UK Chip and PIN vulnerable to simple attack

LightBlueTouchpaper, a blog by security researchers at Cambridge University, has posted details of a study documenting easy attacks on the new generation of British bank cards.  Saar Drimer explains, “This attack can capture the card’s PIN because UK banks have opted to issue cheaper cards that do not use asymmetric cryptography”.  Let's all heed the warning: 

Steven J. Murdoch, Ross Anderson and I looked at how well PIN entry devices (PEDs) protect cardholder data. Our paper will be published at the IEEE Symposium on Security and Privacy in May, though an extended version is available as a technical report. A segment about this work will appear on BBC Two’s Newsnight at 22:30 tonight.

We were able to demonstrate that two of the most popular PEDs in the UK — the Ingenico i3300 and Dione Xtreme — are vulnerable to a “tapping attack” using a paper clip, a needle and a small recording device. This allows us to record the data exchanged between the card and the PED’s processor without triggering tamper proofing mechanisms, and in clear violation of their supposed security properties. This attack can capture the card’s PIN because UK banks have opted to issue cheaper cards that do not use asymmetric cryptography to encrypt data between the card and PED.

[Images: Ingenico attack; Dione attack]

In addition to the PIN, as part of the transaction, the PED reads an exact replica of the magnetic strip (for backwards compatibility). Thus, if an attacker can tap the data line between the card and the PED’s processor, he gets all the information needed to create a magnetic strip card and withdraw money out of an ATM that does not read the chip.

We also found that the certification process of these PEDs is flawed. APACS has been effectively approving PEDs for the UK market as Common Criteria (CC) Evaluated, which does not equal Common Criteria Certified (no PEDs are CC Certified). What APACS means by “Evaluated” is that an approved lab has performed the “evaluation”, but unlike CC Certified products, the reports are kept secret, and governmental Certification Bodies do not do quality control.

This process causes a race to the bottom, with PED developers able to choose labs that will approve rather than improve PEDs, at the lowest price. Clearly, the certification process needs to be more open to the cardholders, who suffer from the fraud. It also needs to be fixed such that defective devices are refused certification.

We notified APACS, Visa, and the PED manufacturers of our results in mid-November 2007 and responses arrived only in the last week or so (Visa chose to respond only a few minutes ago!) The responses are the usual claims that our demonstrations can only be done in lab conditions, that criminals are not that sophisticated, the threat to cardholder data is minimal, and that their “layers of security” will detect fraud. There is no evidence to support these claims. APACS state that the PEDs we examined will not be de-certified or removed, and the same for the labs who certified them and would not even tell us who they are.

The threat is very real: tampered PEDs have already been used for fraud. See our press release and FAQ for basic points and the technical report where we discuss the work in detail.

[Thanks to Richard Turner for the heads up.]

New plans for German identity card

IdealGovernment's William Heath describes a planned identification card for German citizens that incorporates a pseudonym capability for electronic commerce: 

The German Home Office has confirmed that a new electronic identity card for German citizens will incorporate the use of pseudonyms for secure web access.

According to the plans of the German Home Office, a credit card sized electronic identity card will be introduced in 2009. It will replace the larger, non-electronic identity cards currently in use. “Apart from the usual personal information, the electronic identity card will contain biometric information, in particular digital fingerprints of both index fingers, and additional information for facial recognition”, says secretary of state August Hanning.

Hanning confirmed that the new identity card will contain a pseudonym function. In a leaked letter to Gisela Piltz, a Member of German Parliament for the Liberal Democrats (FDP), Hanning stated that the card could be used as a “passport for the internet” in the future. “The new identity card offers the possibility of an electronic identity proof for E-Government- and E-Business-applications”, writes Hanning.

The central idea is that the individual card number is used to generate a pseudonym that cannot be reconverted mathematically into the original card number. This pseudonym could then be used to register at, for example, eBay, or any other web service that requires personal identification.

I don't yet know the details of how this works.  I would be concerned if the card generates a single pseudonym that remains constant everywhere it is used.   This would still be an “identifier beacon” that could be used to link all your digital activities into a super-profile. Such a profile would be as irresistible to marketers as it would be to organized crime, so we can be pretty sure it would emerge.  If any aspect of this profile is linked to a molecular identity, all of it is.

In a sense, using a pseudonym that ends up creating a super-dossier would be worse than just using an official government identity, since it would create false expectations in the user, breaking the First Law of identity that ensures the transparency of the identity system so the user can control it.

Regardless of the details of the proposal, it is great to see the German government thinking about these issues.  Once you start to look at them, they lead to the requirement to also support “directed identities”.  There are leading academics and policy makers in Germany who are capable of guiding this proposal to safety.  The key here is to take advantage of the new generation of intelligent smart cards, identity selectors and web service protocols.

[Read more on the  e-health Europe site.]
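The linkability concern above, as an added example (not the German scheme, whose details the post says are unknown): it compares a single one-way pseudonym with a per-site "directed" pseudonym. The card numbers, card secrets, site names and the use of SHA-256/HMAC are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample data: (card number, secret key held only inside the card chip).
CARDS = [
    ("T220001293", bytes.fromhex("11" * 32)),
    ("T220001307", bytes.fromhex("22" * 32)),
    ("T220001315", bytes.fromhex("33" * 32)),
]
# Hypothetical relying parties.
SITES = ("auction.example", "clinic.example")


def global_pseudonym(card_number, card_secret, site):
    """One-way but constant everywhere: the 'identifier beacon' case."""
    return hashlib.sha256(card_number.encode()).hexdigest()


def directed_pseudonym(card_number, card_secret, site):
    """One-way and different per relying party: HMAC keyed by the card secret."""
    return hmac.new(card_secret, site.encode(), hashlib.sha256).hexdigest()


def registrations(scheme):
    """Every cardholder registers at every site; return {site: set of pseudonyms}."""
    return {site: {scheme(number, secret, site) for number, secret in CARDS}
            for site in SITES}


def cross_site_links(scheme):
    """Accounts that two sites could join on if they pooled their user tables."""
    tables = registrations(scheme)
    return len(tables[SITES[0]] & tables[SITES[1]])


if __name__ == "__main__":
    print("global pseudonym, linkable accounts:  ", cross_site_links(global_pseudonym))
    print("directed pseudonym, linkable accounts:", cross_site_links(directed_pseudonym))
```

Both schemes give a returning user the same pseudonym at the same site, so login still works; only the directed form stops two sites from joining their records.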

Understanding Windows CardSpace

There is a really wonderful new book out on digital identity and Information Cards called “Understanding Windows CardSpace”.

Written by Vittorio Bertocci, Garrett Serack and Caleb Baker, all of whom were part of the original CardSpace project, the book is deeply grounded in the theory and technology that came out of it.  At the same time, it is obviously their personal project.  It has a personal feeling and conviction I found attractive.

The presentation begins with a problem statement – “The Advent of Profitable Digital Crime”.  There is a systematic introduction to the full panoply of attack vectors we need to withstand, and the book convincingly explains why we need an in-depth solution, not another band-aid leading to some new vulnerability.

For those “unskilled in the art”, there is an introduction to relevant cryptographic concepts, and an explanation of how both certificates and https work.  These will be helpful to many who would otherwise find parts of the book out of reach.

Next comes an intelligent discussion of the Laws of Identity, the multi-centered world and the identity metasystem.  The book is laid out to include clever sidebars and commentaries, and becomes progressively more McLuhanesque.  On to SOAP and Web Services protocols – even an introduction to SAML and WS-Trust, always with plenty of diagrams and explanations of the threats.

Then we are introduced to the concept of an identity selector and the model of user-centric interaction.

Part two deals specifically with CardSpace, starting with walk-throughs, and leading to implementation.  This includes “Guidance for a Relying Party”, an in-depth look at the features of CardSpace, and a discussion of using CardSpace in the browser.

The authors move on to Using CardSpace for Federation, and explore how CardSpace works with the Windows Communication Foundation.  Even here, we're brought back to the issues involved in relying on an Identity Provider, and a discussion of potential business models for various metasystem actors.

Needless to say, much of what's covered in this book applies to Higgins and OpenInformationCard and Bandit as well as CardSpace. 

Above all, it is a readable book that balances technology with the broader issues of identity.  I imagine almost anyone who reads this blog will have something to gain from it.  I especially recommend it for people who want a holistic introduction to digital identity, CardSpace and web services.  I think the book is excellent for students.  I even expect it will be enjoyed by more than one policy maker who wants to understand the underlying technical problems of identity.

So check it out, and let me know what you think.

[By the way:  One chapter of the book is now online as a stream of html text, but I'd avoid it. The printed layout and interplay of commentaries add both life and interest…]

Booze and Identity

Let's turn to New Zealand's Identity and Privacy Blog for the latest in… news about Canada:  

It’s interesting to see how booze seems to bring up great questions of identity and privacy. Or maybe it’s just the Canadians?

Canadian Dick Hardt uses buying booze as an example in his famous Identity 2.0 presentation and makes very interesting points about using ID, such as a drivers licence, to buy booze.

Now comes another angle from Canada involving booze: if your ID is scanned when entering a bar, would that make you behave? That was one of the issues at the heart of a case decided by the Information and Privacy Commissioner of Alberta.

The Tantra Nightclub in Calgary had a practice of scanning driver licences before allowing people in. Clearly it is collecting and storing personal information as it includes an individual’s photograph, license number, birth date, address, and bar codes with embedded information unique to the individual driver’s license.

The club says that “We’ve got hard data that it works, we that says crime and violence is down in our venues by over 77%.” On the other hand, the Information and Privacy Commissioner described ID scanning as a deterrent to violent behaviour “conjecture” not backed up by hard data and ordered the club to stop the practice.

In terms of consent, the only thing that the complainant agreed to was the club confirming his date of birth off the licence.

This is precisely the kind of situation that the Laws of Identity frowns upon in digital identity systems, in particular User Control and Consent; Minimal Disclosure for a Constrained Use; and Directed Identity. And another example of unjustified expectations from ID cards that knowing a person’s identity somehow magically solves most societal problems.

Wow.  You have to love this nightclub chain.

The owner is apparently bitter.  But he could get around these problems if he would just change the club's name to something more fitting.  How about the Mein Kampf Eagle Lounge?  Then having a functionary scanning “your papers” would just be part of the show – justifiable by any measure.

The whole report is worth a read, but this argument by Tantra management really stands out:

“The SC System [SecureClub ID System – Kim], as part of the overall comprehensive security system, is intended to act as a deterrent to potential wrongdoers in that all patrons know that their identification is scanned and that therefore they could easily be identified if they were involved in any violent or illegal activity. It is submitted that potential wrongdoers would be less likely to engage in violent or other illegal behaviour if their ability to remain anonymous was removed. It is further submitted that the SC system removes the anonymity of potential wrongdoers, and is therefore one effective component of an effective overall comprehensive security system.”

Hey, come to think of it, we should all have our papers scanned wherever we go, day and night!

Gee, maybe it's that Canadian thing, but it all makes me want to go for a beer.

Half-life of personal information

In November I coined the term “Identity Chernobyl” for Britain's HMRC fiasco (at least it seems that way when I look at Google).

Cory Doctorow elaborates on this in a nice Guardian piece:

When HM Revenue & Customs haemorrhaged the personal and financial information of 25 million British families in November, wags dubbed it the “Privacy Chernobyl”, a meltdown of global, epic proportions [Hey, Cory, are you calling me a wag? – Kim].

The metaphor is apt: the data collected by corporations and governmental agencies is positively radioactive in its tenacity and longevity. Nuclear accidents leave us wondering just how we're going to warn our descendants away from the resulting wasteland for the next 750,000 years while the radioisotopes decay away. Privacy meltdowns raise a similarly long-lived spectre: will the leaked HMRC data ever actually vanish?

The financial data in question came on two CDs. If you're into downloading movies, this is about the same size as the last couple of Bond movies. That's an incredibly small amount of data – my new phone holds 10 times as much. My camera (six months older than the phone) can only fit four copies of the nation's financial data.

Our capacity to store, copy and distribute information is ascending a curve that is screaming skyward, headed straight into infinity. This fact has not escaped the notice of the entertainment industry, where it has been greeted with savage apoplexy.

Wet Kleenex

But it seems to have entirely escaped the attention of those who regulate the gathering of personal information. The world's toughest privacy measures are as a wet Kleenex against the merciless onslaught of data acquisition. Data is acquired at all times, everywhere.

For example, you now must buy an Oyster Card if you wish to buy a monthly travelcard for London Underground, and you are required to complete a form giving your name, home address, phone number, email and so on in order to do so. This means that Transport for London is amassing a radioactive mountain of data plutonium, personal information whose limited value is far outstripped by the potential risks from retaining it.

Hidden in that toxic pile are a million seams waiting to burst: a woman secretly visits a fertility clinic, a man secretly visits an HIV support group, a boy passes through the turnstiles every day at the same time as a girl whom his parents have forbidden him to see; all that and more.

All these people could potentially be identified, located and contacted through the LU data. We may say we've nothing to hide, but all of us have private details we'd prefer not to see on the cover of tomorrow's paper.

How long does this information need to be kept private? A century is probably a good start, though if it's the kind of information that our immediate descendants would prefer to be kept secret, 150 years is more like it. Call it two centuries, just to be on the safe side.

If we are going to contain every heap of data plutonium for 200 years, that means that every single person who will ever be in a position to see, copy, handle, store, or manipulate that data will have to be vetted and trained every bit as carefully as the folks in the rubber suits down at the local fast-breeder reactor.

Every gram – sorry, byte – of personal information these feckless data-packrats collect on us should be as carefully accounted for as our weapons-grade radioisotopes, because once the seals have cracked, there is no going back. Once the local sandwich shop's CCTV has been violated, once the HMRC has dumped another 25 million records, once London Underground has hiccoughed up a month's worth of travelcard data, there will be no containing it.

And what's worse is that we, as a society, are asked to shoulder the cost of the long-term care of business and government's personal data stockpiles. When a database melts down, we absorb the crime, the personal misery, the chaos and terror.

The best answer is to make businesses and governments responsible for the total cost of their data collection. Today, the PC you buy comes with a surcharge meant to cover the disposal of the e-waste it will become. Tomorrow, perhaps the £200 CCTV you buy will have an added £75 surcharge to pay for the cost of regulating what you do with the footage you take of the public.

We have to do something. A country where every snoop has a plutonium refinery in his garden shed is a country in serious trouble.

The notion of information half-life is a great one.  Let's adopt it.

The tendency for “information to merge” is one of the defining transformations of our time.  When it comes to understanding what this means, few think forward, or even realize that there “is a forward”.

The “contextual separation” in our lives has been central to our personalities and social structures for many centuries.   

Call me conservative, but we need to  retain this separation. 

The mobility and clonability of digital information, in combination with commercial interest and naïveté, lead us toward a vast sea of personal information intermixed with our most intimate and tentative thoughts. 

The essence of free-thinking is to be able to think things you don't believe as part of the process of grasping the truth.  If the mind melts into the computer, and the computer melts into a rigid warehouse of indelible data, how easy is it for us to change, and what is left of the mind that is “transcendental” (or even just unfettered…)?

The ramifications of this boggle the mind.  The alienation it would cause, and the undermining of institutions it would bring about, concern me as much as any other threat to our civilization.

    

Passwords now 100 times weaker

At first blush it seems we're looking at a 100 fold increase in teenage cracking power, according to this piece from the BBC News.

Security researcher Nick Breese used a PS3 to crack supposedly strong eight-character passwords in hours.

Typically, previous attempts to crack such passwords took days to get the same result.

Eight-character passwords are used to protect PDF and Zip files as well as those produced by Microsoft Office.

The work to turn the PS3 into a password cracker was carried out by Nick Breese, who works for Auckland-based Security Assessment.

The Cell processor at the heart of the PS3 is the key to speeding up the time it takes to crack a password.

In a presentation given at the Kiwicon security conference in mid-November, Mr Breese said a powerful Intel chip could crank through 10-15 million cycles per second.

The architecture of the Cell processor meant it could speed through 1.4 billion cycles per second. This speed boost was possible because each Cell chip had several processing cores – each one of which could be effectively trying passwords at the same time.

This was important when attempting “brute force” attacks that go through all possible combinations for a password.

Speaking to the Sydney Morning Herald, Mr Breese said although the PS3 could be used to crack eight-character passwords featuring letters and numbers, stronger encryption systems – such as those used to safeguard web transactions – remained safe.

Mr Breese's research comes soon after work by Russian company Elcomsoft to use graphics cards to speed up password cracking.

Hmmm.  Security comes from the multiple circles of defense that protect our resources.  So this discovery has many implications.

Amongst other things, it reminds us that password encryption just isn't a solution to problems like the one faced recently by Britain's HMRC.  You need approaches that are more structural – partition data and use strong auth.

[Thanks to Richard Turner for pointing me to this story.  He loves passwords as much as I do.]


Touchpaper breached

Light Blue Touchpaper is a blog run by leading international security researchers at the Computer Laboratory, University of Cambridge.  In recent posts, researcher Steven Murdoch writes that Touchpaper, which is based on the same WordPress blogging software I use, was breached around the same time as Identityblog (described here).  

Steven explains that the attack was the result of several problems in WordPress – a SQL injection vulnerability plus a basic misuse in the way password hashes are stored and used in cookies.  The latter problem remains even after release 2.3.1.  He writes:

It is disappointing to see that people are still getting this type of thing wrong. In their 1978 summary, Morris and Thompson describe the importance of one way hashing and password salting (neither of which WordPress does properly).

I also pointed this problem out to several people when first experimenting with how to integrate Information Cards into WordPress a couple of years ago.  The comments may not have made their way back to people who could fix the problems…

Steven has another recent post that describes more, equally surprising, uses of hashing, and discusses the interplay between hashes and search engines:

One of the steps used by the attacker who compromised Light Blue Touchpaper a few weeks ago was to create an account (which he promoted to administrator; more on that in a future post). I quickly disabled the account, but while doing forensics, I thought it would be interesting to find out the account password. WordPress stores raw MD5 hashes in the user database (despite my recommendation to use salting). As with any respectable hash function, it is believed to be computationally infeasible to discover the input of MD5 from an output. Instead, someone would have to try out all possible inputs until the correct output is discovered.

So, I wrote a trivial Python script which hashed all dictionary words, but that didn’t find the target (I also tried adding numbers to the end). Then, I switched to a Russian dictionary (because the comments in the shell code installed were in Russian) but that didn’t work either. I could have found or written a better password cracker, which varies the case of letters, and does common substitutions (e.g. o → 0, a → 4) but that would have taken more time than I wanted to spend. I could also improve efficiency with a rainbow table, but this needs a large database which I didn’t have.

Instead, I asked Google. I found, for example, a genealogy page listing people with the surname “Anthony”, and an advert for a house, signing off “Please Call for showing. Thank you, Anthony”. And indeed, the MD5 hash of “Anthony” was the database entry for the attacker. I had discovered his password.

In both the webpages, the target hash was in a URL. This makes a lot of sense — I’ve even written code which does the same. When I needed to store a file, indexed by a key, a simple option is to make the filename the key’s MD5 hash. This avoids the need to escape any potentially dangerous user input and is very resistant to accidental collisions. If there are too many entries to store in a single directory, by creating directories for each prefix, there will be an even distribution of files. MD5 is quite fast, and while it’s unlikely to be the best option in all cases, it is an easy solution which works pretty well.

Because of this technique, Google is acting as a hash pre-image finder, and more importantly finding hashes of things that people have hashed before. Google is doing what it does best — storing large databases and searching them. I doubt, however, that they envisaged this use though. :-)

They say misery loves company.  And if I had wanted company while my blog was being breached, the Cambridge Computer Laboratory would have been about as good company as I could get.  But I'm sure they, like me, draw one conclusion above all others:   build systems on the basis they will be breached, in order to reduce the consequences to the absolute minimum. 

[Thanks to Hans Van Es for pinging me about this.]
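The storage problem discussed in this post, as an added example (not code from WordPress or from Light Blue Touchpaper): raw MD5 beside a salted, iterated hash, checked against a small constructed index standing in for "things that people have hashed before". PBKDF2-SHA256, the iteration count, the record format and the user names are assumptions of this sketch.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumption for this sketch; tune to your hardware


def md5_unsalted(password):
    """The scheme the post criticises: raw MD5, no salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_record(password, salt=None):
    """Salted, iterated one-way hash stored as scheme$iterations$salt$digest."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2-sha256${}${}${}".format(ITERATIONS, salt.hex(), digest.hex())


def pbkdf2_verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    _scheme, iterations, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# Constructed stand-in for a public index of MD5 values of ordinary strings
# (file names, URL keys and so on), as described in the quoted post.
PUBLISHED_STRINGS = ["Anthony", "index.html", "holiday-photos", "letmein"]
PUBLIC_INDEX = {md5_unsalted(s): s for s in PUBLISHED_STRINGS}


def exposed_entries(user_table):
    """Return {user: recovered input} for stored values found in the index."""
    return {user: PUBLIC_INDEX[value]
            for user, value in user_table.items() if value in PUBLIC_INDEX}


def build_tables(password="Anthony"):
    """Two constructed accounts sharing one password, stored both ways."""
    md5_table = {u: md5_unsalted(password) for u in ("user1", "user2")}
    salted_table = {u: pbkdf2_record(password) for u in ("user1", "user2")}
    return md5_table, salted_table


if __name__ == "__main__":
    md5_table, salted_table = build_tables()
    print("raw MD5 entries found in index:", exposed_entries(md5_table))
    print("salted entries found in index: ", exposed_entries(salted_table))
    print("same password, same MD5 value: ", md5_table["user1"] == md5_table["user2"])
    print("same password, same salted rec:", salted_table["user1"] == salted_table["user2"])
```

The salted records never match a precomputed index, and two accounts with the same password no longer share a stored value, which is what the Morris and Thompson reference in the post asks for.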

NAO's “redaction” adds fuel to the flames

Google's Ben Laurie has a revealing link to correspondence published by the National Auditing Office relating to HMRC's recent identity disaster. 

He also explains that the practice of publishing “redacted texts” is itself outmoded in light of the kinds of statistical attacks that can now be mounted.  He concludes that, “those who are entrusted with our data have absolutely no idea of the threats it faces, nor the countermeasures one should take to avoid those threats.”

In the wake of the HMRC disaster (nicely summarised by Kim Cameron), the National Audit Office has published scans of correspondence relating to the lost data.

First of all, it's notable that everyone concerned seems to be far more concerned about cost than about privacy. But an interesting question arises in relation to the redactions made to protect the “innocent”. Once more, NAO and HMRC have shown their lack of competence in these matters…

A few years ago it was a popular pastime to recover redacted data from such documents, using a variety of techniques, from the hilarious cut'n'paste attacks (where the redacted data had not been removed, merely covered over with black graphics) to the much more interesting typography related attacks. The way these work is by working backwards from the way that computers typeset. For each font, there are lookup tables that show exactly how wide each character is, and also modifications for particular pairs of characters (for example, “fe” often has less of a gap between the characters than would be indicated by the widths of the two letters alone). This means that if you can accurately measure the width of some text it is possible to deduce which characters must have made up the text (and often what order those characters must appear in). Obviously this isn't guaranteed to give a single result, but often gives a very small number of possibilities, which can then be further reduced by other evidence (such as grammar or spelling).

It seems HMRC and NAO are entirely ignorant of these attacks, since they have left themselves wide open to them. For example, on page 5 of the PDF, take the first line “From: redacted (Benefits and Credits)”. We can easily measure the gap between “:” and “(“, which must span a space, one or more words (presumably names) and another space. From this measurement we can probably make a good shortlist of possible names.

Even more promising is line 3, “cc: redacted@…”. In this case the space between the : and the @ must be filled by characters that make a legal email address and contain no spaces. Another target is the second line of the letter itself “redacted has passed this over to me for my views”. Here we can measure the gap between the left hand margin and the first character of “has” – and fit into that space a capital letter and some other letters, no spaces. Should be pretty easy to recover that name.

And so on.

This clearly demonstrates that those who are entrusted with our data have absolutely no idea of the threats it faces, nor the countermeasures one should take to avoid those threats.
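An added example (not from the quoted post or the NAO documents) that audits a redaction method for the width leak described above: it counts how many candidate names remain consistent with the visible gap when a box is drawn over the original layout, and when the text is replaced by a fixed placeholder and re-typeset. The character widths, the kerning value and the names are constructed, not real font metrics or real people.

```python
# Constructed width model in arbitrary units (not real font metrics).
NARROW = "ijltfI "
WIDE = "mwMW"
KERN = {("f", "e"): -1}  # the pair the post mentions, with a made-up adjustment


def char_width(c):
    if c in NARROW:
        return 3
    if c in WIDE:
        return 9
    if c.isupper():
        return 7
    return 5


def text_width(s):
    """Sum of character widths plus pair adjustments, as a typesetter would."""
    width = sum(char_width(c) for c in s)
    width += sum(KERN.get(pair, 0) for pair in zip(s, s[1:]))
    return width


def gap_boxed_in_place(name):
    """Black box drawn over the original layout: gap = space + name + space."""
    return text_width(" " + name + " ")


def gap_retypeset(name):
    """Name replaced by a fixed placeholder before typesetting: gap is constant."""
    return text_width(" [REDACTED] ")


def anonymity_set(true_name, candidates, gap_fn, tolerance=1):
    """Candidates an observer cannot rule out from the measured gap alone."""
    observed = gap_fn(true_name)
    return [c for c in candidates if abs(gap_fn(c) - observed) <= tolerance]


# Constructed candidate list (for instance, a staff directory).
CANDIDATES = ["Jill Tate", "Alan Moss", "Wilma Hammond",
              "Tim Bell", "Emma Shaw", "Jeffery Cole"]

if __name__ == "__main__":
    for label, fn in (("boxed in place", gap_boxed_in_place),
                      ("re-typeset", gap_retypeset)):
        remaining = anonymity_set("Tim Bell", CANDIDATES, fn)
        print(f"{label:15s} -> {len(remaining)} of {len(CANDIDATES)} remain: {remaining}")
```

A redaction procedure passes this check only when the set of remaining candidates is the whole candidate list, whatever the true value was.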

Children’s birthdates, addresses and names revealed

Here is more context on the HMRC identity catastrophe.    

According to Terri Dowty, Director of Action on Rights for Children (ARCH):

“This appalling security lapse has placed children in the UK in immediate danger especially those who are already vulnerable. Child Benefit records contain every child’s address and date of birth [italics mine – Kim]. We are not surprised that the Chair of HMRC’s Board has resigned immediately.”

Last year Terri Dowty co-authored a report for the British Information Commissioner which highlighted the risks to children’s safety of the government’s policy of creating large, centralised databases containing sensitive information about children. But he says the government chose to dismiss the concerns of the report's authors. 

Dowty's experience is a clear instance of my thesis that reduction of identity leakage is still considered a “nice-to-have” rather than a “must-have”.

“The government has recently passed regulations allowing them to build databases containing details of every child in England. They have also announced an intention to create a second national database containing the in-depth personal profiles of children using services. They have batted all constructive criticism away, and repeatedly stressed that children’s data is safe in their hands.

“The events of today demonstrate that this is simply not the case, and all of our concerns for children’s safety are fully justified.”

The report ‘Children’s Databases: Safety and Privacy’ can be downloaded here.

Today the “inconvenient” input of people like Terri Dowty is often dismissed – much the way other security concerns used to be – until computer systems began to fall under the weight of internet and insider attacks…

I urge fellow architects, IT leaders, policy thinkers and technologically aware politicians to consider very seriously the advice of advocates like Terri Dowty.  We can deeply benefit from building safe and privacy-enhancing systems that are secure enough to withstand attack and procedural error.  Let's work together to translate this thinking to those who are less technical.  We need to explain that all the functionality required for government and business can be provided in ways that enhance privacy, rather than diminish it or set society up for failure.   

Ready or not: Barbie is an identity provider…

From Wired's THREAT LEVEL, news of an identity provider for girls.

Just today at the CSI Conference in Washington, DC, Robert Richardson was saying he saw signs everywhere that we were “on the cusp of digital identity truly going mainstream”.  Could anything be more emblematic of this than the emergence of Barbie as an identity provider?  It's really a sign of the times. 

From the comments on the Wired site (which are must-reads), it seems Mattel would be a lot better off giving parents control over whitelist settings (Law 1:  user control and consent).  It would be interesting to review other aspects of the implementation.  I guess we should be talking to Mattel about support for “Barbie Cards” and minimal disclosure…  I certainly tip my hat to those involved at Mattel for understanding the role identity can play for their customers.

At last, a USB security token for girls! 

Pre-teens in Mattel’s free Barbie Girls virtual world can chat with their friends online using a feature called Secret B Chat. But as an ingenious (and presumably profitable) bulwark against internet scum, Mattel only lets girls chat with “Best Friends,” defined as people they know in real life.

That relationship first has to be authenticated by way of the Barbie Girl, a $59.95 MP3 player that looks like a cross between a Bratz doll and a Cue Cat, and was recently rated one of the hottest new toys of the 2008 holiday season.

The idea is, Sally brings her Barbie Girl over to her friend Tiffany's house, and sets it in Tiffany's docking station — which is plugged into a USB port on Tiffany's PC.  Mattel's (Windows only) software apparently reads some sort of globally unique identifier embedded in Sally's Barbie Girl, and authenticates Sally as one of Tiffany's Best Friends.

Now when Sally gets home, the two can talk in Secret B Chat. (If Sally's parents can't afford the gadget, then she has no business calling herself Tiffany's best friend.)

It's sort of like an RSA token, but with cute fashion accessories and snap-on hair styles. THREAT LEVEL foresees a wave of Barbie Girl parties in the future, where tweens all meet and authenticate to each other — like a PGP key signing party, but with cupcakes.

Without the device, girls can only chat over Barbie Girls’ standard chat system, which limits them to a menu of greetings, questions and phrases pre-selected by Mattel for their wholesome quality. 

In contrast, Secret B Chat  lets girls chat with their keyboards — just like a real chat room. But it limits the girl-talk to a white list of approved words. “If you happen to use a word that's not on our list (even if it's not a bad one), it will get blocked,” the service cautioned girls at launch. “But don't worry —  we're always adding cool new words!”

By the way, Kevin Poulsen has to get the “High Tech Line of the Year Award” for “a PGP key signing party, but with cupcakes.”  Fantastic!

[Thanks to Sid Sidner at ACI for telling me about this one…]