used for submitting tax returns, accessing state pension
> forecasting and probably other facilities.
>

The government gateway handily allows its operators to impersonate anyone they want...

From rich at annexia.org Thu Oct 20 21:48:03 2011
From: rich at annexia.org (Richard W.M. Jones)
Date: Thu, 20 Oct 2011 21:48:03 +0100
Subject: New Universal Credit system to be accessed via existing consumer online banking systems!!!!!
In-Reply-To: <4E9F6FFE.1000301@originalthinktank.org.uk>
References: <4E9F6FFE.1000301@originalthinktank.org.uk>
Message-ID: <20111020204803.GA18226@annexia.org>

On Thu, Oct 20, 2011 at 01:49:02AM +0100, Chris Salter wrote:
> "Freud said: "We are getting a lot of help from the banking
> community. They have got security systems we are looking at very
> closely. The fundamental is to know who is on the system, and one of
> the things we are looking at is piggy-backing on those systems. So
> rather than us having to ID assure, one of the things we can do is
> get customers to click through their bank account to us.""

Oh christ not Verified By Visa ...

Rich.

--
Richard Jones
Red Hat

From nigel at dotdot.it Fri Oct 21 10:02:33 2011
From: nigel at dotdot.it (Nigel Metheringham)
Date: Fri, 21 Oct 2011 10:02:33 +0100
Subject: New Universal Credit system to be accessed via existing consumer online banking systems!!!!!
In-Reply-To:
References: <4E9F6FFE.1000301@originalthinktank.org.uk>
Message-ID:

My favourite use of the government online IDs... the fact that I get to use the same login credentials for both the Online Tax portal *and* for booking sessions with the National Blood Transfusion Service...

What do you mean, they want blood???

Nigel.
--
[ Nigel Metheringham ------------------------------ nigel at dotdot.it ]
[ Ellipsis Intangible Technologies ]

From k.brown at bbk.ac.uk Fri Oct 21 11:35:14 2011
From: k.brown at bbk.ac.uk (k.brown at bbk.ac.uk)
Date: Fri, 21 Oct 2011 11:35:14 +0100
Subject: New Universal Credit system to be accessed via existing consumer online banking systems!!!!!
In-Reply-To:
References: <4E9F6FFE.1000301@originalthinktank.org.uk>
Message-ID:

I'm not sure exactly what I think of this idea but I am pretty sure it includes the phrase "waiting to happen".

--
Ken Brown

From kristen.eisenberg at yahoo.com Fri Oct 21 22:20:52 2011
From: kristen.eisenberg at yahoo.com (Kristen Eisenberg)
Date: Fri, 21 Oct 2011 14:20:52 -0700 (PDT)
Subject: Card transactions by proxy
Message-ID: <1319232052.17219.YahooMailNeo@web122312.mail.ne1.yahoo.com>

* Mark Cottle:

> I've been asked for my thoughts on what seems to be a slightly odd
> proposal for card transactions. I wonder if anyone here can put me
> straight on the legal and technical positions.

Is this about credit cards?

It is my understanding that a very similar thing happens when you do some business transaction over the phone (like booking a hotel). The call center agent typically enters your credit card details into a web application on your behalf.

Kristen Eisenberg
Billige Flüge Marketing GmbH
Emanuelstr. 3, 10317 Berlin
Germany
Phone: +49 (33) 5310967
Email: utebachmeier at gmail.com
Site: http://flug.airego.de - Compare cheap flights
From lists at internetpolicyagency.com Sat Oct 22 08:41:41 2011
From: lists at internetpolicyagency.com (Roland Perry)
Date: Sat, 22 Oct 2011 08:41:41 +0100
Subject: Card transactions by proxy
In-Reply-To: <1319232052.17219.YahooMailNeo@web122312.mail.ne1.yahoo.com>
References: <1319232052.17219.YahooMailNeo@web122312.mail.ne1.yahoo.com>
Message-ID:

