Serious Captcha!!!

The Croatian Ruder Boskovic Institute offers the services of a quantum random bit generator. We have often insisted on the importance of high-quality randomness in secure protocols.

But this institute has also found an extremely “funny” way to limit access to its service to a small set of knowledgeable people: its captcha. A captcha is a set of techniques that attempt to distinguish humans trying to sign in from automated programs. It usually asks people to type in a set of characters whose readability has been degraded. The Institute has succeeded in discriminating between different categories of humans: its captcha requires you to solve mathematical problems (and not simple arithmetic :) ). Definitely not a place to sign in after an exhausting day.

Have a look at the registration page, and reload it to see several of the challenges. :)

From Pirate Bay to Flattr

Flattr is a new Swedish “social network”. The goal of Flattr is to remunerate the creators of content you like on the Net. How does it work?
You register and define a monthly sum that you will distribute. Once registered, you can add a Flattr button to any of your content (blog, videos, pictures, songs…). When a Flattr member likes your content, he pushes the corresponding button. Of course, you do the same on the content of others. At the end of the month, your monthly sum is shared equally among the contents you liked, and the corresponding value is credited to the account of each content owner. Let’s suppose that your monthly sum is 2€. If you clicked on 10 buttons, each creator will receive 0.2€. If you clicked only once, the happy creator will be granted 2€. If you did not click at all, the 2€ will be given to a charity.

It is a nice business model. Flattr takes a 10% fee. It is a kind of micropayment.

Some potential issues:

  • It will only work if there is a network effect. For that, they need attractive content; in other words, they need the buy-in of creators.
  • Attractive content? One of the potential issues is the ownership of a piece of content. How do you prove ownership? How do you prevent people from appropriating copyrighted content?

Why such a cryptic title? Doesn’t Sweden give you a hint? One of the founders is Peter Sunde. Peter Sunde is also one of the founders of The Pirate Bay.

In any case, an interesting initiative to follow up.

Amazon’s PayPhrase

In November 2009, Amazon launched a new payment mode called PayPhrase. The idea is simple. You associate with your profile a passphrase, i.e. a sentence of at least two words (more than four characters), and a 4-digit PIN. The PayPhrase is linked to a shipping address and a payment method. If you want another shipping address, you use a second PayPhrase.

Amazon offers this service to other sites. The other sites validate the information through Amazon but never get access to your personal data, nor to your credit card data. The basic assumption is that you trust Amazon to do a clean job of securing your personal data (which seems a reasonable assumption).

Of course, Amazon expects to become a competitor to established payment methods such as PayPal.

Is it serious? Well, I have spotted one funny issue. How do I define a PayPhrase?

Create an original PayPhrase yourself, or choose one of our suggestions. Once you have claimed a particular PayPhrase, it can’t be claimed by anyone else.

The uniqueness of the PayPhrase shows that the idea is that the PayPhrase replaces your identity (your username) and the PIN is the only authentication secret. This means two things:

  • Latecomers may have some trouble setting up an easy-to-remember PayPhrase, because the most trivial ones will already be taken.
  • People will use the most trivial ones.

And this last point is the fun part of the game. Find a trivial PayPhrase and check whether it is active. Then, one could mount a DoS against this person by trying many PINs until the PayPhrase is blacklisted.

I tried my favorite trivial passphrase, “Trust no one”. Guess what? It belongs to somebody in Portland paying with Visa! I did not try the PIN.

Lesson: Some design decisions may have “funny” side effects.
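To make the side effect concrete, here is an added toy model of the design (example code written for this post, not Amazon's implementation, with constructed phrases, PINs and client sources). The phrase plays the role of the username and the 4-digit PIN is the only secret, so the lockout policy chosen to protect the PIN decides who can lock whom out: locking the phrase after a few wrong PINs from anyone lets a third party freeze the legitimate owner, whereas throttling the submitting source keeps the phrase usable and, combined with a non-committal answer for unknown phrases, stops the service from confirming that a phrase is active.

```python
"""Toy PayPhrase-style service with two lockout policies (added example).

  lock_account    : lock the phrase after MAX_FAILURES wrong PINs, whoever sent
                    them. Anyone who knows the phrase can trigger the lockout.
  throttle_source : count failures per submitting source (e.g. client address)
                    and refuse that source only; the phrase stays usable.

Names, PINs and sources are constructed for the example. A real service would
store a PIN hash and add global slow-downs; this model only contrasts the two
policies.
"""
import secrets
from dataclasses import dataclass, field

MAX_FAILURES = 3


@dataclass
class Account:
    pin: str                      # toy: stored in clear, hash it in real life
    total_failures: int = 0       # used by the lock_account policy
    failures_by_source: dict = field(default_factory=dict)  # throttle_source
    locked: bool = False


class PayPhraseService:
    def __init__(self, policy):
        if policy not in ("lock_account", "throttle_source"):
            raise ValueError("unknown policy")
        self.policy = policy
        self.accounts = {}

    def register(self, phrase, pin):
        # Uniqueness is part of the design: the phrase is the identity.
        if phrase in self.accounts:
            raise ValueError("phrase already claimed")
        self.accounts[phrase] = Account(pin=pin)

    def authenticate(self, phrase, pin, source):
        """Return 'ok', 'denied', 'locked' or 'throttled'."""
        acct = self.accounts.get(phrase)
        if acct is None:
            # Same answer as a wrong PIN, so the service does not confirm
            # which phrases exist.
            return "denied"

        if self.policy == "lock_account":
            if acct.locked:
                return "locked"
            if secrets.compare_digest(acct.pin, pin):
                acct.total_failures = 0
                return "ok"
            acct.total_failures += 1
            if acct.total_failures >= MAX_FAILURES:
                acct.locked = True          # owner is now locked out too
            return "denied"

        # throttle_source: failures are attributed to the sender, not the phrase
        if acct.failures_by_source.get(source, 0) >= MAX_FAILURES:
            return "throttled"
        if secrets.compare_digest(acct.pin, pin):
            acct.failures_by_source.pop(source, None)
            return "ok"
        acct.failures_by_source[source] = acct.failures_by_source.get(source, 0) + 1
        return "denied"


def demo():
    """Run the same sequence under both policies; returns the owner's result."""
    results = {}
    for policy in ("lock_account", "throttle_source"):
        svc = PayPhraseService(policy)
        svc.register("blue teapot", "4242")           # constructed sample
        for _ in range(MAX_FAILURES):                  # wrong PINs from a stranger
            svc.authenticate("blue teapot", "0000", source="stranger")
        results[policy] = svc.authenticate("blue teapot", "4242", source="owner")
    return results


if __name__ == "__main__":
    print(demo())   # lock_account -> 'locked', throttle_source -> 'ok'
```

Per-source throttling alone is not the whole answer either: a 4-digit PIN has only 10,000 values, so a service using it must also slow down guessing globally (increasing delays, step-up verification) without turning that slow-down into a lock that a stranger can trigger.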

Rovi

Macrovision changed its name: it is now Rovi. But the commercial offer did not change. Historically, Macrovision started with an analog copy protection scheme, whose objective was to prevent the duplication of tapes or DVDs by analog recorders. They have since added many other systems.

See Rovi

VC2 and AMEX

The Visual Cryptogram 2 (VC2) was created by VISA in 2005 to protect against online fraud. The VC2 code is the three-digit number printed on the back of your credit card. The rationale of VC2 is that to access this code, you need to have the card in sight. I always thought that the rationale for printing it on the back was to avoid camera capture used with card skimmers (see for instance http://www.darknet.o … ut-atm-hacking-tips/).

It seems I was wrong, or at least that AMEX does not fear this type of skimmer. AMEX also uses a visual cryptogram. But AMEX’s VC is four digits long and printed on the front of the credit card. I do not understand the rationale for using a different scheme (different size, different location). In fact, I learned it the hard way. When using my AMEX online for the first time, I used the three digits on the back of the card. There was one! And of course, it did not work. :Sad:

Does somebody have a clue?

Hate and Love authentication

Raven White proposes a new authentication system, Blue Moon Authentication, following the trend of replacing the typical password challenge with a more user-friendly (and less memory-demanding) one.

Authentication asks you for your like and dislike choices on 15 topics. If you get a large enough number right, you are authenticated. Initializing the system requires you to select 8 liked topics and 8 disliked topics from a set of about 70 topics.

:Happy: The choice of topics seems to have been done carefully. Interviewing a sample of users about some 200 topics allowed the topics with the least entropy to be rejected. Some Human-Computer Interaction specialists participated.

:Sad: The split into 8 likes and 8 dislikes helps a lot when trying to guess the answer. Remember that the challenge is about 15 topics. Mathematically, you need to end up with 7 from one side and 8 from the other. I did not do the math, but it shrinks the search space. I’m too lazy (it is too late, and the day was hard) to calculate, but it is less than 2^14 trials. Of course, if you know the person you want to impersonate a little, the odds definitely change.

:Sad: The system is supposed to remove the burden of password replacement. Nevertheless, with such a small challenge space, you will necessarily have to block brute-force attacks. Once the user is blacklisted, how will he be reauthorized? Through which authentication mechanism? A password?

I did not read the papers. I will do so soon.

It reminds me of authentication based on the selection of pictures or icons among a set of pictures.

Would you trust this authentication process?