From njohnsn at njohnsn.com Sat Nov 1 09:03:03 2003 From: njohnsn at njohnsn.com (Neil Johnson) Date: Sat, 1 Nov 2003 11:03:03 -0600 Subject: Chaumian blinding & public voting? In-Reply-To: <8ECF8DB8-0C27-11D8-B14E-000A956B4C74@got.net> References: <8ECF8DB8-0C27-11D8-B14E-000A956B4C74@got.net> Message-ID: <200311011103.03898.njohnsn@njohnsn.com> On Friday 31 October 2003 10:55 pm, Tim May wrote: ... (Standard Tim May "Anyone who doesn't agree with me deserves to die a horrible death rant) ... > --Tim May I figured that was coming. Chuckle. -- Neil Johnson http://www.njohnsn.com PGP key available on request. From nobody at dizum.com Sat Nov 1 06:30:02 2003 From: nobody at dizum.com (Nomen Nescio) Date: Sat, 1 Nov 2003 15:30:02 +0100 (CET) Subject: anonymous weblog publishing Message-ID: <934f94571c010761c23348e5aac26a84@dizum.com> http://invisiblog.com/ Coolt Uses Mixmaster and GPG From mv at cdc.gov Sat Nov 1 15:35:56 2003 From: mv at cdc.gov (Major Variola (ret)) Date: Sat, 01 Nov 2003 15:35:56 -0800 Subject: Chaumian blinding & public voting? Message-ID: <3FA4435C.DC227C74@cdc.gov> First, much thanks to Howie Goodell for his reply. (Note that printing stuff on transparencies was proposed (by Shamir?) some time ago, perhaps for quorum-required info.) At 09:17 PM 10/31/03 -0600, Neil Johnson wrote: >On Friday 31 October 2003 12:10 pm, Major Variola (ret) wrote: >> Is is possible to use blinding (or other protocols) so that all votes >> are published, you can check that your vote is in there, and you >> (or anyone) can run the maths and verify the vote? Without being >> able to link people to votes without their consent. >> > >Doing this would allow vote buyers to verify a voter voted the way they >wanted. Yeah, so? I've voted from home for a decade. Nothing stops me from showing Vinny (Vinny the votebuyer, he's Eve's cousin on Mallory's side) my ballot before I mail it. Or registering my cat to vote. They are illegal, and detectable, that suffices. [Note to furriners: in the US you don't need "ID" to register or to vote, just a signature, and for that an X suffices.] Although I *do* agree with you --resistance to votebuying is a desirable feature if you can have it. (Insert cellphone-with-camera-in-voting-booth discussion here.) (And yes, voting at home is succeptible to spousal coercion. Better than queueing up with the sheeple! Which is also a form of *meteorological* coercion, folks don't go out in crappy weather. Also snipers and bombs, in places with that kind of weather, will deter centralized voting.) >One option might be to give the voter a MAC of their ballot and then print the >MAC's in the paper. The voter could check to see if their vote had been >altered. That's a good idea. I don't think Chaum's transparency-printing scheme does this. Its also possible to write-in candidates for elections you don't care about as "tracers" to make sure your ballot (albeit not other votes in the same bundle) made it. I voted for Monica Lewinsky a few times that way. >I still think far better methods for improving voter turn out other than >Internet voting are: >1. A National Election Holiday (but in the middle of the work week so people >can't use it to extend a vacation). Too expensive. >2. Couple the Election with a National Lottery with local, state, and national >prizes. With appropriate delink of voter's identity from the way they voted >of course. Well, lotteries are evil in my book, but they certainly do inspire the innumerate sheeple. I doubt it would work unless the "prizes" were huge --I only get DoS'ed by queues at 7-11s when the prizes orders of magnitude larger than 1e6. >(I'm not claiming that this would actually improve things overall, just >increase voter turnout). Have a hollywood actor run. Or have recalls every year. Worked in Calif! On the other hand, perhaps it should be made harder to vote. Democracy is mob rule, after all. Testing citizens on the Bill of Rights would be a good start. From measl at mfn.org Sat Nov 1 16:11:15 2003 From: measl at mfn.org (J.A. Terranson) Date: Sat, 1 Nov 2003 18:11:15 -0600 (CST) Subject: FLASH: DHS wants info on store refunds? Message-ID: Ahhh, the joys of shopping for new toys. A new sling. A scope mount and 4x. Music to the ears (after mufflers are properly applied :-). Here in the heart of Redneck Country, there are two stores with a decent selection that are under an hours drive: Dunn's and Galyans (a chain). Galyans is closer, so off I went. I made several purchases, including three different scope mounts, as I was uncertain as to the proper form in use - figuring that bringing back the two wrong choices would not be a big deal. I even checked at the counter - "Sure. No problem. Just bring your receipt.". Well, when I brought back the returns, they wanted a drivers license. Odd, considering it was a cash sale and I was holding the receipt. "It's required by the Homeland Security Department" says the kid behind the register. Sorry. I need ID, and I have to enter it into the computer and forward it to the Homeland Security Office. The Terrorists are using this kind of thing to wash money." I must have looked pretty stupid with my jaw hanging down like that. I made a scene of course. A *big* scene. Lots of loud argument, pointing out all the obvious things: as a cash sale, the money did not need "washing". Cash sales are inherently ID agnostic. Etc., etc., etc. No dice. They want ID, and they are not going to budge. I guess Galyans is off my list of acceptable stores :-( Pity, as I've spent almost a grand there since they opened just a few months ago, and had plans to sped a *lot* more. Next time, I'll have to make that extra 25 minute drive to Dunn's and pray they have what I want. I suppose I shouldn't be surprised - we all *knew* this day was coming - but I really thought it wouldn't happen until RFIDs were in the money... Gotta find a new country. Fast... -- Yours, J.A. Terranson sysadmin at mfn.org "Every living thing dies alone." Donnie Darko From Freematt357 at aol.com Sat Nov 1 16:33:10 2003 From: Freematt357 at aol.com (Freematt357 at aol.com) Date: Sat, 1 Nov 2003 19:33:10 EST Subject: Jim Bovard on C-SPAN, Sunday 11/02 8-9pm Booknotes, Terrorism and Tyranny Message-ID: <119.2afa4674.2cd5aac6@aol.com> Author James Bovard will appear on C-SPAN 's Booknotes with Brian Lamb this Sunday, 11/02, from 8 pm to 9 pm (I believe it may re-air from 11 pm to midnight). Bovard will be discussing his new book "Terrorism and Tyranny: Trampling Freedom, Justice, and Peace to Rid the World of Evil". I've read the book and recommend it highly. For program notes go to: http://www.booknotes.org/Program/?ProgramID=1752 For additional information on the works of James Bovard please go to: http://www.jimbovard.com bfrom the publisher's website "The war on terrorism is the first political growth industry of the new Millennium." So begins Jim Bovard's newest and, in some ways, most provocative book as he casts yet another jaundiced eye on Washington and the motives behind protecting "the homeland" and prosecuting a wildly unpopular war with Iraq. For James Bovard, as always, it all comes down to a trampling of personal liberty and an end to privacy as we know it. From airport security follies that protect no one to increased surveillance of individuals and skyrocketing numbers of detainees, the war on terrorism is taking a toll on individual liberty and no one tells the whole grisly story better than Bovard. Regards, Freematt- From sfurlong at acmenet.net Sat Nov 1 17:23:17 2003 From: sfurlong at acmenet.net (Steve Furlong) Date: 01 Nov 2003 20:23:17 -0500 Subject: Chaumian blinding & public voting? In-Reply-To: <8ECF8DB8-0C27-11D8-B14E-000A956B4C74@got.net> References: <8ECF8DB8-0C27-11D8-B14E-000A956B4C74@got.net> Message-ID: <1067736196.2629.11.camel@localhost.localdomain> On Fri, 2003-10-31 at 23:55, Tim May wrote: > Increasing voter turnout is, of course, a Bad Thing. For the reasons we > discuss so often. Agreed. To the extent that I want a government at all, I support a constitutional republic, not a democracy. Legions of bleary-eyed, TV-addled, bigoted jackasses are not needed for determining the will of the people. For that matter, I'd just as soon go a few steps closer to the US's original franchise: leaving out the sex- and race-based qualifications, you have to be an established citizen with some assets. This method of setting the franchise would curb the excesses of the bread and circuses crowd, and it would have the added benefit of pissing off the activists and the populists. ... > the list of 25 million in these united states who need to be sent up > the chimneys? Only 25 million? Gotta disagree with you there, Tim. I'm with Sturgeon on this: 90% of everything is crud. The correct statement is, 25 million should be spared. From mv at cdc.gov Sun Nov 2 01:47:47 2003 From: mv at cdc.gov (Major Variola (ret)) Date: Sun, 02 Nov 2003 01:47:47 -0800 Subject: Spelling corrections are now export-controlled Message-ID: <3FA4D2C3.F82B9A48@cdc.gov> At 04:05 PM 11/2/03 +1300, Peter Gutmann wrote: >Still... it occurs to me that the State >department is setting itself up for a DOS attack -- what would happen if 10% >of all US academics were to apply for one of these licenses? It would facilitate the blacklisting and later roundup. And hmm, where do academics get their $ from? Any questions? Imagine McCarthy with computers. McCarthy on a paranoid speed binge, with computers. Or don't imagine, just visit DC. Hmm, if it didn't cause problems for the list maintainers I'd post some technical queries from a spoofed address from an axis of whatever nation. Then again, maybe I'm from an axis country spoofing the US, and you're all as fucked as a Chinook with a SAM locking onto its tail :-) ---- Of course there are limits in regards to freedom of speech. They are as follows: "Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances." Everything else is, of course, allowed. -Sunder From jamesd at echeque.com Sun Nov 2 08:16:45 2003 From: jamesd at echeque.com (James A. Donald) Date: Sun, 02 Nov 2003 08:16:45 -0800 Subject: ECC and blinding. Message-ID: <4cbaqv8ka0jer4l8934tfjbncu4kjicim4@4ax.com> -- James A. Donald: > > Simple Chaumian blinding works fine on EC. On 31 Oct 2003 at 15:26, Adam Back wrote: > So Chaumian blinding with public exponent e, private exponent d, and > modulus n is this and blinding factor b chosen by the client: > > blind: > b^e.m mod n -> > sign: > <- (b^e.m)^d mod n > = b.m^d mod n (simplifying) > > and divide by b to unblind: > m^d mod n > > how are you going to do this over EC? You need an RSA like e and d to > cancel. See:"Anonymous Electronic Cash" http://www.echeque.com/Kong/anon_transfer.htm Lower case letters represent integers, capital letters elliptic curve points. Let k be the banks secret key. The bank promises to pay a specific sum of money for any secret of the form ( x, P), such that P = k * H(x) where H is a hash function mapping random integers onto points on an elliptic curve and k is a secret known only to the token issuer Bob has an existing old used token of this form, and therefore knows that V= k * U even though he does not know k. Bob invents the random numbers t and q, constructs an elliptic point R = t *U + Hash( q ) and pays the bank to construct T= k * R He then calculates Q = T- t * V He now has a new token ( q , Q) of the required form, even though the Bank did not generate Q, has never seen it before, and when it sees it will not recognize it as having any relationship to T or R. --digsig James A. Donald 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG ONKujWd8zHpibnZny18642N1+yn2u22b10pYMq9S 4JTKi/HgEDA3K9dghxgfMcU8LPnOgG8ibhebtAfJR From adam at cypherspace.org Sun Nov 2 09:26:56 2003 From: adam at cypherspace.org (Adam Back) Date: Sun, 2 Nov 2003 09:26:56 -0800 Subject: ECC and blinding. In-Reply-To: <4cbaqv8ka0jer4l8934tfjbncu4kjicim4@4ax.com> References: <4cbaqv8ka0jer4l8934tfjbncu4kjicim4@4ax.com> Message-ID: <20031102172656.GA18017@dual.cypherspace.org> Fair enough. But this is not Chaum's scheme, it is Wagners and it is DH based (or ECDH based in your writeup). You said earlier: > Simple Chaumian blinding works fine on EC. and the above scheme is not Chaumian blinding. Chaum never invented DH blinding, if you read Brands thesis even you'll see that Chaum (who was Brands PhD supervisor for some of the time) told Brands to forget about trying to do DH based blinding because it's not possible. Brands credits Chaum for setting the challenge :-) which led him to find ways to do DH based blinding. (And the private key certificate which is a generalisation of DH blinding to multiple attributes and selective disclosure of those attributes). Adam On Sun, Nov 02, 2003 at 08:16:45AM -0800, James A. Donald wrote: > See:"Anonymous Electronic Cash" > http://www.echeque.com/Kong/anon_transfer.htm > > Lower case letters represent integers, capital letters elliptic > curve points. > > Let k be the banks secret key. > > The bank promises to pay a specific sum of money for any secret > of the form ( x, P), such that P = k * H(x) where H is a hash > function mapping random integers onto points on an elliptic > curve and k is a secret known only to the token issuer > > Bob has an existing old used token of this form, and therefore > knows that V= k * U even though he does not know k. > > Bob invents the random numbers t and q, constructs an elliptic > point R = t *U + Hash( q ) and pays the bank to construct T= k > * R > > He then calculates Q = T- t * V > > He now has a new token ( q , Q) of the required form, even > though the Bank did not generate Q, has never seen it before, > and when it sees it will not recognize it as having any > relationship to T or R. > > --digsig > James A. Donald > 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG > ONKujWd8zHpibnZny18642N1+yn2u22b10pYMq9S > 4JTKi/HgEDA3K9dghxgfMcU8LPnOgG8ibhebtAfJR From s.schear at comcast.net Sun Nov 2 11:12:47 2003 From: s.schear at comcast.net (Steve Schear) Date: Sun, 02 Nov 2003 11:12:47 -0800 Subject: Spelling corrections are now export-controlled In-Reply-To: <3FA4D2C3.F82B9A48@cdc.gov> Message-ID: <5.2.1.1.0.20031102110827.05423f58@mail.comcast.net> At 01:47 AM 11/2/2003 -0800, Major Variola (ret) wrote: >Of course there are limits in regards to freedom of speech. They are as > >follows: >"Congress shall make no law respecting an establishment of religion, or >prohibiting the free exercise thereof; or abridging the freedom of >speech, >or of the press; or the right of the people peaceably to assemble, and >to >petition the Government for a redress of grievances." >Everything else is, of course, allowed. -Sunder So, for those of us who worship science it looks like we're home free. It seems that such a religious bent isn't too far out. Both the recognized religions and scince fall within the academic category of philosophy. Both attempt to explain the nature of the world around us. Has there ever been a 'formal' attempt to legitimize science as a religion? steve From mv at cdc.gov Sun Nov 2 12:06:41 2003 From: mv at cdc.gov (Major Variola (ret)) Date: Sun, 02 Nov 2003 12:06:41 -0800 Subject: Spelling corrections are now export-controlled Message-ID: <3FA563D1.861AF9E0@cdc.gov> At 11:12 AM 11/2/03 -0800, Steve Schear wrote: >At 01:47 AM 11/2/2003 -0800, Major Variola (ret) wrote: >>"Congress shall make no law respecting an establishment of religion, or >>prohibiting the free exercise thereof; or abridging the freedom of >>speech, >>or of the press; or the right of the people peaceably to assemble, and >>to >>petition the Government for a redress of grievances." >>Everything else is, of course, allowed. -Sunder > >So, for those of us who worship science it looks like we're home free. It >seems that such a religious bent isn't too far out. Both the recognized >religions and scince fall within the academic category of philosophy. Both >attempt to explain the nature of the world around us. Has there ever been >a 'formal' attempt to legitimize science as a religion? 1. You might try "empirical gnostic" when dealing with lawyer types. 2. There's also the Church of Strong Cryptography. Its kind of uptight though, it has sins, even mental sins, like considering arithmetical methods of producing random digits. 3. Always remember that the 14th restricts not only Congress but State and local vermin. And everything they give money to. From trevp at trevp.net Sun Nov 2 12:07:41 2003 From: trevp at trevp.net (Trevor Perrin) Date: Sun, 02 Nov 2003 12:07:41 -0800 Subject: cryptoIDs Message-ID: <5.2.0.9.0.20031102120245.02f3a138@pop.sbcglobal.yahoo.com> Hi cypherpunks, First-time poster. I've lurked awhile. I'm working on a system for key infrastructure, and I'd like to invite criticism, comments, help, etc., from anyone interested. You can find the paper and code here: http://trevp.net#cryptoID Here's a summary - The system is based on a critique of X.509-style PKI. The critique is this: Any key infrastructure has to handle the twin tasks of: - Public-key distribution (Bob finding Alice's public-key) - Private-key management (Alice keeping her private-key(s) secure yet accessible) PKI handles the former through certificates, and the latter through certificate revocation. These force a tight coupling between subjects (e.g. Alice) and CAs - subjects must contact CAs to get their certificates, and also to revoke keys and renew certificates. Since the function of Trusted-Third-Parties (e.g. CAs) is to provide information to *relying parties* (e.g. Bob), I argue that this coupling of *subjects* with TTPs is inappropriate for a decentralized environment like the Internet. In such an environment, different relying parties will trust different TTPs. For the subject to procure certificates that would satisfy all these RPs, he'd have to predict the future to know which RPs will contact him, read the minds of these future RPs to know what they care about, and then contact the hundreds of TTPs these different RPs trust to procure relevant certificates. It would be better to decouple subjects from TTPs, so that subjects could perform private-key management without the involvement of TTPs, and so that TTPs could perform key distribution without the involvement of subjects. The key to this separation of tasks is to use fingerprints as the interface between the "private" and "public" domains: the subject will use private-key management to perpetuate a long-lived public-key. The fingerprint of this key will be the subject's "cryptographic identifier" - it will be passed around by TTPs and RPs to "speak about" the subject. Now, private-key management and public-key distribution can proceed independently. For private-key management, the subject will most likely keep his long-lived "root key" in a safe place, and use it only occasionally to certify "subkeys". The subject may also do things such as splitting the root key into shares, using proactive and/or threshold signing schemes, using "threshold subjects" a la SPKI, using multiple layers of subkeys as "intermediate CAs", using revocation/revalidation to quickly disable compromised subkeys, or even just giving his root key to someone he trusts who has better security, and more competence with these techniques, than himself. For public-key distribution, online trusted directories (such as DNS, LDAP, XKMS, etc.) should replace CAs. Users would have address books containing trusted fingerprints, which they populate manually or by querying directories. In sum, the argument is that fingerprints are better than certificates for key distribution, but that fingerprint key distribution is most effective when supported by cert-based private-key management, to secure the long life of the fingerprints. This is similar to PGP (without the Web of Trust) - PGP uses fingerprints to authenticate distributed keys, and has subkeys that can be used for private-key management. However, if you take this approach seriously, PGP's fingerprints and subkeys aren't good enough. PGP fingerprints are too long, and PGP subkeys don't support important techniques like revalidation, threshold subjects, or multiple layers of subkeys. So the paper presents "cryptoIDs", which are 20-character-long fingerprints; and cryptoID certificates, which are a certificate format designed solely for private-key management. Anyways, I'm interested to hear what anyone thinks. Thanks, Trevor From pgut001 at cs.auckland.ac.nz Sat Nov 1 19:05:37 2003 From: pgut001 at cs.auckland.ac.nz (Peter Gutmann) Date: Sun, 2 Nov 2003 16:05:37 +1300 Subject: Spelling corrections are now export-controlled Message-ID: <200311020305.hA235b706193@cs.auckland.ac.nz> Looks like the USG is going to outdo its ITAR silliness of a few years ago with something even more ridiculous: Grammar and spelling corrections now require an export license. The following was forwarded to me by Clark Thomborson: -- Snip -- Dear colleagues, If I'm reading http://chronicle.com/free/2003/10/2003100201n.htm correctly, any US citizen must get a license (from the US State department) before providing editorial services to any citizen or resident of any country embargoed by the US. ... The Treasury Department's response on Wednesday, in a letter to the IEEE, affirmed its position that editing scholarly papers provides a service to authors. "U.S. persons may not provide the Iranian author substantive or artistic alterations or enhancement of the manuscript, and IEEE may not facilitate the provision of such alterations or enhancements," wrote R. Richard Newcomb, director of the Office of Foreign Assets Control. Trade policy prohibits "the reordering of paragraphs or sentences, correction of syntax, grammar, and replacement of inappropriate words by U.S. persons," according to the letter. The institute may apply for a license to edit papers, Mr. Newcomb wrote. ... I guess this embargo would apply to professors as well as to editors of technical journals headquartered in the US, although I'm not keen to ask the State department for a ruling on this! Apparently this embargo on editorial services applies to Iran, Cuba, Iraq, Libya, and Sudan. I guess I must check http://www.ustreas.gov/offices/eotffc/ofac/sanctions/index.html frequently, if I wanted to be a really obedient US citizen. Wow. I have to laugh, but of course it's not really funny unless you look for the humourous side. For example I have tried to infer the public-policy objectives that might be (in some bureaucrat's mind) served by this regulatory decision. Perhaps one of the objectives is to make it easier to recognise terrorists -- some terrorists will have bad grammar when they speak English, and no US citizen will dare to help them improve it! (This could be good new for the Kiwi English-education industry I guess, but if NZ did this in a big way there might be diplomatic repercussions or even trade sanctions.) Of course there'll be a lot of "false positives" in any terrorist recognition- by-grammar scheme but hey, it's apparently good public policy (from the perspective of the US Congress) to hassle (or maim, kill, or whatever seems appropriate at the time) a large number of non-US citizens if this might save a few US lives? Anyway I don't have to worry about being falsely recognised as a terrorist becuz my grammer and speling is alwys good. I don't think I'll bother to apply for a license to supply editorial services to citizens of embargoed countries. Still... it occurs to me that the State department is setting itself up for a DOS attack -- what would happen if 10% of all US academics were to apply for one of these licenses? Clark From cpunk at lne.com Sun Nov 2 20:00:01 2003 From: cpunk at lne.com (cpunk at lne.com) Date: Sun, 2 Nov 2003 20:00:01 -0800 Subject: Cypherpunks List Info Message-ID: <200311030400.hA3401ce029904@slack.lne.com> Cypherpunks Mailing List Information Last updated: Oct 13, 2003 This message is also available at http://www.lne.com/cpunk Instructions on unsubscribing from the list can be found below. 0. Introduction The Cypherpunks mailing list is a mailing list for discussing cryptography and its effect on society. It is not a moderated list (but see exceptions below) and the list operators are not responsible for the list content. Cypherpunks is a distributed mailing list. A subscriber can subscribe to one node of the list and thereby participate on the full list. Each node (called a "Cypherpunks Distributed Remailer", although they are not related to anonymous remailers) exchanges messages with the other nodes in addition to sending messages to its subscribers. A message posted to one node will be received by the list subscribers on the other nodes, and vice-versa. 1. Filtering The various CDRs follow different policies on filtering spam and to a lesser extent on modifying messages that go to/from their subscribers. Filtering is done, on nodes that do it, to reduce the huge amount of spam that the cypherpunks list is subjected to. There are three basic flavors of filtering CDRs: "raw", which send all messages to their subscribers. "cooked" CDRs try to eliminate the spam on that's on the regular list by automatically sending only messages that are from cypherpunks list subscribers (on any CDR) or people who are replying to list messages. Finally there are moderated lists, where a human moderator decides which messages from the raw list to pass on to subscribers. 2. Message Modification Message modification policy indicates what modifications, if any, beyond what is needed to operate the CDR are done (most CDRs add a tracking X-loop header on mail posted to their subscribers to prevent mail loops). Message modification usually happens on mail going in or out to each CDR's subscribers. CDRs should not modify mail that they pass from one CDR to the next, but some of them do, and others undo those modifications. 3. Privacy Privacy policy indicates if the list will allow anyone ("open"), or only list members, or no one ("private") , to retrieve the subscribers list. Note that if you post, being on a "private" list doesn't mean much, since your address is now out there. It's really only useful for keeping spammers from harvesting addresses from the list software. Digest mode indicates that the CDR supports digest mode, which is where the posts are batched up into a few large emails. Nodes that support only digest mode are noted. 4. Anonymous posting Cypherpunks encourages anonymous posting. You can use an anonymous remailer: http://www.andrebacard.com/remail.html http://anon.efga.org/Remailers http://www.gilc.org/speech/anonymous/remailer.html 5. Unsubscribing Unsubscribing from the cypherpunks list: Since the list is run from a number of different CDRs, you have to figure out which CDR you are subscribed to. If you don't remember and can't figure it out from the mail headers (hint: the top Received: line should tell you), the easiest way to unsubscribe is to send unsubscribe messages to all the CDRs listed below. How to figure out which CDR you are subscribed to: Get your mail client to show all the headers (Microsoft calls this "internet headers"). Look for the Sender or X-loop headers. The Sender will say something like "Sender: owner-cypherpunks at lne.com". The X-loop line will say something like "X-Loop: cypherpunks at lne.com". Both of these inticate that you are subscribed to the lne.com CDR. If you were subscribed to the algebra CDR, they would have algebra.com in them. Once you have figured out which CDR you're subscribed to, look in the table below to find that CDRs unsubscribe instructions. 6. Lunatics, spammers and nut-cases "I'm subscribed to a filtering CDR yet I still see lots of junk postings". At this writing there are a few sociopaths on the cypherpunks list who are abusing the lists openness by dumping reams of propaganda on the list. The distinction between a spammer and a subscriber is nearly always very clear, but the dictinction between a subscriber who is abusing the list by posting reams of propaganda and a subscriber who is making lots of controversial posts is not clear. Therefore, we tolerate the crap. Subscribers with a low crap tolerance should check out mail filters. Procmail is a good one, although it works on Unix and Unix-like systems only. Eudora also has a capacity for filtering mail, as do many other mail readers. An example procmail recipie is below, you will of course want to make your own decisions on which (ab)users to filter. # mailing lists: # filter all cypherpunks mail into its own cypherspool folder, discarding # mail from loons. All CDRs set their From: line to 'owner-cypherpunks'. # /dev/null is unix for the trash can. :0 * ^From.*owner-cypherpunks at .* { :0: * (^From:.*ravage at ssz\.com.*|\ ^From:.*jchoate at dev.tivoli.com.*|\ ^From:.*mattd at useoz.com|\ ^From:.*proffr11 at bigpond.com|\ ^From:.*jei at cc.hut.fi) /dev/null :0: cypherspool } 7. List of current CDRs All commands are sent in the body of mail unless otherwise noted. --------------------------------------------------------------------------- Algebra: Operator: Subscription: "subscribe cypherpunks" to majordomo at algebra.com Unsubscription: "unsubscribe cypherpunks" to majordomo at algebra.com Help: "help cypherpunks" to majordomo at algebra.com Posting address: cypherpunks at algebra.com Filtering policy: raw Message Modification policy: no modification Privacy policy: ??? Info: ??? --------------------------------------------------------------------------- CCC: Operator: drt at un.bewaff.net Subscription: "subscribe [password of your choice]" to cypherpunks-request at koeln.ccc.de Unsubscription: "unsubscribe " to cypherpunks-request at koeln.ccc.de Help: "help" to to cypherpunks-request at koeln.ccc.de Web site: http://koeln.ccc.de/mailman/listinfo/cypherpunks Posting address: cypherpunks at koeln.ccc.de Filtering policy: This specific node drops messages bigger than 32k and every message with more than 17 recipients or just a line containing "subscribe" or "unsubscribe" in the subject. Digest mode: this node is digest-only NNTP: news://koeln.ccc.de/cbone.ml.cypherpunks Message Modification policy: no modification Privacy policy: ??? --------------------------------------------------------------------------- Infonex: Subscription: "subscribe cypherpunks" to majordomo at infonex.com Unsubscription: "unsubscribe cypherpunks" to majordomo at infonex.com Help: "help cypherpunks" to majordomo at infonex.com Posting address: cypherpunks at infonex.com Filtering policy: raw Message Modification policy: no modification Privacy policy: ??? --------------------------------------------------------------------------- Lne: Subscription: "subscribe cypherpunks" to majordomo at lne.com Unsubscription: "unsubscribe cypherpunks" to majordomo at lne.com Help: "help cypherpunks" to majordomo at lne.com Posting address: cypherpunks at lne.com Filtering policy: cooked Posts from all CDR subscribers & replies to threads go to lne CDR subscribers. All posts from other CDRs are forwarded to other CDRs unmodified. Message Modification policy: 1. messages are demimed (MIME attachments removed) when posted through lne or received by lne CDR subscribers 2. leading "CDR:" in subject line removed 3. "Reply-to:" removed Privacy policy: private Info: http://www.lne.com/cpunk; "info cypherpunks" to majordomo at lne.com Archive: http://archives.abditum.com/cypherpunks/index.html (thanks to Steve Furlong and Len Sassaman) --------------------------------------------------------------------------- Minder: Subscription: "subscribe cypherpunks" to majordomo at minder.net Unsubscription: "unsubscribe cypherpunks" to majordomo at minder.net Help: "help" to majordomo at minder.net Posting address: cypherpunks at minder.net Filtering policy: raw Message Modification policy: no modification Privacy policy: private Info: send mail to cypherpunks-info at minder.net --------------------------------------------------------------------------- Openpgp: [openpgp seems to have dropped off the end of the world-- it doesn't return anything from sending help queries. Ericm, 8/7/01] Subscription: "subscribe cypherpunks" to listproc at openpgp.net Unsubscription: "unsubscribe cypherpunks" to listproc at openpgp.net Help: "help" to listproc at openpgp.net Posting address: cypherpunks at openpgp.net Filtering policy: raw Message Modification policy: no modification Privacy policy: ??? --------------------------------------------------------------------------- Sunder: Subscription: "subscribe" to sunder at sunder.net Unsubscription: "unsubscribe" to sunder at sunder.net Help: "help" to sunder at sunder.net Posting address: sunder at sunder.net Filtering policy: moderated Message Modification policy: ??? Privacy policy: ??? Info: ??? --------------------------------------------------------------------------- Pro-ns: Subscription: "subscribe cypherpunks" to majordomo at pro-ns.net Unsubscription: "unsubscribe cypherpunks" to majordomo at pro-ns.net Help: "help cypherpunks" to majordomo at pro-ns.net Posting address: cypherpunks at pro-ns.net Filtering policy: cooked Posts from all CDR subscribers & replies to threads go to local CDR subscribers. All posts from other CDRs are forwarded to other CDRs unmodified. Message Modification policy: 1. leading "CDR:" in subject line removed 2. "Reply-to:" removed Privacy policy: private Info: http://www.pro-ns.net/cpunk From roy at rant-central.com Mon Nov 3 04:22:27 2003 From: roy at rant-central.com (Roy M. Silvernail) Date: Mon, 3 Nov 2003 07:22:27 -0500 Subject: Freenet and DHCP Message-ID: <200311030722.27428.roy@rant-central.com> In looking over the Freenet FAQ (specifically the Firewall/NAT stuff), it looks like a static public IP address is assumed/needed. My DSL connection is DHCP, so my visible IP changes periodically. Even more fun, the visible IP isn't visible from my side. (I get a 10.x.x.x address from my DSL modem) I can do some sneaky stuff to recover the visible IP, but can Freenet work under these conditions? From timcmay at got.net Mon Nov 3 09:38:34 2003 From: timcmay at got.net (Tim May) Date: Mon, 3 Nov 2003 09:38:34 -0800 Subject: Chaumian blinding & public voting? In-Reply-To: <3FA63188.9080005@students.bbk.ac.uk> Message-ID: <8C2F0E18-0E24-11D8-9473-000A956B4C74@got.net> On Monday, November 3, 2003, at 02:44 AM, ken wrote: > Major Variola (ret) wrote: > >> Currently voting is trusted because political adversaries supervise >> the >> process. >> Previously the mechanics were, well, mechanical, ie, open for >> inspection. > > That really is worth saying more often. > > If we here can't agree on how to make machine voting both robust and > private, then EVEN IF A PERFECT SYSTEM COULD BE DESIGNED it is > extremely unlikely that a large number of people could be persuaded > that it /was/ perfect. There are already people who are confused by, and in some cases afraid of, computer touch screen voting. Some of these people are the ones who refuse to use automated teller machines and insist on deal with real bank tellers. Some of them think the government is watching. Some of them are just weird. Trying to educate these people about Chaumian blinding is pointless. (And don't count on the younger generation...they are often less-educated than their parents and grandparents, and in the ghettoes, than their 60-year-old great grandparents.) I can see the PR campaign on WWF wrestling: "Using a combination of Diffie-Hellman and holographic mark inspection, Alice is assured that Vinnie the Votebuyer cannot interfere, by means of a standard ANDO protocol..." Those who propose sophisticated voting systems are sentenced to reread Clarke's "Superiority." --Tim May "Stupidity is not a sin, the victim can't help being stupid. But stupidity is the only universal crime; the sentence is death, there is no appeal, and execution is carried out automatically and without pity." --Robert A. Heinlein From timcmay at got.net Mon Nov 3 09:53:20 2003 From: timcmay at got.net (Tim May) Date: Mon, 3 Nov 2003 09:53:20 -0800 Subject: Chaumian blinding & public voting? In-Reply-To: <3FA63188.9080005@students.bbk.ac.uk> Message-ID: <9C96E314-0E26-11D8-9473-000A956B4C74@got.net> On Monday, November 3, 2003, at 02:44 AM, ken wrote: > If we here can't agree on how to make machine voting both robust and > private, then EVEN IF A PERFECT SYSTEM COULD BE DESIGNED it is > extremely unlikely that a large number of people could be persuaded > that it /was/ perfect. > > So if public confidence in the mechanisms of voting is considered > desirable, no electronic or digital system is viable. > > > You can run an algorithm on any subset of codes, including just > > your own, > [...] > > you already lost 94% of the electorate. They are saying "huh?" and > going back to whatever they were doing before the election rudely > interrupted them. > I should have mentioned in my last response that there have already been cases where the "electronic vote results" were accidentally posted before the election polls had closed. This did wonders for belief in the system. One of the reported cases was somewhat understandable, not that this affected overall suspicion of the system: some or most of the absentee ballots had already been counted and recorded into the electronic system. They were of course not supposed to be agglomerated with the other electronic vote totals until after the polls closed. Someone made a typical computer error and the partial totals were released ahead of the polls closing. Apparently some number of voters planning to vote thought the election was over and didn't vote. Now with conventional, slow, paper-based systems of the sort we mostly still use in the U.S., there are various "ontological safeguards," or "speed bumps," which make this kind of "computer error" less of an issue. Any computerized system is likely to have glitches like the above, each of which will cause some fraction of the electorate to think things are rigged. As they probably will be. (By the way, there are some possible crypto fixes, such as "timed-release crypto." A beacon could broadcast an unlocking key at some time well after the polls had closed, simultaneously unlocking the many sealed ballot messages. Of course, Joe Sixpack will not understand or trust this kind of complexity, either.) SSL works because it is transparent (hidden from) to the user. Likewise, the crypto used in lottery tickets (e.g., the Scientific Games model) is transparent to the user and he doesn't have to pore over crypto explanations before buying a ticket. (I bought _one_ lottery ticket, for $1, just to see how the numbers were done. Lotteries are of course a tax on the gullible and stupid.) I see less chance that a crypto-based electronic voting system will be adopted in the U.S. than that Robin Hanson's and John Poindexter's "let CIA gamble on who gets assassinated" betting pool will rise from the dead. --Tim May From bbrow07 at students.bbk.ac.uk Mon Nov 3 02:44:24 2003 From: bbrow07 at students.bbk.ac.uk (ken) Date: Mon, 03 Nov 2003 10:44:24 +0000 Subject: Chaumian blinding & public voting? References: <3FA2A58B.67C48379@cdc.gov> Message-ID: <3FA63188.9080005@students.bbk.ac.uk> Major Variola (ret) wrote: > Currently voting is trusted because political adversaries supervise the > process. > Previously the mechanics were, well, mechanical, ie, open for > inspection. That really is worth saying more often. If we here can't agree on how to make machine voting both robust and private, then EVEN IF A PERFECT SYSTEM COULD BE DESIGNED it is extremely unlikely that a large number of people could be persuaded that it /was/ perfect. So if public confidence in the mechanisms of voting is considered desirable, no electronic or digital system is viable. > You can run an algorithm on any subset of codes, including just > your own, [...] you already lost 94% of the electorate. They are saying "huh?" and going back to whatever they were doing before the election rudely interrupted them. Current electoral systems work - where they do - because the officials keep their hands above the table, and because members of opposing political parties co-operate in snooping on each other, because it is in their interest to do so. This adversarial system not only works (sort of, most of the time, in jurisdictions where the local law enforcement isn't entirely in the hands of one sector of society) but it can be made to appear to work (well enough to satisfy that minority of voters who seem to care) And leaving aside the ritual invokation of gas ovens and 747s, this nasty socialist agrees with the burden of Tim's rant - if people don't want to vote what business is it of government to force them to vote? If someone doesn't want to vote, that's their choice, and a tiny increment to the tiny portion of influence possessed by those of us who do vote. So no skin of our noses. If all of you zombies give up voting than the rest of us get to choose the government, for what its worth. As for lotteries - you want to encourage stupid people to vote? Public holidays for voting are as bad - they are likely to lead fewer people to vote of course - just as in every other public holiday those who get off work will head for the hills or the beaches or the bars or the sports stadiums (and why not if they want to?) and those who have to work anyway will be even busier than normal. It is enough if registration is simple and open, if there are sanctions against employers/landlords/unions/political parties/thugs in general preventing people voting, and if there is a postal vote scheme for people who really can't make it on the day. Most countries don't even have all that yet (big chunks of the USA didn't not that long ago), why complicate things unnecessarily? Ken Brown (resident evil lefty) From s.schear at comcast.net Mon Nov 3 10:53:40 2003 From: s.schear at comcast.net (Steve Schear) Date: Mon, 03 Nov 2003 10:53:40 -0800 Subject: FLASH: DHS wants info on store refunds? In-Reply-To: Message-ID: <5.2.1.1.0.20031103105203.053e1fa8@mail.comcast.net> At 06:11 PM 11/1/2003 -0600, J.A. Terranson wrote: >Well, when I brought back the returns, they wanted a drivers license. Odd, >considering it was a cash sale and I was holding the receipt. > >"It's required by the Homeland Security Department" says the kid behind the >register. Sorry. I need ID, and I have to enter it into the computer and >forward it to the Homeland Security Office. The Terrorists are using this >kind of thing to wash money." > >I must have looked pretty stupid with my jaw hanging down like that. > >I made a scene of course. A *big* scene. Lots of loud argument, pointing >out all the obvious things: as a cash sale, the money did not need >"washing". Cash sales are inherently ID agnostic. Etc., etc., etc. > >No dice. > >They want ID, and they are not going to budge. Was this information prominently displayed either behind the register or on the sales receipt prior to purchase? Most state laws require this. steve From ptrei at rsasecurity.com Mon Nov 3 08:15:13 2003 From: ptrei at rsasecurity.com (Trei, Peter) Date: Mon, 3 Nov 2003 11:15:13 -0500 Subject: FLASH: DHS wants info on store refunds? Message-ID: > J.A. Terranson[SMTP:measl at mfn.org] > > Well, when I brought back the returns, they wanted a drivers license. > Odd, > considering it was a cash sale and I was holding the receipt. > > "It's required by the Homeland Security Department" says the kid behind > the > register. Sorry. I need ID, and I have to enter it into the computer and > forward it to the Homeland Security Office. The Terrorists are using this > kind of thing to wash money." > I strongly suspect that this is not DHS policy - it would have to apply to *every* cash refund, regardless as to whether the underlying purchase was weapon related or not. We'd have heard a lot more about it if this were the case. For more gubmint nonsense on things that go bang, take at look at: http://www.premierreticles.com/ "Effective immediatly, US State Dept. regulations prohibit the export of any riflescope with a mil-dot reticle outside the United States." Peter Trei From jwashburn at whittmanhart.com Mon Nov 3 09:38:23 2003 From: jwashburn at whittmanhart.com (John Washburn) Date: Mon, 3 Nov 2003 11:38:23 -0600 Subject: Chaumian blinding & public voting? Message-ID: <9A1CCCE54805534C80F5BD0FC19D1E6B179915@chi-exch02.ffhq.ffconsulting.net> The Soviet Union and Pre-Invasion II Iraq had voter turnouts of 98+%. If voter turnout were important the same could be done here. What is wanted is a high turnout of INTERESTED voters. Only ballot choices produce that. Nevada has consistently higher voter turnout at all levels than any other state. Nevada also is the only state with No Of The Above (NOTA) as a pre-printed ballot option which must be included in all elections; even the "uncontested" races. I do not think this is a coincidence. Unfortunately the NOTA votes are non-binding as is the case in Australia. With binding NOTA, if NOTA with there is a new race with new candidates; none of whom can have appeared on the ballot where NOTA won. In Nevada, you have the ignominy of being listed as coming in second behind NOTA. But, you still get to exercise the levers of political power. Still, even Nevada's miniscule expansion of ballot options demonstrated my point. Interesting ballots (more candidates or more options) draw more voters because the pool of interested voters is larger. Another simple option I would like to see is a star next to the current office holder. This would slightly offset the staggering advantages of incumbency. After binding NOTA and incumbency identification, then you can begin to work on the rigged ballot access game create by the Democrat/Republican hegemony. -----Original Message----- From: Neil Johnson [mailto:njohnsn at njohnsn.com] Sent: Friday, October 31, 2003 9:18 PM To: Major Variola (ret); cypherpunks at lne.com Subject: Re: Chaumian blinding & public voting? On Friday 31 October 2003 12:10 pm, Major Variola (ret) wrote: > Is is possible to use blinding (or other protocols) so that all votes > are published, you can check that your vote is in there, and you > (or anyone) can run the maths and verify the vote? Without being > able to link people to votes without their consent. > Doing this would allow vote buyers to verify a voter voted the way they wanted. That is one of the main reasons you can't take a copy of your paper ballot home with you now. One option might be to give the voter a MAC of their ballot and then print the MAC's in the paper. The voter could check to see if their vote had been altered. I still think far better methods for improving voter turn out other than Internet voting are: 1. A National Election Holiday (but in the middle of the work week so people can't use it to extend a vacation). 