From igb at batten.eu.org Tue Dec 11 07:20:03 2012
From: igb at batten.eu.org (Ian Batten)
Date: Tue, 11 Dec 2012 07:20:03 +0000
Subject: Perfect Forward Secrecy: Not So Perfect, Not So Forward
Message-ID: <84AA0149-0EC8-4A79-9470-C65BF912942A@batten.eu.org>

Communication Data scrutiny report [1], paragraph 92 implies that Google are in a position to retrospectively decrypt SSL sessions.

ian

> 92. Many internet services are encrypted; this includes many of the major overseas based communications services such as Gmail. Encryption is the basis of internet security and companies encrypt their services to protect their customers. If these companies are asked directly for communications data and agree to supply it, whether under RIPA or following a request under a Mutual Legal Assistance Treaty (MLAT), then they will decrypt the information, extract the relevant communications data and provide it to the requesting authority in an accessible format. They told us however that if information about their service was collected by another CSP they would not cooperate in helping decrypt it. Sarah Hunter from Google explained:
>
> "From a Google Inc perspective, we are very confident about the security of our encryption. If a valid RIPA request comes in or UK law enforcement goes through the MLAT, receives a court order and in turn gets Gmail user data, we will obviously provide that data decrypted. If it was to use a third-party provider to gather the encrypted data, I think it very unlikely that Google Inc would provide anyone outside Google Inc with that key. That is simply because, as everyone said earlier, security is our most important asset. Our relationship with our users is predicated on trust. Without that, we have no business".65
>

[1] http://www.publications.parliament.uk/pa/jt201213/jtselect/jtdraftcomuni/79/79.pdf
From lists at internetpolicyagency.com Tue Dec 11 13:47:53 2012
From: lists at internetpolicyagency.com (Roland Perry)
Date: Tue, 11 Dec 2012 13:47:53 +0000
Subject: Perfect Forward Secrecy: Not So Perfect, Not So Forward
In-Reply-To: <84AA0149-0EC8-4A79-9470-C65BF912942A@batten.eu.org>
References: <84AA0149-0EC8-4A79-9470-C65BF912942A@batten.eu.org>
Message-ID: 

In article <84AA0149-0EC8-4A79-9470-C65BF912942A at batten.eu.org>, Ian Batten writes
> Communication Data scrutiny report [1], paragraph 92 implies that Google are in a position to retrospectively decrypt SSL sessions.

??

> ian
>
> 92. Many internet services are encrypted; this includes many of the major overseas based communications services such as Gmail. Encryption is the basis of internet security and companies encrypt their services to protect their customers. If these companies are asked directly for communications data and agree to supply it, whether under RIPA or following a request under a Mutual Legal Assistance Treaty (MLAT), then they will decrypt the information, extract the relevant communications data and provide it to the requesting authority in an accessible format. They told us however that if information about their service was collected by another CSP they would not cooperate in helping decrypt it. Sarah Hunter from Google explained:
>
> "From a Google Inc perspective, we are very confident about the security of our encryption. If a valid RIPA request comes in or UK law enforcement goes through the MLAT, receives a court order and in turn gets Gmail user data, we will obviously provide that data decrypted. If it was to use a third-party provider to gather the encrypted data, I think it very unlikely that Google Inc would provide anyone outside Google Inc with that key. That is simply because, as everyone said earlier, security is our most important asset. Our relationship with our users is predicated on trust.
> Without that, we have no business

It seems more likely to me that they'll provide the content of the communications, residing on their servers. The fact the transmission between the client and their server is encrypted is surely a red herring?
-- 
Roland Perry

From matthew at pemble.net Tue Dec 11 13:52:41 2012
From: matthew at pemble.net (Matthew Pemble)
Date: Tue, 11 Dec 2012 13:52:41 +0000
Subject: Perfect Forward Secrecy: Not So Perfect, Not So Forward
In-Reply-To: 
References: <84AA0149-0EC8-4A79-9470-C65BF912942A@batten.eu.org>
Message-ID: 

On 11 December 2012 13:47, Roland Perry wrote:
>
> It seems more likely to me that they'll provide the content of the communications, residing on their servers. The fact the transmission between the client and their server is encrypted is surely a red herring?

That bit of the "content" that is communications data, I hope ... Which would normally be extractable from logs if the fuzz get in there quickly enough?

M.
-- 
Matthew Pemble

From lists at internetpolicyagency.com Tue Dec 11 16:13:42 2012
From: lists at internetpolicyagency.com (Roland Perry)
Date: Tue, 11 Dec 2012 16:13:42 +0000
Subject: Perfect Forward Secrecy: Not So Perfect, Not So Forward
In-Reply-To: 
References: <84AA0149-0EC8-4A79-9470-C65BF912942A@batten.eu.org>
Message-ID: 

In article , Matthew Pemble writes
> It seems more likely to me that they'll provide the content of the communications, residing on their servers. The fact the transmission between the client and their server is encrypted is surely a red herring?
>
> That bit of the "content" that is communications data, I hope ... Which would normally be extractable from logs if the fuzz get in there quickly enough

The original quote talked about comms data (where the encryption of the link isn't an issue) then went on to talk about "User data", which I'd presume was content.
LEAs getting authorisation depends somewhat on the jurisdiction asking.
-- 
Roland Perry

From iptv at gn.apc.org Tue Dec 11 13:13:09 2012
From: iptv at gn.apc.org (IPTV)
Date: Tue, 11 Dec 2012 13:13:09 +0000
Subject: Perfect Forward Secrecy: Not So Perfect, Not So Forward
In-Reply-To: <84AA0149-0EC8-4A79-9470-C65BF912942A@batten.eu.org>
References: <84AA0149-0EC8-4A79-9470-C65BF912942A@batten.eu.org>
Message-ID: <6.2.5.6.2.20121211131124.07e72a08@gn.apc.org>

This is about gmail. The web mail service has its SSL terminal on their mail server where it becomes plaintext and is stored and used in all sorts of things Google won't talk about. In that context, plaintext retrieval for LE is trivial.

Duncan

At 11/12/2012 07:20, you wrote:
> Communication Data scrutiny report [1], paragraph 92 implies that Google are in a position to retrospectively decrypt SSL sessions.
>
> ian
>>
>> 92. Many internet services are encrypted; this includes many of the major overseas based communications services such as Gmail. Encryption is the basis of internet security and companies encrypt their services to protect their customers. If these companies are asked directly for communications data and agree to supply it, whether under RIPA or following a request under a Mutual Legal Assistance Treaty (MLAT), then they will decrypt the information, extract the relevant communications data and provide it to the requesting authority in an accessible format. They told us however that if information about their service was collected by another CSP they would not cooperate in helping decrypt it. Sarah Hunter from Google explained:
>>
>> "From a Google Inc perspective, we are very confident about the security of our encryption. If a valid RIPA request comes in or UK law enforcement goes through the MLAT, receives a court order and in turn gets Gmail user data, we will obviously provide that data decrypted.
>> If it was to use a third-party provider to gather the encrypted data, I think it very unlikely that Google Inc would provide anyone outside Google Inc with that key. That is simply because, as everyone said earlier, security is our most important asset. Our relationship with our users is predicated on trust. Without that, we have no business".65
>
>
>
> [1] http://www.publications.parliament.uk/pa/jt201213/jtselect/jtdraftcomuni/79/79.pdf

From bdm at fenrir.org.uk Tue Dec 11 14:05:28 2012
From: bdm at fenrir.org.uk (Brian Morrison)
Date: Tue, 11 Dec 2012 14:05:28 +0000
Subject: Perfect Forward Secrecy: Not So Perfect, Not So Forward
In-Reply-To: 
References: <84AA0149-0EC8-4A79-9470-C65BF912942A@batten.eu.org>
Message-ID: <20121211140528.000037e3@surtees.fenrir.org.uk>

On Tue, 11 Dec 2012 13:47:53 +0000 Roland Perry wrote:

> It seems more likely to me that they'll provide the content of the communications, residing on their servers. The fact the transmission between the client and their server is encrypted is surely a red herring?

So, suppose that they are presented with ciphertext of some nature. How would Google know which plaintext that actually referred to?

-- 
Brian Morrison

From james2 at jfirth.net Tue Dec 11 17:38:56 2012
From: james2 at jfirth.net (James Firth)
Date: Tue, 11 Dec 2012 17:38:56 -0000
Subject: Perfect Forward Secrecy: Not So Perfect, Not So Forward
In-Reply-To: <84AA0149-0EC8-4A79-9470-C65BF912942A@batten.eu.org>
References: <84AA0149-0EC8-4A79-9470-C65BF912942A@batten.eu.org>
Message-ID: <00af01cdd7c6$665ade20$33109a60$@net>

Ian Batten wrote:
> Communication Data scrutiny report [1], paragraph 92 implies that Google are in a position to retrospectively decrypt SSL sessions.
>
>
>
> "From a Google Inc perspective, we are very confident about the security of our encryption.
> If a valid RIPA request comes in or UK law enforcement goes through the MLAT, receives a court order and in turn gets Gmail user data, we will obviously provide that data decrypted. If it was to use a third-party provider to gather the encrypted data, I think it very unlikely that Google Inc would provide anyone outside Google Inc with that key.

Sarah Hunter is Google UK's chief policy advisor. She used to be a New Labour SPAD on culture or somesuch. I.e. AFAIK she has no background in crypto, or security protocols, etc. So I wouldn't read anything into this.

Having read some of the transcripts and heard first hand from witnesses and observers about some knowledge gaps on e.g. how TOR is structured (systems architecture and business) and SSL (some people believe a "black box" can read sessions in real time, because such kit is advertised, but don't know the first thing about certificate chains, fingerprints etc) I'm fairly sure the whole legislative process is dependent on "I believe so-and-so's view but I don't have a clue what [s]he's talking about..."

IMO the likes of Sarah Hunter are simply translators in the process. They get told one thing by Google's capable engineers and translate it into a PR- and politico-friendly blurb. I'm sure a lot is lost in this translation.

James Firth

From zenadsl6186 at zen.co.uk Tue Dec 11 20:59:38 2012
From: zenadsl6186 at zen.co.uk (Peter Fairbrother)
Date: Tue, 11 Dec 2012 20:59:38 +0000
Subject: Perfect Forward Secrecy: Not So Perfect, Not So Forward
In-Reply-To: <84AA0149-0EC8-4A79-9470-C65BF912942A@batten.eu.org>
References: <84AA0149-0EC8-4A79-9470-C65BF912942A@batten.eu.org>
Message-ID: <50C79EBA.9040109@zen.co.uk>

On 11/12/12 07:20, Ian Batten wrote:
> Communication Data scrutiny report [1], paragraph 92 implies that Google are in a position to retrospectively decrypt SSL sessions.

Well, I expect that that is because in most cases they are in a position to retrospectively decrypt SSL sessions.
They know the private certificate key. I assume that that's the key Sarah Hunter is talking about [1].

SSL sessions do not, per se, offer forward secrecy of any kind unless a DHE suite is used (and despite the frequent abuse of the term by so-called "cryptographers", only OTP's offer any kind of "perfect" forward secrecy of a communication channel).

If a DHE cipher suite is not used then the session-master and session keys can be derived from the handshaking, if you know the private certificate key.

It's been a while since I checked, but I think Google do offer a DHE suite - but the client must ask for one, they are not used as default. By far, most sessions do not use DHE suites.

When a non-DHE cipher suite is used, as part of the handshake the client sends a random number encrypted with the public certificate key, which is decrypted by the server (which knows the private certificate key - but an observer who doesn't know the private key cannot decrypt this part of the intercepted handshake). After that the server knows the secret random data, and the client obviously knows it as well, as the client generated it - and this shared secret random data is used to derive the session-master and session keys.

If a DHE suite is used then Google would have to retain their Diffie-Hellman Ephemeral secret - something they should not do - in order to retrospectively decrypt a session.

Afaik, SSL-everywhere and the like do not distinguish between DHE and non-DHE suites. They should.

[1] While Google, if it was entirely a UK company, could undoubtedly be required to hand over the private certificate key under RIPA - it is a dual-use key after all, it is used for key exchange as well as for authentication - they would understandably be very reluctant to hand it over to anyone under any circumstances whatsoever.
I think they would rather enforce all-DHE suites, so their private certificate key was only used for authentication (and therefore could not be demanded under RIPA) than have the key they use for authentication in someone else's possession - and I think that's what Sarah was actually saying.

-- Peter Fairbrother

>
> ian
>>
>> 92. Many internet services are encrypted; this includes many of the major overseas based communications services such as Gmail. Encryption is the basis of internet security and companies encrypt their services to protect their customers. If these companies are asked directly for communications data and agree to supply it, whether under RIPA or following a request under a Mutual Legal Assistance Treaty (MLAT), then they will decrypt the information, extract the relevant communications data and provide it to the requesting authority in an accessible format. They told us however that if information about their service was collected by another CSP they would not cooperate in helping decrypt it. Sarah Hunter from Google explained:
>>
>> "From a Google Inc perspective, we are very confident about the security of our encryption. If a valid RIPA request comes in or UK law enforcement goes through the MLAT, receives a court order and in turn gets Gmail user data, we will obviously provide that data decrypted. If it was to use a third-party provider to gather the encrypted data, I think it very unlikely that Google Inc would provide anyone outside Google Inc with that key. That is simply because, as everyone said earlier, security is our most important asset. Our relationship with our users is predicated on trust.
>> Without that, we have no business".65
>>
>
>
>
> [1] http://www.publications.parliament.uk/pa/jt201213/jtselect/jtdraftcomuni/79/79.pdf

From alan.braggins at gmail.com Wed Dec 12 17:03:01 2012
From: alan.braggins at gmail.com (Alan Braggins)
Date: Wed, 12 Dec 2012 17:03:01 +0000
Subject: Perfect Forward Secrecy: Not So Perfect, Not So Forward
In-Reply-To: <50C79EBA.9040109@zen.co.uk>
References: <84AA0149-0EC8-4A79-9470-C65BF912942A@batten.eu.org> <50C79EBA.9040109@zen.co.uk>
Message-ID: <50C8B8C5.1060202@gmail.com>

On 11/12/12 20:59, Peter Fairbrother wrote:
> It's been a while since I checked, but I think Google do offer a DHE suite - but the client must ask for one, they are not used as default.

The default is now DHE.

http://googleonlinesecurity.blogspot.co.uk/2011/11/protecting-data-for-long-term-with.html
"We are now pushing forward by enabling forward secrecy by default."

http://www.imperialviolet.org/2011/11/22/forwardsecret.html
"Firstly, the preferred cipher suite for most Google HTTPS servers is ECDHE-RSA-RC4-SHA. If you have a client that supports it, you'll be using that ciphersuite."

From flyingkiwiguy at gmail.com Thu Dec 13 00:57:27 2012
From: flyingkiwiguy at gmail.com (Gary Mulder)
Date: Thu, 13 Dec 2012 00:57:27 +0000
Subject: Fwd: [London-Futurists] SCRAP U.K. "COMMUNICATIONS DATA BILL" PETITION
In-Reply-To: <1721103010.1355349244662.JavaMail.nobody@james2.pvt.meetup.com>
References: <1721103010.1355349244662.JavaMail.nobody@james2.pvt.meetup.com>
Message-ID: 

FYI:

---------- Forwarded message ----------
From: *Lisa Austen*
Date: Thursday, 13 December 2012
Subject: [London-Futurists] SCRAP U.K. "COMMUNICATIONS DATA BILL" PETITION
To: london-futurists-list at meetup.com

Dear Friends,

The United Kingdom could soon become a "surveillance superpower" --- more so than it already is --- following today's publication of the draft Communications Data Bill by the U.K. government.
This Bill waives every single privacy law ever enacted in the name of "cyber security". Allowing the "intelligence agencies" to spy on British citizens on British soil goes against every principle this country was founded on. Internet firms will be required to give intelligence agency GCHQ access to communications on demand, in real time. The Home Office says the move is key to tackling crime and terrorism.

They have no right to attack our privacy, if the legislation goes through, Britain will be no different from regimes it criticises such as China and Iran. It would enable intelligence officers to identify who an individual or group is in contact with, how often and for how long. They would also be able to see which websites someone had visited.

The U.K. government says it will spend £1.8 billion ($2.8bn) once the bill passes through Parliament. Critics say it could cost as much as £2 billion ($3.1bn). It's a good job we're not in a double dip recession. Oh, wait..!!

If you don't agree with this Bill then please sign this petition and share your views on this subject; those who agree with the bill are also welcome to have a debate on this issue. Government should scrap plans immediately.

http://epetitions.direct.gov.uk/petitions/32400

Written by Lisa Austen 11.12.12
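An added worked example, not code from this thread, from Google or from any TLS implementation, of the handshake difference Peter Fairbrother describes in the Perfect Forward Secrecy thread above. With an RSA key-exchange suite the client encrypts the premaster secret to the server's certificate key, so anyone who records the handshake and later holds that private key derives the session key; with a DHE suite the certificate key only signs the server's ephemeral share, and the recorded handshake plus the private key yield nothing unless the server kept its ephemeral secret. Everything cryptographic here is a toy assumption chosen so the script runs with the standard library alone: textbook unpadded RSA over two Mersenne primes, a Diffie-Hellman group of 2**127-1 with generator 3, and HMAC-SHA256 standing in for the TLS PRF. None of it is fit for real traffic.

```python
"""Added illustration of RSA key exchange versus DHE, as discussed in the
ukcrypto thread. Not code from the thread, from Google or from any TLS
stack: the RSA key (Mersenne primes, textbook padding-free RSA), the DH
group (2**127-1, g=3) and the HMAC-SHA256 stand-in for the TLS PRF are
all toy assumptions made for this example."""
import hashlib
import hmac
import math
import secrets

# Long-term "private certificate key" of the thread (assumed toy key).
RSA_P, RSA_Q, RSA_E = 2**521 - 1, 2**107 - 1, 65537
RSA_N = RSA_P * RSA_Q
assert math.gcd(RSA_E, (RSA_P - 1) * (RSA_Q - 1)) == 1
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))

# Assumed toy Diffie-Hellman group; a real server uses a standard group.
DH_P, DH_G = 2**127 - 1, 3
DH_LEN = 16          # bytes needed to hold any value below DH_P
PMS_LEN = 48         # TLS premaster secret length; 384 bits, well below RSA_N


def derive_session_key(secret: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """Stand-in for the TLS PRF: both ends mix the shared secret with the
    two handshake randoms to get the record-layer key."""
    return hmac.new(secret, b"master secret" + client_random + server_random,
                    hashlib.sha256).digest()


def rsa_sign(message: bytes) -> int:
    return pow(int.from_bytes(hashlib.sha256(message).digest(), "big"), RSA_D, RSA_N)


def rsa_verify(message: bytes, sig: int) -> bool:
    return pow(sig, RSA_E, RSA_N) == int.from_bytes(hashlib.sha256(message).digest(), "big")


def rsa_kx_handshake() -> dict:
    """Non-DHE suite: the client picks the premaster secret and sends it
    encrypted to the server's certificate key. Returns what a passive
    observer records plus the session key both ends derived."""
    client_random, server_random = secrets.token_bytes(32), secrets.token_bytes(32)
    premaster = secrets.token_bytes(PMS_LEN)
    encrypted_premaster = pow(int.from_bytes(premaster, "big"), RSA_E, RSA_N)
    # Server side: decrypt with RSA_D and derive the same key as the client.
    assert pow(encrypted_premaster, RSA_D, RSA_N).to_bytes(PMS_LEN, "big") == premaster
    return {"on_the_wire": (client_random, server_random, encrypted_premaster),
            "session_key": derive_session_key(premaster, client_random, server_random)}


def dhe_handshake(retain_server_secret: bool = False) -> dict:
    """DHE suite: the certificate key only signs the server's ephemeral DH
    share; the premaster secret is the DH result and never crosses the wire."""
    client_random, server_random = secrets.token_bytes(32), secrets.token_bytes(32)
    x_s = secrets.randbelow(DH_P - 2) + 1          # server ephemeral secret
    x_c = secrets.randbelow(DH_P - 2) + 1          # client ephemeral secret
    y_s, y_c = pow(DH_G, x_s, DH_P), pow(DH_G, x_c, DH_P)
    signed = client_random + server_random + y_s.to_bytes(DH_LEN, "big")
    shared = pow(y_c, x_s, DH_P).to_bytes(DH_LEN, "big")
    assert shared == pow(y_s, x_c, DH_P).to_bytes(DH_LEN, "big")
    out = {"on_the_wire": (client_random, server_random, y_s, rsa_sign(signed), y_c),
           "session_key": derive_session_key(shared, client_random, server_random)}
    if retain_server_secret:   # what a server must NOT do if it wants forward secrecy
        out["retained_server_secret"] = x_s
    return out


def decrypt_recorded_rsa_session(wire: tuple, rsa_d: int) -> bytes:
    """Retrospective attacker who captured the handshake and later obtained
    the long-term private key: recovers the premaster, hence the session key."""
    client_random, server_random, encrypted_premaster = wire
    premaster = pow(encrypted_premaster, rsa_d, RSA_N).to_bytes(PMS_LEN, "big")
    return derive_session_key(premaster, client_random, server_random)


def attack_recorded_dhe_session(wire: tuple, retained_server_secret=None):
    """Same attacker against a DHE capture. The certificate key lets him
    check the signature and nothing more; only a retained ephemeral secret
    (or solving the discrete log) yields the session key."""
    client_random, server_random, y_s, sig, y_c = wire
    if not rsa_verify(client_random + server_random + y_s.to_bytes(DH_LEN, "big"), sig):
        return None
    if retained_server_secret is None:
        return None
    shared = pow(y_c, retained_server_secret, DH_P).to_bytes(DH_LEN, "big")
    return derive_session_key(shared, client_random, server_random)


if __name__ == "__main__":
    s = rsa_kx_handshake()
    print("RSA kx, key recovered with private cert key:",
          decrypt_recorded_rsa_session(s["on_the_wire"], RSA_D) == s["session_key"])
    d = dhe_handshake()
    print("DHE, key recovered with private cert key only:",
          attack_recorded_dhe_session(d["on_the_wire"]) is not None)
    d = dhe_handshake(retain_server_secret=True)
    print("DHE, key recovered from retained ephemeral secret:",
          attack_recorded_dhe_session(d["on_the_wire"], d["retained_server_secret"]) == d["session_key"])
```

Run it directly to see the three outcomes; the functions return the derived keys so the comparison can be asserted rather than eyeballed. Note that the DHE attacker never needs the RSA private key at all: the signature is checked with the public key, which is exactly the "only used for authentication" property in Peter's footnote.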
From igb at batten.eu.org Thu Dec 13 08:50:43 2012
From: igb at batten.eu.org (Ian Batten)
Date: Thu, 13 Dec 2012 08:50:43 +0000
Subject: Re: [London-Futurists] SCRAP U.K. "COMMUNICATIONS DATA BILL" PETITION
In-Reply-To: 
References: <1721103010.1355349244662.JavaMail.nobody@james2.pvt.meetup.com>
Message-ID: <4E56DBA0-7E10-4EFB-98B3-849AFB92987D@batten.eu.org>

On 13 Dec 2012, at 00:57, Gary Mulder wrote:
> FYI:
>
> ---------- Forwarded message ----------
> From: Lisa Austen
> Date: Thursday, 13 December 2012
> Subject: [London-Futurists] SCRAP U.K. "COMMUNICATIONS DATA BILL" PETITION
> To: london-futurists-list at meetup.com
>
>
> Dear Friends,
>
> The United Kingdom could soon become a "surveillance superpower" --- more so than it already is --- following today's publication of the draft Communications Data Bill by the U.K. government.

It was published six months ago tomorrow. That's "futurists" in the sense of "an Italian art movement of the early 20th century", presumably.

ian

From zenadsl6186 at zen.co.uk Thu Dec 13 19:04:35 2012
From: zenadsl6186 at zen.co.uk (Peter Fairbrother)
Date: Thu, 13 Dec 2012 19:04:35 +0000
Subject: Perfect Forward Secrecy: Not So Perfect, Not So Forward
In-Reply-To: <50C8B8C5.1060202@gmail.com>
References: <84AA0149-0EC8-4A79-9470-C65BF912942A@batten.eu.org> <50C79EBA.9040109@zen.co.uk> <50C8B8C5.1060202@gmail.com>
Message-ID: <50CA26C3.3040909@zen.co.uk>

On 12/12/12 17:03, Alan Braggins wrote:
> On 11/12/12 20:59, Peter Fairbrother wrote:
>> It's been a while since I checked, but I think Google do offer a DHE suite - but the client must ask for one, they are not used as default.
>
> The default is now DHE.
>
> http://googleonlinesecurity.blogspot.co.uk/2011/11/protecting-data-for-long-term-with.html
>
> "We are now pushing forward by enabling forward secrecy by default."
>
> http://www.imperialviolet.org/2011/11/22/forwardsecret.html
> "Firstly, the preferred cipher suite for most Google HTTPS servers is ECDHE-RSA-RC4-SHA. If you have a client that supports it, you'll be using that ciphersuite."

Sounds good, shame it doesn't work with IE .. so Google should only be able to retrospectively decrypt SSL sessions about 1/3 of the time.

Suppose plod are looking at minimally-competent badguy. He has a Gmail account which he uses for crooked purposes, but being minimally competent he doesn't use his real name.

He accesses his crooky Gmail account from home (and afaict he may also access another Gmail account in the same SSL session), we'll assume he uses a DHE-supported browser, and his ISP keeps some kind of record of his internet use - if Plod demand account use details from Google, how do Google know his account name? From the IP? Do Gmail keep records of IPs? For how long?

-- peter F

From lists at internetpolicyagency.com Fri Dec 14 09:06:01 2012
From: lists at internetpolicyagency.com (Roland Perry)
Date: Fri, 14 Dec 2012 09:06:01 +0000
Subject: Transaction history of Paywave cards
Message-ID: 

Paywave cards are now accepted on London buses (in a very basic configuration, no daily capping, no use on the tube), as an alternative to Oyster.

If a ticket inspector wants to check your Oyster card on the bus to see if you have paid, then it contains a recent journey history (10 transactions I think).

Do Paywave cards have any history stored on them - even as minimal as the time/date/amount of the most recent usage?
-- 
Roland Perry

From tony.naggs at googlemail.com Fri Dec 14 11:19:35 2012
From: tony.naggs at googlemail.com (Tony Naggs)
Date: Fri, 14 Dec 2012 11:19:35 +0000
Subject: Transaction history of Paywave cards
In-Reply-To: 
References: 
Message-ID: 

Hi Roland, all

I'm sure the contactless credit cards have transaction history, for fraud investigation & enforcing limits on the number of transactions without entering a PIN.
I have not read the EMV standard for contactless cards, but that would contain details. The credit cards are 'smartcards' with a simple microcontroller, memory & crypto support, so they could have sophisticated access control rules to the different data they contain.

Newer Oyster cards, since early 2011, are similar Mifare DESFire EV1, rather than the previous encrypted memory Mifare ['Classic'] 1k cards.

Maybe I'll use my contactless card on a bus the next time I'm in London, and see how easy it is to read the details back from the card.

Cheers,
Tony

On 14 December 2012 09:06, Roland Perry wrote:
> Paywave cards are now accepted on London buses (in a very basic configuration, no daily capping, no use on the tube), as an alternative to Oyster.
>
> If a ticket inspector wants to check your Oyster card on the bus to see if you have paid, then it contains a recent journey history (10 transactions I think).
>
> Do Paywave cards have any history stored on them - even as minimal as the time/date/amount of the most recent usage?
> --
> Roland Perry
>
>

From jon+ukcrypto at unequivocal.co.uk Fri Dec 14 12:43:30 2012
From: jon+ukcrypto at unequivocal.co.uk (Jon Ribbens)
Date: Fri, 14 Dec 2012 12:43:30 +0000
Subject: Transaction history of Paywave cards
In-Reply-To: 
References: 
Message-ID: <20121214124330.GP12289@snowy.squish.net>

On Fri, Dec 14, 2012 at 09:06:01AM +0000, Roland Perry wrote:
> Paywave cards are now accepted on London buses (in a very basic configuration, no daily capping, no use on the tube), as an alternative to Oyster.
>
> If a ticket inspector wants to check your Oyster card on the bus to see if you have paid, then it contains a recent journey history (10 transactions I think).
>
> Do Paywave cards have any history stored on them - even as minimal as the time/date/amount of the most recent usage?
I would doubt that even if it did the ticket inspector could read it. Do you not get a paper ticket if you use contactless payment?

From lists at internetpolicyagency.com Fri Dec 14 19:14:19 2012
From: lists at internetpolicyagency.com (Roland Perry)
Date: Fri, 14 Dec 2012 19:14:19 +0000
Subject: Transaction history of Paywave cards
In-Reply-To: 
References: 
Message-ID: 

In article , Tony Naggs writes
> I'm sure the contactless credit cards have transaction history, for fraud investigation & enforcing limits on the number of transactions without entering a PIN.
> I have not read the EMV standard for contactless cards, but that would contain details

I've read through a 200-page spec today and there's no mention of writing anything to the card. Indeed, the card is allowed to be removed from the RF field of the reader before the latter has even started to authenticate the transaction, let alone in a position to tell the card that it's been successful.
-- 
Roland Perry

From lists at internetpolicyagency.com Fri Dec 14 19:16:44 2012
From: lists at internetpolicyagency.com (Roland Perry)
Date: Fri, 14 Dec 2012 19:16:44 +0000
Subject: Transaction history of Paywave cards
In-Reply-To: <20121214124330.GP12289@snowy.squish.net>
References: <20121214124330.GP12289@snowy.squish.net>
Message-ID: 

In article <20121214124330.GP12289 at snowy.squish.net>, Jon Ribbens writes
>> Paywave cards are now accepted on London buses (in a very basic configuration, no daily capping, no use on the tube), as an alternative to Oyster.
>>
>> If a ticket inspector wants to check your Oyster card on the bus to see if you have paid, then it contains a recent journey history (10 transactions I think).
>>
>> Do Paywave cards have any history stored on them - even as minimal as the time/date/amount of the most recent usage?
>
> I would doubt that even if it did the ticket inspector could read it. Do you not get a paper ticket if you use contactless payment?
Perhaps you get a thermal-printed receipt, but that would slow the process down somewhat. There must be a definitive answer to your question though.

(Have you seen the advert with the chap in New York in a roller-coaster swiping his card - that didn't seem to feature receipts).
-- 
Roland Perry

From tony.naggs at googlemail.com Fri Dec 14 20:00:04 2012
From: tony.naggs at googlemail.com (Tony Naggs)
Date: Fri, 14 Dec 2012 20:00:04 +0000
Subject: Transaction history of Paywave cards
In-Reply-To: 
References: 
Message-ID: 

On 14 December 2012 19:14, Roland Perry wrote:
> In article gmail.com>, Tony Naggs <tony.naggs at googlemail.com> writes
>
>> I'm sure the contactless credit cards have transaction history, for fraud investigation & enforcing limits on the number of transactions without entering a PIN.
>> I have not read the EMV standard for contactless cards, but that would contain details
>
> I've read through a 200-page spec today and there's no mention of writing anything to the card. Indeed, the card is allowed to be removed from the RF field of the reader before the latter has even started to authenticate the transaction, let alone in a position to tell the card that it's been successful.

Sorry, I made a wrong assumption then.

The BBC News story & film do not show any paper ticket being issued .. some of the readers shown look like those from the middle of the bendy buses and so could not issue a paper ticket anyway.

An alternative way for ticket inspection to work is that the inspector's card reader first fetches a list of card unique (serial) ids from the bus readers for the current journey, and can then compare those with the credit cards presented for inspection.

Cheers,
Tony
From rl.hird at orpheusmail.co.uk Fri Dec 14 19:58:16 2012
From: rl.hird at orpheusmail.co.uk (Roger Hird)
Date: Fri, 14 Dec 2012 19:58:16 +0000 (GMT)
Subject: Transaction history of Paywave cards
In-Reply-To: 
References: <20121214124330.GP12289@snowy.squish.net>
Message-ID: <52fe194e79rl.hird@orpheusmail.co.uk>

In article , Roland Perry wrote:
>> I would doubt that even if it did the ticket inspector could read it. Do you not get a paper ticket if you use contactless payment?
> Perhaps you get a thermal-printed receipt, but that would slow the process down somewhat. There must be a definitive answer to your question though.
> (Have you seen the advert with the chap in New York in a roller-coaster swiping his card - that didn't seem to feature receipts).

It's probably clear to everyone - though possibly not to people who don't use or know them - but you don't get tickets or receipts when using Oyster Cards. Actually, I'm not sure how contactless cards without some remembered stuff on them can easily work in the same wipe in/wipe out system as Oyster unless you are billed the maximum ticket cost for every journey when you swipe it in. Perhaps just as a ticket purchasing medium at offices? Oh well, someone will know.

-- 
Roger Hird rl.hird at orpheusmail.co.uk
Website: http://roger.hird.orpheusweb.co.uk

From pwt at iosis.co.uk Sat Dec 15 07:10:28 2012
From: pwt at iosis.co.uk (Peter Tomlinson)
Date: Sat, 15 Dec 2012 07:10:28 +0000
Subject: Transaction history of Paywave cards
In-Reply-To: <52fe194e79rl.hird@orpheusmail.co.uk>
References: <20121214124330.GP12289@snowy.squish.net> <52fe194e79rl.hird@orpheusmail.co.uk>
Message-ID: <50CC2264.3020701@iosis.co.uk>

On 14/12/2012 19:58, Roger Hird wrote:
> It's probably clear to everyone - though possibly not to people who don't use or know them - but you don't get tickets or receipts when using Oyster Cards.
> Actually, I'm not sure how contactless cards without some remembered stuff on them can easily work in the same wipe in/wipe out system as Oyster unless you are billed the maximum ticket cost for every journey when you swipe it in. Perhaps just as a ticket purchasing medium at offices? Oh well, someone will know.

You don't get billed anything when you touch in on a TfL bus with a standard [1] contactless payment card. If your card is accepted, the card's bank information is logged and later reported to the back office [2]. You are charged overnight with the amount that the back office calculates that you owe for the day. This is ticketless travel.

Peter

[1] Only normal debit/credit cards accepted, I think, i.e. not pre-paid cards.

[2] There is an authorisation process (in the report of the Mastercard New York trial on the metro I read that, when extending to buses, they were intending to use GPRS to talk to the local back office, with a small hot list in the vehicle's system as backup if the link was not available). TfL takes some of the risk - remember that the intention in London is to get people to travel, which is why the bus driver does not challenge people whose card is rejected or who simply don't touch in when they get on the bus.

From lists at internetpolicyagency.com Sat Dec 15 08:59:18 2012
From: lists at internetpolicyagency.com (Roland Perry)
Date: Sat, 15 Dec 2012 08:59:18 +0000
Subject: Transaction history of Paywave cards
In-Reply-To: 
References: <20121214124330.GP12289@snowy.squish.net>
Message-ID: 

In article , Roland Perry writes
>> I would doubt that even if it did the ticket inspector could read it. Do you not get a paper ticket if you use contactless payment?
>
> Perhaps you get a thermal-printed receipt, but that would slow the process down somewhat. There must be a definitive answer to your question though.
I've been pointed at this, from TfL: "You won't get a receipt (or paper bus ticket) when you use a contactless payment card; exactly the same as when you use an Oyster card. Each bus journey made using your contactless card will be shown as a separate transaction on your bank or card statement." -- Roland Perry From lists at internetpolicyagency.com Sat Dec 15 09:08:51 2012 From: lists at internetpolicyagency.com (Roland Perry) Date: Sat, 15 Dec 2012 09:08:51 +0000 Subject: Transaction history of Paywave cards In-Reply-To: <52fe194e79rl.hird@orpheusmail.co.uk> References: <20121214124330.GP12289@snowy.squish.net> <52fe194e79rl.hird@orpheusmail.co.uk> Message-ID: <2zAEOBnj4DzQFAnC@perry.co.uk> In article <52fe194e79rl.hird at orpheusmail.co.uk>, Roger Hird writes >Actually, I'm not sure how >contactless cards without some remembered stuff on them can >easily work in the same wipe in/wipe out system as Oyster unless >you are billed the maximum ticket cost for every journey when you >swipe it in. London buses are flat fare [1] so no swiping out required. >Perhaps just as a ticket purchasing medium at offices? No, it will eventually be accepted at all 'Oyster' gates. Oyster works by deducting a fairly high "entrance fee", and then giving you a refund if/when you swipe out to prove you've done a short enough journey. The contactless card could use the same mechanism, or alternatively they might be planning on using a series of £0 transactions to track your progress through the network, then work out retrospectively what the final charge should be - then present that as one entry on your bill. [1] £2.40 for cash, £1.40 Oyster or contactless card. Oyster has a daily cap of £4.40, but contactless card doesn't (yet). 
-- Roland Perry From pwt at iosis.co.uk Sat Dec 15 09:27:00 2012 From: pwt at iosis.co.uk (Peter Tomlinson) Date: Sat, 15 Dec 2012 09:27:00 +0000 Subject: Transaction history of Paywave cards In-Reply-To: <2zAEOBnj4DzQFAnC@perry.co.uk> References: <20121214124330.GP12289@snowy.squish.net><52fe194e79rl.hird@orpheusmail.co.uk> <2zAEOBnj4DzQFAnC@perry.co.uk> Message-ID: <50CC4264.4000303@iosis.co.uk> On 15/12/2012 09:08, Roland Perry wrote: > ... they might be planning on using a series of £0 transactions to > track your progress through the network, then work out retrospectively > what the final charge should be - then present that as one entry on > your bill. That is what they have been saying that they are doing, and indeed they had to explain to the banks the need for a £0 transaction. Peter From lists at internetpolicyagency.com Sat Dec 15 09:38:33 2012 From: lists at internetpolicyagency.com (Roland Perry) Date: Sat, 15 Dec 2012 09:38:33 +0000 Subject: Transaction history of Paywave cards In-Reply-To: <50CC4264.4000303@iosis.co.uk> References: <20121214124330.GP12289@snowy.squish.net> <52fe194e79rl.hird@orpheusmail.co.uk> <2zAEOBnj4DzQFAnC@perry.co.uk> <50CC4264.4000303@iosis.co.uk> Message-ID: <5W+XnOtZUEzQFAV$@perry.co.uk> In article <50CC4264.4000303 at iosis.co.uk>, Peter Tomlinson writes >> ... they might be planning on using a series of £0 transactions to >>track your progress through the network, then work out retrospectively >>what the final charge should be - then present that as one entry on >>your bill. >That is what they have been saying that they are doing, and indeed they >had to explain to the banks the need for a £0 transaction. I hope they will have a way for you to audit the charge, similar to getting an Oyster "statement" that shows all the touches in/out and sideways for each of your trips. 
-- Roland Perry From benc at hawaga.org.uk Sat Dec 15 11:41:23 2012 From: benc at hawaga.org.uk (Ben Clifford) Date: Sat, 15 Dec 2012 11:41:23 +0000 (UTC) Subject: Transaction history of Paywave cards In-Reply-To: <5W+XnOtZUEzQFAV$@perry.co.uk> References: <20121214124330.GP12289@snowy.squish.net> <52fe194e79rl.hird@orpheusmail.co.uk> <2zAEOBnj4DzQFAnC@perry.co.uk> <50CC4264.4000303@iosis.co.uk> <5W+XnOtZUEzQFAV$@perry.co.uk> Message-ID: The previously posted contactless-on-bus URL points to this other URL: http://www.tfl.gov.uk/corporate/projectsandschemes/19976.aspx My three highlights: > you'll also be able to check your journey history online, > And because everything will be managed by your card issuer, it means the > whole system is secure. There's no need for PIN numbers, and at no point > will we have access to your account. > Once the system has been rolled out across all our services, fares will > be capped like Oyster. -- From lists at internetpolicyagency.com Sat Dec 15 15:24:15 2012 From: lists at internetpolicyagency.com (Roland Perry) Date: Sat, 15 Dec 2012 15:24:15 +0000 Subject: Transaction history of Paywave cards In-Reply-To: References: <20121214124330.GP12289@snowy.squish.net> <52fe194e79rl.hird@orpheusmail.co.uk> <2zAEOBnj4DzQFAnC@perry.co.uk> <50CC4264.4000303@iosis.co.uk> <5W+XnOtZUEzQFAV$@perry.co.uk> Message-ID: In article , Ben Clifford writes > >The previously posted contactless-on-bus URL points to this other URL: > >http://www.tfl.gov.uk/corporate/projectsandschemes/19976.aspx > >My three highlights: > >> you'll also be able to check your journey history online, That sounds helpful, although perhaps you'll have to register your Paywave card separately with TfL, rather than getting this information online from your credit card supplier?? >> And because everything will be managed by your card issuer, it means the >> whole system is secure. There's no need for PIN numbers, and at no point >> will we have access to your account. 
Other than to deduct money from it, clearly. >> Once the system has been rolled out across all our services, fares will >> be capped like Oyster. Agreed. It's the details of the implementation we are interested in. -- Roland Perry From pwt at iosis.co.uk Sat Dec 15 15:39:50 2012 From: pwt at iosis.co.uk (Peter Tomlinson) Date: Sat, 15 Dec 2012 15:39:50 +0000 Subject: Transaction history of Paywave cards In-Reply-To: References: <20121214124330.GP12289@snowy.squish.net><52fe194e79rl.hird@orpheusmail.co.uk> <2zAEOBnj4DzQFAnC@perry.co.uk><50CC4264.4000303@iosis.co.uk> <5W+XnOtZUEzQFAV$@perry.co.uk> Message-ID: <50CC99C6.3090805@iosis.co.uk> On 15/12/2012 15:24, Roland Perry wrote: > Once the system has been rolled out across all our services, fares will >>> be capped like Oyster. > > Agreed. It's the details of the implementation we are interested in. Well, they are actually very busy people, because, as well as rolling out all the rest of the contactless bank card scheme, the next phase they are now working on (IOP3, being I believe the third release of 'ITSO on Prestige'). Next comes integration with the ATOC/RSP project SEFT (South East Flexible Ticketing, currently being developed) for through travel to and from traditional heavy rail services that will be using ITSO method electronic National Rail tickets. Peter From igb at batten.eu.org Sat Dec 15 23:54:20 2012 From: igb at batten.eu.org (Ian Batten) Date: Sat, 15 Dec 2012 23:54:20 +0000 Subject: Transaction history of Paywave cards In-Reply-To: <50CC2264.3020701@iosis.co.uk> References: <20121214124330.GP12289@snowy.squish.net> <52fe194e79rl.hird@orpheusmail.co.uk> <50CC2264.3020701@iosis.co.uk> Message-ID: On 15 Dec 2012, at 07:10, Peter Tomlinson wrote: > > [1] Only normal debit/credit cards accepted, I think, i.e. not pre-paid cards. I wonder why not. 
ian From pwt at iosis.co.uk Sun Dec 16 06:27:32 2012 From: pwt at iosis.co.uk (Peter Tomlinson) Date: Sun, 16 Dec 2012 06:27:32 +0000 Subject: Transaction history of Paywave cards In-Reply-To: References: <20121214124330.GP12289@snowy.squish.net><52fe194e79rl.hird@orpheusmail.co.uk><50CC2264.3020701@iosis.co.uk> Message-ID: <50CD69D4.8060006@iosis.co.uk> On 15/12/2012 23:54, Ian Batten wrote: > On 15 Dec 2012, at 07:10, Peter Tomlinson wrote: >> [1] Only normal debit/credit cards accepted, I think, i.e. not pre-paid cards. > I wonder why not. I'm told that they need online authorisation. Peter From lists at internetpolicyagency.com Sun Dec 16 07:56:49 2012 From: lists at internetpolicyagency.com (Roland Perry) Date: Sun, 16 Dec 2012 07:56:49 +0000 Subject: Transaction history of Paywave cards In-Reply-To: <50CD69D4.8060006@iosis.co.uk> References: <20121214124330.GP12289@snowy.squish.net> <52fe194e79rl.hird@orpheusmail.co.uk> <50CC2264.3020701@iosis.co.uk> <50CD69D4.8060006@iosis.co.uk> Message-ID: <1N4kBDPB7XzQFAFE@perry.co.uk> In article <50CD69D4.8060006 at iosis.co.uk>, Peter Tomlinson writes >>> [1] Only normal debit/credit cards accepted, I think, i.e. not pre-paid cards. >> I wonder why not. >I'm told that they need online authorisation. To make sure they have any money in the account, I presume; they don't keep a running total on the card itself. This is a bit of an issue, given that pre-paid cards are marketed to tourists at airports, and as a substitute for cash from various bureau-de-change, and the Paywave scheme on TfL is aimed largely at tourists (because UK-based regulars will have season tickets or Oysters). 
-- Roland Perry From lists at internetpolicyagency.com Sun Dec 16 07:53:23 2012 From: lists at internetpolicyagency.com (Roland Perry) Date: Sun, 16 Dec 2012 07:53:23 +0000 Subject: Transaction history of Paywave cards In-Reply-To: References: <20121214124330.GP12289@snowy.squish.net> <52fe194e79rl.hird@orpheusmail.co.uk> <50CC2264.3020701@iosis.co.uk> Message-ID: In article , Ian Batten writes >> [1] Only normal debit/credit cards accepted, I think, i.e. not pre-paid cards. > >I wonder why not. If they are tracking people's journeys by taking zero-pence charges, then an empty pre-paid card will work, right up to the point at the end of the day when they calculate how much they are owed and try to take the money from the card account. -- Roland Perry From pwt at iosis.co.uk Sun Dec 16 08:28:48 2012 From: pwt at iosis.co.uk (Peter Tomlinson) Date: Sun, 16 Dec 2012 08:28:48 +0000 Subject: Transaction history of Paywave cards In-Reply-To: <1N4kBDPB7XzQFAFE@perry.co.uk> References: <20121214124330.GP12289@snowy.squish.net><52fe194e79rl.hird@orpheusmail.co.uk> <50CC2264.3020701@iosis.co.uk><50CD69D4.8060006@iosis.co.uk> <1N4kBDPB7XzQFAFE@perry.co.uk> Message-ID: <50CD8640.5030306@iosis.co.uk> On 16/12/2012 07:56, Roland Perry wrote: "...the Paywave scheme on TfL is aimed largely at tourists (because UK-based regulars will have season tickets or Oysters)" Now I don't speak for TfL, nor am I in any way connected with the project, but even so I cannot disagree more. The entire thrust of the project in things that I see and hear is simplicity for the vast majority of users, together with cost reduction for TfL. There may of course be a risk of loss of loyalty to the Oyster brand as existing users convert to using bank cards, but no matter: as I indicated earlier, the aim is to facilitate the movement of people round London. 
Visitors to the country who bring full fat bank cards should have no problem using them on London's public transport - no need any more to buy an Oyster. A possible unintended consequence will be that uninformed people here in Bristol will be less likely to demand that we have Oyster here - there just isn't the public money to do what they really want, which is cheaper (i.e. subsidised) travel by public transport. Peter From igb at batten.eu.org Sun Dec 16 09:23:54 2012 From: igb at batten.eu.org (Ian Batten) Date: Sun, 16 Dec 2012 09:23:54 +0000 Subject: Transaction history of Paywave cards In-Reply-To: <1N4kBDPB7XzQFAFE@perry.co.uk> References: <20121214124330.GP12289@snowy.squish.net> <52fe194e79rl.hird@orpheusmail.co.uk> <50CC2264.3020701@iosis.co.uk> <50CD69D4.8060006@iosis.co.uk> <1N4kBDPB7XzQFAFE@perry.co.uk> Message-ID: <70626272-A563-4B61-951D-E22C5166FBE6@batten.eu.org> On 16 Dec 2012, at 07:56, Roland Perry wrote: > In article <50CD69D4.8060006 at iosis.co.uk>, Peter Tomlinson writes >>>> [1] Only normal debit/credit cards accepted, I think, i.e. not pre-paid cards. >>> I wonder why not. >> I'm told that they need online authorisation. > > To make sure they have any money in the account, I presume; they don't keep a running total on the card itself. But my children have bank cards. The accounts they're linked to have no overdraft facility (illegal to lend to under sixteens, and possibly under eighteens) and routinely towards the end of the months have balances substantially less than a day's travel in London. The distinction between those cards and pre-pay cards seems pretty tenuous. I don't see that pre-pay cards are uniquely, or even substantially, the "insufficient funds" problem. 
I suppose a pre-pay card has no reliable user information, and therefore you can't pursue them for non-payment, but realistically TfL is hardly going to start suing people for refused debit card transactions for a couple of quid (especially if they're not UK citizens/residents). ian From lists at internetpolicyagency.com Sun Dec 16 15:23:42 2012 From: lists at internetpolicyagency.com (Roland Perry) Date: Sun, 16 Dec 2012 15:23:42 +0000 Subject: Transaction history of Paywave cards In-Reply-To: <50CD8640.5030306@iosis.co.uk> References: <20121214124330.GP12289@snowy.squish.net> <52fe194e79rl.hird@orpheusmail.co.uk> <50CC2264.3020701@iosis.co.uk> <50CD69D4.8060006@iosis.co.uk> <1N4kBDPB7XzQFAFE@perry.co.uk> <50CD8640.5030306@iosis.co.uk> Message-ID: In article <50CD8640.5030306 at iosis.co.uk>, Peter Tomlinson writes > >On 16/12/2012 07:56, Roland Perry wrote: > >"...the Paywave scheme on TfL is aimed largely at tourists (because >UK-based regulars will have season tickets or Oysters)" > >Now I don't speak for TfL, nor am I in any way connected with the >project, but even so I cannot disagree more. The entire thrust of the >project in things that I see and hear is simplicity for the vast >majority of users, together with cost reduction for TfL. The vast majority of users have season tickets - are those storable on a Paywave card? >There may of course be a risk of loss of loyalty to the Oyster brand as >existing users convert to using bank cards, but no matter: as I >indicated earlier, the aim is to facilitate the movement of people >round London. Visitors to the country who bring full fat bank cards >should have no problem using them on London's public transport Not currently, because they only accept UK-issued Paywave cards. >- no need any more to buy an Oyster. > >A possible unintended consequence will be that uninformed people here >in Bristol will be less likely to demand that we have Oyster here - Oyster in Bristol - that's a new one. 
Wouldn't any new initiatives there be ITSO? > there just isn't the public money to do what they really want, which >is cheaper (i.e. subsidised) travel by public transport. And such folks are already in denial about how much most of their public transport is already subsidised. -- Roland Perry From lists at internetpolicyagency.com Sun Dec 16 15:29:06 2012 From: lists at internetpolicyagency.com (Roland Perry) Date: Sun, 16 Dec 2012 15:29:06 +0000 Subject: Transaction history of Paywave cards In-Reply-To: <70626272-A563-4B61-951D-E22C5166FBE6@batten.eu.org> References: <20121214124330.GP12289@snowy.squish.net> <52fe194e79rl.hird@orpheusmail.co.uk> <50CC2264.3020701@iosis.co.uk> <50CD69D4.8060006@iosis.co.uk> <1N4kBDPB7XzQFAFE@perry.co.uk> <70626272-A563-4B61-951D-E22C5166FBE6@batten.eu.org> Message-ID: In article <70626272-A563-4B61-951D-E22C5166FBE6 at batten.eu.org>, Ian Batten writes > >On 16 Dec 2012, at 07:56, Roland Perry wrote: > >> In article <50CD69D4.8060006 at iosis.co.uk>, Peter Tomlinson >> writes >>>>> [1] Only normal debit/credit cards accepted, I think, i.e. not >>>>>pre-paid cards. >>>> I wonder why not. >>> I'm told that they need online authorisation. >> >> To make sure they have any money in the account, I presume; they >>don't keep a running total on the card itself. > >But my children have bank cards. The accounts they're linked to have >no overdraft facility (illegal to lend to under sixteens, and possibly >under eighteens) and routinely towards the end of the months have >balances substantially less than a day's travel in London. The >distinction between those cards and pre-pay cards seems pretty tenuous. Not really. The banks know where your children live, so if they run up an unauthorised overdraft - or possibly if they have to refuse a payment to TfL that would create an overdraft - they can come after them. Whereas a prepay card is just something an anonymous bloke bought from a booth at an airport. 
Alternatively, maybe your children's cards have a flag that says "always authenticate online", which means it's yet another class of Paywave that the TfL buses won't be accepting. > I don't see that pre-pay cards are uniquely, or even substantially, >the "insufficient funds" problem. I suppose a pre-pay card has no >reliable user information, and therefore you can't pursue them for >non-payment, but realistically TfL is hardly going to start suing >people for refused debit card transactions for a couple of quid >(especially if they're not UK citizens/residents). No, but if such cards become a well known loophole, they could lose large amounts. -- Roland Perry From pwt at iosis.co.uk Sun Dec 16 16:33:59 2012 From: pwt at iosis.co.uk (Peter Tomlinson) Date: Sun, 16 Dec 2012 16:33:59 +0000 Subject: Transaction history of Paywave cards In-Reply-To: References: <20121214124330.GP12289@snowy.squish.net><52fe194e79rl.hird@orpheusmail.co.uk> <50CC2264.3020701@iosis.co.uk><50CD69D4.8060006@iosis.co.uk> <1N4kBDPB7XzQFAFE@perry.co.uk><50CD8640.5030306@iosis.co.uk> Message-ID: <50CDF7F7.5070907@iosis.co.uk> On 16/12/2012 15:23, Roland Perry wrote: > In article <50CD8640.5030306 at iosis.co.uk>, Peter Tomlinson > writes >> >> On 16/12/2012 07:56, Roland Perry wrote: >> >> "...the Paywave scheme on TfL is aimed largely at tourists (because >> UK-based regulars will have season tickets or Oysters)" >> >> Now I don't speak for TfL, nor am I in any way connected with the >> project, but even so I cannot disagree more. The entire thrust of the >> project in things that I see and hear is simplicity for the vast >> majority of users, together with cost reduction for TfL. > > The vast majority of users have season tickets - are those storable on > a Paywave card? They will be stored in the back office - this is ticketless travel, which we all have to get our heads around... 
> >> There may of course be a risk of loss of loyalty to the Oyster brand >> as existing users convert to using bank cards, but no matter: as I >> indicated earlier, the aim is to facilitate the movement of people >> round London. Visitors to the country who bring full fat bank cards >> should have no problem using them on London's public transport > > Not currently, because they only accept UK-issued Paywave cards. So next upgrade or three (in conjunction with MC and Visa) they will be accepting incoming cards... > >> - no need any more to buy an Oyster. >> >> A possible unintended consequence will be that uninformed people here >> in Bristol will be less likely to demand that we have Oyster here - > > Oyster in Bristol - that's new one. Wouldn't any new initiatives there > be ITSO? I wrote 'uninformed people'. > >> there just isn't the public money to do what they really want, which >> is cheaper (i.e. subsidised) travel by public transport. > > And such folks are already in denial about how much most of their > public transport is already subsidised. Exactly. But what they (we) actually want (as well as cheap) is something accountable, i.e. we can kick ass when it fails and get it fixed - permanently. This is the new paradigm shift (we now have an elected but apolitical (sic) Mayor in Bristol). Peter From lists at internetpolicyagency.com Sun Dec 16 18:36:00 2012 From: lists at internetpolicyagency.com (Roland Perry) Date: Sun, 16 Dec 2012 18:36:00 +0000 Subject: Transaction history of Paywave cards In-Reply-To: <50CDF7F7.5070907@iosis.co.uk> References: <20121214124330.GP12289@snowy.squish.net> <52fe194e79rl.hird@orpheusmail.co.uk> <50CC2264.3020701@iosis.co.uk> <50CD69D4.8060006@iosis.co.uk> <1N4kBDPB7XzQFAFE@perry.co.uk> <50CD8640.5030306@iosis.co.uk> <50CDF7F7.5070907@iosis.co.uk> Message-ID: In article <50CDF7F7.5070907 at iosis.co.uk>, Peter Tomlinson writes >> The vast majority of users have season tickets - are those storable >>on a Paywave card? 
>They will be stored in the back office - this is ticketless travel, >which we all have to get our heads around... So when you buy a season ticket you'll have extra options like "associate this with my Paywave card", as well as "load this onto my ITSO", "load this onto my Oyster", and "print it on a bit of dead tree". The only extension I've seen any mention of is the "load this onto my ITSO", which is apparently going to work [in London] late in 2013 at the same time as the Paywave card is acceptable on all modes. Coincidence? And getting back to my original question, that I still feel I need an answer to, how does a ticket inspector do his job in a regime of ticketless travel? >>> There may of course be a risk of loss of loyalty to the Oyster brand >>>as existing users convert to using bank cards, but no matter: as I >>>indicated earlier, the aim is to facilitate the movement of people >>>round London. Visitors to the country who bring full fat bank cards >>>should have no problem using them on London's public transport >> >> Not currently, because they only accept UK-issued Paywave cards. >So next upgrade or three (in conjunction with MC and Visa) they will be >accepting incoming cards... Speculation, or do you know this as a fact? -- Roland Perry From pwt at iosis.co.uk Sun Dec 16 19:51:51 2012 From: pwt at iosis.co.uk (Peter Tomlinson) Date: Sun, 16 Dec 2012 19:51:51 +0000 Subject: Transaction history of Paywave cards In-Reply-To: References: <20121214124330.GP12289@snowy.squish.net><52fe194e79rl.hird@orpheusmail.co.uk> <50CC2264.3020701@iosis.co.uk><50CD69D4.8060006@iosis.co.uk> <1N4kBDPB7XzQFAFE@perry.co.uk><50CD8640.5030306@iosis.co.uk> <50CDF7F7.5070907@iosis.co.uk> Message-ID: <50CE2657.6030408@iosis.co.uk> On 16/12/2012 18:36, Roland Perry wrote: > In article <50CDF7F7.5070907 at iosis.co.uk>, Peter Tomlinson > writes So next upgrade or three (in conjunction with > MC and Visa) they will be accepting incoming cards... 
> > Speculation, or do you know this as a fact? Speculation, but it's the obvious thing for them (and MC and Visa) to do. Peter From pwt at iosis.co.uk Mon Dec 17 06:40:32 2012 From: pwt at iosis.co.uk (Peter Tomlinson) Date: Mon, 17 Dec 2012 06:40:32 +0000 Subject: NSTIC (USA) Message-ID: <50CEBE60.4020001@iosis.co.uk> This, I'm well aware, is a UK group, but from across the pond comes news of NSTIC and the USA Identity Ecosystem Pilots: http://nstic.blogs.govdelivery.com/2012/12/13/seeking-small-business-partners-to-evaluate-nstic-identity-ecosystem-pilots/ Season's Greetings, Peter From pwt at iosis.co.uk Mon Dec 17 07:35:28 2012 From: pwt at iosis.co.uk (Peter Tomlinson) Date: Mon, 17 Dec 2012 07:35:28 +0000 Subject: Transaction history of Paywave cards In-Reply-To: References: <20121214124330.GP12289@snowy.squish.net><52fe194e79rl.hird@orpheusmail.co.uk> <50CC2264.3020701@iosis.co.uk><50CD69D4.8060006@iosis.co.uk> <1N4kBDPB7XzQFAFE@perry.co.uk><50CD8640.5030306@iosis.co.uk> <50CDF7F7.5070907@iosis.co.uk> Message-ID: <50CECB40.30108@iosis.co.uk> Just arrived is this link to a good article, dated Dec 13: http://nfctimes.com/news/london-bus-riders-can-tap-bank-cards-pay-fares-nfc-acceptance-unlikely-now And another, dated Dec 14, this time a strange article that makes incorrect use of the term NFC: http://hexus.net/business/news/enterprise/49353-entire-london-transport-network-accept-nfc-end-2013/ These links courtesy of Smartexpress, a free daily news service from Smartex Ltd. Peter On 16/12/2012 18:36, Roland Perry wrote: > In article <50CDF7F7.5070907 at iosis.co.uk>, Peter Tomlinson > writes > >>> The vast majority of users have season tickets - are those storable >>> on a Paywave card? > >> They will be stored in the back office - this is ticketless travel, >> which we all have to get our heads around... 
> > So when you buy a season ticket you'll have extra options like > "associate this with my Paywave card", as well as "load this onto my > ITSO", "load this onto my Oyster", and "print it on a bit of dead tree". > > The only extension I've seen any mention of is the "load this onto my > ITSO", which is apparently going to work [in London] late in 2013 at > the same time as the Paywave card is acceptable on all modes. > > Coincidence? > > And getting back to my original question, that I still feel I need an > answer to, how does a ticket inspector do his job in a regime of > ticketless travel? > >>>> There may of course be a risk of loss of loyalty to the Oyster >>>> brand as existing users convert to using bank cards, but no matter: >>>> as I indicated earlier, the aim is to facilitate the movement of >>>> people round London. Visitors to the country who bring full fat >>>> bank cards should have no problem using them on London's public >>>> transport >>> >>> Not currently, because they only accept UK-issued Paywave cards. >> So next upgrade or three (in conjunction with MC and Visa) they will >> be accepting incoming cards... > > Speculation, or do you know this as a fact? 
> From lists at internetpolicyagency.com Mon Dec 17 09:10:06 2012 From: lists at internetpolicyagency.com (Roland Perry) Date: Mon, 17 Dec 2012 09:10:06 +0000 Subject: Transaction history of Paywave cards In-Reply-To: <50CECB40.30108@iosis.co.uk> References: <20121214124330.GP12289@snowy.squish.net> <52fe194e79rl.hird@orpheusmail.co.uk> <50CC2264.3020701@iosis.co.uk> <50CD69D4.8060006@iosis.co.uk> <1N4kBDPB7XzQFAFE@perry.co.uk> <50CD8640.5030306@iosis.co.uk> <50CDF7F7.5070907@iosis.co.uk> <50CECB40.30108@iosis.co.uk> Message-ID: In article <50CECB40.30108 at iosis.co.uk>, Peter Tomlinson writes >And another, dated Dec 14, this time a strange article that makes >incorrect use of the term NFC: > >http://hexus.net/business/news/enterprise/49353-entire-london-transport- >network-accept-nfc-end-2013/ And also fails to note that currently the system is not available to *foreign* tourists. -- Roland Perry From tharg at gmx.net Mon Dec 17 13:27:09 2012 From: tharg at gmx.net (Caspar Bowden (travelling)) Date: Mon, 17 Dec 2012 14:27:09 +0100 Subject: NSTIC (USA) In-Reply-To: <50CEBE60.4020001@iosis.co.uk> References: <50CEBE60.4020001@iosis.co.uk> Message-ID: <50CF1DAD.3050705@gmx.net> FYI - a lot of this comes from the work Kim Cameron and I did when I was with Microsoft (until Sep 2011) If one clicks through the referenced .pdf to http://www.nist.gov/itl/csd/ct/pec-workshop.cfm it is evident there are some serious people involved Although I do not have warm words for Microsoft's activities in privacy, the concepts pursued here are IMHO still valid, 12 years after Brands' PhD thesis and 20 years after Chaum's SciAm article on privacy in e-govt. Building these kinds of system _without_ such technology (and especially without a horizontal Data Protection law rather stronger than EU95/46 or the new Regulation) is just building a humongous transactional surveillance system... 
Despite many to educate HMG since 2006 in many fora, AFAIK the UK version of NSTIC does _not_ have any similar genuine PET element (slender hope that it is in NSTIC), and _will_ be a humongous transactional surveillance system... http://www.independent.co.uk/news/uk/politics/national-virtual-id-card-scheme-set-for-launch-is-there-anything-that-could-possibly-go-wrong-8196543.html Caspar On 17/12/12 07:40, Peter Tomlinson wrote: > This, I'm well aware, is a UK group, but from across the pond comes > news of NSTIC and the USA Identity Ecosystem Pilots: > > http://nstic.blogs.govdelivery.com/2012/12/13/seeking-small-business-partners-to-evaluate-nstic-identity-ecosystem-pilots/ > > > Season's Greetings, > > Peter From igb at batten.eu.org Thu Dec 20 09:55:59 2012 From: igb at batten.eu.org (Ian Batten) Date: Thu, 20 Dec 2012 09:55:59 +0000 Subject: Victory for the Mail! Children WILL be protected from online porn after Cameron orders sites to be blocked automatically | Mail Online Message-ID: <585E2CDF-5686-49FF-8A86-FD1F8A416F08@batten.eu.org> Yes, I know, reading the Daily Mail rots the brain, although in my defence I only saw this story because it was on the front page that Paxman showed at the end of last night's Newsnight. David Cameron is trying to square the circle of the Mail's howling about online pornography and the resounding results of the recent consultation exercise: David Cameron writes: > Want to restrict access to Facebook after 8pm? Decide to allow younger children to view fewer sites than their older siblings? Or want to stop access to certain sites altogether? Now you will be shown how to do it. 
> > > Read more: http://www.dailymail.co.uk/news/article-2250809/Victory-Mail-Children-WILL-protected-online-porn-Cameron-orders-sites-blocked-automatically.html#ixzz2FaHpxWqU > Follow us: @MailOnline on Twitter | DailyMail on Facebook So, for those of us in the security community, it appears Dave is going to solve the problem of home users sharing computers and/or sharing accounts at a stroke. All the issues associated with people using one login (or, more commonly, no logins) will be gone. And, better, devices which don't have the concept of multiple users (such as those iPads which so few people have bought, and which have been so unpopular since their damp-squib launch) will now be locked to a single user and won't be shared around in households. Excellent! That's a major security issue solved at a stroke! ian From jim at openrightsgroup.org Thu Dec 20 10:16:09 2012 From: jim at openrightsgroup.org (Jim Killock) Date: Thu, 20 Dec 2012 10:16:09 +0000 Subject: Victory for the Mail! Children WILL be protected from online porn after Cameron orders sites to be blocked automatically | Mail Online In-Reply-To: <585E2CDF-5686-49FF-8A86-FD1F8A416F08@batten.eu.org> References: <585E2CDF-5686-49FF-8A86-FD1F8A416F08@batten.eu.org> Message-ID: <7F203BA5-B770-4112-B504-995EB3D2DB13@openrightsgroup.org> On 20 Dec 2012, at 09:55, Ian Batten wrote: > Yes, I know, reading the Daily Mail rots the brain, although in my defence I only saw this story because it was on the front page that Paxman showed at the end of last night's Newsnight. David Cameron is trying to square the circle of the Mail's howling about online pornography and the resounding results of the recent consultation exercise: > > David Cameron writes: > >> Want to restrict access to Facebook after 8pm? Decide to allow younger children to view fewer sites than their older siblings? Or want to stop access to certain sites altogether? 
Now you will be shown how to do it. I think this is what's known as "spin": ISPs are already trying to alert parents to the existence of filters, and the official consultation response is calling for nothing more. Nor is it calling for legislation. Suddenly the need for parental understanding and control when implementing filtering tools to protect children appropriately has become very important for the Mail, despite being previously repeatedly dismissed by the Mail and Claire Perry as being dangerous for children whose (delinquent) parents will avoid implementing filters. The Mail's audacity knows no bounds in declaring victory anyway. >> >> >> Read more: http://www.dailymail.co.uk/news/article-2250809/Victory-Mail-Children-WILL-protected-online-porn-Cameron-orders-sites-blocked-automatically.html#ixzz2FaHpxWqU >> Follow us: @MailOnline on Twitter | DailyMail on Facebook > > So, for those of us in the security community, it appears Dave is going to solve the problem of home users sharing computers and/or sharing accounts at a stroke. All the issues associated with people using one login (or, more commonly, no logins) will be gone. And, better, devices which don't have the concept of multiple users (such as those iPads which so few people have bought, and which have been so unpopular since their damp-squib launch) will now be locked to a single user and won't be shared around in households. Excellent! That's a major security issue solved at a stroke! From brian at thejohnsons.co.uk Fri Dec 21 09:48:04 2012 From: brian at thejohnsons.co.uk (Brian L Johnson) Date: Fri, 21 Dec 2012 09:48:04 -0000 Subject: Elcomsoft $300 decryption tool. 
Message-ID:

http://thenextweb.com/insider/2012/12/20/this-299-tool-is-reportedly-capable-of-cracking-bitlocker-pgp-and-truecrypt-disks-in-real-time/

"This $299 tool is reportedly capable of decrypting BitLocker, PGP, and TrueCrypt disks in real-time"

The actual press release is at: http://www.elcomsoft.com/PR/EFDD_121220_en.pdf

So the computer has to be turned on? Or have hibernation files lying around in memory?

-- 
brianlj

From ben at links.org Fri Dec 21 18:02:04 2012
From: ben at links.org (Ben Laurie)
Date: Fri, 21 Dec 2012 18:02:04 +0000
Subject: Elcomsoft $300 decryption tool.
In-Reply-To:
References:
Message-ID:

On Fri, Dec 21, 2012 at 9:48 AM, Brian L Johnson wrote:
> http://thenextweb.com/insider/2012/12/20/this-299-tool-is-reportedly-capable-of-cracking-bitlocker-pgp-and-truecrypt-disks-in-real-time/
>
> "This $299 tool is reportedly capable of decrypting BitLocker, PGP, and
> TrueCrypt disks in real-time"

Somewhat misleadingly labeled product - it is actually a key stealing tool.

From brian at thejohnsons.co.uk Fri Dec 21 22:44:15 2012
From: brian at thejohnsons.co.uk (Brian L Johnson)
Date: Fri, 21 Dec 2012 22:44:15 -0000
Subject: Elcomsoft $300 decryption tool.
In-Reply-To:
References:
Message-ID:

Ben Laurie ,:
> On Fri, Dec 21, 2012 at 9:48 AM, Brian L Johnson wrote:
>> http://thenextweb.com/insider/2012/12/20/this-299-tool-is-reportedly-capable-of-cracking-bitlocker-pgp-and-truecrypt-disks-in-real-time/
>>
>> "This $299 tool is reportedly capable of decrypting BitLocker, PGP, and
>> TrueCrypt disks in real-time"
>
> Somewhat misleadingly labeled product - it is actually a key stealing
> tool.

True, but they could argue that the decrypting bit comes after the stealing bit.

-- 
brianlj

From igb at batten.eu.org Sun Dec 23 11:01:49 2012
From: igb at batten.eu.org (Ian Batten)
Date: Sun, 23 Dec 2012 11:01:49 +0000
Subject: Elcomsoft $300 decryption tool.
In-Reply-To:
References:
Message-ID:

On 21 Dec 2012, at 18:02, Ben Laurie wrote:

> On Fri, Dec 21, 2012 at 9:48 AM, Brian L Johnson wrote:
>> http://thenextweb.com/insider/2012/12/20/this-299-tool-is-reportedly-capable-of-cracking-bitlocker-pgp-and-truecrypt-disks-in-real-time/
>>
>> "This $299 tool is reportedly capable of decrypting BitLocker, PGP, and
>> TrueCrypt disks in real-time"
>
> Somewhat misleadingly labeled product - it is actually a key stealing tool.
>

And one which makes you ponder if they're still worrying about having to rewind VHS tapes before returning them to the video rental store. People who want to scare the money from the pockets of the gullible with talk of key-stealing attacks immediately invoke the fact that Firewire ports can do DMA all over memory. Firewire ports. On Windows. In 2012. What proportion of machines does that cover? And as, for practical purposes, no-one is using it, how hard would it be to either disable it in the BIOS or fill it with Araldite?

ian

[[ Apple, quietly, have addressed this issue with the "destroyfvkeyonstandby" option to pmset --- combined with standby and hibernatemode 3 or 25, you use standbydelay to say "on closing the lid, go to sleep, but after standbydelay seconds turn off the RAM and destroy the FileVault keys". ]]

ian
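An added audit script for the pmset recipe in Ian's note above (example code, not from the thread or from Apple): it parses the key/value lines that `pmset -g` prints and checks that the four settings he names are in the state where the FileVault key is actually destroyed on standby. It assumes the 2012-era key names destroyfvkeyonstandby, standby, hibernatemode and standbydelay; the sample outputs are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example, not from the thread: audit a Mac for the pmset recipe
# (destroyfvkeyonstandby + standby + hibernatemode 3/25 + standbydelay)
# by parsing the "key value" lines that `pmset -g` prints. Key names are
# the ones pmset used in 2012; later releases split standbydelay in two.

# Print the value of one key from captured `pmset -g` text ($1), or nothing.
pmset_value() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# Check captured `pmset -g` text ($1) against the recipe. Returns 0 when every
# setting matches; otherwise prints one line per problem and returns 1.
fv_standby_audit() {
    out=$1 rc=0
    destroy=$(pmset_value "$out" destroyfvkeyonstandby)
    standby=$(pmset_value "$out" standby)
    hmode=$(pmset_value "$out" hibernatemode)
    delay=$(pmset_value "$out" standbydelay)

    # The key is only wiped if the option is on AND the machine really
    # enters standby (RAM powered down) once standbydelay seconds have passed.
    [ "$destroy" = 1 ] || { echo "destroyfvkeyonstandby=${destroy:-unset}, want 1"; rc=1; }
    [ "$standby" = 1 ] || { echo "standby=${standby:-unset}, want 1"; rc=1; }
    case $hmode in
        3|25) ;;
        *) echo "hibernatemode=${hmode:-unset}, want 3 or 25"; rc=1 ;;
    esac
    case $delay in
        ''|*[!0-9]*) echo "standbydelay=${delay:-unset}, want whole seconds"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample of `pmset -g` output with the recipe applied.
GOOD_PMSET=' hibernatemode        3
 standby              1
 standbydelay         1800
 destroyfvkeyonstandby 1'

# Constructed sample with destroyfvkeyonstandby left at its default of 0:
# the machine sleeps and enters standby, but the FileVault key stays in RAM.
DEFAULT_PMSET=' hibernatemode        3
 standby              1
 standbydelay         4200
 destroyfvkeyonstandby 0'

# On a Mac, audit the live settings with:  fv_standby_audit "$(pmset -g)"
# (pmset -g shows the profile for the current power source; check both.)
```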
