December 2003 - cypherpunks-legacy

Re: Spamming (Good or Bad?)
by James C. Sewell 17 Dec '03

17 Dec '03

At 03:35 AM 8/23/96 +0000, Vipul Ved Prakash wrote: > >This is peculiar. Nobody seems to mind ads in Newspapers, printed >magazines, TV, and for that matter web sites. That is unwanted stuff I'd suggest that most/all of us 'mind' ads in papers, tv, etc. The difference is that while we can do nothing about commercials on TV (short of breaking federal law and jamming the signal) we can do something about spam. If there is enough concensus we can develop/distribute/encourage the use of new mailers that will help defeat spam. For example: If mail comes into a server that has more than 25 recipients then it is only forwarded to those who have "signed up" for that sender. When we subscribe to Cypherpunks we also have to register that with our network of mail servers. Then if Mr. Spam sends stuff out it's not been "signed up" for so it gets trashed. I don't really like mail servers redirecting my mail, but perhaps we could arrive at a reasonable criteria for filtering if we tried real hard. Jim Jim Sewell - jims(a)tansoft.com Tantalus Incorporated - Key West, FL

2 1

Verdict in "MTV" Case
by tcmay＠got.net 17 Dec '03

17 Dec '03

Indiannapolis, IN (A.P.) -- A jury has awarded the State of Indiana $25 million in damages in the case of "Indiana v. Music Television." Music Television, also known as MTV, was accused of costing the state of Indiana more than $100 million in additional educational expenses due to students watching MTV when they should have been doing their homework. The jury foreman in the case was quoted as saying, "Like, like the kids are, like, goofin' off. Besides, MTV doesn't like play enough old stuff, like Zeppelin and Floyd." Following the various court decisions to award damages to states for medical costs associated with smoking by state residents, a barrage of similar lawsuits is happening across the country. School systems are suing book publishers, movie makers, television broadcasters, shopping malls, and miniature golf arcades. Makers of sports equipment are facing crippling lawsuits by insurers. The last remaining American bicycle maker, Trek, announced that it is withdrawing from the U.S. market, following the $37 million judgement against it in "Oregon v. Trek." --Klaus! von Future Prime

2 1

BOD_ies
by jya＠pipeline.com 17 Dec '03

17 Dec '03

8-23-96. FiTi: "The race is on for global groups to develop 'electronic purses' using smart cards." "We are moving into the electronic age where money will just be information about the wealth you have," says Visa. Some companies believe that parts of the body, rather than paper or coins, can be used to establish the amount of money somebody has available to spend. WaPo: "Group Plans Challenge To Net Address Monopoly." The end may be at hand for the virtual monopoly that Network Solutions holds over the registration of Internet addresses. The Internet Assigned Numbers Authority, the Internet Society and IETF will organize a competition for the right to operate new registries. The group's aim is to create alternatives to the established categories of Internet addresses. NYP: "Flaw Said to Be Found in Microsoft's Browser." Markoff's report on the Princeton group's discovery. ----- http://jya.com/bodies.txt (17 kb for 3) BOD_ies

