July 2018 - cypherpunks-legacy

Re: Financial identity is *dangerous*? (was re: Fake companies,
by None 06 Jul '18

06 Jul '18

real money) From: Somebody at a Central Securities Depository :-) Date: Wed, 13 Oct 2004 10:31:10 +0100 i buy the argument that transaction instantaneity is a solution to the identity theft problem - my cash in your hands, at the same time (now) as your goods in my hands, in a way that allows both of us to ensure we have got what we wanted. But there's a trade-off; I have to use money, not credit, now - your point about the buyer 'lending' the seller cash at 0% interest. I'm not sure how "the system compensates" for that. It seems to me it becomes a risk-cost trade-off for the individual: I can work out the cost to me of using real money not credit; then I know what I am paying to insure myself against identity theft. Of course I probably rely on the credit people covering me against a lot of the risk of identity theft, and I may not even pay them for that cost (if it is built into the APR they charge and I can avoid interest by paying off the card quickly)... so to me identity theft risk is almost costless. Why then would I choose to insure myself explicitly by using cash instead of credit? What is it that makes all the individuals start thinking about the best interests of "the system" (which should be cheaper without all these hidden insurance costs) instead of thinking about their own interests?! David "R.A. Hettinga" <rah(a)shipwright.com> 12/10/2004 15:52 To: John Kelsey <kelsey.j(a)ix.netcom.com>, cryptography(a)metzdowd.com, cypherpunks(a)al-qaeda.net cc: Subject: Re: Financial identity is *dangerous*? (was re: Fake companies, real money) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 At 9:49 AM -0400 10/12/04, John Kelsey wrote: >Hmmm. I guess I don't see why this story supports that argument all >that well. More like the straw that broke the camel's back, admittedly. A long time ago I came to the conclusion that the closer we get to transaction instantaneity, the less counterparty identity matters at all. That is, the fastest transaction we can think of is a cryptographically secure glop of bits that is issued by an entity who is responsible for the integrity of the transaction and the quality of assets that the bits represent. Blind signature notes work fine for a first-order approximation. In other words, an internet bearer transaction. In such a scenario, nobody *cares* who the counterparties are for two reasons. The first reason is existential: title to the asset has transferred instantaneously. There is *no* float. I have it now, so I don't *care* who you were, because, well, it's *mine* now. :-). Second, keeping an audit trail when the title is never in question is, in the best circumstances superfluous and expensive, and, in the worst, even dangerous for any of a number of security reasons, depending on the color of your adversary's hat, or the color your adversary thinks his hat is, or whatever. Keeping track of credit card numbers in a database is an extant problem, for instance, with a known, shall we say, market cost. We'll leave political seizure and other artifacts of totalitarianism to counted by the actuaries. > Clearly, book entry systems where I can do transactions in your >name and you are held liable for them are bad, but that's like >looking at Windows 98's security flaws and deciding that x86 >processors can't support good OS security. I'm walking out on a limb here, in light of what I said above, and saying that when there's *any* float in the process, your liability for identity theft increases with the float involved. Furthermore, book-entry transactions *require* float, somewhere. They are debt-dependent. Someone has to *borrow* money to effect a transaction. (In a bearer transaction, the shoe's on the other foot, the purchaser is *loaning* money, at zero interest, but that's what the buyer wants so the system compensates accordingly, but that's another story.) Because the purchaser has to borrow money to pay, and because you *cannot* wring the float out of a transaction (that is, you can get instantaneous execution, but the transaction clears and settles at a later date; 90 days is the maximum float time for a non-repudiated credit-card transaction, for instance), I claim that book-entry transactions will *always* be liable for "identity" theft. Put another way, remember Doug Barnes' famous quip that "and then you go to jail" is not an acceptable error handling step for a transnational internet transaction protocol. I would claim that enforcement of identity as a legal concept costs too much in the long run to be useful, and that the cheapest way to avoid the whole problem is to go to systems which not only don't require identity, but they don't even require book-entry *accounts* at all to function at the user level. Financial cryptography has had that technology for more than two decades now, so long that the patent's about expired on it, if it hasn't already. >The aspect of this that's generally spooky is not the existence of >book entry payment systems, it's the ease with which someone can get >credit (in one form or another) in your name, based on information >they got from public records and maybe a bit of dumpster diving, >some spyware installed on your machine, or a phishing expedition. >How the payment systems are cleared isn't going to change that, >right? (I know you've thought about this stuff a lot more than I >have, so maybe I'm missing something....) See above. When you use book-entry transactions, by definition, you need identity. Biometric, is-a-person, go-to-jail-if-you-lie-about-a-book-entry identity. With bearer transactions, digital/internet or otherwise, you don't have identity. You don't *need* identity to execute, clear, and settle the transaction, primarily because all three happen at once. There's no float between the three activities. You don't have to send someone to jail if they lie, because the transaction never executes in the first place if they do. Now, there are tradeoffs. The first one is key management, which as Schneier likes to point out, is a hard problem. Personally, I think that if you don't have to associate a key with a flesh-and-blood body in meatspace, a whole continent full of problems just disappears. In a bearer transaction, it's orthogonal to the issue of security anyway, and all it does is cost you money to do for no added benefit. The second one is security of the digital bearer notes and coins themselves, which, frankly, scares people in the finance business most of all. However, I would claim that all organizations, and even people :-), do their *database* and document backups already, and that proper system hygiene will evolve, particularly if literal money is involved. Frankly, there already is a market for distributed data storage, and there are even working systems using m-of-n distributed data storage, which would be the most secure way to solve the problem. And, as we all know, digital bearer transactions are the best *way* to pay for those kinds of m-of-n services anyway, so it feeds on itself nicely. I think that it's less of a chicken-and-egg problem than it used to be, and I think that reality is catching up to all the theory we've kicked around on these lists for more than a decade now. The ultimate solution to the problem of identity theft is to not use identity at all, and, frankly, not even to use book-entries at all. Cheers, RAH -----BEGIN PGP SIGNATURE----- Version: PGP 8.0.3 iQA/AwUBQWvvMcPxH8jf3ohaEQK7sQCgv7HrWERRq8oJwZWq+6K/Ekiq4mMAoKCc sc4xGjfFFKMysKjV2hRDjSsy =C/Ar -----END PGP SIGNATURE----- -- ----------------- R. A. Hettinga <mailto: rah(a)ibuc.com> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' This email is for the intended recipient only and is confidential. If you are not the intended recipient, please inform the sender immediately and delete this email and any copies, (including attachments), from your system. You should not read, copy or make any use of this email if you have received it in error. You should take whatever measures you deem to be appropriate to ensure that this email is virus free. CRESTCo Ltd does not give any representation, guarantee or warranty (whether expressed or implied) that this email has been securely transmitted or is accurate, timely or complete and excludes all liability in connection with this email or for any statements which are clearly the senders own and do not represent the views of CRESTCo Ltd. CRESTCo Ltd reserves the right to monitor the use and content of all emails. --- end forwarded text -- ----------------- R. A. Hettinga <mailto: rah(a)ibuc.com> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

1 0

Re: Financial identity is *dangerous*? (was re: Fake companies,
by None 06 Jul '18

