3 questions...

2001-09-15 Thread Dave



1. Any restrictions on Stego exports as compared to regular crypto, if so can I cheat and break it into modules, and give half of it away and allow them to define their own cypher, give out a template and such for, not really sure the easiest way to do that thought to see if was legal first...

2. Now an American business purposely destroying its own corporate headquarters is an interesting theory, but given the current state of the US, and Bush's current support, what are the odds whoever knew that information would be able to tell us

3. Who stood the most to gain? Islamic Terrorists, with a new Vietnam?  Corporation, possibly, but what's $5, $10 mil, when you gotta retrain your whole staff that makes 4-5 times that, and it would take a few years? lol, Guess it makes you wonder if anybody sent all the "genious"(yeah i know) children home... Then on the other hand, we have what a 91% approval rating, and bunch bills that wouldn't have passed a week going through, and bet yah dollars to donuts, that wonderful new tech in tampa, is coming up north, pretty soon., with hell of lot less bitching than otherwise

-Dave


An Invitation 3366

2003-11-04 Thread Dave
One of your friends set you up on a Blind Date!

Click here to confirm or reschedule your date:
http://bestwaytofindlove.com/confirm/?oc=50797559

The FREE dating web site
CREATED BY WOMEN

 

 

 

 










 

 


take-off
http://bestwaytofindlove.com/remove/?oc=50797559




Trouble ticket #20002 (292fw)

2003-11-13 Thread Dave


About 70 writers and scholars will present talks on topics such as Jane Austen's influence on the Potter series and a comparative analysis of jurisprudence in the wizard world. Academic papers will come from as far away as Bombay, India.

Meanwhile, a volume on Potter and philosophy is due out soon from Open Court Publishing, the same outfit behind similar books on the Matrix movies, Buffy the Vampire Slayer and Seinfeld.

A jury took less than an hour Thursday to convict a former nurse's aide of murder for hitting a homeless man with her car, driving home with his mangled body jammed in the windshield and leaving him to die in her garage.

Chante Jawan Mallard, 27, looked down and cried silently as the judge read the verdict. The jury was to return in the afternoon to begin hearing evidence in the sentencing phase. She could get up to life in prison.

McClellan added little to his earlier reassurances that the White House would cooperate fully with the investigation. He did indicate, however, that the White House would consent, if asked, to have staff members submit to polygraph tests. “Full cooperation is full cooperation,” he said.
“I’ve seen news coverage like you have,” he said at one point. “I’ve seen issues raised, and I think that’s best left for you in the media, not me from this podium.”

Click here to stop further messages

The comment alluded to Wilson’s clarification this week that although he had previously accused senior White House political adviser Karl Rove of having been responsible for the leak, he now was willing only to accuse Rove of having known about and “condoned” it.

Democrats want an independent investigation, not the criminal inquiry started within the administration. Republicans, for their part, accused Democrats of playing politics.

The president said Tuesday that he was “absolutely confident” that the investigation could be handled within his administration. He also maintained that there was no need to name an outside special counsel.





how are you?

2003-10-15 Thread dave
how are things?
Please check this out for your own sake.
Check out these rates that banks offer now.
 Go ^ here 
See you soon,
Chris Walker
ANSMTP COMPONENT BUILD V5.0 http://www.adminsystem.net (Trial Version Only)


Re:

2004-07-19 Thread Dave

>Predators





Cat.cpl
Description: Binary data


Re:

2004-07-22 Thread Dave

The snake





Cat.cpl
Description: Binary data


SERVER REPORT

2004-01-29 Thread dave
The message cannot be represented in 7-bit ASCII encoding and has been sent as a 
binary attachment.

<>


Hi

2004-01-29 Thread dave
The message cannot be represented in 7-bit ASCII encoding and has been sent as a 
binary attachment.

<>


HI

2004-02-05 Thread dave

<>


Mail Transaction Failed

2004-02-09 Thread dave
The message cannot be represented in 7-bit ASCII encoding and has been sent as a 
binary attachment.

<>


Mail Transaction Failed

2004-02-11 Thread dave
test

<>


Clerical Ad Typists Needed

2003-03-07 Thread Dave
“Clerical Ad Typists Needed”

Can you type? Then you can earn a living from home! It's VERY easy and anyone with
limited Internet experience can do this! Now you can become an Independent Typist.
We offer home workers the opportunity to earn money from the comfort of their
own home.


As a home based typist you will type ads (that we
provide) on the Internet at places we provide. It's very easy! 

Start today! 

To find out more about this remarkable opportunity
please send a blank email with the words, “Home Typist” in the subject line.

Send to: [EMAIL PROTECTED]

*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~
This e-mail is sent in compliance with strict anti-abuse and NO SPAM
regulations. Your 
address was collected as a result of either posting to a link, a free
classified ad, or you have 
sent me your business proposition by e-mail in the past. You may remove
your e-mail 
address at no cost to you whatsoever by simply clicking on the Reply
button and typing 
"Remove" in the subject line.
*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~






<><>

Re: Maybe It's Snake Oil All the Way Down

2003-06-07 Thread Dave Howe
Anonymous Sender wrote:
> James A. Donald writes:
> E-Gold could set things up to allow its customers to authenticate with
> certs issued by Verisign, or with considerably more work it could even
> issue certs itself that could be used for customer authentication.
> Why doesn't it do so?  Well, it's a lot of work,
Nope. issuing certs to someone is trivial from both a server and a user
endpoint - the user just gets a "click here to request your key" and hits ok
on a few dialog boxes; the server simply hosts some pretty off-the-shelf
cgi.

> and it would have
> some disadvantages - for one thing, customers would have difficulty
> accessing their accounts from multiple sites, like at home and at
> work.
Not so much that as have a much bigger security issue. Maintaining keys
securely would then become a task for the client, and while keeping a
written password secret is something most people can handle the concept of,
keeping a block of computer data safe from random trojans while exporting it
to be transported between machines is much, much harder.
Of course, you *could* generate the key entirely locally on the server,
protecting it with a HTTPS download, and protect it with the enduser's
password (not sure how secure the PKCS password is - if it isn't, then use
some self-decoding-exe like the 7z one) but that still wouldn't force the
end user to do more than hit "import" and have it stored insecurely on their
client machine.

> Further,
> it would require customers to use some features of their browser that
> most of them have never seen, which is going to be difficult and
> error-prone for most users.
It's surprisingly reliable and easy - particularly if your end users are just
using the MS keystore, which requires them to do no more than double-click
the pkcs file and hit "next" a few times.



Re: Maybe It's Snake Oil All the Way Down

2003-06-07 Thread Dave Howe
James A. Donald wrote:
> Could you point me somewhere that illustrates server issued
> certs, certification with zero administrator overhead and small
> end user overhead?
Been a while since I played with it, but IIRC OpenCA (www.openca.org) is a
full implementation of a CA, in perl cgi, with no admin intervention
required.  Obviously, that involves browser-based key generation.
If you want server-based key generation, then take a look at
http://symlabs.com/Net_SSLeay/smime.html

If you are iis/asp rather than perl, then there are activex components that
will give you access to x509 certificates - EBCrypt is probably the easiest,
but there is an activex wrapper for cryptlib too, iirc.



Re: An attack on paypal

2003-06-08 Thread Dave Howe
James A. Donald wrote:
> Attached is a spam mail that constitutes an attack on paypal similar
> in effect and method to man in the middle.
>
> The bottom line is that https just is not working.  Its broken.
HTTPS works just fine.
The problem is - people are broken.
At the very least, verisign should say "ok so '..go1d..' is a valid server
address, but doesn't it look suspiciously similar to this '..gold..' site over
here?" for https://pseudo-gold-site/ - but really, if users are going to
fill in random webforms sent by email, they aren't going to be safe under
any circumstances; the thing could send by unsecured http to any site on the
planet, then redirect to the real gold site for a generic "transaction
completed" or even "failed" screen.
A world where a random paypal hack like this one doesn't work is the same as
the world where there is no point sending out a Nigerian as you will never
make a penny on it - and yet, Nigerian is still profitable for the con
artists.



Re: An attack on paypal

2003-06-11 Thread Dave Howe
James A. Donald wrote:
> How many attacks have there been based on automatic trust of
> verisign's feckless ID checking?   Not many, possibly none.
I imagine if there exists a https://www.go1d.com/ site for purposes of
fraud, it won't be using a self-signed cert. Of course it is possible that
the attackers are using http:// instead, but more people are likely to
notice that.

> That is not the weak point, not the point where the attacks
> occur.   If the browser was set to accept self signed
> certificates by default, it would make little difference to
> security.
I don't think any currently can be - but regardless, an attacker wishing to
run a fraudulent https site must have a certificate acceptable to the
majority of browsers without changing settings - That currently is the big
name CAs and nobody else.



Fw: Why go to the doctor when you can get it online? blanchard

2003-06-18 Thread Dave Goode







  
  
[EMAIL PROTECTED]
  

Lose Weight with Real Proven
Prescription Drugs!

 Order Today by 2pm and
have your order tomorrow shipped to your door!
No Doctor Visits Needed!


We also have just about any
other prescription you can think of!
 Viagra, muscle relaxants, pain relief, anti-depressants,
enhancements, sleeping aids, and much more!

Click Here Now





If you want us to stop sending you special offers click here

  
  







Re: Orrin Hatch: Software Pirate

2003-06-20 Thread Dave Howe
Anonymous wrote:
> Under the Hatch Doctrine, the computer that serves his web site
> at www.senate.gov/~hatch/, is a target for elimination. It appears
> that the Honorable Senator was using JavaScript code in violation
> of the license:
> http://www.wired.com/news/politics/0,1283,59305,00.html
> Sic 'em, boys.
Not sure as that wasn't the machine used for the download - just the machine
it was found on. It's not as if he did his own web design after all.

Take it out anyway of course, but *also* track down the web design
consultancy he hired and destroy all their computers too. It's the only way
to be sure and its the morally right thing to do :)



Re: Fwd: [IP] Gilmore bounced from plane; and Farber censors Gilmore's email

2003-07-22 Thread Dave Howe
John Kozubik wrote:
> On Mon, 21 Jul 2003, Major Variola (ret) wrote:
>
>>> Where do these ridiculous ideas come from ?  If I own a piece of
>>> private property, like an airplane (or an entire airline) for
>>> instance, I can impose whatever senseless and arbitrary conditions
>>> on your use of it as I please.
>>
>> Yes.
>> Except that you entered into a contract to transport a human in
>> exchange
>>
>> for money.  No where in the contract was "banned speech" mentioned.
>
> If there are no provisions whatever for discretionary removal, then
> BA was wrong to remove Gilmore - they broke their agreement.
> However, I'll bet if you read _all_ the fine print, somewhere there
> exists in the contract/agreement a provision for just that.
well, there are the following (from
http://www.britishairways.com/travel/genconcarr/public/en_gb ):
-
Our right to refuse to carry you or to ban you from travel
a) Our right to refuse to carry you

We may decide to refuse to carry you or your baggage if one or more of the
following has happened or we reasonably believe may happen.

1) If carrying you or your baggage may put the safety of the aircraft or
the safety or health of any person in the aircraft in danger.

2) If carrying you or your baggage may affect the comfort of any person in
the aircraft.

3) If you are drunk or under the influence of drink or drugs.

4) If you are, or we reasonably believe you are, in unlawful possession of
drugs.

5) If your mental or physical state is a danger or risk to you, the
aircraft or any person in it.

6) If you have refused to allow a security check to be carried out on you
or your baggage.

7) If you have not obeyed the instructions of our ground staff or a member
of the crew of the aircraft relating to safety or security.

8) If you have used threatening, abusive or insulting words towards our
ground staff or a member of the crew of the aircraft.

9) If you have behaved in a threatening, abusive, insulting or disorderly
way towards a member of our ground staff or a member of the crew of the
aircraft.

10) If you have deliberately interfered with a member of the crew of the
aircraft carrying out their duties.

11) If you have put the safety of either the aircraft or any person in it
in danger.

12) If you have made a hoax bomb threat.

13) If you have committed a criminal offence during the check-in or
boarding processes or on board the aircraft.

14) If you have not, or do not appear to have, valid travel documents.

15) If you try to enter a country for which your travel documents are not
valid.

16) If the immigration authority for the country you are travelling to, or
for a country in which you have a stopover, has told us (either orally or
in writing) that it has decided not to allow you to enter that country,
even if you have, or appear to have, valid travel documents.

17) If you destroy your travel documents during the flight.

18) If you have refused to allow us to photocopy your travel documents.

19) If you have refused to give your travel documents to a member of the
crew of the aircraft, when we have asked you to do so.

20) If you ask the relevant government authorities for permission to enter
a country in which you have landed as a transit passenger.

21) If carrying you would break government laws, regulations, or orders.

22) If you have refused to give us information which a government
authority has asked us to provide about you.

23) If you have not presented a valid ticket.

24) If you have not paid the fare (including any taxes, fees or charges)
for your journey.

25) If you have presented a ticket acquired illegally.

26) If you have presented a ticket which you did not buy from us or our
authorised agents.

27) If you have presented a ticket which was not issued by us or our
authorised agents.

28) If you have presented a ticket which has been reported as being lost
or stolen.

29) If you have presented a counterfeit ticket.

30) If you have presented a ticket with an alteration made neither by us
nor our authorised agents.

31) If you have presented a spoiled, torn or damaged ticket or a ticket
which has been tampered with.

32) If you cannot prove you are the person named in the ticket.

33) If you have changed your transportation without our agreement as set
out in clause 3c.

34) If you have failed to present your ticket or your boarding pass or
your travel documents to us when reasonably asked to do so.

35) If you have failed to complete the check-in process by the check-in
deadline.

36) If you have failed to arrive at the boarding gate on time.

37) If you have behaved in a way mentioned above on or in connection with
a previous flight and we believe you may repeat this behaviour.

b) Our right to refuse to carry you when we have banned you from our route
network

1) We will be entitled to refuse to carry you or your baggage if we have
given you a banning notice and you have bought your ticket while the b

Re: Dead Body Theatre

2003-07-24 Thread Dave Howe
Eric Cordian wrote:
> Now that the new standard for pre-emptive war is to murder the
> legitimate leader of another sovereign nation and his entire family,
> an "artist's rendering" of Shrub reaping what he sows would surely be
> an excellent political statement.
I am not sure these two were murdered as saddam's sons (although obviously
they were, and were no doubt given priority over equally worthy targets)
but as authority figures in the former government. That they were also (if
they could be captured) bloody useful hostages against actions by their
father probably didn't go without notice either.
However, if strafing an occupied house with helicopter gunships, rocket
launchers and heavy machine guns after a cursory "surrender or die" is
ignored, based on military intel (which as the WMD fiasco shows is
worthless if the PR spin department are demanding raw access to unfiltered
intel and filtering, not on reliability but on closeness of match to the
desired outcome) is to be the new standard, I suspect a suicide bombing of
the white house (killing all the staff and the shrub) would now be "ok"
provided they shouted 'surrender or die' first, yes?



[rdcrisp@earthlink.net: the case of the forwarded email]

2001-07-16 Thread Dave Emery
tzel's
suit against Cremers. "Even though AOL is a
classic ISP in terms of connecting you to the
Internet," he says, "it does a lot more:
maintaining forums and channels. In this
particular case, AOL had stepped out of the role
of being pure ISP provider, but the court still
applied statutory immunity." Newman completes the
analogy by saying that the Museum Security Network
too represents an "open forum for information"
that deserves protection under the law.

But Batzel's lawyer sees things differently. "My
reading of the case is that if all you do is
provide a bulletin board, it's unlikely that
there's any liability," says Fredman. "On the
other hand, if you are carefully deciding what
goes on the newsletter and adding headlines and
comments, there is no exoneration of
responsibility."

In other words, both sides recognize the legal
distinction between a "content provider" (a
publisher which is liable for content) and an
"ISP" (a platform for third-party publishing
which, so far, anyway, is not). The question is:
Which category does the Museum Security Network
fall into?


Newman argues that the Museum Security Network
qualifies as an ISP for legal purposes because it
offers a neutral forum for the third-party
exchange of news and information. Fredman counters
that the Network is more of a content provider,
since Cremers has a hand in the selection process
and posts an occasional moderator's note.

Along with testing the boundaries of Internet case
law, this issue strikes at the heart of the Museum
Security Network's enterprise. If Fredman is
right, Cremers' involvement with the newsletter
will leave him vulnerable in a court of law. But
it's precisely this human touch that readers
appreciate. Cremers was honored by the Smithsonian
this year for launching the site; his involvement
in the newsletter clearly adds value over the
automatic news alert that, say, a software program
could generate.

Even Cremers' loudest critics, who were quick to
question his publishing of Smith's letter, sound
supportive. When contacted for this story, Atkins
at the Museum of Fine Arts in Boston said he used
to read the Museum Security Network for "articles
on art sales, art theft, art smuggling, art
forgeries, etc. from all over the world. ... As an
added bonus, I found that there was a lot of
contribution from a cast of regular characters and
others who happened upon the site for professional
advice and suggestions. I thought that it was a
great site and a friendly atmosphere."

Merkel, a partner in a Chicago public relations
firm who just sold a novel on Nazi-looted art to
Penguin, agrees. While he reiterates his warning
to the Museum Security Network about "serving as
'cop on the beat,'" he also praises the newsletter
as "a valuable tool, particularly for helping
alert museum security professionals to the ongoing
news of art thefts -- more occur than you might
think."

Cremers himself received similar endorsements this
March, when he asked his readers for feedback on
the service. He was overwhelmed by the response:
"Within two days, I heard from 176 subscribers
from all over the world, from UNESCO to ICOM
(International Council of Museums) in Paris," he
says. Almost all comments were raves.

Whether or not the endorsements help Cremers'
case, they do underscore the ambitiousness, and
vulnerability, of his project. The international
black market for art and antiques is sprawling
(recent estimates put it at $6 billion to $10
billion annually, almost as large as the
legitimate art market), and tracking the stolen
goods is no easy feat. A news bulletin about
stolen art is the kind of service that the
Internet in general, and the Museum Security
Network in particular, was born to deliver.

Now, saddled with the defamation lawsuit, the
Museum Security Network's strengths have become
liabilities. Cremers' involvement in the site
could prove his Achilles' heel, suggesting that an
automated service is safer. Likewise, the
newsletter's international reach could pull the
Netherlands citizen straight into U.S. federal
court, suggesting that the Web venture would do
better to keep its readership low and local. While
the lawyers debate the definition of an ISP, the
future of Cremers' newsletter -- and with it one
model for online publishing -- hangs in the
balance.




- End forwarded message -

-- 
Dave Emery N1PRE,  [EMAIL PROTECTED]  DIE Consulting, Weston, Mass. 
PGP fingerprint = 2047/4D7B08D1 DE 6E E1 CC 1F 1D 96 E2  5D 27 BD B0 24 88 C3 18




Re: Customer service at Anonymizer/Cyberpass/Infonex

2001-07-24 Thread Dave Emery

On Mon, Jul 23, 2001 at 08:26:39PM -, Dr. Evil wrote:
> Given the fact that the Anonymizer often comes up in Cypherpunk
> contexts, and that many of you are probably reading this list from
> cyberpass.net, which is hosted by Infonex (which is the same company
> as the Anonymizer, all run by Lance Cottrell, I believe) some of you
> may be interested in what Infonex's attitude about customer service
> is, and how they conduct themselves as a business.
> 

I have been having an interesting problem with my cypherpunks
feed from sirius.infonex.net - twice in the last 3 weeks or so it
has suddenly and without warning started sending me empty email messages
(zero length body) with essentially null headers (none of the normal
email envelope headers and no indication of where the message came
from other than [EMAIL PROTECTED]).   And all flow of
actual cypherpunks list messages stopped when these anomalous messages
started.   I presume that each null message I got was really meant
to be a cypherpunks list mailing that somehow got trashed - superficially
this looks like an out of space condition in one of the spool queues.

This condition persisted in one case for 4 or 5 days and in the
most recent case for about 3.  And then things suddenly started working
again.

So indeed their system administration may leave a bit to
be desired - perhaps they are barely afloat financially and can't
pay someone to watch things like space on their server queue file
systems and backups.





-- 
Dave Emery N1PRE,  [EMAIL PROTECTED]  DIE Consulting, Weston, Mass. 
PGP fingerprint = 2047/4D7B08D1 DE 6E E1 CC 1F 1D 96 E2  5D 27 BD B0 24 88 C3 18




Frenchalon....

2001-09-08 Thread Dave Emery
 the
fortunes we spend every year, we could set up so many agents
abroad.  After all, that is our real job."

 Threat to privacy? Without a doubt.  Some of the millions of
communications tapped could be yours.  The risk is even higher if you
call a region with few cable connections, like Africa, Russia, or the
DOM-TOMs.  Nothing prohibits the DGSE from intercepting your
conversations or e-mails if they are transmitted by satellite.
Worse, this type of espionage is implicitly authorized by a 1991 law
establishing the Commission on Monitoring of Wiretaps.  Article 20 of
this law indeed stipulates that it is not within the powers of this
new commission to monitor "measures taken by the public authorities
to (...) monitor (...) transmissions via hertzian channels [Le
Nouvel Observateur editor's note: That is, via the airwaves]." In
other words, the body may monitor everything except "satellite"
taps.

 "This exception was demanded by the highest state authorities,"
confides a former advisor to then Defense Minister Pierre
Joxe.  "Why? You may remember that at that time, the DGSE was
launching a wide-ranging plan to modernize its 'big ears.'
Compromising it was out of the question." A former Elysee
staffer: "We wanted to give the secret service a free hand, not
enclose it in a quota of authorized taps."

 The members of parliament could not make head nor tail of it.
They should have been more curious.  They would have learned that
many democratic countries had already rigorously regulated the
activities of their "big ears." In Germany, eight independent
experts appointed by the parliament have monitored the BND's
wiretapping activities since 1968; they constitute the "G10"
commission.  They have considerable power. They can interrogate all
employees of the BND and view the entire tap production
process.  "The objective: to protect Germans' privacy," according to
Professor Claus Arndt, who served on this commission from 1968 to
1999.  When, during random sorting, the name of a German citizen
or company appears, the BND must erase it, barring the express
consent of the commission.  "By the same token," says Professor
Arndt, "the secret service must submit the entire list of key words
it intends to use.  It is not allowed to include the name of a
German." By next June, a law should allow super-inspectors to visit
any of the German secret service's sites, including the Kourou
station.  If France refuses to allow this, the president of the
commission could call for the BND's withdrawal from the Guyanese
base.

  In Australia, the "big ears" are under the surveillance of an
inspector general designated by the government.  He has the power to
verify that the DSD, the espionage service, applies highly
restrictive laws.  For example, any information about an Australian
collected by tapping stations must be destroyed.  A destruction
report must even be submitted to the inspector general.  In Canada,
a commissioner designated by the parliament is responsible for this
task of monitoring.  Each year, he drafts a public report.  In the
United States, the NSA's activities are monitored by an inspector
general and the US attorney general.

 When will France follow suit? In recent months, members of
Parliament have taken an interest in "big ears" ...  belonging to the
Americans.  The Defense Commission recently issued a spiteful report
about "Echelon" and the NSA (footnote: On the subject of Echelon, see
"Global Electronic Surveillance," by Duncan Campbell, Allia
Publishing). It is time for it also to study the practices of the
DGSE and propose ways of monitoring them.  This is an opportune
time.  A revolution in "tapping" is on the way.  The secret service
is planning to invest massively in interception of undersea cables.
Before plunging into this adventure, could it not be subjected to a
few democratic rules?

[Description of Source: Paris Le Nouvel Observateur (Internet
Version-WWW) in French -- left-of-center weekly magazine featuring
domestic and international political news]
-- 

Dave Emery N1PRE,  [EMAIL PROTECTED]  DIE Consulting, Weston, Mass. 
PGP fingerprint = 2047/4D7B08D1 DE 6E E1 CC 1F 1D 96 E2  5D 27 BD B0 24 88 C3 18




Next act of the drama ?

2001-10-17 Thread Dave Emery

Cc: [EMAIL PROTECTED]

Folks, the MSP has placed the following BE ON THE LOOK OUT BULLETIN (BOLO)
for a theft that occurred in New Jersey yesterday of a 45 foot
trailer/truck combo with hazardous chemicals inside:

Truck:  Freightliner, 2000,  license plate:  NJ  171469, Penske Leasing on
side of cab doors

Trailer:  45 foot, 1988, has name "Crew Rockland" on trailer and a trailer
number of 22A.  License plate NJ  T392VD

BTW warning was placed not to open up the trailer if found.

This is not meant to cause hysteria among us BUT again in our travels we
just might see that trailer somewhere!!!

 
- End forwarded message -

-- 
    Dave Emery N1PRE,  [EMAIL PROTECTED]  DIE Consulting, Weston, Mass. 
PGP fingerprint = 2047/4D7B08D1 DE 6E E1 CC 1F 1D 96 E2  5D 27 BD B0 24 88 C3 18




Re: Iridium [was: None]

2000-03-16 Thread Dave Emery

On Thu, Mar 16, 2000 at 03:45:42PM -0500, Tim May wrote:
> At 2:34 PM -0500 3/16/00, Dave Emery wrote:
> >On Thu, Mar 16, 2000 at 11:00:54AM -0500, Trei, Peter wrote:
> >>
> >>  It may be bankrupt as a commercial entity, but there are other well-heeled
> >>  groups who may take it over.
> >>
> >
> >>  I suspect those satellites may well be active for a long time to come, even
> >>  if not available for the non-elite.
> >>
> >
> > There has been talk, perhaps not grounded in reality, of
> >actually using the deorbit capability built into the satellites to
> >remove the constellation by forcing the birds to reenter and burn up. It
> >has been claimed that this might be necessary in order to get maximum
> >tax writeoff for the loss.   It is certainly in general true that
> >companies in the USA seem to need to physically destroy obsolete or
> >unneeded equipment in order to satisfy the US tax code and get maximum
> >writeoff, apparently if there is any question of residual value things
> >get sticky.
> 
> Look, sorry to sound grumpy, but you are just speculating about what 
> has been widely, widely reported in the news. Read Yahoo or Lycos or 
> any other such source. It's frustrating watching people just 
> speculating and reporting what they have heard as "talk."

If you are complaining about what I wrote, let me say I chose my
words carefully.  I had indeed seen the press reports on the net about
the intent to deorbit the system, but had not seen any official
statement to that effect by Motorola or the Bankruptcy court.   Perhaps
I was being overly cautious, but in the absence of a solid primary
source (that I had seen) it seemed prudent to report the whole thing as
"talk" as the notion of deorbiting a 4 billion dollar satellite
constellation as a tax maneuver strikes me as a pretty drastic action
and something I would want to have seen primary source material on
before I stated it as fact.   If there have been such statements by
the principals in the matter, I missed them and am sorry to have
engaged in "just speculating", though there is certainly plenty of
that on the cypherpunks list.

I stand behind my original point (which is why I opened my
mouth in the first place) which is that the Motorola patents regarding
law enforcement access to communications are primarily relevant to
IRIDIUM alone and don't happen to apply to the other LEO and GEO sat
phone systems which use bent pipe repeaters and ground processing
of the signals.

> 
> The plan to deorbit the 66 satellites will go into effect soon. 
> Tomorrow night at 11:59 the phone service will be turned off, unless 
> a buyer is found (or some other last minute funding arrives).
> 
> Deorbiting is essentially necessary to get rid of the junk in 
> orbit. Keeping the satellites on station requires money (for ground 
> controllers, etc.), and replacements would have to be launched as 
> needed to keep the system viable. It is simply _not_ the case that 
> they can just be left in orbit with no costs and used as needed.
> 

This is a (perhaps slightly clearer) restatement of the point
I was making in my post.  Peter Trei, not I, was the one who was 
speculating about continued use of "those satellites".


> --Tim May
> 
> 
> 
> -- 
> -:-:-:-:-:-:-:
> Timothy C. May  | Crypto Anarchy: encryption, digital money,
> ComSec 3DES:   831-728-0152 | anonymous networks, digital pseudonyms, zero
> W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
> "Cyphernomicon" | black markets, collapse of governments.
> 

-- 
Dave Emery N1PRE,  [EMAIL PROTECTED]  DIE Consulting, Weston, Mass. 
PGP fingerprint = 2047/4D7B08D1 DE 6E E1 CC 1F 1D 96 E2  5D 27 BD B0 24 88 C3 18




Re: Iridium [was: None]

2000-03-16 Thread Dave Emery

On Thu, Mar 16, 2000 at 11:00:54AM -0500, Trei, Peter wrote:
> 
> It may be bankrupt as a commercial entity, but there are other well-heeled
> groups who may take it over. 
> 

> I suspect those satellites may well be active for a long time to come, even
> if not available for the non-elite.
> 

There has been talk, perhaps not grounded in reality, of
actually using the deorbit capability built into the satellites to
remove the constellation by forcing the birds to reenter and burn up. It
has been claimed that this might be necessary in order to get maximum
tax writeoff for the loss.   It is certainly in general true that
companies in the USA seem to need to physically destroy obsolete or
unneeded equipment in order to satisfy the US tax code and get maximum
writeoff, apparently if there is any question of residual value things
get sticky.

The problem with keeping the system going is that the gateways
and spacecraft tracking and operations both cost substantial money
per month to operate - also the cost of replacing bad satellites is
obviously significant and becomes more of a problem over time.  An
incomplete constellation with gaps in coverage at random times would
be less interesting to most users.

I do believe that the US government has looked at the prospect
of buying the system, and decided it wasn't worth it.


> Peter
>  
> 

-- 
Dave Emery N1PRE,  [EMAIL PROTECTED]  DIE Consulting, Weston, Mass. 
PGP fingerprint = 2047/4D7B08D1 DE 6E E1 CC 1F 1D 96 E2  5D 27 BD B0 24 88 C3 18




Re: Disk INsecurity:Last word on deletes, wipes & The Final Solution.

2000-04-06 Thread Dave Emery

On Thu, Apr 06, 2000 at 06:56:47PM -0400, Lucky Green wrote:
> I am not aware of any high-end data recovery outfits that use software
> solutions. Everybody I know of in that space uses STM's. I believe it was
> Peter Gutmann who publicized the fact that you can buy STM workstations that
> ship with vacuum chucks for all popular platter sizes.
> 
> --Lucky Green <[EMAIL PROTECTED]>
> 
Have any of your contacts in this arena given you any sense of
how many layers of data their operational STM systems used day to day in
their recovery business (not some theoretical system they don't really
have up and usable) can actually recover off a typical disk platter ? Is
it 1, 2, 5, or 25 discrete layers ?   And what kind of bit error rate in
the recovered data do they achieve with the STMs ?   How automated is
the process ? Can they prepare a platter, pump down the chamber and read
out multiple layers  of data almost as if reading a disk with the drive
electronics or is there a lot of human operator intervention and
twiddling required to set things up to retrieve a sector ?  I assume the
actual interpretation of the STM scan output as encoded binary data is
completely automated and that they are not ever working from raster
images by hand using the human eye and brain as a kind of OCR (unlike IC
mask reverse engineering of a few years back) ?

Do they often recover overwritten information at all ?  I would
imagine that most disk recovery work involves drives that went bad
leaving valuable data inaccessible via normal disk reading mechanisms
due to problems like corrupt servo tracks and damaged media surfaces
and heads rather than actual overwritten information.  Sure there might
be cases of a sector or two that needs to be read in order to 
correctly understand the rest of the data, but massive recovery
of gigabytes should be rare I would think...

-- 
Dave Emery N1PRE,  [EMAIL PROTECTED]  DIE Consulting, Weston, Mass. 
PGP fingerprint = 2047/4D7B08D1 DE 6E E1 CC 1F 1D 96 E2  5D 27 BD B0 24 88 C3 18





Re: POTS encryption product.

2000-07-23 Thread Dave Emery

On Sun, Jul 23, 2000 at 02:37:08AM -0400, BMM wrote:
> http://www.l-3com.com/cs-east/programs/infosec/privatel.htm
> 
> A triple-DES bump-in-the-cord encrypter, retails for ~US$600.

> Buyer beware, L-3 is a Lock-Mart spinoff with NSA and DoD contracts.
> 
That is sort of an understatement, among other things they are
the only supplier of the next generation government secure phone - the
STE.   Certainly makes one wonder about whether the Privatel device is
genuinely secure and a major NSA and DOD contractor actually allowed to
sell bump in the cord 168 bit 3-DES devices with DH key exchange to
apparently  just about anyone - sure makes one wonder where the backdoor
is... (perhaps they broadcast the key in TEMPEST emanations - the specs
say nothing about TEMPEST certification)...

-- 
Dave Emery N1PRE,  [EMAIL PROTECTED]  DIE Consulting, Weston, Mass. 
PGP fingerprint = 2047/4D7B08D1 DE 6E E1 CC 1F 1D 96 E2  5D 27 BD B0 24 88 C3 18




Re: 2600 - bell toll signals

2000-07-27 Thread Dave Emery

On Thu, Jul 27, 2000 at 02:20:26AM -0400, !Dr. Joe Baptista wrote:
> Hello:
> 
> I'm looking for a list of telephone company modulation frequencies used on
> toll lines (trunk lines) to control switching between offices.  Anyone
> know where I can find them. Used to know them by heart - 2600 to disconnect
> and 300 - 1200 ?? for the control tones.
> 
> Joe Baptista
> 

In band signalling (tones on the trunk lines) is no longer in
use in the USA to any important degree and hasn't been since the late
70s or so.   Control of call setup and supervision is handled by an out
of band packet network using a signalling protocol called signalling
system 7 (SS7) running over entirely separate data circuits which often
don't even take the same paths through the network as the trunk groups
they control do.

But what you are looking for is the CCITT signalling system #5
or the Bell MFKP (multifrequency key pulsing) tone set  (different than DTMF,
the touch tone tones).  Also commonly known as the "Blue Box" tones.
The US frequencies were 700, 900, 1100, 1300, 1500, 1700 sent in pairs.

But what this has to do with cryptography and the politics of privacy
I am apparently too dimwitted to see...



-- 
Dave Emery N1PRE,  [EMAIL PROTECTED]  DIE Consulting, Weston, Mass. 
PGP fingerprint = 2047/4D7B08D1 DE 6E E1 CC 1F 1D 96 E2  5D 27 BD B0 24 88 C3 18





Re: [s-t] needle in haystack digest #3 (fwd from Nick.Barnes@pobox.com)

2003-11-07 Thread Dave Howe
Tim May wrote:
> On Thursday, November 6, 2003, at 09:20  AM, Dave Howe wrote:
>>> No Such Agency doesn't fab much of anything; they can't afford to.
>>> They and their ilk are far more interested in things like FPGAs and
>>> adapting numerical algorithms to COTS SIMD hardware, such as graphics
>>> processors (a la http://www.gpgpu.org/).
>> Why do they have their own fab plant if they don't fab anything?
>> http://www.globalsecurity.org/intell/facility/nsaspl.htm
> I heard ten years ago that the National Semi fab on-site was a lowly
> 2-micron fab. Which was enough for keying material.
Hmm. according to the link I found and posted, they *started* at 1-micron
and has been tracking its "industry partners" improvements in tech, 0.8
microns up to 1995 then .5 then onwards (with an eventual goal of 0.35,
although the piece was written in 1995 so they are probably on copper now
too)

> Crunching chips, for special purpose computers, don't carry the same
> security requirements, as the secret stuff in the code that is being
> run and not the fuses or links being blown. For this, they would use
> whatever is out there.
Non-volatile keying material on-chip requires only standard proms - much
cheaper just to buy those off the shelf; for that matter Industry standard
"smartcards" usually possess cpu, eaprom  program and eaprom data areas on
a single chip (and the application would actually prefer some sort of
dynamic memory whose contents will vanish if the power is removed from the
onboard CPU but we can leave that aside for now - smartcard chips often
have that too)
Some of that capacity is no doubt used and intended to bridge real or
artificial chip droughts (if a manu doesn't want to sell them a given
chip, or raises the price drastically because he knows how essential it is
to some secure device, the NSA can churn out a few thousand to fill in the
gap) but there are advantages to having a completely custom chip - if no
attacker could possibly know the layout, command set or capabilities of a
chip, that makes his job so much harder (not quite STO - if an attacker
has only one or two chips to attack, then every time he gets hit by a trap
that removes a crackable device; custom chips can have such things as
capacitive test pads (for detection of insulation removal) thin conductive
(but visually identical) layers that must maintain continuity, and so
forth.)



Biometric ID cards to be "backdoored" in the UK

2003-11-11 Thread Dave Howe
  Students of UK politics should be aware that the British prime minister
considered it a sign of "moral courage" to press ahead with an attack on
Iraq despite protests in the streets and massed opposition by politicians
of all parties, and that forging evidence is fully justified by the
results.
  That being given, it should come as no surprise that, despite public
opposition by the people, other politicians and the prime minister himself,
and repeated proofs that ID cards have no effect at all on terrorism (for
instance, the 9/11 attackers all had ID) the Home Secretary is pressing
forward with a road map to compulsory ID cards for all UK citizens by
2012.
  The "results summary" from a consultation process that was more than 70%
opposed to introduction of ID Cards is here:
http://www.official-documents.co.uk/document/cm60/6020/6020.htm
  Note that the preferred path is now to update passport and driving
licence documents (at the citizen's expense) to include digital ID and
biometric information; once 80% of citizens have been forced to accept ID
cards by this backdoor process (no parliamentary debate required) it will
seem only a small step to force the remaining 20% to purchase such a card.
There will apparently not be any compulsion to *carry* the card (at this
stage) but it will be required to be produced to obtain access to
government controlled services such as healthcare



CONGRATULATIONS WINNER

2003-11-12 Thread moore dave
LOTTO CHANCELLOR, PRIZE AWARD DEPARTMENT, ATTENTION: RE/ AWARD NOTIFICATION; FINAL NOTICE We are pleased to inform you of the announcement today,13th.novenber2003, of winners of the GRANDPREMIUM LOTTO PROMO LOTTERY,THE NETHERLANDS/ INTERNATIONAL, PROGRAMS held on 13th novenber 2003.Your company/You,is attached to  ticket number 023--790-459, with serial number 5073-10 drew the lucky  numbers  43-10-42-37-10-43, and consequently won the lottery inthe 3rd   category.  You have therefore  been approved for a lump sum pay out of US$2.5M in cash credited to  file REF: XYL /26510460037/02. This is from total prize  money of  US$42,500,000.00 shared among the seventeen international winners in this  category. All participants were selected through a computer ballot system  drawn form 25,000 names from,Africa, Australia, New Zealan d, America,  Europe, North  America and Asia as part of International Promotions  Program, which is  conducted annually. 
CONGRATULATIONS! Your fund is now deposited with a Security companyinsured in your  name. Due to the mix up of some numbers and names, we ask that you keep this award strictly from  public notice until your claim has been processed and your money  remitted to your account. This is part of our security protocol to avoid  double claiming or unscrupulous acts by participants of this program. We hope with a part of you prize, you will participate  in our end of year high  stakes US$1.3 billion International Lottery. To begin your claim,   please contact  our International claim agent; Ms HELLEN SCOTT FOREIGN SERVICE MANAGER/CONSULTANT, [EMAIL PROTECTED] For due processing and remittance of your prize money to a designated  account of your choice. Remember, all prize money must be claimed not  later than 13th december2003. After this date, all funds will be  returned as unclaimed. 
NOTE: In order to avoid unnecessary delays and complications, please  remember to quote your  reference and batch numbers in every one of your corespondences with  your agent.Furthermore, should there be any change of your address, do  inform your claim s agent as soon as possible. Congratulations again  from all our staff and thank you for being part of our promotions program.  
Sincerely, DAVE MOORE
THE PROMOTIONS MANAGER,GRAND PREMIUM LOTTO PROMO LOTTERY,THE NETHERLANDS. N.B. Any breach of confidentiality on the part of the winners will result to disqualification. The company has three payment centers. 
 
 


Re: Partition Encryptor

2003-11-17 Thread Dave Howe
Sunder wrote:
> Which only works on win9x, and no freeware updates exist for
> Win2k/XP/NT. i.e. worthless...
There was a payware (but disclosed source) update for NT/2K, and of course
E4M (on which the NT driver for scramdisk was based) was always NT
compatible and very similar to Scramdisk. I don't think either works on XP
though (and of course DriveCrypt by the authors of both scramdisk and E4M
is both closed source and product activation - a dark path to walk)
E4M can still be downloaded from
http://www.samsimpson.co.uk/cryptography/scramdisk/

IIRC E4M could also mount existing scramdisks, but had trouble dismounting
them cleanly on W2K.



Re: Freedomphone

2003-11-19 Thread Dave Howe
Steve Schear wrote:
> If and when this is accomplished the source could then be used, if it
> can't already, for PC-PC secure communications.  A practical
> replacement for SpeakFreely may be at hand.  The limitation of either
> direct phone or ISDN connection requirement is a problem though.
*nods* it is over a POTS or ISDN (ie, normal phone) conversation, not over
IP. have to wait and see what the code looks like to see exactly what crypto
and how it is keyed as well.

as a related aside - does anyone know of a decent SIPS VoIP implementation?
preferably one that uses some sort of PKI?



Re: Freedomphone

2003-11-19 Thread Dave Howe
Steve Schear wrote:
> No, but this may be of interest.
> http://www.technologyreview.com/articles/wo_hellweg111903.asp
>
> Its closed source but claims to use AES.
*nods*
closed source, proprietary protocol, as opposed to SIP which is an RFC
standard (and interestingly, is supported natively by WinXP)
Might not be snakeoil, but I am giving it a wide berth anyhow.



Re: Freedomphone

2003-11-20 Thread Dave Howe
Neil Johnson wrote:
> On Wednesday 19 November 2003 05:33 pm, Dave Howe wrote:
> SIP is just the part of the VoIP protocols that handles signaling
> (off-hook, dialing digits, ringing the phone, etc.). The voice data
> is handled by Real-Time Streaming Protocol (RTSP), one stream for
> each direction.
*nods* and it is normally UDP, which is good for latency and lousy for NAT
traversal. Partysip supports rtsp over tcp I believe - as a proxy, which
adds yet another layer of latency *sigh*



Re: e voting

2003-11-21 Thread Dave Howe
Tim May wrote:
> Without the ability to (untraceably, unlinkably, of course) verify
> that this vote is "in the vote total," and that no votes other than
> those
> who actually voted, are in the vote total, this is all meaningless.
The missing step is that that paper receipt isn't kept by the voter - but
instead, is deposited in a conventional voting box for use in recounts.



HELLO!!

2003-11-25 Thread moore dave
Dear SIR/MADAM.

I am Barrister Moore Dave a Solicitor, I know it will come
to you as a surprise because we have not met either
physically or through correspondence. I am the Personal
Attorney to Mr. Adams Blair a Foriegn national and a
contractor here in Nigeria. On the 21st of April 2000, my
client,wereinvolved in a car accident along Ibadan / Lagos
ExpressRoad.Unfortunately they All lost their lives in the
event of the accident, after the several unsuccessful
attempts, I decided to trace his relatives over
the Internet to locate any member of his family but of no
avail, hence I contacted you.

I plead for your assist in repatriating the money and
property left behind by my client before they get
confiscated or declared unserviceable by the Apex Bank
where these huge deposits were lodged. Particularly, the
APEX BANK where the deceased had an account valued at about
US$28M United Stated Dollars.Consequently, APEX BANK Has
issued me a notice to provide the next of kin
or have the account confiscated. Since I have been
unsuccessful in locating the relatives for over 2 years
now.

I seek your consent to present you as the next of kin of
the deceased, so that the proceeds of this account valued
at US$28MD can be paid to you and then you and me can share
the money. 50% to me and 40% to you, while 10% should be
for expenses or tax as your government may require.If you
are interested to kindly forward immediately the following:

1. YOUR FULL NAME
2. CONTACT ADDRESS
3. PRIVATE TELEPHONE AND FAX NUMBER.

I have all necessary legal documents that can be used to
back up any claim we may make. All I require is your honest
cooperation to enable us see this deal through. I guarantee
that this will be executed under a legitimate arrangement
that will protect you from any breach of the law.Please
direct
your reply through the Email Box below immediately you
receive this proposal
for more explanation on the inheritance.

Yours Faithfully,

BarristerMoore Dave (Esq.).


Re: e voting (receipts, votebuying, brinworld)

2003-11-26 Thread Dave Howe
Miles Fidelman wrote:
> - option for a quick and dirty recount by feeding the ballots through
> a different counting machine (maybe with different software, from a
> different vendor)
or indeed constructing said machines so they *assume* they will be feeding
another machine in a chain (so every party could have their own counter in
the chain if they wish to, and each gets a bite at the cherry in sequence)



Re: U.S. in violation of Geneva convention?

2003-12-15 Thread Dave Howe
Jim Dixon wrote:
> The Geneva conventions require, among other things, that soldiers wear
> uniforms.
  No, they don't.

  Fox news repeats this enough that more than half of America believes it,
but then, more than half of America believes Iraq was somehow involved in
the Trade Center attacks too

  The rules are considerably more lax for the defenders than the
attackers - if you are entering another country, then you must either be
part of a uniformed, standing army or be part of a militia (with a rigid
authority structure, open carriage of arms and an identifying badge or
emblem). You must also respect the rules of war - so at least in theory,
even a uniformed "official" combatant is not entitled to the protections
of the Geneva conventions if he himself breaks those conventions (by e.g.
shooting noncombatants)

  If you are defending though, you are entitled to the protection of the
Geneva convention (and lawful combatant status) simply by being an "open"
hostile (carrying your weaponry openly and obeying all the usual
provisions of the Geneva convention, which obviously doesn't allow hiding
in a crowd of civilians). This is the "take up arms" provision so beloved
of the American people - that in the face of invasion, the ordinary
citizen would "take up arms" to defend his home and neighbours.

  There is considerable doubt as to exactly how this applies to sniping -
certainly, uniformed combatants are little less likely to decide to dive
into cover and "take out" their opponents with aimed fire than random
undertrained militia are, and it would be insane for a lone "take up arms"
defender to stand out in the open to "duke it out"; the problem is a
random sniper is difficult to locate *after* an attack if he is not
otherwise identifiable; ok, he isn't permitted to drop his weapon and
retain his lawful combatant status, but nor could a uniformed individual
(one of several) be expected to volunteer that he was the one who just
killed four of the team now pointing weapons at him. (the "take up
arms" provision seems to assume the defender picks up a gun and continues
firing until he is killed, captured, or he wins :)

"name rank and number" is for the movies.



Re: Snake oil?

2004-01-06 Thread Dave Howe
[EMAIL PROTECTED] wrote:
> http://www.topsecretcrypto.com/
> Snake oil?
I am not entirely sure.
on the plus side - it apparently uses Sha-1 for a signing algo, RSA with a
max keysize of 16Kbits (overkill, but better than enforcing something
stupidly small), built in NTP synch for timestamps (probably spoofable,
but at least a valiant attempt to keep timestamps accurate "by default")
and supports a range of file, folder, email and chat crypto with a
onscreen keyboard for password entry (again, not unbeatable but a valiant
attempt)

next step is the symmetric component though - which shows more than slight
traces of oil.

First is a randomly generated session key, protected by the RSA
component - on the face of it fine (it's how pgp and smime do it, after
all) but no details are given on *how* the random key is obtained (the
code apparently "contains a true random number generator" which seems
doubtful) and the symmetric component is a proprietary algo (for which
source is provided, but even so...)
Second is pretty much pgp's conventional mode - but with a user supplied
key. no mention of hashing, and again, the proprietary algo is in use.
Third is True One Time Pad - yes well duh! I could write one in eight
lines or so of VBScript, for free. Nobody needs to pay for a OTP
application, certainly not per-seat.

An announcement of the software (and subsequent discussion) took place in
Sci.Crypt some months ago - dejagoogle link here:
http://makeashorterlink.com/?M138249F6 - if anyone wants to read it.



Re: Canada issues levy on non-removable memory (for MP3 players)

2004-01-11 Thread Dave Howe
> Would something like this go over in the US? I wonder ...
I thought that there was already a levy on blank CDR media in the US;
there is certainly already one on blank audio tapes...



Re: [mnet-devel] DOS in DHTs (fwd from amichrisde@yahoo.de)

2003-10-22 Thread Dave Emery
On Wed, Oct 22, 2003 at 04:47:02PM -0700, Steve Schear wrote:
> 
> I think the U.S. Constitution will stand in the way of widespread adoption 
> of NDLs.  They may have regulated firearms, though these laws are widely 
> ignored by citizens, but I have yet to see a license for owning a 
> typewriter or PC proposed.  They have already ruled numerous times that the 
> Internet is deserving of at least as free and access as print media and 
> political flyers (which can be anonymous and still pass legal muster).
> 

You are an optimist.  Us pessimists see use of
Palladium/TCPA/NGSCB as all too tempting a means of regulation of the
net.   Initially one will not be able to get high speed Internet service
at affordable rates without the big brother inside, but as this
"voluntary" commercial regulatory measure proves not to curb behavior
that certain powerful lobbies want controlled, there will be mandatory
requirements imposed by law as per the Fritz chip.

Perhaps courts will not allow such to be used for explicit
censorship of otherwise legal free speech, but I'd not bet that an ISP
would be required to allow "objectionable content" to pass over its
wires under such a scheme.

And once one must register to obtain certificates for Palladium/NGSCB
attestation, one really does have a form of net drivers license.

> steve  

-- 
   Dave Emery N1PRE,  [EMAIL PROTECTED]  DIE Consulting, Weston, Mass 02493




Accoustic Cryptoanalysis for RSA?

2004-05-10 Thread Dave Howe
opinions?
http://www.wisdom.weizmann.ac.il/~tromer/acoustic/



Re: Science: throttling computer viruses

2004-05-21 Thread Dave Howe
Eric Cordian wrote:
> I have a dual boot system which normally runs Linux.  Since it had
> been a couple of months since I last ran XP, I booted it on Tuesday
> to run Windows Update, and keep it current with critical patches.
> Within minutes, before I had even downloaded the first update, my box
> ground to a nearly screeching halt from Sasser, and some other piece
> of malware which was trying to make thousands of connections to
> random IPs on port 5000.
Personally, I would have downloaded the patches under linux, rebooted
offline, installed them and *then* ran the update.
but that's just me :)



Re: Reverse Scamming 419ers

2004-06-11 Thread Dave Howe
Eric Cordian wrote:
> But Nigeria is a very poor country, with high unemployment, where
> people are forced by economic circumstances to do almost anything to
> try and feed their families. I see no reason to be proud of
> reverse-scamming a Nigerian out of $80 when it might be his entire
> family's food money for the month.
Presumably these are the Nigerians who have only $80 for food that 
month, yet somehow can still afford to bulkspam thousands of inboxes 
each day, process bank transactions and take part in international phone 
calls.
hell, if that sort of internet access and telephony is so cheap it 
doesn't make a noticable dent in a $80/month income, I definitely should 
move there myself!



EZ Pass and the fast lane ....

2004-07-02 Thread Dave Emery
Having been inspired by some subversive comments on cypherpunks,
I actually looked up the signaling format on the EZ-Pass toll
transponders used throughout the Northeast.  (On the Mass Pike, and most
roads and bridges in NYC and a number of other places around here).

They are the little square white plastic devices that one 
attaches to the center of one's windshield near the mirror and which
exchange messages with an interrogator in the "FAST LANE" that debits
the tolls from an account refreshed by a credit card (or other forms of
payment).   They allow one to sail through the toll booths at about
15-20 mph without stopping and avoid the horrible nuisance of digging
out the right change while rolling along at 70 mph in heavy traffic.

Turns out they use Manchester encoded on-off keying (EG old
fashioned pulsed rf  modulation) at 500 kilobits/second on a carrier
frequency of 915 mhz at a power a little under 1 mw (0 dbm).

The 915 mhz is time shared - the units are interrogated by being
exposed to enough 915 mhz pulsed energy to activate a broadband video
detector looking at energy after a 915 mhz SAW filter (presumably around
-20 dbm or so).  They are triggered to respond by a 20 us pulse and will
chirp in response to between a 10 and 30 us pulse.   Anything longer and
shorter and they will not respond.

The response comes about 100-150 us after the pulse and consists
of a burst of 256 bits followed by a 16 bit CRC.  No present idea what
preamble or post amble is present, but I guess finding this out merely
requires playing with a transponder and DSO/spectrum analyzer.

Following the response but before the next interrogation the
interrogator can optionally send a write burst which also presumably
consists of 256 bits and CRC.

Both the interrogators and transponders collect two valid
(correct) CRC bursts on multiple interrogations and compare bit for bit
before they decide they have seen a valid message.

Apparently an EEPROM in the thing determines the partition
between fixed bits set at the factory (eg the unit ESN) and bits that
can get written into the unit by the interrogators.   This is intended
to allow interrogators at on ramps to write into the unit the ramp ID
for units at off ramps to use to compute the toll... (possibilities for
hacking here are obvious for the criminally inclined - one hopes the
system designers were thoughtful and used some kind of keyed hash).

No mention is made of encryption or challenge response
authentication but I guess that may or may not be part of the design
(one would think it had better be, as picking off the ESN should be duck
soup with suitable gear if not encrypted).

But what I have concluded is that it should be quite simple
to detect a response from one's transponder and activate a LED or
beeper, and hardly difficult to decode the traffic and display it
if it isn't encrypted.   A PIC and some simple rf hardware ought
to do the trick, even one of those LED flashers that detect cellphone
energy might prove to work.

Perhaps someone more paranoid (or subversive) than I am will
follow up and actually build such a monitor and report whether there
are any interrogations at OTHER than the expected places...

-- 
   Dave Emery N1PRE,  [EMAIL PROTECTED]  DIE Consulting, Weston, Mass 02493
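
The burst validation described in the post above, as an added example that is not part of the original message: Manchester decoding, the 16-bit CRC check, and the rule that two CRC-valid bursts must agree bit for bit, run on constructed data. The CRC polynomial and initial value (CCITT, 0xFFFF), the Manchester polarity, and all function names are assumptions; the post specifies none of them.

```python
import random

PAYLOAD_BITS = 256   # from the post: burst of 256 bits
CRC_BITS = 16        # from the post: followed by a 16 bit CRC
CRC_POLY = 0x1021    # ASSUMPTION: CCITT polynomial, the post does not name one
CRC_INIT = 0xFFFF    # ASSUMPTION: initial register value


def crc16(bits, init=CRC_INIT):
    """Bit-serial, MSB-first CRC-16 over an iterable of 0/1 values."""
    reg = init
    for b in bits:
        feedback = ((reg >> 15) & 1) ^ b
        reg = (reg << 1) & 0xFFFF
        if feedback:
            reg ^= CRC_POLY
    return reg


def int_to_bits(value, width):
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def manchester_encode(bits):
    """ASSUMPTION: IEEE 802.3 polarity, 1 -> (low, high), 0 -> (high, low)."""
    out = []
    for b in bits:
        out.extend((0, 1) if b else (1, 0))
    return out


def manchester_decode(halves):
    """Return the data bits; raise ValueError on a coding violation."""
    if len(halves) % 2:
        raise ValueError("odd number of half-bit samples")
    bits = []
    for i in range(0, len(halves), 2):
        pair = (halves[i], halves[i + 1])
        if pair == (0, 1):
            bits.append(1)
        elif pair == (1, 0):
            bits.append(0)
        else:
            raise ValueError(f"no mid-bit transition at bit {i // 2}")
    return bits


def build_burst(payload):
    """Payload plus CRC, Manchester encoded (half-bit samples)."""
    frame = list(payload) + int_to_bits(crc16(payload), CRC_BITS)
    return manchester_encode(frame)


def check_burst(halves):
    """Return the payload as a tuple if the burst is well formed, else None."""
    try:
        frame = manchester_decode(halves)
    except ValueError:
        return None
    if len(frame) != PAYLOAD_BITS + CRC_BITS:
        return None
    payload, rx_crc = frame[:PAYLOAD_BITS], frame[PAYLOAD_BITS:]
    if int_to_bits(crc16(payload), CRC_BITS) != rx_crc:
        return None
    return tuple(payload)


class BurstValidator:
    """Accept a message only after two CRC-valid bursts agree bit for bit."""

    def __init__(self):
        self.pending = None

    def feed(self, halves):
        payload = check_burst(halves)
        if payload is None:
            return None             # bad burst: ignored, pending copy kept
        if payload == self.pending:
            self.pending = None
            return payload          # second matching copy: confirmed
        self.pending = payload      # first sighting or disagreement: start over
        return None


def undetected_error(burst_halves, error_payload):
    """Apply an error pattern that is itself a CRC codeword, so the CRC still checks.

    The CRC is linear: crc(m ^ e) == crc(m) ^ crc(e, init=0) for equal lengths.
    """
    frame = manchester_decode(burst_halves)
    err = list(error_payload) + int_to_bits(crc16(error_payload, init=0), CRC_BITS)
    return manchester_encode([a ^ b for a, b in zip(frame, err)])


def demo():
    rng = random.Random(1)          # constructed payload, not real transponder data
    payload = [rng.randint(0, 1) for _ in range(PAYLOAD_BITS)]
    good = build_burst(payload)
    noisy = list(good)
    noisy[10] ^= 1                  # one half-bit hit: Manchester coding violation
    err = [0] * PAYLOAD_BITS
    err[5] = err[77] = 1
    wrong = undetected_error(good, err)   # CRC passes, payload is wrong
    v = BurstValidator()
    return [v.feed(b) is not None for b in (noisy, wrong, good, good)]
```

The `wrong` burst passes the CRC on its own and is only rejected because the next read disagrees with it, which is the case the two-burst comparison exists for; neither check authenticates the sender, which is why the post hopes for a keyed hash.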



Re: Tyler's Education

2004-07-03 Thread Dave Emery
On Sat, Jul 03, 2004 at 09:41:44PM -0500, J.A. Terranson wrote:
> On Sat, 3 Jul 2004, Major Variola (ret) wrote:
> 
> > At 07:18 PM 7/3/04 -0400, Tyler Durden wrote:
> > >I dunno...as an ex-optical engineer/physicist, I'm sceptical about this
> > >whole scary "tempest" bullcrap. Even if it can be made to work fairly
> > >reliably, I suspect deploying it is extremely costly.
> 
> Scary or not, I can attest from first hand personal knowledge that this
> type of monitoring is in active use by the US, and has been for over 4
> years (although it's only been "mainstream" for ~2).

Would you care to comment on any technical or other details ?

Tempest monitoring of raster scan CRTs has been around for
a long long time... but most current LCD displays are much less vulnerable
as pixels are switched in parallel (and of course not painted at high
speeds allowing optical monitoring).  But many video cards generate
the rasterized stuff anyway... and use that interface to talk to
the LCD monitor.

Tempest monitoring of energy on communications lines and power
lines related to internal decrypted traffic has been around since
before the Berlin tunnel... and used effectively.  But the heyday
of this was the mechanical crypto and mechanical Teletype era...
where sparking contacts switched substantial inductive loads.

Tempest monitoring of CPU and system behavior is a newer trick
in most cases if it is effective at all in typical situations.

Obviously Tempest monitoring of copper wire ethernet LAN traffic
is possible.   Wireless LANs, of course, aren't a Tempest issue.

Perhaps some keyboards radiate detectable keystroke related
energy...

But given the current statist tendencies here and elsewhere, it
would not surprise me at all to hear that any and all techniques for
surveillance anyone has shown to be effective are likely in active
use - there is money, interest, and a great lowering of inhibitions.
And certainly there has been more than enough open discussion of Tempest
type side channel attacks, unlikely the folks behind the curtain have
just ignored all of it...

On the other hand the cost, complexity and sophistication of
the gear required to extract information at useful ranges is still
daunting compared to other methods of obtaining the same information
(such as black bag jobs with disk copiers and use of trojans to capture
passphrases).


-- 
   Dave Emery N1PRE,  [EMAIL PROTECTED]  DIE Consulting, Weston, Mass 02493



Switzerland forcing registration of PrePay customers

2004-07-06 Thread Dave Emery
----- Forwarded message from NEXTEL-1 -----

--
Switzerland forcing registration of PrePay customers

The Swiss parliament decided last year to make registration mandatory
for prepaid cards. By law, all mobile providers will have to be able to
provide information about customers buying their prepaid products for at
least two years after the purchase. As of 1 July 2004, customers will
have to register when buying a prepaid card from Swisscom Mobile (NATEL
easy). Those who started using their NATEL easy cards on or after 1
November 2002 will have to register retrospectively.

The authorities are aiming to limit the misuse of prepaid cards by these
measures.
Customers will be registered when they buy a NATEL easy SIM card.  For
verification, proof of identity will be required in the form of a valid
passport, identity card or other travel document accepted for entry into
Switzerland. In addition to the customer's personal details, Swisscom
Mobile must also record the type of and number of the form of
identification presented. The NATEL easy card will only be activated for
use when all the necessary customer details have been recorded.
Customers attempting to make calls with an unregistered prepaid card
will hear a greeting prompting them to register their NATEL easy card.

Retrospective registration until end of October 2004

On 23 June 2004, the Federal Council decided that prepaid customers who
started using SIM cards on or after 1 November 2002 would have until 31
October 2004 to register. Swisscom Mobile will seek to ensure that the
registration of these customers takes place in line with the statutory
requirements and in as customer-friendly a manner as possible. The
customers affected will be prompted via SMS to register their SIM cards.
Registration can be made wherever Swisscom Mobile NATEL subscriptions
can be purchased. In addition to the customers' personal details,
Swisscom Mobile will also have to record their SIM card and mobile phone
numbers.


In accordance with the regulation, Swisscom Mobile will be obliged to
block the access of customers who have not registered by 31 October
2004. Retrospective registration also applies to those prepaid customers
who have already registered voluntarily with Swisscom Mobile in the
past. The only exceptions are NATEL® easy customers who have registered
formally (i.e. on presentation of a valid passport or identity card) in
a Swisscom Shop since the middle of April 2004.
On the basis of current information, Swisscom Mobile believes that
several hundred thousand NATEL easy customers will have to register
retrospectively.


Posted to the site on 05-Jul-04
http://www.cellular-news.com/story/11407.shtml

-- 
   Dave Emery N1PRE,  [EMAIL PROTECTED]  DIE Consulting, Weston, Mass 02493



Re: Secure telephones

2004-07-18 Thread Dave Howe
Thomas Shaddack wrote:
> The easiest way is probably a hybrid of telephone/modem, doing normal
> calls in "analog" voice mode and secure calls in digital modem-to-modem
> connection. The digital layer may be done best over IP protocol, assigning
> IP addresses to the phones and making them talk over TCP and UDP over the
> direct dialup. (We cannot reliably use GPRS, as the quality of service is
> not assured, so we have to use direct dialup. But we can implement "real"
> IP later, when the available technology reaches that stage.)
IIRC, PGPfone (http://www.pgpi.org/products/pgpfone/) did something 
similar, with a "verbal handshake" protocol that relied on you being 
able to recognise the remote party's voice over the phone while speaking 
a list of words always seemed both unreliable and odd in something 
with "PGP" in the name, but

> Once we have the phones talking over IP with each other, we can proceed
> with the handshake. I'd suggest using OpenSSL for this purpose, as it
> offers all we need for certificates and secure transfer of the key. Then
> use UDP for the voice itself, using eg. stripped-down SpeakFreely as the
> engine. So during the call, two connections will be open over the IP
> channel: the command one (SSL-wrapped TCP, for key and protocol handshake,
> ensuring the identity of the caller, etc.), and the data one (a
> bidirectional UDP stream). As the command connection should be silent for
> most of the time, a 14k4 modem should offer us enough bandwidth for 9k6
> GSM codec, even with the UDP/IP overhead.
Raw data streams would be fine over a point to point modem link - but I 
can see an advantage to compartmentalization - you can break your secure 
phone problem down into two distinct subproblems
a) establishing a secure IP VPN between two nodes
b) optimizing VoIP for low bandwidth links

I would add a third - a modem protocol based on something like CSMA/CD 
to allow conference calls to be used as carrier media for secure 
conversations, but that is too hairy for me :)

Something like OpenVPN (http://openvpn.sourceforge.net/) seems ideal for
the secure VPN part of the problem, but requires an underlying IP
network - the VoIP part of the problem has an embarrassment of riches;
H323 used to come as standard with windows, in the form of Netmeeting
(complete with videoconferencing and whiteboarding) and SIP is now part
of Windows XP (a not-particularly-well-documented "feature" of windows
messenger). There are many, many more, and Asterisk (sadly not particularly
well known, and unix only) is a complete, open source PBX which is
conventional telephony, SIP and H323 aware.
OpenVPN is of course built on SSL, and can use either X509 certificates 
or a preshared key for authentication. Sadly, there is no convenient way 
to use DNS-SEC key records for OpenVPN.



Re: Secure telephones

2004-07-18 Thread Dave Howe
Jack Lloyd wrote:
> How well is VoIP going to work over SSL/TLS (ie, TCP) though?
you can do SSL over UDP if you like - I think most VPN software is UDP 
only, while OpenVPN has a "fallback" TCP mode for cases where you can't 
use UDP (and TBH there aren't many)

> I've never used
> any VoIP-over-TCP software before, but some people I know who have say it sucks
> (terrible latency, sometimes as bad as 5-10 seconds).
PGPfone had that problem, even over landlines (no IP involved) - 
however, I think that was more to do with the compression codecs and the
crypto than any external problems, as switching to half-duplex usually 
cleared the problems up.

> That may have just been
> an artifact of a bad implementation, though. DTLS might be a better pick for
> securing VoIP. There's also SRTP.
The strength of a pure VPN solution is that you aren't limited to *just* 
VoIP - you can transfer files, use whiteboarding, run videoconferencing, 
support text channels. even play games :)



X-Cypher, SIP VoIP, stupid proprietary crapola

2004-07-27 Thread Dave Howe
Particularly disgusted by the last paragraph
|http://www.visual-mp3.com/review/14986.html
|
| X-Cipher - Secure Encrypted Communications
|
|The Internet is a wonderful shared transmission technology, allowing
|any one part of the Internet to communicate to any other part of the
|Internet. Like any technology, it is neither inherently good nor bad
|but can be put to use for either purpose.
|
|X-Cipher can be used to make regular VoIP calls on any SIP network and
|can also be used to make Highly Secure VoIP calls between X-Cipher
|users.
|
|The X-Cipher Service includes:
|- X-Cipher Softphone
|- MD5 or SHA1 challenges
|- 3DES or AES 128, 192 or 256 bit encryption
|- Crypto safe random generators
|- X-Cipher to X-Cipher encryption
|- X-Tunnels NAT traversal functionality
|
|Eliminate Eavesdropping
|X-Cipher is designed to combat the negative aspects of Voice Over IP.
|X-Cipher ensures all voice stream data is encrypted using strong AES or
|Triple DES encryption. Furthermore, X-Cipher establishes and validates
|the identity of parties communicating. While voice data can be
|intercepted intentionally or accidentally, it can't be understood, as
|it can't be readily decrypted.
|
|With encryption comes the problem of either managing public/private
|keys, which must be kept secret, or the annoyance of transmitting a
|secure key to a remote party over other secure methods. X-Cipher
|eliminates these issues. No public/private keys exist to guard and keep
|safe and worry about theft and reuse. Each conversation through
|X-Cipher gets a unique secure key generated by an X-Cipher server using
|strong Crypto random safe algorithms.


Re: Enemy at the Door

2001-11-07 Thread Dave Emery

On Wed, Nov 07, 2001 at 11:01:10PM -0600, Jim Choate wrote:
> On Wed, 7 Nov 2001, Harmon Seaver wrote:
> 
> > Duh!  Read it again. "802.11'd to DSL to a very remote web site?"  That
> > DSL line could be clear across town.
> 
> Not with 802.11 anything will it be 'clear across town'. A few hundred
> yards w/ 802.11b and maybe a mile with 802.11a. Now if you're talking
> directional then it wouldn't take a rocket scientist to ask "Where does
> that nifty parabolic point? Why, at that other nifty parabolic. Well,
> gentlemen, how's 'bout we take 'em both down?"
> 
> If you want distance you'll either have to add an illegal final or else
> use packet or some other mechanism (probably illegally as well).
> 

I have read reports of people running WiFi links of up to 20
miles.   Given a clear path (clear line of sight) and relatively modest
sized directional antennas (not huge suspicious looking dishes) which
can be concealed under rf transparent radomes (hidden in an attic for
example with appropriate (fiberglass) roofing or siding, or behind a
glass picture window with curtains drawn) getting 10 to 20 mile ranges
is pretty easy with gain antennas on either end... not rocket science
either... and quite hard to spot visually (though of course a spectrum
analyzer with good preamps and antennas will find and locate any hidden
802.11 link in no time flat - one cannot radiate rf from a fixed
location and not be easily found using common TSCM tools).



-- 
Dave Emery N1PRE,  [EMAIL PROTECTED]  DIE Consulting, Weston, Mass. 
PGP fingerprint = 2047/4D7B08D1 DE 6E E1 CC 1F 1D 96 E2  5D 27 BD B0 24 88 C3 18




'Backflow' water-line attack feared

2001-12-31 Thread Dave Emery
for immediate
security projects, according to a just passed Senate bill: $50 million. 
  
   Sources: EPA, American Water Works Association, WSJ research 


 Still, experts have long feared that a terrorist would try
an intentional attack. As Gay Porter DeNileon - a journalist who serves
on the National Critical Infrastructure Protection Advisory Group, a
water-industry organization - put it in the May issue of the journal of
the American Water Works Association, "One sociopath who understands
hydraulics and has access to a drum of toxic chemicals could inflict
serious damage pretty quickly."   
 
 Utility officials say that it is difficult to fully prevent
a backflow incident, but they are hopeful that they can limit the damage
through early detection. The beginning of a backflow attack probably
would be marked by a sudden drop in water pressure in a targeted
neighborhood as terrorists stopped the flow of water into a home or
business. The pressure would then climb as attackers reversed the flow
of water and began using it to carry poison.

 Utilities regularly monitor system-wide water pressure,
because a sharp and unanticipated decrease - at times other than, say,
halftime of the Super Bowl, when tens of millions of American toilets
flush - can indicate that a pipe has burst. Most utilities monitor
pressure at water-treatment plants and inside the underground pipes that
carry the water to nearby homes and businesses; some use advanced
telemetric sensors inside pipes.

 In recent weeks, many utilities say they have increased the
frequency of their checks. "A small drop-off would attract attention it
wouldn't have even a short time ago," says Michelle Clements, a
spokeswoman for Oregon's Portland Water District, which serves 190,000
customers.

 But officials concede that it might be difficult for them
to actually spot the minor drop in pressure that could be the start of a
backflow attack. Jeffrey Danneels, who specializes in infrastructure
security at Sandia National Laboratory in New Mexico, says that water
officials might have a hard time detecting a backflow attack originating
in a single home or apartment building. "The smaller the pipe, the
harder it would be to notice," he says.   
 
 Another way to protect the public is to increase the
amounts of chlorine or other chemicals added to water so that more of
the chemical will remain in the pipes, providing residual protection
against some toxins, according to Tom Curtis, deputy director of the
American Water Works Association, which represents 4,300 public and
private water utilities.

 At the Cleveland Division of Water, officials are
considering adding more chlorine in areas where residual levels are low,
says Julius Ciaccia Jr., Cleveland's water commissioner. Even before the
Sept. 11 attacks, some utilities had begun replacing the chlorine with
chloramine, a related substance made from the combination of chlorine
and ammonia that is believed to linger in pipes longer. Increasing the
chemicals has drawbacks, however. "You can only go so far before people
begin to complain about the taste," says Curtis.   

 The only sure way of preventing a backflow attack, water
officials say, is installing valves to prevent water from flowing back
into the pipes. Many homes have such valves on toilets and boilers. But
virtually none have them on sinks, in part because water officials long
assumed that the biggest threat they faced was natural, such as an
earthquake, flood or hurricane carrying debris into a reservoir or pipe.
Water officials say retrofitting existing structures with the valves
would be prohibitively expensive.

 "We're used to natural incidents. We're ready for them,"
says Sullivan of the Association of Metropolitan Water Agencies. "But
we've never really looked at what could happen if someone really wanted
to come and get us. And that's a hard adjustment to make."
 
 Copyright (c) 2001 Dow Jones & Company, Inc.
  All Rights Reserved.

- End forwarded message -

-- 
Dave Emery N1PRE,  [EMAIL PROTECTED]  DIE Consulting, Weston, Mass. 
PGP fingerprint = 2047/4D7B08D1 DE 6E E1 CC 1F 1D 96 E2  5D 27 BD B0 24 88 C3 18




Re: Dell to Add Security Chip to PCs

2005-02-05 Thread Dave Emery
On Sat, Feb 05, 2005 at 11:23:14AM +0100, Eugen Leitl wrote:
> > The point is that HDTV is a popular consumer technology, and the MPAA
> > and TV networks alone managed to hijack it.
> 
> I have yet to see a single HDTV movie/broadcast, and I understand most TV
> sets can't display anything beyond 800x600.

Not widespread in Europe yet, but all the big networks in the US
now support it for most or nearly all their prime time schedule and most
big events (sports and otherwise) are now in HDTV in the USA.   Also
more and more cable networks in HDTV and some movie channels. Bandwidth
is the big limitation on satellite and cable, otherwise there would be
even more.

And HDTV sets are selling well now in the USA.   Most do not yet
have the full 1920 by 1080 resolution, but many are around 1280 by 720
native resolution which works well with the 720p progressive version used
primarily for sports (looks better with fast motion).

> 
> DVD started with a copy protection, too.

However the really strange thing about the FCC broadcast flag is
that the actual over the air ATSC transport stream on broadcast channels
is mandated by law to be sent *IN THE CLEAR*, no encryption allowed - so
the FCC decision basically requires any receiver sold to the public
*ENCRYPT* an ITC signal before providing it to the user.  Naturally
this bit of nonsense will go far to make the broadcast flag very
effective indeed at preventing anyone with very modest  sophistication
from capturing the over the air in the clear transport stream and
passing it around on P2P networks or whatever - there is already plenty
of PCI hardware out there to receive ATSC transmissions (MyHD and many
others) and supply the transport stream to software running on the PC.

-- 
   Dave Emery N1PRE,  [EMAIL PROTECTED]  DIE Consulting, Weston, Mass 02493



Re: SHA1 broken?

2005-02-17 Thread Dave Howe
Joseph Ashwood wrote:
> I believe you are incorrect in this statement. It is a matter of public
> record that RSA Security's DES Challenge II was broken in 72 hours by
> $250,000 worth of semi-custom machine, for the sake of solidity let's
> assume they used 2^55 work to break it. Now moving to a completely
> custom design, bumping up the cost to $500,000, and moving forward 7
> years, delivers ~2^70 work in 72 hours (give or take a couple orders of
> magnitude). This puts the 2^69 work well within the realm of realizable
> breaks, assuming your attackers are smallish businesses, and if your
> attackers are large businesses with substantial resources the break can
> be assumed in minutes if not seconds.
>
> 2^69 is completely breakable.
>    Joe
  It's fine assuming that Moore's law will hold forever, but without
that you can't really extrapolate a future tech curve. with *today's*
technology, you would have to spend an appreciable fraction of the 
national budget to get a one-per-year "break", not that anything that 
has been hashed with sha-1 can be considered breakable (but that would 
allow you to (for example) forge a digital signature given an example)
  This of course assumes that the "break" doesn't match the criteria 
from the previous breaks by the same team - ie, that you *can* create a 
collision, but you have little or no control over the plaintext for the 
colliding elements - there is no way to know as the paper hasn't been 
published yet.



Re: SHA1 broken?

2005-02-19 Thread Dave Howe
Joseph Ashwood wrote:
> I believe you substantially misunderstood my statements, 2^69 work is
> doable _now_. 2^55 work was performed in 72 hours in 1998, scaling
> forward the 7 years to the present (and hence through known data) leads
> to a situation where the 2^69 work is achievable today in a reasonable
> timeframe (3 days), assuming reasonable quantities of available money
> ($500,000US). There is no guessing about what the future holds for this,
> the 2^69 work is NOW.
I wasn't aware that FPGA technology had improved that much if any - feel 
free to correct my misapprehension in that area though :)



Re: SHA1 broken?

2005-02-19 Thread Dave Howe
Eugen Leitl wrote:
> On Sat, Feb 19, 2005 at 03:53:53PM +, Dave Howe wrote:
>> I wasn't aware that FPGA technology had improved that much if any - feel
>> free to correct my misapprehension in that area though :)
> FPGAs are too slow (and too expensive), if you want lots of SHA-1
> performance,
> use a crypto processor (or lots of forthcoming C5J mini-ITX boards), or an
> ASIC.
> Assuming, fast SHA-1 computation is the basis for the attack -- we do not
> know that.
  Indeed so. however, the argument "in 1998, a FPGA machine broke a DES
key in 72 hours, therefore TODAY..." assumes that (a) the problems are
comparable, and (b) that Moore's law has been applied to FPGAs as well as
CPUs.
  I am unaware of any massive improvement (certainly to the scale of
the comparable improvement in CPUs) in FPGAs, and the ones I looked at
a few days ago while researching this question seemed to have pretty
much the same spec sheet as the ones I looked at back then. However, I
am not a gate array techie, and most of my experience with them has been
small (two-three chip) devices at very long intervals, purely for my own
interest. It is possible there has been a quantum leap forward in FPGA
tech or some substitute tech that can perform massively parallel
calculations, on larger block sizes and hence more operations, at a
noticeably faster rate than the DES cracker could back then.
Schneier apparently believes there has been - but is simply applying
Moore's law to the machine from back then, and that may not be true
unless he knows something I don't (I assume he knows lots of things I
don't, but of course he may not have thought this one through :)



Re: Privacy Guru Locks Down VOIP

2005-07-27 Thread Dave Howe

Eugen Leitl wrote:

> http://wired.com/news/print/0,1294,68306,00.html
>
> Privacy Guru Locks Down VOIP
> By Kim Zetter
>
> Story location: http://www.wired.com/news/technology/0,1282,68306,00.html
>
> 10:20 AM Jul. 26, 2005 PT
>
> First there was PGP e-mail. Then there was PGPfone for modems. Now Phil
> Zimmermann, creator of the wildly popular Pretty Good Privacy e-mail
> encryption program, is debuting his new project, which he hopes will do for
> internet phone calls what PGP did for e-mail.
erm, pgpfone worked over IP - it was one of the earliest VoIP packages I ever 
encountered, and the very first that used encryption.




Re: no visas for Chinese cryptologists

2005-08-18 Thread Dave Howe

Hasan Diwan wrote:

> if the US wants to maintain its fantasy, it will need a Ministry of Truth to
> do so. Cheers, Hasan Diwan <[EMAIL PROTECTED]>

And the airing of government-issued news bulletins without attribution (or
indeed, anything from Fox News) doesn't convince you there already is one?



Re: no visas for Chinese cryptologists

2005-08-18 Thread Dave Howe

Tyler Durden wrote:

> Hey...this looks interesting. I'd like to see the email chain before this.

sorry, accidental crosspost from mailto:cryptography@metzdowd.com; see
http://diswww.mit.edu/bloom-picayune/crypto/18225 for the post it is a reply to.



Re: [EMAIL PROTECTED]: [IP] Internet phone wiretapping ("Psst! The FBI is Having Trouble on the Line", Aug. 15)]

2005-09-07 Thread Dave Howe
Tyler Durden wrote:
> We need a WiFi VoIP over Tor app pronto! Let 'em CALEA -that-. Only then
> will the ghost of Tim May rest in piece.
  Don't really need one. the Skype concept of "supernodes" - users that relay
conversations for other users - could be used just as simply, and is
Starbucks-compatible. If the feds had to try and monitor traffic for every VoIP
user that could potentially be used as a relay (*and* prove that any outbound
traffic from their target wasn't relayed traffic from another user) life would
get much harder for them much faster.
  Plus of course some sort of assurance that skype's crypto isn't snakeoil :)



Re: Judy Miller needing killing

2005-10-19 Thread Dave Howe
Gil Hamilton wrote:
> The problem is that reporters want to be made into a special class of
> people that don't have to abide by the same laws as the rest of us.  Are
> you a reporter?  Am I?  Is the National Inquirer?  How about Drudge? 
> What about bloggers?  Which agency will you have to apply to in order to
> get a Journalism License?  And will this License to Report entitle one
> to ignore subpoenas from federal grand juries?
  Problem there is - Miller didn't write the story, pass on the info to anyone
else, or indeed do much more than have a conversation with an unnamed source
where a classified name was revealed.  The Grand Jury is aware that Miller had
this info but refused to reveal who the informant was.
  On the other hand - Robert Novak got the same information, REPORTED it - and
isn't in any sort of trouble at all. Somehow this isn't the issue though... and
I wonder why?



Re: Judy Miller needing killing

2005-10-19 Thread Dave Howe
Gil Hamilton wrote:
> I've never heard it disclosed how the prosecutor discovered that Miller had
> had such a conversation but it isn't relevant anyway.  The question is, can
> she defy a subpoena based on membership in the privileged Reporter class that
> an "ordinary" person could not defy?
Why not? while Miller could well be prosecuted for revealing the identity, had
she done so - she didn't. Why should *anyone* be jailed for failing to reveal
who they had talked to in confidence? I am all in favour of people being tried
for their actions, but not for thoughtcrimes.

>> On the other hand - Robert Novak got the same information, REPORTED it -
>> and isn't in any sort of trouble at all. Somehow this isn't the issue 
>> though... and I wonder why?
> I don't know this either; perhaps because he immediately rolled over when he
> got subpoenaed?
And yet Novak is the one who purportedly committed a crime - revealing the
identity of an agent and thus endangering them. So the actual crime (of
revealing) isn't important, but talking to a reporter is?



Re: all the viruses, spam and bounces that are all I get from this list at the moment

2004-01-30 Thread Dave Howe
Bah, I really miss the crap-filtered version of cypherpunks
can anyone recommend a better node than the one I am using now?



Re: More on VoIP

2004-02-24 Thread Dave Howe
Tyler Durden wrote:
> Encryption ain't the half of it. Really good little article. And I
> didn't know Skype was based in Luxembourg
> http://slate.msn.com/id/2095777/
Not playing with Skype - why risk a closed source proprietary solution
when there is open source, RFC documented SIP?



Re: If You Want to Protect A Security Secret, Make Sure It's Public

2004-03-16 Thread Dave Howe
Riad S. Wahby wrote:
> John Young <[EMAIL PROTECTED]> wrote:
>> Despite the long-lived argument that public review of crypto assures
>> its reliability, no national infosec agency -- in any country
>> worldwide -- follows that practice for the most secure systems.
>> NSA's support for
>> AES notwithstanding, the agency does not disclose its military and
>> high level systems.
> Nevertheless, given that the public has two options (disclosure or
> non-), it seems public review is as good as it gets.
  I also can't see an alternative; yes, we are giving military
organizations the "crown jewels" of our efforts for no cost (although at
least in theory they should pay for anything that is copyrighted or
patented :) but no large company can afford to spend a fraction of what
the NSA do every day on analysis - it is rely on the community or rely on
a handful of staff who may or may not be able to code their way out of a
paper bag (and if there is no community to give peer status to a
cryptographer, how can you tell good from bad when you hire one?)
  Almost always, closed source systems are either snakeoil, or based on
publicly accepted algos with just a few extra valueless steps thrown in
so that they can claim it is different (VME for example can be very secure
indeed provided you combine it with something else - explicitly mentioned
as an option in the patent document - but the combined system is still
patented because their silly variant on a classic cypher is used at some
point)



Interesting case?

2004-03-28 Thread Dave Howe
Interesting looking case coming up soon - an employee (whose motives are
probably dubious, but still :) installed a keyghost onto his boss' pc and
was charged with unauthorised wire tapping.
That isn't the interesting bit. the interesting bit is this is IIRC exactly
how the FBI obtained Scarfo's PGP password, waybackwhen - *without* a
wiretap warrant.

http://www.out-law.com/php/page.php?page_id=keystrokeloggerhit1080217420

be interesting if his lawyer decided to call an FBI expert to explain why
this device isn't wiretapping, wouldn't it? :)



Re: The Gilmore Dimissal

2004-03-31 Thread Dave Howe
[EMAIL PROTECTED] wrote:
> If you're not the driver and you don't drive you don't have to have
> an ID. And you can't show what you don't have.
IIRC, in the case above the guy was outside his car - his daughter (still
in the car) may well have been the driver, not him



Re: Fornicalia Lawmaker Moves to Block Gmail

2004-04-12 Thread Dave Howe
Riad S. Wahby wrote:
> SAN FRANCISCO (Reuters) - A California state senator on Monday said
> she was drafting legislation to block Google Inc.'s free e-mail
> service "Gmail" because it would place advertising in personal
> messages after searching them for key words.
Is she planning to block all the advertising supported email services, just
those associated with search engines, or just those who actually try to make
the ads relevant?



Re: [IP] One Internet provider's view of FBI's CALEA wiretap push

2004-04-22 Thread Dave Howe
Eugen Leitl wrote:
> On Thu, Apr 22, 2004 at 01:13:48AM +0100, Dave Howe wrote:
>> No, it is a terrible situation.
>> It establishes a legal requirement that communications *not* be
>> private from the feds. from there, it is just a small step to
>> defining encryption as a deliberate attempt to circumvent that law,
>> and so a crime in itself.
> Are you truly expecting a worldwide ban on encryption?
No.  Just one on using crypto in america to avoid the feds listening in -
currently this is legal, but adds an additional penalty if you are
convicted of something *and* the feds decide you used crypto as well.

> How do you
> prove somebody is using encryption on a steganographic channel?
obviously you don't - but I doubt you could conveniently find a
steganographic channel convincing enough to pass muster and yet fast
enough to handle VoIP traffic.  Besides, it could easily devolve into a
your-word-against-theirs argument, after you have already spent some time
in jail waiting to get to trial (or at least the threat of this).
Martha already found out how the FBI can bend the rules if they want to
make an example of you.



Re: [IP] One Internet provider's view of FBI's CALEA wiretap push

2004-04-22 Thread Dave Howe
R. A. Hettinga wrote:
> At 12:09 PM +0200 4/22/04, Eugen Leitl wrote:
>> Are you truly expecting a worldwide ban on encryption?
> It's like expecting a worldwide ban on finance. Been tried. Doesn't
> work.
There isn't a worldwide ban on breaking CSS - doesn't stop the film
industry trying to enforce it in the US courts.  That it doesn't apply
outside the US is fine if you are in the netherlands, not so hot if you,
your isp, or some branch of your ISP is in the states.



Re: SASSER Worm Dude

2004-05-11 Thread Dave Howe
Tyler Durden wrote:
> "HANOVER, Germany -- German police have arrested an 18-year-old man
> suspected of creating the Sasser computer worm, believed to be one of
> the Internet's most costly outbreaks of sabotage."
> Note the language...an "18 year old MAN" and "sabotage"...
> So a HS kid, living with his parents, is able to write a worm that
>   takes out millions and millions of computers throughout the world
> running the latest MS OS. Uh... shouldn't we arrest Bill Gates first?
I think you are thinking in terms of the American age scale - In England
(and over most of Europe although obviously it varies), 18 is old enough
to marry without parental permission, be served in a bar, drive, and be a
practicing homosexual.  At 16 you can have heterosexual relationships,
marry with parental permission, work (and pay taxes) and rent property in
your own name (you can *own* property from 12)

Most schooling ends at 16, college 18, university (assuming a 3 year
course) 21. I would assume a German at 18 is either at university or
considered of employable age - well into majority.  So legally, "man" is
ok - obviously, this is a shallow typical Skript Kiddie who probably still
lives with his parents, but legally that isn't the case.



Re: On what the NSA does with its tech

2004-08-05 Thread Dave Howe
Morlock Elloi wrote:
> Hint: all major cryptanalytic advances, where governments broke a cypher and
> general public found out few *decades* later were not of brute-force kind.
all generalizations are false, including this one.
most of the WWII advances in computing were to brute-force code engines, 
not solve them analytically.
but yes - analysis has come a long way, and it is always going to be 
more cost effective for the NSA to hire mathematical geniuses (at 
however much it costs) than to build a brute-force cracker at the 
keysizes available today.
And cheaper still to do an end-run around the crypto and access 
plaintext on the microsoft-dominated internet.



Re: On what the NSA does with its tech

2004-08-05 Thread Dave Howe
Pete Capelli wrote:
> On Thu, 05 Aug 2004 20:07:23 +0100, Dave Howe <[EMAIL PROTECTED]> wrote:
>> all generalizations are false, including this one.
> Is this self-referential?
yes - some generalizations are accurate - and it's also a quote, but I 
may have misworded it so I didn't quotemark it or supply an attribution :)



Digital camera fingerprinting...

2004-08-24 Thread Dave Emery
Just a random distraction from the normal topics (but not
completely irrelevant either)...

I happened to spend a few minutes yesterday talking with an
individual who participated in the development of both low and high end
digital cameras for the commercial mass market.

He told me that especially in the low end camera market NO
sensors used were completely free of anomalous pixels (black, white,
dim, bright etc) and much of the actual processing in digital camera
firmware was related to masking or hiding the inevitable defects which
apparently can include (at least in CMOS sensors) entire rows or columns
that are bad.

This got me thinking - clearly these concealment patches are not
completely undetectable in families of (multiple to many) images taken
with the same exact camera... and for the most part the defects are born
with the sensor and change little over time if at all.   And with few
exceptions they are random, and different for each sensor.

Thus it ought to be possible to detect with reasonable
probability that a particular image or (much easier) that a particular
family of images was likely to have originated with a particular camera.
 A kind of digital fingerprint if you will...

Cypherpunk relevance (marginal perhaps), but the ability to say
that a particular image or set of images came from a particular camera
COULD have legal consequences for those bent on activities someone
thinks of as unfriendly to their interests...

Of course the headers of jpegs from cameras (and maybe
elsewhere) often contain serial numbers and other identifying
information so to the first order this is irrelevant to average users,
but interesting none the less.

-- 
   Dave Emery N1PRE,  [EMAIL PROTECTED]  DIE Consulting, Weston, Mass 02493
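
The detection idea in the post above, as an added example that is not part of the original message. It is a toy model under stated assumptions: the firmware is assumed to conceal each bad pixel with the mean of its left and right neighbours, the scenes are constructed random noise rather than photographs, and the defect maps and all function names are hypothetical.

```python
import random

W, H = 32, 32  # constructed toy sensor, far smaller than a real one

# Constructed defect maps for two hypothetical cameras (row, column).
CAMERA_A = [(3, 7), (10, 20), (15, 2), (22, 30), (28, 14)]
CAMERA_B = [(1, 1), (9, 25), (17, 12), (23, 5), (30, 19)]


def capture(defects, rng):
    """One shot: a random scene, then the assumed firmware concealment."""
    raw = [[rng.randrange(256) for _ in range(W)] for _ in range(H)]
    out = [row[:] for row in raw]
    for y, x in defects:
        # Assumption: a bad pixel is replaced by the mean of its row neighbours.
        out[y][x] = (raw[y][x - 1] + raw[y][x + 1]) // 2
    return out


def shoot(defects, count, seed):
    """A family of `count` images from one camera, reproducible via `seed`."""
    rng = random.Random(seed)
    return [capture(defects, rng) for _ in range(count)]


def looks_patched(img, y, x):
    """True if the pixel is exactly what the concealment would have written."""
    return img[y][x] == (img[y][x - 1] + img[y][x + 1]) // 2


def fingerprint(images):
    """Coordinates that look concealed in every image of the family.

    In one image about 1 pixel in 256 matches by chance; requiring a match
    in all images leaves only positions the firmware patches every time.
    """
    return {(y, x)
            for y in range(H) for x in range(1, W - 1)
            if all(looks_patched(img, y, x) for img in images)}


def match_score(fp, images):
    """Fraction of a known fingerprint that is consistent with `images`."""
    if not fp:
        return 0.0
    hits = sum(all(looks_patched(img, y, x) for img in images) for y, x in fp)
    return hits / len(fp)


if __name__ == "__main__":
    fp_a = fingerprint(shoot(CAMERA_A, 6, seed=1))
    print("recovered fingerprint:", sorted(fp_a))
    print("new family, same camera :", match_score(fp_a, shoot(CAMERA_A, 6, seed=2)))
    print("new family, other camera:", match_score(fp_a, shoot(CAMERA_B, 6, seed=3)))
```

Real photographs are smooth, so many healthy pixels would also equal their neighbours' mean; a practical version would have to work on the noise residual of each image rather than on raw values.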



Re: "Forest Fire" responsible for a 2.5mi *mushroom cloud*?

2004-09-12 Thread Dave Emery
On Sun, Sep 12, 2004 at 12:01:29AM -0500, J.A. Terranson wrote:
> "No big deal"?  Who are they kidding?


Has it occurred to anyone this might be a covert US (or Chinese
or ) operation to destroy the PRK nuke test setup, say with cruise
missiles, stealth B2 bombers,  or an infiltrated sabotage team ?

That could produce a large explosion (but little radioactivity)...

And with obvious PRK preparations for a test far advanced (see
today's NYT) , I would think it was now or never for such a covert
attack.

Maybe that is why Dubya was completely shitfaced getting off the
helo at the WH on the way back from campaigning in Johnstown Pa this
past Thursday  ?   Too much pressure to keep that Jim Beam bottle in
the cabinet... one almost can't blame him...


-- 
   Dave Emery N1PRE,  [EMAIL PROTECTED]  DIE Consulting, Weston, Mass 02493



Re: Congress Close to Establishing Rules for Driver's Licenses

2004-10-12 Thread Dave Howe
J.A. Terranson wrote:
> Which of course neatly sidesteps the issue that a DRIVERS LICENSE is
> not "identification", it is proof you have some minimum competency to
> operate a motor vehicle...
IIRC, several states have taken to issuing a "no competency" driving
licence (ie, the area that says what that licence allows you to
drive/ride, normally occupied by car, motorcycle, truck or whatever, is
blank) purely for use as identification. Few liquor stores (for example) 
accept anything else.



Re: Congress Close to Establishing Rules for Driver's Licenses

2004-10-12 Thread Dave Howe
Riad S. Wahby wrote:
> ...except (ta-d) the passport, which is universally accepted by
> liquor stores AFAICT.
And how many Americans have a passport, and carry one for identification 
purposes?



Re: Airport insanity

2004-10-15 Thread Dave Howe
Damian Gerow wrote:
> I've had more than one comment about my ID photos that amount to basically:
> "You look like you've just left a terrorist training camp."  For whatever
> reason, pictures of me always come out looking like some crazed religious
> fanatic.  But that doesn't mean that I'm going to bomb anything.  And I sure
> hope that I'm not going to be detained or denied entry because of how I
> *look*, alone.
No, of course not. Even if you had a turban, carried a Koran and your 
briefcase made a suspicious ticking noise, that would be *profiling* and 
therefore bad.

Now, if your name happened to sound like someone who doesn't look like 
you, but an FBI agent had once misheard in passing... that would get you 
detained.



Re: comfortably numb

2004-10-03 Thread Dave Howe
Major Variola (ret) wrote:
> At 11:22 PM 10/1/04 -0700, Bill Stewart wrote:
>> In the US it's generally illegal to tattoo someone who is drunk.
Not sure about that - certainly it's illegal in the UK to tattoo for a 
number of reasons, but the drunkenness one usually comes down to "is not 
capable of giving informed consent"
Not sure it would be illegal for someone to agree to the tattoo, then 
indulge in "dutch courage" before going through with it.



[TSCM-L] Technology boosts use of wiretaps

2004-10-03 Thread Dave Emery
ons that have been made public - are coming into courts.

More are likely, and in more disparate parts of the state, as word of the new system's 
capabilities filters out, Wall said. Where formerly police in any part of the state 
had to seek out switching equipment - mostly in Madison or Milwaukee - to set up a 
wiretap, the new computer system can be run from Madison on "a phone from anywhere in 
the world" and piped out to any part of the state.

"When they give it to us, they're essentially giving it to 72 county sheriffs and 700 
police departments," Wall said. "When you call me and you're from the Podunk Police 
Department, we're there."

Ray Dall'Osto, a Milwaukee defense attorney and former legal director for the American 
Civil Liberties Union of Wisconsin, said he is interested in examining the kinds of 
new wiretap cases and whether Wisconsin authorities use a wider range of 
justifications for listening in on citizens' conversations.

The right to privacy in certain situations, he said, is very fragile, like an egg.

"Once it's gone, it's very hard, if not impossible, to put back together," Dall'Osto 
said.

He also expects the uptick in wiretap usage to continue.

"They've got this stuff, and they've got to use it," Dall'Osto said.


-- 
   Dave Emery N1PRE,  [EMAIL PROTECTED]  DIE Consulting, Weston, Mass 02493



Re: City Challenged on Fingerprinting Protesters

2004-10-06 Thread Dave Howe
Major Variola (ret) wrote:
> There is a bill in this year's Ca election to require DNA sampling of
> anyone arrested.  Not convicted of a felony, but arrested.
Doesn't surprise me - the UK police collected a huge bunch of 
fingerprints and dna samples "for elimination purposes" during one of 
the child-murder witchhunts, with written promises given that the 
samples were just for that one task, and would be destroyed once the 
hunt was over.
They still kept them anyway of course, and made them the basis for their 
new "national dna database".



Re: Quantum cryptography gets "practical"

2004-10-07 Thread Dave Howe
Tyler Durden wrote:
> Oops. You're right. It's been a while. Both photons are not utilized, 
> but there's a Private channel and a public channel. As for MITM attacks, 
> however, it seems I was right more or less by accident, and the 
> collapsed ring configuration seen in many tightly packed metro areas 
> (where potential customers of Quantum Key Exchange reside) does indeed 
> make such attacks much easier.
>
> Come to think of it, an intruder that were able to gain access to a CO 
> without having to notify the public (Patriot Act) should easily be able 
> to insert themselves into a QKE client's network and then do whatever 
> they want to (provided, of course, they have the means to crack the 
> 'regular' encryption scheme used to encode the bits--NSA).
>
> Which means that, should a $75K/year NSA employee want to strike it 
> really, really rich, they'd be able to procure advanced notice of any 
> mergers/acquisition deals.
Unless someone has come up with a new wrinkle to this since I last 
looked, the QKE system indeed requires three channels - the key photon 
one which must be optical, and a conventional comms pair (the latter of 
course can be substituted with any comms pair you have handy, but if you 
are running fibre from A to B you might as well run three)
As all three require MiTM to be mounted, it would be better to have a 
physically diverse path for the conventional pair - but in a small city 
where you are patching the optical channel through the nearest exchange, 
this may not be practicable.
The "regular encryption scheme" (last I looked at a QKE product) was XOR



Re: Quantum cryptography gets "practical"

2004-10-07 Thread Dave Howe
Steve Furlong wrote:
> On Thu, 2004-10-07 at 14:50, Dave Howe wrote:
>> The "regular encryption scheme" (last I looked at a QKE product) was XOR
> Well, if it's good enough for Microsoft, it's good enough for everyone.
> I have it on good authority that Microsoft's designers and programmers
> are second to none. (Microsoft's marketing department is a good
> authority, right?)
well, what they *don't* tell you is the question was "which would you 
prefer to implement security, a microsoft programmer or none at all" and 
they *still* came second :)



Re: QC Hype Watch: Quantum cryptography gets practical

2004-10-05 Thread Dave Howe
R. A. Hettinga wrote:
> Two factors have made this possible: the
> vast stretches of optical fiber (lit and dark) laid in metropolitan areas,
which very conveniently was laid from one of your customers to another 
of your customers (not between telcos?) - or are they talking only 
having to lay new links for the "last mile" and splicing in one of the 
existing dark fibres (presumably ones without any repeaters on it)



Re: Quantum cryptography gets "practical"

2004-10-06 Thread Dave Howe
Tyler Durden wrote:
> An interesting thing to think about is the fact that in dense metro 
> areas, you pretty much have a "star" from the CO out to a premise (which 
> is the cause of deployment of "Collapsed SONET Rings"). This means the 
> other photon of your encrypted pair might easily pass through the same 
> CO somewhere, which would make the system susceptible to a sort of man 
> in the middle attack. Or at least, your fancy quantum crypto system has 
> defaulted back to standard crypto in terms of its un-hackability.
  Unless I am mistaken as to the Quantum Key Exchange process, only one
photon is ever transmitted, with a known orientation; the system doesn't
use entanglement AFAIK.
  I note also that, as QKE is *extremely* vulnerable to MitM attacks, a
hybrid system (which need only be tactically secure, not strategically
secure) can be used to "lock out" a MitM attacker for long enough that
his presence can be detected, without having to resort to a classical
but unblockable out of band data stream.  I think this is part of the
purpose behind the following paper:
http://eprint.iacr.org/2004/229.pdf
which I am currently trying to understand and failing miserably at *sigh*
> Moral of this story is, even if this thing is useful, you'll probably 
> have a very hard time finding a place it can be deployed and still 
> retain its "advantages".
I have yet to see an advantage to QKE that even mildly justifies the
limitations and cost over anything more than a trivial link (two
buildings within easy walking distance, sending high volumes of
extremely sensitive material between them)

> -TD
>
>> From: Dave Howe <[EMAIL PROTECTED]>
>> To: Email List: Cryptography <[EMAIL PROTECTED]>,
>> Email  List: Cypherpunks <[EMAIL PROTECTED]>
>> Subject: Re: QC Hype Watch: Quantum cryptography gets practical
>> Date: Tue, 05 Oct 2004 17:48:30 +0100
>>
>> R. A. Hettinga wrote:
>>> Two factors have made this possible: the
>>> vast stretches of optical fiber (lit and dark) laid in metropolitan 
>>> areas,
>> which very conveniently was laid from one of your customers to another 
>> of your customers (not between telcos?) - or are they talking only 
>> having to lay new links for the "last mile" and splicing in one of the 
>> existing dark fibres (presumably ones without any repeaters on it)






Re: Quantum cryptography gets "practical"

2004-10-06 Thread Dave Howe
Dave Howe wrote:
> I think this is part of the
> purpose behind the following paper:
> http://eprint.iacr.org/2004/229.pdf
> which I am currently trying to understand and failing miserably at *sigh*
Nope, finally struggled to the end to find a section pointing out that it 
does *not* prevent mitm attacks.
Anyone seen a paper on a scheme that does?



Re: Certicom sees lift from entertainment industry

2004-10-14 Thread Dave Howe
R.A. Hettinga wrote:
> The technology at the core of Certicom's products - elliptic-curve
> cryptography, or ECC - is well suited to such purposes since it can work
> faster and requires less computing power and storage than conventional
> forms of cryptography, he said.
Well, best of luck to them. Any scheme where they *have* to give you the 
decryption key before you can use the product is doomed from the start, 
it's just a matter of how long it takes. The satellite/cable companies 
are fighting hard to stay ahead of the game with their live-to-view 
product - by frequently changing the crypto whenever it is broken; no 
recorded product can possibly hold out more than a few months after launch.



Re: "Give peace a chance"? NAH...

2004-10-19 Thread Dave Howe
Tyler Durden wrote:
> So. Why don't we see terrorist attacks in Sweden, or Switzerland, or 
> Belgium or any other country that doesn't have any military or 
> Imperialist presence in the middle east? Is this merely a coincidence?
>
> What I strongly suspect is that if we were not dickin' around over there 
> in their countries, the threat of terrorism on US soil would diminish to 
> very nearly zero. In other words, we DO have a choice of peace, and our 
> choice was to pass on it.
TBH the UK *did* have a major terrorist threat for decades - because we 
were dicking around in *their* country :)



Re: Airport insanity

2004-10-24 Thread Dave Howe
Adam wrote:
> You know, the more I read posts by Mr. Donald, the more I believe that
> he is quite possibly the most apt troll I have ever encountered. It is
> quite apparent from reading his responses that he is obviously an
> exceptionally intelligent (academically anyway) individual. I find it
> hard to believe that such intelligence could reside in a person with
> such critically flawed core beliefs. 
You forget SternFud so easily?


Re: Donald's Job Description

2004-10-27 Thread Dave Howe
Tyler Durden wrote:
> I'm sure there are several Cypherpunks  who would be very quick to 
> describe Kerry as "needs killing".
but presumably, lower down the list than shrub and his current advisors?


Re: E-Vote Vendors Hand Over Software

2004-10-27 Thread Dave Howe
R.A. Hettinga wrote:
> The stored software will serve as a comparison tool for election officials
> should they need to determine whether anyone tampered with programs
> installed on voting equipment.
IIRC during the last set, the manufacturers themselves updated 
freshly-minted software from their ftp site onto the machines mere hours 
before the polls opened.



Re: Doubt

2004-10-27 Thread Dave Howe
Tyler Durden wrote:
>> Yet what of your blindness, which doubts *everything* the current
>> administration does?
> 1. Abu Ghraib
> 2. WMD in Iraq
> 3. Patriot Act
> 4. Countless ties between this administration and the major contract 
> winners in Iraq
> Hum. Seems a decent amount of doubt is called for.
For that matter - a healthy dose of doubt is called "the scientific 
method" - it's how you actually find things out.

Mind you, that would be "reality based" which is shunned by the current 
administration - presumably in favour of "fantasy based"


