cypherpunks
Threads by month
- ----- 2026 -----
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- 1 participants
- 34085 discussions
http://jiggerwit.wordpress.com/2013/09/25/the-nsa-back-door-to-nist/
Thomas C. Hales (University of Pittsburgh)
(This article will be published in the Notices of the American Mathematical
Society.)
Use once. Die once. — activist saying about insecure communication
This article gives a brief mathematical description of the NIST standard for
cryptographically secure pseudo-random number generation by elliptic curves,
the back door to the algorithm discovered by Ferguson and Shumow, and finally
the design of the back door based on the Diffie-Hellman key exchange
algorithm.
NIST (the National Institute for Standards and Technology) of the U.S.
Department of Commerce derives its mandate from the U.S. Constitution,
through the congressional power to “fix the standard of weights and
measures.” In brief, NIST establishes the basic standards of science and
commerce. Whatever NIST says about cryptography becomes implemented in
cryptographic applications throughout U.S. government agencies. Its influence
leads to the widespread use of its standards in industry and the broad
adoption of its standards internationally.
Through the Snowden disclosures, the NIST standard for pseudo-random number
generation has fallen into disrepute. Here I describe the back door to the
NIST standard for pseudo-random number generation in elementary and
mathematically precise terms. The NIST standard offers three methods for
pseudo-random number generation [NIST]. My remarks are limited to the third
of the three methods, which is based on elliptic curves.
Random number generators can either be truly random (obtaining their values
from randomness in the physical world such as a quantum mechanical process)
or pseudo-random (obtaining their values from a deterministic algorithm, yet
displaying a semblance of randomness). The significance of random number
generation within the theory of algorithms can be gauged by Knuth’s
multivolume book, The Art of Computer Programming. It devotes a massive 193
pages (half of volume two) to the subject! A subclass of pseudo-random number
generators are cryptographically secure, intended for use in cryptographic
applications such as key generation, one-way hash functions, signature
schemes, private key cryptosystems, and zero knowledge interactive proofs
[Luby].
Elliptic curves as pseudo-random number generators
The NIST standard gives a list of explicit mathematical data (E,p,n,f,P,Q) to
be used for pseudo-random number generation [NIST]. Here E is an elliptic
curve defined over a finite field \mathbb{F}_p of prime order p. The group
E(\mathbb{F}_p) has order n, which is prime for all of the curves that occur
in the NIST standard. The elements of the group E(\mathbb{F}_p) consist of
the set of points on an affine curve, together with a point at infinity which
serves as the identity element of the group. The affine curve is defined by
an equation y^2 = f(x) for some explicit cubic polynomial f in
\mathbb{F}_p[x]. Finally, P and Q are given points on the affine curve.
NIST gives a few sets of data and in each case the prime number p is large.
(The smallest is greater than 10^{77}.) No explanation is given of the
particular choices (E,p,n,f,P,Q). We are told to use these data and not to
question why. The standard stipulates that “one of the following NIST
approved curves with associated points shall be used in applications
requiring certification under FIPS-140 [U.S. government computer security
accreditation].”
When A is any point other than the identity in E(\mathbb{F}_p), we may
evaluate the coordinate function x at A, to obtain x(A)\in \mathbb{F}_p. By
further lifting \mathbb{F}_p to a set of representatives in \mathbb{Z}, we
obtain a function by composition x1 : E(\mathbb{F}_p)\setminus\{0\}~ \to~
\mathbb{F}_p~\to~ \mathbb{Z}. Write (n,A)\mapsto n * A for the
\mathbb{Z}-module action of \mathbb{Z} on E. (We write powers of the group
element A using multiplicative rather than exponential notation.)
The pseudo-random bit generator is initialized with a random integer seed s,
obtained by some different process such as a separate random number
generator. What is important for us is that the number s represents the
hidden internal state of the algorithm. The hidden state must be kept secret
for the pseudo-randomness to be effective. (Once the state is disclosed, a
pseudo-random sequence becomes predictable and useless for many cryptographic
purposes.)
The essence of the pseudo-random bit generator can be written in the
Objective Caml language as follows. In the syntax of this language, each
phrase (let x = a in …) defines the value of x to be a. The last line of the
block of code gives the output of the function.
let pseudo_random s =
let r = x1 (s * P) in
let s' = x1 (r * P) in
let t = x1 (r * Q) in
let b = extract_bits t in
(s',b);
That is, we successively apply the integer s or r to the point P or the point
Q and take the x1 coordinate of the resulting point, then extract some bits
from the number t. The integer s’ becomes the new secret internal state to be
fed into the next iteration of the function. The output b is passed to the
consumer of pseudo-random bits. This output may become publicly known. The
function extract_bits operates by converting t to a list of bits, discarding
the 16 most significant bits (for reasons that do not matter to this
discussion), and giving the remaining bits as output. According to NIST
standards, by iterating this function, updating the internal state at each
iteration, a cryptographically secure stream b … of pseudo-random bits is
obtained.
The back door
This algorithm is fatally flawed, as Ferguson and Shumow pointed out
[Shumow-Ferguson]. Since P and Q are non-identity elements of a cyclic group
of prime order, each is a multiple of the other. Write P = e * Q, for some
integer e. We show that once we have e in hand, it is a simple matter to
determine the secret internal state s of the pseudo-random bit generator by
observing the output b, and thus to compromise the entire system.
The function extract_bits discards 16 bits. Given the output b, we take the
2^{16} (a small number of) possible preimages t of b under extract_bits. For
each t, the coordinate x is known, and solving a quadratic, there are at most
two possibilities for the coordinate y of a point A on the elliptic curve
such that t = x1 (A). One such A is r * Q. For each A, we compute e * A. One
of the small number of possibilities for e * A is
e * (r * Q) = r * (e * Q) = r * P. (1)
Finally s’ = x1 (r * P). In short, the internal state s’ can be be narrowed
down to a small number of possibilities by an examination of the
pseudo-random output bitstream. Shumow and Ferguson state that in
experiments, “32 bytes of output was sufficient to uniquely identify the
internal state of the PRNG [pseudo-random number generator].”
The back door to the algorithm is the number e such that P = e * Q. To use
the back door, one must know of the value e. The NIST standard does not
disclose e (of course!), and extensive cryptographic experience suggests that
it is hard to compute e from the coordinates of P and Q (unless you happen to
own a quantum computer). This is the problem of discrete logarithms. But
starting with e, there is no difficulty in creating a pair P and Q. The back
door is universal: a single number e gives back door access to the internal
state of the algorithm of all users worldwide.
It is a matter of public fact that the NSA was tightly involved in the
writing of the standard. Indeed, NIST is required by law to consult with NSA
in creating its standard. According to the New York Times, “classified NSA
memos appear to confirm that the fatal weakness, discovered by two Microsoft
cryptographers in 2007, was engineered by the agency” [NYT]. The news article
goes on to say that “eventually, NSA became the sole editor” and then pushed
aggressively to make this the standard for the 163 member countries of the
International Organization for Standardization. Further historical and social
context appears in [Wired]. NSA had facile access to the crown jewel e and
motive to seize it. Draw your own conclusions.
Observations
1. This back door to this algorithm is extremely elementary from a
mathematical perspective. We wrote the essential algorithm in six lines of
computer code, even if more supporting code is needed to make it industrial
strength. The algorithm could be explained to undergraduate math majors, or
sufficiently advanced high-school students. The story also has the spy-agency
intrigue to make a good math club talk or a special lecture in an elementary
abstract algebra course. We essentially just need to understand that an
elliptic curve is an abelian group whose elements (other than the identity
element) are determined by two numbers x and y, that y is the root of a
quadratic when x is given, and that every non-identity element of a cyclic
group of prime order is a generator. Easy stuff.
2. Without prior knowledge of the back door, how difficult would it be to
rediscover the possible existence of a back door? An analysis of the argument
shows the required level of creativity is that of an undergraduate homework
problem. We must think to write the element P as a multiple of the generator
Q in a cyclic group of prime order. This a student learns in the first weeks
of undergraduate algebra.
The rest of the process of inverting the pseudo-random number generator is
determined by the definition of the function itself: simply take each step
defining the function and reverse the steps, asking for the preimage of the
function at each step of its definition, working from the output back to the
secret state s’. Once the question of inverting the function is asked, it is
easy to do the group theory, even if it is computationally difficult to write
e explicitly.
One-way functions are a standard tool in the cryptographer’s bag. Every
professional who has been trained to analyze cryptographic algorithms knows
to ask the question of invertibility. It is unsettling that NIST and others
do not seem to have asked this basic question.
Diffie-Hellman key exchange
In what follows, let us assume that someone, whom we will call the Spy, has
access to the back door e. How is it possible for the Spy and the end user
(the User) of the NIST algorithm to come into possession of the same shared
secret (the internal state of the pseudo-random number generator), when all
communication between them is public? Information flows from the Spy to the
User through the published NIST standard, and from the User back to the Spy
through the public output of the pseudo-random generator. The back door must
have a remarkable cryptographic design to permit a secret to pass across
these public channels, yet prevent the secret from becoming known to a third
party.
