gmane.law.cryptography.uk

Re: BBC News - 'Fresh proposals' planned over cyber-monitoring

Peter Fairbrother — 2013-05-22T22:12:44


That's good and bad security - good because access would be broadly 
limited to policemen who could enter the room, bad because there would 
be no logging of who asked. For the "bad old days", it's not that bad.

Limiting access to policemen, preferably at least sergeant level, and 
logging of who asked, and why (with occasional for-real checkups) is 
probably all that is needed for RDQs and electoral roll enquiries. They 
are not really very intrusive.

It's when they get into more intrusive matters. like phone and internet 
logs, that more severe restrictions are warranted. The intrusion is 
different, and more severe - so why not more severe restrictions? Like a 
Court-issued warrant?

That would cos for the Court time, but it would be balanced by not 
needing to go through a SPOC for most enquiries.

Might even end up cheaper - suppose Plod get a warrant, costs £800,  and 
get a list of 50 people the suspect called. If a SPOC RDQ enquiry costs 
£20, a non-SPOC RDQ enquiry costs £2, and a SPOC log en

Re: BBC News - 'Fresh proposals' planned over cyber-monitoring

Peter Fairbrother — 2013-05-22T21:42:17

That's true enough, but if they use the end of catching the 
harder-to-reach fruit in order to justify the means, but those means 
will not let them reach that fruit ...


I'd read it.


I don't have a TV.

(people think that's strange - it was my birthday yesterday, and my 
sister asked if I wanted a TV for a present, as she has every year for 
the last ten years - but I don't want one in the house, I'd just sit and 
watch it and get nothing done).


A legitimate investigative technique, most likely - but that does not 
mean we must make it possible, especially at any cost.

Re: BBC News - 'Fresh proposals' planned over cyber-monitoring

Ian Mason — 2013-05-22T17:24:52

On May 22, 2013, at 9:26 AM, Roland Perry wrote:


I can state from personal direct knowledge that in the early 90's that  
one non-metropolitan police force had unfettered online access access  
to BT's reverse-DQ and unlisted number databases. In the instance I  
directly observed no procedure or justification was required - just  
physical access to the terminal connected to BT (which in this case  
was situated in a suite of offices normally used as a major incident  
room alongside a PNC terminal and one connected to a database of all  
electoral rolls - both with similar lack of access controls or  
procedures).

Re: BBC Moneybox - contactless hiccups

Roland Perry — 2013-05-22T08:28:42

In article <20130521170923.GD20185-v7oSnKn4qNcd8cy4ZZikoQ< at >public.gmane.org>, Jon Ribbens 
<jon+ukcrypto-JgzTmhv+UHffC7kMvaharFpr/1R2p/CL< at >public.gmane.org> writes

And last week I had a Debit Card transaction "declined", when what they 
meant was "we can't seem to contact your bank at the moment, so hard 
luck".

But I suppose they'd say it was the POS machine declining to take the 
card, not the bank declining to authorise the funds. They really should 
have two different expressions for that.

Re: BBC News - 'Fresh proposals' planned over cyber-monitoring

Roland Perry — 2013-05-22T08:26:34

In article <519BFD2D.5070102-1HOZaDBbGgxaa/9Udqfwiw< at >public.gmane.org>, Peter Fairbrother 
<zenadsl6186-1HOZaDBbGgxaa/9Udqfwiw< at >public.gmane.org> writes

Her government does. But it's never a good argument that you should give 
up picking the low-hanging fruit, just because there's some harder to 
reach fruit elsewhere.


I could write a book about it.

Did you watch 'Endeavour' (the 'Morse' prequel). I've not seen the whole 
series yet, but they've done reverse-DQ phone numbers in two of the 
plots so far.


There's two elements to this. One is whether the access is required at 
all (and checking who a suspect has been in contact with is normally 
regarded as a legitimate investigative technique), the other is to what 
extent it's "pretty much unrstricted".

I won't re-run the RIPA [vs DPA 29(3)] debate for the nth time.


Which is why there's the tailpiece in RIPA s2(9)

Re: BBC News - 'Fresh proposals' planned over cyber-monitoring

Peter Fairbrother — 2013-05-21T23:03:09

Hmmm - suppose I download a game which takes an hour (or a day) to play, 
and want to see the result. Will the ISP keep the 5-tuple NAT active?


Of course throwaway dongles, unsecured WIFI, free public wifi, TOR, and 
so on need no mention here. But I wonder if Her Majesty knows about them?



