headers
Jim Killock | 21 May 2013 17:05
Favicon

ORGCon 2013 June 8 London

Hi all,

Hopefully you know about ORGCon 2013

http://orgcon.openrightsgroup.org/

- but in case you don't it has a lot to offer you all. Hope to see some of you there!

Jim

A sample:

http://orgcon.openrightsgroup.org/2013/programme

Snoopers' Charter: What's the situation now?
 -Jim Killock, ORG Executive Director
- Peter Sommer
- Others TBC

Digital Arms Trade
-Hauke Gierow, Reporters without Borders
-Eric King, Privacy International

Regulating Code
- Ian Brown and Chris Marsden on their book and its conclusions

How to wiretap the Cloud (without anybody noticing)
-Caspar Bowden, independant privacy expert
Speaking on the threat of the US FISAA (Foreign Intelligence Surveillance Ammendments Act)
Permalink | Reply | 0 comments |
headers
k.brown-+9tF5d9GpIpaa/9Udqfwiw@public.gmane.org | 21 May 2013 16:52
Picon
Favicon

Fwd: BBC News - 'Fresh proposals' planned over cyber-monitoring

On 13 May 2013 18:45, Florian Weimer <fw@...> wrote:

> If you look at typical IPv6 textbooks, they give you a long list of
> advantages:
>
> * larger address space
> * simplified address structure
> * universal reachability of all end devices
> * protocol header optimized for efficient forwarding
> * more flexibility due to scoped addresses
> * improved security through IPsec
> * smaller routing tables due to aggregation
> * stateless auto-configuration
> * automatic renumbering between different provider aggregates
> * no broadcasts
> * improved multicast
> * built-in mobility
> * better for QoS with flow labels
>
> A lot of that turned out to be totally undesirable...

And those that were desirable were really only problems for people who
write software for routers. Not for end users. Or even people who run
computers for end users. Or even people who configure networkds for
people who run computers for end users.  And they have pretty much
been solved in the last twenty years by those people who write
software for routers.

And "simplified address structure" is only true if you are writing
software for routers.  To everybody else IPv4 looks simpler because
(Continue reading)

Permalink | Reply | 1 comment |
headers
David Biggins | 19 May 2013 21:50

Apologies for the previous top post.

D.

Permalink | Reply | 0 comments |
headers
Roland Perry | 18 May 2013 12:34

BBC Moneybox - contactless hiccups

        "Some Marks and Spencer customers have told the BBC of cases
        where the chain's contactless payment terminals have taken money
        from cards other than the ones intended for payment.

        "Card are supposed to be within about 4cm of the front of the
        contactless terminal to work.

        "But some customers say payments have been taken from cards
        while in purses and wallets at much greater distances.

http://www.bbc.co.uk/news/business-22545804
--

-- 
Roland Perry
Permalink | Reply | 19 comments |
headers
Ian Batten | 8 May 2013 14:42

BBC News - 'Fresh proposals' planned over cyber-monitoring


http://www.bbc.co.uk/news/uk-politics-22449209

You have to wonder at the people the BBC talks to:

"The problem stems from the way that the fixed internet has been designed," said Prof Rahim Tafazolli, director of Surrey University's Centre for Communications Systems Research.

"Many people can share a single IP address and the IP address may be dynamic - meaning there's a new address issued each time they log on - while a communication traverses across different networks. It can be difficult to link all these addresses and trace them back to the origin.

"One possible solution would be to find a way to associate a person's internet use with a fixed and unique number such as their mobile number or a device's MAC [media access control] address.

"But that would require changes in the way addresses are allocated on the internet and changes would need to be adopted internationally because we couldn't just change it in the UK."

Yeah.  You mean "IPv6 would be a good idea", I think.

ian

Permalink | Reply | 54 comments |
headers
Peter Tomlinson | 8 May 2013 11:56
Picon

practical homomorphic encryption (allegedly)

Have received a link to the following article:

IBM takes a big new step in cryptography: practical homomorphic encryption

http://nakedsecurity.sophos.com/2013/05/05/ibm-takes-big-new-step-in-cryptography/

by Paul Ducklin on May 5, 2013

IBM just released an open source software package called HELib.

The HE stands for homomorphic encryption.

Although it doesn't sound terribly sexy or impressive, HELib is actually 
an interesting and important milestone in cryptography.

HE is also a surprisingly relevant topic right now, with our 
ever-increasing attraction to cloud computing.

<more in the article>

Peter
Permalink | Reply | 0 comments |
headers
Nicholas Cole | 7 May 2013 11:43
Picon

FAQ on UK law

Dear List,

Is there an FAQ anywhere on the state of UK law as it relates to the development of cryptography and software that uses cryptography?

I've read the Crypto Law Survey:


and the rules surrounding domestic use are very clear.