As we now explain, the design of the back door to NIST is based on a
well-known algorithm in cryptography called the Diffie-Hellman key exchange
[Diffie-Hellman]. This is an algorithm to share a secret between two parties,
when there is a possibility that the channel of communication is being
monitored. In the current context, the Spy has full knowledge of the
Diffie-Hellman key exchange for what it is. However, the User participates in
the exchange innocently and unwittingly, by blindly following the rules of
the NIST protocol.
The Diffie-Hellman key exchange requires a group, which we will take to be a
cyclic group E of order n (to preserve notation). The group E, its order n,
and a generator Q are made public. To share a secret, the first party (the
Spy), picks a random number e, which is kept secret, and publishes P = e * Q
to the world. The second party (the User) picks a random number r, which is
kept secret, and publishes r * Q. Then by Equation (1), the Spy who knows e
and r *Q, and the User who knows r and e * Q can both compute (r e) * Q = r *
P, which is the shared secret. (In our context, the shared secret determines
the internal state s’ of the pseudo-random number generator.) If E is a group
in which the public knowledge E, n, Q, P = e * Q, r * Q does not allow the
easy computation of (r e) * Q, then the shared secret is protected from
public disclosure by the difficulty of the computation. In this way, the only
two who learn the internal state of the pseudo-random number generator are
the Spy and the User.
What we have described here is not an imaginary scenario: NIST documents do
in fact publish the data E, n, Q, and P, needed to initiate the
Diffie-Hellman exchange. A user, when making public the output from the
pseudo-random number generator, does in fact complete the exchange.
Diffie-Hellman is Diffie-Hellman, whether it has been advertised as such or
not.
To say that the Diffie-Hellman key exchange algorithm is well-known is a vast
understatement. This algorithm is a significant lesson in virtually every
first course in cryptography everywhere in the world. Building on Merkle, the
Diffie-Hellman paper, by starting the entire field of public key
cryptography, is one of the most influential papers in cryptography ever
written.
What is the significance of all this? It is no secret that the NSA employs
some of the world’s keenest cryptographic minds. They all know
Diffie-Hellman. In my opinion, an algorithm that has been designed by NSA
with a clear mathematical structure giving them exclusive back door access is
no accident, particularly in light of the Snowden documents. This is a work
of experts.
References
[NIST] E. Barker and J. Kelsey, Recommendation for random number generation
using deterministic random bit generators. NIST Special Publication 800-90A
(2012), http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf.
[Diffie-Hellman] W. Diffie and M. Hellman, New directions in cryptography.
IEEE Transactions on Information Theory 22 (1976), 644-654.
[Luby] M. Luby, Pseudorandomness and cryptographic applications, Princeton
University Press, 1996.
[NYT] N. Perloth, J. Larson, and S. Shane. N.S.A. able to foil basic
safeguards of privacy on web, September 5, 2013, New York Times,
http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html.
[Shumow-Ferguson] D. Shumow and N. Ferguson, On the possibility of a back
door in the NIST SP800-90 dual EC PRNG,
http://rump2007.cr.yp.to/15-shumow.pdf, 2007.
[Wired] K. Zetter, How a crypto `backdoor’ pitted the tech world against the
NSA, Wired (Sept 24, 2013),
http://www.wired.com/threatlevel/2013/09/nsa-backdoor/
1
0
At 03:16 AM 10/15/2013, coderman wrote:
>On Tue, Oct 15, 2013 at 3:03 AM, Cathal Garvey
><cathalgarvey(a)cathalgarvey.me> wrote:
> > People focus too much on the "profit" miners make, and not the
> > verifiability and anarchism they are supposed to be providing to the
> > bitcoin network.
>
>this is why it is useful to run a bitcoind and contribute to the
>network, even if you do not mine.
Anarchism's a great thing, but if you're trying to run an actual economy,
you need to make it workable for economic reasons, not just ideological ones.
Now that mining takes actual work and non-trivial amounts of electricity,
and there are enough bitcoins on the market that you can just buy them,
people are only going to do it if they can make a profit.
(If the market gets big enough that there aren't enough bitcoins
circulating to meet demand, the price goes up,
and maybe mining becomes profitable again.)
2
1
16 Oct '13
Recipe for a DoS.
----- Forwarded message from Richard Brooks <rrb(a)acm.org> -----
Date: Tue, 15 Oct 2013 12:44:07 -0400
From: Richard Brooks <rrb(a)acm.org>
To: liberationtech <liberationtech(a)lists.stanford.edu>
Subject: [liberationtech] NSA must be best informed entity regarding viagra market
Message-ID: <525D70D7.90501(a)acm.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Thunderbird/24.0.1
Reply-To: liberationtech <liberationtech(a)lists.stanford.edu>
Since most email is spam, how productive is the NSA dragnet?
http://www.washingtonpost.com/blogs/the-switch/wp/2013/10/15/the-nsas-giant…
--
Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at companys(a)stanford.edu.
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5
2
1
16 Oct '13
----- Forwarded message from Florian Cramer <flrncrmr(a)gmail.com> -----
Date: Tue, 15 Oct 2013 22:37:17 +0200
From: Florian Cramer <flrncrmr(a)gmail.com>
To: nettime-l(a)kein.org
Subject: Re: <nettime> Pascal Zachary: Rules for the Digital Panopticon (IEEE)
Reply-To: a moderated mailing list for net criticism <nettime-l(a)mail.kein.org>
One aspect doesn't seem to have been addressed here yet: that the
Panopticon may be an outmoded metaphor because of its sole emphasis on
visuality. Twelve years ago, in 2001, the exhibition "ctrl_space" at ZKM
Karlsruhe drew deserved criticism after its curators had departed from the
notion of the panopticon and narrowed down the show to visual surveillance:
primarily, cctv cameras and video installation work. This was at a time
when Telepolis and other media had extensively covered Echelon, the NSA
communications surveillance program that preceded PRISM [
http://www.heise.de/tp/artikel/6/6929/1.html] The ZKM curators apparently
couldn't deal with Echelon because it wasn't visual and thus not easily
translatable into an exhibition, and because it didn't fit Foucault's and
Deleuze's canonical cultural studies theories of surveillance as smoothly.
In 2013, we're watching this history repeat itself as a farce. Many people
(myself included) are flabbergasted by the lack of mass-scale protest
against the government programs disclosed by Snowden. It seems as if two
limiting factors are at work simultaneously: Seasoned media activists and
critics didn't learn anything fundamentally new from Snowden except that
their earlier assumptions are now confirmed and can no longer be dismissed
as paranoia. For others, the news simply seemed to be too abstract and
intangible, much like the news reporting on financial derivatives schemes
and billion dollar bank bailouts in the past. There are no emotionalizing
images, no icons, figuratively speaking: no My Lai photographs.
Teaching a mixed group of third year Bachelor-level students of
informatics, media technology and media design, I learned that even most of
them did not know or understand systems like PRISM, commercial mining of
personal data and big data operations.
Criticism is unlikely to become effective unless (a) it sharpens up its
analysis beyond staid cultural studies paradigms and metaphors, and (b),
seemingly in contradiction to (a), creates a powerful visual language to
raise awareness of the issue. For the time being, I'd seriously recommend
people watching the 1998 Will Smith blockbuster "Enemy of the State" (and
its Coen brothers parody "Burn after Reading"), for the lack of anything
better. A popular activist philosopher like Zizek could be criticized for
reinforcing visual fetishisms and resulting blindness through the way his
own lecturing is so much based on iconic popular cultural images; on the
other hand, this might be the route to go.
-F
On Tue, Oct 15, 2013 at 6:19 PM, Al Matthews <prolepsis(a)gmail.com> wrote:
> Hello list. On Tor,
>
> >The US was slow to realize (or did they know this from the beginning?)
>
> Surely the latter
<...>
# distributed via <nettime>: no commercial use without permission
# <nettime> is a moderated mailing list for net criticism,
# collaborative text filtering and cultural politics of the nets
# more info: http://mx.kein.org/mailman/listinfo/nettime-l
# archive: http://www.nettime.org contact: nettime(a)kein.org
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5
1
0
Lodewijk andré de la porte wrote:
> if you cannot pronounce truth, what other ways can you not perceive or
> produce it.