2. Couple the Election with a National Lottery with local, state, and national prizes. With appropriate delink of voter's identity from the way they voted of course. (I'm not claiming that this would actually improve things overall, just increase voter turnout). -- Neil Johnson http://www.njohnsn.com PGP key available on request. From Nick.Keller at savvis.net Mon Nov 3 11:41:22 2003 From: Nick.Keller at savvis.net (Keller, Nick) Date: Mon, 3 Nov 2003 14:41:22 -0500 Subject: [AntiSocial] Re: FLASH: DHS wants info on store refunds? Message-ID: Thst is BS - I just received cash back from my Grocery Store (Giant) - No ID asked... What was the amount? -Nicolas > -----Original Message----- > From: Steve Schear [mailto:s.schear at comcast.net] > Sent: Monday, November 03, 2003 1:54 PM > To: cypherpunks at lne.com > Cc: antisocial at mfn.org > Subject: [AntiSocial] Re: FLASH: DHS wants info on store refunds? > > > At 06:11 PM 11/1/2003 -0600, J.A. Terranson wrote: > >Well, when I brought back the returns, they wanted a drivers > license. > >Odd, considering it was a cash sale and I was holding the receipt. > > > >"It's required by the Homeland Security Department" says the > kid behind > >the register. Sorry. I need ID, and I have to enter it into the > >computer and forward it to the Homeland Security Office. The > >Terrorists are using this kind of thing to wash money." > > > >I must have looked pretty stupid with my jaw hanging down like that. > > > >I made a scene of course. A *big* scene. Lots of loud argument, > >pointing out all the obvious things: as a cash sale, the > money did not > >need "washing". Cash sales are inherently ID agnostic. Etc., etc., > >etc. > > > >No dice. > > > >They want ID, and they are not going to budge. > > Was this information prominently displayed either behind the > register or on > the sales receipt prior to purchase? Most state laws require this. > > steve > > > --------------------------------------------------- > To unsubscribe: send mail to majordomo at mfn.org with > "unsubscribe antisocial" as the entire message. From measl at mfn.org Mon Nov 3 16:58:10 2003 From: measl at mfn.org (J.A. Terranson) Date: Mon, 3 Nov 2003 18:58:10 -0600 (CST) Subject: [AntiSocial] Re: FLASH: DHS wants info on store refunds? In-Reply-To: Message-ID: On Mon, 3 Nov 2003, Keller, Nick wrote: > Thst is BS - Exactly my point! > I just received cash back from my Grocery Store (Giant) - > No ID asked... > > What was the amount? $19.99 plus tax. > -Nicolas > > > > -----Original Message----- > > From: Steve Schear [mailto:s.schear at comcast.net] > > Sent: Monday, November 03, 2003 1:54 PM > > To: cypherpunks at lne.com > > Cc: antisocial at mfn.org > > Subject: [AntiSocial] Re: FLASH: DHS wants info on store refunds? > > > > > > At 06:11 PM 11/1/2003 -0600, J.A. Terranson wrote: > > >Well, when I brought back the returns, they wanted a drivers > > license. > > >Odd, considering it was a cash sale and I was holding the receipt. > > > > > >"It's required by the Homeland Security Department" says the > > kid behind > > >the register. Sorry. I need ID, and I have to enter it into the > > >computer and forward it to the Homeland Security Office. The > > >Terrorists are using this kind of thing to wash money." > > > > > >I must have looked pretty stupid with my jaw hanging down like that. > > > > > >I made a scene of course. A *big* scene. Lots of loud argument, > > >pointing out all the obvious things: as a cash sale, the > > money did not > > >need "washing". Cash sales are inherently ID agnostic. Etc., etc., > > >etc. > > > > > >No dice. > > > > > >They want ID, and they are not going to budge. > > > > Was this information prominently displayed either behind the > > register or on > > the sales receipt prior to purchase? Most state laws require this. > > > > steve > > > > > > --------------------------------------------------- > > To unsubscribe: send mail to majordomo at mfn.org with > > "unsubscribe antisocial" as the entire message. > -- Yours, J.A. Terranson sysadmin at mfn.org "Every living thing dies alone." Donnie Darko From measl at mfn.org Mon Nov 3 18:32:13 2003 From: measl at mfn.org (J.A. Terranson) Date: Mon, 3 Nov 2003 20:32:13 -0600 (CST) Subject: [AntiSocial] Re: FLASH: DHS wants info on store refunds? In-Reply-To: <5.2.1.1.0.20031103105203.053e1fa8@mail.comcast.net> Message-ID: On Mon, 3 Nov 2003, Steve Schear wrote: > >They want ID, and they are not going to budge. > > Was this information prominently displayed either behind the register or on > the sales receipt prior to purchase? Most state laws require this. Hrm... I'd love a citation, as I was unable to find one for Missouri, and have never even thought about such a weird scenario as this in my many drug-induced ramblings. :-) I'm still amazed they believe that *we believe* this BS. I'm even more amazed they *do* this BS song and dance. > > steve > > > --------------------------------------------------- > To unsubscribe: send mail to majordomo at mfn.org with > "unsubscribe antisocial" as the entire message. > > -- Yours, J.A. Terranson sysadmin at mfn.org "Every living thing dies alone." Donnie Darko From timcmay at got.net Mon Nov 3 20:45:35 2003 From: timcmay at got.net (Tim May) Date: Mon, 3 Nov 2003 20:45:35 -0800 Subject: [AntiSocial] Re: FLASH: DHS wants info on store refunds? In-Reply-To: Message-ID: On Monday, November 3, 2003, at 11:41 AM, Keller, Nick wrote: > Thst is BS - I just received cash back from my Grocery Store (Giant) - > No ID asked... > > What was the amount? > It's probably B.S., but if it isn't, and HomeSec is actually requiring this, then they are doing so without a specific warrant. Note that similar attempts in the past to get the names of book buyers, or other customers, have failed even when general warrants were sought. A store is, unless the Constitution has been rewritten lately, free to tell any Fed that its paperwork is its paperwork, save for matters relating to taxation, and that if the Feds want a _specific_ transaction or name, they can seek the appropriate search warrant before a judge. --Tim May From bill.stewart at pobox.com Tue Nov 4 02:13:27 2003 From: bill.stewart at pobox.com (Bill Stewart) Date: Tue, 4 Nov 2003 02:13:27 -0800 (PST) Subject: FLASH: DHS wants info on store refunds? In-Reply-To: References: Message-ID: <4469.216.240.32.1.1067940807.squirrel@smirk.idiom.com> > Well, when I brought back the returns, they wanted a drivers license. > Odd, considering it was a cash sale and I was holding the receipt. > "It's required by the Homeland Security Department" says the kid behind > the register. Sorry. I need ID, and I have to enter it into the > computer and forward it to the Homeland Security Office. The > Terrorists are using this kind of thing to wash money." Sounds like a pure bogus lie to me. Doesn't mean the _kid_ was lying; he may have been told that that was the policy, or the complexities of Homeland Security vs. Fed Firearms Burons vs. State Gun Law Enforcer Thugs may just be beyond him. Normally there'd be no reason that the store would be required to accept your returns at all, except that it's good business, but in this case they told you they would, so it's a verbal contract. If you've already talked to the manager, and haven't gotten satisfaction, then yeah, it's time to deal with the other store. From timcmay at got.net Tue Nov 4 08:01:04 2003 From: timcmay at got.net (Tim May) Date: Tue, 4 Nov 2003 08:01:04 -0800 Subject: Chaumian blinding & public voting? In-Reply-To: <200311041206.hA4C6tS06065@cs.auckland.ac.nz> Message-ID: <17CCED56-0EE0-11D8-9473-000A956B4C74@got.net> On Tuesday, November 4, 2003, at 04:06 AM, Peter Gutmann wrote: > Tim May writes: > >> (I bought _one_ lottery ticket, for $1, just to see how the numbers >> were >> done. Lotteries are of course a tax on the gullible and stupid.) > > A friend of mine likes to say that lotteries are a tax on stupidity: > The > dumber you are, the more tax you have to pay. > When California was considering a lottery to 'help the schools," I voted against it. On the grounds that if something is illegal (gambling, prostitution, copyright violation, etc.), governments shouldn't be running casinos or brothels or Napster services. If governments act as bookies or slot machines, why not you and me? (And if any private gambling operation used the deceptive bookkeeping the lotteries typically use, they'd be shut down for fraud. A slot machine which paid "$10,000....(paid over 20 years, or you can have $3481.98 _immediately_!)" would be shut down by the Gambling Commission in most states.) And, practically, it led to the inner city welfare mutants and mountain hillbillies buying large numbers of lottery tickets every week. Which is of course a good thing. Except it causes them to clamor for more handouts taken at gunpoint from those of us smart enough to save our money and not buy lottery tickets. But my main objection is that it is never an assigned responsibility of government to run gambling operations. Oh, and the "our children benefit, too!" never materialized. The politicos took in the rakeoff from the deceptive odds, plus the more normal rakeoff, and spent it on their usual stuff. Which is why California is now nattering about the need for more spending for schools. --Tim May From sfurlong at acmenet.net Tue Nov 4 12:48:31 2003 From: sfurlong at acmenet.net (Steve Furlong) Date: 04 Nov 2003 15:48:31 -0500 Subject: Chaumian blinding & public voting? In-Reply-To: <17CCED56-0EE0-11D8-9473-000A956B4C74@got.net> References: <17CCED56-0EE0-11D8-9473-000A956B4C74@got.net> Message-ID: <1067978911.2429.3.camel@daft> On Tue, 2003-11-04 at 11:01, Tim May wrote: > When California was considering a lottery to 'help the schools," ... > Oh, and the "our children benefit, too!" never materialized. The > politicos took in the rakeoff from the deceptive odds, plus the more > normal rakeoff, and spent it on their usual stuff. Three words: "Money is fungible". From comesefosse at ntani.firenze.linux.it Tue Nov 4 10:43:03 2003 From: comesefosse at ntani.firenze.linux.it (Tarapia Tapioco) Date: Tue, 4 Nov 2003 19:43:03 +0100 (CET) Subject: Freenet and DHCP Message-ID: Hi, Roy M. Silvernail (roy at rant-central.com) wrote on 2003-11-03: > In looking over the Freenet FAQ (specifically the Firewall/NAT stuff), it > looks like a static public IP address is assumed/needed. My DSL connection > is DHCP, so my visible IP changes periodically. Even more fun, the visible > IP isn't visible from my side. (I get a 10.x.x.x address from my DSL modem) > I can do some sneaky stuff to recover the visible IP, but can Freenet work > under these conditions? It Depends[tm]. All you really need is one TCP listen socket - if you can't receive incoming TCP connections, you can only participate as a transient node and retrieve content, but you're not really useful to the network as it is. Using a DynDNS host name for the ipAddress setting is pretty common on Freenet, so that shouldn't be a problem. From pgut001 at cs.auckland.ac.nz Tue Nov 4 04:06:55 2003 From: pgut001 at cs.auckland.ac.nz (Peter Gutmann) Date: Wed, 5 Nov 2003 01:06:55 +1300 Subject: Chaumian blinding & public voting? Message-ID: <200311041206.hA4C6tS06065@cs.auckland.ac.nz> Tim May writes: >(I bought _one_ lottery ticket, for $1, just to see how the numbers were >done. Lotteries are of course a tax on the gullible and stupid.) A friend of mine likes to say that lotteries are a tax on stupidity: The dumber you are, the more tax you have to pay. Peter. From bogus@does.not.exist.com Wed Nov 5 08:11:39 2003 From: bogus@does.not.exist.com () Date: Wed, 05 Nov 2003 11:11:39 -0500 Subject: [s-t] needle in haystack digest #3 Message-ID: Re: privacy and caution digest #2 from "Bryan O'Sullivan" and David M Chess and Steve Lamont ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From bogus@does.not.exist.com Wed Nov 5 13:36:54 2003 From: bogus@does.not.exist.com () Date: Wed, 5 Nov 2003 13:36:54 -0800 Subject: [aprssig] Re: Commercial APRS Service Message-ID: And then too, of course, the "dramatic demonstration" from http://www.satsecurity.com/news103103.htm SAN DIEGO - October 31, 2003 -- Satellite Security Systems (S3), a global provider of asset security and logistics control, in cooperation with the California Highway Patrol (CHP) and InterState Oil Company, dramatically demonstrated the first wireless remote shutdown of a fully loaded moving petrochemical tanker truck. >From S3's headquarters in San Diego - 530 miles from the demonstration site - satellite communications were used to disable the truck in seconds, proving S3's GlobalGuardT and FleetGuardT a viable solution to the challenge of controlling rogue hazardous waste vehicles that could pose a threat to homeland security. The event, conducted on CHP Academy grounds in Sacramento and administered by the CHP, addresses ongoing concerns about the affordability of effective security technology, stealthiness of such a security device, and how GPS monitoring can be incorporated safely into law enforcement protocol. -- Neil Johnson http://www.njohnsn.com PGP key available on request. From ericm at lne.com Wed Nov 5 14:39:51 2003 From: ericm at lne.com (Eric Murray) Date: Wed, 5 Nov 2003 14:39:51 -0800 Subject: [declan@well.com: [Politech] FBI visits John Young, asks about anti-government activity [fs]] Message-ID: <20031105143951.A32545@slack.lne.com> ----- Forwarded message from Declan McCullagh ----- From dcopley at eeye.com Wed Nov 5 16:32:54 2003 From: dcopley at eeye.com (Drew Copley) Date: Wed, 5 Nov 2003 16:32:54 -0800 Subject: Six Step IE Remote Compromise Cache Attack Message-ID: > -----Original Message----- > From: Benjamin Franz [mailto:snowhare at nihongo.org] > Sent: Wednesday, November 05, 2003 2:50 PM > To: Thor Larholm > Cc: Liu Die Yu; bugtraq at securityfocus.com > Subject: RE: Six Step IE Remote Compromise Cache Attack > > > On Wed, 5 Nov 2003, Thor Larholm wrote: > > > This post raises an interesting question. Is our goal to find new > > vulnerabilities and attack vectors to help secure users and > critical > > infrastructures, or is our goal to ease exploitation of existing > > vulnerabilities? > > > > There are no new vulnerabilities or techniques highlighted in this > > attack (which is what it is), just a combination of several already > > known vulnerabilities. This is not a proof-of-concept designed to > > highlight how a particular vulnerability works, but an exploit > > designed specifically to compromise your machine. All a malicious > > viruswriter has to do is exchange the EXE file. > > > > Believe me, I am all in for full disclosure and detailing > every aspect > > of a vulnerability to prevent future occurances of similar threats, > > but I don't particularly think that we should actively be trying to > > help malicious persons. > > I have mixed emotions about this. On one side - why put > millions of systems at risk to script kiddies? On the other > side, as noted by the poster, one of these vulnerabilities > has been known for more than _TWO YEARS_. Surely far more > than enough time for MS to have actually _fixed_ the problem > if they intended to. MS seems (at least in some cases) to > ignore security problems until someone publically 'holds > their feet to the fire' over them. I suspect this happens > when the problem 'runs deep' in their code and will require > more than fixing a boundary limit check and recompiling. Very well said. I would note that I believe their strategy for securing code wants to be inline with their strategy for pushing their products. The company is full of strategies, and this is good. But, the primary stategy needs to be to "put security first". Especially, post 9/11. A few others things... As with all security issues, the researcher is not bound to tell anyone about them. Liu Die Yu could have just shared this with his friends, and we all could have kept these to do as we will. Kind of like keeping your own personal nuclear weapon. Who knows? Maybe there will be a rainy day. My question then, to everybody, is "would you have preferred that he keep this to himself and his friends, or would you have preferred for him to have disclosed this, with a workaround?" Because Liu Die Yu has worked with Microsoft (China) in the past, and he has, unfortunately, found that he can not trust them. Maybe he talked to the wrong person. Who knows? But, we can all see plainly that Microsoft was without excuse to ignore these problems all of these years. What was the thinking behind that? Was somebody's job saved so this could happen? Was somebody able to make a more successful career move because of this? Are researhers like Liu Die Yu too intimidating to deal with, too challenging, too successful? What would have happened if someone else put these flaws together and discovered they could make them work? What would have been the case in that situation? Why did Microsoft ignore the advice of all these researchers and not do something about these issues? Why did they think they could go it alone in this way? The advice was free for them. They had almost two years to fix this, should Liu Die Yu even conceivably be forced to wait another three to six months from a company that has shown him bad dealings in the past? This is using the system at its' best. It is an example of the best kind of system. There is no bureaucracy, there is no limitation, no glass ceilings, no prejudice... Anyone who is capable, come, find bugs. Microsoft is putting out millions of dollars in bounties for worm writers while people like Liu Die Yu are just trying to get into the security field, so they can do what they are best at. What they love to do. It isn't like he is incapable of doing this. He has found swarms of bugs since starting to look for them. Bounties work. We know they do. But, let's close the gap. Let's make sure that tomorrow's bugs are not found outside of the Full Disclosure community. Why would anybody be making these kinds of shortcuts? What good is AV or Firewalls or anything if your OS let's the attacker through? We worry about script kiddies trying to figure out what Liu Die Yu did here to make their own version? We should be worrying about rogue nations and criminal organizations creating teams of bug finders so they can penetrate any system they want to. The computers themselves are worthless, compared to human lives, but the information within them are invaluable. Blueprints. Military strategies. Political strategies. Security strategies. Governmental secrets. Corporate secrets. Identities. Weaknesses. I have to wonder when people when begin to figure out that security bugs mean... security holes mean: keys to the application, and generally, keys to the system. We can ponder all we want about the NSA having a backdoor, or merely Microsoft having a backdoor... But anytime someone finds a security hole like this, they have a backdoor. If you want, ask the researcher to please alert the vendor. Be rude about it, whatever. But, understand that if they were bad or interested in doing evil... They would not report it to the world. They would use it. Lastly, just to be fair. Most researchers that find bugs in Microsoft's products do so at least partly because everyone uses their software. Microsoft actually has a code auditing team, they actually have made moves towards securing their software. Most companies have not done this. Their code is not even looked at. If the case were anything different, Liu Die Yu would just put his resume on monster or dice, and he wouldn't be speaking to us right now. He would be working in the field he loves. Drew Copley Research Engineer, eEye Digital Security Fun quote for the day: "Who knows what evil lurks in the hearts of men? The Shadown knows!" > > -- > Benjamin Franz > > Gauss's law is always true, but it is not always useful. > -- David J. Griffiths, "Introduction to Electrodynamics" > > > ----- End forwarded message ----- -- Eugen* Leitl leitl ______________________________________________________________ ICBM: 48.07078, 11.61144 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE [demime 0.97c removed an attachment of type application/pgp-signature] From declan at well.com Wed Nov 5 14:01:52 2003 From: declan at well.com (Declan McCullagh) Date: Wed, 05 Nov 2003 17:01:52 -0500 Subject: [Politech] FBI visits John Young, asks about anti-government activity [fs] Message-ID: John Young is a longtime supporter of open government and public access to government information. See: http://www.mccullagh.org/cgi-bin/photosearch.cgi?name=john+young -Declan --- http://cryptome.org/fbi-cryptome.htm 4 November 2003 Cryptome received a visit today from FBI Special Agents Todd Renner and Christopher Kelly from the FBI Counterterrorism Office in New York, 26 Federal Plaza, telephone (212) 384-1000. Both agents presented official ID and business cards. SA Renner said that a person had reported Cryptome as a source of information that could be used to harm the United States. He said Cryptome website had been examined and nothing on the site was illegal but information there might be used for harmful purposes. He noted that information in the Cryptome CDs might wind up in the wrong hands. SA Renner said there is no investigation of Cryptome, that the purpose of the visit was to ask Cryptome to report to the FBI any information which Cryptome "had a gut feeling" could be a threat to the nation. There was a discussion of the purpose of Cryptome, freedom of information, the need for more public information on threats to the nation and what citizens can do to protect themselves, the need for more public information about how the FBI functions in the field and the intention of visits like the one today. SA Kelly said such visits are increasingly common as the FBI works to improve the reporting of information about threats to the US. Asked what will happen as a result of the visit. SA Renner said he will write a report of the visit. Cryptome said it will publish a report of the visit, including naming the agents. Both agents expressed concern about their names being published for that might lead to a threat against them and/or their families -- one saying that due to copious personal databases any name can be traced. Cryptome said the reason for publishing names of agents is so that anyone can verify that a contact has been made, and that more public information is needed on how FBI agents function and who they are. Cryptome noted that on a previous occasion FBI agents had protested publication of their names by Cryptome. Cryptome did not agree to report anything to the FBI that is not available on the website. _______________________________________________ Politech mailing list Archived at http://www.politechbot.com/ Moderated by Declan McCullagh (http://www.mccullagh.org/) ----- End forwarded message ----- From eugen at leitl.org Wed Nov 5 08:45:56 2003 From: eugen at leitl.org (Eugen Leitl) Date: Wed, 5 Nov 2003 17:45:56 +0100 Subject: [s-t] needle in haystack digest #3 Message-ID: <20031105164556.GC25659@leitl.org> From jamesd at echeque.com Wed Nov 5 18:58:58 2003 From: jamesd at echeque.com (James A. Donald) Date: Wed, 5 Nov 2003 18:58:58 -0800 Subject: Deniable data storage Message-ID: <3FA94872.14740.DEE36E@localhost> -- I want fully deniable information storage -- information theoretic deniable, not merely steganographic deniable, for stenography can never be wholly secure. So I would have a fixed sized block of data containing a variable number of smaller secret chunks of data. A random key would extract a random length of gibberish, a valid key would extract a stream of valid data, and revealing one secret key to the adversary would not give the adversary any evidene that more secrety keys were present or absent. Any good known algorithms for this? --digsig James A. Donald 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG E/45zLbSQGo9twu/KUBNIOlEXbRyhzQ7Y3BaLVsF 41igtTR/jdGIfGHEe9yPuW0cL6FbO81L4da208BC1 From jamesd at echeque.com Wed Nov 5 18:58:58 2003 From: jamesd at echeque.com (James A. Donald) Date: Wed, 5 Nov 2003 18:58:58 -0800 Subject: Deniable data storage In-Reply-To: <20030325092528.A22947@cluebot.com> References: <3E7F8732.24885.D5EF3A@localhost>; from jamesd@echeque.com on Mon, Mar 24, 2003 at 10:31:14PM -0800 Message-ID: <3FA94872.10325.DEE3A0@localhost> I want to store information deniably. So there would be a fixed sized block of data, say one megabyte, increasing by multiples of 8 as needed. This would contain various items of information that one could extract by supplyin a secret, symmetric, key. A random key would extract a block of gibberish of random length There would be no indication as to how many bits of meaningful data were stored in the block, though obviously they would have to add up to less than the size of the block. So one could store one's password list under one key, and the location of the dead bodies under another key, and absent that key, there would be no evidence that they key, or information hidden under that key, existed. What is a good algorithm for this? From njohnsn at njohnsn.com Wed Nov 5 18:58:54 2003 From: njohnsn at njohnsn.com (Neil Johnson) Date: Wed, 5 Nov 2003 20:58:54 -0600 Subject: test - please ignore Message-ID: <200311052058.54541.njohnsn@njohnsn.com> ping. -- Neil Johnson http://www.njohnsn.com PGP key available on request. From njohnsn at njohnsn.com Wed Nov 5 19:05:19 2003 From: njohnsn at njohnsn.com (Neil Johnson) Date: Wed, 5 Nov 2003 21:05:19 -0600 Subject: Remote vechicle shutdown Message-ID: <200311052105.19076.njohnsn@njohnsn.com> Wouldn't you know it, just after I send a test message to check to see if I'm still getting mail from the list. I find something worthwhile to post. >From a Amateur Radio Mail List I frequent: ---------- Forwarded Message ---------- From jtrjtrjtr2001 at yahoo.com Thu Nov 6 03:39:48 2003 From: jtrjtrjtr2001 at yahoo.com (Sarad AV) Date: Thu, 6 Nov 2003 03:39:48 -0800 (PST) Subject: Deniable data storage In-Reply-To: <3FA94872.10325.DEE3A0@localhost> Message-ID: <20031106113948.75554.qmail@web21202.mail.yahoo.com> hi, Keep K =Original Key P =Original Plain Text C =Original cipher text D=Dummy plain text C'=Dummy cipher text K'=Dummy key use a symmetric key encryption algorithm with a secret key 'k' over plain text 'P' to obtain cipher text 'C' Then we find k'= C (xor) D Preferably D is atleast as long as C. Now we can claim we used k' as one time pad to encrypt. When the police decrypts they obtain D= C (xor) k', the dummy plain text. This is not an efficient algorithm but even if you did have one, this is not a very good idea because the secret police will first get the dummy key and when they see there is nothing of significance in the plain text, they will beat the original key out of us and I dont suppose any democracy in the world prevents this from happening :-) Regards Sarath. --- "James A. Donald" wrote: > I want to store information deniably. > > So there would be a fixed sized block of data, say > one megabyte, > increasing by multiples of 8 as needed. > > This would contain various items of information that > one could > extract by supplyin a secret, symmetric, key. A > random key would > extract a block of gibberish of random length > There would be no > indication as to how many bits of meaningful data > were stored in the > block, though obviously they would have to add up to > less than the > size of the block. > > So one could store one's password list under one > key, and the > location of the dead bodies under another key, and > absent that key, > there would be no evidence that they key, or > information hidden under > that key, existed. > > What is a good algorithm for this? > __________________________________ Do you Yahoo!? Protect your identity with Yahoo! Mail AddressGuard http://antispam.yahoo.com/whatsnewfree From frissell at panix.com Thu Nov 6 03:55:40 2003 From: frissell at panix.com (Duncan Frissell) Date: Thu, 06 Nov 2003 06:55:40 -0500 Subject: [declan@well.com: [Politech] FBI visits John Young, asks about anti-government activity [fs]] In-Reply-To: <20031105143951.A32545@slack.lne.com> Message-ID: <5.2.1.1.0.20031106065346.040b5620@mail.panix.com> It's a little late for Special Agent Todd Renner to avoid publicity: http://www.networks.org/?src=cnn:2003:US:Northeast:05:22:explosives.arrest "Todd Renner -- an FBI special agent assigned to the Joint Terrorist Task Force in New York" DCF At 02:39 PM 11/5/03 -0800, Eric Murray wrote: >----- Forwarded message from Declan McCullagh ----- > >Date: Wed, 05 Nov 2003 17:01:52 -0500 >To: politech at politechbot.com >From: Declan McCullagh >Subject: [Politech] FBI visits John Young, asks about anti-government >activity [fs] > > >John Young is a longtime supporter of open government and public access to >government information. See: >http://www.mccullagh.org/cgi-bin/photosearch.cgi?name=john+young > >-Declan > >--- > >http://cryptome.org/fbi-cryptome.htm > >4 November 2003 > >Cryptome received a visit today from FBI Special Agents Todd Renner and >Christopher Kelly from the FBI Counterterrorism Office in New York, 26 >Federal Plaza, telephone (212) 384-1000. Both agents presented official ID >and business cards. > >SA Renner said that a person had reported Cryptome as a source of >information that could be used to harm the United States. He said Cryptome >website had been examined and nothing on the site was illegal but >information there might be used for harmful purposes. He noted that >information in the Cryptome CDs might wind up in the wrong hands. > >SA Renner said there is no investigation of Cryptome, that the purpose of >the visit was to ask Cryptome to report to the FBI any information which >Cryptome "had a gut feeling" could be a threat to the nation. > >There was a discussion of the purpose of Cryptome, freedom of information, >the need for more public information on threats to the nation and what >citizens can do to protect themselves, the need for more public information >about how the FBI functions in the field and the intention of visits like >the one today. > >SA Kelly said such visits are increasingly common as the FBI works to >improve the reporting of information about threats to the US. > >Asked what will happen as a result of the visit. SA Renner said he will >write a report of the visit. > >Cryptome said it will publish a report of the visit, including naming the >agents. Both agents expressed concern about their names being published for >that might lead to a threat against them and/or their families -- one >saying that due to copious personal databases any name can be traced. > >Cryptome said the reason for publishing names of agents is so that anyone >can verify that a contact has been made, and that more public information >is needed on how FBI agents function and who they are. > >Cryptome noted that on a previous occasion FBI agents had protested >publication of their names by Cryptome. > >Cryptome did not agree to report anything to the FBI that is not available >on the website. >_______________________________________________ >Politech mailing list >Archived at http://www.politechbot.com/ >Moderated by Declan McCullagh (http://www.mccullagh.org/) > >----- End forwarded message ----- From rjwalsh at durables.org Thu Nov 6 09:51:14 2003 From: rjwalsh at durables.org (Robert Walsh) Date: Thu, 06 Nov 2003 09:51:14 -0800 Subject: [s-t] needle in haystack digest #3 Message-ID: > Yes. I wasn't intending to suggest an attack based solely on masks. Yes - it'd never work. Electronic Engineers are a strange bunch. I've spent way too much of my time in a room full of people staring at mask plots of various 50M transistor and up CPUS looking for flaws, areas for optimization, etc. It's part of every CPU design cycle and the developers hate it, but it has to be done. If the mask doesn't match the circuit you designed, you can spot that kind of thing fairly quickly. If it didn't match in a way that actually did something useful, then it'd leap right out at you as soon as you unfurled the plot. It's not just at the design review stage, either. The fab people are constantly processing the chip design, performing their own reviews, staring through microscopes at the wafers: working on alignment issues, probing test points, stripping layers and taking cross-sections to examine everything from VIA quality to metalization issues. Something out of the ordinary would make itself obvious pretty quickly. These people live inside their chips. That's why they sort of work. Regards, Robert. --=20 Robert Walsh Amalgamated Durables, Inc. - "We don't make the things you buy." Email: rjwalsh at durables.org ----------------------------------------------------------- From Nick.Barnes at pobox.com Thu Nov 6 05:32:40 2003 From: Nick.Barnes at pobox.com (Nick Barnes) Date: Thu, 06 Nov 2003 13:32:40 +0000 Subject: [s-t] needle in haystack digest #3 Message-ID: > Subject: Re: [s-t] privacy and caution digest #2 > From: "Bryan O'Sullivan" > Date: Mon, 27 Oct 2003 22:49:19 -0800 > > On Mon, 2003-10-27 at 14:49, Nick B wrote: > > > Nobody, but nobody, builds _anything_ electronic from the ground up. > > Not me, not you, not Apple, not Microsoft, not Sony, not Intel, not > > the NSA. [Apple,] Sony, Intel and the NSA get closer by fabbing their > > own silicon. > > No Such Agency doesn't fab much of anything; they can't afford to. They > and their ilk are far more interested in things like FPGAs and adapting > numerical algorithms to COTS SIMD hardware, such as graphics processors > (a la http://www.gpgpu.org/). My apologies; I don't have much information on the budget, interests, capabilities, facilities, or operations of the NSA. > > Who knows > > what sort of spyware those tools are adding? > > Don't be silly. The amount of computation you need to do to get a > circuit of any useful complexity to do something predictable is > enormous. You can't stuff a thousand CPUs and 200 engineers into an > Applied Materials mask etch machine, so that they can rig a WiFi card > and antenna onto your PS2's vector chip without Sony finding out. Even > if you could, how would they talk to the evil animalcules inside the > Novellus metal deposition machine in the facility next door, so the > right traces get metallised? I guess I didn't make myself clear. I wasn't hypothesizing an attack against a fab. I was saying that deeply paranoid "don't trust anyone" types could well hypothesize such attacks. They don't have to be semi-automated Thompson-style attacks (and I didn't have those in mind). Put yourself in a "don't trust anyone" frame of mind, and imagine that some part of the toolchain at (say) Intel includes spyware which allows it to be controlled by (say) NSA. Using this spyware, NSA can watch a part of a CPU going through design-and-test cycles, pick a part of the design to subvert, and carefully craft a replacement for that part of the design. Making the replacement part do something useful for the NSA is left as an exercise for those who enjoy this type of thing. My point was that anyone who has a tendency to believe in this sort of nonsense should, for consistency, be shunning mainstream hardware altogether. Even if they trust Intel, ho ho ho. > Never even mind that automatically figuring out what a bunch of geometry > in a set of masks represents is vastly harder than reverse compilation > for software. Yes. I wasn't intending to suggest an attack based solely on masks. The hypothesized attackers, having subverted the toolchain, have full access at all levels of the hardware design (including design documents, sources in various description languages, etc). > > It is actually quite hard. And if anybody > > ever does implement it really well, they can win, in principle even > > against projects like Plan 9 > > No they can't. Identifying something as "a compiler" and instrumenting > the right code is impossible for automated systems. I agree (almost), but a Thompson attack doesn't have to do that. Compilers read source code by calling read() and write object code by calling write(). These are, IMO, the right places to attack. A program which open()s a descriptor on a file called \(*\).c and read()s some source code from it, and open()s another descriptor on a file called \1.o and write()s some object code to it, is probably a compiler. Any Thompson attack is directed against a particular platform (e.g. OS + compiler + hardware) *or set of platforms*. That was the point I was trying to make. Plan 9 could have been vulnerable to an attack created after the start of the project, targetting both gcc and (say) 2c. I agree that [barring global conspiracies of the sort outlined above] someone designing a new system from scratch tomorrow, *using only tools and equipment available today*, and making the avoidance of Thompson-style attacks a priority, could come away clean. Off-hand, I guess that I would do it by avoiding having a modern bootstrap in the first place. I'd write my main compiler in some much smaller simpler language, and keep it that way. For myself, I still don't believe in Thompson attacks, or global conspiracies subverting fab toolchains. Global conspiracies seem to use much less subtle approaches (insert here stuff about chads, airliners, and Wars on Abstract Nouns). I'm so unparanoid that I'm running GNU Emacs 21.3, built from suspect sources. Heck, I'm so unparanoid that I don't even believe that Diebold is part of a global conspiracy. Hanlon's razor, and all that. Nick B ----- End forwarded message ----- -- Eugen* Leitl leitl ______________________________________________________________ ICBM: 48.07078, 11.61144 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE [demime 0.97c removed an attachment of type application/pgp-signature] From mv at cdc.gov Thu Nov 6 13:57:19 2003 From: mv at cdc.gov (Major Variola (ret)) Date: Thu, 06 Nov 2003 13:57:19 -0800 Subject: [s-t] needle in haystack digest #3 (fwd from Nick.Barnes@pobox.com) Message-ID: <3FAAC3BF.D0B35D94@cdc.gov> At 06:00 PM 11/6/03 +0100, Eugen Leitl wrote: >I guess I didn't make myself clear. I wasn't hypothesizing an attack >against a fab. I was saying that The focus on Thomspon-trojaned tools and Chipworks-style reverse engineering is silly. There are plenty of folks who need green cards, or whose relatives do, who have modify access to the CVS of the RTL for a chip. That is the best way to add unauthorized "features" --through a technically competent insider. Since the features are not in the spec, they won't be tested for. Sure, you might have to do some work after the chips are fielded --getting the trojaned system to process a certain string, wiretapping its response-- but the payoff can be huge. From comesefosse at ntani.firenze.linux.it Thu Nov 6 05:14:45 2003 From: comesefosse at ntani.firenze.linux.it (Tarapia Tapioco) Date: Thu, 6 Nov 2003 14:14:45 +0100 (CET) Subject: Deniable data storage Message-ID: <8a68127465263ac88c1b4db00de97f64@firenze.linux.it> James A. Donald (jamesd at echeque.com) wrote on 2003-11-06: > I want fully deniable information storage -- information > theoretic deniable, not merely steganographic deniable, for > stenography can never be wholly secure. So, StegFS is not "deniable enough"? I'm not much of a theory buff, but it sure sounds nice from the paper... From eugen at leitl.org Thu Nov 6 08:14:24 2003 From: eugen at leitl.org (Eugen Leitl) Date: Thu, 6 Nov 2003 17:14:24 +0100 Subject: Six Step IE Remote Compromise Cache Attack (fwd from dcopley@eeye.com) Message-ID: <20031106161424.GO27591@leitl.org> ----- Forwarded message from Drew Copley ----- From DaveHowe at gmx.co.uk Thu Nov 6 09:20:56 2003 From: DaveHowe at gmx.co.uk (Dave Howe) Date: Thu, 6 Nov 2003 17:20:56 -0000 Subject: [s-t] needle in haystack digest #3 (fwd from Nick.Barnes@pobox.com) References: <20031106170043.GS27591@leitl.org> Message-ID: <00c601c3a48a$5d5fd6f0$c71121c2@exchange.sharpuk.co.uk> > No Such Agency doesn't fab much of anything; they can't afford to. They > and their ilk are far more interested in things like FPGAs and adapting > numerical algorithms to COTS SIMD hardware, such as graphics processors > (a la http://www.gpgpu.org/). Why do they have their own fab plant if they don't fab anything? http://www.globalsecurity.org/intell/facility/nsaspl.htm From eugen at leitl.org Thu Nov 6 09:00:43 2003 From: eugen at leitl.org (Eugen Leitl) Date: Thu, 6 Nov 2003 18:00:43 +0100 Subject: [s-t] needle in haystack digest #3 (fwd from Nick.Barnes@pobox.com) Message-ID: <20031106170043.GS27591@leitl.org> ----- Forwarded message from Nick Barnes ----- From timcmay at got.net Thu Nov 6 20:22:01 2003 From: timcmay at got.net (Tim May) Date: Thu, 6 Nov 2003 20:22:01 -0800 Subject: [s-t] needle in haystack digest #3 (fwd from Nick.Barnes@pobox.com) In-Reply-To: <00c601c3a48a$5d5fd6f0$c71121c2@exchange.sharpuk.co.uk> Message-ID: On Thursday, November 6, 2003, at 09:20 AM, Dave Howe wrote: >> No Such Agency doesn't fab much of anything; they can't afford to. >> They >> and their ilk are far more interested in things like FPGAs and >> adapting >> numerical algorithms to COTS SIMD hardware, such as graphics >> processors >> (a la http://www.gpgpu.org/). > Why do they have their own fab plant if they don't fab anything? > http://www.globalsecurity.org/intell/facility/nsaspl.htm > The conventional--and convincing to me--story has been that they had National Semi (and maybe others) help them with local fabs. These are fabs for things like key chips (the ICs carrying keying material in whatever form, for Permissive Action Links, and ultra-sensitive kinds of stuff that they wouldn't the usual cranked-up fab workers in Sunnyvale or Nampa getting near). I heard ten years ago that the National Semi fab on-site was a lowly 2-micron fab. Which was enough for keying material. Crunching chips, for special purpose computers, don't carry the same security requirements, as the secret stuff in the code that is being run and not the fuses or links being blown. For this, they would use whatever is out there. --Tim May From mv at cdc.gov Thu Nov 6 21:38:36 2003 From: mv at cdc.gov (Major Variola (ret)) Date: Thu, 06 Nov 2003 21:38:36 -0800 Subject: [s-t] needle in haystack digest #3 (fwd from Nick.Barnes@pobox.com) Message-ID: <3FAB2FDC.18554C30@cdc.gov> At 08:22 PM 11/6/03 -0800, Tim May wrote: >I heard ten years ago that the National Semi fab on-site was a lowly >2-micron fab. Which was enough for keying material. And rad-hard circuits for their buddies at the NRO. And 2 mics is fine for certain esoteric processes. Got GaAs? That's done on 6" wafers. Of import to those who like listening to the aether. But if you want a suitcase DESCracker (stuffing Sun chassis is so passe, though it was a fine recycling program and probably emptied some space in JG's garage :-) you use 90 nm FPGAs. NSA folks probably wear GSM and WEP crackers as cufflinks. Maybe they have competitions to see who can program those crackers on their kids' gameboys. From timcmay at got.net Thu Nov 6 23:58:03 2003 From: timcmay at got.net (Tim May) Date: Thu, 6 Nov 2003 23:58:03 -0800 Subject: [s-t] needle in haystack digest #3 (fwd from Nick.Barnes@pobox.com) In-Reply-To: <20031107005633.A12363@positron.mit.edu> Message-ID: <1D22D264-10F8-11D8-9473-000A956B4C74@got.net> On Thursday, November 6, 2003, at 09:56 PM, Riad S. Wahby wrote: > "Major Variola (ret)" wrote: >> At 08:22 PM 11/6/03 -0800, Tim May wrote: >>> I heard ten years ago that the National Semi fab on-site was a lowly >>> 2-micron fab. Which was enough for keying material. >> >> And rad-hard circuits for their buddies at the NRO. > > Probably not on a CMOS process, though. For the most part, > rad-hard==bipolar, even nowadays. > > Most ULSI today is BiCMOS, but Intel, Harris, and a bunch of others were making rad-hard CMOS nearly 20 years ago. The 80C86 rad hard part was and is used in a lot of critical apps. True enough, a project I consulted on picked the AMD 2901 for the Galileo Jupiter mission, and it was bipolar. And of course the concern with shrinking geometries has moved from "suntan" effects (long exposure) to SEUs. And here the advantages mostly are with SOI (as they were with SOS and SOI when I started working on SEUs in 1977). --Tim May From rsw at jfet.org Thu Nov 6 21:56:33 2003 From: rsw at jfet.org (Riad S. Wahby) Date: Fri, 7 Nov 2003 00:56:33 -0500 Subject: [s-t] needle in haystack digest #3 (fwd from Nick.Barnes@pobox.com) In-Reply-To: <3FAB2FDC.18554C30@cdc.gov>; from mv@cdc.gov on Thu, Nov 06, 2003 at 09:38:36PM -0800 References: <3FAB2FDC.18554C30@cdc.gov> Message-ID: <20031107005633.A12363@positron.mit.edu> "Major Variola (ret)" wrote: > At 08:22 PM 11/6/03 -0800, Tim May wrote: > >I heard ten years ago that the National Semi fab on-site was a lowly > >2-micron fab. Which was enough for keying material. > > And rad-hard circuits for their buddies at the NRO. Probably not on a CMOS process, though. For the most part, rad-hard==bipolar, even nowadays. -- Riad Wahby rsw at jfet.org MIT VI-2 M.Eng From declan at well.com Fri Nov 7 05:38:21 2003 From: declan at well.com (Declan McCullagh) Date: Fri, 07 Nov 2003 08:38:21 -0500 Subject: Bush grants pardons Message-ID: <6.0.0.22.2.20031107083813.02033858@mail.well.com> _________________________________________________________________________________________________ FOR IMMEDIATE RELEASE OPA THURSDAY, NOVEMBER 6, 2003 (202) 514-2008 WWW.USDOJ.GOV TDD (202) 514-1888 WASHINGTON, D.C. - President George W. Bush granted pardons to the following four individuals: Brianna Lea Haney Kamloops, BC, Canada Offense: Failure to report monetary instruments, 31 U.S.C. '' 5316 and 5322(a). Sentence: November 8, 1991; Western District of Washington; four and one-half months' community confinement and two years' supervised release. David Custer Heaston Las Vegas, Nevada Offense: False statement, 18 U.S.C. ' 1001. Sentence: April 22, 1988; District of Nevada; three years, probation, $1,000 fine. Bruce Louis Bartos Fort Lauderdale, Florida Offense: Transportation of a machine gun in foreign commerce, 18 U.S.C. '' 922(a)(4) and 924. Sentence: July 10, 1987; Southern District of Florida; two years' probation. Michael Robert Moelter Jim Falls, Wisconsin Offense: Conducting an illegal gambling business; 18 U.S.C. ' 1955. Sentence: September 15, 1988; Western District of Wisconsin; three years' probation, conditioned upon sixty days' residence in a community treatment center, $5,000 fine. ### From declan at well.com Fri Nov 7 05:49:26 2003 From: declan at well.com (Declan McCullagh) Date: Fri, 07 Nov 2003 08:49:26 -0500 Subject: Commerce Department, still at it Message-ID: <6.0.0.22.2.20031107084907.02f52e68@mail.well.com> Deadline to submit comments to the Department of Commerce's (DOC) Bureau of Industry and Standards (BIS), which is also known as the Bureau of Export Administration (BXA) regarding its proposal to amend its rules to "expand the availability of license exceptions for exports and reexports of computer technology and software, and microprocessor technology on the Commerce Control List (CCL) of the Export Administration Regulations (EAR) under Export Classification Control Numbers (ECCNs) 3E002, 4D001 and 4E001. These ECCNs control technology and software that can be used for the development, production, or use of computers, and development and production of microprocessors." Comments are due by November 24, 2003. See, notice in the Federal Register, October 24, 2003, Vol. 68, No. 206, at Pages 60891-60895. http://a257.g.akamaitech.net/7/257/2422/14mar20010800/edocket.a ccess.gpo.gov/2003/03-26788.htm From timcmay at got.net Fri Nov 7 08:55:08 2003 From: timcmay at got.net (Tim May) Date: Fri, 7 Nov 2003 08:55:08 -0800 Subject: Panther's FileVault can damage data In-Reply-To: <20031107155206.GG3534@leitl.org> Message-ID: <248BAF3E-1143-11D8-9473-000A956B4C74@got.net> On Friday, November 7, 2003, at 07:52 AM, Eugen Leitl wrote: > In case you've been using Apple OS X 10.3 (Panther)'s FileVault > (Rijndael128 > on ~/) there's a yet unfixed bug. Answer no if requested to regain > lost disk > space in encrypted directory[1] > > Notice that while the screen lock buffer overrun has been fixed, there > are > still unresolved issues with it[2] > > [1]http://www.theregister.co.uk/content/39/33769.html > > [2]http://www.securityfocus.com/bid/8912 > It's astounding to me that that Apple failed to do basic QC on its major new release. The problem with the Firewire 800 drives using the Oxford 922 chips is inexcusable. Did Apple never bother to run the new version of OS X with drives made by vendors other than Apple? (I'm assuming here the Firewire 800 problem is not present in Apple drives, about which I am not 100% convinced.) Apple should've had a team of testers running the new 10.3 version, as with each new version, on a variety of machine configurations, keeping careful track of incompatibilities and gotchas. That something so gross as trashing external drives (the very popular ones from LaCie and others) went unnoticed is just plain inexcusable. I have a perfectly new copy of "Panther" OS X 10.3 sitting ready to be installed on the machine I am on right now. But I won't install it until Apple does its QC. And since I'm still on a dial-up connection and cannot easily download 100 MB of "updated" versions, I plan to contact Apple when the new fix is released and tell them to send me a new CD-ROM. As an Apple shareholder since 1984, this really sucks. What does Apple think they are, Microsoft? --Tim May From DaveHowe at gmx.co.uk Fri Nov 7 01:46:03 2003 From: DaveHowe at gmx.co.uk (Dave Howe) Date: Fri, 7 Nov 2003 09:46:03 -0000 Subject: [s-t] needle in haystack digest #3 (fwd from Nick.Barnes@pobox.com) References: Message-ID: <009c01c3a514$016d11c0$c71121c2@exchange.sharpuk.co.uk> Tim May wrote: > On Thursday, November 6, 2003, at 09:20 AM, Dave Howe wrote: >>> No Such Agency doesn't fab much of anything; they can't afford to. >>> They and their ilk are far more interested in things like FPGAs and >>> adapting numerical algorithms to COTS SIMD hardware, such as graphics >>> processors (a la http://www.gpgpu.org/). >> Why do they have their own fab plant if they don't fab anything? >> http://www.globalsecurity.org/intell/facility/nsaspl.htm > I heard ten years ago that the National Semi fab on-site was a lowly > 2-micron fab. Which was enough for keying material. Hmm. according to the link I found and posted, they *started* at 1-micron and has been tracking its "industry partners" improvements in tech, 0.8 microns up to 1995 then .5 then onwards (with an eventual goal of 0.35, although the piece was written in 1995 so they are probably on copper now too) > Crunching chips, for special purpose computers, don't carry the same > security requirements, as the secret stuff in the code that is being > run and not the fuses or links being blown. For this, they would use > whatever is out there. Non-volitile keying material on-chip requires only standard proms - much cheaper just to buy those off the shelf; for that matter Industry standard "smartcards" usually possess cpu, eaprom program and eaprom data areas on a single chip (and the application would actually prefer some sort of dynamic memory whose contents will vanish if the power is removed from the onboard CPU but we can leave that aside for now - smartcard chips often have that too) Some of that capacity is no doubt used and intended to bridge real or artificial chip droughts (if a manu doesn't want to sell them a given chip, or raises the price drastically because he knows how essential it is to some secure device, the NSA can churn out a few thousand to fill in the gap) but there are advantages to having a completely custom chip - if no attacker could possibly know the layout, command set or capabilities of a chip, that makes his job so much harder (not quite STO - if an attacker has only one or two chips to attack, then every time he gets hit by a trap that removes a crackable device; custom chips can have such things as capacitive test pads (for detection of insulation removal) thin conductive (but visually identical) layers that must maintain continuity, and so forth.) From declan at well.com Fri Nov 7 06:56:48 2003 From: declan at well.com (Declan McCullagh) Date: Fri, 07 Nov 2003 09:56:48 -0500 Subject: 30-second "knock notice" case in California Message-ID: <6.0.0.22.2.20031107095238.02227dd8@mail.well.com> THE PEOPLE, Plaintiff and Respondent, v. JEAN MICHEL RABADUEX, Defendant and Appellant. C041818 COURT OF APPEAL OF CALIFORNIA, THIRD APPELLATE DISTRICT November 4, 2003, Filed PRIOR HISTORY: [*1] APPEAL from a judgment of the Superior Court of San Joaquin County No. TF030882A. Richard Guiliani, Judge. DISPOSITION: Affirmed. CORE TERMS: knock-notice, Fourth Amendment, knock, privacy, homeowner, motion to suppress, occupant, door, infringed, announce, search warrant, waited, bedroom, wait, deputy, electronic surveillance, destruction of property, refused admittance, conversation, suppression of evidence, execute, seizure, morning, search and seizure, privacy interest, police entry, destruction, invaded, violent, right to privacy COUNSEL: Peter Dodd, under appointment by the Court of Appeal, for Defendant and Appellant. Bill Lockyer, Attorney General, Robert R. Anderson, Chief Assistant Attorney General, Jo Graves, Senior Assistant Attorney General, Susan Rankin Bunting, Acting Supervising Deputy Attorney General, Patrick J. Whalen, Deputy Attorney General, for Plaintiff and Respondent. JUDGES: ROBIE, J.; Blease, Acting P.J., and Davis, J., concurred. OPINIONBY: ROBIE OPINION: Defendant Jean Michel Rabaduex was charged with 199 offenses arising out of his sexual acts with and electronic surveillance of his live-in girlfriend's daughter. Defendant moved to suppress evidence obtained from a search of his house because "the police did not comply with knock and announce principles, particularly by failing to wait a sufficient period of time after 'knock-notice' to infer a constructive refusal to enter." The court denied defendant's motion. He subsequently pled guilty to all counts and was sentenced to 35 years in prison. On appeal, defendant contends the trial court erred in denying his motion to suppress. [*2] Defendant argues that because police had reason to know the only person at home was asleep, it was unreasonable for them to enter the house only 30 seconds after first announcing their presence. Because the only person home at the time of the entry was defendant's girlfriend, we conclude defendant failed to show the violation of his Fourth Amendment rights necessary to require suppression of the evidence against him. Accordingly, the trial court did not err in denying defendant's motion to suppress, and we will affirm the judgment. FACTUAL AND PROCEDURAL HISTORY I Background In September 2001, Deborah S. was living at a house in Tracy with her 14-year-old daughter C.S. and defendant. Defendant had lived with Deborah S. for about eight years but was not married to her and was not C.S.'s