1 0

"Regulation of Commerce" and the Crypto Issue
by tcmay＠got.net 17 Dec '03

17 Dec '03

It seems to me that in recent years nearly any type of sweeping legislation is justifed, constitutionally, by the clause in the U.S. Constitution which says Congress shall have the power to regulate commerce. (More precisely, the clause says: "To regulate commerce with foreign nations, and among the several states, and with the Indian tribes;" This is usually interpreted to mean _interstate_ commerce, and not sales/commerce/etc. that do not centrally involved more than one state....obviously nearly all things sold in one state are sold in other states, so there is lattitude for applying the commerce clause, albeit wrongly.) Today's news is the sweeping new restrictions on tobacco and cigarettes, including restriction on advertising and even on the placement of tobacco and cigarette logos and names on sports jerseys and shirts. (The much-publicized press event is not for another hour, as I write, so I don't know all the details. I'll be watching.) Note that similar restrictions on alchohol advertising were recently struck down by the Supreme Court as being unconstitutional infringements on free speech. Many expect the same outcome with these latest proposed restrictions. (The issue of advertisements of hard liquor, cigarettes, condoms, and other "unhealthful" [sic] products on television and radio is of course complicated by the role of the Federal Communications Commission and by "gentlemen's agreements" not to carry advertisements for some products.) Personally, I have never smoked, nor chewed, nor mainlined nicotine. Personally, I dislike cigarette smoke. But this is all _personally_. If a restaurant, bookstore, airline, bar, antique store, gym, or whatever wishes to allow smoking (or not), this is there choice. As many of us see things, it is not for the government to take a kind of "poll" of what people like and dislike and then to impose rules on property owners as to what smoking or nonsmoking policies they may set. Likewise, if I want to silk-screen a "Joe Camel" image, or a "Bud Frogs" image, on a t-shirt, this is between me and the putative owner of these images. Free speech and all. Or, to remove any confusion with the issue of owned logos, to silk-screen a fictitious cigarette brand on a shirt and then wear it, or sell it. It seems likely that individual wearers of such shirts will not be busted (think of how many already exist, and there is no plan for confiscating them), but that the burden will be placed, as it is so often conveniently placed, on the shirt makers. The catch-all for these laws seems to be the "regulate commerce" language in the Constitution. Cigarettes are sold in multiple states, the logic goes, so the commerce clause gives the government the power/authority to regulate it. (Well, Steven King novels are sold in all 50 states, too. Does this "regulate commerce" clause give the government the power/authority to regulate what King puts in his novels? Or to ban advertising for Steven King novels? Or to require that stores only sell such novels to adults?) This language is already being cited for some as a justification for regulating encryption (hey, some businesses use it!), digital signatures (ditto), and other forms of crypto. In fact, since nearly everything involves "commerce" in some way, whether interstate or not, the "regulate commerce" clause can presumably be used as a jusitification for interfering in all sorts of areas. The several legal experts out there on this list can clarify any errors of interpretation I have made. I certainly know that the commerce clause cannot be used to suppress certain kinds of speech, though the boundaries of where it may be applied seem unclear. I do expect it to be used for crypto, though, and this might even be upheld by the Supremes, especially in any areas directly involving "digital commerce." We should watch for this, and think about ways to deflect or derail such interpretations. --Tim May We got computers, we're tapping phone lines, I know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay(a)got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway."

3 2

The Future Of Cyber Terrorism
by Joseph M. Reagle Jr. 17 Dec '03

17 Dec '03

The Future Of Cyber Terrorism The proceedings or a recent conference on the subject of Cyber Terrorism are now available online. The conference looked at terrorism carried out with the tools of today's information age and against the computer and information systems that the world increasingly depends upon. World Wide Web: http://www.acsp.uic.edu/OICJ/CONFS/terror02.htm _______________________ Regards, I hate quotations. -Ralph Waldo Emerson Joseph Reagle http://rpcp.mit.edu/~reagle/home.html reagle(a)mit.edu E0 D5 B2 05 B6 12 DA 65 BE 4D E3 C1 6A 66 25 4E

1 0

secret message
by JOHN E. HOLT 17 Dec '03

17 Dec '03

Date: 01-Aug-96 14:50 EDT From: JOHN E. HOLT [76473,1732] Subj: puzzle ^%}{{ ZZ VVPAGMIGJEKMCCHIAKKPEHJDDDLOABGAMMJOCDFNOLNOKKKNIADPBGPPOEPIDCEMPGWW VVFCMOPKLKPJOHCNCJBDGOOJKFANCJJBDBMDIFIEKEDPLKDDGMPLHMIIPIJFMKOLENWW VVCAKJGJCKPAEOOMLJPNFJEKEINIHFKHNOLPCAHLEKHHLMHJFCOEKAFAGPHJBCPBHBWW VVOKLAENICAFDHEOEODMHMFGIONMAACAOHEOHDAJDNENGAHABNHGOCCPJNFDMAMKADWW VVMGDHKGPKBEIDBNLOCMLFMEIOKBFBFKJIMIIIFKJDFENCBPAPFBAOFMHEDODBFFPDWW VVOMFFJBNGEJPLGHJLFOBLFOGCBKAACEICLBIKHGILKCLMHPFIAHPDEOOODPPMLGDNWW VVGLDNEBDINMILDJDOJOJNKCLIBBKBCBEJPBJCFHGKMFLLEPGLGOOIIGAKJEGNPFHDWW VVIJBMFLALHPEHHGEGPCLGILBDBMEGMOGOIFBPPONGEDJPNFNMPCJFJPAEMIDOEMBLWW ZZ ZZ Distribution: To: ME > [76473,1732]

