Busted for hijacking web site (social engr)

[Major Variola (ret.)]

Man Is Accused of Hijacking Web Site
[*]  He allegedly diverted Al Jazeera viewers to a bogus home page at

the height of the war.

By David Rosenzweig, Times Staff Writer

A California man has been charged by federal
authorities with hijacking Al
Jazeera's Internet Web site during the Iraqi war and
diverting viewers to a bogus
home page that displayed an American flag and the
message, "Let freedom ring."

John William Racine II, a 24-year-old Web site
designer from Norco, has agreed
to plead guilty to wire fraud and unlawful
interception of an electronic
communication, a spokesman for the U.S. attorney's
office said Wednesday .

Impersonating an employee of the Arab television
network's Web site, Racine
allegedly tricked an Internet service provider into
changing a password that
enabled him to commandeer the Al Jazeera site,
according to a criminal complaint.

Racine was accused of intercepting about 300 e-mail
messages intended for Al
Jazeera before the takeover was discovered during
the height of the war in
March.

Al Jazeera, the popular Arab satellite television
channel based in Qatar, has been
the target of some criticism in the United States
because of its airing of
videotaped pronouncements from fugitive Al Qaeda
leaders

Al Jazeera is backed by the government of Qatar but
is widely perceived as
editorially independent, experts said.

Racine could not be reached for comment Wednesday.

http://www.latimes.com/news/local/la-me-jazeera12jun12,1,4525407.story?coll=la-headlines-california

unregistered shell

[Major Variola (ret.)]

June 6, 2003  |  WASHINGTON -- A man was arrested outside the Capitol
Friday for
carrying unregistered ammunition in his car, a police spokeswoman said.

Capitol Police spokeswoman Jessica Gissubel said police stopped the car
as it was
traveling on Constitution Avenue on the north side of the Capitol
because it had a
gasoline container strapped to its roof. The man, who was not
identified, voluntarily
handed over the ammunition, described as a shotgun shell. It is illegal
to carry
unregistered ammunition in the District of Columbia.

http://www.salon.com/news/wire/2003/06/06/capitol/

They can't find WMD, but they can find a dude with a shell in his truck.

IQ, g, flying

[Major Variola (ret)]

At 02:30 PM 5/30/03 -0700, Tim May wrote:
>The second irony is that just today I took my first flying lesson, in a

>Diamond Katana composite/carbon single-prop plane. I took off from the
>Watsonville Airport, which is, I assume, the home airport of Adelman.

Just FYI, if you read up on G (general intelligence factor), you will
learn that the *only* cause of death that increases with G is dying in
airplanes.
(This is evidence that G is real, and general, and intelligence is
adaptive.)

You might also enjoy http://www.av8n.com/ which I once stumbled upon
because Denker now does crypto.

Re: Brinworld: Streisand sues amateur coastal photographer at californiacoastline.org

[Major Variola (ret)]

At 10:00 PM 5/30/03 -0400, Tyler Durden wrote:
>You think that's bad?
>
>I know someone who was offerred $1,000 a night to play lead trumpet for

>Streisand. When he heard that a major requirement was that he was not
to
>"lock eyes onto Streisand" (ie, look at her), he declined the offer.

Who cares?  That's a private transaction.  Neurosis is not criminal.
You can hire Streisand to sing on the condition that she keeps her nose
up your ass,
so long as its a mutually consensual transaction.

But you can't use the threat of violence (ie law) to coerce photogs
publishing what
anyone can see.  *That* is the point.

Re: Maybe It's Snake Oil All the Way Down

[Major Variola (ret)]

At 08:32 PM 5/31/03 -0400, Scott Guthery wrote:
>Hello, Rich ...
>
>When I drill down on the many pontifications made by computer
>security and cryptography experts all I find is given wisdom.  Maybe
>the reason that folks roll their own is because as far as they can see
>that's what everyone does.  Roll your own then whip out your dick and
>start swinging around just like the experts.

Are you trying to confirm that either the WASTE folks are homosexual, or
puerile,
as one might guess from the names of some of their projects?  (Not that
either impugns their code.)

On the other hand, both AES and 3DES are US gov't approved.  Which is
sufficient reason to use Blowfish.

Some of the other critiques of WASTE methods are substantial, however,
in particular the SSL recommendations are useful tidbits to remember.

Re: "PGP Encryption Proves Powerful"

[Major Variola (ret)]

   At 11:18 AM 6/1/03 -0400, Ian Grigg wrote:
>There is a reason that the AK47 is the weapon of
>choice:  it is an extraordinarily simple weapon.
>Training is probably about half the requirements
>of say the M16.  That makes a difference, much
>more so than, say, the increased accuracy of the
>M16!
Got evidence?  The benefits of the AK involve
the *weapon's* robustness, not its user interface.
Also, a 7.62 beats a 5+change mm any day.
>Phsycologically, it makes us unhappy to realise
>that the 911 attackers were actually quite simple,
>so we don't.  We build up Osama bin Laden to be
>a mastermind, a sort of James Bond-qualified evil
>guy who constructs plans of insidious cunning.
OBL is at least 2 standard deviations smarter than
Bush, and probably one more than Rummy too. 
Thinking otherwise is buying into the "madman" propoganda.

>All this is a long winded way of saying your
>average terrorist is much more like your grandma
>when it comes to tech.  Highly competant in the
>kitchen, but can't send an email to save herself.
Except that post sat-phone, the Base has plenty
of motivation to train well in opsec.  Or catch
a tomahawk.  You working for Fox News these
days?   Or just wishful thinking?

Re: Nullsoft's WASTE communication system

[Major Variola (ret)]

At 01:09 PM 5/30/03 -0400, John Brothers wrote:
>
>> Any license that you may
>> believe you acquired with the Software is void, revoked and terminated.
>
>Can you void and/or revoke the GPL?

Who cares?  There is *no* obligation that you check back with Nullsoft
to re-read their terms.  They can whine about licenses all they want,
but no downloader has any need to check back, or change their behavior.
E.g., Realmedia may have pulled an early Free version their .ram 
generator, but its out there.

I think people have not quite gotten their hands around the
speed at which information can be disseminated online.
-Monica Lewinsky, LATimes 9 may 01

[Brinworld] Neighbor's surveillance camera?

[Major Variola (ret)]

Authorities said they were considering the possibility that a second 
person might have been involved in the abduction, based on video from a 
neighbor's surveillance camera.

http://www.cnn.com/2003/US/West/06/09/california.abduction/index.html

Typical PGP user mistakes

[Major Variola (ret.)]

I recall reading at least one study of learning PGP and its UI.
I have had the chance to observe half a dozen (albeit, smarter
than normal) others' (mostly engineers) learning curves.
All are using PGP 7.03 and Eudora 3.05.
We are not using public key servers.

Mistakes include:
* neglecting to encrypt to an intended recipient's key
* encrypting to self (only)
* not encrypting to self, requiring a recipient to send it back to you
* accidentally multiply encrypting a message (ie, you encrypt the
encrypted ASCII)

Problems also include not being able to rename the email address
associated
with a key, leading to some recipients being recognized and encrypted
to,
others not.  Also errors if there are spaces added to the PGP ASCII
block.

Yes, there are checkbox-features and PGP Groups and sufficient GUI
feedback
such that these mistakes are "not the tool's fault".  And I/we
appreciate these
features and overall excellent design.

Yet there are also people who enjoy
studying UI design, cognition, learning, etc.  and perhaps these
anecdotal observations
would be useful.  After all, Enigma was broken by exploiting the
man-machine
interface.

No one new to any tool should be using it for life-critical
apps before competent.  The above mistakes more self-inflicted denial of
service
problems than tool weaknesses.  In fact, one group member accidentally
sent email to
a random user in the sender's ISP (because of the sender's Eudora-alias
not matching the alias he typed in the To: field).  This didn't matter
because the content was encrypted.

You often put locks on things (cars, homes, throwaway email accounts) to
protect against benign, accidental intrusions, even if the lock is
easily defeated/circumvented.  We just happened to be
using a strong lock, endorsed by the Red Brigade :-)

---
Pierre Curie didn't die from radiation
poisoning, he was hit by a horse drawn cart

Re: unregistered shell

[Major Variola (ret)]

At 12:29 AM 6/10/03 -0700, Bill Stewart wrote:
>At 09:48 AM 06/09/2003 -0700, Major Variola (ret.) wrote:
>>the Capitol because it had a gasoline container strapped to its roof.

>but this sounds like a case of Darwin catching up with the guy
>in a way that only eliminates *him* from the gene pool
>rather than taking out innocent bystanders when the
>gas can falls off his car roof

Depends on how sturdily he attached it.  Jeeps (et al) have spots
for gas cans in the rear exterior of the car.  Driving with
a tank of gas in the passenger compartment isn't a good
thing.  Also RVs typically have a few gallons of propane on
an exterior tank.  And welding trucks..

But the real point is that ammo has to be registered.  Amazing.
I found an old, live cartridge in the desert last weekend, tossed it in
the car.  What if I lived near DC instead of SoCal?

---
"Did you really think that we want those laws to be observed? . . .
We want them broken. You'd better get it straight that it's not a
bunch of boy scouts that you're up against - and then you'll know
that this is not the age for beautiful gestures. We're after power
and we mean it. . . . . There's no way to rule innocent men. The only
power any government has is the power to crack down on criminals.
Well, when there aren't enough criminals one makes them. One declares
so many things to be a crime that it becomes impossible for men to
live without breaking laws. Who wants a nation of law-abiding
citizens? What's there in that for anyone? But just pass the kind of
laws that can neither be observed nor enforced nor objectively
interpreted - and you create a nation of lawbreakers - and then you
cash in on the guilt. Now that's the system, . . . that's the game,
and once you understand it, you'll be much easier to deal with."
   From Atlas Shrugged, by Ayn Rand.

Re: SIGINT planes vs. radioisotope mapping

[Major Variola (ret)]

t 10:23 AM 6/6/03 -0700, Tim May wrote:
>I certainly never implied in any way that a simple G-M tube would be
>useful for this. Implicit in my radioistope mapping comment was that a
>gamma ray spectrometer would be used.
>
>And note that this is just what can be easily bought on the open
>market...N.E.S.T. (Nuclear Emergency Search Team) and similar LEO
>people almost certainly have more miniaturized detector setups.

Indeed, there is a group of GeigerCounterEnthusiasts on Yahoo whose
members
have/make this kind of thing.  You use scintillation plastic &
photomultiplier tubes;
you can get these on eBay.

Sometimes they mount their detectors in cars and find that some sections

of roads are hotter than background, or a hot railroad car.

>For this I used a pair of large sodium
>iodide crystals

which also show up on eBay

>mode that resulted in a pair of gammas sent out in opposite directions.

Also the principle behind PET scans.  Mr. positron meets Ms. electron,
and bang, two little Gammas carry the momentum away...

GM tubes use avalanche to amplify; the scintillators, NaI, semiconductor

junctions measure analogue energy, so you get an energy spectrum.
Add a few comparators and a logic gate and you get a channel.

...
Pierre Curie didn't die from radiation
poisoning, he was hit by a horse drawn cart

1st amend applies to video games

[Major Variola (ret.)]

A federal appeals court panel has struck down a law that restricted
children's access to
violent video games, giving the software the same free-speech
protection as that for
works of art.

A panel of the 8th Circuit Court of Appeals ruled Tuesday that a St.
Louis County, Mo.,
ordinance that bans the rentals or sales of graphically violent
video games to minors violates
free-speech rights. In doing so, the panel reversed a ruling by the
U.S. District Court for the
Eastern District of Missouri and ordered the lower court to craft an
injunction that would
prohibit the ordinance from taking effect.

In Tuesday's ruling, the panel decided that if the paintings of
Jackson Pollock, the music of
Arnold Schoenberg and the Jabberwocky verse of Lewis Carroll are
protected by the First
Amendment, then video games should be, too.
http://news.com.com/2100-1043_3-1012882.html?tag=lh

Re: An attack on paypal

[Major Variola (ret)]

At 03:39 PM 6/10/03 -0700, Bill Frantz wrote:
>At 5:12 PM -0700 6/8/03, Anne & Lynn Wheeler wrote:
>>somebody (else) commented (in the thread) that anybody that currently
>>(still) writes code resulting in buffer overflow exploit maybe should
be
>>thrown in jail.

Not a very friendly bug-submission mechanism :-)

>IMHO, the problem is that the C language is just too error prone to be
used
>for most software.  In "Thirty Years Later:  Lessons from the Multics
>Security Evaluation",  Paul A. Karger and Roger R. Schell
> credit the use of PL/I
for
>the lack of buffer overruns in Multics.  However, in the
Unix/Linux/PC/Mac
>world, a successor language has not yet appeared.

What about Java?  Apart from implementation bugs, its secure by design.

---
"and then you go to jail" is a bad error-handler for a protocol.

Re: Steganography and musical scores?

[Major Variola (ret)]

(resent) At 11:44 AM 6/13/03 -0400, Peter Wayner wrote:
>At 9:27 AM +0200 6/13/03, Thomas Shaddack wrote:
>>See also something about computer-generated music:
>>http://brainop.media.mit.edu/online/net-music/net-instrument/Thesis.html

>>
>
>
>I'm told someone is trying to encode information by ordering the
>musical notes played in a chord with a Midi synthesizer. It's
>possible to hide information in the order of a set using a technique
>like this:
>
>http://www.wayner.org/books/discrypt2/sorted.php

That's cute --there's no acoustic difference.  There are also
methods which produce nearly imperceptible differences --you
can adjust the millisecond-scale timings, or the dynamics.
Since these will vary with each performer's rendition anyway,
they're fairly stealthy.