In article <1319232052.17219.YahooMailNeo at web122312.mail.ne1.yahoo.com>, Kristen Eisenberg writes
>> I've been asked for my thoughts on what seems to be a slightly odd
>> proposal for card transactions. I wonder if anyone here can put me
>> straight on the legal and technical positions.
>
>Is this about credit cards?
>
>It is my understanding that a very similar thing happens when you do
>some business transaction over the phone (like booking a hotel). The
>call center agent typically enters your credit card details into a web
>application on your behalf

The term used in the industry is "Cardholder not present".
--
Roland Perry

From ben at liddicott.com Sat Oct 22 20:17:18 2011
From: ben at liddicott.com (Ben Liddicott)
Date: Sat, 22 Oct 2011 20:17:18 +0100
Subject: Card transactions by proxy
In-Reply-To:
References: <1319232052.17219.YahooMailNeo@web122312.mail.ne1.yahoo.com>
Message-ID: <5B2CBF2614334D5E812646A2E05D9A80@intelligentdatasystems.co.uk>

Retailers who have a chip & pin machine can generally get cardholder-not-present privileges for a small extra fee, once they have established themselves (which generally involves building up a credit balance with the bank which is held in case of chargebacks). This enables them to take orders via email or telephone.

Customers of WorldPay and presumably other e-payment services can get cardholder-not-present privileges using what is referred to as a "virtual terminal", i.e. a web page which performs the same function of the chip & pin machine in CNP mode, again at an extra fee.
Cheers,
Ben

--------------------------------------------------
From: "Roland Perry"
Sent: Saturday, October 22, 2011 8:41 AM

> The term used in the industry is "Cardholder not present".
> --
> Roland Perry

From james2 at jfirth.net Wed Oct 26 18:31:50 2011
From: james2 at jfirth.net (James Firth)
Date: Wed, 26 Oct 2011 18:31:50 +0100
Subject: Newzbin2 blocking order, questions over SSL etc
Message-ID: <000301cc9405$25c952c0$715bf840$@net>

The Newzbin2/BT blocking order finally appeared today.

It raises lots of issues, including the fact that the studios can ask for additional IP addresses to be blocked, including sites whose predominant purpose is to provide access to Newzbin2 (I blogged a whole summary here: http://ejf.me/mi ) but am I missing something re HTTPS?

Paragraph 6 of the ruling states "the Studios now accept that the order should refer to IP address re-routing and not IP address blocking."

Mr Justice Arnold adds: "It appears that IP address blocking could lead to "overblocking" of sites or pages that ought not to be blocked"

OK, so it *appears* as though we have a situation where BT have to add an IP address and URL to Cleanfeed, even if the URL is the root domain for Newzbin2 [and mirrors].

So, what if Newzbin2 go HTTPS/SSL? Surely Cleanfeed can't match a URL from an encrypted HTTP GET request?

James Firth

From flyingkiwiguy at gmail.com Wed Oct 26 20:58:04 2011
From: flyingkiwiguy at gmail.com (Gary Mulder)
Date: Wed, 26 Oct 2011 20:58:04 +0100
Subject: Newzbin2 blocking order, questions over SSL etc
In-Reply-To: <000301cc9405$25c952c0$715bf840$@net>
References: <000301cc9405$25c952c0$715bf840$@net>
Message-ID:

On 26 October 2011 18:31, James Firth wrote:

> So, what if Newzbin2 go HTTPS/SSL? Surely Cleanfeed can't match a URL from
> an encrypted HTTP GET request?
>
> James Firth
>

The destination IP address of the SSL connection can still be blocked. Of course any SSL proxy or Tor can tunnel through any content filters.
Gary

From clive at davros.org Thu Oct 27 10:20:02 2011
From: clive at davros.org (Clive D.W. Feather)
Date: Thu, 27 Oct 2011 10:20:02 +0100
Subject: Newzbin2 blocking order, questions over SSL etc
In-Reply-To: <000301cc9405$25c952c0$715bf840$@net>
References: <000301cc9405$25c952c0$715bf840$@net>
Message-ID: <20111027092002.GA8660@davros.org>

James Firth said:
> So, what if Newzbin2 go HTTPS/SSL? Surely Cleanfeed can't match a URL from
> an encrypted HTTP GET request?

To the best of my knowledge (which was pretty comprehensive but may now be out of date) BT's system only looks at HTTP, not HTTPS.