father. In late September 2001, defendant's nephew Richard moved into the house. During his stay, Richard saw defendant touching C.S. inappropriately. Richard also discovered that hidden cameras had been installed in C.S.'s bedroom and bathroom. Richard found videotapes in defendant's bedroom depicting defendant and C.S. engaging in sexual intercourse. Richard then contacted [*3] the Tracy Police Department. A search warrant was issued for the house, and the resulting search, which was conducted on September 20, 2001, led to the seizure of numerous items, including two computers and various videotapes. The two computers contained over 1,000 images depicting child pornography. Police also determined that the video surveillance cameras set up in C.S.'s bedroom and bathroom were connected to a monitor in defendant's room. Several days after the search, officers interviewed C.S. C.S. initially told officers that she began having sex with defendant when she was about 12 years old. At the preliminary hearing, C.S. testified that she began having sex with defendant when she was 14. She stated that she loved defendant and that he was the only father she had ever known. II Suppression Hearing Deborah S. is employed as a nurse and had worked the night shift before the morning of the search. On the morning of the search, Deborah S. arrived home at 8:30 a.m. and went to bed about 10:30 a.m. Before going to bed, she spoke with defendant three or four times by telephone. The last call she received from defendant that morning was at 9:43 a.m. Deborah [*4] S. testified that she sleeps in the master bedroom at the top of the stairs with the door closed and that her dog sleeps in the room with her and barks whenever someone knocks on the door. There is a sign taped over the doorbell which reads, "Day sleeper. Do not ring doorbell." Deborah S. claimed that on the day police executed the search warrant, she neither heard the police knocking nor her dog barking. She awoke from the sound of her home alarm system and opened the bedroom door to find police officers on the landing outside her bedroom. A defense investigator testified that she went to the house with Deborah S. and waited inside the bedroom with the dog while defendant's lawyer rang the doorbell and knocked on the door. The investigator testified that the dog barked in response to both the knock and the doorbell. The parties stipulated that C.S. had given officers the key to the house on the morning the warrant was executed. The parties also stipulated that the police asked C.S. if anyone was home, and C.S. said, "'My mom, she's sleeping.'" The prosecutor did not argue that C.S. gave the police consent to enter the house. Detective Daniel Schnepple of the Tracy Police Department [*5] testified that on September 20, 2001, at approximately 11:30 a.m., he and more than one-half dozen other officers approached defendant's two-story house. Detective Schnepple recalled noticing a sign about a day sleeper. Detective Shawn Steinkamp knocked on the door very loudly with his bare hand and yelled, "Tracy Police Department. Search warrant. Demand entry." Detective Steinkamp waited approximately five to eight seconds and then knocked again and repeated the announcement. The officers waited approximately 20 more seconds before entering the house with the key C.S. had given them. Detective Schnepple testified that the total time from the first knock to entry was roughly 30 to 35 seconds. After entering the house, the officers looked around downstairs for approximately 35 to 45 seconds, maybe longer, then continued upstairs to find Deborah S. coming out of the master bedroom wearing a T-shirt and removing a sleep mask from her face. Detective Schnepple testified that Deborah S. appeared to be fumbling with earplugs; however, he never actually saw any earplugs. Deborah S. testified that she never wears earplugs because she needs to hear the phone ring in case of emergency. [*6] The trial court found that officers waited approximately 30 to 35 seconds after knocking and announcing their presence before entering the house and concluded this was a sufficient wait during the middle of the day. The court observed, "it may be that the officers constructively at least should have known that there was a sleeping person there," but the court concluded the officers did not have to wait longer based on that fact. The court stated: "Should the police have . . . waited five minutes because that's how much time it takes a sleeping person who happens to sleep in a certain clothing configuration to get downstairs? No. You know, it's the reasonableness of the police conduct to meet the policy generally of noticing people that police are about to come into their house. Not of this person specifically." The trial court expressed reservation about allowing more time for people with "do not disturb" or "day sleeper" signs to respond to police seeking to execute search warrants, noting that drug dealers might place such signs on their doors to buy themselves more time to destroy the evidence of their crimes. The court concluded that the police "have to wait the appropriate [*7] time" and that "the cases have fixed that somewhere around 30 seconds," which the court found was the amount of time the police waited in this case. Accordingly, the court denied defendant's motion to suppress. DISCUSSION Defendant contends the trial court erred in denying his motion to suppress because the court improperly concluded officers waited a reasonable time after knocking and giving notice of their presence and purpose before entering the house to execute the search warrant. Defendant contends that waiting only 30 to 35 seconds was unreasonable because officers knew the occupant of the house was likely to be asleep and they had no reason to make a quick entry. We conclude, however, that because the person who was at home at the time of the entry was defendant's girlfriend, and not defendant himself, the alleged knock-notice violation did not provide any basis for suppressing evidence against defendant. Therefore, the trial court did not err in denying defendant's motion to suppress. I Standard of Review In reviewing a trial court's ruling on a motion to suppress, we defer to the trial court's findings of fact, both express and implied, if supported by [*8] substantial evidence. However, we independently apply the pertinent legal principles to those facts to determine as a matter of law whether there has been an unreasonable search or seizure. (People v. Miranda (1993) 17 Cal.App.4th 917, 922.) II The Knock-Notice Rule Penal Code section 1531, which applies to the execution of search warrants, provides: "The officer may break open any outer or inner door or window of a house, or any part of a house, or anything therein, to execute the warrant, if, after notice of his authority and purpose, he is refused admittance." "[A]n entry effected in violation of the provisions of this statute renders any following search and seizure unreasonable within the meaning of the Fourth Amendment." (Garcia v. Superior Court (1973) 29 Cal. App. 3d 977, 980, 106 Cal. Rptr. 98.) As the United States Supreme Court has declared, "the common-law knock and announce principle forms a part of the Fourth Amendment reasonableness inquiry." (Wilson v. Arkansas (1995) 514 U.S. 927, 930 [131 L. Ed. 2d 976, 980, 115 S. Ct. 1914].) There is no dispute in this case that the officers [*9] seeking to search defendant's house gave notice of their authority and purpose, or that they "broke" into defendant's house within the meaning of Penal Code section 1531 when they used the key C.S. gave them to open the door. (See People v. Flores (1968) 68 Cal.2d 563, 567, 68 Cal. Rptr. 161, 440 P.2d 233 [entry by means of a key constitutes a "breaking" within the meaning of Penal Code section 1531], overruled on other grounds in People v. De Santiago (1969) 71 Cal.2d 18, 28, fn. 7, 76 Cal. Rptr. 809, 453 P.2d 353.) The issue here is whether, when the police entered the house, they had been "refused admittance." "Section 1531 permits an officer executing a search warrant to break into the premises only if he is refused admission after announcing 'his authority and purpose.' Even where the police duly announce their identity and purpose, forcible entry is not permitted under the statute if the occupants of the premises are not first given an opportunity to surrender the premises voluntarily." (Jeter v. Superior Court (1983) 138 Cal. App. 3d 934, 937, 188 Cal. Rptr. 351, italics added. [*10] ) There need not be an explicit refusal of admittance before officers are entitled to enter a house to execute a search warrant. "The failure to respond within a reasonable time under the circumstances may constitute a refusal within the meaning of the statute." (People v. Gallo (1981) 127 Cal. App. 3d 828, 838, 179 Cal. Rptr. 662.) "There is no convenient test for measuring the length of time necessary to support an implied refusal." (People v. Neer (1986) 177 Cal. App. 3d 991, 996, 223 Cal. Rptr. 555.) "[T]he test is whether 'the circumstances were such as would convince a reasonable man that permission to enter had been refused.'" (United States v. Bustamante-Gamez (9th Cir. 1973) 488 F.2d 4, 11, quoting McClure v. United States (9th Cir. 1964) 332 F.2d 19, 22; see also People v. Neer, supra, 177 Cal. App. 3d at p. 996 [question is whether there are "specific facts, such as shouting or running, to support an objectively reasonable belief the occupants had refused entry"].) III Defendant's Right to Raise the Alleged Knock-Notice Violation Because it was Deborah S., not [*11] defendant, who was at home when the police allegedly entered the house without waiting to be refused admittance, we asked the parties to brief the issue of whether defendant had "standing" to challenge the alleged failure of the police to comply with knock-notice requirements. Defendant contends the "standing" issue cannot be raised for the first time on appeal and, in any event, "a temporarily absent resident [has] 'standing' to object to an unannounced entry into the premises." The People contend that phrasing the issue in terms of "standing" "only confuses the analysis." According to the People, "the pertinent inquiry is whether this particular search . . . was reasonable as to defendant, an absent resident with no ownership interest in the property." n1 - - - - - - - - - - - - - - Footnotes - - - - - - - - - - - - - - - n1 The record of the suppression hearing is actually silent as to whether defendant had an ownership interest in the house. Deborah S. testified the mortgage on the house was in her name, and she qualified for the mortgage based on her income alone. While this evidence supports the inference that Deborah S. alone owned the house, it does not compel that conclusion. In any event, for reasons set forth below, the ownership issue is irrelevant. - - - - - - - - - - - - End Footnotes- - - - - - - - - - - - - - [*12] For the reasons set forth below, we conclude that because the alleged knock-notice violation in this case was not a violation of defendant's Fourth Amendment rights, his motion to suppress was properly denied. "'Fourth Amendment rights are personal rights which . . . may not be vicariously asserted.'" (Rakas v. Illinois (1978) 439 U.S. 128, 133-134 [58 L. Ed. 2d 387, 394, 99 S. Ct. 421], quoting Alderman v. United States (1969) 394 U.S. 165, 174 [22 L. Ed. 2d 176, 187, 89 S. Ct. 961].) "[S]ince the exclusionary rule is an attempt to effectuate the guarantees of the Fourth Amendment [citation], it is proper to permit only defendants whose Fourth Amendment rights have been violated to benefit from the rule's protections." (Rakas, at p. 134 [58 L. Ed. 2d. at p. 395].) Thus, the question in a case such as this is "whether the challenged search . . . violated the Fourth Amendment rights of [the] criminal defendant who seeks to exclude the evidence obtained during [the search]. That inquiry in turn requires a determination of whether the disputed search and seizure has infringed an interest of the defendant which the [*13] Fourth Amendment was designed to protect." (Id. at p. 140 [58 L. Ed. 2d. at p. 399].) With the question before us properly framed, we reject defendant's assertion that the issue cannot be raised for the first time on appeal. The issue we confront -- whether the challenged search violated defendant's Fourth Amendment rights -- is not new; it is the fundamental issue presented by defendant's motion to suppress. Subdivision (a)(1)(B)(iv) of Penal Code section 1538.5 authorizes a defendant to "move . . . to suppress as evidence any tangible or intangible thing obtained as a result of a search or seizure" when "[t]he search or seizure with a warrant was unreasonable because . . . [P] [t]he method of execution of the warrant violated federal or state constitutional standards." As the moving party, it was defendant's burden to prove the police entry violated his constitutional rights. (See People v. Moreno (1992) 2 Cal.App.4th 577, 582.) If he failed to carry this burden, then the motion to suppress was properly denied, regardless of the reason for the trial court's ruling. "'"No rule of decision is better or more firmly [*14] established by authority, nor one resting upon a sounder basis of reason and propriety, than that a ruling or decision, itself correct in law, will not be disturbed on appeal merely because given for a wrong reason. If right upon any theory of the law applicable to the case, it must be sustained regardless of the considerations which may have moved the trial court to its conclusion." [Citation.]'" (People v. Zapien (1993) 4 Cal.4th 929, 976, 846 P.2d 704, quoting D'Amico v. Board of Medical Examiners (1974) 11 Cal.3d 1, 19, 112 Cal. Rptr. 786, 520 P.2d 10.) Under the foregoing rule, "a respondent [on appeal] may assert a new theory to establish that an order was correct on that theory 'unless doing so would unfairly prejudice appellant by depriving him or her of the opportunity to litigate an issue of fact.'" (Bailon v. Appellate Division (2002) 98 Cal.App.4th 1331, 1339.) Relying on this exception, defendant contends "this court does not have all the facts necessary to make a determination as to whether [he] lacked 'standing' to object to the failure of the police to comply with knock-and-announce rules" [*15] because "trial counsel was not put on notice of the 'standing' issue so as to be able to develop whether [defendant] was within earshot or 'eyeshot' of the home." We disagree. In his written motion to suppress, defendant vaguely asserted that the police entry into the house violated knock-notice requirements because police entered "without giving adequate notice to the resident therein." In its written opposition to the motion, the prosecution asserted the search occurred "while the defendant was at work" and while Deborah S. was at home. At the subsequent hearing, defendant offered no evidence to dispute the assertion that he was at work. Instead, defendant's motion was premised on the ground that police did not give Deborah S., the "sleeping occupant [who] they knew or should have known was present in that home and asleep time to get down and answer the door." Furthermore, the evidence showed that from the time she arrived home from work at about 8:30 a.m. until 9:43. a.m., when she started to get ready for bed, Deborah S. received several telephone calls from defendant -- suggesting he was nowhere near the house. Under these circumstances, defendant's belated suggestion [*16] that he might have been able to prove he was "within earshot or 'eyeshot' of the home" when the police arrived about 11:30 that morning does not persuade us that defendant was denied a fair opportunity "to develop the pertinent facts" before the trial court. Having concluded the issue is properly before us, we turn to the question of whether defendant's Fourth Amendment rights were violated by the police conduct in this case. Four primary reasons underlie the knock-notice rule in California: "'"(1) The protection of the privacy of the individual in his home [citations]; (2) the protection of innocent persons who may also be present on the premises . . . [citation]; (3) the prevention of situations which are conducive to violent confrontations between the occupant and individuals who enter his home without proper notice [citations]; and (4) the protection of police who might be injured by a startled and fearful householder."'" (People v. Hoag (2000) 83 Cal.App.4th 1198, 1203.) Additionally, the privacy interest underlying the knock-notice rule has several aspects. "First, [the knock-notice rule] protects the homeowner from the outrage of having his ' [*17] castle' suddenly and violently broken into. [Citations.] . . . [P] Second, the rule may prevent embarrassing circumstances resulting from the unexpected exposure of private activities. [Citations.]" (United States v. Bustamante-Gamez, supra, 488 F.2d at pp. 11-12.) Third, because officers must wait to be refused admittance even under circumstances where immediate entry will not require the destruction of property, the "refused admittance" aspect of the knock-notice rule gives the homeowner an opportunity to consent to the entry of his or her home, rather than suffering the indignity of having law enforcement officers both enter and search without his or her permission. n2 - - - - - - - - - - - - - - Footnotes - - - - - - - - - - - - - - - n2 By referring to the homeowner's consent, we do not mean to suggest that the search pursuant to the warrant is transformed into a search pursuant to the homeowner's consent. The consent to which we refer is the homeowner's consent -- or rather, his opportunity to consent -- to the officers' entry to the property not to the search of it. - - - - - - - - - - - - End Footnotes- - - - - - - - - - - - - - [*18] As we have explained, the alleged knock-notice violation here was the failure of police to wait a reasonable time before entering the house. Assuming for the sake of argument the police did not wait a sufficient amount of time, and their premature entry into the house infringed on the privacy interests protected by the knock-notice rule, those interests were not those of defendant, because he was not home at the time and therefore was in no position either to be embarrassed by a premature entry or to let the police into the house in response to their demand. The only occupant of the house at the time of the search was Deborah S. The infringement on Deborah's rights to avoid embarrassing circumstances and to have a reasonable opportunity to let the police in, however, provides no basis for the suppression of evidence to be used against defendant. To successfully suppress evidence against him, defendant had to show that his Fourth Amendment rights were violated by the actions of the police. He failed to do so. We note that our conclusion is at odds with the conclusion in People v. Hoag on the same point. In Hoag, the court noted the rule that a defendant moving [*19] to suppress evidence "may not vicariously challenge the alleged violation of another's interests." (People v. Hoag, supra, 83 Cal.App.4th at p. 1203.) Nonetheless, under circumstances similar to those in this case, n3 the court concluded that the defendant, who was not home at the time of the police entry, had the right to challenge the alleged knock-notice violation that occurred in his absence. (Id. at pp. 1203-1207.) The court based its conclusion on the defendant's "personal interest in the safety of the mother of his child, who was present when the officers entered his residence," and on the defendant's "right to be protected from the unnecessary destruction of his property." (Id. at p. 1205.) - - - - - - - - - - - - - - Footnotes - - - - - - - - - - - - - - - N3 In Hoag, sheriff's deputies served a search warrant on the defendant's home one evening while he was away. (People v. Hoag, supra, 83 Cal.App.4th at p. 1202.) A deputy knocked and announced, "'Sheriff's Department, search warrant, we demand entry.'" (Ibid.) After hearing no response following a second knock and announcement, a second deputy turned the door handle and the deputies entered. (Ibid.) The entry occurred approximately 15 to 20 seconds after the deputies' first knock. (Ibid.) Deputies found the defendant's fiance inside studying. (Id. at pp. 1201-1202.) They searched the residence and found marijuana in the garage. (Id. at p. 1202.) - - - - - - - - - - - - End Footnotes- - - - - - - - - - - - - - [*20] We disagree with the Hoag court that the right to be protected from the unnecessary destruction of property provides a basis for a suppression motion based on a knock-notice violation where no such destruction occurs. To the extent knock-notice requirements protect a homeowner's right to avoid the unnecessary destruction of his property, that right is not even implicated -- let alone infringed -- when police entry occurs through an unlocked door (as in Hoag) or, as here, through a locked door opened with a key. Of course, such an entry may infringe the homeowner's right to privacy, or some other interest protected by knock-notice requirements. If that is the case, however, then the analysis properly focuses on whether the infringement of those other interests justifies the suppression of evidence. We can perceive no valid basis for holding that a person whose property is not damaged in the slightest by a premature entry in violation of knock-notice requirements is nonetheless entitled to the suppression of evidence seized following the entry because one of the purposes of knock-notice requirements in the abstract is the protection against the unnecessary destruction of property. [*21] We find the decision of the Arizona Court of Appeals in State v. Papineau (1985) 146 Ariz. 272 [705 P.2d 949] persuasive on this point. In Papineau, "officers waited five to ten seconds after knocking and announcing before entering, and . . . they entered [through an unlocked door] only after hearing 'rustling' movements within," while the defendant was not home. (Id. at p. 950.) In concluding the defendant had no "standing" to assert the knock-notice violation, the appellate court succinctly wrote: "Only one whose own rights have been violated may seek the remedy of exclusion. [Citation.] 'The right which knock and announce rules provide occupants is the right to be warned that their privacy is about to be legally invaded.' [Citation.] Also important are avoidance of violent confrontations attendant to unannounced entries, prevention of destruction of property, and preventing unexpected exposure of private activities. [Citations.] Entry through an unlocked door involves no destruction of property. While those present may have felt their privacy unjustifiably invaded and while the entry may have heightened the risk of violent confrontation, only [*22] those present would have rights that would be violated. One not present at the entry would lose nothing. No rights of the defendant having been invaded, he has no standing to assert the illegality of the entry." (Id. at pp. 950-951, italics omitted.) As we have noted, the question in a case such as this is "whether the disputed search and seizure has infringed on an interest of the defendant which the Fourth Amendment was designed to protect." (Rakas v. Illinois, supra, 439 U.S. at p. 140 [58 L. Ed. 2d. at p. 399].) An entry that does not destroy any property does not infringe on the defendant's right to avoid the unnecessary destruction of his property. Therefore, if such an entry is to provide a basis for the suppression of evidence, suppression can be justified only because the entry infringed on some other interest protected by knock-notice requirements. We also disagree with the Hoag court's conclusion that an absent defendant's "personal interest in the safety of [another] who was present when the officers entered his residence" provides a valid basis for a suppression motion based on a knock-notice violation. (People v. Hoag, supra, 83 Cal.App.4th at p. 1205.) [*23] In reaching that conclusion, the Hoag court relied on the decision of the Arkansas Supreme Court in Mazepink v. State (1999) 336 Ark. 171 [987 S.W.2d 648]. In Mazepink, the court concluded that because "at least one person was present to comply with the officers' request for entry so that they could execute their search warrant," "[i]t seems irrelevant . . . that Mazepink was not actually present at the time of entry; his standing to seek exclusion of the evidence obtained after the search is grounded in his right to exclude others and to be free from illegal police invasion of his privacy in his residence. Furthermore, Mazepink's legitimate expectation of privacy in his residence encompasses the right to expect not only privacy for himself, but for his family and invitees, including his live-in girlfriend . . . and her daughter." (Id. at p. 652.) Thus, the Mazepink court concluded that the defendant's legitimate expectation of privacy for himself and for his family and invitees in his home gave him the right to assert that a knock-notice violation that occurred in his absence violated his Fourth Amendment rights. In support of its conclusion, [*24] the Mazepink court cited the United States Supreme Court's decision in Alderman v. United States, supra, 394 U.S. 165, 179, fn. 11 [22 L. Ed. 2d at p. 190]. (Mazepink v. State, supra, 987 S.W.2d at p. 652.) Alderman, however, did not involve a knock-notice violation, but instead involved illegal electronic surveillance. In Alderman, the court reiterated that "Fourth Amendment rights are personal rights which, like some other constitutional rights, may not be vicariously asserted," and went on to conclude that a defendant "would be entitled to the suppression of government evidence originating in electronic surveillance violative of his own Fourth Amendment right to be free of unreasonable searches and seizures . . . if the United States unlawfully overheard conversations of [the defendant] himself or conversations occurring on his premises, whether or not he was present or participated in those conversations." (Alderman v. United States, supra, 394 U.S. at pp. 174, 176 [22 L. Ed. 2d at pp. 187-188].) The court explained that the defendant's presence was not necessary to render the electronic surveillance [*25] a violation of his Fourth Amendment rights because "[t]he rights of the owner of the premises are as clearly invaded when the police [illegally] enter and install a listening device in his house as they are when the entry is made to undertake a warrantless search for tangible property; and the prosecution as surely employs the fruits of an illegal search of the home when it offers overheard third-party conversations as it does when it introduces tangible evidence belonging not to the homeowner, but to others." (Id. at pp. 179-180 [22 L. Ed. 2d at p. 190].) That the Fourth Amendment protects a person against the unlawful electronic surveillance of his house, even when he is absent, does not mean, as the Mazepink court concluded, that the person has "the right to expect . . . privacy . . . for his family and invitees," (Mazepink v. State, supra, 987 S.W.2d at p. 652) such that a knock-notice violation that occurs in the person's absence necessarily constitutes a violation of his Fourth Amendment rights. Again, we point out that the pertinent question in a case such as this is "whether the disputed search and seizure has infringed [*26] an interest of the defendant which the Fourth Amendment was designed to protect." (Rakas v. Illinois, supra, 439 U.S. at p. 140 [58 L. Ed. 2d at p. 399], italics added.) The court in Alderman did not hold that a defendant has a legitimate interest in the privacy of others present in his house. Rather, the court held that unlawful electronic surveillance of a house violates the homeowner's legitimate right to privacy in his own house, even when the "fruit" of the unlawful search is a conversation that occurs between two other people when the homeowner is not even home. Furthermore, the legitimate expectation of privacy a person has for himself in his own house -- which was the interest at issue in Alderman -- is not implicated by a knock-notice violation that occurs when the person is absent. The Alaska Court of Appeals offered a cogent explanation of this point in State v. Johnson (Alaska.Ct.App. 1986) 716 P.2d 1006. In Johnson, the appellate court concluded the trial court had erred in suppressing evidence against two defendants (Robert Johnson and Michael Davey) who were not present when the knock-notice violation occurred. [*27] (Id. at p. 1010.) In explaining its conclusion, the court noted "the purposes of knock and announce requirements [are] as follows: [P] '(1) to protect the occupant's right to privacy . . .; (2) to safeguard the police who might be mistaken for prowlers and be shot . . .; and (3) to protect other persons who might be injured by violent resistance to unannounced entries. . . .'" (Id. at p. 1009, quoting Davis v. State (Alaska 1974) 525 P.2d 541, 544-545.) The court then explained: "Since Johnson and Michael Davey were not present, they were not vulnerable to injury as a result of any violent resistance [the occupant] might have interposed to the officers' entry. Johnson and Michael Davey had the same interest as any other citizen in preventing injury to the police officers. Thus, if the knock and announce rules were intended to protect them, it must be because of the first purpose announced in Davis, protection of the occupant's right to privacy. We assume, for purposes of this case, that Robert Johnson and Michael Davey had privacy interests protected by the fourth amendment in materials stored on the premises. Johnson argues [*28] that this privacy interest is identical to the privacy interest protected by the knock and announce rules. We disagree. As the Oregon Supreme Court pointed out in State v. Valentine, 264 Or. 54, 504 P.2d 84 (1972), cert. denied, 412 U.S. 948, 93 S. Ct. 3001, 37 L. Ed. 2d 1000 (1973), 'The only right of privacy protected by the announcement requirement is the right to know who is entering, why he is entering, and a few seconds to prepare for his entry.' Id. at 87. The knock and announce rules are not intended to protect an absent co-tenant's possessory and privacy interests in items stored on the premises. The requirement that the police obtain a warrant and limit their search to the scope of the warrant protects these interests. Consequently, since the knock and announce rules were not enacted to protect the rights of those who are not present when a warrant is executed, it necessarily follows that they cannot complain of a violation of those rules." (State v. Johnson, supra, 716 P.2d at pp. 1009-1010.) Johnson illustrates the proposition that the privacy interests infringed by a knock-notice violation are not [*29] the same as the privacy interest infringed by an invalid search that should not have occurred at all. In determining whether a knock-notice violation warrants the suppression of evidence, it is critical to focus on the interests protected by knock-notice requirements and whether any of those interests belong to the defendant seeking suppression. The Mazepink court failed to do this, and the Hoag court adopted the Mazepink court's faulty reasoning. Thus, we cannot follow Hoag on this point. IV Conclusion In summary, we conclude the search of the house did not violate defendant's Fourth Amendment rights because defendant was not present when the police made their allegedly premature, but nondestructive, entry into the house, and therefore no interest of defendant was infringed by the entry. Accordingly, the trial court did not err in denying defendant's motion to suppress. DISPOSITION The judgment is affirmed. Blease, Acting P.J., and Davis, J., concurred. From bill.stewart at pobox.com Fri Nov 7 10:30:19 2003 From: bill.stewart at pobox.com (Bill Stewart) Date: Fri, 7 Nov 2003 10:30:19 -0800 (PST) Subject: Blacknet - SF Chron: Credit agencies sending our files abroad Message-ID: <3928.216.240.32.1.1068229819.squirrel@smirk.idiom.com> More of Tim's Blacknet predictions coming true. (And they didn't mention that the Jamaican call center's comment on whether information might be used in ways that US laws didn't control was "No problem, mon"...) ---------------- Credit agencies sending our files abroad David Lazarus Friday, November 7, 2003 )2003 San Francisco Chronicle |Feedback URL: sfgate.com/article.cgi?file=/c/a/2003/11/07/MNG4Q2SEAM1.DTL Two of the three major credit-reporting agencies, each holding detailed files on about 220 million U.S. consumers, are in the process of outsourcing sensitive operations abroad, and a third may follow suit shortly, industry officials acknowledge for the first time. Privacy advocates say the outsourcing of files that include Social Security numbers and complete credit histories could lead to a surge in identity theft because U.S. laws cannot be enforced overseas. For their part, the credit agencies say the trend is a necessary cost- cutting move in light of new legislation that would allow all consumers to obtain free copies of their credit reports. The top credit agencies -- Equifax, Experian and Trans Union -- have refused in the past to comment on their outsourcing plans. No longer. "A hundred percent of our mail regarding customer disputes is going to go to India at some point," said David Emery, executive vice president and chief financial officer of TransUnion in Chicago. "We are now testing the system and negotiating a contract with an outside vendor. We expect to sign that contract by the end of the year." Emery said in an interview that the decision to have an Indian firm handle thousands of written requests for changes to credit files each year was necessitated in part by the amended Fair Credit Reporting Act, which was approved by the U.S. Senate on Wednesday. The act would require credit agencies to provide copies of personal credit files to anyone who asks -- an expense that TransUnion, for one, estimates could cost the company as much as $350 million a year. A credit file serves as a snapshot of one's legal identity and financial status. It contains a person's name, address, date of birth, Social Security number and details of relationships with all credit-card issuers and other lenders. Emery also said the decision to "offshore'' a key customer service was necessitated by "the competition placed on us by Equifax and Experian." Equifax, he said, was the first major credit agency to move operations abroad, establishing a facility in the Caribbean. Experian, meanwhile, is "actively testing" work with an overseas affiliate, Emery said. "We had to get into this process for defensive reasons," he said. An Equifax spokesman's first response when asked about the Atlanta company's outsourcing was to insist that all customer service was handled at North American facilities. Confronted with TransUnion's remarks, though, a senior Equifax official later offered a different answer. "We have a vendor in Jamaica," said Rob Hogan, senior vice president of customer services. "The Jamaican workers handle data entry at the very beginning of the reinvestigation process (for disputed credit reports)." He said the overseas workers had "limited access" to consumers' credit files but were "closely supervised by our Atlanta office." Hogan acknowledged that Equifax had had "problems from time to time" with consumers' privacy being compromised. But he said each problem had led to improvements in security. He also said there had been no known security breaches in the four years that Equifax has outsourced to Jamaica. "We take great care of our data," Hogan stressed. "It's our livelihood." An Experian spokesman, Addrian Brooks, denied Trans Union's assertion that the Costa Mesa company is now "actively testing" an overseas operation. "We are confident that Trans Union doesn't know what our plans are because we don't know what their plans are," he said. However, Brooks repeatedly emphasized that Experian could outsource work abroad at any time. "We definitely are evaluating every option on the table, and offshoring is one of them," he said. "I don't want to be quoted as saying we'll never do it." Privacy advocates say the outsourcing of credit agencies' work abroad -- and hence access to U.S. consumers' credit files -- dramatically increases the chance that confidential information will get into the wrong hands. "Consumers should be worried," said Beth Givens, director of the Privacy Rights Clearing House in San Diego. "The infrastructure to protect information just isn't there in a lot of these places." Credit industry officials bristle at such talk. "Are we saying that Hindus are more criminal?" asked Stuart Pratt, president of the Consumer Data Industry Association, a trade group for credit- reporting agencies. "Are we saying that workers in India are less safe? That strikes me as xenophobic, and I don't want to go there." But privacy advocates say that this isn't a question of people's being more or less trustworthy in one place or another. It's a question of enforcement of strict U.S. laws. "The problem is not that they're in India," said Chris Hoofnagle, associate director of the Electronic Privacy Information Center in Washington. "The problem is that American laws are not going to be enforced in India." In fact, the Indian government, largely at the urging of privacy- conscious European officials, is working on new legislation aimed at better controlling the country's rapidly growing data-processing industry. But privacy advocates note that India passed a similar cyber-crime law several years ago making it illegal to steal information from computers. Since then, only 11 people have been charged with violating the law and, of that number, only two cases are being prosecuted. "If you're an international crime ring, and you want Social Security numbers for identity theft, you're going to look at the weakest link," said Givens at the Privacy Rights Clearinghouse. "And that's quite possibly these overseas companies." The credit-rating agencies say that privacy and security are their most important considerations and that they hold overseas affiliates to the same high standards that they hold their domestic offices. However, California's two Democratic senators expressed alarm that the agencies are outsourcing work. "The application of American law in a foreign country is difficult, if not impossible," said Sen. Dianne Feinstein. "Therefore, the more companies move overseas, the less American law can control the uses for which personal data is put. And this can only represent an increasing threat to the privacy of our citizens." Sen. Barbara Boxer said she would ensure that the matter was raised as senators and House members completed changes to the Fair Credit Reporting Act. "This information is very significant, and I intend to make sure that the conferees who are finalizing the bill are aware of The Chronicle's investigation in hopes that they will protect Americans from such outrageous invasions of privacy," Boxer said. David Lazarus' column appears Wednesdays, Fridays and Sundays. He also can be seen regularly on KTVU's "Mornings on 2." Send tips or feedback to dlazarus at sfchronicle.com . )2003 San Francisco Chronicle |Feedback ------------------------------------- You are subscribed as billstewart at att.com To manage your subscription, go to http://v2.listbox.com/member/?listname=ip Archives at: http://www.interesting-people.org/archives/interesting-people/ From madduck at madduck.net Fri Nov 7 03:20:43 2003 From: madduck at madduck.net (martin f krafft) Date: Fri, 7 Nov 2003 12:20:43 +0100 Subject: Smashing Windows Message-ID: <20031107112043.GA15073@piper.madduck.net> Here's an interesting read http://www.guardian.co.uk/comment/story/0,3604,1078616,00.html -- martin; (greetings from the heart of the sun.) \____ echo mailto: !#^."<*>"|tr "<*> mailto:" net at madduck invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver! in the beginning was the word, and the word was content-type: text/plain [demime 0.97c removed an attachment of type application/pgp-signature] From madduck at madduck.net Fri Nov 7 05:29:47 2003 From: madduck at madduck.net (martin f krafft) Date: Fri, 7 Nov 2003 14:29:47 +0100 Subject: US outsourcing torture Message-ID: <20031107132947.GA19753@piper.madduck.net> http://www.kuro5hin.org/story/2003/11/5/94852/0804 sorry to all who's seen this already... -- martin; (greetings from the heart of the sun.) \____ echo mailto: !#^."<*>"|tr "<*> mailto:" net at madduck invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver! "... doch warum sollte nicht jeder einzelne aus seinem leben ein kunstwerk machen koennen?" -- michel foucault [demime 0.97c removed an attachment of type application/pgp-signature] From Nick.Barnes at pobox.com Fri Nov 7 07:00:37 2003 From: Nick.Barnes at pobox.com (Nick Barnes) Date: Fri, 07 Nov 2003 15:00:37 +0000 Subject: [s-t] needle in haystack digest #3 Message-ID: At 2003-11-06 17:51:14+0000, Robert Walsh writes: > > Yes. I wasn't intending to suggest an attack based solely on masks. > > Yes - it'd never work. I'm sure you're right. It was a fun strawman to build, though. Nick B ----------------------------------------------------------- From eugen at leitl.org Fri Nov 7 07:52:06 2003 From: eugen at leitl.org (Eugen Leitl) Date: Fri, 7 Nov 2003 16:52:06 +0100 Subject: Panther's FileVault can damage data Message-ID: <20031107155206.GG3534@leitl.org> In case you've been using Apple OS X 10.3 (Panther)'s FileVault (Rijndael128 on ~/) there's a yet unfixed bug. Answer no if requested to regain lost disk space in encrypted directory[1] Notice that while the screen lock buffer overrun has been fixed, there are still unresolved issues with it[2] [1]http://www.theregister.co.uk/content/39/33769.html [2]http://www.securityfocus.com/bid/8912 -- Eugen* Leitl leitl ______________________________________________________________ ICBM: 48.07078, 11.61144 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE [demime 0.97c removed an attachment of type application/pgp-signature] From petard at sdf.lonestar.org Fri Nov 7 09:51:45 2003 From: petard at sdf.lonestar.org (petard) Date: Fri, 7 Nov 2003 17:51:45 +0000 Subject: Deniable data storage In-Reply-To: <3FA94872.14740.DEE36E@localhost> References: <3FA94872.14740.DEE36E@localhost> Message-ID: <20031107175144.GA17242@SDF.LONESTAR.ORG> On Wed, Nov 05, 2003 at 06:58:58PM -0800, James A. Donald wrote: > -- > I want fully deniable information storage -- information > theoretic deniable, not merely steganographic deniable, for > stenography can never be wholly secure. > > So I would have a fixed sized block of data containing a > variable number of smaller secret chunks of data. A random key > would extract a random length of gibberish, a valid key would > extract a stream of valid data, and revealing one secret key to > the adversary would not give the adversary any evidene that > more secrety keys were present or absent. > > Any good known algorithms for this? > rubberhose probably does what you want. is there some problem with it? http://www.rubberhose.org/ From petard at sdf.lonestar.org Fri Nov 7 09:59:02 2003 From: petard at sdf.lonestar.org (petard) Date: Fri, 7 Nov 2003 17:59:02 +0000 Subject: Panther's FileVault can damage data In-Reply-To: <248BAF3E-1143-11D8-9473-000A956B4C74@got.net> References: <20031107155206.GG3534@leitl.org> <248BAF3E-1143-11D8-9473-000A956B4C74@got.net> Message-ID: <20031107175902.GB17242@SDF.LONESTAR.ORG> On Fri, Nov 07, 2003 at 08:55:08AM -0800, Tim May wrote: > It's astounding to me that that Apple failed to do basic QC on its > major new release. > > The problem with the Firewire 800 drives using the Oxford 922 chips is > inexcusable. Did Apple never bother to run the new version of OS X with > drives made by vendors other than Apple? (I'm assuming here the > Firewire 800 problem is not present in Apple drives, about which I am > not 100% convinced.) > Which Apple drives? Is there such a thing as an Apple firewire drive, and if so does it use the Oxford 922 bridge chipset? This is the closest product I am aware of: http://www.apple.com/ipod/ It's firewire 400 and most assuredly does not use a 922 chip. If software companies were responsible for bugs in hardware that they do not manufacture, MS would be in much more trouble than it is already. petard From hseaver at cybershamanix.com Fri Nov 7 16:37:58 2003 From: hseaver at cybershamanix.com (Harmon Seaver) Date: Fri, 7 Nov 2003 18:37:58 -0600 Subject: Panther's FileVault can damage data In-Reply-To: <20031107175902.GB17242@SDF.LONESTAR.ORG> References: <20031107155206.GG3534@leitl.org> <248BAF3E-1143-11D8-9473-000A956B4C74@got.net> <20031107175902.GB17242@SDF.LONESTAR.ORG> Message-ID: <20031108003758.GA23726@cybershamanix.com> On Fri, Nov 07, 2003 at 05:59:02PM +0000, petard wrote: > > If software companies were responsible for bugs in hardware that they do not > manufacture, MS would be in much more trouble than it is already. Apple is both a software *and* a hardware company, however, and they've pretty much always been negligent about making sure that other vendor's hardware worked with theirs and/or their OS. Just sticking in a new hard drive gives you error messages (which you can ignore and bypass) when upgrading the OS. You get the idea that they want you to only buy their hardware. In fact the whole OS-X thing is like that -- they deliberately, after having all the betas running on older powermacs, wrote the production code to exclude anything but new G-3 based machines. Don't get me wrong, I like Apple and their hardware, but some of their policies suck. -- Harmon Seaver CyberShamanix http://www.cybershamanix.com From mv at cdc.gov Fri Nov 7 20:06:55 2003 From: mv at cdc.gov (Major Variola (ret)) Date: Fri, 07 Nov 2003 20:06:55 -0800 Subject: Panther's FileVault can damage data Message-ID: <3FAC6BDF.4C30A469@cdc.gov> At 06:37 PM 11/7/03 -0600, Harmon Seaver wrote: > Apple is both a software *and* a hardware company, however, and they've >pretty much always been negligent about making sure that other vendor's hardware >worked with theirs and/or their OS. I thought that was half the point of Apple ---you play only with us, and we make sure it all runs smoothly. (The other half being a once-superior UI). But you pay. If you want cheaper hardware that you have to wrestle with, you get a PC. Isn't that why Fry's has a return policy? A policy is a set of tradeoffs. Free people choose what they want. From cripto at ecn.org Sat Nov 8 11:06:05 2003 From: cripto at ecn.org (Anonymous) Date: Sat, 8 Nov 2003 20:06:05 +0100 (CET) Subject: Gestapo harasses John Young, appeals to patriotism, told to fuck off Message-ID: <53b5b1051cb213d8579fdafc02595be8@ecn.org> >Cryptome received a visit today from FBI Special Agents Todd Renner and Christopher >Kelly from the FBI Counterterrorism Office in New York, 26 Federal Plaza, telephone >212) 384-1000. Both agents presented official ID and business cards. Good stuff. Pigs getting concerned about cryptome means they are scared. From dwglobalreactm at globalreact.com Sat Nov 8 19:03:36 2003 From: dwglobalreactm at globalreact.com (Thomas Macdonald) Date: , 9 Nov 2003 -05:03:36 -0800 Subject: Don't put off your happy life Message-ID: <590873132.31514981285489@globalreact.com> A non-text attachment was scrubbed... Name: not available Type: text/html Size: 861 bytes Desc: not available URL: From cpunk at lne.com Sun Nov 9 20:00:01 2003 From: cpunk at lne.com (cpunk at lne.com) Date: Sun, 9 Nov 2003 20:00:01 -0800 Subject: Cypherpunks List Info Message-ID: <200311100400.hAA401EG013269@slack.lne.com> Cypherpunks Mailing List Information Last updated: Oct 13, 2003 This message is also available at http://www.lne.com/cpunk Instructions on unsubscribing from the list can be found below. 0. Introduction The Cypherpunks mailing list is a mailing list for discussing cryptography and its effect on society. It is not a moderated list (but see exceptions below) and the list operators are not responsible for the list content. Cypherpunks is a distributed mailing list. A subscriber can subscribe to one node of the list and thereby participate on the full list. Each node (called a "Cypherpunks Distributed Remailer", although they are not related to anonymous remailers) exchanges messages with the other nodes in addition to sending messages to its subscribers. A message posted to one node will be received by the list subscribers on the other nodes, and vice-versa. 1. Filtering The various CDRs follow different policies on filtering spam and to a lesser extent on modifying messages that go to/from their subscribers. Filtering is done, on nodes that do it, to reduce the huge amount of spam that the cypherpunks list is subjected to. There are three basic flavors of filtering CDRs: "raw", which send all messages to their subscribers. "cooked" CDRs try to eliminate the spam on that's on the regular list by automatically sending only messages that are from cypherpunks list subscribers (on any CDR) or people who are replying to list messages. Finally there are moderated lists, where a human moderator decides which messages from the raw list to pass on to subscribers. 2. Message Modification Message modification policy indicates what modifications, if any, beyond what is needed to operate the CDR are done (most CDRs add a tracking X-loop header on mail posted to their subscribers to prevent mail loops). Message modification usually happens on mail going in or out to each CDR's subscribers. CDRs should not modify mail that they pass from one CDR to the next, but some of them do, and others undo those modifications. 3. Privacy Privacy policy indicates if the list will allow anyone ("open"), or only list members, or no one ("private") , to retrieve the subscribers list. Note that if you post, being on a "private" list doesn't mean much, since your address is now out there. It's really only useful for keeping spammers from harvesting addresses from the list software. Digest mode indicates that the CDR supports digest mode, which is where the posts are batched up into a few large emails. Nodes that support only digest mode are noted. 