You bought it, Who controls it? [TR Article]

[Major Variola (ret.)]

article by Edward Tenner,
Technology review, June 2003 p61-64

Also an article on "deceipt detector" p67-69
about using IR reflectivity of your frontal lobes
to detect deceipt.  Sort of a polygraph on steroids.

(sorry, only cites, not URLs this time)

[Brinworld] Car's data recorder convicts driver

[Major Variola (ret.)]

(ok, from slashdot..)
http://www.newhouse.com/archive/jensen061203.html

Re: [Brinworld] Car's data recorder convicts driver

[Major Variola (ret)]

At 11:16 AM 6/16/03 -0500, Shawn K. Quinn wrote:
>On Monday June 16 2003 09:59, Major Variola (ret.) wrote:
>> (ok, from slashdot..)
>> http://www.newhouse.com/archive/jensen061203.html
>
>I personally find the privacy implications of EDRs rather unsettling.
>This story doesn't change that one bit. However, in this particular
>case, I don't think what the EDR said really matters.

Not only the privacy implications, but also the legal evidence
validity.  When you get radared, or ethanol-tested, the measurements
are calibrated.  When your house or computer gets searched, there
is a concept of a chain of control over the evidence, to
assure that no one slips something incriminating into
an evidence bag or onto your disk.

Now, I don't know how subpeoned phone or other
electronic records are handled ---has anyone ever
questioned Telco's or paging company recordkeeping?
Any readers know more?

Are these records merely put forth for the jury to
consider, on the assumption that they will consider
them 'impartial' and also 'infallible'?  (Note that when
red-light-camera operators (TRW) get a cut of the $ take,
judges/juries will sometimes throw out those tickets, on
the basis of calibration & motivation.  San Diego did this.)

The different-diameter tire, and hacked control system
*are* relevent, as well as the EDR system not being designed
for legal-forensic reliability.

Albeit in this particular case, the driver needs to be hung merely on
what's been admitted and what happened.  But in cases
where the EDR is critical to an argument, I wonder.
The PR aspect for the car companies is also very interesting.
Of course, when an EDR *absolves* someone, they will
surely play it up.

PGP 8 flaw work-around

[Major Variola (ret)]

Someone posted a bug wherein PGP 8 (XP version) saw keys >4 years
as expired.  There is a workaround, merely change your passphrase
and resend the key.  (You may change the passphrase to the same
passphrase.)

Hacking for pigs makes you a pig, trojans, 4th amend

[Major Variola (ret.)]

June 18, 2003

Evidence Barred in Ex-O.C. Judge's Child-Porn Case
Writings and photos were illegally obtained from Ronald Kline's
computer, court rules.

By Christine Hanley, Times Staff Writer

A federal judge on Tuesday threw out most of the key evidence in a
high-profile
child pornography case against a former Orange County judge, ruling that

sexually explicit diary entries and photos were discovered after illegal
computer
searches by a Canadian hacker who was working for police.

The ruling could undermine much of the case against Ronald C. Kline,
whose
arrest drew national attention and ultimately resulted in the judge
dropping his bid
for reelection.

U.S. District Judge
Consuelo B. Marshall in
Los Angeles found that
Kline's 4th Amendment
privacy rights were
violated when Bradley
Willman of Langley,
British Columbia, invaded
his home computer with
a so-called Trojan Horse
virus.
In a 12-page decision,
Marshall suppressed all
the evidence seized from
Kline's home and his
home computer, including excerpts from a
computer diary about his sexual desires and more
than 1,500 pornographic photos of young boys.

"The Court finds that Bradley Willman was a government agent at the time
of the intrusion, that Willman
thought of himself as an agent for law enforcement, and that Willman's
motivation was to act for law
enforcement purposes," Marshall wrote.

Willman, the judge ruled, was acting as a tool for police and  as with
any law enforcement agent 
would be barred from seizing any personal property without a search
warrant.

Marshall left open the question of whether material seized from Kline's
courthouse computer will be allowed,
asking both sides to return Sept. 15 to discuss that matter.


http://www.latimes.com/news/local/la-me-kline18jun18,1,5480864.story?coll=la-headlines-california

1st amend, thoughtcrime, schools as pipelines to jail

[Major Variola (ret.)]

To establish a criminal threat, it would have to be shown that he wanted
the [threatened] officer to see the
 work, the court said.

"The painting does not appear to be anything other than pictorial
ranting," the court said. "The criminal law
does not, and cannot now, implement a zero-tolerance policy concerning
the expressive depiction of
violence."

Schools are becoming one of the primary pipelines to the juvenile
justice system," said Shannan Wilber,
executive director of Legal Services for Children in San Francisco.

Excerpts from
http://www.latimes.com/news/local/la-me-threat18jun18001434,1,6789200.story?coll=la-headlines-california

Re: Destroying computers

[Major Variola (ret)]

At 01:07 AM 6/19/03 -0400, Tyler Durden wrote:
> Methinks Mr Hatch is not a very bright man.

A Southern senator.  Need I say more?

Usual suspect wrote:
>>If Orrin Hatch proposes such a thing, we can propose technologies
which
>>identify those from .gov or .mil or other Congress/Gov't. domains and
send
>>lethal viruses and suchlike back to them to destroy their machines  if
they
>>illegally connect to our machines.

Trivial to do, and legal, if they are advised and consent by clicking
through.
M$'s auto bug- / RAMsnooping- reporting is legal since the lUsers
agreed.
One man's trojan is another's remote control / file sharing program,
baby.
Similarly an encryption program that won't decrypt without a license.

I have often considered releasing binaries with a EULA that stipulates
various actions taken if found to be running on machines whose IP
address
reverse-lookups to an evil, (specified) TLD.  No different than a demo
program that won't save results without a license; if the license is
granted
automatically for non-evil TLDs.  Similarly with M$'s auto posting of
RAM.

Of course, that astronomy Professor Usher would be pretty bummed when
his research was toasted by an RIAA killbot, but then the Prof employs a

provocatory surname, no?  "Collateral damage" -hey, he could change his
name, after all.  Maybe to David Nelson :-)


If programmers are liable for security flaws in code, are legislators
liable
for unconstitutional laws they pass?

Senators from Utah being Southern

[Major Variola (ret)]

At 12:30 PM 6/19/03 -0500, John Washburn wrote:
>Utah is Southern?  I do not want directions from you. :-)

Well, it is southern w.r.t. certain states, but yeah, y'all got me.

But what I meant was, a jeebus-talking, flag-waving pinhead.
A look at hatchmusic.com (while its still up :-) supports that
description.

Not all niggers are negroes, you know.  And many negroes
are not niggers.  Substitute "southern"...  its culture, not
genes or geography.

I'll leave it as an exercise to the reader to discover with whom
I was confusing, or what other senators (and other
elected federal officials) give that impression.

---
"The government of the United States is not, in any sense, founded on
the
Christian religion." George Washington, November 4, 1796

Re: You Don't Say

[Major Variola (ret)]

At 10:00 AM 6/19/03 -0700, R. A. Hettinga wrote:
>
>thousands of Americans, and the Times is dismayed, perplexed, angry and
shocked that some of them may have been >subjected to the sort of
manhandling that occurs in the hallways of middle schools throughout the
nation.

Manhandling the bitch Coulter tolerates, and then is surprised when the
manhandled show up in trenchcoats,
with guns, lots of guns, and a simple exit plan.

Analogies to US policies, 9/11, etc left as an exercise to the reader.

---
An RPG a day keeps the invaders away...

Is Hatch a Mormon or a crypto Satanist?

[Major Variola (ret)]

At 07:36 PM 6/20/03 -0400, Tyler Durden wrote:
>"Except Utah is not in the South by anybody's definition."
>
>Also as it happens I saw that WIERD Temple downtown there, and asked
"Sister
>Johnson" if she really believed God was a guy kicked back in a
Laz-Z-Boy on
>the planet Kolab. She could not tell me decisely that this was not the
case.
>
>Is Hatch a Mormon?

Surely you jest.  Anyone in any office in Utah is a Mormon.  And most of
the profs
at the universities there.  Good luck trying to buy a beer, BTW.

If they didn't own Utah, they would be firebombed faster than you can
say Janet Reno.
They only got to own Utah because they Judased their own religious
beliefs (polygamy)
to suck up to the rest of the (puritan-based) country.

I have no beef with anyone practicing their mental illnesses privately,
but when they
use the violence of the State to coerce others, they need killing.

---
Reminds me of when a sociologist was interviewing a southern farmer:
Why do you think the murder rate is higher in the south?
I guess more southerners need killin'.
as told by Aaron Evans

Army patents biowar tech, aiding the enemy, indicting itself

[Major Variola (ret.)]

Helping the Enemy?

  The U.S. Army is catching some flak for patenting two devices that
could be used to
  launch bioweapons. Critics say the patents may violate a
weapons-control treaty--and
  could give terrorists a blueprint for manufacturing the devices.

  The U.S. Patent and Trademark Office issued the two patents
(numbers 6,523,478 and
  6,047,644) over the last year. One details a "nonlethal cargo
dispenser" that attaches to
  the end of a rifle and uses a bullet's momentum to zip a chemical
or biological payload to
  its target. The other describes a cartridge that can spread an
aerosol cloud.

  The Sunshine Project, a nonprofit arms-control group with offices
in Austin, Texas, and
  Hamburg, Germany, first raised questions about the patents last
month, saying they
  appeared to violate the Biological and Toxin Weapons Convention,
which bars the
  development of delivery devices. And this month, Greg Aharonian,
publisher of the
  prominent Internet Patent News Service, piled on. "Which words in
the phrase 'aiding
  and abetting the enemy' does the Army not understand?" he asks,
adding that "it is
  hypocritical to complain about countries developing biological and
chemical weapons
  when we are openly educating them on how to do so." He says the
military should have
  classified the patents. The Army says it is looking into the
issue.

http://www.sciencemag.org/content/vol300/issue5627/r-samples.shtml#300/5627/1873a

Re: Torture done correctly is a terminal process

[Major Variola (ret)]

At 01:39 PM 6/25/03 -0400, [EMAIL PROTECTED] wrote:
>> At present, if the US wants someone terminally interrogated,
>> they ship him to Egypt and ask the Egyptians to do the
>> interrogation.

More chance of a leak there; Mossad is highly recommended.

But a terminal interrogation might bury some secrets.  Whereas
a mindfuck approach --fake newspapers, fabricated environments,
informers, nonlethal psychotropics-- can keep your resource going,
and make him leak.

Why do you think the captured al Q dudes are not allowed to speak
to others, it would trash the illusion.

"Torture done correctly is a terminal process" is so old-school...

1st amend: non commercial publishers not liable for libel

[Major Variola (ret.)]

The Ninth Circuit Court of Appeals ruled last Tuesday that Web loggers,
website operators and e-mail list
editors can't be held responsible for libel for information they
republish, extending crucial First
Amendment protections to do-it-yourself online publishers.

Online free speech advocates praised the decision as a victory. The
ruling effectively differentiates
conventional news media, which can be sued relatively easily for libel,
from certain forms of online
communication such as moderated e-mail lists. One implication is that
DIY publishers like bloggers cannot
be sued as easily.

"One-way news publications have editors and fact-checkers, and they're
not just selling information --
they're selling reliability," said Cindy Cohn, legal director of the
Electronic Frontier Foundation. "But on
blogs or e-mail lists, people aren't necessarily selling anything,
they're just engaging in speech. That
freedom of speech wouldn't exist if you were held liable for every piece
of information you cut, paste and
forward."

The court based its decision on a section of the 1996 Communications
Decency Act, or the CDA. That
section states, "... no provider or user of an interactive computer
service shall be treated as the publisher
or speaker of any information provided by another information content
provider." Three cases since then
-- Zeran v. AOL, Gentry v. eBay and Schneider v. Amazon -- have granted
immunity to commercial online
service providers.

Tuesday's court ruling clarifies the reach of the immunity granted by
the CDA to cover noncommercial
publishers like list-server operators and others who take a personal
role in deleting or approving messages
for online publication.

"Here, the court basically said that when it comes to Internet
publication, you can edit, pick and choose,
and still be protected," said Cohn.

The case traces back to a North Carolina town in 1999, where handyman
Robert Smith was repairing a
truck owned by attorney and art collector Ellen Batzel. Smith claimed to
have overheard Batzel say she
was related to Nazi Gestapo head Heinrich Himmler. He said he concluded
that the European paintings he
saw in her home must be stolen goods, and shared this in an e-mail he
sent to the editor of the Museum
Security Network, an organization that publishes information about
stolen art.

Without telling Smith the e-mail would be published, Ton Cremers -- the
sole operator of
Amsterdam-based Museum Security Network –- made minor edits, then
posted Smith's e-mail to a
list of about 1,000 museum directors, journalists, auction houses,
gallery owners and Interpol and FBI
agents.

Three months later, Batzel learned of the post. She contacted Cremers to
deny both the stolen art and Nazi
ancestry allegations. She also said Smith's claims were motivated by
financial disputes over contracting
work.

Smith said he had no idea Cremers would publish a private e-mail on the
list or on the Web.

Batzel sued Smith, Cremers and the Museum Security Network for
defamation and won. Cremers
appealed.

The appeals court questioned whether Cremers' minor edits to Smith's
e-mail altered it so much that the
post became a new piece of expression, and decided it had not. But
because Smith claims he didn't know
the e-mail would be published, the court also questioned whether the
immunity provision of the Act
applied, and passed the case back to the district court. The lower court
will reconsider whether Cremers
had reasonable belief that Smith's e-mail was intended for publication.