06 Jul '18

real money) From: Somebody at a Central Securities Depository :-) Date: Wed, 13 Oct 2004 10:31:10 +0100 i buy the argument that transaction instantaneity is a solution to the identity theft problem - my cash in your hands, at the same time (now) as your goods in my hands, in a way that allows both of us to ensure we have got what we wanted. But there's a trade-off; I have to use money, not credit, now - your point about the buyer 'lending' the seller cash at 0% interest. I'm not sure how "the system compensates" for that. It seems to me it becomes a risk-cost trade-off for the individual: I can work out the cost to me of using real money not credit; then I know what I am paying to insure myself against identity theft. Of course I probably rely on the credit people covering me against a lot of the risk of identity theft, and I may not even pay them for that cost (if it is built into the APR they charge and I can avoid interest by paying off the card quickly)... so to me identity theft risk is almost costless. Why then would I choose to insure myself explicitly by using cash instead of credit? What is it that makes all the individuals start thinking about the best interests of "the system" (which should be cheaper without all these hidden insurance costs) instead of thinking about their own interests?! David "R.A. Hettinga" <rah(a)shipwright.com> 12/10/2004 15:52 To: John Kelsey <kelsey.j(a)ix.netcom.com>, cryptography(a)metzdowd.com, cypherpunks(a)al-qaeda.net cc: Subject: Re: Financial identity is *dangerous*? (was re: Fake companies, real money) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 At 9:49 AM -0400 10/12/04, John Kelsey wrote: >Hmmm. I guess I don't see why this story supports that argument all >that well. More like the straw that broke the camel's back, admittedly. A long time ago I came to the conclusion that the closer we get to transaction instantaneity, the less counterparty identity matters at all. That is, the fastest transaction we can think of is a cryptographically secure glop of bits that is issued by an entity who is responsible for the integrity of the transaction and the quality of assets that the bits represent. Blind signature notes work fine for a first-order approximation. In other words, an internet bearer transaction. In such a scenario, nobody *cares* who the counterparties are for two reasons. The first reason is existential: title to the asset has transferred instantaneously. There is *no* float. I have it now, so I don't *care* who you were, because, well, it's *mine* now. :-). Second, keeping an audit trail when the title is never in question is, in the best circumstances superfluous and expensive, and, in the worst, even dangerous for any of a number of security reasons, depending on the color of your adversary's hat, or the color your adversary thinks his hat is, or whatever. Keeping track of credit card numbers in a database is an extant problem, for instance, with a known, shall we say, market cost. We'll leave political seizure and other artifacts of totalitarianism to counted by the actuaries. > Clearly, book entry systems where I can do transactions in your >name and you are held liable for them are bad, but that's like >looking at Windows 98's security flaws and deciding that x86 >processors can't support good OS security. I'm walking out on a limb here, in light of what I said above, and saying that when there's *any* float in the process, your liability for identity theft increases with the float involved. Furthermore, book-entry transactions *require* float, somewhere. They are debt-dependent. Someone has to *borrow* money to effect a transaction. (In a bearer transaction, the shoe's on the other foot, the purchaser is *loaning* money, at zero interest, but that's what the buyer wants so the system compensates accordingly, but that's another story.) Because the purchaser has to borrow money to pay, and because you *cannot* wring the float out of a transaction (that is, you can get instantaneous execution, but the transaction clears and settles at a later date; 90 days is the maximum float time for a non-repudiated credit-card transaction, for instance), I claim that book-entry transactions will *always* be liable for "identity" theft. Put another way, remember Doug Barnes' famous quip that "and then you go to jail" is not an acceptable error handling step for a transnational internet transaction protocol. I would claim that enforcement of identity as a legal concept costs too much in the long run to be useful, and that the cheapest way to avoid the whole problem is to go to systems which not only don't require identity, but they don't even require book-entry *accounts* at all to function at the user level. Financial cryptography has had that technology for more than two decades now, so long that the patent's about expired on it, if it hasn't already. >The aspect of this that's generally spooky is not the existence of >book entry payment systems, it's the ease with which someone can get >credit (in one form or another) in your name, based on information >they got from public records and maybe a bit of dumpster diving, >some spyware installed on your machine, or a phishing expedition. >How the payment systems are cleared isn't going to change that, >right? (I know you've thought about this stuff a lot more than I >have, so maybe I'm missing something....) See above. When you use book-entry transactions, by definition, you need identity. Biometric, is-a-person, go-to-jail-if-you-lie-about-a-book-entry identity. With bearer transactions, digital/internet or otherwise, you don't have identity. You don't *need* identity to execute, clear, and settle the transaction, primarily because all three happen at once. There's no float between the three activities. You don't have to send someone to jail if they lie, because the transaction never executes in the first place if they do. Now, there are tradeoffs. The first one is key management, which as Schneier likes to point out, is a hard problem. Personally, I think that if you don't have to associate a key with a flesh-and-blood body in meatspace, a whole continent full of problems just disappears. In a bearer transaction, it's orthogonal to the issue of security anyway, and all it does is cost you money to do for no added benefit. The second one is security of the digital bearer notes and coins themselves, which, frankly, scares people in the finance business most of all. However, I would claim that all organizations, and even people :-), do their *database* and document backups already, and that proper system hygiene will evolve, particularly if literal money is involved. Frankly, there already is a market for distributed data storage, and there are even working systems using m-of-n distributed data storage, which would be the most secure way to solve the problem. And, as we all know, digital bearer transactions are the best *way* to pay for those kinds of m-of-n services anyway, so it feeds on itself nicely. I think that it's less of a chicken-and-egg problem than it used to be, and I think that reality is catching up to all the theory we've kicked around on these lists for more than a decade now. The ultimate solution to the problem of identity theft is to not use identity at all, and, frankly, not even to use book-entries at all. Cheers, RAH -----BEGIN PGP SIGNATURE----- Version: PGP 8.0.3 iQA/AwUBQWvvMcPxH8jf3ohaEQK7sQCgv7HrWERRq8oJwZWq+6K/Ekiq4mMAoKCc sc4xGjfFFKMysKjV2hRDjSsy =C/Ar -----END PGP SIGNATURE----- -- ----------------- R. A. Hettinga <mailto: rah(a)ibuc.com> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' This email is for the intended recipient only and is confidential. If you are not the intended recipient, please inform the sender immediately and delete this email and any copies, (including attachments), from your system. You should not read, copy or make any use of this email if you have received it in error. You should take whatever measures you deem to be appropriate to ensure that this email is virus free. CRESTCo Ltd does not give any representation, guarantee or warranty (whether expressed or implied) that this email has been securely transmitted or is accurate, timely or complete and excludes all liability in connection with this email or for any statements which are clearly the senders own and do not represent the views of CRESTCo Ltd. CRESTCo Ltd reserves the right to monitor the use and content of all emails. --- end forwarded text -- ----------------- R. A. Hettinga <mailto: rah(a)ibuc.com> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

1 0

Re: Financial identity is *dangerous*? (was re: Fake companies,
by None 06 Jul '18

