I've been looking at the evolution of electronic funds transfer (EFT) and payment systems recently. My research uncovered a gem: about two years ago, David Stearns completed a dissertation that looks at the early evolution of the Visa card (originally "Bank Americard") in the context of other evolving electronic payment systems. Stearns' work is both readable and filled with interesting information.
What I find most fascinating is that the card systems followed the same security trajectory as cell phones. The first cards, like the early analog cell phones, were vulnerable to fraud. In fact, the cards were absurdly vulnerable to fraud.
However, the promoters believed that the long term benefits of electronic cash were worth the risks. They also assumed without evidence that they could fix the fraud problems eventually.
Here's a recent posting on "how the web makes money," focusing on the on-line gaming community.
The bottom line: successful game sites rely too much on questionable vendors. Game players like to acquire game currency to improve their experience, especially as new players. They can often either buy game money or they can "earn" it by clicking allegedly "free" links. These sometimes give them game currency for free, but too-often involve scams.
While this Cryptosmith site pays for itself through consulting leads, I've always been interested in more direct methods (described here). I think it's fair to collect a commission if I directly encourage someone to buy something, and I gave them the link to buy it. The jury is still out on whether this is worth the effort of constructing the links. I'm also curious as to whether this opens me up to various forms of fraud.
When I do provide links with commissions, I limit myself to links that I might use myself. I hope that that provides adequate quality control for my visitors.
If it's public information on paper, is the electronic version also a public record?
As a techie, I tend to think so. The electronic version carries more information, is easier to work with, and is sometimes easier to authenticate.
The city of Phoenix, AZ, recently argued the opposite in court, and ultimately lost. Someone was suing the city and demanded some public records. The city provided paper copies, some of which appeared to be backdated. The plaintiff demanded the electronic copies so he could examine the metadata. The city refused, saying that the metadata was not public record. Two courts agreed, but the Arizona Supreme Court disagreed. So a court is on record saying that, if the document is a public record, the electronic form is also a public record.
Apparently someone in the UK has proposed a sort of "three strikes" law - if your household is accused by a copyright holder of illegal downloading multiple times, then the holder can demand removal of the househ0ld's Internet connection.
Cory Doctorow, the author, wrote a polemic about how this reflects on the big media firms it tries to help.
He notes how copyright owners now use "takedown notices" as an extrajudicial form of censorship.
I've always been a fan of graphic presentations. More people understand graphs and diagrams than understand equations. While this is a bad thing in some ways, it remains a fact. So it's always great to see a graphical representation of a really difficult set of concepts.
Jeff Moser Fisher has posted A Stick Figure Guide to the Advanced Encryption Standard (AES). He has wisely structured it in layers.
Troy Davis posted info about a malware ad encountered on NYTimes.com. I always enjoy a good, basic forensic analysis. The location of the ad is disturbing, to say the least, though it reflects a problem with today's on-line commercial culture.
It's so easy to do on-line transactions (you send money, I do an on-line service) that vendors aren't inclined to vet their customers. Vetting costs money: it takes time and it puts the vendor in the position of turning down potential sales.
A reader, GregoryF, has proposed a solution to Boak's puzzle. Many years ago, David G. Boak of the NSA gave lectures to train employees on communications security matters. In one case he presented a written story about insufficiently burned crypto materials (keys, etc.), several tons' worth, that needed disposal.
Boak didn't quite explain how they disposed of the waste. Instead, he coded the answer using an innocent text system and challenged the readers to solve it.
GregoryF's solution is posted as a comment to the earlier article. He actually came up with two different solutions. The "system" behind the second solution gets somewhat complicated, which casts some doubt on its correctness. Also, I haven't quite recovered the same results.
Gilbert Vernam was a digital systems designer from the early 20th century. He invented the stream cipher, what browsers often use today to encrypt messages exchanged with protected web sites. In his days, however, the mechanism of choice was the relay: an electromagnetic switch. Vernam also described the one-time pad, and noted the danger in reusing the key stream.
What, then is a Vernam cipher? Is it a stream cipher or a one-time pad? I've seen the term used both ways.
Now we can check the source. Steve Bellovin recently blogged on Vernam's work, and posted a PDF of Vernam's original paper. Vernam wrote the paper for an AIEE conference (that's one of the precursors of today's IEEE - Bellovin negotiated permission to post the historic paper).
If we look at the historical description, Vernam does not restrict his cipher to the one-time pad case. Thus, a Vernam cipher in practice might - or might not - be a one-time pad. [revised 9/7/09]