"Some weblogs are interesting mixes of original and forwarded content,
so this issue may come up again
in the courts," EFF's Cohn said. "Where that legal line is drawn may
become a point of contention."

Ellen Batzel says the case changed her life.

"This was a small, North Carolina mountain town -- I talked to the
(district attorney) and he said 'Get a
dog, get a gun, get a security system or better yet get out of town.' I
sold my house and moved. I've been
hurt in my professional reputation and in my private life.

"I know what free speech is, and I support it, but this is about
invasion of privacy and my civil liberty.
Every time I meet someone now, I have to say, 'Hi, I'm not Himmler's
granddaughter."

Attorney Howard Fredman, who represented Batzel in the case, said the
next legal steps could include a
rehearing before the appeals court, or petitioning the U.S. Supreme
Court.

http://wired.com/news/politics/0,1283,59424,00.html

Re: Attacking networks using DHCP, DNS - probably kills DNSSEC

[Major Variola (ret)]

At 01:05 PM 6/30/03 -0400, William Allen Simpson wrote:
>"Steven M. Bellovin" wrote:
>>
>> I can pretty much guarantee that the IETF will never standardize
that,
>> except possibly in conjunction with authenticated dhcp.
>>
>Would this be the DHCP working group that on at least 2 occasions
>when I was there, insisted that secure DHCP wouldn't require a secret,
>since DHCP isn't supposed to require "configuration"?

In some cases it would be trivial to distribute a key for DHCP trust
purposes.
My cable ISP distributes a CDROM which configures Wintel machines for
it.  (I don't use this.)  It would be easy enough for them to distribute
secret
or public keys or even hash sigs that worked with their DHCP, *if* the
clients
could use it, and *if* the users paid attention to whatever UI
accompanied
problems.

In other cases --the visitor who wants to connect a laptop to an office
net--
there is a perhaps unacceptable burden.

Re: Warchalking does not exist: a wager.

[Major Variola (ret)]

At 10:24 PM 6/30/03 -0500, Harmon Seaver wrote:
>   Don't know about warchalking per se, gpsdrive and kismet work a lot
better,
>and people trade the waypoints/nodes. Makes a hundred times more sense
that
>scribbling marks on buildings, especially that are hard to find and
wash away.

Publishing a table of GPS coords and other info sounds like something
2600 would do, for yucks.
(In fact, I thought I had seen such tables there, but couldn't find it
in a brief scan of my issues.)

architecture as torture

[Major Variola (ret)]

http://www.smh.com.au/articles/2003/01/27/1043534004548.html

Re: Reporter writing article on proffr/mattd and threats

[Major Variola (ret)]

At 04:09 PM 7/2/03 -0400, Declan McCullagh wrote:
>I received a phone call today from a newspaper reporter who's writing
an
>article on mattd/proffr and wanted background on the cypherpunks group
or
>movement, as he put it. The reporter -- who covers crime, law
enforcement,
>and the courts

How does one authenticate that a voice on a phone is a reporter?

Or is my sarcasm/wryness detector stuck?

---
We are all  reporters, we are all book sellers. We are all first class
objects. --Tim May

talking to coworkers = deemed exports

[Major Variola (ret)]

http://www.eetimes.com/story/OEG20030623S0011

The Commerce Department considers some U.S. transfers of commercial
technologies to
foreign workers as exports. In some cases, U.S. companies may be
required to obtain a
deemed-export license before giving foreign-born employees access to
sensitive
technologies.

[shades of the old crypto days, where you couldn't ask a colleage from
another country
to review your code.. this time its China, India they're freaking about]

[Reverse panopticon] Govt Information Awareness

[Major Variola (ret.)]

http://www.wired.com/news/privacy/0,1848,59495,00.html

Researchers at the MIT Media Lab unveiled the Government Information
Awareness, or GIA, website
Friday. Using applications developed at the Media Lab, GIA collects and
collates information about
government programs, plans and politicians from the general public and
numerous online sources.
Currently the database contains information on more than 3,000 public
figures.

The premise of GIA is that if the government has a right to know
personal details about citizens, then
citizens have a right to similar information about the government.

Re: Idea: The ultimate CD/DVD auditing tool

[Major Variola (ret)]

At 04:13 AM 7/6/03 +0200, Thomas Shaddack wrote:
>Pondering. Vast majority of the CD/DVD "protection" methods is based on

>various deviations from the standards, or more accurately, how such
>deviations are (or aren't) handled by the drive firmware.
>
>However, we can sidestep the firmware.
>
>The drive contains the moving part with the head assembly. There is an
>important output signal there: the raw analog signal bounced from the
>disk and amplified.
>
>We can tap it and connect it to a highspeed digital oscilloscope card.

This is a valid idea.  You do have to get in there with delicate probes
to read the amplified analog signal, its not available past the drive.

The people who already do this are called test engineers for CD drive
companies.
Or the data-recovery techs for the NSA et al.

I doubt that hardcore pirates bother, they may as well just do a single
high quality
ADC.   That, as has been mentioned here before, is always the fatal
flaw, even
if you put the DAC in your DRM chip (and solve the resulting noise
issues..)


"Yes, we know they have logic analyzers in Hong Kong" --a Sony engineer
when
confronted with weaknesses in the design of a DRM box

DNA of relative indicts man, cuckolding ignored

[Major Variola (ret.)]

Slashdot pointed to this story of a man indicted via
his *relative's* DNA sample:

http://news.bbc.co.uk/2/hi/uk_news/wales/3044282.stm

But an interesting, unmentioned issue is this: in population
DNA surveys you find that a lot of purported fathers *aren't*.
So the possibility of indicting a cuckolded man on the basis
of nominal (only) relatives is quite real.

[list rel: tech DBs, errors, law, biosurveillance]

Re: Idea: The ultimate CD/DVD auditing tool

[Major Variola (ret)]

At 03:08 PM 7/6/03 +0300, Sampo Syreeni wrote:
>. A writing drive capable of working at such a low level
>could be used to experiment with new encodings beyond what standard
CD's
>can do -- say, substituting CIRC with RSBC and gaining some extra room
on
>the disc, getting rid of the subchannels, a more intelligent coding of
>disc addresses... Breaking compatibility wouldn't be too useful, but it

>sure would be fun.

And think of the ulcers you would cause the TLAs!  Assuming they got
your
disks and not your custom drive...

>Now you simply can't do it.

There's a good reason why, viz: it would cost the drive developer to
allow
or export this flexibility.  Since very few customers are sick enough
:-) to want to invent
their own incompatible formats it simply isn't worth their
development-engineering time or
end-product resources (eg gates) in such a commodity product.

Re: Idea: The ultimate CD/DVD auditing tool

[Major Variola (ret)]

At 02:33 AM 7/7/03 +0300, Sampo Syreeni wrote:
>On 2003-07-06, Major Variola (ret) uttered to [EMAIL PROTECTED]:
>
>>There's a good reason why, viz: it would cost the drive developer to
>>allow or export this flexibility.
>
>I'd guess either because of a) terminal stupidity or b) benefits to
scale
>in making it sure people go with compatibility. As there probably have
to
>be some limits to how stupid engineers capable of making things like
>writable CD's can be, I'd have to go with the second alternative.

Frankly its obvious you haven't worked (or thought about
the constraints) on a commercial
product with a deadline / resource constraints
or worked on something extremely cost sensitive
like commodity drives/chipsets.

Here, ponder this: why are there no oxygen sensor
or manifold temperature or ignition-phase (etc) displays
in ordinary cars?
(Although there probably are in custom race cars)  You
know (much like the analog CD signal) they're being measured
and used by the ECU.  So, why not?
Chew on that one for a while, grasshopper.

Economics is applied physics.

Re: Finding collision resistant hash functions

[Major Variola (ret)]

At 02:19 AM 7/7/03 -0700, Sarad AV wrote:

or how are we supposed to
>find collision free hash functions?What exactly is the
>difficulty in finding collision free hash functions?

Because there are no collision *free* hash functions,
there will always be several domain elements that map to the
same range element.  Assuming more domain elements than
range elements, which is generally what people mean by hashing.

You're not asking the right question, you need more constraints
on the type of hash functions and their resistance to collisions.
You're probably looking for functions that make it hard to intentionally

find arguments that produce hashes identical to a given one.

There's an incredibly dry taxonomically-inclined downloadable text on
this somewhere
but the margin of my screen is too small to contain the url.  You'll
first
have to use language more precisely to get any use out of it.

Re: DNA of relative indicts man, cuckolding ignored

[Major Variola (ret)]

At 11:58 AM 7/7/03 +0100, Ben Laurie wrote:
>Major Variola (ret.) wrote:
>> So the possibility of indicting a cuckolded man on the basis
>> of nominal (only) relatives is quite real.
>
>Only he was convicted because he confessed.

Yes, of course, in this *particular* case.  Which is irrelevent.

The point is that there are undiscussed evidentiary problems using
relatives' DNA,
hinging on the assumption that "blood relatives actually share blood",
in layspeak.

Re: Genetic engineering [was: RE: DNA of relative indicts man, cuckol ding ignored]

[Major Variola (ret)]

At 03:59 PM 7/7/03 -0400, Trei, Peter wrote:
>There are some things where nearly everyone will agree
>a genetic fix is desirable - for example, suceptibility to
>heart disease, cancer, dental caries, and myopia. Other
>'vanity' fixes seem pretty harmless - being tall, busty,
>or having a well-stuffed package.
>
>Its when we get to 'fixes' to behaviour and personality
>that things start to get very hairy.

Although your examples are important, anyone who
has or has known someone with depression,
schizophrenia, or ADD [1] will argue that *subjectively unpleasant*
mental ills are as worth fixing as bad teeth.  If not more so.


I fear that those in
>power will use genetic engineering as they have used
>every other tool at their disposal - weapons, states,
>laws, and governments - to maintain their position at
>the expense of the overall welfare of the species, by
>allowing improvements only to their own descendents,
>while requiring changes to those out of power which
>make it harder for them to change their status.

Agreed, as with the rest of your post.  There are real
horrorshow future possibilities.

One more point.  What is "adaptive" depends on
your environment.  As I try to explain to my
more pigmented wife (it comes up because my
3.8 year old is in the "why" phase) while I'd get skin cancer
in tropical zones, she'd get rickets in more
northerly areas.

Extrapolate to personality properties like
"inhibition" (recently shown to be persistant
from 2 to 20 year olds ie genetic)  "aggression", etc.

[1] Please don't lets start the flame about chemical coercion
in mandatory youth education camps.  Real ADD
fucks people up.  Which is not to say that M.Y.E.C.
are well designed nor that ADD treatments are abused.

Re: DNA of relative indicts man, cuckolding ignored

[Major Variola (ret)]

At 08:36 PM 7/7/03 -0400, Stormwalker wrote:
>
>> What's wrong with voluntary eugenics?  The invention of agriculture
>> started a policy of negative eugenics that culminates with the
>> industrial welfare state paying stupids to breed, while others chose
>> birth control.  And banning somatic or germ line fixes to diseases,
if
>> you can do them, is as compassionate as banning insulin.  Which isn't

>> even a fix, just a workaround.
>
>  I was thinking of eugenics where something was forced upon others,
>  which I do not think is desirable.

Hey, I oppose *anything* which is forced upon others, even if *I*
deem it as "good".


>  The invention of agriculture has not yet culminated. It gave/gives
>  people time to do other things.

Yeah, like raise armies, feed bureaucraps, etc.  Still, I don't
hold it against the farmers.  Besides, the dominant cultures
are descendants of farmers.  See the writings of Jared Diamond.

>  Good luck banning germ lines :)
>
>> If a germ line fix has an unintended side effect, you either undo it
>> (revert back to being inclined towards diabetes, if this is
preferable
>> to the side effect, say) or you debug or patch it.  Current &
historical
>> medicine is filled with such things for mere *temporary* meds that
>> don't cure anything.
>
>   Reverting may or not be possible. The products of some germ line
>   may like what they are and wil lnot revert, no matter what other
>   folks think.

Well, if they *like* it, only violent coercion would cause reversion.
I was thinking something like, the diabetes-fix package causes premature

death or something bothersome like that.

Obviously the "service pack 6 nasal spray" needs to refuse to install
on folks without the proper prior install.  Also it needs to avoid
spurious installation on folks who don't want it ---maybe you have
to take a snort of some antibiotic combo at the same time to activate
it,
which is a current technique used for turning on inserted genes.

Later

Re: DNA of relative indicts man, cuckolding ignored

[Major Variola (ret)]

At 08:53 PM 7/7/03 -0400, Stormwalker wrote:
>On Mon, 7 Jul 2003, Tim May wrote:
>> No, it was NOT "all supposed to be a big pool that we would draw on
>> when needed." You seem to be confusing medical insurance with
>> nationalized social medicine.
>
>   No, I am not confusing medical insurance with socialized medicine
>   or anything else. I mentioned life insurance on purpose. That is a
>   bet on when I will die, they bet later, I bet earlier. Money can
>   be made - although never by me unless I cheat.

Not at all.  Much like gambling, sometimes you win "randomly"
if you stop playing after that.  "Random" is a word that means
"ignorance" and both you and the insurer are ignorant about
your true lifespan.  You only play the life-insurance game once :-)

>   Medical insurance is about maintenence of our lives. You do not
>   need to participate, but I'll bet if you get hurt, you'll head
>   to the nearest emergency room.

One person's need does not make another a slave.

BTW One could argue that driver's insurance is *more* necessary
than medical insurance, because to exist daily you need to drive.

But again, need and slaves.

