re: Media Impact (Think a second)

Chris (cr@innocent.com)
Fri, 20 Jun 1997 20:25:44 -0400


It is interesting to read the different reasons people think that this
was important. On reason it is not important is for ATM and credit card
use. NO ONE in their right mind is going to use this technique to break
pin codes and credit card numbers. For example to steal money using ATM
codes you would have to do the following:

(1) Splice the phone line from the ATM

(2) Record the information coming from it

(3) Decode this format from tape or whatever into a content the computer
would understand

(4) Program a routine that will then brute force break this (I don't see
any around that aren't for the challenges)

(5) I might be wrong about this one, but I think we had the known plain
text of the first line "The encrypted message [or whatever] is:

(6) Figure out the format of the output

(7) Buy a magnetic decoder and blank card (or used card) stock

(8) encode the new acct#s correctly

(9) go to ATM machines and take out all the money

(10) not get caught with all the pictures and other stuff the secret
service would have to go on in investigating you.

I am sure some of you remember the famous scam up in new England where a
bunch of people had put their own ATM machine in a mall (without the mall's
knowledge) and set it up so it would say "sorry we are broke" or whatever
AFTER GETTING THE ACCT# and PIN#. These people were caught! The Secret
Service estimates they spent $180,000 !!!! to get the scam to work and only
took in $60,000. (The ATM machine was real and apparently they had bought
two others, they paid a programmer to redo the ATMs software)

It is of course far easier to sit and watch people type in their pins and
take their receipt (with acct# if they leave it). I am sure that there are
some ATM locations that would be in a position where this could be done
from a distance with the right equipment.

As far as credit card #'s go, You can go to the mall and steal the trash
(the forms you sign are carbonless, but many retail places print reports
from the verifones with CC#s that are thrown away) or log onto a hacker
site and get a credit card number generator. There is a know alg. for visa
cards and they are issued sequentially with skips. If you know it and you
know one number, you know 1,000.

Of course then you have to get the products/ services, how do you plan on
doing that without getting caught?

There is plenty of better and ways to commit financial crimes then to go
through all this trouble. I seriously doubt that most of the people who
read this group (me included) have the technical expertise to even carry
out even a portion of the simple ATM crime enumerated above. Also, I don't
think that ATM's use DES for encryption, but I could be wrong.

What I think is the real significance of "breaking" DES is that it brings
light to several problems:

(1) The government can decrypt anything that it has a need to with such
small key lengths. I do not know how often this goes on, but logic tells
me that:

If the government is trying to limit key lengths to a certain length
either:

(a) they all ready decrypt lots of stuff and this would hamper their
efforts;

or

(b) they are planning on decrypting a lot of stuff and don't want their
plans messed up

The government takes computers every day even in investigations of crimes
that have little to with computers. People often have private data on it
that almost certainly can be embarrassing and is none of the governments
business. I for one do not like the idea of the government looking through
my files and being able to look at what ever they want.

Law enforcement is known to have used scanners and the like to listen into
private cordless and cell phone calls. This almost always involves hearing
calls from other people, since they don't often know what frequency it will
be on, they check 'em all. I have seen advertisements in Law enforcement
magazines for items specifically designed to intercept cell phone calls,
including a digital display to decode the called number and other info.
These techniques are likely to be used more by Law Enforcement because they
require no physical access to the phone company; and wireless access is
expanding. Rogue officers can also do this to help their career, with
little chance of getting caught, because they can do it without anyone
knowing. The legal status on the issue of listening to cordless phones is
up in the air, because courts have ruled that people have "no reasonable
expectation of privacy" when the talk on the radio waves.

Currently, my understanding is that, the data from digital 900Mhz cordless
and PCS phone like sprint spectrum are not encrypted, but merely in a
digital form. I heard, but have not confirmed and would like more info if
someone has it, that someone has even modified his/her sprint spectrum
phone to be used as a scanner for other calls.

Do we as Americans, the land of the free, not deserve to have conversations
that are totally private? The 4th amendment protects me against
"unreasonable searches". I find it unreasonable that the government can
channel surf through my phone calls to find info on someone else they want.
We NEED STRONG ENCRYPTION for phone calls and the next wireless standard
should include strong encryption.

(2) Businesses, especially overseas, have been caught spying on each other.
Is it right that they should be handicapped in protecting themselves,
merely for the purposes of abiding by the wishes of the U.S. Government
that strong encryption not be exported. This of course is almost funny. A
true terrorist or evil government would have little problem getting so
called "strong encryption" out of the US. A diplomat or terrorist
confidant could easily take a disk through customs (and customs doesn't
search diplomats) containing so called strong encryption. That is of
course much more complicated then just having it emailed to him or her, but
you get the point.

American businesses should also not be hindered in competing in the
international market place for secure products. Getting "strong"
encryption approved through the US Gov't is a burden that the companies
should not have to face in order to compete.

(3) Foreign governments spy on US citizens. The Soviet Union, Russia, or
whatever name they are using now, has a tower in Cuba devoted solely to
spying on American businesses, people, and government agencies. Much of
this is done through monitoring microwave communications. Sen. Moynihan
has attempted to draw attention to this problem, that the US has known for
years, to little avail. I think our nation as a whole deserves that
communications that are intended to be private remain private
communications.

Hopefully Americans will look at this and say, "Hey if a bunch of guys on
the internet can break DES, I want a more secure key length for my
encryption uses." Well actually most Americans couldn't give a crap about
encryption. But there is always hope . . .

-Chris Raimondi

:In message <199706201915.PAA22429@goffette.research.megasoft.com>, C
Matthew Cu
:rtin writes:
>>>>>> "Nelson" == Nelson Minar <nelson@media.mit.edu> writes:
:>
:>Nelson> Where else has the crack been reported? What spin has there
:>Nelson> been? The CNN article says "but it took 4 months" as a
:>Nelson> subtitle.
:>
:>All of the folks that picked up the story from AP got the "but it took
:>4 months" spin. This is incredibly stupid, though. Does everyone
:>change ATM card, credit card, etc., info in less than four months?
:>No! Any of these encrypted with DES are totally vulnerable to attack,
:>and we've proven that.
:
:Money Daily[1] has a "Alarming, yes, but not yet time to tear up
:your ATM card" spin article.

:The Salt Lake Tribune also has an article this morning's edition [2].
:
:[1]: <URL:http://www.moneydaily.com/>
:[2]: <URL:http://www.sltrib.com/062097/business/business.htm

_________________