Does anyone know the history of how and why telephone logs became fair 
game for Plod?

I mean. it's not obvious that Plod should have pretty much unrestricted 
access to comms data logs anyway.

Even then there is a big difference between telephone logs and internet 
logs, which are much more revealing.

Re: BBC Moneybox - contactless hiccups

Jon Ribbens — 2013-05-21T17:09:23

I've personally seen a POS machine print me a "declined" receipt
for a transaction that was actually approved.

Re: Fwd: BBC News - 'Fresh proposals' planned over cyber-monitoring

Roland Perry — 2013-05-21T20:22:09

In article 
<CAJ0hfotvuxk1zV1ipj4scutwLFnCnc4xsM4Jd3KKi-jiKWTvEw-JsoAwUIsXosN+BqQ9rBEUg< at >public.gmane.org>, 
"k.brown-+9tF5d9GpIpaa/9Udqfwiw< at >public.gmane.org" <k.brown-+9tF5d9GpIpaa/9Udqfwiw< at >public.gmane.org> writes


And in the recent Queen's Speech!

ORGCon 2013 June 8 London

Jim Killock — 2013-05-21T15:05:16

Hi all,

Hopefully you know about ORGCon 2013

http://orgcon.openrightsgroup.org/

- but in case you don't it has a lot to offer you all. Hope to see some of you there!

Jim

A sample:

http://orgcon.openrightsgroup.org/2013/programme

Snoopers' Charter: What's the situation now?
 -Jim Killock, ORG Executive Director
- Peter Sommer
- Others TBC

Digital Arms Trade
-Hauke Gierow, Reporters without Borders
-Eric King, Privacy International

Regulating Code
- Ian Brown and Chris Marsden on their book and its conclusions

How to wiretap the Cloud (without anybody noticing)
-Caspar Bowden, independant privacy expert
Speaking on the threat of the US FISAA (Foreign Intelligence Surveillance Ammendments Act)

Fwd: BBC News - 'Fresh proposals' planned over cyber-monitoring

2013-05-21T14:52:21



And those that were desirable were really only problems for people who
write software for routers. Not for end users. Or even people who run
computers for end users. Or even people who configure networkds for
people who run computers for end users.  And they have pretty much
been solved in the last twenty years by those people who write
software for routers.

And "simplified address structure" is only true if you are writing
software for routers.  To everybody else IPv4 looks simpler because
its just about possible for the average person to remember four
decimal numbers in a row, most people can't hold eight 4-digit hex
numbers in their head, which means they can't *read* them, which
means they are basically machine-readable-only for the average punter.

Basic nerdview mistake. Describing things from the point of view of an
insider,  so making it harder for anyone without the rignt background
to follow. (Other classic bits of nerdview in this field might include eduroam,
Freeradius and Shibboleth installa

Re: BBC News - 'Fresh proposals' planned over cyber-monitoring

Roland Perry — 2013-05-21T07:15:09

In article <518CB006.8000604-BPqP8yNAJjH10XsdtD+oqA< at >public.gmane.org>, Peter Tomlinson 
<pwt-BPqP8yNAJjH10XsdtD+oqA< at >public.gmane.org> writes

And an article looking more deeply into the technical details of CGNs, 
in this context:

http://www.potaroo.net/ispcol/2013-05/cgns.html

Re: BBC Moneybox - contactless hiccups

Tony Naggs — 2013-05-20T14:44:03


Many door locks simply try to read the unique Id (UID) of a card, &
search for it in an access rights table. The ones I've encountered are
unable to cope with multiple cards presented together.

Credit & debit cards may have random or fixed Ids, and the card
function is identified by further information on the card. If there
are multiple cards a terminal could simply charge the card it
identifies with credit/debit functionality - this may still not be the
expected behaviour.

--
Tony

Re: BBC Moneybox - contactless hiccups

Peter Tomlinson — 2013-05-20T15:14:06

(1) I agree that charging the customer twice **for the same 
transaction** is an application flaw in the POS device - and it smacks 
of a major error in POS device certification (may also be a breach of 
the Merchant Agreement if it really happened - but that it did happen 
might be an urban myth). But maybe it was actually something different 
(see point (3) below).

(2) One (and its an obvious one) difficulty with collision avoidance by 
interrogating the cards is the time that it takes - a major point about 
contactless EMV payment is transaction speed. A less obvious difficulty 
is that the terminals don't (as far as I know) have any way for the 
customer to be asked which card should be used, so assistance would have 
to be sent for when a collision is detected - and no store trying to 
speed things up (customer proposition) and keep costs down (merchant 
proposition) will want that to happen..