1 0

Re: (fwd) ANNOUNCE: Free Little PGP Credit Card App
by Alan Olsen 17 Dec '03

17 Dec '03

At 07:54 PM 8/22/96 -0400, Damaged Justice wrote: >>From: "David j. Sopuch" <djs(a)iwinpak.com> >Newsgroups: comp.infosystems.www.misc >Subject: ANNOUNCE: Free Little PGP Credit Card App >Date: Thu, 22 Aug 1996 12:00:24 -0400 >Organization: Datamax Research corp. >Lines: 10 >Message-ID: <321C8418.2647(a)iwinpak.com> > >v2.08 of the iWinpak Internet Payment System is now available in >both freeware and shareware versions at http://www.iwinpak.com An interesting little piece of CGI code, but the demo leaves a bit to be desired. The demo is for bank checks. The order form has you sending your bank information (including bank number and check info) in the clear. So the hooks into your credit card are not sent in the clear, but the ones to your bank are... Double plus ungood. It is a start... How good of one, I am not certain though... --- Alan Olsen -- alano(a)teleport.com -- Contract Web Design & Instruction `finger -l alano(a)teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "We had to destroy the Internet in order to save it." - Sen. Exon "Microsoft -- Nothing but NT promises."

1 0

strengthening remailer protocols
by peter.allan＠aeat.co.uk 17 Dec '03

17 Dec '03

This is long enough. I've been brutal and cut sections less likely to promote discussion. (I've also contacted OUP about Ganley's book, and may buy it if I can kid myself I don't need the money.) ============================================================ August 1996 Peter M Allan peter.allan(a)aeat.co.uk Strengthening Remailer Protocols STATUS OF THIS MEMO This memo proposes improvements for the Mixmaster protocol and requests discussion and further suggestions. Distribution of this memo is unlimited. INTRODUCTION Lance Cottrell's documents [1] and [2] describe the current Mixmaster protocol and attacks against it. This memo began as a response to those thoughts, but has developed in discussion with Cottrell. SPAMMING ATTACK [2] describes an active attack where many messages are sent to an honest remailer to separate a message of interest from other traffic. The aim is to clear other messages out of the message pool, wait for the target and finally eject that from the pool. The target message is identified because the attacker can recognise his own messages. Attempts to defeat this attack could well be based on preventing the attacker from recognising his own messages. That is the approach taken here. RE-ENCRYPTION AS A SPAM DEFENCE In this diagram remailer 'A' has received a message addressed to himself. Inside that is one to 'B' - unreadable to A. Further layers are hidden of course. AB????? decrypts to B????? This means that our remailer can only disguise the message by re-encrypting it on the outside. But the message has got to make some net progress toward delivery. The trick is that a remailer can find the outer two headers addressed to him and process both of them. Two headers processed and one rewound is net progress. When the header rewound is addressed to the same recipient as was next on the list anyway the diagram looks like this. Actions at 'A': AB????? decrypts to B????? B????? encrypts to BB????? Actions at 'B': BB????? decrypts to B????? decrypts to C???? encrypts to CC???? The beauty of this is that it is compatible with the existing protocol. If a remailer only knows about removing layers of encryption it still fits into a network where some can do both actions. Whether it sends or receives the message it still works. RE-ENCRYPTION IN THE MIXMASTER ROTATING QUEUE MODEL Instead of layers like an onion, Mixmaster has a queue of headers that get rotated. A used header goes to the back of the queue where it can never again be read. At some point the header at the front of the queue is found to be the last one, and the message is sent on its final hop. For a header queue the above actions look like this: Actions at 'A': AAAB??? -> AAB???a -> AB???aa -> BB???aa In general when the first H headers are addressed to the remailer reading them, (H-1) rotations will be performed, and the top header will be overwritten with another one with a random key and IV to encrypt the rest of the message. The number of headers present remains 20, however many or few of these are still to be read. No valid header block is ever overwritten, only used header blocks that are good for nothing. This