Ben Laurie blathering

29 Mar 2006

Enigma and Privacy

Filed under: Security — Ben @ 22:42

As I’m sure you’ve seen from elsewhere, there’s an Enigma machine for sale on eBay. This is pretty cool, but what intrigues me more is the buying record of the first bidder.

Firstly, it’s fascinating because he seems to buy all sorts of strange stuff, from fantastically expensive damaged zoom lenses to 500 feet of bandsaw blade. And he never sells any of it. At least, not under that name.

But the other thing that interests me is the correctness of publishing the list of purchases. Certainly I find it very useful to help to establish the trustworthiness of a seller, but does that give me the right to see it? You could argue that the fact that they have a pseudonymous ID protects them – but it only takes one slip to blow that out of the water permanently.

And if it’s OK to show purchases (and sales), then why stop there? Why should I not be able to retrieve their entire bidding history? Or all their PayPal transactions?

My default answer to these questions is simple: no, it’s wrong to show any of this information. Unless you can anonymise it, don’t publish it. But eBay wouldn’t, I suspect, work unless this kind of stuff was available to buyers.

It’s an interesting dilemma.

28 Mar 2006

Untrusted Computing

Filed under: Civil Liberties,Digital Rights — Ben @ 9:59

The US-China Economic and Security Review Commission don’t think that letting China control the manufacture of computers for the State Department is such a great idea.

Somehow this reminds me of the DRM hardware Microsoft, IBM, Disney, the US Government and friends are so keen to impose on us.

(via BoingBoing)


Filed under: Crypto,Identity Management,Rants — Ben @ 4:01

Doc Searls blogs about MicroID.

The idea is pretty simple. First prove what he calls a communication identifier, say an email address. Then you can claim any resource by putting this hash:


on that resource. So far, so good – though not particularly original – both OpenID and Sxip use hashes in a similar way to claim ownership.

In his blog, the inventor claims:

The most exciting aspect is that it empowers end users with absolute control while fully protecting their rights and privacy.

Errr, no. Firstly, privacy is not protected at all. Anyone with a list of email addresses (or other communication identifiers) can mount a trivial dictionary attack to determine which one owns which resource, and since the hash has to be published to all and sundry on that resource, harvesting hashes is easy.

Secondly, rights are not protected: once the attacker has discerned the communication ID they can easily claim resources that are not yours. In response to this criticism Jeremie says:

…why would you point to something that someone else spoofed?

How is the relying party to know that “you” are doing the pointing? If it is to be sure, then there must be some kind of strong authentication going on before pointing occurs. MicroID doesn’t provide this. But once you have a system that does, then claiming things in a strong way is easy – e.g. just state “this URL is mine” down your strongly authenticated channel, so why are we messing about with hashes?

Seems to me MicroID is cute but ultimately not very useful.

Incidentally, cryptoplumbers out there, if you are going to authenticate things with hashes, there’s a known construct for doing so: the HMAC, a keyed hash. Use it, don’t invent your own.
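The two failures above, the dictionary attack on a published unkeyed hash and the resulting forgeability of claims, are easy to see in code. What follows is an added example written for this page; it is not MicroID’s own code, and since the post does not reproduce the hash construction, the unkeyed claim below (a plain SHA-256 over identifier and resource) is an assumed stand-in. The email addresses, URLs and the owner’s key are constructed for the demo; the dictionary attack works the same way against any unkeyed hash of guessable input. The HMAC half shows the construct the post recommends, with the catch it implies: a relying party can only verify the keyed claim if it already shares a secret with the owner.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample data for this demo; none of it comes from the original post.
RESOURCE = "http://blog.example.org/"
OWNER_EMAIL = "alice@example.org"
ATTACKER_RESOURCE = "http://attacker.example.net/"
# A harvested list of communication identifiers, as an attacker might hold.
CANDIDATE_IDS = ["bob@example.org", "carol@example.org", "alice@example.org"]
# A secret known only to the owner (hypothetical: MicroID has no such key).
OWNER_KEY = b"owner-secret-key"


def unkeyed_claim(identifier: str, resource: str) -> str:
    """Assumed stand-in for an unkeyed ownership claim: a hash over the
    communication identifier and the resource URL. The exact construction
    MicroID uses is not reproduced on the page; the attack below does not
    depend on it, only on the hash being unkeyed and the input guessable."""
    return hashlib.sha256(f"{identifier}|{resource}".encode()).hexdigest()


def dictionary_attack(published: str, resource: str, candidates) -> Optional[str]:
    """Offline dictionary attack: recompute the claim for every identifier in a
    harvested list and compare against the hash published on the resource.
    Returns the identifier that produced the hash, or None if none matched."""
    for cand in candidates:
        if hmac.compare_digest(unkeyed_claim(cand, resource), published):
            return cand
    return None


def forge_claim(recovered_identifier: str, resource: str) -> str:
    """Once the identifier is recovered, a third party can publish a claim on a
    resource the real owner never touched: the output is byte-identical to
    what the owner would have produced, so a relying party cannot tell."""
    return unkeyed_claim(recovered_identifier, resource)


def keyed_claim(key: bytes, identifier: str, resource: str) -> str:
    """The standard keyed construct: HMAC (RFC 2104) over the same input.
    Without the key an attacker cannot recompute claims, so the dictionary
    attack has nothing to compare against."""
    msg = f"{identifier}|{resource}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_keyed_claim(key: bytes, identifier: str, resource: str, tag: str) -> bool:
    """Only a party holding the key can check the claim; this is the
    pre-established authenticated relationship the post says you need anyway."""
    return hmac.compare_digest(keyed_claim(key, identifier, resource), tag)


def demo() -> dict:
    # Owner publishes an unkeyed claim on their own page; attacker harvests it.
    published = unkeyed_claim(OWNER_EMAIL, RESOURCE)
    recovered = dictionary_attack(published, RESOURCE, CANDIDATE_IDS)
    forged = forge_claim(recovered, ATTACKER_RESOURCE)

    # Same scenario with an HMAC: the attacker's recomputation no longer matches.
    keyed = keyed_claim(OWNER_KEY, OWNER_EMAIL, RESOURCE)
    recovered_keyed = dictionary_attack(keyed, RESOURCE, CANDIDATE_IDS)
    return {
        "recovered_unkeyed": recovered,
        "forged_matches_owner": forged == unkeyed_claim(OWNER_EMAIL, ATTACKER_RESOURCE),
        "recovered_keyed": recovered_keyed,
        "keyed_verifies_with_key": verify_keyed_claim(OWNER_KEY, OWNER_EMAIL, RESOURCE, keyed),
        "keyed_verifies_wrong_key": verify_keyed_claim(b"guess", OWNER_EMAIL, RESOURCE, keyed),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it recovers alice@example.org from the published hash and produces a forged claim indistinguishable from hers, while the HMAC variant defeats the dictionary attack. Note what the HMAC buys and what it doesn’t: the relying party must hold the key to verify, so the owner and verifier already need a secure relationship, at which point they could just as well state “this URL is mine” over that channel.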

27 Mar 2006


Filed under: Where I'm At — Ben @ 18:46

As of next week I will be working for Google. Although I will be based in the London office, for the next two months I will be in Mountain View.

As always, interested in get-togethers, especially if they involve beer.

Amazon and Trade Descriptions, Round 4

Filed under: Digital Rights,Rants — Ben @ 11:10

I spoke to Trading Standards again this morning, and they say they can’t do anything. Their reasoning is that a description is only false if the thing in question cannot be described like that. Since EMI’s shiny silver things (what do you call them? Not CDs, coz they ain’t) play in some players, then they could be audio CDs, in some sense of the word, so it is not an offence under the Trade Descriptions Act.

Anyone out there want to say they’re wrong?

26 Mar 2006

FIPS 140 Again

Filed under: Crypto,Open Source — Ben @ 20:54

Apparently, we have FIPS-140 certificate number 642 for OpenSSL. I’d say I’ll believe it when I see it, but I’m not sure there’s any more to see…

Nitke v. Gonzales

Filed under: Civil Liberties — Ben @ 16:54

The US Supreme Court has declined to hear an appeal against the decision in Nitke v. Gonzales (in which I was an expert witness for Nitke), a case attempting to overthrow the remaining part of the Communications Decency Act. This means that the decency of a website is determined by the whole of the US – if any community anywhere finds it indecent then that’s enough to prosecute.

This is clearly ridiculous. I rather like the suggestion made here:

Find a community composed of more Muslims of the branch that insist women must be covered head to ankle by burkas. Within that community, bring suit against the US government, Sears, Wal-mart, etc for putting pictures on the internet of women who are not covering their hair and face. Let’s see how far Miller flies once we push its ethical relativism roots into the light. It doesn’t work in a national judicial process.

Lie To A Computer, Go To Jail

Filed under: Civil Liberties,Digital Rights — Ben @ 16:48

In a move that I think best described as interesting, the Attorney General, Lord Goldsmith, has added a clause to the Fraud Bill making it illegal to “dishonestly make a false representation … to any system or device designed to receive, convey or respond to communications (with or without human intervention) … to make a gain … or … cause a loss” (I wonder how one honestly makes a false representation?).

Since much spam, particularly phishing, involves lying, presumably this makes some spam a criminal offence. I wonder if we’ll have any luck interesting the police in it?

I also wonder if this might prove to be a little too far-reaching, though I’ll admit I can’t currently think of a case where bad things happen.

25 Mar 2006


Filed under: General — Ben @ 15:54

I don’t play computer games as a rule, I think they’re a waste of time. But I recently saw the video of Spore and it looks like so much fun I think I’ll have to play. Once.

I did actually play We Love Katamari (sorry, too lazy to find link) when the UK version finally came out, but unfortunately first-person games like that give me motion sickness (I guess I should call it staying-still sickness – things that actually move are fine with me), so I gave it up pretty quickly.

18 Mar 2006

Amazon and Trade Descriptions, Round 3

Filed under: Digital Rights,Rants — Ben @ 12:50

I received a refund from Amazon today, including my postage to return the CD.

Presumably this means that they agree it is defective, since it was opened and they don’t refund opened items unless there’s something wrong with them.

Now all I’m waiting for is to hear from the Trading Standards people. Unfortunately, they are supposed to deal with it within 4 working days, which makes Monday, and I’ll be away. I guess I’ll have to check when I get back in a week.

17 Mar 2006


Filed under: Motorbikes — Ben @ 20:28

As most of my friends know by now, I recently rejoined the motorbiking fraternity (here’s my baby after a few days away, luggage still attached).

Now, as we all know, motorbikes are dangerous, so I’m quite keen on learning to be safer. To that end, I spent yesterday with Bikesafe, a scheme run by traffic police for bike riders of all ages and skills. Despite the cold and drizzle it was a very satisfying day – about three hours of observed riding, mostly on interesting country roads. It’s less hard than you might think, taking directions by watching indicators in your mirrors, but still takes a lot of concentration. It certainly keeps you focussed on knowing what’s going on around you. Of course, when you’re on the right line, the police bike is often exactly behind you, which made me really lust after mirrors like theirs – mounted below the bars so they can see under their elbows. It’s also very interesting following the police bike (I did rather less of this than is usual, since I had my very own traffic cop – usually it’s 2 to 1 – but I still did some) – those guys definitely know how to minimise the workload.

The other attendees were a very mixed bag – one of them with 45 years experience! There was even an American traffic cop who’d come to learn about the programme.

I didn’t think I’d learnt all that much by the end of the day (other than I should be less “progressive” when filtering and overtaking) – but rather to my surprise my head is buzzing with information today. Definitely worth the thirty quid. I’d recommend it to anyone.

Next step, the IAM.


Filed under: Where I'm At — Ben @ 11:28

I’ll be in Dallas next week, attending the always-riveting IETF.

I’d love to hear from anyone around there I should meet up with.

“Trusted” Computing and the MoD

Filed under: Digital Rights,Security — Ben @ 11:17

The Ministry of Defence has realised that letting someone else control your jet fighters isn’t such a great idea.

I wonder how long it’ll be before the rest of the government realise that letting someone else control your PCs isn’t such a great idea, either?

Tuna with Cumin and Orange

Filed under: Recipes — Ben @ 10:39

Last night my wife did her usual thing of presenting me with some ingredients and wanting me to cook something. What she offered was tuna steaks, leeks, mushrooms and spring greens. I was in a hurry so here’s what I cooked (yes, my kitchen is well stocked)…

Slice some ginger into thin slices, heat extra virgin olive oil in a frying pan until it’s pretty darn hot, chuck in the ginger slices, which should sizzle. Add a good sprinkling of whole cumin seeds, stir and fry them for a minute or so. Now put your tuna steaks on top of the cumin and ginger. Fry them for about two minutes – you should see about an eighth of an inch of cookedness up the sides. Sprinkle over finely sliced orange zest, then turn the tuna. Let it cook for a few more minutes, until still rare in the middle. Pour over a good dollop of port – this should boil pretty much instantly, or your pan isn’t hot enough. Let it cook until the port is reduced. I would serve it at this point, but my family is squeamish about rare fish, so I added more port and repeated the reduction, which should just cook through the tuna.

I served this with boiled rice and a leek, mushroom and light soy stirfry. If you are using something less salty, then add some salt to the tuna early on.

Very quick and easy. If I did it again I might consider finely chopped spring onions right at the end, though that would radically alter the flavour.

Why was I in a hurry? Because we’d been to see a rather wonderful silver exhibition at a friend’s art gallery, Flow, so it was late.

14 Mar 2006

Amazon and Trade Descriptions, Round 2

Filed under: Digital Rights,Rants — Ben @ 17:48

Well, Consumer Direct (case reference LR121106) spoke to my local trading standards officers, who apparently take the view that “audio CD” means “will play on your stereo” and doesn’t mean “will play on a CD player in your computer”, and so there’s nothing wrong with Amazon’s description.

This is, of course, utterly wrong, so I asked how I could speak to them to persuade them otherwise. I was told that I should do this through Consumer Direct. So I asked how to do that. I was told that he had already given me their response and “err, actually, write them an email, you can find their address on their website”. Sad.

Anyway, I took his advice, almost, and rang Ealing Trading Standards (for that is my local branch) (their number, incidentally is 020 8825 6086) and spoke to a much more reasonable chap called Anthony Wrightson. I explained why audio CDs should work in PCs and that it was a well-known fact that EMI made disks that don’t conform with the standards. He said he would put my case into the system, noted that I wanted to hear the outcome, and said they resolve cases within 4 working days.

I await the resolution with interest.

12 Mar 2006

PINs Make You More Secure. Honest.

Filed under: Security — Ben @ 12:55

More news about Citibank’s PIN problems. I’m less than sure whether I actually believe the theories about how this came about, especially since they all appear to come from a single source: a Gartner VP called Avivah Litan. But you have to love this quote:

“Security is tight at the ATM, but point-of-sale is a whole other story,” said Litan. “Look at your [debit card] account on a regular basis, and don’t use a PIN-based debit card at point-of-sale,” she recommended. “I never do.”

What a shame that in the UK we have no choice.

10 Mar 2006

Amazon and Trade Descriptions

Filed under: Digital Rights,Rants — Ben @ 15:46

I recently bought Beth Orton’s (alleged) CD, “Comfort of Strangers * Limited Edition” from Amazon. When it arrived, it turned out it didn’t work. Investigation reveals that this is because it isn’t actually a CD, just something that looks rather like one. EMI (for it is they) are attempting to copy protect music by making it not work in CD drives in computers.

If that’s what they want to do, then that’s their right, dumb as I think it is. However, what is not acceptable, in my view, is for vendors to attempt to sell these things to me described as “Audio CD”s. I have, therefore, initiated a return to Amazon on the grounds that the goods are defective. The text of my complaint is:

The product is not an Audio CD.

I have also, as advised by Trading Standards Central, reported Amazon to my local Trading Standards Authority (who actually delegate this to something called Consumer Direct). Here’s the text:

Amazon sell CDs manufactured by EMI described as “Audio CD”. However, EMI “CD”s do not conform to the standards for audio CDs (this is an attempt to prevent illegal copying) and so do not work, for example, in PCs.

It seems to me, therefore, that this is an offence under the Trade Descriptions Act 1968.

The reference number for this complaint is CDCO1081882, should anyone care.

Now to see what happens next.

9 Mar 2006

ATM Networks Compromised?

Filed under: Crypto,Lazyweb,Security — Ben @ 14:22

Jake Applebaum says he was told that the Canadian, Russian and UK ATM networks have been compromised. Now, I’ve known for a long time that ATM security was strangely crap, but can this be true? And if it is, why has there been no media coverage (that I’ve heard about)?

2 Mar 2006

The BBC Thinks RC4 is Crackable

Newsnight got a ton of flak over describing file sharing as theft. But, they whine, the real point is that encryption is being used, like, all over the place! And this means that the good folk at GCHQ will have a terrible time decrypting it all. Which they need to do to catch all the paedophiles and terrorists, obviously.

What they’ve totally missed is that the volume is not the issue, the strength of the encryption is. Newsnight’s self-styled “resident ubergeek”, Adam Livingstone, thinks RC4 is weak and could be cracked if only those pesky BitTorrenters wouldn’t clutter up the ‘net with their encrypted copies of broadcast TV (which, of course, they shouldn’t be sharing anyway – just because anyone can watch it, it doesn’t mean anyone can watch it, now does it? That stands to reason).

Mr. Livingstone should try consulting some real geeks before he opens his big mouth again.

Oh, and they also sob:

What we’d really like to hear is a debate on the issue we did raise. If the ISPs can’t now detect torrent data, then how will the security services manage it? And if they do figure it out, won’t RnySmile and company just up the ante again?

If you want a debate on that, dude, then provide somewhere to debate it. Or just read my blog – that’s your kind of debate: unidirectional.

1 Mar 2006

Onion Tart Tatin

Filed under: Recipes — Ben @ 16:53

This is a great starter, very easy to make. I actually saw it made on TV, but the recipe he used doesn’t, in my experience, work. Here’s my version…


Puff pastry
Goats cheese

Make some caramel, and put it on the bottom of a baking tray (given that I usually screw up the caramel, you can probably get away with just putting butter and sugar on the tray). Slice whole peeled onions ringwise into slices around 3/4 inch thick. Cover the bottom of the tray with them (just one layer deep). Don’t be too thorough – you want some gaps. Cover with puff pastry – press the pastry down to fill any gaps, touching the caramel. Bake for about 30 mins at gas mark 7 – until the pastry is done.

Invert onto a serving dish – slice it up and on each portion put a chunk of goats cheese so it melts slightly. Serve hot.

Camilla reminds me that you’re supposed to serve it with reduced balsamic vinegar drizzled (as poncy chefs like to say) over the top. I forgot last time and it was fine but it’s not a bad idea.