06 Jul '18

real money) From: Somebody at a Central Securities Depository :-) Date: Wed, 13 Oct 2004 10:31:10 +0100 i buy the argument that transaction instantaneity is a solution to the identity theft problem - my cash in your hands, at the same time (now) as your goods in my hands, in a way that allows both of us to ensure we have got what we wanted. But there's a trade-off; I have to use money, not credit, now - your point about the buyer 'lending' the seller cash at 0% interest. I'm not sure how "the system compensates" for that. It seems to me it becomes a risk-cost trade-off for the individual: I can work out the cost to me of using real money not credit; then I know what I am paying to insure myself against identity theft. Of course I probably rely on the credit people covering me against a lot of the risk of identity theft, and I may not even pay them for that cost (if it is built into the APR they charge and I can avoid interest by paying off the card quickly)... so to me identity theft risk is almost costless. Why then would I choose to insure myself explicitly by using cash instead of credit? What is it that makes all the individuals start thinking about the best interests of "the system" (which should be cheaper without all these hidden insurance costs) instead of thinking about their own interests?! David "R.A. Hettinga" <rah(a)shipwright.com> 12/10/2004 15:52 To: John Kelsey <kelsey.j(a)ix.netcom.com>, cryptography(a)metzdowd.com, cypherpunks(a)al-qaeda.net cc: Subject: Re: Financial identity is *dangerous*? (was re: Fake companies, real money) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 At 9:49 AM -0400 10/12/04, John Kelsey wrote: >Hmmm. I guess I don't see why this story supports that argument all >that well. More like the straw that broke the camel's back, admittedly. A long time ago I came to the conclusion that the closer we get to transaction instantaneity, the less counterparty identity matters at all. That is, the fastest transaction we can think of is a cryptographically secure glop of bits that is issued by an entity who is responsible for the integrity of the transaction and the quality of assets that the bits represent. Blind signature notes work fine for a first-order approximation. In other words, an internet bearer transaction. In such a scenario, nobody *cares* who the counterparties are for two reasons. The first reason is existential: title to the asset has transferred instantaneously. There is *no* float. I have it now, so I don't *care* who you were, because, well, it's *mine* now. :-). Second, keeping an audit trail when the title is never in question is, in the best circumstances superfluous and expensive, and, in the worst, even dangerous for any of a number of security reasons, depending on the color of your adversary's hat, or the color your adversary thinks his hat is, or whatever. Keeping track of credit card numbers in a database is an extant problem, for instance, with a known, shall we say, market cost. We'll leave political seizure and other artifacts of totalitarianism to counted by the actuaries. > Clearly, book entry systems where I can do transactions in your >name and you are held liable for them are bad, but that's like >looking at Windows 98's security flaws and deciding that x86 >processors can't support good OS security. I'm walking out on a limb here, in light of what I said above, and saying that when there's *any* float in the process, your liability for identity theft increases with the float involved. Furthermore, book-entry transactions *require* float, somewhere. They are debt-dependent. Someone has to *borrow* money to effect a transaction. (In a bearer transaction, the shoe's on the other foot, the purchaser is *loaning* money, at zero interest, but that's what the buyer wants so the system compensates accordingly, but that's another story.) Because the purchaser has to borrow money to pay, and because you *cannot* wring the float out of a transaction (that is, you can get instantaneous execution, but the transaction clears and settles at a later date; 90 days is the maximum float time for a non-repudiated credit-card transaction, for instance), I claim that book-entry transactions will *always* be liable for "identity" theft. Put another way, remember Doug Barnes' famous quip that "and then you go to jail" is not an acceptable error handling step for a transnational internet transaction protocol. I would claim that enforcement of identity as a legal concept costs too much in the long run to be useful, and that the cheapest way to avoid the whole problem is to go to systems which not only don't require identity, but they don't even require book-entry *accounts* at all to function at the user level. Financial cryptography has had that technology for more than two decades now, so long that the patent's about expired on it, if it hasn't already. >The aspect of this that's generally spooky is not the existence of >book entry payment systems, it's the ease with which someone can get >credit (in one form or another) in your name, based on information >they got from public records and maybe a bit of dumpster diving, >some spyware installed on your machine, or a phishing expedition. >How the payment systems are cleared isn't going to change that, >right? (I know you've thought about this stuff a lot more than I >have, so maybe I'm missing something....) See above. When you use book-entry transactions, by definition, you need identity. Biometric, is-a-person, go-to-jail-if-you-lie-about-a-book-entry identity. With bearer transactions, digital/internet or otherwise, you don't have identity. You don't *need* identity to execute, clear, and settle the transaction, primarily because all three happen at once. There's no float between the three activities. You don't have to send someone to jail if they lie, because the transaction never executes in the first place if they do. Now, there are tradeoffs. The first one is key management, which as Schneier likes to point out, is a hard problem. Personally, I think that if you don't have to associate a key with a flesh-and-blood body in meatspace, a whole continent full of problems just disappears. In a bearer transaction, it's orthogonal to the issue of security anyway, and all it does is cost you money to do for no added benefit. The second one is security of the digital bearer notes and coins themselves, which, frankly, scares people in the finance business most of all. However, I would claim that all organizations, and even people :-), do their *database* and document backups already, and that proper system hygiene will evolve, particularly if literal money is involved. Frankly, there already is a market for distributed data storage, and there are even working systems using m-of-n distributed data storage, which would be the most secure way to solve the problem. And, as we all know, digital bearer transactions are the best *way* to pay for those kinds of m-of-n services anyway, so it feeds on itself nicely. I think that it's less of a chicken-and-egg problem than it used to be, and I think that reality is catching up to all the theory we've kicked around on these lists for more than a decade now. The ultimate solution to the problem of identity theft is to not use identity at all, and, frankly, not even to use book-entries at all. Cheers, RAH -----BEGIN PGP SIGNATURE----- Version: PGP 8.0.3 iQA/AwUBQWvvMcPxH8jf3ohaEQK7sQCgv7HrWERRq8oJwZWq+6K/Ekiq4mMAoKCc sc4xGjfFFKMysKjV2hRDjSsy =C/Ar -----END PGP SIGNATURE----- -- ----------------- R. A. Hettinga <mailto: rah(a)ibuc.com> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' This email is for the intended recipient only and is confidential. If you are not the intended recipient, please inform the sender immediately and delete this email and any copies, (including attachments), from your system. You should not read, copy or make any use of this email if you have received it in error. You should take whatever measures you deem to be appropriate to ensure that this email is virus free. CRESTCo Ltd does not give any representation, guarantee or warranty (whether expressed or implied) that this email has been securely transmitted or is accurate, timely or complete and excludes all liability in connection with this email or for any statements which are clearly the senders own and do not represent the views of CRESTCo Ltd. CRESTCo Ltd reserves the right to monitor the use and content of all emails. --- end forwarded text -- ----------------- R. A. Hettinga <mailto: rah(a)ibuc.com> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

1 0

Re: Financial identity is *dangerous*? (was re: Fake companies,
