gmane.law.cryptography.uk

Not quite off topic...

Peter Tomlinson — 2013-06-10T15:09:02

Circulated by BCS on behalf of IAAC:

The Department of Culture, Media and Sport (DCMS) is proposing some 
changes to classifications of official statistics which could be of 
significant detriment to the Tech Sector and wider economic growth. They 
are proposing re-classifying 39% of IT & Telecoms occupations and 57% of 
the IT & Telecoms industry as 'creative' alongside the following six 
creative industry sectors: advertising and marketing; architecture; 
design; film & TV; publishing; music and the arts.

There is concern that this fragmentation would mean that with regard to 
official statistics and government policy, IT & Telecoms would not be 
recognised as a coherent sector of strategic importance in its own 
right. There is also concern in some quarters that it also fails to 
recognise that all sectors of the economy, including engineering, 
financial services, retail, health, have a strong and increasing 
dependency on IT specialists.

A background paper is attached [was attached but I have strippe

PRISM

Mary Hawking — 2013-06-07T12:38:12

From the Washington Post
http://www.washingtonpost.com/wp-srv/special/politics/prism-collection-docum
ents/ 
link from
http://tinyurl.com/mm3ttqt 
Should I stop using social media and think twice about Dropbox?

Mary Hawking
Retired from NHS on 31.3.13 because of the Health and Social Care Act 2012
"thinking - independent thinking - is to humans as swimming is to cats: we
can do it if we really have to."  Mark Earles on Radio 4
blog http://maryhawking.wordpress.com/ , bloglist
https://dl.dropbox.com/u/4529244/MH%20blog%20list.doc And Fred! 
http://primaryhealthinfo.wordpress.com/2013/01/20/who-knows-what-and-why/

PRISM && Excited Guardianista

Ian Batten — 2013-06-07T10:56:35

The Graun are very excited about: http://www.guardian.co.uk/world/2013/jun/06/us-tech-giants-nsa-data

The most interesting thing to me is that he slides they have say it has a budget of $20m per year.

Given the likely costs of even the fairly anodyne proposals in the Data Communications Bill, either there a few zeros missing or the content of the project is being somewhat over-interpreted.

ian

ORGCon 2013 June 8 London

Jim Killock — 2013-05-21T15:05:16

Hi all,

Hopefully you know about ORGCon 2013

http://orgcon.openrightsgroup.org/

- but in case you don't it has a lot to offer you all. Hope to see some of you there!

Jim

A sample:

http://orgcon.openrightsgroup.org/2013/programme

Snoopers' Charter: What's the situation now?
 -Jim Killock, ORG Executive Director
- Peter Sommer
- Others TBC

Digital Arms Trade
-Hauke Gierow, Reporters without Borders
-Eric King, Privacy International

Regulating Code
- Ian Brown and Chris Marsden on their book and its conclusions

How to wiretap the Cloud (without anybody noticing)
-Caspar Bowden, independant privacy expert
Speaking on the threat of the US FISAA (Foreign Intelligence Surveillance Ammendments Act)

Apologies for the previous top post.

David Biggins — 2013-05-19T19:50:53

D.

BBC Moneybox - contactless hiccups

Roland Perry — 2013-05-18T10:34:55

        "Some Marks and Spencer customers have told the BBC of cases
        where the chain's contactless payment terminals have taken money
        from cards other than the ones intended for payment.

        "Card are supposed to be within about 4cm of the front of the
        contactless terminal to work.

        "But some customers say payments have been taken from cards
        while in purses and wallets at much greater distances.

http://www.bbc.co.uk/news/business-22545804

BBC News - 'Fresh proposals' planned over cyber-monitoring

Ian Batten — 2013-05-08T12:42:56

http://www.bbc.co.uk/news/uk-politics-22449209

You have to wonder at the people the BBC talks to:

Yeah.  You mean "IPv6 would be a good idea", I think.

ian

practical homomorphic encryption (allegedly)

Peter Tomlinson — 2013-05-08T09:56:36

Have received a link to the following article:

IBM takes a big new step in cryptography: practical homomorphic encryption

http://nakedsecurity.sophos.com/2013/05/05/ibm-takes-big-new-step-in-cryptography/

by Paul Ducklin on May 5, 2013

IBM just released an open source software package called HELib.

The HE stands for homomorphic encryption.

Although it doesn't sound terribly sexy or impressive, HELib is actually 
an interesting and important milestone in cryptography.

HE is also a surprisingly relevant topic right now, with our 
ever-increasing attraction to cloud computing.

<more in the article>

Peter

FAQ on UK law

Nicholas Cole — 2013-05-07T09:43:42

Dear List,

Is there an FAQ anywhere on the state of UK law as it relates to the
development of cryptography and software that uses cryptography?