What is much less clear is the question of "export".  Does, for example, hosting a piece of software like PuTTY or ssh or gnupg on a UK-based website count as "export"? What about providing support for such software?  Unlike the Americans, who seem to have specific regulations for Open Source Software, I can't see anything comparable in UK law.  There was a flurry of activity around this in the late 1990s, and things seem to have cooled down since, but clarity still seems to be lacking!

Nicholas
Permalink | Reply | 7 comments |
headers
James Fidell | 2 May 2013 12:19
Picon

Best practice for federated authentication and authorisation?

I'm currently looking for some sort of definition of best practice for
implementing federated authentication and authorisation systems, but
struggling to find much.

What I'm looking at is an application that uses Gmail/Facebook/Twitter
etc. for authentication via a bespoke intermediate ("cloud-based")
registration service and then does access control by verifying claims
with another bespoke cloud-based system.

Can anyone point me to any documents that discuss best practice for
implementation of such a system?  I'm thinking that handling all
transactions over HTTPS really isn't sufficient for this and that they
should all be at least time-stamped, digitally signed and use both
client and server certificates for HTTPS, but if I'm being overly
paranoid, or not paranoid enough, it would be useful to know :)

Thanks,
James
Permalink | Reply | 0 comments |
headers
Florian Weimer | 1 May 2013 16:43
Picon

Phone hacking: the telco angle

I recently revisited parts of the phone hacking coverage (mainly
related to the activities of NotW), and it seems that this was never
framed as a security failure at the mobile phone operators who ran the
network and provisioned the attacked services.

Is there any explanation for this?
Permalink | Reply | 5 comments |
headers
Ian Batten | 17 Apr 2013 12:18

3D Secure / Verified By Visa

Does anyone know more about how it currently works than Wikipedia and Murdoch and Anderson 2010 [1] and
high-level descriptions for application writers [2]?

Originally, it took you to an iFrame which prompted you for a password you had previously agreed with the
issuer.  Later, for me at least (Lloyds TSB) it instead put up the Verified by Visa or its Mastercard
equivalent logo, said it was authenticating, and then immediately succeeded.  I assumed, without
checking, that it had dropped a random cookie which the issuer regarded as sufficient proof the card
hadn't been stolen.   Not ideal, but better than nothing, and avoids having to type the password.

This morning, I used my credit card for a transaction in my wife's name, because my wife's card had been
declined [3].   It was a non-trivial amount of money to a website I have never used before, but which Sue uses
regularly for small transactions.  This transaction was probably two orders of magnitude greater than
any previous one.   Our credit cards are separate accounts.   I was using her web browser while logged in to her
account.   My card went straight through, without asking for a 3DS password.  

To which I say, huh?  What state is there in a random user account on an OSX machine which allows it to assert
that it's me?  What are 3DS checking?

ian

[1] http://www.cl.cam.ac.uk/~rja14/Papers/fc10vbvsecurecode.pdf

[2] http://www.web-merchant.co.uk/3dsecure.asp

[3]  Itself an interesting point.  We suspect that as we use my card for making large online purchases, I've
built up a history of doing "that sort of thing", while Sue hasn't.  Alternatively, if you do a lot of
transactions of size x with a merchant, a transaction of size 100x might scream "insider fraud with stored
credentials", while a first-time transaction of the same size doesn't raise the same concern.
Permalink | Reply | 9 comments |
headers
Owen Blacker | 10 Apr 2013 15:16
Picon
Gravatar

‘Secretbook’ Lets You Encode Hidden Messages in Your Facebook Pics


Facebook is a place where you can share pictures of cute animals and fun activities. Now there’s a browser extension that lets you encode those images with secret, hard-to-detect messages.

That’s the idea behind Secretbook, a browser extension released this week by 21-year-old Oxford University computer science student and former Google intern Owen-Campbell Moore. With the extension, anyone — you, your sister, a terrorist — could share messages hidden in JPEG images uploaded to Facebook without the prying eyes of the company, the government or anyone else noticing or figuring out what the messages say. The only way to unlock them is through a password you create.

“The goal of this research was to demonstrate that JPEG steganography can be performed on social media where it has previously been impossible,” Campbell-Moore tells Danger Room. He says he spent about two months spread out over the last year working on the extension as a research project for the university.


[…]

It wasn’t easy developing the extension. “Many tools for steganography in JPEGs have existed in the past although they have always required that the images are transmitted exactly as they are,” Campbell-Moore says.

This could be a single pixel changed to a different color, and then repeated over several images, spelling out a message — which you can’t see, unless you have the translation key, and know which pixel to look for. But when you upload an image to Facebook, the image is automatically recompressed, which can lower the image quality. If you’ve encoded a secret message in the image, Facebook will garble it. Facebook competitor Google+ doesn’t do this, so you can share encoded messages there without needing an app for it.


[continues…]
-- 
Owen Blacker, London GB
Permalink | Reply | 7 comments |

Gmane