by None 06 Jul '18

06 Jul '18

real money) From: Somebody at a Central Securities Depository :-) Date: Wed, 13 Oct 2004 10:31:10 +0100 i buy the argument that transaction instantaneity is a solution to the identity theft problem - my cash in your hands, at the same time (now) as your goods in my hands, in a way that allows both of us to ensure we have got what we wanted. But there's a trade-off; I have to use money, not credit, now - your point about the buyer 'lending' the seller cash at 0% interest. I'm not sure how "the system compensates" for that. It seems to me it becomes a risk-cost trade-off for the individual: I can work out the cost to me of using real money not credit; then I know what I am paying to insure myself against identity theft. Of course I probably rely on the credit people covering me against a lot of the risk of identity theft, and I may not even pay them for that cost (if it is built into the APR they charge and I can avoid interest by paying off the card quickly)... so to me identity theft risk is almost costless. Why then would I choose to insure myself explicitly by using cash instead of credit? What is it that makes all the individuals start thinking about the best interests of "the system" (which should be cheaper without all these hidden insurance costs) instead of thinking about their own interests?! David "R.A. Hettinga" <rah(a)shipwright.com> 12/10/2004 15:52 To: John Kelsey <kelsey.j(a)ix.netcom.com>, cryptography(a)metzdowd.com, cypherpunks(a)al-qaeda.net cc: Subject: Re: Financial identity is *dangerous*? (was re: Fake companies, real money) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 At 9:49 AM -0400 10/12/04, John Kelsey wrote: >Hmmm. I guess I don't see why this story supports that argument all >that well. More like the straw that broke the camel's back, admittedly. A long time ago I came to the conclusion that the closer we get to transaction instantaneity, the less counterparty identity matters at all. That is, the fastest transaction we can think of is a cryptographically secure glop of bits that is issued by an entity who is responsible for the integrity of the transaction and the quality of assets that the bits represent. Blind signature notes work fine for a first-order approximation. In other words, an internet bearer transaction. In such a scenario, nobody *cares* who the counterparties are for two reasons. The first reason is existential: title to the asset has transferred instantaneously. There is *no* float. I have it now, so I don't *care* who you were, because, well, it's *mine* now. :-). Second, keeping an audit trail when the title is never in question is, in the best circumstances superfluous and expensive, and, in the worst, even dangerous for any of a number of security reasons, depending on the color of your adversary's hat, or the color your adversary thinks his hat is, or whatever. Keeping track of credit card numbers in a database is an extant problem, for instance, with a known, shall we say, market cost. We'll leave political seizure and other artifacts of totalitarianism to counted by the actuaries. > Clearly, book entry systems where I can do transactions in your >name and you are held liable for them are bad, but that's like >looking at Windows 98's security flaws and deciding that x86 >processors can't support good OS security. I'm walking out on a limb here, in light of what I said above, and saying that when there's *any* float in the process, your liability for identity theft increases with the float involved. Furthermore, book-entry transactions *require* float, somewhere. They are debt-dependent. Someone has to *borrow* money to effect a transaction. (In a bearer transaction, the shoe's on the other foot, the purchaser is *loaning* money, at zero interest, but that's what the buyer wants so the system compensates accordingly, but that's another story.) Because the purchaser has to borrow money to pay, and because you *cannot* wring the float out of a transaction (that is, you can get instantaneous execution, but the transaction clears and settles at a later date; 90 days is the maximum float time for a non-repudiated credit-card transaction, for instance), I claim that book-entry transactions will *always* be liable for "identity" theft. Put another way, remember Doug Barnes' famous quip that "and then you go to jail" is not an acceptable error handling step for a transnational internet transaction protocol. I would claim that enforcement of identity as a legal concept costs too much in the long run to be useful, and that the cheapest way to avoid the whole problem is to go to systems which not only don't require identity, but they don't even require book-entry *accounts* at all to function at the user level. Financial cryptography has had that technology for more than two decades now, so long that the patent's about expired on it, if it hasn't already. >The aspect of this that's generally spooky is not the existence of >book entry payment systems, it's the ease with which someone can get >credit (in one form or another) in your name, based on information >they got from public records and maybe a bit of dumpster diving, >some spyware installed on your machine, or a phishing expedition. >How the payment systems are cleared isn't going to change that, >right? (I know you've thought about this stuff a lot more than I >have, so maybe I'm missing something....) See above. When you use book-entry transactions, by definition, you need identity. Biometric, is-a-person, go-to-jail-if-you-lie-about-a-book-entry identity. With bearer transactions, digital/internet or otherwise, you don't have identity. You don't *need* identity to execute, clear, and settle the transaction, primarily because all three happen at once. There's no float between the three activities. You don't have to send someone to jail if they lie, because the transaction never executes in the first place if they do. Now, there are tradeoffs. The first one is key management, which as Schneier likes to point out, is a hard problem. Personally, I think that if you don't have to associate a key with a flesh-and-blood body in meatspace, a whole continent full of problems just disappears. In a bearer transaction, it's orthogonal to the issue of security anyway, and all it does is cost you money to do for no added benefit. The second one is security of the digital bearer notes and coins themselves, which, frankly, scares people in the finance business most of all. However, I would claim that all organizations, and even people :-), do their *database* and document backups already, and that proper system hygiene will evolve, particularly if literal money is involved. Frankly, there already is a market for distributed data storage, and there are even working systems using m-of-n distributed data storage, which would be the most secure way to solve the problem. And, as we all know, digital bearer transactions are the best *way* to pay for those kinds of m-of-n services anyway, so it feeds on itself nicely. I think that it's less of a chicken-and-egg problem than it used to be, and I think that reality is catching up to all the theory we've kicked around on these lists for more than a decade now. The ultimate solution to the problem of identity theft is to not use identity at all, and, frankly, not even to use book-entries at all. Cheers, RAH -----BEGIN PGP SIGNATURE----- Version: PGP 8.0.3 iQA/AwUBQWvvMcPxH8jf3ohaEQK7sQCgv7HrWERRq8oJwZWq+6K/Ekiq4mMAoKCc sc4xGjfFFKMysKjV2hRDjSsy =C/Ar -----END PGP SIGNATURE----- -- ----------------- R. A. Hettinga <mailto: rah(a)ibuc.com> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' This email is for the intended recipient only and is confidential. If you are not the intended recipient, please inform the sender immediately and delete this email and any copies, (including attachments), from your system. You should not read, copy or make any use of this email if you have received it in error. You should take whatever measures you deem to be appropriate to ensure that this email is virus free. CRESTCo Ltd does not give any representation, guarantee or warranty (whether expressed or implied) that this email has been securely transmitted or is accurate, timely or complete and excludes all liability in connection with this email or for any statements which are clearly the senders own and do not represent the views of CRESTCo Ltd. CRESTCo Ltd reserves the right to monitor the use and content of all emails. --- end forwarded text -- ----------------- R. A. Hettinga <mailto: rah(a)ibuc.com> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