(3) If another report is true (that a customer with no intention of 
paying for anything gets charged just be

Re: BBC Moneybox - contactless hiccups

David Walters — 2013-05-20T14:42:39

If it is anything like the system used by Barnet libraries then it
needs a minimum separation between books so doesn't work very well
with children's picture books.

Re: BBC Moneybox - contactless hiccups

Roland Perry — 2013-05-20T15:01:48

In article <20130520144013.GB48009-fMmbJOuZRAcdnm+yROfE0A< at >public.gmane.org>, Clive D.W. Feather 
<clive-fMmbJOuZRAcdnm+yROfE0A< at >public.gmane.org> writes

I'd expect collision detection to work well for RFID chips of the kind 
used in products, but the ones in transaction cards do seem to interfere 
with each other. They also have a very short time to complete the 
transaction.

Re: BBC Moneybox - contactless hiccups

Derek Fawcus — 2013-05-20T14:51:54

I took a simpler,  although slower approach,
after 3 sets of instructions,  I finally received
a new NatWest Debit/ATM card without that 'wireless' logo.

Re: BBC Moneybox - contactless hiccups

Ian Batten — 2013-05-20T14:51:16

On 20 May 2013, at 14:07, Ian Mason <ukcrypto-A3JaN0IhGNUcrBw4rbZS770Ud+EcFu5g< at >public.gmane.org> wrote:

[...]


Surely it only leaks the common initial substring?  Yes, in the limit that is, as you say, n-1 bits of an n bit serial, but on average it will be substantially less than that, depending on how the serial numbers are allocated.

ian

Re: BBC Moneybox - contactless hiccups

Clive D.W. Feather — 2013-05-20T14:40:13

Ian Mason said:

Cambridgeshire Libraries has an automated checkout system that uses some
kind of RFID tags in the book. I've tried putting a stack of 6 books on the
reader and it found all of them.

Re: BBC Moneybox - contactless hiccups

Ian Mason — 2013-05-20T13:07:23

On May 20, 2013, at 10:49 AM, Chris Edwards wrote:


There are several collision avoidance mechanisms for RFID cards. The  
commonest uses a tree walk strategy where the reader gradually  
enumerates the possible serial number space by repeatedly transmitting  
a request for cards with a defined serial number prefix to reply and  
lengthening the prefix at every attempt. It would look something like  
this:

Reader Tx:Any cards there?
Reader Rx:<collision>
Reader Tx:Any cards with a serial number starting '0' there?
Reader Rx:<silence>
Reader Tx:Any cards with a serial number starting '1' there?
Reader Rx:<collision>
Reader Tx:Any cards with a serial number starting '10' there?
Reader Rx:<silence>
Reader Tx:Any cards with a serial number starting '11' there?
Reader Rx:<collision>
Reader Tx:Any cards with a serial number starting '110' there?
Reader Rx:This is card 11011001...

  This method has the undesirable property that it leaks all but the  
last bit of the serial number of the card it is r

Re: BBC Moneybox - contactless hiccups

Roland Perry — 2013-05-20T12:34:51

In article <E1UeMiu-0002DJ-VZ-f4/0buUZNihg9hUCZPvPmw< at >public.gmane.org>, Chris Edwards 
<chris-ukcrypto-hjQpJK1VPOvW7jotyhL5th2eb7JE58TQ< at >public.gmane.org> writes

It's never worked for me (in either direction) trying to unscramble an 
Oyster with something else.

I suspect a field trip is in order... (and while I'm at it I can see if 
LRT buses accept my Paywave Paypal debit card or not - from the 
publicity material it's ambiguous).

Re: BBC Moneybox - contactless hiccups

Chris Edwards — 2013-05-20T09:49:44


$workplace uses a mifare card based entry system (wave your wallet 
containing card at door reader).  Last year, I started frequently having 
problems opening doors.  Then I realised this was due to my bank having 
issued a new visa card, which has the "pay-by-wave" logo (looks a bit like 
a WiFi symbol).  Removing this visa card from my wallet reinstated by 
ability to open doors.

I had some idea the protocols specifically catered for multiple cards, and 
that the door card reader would be able to "select" the card it wants to 
talk to.  But if so, this doesn't seem to work very well (for me).