>
apologies for delving deeper, it is a fascinating area to consider the
dynamics involved at this threshold or juncture, because interpretation and
relations can be defined and changed by the above mentioned criteria. thus
how is the information modeled, in what dimensions, concepts, and
abstraction...
what might the word [истината] mean if the language is not known, and thus
cannot be deciphered, decoded, or decrypted. might it operate on a visual
level, like a rorschach test, via whatever is recognized, or is it instead
ignored as a failed pattern match and thus upholds a boundary or perimeter
between known and unknown, like and unlike.
could it be possible to utilize these dynamics in other ways, such that
graphic elements of dε|cθи-şλวực+相ή could be utilized across conventional
boundaries and perhaps unlock other interpretative or structural layers,
via ambiguity or alternative readings of the potentials involved with
superposition of intrasign characters
another way to consider this is that until now the [sign] has functioned as
a whole concept, yet what if each letter was considered in its variability
in terms of its potential <multiple> meanings. such that |e|a|c|h| letter
could have variability, as demonstrated in HIOX dynamics, e.g. |a|e|n|y|.
in terms of superposition of a given letter, how this ambiguity could shift
meaning: |v|iew -> |c|iew, in phonetic terms (view, cue). in this context
of superposition of variables and their n-potential, i like the comparison
to juggling, as to what interpretation or pattern exists in a given
viewpoint or contingent framework, yet that can be swapped out or evaluated
in other patterning, as this relates to numerous available or unknown
interpretations. inter-sign, yet also infra- and intra-sign. as these views
could be grounded in some conceptual or methodological framework. for
instance as cipher systems or whatnot.
does the meaning of the word [nest] change with a variable character, such
that |n|est could become ήest. perhaps suddenly the out-of-bounds extra
information accessed via this new juxtaposition opens meaning, such that
jest appears as a partial variable, as if a spread of an orbital cloud of
electrons over their domain. another example: hat & hật, beyond
pronunciation, graphically that the additional caret symbol (^) could be
read as 'top hat' via symbolic processing, in some interpretative,
arbitrary framework based on what is referenced and how, in what terms.
graphically, outside the conventional language boundary, it could still be
functional as graphic language or data in this way
the issue then of subsign meaning as this relates to subtext and issues of
bounded interpretation, where the lines are drawn- via what parameters of
literacy. perhaps in this way 'not knowing' can open up potential readings,
as if approaching a rosetta stone of meta-language. and yet keyboards are
formatted in a particular way that prohibits and forbids this as a
practice. though ascii emoticons and icons (say in instagram or other
social media trinket-based visual feedback) are of this same nature, some
repurposed for graphical use, to communicate and allow such symbolic
communication and processing, relations and exchange in a perhaps similar
realm of communication.
i was going to be writing about this soon, typography and geometry, so will
save the larger evaluation for that conveyance.
there are examples of this same interpretative superposition within
language that i wanted to share, to clarify the point and its use within
culture. one is quite bleak, so the good things first...
Olek example
https://www.facebook.com/photo.php?fbid=10151655052466759
note: this could be evaluated in terms of a billboard and external
armature, outside the frame of the [sign]. yet instead to focus just on the
superposition of letters in the text within the boundary of the frame...
what is the [word] in the frame? #cool, #bod, #cod, #cool, #God, #feel,
#fool, #Bed, #66 eel, #GG ed, #Beef, #ceel, #coed, #Coal?
how do each of these potential meanings change the relation between the
observer, the self evaluating the event, and the surrounding context within
the image. how does the meaning shift as the combined signs tabulate into
different frameworks of reference. how does the circuitry transform.
also, conceptualization of the situation itself, what if the frame is a
magic device that shows someones hidden thoughts, as if a decrypting
device, and that this is what the artist is potentially conveying, in terms
of deep aesthetic insight and questioning.
an attempt at approximating and mapping this superposition:
# [c|GG|66|G|f|B] [o|e|e|oa|oo|ee|ed|od] [l|d|f]
now you could go a long way with this, into what it potentially means. one
interpretation could be 'bod' as it relates to body, where a face is
unseen, and how the body of a female may not actually be grounded to an
female-born entity, and could be a male in drag for instance. thus
questions of [woman] and [man] as this may involve signage, versus
grounding of the meaning of these words beyond a partial evaluation. such
that superficially [man] could equate with driving a truck and drinking
beers and having a dog, the image matching and pattern recognition of this.
such that a [person] who is male, on a motorcycle who wears a leather
jacket is automatically a man, while perhaps being completely subservient
to a machine worldview and submitting to its values, no fight left in the
person. yet perhaps costumed as if a rebel or somehow radical, etc, as
signs may become props and so on. lots of not-tough-guys taking on the
superficial appearance, ungrounded, as if roles. lots of females who in
certain dimensions appear female yet are not. just like having ungrounded
political analysis, such as ["republicans"] whose ideology actually maps to
the far-left in terms of worldview and values. the image of the sign can be
grounded in more than one way, given its hidden armature. how much is
encrypted in boundaries that are not understood in the depths this way, or
how much of knowledge and intelligence exists in being able to evaluate
these situations accurately, learn, become literate of the issues and
dimensions involved
music is especially involved in this variability of language dynamic.
listen to some song that you are trying to figure out the lyrics for, only
to realize that someone wrote a different word in the lyrics than what you
hear in the song- and yet it possibly ~could be misinterpreted or forced
into that interpretation, or could be stretch there, yet it may also be
mismatched, inauthentic, yet provide other meaning. i would say this
variance is occurring in 50% or greater of the lyrics i have referenced, if
not a higher percentage.
(there are some artists who are adept at exploring these issues with
language and meaning, and they are differentiated from others by their
extreme aesthetic awareness, that aesthetics are a condition of their life
values and consciousness, a higher level of awareness than is ordinary.
Olek is certainly one of these rare birds, and others exist across various
disciplines likewise, though i think they are actually the exception, it is
natural talent born of intuitive understanding versus contrived and born of
artifice)
Santigold is another wild one... consider the lyrics to this song...
Santigold - Rock This
http://music-mix.ew.com/2013/06/24/santigold-the-heat-soundtrack/
cf. Rock This [shi-t|p], we [vicious|bitches], [fat|bad] bitches
Santigold - The Keepers // aesthetics, boundaries, interpretation...
http://www.youtube.com/watch?v=SZoHSce004M
Santigold - Disparate Youth // masterful symbolism...
http://www.youtube.com/watch?v=mIMMZQJ1H6E
In relation to language techniques, in a 60 minutes Eminem discussed his
technique...
2010 Eminem 60 Minutes Interview // video
http://www.youtube.com/watch?v=HPSRqVXEQ4Y
he confirms it involves 'bending the word' via its annunciation (5:04m),
which can map into superposition of interpretation- how a subsign unit is
~processed or parsed as data. thus a word like [data] could be
reinterpreted if d#ta was the condition, and spoken as [dota], for
instance, this being my example. though it could inflect or spin or process
and rewire meaning, sending it to different or multiple circuitry,
especially in a looping condition of continual evaluation. thus, insight
into consciousness, observation, relation itself as experience is tested
against an empirical model, refined, error-checked and corrected, expanded
beyond given parameters and boundaries, etc.
thus the potential that each [l|e|t|t|e|r] in each word or concept or
[s|i|g|n] or even their combination or relation, could shift or
_recontextualize meaning via variability that leads to parallel structures
of interpretation, different mappings and circuitry or co-existing
frameworks, latent and hidden, overt and otherwise, perhaps even encrypted,
[signs] as sarcophagi, the bones these entombed structures, of past lives
revealed. thus what if every [sign] has other potential meaning buried
within it as a potential, in that there could be some other dimensionality
not accounted for yet accessible, say through a typoraphic error, and how
that recontextualized and rewires meaning, say if a missing 'j' is
revealed, or double jj, as r and g could structurally relate via a missing
puzzle piece, though other evaluations are likewise possible. thus, rabbit
holes into labyrinths, this
there is a last example that is extremely disturbing and it gets to the
subliminal use of these techniques. a local television commercial, likely
non-profit, has lyrics to a song or jingle that have a very menacing double
meaning. that context is forgotten is not particularly helpful either,
though in general the commercial is of a 'helping nature' and about caring,
etc. so when it sings, if remembering correctly: "wake the sun" or "wake
the son", as this is repeated, it sounds very much like "rape the son, rape
the son, rape the son". and this stuff is going on all the time in terms of
semiotics and symbology. so what if that is a coded or programmed message
that is formatting the behavior of someone via broadcasting an encrypted or
encoded message and that their interpretation could find authority-based
validation, ideological confirmation this way. well, without empirical
truth no one could argue this is happening- it is all subjective and to
consider this a person would have to be sick in the mind, etc, as plausible
deniability goes. and yet these types of activities are everywhere,
violence against women, subversion of principles and values, hatred,
discrimination, contempt, anti-[religious] messaging, etc. the binary
biasing allows this to proceed apace, as if subconscious, and if it cannot
be named or grounded, rationalized in a sane worldview, it is madness to
even speak about it or observe it because no one else will likely confirm
it and then will say it does not exist, it is just imaginary, etc. this is
what [signs] allow, in their surface manipulations.
the boundary or limit or threshold of interpretation, the issue of pattern
matching, then involves very deep and potentially disturbing correlations
that are exploited and hacked and influence interpretations. yet likewise,
if relating on this level, observing it, trying to deal with the reality,
an enforcer of relativism could 'fix' the interpretation to a given limited
boundary if the viewpoint is unfavored, via diagnosing mental illness and
proscribing psychiatric treatment and corrective pills that numb the mind
so that it receives such information uncritically, comfortably numb,
xanaxed or otherwise. so there is danger to 'unshared interpretation' that
is ungrounded, because it may be real madness though also 'unshared
interpretation' that is grounded though unfavored, which calls for remedial
action by those upholding the false perspective and managing rogue state
this is why logic is needed to deal with these ambiguities, otherwise it is
opinions in pseudo-truth reliant on false assumptions and frameworks by
default, cherry-picking data to support views, ignoring others via binary
ideology. and thus ungrounded binary evaluation in terms of "beliefs" based
within consensus superficial language where signs are equated with truth,
as *theorized*, versus grounded (1/N/0) logical evaluation based in
empirical modeling of many simultaneous, parallel observers of the same
event from its various angles, facets, structures, and dimensions, to error
check and correct and improve upon the hypothesis.