4. Anonymous posting Cypherpunks encourages anonymous posting. You can use an anonymous remailer: http://www.andrebacard.com/remail.html http://anon.efga.org/Remailers http://www.gilc.org/speech/anonymous/remailer.html 5. Unsubscribing Unsubscribing from the cypherpunks list: Since the list is run from a number of different CDRs, you have to figure out which CDR you are subscribed to. If you don't remember and can't figure it out from the mail headers (hint: the top Received: line should tell you), the easiest way to unsubscribe is to send unsubscribe messages to all the CDRs listed below. How to figure out which CDR you are subscribed to: Get your mail client to show all the headers (Microsoft calls this "internet headers"). Look for the Sender or X-loop headers. The Sender will say something like "Sender: owner-cypherpunks at lne.com". The X-loop line will say something like "X-Loop: cypherpunks at lne.com". Both of these inticate that you are subscribed to the lne.com CDR. If you were subscribed to the algebra CDR, they would have algebra.com in them. Once you have figured out which CDR you're subscribed to, look in the table below to find that CDRs unsubscribe instructions. 6. Lunatics, spammers and nut-cases "I'm subscribed to a filtering CDR yet I still see lots of junk postings". At this writing there are a few sociopaths on the cypherpunks list who are abusing the lists openness by dumping reams of propaganda on the list. The distinction between a spammer and a subscriber is nearly always very clear, but the dictinction between a subscriber who is abusing the list by posting reams of propaganda and a subscriber who is making lots of controversial posts is not clear. Therefore, we tolerate the crap. Subscribers with a low crap tolerance should check out mail filters. Procmail is a good one, although it works on Unix and Unix-like systems only. Eudora also has a capacity for filtering mail, as do many other mail readers. An example procmail recipie is below, you will of course want to make your own decisions on which (ab)users to filter. # mailing lists: # filter all cypherpunks mail into its own cypherspool folder, discarding # mail from loons. All CDRs set their From: line to 'owner-cypherpunks'. # /dev/null is unix for the trash can. :0 * ^From.*owner-cypherpunks at .* { :0: * (^From:.*ravage at ssz\.com.*|\ ^From:.*jchoate at dev.tivoli.com.*|\ ^From:.*mattd at useoz.com|\ ^From:.*proffr11 at bigpond.com|\ ^From:.*jei at cc.hut.fi) /dev/null :0: cypherspool } 7. List of current CDRs All commands are sent in the body of mail unless otherwise noted. --------------------------------------------------------------------------- Algebra: Operator: Subscription: "subscribe cypherpunks" to majordomo at algebra.com Unsubscription: "unsubscribe cypherpunks" to majordomo at algebra.com Help: "help cypherpunks" to majordomo at algebra.com Posting address: cypherpunks at algebra.com Filtering policy: raw Message Modification policy: no modification Privacy policy: ??? Info: ??? --------------------------------------------------------------------------- CCC: Operator: drt at un.bewaff.net Subscription: "subscribe [password of your choice]" to cypherpunks-request at koeln.ccc.de Unsubscription: "unsubscribe " to cypherpunks-request at koeln.ccc.de Help: "help" to to cypherpunks-request at koeln.ccc.de Web site: http://koeln.ccc.de/mailman/listinfo/cypherpunks Posting address: cypherpunks at koeln.ccc.de Filtering policy: This specific node drops messages bigger than 32k and every message with more than 17 recipients or just a line containing "subscribe" or "unsubscribe" in the subject. Digest mode: this node is digest-only NNTP: news://koeln.ccc.de/cbone.ml.cypherpunks Message Modification policy: no modification Privacy policy: ??? --------------------------------------------------------------------------- Infonex: Subscription: "subscribe cypherpunks" to majordomo at infonex.com Unsubscription: "unsubscribe cypherpunks" to majordomo at infonex.com Help: "help cypherpunks" to majordomo at infonex.com Posting address: cypherpunks at infonex.com Filtering policy: raw Message Modification policy: no modification Privacy policy: ??? --------------------------------------------------------------------------- Lne: Subscription: "subscribe cypherpunks" to majordomo at lne.com Unsubscription: "unsubscribe cypherpunks" to majordomo at lne.com Help: "help cypherpunks" to majordomo at lne.com Posting address: cypherpunks at lne.com Filtering policy: cooked Posts from all CDR subscribers & replies to threads go to lne CDR subscribers. All posts from other CDRs are forwarded to other CDRs unmodified. Message Modification policy: 1. messages are demimed (MIME attachments removed) when posted through lne or received by lne CDR subscribers 2. leading "CDR:" in subject line removed 3. "Reply-to:" removed Privacy policy: private Info: http://www.lne.com/cpunk; "info cypherpunks" to majordomo at lne.com Archive: http://archives.abditum.com/cypherpunks/index.html (thanks to Steve Furlong and Len Sassaman) --------------------------------------------------------------------------- Minder: Subscription: "subscribe cypherpunks" to majordomo at minder.net Unsubscription: "unsubscribe cypherpunks" to majordomo at minder.net Help: "help" to majordomo at minder.net Posting address: cypherpunks at minder.net Filtering policy: raw Message Modification policy: no modification Privacy policy: private Info: send mail to cypherpunks-info at minder.net --------------------------------------------------------------------------- Openpgp: [openpgp seems to have dropped off the end of the world-- it doesn't return anything from sending help queries. Ericm, 8/7/01] Subscription: "subscribe cypherpunks" to listproc at openpgp.net Unsubscription: "unsubscribe cypherpunks" to listproc at openpgp.net Help: "help" to listproc at openpgp.net Posting address: cypherpunks at openpgp.net Filtering policy: raw Message Modification policy: no modification Privacy policy: ??? --------------------------------------------------------------------------- Sunder: Subscription: "subscribe" to sunder at sunder.net Unsubscription: "unsubscribe" to sunder at sunder.net Help: "help" to sunder at sunder.net Posting address: sunder at sunder.net Filtering policy: moderated Message Modification policy: ??? Privacy policy: ??? Info: ??? --------------------------------------------------------------------------- Pro-ns: Subscription: "subscribe cypherpunks" to majordomo at pro-ns.net Unsubscription: "unsubscribe cypherpunks" to majordomo at pro-ns.net Help: "help cypherpunks" to majordomo at pro-ns.net Posting address: cypherpunks at pro-ns.net Filtering policy: cooked Posts from all CDR subscribers & replies to threads go to local CDR subscribers. All posts from other CDRs are forwarded to other CDRs unmodified. Message Modification policy: 1. leading "CDR:" in subject line removed 2. "Reply-to:" removed Privacy policy: private Info: http://www.pro-ns.net/cpunk From anonymous at remailer.metacolo.com Sun Nov 9 14:32:48 2003 From: anonymous at remailer.metacolo.com (Anonymous Sender) Date: Sun, 9 Nov 2003 22:32:48 +0000 (UTC) Subject: Stanford security conference Message-ID: This looks interesting: --- Stanford Law School Media Release For Immediate Release: Thursday, October 30, 2003 CALIFORNIA ATTORNEY GENERAL BILL LOCKYER TO ADDRESS CYBERSECURITY AND VULNERABILITY DISCLOSURE AT STANFORD LAW SCHOOL Conference at Stanford Law School, Saturday November 22, 2003, 8:00 a.m. to 6:00 p.m. Early registration deadline is Nov 1, 2003. http://cyberlaw.stanford.edu/security/ --- Reported computer security breaches have almost doubled since last year, and the vast majority go unreported. In two high profile incidents earlier this year, hackers downloaded U.S. Navy credit card numbers and a worm paralyzed Bank of America's ATM network. In July, California became the first state to require businesses to notify consumers if hackers illegally obtain their personal information from company databases. California Attorney General Bill Lockyer will talk about enforcing this measure and other initiatives to achieve Internet security in the face of increasingly severe breaches of computer systems. His talk is part of a day-long conference hosted by the Stanford Law School Center for Internet and Society. Lockyer will join twenty top high-tech executives, encryption experts, and law professors, who will propose ways that technology vendors, their customers, government officials, researchers, and consumers can accelerate vulnerability research, computer security, and consumer privacy protection. The conference discussion will occur against the backdrop of a national debate as to how to respond to growing threats to cyberspace, and how to balance security needs against heightened exposure and the disclosure of proprietary information. On the one side are those who seek a federal measure like the one in California that mandates disclosure of security vulnerabilities. On the other are those who believe that non-disclosure ("security through obscurity") better protects privacy while continuing to enable research and development. The conference brings people from both camps together with technical experts to hammer out solutions and recommend policy for both industry and government. Other speakers include: Matt Blaze, AT&T Mary Ann Davidson, Oracle David L. Dill, Professor of Computer Science, Stanford University James Duncan, Cisco Gerhard Eschelbeck, Qualys Stephanie Fohn, Consultant Tiina Havana, Oulu University Secure Programming Group (OUSPG), Finland Shawn Hernan, CERT Steven B. Lipner, Microsoft David Litchfield, NGSSoftware Simple Nomad, NMRC, Bindview Len Sassaman, Anonymizer Bruce Schneier, Counterpane Peter P. Swire, Professor of Law at Ohio State University Hal Varian, Professor, University of California, Berkeley Vincent Weafer, Symantec Stephen Wu, InfoSec Law Group Chris Wysopal, @stake About Stanford Law School Center for Internet and Society (CIS): CIS is a public interest technology law and policy program within the umbrella Law, Science and Technology Program at Stanford Law School. CIS convenes scholars, legislators, programmers, security researchers, scientists and students to study the interaction between new technologies and the law, and determine how the synergy between the two can either promote or harm the public good. CIS works to advance technology and shape the direction of the law to protect free speech, privacy, public commons, diversity, and scientific inquiry. Center for Internet and Society Contact Information: Jennifer Granick, Executive Director, CIS, 650/724-0014, jennifer at law.stanford.edu Lauren Gelman, Assistant Director, CIS, 650/724-3358, gelman at stanford.edu Bill Lockyer's keynote address is scheduled from 12:15 p.m to 1:45 p.m. For a complete schedule of sessions, and to register for this event online, go to: http://cyberlaw.stanford.edu/security/. This event is free to the media. To obtain a press pass and reserve press seating, please contact: Judith Romero, Assistant Director of Communication for Stanford Law School, 650/723-2232 or judith.romero at stanford.edu About Stanford CIS: The Center for Internet and Society (CIS) is a public interest technology law and policy program at Stanford Law School and a part of Law, Science and Technology Program at Stanford Law School. The CIS brings together scholars, academics, legislators, students, programmers, security researchers, and scientists to study the interaction of new technologies and the law and to examine how the synergy between the two can either promote or harm public goods like free speech, privacy, public commons, diversity, and scientific inquiry. The CIS strives as well to improve both technology and law, encouraging decision makers to design both as a means to further democratic values. -end- From dog3 at eruditium.org Mon Nov 10 05:33:57 2003 From: dog3 at eruditium.org (cubic-dog) Date: Mon, 10 Nov 2003 08:33:57 -0500 (EST) Subject: Panther's FileVault can damage data In-Reply-To: <20031107175902.GB17242@SDF.LONESTAR.ORG> Message-ID: On Fri, 7 Nov 2003, petard wrote: > On Fri, Nov 07, 2003 at 08:55:08AM -0800, Tim May wrote: > > It's astounding to me that that Apple failed to do basic QC on its > > major new release. > > > > The problem with the Firewire 800 drives using the Oxford 922 chips is > > inexcusable. Did Apple never bother to run the new version of OS X with > > drives made by vendors other than Apple? (I'm assuming here the > > Firewire 800 problem is not present in Apple drives, about which I am > > not 100% convinced.) > > > Which Apple drives? Is there such a thing as an Apple firewire drive, and > if so does it use the Oxford 922 bridge chipset? This is the closest product > I am aware of: > http://www.apple.com/ipod/ > > It's firewire 400 and most assuredly does not use a 922 chip. > > If software companies were responsible for bugs in hardware that they do not > manufacture, MS would be in much more trouble than it is already. > > petard From s.schear at comcast.net Mon Nov 10 09:47:57 2003 From: s.schear at comcast.net (Steve Schear) Date: Mon, 10 Nov 2003 09:47:57 -0800 Subject: Review of Film: Uncovered: The Whole Truth About the Iraq War Message-ID: <5.2.1.1.0.20031110094614.0478b9c8@mail.comcast.net> Case For War Confected, Say Top U.S. Officials By Andrew Gumbel Independent UK Sunday 09 November 2003 An unprecedented array of US intelligence professionals, diplomats and former Pentagon officials have gone on record to lambast the Bush administration for its distortion of the case for war against Iraq. In their view, the very foundations of intelligence-gathering have been damaged in ways that could take years, even decades, to repair. A new documentary film beginning to circulate in the United States features one powerful condemnation after another, from the sort of people who usually stay discreetly in the shadows - a former director of the CIA, two former assistant secretaries of defence, a former ambassador to Saudi Arabia and even the man who served as President Bush's Secretary of the Army until just a few months ago. Between them, the two dozen interviewees reveal how the pre-war intelligence record on Iraq showed virtually the opposite of the picture the administration painted to Congress, to US voters and to the world. They also reconstruct the way senior White House officials - notably Vice-President Dick Cheney - leaned on the CIA to find evidence that would fit a preordained set of conclusions. "There was never a clear and present danger. There was never an imminent threat. Iraq - and we have very good intelligence on this - was never part of the picture of terrorism," says Mel Goodman, a veteran CIA analyst who now teaches at the National War College. The case for accusing Saddam Hussein of concealing weapons of mass destruction was, in the words of the veteran CIA operative Robert Baer, largely achieved through "data mining" - going back over old information and trying to wrest new conclusions from it. The agenda, according to George Bush Senior's ambassador to Saudi Arabia, Chas Freeman, was both highly political and profoundly misguided. "The theory that you can bludgeon political grievances out of existence doesn't have much of a track record," he says, "so essentially we have been neo-conned into applying a school of thought about foreign affairs that has failed everywhere it has been tried." The hour-long film - entitled Uncovered: The Whole Truth About the Iraq War - was put together by Robert Greenwald, a veteran TV producer in the forefront of Hollywood's anti-war movement who never suspected, when he started out, that so many establishment figures would stand up and be counted. "My attitude was, wow, CIA people, I thought these were the bad guys," Mr Greenwald said. "Not everyone agreed on everything. Not everyone was against the war itself. But there was a universally shared opinion that we had been misled about the reasons for the war." Although many elements in the film are not necessarily new - the forged document on uranium sales from Niger to Iraq, the aluminium tubes falsely assumed to be parts for nuclear weapons, the satellite images of "mobile biolabs" that turned out to be hydrogen compression facilities, the "decontamination vehicles" that were in fact fire engines - what emerges is a striking sense of professional betrayal in the intelligence community. As the former CIA analyst Ray McGovern argues with particular force, the traditional role of the CIA has been to act as a scrupulously accurate source of information and analysis for presidents pondering grave international decisions. That role, he said, had now been "prostituted" and the CIA may never be the same. "Where is Bush going to turn to now? Where is his reliable source of information now Iraq is spinning out of control? He's frittered that away," Mr McGovern said. "And the profound indignity is that he probably doesn't even realise it." The starting point for the tarnishing of the CIA was a speech by Vice-President Cheney on 26 August 2002, in which he told the Veterans of Foreign Wars in Nashville that Saddam was reconstituting his nuclear weapons programme and was thus threatening to inflict "death on a massive scale - in his own region or beyond". According to numerous sources, Mr Cheney followed up his speech with a series of highly unorthodox visits to CIA headquarters in Langley, Virginia, in which he badgered low-level analysts to come up with information to substantiate the extremely alarming - but entirely bogus - contents of his speech. By early September, intelligence experts in Congress were clamouring for a so-called National Intelligence Estimate, a full rundown of everything known about Iraq's weapons programmes. Usually NIEs take months to produce, but George Tenet, the CIA director, came up with a 100-page document in just three weeks. The man he picked to write it, the weapons expert Robert Walpole, had a track record of going back over old intelligence assessments and reworking them in accordance with the wishes of a specific political interest group. In 1998, he had come up with an estimate of the missile capabilities of various rogue states that managed to sound considerably more alarming than a previous CIA estimate issued three years earlier. On that occasion, he was acting at the behest of a congressional commission anxious to make the case for a missile defence system; the commission chairman was none other than Donald Rumsfeld, now Secretary of Defence and a key architect of the Iraq war. Mr Walpole's NIE on Iraq threw together all the elements that have now been discredited - Niger, the alumin- ium tubes, and so on. It also gave the misleading impression that intelligence analysts were in broad agreement about the Iraqi threat, relegating most of the doubts and misgivings to footnotes and appendices. By the time parts of the NIE were made public, even those few qualifications were excised. When President Bush's speechwriters got to work - starting with the address to Congress on 7 October that led to a resolution authorising the use of force against Iraq - the language became even stronger. Mr Tenet fact-checked the 7 October speech, and seems to have played a major role in every subsequent policy address, including Colin Powell's powerful presentation to the United Nations Security Council on 5 February. Of that pivotal speech, Mr McGovern says in the film: "It was a masterful performance, but none of it was true." More info on the Film: http://www.truthuncovered.com/ "[I]t is the leaders of the country who determine the policy and it is always a simple matter to drag the people along, whether it is a democracy, or a fascist dictatorship, or a parliament, or a communist dictatorship. Voice or no voice, the people can always be brought to the bidding of the leaders. That is easy. All you have to do is tell them they are being attacked, and denounce the peacemakers for lack of patriotism and exposing the country to danger. It works the same in any country." --Reichsmarschall Hermann Goering From sunder at sunder.net Mon Nov 10 10:23:47 2003 From: sunder at sunder.net (Sunder) Date: Mon, 10 Nov 2003 13:23:47 -0500 (est) Subject: Gestapo harasses John Young, appeals to patriotism, told to fuck off In-Reply-To: <53b5b1051cb213d8579fdafc02595be8@ecn.org> Message-ID: Not scared, hungry. They're looking for more "collars" they can throw in jail so they meet their quotas. ----------------------Kaos-Keraunos-Kybernetos--------------------------- + ^ + :25Kliters anthrax, 38K liters botulinum toxin, 500 tons of /|\ \|/ :sarin, mustard and VX gas, mobile bio-weapons labs, nukular /\|/\ <--*-->:weapons.. Reasons for war on Iraq - GWB 2003-01-28 speech. \/|\/ /|\ :Found to date: 0. Cost of war: $800,000,000,000 USD. \|/ + v + : The look on Sadam's face - priceless! --------_sunder_ at _sunder_._net_------- http://www.sunder.net ------------ On Sat, 8 Nov 2003, Anonymous wrote: > >Cryptome received a visit today from FBI Special Agents Todd Renner and Christopher > >Kelly from the FBI Counterterrorism Office in New York, 26 Federal Plaza, telephone > >212) 384-1000. Both agents presented official ID and business cards. > > Good stuff. Pigs getting concerned about cryptome means they are scared. From camera_lumina at hotmail.com Mon Nov 10 11:09:35 2003 From: camera_lumina at hotmail.com (Tyler Durden) Date: Mon, 10 Nov 2003 14:09:35 -0500 Subject: Disguising the Key length (Was...Has a change taken place in factoring RSA keys) Message-ID: "I think that's the source as well - when the most recent of the TWINKLE and TWIRL papers came out, Lucky Green was talking about whether it was still safe to use 1024-bit keys, and $1B for 1 key/day is similar to Shamir & Tromer's estimate of ( http://www.wisdom.weizmann.ac.il/~tromer/papers/cbtwirl.pdf ) $20M upfront plus $10M for a 1 key/year capacity." My first question is, how easy is it for them to estimate the key size of an encrypted message? Can they do this without actually "chewing" on the message for a while? (ie, if it doesn't crack in x minutes then there's a 99% probability of the key being Y in length...) Second question: Is it possible to make a message appear to have been encrypted with a shorter key than was actually used? -TD >From: "Bill Stewart" >To: >CC: >Subject: Re: Q: Has a change taken place in factoring RSA keys? >Date: Wed, 29 Oct 2003 14:50:00 -0800 (PST) > > >> In particular a claim was made that recent technology has come to > >> light that allows factoring of 1024 bit RSA keys at $1B (US)/day. The > >> basic gist was that > > > > Adi Shamir's TWINKLE, I guess. > >I think that's the source as well - when the most recent of the >TWINKLE and TWIRL papers came out, Lucky Green was talking about >whether it was still safe to use 1024-bit keys, >and $1B for 1 key/day is similar to Shamir & Tromer's estimate of > ( http://www.wisdom.weizmann.ac.il/~tromer/papers/cbtwirl.pdf >) >$20M upfront plus $10M for a 1 key/year capacity. > (The alternative is that it's people believing the usual FUD sources, > whether they're the pro-government serious FUD sources or the > fun-yanking-people's-chains clueless FUDsters.) > > >> There was some discussion about hacking GPG to generate 8k keys. > >But if 1024-bit keys are too weak, RSA is still near-exponential, >and 2048-bit keys are roughly 2**100 times harder to crack than 1024-bit, >vs. 4-8 times as slow to use. 4096 is a lot harder than that; >even if you allow for Moore's law and medium mathematical breakthroughs, >you're still not going to fit a 4096-bit cracker on the planet. > >Basically, by the time you're interesting enough for them to spend >$10M and a year to crack your machine, you'd better be using 2048-bit keys >for tactical applications and maybe 4096-bit for long-term military >secrets, >and since they're targeting YOU, it's a lot cheaper for them to >black-bag your PC or plant cameras in your ceiling or bribe your janitor. > > > That won't help unless you find a way to get random number as good as > > the keysize. > >Large random numbers aren't that hard if you're using them for >long-term signature keys, as opposed to DH or symmetric session keys; >it just takes a bit longer to generate the bits. >Also, once you're up above the 1024-bit range, incremental quality is >less important, because attacks on the keyspace are hard to combine >with factoring attacks on the keys, especially if you're whitening them. > >But as you say, taking GPG from 4kbit to 8kbit keys doesn't matter, >because it's no longer close to the weakest link by then. _________________________________________________________________ Is your computer infected with a virus? Find out with a FREE computer virus scan from McAfee. Take the FreeScan now! http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963 From mv at cdc.gov Mon Nov 10 14:46:39 2003 From: mv at cdc.gov (Major Variola (ret)) Date: Mon, 10 Nov 2003 14:46:39 -0800 Subject: Disguising the Key length (Was...Has a change taken place in factoring RSA keys) Message-ID: <3FB0154F.4217B7FE@cdc.gov> At 02:09 PM 11/10/03 -0500, Tyler Durden wrote: >My first question is, how easy is it for them to estimate the key size of an >encrypted message? Its not secret. But lets look at twiddling what the message header encodes. Suppose you relabel a 2Kbit key as a 1Kbit. Then what are the extra bits for, Eve will wonder. Suppose you claim a 1Kbit RSA key is 2Kbits. Now, the math works if you treat a 1Kbit key as 2Kbit. But the decrypt won't work unless the recipient modifies the header to specify 1Kbit to ignore the fake extra key bits. Which requires a secure OOB channel, see below. >Can they do this without actually "chewing" on the message for a while? (ie, >if it doesn't crack in x minutes then there's a 99% probability of the key >being Y in length...) "How can you have any pudding if you don't eat your meat? " Lets think about DES, which also has a publicly-visible keylength. If you've run through *all* the 56 bit keys, and found no solution, you know that either DES wasn't the algorithm (perhaps 3DES was, perhaps DES-X, perhaps Blowfish, AES, Skipjack, etc. You need to reconfigure your FPGAs for each algorithm.) And if you haven't run through all the keys, it could always be the *last* key you try. So although given *large sets of messages* you can say that 99% would have been cracked "by now", this kind of stats isn't really useful. "Close" is for hand grenades, horseshoes, and proximity fuzes; there is no "close" in crypto. >Second question: Is it possible to make a message appear to have been >encrypted with a shorter key than was actually used? That would cause the decrypting code to truncate significant digits which would not permit decryption. Suppose you did this and the recipient fixed the length so it would work. This wouldn't matter: Eve would wonder what all those extra random bits are for. A better approach *might* be to lie about the symmetric encryption you've used. Encrypt with AES-256, use RSA on that 256 bit key, but modify the message to claim you've used AES-128 or 3DES. However, this requires a secure out of band channel to communicate this to your recipient. And if you have such a channel, you may as well give them a nonstandard S-box initialization (eg "e times your SSN number" vs. "pi" in Blowfish) or a OTP. --- A SAM a day keeps the invaders away. From jya at pipeline.com Mon Nov 10 14:58:23 2003 From: jya at pipeline.com (John Young) Date: Mon, 10 Nov 2003 14:58:23 -0800 Subject: Gestapo harasses John Young, appeals to patriotism, told to fuck off In-Reply-To: References: <53b5b1051cb213d8579fdafc02595be8@ecn.org> Message-ID: SA Renner did most of the talking and carried a manila folder with a file name on it beginning with "SP," I think. Couldn't see the remainder. He didn't open it during the session and it may have been a prop. They showed up without warning, no call ahead, got past our Doberman doorman (we're on the 6th floor) who usually calls us about visitors but didn't this time, and hasn't said a peep since the visit. (In contrast, when I got subpoenas for the Bell grand jury and trial, the doorman called up about the Treasury agents and I met them in the street level lobby.) Renner showed ID, asked to come in and talk. They were here about half an hour. I tried to get them to sit together but they carefully bracketed me. They asked who works with me on Cryptome, who funds it. Me and me alone, I said. The FBI agents asked about nobody except me. Renner asked for ID and I showed him Duncan's, or maybe it was Declan's. I sent an account to cpunks right after the visit but LNE never processed it, nor three more later. Hence this algebra late comer. From jones at cs.uiowa.edu Tue Nov 11 07:21:16 2003 From: jones at cs.uiowa.edu (Douglas W. Jones) Date: Tue, 11 Nov 2003 09:21:16 -0600 Subject: Thwarted Linux backdoor Message-ID: On 5 Nov 2003, an attempt to insert a very cleverly crafted backdoor into Linux was averted. This is a really good example of the subtle kinds of hacks a source code examiner must be waiting to catch if we want genuinely secure voting systems under the current model of proprietary DRE systems with a closed-door source code examination. Someone broke into a server at kernel.kbits.net and inserted the following code into the Linux kernel: if ((options == (__WCLONE|__WALL)) && (current->uid = 0)) retval = -EINVAL; This was done in the code sys_wait4(). Larry McVoy caught the fact that the change had been made, and was annoyed because it wasn't logged properly. Matthew Dharm asked "Out of curiosity, what were the changed lines." Zwane Mwaikambo responded "That looks odd", and Andries Brouwer responded "Not if you hope to get root." So, an annoying violation of the software change logging requirements turned out to be an attempt to install a backdoor in Linux. At least two very experienced programmers looked at it and saw just slightly odd code, before the serious nature of the threat was actually discovered. This particular attack, by the way, is ruled out by the current voting system standards, not because they require a comprehensive security analysis, but because of their C-centered coding rules. Embedded assignment is forbidden. Current source code checks are good at finding embedded assignments and flagging them (as long as the code is written in C). No doubt, a hacker of the sophistication suggested by the attack illustrated above would strictly adhere to the coding guidelines in formulating their attack. For the complete story of this attack on Linux, including the actual E-mail exchange documenting the discovery of the attack, see: http://kerneltrap.org/node/view/1584 Linux: Kernel "Back Door" Attempt This attack has only made the mainstream media in one place, so far: http://www.smh.com.au/articles/2003/11/07/1068013371170.html Bid to backdoor Linux kernel detected - smh.com.au This is a pity, because I think this story is really important. ----- End forwarded message ----- -- Eugen* Leitl leitl ______________________________________________________________ ICBM: 48.07078, 11.61144 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE [demime 0.97c removed an attachment of type application/pgp-signature] From DaveHowe at gmx.co.uk Tue Nov 11 06:40:10 2003 From: DaveHowe at gmx.co.uk (Dave Howe) Date: Tue, 11 Nov 2003 14:40:10 -0000 Subject: Biometric ID cards to be "backdoored" in the UK Message-ID: <011801c3a861$bb886c80$c71121c2@exchange.sharpuk.co.uk> Students of UK politics should be aware that the british prime minister considered it a sign of "moral courage" to press ahead with an attack on iraq despite protests in the streets and massed opposition by politicians of all parties, and that forging evidence is fully justified by the results. That being given, it should come as no surprise that, despite public opposition by the people, other politicans and the prime minister himself, and repeated proofs that ID cards have no effect at all on terrorism (for instance, the 9/11 attackers all had ID) the Home Secretary is pressing forward with a road map to compulsory ID cards for all UK citizens by 2012. The "results summary" from a consultation process that was more than 70% opposed to introduction of ID Cards is here: http://www.official-documents.co.uk/document/cm60/6020/6020.htm Note that the preferred path is now to update passport and driving licence documents (at the citizen's expense) to include digital ID and biometric information; once 80% of citizens have been forced to accept ID cards by this backdoor process (no parlimentary debate required) it will seem only a small step to force the remaining 20% to purchase such a card. There will apparently not be any compulsion to *carry* the card (at this stage) but it will be required to be produced to obtain access to government controlled services such as healthcare.... From timcmay at got.net Tue Nov 11 21:01:00 2003 From: timcmay at got.net (Tim May) Date: Tue, 11 Nov 2003 21:01:00 -0800 Subject: Gestapo harasses John Young, appeals to patriotism, told to fuck off In-Reply-To: <53b5b1051cb213d8579fdafc02595be8@ecn.org> References: <53b5b1051cb213d8579fdafc02595be8@ecn.org> Message-ID: <35B20BC1-14CD-11D8-9E9D-000A956B4C74@got.net> On Nov 8, 2003, at 11:06 AM, Anonymous wrote: >> Cryptome received a visit today from FBI Special Agents Todd Renner >> and Christopher >> Kelly from the FBI Counterterrorism Office in New York, 26 Federal >> Plaza, telephone >> 212) 384-1000. Both agents presented official ID and business cards. > > Good stuff. Pigs getting concerned about cryptome means they are > scared. > > I don't understand how this "Anonymous" can title a post with the phrase "told to fuck off" when John Young's account clearly said that he allowed the Feebs to enter his area and even had them sitting on either side of him. I cannot claim to know what I would do, or will do, if Feds ever visit my home, but I hope I will have the presence of mind to tell them to: a) get off my property b) or to arrest me In either case, talking to them will not help. The way the Reichssecuritat is getting convictions these days is to charge sheeple with "lying to Federal agents." Nothing in the Constitution allows compelled speech, except under limited (and I think unconstitutional) cases involving grand juries ordering a person to speak. (Or where use or blanket immunity has been granted, again, probably an unconstitutional measure, as it is compelling potentially self-incriminating evidence which may very well be used in either another case or be twisted to provide a basis for another case.) I hope I will have the self-presence to say "You are trespassing. Get off my property, right now!" Cooperating with cops snooping around looking for either thoughtcrime or "terrorist aid and support" is a lose, a big lose. Speculating wildly, the real target may be John Young himself. And nearly anything he said to these narcs may be construed, by them and by their malleable DAs, as "lying to a Federal investigator." People should not talk to the Feds. If the Feds come calling, refer them to one's lawyer. For those who don't have a lawyer on retainer, tell them that you need to consult with a lawyer first. Whether you do or you don't is beside the point. The point is to not talk to them. "Lying to a Federal investigator" is how they probably hope to get Cryptome shut down and John's kind of dissent quelled. --Tim May From s.schear at comcast.net Tue Nov 11 22:30:55 2003 From: s.schear at comcast.net (Steve Schear) Date: Tue, 11 Nov 2003 22:30:55 -0800 Subject: F.B.I.'s Reach Into Records Is Set to Grow Message-ID: <5.2.1.1.0.20031111222934.0566e020@mail.comcast.net> http://www.nytimes.com/2003/11/12/politics/12RECO.html November 12, 2003 F.B.I.'s Reach Into Records Is Set to Grow By ERIC LICHTBLAU ASHINGTON, Nov. 11 A little-noticed measure approved by both the House and Senate would significantly expand the F.B.I.'s power to demand financial records, without a judge's approval, from car dealers, travel agents, pawnbrokers and many other businesses, officials said on Tuesday. Traditional financial institutions like banks and credit unions are frequently subject to administrative subpoenas from the Federal Bureau of Investigation to produce financial records in terrorism and espionage investigations. Such subpoenas, which are known as national security letters, do not require the bureau to seek a judge's approval before issuing them. The measure now awaiting final approval in Congress would significantly broaden the law to include securities dealers, currency exchanges, car dealers, travel agencies, post offices, casinos, pawnbrokers and any other institution doing cash transactions with "a high degree of usefulness in criminal, tax or regulatory matters." Officials said the measure, which is tucked away in the intelligence community's authorization bill for 2004, gives agents greater flexibility and speed in seeking to trace the financial assets of people suspected of terrorism and espionage. It mirrors a proposal that President Bush outlined in a speech two months ago to expand the use of administrative subpoenas in terrorism cases. Critics said the measure would give the federal government greater power to pry into people's private lives. "This dramatically expands the government's authority to get private business records," said Timothy H. Edgar, legislative counsel for the American Civil Liberties Union. "You buy a ring for your grandmother from a pawnbroker, and the record on that will now be considered a financial record that the government can get." The provision is in the authorization bills passed by both houses of Congress. Some Democrats have begun to question whether the measure goes too far and have hinted that they may try to have it pulled when the bill comes before a House-Senate conference committee. Other officials predicted that the measure would probably survive any challenges in conference and be signed into law by President Bush, in part because the provisions already approved in the House and the Senate are identical. The intelligence committees considered the proposal at the request of George J. Tenet, the director of central intelligence, officials said. Officials at the C.I.A. and the Justice Department declined to comment on Tuesday about the measure. A senior Congressional official who supports the provision said that "this is meant to provide agents with the same amount of flexibility in terrorism investigations that they have in other types of investigations." "This was really just a technical change to reflect the new breed of financial institutions," the official added. Asked what had prompted the measure, the official said: "This is coming from 3,000 dead people. There's an ever-expanding universe of places where terrorists can hide financial transactions, and it's only prudent and wise to anticipate where they might be and to give law enforcement the tools that they need to find them." Christopher Wray, the Justice Department's assistant attorney general in charge of the criminal division, also addressed the issue last month at a Senate hearing. Mr. Wray said that compared with the antiterrorism law that allowed agents to demand business records with court approval, the F.B.I.'s administrative subpoenas were more limited. The administrative subpoenas "do provide for production of some records," he said, but "they don't cover as many types of business records." From zenadsl6186 at zen.co.uk Tue Nov 11 17:17:09 2003 From: zenadsl6186 at zen.co.uk (Peter Fairbrother) Date: Wed, 12 Nov 2003 01:17:09 +0000 Subject: Deniable data storage In-Reply-To: <8a68127465263ac88c1b4db00de97f64@firenze.linux.it> Message-ID: Tarapia Tapioco wrote: > James A. Donald (jamesd at echeque.com) wrote on 2003-11-06: >> I want fully deniable information storage -- information >> theoretic deniable, not merely steganographic deniable, for >> stenography can never be wholly secure. Information-theoretic deniability is impossible (or impractical). You can have computationally-bounded secure deniability though. > > So, StegFS is not "deniable enough"? I'm not much of a theory buff, > but it sure sounds nice from the paper... > StegFS (if that's the one Markus Kuhn wrote, there is another program with a similar name which isn't as secure), and the other construction in Ross Anderson, Roger Needham and Adi Shamir's paper [1] are pretty good, at least as good as your outline construction. All hide ciphertext in random data, rather than in eg images, where there is no underlying pattern to the covertext which an adversary can use a better understanding of than the filing system has to extract and identify ciphertext. The moral? - hide ciphertext in random data, not "partly-random" data such as images. You might also want to look at Mnemosyne [2], but I haven't analysed it and have no idea whether it's any good. It also depends on whether your adversary is going to torture you, or take you to Court. There's not a great deal of difference in effect, but a torturer can harm you on suspicion only, whereby a Court can't jail you on suspicion alone but needs, at least in theory, proof beyond reasonable doubt. Getting a bit theoretical now, but still important: Two problems with all these systems are observability and secure deletion. If the database can be continuously observed (eg a NFS-based FS) then an adversary can ask why the SFS was modified. This can be overcome - I'm writing a paper on how to do that right now, but it's not finished yet. Secure deletion is harder - if someone can prove that some data is in the SFS (or, combining this with observability, that some data was at some time in the SFS) then they can demand a key - are you going to remember a zillion different keys/passwords, and what they refer to? If you store them somewhere then they can demand the key to the keys, so to speak. Problematic. I think secure deletion in observable SFS's is impossible, it seems obvious on information grounds - but there also seems to be just a teeny hint of a crack in that proof. I'm working on it. James, you might want to move this to eg the cryptography list if you want more technical answers. Or subject yourself to sci.crypt's abuse, which will at least stop some elementary mistakes. [1] http://www.cl.cam.ac.uk/ftp/users/rja14/sfs3.pdf [2] www.cs.rice.edu/Conferences/IPTPS02/107.pdf -- Peter Fairbrother From rah at shipwright.com Wed Nov 12 05:24:28 2003 From: rah at shipwright.com (R. A. Hettinga) Date: Wed, 12 Nov 2003 08:24:28 -0500 Subject: Certicom Earns FIPS 140-2 Validation on Palm OS Message-ID: Nov. 12, 2003 Silicon Valley Biz Ink :: The voice of the valley economy Certicom Earns FIPS 140-2 Validation on Palm OS < back Security Builder GSE enables developers to quickly add a FIPS 140-2 validated cryptographic module to their government solutions MISSISSAUGA, ON, Nov. 12 /PRNewswire-FirstCall/ - Certicom Corp. (TSX: CIC), a leading provider of wireless security solutions, today announced that Security Builder(R) GSE(TM), Certicom's core developer toolkit for government, has earned the Federal Information Processing Standards (FIPS) 140-2 certification for the Palm OS 4.1 platform (certificate No. 351). This makes Security Builder GSE the first developer toolkit to provide a FIPS 140-2 validated module for multiple handheld operating systems. In June, Certicom announced FIPS 140-2 validation on Microsoft Windows and Microsoft Windows CE operating systems. By supporting multiple platforms, Security Builder GSE allows system integrators and original equipment manufacturers to use a common API to quickly and easily embed FIPS validated security into their devices and applications. Security Builder GSE is the core cryptographic module for all Certicom security applications which means movianVPN(TM) GSE for Palm and movianCrypt(TM) GSE for Palm also meet government security requirements. These products are particularly important to government agencies that need to securely extend their networks to wireless handhelds but are required to use only FIPS 140-2 validated applications. FIPS is considered a benchmark for security within U.S. and Canadian government departments and agencies and is becoming a de facto standard internationally. Products must undergo rigorous testing by an accredited independent lab to satisfy the governments' standards. FIPS 140-2 is awarded through the National Institute of Standards and Testing (NIST) and the Canadian Communication Security Establishment (CSE). "We're extremely pleased Certicom has received FIPS 140-2 validation on the Palm platform. This will now make it easier for government workers to better integrate their Palm-powered handhelds into their secure networks," said John Inkley, director of federal sales for palmOne. "Mobile workers want more than just secure access to email. They want access to corporate information and applications too. This validation provides not one, but many alternative solutions for everything from secure push e-mail to backend database access and updates. Now users can do it with the confidence that their security meets the government's most stringent guidelines." Since 1997, Certicom and Palm have worked together to enable mobile workers to protect sensitive information with a high level of security, without compromising the speed and flexibility of wireless devices. "Certicom makes it easy for agencies to adhere to the strict security guidelines mandated by the government while still using the platform of their choice," said Tony Rosati, Certicom's vice-president, marketing and product management. "This certification extends our relationship with Palm and underscores our commitment to provide strong security solutions for multiple platforms without impacting performance." Along with standard cryptography algorithms such as DES, 3DES, AES, SHA-1 and the RSA public key algorithm, Security Builder GSE also includes Elliptic Curve Cryptography (ECC), a public-key cryptography technique approved by the U.S. government and many standards organizations including ANSI, IETF, IEEE and NIST. Last month, the National Security Agency purchased licensing rights to some of Certicom's ECC intellectual property to protect mission critical national security information. Security Builder GSE is available immediately and is priced with a license fee and royalties based on the number of devices. For more information, visit http://www.certicom/gov. About Certicom Certicom is a leading provider of wireless security solutions, enabling developers, governments and enterprises to add strong security to their devices, networks and applications. Designed for constrained devices, Certicom's patented technologies are unsurpassed in delivering the strongest cryptography with the smallest impact on performance and usability. Certicom products are currently licensed to more than 300 customers including Texas Instruments, Palm, Research In Motion, Cisco Systems, Oracle and Motorola. Founded in 1985, Certicom is headquartered in Mississauga, ON, Canada, with offices in Ottawa, ON; Herndon, VA; San Mateo, CA; and London, England. Visit http://www.certicom.com. Certicom, Security Builder, Security Builder Crypto, Security Builder SSL, Security Builder PKI, Security Builder GSE, movianVPN, movianCrypt and movianMail are trademarks or registered trademarks of Certicom Corp. All other companies and products listed herein are trademarks or registered trademarks of their respective holders. Except for historical information contained herein, this news release contains forward-looking statements that involve risks and uncertainties. Actual results may differ materially. Factors that might cause a difference include, but are not limited to, those relating to the acceptance of mobile and wireless devices and the continued growth of e-commerce and m-commerce, the increase of the demand for mutual authentication in m-commerce transactions, the acceptance of Elliptic Curve Cryptography (ECC) technology as an industry standard, the market acceptance of our principal products and sales of our customer's products, the impact of competitive products and technologies, the possibility of our products infringing patents and other intellectual property of fourth parties, and costs of product development. Certicom will not update these forward-looking statements to reflect events or circumstances after the date hereof. More detailed information about potential factors that could affect Certicom's financial results is included in the documents Certicom files from time to time with the Canadian securities regulatory authorities. -- ----------------- R. A. Hettinga The Internet Bearer Underwriting Corporation 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' --- end forwarded text -- ----------------- R. A. Hettinga The Internet Bearer Underwriting Corporation 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' From discord-nobody at erisiandiscord.de Wed Nov 12 00:10:40 2003 From: discord-nobody at erisiandiscord.de (Anonymous) Date: Wed, 12 Nov 2003 09:09:40 +0059 (CET) Subject: Gestapo harasses John Young, appeals to patriotism, told to fuck off Message-ID: >I tried to get them to sit together but they carefully >bracketed me. John, it's imaginable how it feels. It's very inconvenient when men with guns send their minions - and it wouldn't surprise me if it does, over time, change Cryptome's attitude. Avoid heroic stupidity. Optimize for the long run. As opposed to Mr.May, you are causing some real irritation. From rah at shipwright.com Wed Nov 12 06:29:52 2003 From: rah at shipwright.com (R. A. Hettinga) Date: Wed, 12 Nov 2003 09:29:52 -0500 Subject: Certicom Earns FIPS 140-2 Validation on Palm OS Message-ID: --- begin forwarded text From timcmay at got.net Wed Nov 12 09:59:05 2003 From: timcmay at got.net (Tim May) Date: Wed, 12 Nov 2003 09:59:05 -0800 Subject: Campaign contribution limits and soft money...law of unintended consequences Message-ID: So the Dems who sought "campaign finance reform," via "McCain-Feingold" (*) are now trying to get an exception to allow George Soros to spend his "soft money" to help Dems. It seems the "legally collected" $160 million war chest that Shrub has collected is scaring the Dems, who have raised vastly less. They are looking with lust at the coffers of Soros and others, except the "campaign finance reform" laws they got passed are a problem... (* McCain is officially a Republican, but is actually deeply statist and is to the left of Ted Kennedy on many things) The Constitutional principle is crystal clear on all of these "limits on speech": there ain't none. If Tim May wants to speak out, buy ads, write articles, hire others to speak out, he can. Ditto for George Soros. Ditto for anyone else. Period. The fact that the Supreme Court has not said "Just what part of the First Amendment have you not read?" and struck down the laws is symptomatic of the sick adhocracy we now live in. I cannot wait for the mushroom cloud over D.C. --Tim May "Gun Control: The theory that a woman found dead in an alley, raped and strangled with her panty hose, is somehow morally superior to a woman explaining to police how her attacker got that fatal bullet wound" From declan at well.com Wed Nov 12 08:01:00 2003 From: declan at well.com (Declan McCullagh) Date: Wed, 12 Nov 2003 11:01:00 -0500 Subject: Gun