Shrub wargaming at crawford.
http://www.makethemaccountable.com/real/

Let it load, let it load, let it load. Uninalienable rights. HAHAHA! Unintelligible maybe. History can be fun, check this out...

"My trip to Asia begins here in Japan for an important reason. (Applause.) It begins here because for a century and a half now, America and Japan have formed one of the great and enduring alliances of modern times."

"All in all, it's been a fabulous year for Laura and me."

STOP! You're killing me.
Re: alternate dos pgp client?
I put together a list of openpgp related software at:

http://www.cypherspace.org/openpgp/

this includes library only code, and add on software.

Not sure about your questions about key versions, but I forwarded it to Ulf Moeller and Len Sassaman (current maintainer of mix3).

From what I've seen mix3 (pgptest app) is the closest to providing a command line. There was also Tom Zerucha's reference openPGP code, which is command line but it's alpha level code I think and no longer maintained.

Adam

On Tue, Aug 20, 2002 at 09:28:47PM -0500, Anonymous wrote:
> The latest release of Mixmaster claims to be an "OpenPGP enhancement
> release". I looked at the source more closely, and it seems to contain an
> entire pgp implementation. I had previously thought it made external calls
> to either pgp or gnupg.
>
> This got me thinking - has anyone tried hacking mixmaster to be a pgp
> client? I have compiled it under DOS before, so I know that is possible.
> Does anyone know if mixmaster can use 'non-legacy' RSA keys? Is there any
> pgp functionality that it lacks? I am looking for a pgp implementation that
> will run on DOS, but will also be compatible with modern key types.
ARE YOU TIRED OF ALWAYS EATING THE SAME MEALS?
Your tables will come alive... You will escape the routine range of dishes. A 5-volume cookbook series prepared in Word format, consisting of about 40 categories and 3000 recipes, for only 10,000,000 (ten million). For a sample file and detailed information, visit: http://www.geocities.com/yemekzevki3003/
Re: Chaum's unpatented ecash scheme
Nomen Nescio wrote:

> David Chaum gave a talk at the Crypto 2002 conference recently in which
> he briefly presented a number of interesting ideas, including an approach
> to digital cash which he himself said would "avoid the ecash patents".
>
> The diagram he showed was as follows:
>
>                    Optimistic Authenticator
>
>                            z = x^s
>
>     Payer              f(m)^a z^b                   Bank
>                            ->
>                        [f(m)^a z^b]^s
>                            <-
>                          m, f(m)^s
>                            ->
>
> It's hard to figure out what this means, but it bears resemblance to a
> scheme discussed on the Coderpunks list in 1999, a variant on a blinding
> method developed by David Wagner. See
> http://www.mail-archive.com/coderpunks@toad.com/msg02323.html for a
> description, with a sketch of a proof of blindness at
> http://www.mail-archive.com/coderpunks@toad.com/msg02387.html and
> http://www.mail-archive.com/coderpunks@toad.com/msg02388.html.
>
> In Chaum's diagram it is not clear which parts of the key are private and
> which public, although z is presumably public. Since the bank's action
> is apparently to raise to the s power, s must be secret. That suggests
> that x is public. However Chaum's system seems to require dividing by
> (z^b)^s in order to unblind the value, and if s is secret, that doesn't
> seem possible.
>
> In Wagner's scheme everything was like this except that the bank's key
> would be expressed as x = z^s, again with x and z public and s secret.
> f(m) would be a one-way function, which gets doubly-blinded by being
> raised to the a power and multiplied by z^b, where a and b are randomly
> chosen blinding factors. The bank raises this to its secret power s,
> and the user unblinds to form f(m)^s. To later deposit the coin he does
> as in the third step, sending m and f(m)^s to the bank.
>
> For the unblinding, the user can divide by (z^b)^s, which equals z^(b*s),
> which equals (z^s)^b, which equals x^b. Since x is public and the user
> chose b, he can unblind the value. Maybe the transcription above of the
> Chaum scheme had a typo and it was actually similar to the Wagner method.

Sounds like it.

> Chaum commented that the payer does not receive a signature in this
> system, and that he doesn't need one because he is protected against
> misbehavior by the bank. This is apparently where the scheme gets
> its name.

Note that the scheme as described (and corrected) is vulnerable to marking by the bank, and so is not anonymous. This is discussed and fixed in my paper on Lucre (http://anoncvs.aldigital.co.uk/lucre/theory2.pdf).

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

Available for contract work.

"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
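The corrected Wagner-style exchange quoted above (bank key x = z^s, payer sends f(m)^a z^b, unblinds by dividing by x^b and taking an a-th root), carried through in runnable form. This is an added example, not code from the post, from Chaum or Wagner, or from the Lucre paper; the toy-sized safe-prime group, the hash-based f(m), and the Bank, withdraw and unblind names are my own assumptions.

```python
"""Toy implementation of the doubly-blinded 'optimistic authenticator'.

Group: the order-q subgroup of Z_p^* for a safe prime p = 2q + 1, found
by search at a toy size so the example runs instantly (assumption: a real
deployment needs a large group and the fixes from the Lucre paper).
"""
import hashlib
import secrets

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def _is_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for p in _BASES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _BASES:
        y = pow(a, d, n)
        if y in (1, n - 1):
            continue
        for _ in range(r - 1):
            y = y * y % n
            if y == n - 1:
                break
        else:
            return False
    return True


def make_group(bits: int = 64):
    """Smallest safe prime p = 2q + 1 with q above 2**bits; returns (p, q)."""
    q = (1 << bits) | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


P, Q = make_group()
Z = 4  # 2^2 is a quadratic residue != 1, so it generates the order-q subgroup


def f(m: bytes) -> int:
    """One-way map into the order-q subgroup: hash, then square mod p."""
    h = int.from_bytes(hashlib.sha256(m).digest(), "big") % P
    return pow(h, 2, P)


class Bank:
    def __init__(self):
        self.s = secrets.randbelow(Q - 2) + 2  # secret exponent s
        self.x = pow(Z, self.s, P)             # public key x = z^s
        self.spent = set()

    def sign_blinded(self, blinded: int) -> int:
        """Second message of the diagram: raise the blinded value to s."""
        return pow(blinded, self.s, P)

    def deposit(self, m: bytes, coin: int) -> bool:
        """Third message: accept (m, f(m)^s) once; the bank recomputes f(m)^s."""
        if m in self.spent or coin != pow(f(m), self.s, P):
            return False
        self.spent.add(m)
        return True


def withdraw(m: bytes):
    """First message: f(m)^a z^b with fresh blinding factors a, b."""
    a = secrets.randbelow(Q - 2) + 2
    b = secrets.randbelow(Q - 2) + 2
    blinded = pow(f(m), a, P) * pow(Z, b, P) % P
    return blinded, (a, b)


def unblind(bank_x: int, signed: int, a: int, b: int) -> int:
    """signed = f(m)^(a s) * z^(b s) = f(m)^(a s) * x^b; strip x^b, then the a-th root.

    The payer cannot check the result against a public key here (Chaum's
    'no signature' remark); only the bank can verify f(m)^s at deposit.
    """
    t = signed * pow(pow(bank_x, b, P), -1, P) % P   # divide by x^b
    return pow(t, pow(a, -1, Q), P)                   # exponent a*s*a^-1 = s mod q


def run_protocol(m: bytes = b"constructed coin #1") -> bool:
    """Withdraw, unblind and deposit one coin; returns True if the bank accepts it."""
    bank = Bank()
    blinded, (a, b) = withdraw(m)
    coin = unblind(bank.x, bank.sign_blinded(blinded), a, b)
    return bank.deposit(m, coin)
```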
Discouraging credential sharing with Mojo
Some credential issuing schemes, such as those from Brands as well as from Camenisch & Lysyanskaya, try to avoid credential sharing by embedding into the credential some secret which is important and valuable to the credential holder. Then if the credential is shared, the recipient learns the important secret, to the detriment of the person sharing the credential. So he won't do it.

The problem is that there don't seem to be any secrets that will work well in discouraging sharing. The most obvious is a credit card number, but this has a number of problems: some people don't have credit cards; people could cancel their credit cards after receiving the credential; and underground hackers have access to thousands of stolen credit card numbers that they don't mind sharing.

Clearly we need a new approach. Here is a suggestion for a simple solution which will give everyone an important secret that they will avoid sharing.

At birth each person will be issued a secret key. This will be called his Mojo. He will also get the associated public key which will assist in protocols which involve committing to his Mojo. The public key can be revealed but the Mojo should be kept secret at all costs.

Then in a credential issuing protocol, the user embeds his Mojo into his credential in a provable way. It is important that the protocol not reveal the Mojo to the issuer, but rather that some kind of zero knowledge proof be used so that the issuer is confident that sharing the credential will reveal the Mojo.

Now all that is needed is a simple change to the law so that knowing someone's Mojo makes him your slave. That is, if you know someone's Mojo you own him. You get access to all his money and all his assets. You can force him to work for you and take all he earns. You can mistreat and even kill him. If he tries to escape, the Runaway Mojo Slave act will commit the government to tracking him down and returning him to you.

With this small change to the law, everyone will be gifted with an important secret which they can use to bind and commit themselves in a variety of protocols. By embedding their Mojo into their secret credentials, they can assure the credential issuer that the credential won't be shared. Mojo can also serve as an "is a person" credential and allow for secure electronic voting and other protocols where each person should only participate once.

Please join me in supporting this important reform.

Just say, "I want my Mojo!"
Re: Signing as one member of a set of keys
On Sat, 17 Aug 2002, Anonymous wrote:

> *** COULD SOMEONE PLEASE FOLLOW THE STEPS ABOVE AND PUT THE ringsig.c,
> ringsign, ringver, AND sigring.pgp FILES ON A WEB PAGE SO THAT PEOPLE
> CAN DOWNLOAD THEM WITHOUT HAVING TO GO THROUGH ALL THESE STEPS? ***

The files are available at:

http://www.abditum.com/~rabbi/ringsig/

Also, if you'd like to send me a more detailed blurb for the webpage, I'd be happy to put it up. Otherwise, this will have to do.

> 9. Please report whether you were able to succeed, and if not, which step
> failed for you.

I just ran into a bunch of errors when trying to compile with OpenSSL 0.9.7beta3. I'm debugging now...

--Len.
Re: alternate dos pgp client?
On Tue, 20 Aug 2002, Anonymous wrote:

> This got me thinking - has anyone tried hacking mixmaster to be a pgp
> client? I have compiled it under DOS before, so I know that is possible.
> Does anyone know if mixmaster can use 'non-legacy' RSA keys? Is there any
> pgp functionality that it lacks? I am looking for a pgp implementation that
> will run on DOS, but will also be compatible with modern key types.

It is possible to build a simple PGP client with the source you have -- the file pgptest.c offers that, but it's really only for debugging purposes. Run "make mpgp" in the Src directory to try it.

A better interface to the standalone PGP functions shouldn't be hard to write. We can look into that if there is demand for it.

Note that Mixmaster has no concept of the web of trust, and doesn't do keychain management. It assumes that if you are placing a key on your keyring, you've determined it is valid.

That said, Mixmaster does offer all the basic OpenPGP messaging capabilities, except for verification of clear-signed messages. (This wasn't needed for any of the features Mixmaster provides, so it wasn't added.) We'll be adding this capability soon, however. (The author of the QuickSilver Windows remailer client app has requested it. QuickSilver provides PGP capabilities through the Mixmaster .dll, sans clearsig verification.)

Mixmaster does support RSA v4 keys, though it doesn't have Twofish support since it links against OpenSSL for its crypto, and OpenSSL doesn't have Twofish support. If you have OpenSSL 0.9.7, Mixmaster will support AES. (Also, Mixmaster now supports use of the Modification Code Detection packet in OpenPGP messages, which is used to prevent the attack Schneier, et al. recently wrote about.)

As far as DOS goes -- I honestly haven't tried compiling for DOS. It "should" work. Please let me know if you run into any problems.

(And, as always, we're in need of developers and testers. If you're interested in working on this project, please join the development mailing list. See mixmaster.sf.net for more info.)

--Len.
Re: IETF WG on SMTP feeler...
> There has been an awful lot of discussion on this here in CP land,
> so maybe some responses too?
>
> A good place to put forward suggestions to make hard calculations
> a requirement of delivery or maybe some digicash to pay for it?

SMTP will never change, assuming it is a pipe dream. There is no record of basic internet protocol ever being changed away from compatibility (and guess what, spammers won't upgrade.)

Looks like desperate dotcommies. If you want to be seen by the world, the world will send you shit. No way around it.

= end (of original message)

Y-a*h*o-o (yes, they scan for this) spam follows:

HotJobs - Search Thousands of New Jobs
http://www.hotjobs.com
The state wants your 'buddy' list
Consider the privacy implications of requiring mothers to list all mates with the State..

http://www.latimes.com/news/nationworld/nation/la-na-adopt21aug21005115.story?coll=la%2Dheadlines%2Dnation%2Dmanual

Florida Wants All the Details From Mothers in Adoption Notices

Rule: Law stirs furor as women must publicly list sexual partners before giving up their children.

By JOHN-THOR DAHLBURG, TIMES STAFF WRITER

MIAMI -- Can a woman be compelled by law to publish details of her sex life in the newspaper, including the names of the men she has been intimate with?

In Florida she can, if she is offering her child for adoption.

The law, intended to give biological fathers a greater say in the adoption process, has stirred controversy nationwide. Opponents call it a latter-day "scarlet letter" meant to shame promiscuous women. Even the state senator who championed the measure admits that it has had unintended results.

"The law is anti-adoption, anti-family, anti-child, anti-woman," contended Nashville attorney Bob Tuke, president of the American Academy of Adoption Attorneys. "There is no other law like it in America."

Jeffery M. Leving, a Chicago attorney and advocate for fathers' rights, countered: "I like the law because it recognizes that fathers are parents too. It recognizes that they should have notice before a child is given away forever."

Under the law, if a Florida mother seeks to give up her child for adoption and a search has failed to turn up the father, she is required to publish a legal notice giving her full name, height, weight and coloring--plus the names or descriptions of every possible father and the dates and places of their sexual encounters. The ads are supposed to run once a week for four weeks and must appear in newspapers in any city or county where the child might have been conceived.

"This is such an intrusion of a woman's privacy and of the privacy of the men who were involved with her," said Charlotte H. Danciu, a Boca Raton, Fla., attorney who specializes in adoptions and has gone to court to challenge the law. "And the men named in the newspaper may not even be the father."

The goal of the law, which was passed overwhelmingly by the Florida Legislature last year, is to locate as many biological fathers as possible and prevent the bitter, drawn-out battles that can break up adoptive families after children have been placed. But when told of the statute's publication clause, some pregnant women have walked out of Danciu's office and had abortions, the lawyer said.

On July 24, in response to a suit brought by Danciu, Palm Beach County Circuit Judge Peter Blanc ruled that the law should not apply to rape victims. The lawyer is representing six clients, including a 12-year-old rape victim, who want to offer their offspring for adoption but haven't been able to locate the fathers or don't know their identities. Danciu plans to appeal to have the law declared unconstitutional for adults and minors alike.

"Under the judge's ruling, if there was consensual sex, which in the case of one of my clients involves a 14-year-old who slept with numerous men and boys in her school, she would have to put these ads in her hometown newspaper, with their names, plus their descriptions: eye color, hair color, weight, height," Danciu said. "It's repulsive. I refuse to do it."

The law's chief sponsor was state Sen. Walter "Skip" Campbell Jr., a Democrat from Browa
Re: Discouraging credential sharing with Mojo
On Wed, 21 Aug 2002, Anonymous wrote:

> Clearly we need a new approach. Here is a suggestion for a simple
> solution which will give everyone an important secret that they will
> avoid sharing.
>
> At birth each person will be issued a secret key. This will be called
> his Mojo.

[snip]

> Now all that is needed is a simple change to the law so that knowing
> someone's Mojo makes him your slave.

Virtually all cultures have held the mythological belief that all "beings with souls" have a True Name, and that knowledge of one's true name leads to power over him. (This isn't really surprising, since the True Name concept features prominently in Babylonian mythology, from which the myths of nearly all other civilizations have sprung.)

For instance, knowing the True Name of a god could result in one being granted godly powers, or immortality (cf: Isis learning the True Name of Ra in Egyptian mythology). In Greek (and neo-pagan) nature myths, speaking the true name of a landscape object could give the speaker protection or favors from the spirit inhabiting the object. In Hebrew, Essene, and Islamic mythology, as well as Celtic, Pacific Island, and Norse tales, the True Name theme appears repeatedly. Etc.

It sounds like you wish to revive this superstition, but instead make it cryptographically enforceable. "Trust in the laws of mathematics and men, not of gods?" Welcome to the Church of Strong Cryptography.

> Please join me in supporting this important reform.
>
> Just say, "I want my Mojo!"

Sometimes, I wonder if some of these posts are not intended to be as ironic as they appear.

-MW-
Violent marketing builds the new elite of the net
Create a PAYCHECK with your COMPUTER
Good Morning:

You get emails every day, offering to show you how to make money. Most of these emails are from people who are NOT making any money. And they expect you to listen to them?

Please, if you want to make money with your computer, then you should hook up with a group that is actually DOING it. We are making a large, continuing income every month. What's more - we will show YOU how to do the same thing.

How are we different? This business is done completely by internet and email, and you can even join for free to check it out first. If you can send an email, you can do this.

How much are we making? Below are a few examples. These are real people, and most of them work at this business part-time. But keep in mind, they do WORK at it - I am not going to insult your intelligence by saying you can sign up, do no work, and rake in the cash. That kind of job does not exist. But if you are willing to put in 10-12 hours per week, this might be just the thing you are looking for.

N. Gallagher: $3000 per month
T. Hopkins: $1000 per month
S. Johnson: $6000 -$7000 per month
V. Patalano: $2000 per month
M. South: $5000 per month
J. Henslin: $7000 per month

This is not income that is determined by luck, or work that is done FOR you - it is all based on your effort. But, as I said, there are no special skills required. And this income is RESIDUAL - meaning that it continues each month (and it tends to increase each month also).

Interested? I invite you to find out more. You can get in as a free member, at no cost, and no obligation to continue if you decide it is not for you. We are just looking for people who still have that "burning desire" to find an opportunity that will reward them incredibly well, if they work at it.

To grab a FREE ID#, simply reply to: [EMAIL PROTECTED] and write this (exact) phrase: "Grab me a free membership"

Be sure to include your:
1. First name
2. Last name
3. Email address (if different from above)

We will confirm your position and send you a special report as soon as possible, and also Your free Member Number. That's all there's to it. So please check us out and prove to yourself that we are real. We'll then send you info, and you can make up your own mind.

Looking forward to hearing from you!

Sincerely,
Eric Ratley

Note: After having several negative experiences with network marketing companies I had pretty much given up on them. This is different - there is value, integrity, and a REAL opportunity to have your own home-based business... and finally make real money on the internet. Don't pass this up..you can sign up and test-drive the program for FREE. All you need to do is get your free membership.

Unsubscribing: Send a blank email to: [EMAIL PROTECTED] with "Remove" in the subject line.
ADV: Bullet Proof Web Hosting Service
Bullet Proof Web Hosting

* If you want to promote your web site via commercial email, bullet proof web hosting is a must! As you may already know, many web hosting companies have Terms of Service (TOS) or Acceptable Use Policies (AUP) against the delivery of emails advertising or promoting your web site. If your web site host receives complaints or discovers that your web site has been advertised in email broadcasts, they may disconnect your account and shut down your web site.

* We offer reliable bulk email friendly web hosting services. You can now have the peace of mind knowing that your web site is secure during your email marketing campaigns. Bullet Proof Web Hosting 100% Guaranteed!

* This means you can send bulk email with your website address in it, and your website will not get shut down! I'm sure you've had a website shut down because you listed it in your bulk emails.

* For more information, please Email us at [EMAIL PROTECTED]
the underground software vulnerability marketplace and its hazards (fwd)
--
Eugen* Leitl <leitl> http://leitl.org
ICBMTO: N48 04'14.8'' E11 36'41.2'' http://eugen.leitl.org
83E5CA02: EDE4 7193 0833 A96B 07A7 1A88 AA58 0E89 83E5 CA02

-- Forwarded message --
Date: Thu, 22 Aug 2002 00:24:54 -0400 (EDT)
From: Kragen Sitaker <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: the underground software vulnerability marketplace and its hazards

On August 7th, an entity known as "iDEFENSE" sent out an announcement, which is appended to this email. Briefly, "iDEFENSE", which bills itself as "a global security intelligence company", is offering cash for information about security vulnerabilities in computer software that are not publicly known, especially if you promise not to tell anyone else.

If this kind of secret traffic is allowed to continue, it will pose a very serious threat to our computer communications infrastructure.

At the moment, the dominant paradigm for computer security research is known as "full disclosure"; people who discover security vulnerabilities in software tell the vendor about them, and a short while later --- after the vendor has had a chance to fix the problem --- they publish the information, including code to exploit the vulnerability, if possible.

This method has proven far superior to the old paradigm established by CERT in the late 1980s, which its proponents might call "responsible disclosure" --- never release working exploit code, and never release any information on the vulnerability before all vendors have released a patch. This procedure often left hundreds of thousands of computers vulnerable to known bugs for months or years while the vendors worked on features, and often, even after the patches were released, people wouldn't apply them because they didn't know how serious the problem was. The underground computer criminal community would often discover and exploit these same holes for months or years while the "responsible disclosure" process kept their victims, who had no connections in the underground, vulnerable.

The problem with this is that vulnerabilities that are widely known are much less dangerous, because their victims can take steps to reduce their potential impact --- including disabling software, turning off vulnerable features, filtering traffic in transit, and detecting and responding to intrusions. They are therefore much less useful to would-be intruders. Also, software companies usually see security vulnerabilities in their software as PR problems, and so prefer to delay publication (and the expense of fixing the bugs) as long as possible.

iDEFENSE is offering a new alternative that appears far more dangerous than either of the two previous paradigms. They want to be a buyer in a marketplace for secret software vulnerability information, rewarding discoverers of vulnerabilities with cash.

Not long before, Snosoft, a group of security researchers evidently including some criminal elements, apparently made an offer to sell the secrecy of some software vulnerability information to the software vendor; specifically, they apparently made a private offer to Hewlett-Packard to keep a vulnerability in HP's Tru64 Unix secret if HP retained Snosoft's "consulting services". HP considered this extortion and responded with legal threats, and Snosoft published the information.

If this is allowed to happen, it will cause two problems which, together, add up to a catastrophe.

First, secret software vulnerability information will be available to the highest bidder, and to nobody else. For reasons explained later, I think the highest bidders will generally be organized crime syndicates, although that will not be obvious to the sellers.

Second, finding software vulnerabilities and keeping them secret will become lucrative for many more talented people.

The result will be --- just as in the "responsible disclosure" days --- that the good guys will remain vulnerable for months and years, while the majority of current vulnerabilities are kept secret.

I've heard it argued that the highest bidders will generally be the vendors of the vulnerable software, but I don't think that's plausible. If someone can steal $20 000 because a software bug lets them, the software vendor is never held liable; often, in fact, the people who administer the software aren't liable, either --- when credit card data are stolen from an e-commerce site, for example. Knowing about a vulnerability before anyone else might save a web-site administrator some time, and it might save the software vendor some negative PR, but it can net the thief thousands of dollars.

I think the highest bidders will be those for whom early vulnerability information is most lucrative --- the thieves who can use it to execute the largest heists without getting caught. Inevitably, that means organized crime syndicates, although the particular gangs who are good at networked theft may not yet ex