(i.e. how are claims of truth accounted for, as this relates to
interpretation)
so one of the structural issues is- what is the unit of measure for the
sign itself. especially if it can be recontextualized. is the letter the
unit, such that a [w|o|r|d] can be made particulate, atomized. perhaps, in
part. though the examples above show that pronunciation or combinations or
fusing or ambiguity or overlapping of cursive or script can blur this
boundary as well, as if particle clouds and probabilities, or wave
functions that can be temporarily established then collapse again into the
surrounding ambiguity. so what if this could be expanded or unlocked, and
the unit of measure could be intra- or infra- or inter-letter, or likewise
-alphanumeric symbol or sign. that could recontextualize and provide
different structuring, perhaps even overcoding or transcoding or paracoding
texts in some way that allows multiple readings, possibilities, parallel
perspectives.
thus, a question of what a unit of the subtextual may be. and how this
could relate to fonts and typography, functioning of keyboards as dumb
peripherals where the existing assumptions and conventions lock-in a
particular perspective that instead could be opened up- if someone is
really willing to break all the rules, crack the code, etc. then language
may not be delineated in the same parameters, as there could be 20 letters
'A' to choose from, etc. and their could be a range of meaning, especially
when combined with other letters. and thus a new form of symbolic language
could develop that is akin to code, in some sense. though this could go
much further than a superficial reading of [signs] as fancified text, as if
another font style, and involves access to structures of truth, different
awareness, conceptualization, perspective. paradigm shiftkey.
⊺⧢s⟘ ⋋ëst t∈s⨁
(another reference test for wordwrap) - 77 character monospaced Courier New
font
XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
XX
1
0
http://www.techweekeurope.co.uk/news/zeroaccess-bitcoin-botnet-sinkholed-12…
Zeroaccess was a botnet that did a bunch of things, such as fake ad
clicks and Bitcoin mining.
A DNS sinkhole was created to attack its DNS-based communications,
which took out about 1/3 of the botnet.
One side issue that I found interesting, besides the usual security
stuff, was the assertion that
"The botnet's Bitcoin operation was only profitable because it used
stolen electricity:
it used about $561,000 of electricity a day on its victims'
machines, while only generating $2,165 a day."
What does this say about the future of Bitcoin mining?
I'm guessing that the botnet only mined on CPUs, not on GPUs,
because doing GPU calculations requires adapting code to different
kinds of hardware
and is likely to have visible effects on the screen if you're not careful,
but even so, does this mean that Bitcoin miners who want to make a profit
are going to need to dump general-purpose machines in favor of
specialized hardware
such as FPGAs or ASICs? Or is buying a high-end GPU still good enough?
9
18
Lodewijk andré de la porte wrote:
More important question is: can you pronounce ... all [signs of truth]? And
> if you cannot pronounce truth, what other ways can you not perceive or
> produce it.
>
interesting considerations. interpretation slightly varying on multiple
meanings for pronounce, saying vs. declaring.
instead of copying the examples again, an ironic or emblematic
representation of "truth" as a sign of truth ["truth"], self-conscious in
its structural connection to all other signs as a concept, then could
evaluate any sign, though also all signage standing-in for this concept, in
terms of the larger integrated evaluation and its accounting...
(unbelievable perhaps though am not trying to be abstract). such that:
["truth"] ---> A=A (1)
in this way, any language with a sign representing truth could likewise be
grounded in 1=1 evaluation (this perhaps more universal as number though as
language (A) more insightful in terms of signage). e.g:
[αλήθεια] ---> 1 (T)
[真実] ---> 1 (T)
[ความจริง] ---> 1 (T)
that is, all various 'signage of truth' would be grounded in an empirical
evaluation of truth (such as A=A) whereby the absolute truth (1) would be
referenced as a basis for determining truth (T), noting that my notation
here is arbitrary and shifting, trying to describe it. thus if 'observation
of truth' is grounded, it would tend towards 1, whereas if based on
pseudo-truth and errored relativistic beliefs, where truth is minor and set
within prevailing uncorrected falsity, this ungrounded observation could
tend towards falsity instead (0), even while it references the same 'sign
of truth', the sign believed to automatically verify an inaccurate
'absolute condition' via reading/writing its sign. in other words, the
reference to the word ["truth"] is deemed the totality of accounting for
truth of an observation, via 'true belief' that is not accounted for beyond
the sign and binary onesided evaluations that assume the error-reliant
observer is infallible; corrupt POV.
[αλήθεια] ---> pT (0)
[真実] ---> pT (0)
[ความจริง] ---> pT (0)
in this way -ungrounded observations- which simply reference the 'sign of
truth' could, in their reliance on relativistic frameworks not checked
against other empirical observations beyond their given protected boundary
or parameters, then have their viewpoint carry only a minor truth (say 1%
grounded truth amidst reliance on much larger falsity) yet in binary terms
be assumed 'absolutely true' (1) which is what ideology affords- a
protected boundary that edits truth to fit a given model, yet the more this
occurs, the less real it becomes as a viewpoint of the world outside this
bubble condition.
in other words, grounded error-corrected observation of empirical truth
tends towards 1, ungrounded error-reliant and uncorrected observation of
relativistic pseudo-truth tends towards 0 (though can assume to equate with
1 via binary ideology) -- such that both these observers could reference
the same sign of truth ["truth"] and yet one observer could be situated in
an accurate and realistic empirical model and the other in a virtual,
warped, twisted and surreal model that is largely a false perspective,
false consciousness, etc.
relativistic pT (0) <--- ["truth"] ---> (1) empirical truth
and that everyday language in linear exchanges, not referencing a common
model of truth and verifying accuracy of observations, of claims and
statements and beliefs, actually by default tends towards falsity (0) and
nothingness, in terms of empirical awareness. instead >nothingness< is that
is shared as the common viewpoint. truth having been removed from the
center of cultural knowledge and awareness via relativism and binary
ideology. so basically everything exists in this far-left scenario (above)
by default, to even include mathematics (psychology of mathematicians, the
basis for their analyses in terms of logical reasoning, errors of
observers), coding, programming, communication, language, economics, and
onward to everything. it is all ungrounded belief, to greater/lesser
extents, unless subsets of empirical truth have been achieved otherwise -
yet not at the scale of existing government, the state, else people would
be able to deal with the situations that exist instead of silence,
passivity, and incapacity to question and work-through what is going on,
though there is also active hostility to exactly such _behavior, so the
animal trainers make sure humans remain the apes
so grounded and ungrounded observations influence and effect whether a sign
maps into structures of empirical truth or relativistic falsity, and this
relates to parameters, boundaries, dimensions evaluated, and the internal
processing of the observer, externalized, as a decision-making entity that
then interacts with others and various tools, using this operating system
or ruleset for guidance, navigation
i keep thinking of the Voyager spacecraft gold-record in this regard, the
challenges of interpretation this situation involves, especially the
further it gets outside of a shared framework- which is how the
universality of numbers seem to establish the basic for language outside
the variability of signs, assumably recognizable beyond a given threshold
of development, say for space-venturing civilizations
THE GOLDEN RECORD
http://voyager.jpl.nasa.gov/spacecraft/goldenrec.html
it would be pretty hilarious if the aliens could not figure out what the
various symbolic language was meant to equate with due to some hidden
relativistic bias and get future feedback on such an inherent limit in
existing approaches to communication. such that a gap may exist between
what is communicated and what is believed communicated.
the larger issue involved in the grounding of truth within signs, including
the 'signs of truth' that seek to represent it as a concept, is that it is
a general condition of linear language that repeats itself endlessly,
[such] [that] [every] [word] [and] [idea] [exist] [in] [this] [shared]
[existential] [condition] and rely on particular interpretation, to
~account for the truth, however perceived and subsequently evaluated.
thus your question of the limits to seeing, saying, conveying this truth,
what if there is a boundary and it seems the default condition, that such a
boundary exists, perhaps even an extreme limit upon observation of the
truth as it exists, versus as it is perceived and-or believed to exist in
contingent modeling used in day-to-day existence, trapped within a style of
language, styles of knowing, ways of being that could be established via
these same parameters and boundaries as a structure, the basis for given
observations, specific contexts that make each observer unique (the
relativistic context) which can be an asset if grounded and integrated into
other views of the same events, versus blocking them out, censoring reality
to fit a given parameter that itself may only be partially accurate, etc.