--
Clive D.W. Feather | If you lie to the compiler,
Email: clive at davros.org | it will get its revenge.
Web: http://www.davros.org | - Henry Spencer
Mobile: +44 7973 377646

From fjmd1a at gmail.com Thu Oct 27 10:23:32 2011
From: fjmd1a at gmail.com (Francis Davey)
Date: Thu, 27 Oct 2011 10:23:32 +0100
Subject: Newzbin2 blocking order, questions over SSL etc
In-Reply-To: <20111027092002.GA8660@davros.org>
References: <000301cc9405$25c952c0$715bf840$@net> <20111027092002.GA8660@davros.org>
Message-ID:

2011/10/27 Clive D.W. Feather :
> James Firth said:
>> So, what if Newzbin2 go HTTPS/SSL? Surely Cleanfeed can't match a URL from
>> an encrypted HTTP GET request?
>
> To the best of my knowledge (which was pretty comprehensive but may now be
> out of date) BT's system only looks at HTTP, not HTTPS.
>

That seems to be what Richard Clayton thought:

http://www.lightbluetouchpaper.org/2011/07/28/will-newzbin-be-blocked/

Though as he's on this list, I imagine he might have a view.
--
Francis Davey

From james2 at jfirth.net Thu Oct 27 11:05:54 2011
From: james2 at jfirth.net (James Firth)
Date: Thu, 27 Oct 2011 11:05:54 +0100
Subject: Newzbin2 blocking order, questions over SSL etc
In-Reply-To:
References: <000301cc9405$25c952c0$715bf840$@net> <20111027092002.GA8660@davros.org>
Message-ID: <008201cc9490$0475c410$0d614c30$@net>

Francis Davey wrote:
> > James Firth said:
> >> So, what if Newzbin2 go HTTPS/SSL? Surely Cleanfeed can't match a URL from
> >> an encrypted HTTP GET request?
> >
> > To the best of my knowledge (which was pretty comprehensive but may now be
> > out of date) BT's system only looks at HTTP, not HTTPS.
> >
>
> That seems to be what Richard Clayton thought:
>
> http://www.lightbluetouchpaper.org/2011/07/28/will-newzbin-be-blocked/
>
> Though as he's on this list, I imagine he might have a view.
>

It was a multi-part question. It was apparent though not 100% clear to me in the judgement that any blocking should be for an IP address *and* URL.

Important, as I wrote in my blog, because there could be additional IP addresses adding to the block list (paras 10-12) for [other] sites whose predominant purpose is to facilitate access to Newzbin2, ie sites offering any specialised client for Newzbin2.

Such sites may well be transient and use IP addresses for a short period only, and I found no mention of any process for IP addresses to be removed from the blocking order.

Therefore such "Other IP addresses and URLs" may remain on BT's block list for an indeterminate period. At least URL matching will limit the impact of this, although the "IWF/Wikipedia effect" will remain a problem.

The judge seemed to say (para 6) that BT should be required to use IP address re-routing, not blocking. He mentions over-blocking but doesn't explicitly state (from my reading) that URLs must then match before access is denied.

But assuming this is the intention, then surely the ruling is as good as useless if Newzbin2 move to SSL?
James Firth

From rich at annexia.org Thu Oct 27 15:43:13 2011
From: rich at annexia.org (Richard W.M. Jones)
Date: Thu, 27 Oct 2011 15:43:13 +0100
Subject: Newzbin2 blocking order, questions over SSL etc
In-Reply-To: <000301cc9405$25c952c0$715bf840$@net>
References: <000301cc9405$25c952c0$715bf840$@net>
Message-ID: <20111027144313.GA22027@annexia.org>

I discovered today that enta.net (a UK ISP) have gone one better and simply decided to stop transferring all nntp traffic (by port, presumably) across their whole network ...

http://lists.ukfsn.org/pipermail/users/2011-October/003296.html

Rich.