1 0

Re: [liberationtech] iPhones/iPads secretly track 'scary amount' of your movements
by Frank Corrigan 06 Jul '18

06 Jul '18

More critical analysis of the original tracking claims has been posted here: "Here's hoping Apple's location tracking isn't as big a threat as some believe. But until those who know for sure speak up (Apple PR, are you listening?), we think the prudent thing to do is assume it is." http://www.theregister.co.uk/2011/04/22/apple_iphone_location_tracking_anal… No, iPhone location tracking isn't harmless and here's why Secret Apple database already being tapped by cops By Dan Goodin in San Francisco b" Posted in ID, 22nd April 2011 00:51 GMT Analysis It didn't take long for the blogosphere to pooh pooh research presented on Wednesday that detailed a file in Apple iPhones and iPads unknown to the vast majority of its users that stored a long list of their time-stamped locations, sometimes with alarming detail. On Thursday, a forensics expert who sells software to law enforcement agencies gave a first-hand account why scrutiny of the location-tracking database is crucial. We'll get to that in a moment. But first, let's take a sampling of the rampant naysaying. The most common criticism was that the contents of the SQLite file, which is stored on the phone and on any computer backups, were wildly imprecise. Blogger and web developer Will Clarke, for instance, used the researchers' freely available software to map the coordinates gathered by his own iPhone during a recent round-trip bike tour he took from Philadelphia to New Jersey. When he compared the results to the actual route, he found that b almost all the points were way off.b In an interview with The Reg, he said some of the points on the resulting map were as much as 3,000 meters, or almost two miles, away from his true location. b The data that is exposed basically reveals which city you were in at a given time,b he concluded in a post that called the research b sensational.b b Nothing more specific than that. It can't tell what house you live in, it can't tell what route you jog on, nothing like that.b He went on to conclude: b Apple is not storing the device's location, it's storing the location of the towers that the device is communicating with.b Software analyst David b Leftyb Schlesinger found similar inaccuracies when he used the database contents of his iPhone to plot a train ride he took in July from Amsterdam to Den Haag, about 60 kilometers away. He also found that the iPhone file showed he was in Santa Cruz, California, on Christmas Day and traveled as much as 80 miles, when in fact he stayed in the state's Central Valley, some 130 miles away, the entire day. Like several other bloggers, he also noted huge inconsistencies in the time intervals that locations were logged. Sometimes iPhones and iPads went days without updating the database, and on one occasion went almost two weeks. The critics make a valid point that the data stored in the consolidated.db file hardly contains a historical record of a user's real-time comings and goings, or a user's every move, as incorrectly suggested in initial coverage from The Register and many other news sites. Researchers Pete Warden and Alasdair Allan readily acknowledge that they have yet to figure out what triggers iDevices to log location details, but it's not unusual for hours or even weeks to occasionally pass between entries. They said they have noted one or two grossly inaccurate locations logged in the database. One region that seems to regularly pop up in files stored on multiple phones is an area just outside of Las Vegas. Allan said the database extracted from his iPhone and the iPhones of several people he knows logged that Nevada city even though none of the owners were anywhere near it on the date indicated in the corresponding timestamp. Las Vegas also incorrectly showed up on the iPhones of Clarke and a co-worker of his, suggesting the iOS code that logs locations may be buggy. b We both have the exact same data point in Vegas, and neither of us have been,b he said. Warden and Allan said their reverse engineering exercise made it impossible to learn the precise way the logging works, but they insist the conclusion of their research is still correct: The contents of the consolidated.db file stored on every iDevice and on any computer containing a backup of its data contains a b scary amount of detail on our movements.b b By inspecting it, I can tell what part of downtown San Francisco I'm in, I can see that I'm in a particular neighborhood,b Warden said. Added Allan: b It's a bit above block level, but it can certainly tell that I'm in north east Manhattan, or south east Manhattan.b They said the precise latitude and longitude plotted on a map is accurate to about 500 meters in areas where there are many cellphone nodes and as much as 4 kilometers with fewer nodes. b It really does seem to be dependent on how good your cell coverage is,b Allan said. b If you're in a big city like downtown San Francisco, the positioning is going to be much better. If you're in the middle of London, the positioning is going to be much better. If you're in a rural or semi-rural area, your positions are going to be much rougher.b They also refuted Clarke's assertion that the latitude and longitude coordinates logged in the database referred to the position of cell towers rather than the Apple devices themselves. Some of the extracted databases they examined plotted literally thousands of unique coordinates in a small part of a single city. It's almost impossible that there could be that many corresponding nodes in such a confined area, they said. What's more, the geographic locations of cell towers is usually kept secret by the carriers who own them, and there's no clear way an iPhone would be able to detect its longitude and latitude anyway. b Our current stance is that this is the position of the device,b Allan said. b There has to be now or very soon a big public debate about location data and privacy. This (research) might be something that helps kick that debate off.b Cops already tapping consolidated.db predecessor Chris Soghoian, a security and privacy researcher with no connection to Warden and Allan's work, agreed. b I don't think users had any idea that this information was being collected,b he said. b The fact that it doesn't detail the exact street corner you were on and merely deals with what neighborhood you were in, I donbt think that's going to be comforting to people. He compared the the iPhone and iPad's tracking of location information to the Google Street View debacle, in which roving vehicles throughout the globe logged unencrypted Wi-Fi traffic and dumped it into a giant database, contradicting previous assurances from the company. Google later pledged to destroy the data, which may include passwords and other sensitive information. Soghoian said Apple had a responsibility to let customers know the type and extent of the information their iPhones and iPads were collecting about them. b When you get stopped by the police and they arrest you for any crime, they can search your phone and get any data off of it,b he said. b This is definitely something that people should be concerned about and I think what it points to is that Apple isn't taking privacy seriously.b Indeed, Alex Levinson, a forensics expert specializing in mobile devices, blogged here that b geolocational artifacts were one of the single most important forensic vectors found onb the devices. As a result, he wrote a proprietary program called Lantern that law enforcement agencies use to actively examine the contents of the iPhone location database. b Within 24 hours of the iPhone 4's release, we had updated Lantern to support forensic analysis of iOS 4.0 devices,b he wrote. b Within 36 hours, we had begun writing code to investigate consolidated.db. Once a jailbreak came out for iOS 4, I wrote a small proof of concept application to harvest the contents of consolidated.db and feed it to a server for remote location tracking.b Levinson also said iPhone location tracking has gone on much longer than indicated by Warden and Allan, who claimed it began with the introduction of Apple's iOS 4 in late June. In fact, said Levinson, earlier iPhones contained a hidden file called h-cells.plist that contained much of the same baseband radio locations that consolidated.db has now. b Through my work with various law enforcement agencies, we've used h-cells.plist on devices older than iOS 4 to harvest geolocational evidence from iOS devices,b wrote Levinson, who is a lead engineer for Katana Forensics. Based on Levinson's account, it's hard to put much credence in critics who cite bugs and a lack of geographic granularity to argue that the undisclosed tracking of iPhones and iPads is harmless or inconsequential to its millions of users. Inclusion of the database means that anyone who ever loses his device risks exposing potentially large amounts of information about where he was over months or years. That could be devastating for people embroiled in messy lawsuits or those whose whereabouts are closely guarded secrets, such as volunteers who work with victims of abusive spouses. Of course, none of this speculation would be necessary if Apple would come clean about exactly how the location tracking it built into its devices works and what precise information is collected. The company, in keeping with its Jobsian obsession with privacy, has yet to utter a peep despite widespread media coverage. Here's hoping Apple's location tracking isn't as big a threat as some believe. But until those who know for sure speak up (Apple PR, are you listening?), we think the prudent thing to do is assume it is. Frank ----- Original message ----- From: "Rafal Rohozinski" <r.rohozinski(a)psiphon.ca> To: "Liberation Technologies" <liberationtech(a)lists.stanford.edu> Date: Wed, 20 Apr 2011 22:51:53 -0400 Subject: Re: [liberationtech] iPhones/iPads secretly track 'scary amount' of your movements It's not just iPhones that record vast amount of data that can be easily geo-located and reconstruct person's movements, networks, and personal communication - any cell phone going back 15 years stores data through log files, message and SMS traffic that can be reconstructed and retrieved to create pretty comprehensive profiles of usage and location. Devices that do forensic extraction (UFED) are quite widespread and in use throughout police forces intelligence agencies as well as most cellular carriers around the world. For those of you for whom this is a revelation, I'd advise you to take a look at this website of a leading provider of UFEDs. There are some interesting videos, and once you're done, take a look at where this company has it's permanent representatives. http://www.cellebrite.com/forensic-products/ufed-physical-pro.html Time for a reality check. Mobile phones are essentially digital dogtags so if you're concerned about the ability they have to track your movements and communications - do like Osama, use exclusively off-line means through trusted intermediaries. Otherwise accepting that cell phones are a risk to privacy is just the flip side of the convenience that these devices bring. With or without Apple networks are essentially spiderwebs - that's the essence of modern signals intelligence. It's worrisome that there are a lot of myths among the activist community about cell phone security. True, you can "drive up the negatives" and make it more difficult for a casual actor to scan or obtain PII from your phone ( so I I agree with Nathan) - but if you're up against well resourced opponents, most of these tools plain ineffective and their very presence on your phone may be more of a giveaway that actually makes you more of a a target of interest. Unfortunately security is not a product or something you can buy shrink-wrapped in code. Its practice and process and ultimately comes down to the risks you're willing to take in the service of an objective or cause. And if you want to play in the big tent, it's good old-fashioned tradecraft and not better toys that make a difference. Rafal On Apr 20, 2011, at 5:43 PM, Frank Corrigan wrote: > > I am aware of the general principle of mobile phone tracking, it is just > that most people assume this data is only accessible via cell tower > providers or via a court order/lawful request, not recorded on the > device itself and accessible in an easy to read format to anyone who has > access and inclination or has impounded it for law enforcement purposes. > I suppose it's a bit like the Windows IE index.dat files. Now of course > anyone crossing a USA border can have such devices taken away and such > location data easily copied for later in-situ analysis. > > Frank > > ----- Original message ----- > From: "Nathan Freitas" <nathan(a)freitas.net> > To: "Frank Corrigan" <email(a)franciscorrigan.com>, "Liberation > Technologies" <liberationtech(a)lists.stanford.edu> > Date: Wed, 20 Apr 2011 16:20:13 -0400 > Subject: Re: [liberationtech] iPhones/iPads secretly track 'scary > amount' of your movements > > On 04/20/2011 03:55 PM, Frank Corrigan wrote: >> More reasons for activists/protesters in hostile (ordinary) environments >> not to bring along their mobile phone, latest cell connected gizmo. > > ... and return to megaphones, flags, smoke signals, carrier pigeons and > frantic arm waving instead? If our ordinary environments are truly > hostile, then either we give up ever using a mobile phone, or we find > some way to address the problem. > > Don't get me wrong, this latest revelation on mobile privacy is indeed > scary, and Apple better fess up. I just think we can fix these issues, > instead of allowing them to be disempowering. > > In this case at least, turning your phone into "airplane mode" would > have stopped the phone from broadcasting its availability to and > registering with mobile towers. This would stop the active triangulation > of your location from being logged into the local iOS database. > > I have an "airplane mode" icon on my Android phone home screen. Anytime > I am not expecting an important call, or am reachable by another means > (email, IM, irc), I generally activate it. Not only does it reduce my > location footprint data trail, but it also saves quite a bit of battery > life! > > I also like Google's Latitude Dashboard which encourages user to really > "own it" when it comes to mobile location data tracking. They have a > really pretty UI, charts, etc, that can show you how many minutes a day > you spend at home, the gym, work or your local pub. Their point is that > if government and mobile phone operators already have this data, why > shouldn't you (the user and human being tracked) also benefit from it? > > https://www.google.com/latitude/history/dashboard > > All in all, we shouldn't cede the advantage technology can bring to the > movements and causes we care about because developers at Apple and Skype > (see their recent issue with Android app data permissions) are clearly > make very bad decisions about how they implement their closed-source > software. > > Best, > Nathan > > _______________________________________________ > liberationtech mailing list > liberationtech(a)lists.stanford.edu > > Should you need to change your subscription options, please go to: > > https://mailman.stanford.edu/mailman/listinfo/liberationtech > > If you would like to receive a daily digest, click "yes" (once you click above) next to "would you like to receive list mail batched in a daily digest?" > > You will need the user name and password you receive from the list moderator in monthly reminders. > > Should you need immediate assistance, please contact the list moderator. > > Please don't forget to follow us on http://twitter.com/#!/Liberationtech _______________________________________________ liberationtech mailing list liberationtech(a)lists.stanford.edu Should you need to change your subscription options, please go to: https://mailman.stanford.edu/mailman/listinfo/liberationtech If you would like to receive a daily digest, click "yes" (once you click above) next to "would you like to receive list mail batched in a daily digest?" You will need the user name and password you receive from the list moderator in monthly reminders. Should you need immediate assistance, please contact the list moderator. Please don't forget to follow us on http://twitter.com/#!/Liberationtech _______________________________________________ liberationtech mailing list liberationtech(a)lists.stanford.edu Should you need to change your subscription options, please go to: https://mailman.stanford.edu/mailman/listinfo/liberationtech If you would like to receive a daily digest, click "yes" (once you click above) next to "would you like to receive list mail batched in a daily digest?" You will need the user name and password you receive from the list moderator in monthly reminders. Should you need immediate assistance, please contact the list moderator. Please don't forget to follow us on http://twitter.com/#!/Liberationtech ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