in this way the reference to ["truth"] is not only how this concept is
referenced by each individual observer (or ignored by computers via their
modeling of signs instead as if truth), it is also how this
conceptualization exists as an infrastructure within all other signs and
symbols and events, as these are calculated, processed, accounted for
within observational frameworks. in other words a substructure of this
truth, within each and every sign and their combination and permutations
resulting in various arrangements of meaning, this in a perspectival
(relative->empirical) framework akin to geometric modeling (Plato:
Timaeus), such as the nesting of platonic solids or The Architecture of
Molecules, though "forms" are ideas, commonly referenced via various
viewpoints (facets) and ~dimensions, to model and accurately account for,
if not determine, things-in-themselves as concepts map into the world and
are repeated and transformed
in this way, the [sign] is like the facade of a billboard, a large outdoor
wood and metal canvas used for graphic advertisement, mainly for automobile
transportation- getting eyeballs to track to the available marketable space
between the world of civilization and the empty sky. what is relevant about
this [signage] is that the sign itself is held up by a hidden armature that
is in the background, while the message is in the foreground. and yet this
hidden armature is its physicality, its basis for how it is positioned in
space-time and also literally its grounding in the material world, such
that a lightning strike on the armature would be sent back into earth via
ground wire if atop a building otherwise constructed in the ground as a
self-contained billboard, i.e. the various typology of how buildings can
exist
in this context of the [billboard], as with any sign, its [truth] may be
equated with the signage itself, as a surface-level evaluation and thus
interpretation not extended beyond this parameter to account for its
existence. thus the image or sign may equate with its truth. yet to
understand the billboard signage in depth would require understanding
something about advertising and real estate, marketing, semiotics perhaps,
psychology, economics, whatever themes or industries or business models may
be referenced, icons, as these relate to how someone perceives this
signage, pattern-matches their dimensional awareness into or onto that
framework of the [sign], and thus how 'truth' is determined or grounded, in
what context, how much it relies on assumptions in pT or goes beyond these,
as this relates to boundaries and parameters and thresholds of observers
and knowledge and beliefs. the larger truth, in other words, may exist
outside the literal frame of the [sign], its "truth" may go into the hidden
armature, here an analogy and-or metaphor, that structures and creates the
informational model that is being mediated, evaluated, parsed, ~computed
and processed via observers in such a sign-based relation, that as a medium
may actually involve connecting two remote observers in a hidden or delayed
mode of exchange, symbolic or otherwise (economic, political, social,
cultural, informational), including demographic, statistical, ideological,
biased, to the point that pavlovian or skinnerian techniques of salivation
may be the basis for processing, more than deep intellectual consideration
so if it is possible to withstand further investigation into this, it would
then be to consider [signs] of language in these terms, whereby their
"truth" may exist as this hidden armature that connects into these other
hidden yet interconnected dimensions, a substructure or infrastructure of
signage or a substructural level of language and-or patterning, and that
this is essentially the scaffolding of structure that relates to 'logical
reasoning' that connects various ideas and concepts in their 'shared truth'
beyond given boundaries that may or may not be accounted for within a given
observation. the truth of the [sign] could be interpreted just as its
image, yet its "truth" as a ["sign"] involves more than a pattern-match
with a preconceived notion that is unaccounted for in its empirical
existence, by default. that would require getting into its armature, its
meaning yet also its modeling and *conceptualization*, which is necessarily
empirical in that the nature of perspective allows an N-dimensional
observation, via shared observation, panoptic seemingly, to evaluate every
facet and angle and vertex in its accuracy (A=A) and thus get to the
thing-in-itself versus remaining trapped in a false perspective of things
as they are perceived as [signs], never going beyond the boundary to get at
the truth that validates them as ["signs"] in terms of ideas, and this is
proposed to be requiring nonlinear modeling, stopping this linear feed of
endless unique perspective, to reference the same event or situation (x)
via various grounded perspectives, than create new unconnected
perspectives, 'reinventing the sign' each time it is observed or referenced
(x..n) (else perhaps x^n) (unsure how to denote this at the moment)
so there is a correlation between this condition, where [signs] are not
similarly referenced, and existing technology: HTML or hypertext markup
language. the Project Xanadu approach Ted Nelson invented was not followed.
[0] if understanding correctly, it was a common reference for each sign,
such that each word would be referenced to a centralized model, a single
concept, such that typing this would involve an invisible armature that
would map back towards a central model of the same information, as if a
weaving of data outward from the core. each [sign] would reference an
original, as with Plato and original forms, versus copies and copies of
copies (ideology). thus the inherent structure of language would be part of
the information modeling, online. the entire internet would be organizable
as content this way, if these concepts could then be the basis for modeling
and categorizing and relating to ideas, and communicating. or so that is
the potential for such an approach. instead, every [sign] remains as a
[sign], yet does not reference a common, accountable ["sign"] that can be
used to account for its truth, as an idea and concept. friction-free and
free-floating, language untethered from its accounting in truth, as if the
[word] in and of itself is truth, versus referencing it, a representation
that provides a pathway that grounds with reality
in this way, the programming conventions themselves can become limits to
observation and perception and relation to information and data modeling
that becomes surface-based, shallow or hollowed out in terms of issues of
representation, what is accounted for and what exists and can be exploited
in terms of belief. and by default, it is proposed, due to this lack of
accounting for the scaffolding and hidden armature that empirical truth
involves, the relativistic approach instead takes over and exists in an
ungrounded condition at this superficial level of bounded, limited, finite
interpretation trapped within dynamics mostly defined by psychology of
observers who, most, are reliant on biased and onesided binary evaluations
by default, and entire populations are trained this way, in terms of what
they see and how they convey this, what is sayable versus requiring self or
other censorship-- and at the core is fear of ideas, fear of truth, the
fear that losing these protective parameters will result in loss of self,
loss of ego (yes), loss of infallibility (yes), loss of certitude (yes),
and thus it is a different worldview, like Copernican and Galilean, though
it involves fundamental gains: grounding, neutralizing bias, clarity of
observation, access to truth beyond arbitrary boundaries, the capacity to
reason, realization of service to truth as beneficent, etc. though instead,
as if brainwashed by the ideological nanny-state, the fear of unfettered
truth: we cannot handle the truth, therefore... the false perspective and
its bliss. draw within the lines. everything will be ok. just take your
pills. pre-order your casket...
[0] Project Xanadu - Ted Nelson
http://en.wikipedia.org/wiki/Project_Xanadu
(reference test for wordwrap) - 78 character monospaced Courier New font
XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
XX
XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
XX
izod-lacoste, vans, sexwax
∄ ‱ ∃
1
0
15 Oct '13
----- Forwarded message from Zooko Wilcox-OHearn <zooko(a)leastauthority.com> -----
Date: Tue, 15 Oct 2013 18:42:51 +0000
From: Zooko Wilcox-OHearn <zooko(a)leastauthority.com>
To: cryptography(a)metzdowd.com
Subject: [Cryptography] my comment to NIST about reducing capacity in SHA-3
Message-ID: <CAM_a8JzazjxXq5Y8GiFbjK6nNHQf1fHFfJ+A6r1O6tF2yfHwCg(a)mail.gmail.com>
Date: Tue, 1 Oct 2013 15:45:27 -0400
From: zooko <zooko(a)zooko.com>
To: Multiple recipients of list <hash-forum(a)nist.gov>
Subject: Re: On 128-bit security
Folks:
Here are my personal opinions about these issues. I'm not expert at
cryptanalysis. Disclosure: I'm one of the authors of BLAKE2 (but not
one of the authors of BLAKE).
I personally do not believe that there is any secret agenda behind
this proposal, even though I believe that there was a secret agenda
behind Dual EC DRBG.
One reason that I believe that the motivation behind this proposal is
the stated motivation of improving performance, is that Joan Daemen
told me in person in January of 2013 that the Keccak team had
considered defining a reduced Keccak to compete with BLAKE2, but had
decided against it because they didn't want to disrupt the SHA-3
standardization process.
Apparently they changed their minds, and apparently their fears of
disruption turned out to be prescient!
I also do not think that a "security level" of 2^256 is necessarily
better than a "security level" of 2^128. *Maybe* it is better, but I'm
not aware of any examples where that sort of distinction has turned
out to matter in practice, and I can't really judge if it is likely to
matter in the future (except, of course, if you forget to take into
account multi-target issues…). I suspect nobody else can, either.
However, even though I *personally* would have confidence that a
Keccak with a 256-bit capacity would be safe and would be free of
maliciously induced weakness, I want a standard to be widely accepted
in addition to being safe.
This is the "Caesar's wife must be above suspicion" argument. It isn't
enough to make a secure standard, but also we need other people to
have confidence in it.
And, I don't know if we can persuade people that "no it isn't actually
backdoored/weakened". It may be the kind of thing where if that's the
conversation we're having then we've already lost.
Would it make sense to go ahead and standardize
SHA3-as-a-replacement-for-SHA2 by standardizing the form of Keccak
which is most widely accepted by cryptographers and which is closest
to what was studied during the contest, and then separately offer
SHAKE and reduced-for-speed-Keccak as additional new things?
A lot of uses of secure hash functions don't need to be particularly
efficient. In my slides about BLAKE2
(https://blake2.net/acns/slides.html) I argue that there are use-cases
where efficiency is critical, but it is equally true that there are
common and important use cases where a 576-bit capacity Keccak would
be fine, e.g. public key certificates.
-------
Joan Daemen, one of inventors of AES and one of the inventors of
Keccak (SHA-3), replied to my mailing list post as follows:
Date: Fri, 4 Oct 2013 05:08:07 -0400
From: Joan DAEMEN <joan.daemen(a)st.com>
To: Multiple recipients of list <hash-forum(a)nist.gov>
Subject: RE: On 128-bit security
Hello all,
Zooko wrote:
> I personally do not believe that there is any secret
> agenda behind this proposal, even though I believe that
> there was a secret agenda behind Dual EC DRBG.