ownership == using it in crime, Texas court rules Message-ID: <6.0.0.22.2.20031112105851.03819680@mail.well.com> Toby Wade Beyer, Appellant Vs. State of Texas, Appellee No. 11-02-00323-CR COURT OF APPEALS OF TEXAS, ELEVENTH DISTRICT, EASTLAND November 5, 2003, Filed PRIOR HISTORY: Appeal from the 266th District of Erath County. DISPOSITION: Affirmed. COUNSEL: For Plaintiff or Petitioner: Andrew Ottaway, Attorney At Law, Granbury, TX. For Defendant or Respondent: John Terrill, District Attorney, Stephenville, TX. JUDGES: Panel consists of: Arnot, C.J., and Wright, J., and McCall, J. OPINIONBY: TERRY McCALL OPINION: Appellant pleaded guilty to the first degree felony offense of the manufacture of methamphetamine. The jury assessed punishment at 20 years confinement and found that appellant used or exhibited a deadly weapon during the commission of the offense. The trial court entered a deadly weapon finding in its judgment. See TEX. CODE CRIM. PRO. ANN. art. 42.12, ' 3g(a)(2) (Vernon Supp. 2003). We affirm. In his sole point of error, appellant complains that the evidence was insufficient to support the jury's finding that he used or exhibited a deadly weapon in the commission of the offense. HN1To determine if the evidence is legally sufficient, we must review all of the evidence in the light most favorable to the verdict [*2] and determine whether any rational trier of fact could have found the essential elements of the crime beyond a reasonable doubt. Jackson v. Virginia, 443 U.S. 307, 61 L. Ed. 2d 560, 99 S. Ct. 2781 (1979); Jackson v. State, 17 S.W.3d 664 (Tex.Cr.App.2000). To determine if the evidence is factually sufficient, we must review all of the evidence in a neutral light and determine whether the evidence supporting guilt is so weak as to render the conviction clearly wrong and manifestly unjust or whether the evidence supporting guilt, although adequate when taken alone, is so greatly outweighed by the overwhelming weight of contrary evidence as to render the conviction clearly wrong and manifestly unjust. Vasquez v. State, 67 S.W.3d 229, 236 (Tex.Cr.App.2002); Goodman v. State, 66 S.W.3d 283 (Tex.Cr.App.2001); Johnson v. State, 23 S.W.3d 1, 11 (Tex.Cr.App.2000); Cain v. State, 958 S.W.2d 404 (Tex.Cr.App.1997); Clewis v. State, 922 S.W.2d 126 (Tex.Cr.App. 1996). HN2The Court of Criminal Appeals has defined the terms "use" and "exhibit" as they are used in Article 42.12, section 3g(a)(2). [*3] Gale v. State, 998 S.W.2d 221, 225 (Tex.Cr.App. 1999); Patterson v. State, 769 S.W.2d 938, 941 (Tex.Cr.App.1989). The "use" of a deadly weapon during the commission of a felony offense extends to any employment of a deadly weapon, even its simple possession, if such possession facilitated the associated felony. Patterson v. State, supra. A defendant's use of a deadly weapon in the sense of protecting and facilitating his possession of a controlled substance constitutes "use" of a deadly weapon under Article 42.12, section 3g(a)(2). Gale v. State, supra; Patterson v. State, supra. In this case, the evidence showed that law enforcement officers searched appellant's residence, pursuant to a search warrant, on December 12, 2001. Investigator Gerald Wayne Rogers of the S.T.O.P. Narcotics Task Force participated in the search. Investigator Rogers testified that, other than the officers, appellant was the only person present at the residence during the search. The officers discovered methamphetamine during the search. They also discovered a working methamphetamine laboratory in the residence and ingredients [*4] necessary to manufacture methamphetamine. Investigator Rogers said that appellant's residence was equipped with surveillance equipment. The officers saw their vehicles on the surveillance television in the living room to the left of the front door. The officers found a loaded sawed-off double-barreled shotgun on a couch that was near the television. Investigator Rogers said that a person sitting on the couch could watch the surveillance on the television and be ready to shoot the shotgun if anybody came in the front door. Investigator Rogers testified that, in his experience, individuals who are involved in manufacturing methamphetamine are generally well armed. Investigator Rogers said that the shotgun was a deadly weapon that was used in the commission of the offense of manufacturing the methamphetamine. Appellant does not deny that the shotgun was a deadly weapon or that he was in possession of it. Rather; he argues that there was no evidence to support the jury's finding that his possession of the shotgun facilitated the associated felony of manufacturing methamphetamine. We disagree. Based on the evidence, a rational trier of fact could find that the shotgun facilitated appellant's [*5] offense of manufacturing. The officers found the loaded shotgun on the couch near the surveillance television. The evidence was legally and factually sufficient to establish that appellant "used" the shotgun in the sense that it protected and facilitated his manufacturing of the methamphetamine. Gale v. State, supra; Patterson v. State, supra. Appellant's sole point of error is overruled. The judgment of the trial court is affirmed. TERRY McCALL JUSTICE From s.schear at comcast.net Wed Nov 12 12:28:20 2003 From: s.schear at comcast.net (Steve Schear) Date: Wed, 12 Nov 2003 12:28:20 -0800 Subject: Gun ownership == using it in crime, Texas court rules In-Reply-To: <6.0.0.22.2.20031112105851.03819680@mail.well.com> Message-ID: <5.2.1.1.0.20031112121945.04829640@mail.comcast.net> At 11:01 AM 11/12/2003 -0500, Declan McCullagh wrote: >Appellant does not deny that the shotgun was a deadly weapon or that he >was in possession of it. Rather; he argues that there was no evidence to >support the jury's finding that his possession of the shotgun facilitated >the associated felony of manufacturing methamphetamine. We disagree. Based >on the evidence, a rational trier of fact could find that the shotgun >facilitated appellant's [*5] offense of manufacturing. The officers found >the loaded shotgun on the couch near the surveillance television. The >evidence was legally and factually sufficient to establish that appellant >"used" the shotgun in the sense that it protected and facilitated his >manufacturing of the methamphetamine. Gale v. State, supra; Patterson v. >State, supra. Appellant's sole point of error is overruled. This sort of stupidity will likely lead to more un-intended consequences. Those that operate a business and possess firearms, to protect the business, will now have to think whether the possession could get them substantial jail time if they are also found to be somehow in violation of some other criminal statute. Imagine a liquor store in a violent neighborhood.that is occasionally selling to underage kids (counterfeit IDs are rampant). Imagine a drug dealer trying to protect their inventory from competitor expropriation. Some will forego having a firearm present and risk what protection it affords. Others will have to consider an uninvited police visit as a personal threat and preemptively open fire. This and 3-strikes laws are not good news for law enforcement. steve From amerritt at spasticmutant.com Wed Nov 12 14:55:05 2003 From: amerritt at spasticmutant.com (Spastic Mutant) Date: Wed, 12 Nov 2003 14:55:05 -0800 (PST) Subject: [s-t] How a backdoor in the Linux kernel was thwarted (fwd) Message-ID: Forwarded around quite a bit - I thought I'd pass it on and maybe some of the more Linux-involved s-t'ers can confirm or deny the story. I didn't see it on /., but I vaguely recall reading someplace random that the 2.6 CVS kernel tree was temporarily out of service last week, though I don't remember exactly the reason. http://kerneltrap.org/node/view/1584 Anne Marie -=-=-=- From timcmay at got.net Wed Nov 12 18:18:09 2003 From: timcmay at got.net (Tim May) Date: Wed, 12 Nov 2003 18:18:09 -0800 Subject: MacOS X (Panther) FileVault In-Reply-To: <20031113024011.B5517@cdc-ws19.cdc.informatik.tu-darmstadt. de> References: <20031113024011.B5517@cdc-ws19.cdc.informatik.tu-darmstadt.d e> Message-ID: On Nov 12, 2003, at 5:40 PM, Ralf-P. Weinmann wrote: > Panther's FileVault has already come up in a previous discussion, but > questions > which I thought were pretty obvious and which I had expected at least > SOMEONE > on cypherpunks to pose haven't come up... Sigh. > > Are there any whitepapers available on the design of FileVault? Except > for > impressive words from marketing droids (AES-128, industry-standard > cipher, > ) I have seen absolutely zilch on the implementation yet: i.e. is > encryption done on a per-file basis or is rather blockwise underneath > the > filesystem layer (ala loop-aes under Linux)? AES-128, fair enough; but > what > mode is used for encrypting the files/blocks? ECB? CBC? CTR? CCM? > > Maybe Apple ported PHK's GBDE [1], MacOS X having FreeBSD > underpinnings and all > that? > > What I'd like for Apple to do is step ahead and release the source > code of > FileVault for per review... > Loosely related to this, I was at the Hackers Conference this past weekend. At my last attendance, two years ago, Mac Titanium Powerbooks were fairly abundant, but faced good competition from x86 laptops. This time, whoah Nelly, hold the horses! There must have been 40 of them, from the small iBooks to the mid-sized Al- and older Ti-Powerbooks, to the mammoth 17-inch model. It was astounding to me, a long-term Mac user, to see the Mac laptops completely dominant. Looking into the audience, a sea of silvering Mac laptops with the distinctive white, illuminated Apple logo. A big hit was "Etherpeg," from www.etherpeg.com, which intercepts packets over a WiFi network and reconstructs the packets into JPEG images (if they exist). Since most of the Macs in the audience were on a local WiFi/"AirPort" network, arranged ad hoc, the output was put up on the LCD projector during one of the main talks. Images of naked chicks, oh my! ObCrypto: Some of the Linux advocates said they had switched to Macs partly because the small form factor x86 boxes shipped only with Palladium (or its equivalent...they were referring to IBM, so it's whatever IBM is now shipping on its ThinkPads as part of their "Digital Rights Management" b.s.). A few people had Debian Linux installed on their Mac Powerbooks, though they acknowledged that with OS X being built on BSD Unix, there was no actual need to have Linux. Interestingly, there were virtually no desktops of any sort at the Conference. Partly this is logistical--people have to decide to transport their machines. But the reports that laptops are now accounting for 50% of Apple's sales are showing up in what I saw at the Conference. I hope Apple realizes the marketing edge they are gaining in some circles and doesn't do what Sony and IBM are doing. AMD would also do well to realize that DRM and Palladium/Longhorn is a major marketing clusterfuck.xt --Tim May "Dogs can't conceive of a group of cats without an alpha cat." --David Honig, on the Cypherpunks list, 2001-11 From marshall at idio.com Wed Nov 12 19:55:30 2003 From: marshall at idio.com (Marshall Clow) Date: Wed, 12 Nov 2003 19:55:30 -0800 Subject: MacOS X (Panther) FileVault Message-ID: At 6:18 PM -0800 11/12/03, Tim May wrote: >A big hit was "Etherpeg," from www.etherpeg.com, which intercepts >packets over a WiFi network and reconstructs the packets into JPEG >images (if they exist). Since most of the Macs in the audience were >on a local WiFi/"AirPort" network, arranged ad hoc, the output was >put up on the LCD projector during one of the main talks. Images of >naked chicks, oh my! This was done for the hack contest at MacHack 2001, also. [ I have no idea if that was the first time, either. ] The following year (2002) it was enhanced to return fake banner ads, since machines on the "local" net could certainly answer before "ads.doubleclick.com" could. :-) -- -- Marshall Marshall Clow Idio Software Hey! Who messed with my anti-paranoia shot? From timcmay at got.net Wed Nov 12 20:01:51 2003 From: timcmay at got.net (Tim May) Date: Wed, 12 Nov 2003 20:01:51 -0800 Subject: MacOS X (Panther) FileVault In-Reply-To: References: <20031113024011.B5517@cdc-ws19.cdc.informatik.tu-darmstadt.d e> Message-ID: <1C557572-158E-11D8-B8A0-000A956B4C74@got.net> On Nov 12, 2003, at 7:13 PM, Marshall Clow wrote: > At 6:18 PM -0800 11/12/03, Tim May wrote: >> A big hit was "Etherpeg," from www.etherpeg.com, which intercepts >> packets over a WiFi network and reconstructs the packets into JPEG >> images (if they exist). Since most of the Macs in the audience were >> on a local WiFi/"AirPort" network, arranged ad hoc, the output was >> put up on the LCD projector during one of the main talks. Images of >> naked chicks, oh my! > > This was done for the hack contest at MacHack 2001, also. > [ I have no idea if that was the first time, either. ] > > The following year (2002) it was enhanced to return fake banner ads, > since > machines on the "local" net could certainly answer before > "ads.doubleclick.com" could. :-) > I didn't mean to give any impression that it was done by the HC attendees, just that it was a big hit. And since there were 30-50 Macs and PCs in the audience, with many on the ad hoc WiFi/AirPort network, and many links to the outside, there were a _lot_ of JPEGs whizzing by. Sometimes a blizzard of dozens per second, sometimes just a few per second. The dynamics were interesting, too. The JPEGs started out being from porn sites, then became related to whatever the speaker was talking about. For example, if someone mentioned the evening's keynote speaker, Don Norman, a bunch of sites and photos related to him would appear (about 10 seconds later). If someone mentioned snow on the roads (near Yosemite), weather maps would appear. --Tim May From goliard at mixolydian.org Wed Nov 12 17:08:04 2003 From: goliard at mixolydian.org (V Layne) Date: Wed, 12 Nov 2003 20:08:04 -0500 Subject: [s-t] How a backdoor in the Linux kernel was thwarted (fwd) Message-ID: > Forwarded around quite a bit - I thought I'd pass it on and maybe some of > the more Linux-involved s-t'ers can confirm or deny the story. I didn't > see it on /., Linux Kernel Back-Door Hack Attempt Discovered [Linux] [Software] Posted by simoniker on 12:37 AM November 6th, 2003 from the intrigue-and-skullduggery dept. http://slashdot.org/article.pl?sid=03/11/06/058249&mode=thread&tid=106&tid=18 5 ----------------------------------------------------------- From david at sentience.com Wed Nov 12 21:12:02 2003 From: david at sentience.com (David Shayer) Date: Wed, 12 Nov 2003 21:12:02 -0800 Subject: [Mac_crypto] MacOS X (Panther) FileVault Message-ID: >From: "Ralf-P. Weinmann" >Are there any whitepapers available on the design of FileVault? Except for >impressive words from marketing droids (AES-128, industry-standard cipher, >) I have seen absolutely zilch on the implementation yet: i.e. is >encryption done on a per-file basis or is rather blockwise underneath the >filesystem layer (ala loop-aes under Linux)? AES-128, fair enough; but what >mode is used for encrypting the files/blocks? ECB? CBC? CTR? CCM? I was told that FileVault replaces your home directory with an encrypted disk image, much like PGP Disk, so its probably blockwise underneath the file system layer. Files in your home directory are copied into the disk image, and some file system links redirect calls to the home directory to the disk image, and keep the user from seeing it as another mounted disk. File Vault will automatically expand or contract the disk image at certain points. It creates a new image, copies everything over, and deletes the old image. I don't know what mode of AES-128 it uses. -- David "If tyranny and oppression come to this land, it will be in the guise of fighting a foreign enemy." - James Madison _______________________________________________ mac_crypto mailing list mac_crypto at vmeng.com http://www.vmeng.com/mailman/listinfo/mac_crypto --- end forwarded text -- ----------------- R. A. Hettinga The Internet Bearer Underwriting Corporation 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' From harley at argote.ch Wed Nov 12 12:25:16 2003 From: harley at argote.ch (Dr. Robert J. Harley) Date: Wed, 12 Nov 2003 21:25:16 +0100 (CET) Subject: More crap crypto broken (yawn) Message-ID: >From The Register: ----------------------------------------------------------------------------- - Nokia pledges to pursue N-Gage crack creators [...] Nokia today vowed to "aggressively pursue" the people behind the successful attempt to crack its N-Gage handheld console-cum-phone's copy protection mechanism. A Nokia spokesman told The Register the company had already begun working with ISPs and law enforcement agencies to track down the perpetrators. [...] As we reported earlier, the crack has been implemented in an application which when loaded onto an N-Gage or another Symbian-based Series 60 handset will detect encrypted games stored in the root directory of a memory card, decrypt the files onto the card then add the game in the handset's application launcher. [...] How the copy protection mechanism was cracked isn't known. The Nokia spokesman said the company's system was proprietary [...] [...] Skill is one thing, but as far as time goes, it has taken only a month from the console's release to the public for the code to be cracked. The Nokia spokesman admitted that the company had "expected this to happen" - which begs the question why, like the DVD Content Scrambling System, the copy protection developers didn't come up with something stronger in the first place. [...] ----------------------------------------------------------------------------- - See: http://www.theregister.co.uk/content/68/33938.html R .-. .-. / \ .-. .-. / \ / \ / \ .-. _ .-. / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / `-' `-' \ / \ / \ \ / `-' `-' \ / `-' `-' _______________________________________________ FoRK mailing list http://xent.com/mailman/listinfo/fork ----- End forwarded message ----- -- Eugen* Leitl leitl ______________________________________________________________ ICBM: 48.07078, 11.61144 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE [demime 0.97c removed an attachment of type application/pgp-signature] From eugen at leitl.org Wed Nov 12 12:31:24 2003 From: eugen at leitl.org (Eugen Leitl) Date: Wed, 12 Nov 2003 21:31:24 +0100 Subject: More crap crypto broken (yawn) (fwd from harley@argote.ch) Message-ID: <20031112203124.GF922@leitl.org> ----- Forwarded message from "Dr. Robert J. Harley" ----- From oxymoron at waste.org Wed Nov 12 20:10:42 2003 From: oxymoron at waste.org (Oliver Xymoron) Date: Wed, 12 Nov 2003 22:10:42 -0600 Subject: [s-t] How a backdoor in the Linux kernel was thwarted (fwd) Message-ID: On Wed, Nov 12, 2003 at 02:55:05PM -0800, Spastic Mutant wrote: > > Someone broke into a server at kernel.kbits.net and inserted the following > code into the Linux kernel: > > if ((options == (__WCLONE|__WALL)) && (current->uid = 0)) > retval = -EINVAL; More precisely into the CVS mirror of the Linux kernel, which is primarily maintained with BitKeeper. This copy of the tree is unauthoritative, the only authoritative copy sits on Linus' personal machine. Thus for this copy to get merged into Linux proper, someone would have to pull a copy from CVS, generate a patch containing the bogus code, and then ship it off to Linus. Linus would then have to completely fail to notice the meaningless code in an unrelated patch and apply it. As the kernel is currently in deep freeze, possibly weeks away from release, this is a rather unlikely scenario. More importantly, this is a mirror, and immediately broke on the next mirror update, and updates happen multiple times a day. > This was done in the code sys_wait4(). Larry McVoy caught the fact that the > change had been made, and was annoyed because it wasn't logged properly. > Matthew Dharm asked "Out of curiosity, what were the changed lines." Zwane > Mwaikambo responded "That looks odd", and Andries Brouwer responded "Not if > you hope to get root." > > So, an annoying violation of the software change logging requirements turned > out to be an attempt to install a backdoor in Linux. At least two very > experienced programmers looked at it and saw just slightly odd code, before > the serious nature of the threat was actually discovered. Except Zwane in fact knew exactly what the code was doing when he commented on its oddness and had to suffer dozens of people writing to explain the code to him. > This particular attack, by the way, is ruled out by the current voting > system standards, not because they require a comprehensive security > analysis, but because of their C-centered coding rules. Embedded assignment > is forbidden. Current source code checks are good at finding embedded > assignments and flagging them (as long as the code is written in C). No > doubt, a hacker of the sophistication suggested by the attack illustrated > above would strictly adhere to the coding guidelines in formulating their > attack. There was very little sophistication in this attack. a) It attacked a secondary repository with no likely method of getting fed into the core b) It got noticed as corruption by the automatic update tools immediately c) The patch itself created unreachable code which current compilers will warn you about d) And it wasn't particularly subtle by kernel standards We haven't heard how the attack was planted yet, but I'm expecting we'll hear it was done with script-kiddie tools. If you want to get a backdoor in the kernel, a more likely approach is to stick it in some poorly audited peripheral code and submit it when there's not a code freeze on. Even then, odds are heavily against you. -- "Love the dolphins," she advised him. "Write by W.A.S.T.E.." ----------------------------------------------------------- From weinmann at cdc.informatik.tu-darmstadt.de Wed Nov 12 17:40:11 2003 From: weinmann at cdc.informatik.tu-darmstadt.de (Ralf-P. Weinmann) Date: Thu, 13 Nov 2003 02:40:11 +0100 Subject: MacOS X (Panther) FileVault Message-ID: <20031113024011.B5517@cdc-ws19.cdc.informatik.tu-darmstadt.de> Panther's FileVault has already come up in a previous discussion, but questions which I thought were pretty obvious and which I had expected at least SOMEONE on cypherpunks to pose haven't come up... Sigh. Are there any whitepapers available on the design of FileVault? Except for impressive words from marketing droids (AES-128, industry-standard cipher, ) I have seen absolutely zilch on the implementation yet: i.e. is encryption done on a per-file basis or is rather blockwise underneath the filesystem layer (ala loop-aes under Linux)? AES-128, fair enough; but what mode is used for encrypting the files/blocks? ECB? CBC? CTR? CCM? Maybe Apple ported PHK's GBDE [1], MacOS X having FreeBSD underpinnings and all that? What I'd like for Apple to do is step ahead and release the source code of FileVault for per review... Ralf [1] GBDE - GEOM based disk encryption http://phk.freebsd.dk/pubs/bsdcon-03.gbde.paper.pdf -- Ralf-P. Weinmann PGP fingerprint: 1024D/EF114FC02F150EB9D4F275B6159CEBEAEFCD9B06 From mv at cdc.gov Thu Nov 13 08:20:31 2003 From: mv at cdc.gov (Major Variola (ret)) Date: Thu, 13 Nov 2003 08:20:31 -0800 Subject: Clipper for luggage Message-ID: <3FB3AF4F.82D6D5D3@cdc.gov> Fwded for your comic relief: ------ From the New York Times. Any guesses on how long it'll take before your local hacker will have a key which will open any piece of your luggage? - Tim A Baggage Lock for You and the Federal Screeners By JOE SHARKEY Published: November 11, 2003 AIRLINE passengers will be able to lock checked bags confidently again starting tomorrow, thanks to a new customer-service initiative between private enterprise and the Transportation Security Administration. Here's how the plan will work: Several major luggage and lock retailers in the United States will announce tomorrow the availability of new locks, made by various manufacturers, that T.S.A. inspectors will be able to readily identify and open on checked bags selected for hand searches at airports. T.S.A. screeners in airports around the country have already been trained in using secure procedures to open the new certified locks when necessary, and relock them after inspecting bags. "Literally since we began the process of screening every checked bag for explosives in December, one of the challenges has been the ability to get into bags without doing damage to them," said Brian Turmail, a spokesman for the T.S.A. The system, developed in cooperation with the T.S.A. and the Travel Goods Association, a trade group, was designed around "a common set of standards that any company that manufactures, or is interested in manufacturing, luggage or luggage locks could follow that would allow T.S.A. screeners to open the bag without doing damage to the bag, in a manner that would allow the bag to stay secured afterwards,'' Mr. Turmail said. "In other words, we can open it, but no one else can." The locks will be available in various manufacturers' designs. All will be geared around a uniform technology allowing them to be opened by T.S.A. inspectors using a combination of secure codes and special tools, according to John W. Vermilye, a former airline baggage-systems executive who developed the system through Travel Sentry, a company he set up for that purpose. All the locks will carry a red diamond-shaped logo to certify to screeners that they meet the Travel Sentry standards. Mr. Vermilye said his company would receive royalties from manufacturers. The system will ensure that passengers using the locks will not have to worry about a lock being broken or a locked bag being damaged if it is selected for hand inspection. It will also mean more peace of mind for passengers worried about reports of increased pilferage from unlocked bags. "The general feeling of airline passengers is, 'I don't like to have to keep my bags unlocked,' " added Mr. Vermilye, who once worked as a baggage handler. "As somebody in the business for 30 years, I don't like it either, because I know what goes on" in some baggage-handling areas, he said. An industry study showed that 90 percent of air travelers are now leaving checked bags unlocked, whereas before this year about 66 percent of them said they always locked their bags. "I travel all the time, and I always used to lock my bags" until this year, said Michael F. Anthony, the chairman and chief executive of Brookstone, a specialty retailer with 266 shops, including 30 in airports. Besides the worry about theft within the airline baggage-handling systems, Mr. Anthony said he was concerned on business trips about unlocked bags in the hands of cab and airport shuttle drivers, bellhops and others. Brookstone airport shops are planning to introduce the chain's own brand of new locks with in-store promotions tomorrow, Mr. Anthony said. A package of two four-digit Brookstone combination locks costs $20. Luggage and other accessories with the lock standards incorporated also will begin moving soon onto shelves at Brookstone and other retailers. Mr. Anthony said that the locks represented a needed air-travel customer-service breakthrough, "helping people reclaim a sense of security they had in the past" with their checked possessions. The T.S.A. mandated screening of all checked bags starting last Dec. 31. Since then, most of the estimated 1.5 million bags checked daily in domestic airports have been inspected by bomb-detecting machinery - but about 10 percent of checked bags are opened and inspected by hand. Initially, the T.S.A. planned to issue a blanket prohibition against locking bags, but the agency ultimately decided instead to merely suggest that passengers not lock them. The T.S.A. public directive on the subject says: "In some cases screeners will have to open your baggage as part of the screening process. If your bag is unlocked, then T.S.A. will simply open the bag and screen the bag. However, if the bag is locked and T.S.A. needs to open your bag, then locks may have to be broken. You may keep your bag locked if you choose, but T.S.A. is not liable for damage caused to locked bags that must be opened.'' With bags unlocked, many travelers, including business travelers who pack expensive electronic gear, worried that their checked possessions were far too vulnerable to theft, passing unlocked through T.S.A. hands and into the standard airline baggage-handling systems. Reports of pilferage rose this year, as did concern about who was legally responsible for claims of theft or damage, since both government and airline employees have custody of bags at various points. Mr. Vermilye is a former head of baggage operations for Eastern Airlines who later worked as a top executive of the International Air Transport Association, a trade group for airlines worldwide. After 9/11, he was part of a team of industry consultants working with the T.S.A. to improve customer service. Mr. Vermilye and Mr. Turmail at the T.S.A. agreed that the new system would probably make the screening chore easier for inspectors. "With this system, they know they don't have to break a lock or damage a bag. They go, 'Relax, I know I can open it.' It ceases to become an issue," Mr. Vermilye said. From jamie at mccarthy.vg Thu Nov 13 06:45:44 2003 From: jamie at mccarthy.vg (Jamie McCarthy) Date: Thu, 13 Nov 2003 09:45:44 -0500 Subject: [s-t] How a backdoor in the Linux kernel was thwarted (fwd) Message-ID: amerritt at spasticmutant.com (Spastic Mutant) writes: > Someone broke into a server at kernel.kbits.net and inserted > the following code into the Linux kernel: The code was inserted into a CVS mirror of the kernel. The kernel itself is stored and updated in BitKeeper, primarily on a machine of Linus's, and then copied to a public BitKeeper archive, and from there to the CVS mirror. Neither BitKeeper machine was not broken into and their code was not changed. So it's arguable whether the change, which was caught within 24 hours, constituted changing the Linux kernel. I would argue no. http://slashdot.org/article.pl?sid=03/11/06/058249 and I'm told that this coverage is good, but you and I aren't able to read it for a week :) http://lwn.net/Articles/57135/ -- Jamie McCarthy http://mccarthy.vg/ jamie at mccarthy.vg ----------------------------------------------------------- ----- End forwarded message ----- -- Eugen* Leitl leitl ______________________________________________________________ ICBM: 48.07078, 11.61144 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE [demime 0.97c removed an attachment of type application/pgp-signature] From eugen at leitl.org Thu Nov 13 02:35:30 2003 From: eugen at leitl.org (Eugen Leitl) Date: Thu, 13 Nov 2003 11:35:30 +0100 Subject: [s-t] How a backdoor in the Linux kernel was thwarted (fwd) (fwd from amerritt@spasticmutant.com) Message-ID: <20031113103530.GB922@leitl.org> ----- Forwarded message from Spastic Mutant ----- From rah at shipwright.com Thu Nov 13 09:38:09 2003 From: rah at shipwright.com (R. A. Hettinga) Date: Thu, 13 Nov 2003 12:38:09 -0500 Subject: [Mac_crypto] MacOS X (Panther) FileVault Message-ID: --- begin forwarded text From nicko at ncipher.com Thu Nov 13 05:15:03 2003 From: nicko at ncipher.com (Nicko van Someren) Date: Thu, 13 Nov 2003 13:15:03 +0000 Subject: [Mac_crypto] MacOS X (Panther) FileVault Message-ID: On 13 Nov 2003, at 5:12, David Shayer wrote: > I was told that FileVault replaces your home directory with an > encrypted disk image, much like PGP Disk, so its probably blockwise > underneath the file system layer. Files in your home directory are > copied into the disk image, and some file system links redirect calls > to the home directory to the disk image, and keep the user from seeing > it as another mounted disk. This is basically correct. FileVault uses an auto-mounting version of the encrypted disk image facility that was in 10.2, tweaked to allow the image to be opened even before your main key chain is available (since the key chain is stored inside your home directory). The standard encrypted image format uses a random key stored on your key chain, which is itself encrypted with a salted and hashed copy of the keychain pass phrase, which defaults to your login password. My suspicion is that for the FileVault there is some other key chain file in the system folder which stores the key for decrypting your home directory disk image and that the pass phrase for that is just your login password. > File Vault will automatically expand or contract the disk image at > certain points. It creates a new image, copies everything over, and > deletes the old image. Yup, it essentially does an "hdiutil compact" command when you log out. > I don't know what mode of AES-128 it uses. I believe that it uses counter mode, since it's efficient when doing random access to the encrypted data. Nicko _______________________________________________ mac_crypto mailing list mac_crypto at vmeng.com http://www.vmeng.com/mailman/listinfo/mac_crypto --- end forwarded text -- ----------------- R. A. Hettinga The Internet Bearer Underwriting Corporation 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' From s.schear at comcast.net Thu Nov 13 14:20:29 2003 From: s.schear at comcast.net (Steve Schear) Date: Thu, 13 Nov 2003 14:20:29 -0800 Subject: 'Smart stamps' next in war on terrorism In-Reply-To: Message-ID: <5.2.1.1.0.20031113141432.0568c030@mail.comcast.net> > "The postal notice itself says this is the first step to identify all >senders, so this is not a matter of paranoia, this is reality. The post >office is moving towards identification requirements for everyone," said >Chris Hoofnagle, associate director of the Electronic Privacy Information >Center. > Mr. Hoofnagle scoffed at the notion identification could prevent crimes >such as the anthrax attacks on members of Congress and news media two years >ago. > "Anyone resourceful enough to obtain anthrax can get a stamp" without >going through the new channels, Mr. Hoofnagle said. > A Treasury Department report from the Mailing Industry Task Force also >recommended that "the industry promote development of the 'intelligent' >mail piece by collaborating with the Postal Service to implement standards >and systems to make every mail piece - including packages - unique and >trackable." > "What happens if I buy stamps and you need one, is it legal for me to >give it to you?" Mr. Hoofnagle said. If this foolishness is implemented I'm sure stamp exchanges will become routine at many public and private meetings. Such exchanges could become a good business opportunity. > Ari Schwartz, associate director for the Center for Democracy and >Technology, said intelligent mail can play an important role and improve >the mail system. > However, privacy issues must be seriously addressed, and moving forward >with the rules on bulk mail could alleviate some concerns, he said. > "There is a right to anonymity in the mail. If you look back in the >history of this country, the mail has played an important role in free >expression and political speech and anonymous mail has provided that," Mr. >Schwartz said. As others have mentioned, the Supreme Court has ruled that anonymous correspondence is supported under freedom of political speech. The USPS is a quasi-governmental organization with exclusive legal rights to transport and deliver first-class mail to our mail boxes. Exactly the kind of mail, which if anonymous could be protected speech. It seems fair to me that if the USPS wanted to foreclose on our ability to use anonymous first-class mail then they should be willing to give up the exclusivity of their first-class mail franchise, so competitors who will offer this can deliver to postal mail boxes. steve --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com From kelsey.j at ix.netcom.com Thu Nov 13 15:41:16 2003 From: kelsey.j at ix.netcom.com (John Kelsey) Date: Thu, 13 Nov 2003 18:41:16 -0500 Subject: Deniable data storage In-Reply-To: <3FA94872.10325.DEE3A0@localhost> References: <20030325092528.A22947@cluebot.com> <3E7F8732.24885.D5EF3A@localhost> Message-ID: <5.2.0.9.0.20031113182352.04670660@pop.ix.netcom.com> At 06:58 PM 11/5/03 -0800, James A. Donald wrote: >I want to store information deniably. ... >This would contain various items of information that one could >extract by supplyin a secret, symmetric, key. A random key would >extract a block of gibberish of random length There would be no >indication as to how many bits of meaningful data were stored in the >block, though obviously they would have to add up to less than the >size of the block. I believe one of Ross Anderson's students did something like this a few years ago, basically using error-correcting codes with a lot of redundancy. The basic idea is that you use some kind of massive error correction and use a different sequence of bits with each key, so that you're very unlikely to have enough of your message bits clobbered by another message to make it impossible to decode correctly. (It seems like there'd be a problem with information leakage about number of channels here, if you had a message encoded in that block of bits, because you would know when you decoded it how often you'd had bits flipped, but maybe they resolved that somehow.) --John Kelsey, kelsey.j at ix.netcom.com PGP: FA48 3237 9AD5 30AC EEDD BBC8 2A80 6948 4CAA F259 From bogus@does.not.exist.com Thu Nov 13 16:39:38 2003 From: bogus@does.not.exist.com () Date: Thu, 13 Nov 2003 19:39:38 -0500 Subject: [s-t] the thompson gambit digest #1 Message-ID: Re: needle in haystack digest #3 from Robert Walsh and Nick Barnes Re: How a backdoor in the Linux kernel was thwarted (fwd) from V Layne Re: How a backdoor in the Linux kernel was thwarted (fwd) from Oliver Xymoron Re: How a backdoor in the Linux kernel was thwarted (fwd) from Jamie McCarthy ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From njohnsn at njohnsn.com Thu Nov 13 19:48:17 2003 From: njohnsn at njohnsn.com (Neil Johnson) Date: Thu, 13 Nov 2003 21:48:17 -0600 Subject: Political Hyprocrisy in action. Message-ID: <200311132148.17239.njohnsn@njohnsn.com> I'm surprised no one has commented on Al Gore's speech (http://www.moveon.org/gore/speech2.html) where he talks about all the evil things that the Bush administration has done to to undermine our civil liberties. Got two words for ya Al: Clipper Chip -- Neil Johnson http://www.njohnsn.com PGP key available on request. From rah at shipwright.com Fri Nov 14 06:04:32 2003 From: rah at shipwright.com (R. A. Hettinga) Date: Fri, 14 Nov 2003 09:04:32 -0500 Subject: [Mac_crypto] MacOS X (Panther) FileVault Message-ID: --- begin forwarded text From eugen at leitl.org Fri Nov 14 03:25:53 2003 From: eugen at leitl.org (Eugen Leitl) Date: Fri, 14 Nov 2003 12:25:53 +0100 Subject: [s-t] the thompson gambit digest #1 Message-ID: <20031114112552.GL922@leitl.org> ----- Forwarded message from kaze no tani no potsicaa <> ----- From tips at spesh.com Fri Nov 14 05:04:32 2003 From: tips at spesh.com (Dave Green) Date: Fri, 14 Nov 2003 13:04:32 +0000 Subject: NTK now, 2003-11-14 Message-ID: _ _ _____ _ __ <*the* weekly high-tech sarcastic update for the uk> | \ | |_ _| |/ / _ __ __2003-11-14_ o join! sign up at | \| | | | | ' / | '_ \ / _ \ \ /\ / / o http://lists.ntk.net/ | |\ | | | | . \ | | | | (_) \ v v / o website (+ archive) lives at: |_| \_| |_| |_|\_\|_| |_|\___/ \_/\_/ o http://www.ntk.net/ "Using 'k3wl' instead of 'cool' and making sure the 'a' is always replaced by '4' may seem insignificant habits any teenager living in an SMS world might do. But by talking the talk and virtually walking the walk, IS/Recon has gained the trust of nearly 100 different [hacker] groups..." http://news.bbc.co.uk/2/hi/technology/3246375.stm ...and literally gigabytes of 0-day warez and serialz! >> HARD NEWS << shuffling in the pews Think you had a bad week? Well, you did. You just didn't hear about it. First up: after extraordinary scenes in the House of Lords on Wednesday, the government managed to push through its five standing orders of the apocalypse - to let a smorgasbord of local authorities monitor email and phone traffic, plus proposals to force ISPs to retain traffic data. All the proposals have been watered down a little since they were first aired. But it's all still pretty bad, as was indicated by the Tories' desperate attempt to introduce a "fatal amendment". Fatal amendments - which basically add "This house believes the following law should be taken outside and shot:" - are the Nuke-From-Orbit of the Lords' arsenal. They haven't been successfully used in the House for thirty years. Taken aback by this approach, the government went on the offensive, threatening to use similiar tactics on future Tory administrations. It all got a bit nastily party-political from there on in. When the mist cleared, the Lib-Dems had caved on data retention, the Tories went off muttering about doing some angry squeaking in the Commons, and we got a fistful of bad law. Worse: you didn't know any of it was happening until it was far too late. http://qwer.org/idcards.html - (from Hansard) LORD RICHARD: You're doing *what*? http://www.stand.org.uk/ - "not just bad, but maybe illegal too" The ID cards roadshow that Blunkett launched this week had a little more warning: and perhaps their longer timetable (due in 2013) will allow them to be stopped. Especially if the government keep on getting over-excited about the biometric bits. The reason we need new cards is because of this exciting new technology, goes the current spin. Exciting new technology, such as retinal scans, which haven't been proven to work with large populations, and are *just* like passwords, only you can't change them when they're compromised, and with a long history of false negatives. Particularly impressive is Fiona McTaggart's current pitch. An ex-chairwoman for Liberty and now a Minister in the government, she attributes her entire volte-face on ID cards down to the marvels of biometric magic. "If I'm honest, one unstated reason why I have opposed ID cards is my fear that this is another thing for me to lose", she gushes, before explaining that, because she can't lose her eyes or fingerprints, these new ID cards must be okay. We have to say: if the government's so excited about new tech, why did the ID card consultation still mistake thousands of responses from the STAND relay as being automated responses from "an organised opposition campaign"? http://www.official-documents.co.uk/document/cm60/6020/6020.pdf - paragraph 11. That's your democratic contribution right there http://www.guardian.co.uk/comment/story/0,3604,1083804,00.html - "another thing to lose". As if we're not losing enough here http://www.sideshow.idps.co.uk/smay03.htm#23at1537 - why Liberty isn't http://www.ntk.net/2003/11/14/dohpiracy.gif - EU targeting "large scale privacy outfits" too >> ANTI-NEWS << berating the obvious Arnie's response to sexual harassment claims - "Bring on der dancing girls!": http://www.ntk.net/2003/11/14/dohrevue.gif ... kids today, eh?: http://www.ntk.net/2003/11/14/dohlit.gif ... that "Army macho" culture goes a little further than you thought: http://www.ntk.net/2003/11/14/dohbum.gif (actually one of those expressions that means something different in the US): http://www.google.com/search?q=%22going+to+be+bummed%22 ... meanwhile, "Inclarity" telco offers global net "foaming": http://www.inclarity.co.uk/Prices/Calling_Card_Instructions.htm#vo ... old thrill revisited - return of Widdecombe of the Week: http://www.moneydemon.co.uk/result/keyword/UTTERLY+useless ... banner ads: http://www.ntk.net/2003/11/14/dohsquat.gif staying nice and morbid: http://www.ntk.net/2003/11/14/dohdrown.gif ... "War On Terror" apparently having the exact opposite of intended effect: http://www.ntk.net/2003/11/14/dohscare.gif , http://www.ntk.net/2003/11/14/dohterror.gif ... >> EVENT QUEUE << goto's considered non-harmful Assuming you're not busy helping Tim Ireland create a site where you can SMS pictures of your arse to George Bush (or should that be the other way round?), hopefully you haven't already missed too much of the DMZ MEDIA ARTS FESTIVAL (11am- 6pm, today and Saturday 2003-11-14 & 15, Limehouse Town Hall, London E14, free) featuring a wide range of usual suspects such as MUTE MAGAZINE, CONSUME.NET and no doubt a couple of wireless psychogeographic film-making co-operatives based in Hoxton and Eastern Europe. And if you're looking for a few quirky Xmas gift ideas, maybe Thomson & Craighead will bring along some of their Google tea-towels, "Teach Birds 2 Sing" ringtone CDs, or Walkmans fitted with endless play cassettes of genuine mobile phone conversations from the mid 1990s. http://www.bloggerheads.com/ - vs http://www.stopwar.org.uk/ (not literally!) http://www.ntk.net/2003/11/14/dohbush.gif - for that, you could buy everyone in the UK an ID card http://dmz.spc.org/talks.html - not making this up: http://www.dot-store.com/system/ http://www.uklanparty.com/ - tomorrow: all-day (free?) LAN party in Luton pub http://www.gamesmeet.net/ - advance warning of another bunker bash at the end of Jan >> TRACKING << sufficiently advanced technology : the gathering Good Ideas To Steal From MacOS X Applications, No. 443: VOODOOPAD is another app that wins by flipping the runs-on-server/runs-on-desktop bit. It's a local Wiki masquerading as a free-form database. You type, and WikiInterCapped words are automatically turned into links to fresh pages. Images and links can be dropped into the text; unicode is supported. And in case you still crave the wilds of the Web, it can also act as a responsive frontend for wikis that support author Gus Mueller's simple XMLRPC wiki API. Oh, and you can dump all your thoughts to HTML - or an iPod, should you be so freaky. http://flyingmeat.com/voodoopad.html - $20! You pay $20! http://www.macdevcenter.com/pub/a/mac/developer/2003/09/05/innovators.html - it won an award and yet still does not suck >> MEMEPOOL << contains a source of http://snackspot.org/ now *we* want some of that Britney "has a level 14 Cleric" Googlejuice: http://www.six-something.org/projectbritney.php ... ftp://www.japan.steinberg.net/ tagged - you're it... you know you've "arrived" when: http://lordrich.newmail.ru/ican/ (and is the original hosted under www.bbc.co.uk/dna/ because it's "mostly harmless"?)... don't want to know what they're up to here: http://www.ntk.net/2003/11/14/dohgrif.gif ... "These BOFH stickers on my monitor? Well, they each signify one of my 'support kills'": http://www.ntk.net/2003/09/12/dohbofh.gif ... caution - one of these pics is not safe for work like the others: http://www.altavista.com/image/results?q=potatoes ... (comparatively) new thrill - amusingly (in)appropriate GOOGLE TEXT ADS: http://www.ntk.net/2003/11/14/dohshuck.gif ... http://www.google.com/search?q=bluejacking - "Did you mean 'barebacking'?" (now *that* would surprise a stranger)... >> GEEK MEDIA << get out less TV>> it's not clear whether it's the collision detection, the level design, or the terrible cheerleader non-choreography that really lets down CGI would-be "Robot Wars" FIGHTBOX (7pm, Fri, BBC2)... what if Robin Ince and resident Friday Thing Photoshop-wiz Charlie Skelton were the "real" victims of extended "Gotcha Oscar" format THE PILOT SHOW? (11.15pm, Fri, C4)... and implausible-odyssey fan Ray Mears apologises for the Monster-Manual-meets-road-movie structure of THE BIG READ: THE LORD OF THE RINGS (9.15pm, Sat, BBC2)... at least it's Miranda Sawyer - and not, say, Jonathan King - explaining SEX BEFORE 16: WHY THE LAW IS FAILING (9pm, Sun, C4)... part of an "Adult at 14" season that also includes *another* "The Real Lord Of The Flies" reality show 14 ALONE (9pm, Tue, C4), plus web filth roundup KIDS ON PORN (10.40pm, Tue, C4)... though note that it's a pesky 17 year-old who shoots his parents then claims THE MATRIX DEFENCE (10.40pm, Wed, C4) - presumably that the act was entirely justified if we live in a VR illusion: http://www.interiorcastle.net/chapel/morality_and_matrix.htm ... yes, you can laugh at the weirdoes in CHILD PRODIGIES (9.30pm, Wed, BBC2) - but really you're chuckling at yourself ...speaking of which, Joel "rathergood.com" Veitch's cult Flash animations "are intercut with memorable music videos" in RATHER GOOD VIDEOS (1.50am, Wed, C4)... then HORIZON (9pm, Thu, BBC2) shouldn't have too many problems poking holes in the statistical coincidences that make up "The Bible Code": http://politics.guardian.co.uk/print/0,3858,4561031-107865,00.html ... FILM>> lots of staggered-release schedules right now, which means you've got more chance of previewing Will "Old School" Ferrell in what the posters imply is a film called ELF JAMES CAAN ( http://www.capalert.com/capreports/elf.htm : Christmas without Jesus; repeated display of provocative women's underwear, once in an implication of perversion)... compared to Robert Downey Jr/ Katie Holmes intertextual musical itcher THE SINGING DETECTIVE (imdb: based-on-tv-series/ remake)... the closest thing to a national release is Jackie Chan/ Lee Evans CGI-heavy "Indiana Jones"-lite actioner THE MEDALLION ( http://www.screenit.com/movies/2003/the_medallion.html : [Chan] and [Claire "Press Gang" Forlani] do some brief passionate kissing; comedic and misinterpretation-based homosexual innuendo)... otherwise at least you get a choice of older women living it up in LA arthouse romp LAUREL CANYON ( http://www.cndb.com/movie.html?title=Laurel+Canyon+%282003%29 : Kate [Beckinsale] has more exposure in this movie then anything she has done in 4-5 years)... or London comedy THE MOTHER ( http://www.cndb.com/movie.html?title=Mother%2C+The : Born 1935 Anne ["Dinnerladies"] Reid, in the title role, has two sex scenes with a young carpenter in which she's naked, but largely concealed by fancy editing)... >> SMALL PRINT << Need to Know is a useful and interesting UK digest of things that happened last week or might happen next week. You can read it on Friday afternoon or print it out then take it home if you have nothing better to do. It is compiled by NTK from stuff they get sent. Registered at the Post Office as "ntk.