>  Well, you probably don't need to explain the problems of socialized
>  medicine, but I would like to hear about how you will do your own
>  X-Rays or chemotherapy.

Some pay cash.  You can do without car insurance if you post a bond.
Others depend on *voluntary* charity --though nowadays this competes
with compulsory (taxed) welfare.

>  Not any more. See life insurance. Also, please keep in mind that
>  insurance compnaies do not make their money from premiums, but
>  from investments of all the premiums they collect and hold. Your
model
>  is not correct.

You forget that if the insurer bets wrong, they have to pay up and cash
in their investments.  For certain investments, premature withdrawl
costs more
than sitting on the cash.  Otherwise, like banks, or landlords with
deposits,
or other putatively free agents, insurers are free to do with their
funds as they please.
So long as they hold up their end of the contracts they've entered.

>The rock climber will probably not have that
>   heart attack.

FWIW, the rock climber's choice of ancestors (!) has more to do with
their heart attack (etc) risk than their choice of avocation.

>> (There are interesting scenarios for private testing for various
genes
>> or proclivities, followed by opting-out for the diseases one is
highly
>> unlikely to contract. This kind of "not paying for what you don't
use"
>> is a form of cherry-picking which only a total state could outlaw.
>> Think about it.)
>
>   This scenario of testing for specific genes is already underway.
Stay
>   tuned.

The flip side of Tim's comment is that you can pay extra for things you
are at risk for.  In a truly free market, insurers would offer packages
customized to your risk.  Genomic tendancy towards X?  Pay more,
get more ---including max payout.  Little tendancy towards Y?  Pay
less.  Rational people follow Pascal --you include probability in your
reasoning about costs.  Of course, in a free society, you are free to
be irrational, too.  (And consume whatever, and enjoy masochism, etc.)

[oblig] Those who would constrain those freedoms have earned killing.

Re: Idea: The ultimate CD/DVD auditing tool

[Major Variola (ret)]

At 08:45 AM 7/7/03 -0700, alan wrote:
>But the real issue is that all of these DRM methods rely on "security
by
>obscurity".  Such methods eventually fail.  Either the actual method is

>discovered and published or the DRM method fails in the marketplace and
is
>never heard from again.

Hilary R and Jack V are *far* more fucked than mere
security-by-obscurity.

Any human-consumable (analogue) input is readily recordable with
a single, one-time ADC, and thereafter is toast.  DRM is a fraud
perpetrated by engineers on Hollywood suits.  Good for employment
though.

Re: Idea: The ultimate CD/DVD auditing tool

[Major Variola (ret)]

At 03:14 PM 7/8/03 -0700, Tim May wrote:
>As for hearing heterodyning in 28 KHz and 30 KHz signals, maybe. CD
>players have brickwall filters to of course block such frequencies.
>Some analog groove-based systems can have some kind of signal up there
>at those frequencies, but not much.

Regular vinyl is (was) also recorded with all kinds of filters, too,
including the lowpass ones.

If you cut vinyl (or metal) through a signal chain that didn't
impose the filtering, perhaps the ultrasonics would remain,
which is perhaps the analogophiles claim.  You would need
a special vinyl cutter though.  Some of the filtering imposed
on vinyl was to not fry the cutter, or otherwise deal with its inertia.

(BTW, I thought your Monster USB cable was a prank.. its not..
some folks just don't get digital..)

MRAM, persistance of memory

[Major Variola (ret.)]

The persistance of memory could be a problem if your melting
clocks are swarmed by spooky ants.

Wired has an article on magetic RAM
http://wired.com/news/technology/0,1282,59559,00.html
that fails to mention security implications.  Obviously
nonvolitile RAM presents a different security risk than
RAM that forgets when powered off.  Will future OSes
have provisions to keep certain data out of MRAM banks,
if MRAM doesn't completely displace DRAM?
I doubt it.

And shutting off your virtual memory swapping
--useful today because of the gobs of DRAM machines have--
will no longer be useful for security.

Not so obviously to the layman is how many times MRAM
must be overwritten to keep the TLAs away.  (Exactly
analogous to scrubbing a disk.)  While this is trivial to do for
user-space,
if the OS keeps copies of sensitive info this might require
more than a huge malloc() & overwrites before shutdown.

Re: Idea: The ultimate CD/DVD auditing tool

[Major Variola (ret)]

At 07:15 PM 7/8/03 -0700, Mike Rosing wrote:
>To produce 65kHz (for cats) my present boss prefers a 1 MHz sample
rate.

Do cats buy a lot of audiophile equiptment :8=||

>The human hearing system is capable of noticing phase relations at
100kHz
>rates.

Actually I thought humans are insensitive to phase relations, modulo
inter-aural timing at low frequencies for spatial location.  Perhaps
that
is what you meant?   But spatial location isn't the same as the
frequency-fetishing
audiophiles go for.  To do that well you need casts of the outer ear
too.

You doing owl-type studies on auditory localization?  Audio-visual
mapping
and plasticity?   Making the cats wear funky glasses?

Re: [CI] Re: Finding collision resistant hash functions

[Major Variola (ret)]

At 02:59 AM 7/9/03 -0700, Sarad AV wrote:
>hi,
>> MV:
>>There's nothing gained by
>> increasing
>> the input entropy (compressing
>
>I was looking for such a compression function such
>that the chances of collision in the message digest
>obtained by hashing these 2^80 messages is collision
>free or very low probability of collision or in other
>words I dont want the birthday attack to work on it.
>
>If i hash 2^80 messages they should be equidistibuted
>in such a manner that it does not affect the security
>of the algorithm.

Again, unless you know something about the distribution
of your input AND their interaction with your chosen
hash function, you gain nothing by remapping (compression
or otherwise) your input.  And again, a good hash function
will disperse your input randomly, regardless of its clustering.

So pick a crypto-like hash function
(which guarantees random dispersion)
and use it.  You can't do better unless
you "cheat" and know your input before
you pick a hash function.  And picking pathological
inputs (to cause collisions) will be hard.

e.g.,

hash=0
while (input)
hash = hash ^ DES( input, fixed_key )
return hash

The only reason to compress would be to
cut down the number of DES operations,
useful only if compression is cheaper than DES.

Re: Idea: The ultimate CD/DVD auditing tool (meow)

[Major Variola (ret)]

At 11:45 AM 7/9/03 -0700, Mike Rosing wrote:
>On Wed, 9 Jul 2003, Major Variola (ret) wrote:
>> Actually I thought humans are insensitive to phase relations, modulo
>> inter-aural timing at low frequencies for spatial location.  Perhaps
>> that
>> is what you meant?   But spatial location isn't the same as the
>> frequency-fetishing
>> audiophiles go for.  To do that well you need casts of the outer ear
>> too.
>
>No, if you put 2 clicks out that are 10 usec's apart on right and
>left, most people can pick out which side came first.  90% of the
>time anyway.

Yes this is for localization ---clicks are broadband, you need to
identify which freq components are used.  I still think
humans can't discriminate the phase of a tone.  In fact, MP3s
use this to cut bits.

>> You doing owl-type studies on auditory localization?  Audio-visual
>> mapping
>> and plasticity?   Making the cats wear funky glasses?
>
>Yup.  they sew coils into their eyes.  For humans they use contacts :-)

>PETA is definitly a problem :-)

Gaak.  I was thinking prism-glasses maybe bolted on that translate the
vis field.
Its ok for undergrads so its ok for cats.

After the experiments, the cats
will be ok, as I assume they're sufficiently
plastic, unless you do brain staining on them.  :-(Or your policy is
the
Tim McVeigh treatment.

Cool stuff, though my domestic feline wants to know where you live.

PS: have you identified the "can opener sound" brain-center yet?



Cats manage biometrics and reputation better than most human systems..

Re: MRAM, persistance of memory

[Major Variola (ret)]

At 04:45 PM 7/10/03 +0200, Thomas Shaddack wrote:
>run stripped-down Linux? Maybe something based on ARM or MIPS
>architecture?)

I'm familiar with 100 Mhz 32b MIPS cores that cost about $10 and include
2 ethernet i/faces.
Intended for cheap SOHO routers, etc.  Newer variants include IPsec
support
(e.g., a DES engine) for the same price.  They'll run Linux.

ARM's advantage is in power consumption, AFAIK, which doesn't always
matter.

I can see other reasons for hacking an answering machine ---encrypting
stored messages,
implementing/augmenting your own DTMF decision tree, allowing some to
leave longer messages than others, even
machines that call another number to forward.(I once worked on a
commercial
system that implemented a POTS i/f as boards in a Wintel machine, its
(perhaps
now extinct) niche was cheapening international phone calls.)  Cheapo
fax/soundcards
are able to do ring detection, pick up, etc.  Probably a fun project,
the POTS i/f
won't go away soon.

Re: MRAM, persistence of memory

[Major Variola (ret)]

At 01:51 AM 7/15/03 +0300, Sampo Syreeni wrote:
>On 2003-07-14, Michael Shields uttered to Bill Frantz:
>
>>> Encrypted swap is a crypto sweet spot, because it has perhaps the
easiest
>>> key management of any crypto system.  It seems that the BSD systems
have it
>>> while Linux still thinks it is difficult.

>At this stage I think a small question is in order. Is there any Big
Red
>Button software out there to complement this level of paranoia?
>
>What I mean is, after you've got everything in your system under
>industrial strength crypto, you have exactly one weak spot, that being
a
>whole lot of people charging through your door when your system is
already
>running hot and accessible. At that point the only thing that can save
you
>is a one-touch mechanism to effect a swift (i.e. at most two or three
>seconds), dirty, no-matter-what shutdown, with guaranteed loss of key
>material.
>
>Is there open source software out there to effect that sort of thing?

Its called the power button.  Which is why MRAM is a different security
risk.

One could design software such that only the least required is decrypted

at any one time, which would minimize the risk from persistant memory
after you offed the power.  There would probably be a serious
performance
hit in such software, but tradeoffs are what the game is about.

Re: MRAM, persistence of memory

[Major Variola (ret)]

At 09:29 AM 7/15/03 -0400, Sunder wrote:
>So, the best way to avoid that situation and not being able to reach
the
>big red switch, is simply not to attract their attention in the first
>place by not following the footsteps of Jim Bell.  :)

Stego + broadcast is indeed your friend.

>A more likely, and far more important, scenario to worry about is the
>black bag job whereby a hardware keystroke recorder can get installed
>without your knowledge...
>
>There may be ways to prevent/detect this...  Software (open or closed
>source) alone won't help very much.

Epoxy and other conformal coatings are also your friends.

MPAA vs. Net anonymity, AB 1143

[Major Variola (ret.)]

Studios Stage Fight Against Internet Bill
By Jon Healey, Times Staff Writer

The Hollywood studios are fighting a
behind-the-scenes
battle in Sacramento to derail a bill they say would

promote online piracy  though the bill has little
to do
with downloading movies.

Actually, the fight may have more to do with who's
behind the legislation: the Electronic Frontier
Foundation,
a civil liberties and technology advocacy group that

frequently opposes the studios' anti-piracy
initiatives.

The measure by Assemblyman Joe Simitian (D-Palo
Alto)
would help Internet users maintain the anonymity
they
have in chat rooms and elsewhere on the Internet
when
sued in state court for something they said or did
online.

Passed by the Assembly on June 2 and scheduled for a

Senate Judiciary Committee hearing today, AB 1143
would require Internet services to notify customers
of
subpoenas seeking their identities and give
customers 30
days to challenge the requests in court.

Because it would apply to lawsuits in state courts,
the bill
wouldn't affect people accused of pirating movies or

other copyrighted works online. Copyright cases are
heard in federal court.

http://www.latimes.com/business/la-fi-mpaa15jul15,1,5900411.story?coll=la-home-todays-times

Re: Sealing wax, funny looking dogtags

[Major Variola (ret)]

At 12:08 PM 7/15/03 -0700, Tim May wrote:
>On Tuesday, July 15, 2003, at 09:05  AM, Major Variola (ret) wrote:
>> Epoxy and other conformal coatings are also your friends.
>>
>Thinking about this brief comment, I assume MV means sealing a PC to
>make black bag opening more apparent.

Both more apparent and more physically difficult.

>But this suggest a return to _sealing wax_. Seriously.

:-)  Only modern sealing waxes don't melt, adhere extremely well,
and make tampering evident.  They also mean the Adversary
has to spend a lot more time... maybe more than one visit.

>(As we all know, CIA and other spook agency "flaps and seals"
>specialists are well-versed in duplicating such seals...

Yes.

but probably
>only after collecting good information. An FBI black bag job is likely
>to encounter the sealing wax and seal and be unable to duplicate it.

You seem to think I thought the epoxy would be used like a seal,
with the signet ring and all, visually verified when you sit down.
That's too lame, any hobbyist whose good with casting can dupe it.
I just meant that if Scarfo had epoxied his keyboard to his chassis
properly, (and epoxied the keyboard, etc.) he might still be free
(to pick shitty passphrases, it turned out).

And some "sealing waxes" such as those used on nuclear weapons
and verification devices, are very difficult to duplicate.  Given, they
require special equipment to read.  (Fine reflector particles dispersed
in clear epoxies)

Or, as has been discussed here before, if Nico did his crypto work on
a handheld that stayed with him.  (An epoxy-sealed one, of course.)
Your suggestions re USB, PCMCIA, etc. are in the same line.
Better, because they're smaller.  However, I don't know of a card that
you can
*shower* with, which is frankly what's required.  It can't ever leave
you.  A keychain fob is not good enough.  Even a finger ring gets
removed
sometimes.