1 0

Re: [liberationtech] iPhones/iPads secretly track 'scary amount' of your movements
by Frank Corrigan 06 Jul '18

06 Jul '18

More critical analysis of the original tracking claims has been posted here: "Here's hoping Apple's location tracking isn't as big a threat as some believe. But until those who know for sure speak up (Apple PR, are you listening?), we think the prudent thing to do is assume it is." http://www.theregister.co.uk/2011/04/22/apple_iphone_location_tracking_anal… No, iPhone location tracking isn't harmless and here's why Secret Apple database already being tapped by cops By Dan Goodin in San Francisco b" Posted in ID, 22nd April 2011 00:51 GMT Analysis It didn't take long for the blogosphere to pooh pooh research presented on Wednesday that detailed a file in Apple iPhones and iPads unknown to the vast majority of its users that stored a long list of their time-stamped locations, sometimes with alarming detail. On Thursday, a forensics expert who sells software to law enforcement agencies gave a first-hand account why scrutiny of the location-tracking database is crucial. We'll get to that in a moment. But first, let's take a sampling of the rampant naysaying. The most common criticism was that the contents of the SQLite file, which is stored on the phone and on any computer backups, were wildly imprecise. Blogger and web developer Will Clarke, for instance, used the researchers' freely available software to map the coordinates gathered by his own iPhone during a recent round-trip bike tour he took from Philadelphia to New Jersey. When he compared the results to the actual route, he found that b almost all the points were way off.b In an interview with The Reg, he said some of the points on the resulting map were as much as 3,000 meters, or almost two miles, away from his true location. b The data that is exposed basically reveals which city you were in at a given time,b he concluded in a post that called the research b sensational.b b Nothing more specific than that. It can't tell what house you live in, it can't tell what route you jog on, nothing like that.b He went on to conclude: b Apple is not storing the device's location, it's storing the location of the towers that the device is communicating with.b Software analyst David b Leftyb Schlesinger found similar inaccuracies when he used the database contents of his iPhone to plot a train ride he took in July from Amsterdam to Den Haag, about 60 kilometers away. He also found that the iPhone file showed he was in Santa Cruz, California, on Christmas Day and traveled as much as 80 miles, when in fact he stayed in the state's Central Valley, some 130 miles away, the entire day. Like several other bloggers, he also noted huge inconsistencies in the time intervals that locations were logged. Sometimes iPhones and iPads went days without updating the database, and on one occasion went almost two weeks. The critics make a valid point that the data stored in the consolidated.db file hardly contains a historical record of a user's real-time comings and goings, or a user's every move, as incorrectly suggested in initial coverage from The Register and many other news sites. Researchers Pete Warden and Alasdair Allan readily acknowledge that they have yet to figure out what triggers iDevices to log location details, but it's not unusual for hours or even weeks to occasionally pass between entries. They said they have noted one or two grossly inaccurate locations logged in the database. One region that seems to regularly pop up in files stored on multiple phones is an area just outside of Las Vegas. Allan said the database extracted from his iPhone and the iPhones of several people he knows logged that Nevada city even though none of the owners were anywhere near it on the date indicated in the corresponding timestamp. Las Vegas also incorrectly showed up on the iPhones of Clarke and a co-worker of his, suggesting the iOS code that logs locations may be buggy. b We both have the exact same data point in Vegas, and neither of us have been,b he said. Warden and Allan said their reverse engineering exercise made it impossible to learn the precise way the logging works, but they insist the conclusion of their research is still correct: The contents of the consolidated.db file stored on every iDevice and on any computer containing a backup of its data contains a b scary amount of detail on our movements.b b By inspecting it, I can tell what part of downtown San Francisco I'm in, I can see that I'm in a particular neighborhood,b Warden said. Added Allan: b It's a bit above block level, but it can certainly tell that I'm in north east Manhattan, or south east Manhattan.b They said the precise latitude and longitude plotted on a map is accurate to about 500 meters in areas where there are many cellphone nodes and as much as 4 kilometers with fewer nodes. b It really does seem to be dependent on how good your cell coverage is,b Allan said. b If you're in a big city like downtown San Francisco, the positioning is going to be much better. If you're in the middle of London, the positioning is going to be much better. If you're in a rural or semi-rural area, your positions are going to be much rougher.b They also refuted Clarke's assertion that the latitude and longitude coordinates logged in the database referred to the position of cell towers rather than the Apple devices themselves. Some of the extracted databases they examined plotted literally thousands of unique coordinates in a small part of a single city. It's almost impossible that there could be that many corresponding nodes in such a confined area, they said. What's more, the geographic locations of cell towers is usually kept secret by the carriers who own them, and there's no clear way an iPhone would be able to detect its longitude and latitude anyway. b Our current stance is that this is the position of the device,b Allan said. b There has to be now or very soon a big public debate about location data and privacy. This (research) might be something that helps kick that debate off.b Cops already tapping consolidated.db predecessor Chris Soghoian, a security and privacy researcher with no connection to Warden and Allan's work, agreed. b I don't think users had any idea that this information was being collected,b he said. b The fact that it doesn't detail the exact street corner you were on and merely deals with what neighborhood you were in, I donbt think that's going to be comforting to people. He compared the the iPhone and iPad's tracking of location information to the Google Street View debacle, in which roving vehicles throughout the globe logged unencrypted Wi-Fi traffic and dumped it into a giant database, contradicting previous assurances from the company. Google later pledged to destroy the data, which may include passwords and other sensitive information. Soghoian said Apple had a responsibility to let customers know the type and extent of the information their iPhones and iPads were collecting about them. b When you get stopped by the police and they arrest you for any crime, they can search your phone and get any data off of it,b he said. b This is definitely something that people should be concerned about and I think what it points to is that Apple isn't taking privacy seriously.b Indeed, Alex Levinson, a forensics expert specializing in mobile devices, blogged here that b geolocational artifacts were one of the single most important forensic vectors found onb the devices. As a result, he wrote a proprietary program called Lantern that law enforcement agencies use to actively examine the contents of the iPhone location database. b Within 24 hours of the iPhone 4's release, we had updated Lantern to support forensic analysis of iOS 4.0 devices,b he wrote. b Within 36 hours, we had begun writing code to investigate consolidated.db. Once a jailbreak came out for iOS 4, I wrote a small proof of concept application to harvest the contents of consolidated.db and feed it to a server for remote location tracking.b Levinson also said iPhone location tracking has gone on much longer than indicated by Warden and Allan, who claimed it began with the introduction of Apple's iOS 4 in late June. In fact, said Levinson, earlier iPhones contained a hidden file called h-cells.plist that contained much of the same baseband radio locations that consolidated.db has now. b Through my work with various law enforcement agencies, we've used h-cells.plist on devices older than iOS 4 to harvest geolocational evidence from iOS devices,b wrote Levinson, who is a lead engineer for Katana Forensics. Based on Levinson's account, it's hard to put much credence in critics who cite bugs and a lack of geographic granularity to argue that the undisclosed tracking of iPhones and iPads is harmless or inconsequential to its millions of users. Inclusion of the database means that anyone who ever loses his device risks exposing potentially large amounts of information about where he was over months or years. That could be devastating for people embroiled in messy lawsuits or those whose whereabouts are closely guarded secrets, such as volunteers who work with victims of abusive spouses. Of course, none of this speculation would be necessary if Apple would come clean about exactly how the location tracking it built into its devices works and what precise information is collected. The company, in keeping with its Jobsian obsession with privacy, has yet to utter a peep despite widespread media coverage. Here's hoping Apple's location tracking isn't as big a threat as some believe. But until those who know for sure speak up (Apple PR, are you listening?), we think the prudent thing to do is assume it is. Frank ----- Original message ----- From: "Rafal Rohozinski" <r.rohozinski(a)psiphon.ca> To: "Liberation Technologies" <liberationtech(a)lists.stanford.edu> Date: Wed, 20 Apr 2011 22:51:53 -0400 Subject: Re: [liberationtech] iPhones/iPads secretly track 'scary amount' of your movements It's not just iPhones that record vast amount of data that can be easily geo-located and reconstruct person's movements, networks, and personal communication - any cell phone going back 15 years stores data through log files, message and SMS traffic that can be reconstructed and retrieved to create pretty comprehensive profiles of usage and location. Devices that do forensic extraction (UFED) are quite widespread and in use throughout police forces intelligence agencies as well as most cellular carriers around the world. For those of you for whom this is a revelation, I'd advise you to take a look at this website of a leading provider of UFEDs. There are some interesting videos, and once you're done, take a look at where this company has it's permanent representatives. http://www.cellebrite.com/forensic-products/ufed-physical-pro.html Time for a reality check. Mobile phones are essentially digital dogtags so if you're concerned about the ability they have to track your movements and communications - do like Osama, use exclusively off-line means through trusted intermediaries. Otherwise accepting that cell phones are a risk to privacy is just the flip side of the convenience that these devices bring. With or without Apple networks are essentially spiderwebs - that's the essence of modern signals intelligence. It's worrisome that there are a lot of myths among the activist community about cell phone security. True, you can "drive up the negatives" and make it more difficult for a casual actor to scan or obtain PII from your phone ( so I I agree with Nathan) - but if you're up against well resourced opponents, most of these tools plain ineffective and their very presence on your phone may be more of a giveaway that actually makes you more of a a target of interest. Unfortunately security is not a product or something you can buy shrink-wrapped in code. Its practice and process and ultimately comes down to the risks you're willing to take in the service of an objective or cause. And if you want to play in the big tent, it's good old-fashioned tradecraft and not better toys that make a difference. Rafal On Apr 20, 2011, at 5:43 PM, Frank Corrigan wrote: > > I am aware of the general principle of mobile phone tracking, it is just > that most people assume this data is only accessible via cell tower > providers or via a court order/lawful request, not recorded on the > device itself and accessible in an easy to read format to anyone who has > access and inclination or has impounded it for law enforcement purposes. > I suppose it's a bit like the Windows IE index.dat files. Now of course > anyone crossing a USA border can have such devices taken away and such > location data easily copied for later in-situ analysis. > > Frank > > ----- Original message ----- > From: "Nathan Freitas" <nathan(a)freitas.net> > To: "Frank Corrigan" <email(a)franciscorrigan.com>, "Liberation > Technologies" <liberationtech(a)lists.stanford.edu> > Date: Wed, 20 Apr 2011 16:20:13 -0400 > Subject: Re: [liberationtech] iPhones/iPads secretly track 'scary > amount' of your movements > > On 04/20/2011 03:55 PM, Frank Corrigan wrote: >> More reasons for activists/protesters in hostile (ordinary) environments >> not to bring along their mobile phone, latest cell connected gizmo. > > ... and return to megaphones, flags, smoke signals, carrier pigeons and > frantic arm waving instead? If our ordinary environments are truly > hostile, then either we give up ever using a mobile phone, or we find > some way to address the problem. > > Don't get me wrong, this latest revelation on mobile privacy is indeed > scary, and Apple better fess up. I just think we can fix these issues, > instead of allowing them to be disempowering. > > In this case at least, turning your phone into "airplane mode" would > have stopped the phone from broadcasting its availability to and > registering with mobile towers. This would stop the active triangulation > of your location from being logged into the local iOS database. > > I have an "airplane mode" icon on my Android phone home screen. Anytime > I am not expecting an important call, or am reachable by another means > (email, IM, irc), I generally activate it. Not only does it reduce my > location footprint data trail, but it also saves quite a bit of battery > life! > > I also like Google's Latitude Dashboard which encourages user to really > "own it" when it comes to mobile location data tracking. They have a > really pretty UI, charts, etc, that can show you how many minutes a day > you spend at home, the gym, work or your local pub. Their point is that > if government and mobile phone operators already have this data, why > shouldn't you (the user and human being tracked) also benefit from it? > > https://www.google.com/latitude/history/dashboard > > All in all, we shouldn't cede the advantage technology can bring to the > movements and causes we care about because developers at Apple and Skype > (see their recent issue with Android app data permissions) are clearly > make very bad decisions about how they implement their closed-source > software. > > Best, > Nathan > > _______________________________________________ > liberationtech mailing list > liberationtech(a)lists.stanford.edu > > Should you need to change your subscription options, please go to: > > https://mailman.stanford.edu/mailman/listinfo/liberationtech > > If you would like to receive a daily digest, click "yes" (once you click above) next to "would you like to receive list mail batched in a daily digest?" > > You will need the user name and password you receive from the list moderator in monthly reminders. > > Should you need immediate assistance, please contact the list moderator. > > Please don't forget to follow us on http://twitter.com/#!/Liberationtech _______________________________________________ liberationtech mailing list liberationtech(a)lists.stanford.edu Should you need to change your subscription options, please go to: https://mailman.stanford.edu/mailman/listinfo/liberationtech If you would like to receive a daily digest, click "yes" (once you click above) next to "would you like to receive list mail batched in a daily digest?" You will need the user name and password you receive from the list moderator in monthly reminders. Should you need immediate assistance, please contact the list moderator. Please don't forget to follow us on http://twitter.com/#!/Liberationtech _______________________________________________ liberationtech mailing list liberationtech(a)lists.stanford.edu Should you need to change your subscription options, please go to: https://mailman.stanford.edu/mailman/listinfo/liberationtech If you would like to receive a daily digest, click "yes" (once you click above) next to "would you like to receive list mail batched in a daily digest?" You will need the user name and password you receive from the list moderator in monthly reminders. Should you need immediate assistance, please contact the list moderator. Please don't forget to follow us on http://twitter.com/#!/Liberationtech ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