*net* Richard - if you don't mind" http://news.google.com/news?q=ntk.org NEED TO KNOW THEY STOLE OUR REVOLUTION. NOW WE'RE STEALING IT BACK. Archive - http://www.ntk.net/ Unsubscribe or subscribe at http://lists.ntk.net/ NTK now is supported by UNFORTU.NET, and by you: http://www.ntkmart.com/ (K) 2003 Special Projects. Copying is fine, but include URL: http://www.ntk.net/ Full license at: http://creativecommons.org/licenses/by/1.0 Tips, news and gossip to tips at spesh.com All communication is for publication, unless you beg. Remember: Your work email may be monitored if sending sensitive material. Sending >500KB attachments is forbidden by the Geneva Convention. Your country may be at risk if you fail to comply. ----- End forwarded message ----- -- Eugen* Leitl leitl ______________________________________________________________ ICBM: 48.07078, 11.61144 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE [demime 0.97c removed an attachment of type application/pgp-signature] From emc at artifact.psychedelic.net Fri Nov 14 13:44:18 2003 From: emc at artifact.psychedelic.net (Eric Cordian) Date: Fri, 14 Nov 2003 13:44:18 -0800 (PST) Subject: Jews Go Nuclear Message-ID: <200311142144.hAELiIOl025045@artifact.psychedelic.net> So much for non-proliferation of "weapons of mass destruction", right? http://observer.guardian.co.uk/international/story/0,6903,10613 ----- Israel deploys nuclear arms in submarines Peter Beaumont in London and Conal Urquhart in Jerusalem Sunday October 12, 2003 The Observer Israeli and American officials have admitted collaborating to deploy US-supplied Harpoon cruise missiles armed with nuclear warheads in Israel's fleet of Dolphin-class submarines, giving the Middle East's only nuclear power the ability to strike at any of its Arab neighbours. ... -- Eric Michael Cordian 0+ O:.T:.O:. Mathematical Munitions Division "Do What Thou Wilt Shall Be The Whole Of The Law" From emc at artifact.psychedelic.net Fri Nov 14 13:48:34 2003 From: emc at artifact.psychedelic.net (Eric Cordian) Date: Fri, 14 Nov 2003 13:48:34 -0800 (PST) Subject: Jews Go Nuclear In-Reply-To: <200311142144.hAELiIOl025045@artifact.psychedelic.net> Message-ID: <200311142148.hAELmYtm025207@artifact.psychedelic.net> Yes, I truncated the URL http://observer.guardian.co.uk/international/story/0,6903,1061381,00.html > So much for non-proliferation of "weapons of mass destruction", right? > > http://observer.guardian.co.uk/international/story/0,6903,10613 > > ----- > > Israel deploys nuclear arms in submarines > Peter Beaumont in London and Conal Urquhart in Jerusalem > Sunday October 12, 2003 > The Observer > > Israeli and American officials have admitted collaborating to deploy > US-supplied Harpoon cruise missiles armed with nuclear warheads in > Israel's fleet of Dolphin-class submarines, giving the Middle East's only > nuclear power the ability to strike at any of its Arab neighbours. > > ... > > -- > Eric Michael Cordian 0+ > O:.T:.O:. Mathematical Munitions Division > "Do What Thou Wilt Shall Be The Whole Of The Law" From eugen at leitl.org Fri Nov 14 05:51:16 2003 From: eugen at leitl.org (Eugen Leitl) Date: Fri, 14 Nov 2003 14:51:16 +0100 Subject: NTK now, 2003-11-14 (fwd from tips@spesh.com) Message-ID: <20031114135116.GU922@leitl.org> ----- Forwarded message from Dave Green ----- From dog3 at eruditium.org Fri Nov 14 11:57:01 2003 From: dog3 at eruditium.org (cubic-dog) Date: Fri, 14 Nov 2003 14:57:01 -0500 (EST) Subject: Political Hyprocrisy in action. In-Reply-To: <200311132148.17239.njohnsn@njohnsn.com> Message-ID: On Thu, 13 Nov 2003, Neil Johnson wrote: > I'm surprised no one has commented on Al Gore's speech > (http://www.moveon.org/gore/speech2.html) where he talks about all the evil > things that the Bush administration has done to to undermine our civil > liberties. > > Got two words for ya Al: Clipper Chip Two more, Janet Reno And another two Louis Freeh It just goes on and on. Gore is just jealous. All the totalitarian ambitions dreamed of by the Clinton/Gore/Reno/ dynasty are being realized by the Bush/Cheney/Ascroft/ regime. From shamrock at cypherpunks.to Fri Nov 14 19:08:46 2003 From: shamrock at cypherpunks.to (Lucky Green) Date: Fri, 14 Nov 2003 19:08:46 -0800 Subject: New PGP Universal beta: PGP and S/MIME Message-ID: <000001c3ab25$cb949d80$6601a8c0@VAIO650> Cpunks, I spent the last few months working at PGP on a nifty new solution to an old problem: how to get email encryption deployed more widely without requiring user education. Since ideas for solving this problem have been discussed on this mailing list for over 10 years now, some of you might wish to take a peek at the solution that we came up with. The public beta of PGP Universal 1.1 is now yours to download for free from http://www.pgp.com/products/beta1.1.html One of the many interesting features of our approach is the ability to secure all users of a mail server, without the users needing to understand what encryption is or does, no need for MUA-specific plugins, interchangeable use of PGP keys or S/MIME, and much more. And yes, you can still keep your 4096-bit RSA key on your PC only. I am using PGP Universal myself. It is really cool. Note that the download of PGP Universal is 322MB in size and requires a dedicated x86 server to install. Have fun, --Lucky Green From jtrjtrjtr2001 at yahoo.com Fri Nov 14 21:37:01 2003 From: jtrjtrjtr2001 at yahoo.com (Sarad AV) Date: Fri, 14 Nov 2003 21:37:01 -0800 (PST) Subject: Jews Go Nuclear In-Reply-To: <200311142144.hAELiIOl025045@artifact.psychedelic.net> Message-ID: <20031115053701.93624.qmail@web21205.mail.yahoo.com> hi, Enimies enemy=friend. but for how long? Sarath. --- Eric Cordian wrote: > So much for non-proliferation of "weapons of mass > destruction", right? > > http://observer.guardian.co.uk/international/story/0,6903,10613 > > ----- > > Israel deploys nuclear arms in submarines > Peter Beaumont in London and Conal Urquhart in > Jerusalem > Sunday October 12, 2003 > The Observer > > Israeli and American officials have admitted > collaborating to deploy > US-supplied Harpoon cruise missiles armed with > nuclear warheads in > Israel's fleet of Dolphin-class submarines, giving > the Middle East's only > nuclear power the ability to strike at any of its > Arab neighbours. > > ... > > -- > Eric Michael Cordian 0+ > O:.T:.O:. Mathematical Munitions Division > "Do What Thou Wilt Shall Be The Whole Of The Law" __________________________________ Do you Yahoo!? Protect your identity with Yahoo! Mail AddressGuard http://antispam.yahoo.com/whatsnewfree From mv at cdc.gov Sat Nov 15 07:31:00 2003 From: mv at cdc.gov (Major Variola (ret)) Date: Sat, 15 Nov 2003 07:31:00 -0800 Subject: Jews Go Nuclear Message-ID: <3FB646B3.E62AA3EC@cdc.gov> At 01:44 PM 11/14/03 -0800, Eric Cordian wrote: >http://observer.guardian.co.uk/international/story/0,6903,10613 >Israel deploys nuclear arms in submarines You put nukes in subs to avoid getting them blown up esp. by a first strike. So whoever nukes Israel had best do so without a piece of real estate associated with it, because the sub nukes will persist. Even if the ground-based intel the subs might have relied on for targeting is smoking slag. The problem of real estate: Look what happened to the Afghans who gave ClintonBush a place to target. Yet another advantage to being a unlocalized organization. Or working out of an untouchable like Saudi arabia. From emc at artifact.psychedelic.net Sat Nov 15 10:45:57 2003 From: emc at artifact.psychedelic.net (Eric Cordian) Date: Sat, 15 Nov 2003 10:45:57 -0800 (PST) Subject: Jews Go Nuclear In-Reply-To: <3FB646B3.E62AA3EC@cdc.gov> Message-ID: <200311151845.hAFIjvu1024792@artifact.psychedelic.net> Major Variola wrote: > You put nukes in subs to avoid getting them blown up > esp. by a first strike. You mean like the Jews blew up the Iranian nuclear reactor? > So whoever nukes Israel had best do so without a > piece of real estate associated with it, because the sub > nukes will persist. Even if the ground-based intel > the subs might have relied on for targeting is smoking slag. What make your think Israel will have to be nuked in order to respond with its own nukes? I should think anything that threatens Israel's existence as a racist apartheid human rights violating state in perpetual contempt for the will of the international community would serve as a sufficient excuse for War Criminal Sharon to launch a nuclear attack. After which, of course, AmeriKKKa's Neocon Dictator, George W. Bush, would call a press conference to deliver the usual "Israel has a right to defend itself" line, and order his UN ambassador to veto all security council resolutions critical of Israel. The EU would be critical, the Jews would call them anti-Semites, and the US Congress would fall all over itself to suport the action, fleeing in terror to avoid becoming targets of AmeriKKKan jewish voters, and Zionist pressure groups. In other words, business as usual. > Yet another advantage to being a unlocalized organization. > Or working out of an untouchable like Saudi arabia. Saudi Arabia is hardly untouchable. It is simply not at the top of the list. The Neocons plan for all the Arab dominos to fall eventually. AmeriKKKa needs to purge itself of external influence on its government through covert non-foreign policy channels, especially by "Orientals." -- Eric Michael Cordian 0+ O:.T:.O:. Mathematical Munitions Division "Do What Thou Wilt Shall Be The Whole Of The Law" From weinmann at cdc.informatik.tu-darmstadt.de Sat Nov 15 04:03:33 2003 From: weinmann at cdc.informatik.tu-darmstadt.de (Ralf-P. Weinmann) Date: Sat, 15 Nov 2003 13:03:33 +0100 Subject: [Mac_crypto] MacOS X (Panther) FileVault Message-ID: On Thu, Nov 13, 2003 at 01:15:03PM +0000, Nicko van Someren wrote: > This is basically correct. FileVault uses an auto-mounting version of > the encrypted disk image facility that was in 10.2, tweaked to allow > the image to be opened even before your main key chain is available > (since the key chain is stored inside your home directory). The > standard encrypted image format uses a random key stored on your key > chain, which is itself encrypted with a salted and hashed copy of the > keychain pass phrase, which defaults to your login password. My > suspicion is that for the FileVault there is some other key chain file > in the system folder which stores the key for decrypting your home > directory disk image and that the pass phrase for that is just your > login password. Ahhhh... So FileVault actually is just a marketing term for the encrypted disk images! Thanks for the explanation! I just hope my login password can be longer than 8 characters then. > > > File Vault will automatically expand or contract the disk image at > > certain points. It creates a new image, copies everything over, and > > deletes the old image. > > Yup, it essentially does an "hdiutil compact" command when you log out. Do you know whether the source code to hdiutil and hdid respectively its 10.3 kernel equivalent is available? I can't seem to find it in the Darwin 7.0 public source. > > I don't know what mode of AES-128 it uses. > > I believe that it uses counter mode, since it's efficient when doing > random access to the encrypted data. Of course counter mode would be ideally suited for this application. The question is whether the people at Apple implementing this feature knew this :) I believe in peer-reviewed source code for crypto apps/features. Cheers, Ralf -- Ralf-P. Weinmann PGP fingerprint: 1024D/EF114FC02F150EB9D4F275B6159CEBEAEFCD9B06 --- end forwarded text -- ----------------- R. A. Hettinga The Internet Bearer Underwriting Corporation 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' From Freematt357 at aol.com Sat Nov 15 11:07:59 2003 From: Freematt357 at aol.com (Freematt357 at aol.com) Date: Sat, 15 Nov 2003 14:07:59 EST Subject: Gestapo harasses John Young, appeals to patriotism, told to fuck off Message-ID: <145.1c8a3431.2ce7d38f@aol.com> In a message dated 11/10/2003 3:02:47 PM Eastern Standard Time, jya at pipeline.com writes: > They showed up without warning, no call ahead, got > past our Doberman doorman (we're on the 6th floor) > who usually calls us about visitors but didn't this time, > and hasn't said a peep since the visit. > Why open the door to them? I have a few friends who as a matter of principle do not open their doors to people they do not know. Letting a Fedgoon in is akin to inviting a vampire into your house. Regards, Matt- From jya at pipeline.com Sat Nov 15 15:05:05 2003 From: jya at pipeline.com (John Young) Date: Sat, 15 Nov 2003 15:05:05 -0800 Subject: Gestapo harasses John Young, appeals to patriotism, told to fuck off In-Reply-To: <145.1c8a3431.2ce7d38f@aol.com> Message-ID: Matt wrote: >Why open the door to them? I have a few friends who as a matter of principle >do not open their doors to people they do not know. Letting a Fedgoon in is >akin to inviting a vampire into your house. I was expecting someone else at about the same time. True, I could have refused entry after the agent showed his ID. However, it seemed too good an opportunity to pass up: it is pretty common for Cryptome to get unexpected contributions. We try to remain open lines of communication to unknown sources, if not a goodly amount of info would never come out way. For all I knew, and now know, the Special Agents were frauds, of which Cryptome gets a taste regularly, perhaps more than we know. As discussed here, spoofing is trivial to do. Toward the end of the visit I asked SA Kelly to see his ID up close and he displayed a wallet with a brass badge on the left and a two-leaf ID on the right: flip left, then flip up. Was it real? The two-leaf ID looked like the version SA Renner showed at the door. Trim haircuts and dark suits, healthy-looking young Caucasians, no facial hair, shined shoes, clean teeth, no noticeable mouth or body odor, no obvious weapon bulges, polite, actually not polite all the time: there were a few instances when mild friction occurred, low-key warnings sent my way about inadvertent threats to the nation with too much information like that on Cryptome. SA Renner was cooler than Kelly during questioning -- Kelly slightly bristled when I made a comment about free flowing information making the US stronger, the agent saying, yes, but information can be misused. He bristled a lot more when I said I would publish their names, "make them famous." At the word "famous" Kelly said, smiling "really, I haven't had that before." Renner was quieter on naming names, knowing that there was a CNN story out about him. But he too mildly protested with the "hazard to the family" shtick. Kelly said, "you know we can be found by knowing our names, get shot for what we do." That reminded me of Jeff Gordon, but I didn't snort. Kelly leaned forward in his wing-back chair, slightly aggressive, whereas Renner sat upright at a table, case file in front, posing most of the questions to me. Now, if I had refused the agents entry could I be telling this dinky inside story? Perhaps better will be the second visit, or door-busting and marching downstairs in handcuffs, or dark-van-snatch on the street, or my family and customers and friends questioned and warned, my assets seized and listed in the New York Times, gosh, what notoriety being a questionable patriot can lead to -- maybe right up there at the foot soles of the Special Agents, real or fraudulent. Confirming the allegation about idiot witnesses, I am sure I would not recognize either agent if I saw them again. The IDs yes, and the questions, but not the bland biometrics. From rah at shipwright.com Sat Nov 15 16:01:48 2003 From: rah at shipwright.com (R. A. Hettinga) Date: Sat, 15 Nov 2003 19:01:48 -0500 Subject: [Mac_crypto] MacOS X (Panther) FileVault Message-ID: --- begin forwarded text From mv at cdc.gov Sat Nov 15 21:30:05 2003 From: mv at cdc.gov (Major Variola (ret)) Date: Sat, 15 Nov 2003 21:30:05 -0800 Subject: Gestapo harasses [BUGS] John Young Message-ID: <3FB70B5D.BEBE5B04@cdc.gov> At 02:07 PM 11/15/03 EST, Freematt357 at aol.com wrote: >> They showed up without warning, no call ahead, got >> >Why open the door to them? I have a few friends who as a matter of principle >do not open their doors to people they do not know. Letting a Fedgoon in is >akin to inviting a vampire into your house. At some point one of the agents had to use the bathroom, I'll bet, so that JY didn't observe them both. Nice opportunity to bug the place, just in case things are spoken of at home which don't make the wiretap. Perhaps you can't intimidate JY, but if you get something on one of his relatives, game over. --- "all the normalities of the social contract are abandoned in war" Jack Valenti MPAA pres, in LATimes on Kerry's war crimes From nobody at nox.lemuria.org Sat Nov 15 19:35:52 2003 From: nobody at nox.lemuria.org (Anonymous) Date: Sun, 16 Nov 2003 04:35:52 +0100 (CET) Subject: Gestapo harasses John Young, appeals to patriotism, told to fuck off Message-ID: <36b19a2865c067e685aaeb5d1a005785@nox.lemuria.org> >Confirming the allegation about idiot witnesses, I am >sure I would not recognize either agent if I saw them >again. The IDs yes, and the questions, but not the >bland biometrics. You do have right to take pictures in your residence, no ? I am sure that "John Young's real time door webcam" would be a popular URL to look up. Maybe you could even sell some ad space there. From sti at cam.org Sun Nov 16 08:45:40 2003 From: sti at cam.org (Stirling Westrup) Date: Sun, 16 Nov 2003 11:45:40 -0500 Subject: Partition Encryptor In-Reply-To: <200311132148.17239.njohnsn@njohnsn.com> Message-ID: <3FB76364.19878.3B45F8D@localhost> Does anyone know of a good partition encryptor for Windows? I know of an accountant who would like to encrypt her client's financial data. She's stuck with Windows until such time as a major company starts shipping yearly tax software for linux. Something like PGPdisk, only open source, would be best. -- Stirling Westrup | Use of the Internet by this poster sti at cam.org | is not to be construed as a tacit | endorsement of Western Technological | Civilization or its appurtenances. From vab at cryptnet.net Sun Nov 16 10:02:48 2003 From: vab at cryptnet.net (V Alex Brennen) Date: Sun, 16 Nov 2003 13:02:48 -0500 Subject: Partition Encryptor In-Reply-To: <3FB76364.19878.3B45F8D@localhost> References: <3FB76364.19878.3B45F8D@localhost> Message-ID: <3FB7BBC8.3090506@cryptnet.net> Stirling Westrup wrote: > Does anyone know of a good partition encryptor for Windows? I know of an > accountant who would like to encrypt her client's financial data. She's stuck > with Windows until such time as a major company starts shipping yearly tax > software for linux. > > Something like PGPdisk, only open source, would be best. Given your requirements, you may want to run VMWare on a Linux host computer. The windows partition you'd like to encrypt would then appear as a file in a Linux partition which could be operated on by the tools and technologies available for Linux. - VAB From mv at cdc.gov Sun Nov 16 16:24:16 2003 From: mv at cdc.gov (Major Variola (ret)) Date: Sun, 16 Nov 2003 16:24:16 -0800 Subject: Partition Encryptor Message-ID: <3FB81530.1386909D@cdc.gov> At 11:45 AM 11/16/03 -0500, Stirling Westrup wrote: >Does anyone know of a good partition encryptor for Windows? I know of an >accountant who would like to encrypt her client's financial data. She's stuck >with Windows until such time as a major company starts shipping yearly tax >software for linux. Look into Scramdisk. It works fine. Free, open source AFAIK. You can store & run your tools (eg email client) from the encrypted virtual partition easily, as well as store data. From cpunk at lne.com Sun Nov 16 20:00:00 2003 From: cpunk at lne.com (cpunk at lne.com) Date: Sun, 16 Nov 2003 20:00:00 -0800 Subject: Cypherpunks List Info Message-ID: <200311170400.hAH400O7028973@slack.lne.com> Cypherpunks Mailing List Information Last updated: Oct 13, 2003 This message is also available at http://www.lne.com/cpunk Instructions on unsubscribing from the list can be found below. 0. Introduction The Cypherpunks mailing list is a mailing list for discussing cryptography and its effect on society. It is not a moderated list (but see exceptions below) and the list operators are not responsible for the list content. Cypherpunks is a distributed mailing list. A subscriber can subscribe to one node of the list and thereby participate on the full list. Each node (called a "Cypherpunks Distributed Remailer", although they are not related to anonymous remailers) exchanges messages with the other nodes in addition to sending messages to its subscribers. A message posted to one node will be received by the list subscribers on the other nodes, and vice-versa. 1. Filtering The various CDRs follow different policies on filtering spam and to a lesser extent on modifying messages that go to/from their subscribers. Filtering is done, on nodes that do it, to reduce the huge amount of spam that the cypherpunks list is subjected to. There are three basic flavors of filtering CDRs: "raw", which send all messages to their subscribers. "cooked" CDRs try to eliminate the spam on that's on the regular list by automatically sending only messages that are from cypherpunks list subscribers (on any CDR) or people who are replying to list messages. Finally there are moderated lists, where a human moderator decides which messages from the raw list to pass on to subscribers. 2. Message Modification Message modification policy indicates what modifications, if any, beyond what is needed to operate the CDR are done (most CDRs add a tracking X-loop header on mail posted to their subscribers to prevent mail loops). Message modification usually happens on mail going in or out to each CDR's subscribers. CDRs should not modify mail that they pass from one CDR to the next, but some of them do, and others undo those modifications. 3. Privacy Privacy policy indicates if the list will allow anyone ("open"), or only list members, or no one ("private") , to retrieve the subscribers list. Note that if you post, being on a "private" list doesn't mean much, since your address is now out there. It's really only useful for keeping spammers from harvesting addresses from the list software. Digest mode indicates that the CDR supports digest mode, which is where the posts are batched up into a few large emails. Nodes that support only digest mode are noted. 4. Anonymous posting Cypherpunks encourages anonymous posting. You can use an anonymous remailer: http://www.andrebacard.com/remail.html http://anon.efga.org/Remailers http://www.gilc.org/speech/anonymous/remailer.html 5. Unsubscribing Unsubscribing from the cypherpunks list: Since the list is run from a number of different CDRs, you have to figure out which CDR you are subscribed to. If you don't remember and can't figure it out from the mail headers (hint: the top Received: line should tell you), the easiest way to unsubscribe is to send unsubscribe messages to all the CDRs listed below. How to figure out which CDR you are subscribed to: Get your mail client to show all the headers (Microsoft calls this "internet headers"). Look for the Sender or X-loop headers. The Sender will say something like "Sender: owner-cypherpunks at lne.com". The X-loop line will say something like "X-Loop: cypherpunks at lne.com". Both of these inticate that you are subscribed to the lne.com CDR. If you were subscribed to the algebra CDR, they would have algebra.com in them. Once you have figured out which CDR you're subscribed to, look in the table below to find that CDRs unsubscribe instructions. 6. Lunatics, spammers and nut-cases "I'm subscribed to a filtering CDR yet I still see lots of junk postings". At this writing there are a few sociopaths on the cypherpunks list who are abusing the lists openness by dumping reams of propaganda on the list. The distinction between a spammer and a subscriber is nearly always very clear, but the dictinction between a subscriber who is abusing the list by posting reams of propaganda and a subscriber who is making lots of controversial posts is not clear. Therefore, we tolerate the crap. Subscribers with a low crap tolerance should check out mail filters. Procmail is a good one, although it works on Unix and Unix-like systems only. Eudora also has a capacity for filtering mail, as do many other mail readers. An example procmail recipie is below, you will of course want to make your own decisions on which (ab)users to filter. # mailing lists: # filter all cypherpunks mail into its own cypherspool folder, discarding # mail from loons. All CDRs set their From: line to 'owner-cypherpunks'. # /dev/null is unix for the trash can. :0 * ^From.*owner-cypherpunks at .* { :0: * (^From:.*ravage at ssz\.com.*|\ ^From:.*jchoate at dev.tivoli.com.*|\ ^From:.*mattd at useoz.com|\ ^From:.*proffr11 at bigpond.com|\ ^From:.*jei at cc.hut.fi) /dev/null :0: cypherspool } 7. List of current CDRs All commands are sent in the body of mail unless otherwise noted. --------------------------------------------------------------------------- Algebra: Operator: Subscription: "subscribe cypherpunks" to majordomo at algebra.com Unsubscription: "unsubscribe cypherpunks" to majordomo at algebra.com Help: "help cypherpunks" to majordomo at algebra.com Posting address: cypherpunks at algebra.com Filtering policy: raw Message Modification policy: no modification Privacy policy: ??? Info: ??? --------------------------------------------------------------------------- CCC: Operator: drt at un.bewaff.net Subscription: "subscribe [password of your choice]" to cypherpunks-request at koeln.ccc.de Unsubscription: "unsubscribe " to cypherpunks-request at koeln.ccc.de Help: "help" to to cypherpunks-request at koeln.ccc.de Web site: http://koeln.ccc.de/mailman/listinfo/cypherpunks Posting address: cypherpunks at koeln.ccc.de Filtering policy: This specific node drops messages bigger than 32k and every message with more than 17 recipients or just a line containing "subscribe" or "unsubscribe" in the subject. Digest mode: this node is digest-only NNTP: news://koeln.ccc.de/cbone.ml.cypherpunks Message Modification policy: no modification Privacy policy: ??? --------------------------------------------------------------------------- Infonex: Subscription: "subscribe cypherpunks" to majordomo at infonex.com Unsubscription: "unsubscribe cypherpunks" to majordomo at infonex.com Help: "help cypherpunks" to majordomo at infonex.com Posting address: cypherpunks at infonex.com Filtering policy: raw Message Modification policy: no modification Privacy policy: ??? --------------------------------------------------------------------------- Lne: Subscription: "subscribe cypherpunks" to majordomo at lne.com Unsubscription: "unsubscribe cypherpunks" to majordomo at lne.com Help: "help cypherpunks" to majordomo at lne.com Posting address: cypherpunks at lne.com Filtering policy: cooked Posts from all CDR subscribers & replies to threads go to lne CDR subscribers. All posts from other CDRs are forwarded to other CDRs unmodified. Message Modification policy: 1. messages are demimed (MIME attachments removed) when posted through lne or received by lne CDR subscribers 2. leading "CDR:" in subject line removed 3. "Reply-to:" removed Privacy policy: private Info: http://www.lne.com/cpunk; "info cypherpunks" to majordomo at lne.com Archive: http://archives.abditum.com/cypherpunks/index.html (thanks to Steve Furlong and Len Sassaman) --------------------------------------------------------------------------- Minder: Subscription: "subscribe cypherpunks" to majordomo at minder.net Unsubscription: "unsubscribe cypherpunks" to majordomo at minder.net Help: "help" to majordomo at minder.net Posting address: cypherpunks at minder.net Filtering policy: raw Message Modification policy: no modification Privacy policy: private Info: send mail to cypherpunks-info at minder.net --------------------------------------------------------------------------- Openpgp: [openpgp seems to have dropped off the end of the world-- it doesn't return anything from sending help queries. Ericm, 8/7/01] Subscription: "subscribe cypherpunks" to listproc at openpgp.net Unsubscription: "unsubscribe cypherpunks" to listproc at openpgp.net Help: "help" to listproc at openpgp.net Posting address: cypherpunks at openpgp.net Filtering policy: raw Message Modification policy: no modification Privacy policy: ??? --------------------------------------------------------------------------- Sunder: Subscription: "subscribe" to sunder at sunder.net Unsubscription: "unsubscribe" to sunder at sunder.net Help: "help" to sunder at sunder.net Posting address: sunder at sunder.net Filtering policy: moderated Message Modification policy: ??? Privacy policy: ??? Info: ??? --------------------------------------------------------------------------- Pro-ns: Subscription: "subscribe cypherpunks" to majordomo at pro-ns.net Unsubscription: "unsubscribe cypherpunks" to majordomo at pro-ns.net Help: "help cypherpunks" to majordomo at pro-ns.net Posting address: cypherpunks at pro-ns.net Filtering policy: cooked Posts from all CDR subscribers & replies to threads go to local CDR subscribers. All posts from other CDRs are forwarded to other CDRs unmodified. Message Modification policy: 1. leading "CDR:" in subject line removed 2. "Reply-to:" removed Privacy policy: private Info: http://www.pro-ns.net/cpunk From sunder at sunder.net Sun Nov 16 17:22:33 2003 From: sunder at sunder.net (Sunder) Date: Sun, 16 Nov 2003 20:22:33 -0500 (est) Subject: Partition Encryptor In-Reply-To: <3FB81530.1386909D@cdc.gov> Message-ID: Which only works on win9x, and no freeware updates exist for Win2k/XP/NT. i.e. worthless... There is this, but it too isn't free: http://www.pcdynamics.com/SafeHouse/ ----------------------Kaos-Keraunos-Kybernetos--------------------------- + ^ + :25Kliters anthrax, 38K liters botulinum toxin, 500 tons of /|\ \|/ :sarin, mustard and VX gas, mobile bio-weapons labs, nukular /\|/\ <--*-->:weapons.. Reasons for war on Iraq - GWB 2003-01-28 speech. \/|\/ /|\ :Found to date: 0. Cost of war: $800,000,000,000 USD. \|/ + v + : The look on Sadam's face - priceless! --------_sunder_ at _sunder_._net_------- http://www.sunder.net ------------ On Sun, 16 Nov 2003, Major Variola (ret) wrote: > At 11:45 AM 11/16/03 -0500, Stirling Westrup wrote: > >Does anyone know of a good partition encryptor for Windows? I know of > an > >accountant who would like to encrypt her client's financial data. She's > stuck > >with Windows until such time as a major company starts shipping yearly > tax > >software for linux. > > Look into Scramdisk. It works fine. Free, open source AFAIK. > You can store & run your tools (eg email client) from the > encrypted virtual partition easily, as well as store data. From zooko at zooko.com Sun Nov 16 17:32:51 2003 From: zooko at zooko.com (Zooko Wooko) Date: 16 Nov 2003 20:32:51 -0500 Subject: [mnet-devel] Mac OS X binary package up Message-ID: I put up a Mac OS X binary package which is actually just a tarball with the Mnet.sh script as the way to launch it. I know that this doesn't make users want to lick the screen, so it is only a temporary measure. http://mnet.sf.net/download.php ------------------------------------------------------- This SF. Net email is sponsored by: GoToMyPC GoToMyPC is the fast, easy and secure way to access your computer from any Web browser or wireless device. Click here to Try it Free! https://www.gotomypc.com/tr/OSDN/AW/Q4_2003/t/g22lp?Target=mm/g22lp.tmpl _______________________________________________ mnet-devel mailing list mnet-devel at lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/mnet-devel --- end forwarded text -- ----------------- R. A. Hettinga The Internet Bearer Underwriting Corporation 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' From rah at shipwright.com Sun Nov 16 18:03:45 2003 From: rah at shipwright.com (R. A. Hettinga) Date: Sun, 16 Nov 2003 21:03:45 -0500 Subject: [mnet-devel] Mac OS X binary package up Message-ID: --- begin forwarded text From cripto at ecn.org Sun Nov 16 18:34:43 2003 From: cripto at ecn.org (Anonymous) Date: Mon, 17 Nov 2003 03:34:43 +0100 (CET) Subject: Cypherpunks meetings? Message-ID: <80e42173b3916bfd346e2535d814131c@ecn.org> Are the Bay Area Cypherpunks meetings finally dead? It's been ages since I've seen anything about them. From mv at cdc.gov Mon Nov 17 06:24:02 2003 From: mv at cdc.gov (Major Variola (ret.)) Date: Mon, 17 Nov 2003 06:24:02 -0800 Subject: Pellicano: encrypted files, wiretaps, pacbell on the take Message-ID: <3FB8DA01.287F66EC@cdc.gov> Pellicano Taking His Secrets With Him to Federal Prison Private investigator refuses to cooperate in FBI probe of alleged illegal wiretapping http://www.latimes.com/news/local/la-me-pellicano17nov17,1,3427559.story?coll=la-home-todays-times Federal agents searched Pellicano's offices three times and seized 36 electronic devices, including computer hard drives and storage drives of encrypted files, according to court documents. Law enforcement sources allege that the computers contained detailed bookkeeping records, wiretapping software and encrypted files of tapped phone conversation transcripts. Officials have notified two men that they are subjects of the wiretapping probe: Bert Fields, one of Hollywood's most prominent attorneys who employed Pellicano on a number of cases; and Ray Turner, a former Pacific Bell employee. From mv at cdc.gov Mon Nov 17 06:34:58 2003 From: mv at cdc.gov (Major Variola (ret.)) Date: Mon, 17 Nov 2003 06:34:58 -0800 Subject: State to take innocent kids' DNA Message-ID: <3FB8DC91.EDAA7D95@cdc.gov> FBI may collect juveniles' DNA By Richard Willing, USA TODAY WASHINGTON  DNA profiles from hundreds of thousands of juvenile offenders and adults arrested but not convicted of crimes could be added to the FBI's national DNA crime-fighting program under a proposed law moving through Congress. The law, if enacted, would be the greatest single expansion of the federal government's power to collect and use DNA since the FBI's national database was created in 1992. The FBI says its national DNA database holds genetic profiles from about 1.4 million adults convicted of state and federal crimes. http://www.usatoday.com/news/washington/2003-11-16-fbi-juvenile-dna_x.htm --- Let right be done, though the blackhawks should fall From DaveHowe at gmx.co.uk Mon Nov 17 04:43:43 2003 From: DaveHowe at gmx.co.uk (Dave Howe) Date: Mon, 17 Nov 2003 12:43:43 -0000 Subject: Partition Encryptor References: Message-ID: <01b701c3ad08$70cccf00$c71121c2@exchange.sharpuk.co.uk> Sunder wrote: > Which only works on win9x, and no freeware updates exist for > Win2k/XP/NT. i.e. worthless... There was a payware (but disclosed source) update for NT/2K, and of course E4M (on which the NT driver for scramdisk was based) was always NT compatable and very similar to Scramdisk. I don't think either works on XP though (and of course DriveCrypt by the authors of both scramdisk and E4M is both closed source and product activation - a dark path to walk) E4M can still be downloaded from http://www.samsimpson.co.uk/cryptography/scramdisk/ IIRC E4M could also mount existing scramdisks, but had trouble dismounting them cleanly on W2K. From bogus@does.not.exist.com Mon Nov 17 13:47:05 2003 From: bogus@does.not.exist.com () Date: Mon, 17 Nov 2003 13:47:05 -0800 Subject: [CSL Colloq] Improving the Security Structure through Code Identity * Message-ID: COMPUTER SYSTEMS LABORATORY COLLOQUIUM 4:15PM, Wednesday, November 19, 2003 NEC Auditorium, Gates Computer Science Building B03 http://ee380.stanford.edu[1] Topic: Improving the Security Structure through Code Identity Speaker: John Manferdelli Microsoft Corporation About the talk: What are the current insecurities in current operating systems and what repairs are being made to make the systems secure. About the speaker: [Portrait] As general manager of the Windows Trusted Platform Infrastructures (WTPI) group at Microsoft Corp., John Manferdelli is responsible for providing the strategic direction for the development and integration of security technologies in the Microsoft Windows operating system. (See the web posting for a full biography.) Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corp. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. Contact Infomration John Manferdelli Microsoft Embedded Links: [ 1 ] http://ee380.stanford.edu Distributed poC TINC: Jay Sulzberger Corresponding Secretary LXNY LXNY is New York's Free Computing Organization. http://www.lxny.org _______________________________________________ linux-elitists http://zgp.org/mailman/listinfo/linux-elitists ----- End forwarded message ----- -- Eugen* Leitl leitl ______________________________________________________________ ICBM: 48.07078, 11.61144 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE http://moleculardevices.org http://nanomachines.net [demime 0.97c removed an attachment of type application/pgp-signature] From declan at well.com Mon Nov 17 12:45:20 2003 From: declan at well.com (Declan McCullagh) Date: Mon, 17 Nov 2003 14:45:20 -0600 Subject: Biting, probing questions of President Bush from WH press corps Message-ID: <20031117144520.A19984@baltwash.com> --- THE WHITE HOUSE Office of the Press Secretary _____________________________________________________________________ FOR IMMEDIATE RELEASE November 17, 2003 INTERVIEW OF THE PRESIDENT BY TREVOR KAVANAGH OF "THE SUN" The Oval Office November 14, 2003 9:31 A.M. EST THE PRESIDENT: Have you ever been in the Oval Office before? Q Once, just once -- THE PRESIDENT: Okay. The rug was designed by my wife. Every President gets to design his own rug. You probably didn't know that. Q Fabulous. THE PRESIDENT: I wanted mine -- mine was designed by my wife, Laura. And I wanted people to have a sense of optimism when they came in here, that this is a guy who kind of sees a better world, not a worse world. Sometimes the Oval can be foreboding, and I wanted it to be cheery. So I hope you felt that. This is called, "A Charge To Keep," it's based upon a Methodist hymn. One of America's great imports from England was John Wesley. And it talks about serving something greater than yourself, which speaks to my own personal faith; as a President, it speaks to my need to capture the spirit of America and call on people to serve. You've probably followed some of my domestic policy, but one of the things that's important is to call on people to serve their communities by helping neighbors who hurt. The de Tocquevillean view of America at that point was just, kind of, a civic fabric of loving organizations; part of my vision, as well, is to energize them. The paintings of Texas. That's kind of what my ranch looks like, by a guy named Onderdonk, he's a Texas landscape artist. The blue bonnets are not quite that big. Blair and I -- well, he's been there, and he would recognize kind of the look, if he were here. This is West Texas, where my wife's family was raised. We were both raised in West Texas, but this is farther west than where I was raised. It's called El Paso. But it's a famous Texas artist and historian who painted that. More Texas. The reason I have Texas up there is it's where I'm from. And in this job if you can't figure out who you are -- you better know who you are because of the pressures and the decision making process and all the noise of politics and all that (inaudible). Really quickly, this is a desk given to us by Queen Victoria. A famous desk called the HMS Resolute, and it's wood from the Resolute. The door was put on by Roosevelt to cover his infirmities. Out of the door poked John Kennedy's son -- Q Oh, yes, I remember. THE PRESIDENT: I chose to use this -- Ronald Reagan put the bottom on to make the desk high so it won't bump your knees. I love the desk. I love its history. It does speak to the great relationship between America and Great Britain, I'm sitting at a desk given to our country by Queen Victoria. And, finally, the Churchill bust is on loan from the Brits. Tony Blair knew I was a great admirer of Churchill, so here he sits, along with Lincoln and Eisenhower. That's it, welcome. Q Fantastic. Thank you very much, Mr. President. Where would you like me? THE PRESIDENT: Sit right here, take Vice President Cheney's seat. Q I'm more than a little impressed by being here and by sitting in this seat. THE PRESIDENT: Well, you know, this is a shrine to democracy and we treat it as such. And it's an honor to serve here. Q Well, I would like to thank you on behalf of our readers for giving them and me the time to talk to you. THE PRESIDENT: Well, I'm glad you're here, thanks. Q We're a very pro-American newspaper, and our readers were shocked and deeply moved by September the 11th. And they supported what happened subsequently in Afghanistan, and a little more reluctantly in Iraq, but, in fact, the majority of our readers were behind the action. I think what they would like to know -- we've talked with them in a way which is quite interesting, we actually spent a weekend with about 2,000 of our readers. THE PRESIDENT: Really? (Laughter.) Good marketing tool. (Laughter.) That's interesting. Q Yes. And the one question they wanted to ask you is, is the world a safer place after the conflict than it was before? THE PRESIDENT: Yes, much safer. It's safer for a couple of reasons. One, the free world has recognized the threat. In order to make the world safe you've got to actually see reality. And the reality is that there are cold-blooded killers who were trying to intimidate, create fear, create hostility and to shape the will of the civilized world. And a lot of countries have seen the threat for what it is. So, therefore, step one is recognizing the problem. Tony Blair recognizes the problem, Jose Maria Aznar recognizes the problem, Silvio Berlusconi recognizes the problem -- clearly, the United States recognizes the problem, after all, the clearest indication that we were at war and that the stakes had changed dramatically was September the 11th. After all, we were a country which was able to sit back in our -- kind of in our geographical posture and pick and choose where a threat might emerge and say, we may have to deal with that or we may not deal with it; we were pretty confident that we were protected ourselves by oceans. That changed. And one of my vows to the American people is I won't forget the lessons of September the 11th, 2001. Secondly, the world is safer because the actions we have taken will ultimately strengthen multi-national institutions. Take the theater in Iraq. The United Nations had recognized that Saddam Hussein was a threat, they recognized it in not one resolution, but multiple resolutions -- and, yet, didn't do anything about it. And, therefore, the resolutions became weak, became just words. And as a result of enforcing 1441, which said that you disarm or there will be serious consequences, now when multi-national institutions speak, hopefully, people will take them seriously. And in order to win the war on terror, there needs to be alliance and cooperation. Because these are killers that are capable of hiding in societies, they're patient, they're lethal, they pop up and will destroy. And, by the way, they don't care who they destroy. There are no rules for these people, they will kill children just as soon as they'll kill somebody in a military uniform. Thirdly, the world is safer because there is a -- and, by the way, multi-national forum doesn't necessarily mean U.N. It can also mean collaborations, like the collaboration that's now taking place with North Korea in dealing with Kim Jong-il, who is a threat to peace. And now it's not just the United States dealing with Kim Jong-il, it's the United States, China, South Korea, Japan and Russia in a collaborative effort. Or the fine work -- the initial fine work done by the foreign ministers of Great Britain, France and Germany in telling Iran to get rid of its nuclear ambitions. I say "initial fine work" because the Iranians, in the past, have had clandestine operations. And, therefore, in order to make sure that the words that have been issued to them are true, there must be transparency. Fourthly, we dealt al Qaeda. We are tough on al Qaeda. Now, you know, there are key figures still looming in caves and remote regions of the world, but we're dismantling them. If you were to look at al Qaeda as a business organization, middle management is no longer. That's not to say that they're not grooming junior executives to take over certain roles. But we're tough and we're on their trail and we're still hunting them down. Make no mistake about it. And as a result of dismantling al Qaeda, the world is safer. We've also dealt with the tyrants in Afghanistan, which is an incredibly dangerous regime -- dangerous not only to the free world because they provided housing, training, money, safe haven -- but also they were just tortuous and barbaric to their own people. And in Iraq, Saddam Hussein was clearly a threat to peace. And we can argue about the definition of "serious consequence," and I respect the debate, but no one can justify this man's behavior to his people. We've discovered mass graves with over 300,000 people there, rape rooms and torture rooms. He is paying suiciders to go kill innocent Israelis. He had a weapons program as discovered -- I promise you this is going to be a short answer, eventually; I saw you looking at the clock, your glance can't escape me. (Laughter.) This is an important question. It is the question. Q Of course, absolutely. THE PRESIDENT: David Kay discovered a weapons program that was in material breach of 1441. In other words, it was in violation of precisely what the United Nations had asked him not to do. Saddam Hussein, in 1991, it was assumed that he -- his nuclear weapons program would be active in the out years and, in fact, the inspectors discovered he's got nuclear ambitions, not only real and active, but his program was a lot farther along than we thought. And had he ever developed a nuclear weapon, had he been allowed to have a nuclear weapon, he would have been the ultimate source of international blackmail. And so the removal of Saddam Hussein makes the world safer. And, as importantly, the removal of Saddam Hussein gives the Iraqis a chance to live in freedom, which is the ultimate -- freedom is the ultimate route to security. I strongly believe that free nations are peaceful nations. Free nations are not terrorist havens, do not become terrorist havens. Free nations won't create conditions of strife and resentment that breeds anxiety and terror. And, therefore, the world is becoming safer, is safer and will be even more safe when Iraq becomes free. And Iraq will be free, and it'll be peaceful. And we need peace and freedom in that part of the world. Now, there's an interesting debate going on as to whether or not people, like the Iraqis, will ever adapt the habits of freedom. There's kind of an elitism that takes place -- in our country, in your country and elsewhere, feels, well, certain people can't be free, they can't adapt the habits of democracy. I strongly disagree. I strongly disagree. And so, yes, the world is safer and the world is more peaceful. Q Okay. That answer will resonate with our readers. Nonetheless, there is concern about the events, particularly in the last week or so, when things have escalated. I think this causes concern everywhere. Are we going to increase military presence there? Are we going to pull out? There's a fear that -- THE PRESIDENT: You don't have to worry about us pulling out. Q There's a famous t-shirt, slogan, which shows the American flag and the words, "these colors don't run." Do you stand by that? THE PRESIDENT: Yes, absolutely. Absolutely. Our will is being tested. See, the tactics of the terrorists is to kill as many innocent people as possible and, therefore, try to shape the will of the Iraqis. As progress is made -- and we're making interesting progress, and I'll cite some examples in a minute that I think are fascinating. But as the Iraqis begin to say, wait a minute, life can be better, and their instincts kick in about what it means to live in a free society, the terrorists want to shake that. They want to scare them. They want the police not to become police. And we've got over 118,000 people now, Iraqi citizens in uniform beginning to conduct operations for their own security. They, of course, want to kill our own soldiers, and, therefore, try to shake the will of the American people and the President and the command structure. They killed those Italians. And they were hoping that Berlusconi would say, oh, my goodness, this is too big a fight, we'll leave. We're not leaving. We're staying there to get the job done. Of course we mourn the death of any citizen. But I recognize that it is -- I still remember the death, what happened to us on September the 11th, as well. I was there at Ground Zero right after the attacks and I remember this kind of haze and the smells and the death and destruction. I'll always remember that, of course. And, as I've told you, I vowed not to forget the lessons. Q That changed everything? THE PRESIDENT: Absolutely. Look, what changed for me was sitting on Air Force One and getting the reports that we were under attack. And I made up my mind then, right then, that we didn't need a bunch of legal briefs, I didn't need a bunch of -- you know, let's kind of hold hands and hope to get the right answer -- we were at war and we were going to win the war. And I still feel that same exact determination today that I did then. Q So you'll stay in Iraq even -- THE PRESIDENT: We will do our job. Q -- after there's an interim council, a government which is -- THE PRESIDENT: Yes. There's a lot of talk right now about the political process, as there should be. And we are interested in the Iraqis assuming more responsibility on the political side and on the security side. And a political process in which the Iraqis assume more responsibility will make the security side come together quicker, as well, in our judgment. And, therefore, Bremer came here, he took instructions back from me to talk to the Governing Council to find out what is feasible when it comes to the passing of more power to the Governing Council. That's where we are right there. On the security side, absolutely we're there. The goal is for Iraq to be peaceful and free. I understand the consequences of a free and peaceful Iraq in the midst of the Middle East. We can have the debate all day long as to whether the Middle East will ever adapt the habits of democracy and freedom. I think they will, obviously; and I'm confident they will. I like to tell people in this country, freedom is not America's gift to the world, freedom is not Great Britain's gift to the world, Freedom is the Almighty's gift to everybody in the world. Q And this is what you'll tell the demonstrators? Or this is what you would tell the demonstrators if you had five minutes with them? THE PRESIDENT: Of course I would, absolutely. I will say, you may disagree with our tactics -- nobody likes war, war is my last choice -- if the demonstrators are there as anti-war protestors; they may be there for other reasons, as well, global trade, and I'd be glad to talk to them about that, as well. But in terms of war, I can understand why people are anxious about war. I can understand why citizens in Great Britain, protestor or not, wonders about why a President would commit to war. Because nobody likes war. On the other hand, I