>(All of this slows down the process. The rigamarole that a shipboard
>crypto shack will put up with is not the same as what Joe Sixpack will
>put up

Yes, but Scarfo's DirOpSec should have been able to convince him
that at the hourly rate the Company pays him, he should put up with
it :-)  He can surf for porn on a different machine.  As long as he
knows to use different passwords there...

>-- the usual point about having a network with a secure machine locked
>up very well in a closet or safe (I have a large gun safe, which I
>usually run a small heating element into to prevent condensing
>conditions...I have toyed with the idea of  putting a small PC running
>on 25-40 watts, or less, into this gun safe, with only a power cord and

>Ethernet wire coming out).

I like the dual use of keeping a security-sensitive PC in a gun safe
which also keeps the guns dry :-)   You could have the door opening
silence
the PC, too.  A nice lead lining will keep the black bag x-ray team
(they'll borrow a unit from the bomb squad) from seeing much.

>Still, his series fits with the kind of security awareness and
>hypervigilance we often discuss.

"The ultimate in paranoia is not when everyone is against you
but when everything is against you."  PKD

(and quite apropos here)

Re: Sealing wax & eKeyboard

[Major Variola (ret)]

(resent)
At 11:15 AM 7/16/03 -0700, Tim May wrote:
>We've talked many times about using laptops, heads-up displays (like
>the Sony glasses), and even putting mesh bags over a user and his
>laptop. Actual Faraday cage rooms are not really needed.

Don't forget the 3M screen-addons which are basically a miniature
venetian blinds.
They prevent others from reading your screen at off-angles.  Very useful
if you run your laptop on an airplane.  Even if you take private notes
at a meeting.

Swiss cheese by Microsoft

[Major Variola (ret.)]

Microsoft Admits Flaw in Windows Software

WASHINGTON - Microsoft Corp. acknowledged a critical vulnerability
Wednesday in nearly all versions of its flagship Windows operating
system
software, the first such design flaw to affect its latest Windows Server
2003
software.
...

Microsoft said corporate firewalls commonly block the type of data
connections
that hackers outside a company would need for these attacks. The flaw
affects
Windows technology used to share data files across computer networks.

[Yes but a virus can exploit from *within* the system.]

...
But four Polish researchers, known as the "Last Stage of Delirium
Research
Group," said they discovered how to bypass the additional protections
Microsoft
added, just three months after the software went on sale.

[Gotta love that acronym..]

--
Router attack, ca. 1954:
Bikers disable a town's router infrastructure in _The Wild Ones_.
Her name is Dorothy, she runs a plugboard, she runs off scared.

Re: Optical Tempest? I have my doubts...

[Major Variola (ret)]

At 03:15 PM 7/17/03 -0400, Tyler Durden wrote:
>I dunno...I'm thinking that optical tempest is probably bullshit 99% of
the
>time, but what do I know?

There was an article on optical tempest based on reading modem-LEDs,
which are sometimes modulated with the data stream.  For Mhz rates it
works.

>But I still don't believe that specular reflection of smallish type
from a
>monitor will have anything that is recoverable. Of course, this is
going to
>be dependent on the quality of the wall material, but for most
not-so-even
>plaster/drywall painted surfaces, I just can't believe the appopriate
>spacial frequencies of the image are not scattered after that kind of
>reflection.

The idea of reading the *matte* reflection of the CRT beam is possible.
But its not *spatial* frequency, its using intensity vs. time.
At any one instant you have a single 1-D measurement.
This exploits the fact, as stated, that the phosphor is brightest under
the
(scanning) beam.  There is no spatial info present.  You simply need
a sensitive (contrast is low) and fast (raster rate) optical
measurement.

>The conspiracy theorist is telling me there's some reason they floated
the
>optical tempest story, though I can't quite figure out what that reason

>is...

Its the Windowshade division of the Anti-Illuminati



Irony:
Jewish Zealots were famous for offing (Jewish) Roman collaborators.
100 generations later, Arabic Zealots whack (Arabic) ZionistCrusader
collaborators.
"Pro-American Mayor, Son Killed in Iraq"


Of course Iraq isn't another Vietnam.  They don't know how to make good
pho hoa.

1st amend: fiction != reality, words not kiddy pr0n

[Major Variola (ret.)]

Appeals Court Dismisses Ohio Man's Guilty Plea in Obscenity Case
Involving Fictitious Stories

COLUMBUS, Ohio (AP) - A state appeals court on Thursday dismissed the
guilty plea of a man imprisoned for writing fictitious stories of child
torture and molestation.

Lawyers specializing in the First Amendment believe Brian Dalton was the
first person in the United States successfully prosecuted for child
pornography that involved fictional writings, not images.

The 10th Ohio District Court of Appeals in Columbus ruled that Dalton
received ineffective legal assistance. Dalton had argued that his former
lawyer didn't inform him of the legal implications of a guilty plea or
ask for an immediate dismissal on First Amendment grounds.

The 3-0 ruling sends the case back to Franklin County Common Pleas
Court. Dalton could still be tried but prosecutors have not said whether
they would seek to do so.

Ray Vasvari, the American Civil Liberties Union's state legal director
in Cleveland, called the decision an "important recognition for not only
freedom of speech but freedom of thought."

Dalton, 24, of Columbus, pleaded guilty in July 2001 to pandering
obscenity involving a minor, which falls under Ohio's pornography law.
He later asked to withdraw the plea so he could challenge the
constitutionality of the law, but Franklin County Common Pleas Judge
Nodine Miller refused. ACLU attorneys then appealed.

Miller had sentenced Dalton to seven years, plus 4 1/2 years from a 1998
child pornography conviction on the grounds he violated probation by
possessing the journal.

The 14-page journal contained stories about three children - ages 10 and
11 - being caged in a basement, molested and tortured. Prosecutors
acknowledged the stories were pure fiction.

The journal was found by Dalton's probation officer during a routine
search of his home.

Dalton was charged under Ohio's 1989 child porn law, which bans
possession of obscene material involving children. He was not charged
under Ohio's obscenity law, which requires dissemination and not just
possession.

The appeals court found that Dalton's defense attorney, Isabella Dixon,
misunderstood the two charges against her client.

Both charges were based on the journal and involved fictitious events,
the court found. Dixon, it said, had erroneously believed one of the
charges was based on a letter Dalton wrote describing sexual molestation
of a young cousin, a real person.

"This misunderstanding was significant because of the important
differences in the constitutional protections afforded the private
possession of pornographic depictions of real children and similar
depictions of fictional children," Judge William Klatt said, writing for
the majority.

A message was left with Dixon seeking comment.

http://ap.tbo.com/ap/breaking/MGAQA2U49ID.html

Unsubtle Wetwork

[Major Variola (ret.)]

Weapons Adviser Named as Possible Source for BBC Story Disappears; Man's
Body Found

LONDON (AP) - Police searching for a missing Ministry of Defense
adviser, who was named by the government as the possible source for a
disputed news report on Iraqi arms, said Friday they have found a man's
body near his home.

http://ap.tbo.com/ap/breaking/MGABVMP3AID.html


Maybe he's just hanging out with Ritter in upstate
NY...

Re: Optical Tempest? I have my doubts...

[Major Variola (ret)]

At 01:33 PM 7/17/03 -0700, Meyer Wolfsheim wrote:
>
>For what it's worth, a "secure viewer" that displayed text in red on a
>black background should make an optical tempest attack much more
>difficult.

Why?
On a black background you have higher contrast, which you don't want
here.

The eye is most sensitive to greenish, so if you are trying to reduce
the signal, use barely visible green.

On a nearly-same-luminance green background.
Green on green or gray on gray is *low contrast*.
That's what you want.

(You may as well use gray on gray, assume the adversary has color
vision, and might even
have the CIE chart on your monitor phosphor.  The different RGB
phosphors also have different decay times, which smears the signal
if the adversary has no color vision)

Possibly dither the text.  You might also have brighter
lines or areas on the screen to obscure the signal from the less-bright
e-beamed text areas.  Actual distribution should depend on the decay
over time
of the phosphor (you want the bright "distractors" to be as bright
as the text-pixel even though the distractor is no longer illuminated
by the e beam).

You also want some incandescants and fluorescant lights, the latter
running off batteries (with switching converters) so they run out of
phase and frequency with the ones on wall current.  Optical jamming.

Or just close the windowshade and put a towel under the door gap.
(Others may think you're [sm|t]oking, however.. and with the
multiple, multitinted fluorescants, they'll think you're growing too)

Or use a box.
(I once did med-imaging related vision experiments... the setup was a
Sun with
a calibrated greyscale monitor, in a medical office, behind the
receptionists until
we got more space... we had a giant cardboard box over the monitor &
subject to
control ambient light.. which stayed while I was programming it too.. it
amused the patients
who came in to see their cardiologist to see a guy working with his head
in a big box..
probably would have been more disconcerting if the MD was a psychiatrist
:-)

Re: [Dewayne-Net] RE: [IP] Gilmore bounced from plane; and Farber censors Gilmore's email

[Major Variola (ret)]

At 09:16 AM 7/20/03 -0700, Steve Schear wrote:
>>>Guess he's never heard of US court's limitations against using 'free
>>>speech' as a defense against the consequences of falsely yelling
'Fire'
>>>in a crowded theater.
>
>Except when there really is a fire, which is certainly the case here.
>
>steve

:-)

It would have been quite amusing for JG to wear a "Those who sacrifice
liberty for security.."
button (or T-shirt, rather a lot of text for a button) and get kicked
off.

His button must not have been attached with a standard pin, they could
have disallowed
the pointy pin, on the basis of pointyness, not the message attached to
it.

On the matter of free speech, "Fuck the TSA" would be pretty well
protected by the
"Fuck the Draft" precedent, at least in the (federal-territory) airport,
if not the plane itself.

---
Of course there are limits in regards to freedom of speech.  They are as

follows:
"Congress shall make no law respecting an establishment of religion, or
prohibiting the free exercise thereof; or abridging the freedom of
speech,
or of the press; or the right of the people peaceably to assemble, and
to
petition the Government for a redress of grievances."
Everything else is, of course, allowed.  -Sunder

Iraqi vs. Chechen efficiency

[Major Variola (ret.)]

I read somewhere that the Russkies lose about 8 invaders
a day in Chechnya.  The Iraqis need to increase their
productivity.  Maybe take over a theatre or something.

Have a nice day.

Re: Defeating Optical Tempest will be easy...

[Major Variola (ret)]

At 02:17 AM 7/21/03 +0200, Thomas Shaddack wrote:
>On Sat, 19 Jul 2003, Tyler Durden wrote:
>There is some minuscule proportion of X-rays produced by CRT displays.

Produced by the ebeam decelerating on the shadow mask, but adsorbed
by the glass.

Re: Fwd: [IP] Gilmore bounced from plane; and Farber censors Gilmore's email

[Major Variola (ret)]

At 11:36 PM 7/20/03 -0700, John Kozubik wrote:
>On Sat, 19 Jul 2003, Steve Schear wrote:
>
>> >remove a small 1" button pinned to my left lapel.  I declined,
saying
>> >that it was a political statement and that he had no right to censor

>> >passengers' political speech.  The button, which was created by
>
>Where do these ridiculous ideas come from ?  If I own a piece of
private
>property, like an airplane (or an entire airline) for instance, I can
>impose whatever senseless and arbitrary conditions on your use of it as
I
>please.

Yes.
Except that you entered into a contract to transport a human in exchange

for money.  No where in the contract was "banned speech" mentioned.

Suppose that instead two men were kicked off a flight for holding hands,

or a woman & offspring for breast-feeding.  That would be a violation of
the transportation
contract.  Because such behavior does not endanger the flight or
passengers.
(Although all behaviors cannot be enumerated, under a "reasonable"
common-law interpretation
of the contract, passive speech (vs. say screaming the whole flight) is
harmless.)

Private property rights, of course.  But contract law too.

Re: Defeating Optical Tempest will be easy...

[Major Variola (ret)]

At 07:49 PM 7/21/03 +0100, Peter Fairbrother wrote:
>a_b_sorbed. Absorb is a widely used word meaning 3to drink in, to soak
up,2
>both literally and figuratively. Adsorb is a specialized technical
term,
>meaning only 3to collect a condensed gas or liquid on a surface.2

Thank you.  Have a hard time keeping them straight.  Probably a textual
clue that will undermine my pseudo-anonymity some day :-)

>The glass of CRT's absorbs so much of the X-rays that it might be hard
to
>detect a signal at all at any distance, but then the signal is not
swamped
>by noise from the not-immediately-illuminated areas, unlike the optical

>emissions.

Yes but anything that picks up the weak X-ray will be sensitive to other

normal background ionizing.  With a proportional counter like a
scintillator/PMT
combo, where you could discriminate different types of radiation on the
basis of pulse height,
but you'll be down in the photomultiplier tube's noise.  And as a cosmic
ray secondary
slows down it can generate x-rays.

Maybe if the Adversary is allowed cryogenic detectors in the next room
over... he still has to deal with the attenuating
coefficient for drywall, etc.  And again, I think basically nothing gets
through the glass.

>"0.5 milliroentgens per hour at a distance of five (5) centimeters from
any
>point on the external surface of the receiver" is the US legal
limit[*], and
>low voltage (and thus very low x-ray emission) crt monitors are common
now,
>if not a de-facto standard.

That's pretty hot, actually.   A glass vial of 5 gms U Acetate is only
twice that,
a few mm from the alpha-window of a GM detector.
And the broad face of a CRT means 1/R^2 doesn't apply until you
get some distance away... more like 1/R for an infinite slab.

>However, I expect shot noise to be a limiting factor here.
Unfortunately,
>the Roentgen is such a wierd unit it's not that easy to convert it to
>photons and do the math!