1 0

Re: Financial identity is *dangerous*? (was re: Fake companies,
by None 06 Jul '18

06 Jul '18

real money) From: Somebody at a Central Securities Depository :-) Date: Wed, 13 Oct 2004 10:31:10 +0100 i buy the argument that transaction instantaneity is a solution to the identity theft problem - my cash in your hands, at the same time (now) as your goods in my hands, in a way that allows both of us to ensure we have got what we wanted. But there's a trade-off; I have to use money, not credit, now - your point about the buyer 'lending' the seller cash at 0% interest. I'm not sure how "the system compensates" for that. It seems to me it becomes a risk-cost trade-off for the individual: I can work out the cost to me of using real money not credit; then I know what I am paying to insure myself against identity theft. Of course I probably rely on the credit people covering me against a lot of the risk of identity theft, and I may not even pay them for that cost (if it is built into the APR they charge and I can avoid interest by paying off the card quickly)... so to me identity theft risk is almost costless. Why then would I choose to insure myself explicitly by using cash instead of credit? What is it that makes all the individuals start thinking about the best interests of "the system" (which should be cheaper without all these hidden insurance costs) instead of thinking about their own interests?! David "R.A. Hettinga" <rah(a)shipwright.com> 12/10/2004 15:52 To: John Kelsey <kelsey.j(a)ix.netcom.com>, cryptography(a)metzdowd.com, cypherpunks(a)al-qaeda.net cc: Subject: Re: Financial identity is *dangerous*? (was re: Fake companies, real money) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 At 9:49 AM -0400 10/12/04, John Kelsey wrote: >Hmmm. I guess I don't see why this story supports that argument all >that well. More like the straw that broke the camel's back, admittedly. A long time ago I came to the conclusion that the closer we get to transaction instantaneity, the less counterparty identity matters at all. That is, the fastest transaction we can think of is a cryptographically secure glop of bits that is issued by an entity who is responsible for the integrity of the transaction and the quality of assets that the bits represent. Blind signature notes work fine for a first-order approximation. In other words, an internet bearer transaction. In such a scenario, nobody *cares* who the counterparties are for two reasons. The first reason is existential: title to the asset has transferred instantaneously. There is *no* float. I have it now, so I don't *care* who you were, because, well, it's *mine* now. :-). Second, keeping an audit trail when the title is never in question is, in the best circumstances superfluous and expensive, and, in the worst, even dangerous for any of a number of security reasons, depending on the color of your adversary's hat, or the color your adversary thinks his hat is, or whatever. Keeping track of credit card numbers in a database is an extant problem, for instance, with a known, shall we say, market cost. We'll leave political seizure and other artifacts of totalitarianism to counted by the actuaries. > Clearly, book entry systems where I can do transactions in your >name and you are held liable for them are bad, but that's like >looking at Windows 98's security flaws and deciding that x86 >processors can't support good OS security. I'm walking out on a limb here, in light of what I said above, and saying that when there's *any* float in the process, your liability for identity theft increases with the float involved. Furthermore, book-entry transactions *require* float, somewhere. They are debt-dependent. Someone has to *borrow* money to effect a transaction. (In a bearer transaction, the shoe's on the other foot, the purchaser is *loaning* money, at zero interest, but that's what the buyer wants so the system compensates accordingly, but that's another story.) Because the purchaser has to borrow money to pay, and because you *cannot* wring the float out of a transaction (that is, you can get instantaneous execution, but the transaction clears and settles at a later date; 90 days is the maximum float time for a non-repudiated credit-card transaction, for instance), I claim that book-entry transactions will *always* be liable for "identity" theft. Put another way, remember Doug Barnes' famous quip that "and then you go to jail" is not an acceptable error handling step for a transnational internet transaction protocol. I would claim that enforcement of identity as a legal concept costs too much in the long run to be useful, and that the cheapest way to avoid the whole problem is to go to systems which not only don't require identity, but they don't even require book-entry *accounts* at all to function at the user level. Financial cryptography has had that technology for more than two decades now, so long that the patent's about expired on it, if it hasn't already. >The aspect of this that's generally spooky is not the existence of >book entry payment systems, it's the ease with which someone can get >credit (in one form or another) in your name, based on information >they got from public records and maybe a bit of dumpster diving, >some spyware installed on your machine, or a phishing expedition. >How the payment systems are cleared isn't going to change that, >right? (I know you've thought about this stuff a lot more than I >have, so maybe I'm missing something....) See above. When you use book-entry transactions, by definition, you need identity. Biometric, is-a-person, go-to-jail-if-you-lie-about-a-book-entry identity. With bearer transactions, digital/internet or otherwise, you don't have identity. You don't *need* identity to execute, clear, and settle the transaction, primarily because all three happen at once. There's no float between the three activities. You don't have to send someone to jail if they lie, because the transaction never executes in the first place if they do. Now, there are tradeoffs. The first one is key management, which as Schneier likes to point out, is a hard problem. Personally, I think that if you don't have to associate a key with a flesh-and-blood body in meatspace, a whole continent full of problems just disappears. In a bearer transaction, it's orthogonal to the issue of security anyway, and all it does is cost you money to do for no added benefit. The second one is security of the digital bearer notes and coins themselves, which, frankly, scares people in the finance business most of all. However, I would claim that all organizations, and even people :-), do their *database* and document backups already, and that proper system hygiene will evolve, particularly if literal money is involved. Frankly, there already is a market for distributed data storage, and there are even working systems using m-of-n distributed data storage, which would be the most secure way to solve the problem. And, as we all know, digital bearer transactions are the best *way* to pay for those kinds of m-of-n services anyway, so it feeds on itself nicely. I think that it's less of a chicken-and-egg problem than it used to be, and I think that reality is catching up to all the theory we've kicked around on these lists for more than a decade now. The ultimate solution to the problem of identity theft is to not use identity at all, and, frankly, not even to use book-entries at all. Cheers, RAH -----BEGIN PGP SIGNATURE----- Version: PGP 8.0.3 iQA/AwUBQWvvMcPxH8jf3ohaEQK7sQCgv7HrWERRq8oJwZWq+6K/Ekiq4mMAoKCc sc4xGjfFFKMysKjV2hRDjSsy =C/Ar -----END PGP SIGNATURE----- -- ----------------- R. A. Hettinga <mailto: rah(a)ibuc.com> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' This email is for the intended recipient only and is confidential. If you are not the intended recipient, please inform the sender immediately and delete this email and any copies, (including attachments), from your system. You should not read, copy or make any use of this email if you have received it in error. You should take whatever measures you deem to be appropriate to ensure that this email is virus free. CRESTCo Ltd does not give any representation, guarantee or warranty (whether expressed or implied) that this email has been securely transmitted or is accurate, timely or complete and excludes all liability in connection with this email or for any statements which are clearly the senders own and do not represent the views of CRESTCo Ltd. CRESTCo Ltd reserves the right to monitor the use and content of all emails. --- end forwarded text -- ----------------- R. A. Hettinga <mailto: rah(a)ibuc.com> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

