Ben Laurie blathering

28 Apr 2006

I Rule The World!

Filed under: Crypto,Security — Ben @ 3:13

Just over 10 years ago (according to folklore, we’ve managed to lose the exact date), I wrote Apache-SSL, the first SSL-enabled version of Apache. Yesterday, Netcraft reported that SSL-enabled Apache has taken the lead for secure servers.

I suppose I should feel something other than “why did it take so long?”. Ah, well.

eBay Scamming

Filed under: General — Ben @ 2:23

My friend, Ben Hyde, recently blogged about a scheme to use second chance offers on eBay to extract the maximum price from the winning bidder.

Recently, a friend of mine bid on an item with five minutes left to run. As it happened I had monitored several previous sales of the same item by the same seller, and knew that they generally did not sell. Two minutes before the end of the auction she was outbid. With Ben’s comments in mind I advised her to not find another auction to bid on just yet, and to wait for the second chance offer to come through. Sure enough, just one day later, it did. In her case she didn’t pay any extra, because she’d bid the exact amount of the initial bid, but clearly she could’ve ended up paying a lot more.

Interestingly, eBay don’t offer the data that would make this obvious – show a user’s record for not paying for successful bids. I wonder why they don’t? Not doing so makes this behaviour essentially invisible to other users.

27 Apr 2006

GSX-R600 and FZ6

Filed under: Motorbikes — Ben @ 22:39

I’m trying to make it a feature of every journey that I take a bike ride somewhere. In order to do that, I have to rent, which gives a great opportunity to try out different bikes. So, in Dallas, I rented an FZ6. I didn’t really like it. The handling was OK, but not stellar, it sounded terrible (at least compared to my SV650) and it didn’t really feel like it was nearly 50% more powerful than the SV650.

On the other hand, last weekend I had an ’06 GSX-R600. That bike was awesome. It felt as light as a feather, was instantly responsive, both on the throttle and steering, you could lie it down practically flat and it still felt as solid as when it was vertical, and it sounded good. I think I’m in love. On the other hand, it gave me one hell of a sore arse after a couple of hours of riding.

It may help that there’s some seriously fun riding in California, of course. If you don’t know about Mad Maps it’s time to find out!

21 Apr 2006

Royal de Luxe

Filed under: General — Ben @ 19:38

The excellent giant puppet group Royal de Luxe are coming to London on May 4-7. By a miracle, I’ll actually be in London for some of that to see it. Look here for more.

20 Apr 2006

Funky Maps

Filed under: General,Motorbikes — Ben @ 16:02

My friend, Ben Hyde, blogs about map porn. They’re all fun, but here’s one showing motorcycles.

9 Apr 2006

Not Microwavable!

Filed under: General — Ben @ 2:18

I just opened a pack of AA batteries from Sainsbury’s. On the back it says:

“Warning! This product is fitted with a security device which is NOT MICROWAVABLE”

WTF is that about?

5 Apr 2006


Filed under: Toys — Ben @ 16:15

I know this is probably old hat, but I am quite impressed by Pandora. The general idea is that music is classified by various characteristics, by hand. You tell it what you like and what you don’t like, and it selects tracks it thinks will suit you. Unlike the usual social networking style of recommendation, this approach appears to work.

Most systems I’ve tried consistently recommend things I hate (I have a suspicion that this is because most of them don’t actually let me say “I hate this”, though – being a good example of this), mingled in with stuff that’s OK but not earth-shaking. In sharp contrast, Pandora supplied me with a bunch of pretty good music, much of it by people I’ve never heard of, after almost no training at all.

1 Apr 2006

Unforgeable Blinded Credentials

Filed under: Crypto,Identity Management,Lazyweb — Ben @ 12:30

It is possible to use blind signatures to produce anonymity-preserving credentials. The general idea is that, say, British Airways want to testify that I am a silver BA Executive Club cardholder. First I create a random number (a nonce), I blind it, then send it to BA. They sign it with their “this guy is a silver member” signing key, I unblind the signature and then I can show the signed nonce to anyone who wants to verify that I am silver. All they need to do is check the signature against BA’s published silver member key. BA cannot link this nonce back to me because they have never seen it, so they cannot distinguish me from any other member.

However, anyone I show this proof to can then masquerade as a silver member, using my signed nonce. So, it occurred to me that an easy way to prevent this is to create a private/public key pair and instead of the nonce use the hash of the public key. Then to prove my silver status I have to show that both the hash is signed by BA and that I possess the corresponding private key (by signing a nonce, say).

It seems to me quite obvious that someone must have thought of this before – the question is who? Is it IP free?

Obviously this kind of credential could be quite useful in identity management. Note, though, that this scheme doesn’t give me unlinkability unless I only show each public/private key pair once. What I really need is a family of unlinkable public/private key pairs that I can somehow get signed with a single “family” signature (obviously this would need to be unlinkably transformed for each member of the key family).

Powered by WordPress