Since the signal is rastering at MHz, you can't very well integrate
ionizing radiation over long times,
as you could to say detect the betas coming out of a jar of salt
substitute (potassium).

Roentgens are defined as producing a certain amount of ionization in dry
air.
The photons doing the ionizing would range from the 10's of keV for
X-rays
to MeV for gammas.  (Careful with that brightness control Eugene!)  An
ion
pair takes about 37 eV to form.  Compare with visible light's very small
range,
blue to red.

>I use 180:210:210[**] (r:g:b) text on a 255:255:255 window background
at
>present, with very light wallpaper, though I speckle both slightly.
It's a
>little hard to read, but much better than some other suggested
combinations.

I hope you don't do this all the time...

>[*]< Probably far too high for safety! Originally for TV's, where the
>viewing distance is much higher. But most modern monitors will emit
much
>less than that. I hope! >

As do TVs.  Nowadays its the Radon daughters attracted to the charged
glass
that will be giving you your RDA (Radiation Daily Allowance.. RDA is a
Yank FDA pun)

Also some of the TV radiation was from HV tubes inside the box; that was
solved by first
using leaded glass (hack!) and then more elegantly by getting rid of
tubes.

A tiny bit of karma for BA

[Major Variola (ret.)]

http://story.news.yahoo.com/news?tmpl=story&u=/afp/20030722/ts_afp/britain_air_strike_company_ba_030722122901

LONDON (AFP) - British Airways was battling to clear a backlog of
frustrated
passengers stranded at London's Heathrow Airport, some of whom had been
stuck there for four days after a wildcat strike by check-in staff.

Re: Dead Body Theatre

[Major Variola (ret)]

At 06:00 PM 7/24/03 +0100, Dave Howe wrote:
>the new standard, I suspect a suicide bombing of
>the white house (killing all the staff and the shrub) would now be "ok"

>provided they shouted 'surrender or die' first, yes?

Dude, if Julius Caesar had magnetometers we might all be speaking
Italian now.

The one with the bigger guns makes the rules.  Which is why those with
smaller
guns don't play by those rules.

Just because the UN fnord hasn't been given the  paperwork or Congress
hasn't made
the required fnord legal declaration, don't think there isn't a war on.
Or several.

Re: Panther's FileVault can damage data

[Major Variola (ret)]

At 06:37 PM 11/7/03 -0600, Harmon Seaver wrote:
>   Apple is both a software *and* a hardware company, however, and
they've
>pretty much always been negligent about making sure that other vendor's
hardware
>worked with theirs and/or their OS.

I thought that was half the point of Apple ---you play only with us, and
we make
sure it all runs smoothly.  (The other half being a once-superior UI).
But you pay.

If you want cheaper hardware that you have to wrestle with, you get a
PC.
Isn't that why Fry's has a return policy?

A policy is a set of tradeoffs.   Free people choose what they want.

Re: Disguising the Key length (Was...Has a change taken place in factoring RSA keys)

[Major Variola (ret)]

At 02:09 PM 11/10/03 -0500, Tyler Durden wrote:
>My first question is, how easy is it for them to estimate the key size
of an
>encrypted message?

Its not secret.  But lets look at twiddling what the message header
encodes.

Suppose you relabel a 2Kbit key as a 1Kbit.  Then what are the extra
bits for,
Eve will wonder.

Suppose you claim a 1Kbit RSA key is 2Kbits.
Now, the math works if you treat a 1Kbit key as 2Kbit.  But the
decrypt won't work unless the recipient modifies
the header to specify 1Kbit to ignore the fake extra key bits.  Which
requires a secure OOB channel, see below.


>Can they do this without actually "chewing" on the message for a while?
(ie,
>if it doesn't crack in x minutes then there's a 99% probability of the
key
>being Y in length...)

"How can you have any pudding if you don't eat your meat? "

Lets think about DES, which also has a publicly-visible keylength.
If you've run through *all* the 56 bit keys, and found
no solution, you know that either DES wasn't the algorithm (perhaps
3DES was, perhaps DES-X, perhaps Blowfish, AES, Skipjack, etc.
You need to reconfigure your FPGAs for each algorithm.)  And if you
haven't
run through all the keys, it could always be the *last* key you try.

So although given *large sets of messages* you can say that 99% would
have been cracked "by now", this kind of stats isn't really useful.
"Close" is for hand grenades, horseshoes, and proximity fuzes; there is
no "close" in crypto.

>Second question: Is it possible to make a message appear to have been
>encrypted with a shorter key than was actually used?

That would cause the decrypting code to truncate significant digits
which would not permit decryption.  Suppose you did this and the
recipient
fixed the length so it would work.  This wouldn't matter: Eve would
wonder what
all those extra random bits are for.

A better approach *might* be to lie about the symmetric encryption
you've
used.  Encrypt with AES-256, use RSA on that 256 bit key, but modify
the message to claim you've used AES-128 or 3DES.

However, this requires a secure out of band channel to communicate this
to
your recipient.  And if you have such a channel, you may as well give
them
a nonstandard S-box initialization (eg "e times your SSN number" vs.
"pi" in Blowfish) or a OTP.

---
A SAM a day keeps the invaders away.

Clipper for luggage

[Major Variola (ret)]

Fwded for your comic relief:

--

 From the New York Times. Any guesses on how long it'll take before your

local hacker will have a key which will open any piece of your luggage?

  - Tim

A Baggage Lock for You and the Federal Screeners

By JOE SHARKEY
Published: November 11, 2003

AIRLINE passengers will be able to lock checked bags confidently again
starting tomorrow, thanks to a new customer-service initiative between
private enterprise and the Transportation Security Administration.

Here's how the plan will work: Several major luggage and lock retailers
in
the United States will announce tomorrow the availability of new locks,
made by various manufacturers, that T.S.A. inspectors will be able to
readily identify and open on checked bags selected for hand searches at
airports.

T.S.A. screeners in airports around the country have already been
trained
in using secure procedures to open the new certified locks when
necessary,
and relock them after inspecting bags.

"Literally since we began the process of screening every checked bag for

explosives in December, one of the challenges has been the ability to
get
into bags without doing damage to them," said Brian Turmail, a spokesman

for the T.S.A.

The system, developed in cooperation with the T.S.A. and the Travel
Goods
Association, a trade group, was designed around "a common set of
standards
that any company that manufactures, or is interested in manufacturing,
luggage or luggage locks could follow that would allow T.S.A. screeners
to
open the bag without doing damage to the bag, in a manner that would
allow
the bag to stay secured afterwards,'' Mr. Turmail said. "In other words,
we
can open it, but no one else can."

The locks will be available in various manufacturers' designs. All will
be
geared around a uniform technology allowing them to be opened by T.S.A.
inspectors using a combination of secure codes and special tools,
according
to John W. Vermilye, a former airline baggage-systems executive who
developed the system through Travel Sentry, a company he set up for that

purpose.

All the locks will carry a red diamond-shaped logo to certify to
screeners
that they meet the Travel Sentry standards. Mr. Vermilye said his
company
would receive royalties from manufacturers.

The system will ensure that passengers using the locks will not have to
worry about a lock being broken or a locked bag being damaged if it is
selected for hand inspection. It will also mean more peace of mind for
passengers worried about reports of increased pilferage from unlocked
bags.

"The general feeling of airline passengers is, 'I don't like to have to
keep my bags unlocked,' " added Mr. Vermilye, who once worked as a
baggage
handler. "As somebody in the business for 30 years, I don't like it
either,
because I know what goes on" in some baggage-handling areas, he said.

An industry study showed that 90 percent of air travelers are now
leaving
checked bags unlocked, whereas before this year about 66 percent of them

said they always locked their bags.

"I travel all the time, and I always used to lock my bags" until this
year,
said Michael F. Anthony, the chairman and chief executive of Brookstone,
a
specialty retailer with 266 shops, including 30 in airports. Besides the

worry about theft within the airline baggage-handling systems, Mr.
Anthony
said he was concerned on business trips about unlocked bags in the hands
of
cab and airport shuttle drivers, bellhops and others.

Brookstone airport shops are planning to introduce the chain's own brand
of
new locks with in-store promotions tomorrow, Mr. Anthony said. A package
of
two four-digit Brookstone combination locks costs $20. Luggage and other

accessories with the lock standards incorporated also will begin moving
soon onto shelves at Brookstone and other retailers.

Mr. Anthony said that the locks represented a needed air-travel
customer-service breakthrough, "helping people reclaim a sense of
security
they had in the past" with their checked possessions.

The T.S.A. mandated screening of all checked bags starting last Dec. 31.

Since then, most of the estimated 1.5 million bags checked daily in
domestic airports have been inspected by bomb-detecting machinery - but
about 10 percent of checked bags are opened and inspected by hand.

Initially, the T.S.A. planned to issue a blanket prohibition against
locking bags, but the agency ultimately decided instead to merely
suggest
that passengers not lock them. The T.S.A. public directive on the
subject
says: "In some cases screeners will have to open your baggage as part of

the screening process. If your bag is unlocked, then T.S.A. will simply
open the bag and screen the bag. However, if the bag is locked and
T.S.A.
needs to open your bag, then locks may have to be broken. You may keep
your
bag locked if you choose, but T.S.A. is not liable for damage caused to
locked bags that must be opened.''

With bags unlocked, many travelers, including business travelers who
pac

Re: Jews Go Nuclear

[Major Variola (ret)]

At 01:44 PM 11/14/03 -0800, Eric Cordian wrote:
>http://observer.guardian.co.uk/international/story/0,6903,10613
>Israel deploys nuclear arms in submarines

You put nukes in subs to avoid getting them blown up
esp. by a first strike.

So whoever nukes Israel had best do so without a
piece of real estate associated with it, because the sub
nukes will persist.  Even if the ground-based intel
the subs might have relied on for targeting is smoking slag.

The problem of real estate:
Look what happened to the Afghans who gave ClintonBush
a place to target.

Yet another advantage to being a unlocalized organization.

Or working out of an untouchable like Saudi arabia.

Re: Partition Encryptor

[Major Variola (ret)]

At 11:45 AM 11/16/03 -0500, Stirling Westrup wrote:
>Does anyone know of a good partition encryptor for Windows? I know of
an
>accountant who would like to encrypt her client's financial data. She's
stuck
>with Windows until such time as a major company starts shipping yearly
tax
>software for linux.

Look into Scramdisk.  It works fine.  Free, open source AFAIK.
You can store & run your tools (eg email client) from the
encrypted virtual partition easily, as well as store data.

Pellicano: encrypted files, wiretaps, pacbell on the take

[Major Variola (ret.)]

Pellicano Taking His Secrets With Him to Federal Prison
 Private investigator refuses to cooperate in FBI probe of alleged
illegal wiretapping

http://www.latimes.com/news/local/la-me-pellicano17nov17,1,3427559.story?coll=la-home-todays-times

Federal agents searched Pellicano's offices three times and seized 36
electronic devices, including computer hard drives and storage drives of
encrypted files, according to court documents.

Law enforcement sources allege that the computers contained detailed
bookkeeping records, wiretapping software and encrypted files of tapped
phone conversation transcripts.

Officials have notified two men that they are subjects of the
wiretapping probe: Bert Fields, one of Hollywood's most prominent
attorneys who employed Pellicano on a number of cases; and Ray Turner, a
former Pacific Bell employee.

State to take innocent kids' DNA

[Major Variola (ret.)]

FBI may collect juveniles' DNA
By Richard Willing, USA TODAY
WASHINGTON  DNA profiles from hundreds of thousands of juvenile
offenders and adults arrested but not convicted of crimes could be added
to the FBI's national DNA crime-fighting program under a proposed law
moving through Congress.
The law, if enacted, would be the greatest single expansion of the
federal government's power to collect and use DNA since the FBI's
national database was created in 1992. The FBI says its national DNA
database holds genetic profiles from about 1.4 million adults convicted
of state and federal crimes.

http://www.usatoday.com/news/washington/2003-11-16-fbi-juvenile-dna_x.htm

---
Let right be done, though the blackhawks should fall

crypto, surveillance, RF for uk bush burners

[Major Variola (ret.)]

Protest Is in the Airwaves on Eve of Bush UK Visit
Mon Nov 17,10:46 AM ET

By Bernhard Warner, European Internet Correspondent

LONDON (Reuters) - With President Bush (news - web sites) due to touch
down on British soil Tuesday, Internet message boards, mobile phones and
pagers are buzzing with the sounds of protest, and police are scrambling
to catch every word.


Since the 1999 World Trade Organization (news - web sites) riots in
Seattle, the protester's toolkit has gone noticeably high-tech,
embracing the latest Internet and mobile technologies for everything
from selling T-shirts for the cause to coordinating mass demonstrations.



Handheld gadgets, equipped with global positioning systems and Internet
access, are being used to mobilize groups quickly and catch police on
the hop.


"What you have now is the equivalent of battlefield soldiers. That's
what the technology has created," said a London-based telecommunications
security expert who advises law enforcement units.


British police have a special task force that follows how everyday
technologies are being used to plot mass demonstrations and avoid the
long arm of the law should violence break out.


Forces across Britain are preparing for anti-Bush protests this week
which are expected to attract more than 60,000 demonstrators, by combing
protest groups' Web sites and message boards for clues on their plans.


A number of anti-war organizations, including Stop the War, have been
openly detailing their plans for rallies and demonstrations. The group's
site, www.stopthewar.org.uk, is expected to reach a one-day peak of
23,000 visitors on Monday, said John Rees, a group co-founder.