is always possible because after a remailer receives a message at least the one header it has just read must be of no further use. This will hide the message content from eavesdroppers, but not from the next remailer in line - 'B'. Assume that remailer B is operated by an attacker, and that he directs spam messages there after host A (which is holding your message in the pool at the time of the attack). B can read all messages sent by the attacker (who knows B's private key). This is also why I think link encryption offers incomplete protection. RE-ENCRYPTION WITH CHEATERS Mixmaster assumes that no particular remailer in the network can be trusted and that the user does not know which remailers cheat. The message passes through a chain of remailers, who aim to hide information from each other so that the compromise of some of them will not disclose the original sender and final destination. Central to the spamming attack is the idea that the attacker can recognise the messages he is trying to trace. This is done by eliminating his own messages. The whole set - not just some of them. It can be arranged that the attacker does not obtain the whole set until it is too late to trace the target message (i.e. after a few hops, when it is likely to have met other legitimate traffic). The partial information the attacker obtains before all the spams are identified will be of some use, but following each of several leads with a new spam attack is unappealing as the number of suspect messages will just grow. The remailer needs the freedom to divert packets to another remailer. This is shown below; where remailer C was chosen at random. Actions at 'A': AAAB??? -> AAB???a -> AB???aa -> CB???aa Each remailer could have three options when sending a packet to its next host. 1) rotate all possible headers, and send the result (current protocol) 2) re-encrypt message with new 3DES key and IV. Do not divert. 3) re-encrypt message with new 3DES key and IV. Divert at random. Good probabilities for these options might be: 1) 20% P(1) = P(3) The number of headers the next host can read should not reveal whether a diversion has just been made. (We care about this because it discourages cheaters deliberately refusing to pass on your mail.) 2) 60% Other outgoing packets are not distinguishable from spams. 3) 20% Should not approach 100%. (To arrive is better than to travel in hope.) A spam attack as described in [2] would use many more packets than those in the message pool (N) on the host under attack. The number of spam packets diverted to honest remailers (a proportion R of the whole) would be about MANY . N . P(3) . R and those diverted twice in succession to honest remailers would be about MANY . N . P(3) . P(3) . R . R and I'd expect a figure above 5 here to thwart the spammer, because of the time taken to collect the 5 spams. This diversion (adding steps to the middle of a chain) seems different from a Middleman scheme [3] where extra hops are added at the end. This scheme does NOT allow a remailer to choose the rest of the chain to be followed. A dishonest remailer cannot bypass any remailer chosen by the original sender (in the hope of following the message to its destination) using only cooperating dishonest remailers) because the message has been encrypted in the public key of each remailer the sender chose before it entered the network. REFERENCES 1 Frequently Asked Questions about Mixmaster Remailers FAQ Version 1.8 July 4 1996 by Lance Cottrell <loki(a)obscura.com.> 2 http://www.obscura.com/~loki/remailer/remailer-essay.html by Lance Cottrell <loki(a)obscura.com.> 3 email "Re: middleman - what is it ?" "John A. Perry" <perry(a)alpha.jpunix.com>

4 3

Re: The Future Of Cyber Terrorism
by jya＠pipeline.com 17 Dec '03

17 Dec '03

http://www.acsp.uic.edu/OICJ/CONFS/terror02.htm This quackery-puffery is truely hilarious. Worth reading for brave attempt to distinguish between our-adorable-intelligent-children qua hackers and terrifying next-door-neighbors so differently-abled-from-us cyber-terrorists. Unsubtly shaded white, off-white, black and blacknet movie-plotting. Thus Sprachen Zarathrustran Klaus: Commerce in ignorant-inner-fear-panderings regulation time.

2 1

Anonymous Remailers
by chris230＠juno.com 17 Dec '03

17 Dec '03

When you mail an item through more than one anonymous remailer, how does that make it anymore anonymous, or doesn't it?

1 0