1 0

None
by owner-cypherpunks＠cyberpass.net 06 Jul '18

06 Jul '18

--HAA17158.993817255/einstein.ssz.com--

1 0

Re: [p2p-hackers] darknet ~= (blacknet, f2f net)
by zooko＠zooko.com 06 Jul '18

06 Jul '18

Ian, p2p-hackers: It's not my goal to quibble about etymology (except inasmuch as it is useful to preserve the historical record). My goals are: 1. Avoid ambiguity -- where some people think that word X denotes concept 1, and others think that word X denotes concept 2. Especially if concepts 1 and 2 are related but not identical. Especially if one of them is politically incendiary. 2. Make sure we have names for our useful concepts. However, before I get to that I am going to go through the history one last time in order to cast light on the current problem. I turned up some interesting details. Let's start with a Venn diagram: _______ _______ / \ / \ / \ / \ / \/ \ / /\ \ / / \ \ | | | | | 1 |1^2 | 2 | | | | | | | | | \ \ / / \ \/ / \ /\ / \ / \ / \_______/ \_______/ Let 1 be the set of networks which are used for illegal transmission of information, and 2 be the set of networks which are built on f2f connections, and 1^2 be the intersection -- the set of networks which are used for illegal transmission of information and which are built on f2f connections. [bepw2002] introduces "darknet" to mean concept 1. In their words darknet is "a collection of networks and technologies used to share digital content", and they use it consistently within that meaning. They refer to concept 2, starting in section 2.1, using the term "small-world nets", and they clearly distinguish between what they call "small-world darknets" and "non-small-world darknets". However nowadays some people in the mass media seem to think that a "darknet" means primarily a network which is "invitation-only", i.e. a "small-world" or "f2f" net [globe]. When did the meaning shift? Ooh -- how interesting to examine the evolution of this word on [wikipedia]! The original definition on wikipedia was written on 2004-09-30. It read in full: "Darknet is a broad term to denote the networks and technologies that enable users to copy and share digital material. The term was coined in a paper from four Microsoft Research authors.". The next change was that two months later someone redirected the "Darknet" page to just be a link to the "Filesharing page", with the comment "Just another word for filesharing". The next change was that on 2005-04-14 someone from IP 81.178.83.245 wrote a definition beginning with this sentence: "A Darknet is a private file sharing network where users only connect to people they trust.". By the way, I should point out that I have a personal interest in this history because between 2001 and 2003 I tried to promulgate concept 2, using Lucas Gonze's coinage: "friendnet" [zooko2001, zooko2002, zooko2003, gonze2002]. I would like to know for my own satisfaction if my ideas were a direct inspiration for some of this modern stuff, such as the Freenet v0.7 design. So much for etymology. Now the problem is that in the current parlance of the media, the word "darknet" is used to mean vaguely 1 or 2 or 1^2. The reason that this is a problem isn't that it breaks with some etymological tradition, but that it is ambiguous and that it deprives us of useful words to refer to 1 or 2 specifically. The ambiguity has nasty political consequences -- see for example these f2f network operators struggling to persuade newspaper readers that they are not primarily for illegal purposes: [globe]. My proposal to rectify the lack-of-words problem is to use "blacknet" to refer to 1 specifically and "f2f net" to refer to 2 specifically. I don't know if there is any way to rectify the ambiguity problem. Ian wrote: > > ... > defining the term "darknet" as a f2f network that is designed > to conceal the activities of its participants (this being, so far as I > have seen, one of the main motivations for building an f2f network), So you think of "darknet" as meaning 1^2. That's an interesting remark -- that you regard concealment as one of the main motivations. I personally regard concealment as one of the lesser motivations -- I'm more interested in attack resistance (resisting attacks such as subversion or denial-of-service, rather than attacks such as surveillance), scalability, and other properties. Although I'm interested in the concealment properties as well. Regards, Zooko P.S. Here's some obligatory link juice for Gonze's latest sly neologism: lightnet! [bepw2002] "The darknet and the future of content distribution" Biddle, England, Peinado, Willman (Microsoft Corporation) http://crypto.stanford.edu/DRM2002/darknet5.doc http://www.dklevine.com/archive/darknet.pdf (The .doc version crashes my OpenOffice.org app when I try to read it. Does this mean something? The .pdf version has screwed up images when I view it in evince.) [wikipedia] http://en.wikipedia.org/wiki/Darknet [zooko2001] "Attack Resistant Sharing of Metadata" Zooko and Raph Levien presentation, First O'Reilly Peer-to-Peer conference, 2001 http://conferences.oreillynet.com/cs/p2p2001/view/e_sess/1200 [zooko2002] http://zooko.com/log-2002-12.html#d2002-12-14-the_human_context_and_the_fut… e_of_Mnet [zooko2003] http://www.zooko.com/log-2003-01.html#d2003-01-23-trust_is_just_another_top… ogy [gonze2002] http://www.oreillynet.com/pub/wlg/2428 [globe] "Darknets: The invitation-only Internet" globeandmail.com 2005-11-24 http://www.globetechnology.com/servlet/story/RTGAM.20051007.gtdar knetoct7/BNStory/Technology/ [lightnet] http://gonze.com/weblog/story/lightnet _______________________________________________ p2p-hackers mailing list p2p-hackers(a)zgp.org http://zgp.org/mailman/listinfo/p2p-hackers _______________________________________________ Here is a web page listing P2P Conferences: http://www.neurogrid.net/twiki/bin/view/Main/PeerToPeerConferences ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]

1 0

Re: [IP] search experience on "border"
by Lauren Weinstein 06 Jul '18

06 Jul '18

>From: Travis Kalanick <travis(a)redswoosh.net> ... >While operating my laptop he said that we was tasked with preventing >illegal pornographic material from entering the United States ... >He returned my laptop after this warrantless search saying I was free Dave, And to what end -- other than going through the motions -- is such a search? Given a quick check, the border agent would be unlikely to find a cache of porn photos that was compressed and archived in a single encrypted file named C:\WINDOWS\$NtUninstallKB911567 or some other obscure name -- not a single JPG porn file to be found in a file scan. Perhaps what's really going on in such border cases is some sort of "amateur test" -- since any pro who wanted to bring porn (or any other data) into the U.S. on a laptop would never leave the data in an easily discovered form. But then again, why bother using the laptop? How about putting an innocuous looking file on that cute keychain memory dongle? Or on an iPod? Porn could be easily rigged to look like an mp3 file, that could even play properly. Or why not use some spare cell phone memory area? Or how about that 2 Gig memory stick in the camera, or a miniSD memory card inserted into an electric razor or the binding of a book? To quote the wonderful episode "OBIT" from the original '60s television series "The Outer Limits": "The machines are everywhere!" Anyone with half a brain who wants to bring data into the U.S. can do so without meaningful detection, short of a full body cavity strip search and prolonged forensic analysis -- and even then the true nature of any data might well be undiscovered. All of the rest is for show, and perhaps to cull the low hanging fruit. --Lauren-- Lauren Weinstein lauren(a)vortex.com or lauren(a)pfir.org Tel: +1 (818) 225-2800 http://www.pfir.org/lauren Co-Founder, PFIR - People For Internet Responsibility - http://www.pfir.org Co-Founder, IOIC - International Open Internet Coalition - http://www.ioic.net Moderator, PRIVACY Forum - http://www.vortex.com Member, ACM Committee on Computers and Public Policy Lauren's Blog: http://lauren.vortex.com DayThink: http://daythink.vortex.com ------------------------------------- You are subscribed as tfairlie(a)frontiernet.net To manage your subscription, go to http://v2.listbox.com/member/?listname=ip Archives at: http://www.interesting-people.org/archives/interesting- people/ ------------------------------------- You are subscribed as eugen(a)leitl.org To manage your subscription, go to http://v2.listbox.com/member/?listname=ip Archives at: http://www.interesting-people.org/archives/interesting-people/ ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]

1 0