would tell them, the skeptics and the critics, that I have a job to protect the security of the United States of America, and that Saddam Hussein was a security risk, as witnessed by the international community speaking loudly on that subject 12 different times. But I would tell those who doubt our policy that we share a common goal, which is peace, and that free societies are peaceful societies. They may say, well, you can't possibly expect a country like Iraq to be free -- and then we'd have an interesting, philosophical debate, because I believe freedom exists in the heart of every single human being. It may take longer for people to accept freedom, if they've been tortured and brutalized like Saddam Hussein did. Secondly, I would tell the skeptics that not only is the world more secure as a result of the decisions we made, the Iraqi people now have a chance to live in a society which is hopeful and optimistic, a society in which you're able to speak your mind, a society in which you don't have to pay homage to a brutal tyrant and his two brutal sons -- which is precisely how they had to live in the past. Q So how do you respond to those people who were polled by the Europe commission and found that America was alongside Iran, North Korea is the second most powerful threat to world peace? THE PRESIDENT: You just have to tell them watch what happens. The world is going to be more peaceful and the free world will be more secure as a result of the decisions we've taken. Q Can I ask you about the special relationship, the role the British soldiers play in Iraq and are still playing? THE PRESIDENT: Sure. Q Would you like to tell me about you feel about our contribution? THE PRESIDENT: Yes, I'll tell you about your troops. They are well trained, they are well motivated and they're really good at what they do. And our soldiers and our generals and our commanders really appreciate being side-by-side with the Brits. They trust them, and that's important. Secondly, in Basra, the Brits have brought an interesting strategy in dealing in Basra because you have dealt in Northern Ireland. In other words, it was kind of a transfer of experience that has been incredibly useful and important. I am really proud of our -- not only our alliance, because it's close now and I intend to keep it that way. I've got a great personal relationship with Tony Blair. Let me tell you something about him just real quick, because it relates also to the trust of the troops. He's a man who comes in here and he says he's going to do something, and as I said -- as they say in Texas, you can book him when he says he's going to do something, you can take it to the bank. Because every time he has said something, he has done it, and I appreciate that a lot. It's not always the way it is in politics -- whether it be domestic or international politics. Sometimes they'll come and look you in the eye and say, "Oh, don't worry, Mr. President, we're with you and behind you," and it turns out they're way behind you, you can't find them when the heat gets on. But that's not the way Tony Blair is, and that's not the way the Brits' command structure is, and that's not the way the soldiers in the field have been. They've been tough and capable. And decent people. That's the other thing about militaries, both our militaries are full of compassionate people. Because not only are we chasing down people and bringing them to justice, as we say, but there are schools being built, orphanages being opened, hospitals being supplied, thanks to compassionate British troops, and American troops, as well, and other troops. It speaks to the honor of our respective militaries, these are honorable people. Q You're going to speak to some of the families of those who have already died in Iraq, and also September the 11th. THE PRESIDENT: Yes. Q You're going to see them, I guess, on Downing Street. THE PRESIDENT: Well, I'm not sure exactly where, but, you bet, I am going to see them. Q What are you going to say to them? THE PRESIDENT: Well, I'm going to first of all ask for God's blessings, because I understand how bad they hurt. I can't imagine what it would be like if I were a mother or a dad to have lost a child. I'm a proud dad, it's got to shatter a person's heart to lose a loved one. And I will do the best I can to provide some comfort. I have done this here in America, as well. It's part of my duty as the leader of this country to comfort those who have sacrificed. I'll also explain to them as best as I can that the sacrifices that their loved one has made is for a noble cause, and that's peace and freedom. I strongly believe that what we're doing today will make it easier for this person's grandchild to grow up in a free world and a peaceful world. I'll tell you an interesting story, kind of dawned on me a while ago. I was talking to Prime Minister Koizumi of Japan in Tokyo -- we were having dinner, actually. And I kind of reflected on what it would be like -- during our dinner, I reflected on what it would be like if America and the allies hadn't done a good job in post-World War II, would I be sitting with a Prime Minister of Japan, with whom I've got great relations, talking about how to deal with Kim Jong-il and North Korea? It's an interesting thought. Q Very interesting. THE PRESIDENT: Beyond that is whether or not somebody 50 years from now is going to be sitting with a leader from Iraq, or any other country in that region, saying, "Thank goodness George W. and Tony Blair held the line, because I'm now able to deal with terrorist threats or potential terrorist threats with an ally; I'm able to help bring more peace to the world." Presidents and Prime Ministers should never worry about their short-term history, how they're viewed in short-term history. There's no such thing as short-term history, except for the musings of somebody who's not very objective to begin with. Because if you set big goals and work on big items, the President or the Prime Minister won't be around to see the effects of those policies. And, therefore, I don't worry about the short-term history. I think in terms of long-term history I know what we're doing now is going to have an effect, a positive effect on this world. Q Can I just backtrack a little? THE PRESIDENT: Sure. Q You were talking earlier about the contributions countries like Britain and Italy have made and others. THE PRESIDENT: Spain, Poland, a lot of people. Q You didn't mention France and Germany in that -- you seem very critical of France. THE PRESIDENT: Look, my attitude is the past is there, it's past, and now let's go on. I'll tell you one example of why that attitude is important, and that is Germany's contribution in Afghanistan. And it's a positive contribution -- more than positive, it's incredibly helpful. They've got a number of troops there. It's the first deployment of German troops, as I understand, outside of their soil since World War II. It's a positive -- yes, I think that's right, check the facts. But, anyway, it's helpful, really helpful. Q And NATO? THE PRESIDENT: Yes, NATO is important. Q But France is a semi-detached member of NATO -- THE PRESIDENT: Well, it's a historic role -- Q They won't be a rival -- THE PRESIDENT: I certainly hope not. See, there's no need to rival the United States and our friends. Our goals are peace. Q But France wants to counter. THE PRESIDENT: You mean multi-polarity? Well, I think we need to work against multi-polarity, and the reason why I know we need to work against multi-polarity is a Europe working with American can do a lot together. A united Europe working with America can do a lot together. We can promote peace. We can fight off terror, which is necessary, and there needs to be full cooperation in order to defeat the terrorists. We can work on issues like global AIDS. I'm real proud of our country's contribution to global AIDS. Just to give you a sense of my feeling on this, we are a fortunate country. We're prosperous -- and by the way, we're becoming more prosperous, which is good news. Q I'd like to ask you about that. THE PRESIDENT: Okay. But I believe we owe a lot to the world's peace and we owe a lot to those who suffer, because of our fortune, because of our wealth. I'm proud of the fact that Congress has supported my initiative to provide a large sum of money. And, as importantly, I'm proud of our NGOs and faith-based organizations that are willing to help provide the infrastructure so that we can get help to beat this pandemic. We're a prosperous country, and yet in our world an entire generation is about to be wiped out. And I feel strongly about America's need to be involved and Europe's need to be involved in this issue, together, just like I feel strongly we need to provide food for the hungry, just like I feel strongly that when we see tyranny, that we need to work for freedom. Every situation, of course, doesn't require military action. I just repeat -- I want your readers to know, the military is my last choice, not my first choice. See, I understand the consequences of war. I understand the risks of war. I understand firsthand, particularly when I go and hug the moms and dads and brothers and sisters and sons and daughters of those who died. I also see the consequences of not acting, of hoping for the best in the face of these tyrannical killers. So, therefore, our foreign policy will be active, we'll work closely with our friends and allies, and we're going to stay on the offensive against the terrorists. Q Let me just ask you one quick question on the economy. THE PRESIDENT: Yes. Q It's going great guns. You're revising figures upwards. You introduced tax cuts. You promised tax cuts, you introduced them. Is this a message to the rest of the world, too? THE PRESIDENT: Well, I think people ought to look at pro-growth policies and how to stimulate the entrepreneurial spirit. To me, one of the unique qualities of our country is the individualism of our country and the willingness of people to take risks to better themselves. Most new jobs in America are created by small businesses, and that's an exciting aspect of our economy, because it not only is good economics to have the job hiring dispersed throughout society, it also is such a hopeful part of our economy. When you think about somebody in America can start their own business and grow it, and then actually own something. They become the owner of this piece of property. Our tax policy was very effective at stimulating small business growth, because most small businesses pay tax at the individual income tax level. When you hear small business or small corporation, you think, corporate tax. But in America most small businesses are sole proprietorships or Subchapter S's, so that when we cut all rates -- not trying to select rate cuts, but all rates -- it really affected capital formation in the small business. This economy, and this country, more importantly, is tough and resilient. We've been through a lot. When I showed up here, we were in recession. I guess we were headed into recession. But the first -- I show up -- Dick Cheney and I are here, we get sworn in, in late January, and the first quarter of '01 is recession, or the beginnings of a recession. And then the attacks hurt us, and we had corporate scandals. But I think the world is beginning to see America will deal with corporate scandals in a tough way. It doesn't matter whether you're -- we will hold people to account. I believe, in criminal matters, that there has to be consequences for bad behavior, and clear consequences, and that's how you deter bad behavior. And our SEC and our prosecutors are moving quickly. The war affected people. But we're overcoming that. It's not only good tax policy, but we've got to work on making sure Congress doesn't overspend, and that's tough. But I'm holding the line. We've done pretty good on our budget agreements, so far. We need better legal policy. I've been pushing tort reform at the national level on class action suits. All of which make it easier for people to kind of calculate risk when it comes to employing capital, which is the essence of promoting the entrepreneurial spirit. Trade is a very important element. I'll be dealing -- real quickly -- I'm going to take a good look at the steel issue. The International Trade Commission made a ruling. It said our industry was being harmed by imports. I felt I had an obligation to take that report seriously, which I did. I imposed tariffs to see whether or not, to give the -- breathing room for the industry to restructure. I'm not analyzing the extent to which they restructured. Having said that, I am a fierce free trader. I believe in free trade. I know free trade is important between America and Great Britain. And I will continue to resist any protectionist tendencies here. In order for us to be free traders, however, we've got to enforce the rules of free trade. And I was doing so through the International Trade Commission's report. Sorry I cut you off. Q Not at all. THE PRESIDENT: First Lady Bush is standing out there. We're getting ready to award the National Humanities Award here. Q Many thanks. THE PRESIDENT: See you over there. END 10:02 A.M. EST ----- End forwarded message ----- From nobody at cryptofortress.com Mon Nov 17 14:01:41 2003 From: nobody at cryptofortress.com (Anonymous) Date: Mon, 17 Nov 2003 16:01:41 -0600 (CST) Subject: Cypherpunks meetings? Message-ID: >Are the Bay Area Cypherpunks meetings finally dead? It's been ages since >I've seen anything about them. Well, chicks are gone, there is a risk from fatherland security troopers, many armchair cypherpunks are unemployed, the very few left cannot stand each other ... Having said that, if San Francisco can have those dumb but quite anonymous flash mobs, maybe it's time for ... SAN FRANCISCO FLASH CYPHERPUNKS ! Three locations will be given in downtown area this Sat, partitioning to be done by birthdate (or your PGP key fingerprint's last digit.) In each of these at exactly 1pm an 802.11b access point will come to life. You'll need to break 40-bit WEP to get in. Once there, attempt to access any http server will result in page describing the meeting location. From mv at cdc.gov Mon Nov 17 21:06:07 2003 From: mv at cdc.gov (Major Variola (ret.)) Date: Mon, 17 Nov 2003 21:06:07 -0800 Subject: crypto, surveillance, RF for uk bush burners Message-ID: <3FB9A8BF.B9FE7AF5@cdc.gov> Protest Is in the Airwaves on Eve of Bush UK Visit Mon Nov 17,10:46 AM ET By Bernhard Warner, European Internet Correspondent LONDON (Reuters) - With President Bush (news - web sites) due to touch down on British soil Tuesday, Internet message boards, mobile phones and pagers are buzzing with the sounds of protest, and police are scrambling to catch every word. Since the 1999 World Trade Organization (news - web sites) riots in Seattle, the protester's toolkit has gone noticeably high-tech, embracing the latest Internet and mobile technologies for everything from selling T-shirts for the cause to coordinating mass demonstrations. Handheld gadgets, equipped with global positioning systems and Internet access, are being used to mobilize groups quickly and catch police on the hop. "What you have now is the equivalent of battlefield soldiers. That's what the technology has created," said a London-based telecommunications security expert who advises law enforcement units. British police have a special task force that follows how everyday technologies are being used to plot mass demonstrations and avoid the long arm of the law should violence break out. Forces across Britain are preparing for anti-Bush protests this week which are expected to attract more than 60,000 demonstrators, by combing protest groups' Web sites and message boards for clues on their plans. A number of anti-war organizations, including Stop the War, have been openly detailing their plans for rallies and demonstrations. The group's site, www.stopthewar.org.uk, is expected to reach a one-day peak of 23,000 visitors on Monday, said John Rees, a group co-founder. The group has a small, but growing e-commerce business, selling various items, such as "wanted" posters of Bush and Prime Minister Tony Blair (news - web sites) for one pound ($1.69) and leaflets at 1,000 for 10 pounds. Rees said the group can reach thousands of people with a single e-mail and via mobile phone text alerts. "With new technology, we've moved with the times, not necessarily ahead of the times," he said. The bigger concern for police are groups that operate underground. Some use sophisticated encryption techniques favored by the military to disguise the content of e-mail messages and Internet postings, the security expert said. But it is the sophistication of hand-held devices that have police on the look-out. Internet-enabled phones and gadgets are capable of sending and receiving elaborate messages detailing meeting locations, maps and last-minute instructions to fellow protesters in the streets. The widespread use of picture phones is also a concern as the could be used to capture images of the police officers. "Some of these guys run counter-intelligence. They want to know who the cops are. With a mobile phone that's equipped with a camera you could start your own database of cops," he said. ($1=.5919 Pound) http://news.yahoo.com/news?tmpl=story2&cid=575&u=/nm/20031117/wr_nm/bush_britain_gadgets_dc_2&printer=1 ---- An RPG a day keeps the invaders away or at least not re-electable From shaddack at ns.arachne.cz Mon Nov 17 12:48:16 2003 From: shaddack at ns.arachne.cz (Thomas Shaddack) Date: Mon, 17 Nov 2003 21:48:16 +0100 (CET) Subject: OpenLinux: Key validity bug in GnuPG 1.2.1 and earlier (fwd) Message-ID: <0311172147560.-1339673484@somehost.domainz.com> ---------- Forwarded message ---------- Date: Mon, 17 Nov 2003 10:56:58 -0800 Subject: OpenLinux: Key validity bug in GnuPG 1.2.1 and earlier From: security at sco.com To: announce at lists.caldera.com, bugtraq at securityfocus.com, full-disclosure at lists.netsys.com, security-alerts at linuxsecurity.com From pgut001 at cs.auckland.ac.nz Mon Nov 17 03:51:52 2003 From: pgut001 at cs.auckland.ac.nz (Peter Gutmann) Date: Tue, 18 Nov 2003 00:51:52 +1300 Subject: Partition Encryptor Message-ID: <200311171151.hAHBpqV31692@cs.auckland.ac.nz> "Stirling Westrup" writes: >Does anyone know of a good partition encryptor for Windows? I know of an >accountant who would like to encrypt her client's financial data. She's stuck >with Windows until such time as a major company starts shipping yearly tax >software for linux. > >Something like PGPdisk, only open source, would be best. ScramDisk (Win9x) or E4M (Win2K) will do it if she can handle a container- volume encryptor rather than a partition encryptor, both are open source. E4M needs some minor updates for XP by someone who knows about NT device drivers, otherwise you'll occasionally get problems unmounting volumes. Peter. From s.schear at comcast.net Tue Nov 18 09:25:35 2003 From: s.schear at comcast.net (Steve Schear) Date: Tue, 18 Nov 2003 09:25:35 -0800 Subject: Stego SPAM Message-ID: <5.2.1.1.0.20031118092453.05f95588@mail.comcast.net> http://www.spammimic.com/index.shtml Not new to this group but interesting. steve From declan at well.com Tue Nov 18 08:01:03 2003 From: declan at well.com (Declan McCullagh) Date: Tue, 18 Nov 2003 11:01:03 -0500 Subject: PELOSI and DASCHLE--Photo Op/Meeting with Seniors on Medicare Pre scription Drug Bill Today at 3:45 p.m. Message-ID: <6.0.0.22.2.20031118110003.021932a8@mail.well.com> Exciting. My camera is already charged up and ready to go. >News >From House Democratic Leader Nancy Pelosi >H-204, The Capitol, Washington D.C. 20515 > >http://democraticleader.house.gov > >Tuesday, November 18, 2003 >Contact: Brendan Daly/Jennifer Crider, 202-225-0100 > >Media Advisory > >Pelosi, Daschle, Others Hold Photo Op/Meeting with Seniors on Medicare >Prescription Drug Bill > >Washington, D.C. -- House Democratic Leader Nancy Pelosi, Senate >Democratic Leader Tom Daschle, and Senator Ted Kennedy, along with >Democratic Medicare conferees, will meet with seniors and Medicare >advocacy groups today to hear their concerns about the Republican Medicare >prescription drug bill. There will be a photo opportunity at the >beginning of the meeting. > >Who: Democratic Leadership and Democratic Medicare Conferees, >Seniors and Medicare Advocacy Groups: > > House Democratic Leader Nancy Pelosi > Senate Democratic Leader Tom Daschle > Senator Ted Kennedy > Senator Jay Rockefeller > Congressman John Dingell, Ranking Member, Energy and > Commerce Committee > Congressman Charlie Rangel, Ranking Member, Ways and > Means Committee > Congressman Marion Berry > Medicare advocacy groups > Seniors concerned about the legislation > >What: Meeting with seniors and advocacy groups and photo >opportunity on Medicare prescription drug bill > >When: Today, Tuesday, November 18; 3:45 p.m. > >Where: LBJ Room (S-211) > U.S. Capitol > ># # # From declan at well.com Tue Nov 18 10:29:52 2003 From: declan at well.com (Declan McCullagh) Date: Tue, 18 Nov 2003 12:29:52 -0600 Subject: Gestapo harasses John Young, appeals to patriotism, told to fuck off In-Reply-To: <35B20BC1-14CD-11D8-9E9D-000A956B4C74@got.net>; from timcmay@got.net on Tue, Nov 11, 2003 at 09:01:00PM -0800 References: <53b5b1051cb213d8579fdafc02595be8@ecn.org> <35B20BC1-14CD-11D8-9E9D-000A956B4C74@got.net> Message-ID: <20031118122952.B31211@baltwash.com> On Tue, Nov 11, 2003 at 09:01:00PM -0800, Tim May wrote: > People should not talk to the Feds. If the Feds come calling, refer > them to one's lawyer. For those who don't have a lawyer on retainer, > tell them that you need to consult with a lawyer first. Whether you do > or you don't is beside the point. The point is to not talk to them. This is sound advice of course, as is the point about not inviting federal police into your home. When I was served with the Carl Johnson subpoena, I had had a party the night before and one fellow (a 20something sysadmin from Baltimore) was asleep on the couch in the front room. At the sound of the doorbell, he opened the door and let the federal process server into the front hallway. Moral of this story is to make sure your houseguests know your house rules. Even if you don't have a lawyer on retainer, and I suspect few folks here do, saying you need to consult with one will provide you with time to give the local ACLU affiliate a call. Also law school legal clinics can be useful sources of free advice in a pinch. -Declan From wk at gnupg.org Tue Nov 18 07:41:56 2003 From: wk at gnupg.org (Werner Koch) Date: Tue, 18 Nov 2003 16:41:56 +0100 Subject: OpenLinux: Key validity bug in GnuPG 1.2.1 and earlier (fwd) In-Reply-To: <0311172147560.-1339673484@somehost.domainz.com> (Thomas Shaddack's message of "Mon, 17 Nov 2003 21:48:16 +0100 (CET)") References: <0311172147560.-1339673484@somehost.domainz.com> Message-ID: <871xs5znsr.fsf@alberti.g10code.de> On Mon, 17 Nov 2003 21:48:16 +0100 (CET), Thomas Shaddack said: > Subject: OpenLinux: Key validity bug in GnuPG 1.2.1 and earlier > Advisory number: CSSA-2003-034.0 > Issue date: 2003 November 17 Cool SCO: One of the earliest advisories I have ever seen. The fixed GnuPG 1.2.2 and our security advisory have been released more than 6 months ago :-) Werner From jya at pipeline.com Tue Nov 18 19:51:58 2003 From: jya at pipeline.com (John Young) Date: Tue, 18 Nov 2003 19:51:58 -0800 Subject: Gestapo harasses John Young, appeals to patriotism, told to fuck off In-Reply-To: <20031118122952.B31211@baltwash.com> References: <35B20BC1-14CD-11D8-9E9D-000A956B4C74@got.net> <53b5b1051cb213d8579fdafc02595be8@ecn.org> <35B20BC1-14CD-11D8-9E9D-000A956B4C74@got.net> Message-ID: Declan wrote: >Even if you don't have a lawyer on retainer, and I suspect few folks >here do, saying you need to consult with one will provide you with >time to give the local ACLU affiliate a call. Also law school legal >clinics can be useful sources of free advice in a pinch. I've consulted a lawyer or two about Cryptome, and their advice is don't do it, but if you do we're here. So I no longer ask for legal advice. My advice, and it's legally superior to legal advice: take care of yourself, the threats are not as bad as the advisors advise. Most lawyers I've dealt with advise to get along with the system, which may be sound legal advice but shitty for dissent. I spend several thousand dollars a year on legal services for business and personal matters, but not for Cryptome. Abiding legal advice would kill the varmint. I once proposed to Declan that he get thrown in jail for his reporting, to give a big boost to his credibility and career, to break away from the getalong pack. That was in Tacoma, in the Federal Courthouse cafeteria, taking a break from the Bell show trial. I'd like to visit Declan in the pokey, sneak him a tube of getalong lubricant. From ravage at einstein.ssz.com Tue Nov 18 18:02:45 2003 From: ravage at einstein.ssz.com (Jim Choate) Date: Tue, 18 Nov 2003 20:02:45 -0600 (CST) Subject: Physics News Update 662 (fwd) Message-ID: ---------- Forwarded message ---------- Date: Tue, 18 Nov 2003 11:34:46 -0500 From: physnews at aip.org To: ravage at SSZ.COM Subject: Physics News Update 662 PHYSICS NEWS UPDATE The American Institute of Physics Bulletin of Physics News Number 662 November 18, 2003 by Phillip F. Schewe, Ben Stein, and James Riordon A LIQUID WALL IN A FUSION ENERGY DEVICE has improved the performance [SSZ: text deleted] ELECTRON SPINS CAN CONTROL NUCLEAR SPINS in a semiconductor when trapped in a very confined space, a recent experimental development which calls upon laser science, solid-state physics, and nuclear magnetic resonance. David Awschalom and his colleagues at the Center for Spintronics and Quantum Computation at UC Santa Barbara begin by lithographically creating a quantum well, an extremely thin, practically two-dimensional region inside a semiconductor capable of trapping electrons. First, a laser pulse injects polarized electrons (their spins have a definite orientation determined by the laser's polarization) into the well. Once in the well, the tiny disk of electrons (with a radius of about 20 microns but a thickness of only 20 nm) can be controllably moved along one axis, much as an abacus bead can be slid along a wire, by simply changing a voltage. In this case, the disk can be positioned with nm-accuracy. The nuclei of atoms residing within the thin volume occupied by the spin-polarized electrons will in turn be polarized; that is, the spin of these nuclei will tend to align themselves with the spin of the electrons. The result is an extremely thin region---equivalent to the thickness of several tens of atoms--- of polarized nuclei which can be precisely positioned by changing a single voltage. These thin sheets of nuclear polarization could constitute the basic elements of an information storage device in which nuclear spin determines the logical state of the system. One may ask, why not take out the "middle man" and just use the electron spin to encode information? The answer: nuclear spins have a weaker interaction with the surrounding environment than electron spins. While harder to flip, once oriented, nuclear spins preserve their state longer than do electrons. One may also wonder, why not just use some large magnet to orient the nuclear spins? Why use electrons as intermediaries? The answer: all-electronic control of spin is desirable because electric fields are so much easier to control and create on a small scale than magnetic fields. They are scalable and easy to implement, while it is notoriously hard to produce large and localized magnetic fields. In addition, all of our current integrated circuit technology is based on charge and electric field; it would certainly be helpful to manipulate spin using "knobs" which are well developed and familiar to engineers. Awschalom (awsch at physics.ucsb.edu, 805-893-2121) believes this current result is the first step toward the establishment of an all-electrical manipulation of countable numbers of nuclear spins.(Poggio et al., Physical Review Letters, 14 November 2003) *********** PHYSICS NEWS UPDATE is a digest of physics news items arising from physics meetings, physics journals, newspapers and magazines, and other news sources. It is provided free of charge as a way of broadly disseminating information about physics and physicists. For that reason, you are free to post it, if you like, where others can read it, providing only that you credit AIP. Physics News Update appears approximately once a week. AUTO-SUBSCRIPTION OR DELETION: By using the expression "subscribe physnews" in your e-mail message, you will have automatically added the address from which your message was sent to the distribution list for Physics News Update. If you use the "signoff physnews" expression in your e-mail message, the address in your message header will be deleted from the distribution list. Please send your message to: listserv at listserv.aip.org (Leave the "Subject:" line blank.) From jays at panix.com Wed Nov 19 01:25:35 2003 From: jays at panix.com (Jay Sulzberger) Date: Wed, 19 Nov 2003 04:25:35 -0500 (EST) Subject: [linux-elitists] STANFORD LOCAL: Wednesday 19 November 2003: Microsoft will claim that Palladium is good for you, Richard Stallman asks your help in telling the truth Message-ID:
---------- Forwarded message ---------- Date: Tue, 18 Nov 2003 18:04:00 -0500 From: Richard Stallman Subject: Microsoft speech at Stanford where we need people to show up At this event tomorrow, Microsoft will try to present Palladium as a security measure. It would be useful if a few people who understand the issues of treacherous computing and security could show up there and point out flaws in that argument meant to justify Palladium. Flaws could include (1) that in practice this "solution" wouldn't solve the whole problem unless users' usage is grievously limited, and (2) you could do as much for security in other ways that won't attack the user's freedom. From adam at homeport.org Wed Nov 19 05:57:57 2003 From: adam at homeport.org (Adam Shostack) Date: Wed, 19 Nov 2003 08:57:57 -0500 Subject: Freedomphone In-Reply-To: <000001c3ab25$cb949d80$6601a8c0@VAIO650> References: <000001c3ab25$cb949d80$6601a8c0@VAIO650> Message-ID: <20031119135757.GB60803@lightship.internal.homeport.org> http://www.wired.com/news/technology/0,1282,61289,00.html?tw=wn_tophead_7 > "We allow everyone to check the security for themselves, because > we're the only ones who publish the source code," said Rop Gonggrijp > at Amsterdam-based NAH6. Gonggrijp, who helped develop the software, > owns a stake in Germany's GSMK. Alas, the phones are 3500 Euro a pair. > At that price it is targeting executives, lawyers and bankers who > regularly swap market sensitive information on mergers and lawsuits, > and for whom privacy is worth paying for. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From timcmay at got.net Wed Nov 19 09:29:30 2003 From: timcmay at got.net (Tim May) Date: Wed, 19 Nov 2003 09:29:30 -0800 Subject: Ashcroft's bake sale, no questions allowed, gvt-issued photo ID required In-Reply-To: <6.0.0.22.2.20031119113753.02b49488@mail.well.com> References: <6.0.0.22.2.20031119113753.02b49488@mail.well.com> Message-ID: On Nov 19, 2003, at 8:38 AM, Declan McCullagh wrote: > PRESS GUIDANCE > WEDNESDAY, NOVEMBER 19, 2003 > > ATTORNEY GENERAL > NOTE: Media must enter the Department at the center entrance on > Constitution Avenue, N.W., between Ninth and Tenth Street. ALL media > MUST PRESENT GOVERNMENT-ISSUED PHOTO ID (such as driver's license) as > well as VALID MEDIA CREDENTIALS. A mult-box will be available. Press > inquiries regarding logistics should be directed to Heather Cutchens > at (202) 532-5403. > "VALID MEDIA CREDENTIALS." Nice to know the AG is enforcing reporter licensing. --Tim May From eugen at leitl.org Wed Nov 19 01:44:04 2003 From: eugen at leitl.org (Eugen Leitl) Date: Wed, 19 Nov 2003 10:44:04 +0100 Subject: [linux-elitists] STANFORD LOCAL: Wednesday 19 November 2003: Microsoft will claim that Palladium is good for you, Richard Stallman asks your help in telling the truth (fwd from jays@panix.com) Message-ID: <20031119094404.GF30063@leitl.org> ----- Forwarded message from Jay Sulzberger ----- From eugen at leitl.org Wed Nov 19 02:00:35 2003 From: eugen at leitl.org (Eugen Leitl) Date: Wed, 19 Nov 2003 11:00:35 +0100 Subject: [silk] bloody hell. (fwd from udhay@pobox.com) Message-ID: <20031119100035.GJ30063@leitl.org> ----- Forwarded message from Udhay Shankar N ----- From udhay at pobox.com Tue Nov 18 21:42:55 2003 From: udhay at pobox.com (Udhay Shankar N) Date: Wed, 19 Nov 2003 11:12:55 +0530 Subject: [silk] bloody hell. Message-ID: Suresh Ramasubramanian wrote [ at 07:23 AM 11/18/2003 ]: >That's all I can say after reading this - I'm speechless. > >http://observer.guardian.co.uk/uk_news/story/0,6903,1086397,00.html?=rss http://news.bbc.co.uk/1/hi/technology/3280611.stm BBC NEWS | Technology | Mobile users told to 'chase Bush' Last Updated: Tuesday, 18 November, 2003, 14:20 GMT Protesters angry about the "security bubble" around President George Bush on his UK visit are being asked to use gadgets to be heard and seen. The Chasing Bush campaign is asking people to "disrupt the PR" of the visit by spoiling stage-managed photos. They are being encouraged to send location reports and images by mobile to be posted on the Chasing Bush site. "We want to give people a chance to be a visible voice of dissatisfaction," said campaign organiser Tim Ireland. Not smiling Technologies like text messaging and weblogs have been successfully used in the past to co-ordinate routes and meet-up points for mass protests. But the gadgets are now being used more proactively to make protests more visible and disrupt any potential stage-managing of the President's visit. "We have been described as a second generation smart mob. We are encouraging people to use camera phones and send us e-mails with photos," campaign co-organiser Richard Wild explained to BBC News Online. "We are trying to spoil the PR, so we are not doing anything directly, but encouraging people to protest by turning their backs in press photos so they can't be used." The campaign organisers have also asked people to go into protest "exclusion zones" to send SMS updates and on-location reports about his appearances, and events at protests. "We want to show everyone in the world we are doing this and we using the web channels to influence mainstream channels as much as possible," said Mr Ireland. All the messages and pictures will be posted on the website as soon as they are received. The site has been designed to be low bandwidth so it can be updated in real time via appropriate mobile phones using GRPS or laptops from anywhere, said Mr Wild. Bush's 'bubble' The massive security measures for the President's visit are unprecedented. A huge #5m police operation has been mounted with 14,000 officers covering the visit. Tens of thousands of demonstrators are expected at an anti-war march on Thursday. Protests about Bush's visit began on Monday The security measures have been put in place in response to fears about public disorder, but also a heightened terrorist threat from al-Qaeda. A ring of 700 of the President's own secret service agents and security advisers will surround him in a mobile "bubble" amid fears of terror attacks. Some newspapers and websites were reporting mobile phone signals could be blocked for fear they could remote-control a bomb. But Scotland Yard has denied reports that police were considering shutting mobile phone masts during protests. A spokesperson told BBC News Online they were "not prepared to discuss matters of security". Although it "would be extremely unusual to do that, and authority would have to be cleared with all the appropriate regulators." -- ((Udhay Shankar N)) ((udhay @ pobox.com)) ((www.digeratus.com)) ----- End forwarded message ----- -- Eugen* Leitl leitl ______________________________________________________________ ICBM: 48.07078, 11.61144 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE http://moleculardevices.org http://nanomachines.net [demime 0.97c removed an attachment of type application/pgp-signature] From declan at well.com Wed Nov 19 08:38:21 2003 From: declan at well.com (Declan McCullagh) Date: Wed, 19 Nov 2003 11:38:21 -0500 Subject: Ashcroft's bake sale, no questions allowed, gvt-issued photo ID required Message-ID: <6.0.0.22.2.20031119113753.02b49488@mail.well.com> PRESS GUIDANCE WEDNESDAY, NOVEMBER 19, 2003 ATTORNEY GENERAL WASHINGTON, D.C.- Attorney General John Ashcroft will deliver welcoming remarks at the Department of Justice Fallfest at 11:10 A.M. EST. Local farmers will offer herbs, jams, baked goods, and fresh-from-the-farm seasonal vegetables for purchase. CFC charities that work to reduce hunger in our community will be present. There will be no questions and answers. WHO: Attorney General Ashcroft WHAT: Remarks at the Department of Justice Fallfest WHEN: 11:10 A.M. EST Media arrival and registration BY 10:00 A.M. EST due to extra security measures WHERE: The Great Hall Main Justice Building Constitution Avenue NW Washington, D.C. 20530 NOTE: Media must enter the Department at the center entrance on Constitution Avenue, N.W., between Ninth and Tenth Street. ALL media MUST PRESENT GOVERNMENT-ISSUED PHOTO ID (such as driver's license) as well as VALID MEDIA CREDENTIALS. A mult-box will be available. Press inquiries regarding logistics should be directed to Heather Cutchens at (202) 532-5403. Attorney General John Ashcroft will hold a photo-op with Solicitor General of Canada Wayne Easter at 12:00 P.M. EST. There will be no questions and answers. From s.schear at comcast.net Wed Nov 19 12:59:36 2003 From: s.schear at comcast.net (Steve Schear) Date: Wed, 19 Nov 2003 12:59:36 -0800 Subject: Freedomphone In-Reply-To: References: <20031119135757.GB60803@lightship.internal.homeport.org> Message-ID: <5.2.1.1.0.20031119125744.06ad0ff8@mail.comcast.net> At 01:39 PM 11/19/2003 -0500, Jack Lloyd wrote: > > > "We allow everyone to check the security for themselves, because > > > we're the only ones who publish the source code," said Rop Gonggrijp > >"We are currently performing a internal round of reviews with a expert >group of security researchers and cryptographers. Depending on the results >of this review and the time it takes us to implement the relevant >recommendations, our current plan is to have the Source available for >Download: 23.11.2003" (http://www.cryptophone.de/html/downloads_en.html) > >We'll see. If and when this is accomplished the source could then be used, if it can't already, for PC-PC secure communications. A practical replacement for SpeakFreely may be at hand. The limitation of either direct phone or ISDN connection requirement is a problem though. steve From lloyd at randombit.net Wed Nov 19 10:39:15 2003 From: lloyd at randombit.net (Jack Lloyd) Date: Wed, 19 Nov 2003 13:39:15 -0500 (EST) Subject: Freedomphone In-Reply-To: <20031119135757.GB60803@lightship.internal.homeport.org> Message-ID: > > "We allow everyone to check the security for themselves, because > > we're the only ones who publish the source code," said Rop Gonggrijp "We are currently performing a internal round of reviews with a expert group of security researchers and cryptographers. Depending on the results of this review and the time it takes us to implement the relevant recommendations, our current plan is to have the Source available for Download: 23.11.2003" (http://www.cryptophone.de/html/downloads_en.html) We'll see. From s.schear at comcast.net Wed Nov 19 14:47:29 2003 From: s.schear at comcast.net (Steve Schear) Date: Wed, 19 Nov 2003 14:47:29 -0800 Subject: Freedomphone In-Reply-To: <058a01c3aee8$295ca910$01c8a8c0@broadbander> References: <20031119135757.GB60803@lightship.internal.homeport.org> <5.2.1.1.0.20031119125744.06ad0ff8@mail.comcast.net> Message-ID: <5.2.1.1.0.20031119144534.06aa0090@mail.comcast.net> At 09:57 PM 11/19/2003 +0000, Dave Howe wrote: >Steve Schear wrote: > > If and when this is accomplished the source could then be used, if it > > can't already, for PC-PC secure communications. A practical > > replacement for SpeakFreely may be at hand. The limitation of either > > direct phone or ISDN connection requirement is a problem though. >*nods* it is over a POTS or ISDN (ie, normal phone) conversation, not over >IP. have to wait and see what the code looks like to see exactly what crypto >and how it is keyed as well. > >as a related aside - does anyone know of a decent SIPS VoIP implimentation? >preferably one that uses some sort of PKI? No, but this may be of interest. http://www.technologyreview.com/articles/wo_hellweg111903.asp Its closed source but claims to use AES. steve From declan at well.com Wed Nov 19 12:17:50 2003 From: declan at well.com (Declan McCullagh) Date: Wed, 19 Nov 2003 15:17:50 -0500 Subject: 9th Cir. lets prisoners get books, rejects "encrypted" claim Message-ID: <6.0.0.22.2.20031119151624.02116a30@mail.well.com> TODD LEWIS ASHKER, Plaintiff-Appellee, v. CALIFORNIA DEPARTMENT OF CORRECTIONS; JAMES GOMEZ; G. BONNIE GARIBAY; S. BONACCORSO; M. JENSEN; S. CAMBRA; S. STEINBERG, M.D.; WINSLOW; DR. ASTORGA; C. GOLLIHAR; S. RICCI, M.T.A.; K. BUTCHER; B. PATTON; M. BILLINGTON; B. GRINSTEAD; JOE MCGRATH, Warden, Defendants-Appellants. No. 02-17077 UNITED STATES COURT OF APPEALS FOR THE NINTH CIRCUIT October 7, 2003, Argued and Submitted, San Francisco, California November 18, 2003, Filed PRIOR HISTORY: [*1] Appeal from the United States District Court for the Northern District of California. D.C. No. CV 97-1109 CW. Claudia Wilken, District Judge, Presiding. ... OPINION: TASHIMA, Circuit Judge: Defendants-Appellants, the California Department of Corrections and various prison officials (collectively, "CDC"), appeal an order of the district court granting summary judgment in favor of Plaintiff-Appellee, Todd Lewis Ashker, and issuing a permanent injunction against CDC. Ashker, a state prisoner housed in the Security Housing Unit ("SHU") at Pelican Bay State Prison ("PBSP"), challenged a prison policy requiring books and magazines mailed to the prison to have an approved vendor label affixed to [*2] the package. In a published opinion, the district court granted summary judgment in favor of Ashker because the policy unreasonably burdened Ashker's First Amendment rights and was not rationally related to a legitimate penological objective. Ashker v. Cal. Dep't of Corr., 224 F. Supp. 2d 1253, 1262 (N.D. Cal. 2002). The court further held that Ashker was entitled to injunctive relief and issued a permanent injunction enjoining PBSP from enforcing the book label requirement. Id. at 1263-64. Our jurisdiction is pursuant to 28 U.S.C. '' 1291 and 1292(a). n1 We affirm. ... Glen Rodman, a sergeant at PBSP in Receiving and Release ("R&R"), explained that the majority of SHU inmates are involved in gang activity and are therefore likely to receive contraband in the mail, such as books containing drugs or encrypted with gang messages. All items received by PBSP are inspected for contraband and may further be inspected by a fluoroscope machine. Because such machines cannot detect encrypted material, the book label requirement is an additional security measure designed "to help ensure that reading material comes directly from the vendor, as opposed to passing through an unknown third party." According to Rodman, "an additional purpose served by the book label requirement is to reduce the amount of material that is required to be individually screened by" the three R&R staff members who are responsible for tracking the mail, searching it for contraband, and delivering approved materials to inmates. ... We agree with the district court that the evidence submitted by both Ashker and CDC "refutes any common-sense connection between the book label policy and PBSP's legitimate goals of ensuring against contraband and providing prison safety." Ashker, 224 F. Supp. 2d at 1260. When the inmate presents such evidence, the state is required to "'present enough counter-evidence to show that the connection is not so remote as to render the policy arbitrary or irrational.'" Prison Legal News, 238 F.3d at 1150 (quoting Frost, 197 F.3d at 357). CDC has failed to do so. First, CDC already [*12] requires that books be sent directly from approved vendors. As the district court reasoned, prison staff can easily determine whether packages have been sent directly by vendors or have been sent to a third party first by checking address labels and invoices. See Ashker, 224 F. Supp. 2d at 1261. If the package had been sent to a third party, who then sent the package to the prisoner, the vendor's address label and invoice would indicate that fact. Requiring R&R staff to check the address label seems no more burdensome than requiring them to check for the vendor label and the vendor stamp in the appropriate box on the label. CDC has presented no evidence or argument to refute this reasoning. Second, all personal property received by inmates in the mail is searched prior to delivery. CDC contends that these searches are not always effective, pointing out that contraband has been missed due to human error. However, "CDC [has] articulated no scenario in which the book label policy provides a measure of security not afforded by these routine and mandatory searches." Id. CDC further argues that the fluoroscope machine does not detect weapons or encrypted messages. [*13] That the lack of a book label can act as a sort of "red flag," alerting prison staff to books sent by non-vendors when their routine search may have missed this fact may be a legitimate concern, but it is a concern that is quite lacking in substantial evidentiary support. The district court pointed out that Sergeant Rodman "provided absolutely no specific facts regarding the alleged incident" in which drugs escaped the detection of the fluoroscope machine, id., and, on appeal, CDC has pointed to no evidence in the record regarding the efficacy of the book label policy. Finally, at least with respect to contraband, there is no rational basis for CDC to impose an approved vendor label requirement on books, but not on tennis shoes, thermal clothing, or appliances. CDC has made no effort to explain why books are more susceptible to being used to deliver contraband than other items. "Common sense would dictate that PBSP's concern would extend to such items." Id. at 1262. Because the book label policy fails the first Turner factor, we do not address the other factors. n4 Morrison, 261 F.3d at 901. From helljerk at gmx.net Wed Nov 19 07:49:11 2003 From: helljerk at gmx.net (Heinz-Juergen 'Tom' Keller) Date: Wed, 19 Nov 2003 16:49:11 +0100 Subject: Freedomphone In-Reply-To: <20031119135757.GB60803@lightship.internal.homeport.org> References: <000001c3ab25$cb949d80$6601a8c0@VAIO650> <20031119135757.GB60803@lightship.internal.homeport.org> Message-ID: <20031119154911.GA30258@alien.lummerland.loc> On Wed, Nov 19, 2003 at 08:57:57AM -0500, Adam Shostack wrote: > http://www.wired.com/news/technology/0,1282,61289,00.html?tw=wn_tophead_7 > > > "We allow everyone to check the security for themselves, because > > we're the only ones who publish the source code," said Rop Gonggrijp > > at Amsterdam-based NAH6. Gonggrijp, who helped develop the software, > > owns a stake in Germany's GSMK. > > Alas, the phones are 3500 Euro a pair. > > > At that price it is targeting executives, lawyers and bankers who > > regularly swap market sensitive information on mergers and lawsuits, > > and for whom privacy is worth paying for. > > Adam More info: http://www.cryptophone.de/ In English. hjk -- God is a sound people make when they're too tired to think anymore. --Edward Abbey(1927-1989) From bill.stewart at pobox.com Wed Nov 19 16:49:21 2003 From: bill.stewart at pobox.com (Bill Stewart) Date: Wed, 19 Nov 2003 16:49:21 -0800 (PST) Subject: Ashcroft's bake sale, no questions allowed, gvt-issued photo ID required In-Reply-To: References: Message-ID: <4422.216.240.32.1.1069289361.squirrel@smirk.idiom.com> > Declan McCullagh (declan at well.com) wrote on 2003-11-19: > > There will be no questions and answers. > > To a non native speaker, this phrase seems to imply a scary > level of control over the media people. > "There will be no questions. Dissenters will be shot on the spot." Remember, the Government isn't speaking English, they're speaking Bureauspeak,which is a more verbose version of Newspeak, so most of us here are non-native speakers. There'll be lots of *questions*, like "Who's getting baked?" and "When can we impeach the Vegetable?", and "Oh, my, what absurdly offensive thing will they come up with this time?". On the other hand, the announcement only says that the _media_ need to have Government-Issued ID and Official Press Passes and come in the Embedded Servants' Entrance. Wear your overalls and bring a box of pumpkins and cabbage and you can walk on in the front door with the other farmers. Probably have to leave your pitchfork behind, because even the Bush League gets nervous around peasants with pitchforks, but no problem if you've got your cell-phone/camera/recorder. Too bad it's past tomato season on the East Coast.... Farmer Bill -- Bill Stewart bill.stewart at pobox.com From shaddack at ns.arachne.cz Wed Nov 19 07:51:16 2003 From: shaddack at ns.arachne.cz (Thomas Shaddack) Date: Wed, 19 Nov 2003 16:51:16 +0100 (CET) Subject: EDRI-gram: RFID-blocker wins German idea-contest Message-ID: <0311191649340.