>
> One reason that I believe that the motivation behind
> this proposal is the stated motivation of improving
> performance, is that Joan Daemen told me in person in
> January of 2013 that the Keccak team had considered
> defining a reduced Keccak to compete with BLAKE2, but
> had decided against it because they didn't want to
> disrupt the SHA-3 standardization process.
>
> Apparently they changed their minds, and apparently
> their fears of disruption turned out to be prescient!
Yes, Zooko and I met at the end-of-Ecrypt II event on Tenerife early
2013 (24° C in January!).
I don't remember our conversation in detail, but I I'm sure Zooko is
citing me correctly because that is what we were thinking about at the
time.
Actually, what we had in mind was to propose something like "Keccak2"
to compete with BLAKE2 by drastically cutting the number of rounds,
e.g., down to 12 rounds for Keccak-f[1600], but otherwise keeping the
algorithm as it is. That might have sent the wrong message indeed, but
we just didn't do it.
In contrast, the capacity is an integral parameter of the Keccak
family that we even proposed as user-tunable in our SHA-3 submission.
Matching the capacity to the security strength levels of [NIST SP
800-57] is simply exploiting that flexibility.
Kind regards,
Joan, also on behalf of my Keccak companions
-------
Regards,
Zooko Wilcox-O'Hearn
Founder, CEO, and Customer Support Rep
https://LeastAuthority.com
Freedom matters.
_______________________________________________
The cryptography mailing list
cryptography(a)metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5
1
0
Lessons from Silk Road: don't host your virtual illegal drug bazaar in Iceland
by Eugen Leitl 15 Oct '13
by Eugen Leitl 15 Oct '13
15 Oct '13
http://www.theverge.com/2013/10/14/4836994/dont-host-your-virtual-illegal-d…
Lessons from Silk Road: don't host your virtual illegal drug bazaar in
Iceland
By Adrianne Jeffries on October 14, 2013 11:47 am Email
When it comes to protecting your virtual black market from the Federal Bureau
of Investigation (FBI), some countries are better than others. As it turns
out, Iceland is probably not where you want to be. While the country may have
protected WikiLeaks from the Americans, it's not harboring the recently
busted illegal drug bazaar Silk Road. The Reykjavik Metropolitan Police have
confirmed that they handed over data on the Silk Road at the request of
American authorities.
It's unclear how much information Iceland turned over, but the FBI claims two
Silk Road servers were based there. Icelandic police say the site was
actually hosted there. Since Iceland does not have a formal Mutual Legal
Assistance Treaty (MLAT) with the US, it appears that the FBI negotiated a
special one-time agreement in order to get the data.
It still looks like the bulk of the information that broke open the case did
not come from Iceland, however. The complaint says "an image of the Silk Road
Web Server was made on or about July 23rd, 2013, and produced thereafter to
the FBI" as a result of a request made to a foreign country under a formal
MLAT.
"AN IMAGE OF THE SILK ROAD WEB SERVER WAS MADE ON OR ABOUT JULY 23RD, 2013."
That image, or bit-for-bit copy, of the Silk Road server gave authorities
access to private messages between the Silk Road's owner and other members of
the site. It was instrumental in seizing the site and arresting Ross
Ulbricht, the man police allege was behind the Silk Road.
Runa Sandvik, who works on the anonymizing network Tor, has been trying to
figure out which country handed over that server image. She initially ruled
out Iceland because it does not have an MLAT with the US. Various Silk Road
content was also hosted in the US, Latvia, and Malaysia. Latvia and Malaysia
are both MLAT signatories. If the request was indeed made under an MLAT, it
looks like the image either came from one of those countries or another that
has not been revealed yet by the FBI.
Another possibility is that the FBI's complaint erroneously claimed the
request was made under an MLAT, when the reality was less formal. Either way,
future virtual drug kingpins now know that Iceland is no safe haven.
Correction: An earlier version of this story said that Malaysia is not an
MLAT signatory; that is incorrect. Malaysia and the US signed an MLAT in
2009.
1
0
RISKS-LIST: Risks-Forum Digest Tuesday 15 October 2013 Volume 27 : Issue 53
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/27.53.html>
The current issue can be found at
<http://www.csl.sri.com/users/risko/risks.txt>
Contents:
Azerbaijan releases election results -- before the election started (PGN)
Computer Failure Cuts off Access to Food Benefits (PGN)
Another botched Black Tuesday for MS (Woody Leonhard via Gene Wirchenko)
D-Link SOHO Routers reported to contain backdoor (Bob Gezelter)
Russian government's political comment trolling operation exposed
(Lauren Weinstein)
EFF Resigns from Global Network Initiative (EFF)
Re: "Let's build a more secure Internet" (Peter Houppermans, Bob Frankston,
Fred Cohen)
Re: Why the NSA's attacks on the Internet must be made public (Fred Cohen)
Re: NSA data center 'meltdowns' force year-long delay (Paul Saffo)
Correction re: Cyber Schools Fleece Taxpayers (Gene Wirchenko)
Re: Our Founding Fathers ... (Thor Lancelot Simon)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Wed, 9 Oct 2013 22:39:07 PDT
From: "Peter G. Neumann" <neumann(a)csl.sri.com>
Subject: Azerbaijan releases election results -- before the election started
http://www.washingtonpost.com/blogs/worldviews/wp/2013/10/09/oops-azerbaija…
Azerbaijan's big presidential election, held on Wednesday, was anticipated
to be neither free nor fair. President Ilham Aliyev, who took over from his
father 10 years ago, has stepped up intimidation of activists and
journalists. Rights groups are complaining about free speech restrictions
and one-sided state media coverage. The BBC's headline for its story on the
election reads `The Pre-Determined President'.
<http://www.bbc.co.uk/news/world-europe-24450227>
So expectations were pretty low.
Even still, one expects a certain ritual in these sorts of authoritarian
elections, a fealty to at least the appearance of democracy, if not
democracy itself. So it was a bit awkward when Azerbaijan's election
authorities released vote results -- a full day before voting had even
started.
<http://www.eurasianet.org/node/67607?utm_source=dlvr.it&utm_medium=twitter>
The vote counts -- spoiler alert: Aliyev was shown as winning by a landslide
-- were pushed out on an official smartphone app run by the Central Election
Commission. It showed Aliyev as "winning" with 72.76 percent of the vote.
That's on track with his official vote counts in previous elections: he won
("won"?) 76.84 percent of the vote in 2003 and 87 percent in 2008. [...]
[PGN-ed. The rest of this story is interesting as well.
[Also noted by Dan Swinehart, who said, ``This is a variant on the punch
line to a joke that I've told for decades. Reality trumps fiction again.''
http://politics.slashdot.org/story/13/10/10/0043217/azerbaijan-election-res…
PGN]
------------------------------
Date: Mon, 14 Oct 2013 16:26:37 PDT
From: "Peter G. Neumann" <neumann(a)csl.sri.com>
Subject: Computer Failure Cuts off Access to Food Benefits
AP item in *The New York Times*, PGN-ed, 13 Oct 2013:
People in 17 states (including NJ and CA) were unable to use their food
stamp debit cards for several hours on 12 Oct 2013, because a routine test
of backup systems by Xerox failed. (Yes, RISKS readers know nothing is
always "routine".)
------------------------------
Date: Thu, 10 Oct 2013 11:30:10 -0700
From: Gene Wirchenko <genew(a)telus.net>
Subject: Another botched Black Tuesday for MS (Woody Leonhard)
Woody Leonhard, InfoWorld, 10 Oct 2013
Another botched Black Tuesday: KB 2878890 patch brings back
two-year-old KB 951847 -- repeatedly
Microsoft's four-month body count: 23 bad patches. It's past time for
Microsoft to improve the quality of its Automatic Updates
http://www.infoworld.com/t/microsoft-windows/another-botched-black-tuesday-…
[It's a (Bach -> Batch -> BOTCH) FUGUE, which recapitulates the same
themes repeatedly, although sometimes in a slightly different form. PGN]
------------------------------
Date: Mon, 14 Oct 2013 03:48:44 -0700
From: "Bob Gezelter" <gezelter(a)rlgsc.com>
Subject: D-Link SOHO Routers reported to contain backdoor
Apparently, D-Link SOHO routers sold under their own and some private labels
have been reported to contain a "backdoor" which can allow anyone
Administrator without the device password. This "feature" is implemented by
the codebase using a pre-defined username, which does not need a password.
Users are cautioned to act appropriately. When will firm's learn that
backdoors are generically dangerous and should not be created? The original
article is at:
http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/
Bob Gezelter, http://www.rlgsc.com
------------------------------
Date: Thu, 10 Oct 2013 09:12:27 -0700
From: Lauren Weinstein <lauren(a)vortex.com>
Subject: Russian government's political comment trolling operation exposed
http://j.mp/GI5Ro3 (*St. Petersburg Times* via NNSquad)
"Local reporters have infiltrated a covert organization that hired young
people as "Internet operators" near St. Petersburg and discovered that the
employees are being paid to write pro-Kremlin postings and comments on the
Internet, smearing opposition leader Alexei Navalny and U.S. politics and
culture."