--
Richard Jones
Red Hat

From pwt at iosis.co.uk Sun Oct 30 18:01:03 2011
From: pwt at iosis.co.uk (Peter Tomlinson)
Date: Sun, 30 Oct 2011 18:01:03 +0000
Subject: Comantra (telephone scammer) has its MS partner status revoked
In-Reply-To: <2om677l3kdggae0qmiob4q3s37iahi32ln@4ax.com>
References: <2om677l3kdggae0qmiob4q3s37iahi32ln@4ax.com>
Message-ID: <4EAD90DF.7040407@iosis.co.uk>

Had my first experience of one of those phone calls earlier this month (my computer had sent them a message, etc). But I was very busy and simply told the caller (lady with South Asian accent) that it wasn't true and her organisation wasn't genuine (not quite as politely as that) and put the phone down.
Peter

On 16/09/2011 15:21, Marcus Williamson wrote:
>
> Over the last year the UK media has run a number of stories about fake tech
> support companies making unsolicited calls to people in the UK, such as this one:
> http://www.guardian.co.uk/money/2011/jul/29/computer-phone-scam
>

From colinthomson1 at o2.co.uk Mon Oct 31 01:10:30 2011
From: colinthomson1 at o2.co.uk (Tom Thomson)
Date: Mon, 31 Oct 2011 01:10:30 -0000
Subject: Comantra (telephone scammer) has its MS partner status revoked
In-Reply-To: <4EAD90DF.7040407@iosis.co.uk>
References: <2om677l3kdggae0qmiob4q3s37iahi32ln@4ax.com> <4EAD90DF.7040407@iosis.co.uk>
Message-ID:

Had a couple of those last year and again this year (and was only in the UK 4 months last year and 3 months this year; that suggests that I would get about 6 such calls per year if my UK phone was always answered). The caller was clearly working off a script without a clue what she was talking about (given a complicated method of invoking event viewer, I said something like "you mean open event viewer?" and was met by blank incomprehension; the first time round I followed to the next stage - tell her what warning messages you have got and harmless warning messages will be said to indicate a major catastrophe). After a certain amount of clowning around had produced yet more evidence of complete ignorance of all things to do with PCs I told her that her call was clearly a scam which I would report.

When I reported it, the police didn't want to know, of course. They never do, do they? And of course Trading Standards have no clout on callers from India, because the Indian authorities won't cooperate in any meaningful manner.

Subsequent calls got a quick hang up - I could waste their time but that would also waste mine, so I didn't bother.
Tom

> -----Original Message-----
> From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto-bounces at chiark.greenend.org.uk] On Behalf Of Peter Tomlinson
> Sent: 30 October 2011 18:01
> To: UK Cryptography Policy Discussion Group
> Subject: Re: Comantra (telephone scammer) has its MS partner status revoked
>
> Had my first experience of one of those phone calls earlier this month
> (my computer had sent them a message, etc). But I was very busy and
> simply told the caller (lady with South Asian accent) that it wasn't
> true and her organisation wasn't genuine (not quite as politely as that)
> and put the phone down.
>
> Peter
>
> On 16/09/2011 15:21, Marcus Williamson wrote:
> >
> > Over the last year the UK media has run a number of stories about fake tech
> > support companies making unsolicited calls to people in the UK, such as this one:
> > http://www.guardian.co.uk/money/2011/jul/29/computer-phone-scam
> >

From tim.hoddy at skyhook.ath.cx Mon Oct 31 07:20:12 2011
From: tim.hoddy at skyhook.ath.cx (Tim Hoddy)
Date: Mon, 31 Oct 2011 07:20:12 +0000
Subject: Comantra (telephone scammer) has its MS partner status revoked
In-Reply-To: <2om677l3kdggae0qmiob4q3s37iahi32ln@4ax.com>
References: <2om677l3kdggae0qmiob4q3s37iahi32ln@4ax.com>
Message-ID: <201110310720.12448.tim.hoddy@skyhook.ath.cx>

On Friday 16 September 2011 15:21:01 Marcus Williamson wrote:
> Over the last year the UK media has run a number of stories about fake tech
> support companies making unsolicited calls to people in the UK, such as
> this one: http://www.guardian.co.uk/money/2011/jul/29/computer-phone-scam

I had two such phone calls.

I said, "But I don't have a computer!"
Reply: "Then it must be your laptop."
"But I don't have one of those either"
"Ah, ok." ::click::

Hopefully they will have removed me from their list.