I've read the Crypto Law Survey:

http://www.cryptolaw.org

and the rules surrounding domestic use are very clear.

What is much less clear is the question of "export".  Does, for example,
hosting a piece of software like PuTTY or ssh or gnupg on a UK-based
website count as "export"? What about providing support for such software?
 Unlike the Americans, who seem to have specific regulations for Open
Source Software, I can't see anything comparable in UK law.  There was a
flurry of activity around this in the late 1990s, and things seem to have
cooled down since, but clarity still seems to be lacking!

Nicholas

Best practice for federated authentication and authorisation?

James Fidell — 2013-05-02T10:19:15

I'm currently looking for some sort of definition of best practice for
implementing federated authentication and authorisation systems, but
struggling to find much.

What I'm looking at is an application that uses Gmail/Facebook/Twitter
etc. for authentication via a bespoke intermediate ("cloud-based")
registration service and then does access control by verifying claims
with another bespoke cloud-based system.

Can anyone point me to any documents that discuss best practice for
implementation of such a system?  I'm thinking that handling all
transactions over HTTPS really isn't sufficient for this and that they
should all be at least time-stamped, digitally signed and use both
client and server certificates for HTTPS, but if I'm being overly
paranoid, or not paranoid enough, it would be useful to know :)

Thanks,
James

Phone hacking: the telco angle

Florian Weimer — 2013-05-01T14:43:26

I recently revisited parts of the phone hacking coverage (mainly
related to the activities of NotW), and it seems that this was never
framed as a security failure at the mobile phone operators who ran the
network and provisioned the attacked services.

Is there any explanation for this?

3D Secure / Verified By Visa

Ian Batten — 2013-04-17T10:18:15

Does anyone know more about how it currently works than Wikipedia and Murdoch and Anderson 2010 [1] and high-level descriptions for application writers [2]?

Originally, it took you to an iFrame which prompted you for a password you had previously agreed with the issuer.  Later, for me at least (Lloyds TSB) it instead put up the Verified by Visa or its Mastercard equivalent logo, said it was authenticating, and then immediately succeeded.  I assumed, without checking, that it had dropped a random cookie which the issuer regarded as sufficient proof the card hadn't been stolen.   Not ideal, but better than nothing, and avoids having to type the password.

This morning, I used my credit card for a transaction in my wife's name, because my wife's card had been declined [3].   It was a non-trivial amount of money to a website I have never used before, but which Sue uses regularly for small transactions.  This transaction was probably two orders of magnitude greater than any previous one.   Our credit cards are s

‘Secretbook’ Lets You Encode Hidden Messages in Your Facebook Pics

Owen Blacker — 2013-04-10T13:16:42

http://www.wired.com/dangerroom/2013/04/secretbook/

Facebook is a place where you can share pictures of cute animals and fun
activities. Now there’s a browser extension that lets you encode those
images with secret, hard-to-detect messages.

That’s the idea behind
Secretbook<https://chrome.google.com/webstore/detail/secretbook/plglafijddgpenmohgiemalpcfgjjbph>,
a browser extension released this week by 21-year-old Oxford University
computer science student and former Google intern Owen-Campbell Moore. With
the extension, anyone — you, your sister, a terrorist — could share
messages hidden in JPEG images uploaded to
Facebook<http://www.wired.com/magazine/2013/04/facebookqa/> without
the prying eyes of the company, the government or anyone else noticing or
figuring out what the messages say. The only way to unlock them is through
a password you create.

“The goal of this research was to demonstrate that JPEG steganography can
be performed on social media where it has previously been impossible,”
C

BBC News - Anti-cyber threat centre launched

Ian Batten — 2013-03-27T08:35:09

http://www.bbc.co.uk/news/uk-21945702

I'm really sceptical about this sort of story.  Incredible (in every sense) claims are made as to the cost of cyber-crime, but there doesn't seem to be any evidence for it.  

Suppose it's true that shadowy gangs are extorting money from British companies.  How are the payments made?  Large amounts of cash dropped by trees?   Bogus invoicing for invisible services? Direct transfer to numbered accounts in opaque offshore banks?   Have you tried getting significant amounts of money out of a company without triggering attention from your bank (obligated under money-laundering regulations to report suspicious activity), your auditors (terrified of being the next Arthur Anderson) and the taxman (for obvious reasons)?  It simply doesn't stand examination that there could be a significant flow of money out of businesses without it being noticed by someone, and that someone would have far more incentive to report it than to keep quiet.

We're reduced to the "but everyone is s

Organisational Standards for Cyber Security: Government’s Call for Evidence

Peter Tomlinson — 2013-03-26T10:16:20

 From IAAC via BCS:

Organisational Standards for Cyber Security: Government’s Call for Evidence

The government intends to select and endorse an organisational standard 
that best meets the requirements for effective cyber risk management. 
There are currently various relevant standards and guidance which can be 
confusing for organisations, businesses and companies that want to 
improve their cyber security.