------------------------------
Date: Thursday, October 10, 2013
From: *EFF Press*
Subject: EFF Resigns from Global Network Initiative
Citing Concerns Over NSA's Impact on Corporate Members, EFF Leaves Industry
Group
San Francisco - The Electronic Frontier Foundation (EFF) today withdrew from
the Global Network Initiative (GNI), citing a fundamental breakdown in
confidence that the group's corporate members are able to speak freely about
their own internal privacy and security systems in the wake of the National
Security Agency (NSA) surveillance revelations.
EFF has been a civil society member of the multi-stakeholder human rights
group since GNI was founded in 2008 to advance freedom of expression and
privacy in the global information and communication technologies sector.
While much has been accomplished in these five years, EFF can no longer sign
its name on joint statements knowing now that GNI's corporate members have
been blocked from sharing crucial information about how the US government
has meddled with these companies' security practices through programs such
as PRISM and BULLRUN.
"We know that many within the industry do not like or approve of such
government interference, and GNI has, in statements, made it clear that
member companies want permission from the US government to engage in greater
transparency," EFF's International Director Danny O'Brien and Director for
International Freedom of Expression Jillian C. York write in a letter to GNI
leadership. "However, until serious reforms of the US surveillance programs
are in place, we no longer feel comfortable participating in the GNI process
when we are not privy to the serious compromises GNI corporate members may
be forced to make. Nor do we currently believe that audits of corporate
practice, no matter how independent, will uncover the insecurities produced
by the US government's--and potentially other governments'--behavior when
operating clandestinely in the name of national security."
EFF's involvement with GNI included helping to define its founding
principles over two years of negotiations; coordinating opposition to the
United Kingdom's Communications Data Bill in 2011; releasing a paper
addressing free-speech issues surrounding account deactivation and content
removal; and collaborating with fellow members in internal international
technical and policy analysis. However, EFF can no longer stand behind the
credibility of what had been one of GNI's most significant
achievements--third-party privacy and freedom of expression assessments of
service providers, including Google, Microsoft and Yahoo.
Moving forward, EFF plans to continue to provide guidance to the GNI and
engage companies directly, but as an external organization. EFF supports
the other organizations and individuals that continue to work within the GNI
for the free speech and privacy rights of users worldwide.
"Although EFF is taking a step back, GNI can still serve an important role
as a collaborative project between human rights groups, companies, investors
and academics," York said. "If the United States government truly supports
international 'Internet freedom,' it would recognize the damage its policies
are doing to weaken such efforts and the world's confidence in American
companies."
For the text of the letter:
https://www.eff.org/document/gni-resignation-letter-0
For this release:
https://www.eff.org/press/releases/eff-resigns-global-network-initiative
About EFF
The Electronic Frontier Foundation is the leading organization protecting
civil liberties in the digital world. Founded in 1990, we defend free speech
online, fight illegal surveillance, promote the rights of digital
innovators, and work to ensure that the rights and freedoms we enjoy are
enhanced, rather than eroded, as our use of technology grows. EFF is a
member-supported organization. Find out more at https://www.eff.org.
Electronic Frontier Foundation Media Release
For Immediate Release: Thursday, October 10, 2013
Jillian C. York
Director for International Freedom of Expression
Electronic Frontier Foundation
jillian(a)eff.org <javascript:;>
+1 415 436-9333 x118
------------------------------
Date: Thu, 10 Oct 2013 09:39:37 +0200
From: Peter Houppermans <peter(a)houppermans.net>
Subject: Re: "Let's build a more secure Internet" (Dourado, RISKS-27.52)
With all due respect to the respective people involved, in my opinion you
have the problem backwards.
By attempting to create a trustworthy Internet, you are ignoring the fact
that practically any platform carrying data over the Internet only survives
by exactly NOT doing that. The nice thing about not trusting the network
layer is that it then becomes irrelevant what the carrier is: a comfy "hard
shell, soft centre" insider threat corporate LAN, or a shaky "I have only 1
bar and my battery is dying" EDGE connection somewhere out in the field.
Well, irrelevant from a security perspective :).
Only when we ensure that everything that travels over the Internet has at
least a basic level of security attached can we progress, and there is much
to fix. Why do websites still default to FTP uploads? Why is encrypted
SMTP not the default for inter-party email exchange?
You improve security by adjusting the equation effort & risk vs. reward, and
use tools you control yourself: content, framing and encryption. What is
out of your control is by default untrusted, and doing it right also means
that it's no longer worth doing the lower level intercept.
Finally, in context I appreciate the irony of sending that submission from a
Google account :)
------------------------------
Date: Thursday, October 10, 2013
From: *Bob Frankston*
Subject: Re: Let's Build a More Secure Internet (Dourado, RISKS-27.51)
[via Dave Farber's IP distribution. PGN]
This assumes that the Internet is a layer on top of a physical
infrastructure -- a notion which misses the revolutionary idea of the
Internet. The Internet is not the switches. It is a way we use the physical
infrastructure as a resource rather than a dependency. For that matter the
very wording assumes there is an Internet that is apart from everything else
when many of the issues are in the practices both in the way we exchange
bits and the service we create using connectivity.
As long as we require that operators and service providers make a profit we
force the creation of the meta data that can then be used to analyze our
usage of the network. If we have funding model that doesn't require every
wire be a profit center than we wouldn't need to disclose (as much) metadata
and the network operators wouldn't obliged to monetize it.
There is a risk in seeking the social and business problems in technology
rather than in understanding.
------------------------------
Date: Mon, 14 Oct 2013 06:44:50 -0700
From: Fred Cohen <fc(a)all.net>
Subject: Let's Build a More Secure Internet - hardly... (Re: RISKS-27.51)
> Eli Dourado, *The New York Times*, 8 Oct 2013
> Can we ever trust the Internet again?
As usual, the press gets it wrong soup to nuts. Starting with the premise
that the Internet was ever worthy of trust in the first place, which leads
to the question - trust for what? If you trusted the Internet for integrity,
confidentiality, availability, use control, or accountability, you were
making a mistake, and this is nothing new. I refer you to the series of
articles I wrote in the mid-1990s called Internet Holes and the continuation
of that series through the present day
(http://all.net/Analyst/index.html) Not that the problems began then...
> In the wake of the disclosures about the National Security Agency's
> surveillance programs, considerable attention has been focused on the
> agency's collaboration with companies like Microsoft, Apple and Google,
> which according to leaked documents appear to have programmed "back door"
> encryption weaknesses into popular consumer products and services like
> Hotmail, iPhones and Android phones.
The difference being that they used legal process or money to get
willing cooperation? Does anybody really believe that this wasn't being
done earlier by planted insiders? And why worry about the NSA when they
are only one of more than 100 countries likely undertaking the same sort
of thing (many known to be doing so) since the beginning of the Internet.
> But while such vulnerabilities are worrisome, equally important - and
> because of their technical nature, far less widely understood - are the
> weaknesses that the N.S.A. seems to have built into the very
> infrastructure of the Internet.
We didn't need them to build weaknesses in. The commercial companies are
perfectly capable of doing it intentionally and by accident. Weaknesses
were always there. In terms of understanding, while I believe the press
widely ignored these issues for much of the last 30+ years, the
information protection field has been pointing them out since the
technology was put into use.
> The concern is that even if consumer software companies like Microsoft and
> telecommunications companies like AT&T and Verizon stop cooperating with
> the N.S.A., your online security will remain compromised as long as the
> agency can still take advantage of weaknesses in the Internet itself.
As they always have and always likely will.
> Fortunately, there is something we can do: encourage the development of an
> "open hardware" movement - an extension of the open-source movement that
> has led to software products like the Mozilla browser and the Linux
> operating system.
Open software has nothing on closed software in terms of protection, In
fact, arguably, closed source has produced fewer vulnerabilities per
line of code over time than open source. I say "arguably" because, as a
field, we have few and poorly collected metrics of such things. But
those metrics seem to indicate that open source is not more secure as a
rule.
> The open-source movement champions an approach to product development in
> which there is universal access to a blueprint, as well as universal ability
> to modify and redistribute the blueprint. Wikipedia is perhaps the
> best-known example of a product inspired by the movement. Open-source
> advocates typically emphasize two kinds of freedom that their products
> afford: they are available free of charge, and they can be used and
> manipulated free of restrictions.
Open source is not the same as free, not the same as anybody can
(legally) modify it, or any such thing. It just means you can see the
"blueprint".
> But there is a third kind of freedom inherent in open-source systems: the
> freedom to audit. With open-source software, independent security experts
> can scrutinize the code for vulnerabilities - whether accidentally or
> intentionally introduced. The more auditing by the programming masses, the
> better the security. As the open-source software advocate Eric S. Raymond
> has put it, "given enough eyeballs, all bugs are shallow."
This is a fallacy. It is simply not true that more eyes makes better
security or that "all bugs are shallow" as a side effect. Experiments have
historically shown that even if we point out the location of an intentional
Trojan horse to within a few hundred lines of code, experts don;t find
it. And automated software doesn't even look for the sorts of intentional
subversion that is used in many Trojan horses.
> Perhaps the greatest open-source success story is the Internet itself - at
> least its "soft" parts. The Internet's communications protocols and the
> software that implements them are collaboratively engineered by loose
> networks of programmers working outside the control of any single person,
> company or government. The Internet Engineering Task Force, which develops
> core Internet protocols, does not even have formal membership and seeks
> contributions from developers all over the world.
