Comments: WSJ: Soft evidence on a crypto-related breach

aside from the issues AADS and X9.59 financial standard protocol
http://www.garlic.com/~lynn/x959.html

providing transaction armoring for naked transactions
http://www.garlic.com/~lynn/subintegrity.html#payments

so they are no longer vulnerable to evesdropping and
replay attacks
http://www.garlic.com/~lynn/subintegrity.html#harvest

there is this recent item:

New Weakness in 802.11 WEP
http://developers.slashdot.org/developers/01/07/27/1734259.shtml?tid=93

which claims that it has an attack against what is being proposed for WEP2.

the referenced website:
http://ebiquity.org/article.php?sid=189

may be suffering from having been "slashdot'ed" ... since it haven't been responding.

Posted by Lynn Wheeler at May 7, 2007 05:47 PM

that was a blockbuster post !


it's funny, perhaps the whole bizarre edifice of Visa/MC payment model as we know it now will have to be changed.

is it a case where centralisation is logical and the only way?

You often mention DGCs on the blog - with DGCs of course, obviously, everything about the payment is handled (newsflash!) -- BY THE DGC.

If customer C tries to buy a book in bookshop B using DGC D, then of course - obviously, duh - C communictes with and only with -- again, "duh!" --- D. It's All About C and D.

The Payment has no involvement at all between C and B - it's a Payment! C, a customer of D is making a Payment at D. It's all C-D .. no B.

After a whole lot of interaction between C and D, D establishes that indeed C "has made a payment." Then, as an unimportant afterthought (it can be checked later if there's a woe), D just let's B know that C did in fact make a payment.

Note that in all this, in the DGC universe, it is totally inconceivable that D would farm out part of the function of the payment to B ("what??!"), or that B could somehow "take the payments" ("huh??"), or that B would have something to do with "processing the payment" ("sorry?!?"), or that B would use some other set of companies to help do the payment ("WTF??") .....

of course, obviously, duh, give me a break, etc .... the bloody payment is of course handled entirely by D!!

With cards, the whole situation is risible .... other entities, even the Merchant (no - seriously!) are involved in the Payment; rather than just the Payer and the Payment System.

I suppose the reason is that nowadays we live in an "online" world. Movies are edited "online" (old-fashioned "offline editing" is history), heart patients get monitored in real time, and "maps" in your car now show you where you are with a pointer, they are online.

So, in our "online" world of today, anyone thinking of starting up a payment system (such as the DGC universe did), of course just obviously assumes that a Payment is done by the Payer and Payment System - and it would be ridiculously whacky if the (no, really) Merchant, or anyone else, was involved in that for any reason. There's no other way you'd think about it. You'd never in a million years think about the merchant (or anyone else) being involved.

When credit cards were invented, I guess it was still an offline world (hard to imagine) (remember checks, "clearing", etc etc?) ...... so for that reason the total epic KLUDGE that is credit card processing 2007, with madness like the merchant, processing companies, banks, and so on being involved with the Payment, that we see today.


Surely there's enough fiber around now that Visa/MC will just say "screw that" and move to a ("normal, sane") online model?? No? Has the time come?

Posted by Jape at May 8, 2007 02:53 AM

> > e. Why did they use a weak crypto protocol? Because it is the one
> > delivered in the hardware.
> >
> > Question: Why is hardware often delivered with weak crypto?

Because of 2 simple reasons.

Firstly they failed to garner "real" crypto input when designing WEP and I believe the handshaking etc is attacked rather then the actual algorithm (RC4).

Secondly RC4 was cheap (in terms of CPU cycles), and only requires about 10 lines of code, but again no attacks brute force the actual encryption, but focus on the implementation of it.

Oh and they believed no one could attack it because no one would be able to get their hands on equipment that could do it, but of course mass producing and selling equipment to connect can also be used to break it.

Posted by Duane at May 8, 2007 03:47 AM

Shmoocon 07 had a presentation on what went on in the WEP design commitee.
Al Potter, Renderman, and Russ Housley "Standard Bodies - What are these Guys Drinking?"

http://www.shmoocon.org/2007/videos/

The process and incentives were wrong, simply put - security concerns were there but voted down.

Posted by fluortanten at May 8, 2007 04:41 AM
Post a comment









Remember personal info?






Hit Preview to see your comment.
MT::App::Comments=HASH(0x557815eed428) Subroutine MT::Blog::SUPER::site_url redefined at /home/iang/www/fc/cgi-bin/mt/lib/MT/Object.pm line 125.