BIS and Cabinet Office are therefore calling for bodies and groups of 
organisations to submit their evidence in support of their preferred 
cyber security standard.     Expressions of interest are requested 
before 8 April (as shown on the website).  BIS and Cabinet Office can 
then rationalise the submissions i.e. if a number of bodies want to 
submit on ISO27001 then we can invite them to get-together and put 
forward 1 submission between them.

Full details of the call for evidence is at 
https://www.gov.uk/government/consultations/cyber-security-organisational-standards-call-for-evidence

** en

Biggest Fake Conference in Computer Science

2013-03-22T20:08:50

Biggest Fake Conference in Computer Science


I graduated from University of Florida (UFL) and am currently 
running a computer firm in Florida. I have attended WORLDCOMP 
conference (see http://sites.google.com/site/worlddump1 for 
details) in 2010. Except for few keynote speeches and 
presentations, the conference was very disappointing due to a 
large number of poor quality papers and cancellation of some 
sessions. I was instantly suspicious of this conference. 


Me and my friends started a study on WORLDCOMP. 
We submitted a fake paper to WORLDCOMP 2011 and again (the 
same paper with a modified title) to WORLDCOMP 2012. This paper 
had numerous fundamental mistakes. Sample statements from 
that paper include: 

(1). Binary logic is fuzzy logic and vice versa
(2). Pascal developed fuzzy logic
(3). Object oriented languages do not exhibit any polymorphism or inheritance
(4). TCP and IP are synonyms and are part of OSI model 
(5). Distributed systems deal with only one computer
(6). Laptop is an example

security policy question

Root — 2013-03-04T23:29:52

Hi All,

I am not sending this from my usual account as gmail seems to have hit 
various blacklists. Even though the 2 factor auth and MITM detection seems 
to be a good thing in a web-mail service. So instead i am probably going to 
be giving spamd on this OBSD box a good work out.

I am looking for a bit of advice.
I work for part of the NHS and was recently given a new version of our 
security policy to sign.
It contains the usual i will be a good citizen, take care of the datas, 
not hand out my password or transfer data onto unencrypted memory 
sticks/laptops and leave them in taxis etc.

I am generally in favor of these and usually have no problems appending my 
signature but the difference between the old and new policy is the 
following:
"I further understand that I am responsible for any transactions carried 
out under my personal password and code"

I have no confidence that it wouldn't be trivial for someone to get hold 
of my user-name and password by methods which don't involve me being 
irrespo

Googlegroups spam

Peter Fairbrother — 2013-02-11T17:52:50

A bit OT, but..

Suppose someone who operates a Google group adds my email address to the 
group without asking me (which is a thing Google permit). I then get 
lots of spam from the group (maybe commercial, maybe not - I don't know, 
it isn't in English letters), sent from Google.


Do I have any legal comeback against Google?


Thx,

Chip and Pin compromised at B&N US

Martin Hepworth — 2013-01-19T11:54:38

Interesting story here..


http://blog.elementps.com/element_payment_solutions/2013/01/data-breach-hits-barnes-noble.html

Anyone any knowledge of the C&P terminals used etc as I'm not aware of C&P
being 'popular' in the USA (well it's been a couple years since I was last
there and things change rapidly, so could have gained alot of traction by
now).

Elcomsoft $300 decryption tool.

Brian L Johnson — 2012-12-21T09:48:04

http://thenextweb.com/insider/2012/12/20/this-299-tool-is-reportedly-capable-of-cracking-bitlocker-pgp-and-truecrypt-disks-in-real-time/

"This $299 tool is reportedly capable of decrypting BitLocker, PGP, and  
TrueCrypt disks in real-time"

The actual press release is at:

http://www.elcomsoft.com/PR/EFDD_121220_en.pdf

So the computer has to be turned on? Or have hibernation files laying  
around in memory?

Victory for the Mail! Children WILL be protected from online pornafter Cameron orders sites to be blocked automatically | Mail Online

Ian Batten — 2012-12-20T09:55:59

Yes, I know, reading the Daily Mail rots the brain, although in my defence I only saw this story because it was on the front page that Paxman showed at the end of last night's Newsnight.  David Cameron is trying to square the circle of the Mail's howling about online pornography and the resounding results of the recent consultation exercise:

David Cameron writes:


So, for those of us in the security community, it appears Dave is going to solve the problem of home users sharing computers and/or sharing accounts at a stroke.  All the issues associated with people using one login (or, more commonly, no logins) will be gone.  And, better, devices which don't have the concept of multiple users (such as those iPads which so few people have bought, and which have been so unpopular since their damp-squib launch) will now be locked to a single user and won't be shared around in households.  Excellent!  That's a major security issue solved at a stroke!

ian