And the Internet is full of holes. It is the best example of how open source
does not provide protection. And its success is largely because it (the
process) doesn't seek to provide protection. The Internet is designed for
functionality - widespread, general, rapidly deployed, easily developed,
flexible, changeable, etc. functionality. As such, it is designed to support
rapid change, not stability. It is designed to be redundant, recoverable,
etc. NOT private, unalterable, etc.
"Security" is afforded by this approach, but not secrecy, integrity, use
control, or accountability. Availability is somewhat questionable. The
security provided is the ability to change, learn, adapt, create, do your
own thing, etc.
> But the problem is that the physical layer of the Internet's infrastructure
> - the hardware that transmits, directs and relays traffic online, as well as
> its closely knit software (or "firmware") - is not open-source. It is made
> by commercial computing companies like Cisco, Hewlett-Packard and Juniper
> Networks according to proprietary designs, and then sold to governments,
> universities, private companies and anyone else who wants to set up a
> network.
Making it "open source" will not help the situation. It will likely reveal
far more vulnerabilities, but not fix them, and not reveal the tricky
ones. But it will certainly cause these companies financial problems as
their technical advantages over competitors will collapse, and their
investment in new technology be reduced, thus reducing innovation and rate
of progress.
> There is reason to be skeptical about the security of these networking
> products. The hardware firms that make them often compete for contracts
> with the United States military and presumably face considerable pressure
> to maintain good relations with the government. It stands to reason that
> such pressure might lead companies to collaborate with the government on
> surveillance-related requests.
And those made in China have Chinese Trojan horses.
> Because these hardware designs are closed to public scrutiny, it is
> relatively easy for surveillance at the Internet's infrastructural level
> to go undetected. To make the Internet less susceptible to mass
> surveillance, we need to recreate the physical layer of its infrastructure
> on the basis of open-source principles.
This won't work. It will just make it more expensive to run the government
surveillance programs, costing the taxpayers more money and forcing the NSA
back into the darker corners.
> At the moment, the open hardware movement is limited mostly to hobbyists -
> engineers who use the Internet to collaboratively build "open" devices
> like the RepRap 3D printer.
Which uses what open source processor chips? None! They all depend on
proprietary chips.
> But the Internet community, through a concerted effort like the one that
> currently sustains the Internet's software architecture, could also
> develop open-source, Internet-grade hardware. Governments like Brazil's
> that have forsworn further involvement with American Internet companies
> could adopt such nonproprietary equipment designs and have them
> manufactured locally, free from any N.S.A. interference.
As if this would free them. It won't.
> The result would be Internet infrastructure, both hardware and software,
> that was 100 percent open and auditable.
Again, a fantasy. Even if realized, it would not accomplish the stated goal.
The "open source" version of the Internet would not be an improvement. It is
already largely open source, and has all of the problems that the
Information age portends. It is an inherent property of the information age
that in order to have effective protection, we need to restrain ourselves
from doing the wrong thing in high volume and an effective government has to
restrain itself or be restrained by its people. But this is nothing
new. Perhaps we need well armed Internet militias.
Draft of the Xth amendment: A well regulated Militia, being necessary to the
security of a free State, the right of the people to keep and bear Internet
Arms, shall not be infringed.
Fred Cohen - 925-454-0171 - All.Net & Affiliated Companies
http://all.net/ PO Box 811 Pebble Beach, CA 93953
------------------------------
Date: Mon, 14 Oct 2013 07:01:57 -0700
From: Fred Cohen <fc(a)all.net>
Subject: Re: Why the NSA's attacks on the Internet must be made public
(Schneier, RISKS-27.51)
> Among IT security professionals, it has been long understood that the
> public disclosure of vulnerabilities is the only consistent way to improve
> security. That's why researchers publish information about vulnerabilities
> in computer software and operating systems, cryptographic algorithms, and
> consumer products like implantable medical devices, cars, and CCTV
> cameras.
This is a fallacy. There is no substantial science behind the asserted claim
(that disclosure improves protection) and no statistics behind the actual
claim (that IT security professionals have long understood that or even
agree to the asserted claim).
The rest of the article repeats this mistake. It asserts cause and effect
without a substantial basis.
> It's folly to believe that any NSA hacking technique will remain secret
> for very long.
Really! You may rest assured that they have plenty of methods that, while
published long ago in some form, remain largely a secret to anyone who is
affected by them. That's because, as a community, we don't bother to review
the literature before proclaiming ourselves experts. Nothing I have seen
published about what the NSA is asserted to have done is a big secret in
terms of the ability to do it. The secret (if there is one) is that they did
do it, with whom, etc. The techniques I have heard about are hardly a
secret. Bribe a company, extort a company, plant an insider, plant a Trojan,
not new, not secret methods. In terms of longevity, I would bet that there
are lots of things still secret from the 1950s, some of which died with
those who held them.
> The NSA has two conflicting missions. Its eavesdropping mission has been
> getting all the headlines, but it also has a mission to protect US
> military and critical infrastructure communications from foreign attack.
> Historically, these two missions have not come into conflict. During the
> cold war, for example, we would defend our systems and attack Soviet
> systems.
The equities issue has always been present, and the equities have
historically always favored attack over defense. The question that needs to
be addressed is how this balance should be as opposed to how it has been. My
personal view is that the defense should be favored far more than it is at
present or has been in the past, but then I am a defender.
The reason for my view? Because the US and our allies are asymmetrically
dependent on information and technology. So successful attack can hurt us a
lot more than it hurts them. Meanwhile, successful defense depends on
knowledge, skills, effort, etc. which we presumably have more of then our
enemies. So if we build strong defenses that require ongoing effort, we will
win as long as we are willing to spend the effort and they are not. Of
course if it takes too much effort, it will sap our strength... and
somewhere in there is an equation to be produced and solved.
Fred Cohen - 925-454-0171 - All.Net & Affiliated Companies
http://all.net/ PO Box 811 Pebble Beach, CA 93953
------------------------------
Date: Wed, 09 Oct 2013 20:05:33 -0700
From: Paul Saffo <psaffo(a)me.com>
Subject: Re: NSA data center 'meltdowns' force year-long delay (RISKS-27.52)
... it appears the problem isn't with the grid supplying the power, but with
the electrical system on the NSA site.
------------------------------
Date: Wed, 09 Oct 2013 21:54:01 -0700
From: Gene Wirchenko <genew(a)telus.net>
Subject: Correction re: Cyber Schools Fleece Taxpayers (RISKS-27.51)
The link for the first item ("Cyber Schools Fleece Taxpayers for Phantom
Students and Failing Grades") is actually:
http://www.prwatch.org/news/2013/10/12257/junk-bonds-junk-schools-cyber-sch…
(The item's link was missing "cyber-schools-".)
------------------------------
Date: Fri, 11 Oct 2013 01:28:48 +0000 (UTC)
From: tls(a)panix.com (Thor Lancelot Simon)
Subject: Re: Our Founding Fathers ... (Robinson, RISKS-27.51)
> A couple thousand years ago, the way you moved from Slave or peon to
> Citizen in Imperial Rome was you raised enough money to afford a sword and
> shield ...
This is empirically false, and it's a shame to see made-up "facts" given
credibility by appearing in RISKS. Without this and the several other
similar assertions of "fact" in the piece I quote above, I'm not sure there
is any support for its argument at all.
If you'd like to know how changes in status really took place in Imperial
(or pre-Imperial) Rome, I can recommend Crook, J.A., _Law and Life Of Rome_,
90 B.C. - A.D. 212 (Ithaca: Cornell, 1967).
Thor Lancelot Simon, : Public Access Networks Corp., tls(a)panix.com
------------------------------
Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request(a)csl.sri.com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you. The mailman Web interface can
be used directly to subscribe and unsubscribe:
http://lists.csl.sri.com/mailman/listinfo/risks
Alternatively, to subscribe or unsubscribe via e-mail to mailman
your FROM: address, send a message to
risks-request(a)csl.sri.com
containing only the one-word text subscribe or unsubscribe. You may
also specify a different receiving address: subscribe address= ... .
You may short-circuit that process by sending directly to either
risks-subscribe(a)csl.sri.com or risks-unsubscribe(a)csl.sri.com
depending on which action is to be taken.
Subscription and unsubscription requests require that you reply to a
confirmation message sent to the subscribing mail address. Instructions
are included in the confirmation message. Each issue of RISKS that you
receive contains information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines.
=> .UK users may contact <Lindsay.Marshall(a)newcastle.ac.uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you NEVER send mail!
=> SUBMISSIONS: to risks(a)CSL.sri.com with meaningful SUBJECT: line.
*** NOTE: Including the string "notsp" at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
or ftp://ftp.sri.com/VL/risks for previous VoLume
http://www.risks.org takes you to Lindsay Marshall's searchable archive at
newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
<http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
<http://www.csl.sri.com/illustrative.html> for browsing,
<http://www.csl.sri.com/illustrative.pdf> or .ps for printing
is no longer maintained up-to-date except for recent election problems.
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>
------------------------------
End of RISKS-FORUM Digest 27.53
************************
1
0