The group has a small, but growing e-commerce business, selling various
items, such as "wanted" posters of Bush and Prime Minister Tony Blair
(news - web sites) for one pound ($1.69) and leaflets at 1,000 for 10
pounds.


Rees said the group can reach thousands of people with a single e-mail
and via mobile phone text alerts. "With new technology, we've moved with
the times, not necessarily ahead of the times," he said.


The bigger concern for police are groups that operate underground. Some
use sophisticated encryption techniques favored by the military to
disguise the content of e-mail messages and Internet postings, the
security expert said.


But it is the sophistication of hand-held devices that have police on
the look-out.


Internet-enabled phones and gadgets are capable of sending and receiving
elaborate messages detailing meeting locations, maps and last-minute
instructions to fellow protesters in the streets.


The widespread use of picture phones is also a concern as the could be
used to capture images of the police officers.


"Some of these guys run counter-intelligence. They want to know who the
cops are. With a mobile phone that's equipped with a camera you could
start your own database of cops," he said. ($1=.5919 Pound)

http://news.yahoo.com/news?tmpl=story2&cid=575&u=/nm/20031117/wr_nm/bush_britain_gadgets_dc_2&printer=1


An RPG a day keeps the invaders away
or at least not re-electable

Re: Freedomphone

[Major Variola (ret)]

At 12:59 PM 11/19/03 -0800, Steve Schear wrote:
>If and when this is accomplished the source could then be used, if it
can't
>already, for PC-PC secure communications.

They claim to be releasing code for PCs for free.

A practical replacement for
>SpeakFreely may be at hand.  The limitation of either direct phone or
ISDN
>connection requirement is a problem though.

Since they use GSM *data* services, and since quality affects *delay* in
their
setup, they may be hindered by users acceptance.  However, it might also

be a reminder to the users of why they payed the kiloEuros.

Read their FAQ. They have total clue.  No one should think less of them
for trying to make a Euro at first, paid by users well able to pay the
price,
endure the problems, and Metcalfe's law inconveniences.
That's techonomics -CD players cost a kilobuck at first, and not every
content was available.

-
An RPG a day keeps the invaders away.

israeli torture center reason for no satellite pix?

[Major Variola (ret.)]

The US has restrictions on even commercial satellite photos of Israel.
http://www.guardian.co.uk/israel/Story/0,2763,1084796,00.html
might indicate why --the torture center is airbrushed out of other pix.


The price of empire is death.

can you hear me now?

[Major Variola (ret.)]

"The ultimate in paranoia is not when everyone is against you but when
everything is against you." ---PKD

An appeals court this week put the brakes on an FBI surveillance
technique that turns an automobile driver's on-board vehicle navigation
system into a covert eavesdropping device, after finding that the spying
effectively disables the system's emergency and roadside assistance
features

...in which agents obtained a court order compelling a telematics
company to secretly activate the stolen vehicle recovery feature in a
customer's car. The feature, designed to listen-in on car thieves as
they cruise around in a stolen auto, turns on a dashboard microphone and
pipes conversations out over a cellphone connection -- normally to the
company's response center, but in this case to an FBI listening post.

http://www.theregister.co.uk/content/55/34100.html

e voting

[Major Variola (ret.)]

Secretary of State Kevin Shelley is expected to announce today that as
of 2006, all electronic voting machines in California must be able to
produce a paper printout that voters can check to make sure their votes
are properly recorded.

http://www.latimes.com/news/local/la-me-shelley21nov21,1,847438.story?coll=la-headlines-california

RE: e voting (receipts, votebuying, brinworld)

[Major Variola (ret)]

At 01:04 PM 11/24/03 -0500, Trei, Peter wrote:
>Thats not how it works. The idea is that you make your choices on
>the machine, and when you lock them in, two things happen: They
>are electronically recorded in the device for the normal count, and
>also, a paper receipt is printed. The voter checks the receipt to
>see if it accurately records his choices, and then is required to
>put it in a ballot box retained at the polling site.
>
>If there's a need for a recount, the paper receipts can be checked.
>
>I imagine a well designed system might show the paper receipt through
>a window, but not let it be handled, to prevent serial fraud.

Vinny the Votebuyer pays you if you send a picture of your
face adjacent to the committed receipt, even if you can't touch it.
Since the voting booth is private, no one can see you do this,
even if it were made illegal.  (And since phones can store images,
jamming the transmission at the booth doesn't work.)

You send your picture from the cellphone that took it, along with a
paypal
account number as a text message.

Vinny knows the vote is committed at that point.  Vinnie can bin diff
compare
pix to assure non-duplicates, hires someone (probably offshore :-)
to verify its not a quick and dirty photoshop job, and that its a vote
for the
"right" candidate.  Further resisting photoshop, Vinny accepts pictures
only during voting hours.

Vinny has some kind of front business which could be expected to pay
lots of people in
bursts --a political polling service that reimburses interviewees would
be ideal.

On a small scale (coerce your voting age household members) its
untraceable.
On a medium scale (free drinks if you can show you voted for Caesar) its
easy too.
On a larger scale you might need confidentiality for the image and
traffic analysis resistance.
Maybe anon cash.

Fundamentally, its just like the analog hole for DRM ---you can't show a
human a commit
message without the human being able to reproduce it for others.

The booths could cycle through fake commit messages for all possible
candidates,
so that you could take a picture of yourself with a bogus commit
message, vote
as you will, and still collect.   That might be confusing but is a
counter.

NB: Collect = avoid retribution.

RE: e voting (receipts, votebuying, brinworld)

[Major Variola (ret)]

At 12:56 PM 11/25/03 -0500, Sunder wrote:
>Um, last I checked, phone cameras have really shitty resolution,
usually
>less than 320x200.  Even so, you'd need MUCH higher resolution, say
>3-5Mpixels to be able to read text on a printout in a picture.
>
>Add focus and aiming issues, and this just won't work unless you carry
a
>good camera into the booth with you.

Ever hear of Moore's law?   How about electronic image stabilization?
Piezo gyros optional.

Don't you think the cellphone folks will do the more-pixels-game, trying
to
add features that distinguish their model from the nearly identical
other models?

Related:
There are plans to put a couple of cameras in autos, to check where the
driver
is looking at, wakefulness, etc.  All by 2010.   (Src: EETimes)
And you thought car telemetry recorders were privacy concerns.

(There are *already* dozens of microcontrollers in low end cars, a
hundred
in high-end cars.  So much for TJ Watson's "the world only needs five
computers"...)

RE: C3 Nehemia C5P with better hardware RNG and AES support

[Major Variola (ret)]

>Also, Centaur indicated that with the SHA on die, they can produce
>statistically perfect RNG output.

No kidding.  With any crypto-quality hash, I can produce statistically
perfectly uniformly distributed
pseudorandom data from *successive integers*.

The von neumann whitener does let
>a small bias through for very large data sets IIRC (i.e. a
>statistical bias is detectable in 1G or more data)

Johnny's whitener removes a particular kind of bias but does not reduce
other
kinds of regularity at all.

Whitening don't mean squat for entropy.  (Perhaps you can think of it as

spread-spectrum for regularity, if the whitener isn't crypto-secure.)

Dataset size is irrelevent except for detectability,
you need more samples to be sure that nuances you see are there.

>If you are using the hardware rng via a user space daemon feeding
>/dev/random then this is no longer an issue.

You MUST use some "hardware" (analog) input, and you SHOULD
use whitening on the output, and most probably should do other
operations in between
(mixing partially unbiassed but imperfect input with a pool, for
instance).

Re: e voting (receipts, votebuying, brinworld)

[Major Variola (ret)]

At 07:10 PM 11/25/03 -0800, Tim May wrote:
>I have no problem with this free choice contract.

The only ones allowed to buy votes are the ones running for office.
And they are required to do it on credit.

"A democracy cannot exist as a permanent form of government. It can only

exist until the voters discover that they can vote themselves money from

the Public Treasury. From that moment on, the majority always votes for
the candidate promising the most benefits from the Public Treasury with
the result that a democracy always collapses over loose fiscal policy
always followed by dictatorship." --Alexander Fraser Tyler

Re: e voting (receipts, votebuying, brinworld)

[Major Variola (ret)]

At 11:10 PM 11/26/03 +0100, Nomen Nescio wrote:
>Cameras in the voting booth?  Jesus Christ, you guys are morons.  If
you
>want to sell your vote, just vote absentee.  The ward guy will even
stamp
>and mail it for you.  Happens every election.

For some reason I don't understand, people actually drive to queue up
and vote
in a booth on a given day.  So that was the model addressed.

Personally I vote absentee, so I have plenty of time
to photoshop what I fax to Vinny.  As well as being able to submit a new

blank ballot if Vinny demands to see the original I faxed (but before
its mailed in -that
is my commit point, just like "opening the curtain" used to be on
mechanical
voting machines).

Re: Now how they do that ?

[Major Variola (ret)]

At 11:12 AM 11/28/03 -0600, Neil Johnson wrote:
>Investigators traced the computer to Krastof when he logged onto his
own
>America Online account at home through one of the stolen computers,
White
>said. That enabled authorities to connect the computer's Internet
Protocol
>address, a number that identifies a computer on the Internet, to
Krastof's
>home address through his AOL account, White said.
>
>My guess that there was some sort of application (maybe an internally
based IM
>client) that "phoned home" when the thief started up the computer.

Conventionally, only the NIC's MAC is supposed to be unique.  Nowadays
there are other IDs including disk-drive serial numbers, motherboard
SNs, OS SN's, etc.  None of these are supposed to be sent upstream,
and the NIC MAC ends at the first router.  And of course doens't exist
if
Krastof used a modem.  So yeah, a "phone home" app sounds likely ---even

an *unintentional* one, like one that automatically checks a "home
server" for
updates, corporate news, etc.  Then you merely snag the IP, find it
comes from
AOL (rather than your internal network) who looks up who occupied that
address
at that time.  Krastof probably used his meatspace info, subpeona,
no-knock, game over.

US spying, directv, shades of global crossing

[Major Variola (ret.)]

The parent company of DirecTV, the home satellite service, has promised
several federal agencies that it can address concerns about foreign
ownership of sensitive U.S. communications systems if it wins approval
of its proposed merger with Australian-controlled News Corp.

...
But the merger also has drawn the scrutiny of the Department of Homeland
Security, the FBI and Justice Department divisions in addition to the
antitrust department. The deal would bring DirecTV's five satellites and
sophisticated communications system under the control of a company based
outside the United States.

Chief among the U.S. concerns is that a foreign-owned satellite system
and communications system could be used for illegal surveillance on U.S.
citizens and facilities, according to documents passed this week among
Hughes, News Corp. and the federal government.

"As the [FCC] is aware, the DOJ, FBI and DHS have taken the position
that their ability to satisfy their obligations to protect the national
security, to enforce the laws, and to preserve the safety of the public
could be significantly impaired by transactions in which foreign
entities will own or operate a part of the U.S. communications system,
or in which foreign-located facilities will be used to provide domestic
communications services to U.S. customers," read a letter filed at the
FCC by the three law enforcement agencies last week.

The Committee for Foreign Investment in the United States, a group made
up of executive departments and representatives from the State, Defense,
Treasury and Commerce departments, typically reviews transactions
involving foreign ownership of businesses that serve the United States.
In September, for instance, the committee approved the reorganization
plan for Global Crossing, a telecommunications company being acquired
out of bankruptcy by a Singapore-based firm. .

http://www.washingtonpost.com/ac2/wp-dyn/A19987-2003Nov28?language=printer

Re: Decline of the Cypherpunks list...Part 19

[Major Variola (ret)]

At 03:26 PM 12/7/03 -0800, Tim May wrote:
>But even if crypto got trendy again, I just don't see the young
>students of today flocking to our particular mailing list. Too many
>other choices. Probably they'll read someone's daily blog

A few observations.

Nowadays, colleges offer courses in crypto.
This was not the case when I started reading this list.

And 'net social issues were not widely discussed; now
there are many fora and public organizations that one
can look at.  Probably college courses on that, too.

So *perhaps* neophytes interested in these things have
many more places to learn.   Just an optimistic possibility.
I did much like your "the nose rings of the followers" comment
though.

--
"When I was your age we didn't have Tim May! We had to be paranoid
on our own! And we were grateful!" --Alan Olsen

Re: cypherpunks discussions

[Major Variola (ret)]

At 07:22 AM 12/8/03 -0800, Eric Murray wrote:
>Other people have made the point that mailing lists are "old tech"
>and I agree.   I don't like the new replacements (blogs, web boards)
>as much as lists, but perhaps that's because of what I used first.

Its not just "the First is the Only Way" phenom.

What's going on is that folks are online all the time now, so
things interactive (web boards, IM) have become more popular
than they could have been in the dial-up past.

The big advantage of email, which was the original "killer app",
was store and forward.  Ie, asych; offline.  IM strikes me as
perverse.  If I wanted to be interrupted I'd answer my telephone.
Email clients of olde allowed aliasing to lists, which predated
(and motivated) mailing list exploders/auto-managers.  They
are still widely used for group-of-friends 'private' lists.  Even
my parents understand Bcc: nowadays.

Yahoo boards have options to use email, and
modern clients manage multiple email addresses.  But
for online folks a board is perhaps more convenient,
since the board is accessable everywhere.  For
home/office/school mobility this is a feature, even
if its regressing to the "PC as dumb terminal" mechanism.

The advantage of eg Yahoo groups (and presumably blogs)
is their moderation; the lack thereof enabled spammers to
bulldoze the commons of usenet.   Inevitable.  Also the
reason why lne.com is the best node.



>Kids these days don't know how to use shell shortcuts either.

