
rick's blog

Pragmatic Security: the history of the Visa card

I've been looking at the evolution of electronic funds transfer (EFT) and payment systems recently. My research uncovered a gem: about two years ago, David Stearns completed a dissertation that looks at the early evolution of the Visa card (originally "Bank Americard") in the context of other evolving electronic payment systems. Stearns' work is both readable and filled with interesting information.

Old BankAmericard logo

What I find most fascinating is that the card systems followed the same security trajectory as cell phones. The first cards, like the early analog cell phones, were vulnerable to fraud. In fact, the cards were absurdly vulnerable to fraud.

However, the promoters believed that the long term benefits of electronic cash were worth the risks. They also assumed without evidence that they could fix the fraud problems eventually.


Some Tech Lives Forever

The Whirlwind is my favorite first-generation computer. It is also the basis of SAGE, a nationwide air defense system built by IBM in the '50s. Nuclear missiles made SAGE obsolete pretty quickly. By the mid '60s, big chunks of the SAGE computers, affectionately called the AN/FSQ-7, started showing up in surplus.

These parts soon made cameo and even starring appearances in TV shows and movies. Mike Loewen has constructed a web site that tracks "sightings" of Q-7 parts in movies.

Q7 console - Computer History Museum

We've all seen them: those rows of blinkenlights installed at a slight angle and often rigged with pyrotechnics. They appeared in almost every science fiction TV show from the '60s, and many movies. Surprisingly, these ancient panels still show up occasionally. Most recently, panels appeared in the background of a Comcast ad.


Web Monetization

Here's a recent posting on "how the web makes money," focusing on the on-line gaming community.

The bottom line: successful game sites rely too much on questionable vendors. Game players like to acquire game currency to improve their experience, especially as new players. They can often either buy game money or they can "earn" it by clicking allegedly "free" links. These sometimes give them game currency for free, but too-often involve scams.

While this Cryptosmith site pays for itself through consulting leads, I've always been interested in more direct methods (described here). I think it's fair to collect a commission if I directly encourage someone to buy something, and I gave them the link to buy it. The jury is still out on whether this is worth the effort of constructing the links. I'm also curious as to whether this opens me up to various forms of fraud.


When I do provide links with commissions, I limit myself to links that I might use myself. I hope that that provides adequate quality control for my visitors.


When is public data non-public?

If it's public information on paper, is the electronic version also a public record?

As a techie, I tend to think so. The electronic version carries more information, is easier to work with, and is sometimes easier to authenticate.

The city of Phoenix, AZ, recently argued the opposite in court, and ultimately lost. Someone was suing the city and demanded some public records. The city provided paper copies, some of which appeared to be backdated. The plaintiff demanded the electronic copies so he could examine the metadata. The city refused, saying that the metadata was not public record. Two courts agreed, but the Arizona Supreme Court disagreed. So a court is on record saying that, if the document is a public record, the electronic form is also a public record.


Thought provoking polemic on copyright

Apparently someone in the UK has proposed a sort of "three strikes" law - if your household is accused by a copyright holder of illegal downloading multiple times, then the holder can demand removal of the household's Internet connection.

Cory Doctorow, the author, wrote a polemic about how this reflects on the big media firms it tries to help.

He notes how copyright owners now use "takedown notices" as an extrajudicial form of censorship.

AES in Cartoon Form!

I've always been a fan of graphic presentations. More people understand graphs and diagrams than understand equations. While this is a bad thing in some ways, it remains a fact. So it's always great to see a graphical representation of a really difficult set of concepts.

Jeff Moser Fisher has posted A Stick Figure Guide to the Advanced Encryption Standard (AES). He has wisely structured it in layers.


Cloud Computing Discovers Covert Channels

A SANS Handler Notebook entry by Toby Kohlenberg reports on data leakage in cloud computing, and links to a terrific paper from some UCSD/MIT people: Ristenpart, Tromer, Shacham, and Savage.

If we set the wayback machine to the early 1970s, we find a paper by Butler Lampson about something called the confinement problem. It's the same thing. Ristenpart et al. pick up some of the threads (like noninterference), though their paper doesn't point all the way back to Lampson.

This is a hard problem to solve. The only defense right now is if attackers lack the motivation to exploit it.

Malware Ad on

Troy Davis posted info about a malware ad encountered on I always enjoy a good, basic forensic analysis. The location of the ad is disturbing, to say the least, though it reflects a problem with today's on-line commercial culture.

It's so easy to do on-line transactions (you send money, I do an on-line service) that vendors aren't inclined to vet their customers. Vetting costs money: it takes time and it puts the vendor in the position of turning down potential sales.


Boak's Puzzle Revisited

A reader, GregoryF, has proposed a solution to Boak's puzzle. Many years ago, David G. Boak of the NSA gave lectures to train employees on communications security matters. In one case he presented a written story about insufficiently burned crypto materials (keys, etc.), several tons' worth, that needed disposal.

Boak didn't quite explain how they disposed of the waste. Instead, he coded the answer using an innocent text system and challenged the readers to solve it.

GregoryF's solution is posted as a comment to the earlier article. He actually came up with two different solutions. The "system" behind the second solution gets somewhat complicated, which casts some doubt on its correctness. Also, I haven't quite recovered the same results.

Spoilers ahead!


Vernam's Cipher

Gilbert Vernam was a digital systems designer from the early 20th century. He invented the stream cipher, what browsers often use today to encrypt messages exchanged with protected web sites. In his days, however, the mechanism of choice was the relay: an electromagnetic switch. Vernam also described the one-time pad, and noted the danger in reusing the key stream.

What, then is a Vernam cipher? Is it a stream cipher or a one-time pad? I've seen the term used both ways.

Now we can check the source. Steve Bellovin recently blogged on Vernam's work, and posted a PDF of Vernam's original paper. Vernam wrote the paper for an AIEE conference (that's one of the precursors of today's IEEE - Bellovin negotiated permission to post the historic paper).

If we look at the historical description, Vernam does not restrict his cipher to the one-time pad case. Thus, a Vernam cipher in practice might - or might not - be a one-time pad. [revised 9/7/09]
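To make the distinction concrete, here is an added example (my own code, not Vernam's or Bellovin's) of a byte-wise Vernam cipher: the same XOR step serves as both a stream cipher and, when the key stream is random and used once, a one-time pad. It also shows the danger Vernam noted, since two ciphertexts made with the same key stream XOR together to expose the XOR of the two plaintexts. All messages and the fixed key are constructed sample values.

```python
"""Vernam cipher as plaintext XOR key stream, plus the key-reuse check."""
import secrets


def vernam(data: bytes, keystream: bytes) -> bytes:
    """XOR each data byte with the matching key-stream byte.

    Vernam's relay hardware did this bit by bit on 5-bit Baudot code;
    here it is done byte-wise. The same function encrypts and decrypts.
    """
    if len(keystream) < len(data):
        raise ValueError("key stream must be at least as long as the data")
    return bytes(d ^ k for d, k in zip(data, keystream))


def one_time_pad_key(length: int) -> bytes:
    """A one-time pad is a Vernam cipher whose key stream is uniformly
    random, as long as the message, and never used again."""
    return secrets.token_bytes(length)


def leaked_plaintext_xor(ct1: bytes, ct2: bytes) -> bytes:
    """What an observer learns when one key stream encrypts two messages.

    (m1 ^ k) ^ (m2 ^ k) == m1 ^ m2: the key cancels, so the XOR of the
    two plaintexts is exposed even though the key itself is not.
    A zero byte in the result means both messages had the same byte there.
    """
    n = min(len(ct1), len(ct2))
    return bytes(a ^ b for a, b in zip(ct1[:n], ct2[:n]))


# Constructed sample messages (14 bytes each) and a constructed fixed key.
MSG1 = b"ATTACK AT DAWN"
MSG2 = b"RETREAT AT ONE"
KEY = bytes.fromhex("5d3a91c7e2048bf61a77c3e94b20")


def reuse_leaks(m1: bytes, m2: bytes, key: bytes) -> bool:
    """True when reusing `key` exposes m1 XOR m2 to anyone holding both ciphertexts."""
    leaked = leaked_plaintext_xor(vernam(m1, key), vernam(m2, key))
    return leaked == bytes(a ^ b for a, b in zip(m1, m2))


if __name__ == "__main__":
    ct = vernam(MSG1, KEY)
    print("ciphertext:", ct.hex())
    print("round trip ok:", vernam(ct, KEY) == MSG1)
    print("key reuse leaks m1^m2:", reuse_leaks(MSG1, MSG2, KEY))
```

With two independent one-time keys the ciphertext XOR carries no plaintext relationship, which is exactly the property the reused key destroys.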