Not sure what you mean by that.  "Shortcut" is a M$ term
for lame-ass sym link.


"Remember, it takes 42 muscles to frown and only 4 to pull the trigger
of a decent sniper rifle." Michael Hohensee

Re: cypherpunks discussions

[Major Variola (ret)]

At 11:24 AM 12/8/03 -0800, Tim May wrote:
>No, I think few topics on the Cypherpunks list are taken private.
>
>My reasons are two-fold: First, to get them to stop lurking and
>participate. Second, to work up the energy to compose an essay (or
>mini-essay, whatever), I need some motivation. I am not energetic about

It can also be imprudent, as in a free trip to a grand jury in a distant

land, possibly with you fronting the govt the money for the trip.

All to hear you mention the Bill of Rights, repeatedly, of course.

Neophytes are encouraged to look up Jim Bell, Declan, John Young, etc.

Re: whitehouse.gov/robots.txt

[Major Variola (ret)]

I'd suggest "wget" for spidering sites.  It can be told to ignore
.robots files.  It is
good for mirroring sites which you suspect may be taken down.  Win/Unix
versions
available.

Re: Has this photo been de-stegoed? (and Anonymity)

[Major Variola (ret)]

At 06:22 PM 12/10/03 +0200, Anatoly Vorobey wrote:
>On Tue, Dec 09, 2003 at 04:20:20PM -0600, Declan McCullagh wrote:
>> We have anonymity in Web browsing (more or less, thanks to Lance &
>> co). It's not NSA-proof, but it's probably subpoena-proof.
>>
>> We have anonymity in email thanks to remailers (to the extent they're

>> still around).
>>
...
>
>alt.anonymous.messages has a healthy amount of traffic.

One could count some fraction of all the *.binaries.* on usenet
as anonymous communications (via stego), but then you'd have to know
how many are stego'd, and that is the game after all.


At 02:24 PM 12/8/03 -0500, Tyler Durden wrote:
>Is it possible to determine that the photo 'originally' (ie, when it
was
>sent to me) contained stegoed information, but that it was intercepted
in
>transit and the real message overwritten with noise or whatever?

Yes.  Trivially, If your correspondent told you, but that's out of
band.  Otherwise,
If there *remains* info which was not washed out "in transit", then that

would be an inband way.  Maybe all the pictures with a red flower
in them are carriers, and this content isn't washed out.  Maybe its a
more subtle crypto-watermark, independent of the stego'd message.

>Now I know pretty much nothing about this subject, but I would suppose
that
>de-stegoing a photo must like some kind of spatial spectral fingerprint
that
>should be visible after the photo is FFT'd (is there freeware software
out
>there?).

1. How do you know the signature of the unaltered carrier-medium?
E.g., have you measured the LSBit noise from my camera recently?
Under which lighting conditions?

2. Don't you think I can measure the properties of my carrier and shape
the stego'd info to match?   (This does get into an arms race over what
properties to measure.)

>Now I IMAGINE that a sophisticated interceptor could substitute
'believable'
>de-stego-ing noise so that it would look like the photo never had any
stego
>in the first place. OR...is this actually 'impossible' to do perfectly?

You don't just put your message in the LSBits or whatever.  You
compress,
encrypt, and possibly redundantly code them.  Then you shape the noise
to match the bits you're replacing.


>And then, what if the interceptor tried to put an alternate message in
there
>instead? Is there a way to tell that there was originallya different
message
>there?

Depends on the coding.

>My assumption first of all is that nothing was done to prepare the
photo
>against these possibilities.

Just make sure you did the original analog recording and destroy the
original after you stego it.  Best also if you never post unstego'd
messages
so the Adversary can't measure your raw carrier.

A simple stego message was placed without real
>thought about whether it might be intercepted and altered.

You shouldn't stego life-critical messages without proper training in
the use of your tools.
(That training may vary with personality, see _Silk and Cyanide_.  Some
like "why",
some like "do this".)

-
"You can have democracy when you vote for the people we approve of"
King George to the Colony of Iraq

Re: Zombie Patriots and other musings [was: Re: (No Subject)]

[Major Variola (ret)]

At 03:04 AM 12/11/03 -0500, [EMAIL PROTECTED] wrote:
>Nothing less than a guerilla war seems necessary to restore something
akin to the original constitutional balance in the U.S.  But where to
recruit these people?  My suggestion: the terminally ill.
>
>Many TI come to the table with a 'gift', the certainty of impending
death and for some the possibility of fearlessness for physical harm or
imprisonment.

Of course your idea has merit, both on a personal and govt payback
level.  But you can get more, and fitter soldiers:
Simply convince some healthy folks that an "afterlife" exists.  And that
by doing worthy acts
you do well there.  Religion is a terrorist weapon after all.


What would a palestinian bastard on a stick do?

LAPD captain busted for selling bootleg DVDs

[Major Variola (ret.)]

December 10, 2003

Just days after Los Angeles Police Chief William J. Bratton pledged a
crackdown on motion picture piracy, department investigators on Tuesday
helped arrest an LAPD captain suspected of selling bootleg DVDs.

Julie D. Nelson, a decorated patrol captain and a 28-year veteran of the
Los Angeles Police Department, was arrested at the Hollywood station
following a sting operation in which she allegedly sold counterfeit film
titles such as "The Cat in the Hat" to undercover officers.

http://www.latimes.com/news/local/orange/la-me-dvd10dec10,1,6566326.story?coll=la-editions-orange

Re: Has this photo been de-stegoed? (and Clouds)

[Major Variola (ret)]

At 02:35 PM 12/11/03 -0500, Tyler Durden wrote:
>Variola wrote...
>
>"How do you know the signature of the unaltered carrier-medium?
>E.g., have you measured the LSBit noise from my camera recently?
>Under which lighting conditions?"
>
>Well, having done some optical signal processing (and getting a patent
in
>that area, come to think of it), I imagined that most photos will
naturally
>have some image noise in certain frequency bands...

You are *way* too FT based in your thinking.  There are *many* other
measurements and statistics and co-relations.

And the noise I was referring to is in part electronic noise, not image
noise
in either the spatial freq. or poisson sense.  The point being that
there is
info that is perceptually insignificant, that you can replace with
compressed encrypted bits.

Re: Zombie Patriots and other musings

[Major Variola (ret)]

At 10:12 PM 12/11/03 -0500, An Metet wrote:
>
>Given small numbers and absence of any other grouping factor there
needs to be an "obvious" place for ZPs to refer to. Any obvious place
that becomes even remotely attractive to ZPs will be immediately raided.
Because ZPs have potential to be actually dangerous to the gang in
power, as opposed to everything else I've seen so far.
>
>So we're back to square one - effective anonymous publishing is
prerequisite for the regime change and executing post-natal abortions.
And it has been for centuries.

You need to think about the "lone warrior" scenario that the Gang
worries about.  McVeighs and Rudolphs.
They were influenced by memes which were not immediately suppressed.

Look at Al Q, Inc: you don't need explicit instructions from the Boss to
motivate folks to do things.
You see who is the enemy, you see opportunity.  You don't need
permission.

There is also the "copycat" phenom ---remember how school shootings
reccurred after the first big one?   So the memes can get out.

As Tim has mentioned here, the talkers can't
be the doers.  And watch out for COINTELPRO.


>When I say "effective" I don't mean posting a message to Usenet via
WiFI-ing into some sucker's open AP. No one gives a fuck for Usenet
postings, blacknet etc

Well, some do, but its not relevent for ZPs.


>. - and ZPs are unlikely to educate themselves and search for them.
Effective means untouchable web site with untouchable DNS entry.

Fuck the web.  The web is 0wn3d by the feds and run by largely spineless
fedsucking sheep.  The web is for
talkers, not doers.


>Effective means something doable by average determined person. Like
tuning to Radio London from occupied Europe in WW2.

I don't listen to shortwave, but I understand some of it can be fairly
strong.   I could easily see some
lunatic fringe suggesting that deathbed xians blowing up medical clinics
as a holy thing.  (And I understand
that shortwave is popular among lunatic xians.)
As the US descends into statism, perhaps some agitators will pick better
targets, like the oppressors.
Perhaps some will simply begin to act, the news reports it, and others
will clue in and repeat.

RE: Stego worm

[Major Variola (ret)]

At 08:09 PM 12/11/03 -0500, Tyler Durden wrote:
>
>As for Variola's comment, you might be right. I just assumed there's
some
>kind of relationship between LSB and those spatial freuencies wherein
image
>information might be stored. Actually, I would still think there's a
>relationship, in which case an Echelon-like approach based on ffts and
>"noise templates" might be going on (hence the usefulness of jamming).

I'm not saying that you could never use FT to detect weaker kinds of
stego.
But if information is encoded as say the parity of 3 LSBits from
different
regions of the image, good luck.

>Anyone got a TLA Operative Handbook? ANy mention in there of what kind
of
>photos are best for Stego? How about cloud photos? (particularly where
there
>are clouds of many different shapes and sizes present in the photo
>simultaneously.)

The most important thing is not to put too much cargo in your carrier.
Think in terms of signal to noise if you wish.

Obviously a picture with truly uniform color fields ---like a digital
cartoon--
won't be useful.  But scanning a piece of paper does not have this
problem,
for say 8 bits per grayscale pixel.   Because each analog scan of the
same piece
of paper gives different bits.

TD, you surely have the background to look into this stuff (and stego
detection) if you want.  BTW Stego ~aka watermarking.  And stego
can be done in music, movies, ascii text, etc.

Or you could work from first principles, if you are able to mentally
switch between
steganographer and stego-detecter.  (This same
playing-chess-with-yourself is
vital to security analysis, crypto, etc.)

Re: Zombie Patriots and other musings

[Major Variola (ret)]

(resend) 
At 11:52 AM 12/13/03 -0500, John Kelsey wrote:
>At 09:19 AM 12/12/03 -0800, Major Variola (ret) wrote:
>...
>>You need to think about the "lone warrior" scenario that the Gang
>>worries about.  McVeighs and Rudolphs.
>>They were influenced by memes which were not immediately suppressed.
>
>One interesting property of the lone warriors is that they can't
actually
>make peace.

Good points, but not entirely true.  For instance, we could stop the
Jihad (tm)
(including future Jihads by other parties) by stopping all foreign aid,
following the good general's advice,
"Trade with all, make treaties with none, and beware of foreign
entanglements."

If you take yourself out of the game, you are not seen by a player which
can be influenced.
Or which influencing would do any good to a given cause.

A government can take itself (and thus the proles that fed the NYC
rodentia the second week
of Sept 01) out of the game,  while individuals (corporations) continue
to trade freely, and at their
own consensual risk.

The point is that while the soldiers are independent, their motivations
are not.  So you can
reduce the cost of the lone warriors to you by not annoying them any
more.


>Of course, there's a more fundamental problem with surrendering to the
lone
>warriors.  Imagine that there's such a wave of pro-life terrorism that
we
>finally agree to ban abortion.  You're a fanatically committed
pro-choice
>activist.  What's your next move?

Rudolph bombed clinics, not random people because the govt allowed the
clinics.  Contrast with a distributed jihad which attacks citizens to
sway a govt.

If the US went neutral, whether Halliburton was in Arabia would be
entirely an economic
question, involving the cost of paying off widows or hiring Islamic
workers, or buying the
goods through a third party.  Instead its a policy question, the only
way to influence it
is to bring it home ---"the only language the American people understand
is
dead Americans." -EC

---
"Can you hear me now?" -UBL, 11.9.01

Hack the Vote: cause a blackout

[Major Variola (ret)]

(This inspired by comments in Scheier's cryptogram)

Do all the newly electronic voting places have UPS?  I doubt
it.  Think of the fun you could cause if you downed a few
substations or poles.

>> And because elections happen all at once, there would be no means of
recovery.  Imagine if, in the next presidential election, someone
hacked the vote in New York.  Would we let New York vote again in a
week?  Would we redo the entire national election?  Would we tell New
York that their votes didn't count?

>>What we need are simple voting systems--paper ballots that can be
counted even in a blackout.

Using PCR to find Hussein via the sewers? [GATTACA]

[Major Variola (ret)]

At 04:50 AM 12/15/03 -0800, John Young wrote:
>There's a good possibility that Saddam was traced by Tempest
>sensing, airborne or mundane.

I wonder if you can trace DNA in sewers back to the source,
esp. in an inbred locale?   (Peter?  PCR with Saddam specific
primers?)

Or did he just dig a cat-hole instead of using the infrastructure?

You can trace industrial contamination up sewer lines back to the
source.
How about the cells we shed?

Just theoretically.  Papers fnord says someone used to the good life
narced, couldn't
handle a jail cell.

Re: cpunk-like meeting report

[Major Variola (ret)]

At 09:57 PM 12/14/03 -0800, Morlock Elloi wrote:
>> Be sure and check the archive before posting.  It is still small.
>
>Cookies, "members only" archive access. Bad deal. Will not happen. Very
few
>consumers here.

But look how many IP addresses he got from members checking it out!

Re:Textual analysis

[Major Variola (ret)]

At 10:36 AM 12/14/03 -0500, John Kelsey wrote:
>It's not obvious to me how you'd change your writing style to defeat
these
>textual analysis schemes--would it really be as simple as changing the
>average length of sentences and getting rid of the big words, or would
>there still be ways to determine your identity from that text?

Its like steganalysis.  Its an arms race between measuring your own
signatures vs. what the Adversary can measure.  If sentence length
is a metric known to you, you can write filters that warn you.
Similarly for the Adversary.   You end up in an arms race
over metrics ---who has the more sensitive ones that the other
does not control for?