-1223617628@somehost.domainz.com> ---------- Forwarded message ---------- Date: Wed, 19 Nov 2003 16:26:40 +0100 (CET) Subject: EDRI-gram newsletter - Number 22, 19 November 2003 From: EDRI-gram newsletter To: edri-news at edri.org ================================================================== 6. RFID-DETECTOR WINS GERMAN IDEA-CONTEST ================================================================== The German civil rights and privacy-organisation FoeBuD is the winner of an idea-contest for a national awareness campaign about the infringement of civil liberties through new technologies. With the price of 15.000 Euro, FoeBuD wants to develop a 'Dataprivatizer', a tool to detect RFID's, minuscule spy-chips that are increasingly built into consumer goods. RFID (Radio Frequency Identification) are tiny computer chips with an antenna that can be read without touching or even seeing it. These transponders can be built into every yoghurt cup or piece of clothing. The chips can secretly divulge information about the buyer. With these data firms can set up profiles about the shopping behaviour and leisure activities of their customers. This is not a remote future. The German chain of supermarkets and DIY-stores Metro AG already won a Big Brother Award last month for implementing this technology. Idea contest (winner announced 06.11.2003) http://www.bridge-ideas.de From mv at cdc.gov Wed Nov 19 17:25:03 2003 From: mv at cdc.gov (Major Variola (ret.)) Date: Wed, 19 Nov 2003 17:25:03 -0800 Subject: secure cellphones go commericial, part II Message-ID: <3FBC17EF.B3F4486E@cdc.gov> Yes, from /. New Cellphone Offers Big Shots Eavesdrop-Proof Call Tue Nov 18,10:23 AM ET Add Technology - Reuters to My Yahoo! By Lucas van Grinsven, European Technology Correspondent AMSTERDAM (Reuters) - A German company launched a new mobile handset on Tuesday targeted at business executives that secures lines are free from eavesdroppers, sparking criticism that it could also make criminals harder to catch. Missed Tech Tuesday? Find the perfect tricked-out cell phone, plus best hybrid phones and great phone games. Berlin-based Cryptophone, a unit of privately held GSMK, developed the phone by inserting an encryption software inside a standard handheld computer phone. This ensures that calls can only be decoded by a similar handset or a computer running the software. But the phone is seen as a mixed blessing in some European countries. While the benefits for business managers exchanging sensitive information are obvious, such a device could potentially have the side effect of helping criminals. Security specialists in the Netherlands said the device could threaten criminal investigation by the Dutch police, which is one of the world's most active phone tappers, listening in to 12,000 phone numbers every year. But privacy lobbyists say the new handset is a "freedomphone" much more than a "terrorphone." "It's a tremendous step forward, because the level of surveillance by authorities is breathtaking," said Simon Davies, director of Privacy International in Britain. Cryptophone says unlike rivals such as Sweden's Sectra, Swiss Crypto AG and Germany's Rohde & Schwarz, it has no ties to national security and defense organizations and that there is no back door for government agencies. "We allow everyone to check the security for themselves, because we're the only ones who publish the source code," said Rop Gonggrijp at Amsterdam-based NAH6. Gonggrijp, who helped develop the software, owns a stake in Germany's GSMK. http://story.news.yahoo.com/news?tmpl=story&u=/nm/20031118/tc_nm/tech_cellphones_security_dc From bill.stewart at pobox.com Wed Nov 19 17:30:49 2003 From: bill.stewart at pobox.com (Bill Stewart) Date: Wed, 19 Nov 2003 17:30:49 -0800 (PST) Subject: Freedomphone In-Reply-To: <5.2.1.1.0.20031119125744.06ad0ff8@mail.comcast.net> References: <20031119135757.GB60803@lightship.internal.homeport.org> <5.2.1.1.0.20031119125744.06ad0ff8@mail.comcast.net> Message-ID: <1215.216.240.32.1.1069291849.squirrel@smirk.idiom.com> > If and when this is accomplished the source could then be used, > if it can't already, for PC-PC secure communications. > A practical replacement for SpeakFreely may be at hand. > The limitation of either direct phone or ISDN connection requirement > is a problem though. While the phone hardware is EU3500/pair, the Windows software is free - we'll see if they've set it up in a way that PC-to-PC connections work. I'm also interested in the question of whether they've learned some of the technical lessons that the SpeakFreely project learned (e.g. NAT, delay accumulation from TCP, tuning for Windows perfomance.) While this phone isn't Free Software in the RMSically-correct sense or even the BSD "leave our name on it and don't sue us" sense, it's at least openly published for inspection, though unless the programming environment that it supports is very resticted, the "compile the code and compare the binaries" approach is pretty lame, since optimizing compilers tend to make it difficult. Skype is a non-starter from a security perspective - too many proprietary parts, apparently including codecs, closed source, documentation written by people who don't understand cryptographic security beyond the buzzword level on a team that's small enough that you'd expect that that implies the coders don't either. On the other hand, if it gets more than 15 minutes of fame worth of use, it may be an interesting experiment in user interface and architecture, which somebody else could use with better crypto and policies. Bill From rah at shipwright.com Wed Nov 19 14:31:24 2003 From: rah at shipwright.com (R. A. Hettinga) Date: Wed, 19 Nov 2003 17:31:24 -0500 Subject: 9th Cir. lets prisoners get books, rejects "encrypted" claim In-Reply-To: <6.0.0.22.2.20031119151624.02116a30@mail.well.com> References: <6.0.0.22.2.20031119151624.02116a30@mail.well.com> Message-ID: At 3:17 PM -0500 11/19/03, Declan McCullagh wrote: > Show off. ;-) Cheers, RAH -- ----------------- R. A. Hettinga The Internet Bearer Underwriting Corporation 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' From rah at shipwright.com Wed Nov 19 15:21:43 2003 From: rah at shipwright.com (R. A. Hettinga) Date: Wed, 19 Nov 2003 18:21:43 -0500 Subject: How The Wright Brothers Blew It Message-ID: For the better part of a decade, now, I've compared David Chaum to the Wright Brothers... Read the article, and try to keep from laughing -- or blushing in the shock of recognition. National monopolies only worked for dynamite. The Chaum patents expire in less than a year. Cheers, RAH ----- Forbes A Century Of Flight How The Wright Brothers Blew It Phaedra Hise, 11.19.03, 7:00 AM ET The Flyer takes off from Kill Devil Hill, with Orville Wright at the controls, while his brother Wilbur looks on, on Dec. 17, 1903. In 1905 the Wright brothers enjoyed a complete monopoly on heavier-than-air aviation. They had the world's only working airplane, were the only two pilots able to fly it, and had applied for a formidable patent that would cover any plane with three-axis control. Yet within five years they would regularly be surpassed by competitors at home and abroad, and before what was remembered as the Golden Age of Aviation arrived in the 1920s, they would be out of the aircraft business entirely. What happened? -- ----------------- R. A. Hettinga The Internet Bearer Underwriting Corporation 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' From timcmay at got.net Wed Nov 19 19:58:21 2003 From: timcmay at got.net (Tim May) Date: Wed, 19 Nov 2003 19:58:21 -0800 Subject: Justice In-Reply-To: <20031119203754.A16362@baltwash.com> References: <6.0.0.22.2.20031119151624.02116a30@mail.well.com> <20031119203754.A16362@baltwash.com> Message-ID: On Nov 19, 2003, at 6:37 PM, Declan McCullagh wrote: > On Wed, Nov 19, 2003 at 05:31:24PM -0500, R. A. Hettinga wrote: >> Show off. >> >> ;-) > > Yeah, I need to find a better way to strip those internal links > when forwarding. > > -Declan > I assumed it was "stego in long URLs," a staple of the Resistance. (More comments elided because of the culture, now consumed in eulogies of a guy who really, really needed to be whacked in 1963. A real pity that other deserving dictators have been too well-protected in the decades since. Precisely why freedom fighters are so interested in Sarin and nukes...the only real way to reach the guilty.) END TRANSMISSION...LINE DEAD From declan at well.com Wed Nov 19 18:37:54 2003 From: declan at well.com (Declan McCullagh) Date: Wed, 19 Nov 2003 20:37:54 -0600 Subject: 9th Cir. lets prisoners get books, rejects "encrypted" claim In-Reply-To: ; from rah@shipwright.com on Wed, Nov 19, 2003 at 05:31:24PM -0500 References: <6.0.0.22.2.20031119151624.02116a30@mail.well.com> Message-ID: <20031119203754.A16362@baltwash.com> On Wed, Nov 19, 2003 at 05:31:24PM -0500, R. A. Hettinga wrote: > Show off. > > ;-) Yeah, I need to find a better way to strip those internal links when forwarding. -Declan From declan at well.com Wed Nov 19 18:42:25 2003 From: declan at well.com (Declan McCullagh) Date: Wed, 19 Nov 2003 20:42:25 -0600 Subject: Freedomphone In-Reply-To: <5.2.1.1.0.20031119125744.06ad0ff8@mail.comcast.net>; from s.schear@comcast.net on Wed, Nov 19, 2003 at 12:59:36PM -0800 References: <20031119135757.GB60803@lightship.internal.homeport.org> <5.2.1.1.0.20031119125744.06ad0ff8@mail.comcast.net> Message-ID: <20031119204225.B16362@baltwash.com> On Wed, Nov 19, 2003 at 12:59:36PM -0800, Steve Schear wrote: > If and when this is accomplished the source could then be used, if it can't > already, for PC-PC secure communications. A practical replacement for > SpeakFreely may be at hand. The limitation of either direct phone or ISDN FYI I did a Q&A with the Skype folks when I was in Stockholm last month that mostly focuses on privacy; it should be up on News.com within the week. --Declan From njohnsn at njohnsn.com Wed Nov 19 19:35:46 2003 From: njohnsn at njohnsn.com (Neil Johnson) Date: Wed, 19 Nov 2003 21:35:46 -0600 Subject: Freedomphone In-Reply-To: <062f01c3aef5$7a7786a0$01c8a8c0@broadbander> References: <20031119135757.GB60803@lightship.internal.homeport.org> <5.2.1.1.0.20031119144534.06aa0090@mail.comcast.net> <062f01c3aef5$7a7786a0$01c8a8c0@broadbander> Message-ID: <200311192135.46586.njohnsn@njohnsn.com> On Wednesday 19 November 2003 05:33 pm, Dave Howe wrote: > Steve Schear wrote: > > No, but this may be of interest. > > http://www.technologyreview.com/articles/wo_hellweg111903.asp > > > > Its closed source but claims to use AES. > > *nods* > closed source, proprietory protocol, as opposed to SIP which is an RFC > standard (and interestingly, is supported natively by WinXP) > Might not be snakeoil, but I am giving it a wide berth anyhow. SIP is just the part of the VoIP protocols that handling signaling (off-hook, dialing digits, ringing the phone, etc.). The voice data is handled by Real-Time Streaming Protocol (RTSP), one stream for each direction. -- Neil Johnson http://www.njohnsn.com PGP key available on request. From sfurlong at acmenet.net Wed Nov 19 18:55:40 2003 From: sfurlong at acmenet.net (Steve Furlong) Date: 19 Nov 2003 21:55:40 -0500 Subject: Ashcroft's bake sale, no questions allowed, gvt-issued photo ID required In-Reply-To: <4422.216.240.32.1.1069289361.squirrel@smirk.idiom.com> References: <4422.216.240.32.1.1069289361.squirrel@smirk.idiom.com> Message-ID: <1069296939.3919.3.camel@localhost.localdomain> On Wed, 2003-11-19 at 19:49, Bill Stewart wrote: > Too bad it's past tomato season on the East Coast.... Shit, we've (upstate NY, along the Mohawk River) already had our first snow. Didn't stick, but the chill in the air is literal, not figurative. From DaveHowe at gmx.co.uk Wed Nov 19 13:57:42 2003 From: DaveHowe at gmx.co.uk (Dave Howe) Date: Wed, 19 Nov 2003 21:57:42 -0000 Subject: Freedomphone References: <20031119135757.GB60803@lightship.internal.homeport.org> <5.2.1.1.0.20031119125744.06ad0ff8@mail.comcast.net> Message-ID: <058a01c3aee8$295ca910$01c8a8c0@broadbander> Steve Schear wrote: > If and when this is accomplished the source could then be used, if it > can't already, for PC-PC secure communications. A practical > replacement for SpeakFreely may be at hand. The limitation of either > direct phone or ISDN connection requirement is a problem though. *nods* it is over a POTS or ISDN (ie, normal phone) conversation, not over IP. have to wait and see what the code looks like to see exactly what crypto and how it is keyed as well. as a related aside - does anyone know of a decent SIPS VoIP implimentation? preferably one that uses some sort of PKI? From DaveHowe at gmx.co.uk Wed Nov 19 15:33:01 2003 From: DaveHowe at gmx.co.uk (Dave Howe) Date: Wed, 19 Nov 2003 23:33:01 -0000 Subject: Freedomphone References: <20031119135757.GB60803@lightship.internal.homeport.org> <5.2.1.1.0.20031119125744.06ad0ff8@mail.comcast.net> <5.2.1.1.0.20031119144534.06aa0090@mail.comcast.net> Message-ID: <062f01c3aef5$7a7786a0$01c8a8c0@broadbander> Steve Schear wrote: > No, but this may be of interest. > http://www.technologyreview.com/articles/wo_hellweg111903.asp > > Its closed source but claims to use AES. *nods* closed source, proprietory protocol, as opposed to SIP which is an RFC standard (and interestingly, is supported natively by WinXP) Might not be snakeoil, but I am giving it a wide berth anyhow. From mixmaster at remailer.privacy.at Wed Nov 19 15:03:58 2003 From: mixmaster at remailer.privacy.at (privacy.at Anonymous Remailer) Date: Thu, 20 Nov 2003 00:03:58 +0100 (CET) Subject: Ashcroft's bake sale, no questions allowed, gvt-issued photo ID required Message-ID: Declan McCullagh (declan at well.com) wrote on 2003-11-19: > There will be no questions and answers. To a non native speaker, this phrase seems to imply a scary level of control over the media people. "There will be no questions. Dissenters will be shot on the spot." From mv at cdc.gov Thu Nov 20 06:41:16 2003 From: mv at cdc.gov (Major Variola (ret)) Date: Thu, 20 Nov 2003 06:41:16 -0800 Subject: Freedomphone Message-ID: <3FBCD28C.547104A7@cdc.gov> At 12:59 PM 11/19/03 -0800, Steve Schear wrote: >If and when this is accomplished the source could then be used, if it can't >already, for PC-PC secure communications. They claim to be releasing code for PCs for free. A practical replacement for >SpeakFreely may be at hand. The limitation of either direct phone or ISDN >connection requirement is a problem though. Since they use GSM *data* services, and since quality affects *delay* in their setup, they may be hindered by users acceptance. However, it might also be a reminder to the users of why they payed the kiloEuros. Read their FAQ. They have total clue. No one should think less of them for trying to make a Euro at first, paid by users well able to pay the price, endure the problems, and Metcalfe's law inconveniences. That's techonomics -CD players cost a kilobuck at first, and not every content was available. ----- An RPG a day keeps the invaders away. From mv at cdc.gov Thu Nov 20 08:52:03 2003 From: mv at cdc.gov (Major Variola (ret.)) Date: Thu, 20 Nov 2003 08:52:03 -0800 Subject: israeli torture center reason for no satellite pix? Message-ID: <3FBCF133.3FE618A3@cdc.gov> The US has restrictions on even commercial satellite photos of Israel. http://www.guardian.co.uk/israel/Story/0,2763,1084796,00.html might indicate why --the torture center is airbrushed out of other pix. ---- The price of empire is death. From roy at rant-central.com Thu Nov 20 07:54:29 2003 From: roy at rant-central.com (roy at rant-central.com) Date: Thu, 20 Nov 2003 10:54:29 -0500 Subject: Cisco pushes for license to surf In-Reply-To: <20031120140705.GQ7350@leitl.org> References: <20031120140705.GQ7350@leitl.org> Message-ID: <20031120155429.GA28524@mesmer.rant-central.com> On Thu, Nov 20, 2003 at 03:07:05PM +0100, Eugen Leitl wrote: > Dumb, dumb idea. Almost as bad as Palladium. Worse than Palladium. With Palladium, you can opt out (using OSS or whatever) and you lose the use of apps that require Palladium. This plan has the same effect, but to opt out means losing use of the net. -- Roy M. Silvernail is roy at rant-central.com, and you're not http://www.rant-central.com is the new scytale Never Forget: It's Only 1's and 0's! SpamAssassin->procmail->/dev/null->bliss From DaveHowe at gmx.co.uk Thu Nov 20 06:46:45 2003 From: DaveHowe at gmx.co.uk (Dave Howe) Date: Thu, 20 Nov 2003 14:46:45 -0000 Subject: Freedomphone References: <20031119135757.GB60803@lightship.internal.homeport.org> <5.2.1.1.0.20031119144534.06aa0090@mail.comcast.net> <062f01c3aef5$7a7786a0$01c8a8c0@broadbander> <200311192135.46586.njohnsn@njohnsn.com> Message-ID: <025e01c3af75$28f2c8a0$01c8a8c0@broadbander> Neil Johnson wrote: > On Wednesday 19 November 2003 05:33 pm, Dave Howe wrote: > SIP is just the part of the VoIP protocols that handling signaling > (off-hook, dialing digits, ringing the phone, etc.). The voice data > is handled by Real-Time Streaming Protocol (RTSP), one stream for > each direction. *nods* and it is normally UDP, which is good for latency and lousy for NAT traversal. Partysip supports rtsp over tcp I believe - as a proxy, which adds yet another layer of latency *sigh* From eugen at leitl.org Thu Nov 20 06:07:05 2003 From: eugen at leitl.org (Eugen Leitl) Date: Thu, 20 Nov 2003 15:07:05 +0100 Subject: Cisco pushes for license to surf Message-ID: <20031120140705.GQ7350@leitl.org> Dumb, dumb idea. Almost as bad as Palladium. http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2003/11/19/ BUGP6351V31.DTL Cisco security initiative 4 major firms working to head off Net attacks David R. Baker, Chronicle Staff Writer Wednesday, November 19, 2003 In an unusual alliance among staunch competitors, Cisco Systems will collaborate with three of the largest computer security firms to fight virus and worm attacks. Cisco, Network Associates, Symantec and Trend Micro will develop a new system for protecting networks against infection. The system, which the four firms hope to start selling early next year, will be able to block network access to any computer or device that doesn't have its own security measures in place. Hackers' increasing sophistication -- as well as a little competitive pressure -- drove the companies to work together. In a conference call Tuesday, the chief executives of all four firms said virulent programs like Blaster and Slammer demanded a more coordinated defense, with security programs and hardware working together off a shared set of standards. "Clearly, nothing like this can be done without collaboration among industry leaders," said John Thompson, CEO of Symantec Corp. Cisco helped bring the competing security firms together by describing the initiative to customers and asking them to lobby Network Associates, Symantec and Trend Micro to participate, said Bob Gleichauf, Cisco's chief technology officer for security. And knowing that their competitors were interested, none of the firms wanted to be left out in the cold, he said. "Everybody realized that it was in their interests and in the customers' interests to do this," Gleichauf said in an interview. Other security firms will be allowed to join the initiative by licensing the necessary software. The system under development will allow a computer network to check the safety of incoming traffic. Any device trying to connect to the network will be checked to see whether it has security measures already in place. Those that don't can be denied access, shunted off into a quarantined segment of the network or forced to download a security program. The announcement of the collaboration had little effect on the companies' stocks. Cisco closed down 1.45 percent at $21.73. Network Associates slid 5.44 percent to $13.03, Symantec Corp. dropped 7.13 percent to $61.35, and Trend Micro gained 3.43 percent to close at $24.41. E-mail David R. Baker at dbaker at sfchronicle.com. -- Eugen* Leitl leitl ______________________________________________________________ ICBM: 48.07078, 11.61144 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE http://moleculardevices.org http://nanomachines.net [demime 0.97c removed an attachment of type application/pgp-signature] From mv at cdc.gov Thu Nov 20 15:35:00 2003 From: mv at cdc.gov (Major Variola (ret.)) Date: Thu, 20 Nov 2003 15:35:00 -0800 Subject: can you hear me now? Message-ID: <3FBD4FA3.97C963B3@cdc.gov> "The ultimate in paranoia is not when everyone is against you but when everything is against you." ---PKD An appeals court this week put the brakes on an FBI surveillance technique that turns an automobile driver's on-board vehicle navigation system into a covert eavesdropping device, after finding that the spying effectively disables the system's emergency and roadside assistance features ...in which agents obtained a court order compelling a telematics company to secretly activate the stolen vehicle recovery feature in a customer's car. The feature, designed to listen-in on car thieves as they cruise around in a stolen auto, turns on a dashboard microphone and pipes conversations out over a cellphone connection -- normally to the company's response center, but in this case to an FBI listening post. http://www.theregister.co.uk/content/55/34100.html From s.schear at comcast.net Thu Nov 20 16:59:36 2003 From: s.schear at comcast.net (Steve Schear) Date: Thu, 20 Nov 2003 16:59:36 -0800 Subject: article on Rivest and Micali's Peppercoin system In-Reply-To: <20031117163708.6CEB87B43@berkshire.research.att.com> Message-ID: <5.2.1.1.0.20031120165214.06ec7448@mail.comcast.net> At 11:37 AM 11/17/2003 -0500, Steve Bellovin wrote: >http://www.technologyreview.com/articles/huang1203.asp A nice puff piece but it steers clear of well know, if not respected, prognosticators that poo-poo any near-term potential for micro-payments. Conspicuously absent is e-gold which predates all of the listed vendors, does a daily average of $3 million in transactions, relatively simple to use, requires no special end-user software and internally cost effective enough to handle payments less than $0.01. It seems e-gold has been smeared (unfairly I think) in the press as only attracting gray market types. steve --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com From morlockelloi at yahoo.com Thu Nov 20 17:41:32 2003 From: morlockelloi at yahoo.com (Morlock Elloi) Date: Thu, 20 Nov 2003 17:41:32 -0800 (PST) Subject: Freedomphone In-Reply-To: <20031121014033.A22311@cdc-ws1.cdc.informatik.tu-darmstadt. de> Message-ID: <20031121014132.9413.qmail@web40613.mail.yahoo.com> > From what I've gathered from the diagrams in [1], it seems to be using > AES-256 > in counter-mode XORed together with Twofish counter-mode output, Twofish also > being keyed with a 256 bit value. I sense paranoia here - but being paranoid > myself sometimes I very much welcome this decision! Those two keys are All I'd ask for in addition is ability for both sides to type in 10-40 digit secret key that they communicated in any way they chose, and have that XORed as well ... ===== end (of original message) Y-a*h*o-o (yes, they scan for this) spam follows: __________________________________ Do you Yahoo!? Free Pop-Up Blocker - Get it now http://companion.yahoo.com/ From frantz at pwpconsult.com Thu Nov 20 17:45:20 2003 From: frantz at pwpconsult.com (Bill Frantz) Date: Thu, 20 Nov 2003 17:45:20 -0800 Subject: Freedomphone In-Reply-To: <20031121014033.A22311@cdc-ws1.cdc.informatik.tu-darmstadt. de> References: <5.2.1.1.0.20031119125744.06ad0ff8@mail.comcast.net>; from s.schear@comcast.net on Wed, Nov 19, 2003 at 12:59:36PM -0800 <20031119135757.GB60803@lightship.internal.homeport.org> <5.2.1.1.0.20031119125744.06ad0ff8@mail.comcast.net> Message-ID: At 4:40 PM -0800 11/20/03, Ralf-P. Weinmann wrote: >Hmm.. Does this mean the users have to read of SHA-256 hash values to each >other after the connection has been established? Oh. Right. It says "Readout >hash based key authentication" on the left hand side of the spec. You probably don't have to read all 256 bits. One way this had been handled (in the Starium (sp?) phone), is to display a number derived from the hash. One person reads the first half of the number, and the other person reads the second half. If both halves verify, there is no man-in-the-middle. The length of the number determines the security, but since it is derived from the Diffie-Hellman exchange, neither side can control its value. Probably 6 digits is enough. >... There should be a means to cache credentials after an initial >trust relationship between communicating parties has been established. Cache entries would be a way for someone who obtains the phone to be able to trace your contacts. (So would a in-phone address book.) Automatic authentication also might make it easier to spoof the phone's owner. Cheers - Bill ------------------------------------------------------------------------- Bill Frantz | "There's nothing so clear as a | Periwinkle (408)356-8506 | vague idea you haven't written | 16345 Englewood Ave www.pwpconsult.com | down yet." -- Dean Tribble | Los Gatos, CA 95032 From jtrjtrjtr2001 at yahoo.com Fri Nov 21 01:29:27 2003 From: jtrjtrjtr2001 at yahoo.com (Sarad AV) Date: Fri, 21 Nov 2003 01:29:27 -0800 (PST) Subject: test mail-pls ignore Message-ID: <20031121092927.25714.qmail@web21204.mail.yahoo.com> test. __________________________________ Do you Yahoo!? Free Pop-Up Blocker - Get it now http://companion.yahoo.com/ From weinmann at cdc.informatik.tu-darmstadt.de Thu Nov 20 16:40:33 2003 From: weinmann at cdc.informatik.tu-darmstadt.de (Ralf-P. Weinmann) Date: Fri, 21 Nov 2003 01:40:33 +0100 Subject: Freedomphone In-Reply-To: <5.2.1.1.0.20031119125744.06ad0ff8@mail.comcast.net>; from s.schear@comcast.net on Wed, Nov 19, 2003 at 12:59:36PM -0800 References: <20031119135757.GB60803@lightship.internal.homeport.org> <5.2.1.1.0.20031119125744.06ad0ff8@mail.comcast.net> Message-ID: <20031121014033.A22311@cdc-ws1.cdc.informatik.tu-darmstadt.de> On Wed, Nov 19, 2003 at 12:59:36PM -0800, Steve Schear wrote: > At 01:39 PM 11/19/2003 -0500, Jack Lloyd wrote: > > > > "We allow everyone to check the security for themselves, because > > > > we're the only ones who publish the source code," said Rop Gonggrijp > > > >"We are currently performing a internal round of reviews with a expert > >group of security researchers and cryptographers. Depending on the results > >of this review and the time it takes us to implement the relevant > >recommendations, our current plan is to have the Source available for > >Download: 23.11.2003" (http://www.cryptophone.de/html/downloads_en.html) > > > >We'll see. > > If and when this is accomplished the source could then be used, if it can't > already, for PC-PC secure communications. A practical replacement for > SpeakFreely may be at hand. The limitation of either direct phone or ISDN > connection requirement is a problem though. >From what I've gathered from the diagrams in [1], it seems to be using AES-256 in counter-mode XORed together with Twofish counter-mode output, Twofish also being keyed with a 256 bit value. I sense paranoia here - but being paranoid myself sometimes I very much welcome this decision! Those two keys are derived by means of SHA-256 from the DH key exchange for which a 4096 bit modulus. Neat. The only thing I can't see clearly in the diagram is the authentication of the DH exchange. Maybe this is the third SHA-256 hash which goes back to "User" ? Hmm.. Does this mean the users have to read of SHA-256 hash values to each other after the connection has been established? Oh. Right. It says "Readout hash based key authentication" on the left hand side of the spec. Dunno whether I like that. There should be a means to cache credentials after an initial trust relationship between communicating parties has been established. But from what I understand, this type of scheme is exactly what the implementors wanted to avoid. Cheers, Ralf [1] GSMK CryptoPhone 100 technical specifications http://www.cryptophone.de/downloads/gsmk100.pdf -- Ralf-P. Weinmann PGP fingerprint: 1024D/EF114FC02F150EB9D4F275B6159CEBEAEFCD9B06 From mv at cdc.gov Fri Nov 21 08:16:53 2003 From: mv at cdc.gov (Major Variola (ret.)) Date: Fri, 21 Nov 2003 08:16:53 -0800 Subject: e voting Message-ID: <3FBE3A75.62E7E6C3@cdc.gov> Secretary of State Kevin Shelley is expected to announce today that as of 2006, all electronic voting machines in California must be able to produce a paper printout that voters can check to make sure their votes are properly recorded. http://www.latimes.com/news/local/la-me-shelley21nov21,1,847438.story?coll=la-headlines-california From rah at shipwright.com Fri Nov 21 06:03:47 2003 From: rah at shipwright.com (R. A. Hettinga) Date: Fri, 21 Nov 2003 09:03:47 -0500 Subject: AT&T Patents Trusted Intermediaries, Sues PayPal Message-ID: "PayPal and eBay have infringed AT&T's U.S. patent that covers transactions in which a trusted intermediary securely processes payments over a communications system such as the Internet." I wonder what American Express, VISA (and Plus), MasterCard (and Cirrus), Diner's Club, NASDAQ, Autex, Telerate, and even Quotron -- not to mention CRESTCo, DTC, and SWIFT -- would have had to say about *that*? *This* should be fun... :-) Cheers, RAH ------ ? Anglo-American history Thursday, November 20, 2003 AT&T Files Patent Infringement Suit Against PayPal, Inc., and eBay, Inc. AT&T Corp. today filed a patent infringement suit against PayPal, Inc. and eBay, Inc., in federal district court in Delaware. AT&T alleges that, through the use of their online payment systems, PayPal and eBay have infringed AT&T's U.S. patent that covers transactions in which a trusted intermediary securely processes payments over a communications system such as the Internet. The use of a trusted intermediary ensures that one party will not have to disclose sensitive information, such as a credit card number or bank account number, to the other party to the transaction. AT&T's lawsuit seeks compensation for PayPal's and eBay's unauthorized use of the patented technology. More than a year ago AT&T notified both PayPal and eBay that they were using technology covered by AT&T's patent in the PayPal and BillPoint payment systems. AT&T offered to license the patented technology to each of the companies. AT&T has attempted to reach an amicable agreement regarding this matter with eBay and PayPal. AT&T has invested hundreds of millions of dollars every year in research and development, and the company seeks to protect its inventions by licensing its patents to those who use its intellectual property. Because the two companies have refused to pay for a license to use the patented technology, AT&T has been forced to bring the matter to the court. AT&T's patent was originally filed with the U.S. Patent and Trademark Office in 1991. In July of 1994, the Patent and Trademark Office granted AT&T U.S. Patent No. 5,329,589 for its invention. About AT&T AT&T (www.att.com) is among the premier voice and data communications companies in the world, serving businesses, consumers, and government. The company runs one of the most sophisticated communications networks in the United States, backed by the research and development capabilities of AT&T Labs. A leading supplier of data, Internet and managed services for the public and private sectors, AT&T offers outsourcing and consulting to large businesses and government. The company is a market leader in local, long distance and Internet services, as well as transaction-based services like prepaid cards, collect calling and directory assistance. With approximately $37 billion of revenue, AT&T has about 40 million residential customers and 4 million business customers, who depend on AT&T for high-quality communications. AT&T has garnered several awards for outstanding performance and customer service. The foregoing contains "forward-looking statements" which are based on management's beliefs as well as on a number of assumptions concerning future events made by and information currently available to management. Readers are cautioned not to put undue reliance on such forward-looking statements, which are not a guarantee of performance and are subject to a number of uncertainties and other factors, many of which are outside AT&T's control, that could cause actual results to differ materially from such statements. For a more detailed description of the factors that could cause such a difference, please see AT&T's filings with the Securities and Exchange Commission. AT&T disclaims any intention or obligation to update or revise any forward-looking statements, whether as a result of new information, future events or otherwise. This information is presented solely to provide additional information to further understand the results of AT&T. -- ----------------- R. A. Hettinga The Internet Bearer Underwriting Corporation 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com From timcmay at got.net Fri Nov 21 09:19:51 2003 From: timcmay at got.net (Tim May) Date: Fri, 21 Nov 2003 09:19:51 -0800 Subject: e voting In-Reply-To: <3FBE3A75.62E7E6C3@cdc.gov> References: <3FBE3A75.62E7E6C3@cdc.gov> Message-ID: On Nov 21, 2003, at 8:16 AM, Major Variola (ret.) wrote: > Secretary of State Kevin Shelley is expected to announce today that as > of 2006, all electronic voting machines in California must be able to > produce a paper printout that voters can check to make sure their votes > are properly recorded. > > http://www.latimes.com/news/local/la-me-shelley21nov21,1,847438.story? > coll=la-headlines-california > > Without the ability to (untraceably, unlinkably, of course) verify that this vote is "in the vote total," and that no votes other than those who actually voted, are in the vote total, this is all meaningless. I could rig a simple hack where a voter submits his ballot, which drops into a shredder even as a little printer is printing out his "proof" that he voted and that his vote was "accepted." It's blather to satisfy the sheeple. Besides, I expect what will happen is that an electronic voting system will be deployed and will be shut down by someone claiming a patent was issued to them "for the idea of electronic voting." Until Diebold pays off the Patent Office and the earlier idea is reviewed and found lacking. Face it, we are about to become an electronic kleptocracy. (There will also be some good hacks to scare the inner city welfare mutants into thinking the electronic machines will either track their votes, making them more likely to vote for the Establishment, or will steal their souls. I sense great possibilities here for disinformation.) --Tim May From timcmay at got.net Fri Nov 21 10:53:57 2003 From: timcmay at got.net (Tim May) Date: Fri, 21 Nov 2003 10:53:57 -0800 Subject: e voting In-Reply-To: <200311211312.09273.roy@rant-central.com> References: <3FBE3A75.62E7E6C3@cdc.gov> <200311211312.09273.roy@rant-central.com> Message-ID: <0F8DBF30-1C54-11D8-983A-000A956B4C74@got.net> On Nov 21, 2003, at 10:12 AM, Roy M. Silvernail wrote: > On Friday 21 November 2003 12:19, Tim May wrote: >> On Nov 21, 2003, at 8:16 AM, Major Variola (ret.) wrote: >>> Secretary of State Kevin Shelley is expected to announce today that >>> as >>> of 2006, all electronic voting machines in California must be able to >>> produce a paper printout that voters can check to make sure their >>> votes >>> are properly recorded. >>> >>> http://www.latimes.com/news/local/la-me- >>> shelley21nov21,1,847438.story? >>> coll=la-headlines-california >> >> Without the ability to (untraceably, unlinkably, of course) verify >> that >> this vote is "in the vote total," and that no votes other than those >> who actually voted, are in the vote total, this is all meaningless. > > Quite true. But given the fact that we don't have that ability *now*, > what > exactly is the difference? Other than streamlining and centralizing > the > present distributed corruption? > The point being that this "electronic voting" is just "syntactic sugar," superficial glitter. None of the interesting and robust foundations from crypto are being used. (Not that I am necessarily advocating this.) For the next ten years there will be endless babble on television about "the revolution of electronic voting," when in fact it's just a g-job to give voting machine companies some new business. --Tim May From roy at rant-central.com Fri Nov 21 10:12:09 2003 From: roy at rant-central.com (Roy M. Silvernail) Date: Fri, 21 Nov 2003 13:12:09 -0500 Subject: e voting In-Reply-To: References: <3FBE3A75.62E7E6C3@cdc.gov> Message-ID: <200311211312.09273.roy@rant-central.com> On Friday 21 November 2003 12:19, Tim May wrote: > On Nov 21, 2003, at 8:16 AM, Major Variola (ret.) wrote: > > Secretary of State Kevin Shelley is expected to announce today that as > > of 2006, all electronic voting machines in California must be able to > > produce a paper printout that voters can check to make sure their votes > > are properly recorded. > > > > http://www.latimes.com/news/local/la-me-shelley21nov21,1,847438.story? > > coll=la-headlines-california > > Without the ability to (untraceably, unlinkably, of course) verify that > this vote is "in the vote total," and that no votes other than those > who actually voted, are in the vote total, this is all meaningless. Quite true. But given the fact that we don't have that ability *now*, what exactly is the difference? Other than streamlining and centralizing the present distributed corruption? From declan at well.com Fri Nov 21 12:00:46 2003 From: declan at well.com (Declan McCullagh) Date: Fri, 21 Nov 2003 15:00:46 -0500 Subject: Congress about to pass anti-spam bill -- the details Message-ID: <6.0.0.22.2.20031121145941.0213c0d0@mail.well.com> [...] ' 1037. (a) IN GENERAL.Whoever, in or affecting inter- 23 state or foreign commerce, knowingly 24 November 21, 2003 (2:42 p.m.) 13 (1) accesses a protected computer without au- 1 thorization, and intentionally initiates the trans- 2 mission of multiple commercial electronic mail mes- 3 sages from or through such computer, 4 (2) uses a protected computer to relay or re- 5 transmit multiple commercial electronic mail mes- 6 sages, with the intent to deceive or mislead recipi- 7 ents, or any Internet access service, as to the origin 8 of such messages, 9 (3) materially falsifies header information in 10 multiple commercial electronic mail messages and in- 11 tentionally initiates the transmission of such mes- 12 sages, 13 (4) registers, using information that materially 14 falsifies the identity of the actual registrant, for 5 15 or more electronic mail accounts or online user ac- 16 counts or 2 or more domain names, and inten- 17 tionally initiates the transmission of multiple com- 18 mercial electronic mail messages from any combina- 19 tion of such accounts or domain names, or 20 (5) falsely represents oneself to be the reg- 21 istrant or the legitimate successor in interest to the 22 registrant of 5 or more Internet protocol addresses, 23 and intentionally initiates the transmission of mul- 24 S:\WPSHR\LEGCNSL\XYWRITE\CON03\SPAMCOMP.3 November 21, 2003 (2:42 p.m.) 14 tiple commercial electronic mail messages from such 1 addresses, 2 or conspires to do so, shall be punished as provided in 3 subsection (b). 4 (b) PENALTIES.The punishment for an offense 5 under subsection (a) is 6 (1) a fine under this title, imprisonment for 7 not more than 5 years, or both, if 8 (A) the offense is committed in further- 9 ance of any felony under the laws of the United 10 States or of any State; or 11 (B) the defendant has previously been 12 convicted under this section or section 1030, or 13 under the law of any State for conduct involv- 14 ing the transmission of multiple commercial 15 electronic mail messages or unauthorized access 16 to a computer system; 17 (2) a fine under this title, imprisonment for 18 not more than 3 years, or both, if 19 (A) the offense is an offense under sub- 20 section (a)(1); 21 S:\WPSHR\LEGCNSL\XYWRITE\CON03\SPAMCOMP.3 [...] From rah at shipwright.com Fri Nov 21 12:19:37 2003 From: rah at shipwright.com (R. A. Hettinga) Date: Fri, 21 Nov 2003 15:19:37 -0500 Subject: DigiCash Saves PayPal? Message-ID: >And Greg Aharonian, San Francisco-based patent expert, said eBay could get >the case dismissed if it finds a company or institution that developed its >own "trusted intermediary" or similar electronic payment system even >before AT&T researchers filed for their patent. Bingo. Somebody at First Data should haul out the old DigiCash pitch-ware they probably have laying around, and beat AT&T over the head with it... Cheers, RAH ------ Lycos AT&T: EBay, PayPal Infringe on Patents E-mail orPrint this story 20 November 2003, 6:03pm ET By RACHEL KONRAD AP Business Writer SAN JOSE, Calif. (AP) -- AT&T Corp. reached out and smacked eBay Inc. with a patent infringement lawsuit Thursday, claiming the online auction company has been using a payment system that the telecommunications giant developed more than a decade ago. The case, filed in federal court in Delaware, comes on the heels of an August verdict in which a Virginia judge ordered eBay to pay $29.5 million to an inventor who accused the company of stealing his ideas for fixed price sales formats. AT&T's suit demands that eBay pay an undisclosed amount in licensing fees because its lucrative PayPal division functions as a "trusted intermediary" between buyers and sellers who may not know each other. The system _ widely regarded as critical to eBay's gangbuster growth and a boon to e-commerce in general _ lets buyers provide credit card or bank account information to a reliable third party instead of individual sellers around the world. Buyers merely have to trust PayPal, and they don't have to worry about disreputable sellers using sensitive financial data for fraudulent purposes. AT&T says three senior engineers working for the phone company filed for a patent in 1991 for exactly such a process, which they called "Mediation of Transactions by a Communication System." The patent was granted in 1994, AT&T said. EBay spokesman Chris Donlay dismissed the lawsuit as "meritless," and he said customers should count on continuing to use PayPal. EBay acquired PayPal in October 2002, and the division immediately became an engine of profits for San Jose-based eBay, one of the few Silicon Valley companies to emerge unscathed from the dot-com collapse. PayPal produced $106.4 million in revenue in the third quarter of 2003, nearly twice what it generated in the same period last year. More than 11 million people used PayPal to conduct transactions from July to September, according to eBay's most recent earnings statement. Before PayPal, eBay relied on a similar system called Billpoint, which is also named in the lawsuit. Mentioned Last Change INDU 9605.7913.63 (0.14%) EBAY 51.800.23 (0.44%) T 19.630.53 (2.77%) AT&T spokesman Gary Morgenstern said the lawsuit is the result of more than a year of negotiations between the two companies. EBay refused to pay any licensing fees, he said. "AT&T invests hundreds of millions of dollars every year in our research and development efforts, which have yielded a sizable portfolio of patents _ that's what we're vigorously protecting here," Morgenstern said. "EBay and PayPal have refused to compensate us for patented technology, and so we're forced to take this to the courts." Numerous inventors and small companies have sued or threatened to sue eBay, and legal experts have been skeptical of many such claims. But some said the newest plaintiff's heft gives the AT&T lawsuit the credibility that cases brought by obscure inventors and operators of now-defunct dot-coms lacked. "To be sure, AT&T's involvement makes this case different from others," said Neil A. Smith of the San Francisco-based law firm Howard, Rice, Nemerovski, Canady, Falk & Rabkin. "AT&T's a well respected company that doesn't just wave around patent lawsuits unless there's some merit." Others, however, said that AT&T is unlikely to even force a settlement _ which is the way Amazon.com and Barnesandnoble.com resolved what might have been the last such high-profile legal skirmish over Internet sales strategies. That case, involving Amazon's "one-click" checkout method, was filed in 1999 and settled last year. The companies have refused to disclose the terms. David Pressman, a San Francisco patent lawyer and author of "Patent It Yourself," said at least half of all patent infringement lawsuits are won by the defense or eventually dropped before reaching the courtroom. And Greg Aharonian, San Francisco-based patent expert, said eBay could get the case dismissed if it finds a company or institution that developed its own "trusted intermediary" or similar electronic payment system even before AT&T researchers filed for their patent. "The question is, did anyone else have trusted third parties in the 1980s? My gut reaction is that they existed," said Aharonian, publisher of the daily Internet Patent News Service newsletter. "Some university professor could have written an article on this, but no one paid attention and no banks adopted it. Something like that could invalidate the lawsuit completely." ___ On the Net: http://www.att.com http://www.ebay.com -- ----------------- R. A. Hettinga The Internet Bearer Underwriting Corporation 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' From s.schear at comcast.net Fri Nov 21 15:21:58 2003 From: s.schear at comcast.net (Steve Schear) Date: Fri, 21 Nov 2003 15:21:58 -0800 Subject: [Politech] Congress finally poised to vote on anti-spam bill [sp] In-Reply-To: <20031121161312.A519@baltwash.com> Message-ID: <5.2.1.1.0.20031121151344.05e99e80@mail.comcast.net> At 04:13 PM 11/21/2003 -0600, Declan McCullagh wrote: >A copy of the bill is here: >http://news.com.com/pdf/ne/2003/FINALSPAM.pdf I interpret paragraph 1037(a)1 - 5 as possibly prohibiting the use of anonymous remailers, or proxies and nyms in registering email accounts, for the purpose of commercial speech. steve From sguthery at mobile-mind.com Fri Nov 21 12:51:13 2003 From: sguthery at mobile-mind.com (Scott Guthery) Date: Fri, 21 Nov 2003 15:51:13 -0500 Subject: DigiCash Saves PayPal? Message-ID: Not to mention the pneumatic tube systems in department stores that sent your charge plate upstairs for approval. "Those who do not learn from ..." Oh, never mind. Cheers, Scott -----Original Message----- From: R. A. Hettinga [mailto:rah at shipwright.com] Sent: Friday, November 21, 2003 3:20 PM To: cryptography at metzdowd.com; cypherpunks at lne.com; mac_crypto at vmeng.com; Digital Bearer Settlement List; fork at xent.com; epay at ca0.net; internet-payments at ls.fstc.org; DIGSIG at LISTSERV.TEMPLE.EDU; CYBERIA-L at LISTSERV.AOL.COM; InfoSec News; nettime-l at bbs.thing.net Subject: DigiCash Saves PayPal? >And Greg Aharonian, San Francisco-based patent expert, said eBay could get >the case dismissed if it finds a company or institution that developed its >own "trusted intermediary" or similar electronic payment system even >before AT&T researchers filed for their patent. Bingo. Somebody at First Data should haul out the old DigiCash pitch-ware they probably have laying around, and beat AT&T over the head with it... Cheers, RAH ------ Lycos AT&T: EBay, PayPal Infringe on Patents E-mail orPrint this story 20 November 2003, 6:03pm ET By RACHEL KONRAD AP Business Writer SAN JOSE, Calif. (AP) -- AT&T Corp. reached out and smacked eBay Inc. with a patent infringement lawsuit Thursday, claiming the online auction company has been using a payment system that the telecommunications giant developed more than a decade ago. The case, filed in federal court in Delaware, comes on the heels of an August verdict in which a Virginia judge ordered eBay to pay $29.5 million to an inventor who accused the company of stealing his ideas for fixed price sales formats. AT&T's suit demands that eBay pay an undisclosed amount in licensing fees because its lucrative PayPal division functions as a "trusted intermediary" between buyers and sellers who may not know each other. The system _ widely regarded as critical to eBay's gangbuster growth and a boon to e-commerce in general _ lets buyers provide credit card or bank account information to a reliable third party instead of individual sellers around the world. Buyers merely have to trust PayPal, and they don't have to worry about disreputable sellers using sensitive financial data for fraudulent purposes. AT&T says three senior engineers working for the phone company filed for a patent in 1991 for exactly such a process, which they called "Mediation of Transactions by a Communication System." The patent was granted in 1994, AT&T said. EBay spokesman Chris Donlay dismissed the lawsuit as "meritless," and he said customers should count on continuing to use PayPal. EBay acquired PayPal in October 2002, and the division immediately became an engine of profits for San Jose-based eBay, one of the few Silicon Valley companies to emerge unscathed from the dot-com collapse. PayPal produced $106.4 million in revenue in the third quarter of 2003, nearly twice what it generated in the same period last year. More than 11 million people used PayPal to conduct transactions from July to September, according to eBay's most recent earnings statement. Before PayPal, eBay relied on a similar system called Billpoint, which is also named in the lawsuit. Mentioned Last Change INDU 9605.7913.63 (0.14%) EBAY 51.800.23 (0.44%) T 19.630.53 (2.77%) AT&T spokesman Gary Morgenstern said the lawsuit is the result of more than a year of negotiations between the two companies. EBay refused to pay any licensing fees, he said. "AT&T invests hundreds of millions of dollars every year in our research and development efforts, which have yielded a sizable portfolio of patents _ that's what we're vigorously protecting here," Morgenstern said. "EBay and PayPal have refused to compensate us for patented technology, and so we're forced to take this to the courts." Numerous inventors and small companies have sued or threatened to sue eBay, and legal experts have been skeptical of many such claims. But some said the newest plaintiff's heft gives the AT&T lawsuit the credibility that cases brought by obscure inventors and operators of now-defunct dot-coms lacked. "To be sure, AT&T's involvement makes this case different from others," said Neil A. Smith of the San Francisco-based law firm Howard, Rice, Nemerovski, Canady, Falk & Rabkin. "AT&T's a well respected company that doesn't just wave around patent lawsuits unless there's some merit." Others, however, said that AT&T is unlikely to even force a settlement _ which is the way Amazon.com and Barnesandnoble.com resolved what might have been the last such high-profile legal skirmish over Internet sales strategies. That case, involving Amazon's "one-click" checkout method, was filed in 1999 and settled last year. The companies have refused to disclose the terms. David Pressman, a San Francisco patent lawyer and author of "Patent It Yourself," said at least half of all patent infringement lawsuits are won by the defense or eventually dropped before reaching the courtroom. And Greg Aharonian, San Francisco-based patent expert, said eBay could get the case dismissed if it finds a company or institution that developed its own "trusted intermediary" or similar electronic payment system even before AT&T researchers filed for their patent. "The question is, did anyone else have trusted third parties in the 1980s? My gut reaction is that they existed," said Aharonian, publisher of the daily Internet Patent News Service newsletter. "Some university professor could have written an article on this, but no one paid attention and no banks adopted it. Something like that could invalidate the lawsuit completely." ___ On the Net: http://www.att.com http://www.ebay.com -- ----------------- R. A. Hettinga The Internet Bearer Underwriting Corporation 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' From jwashburn at whittmanhart.com Fri Nov 21 14:07:56 2003 From: jwashburn at whittmanhart.com (John Washburn) Date: Fri, 21 Nov 2003 16:07:56 -0600 Subject: e voting Message-ID: <9A1CCCE54805534C80F5BD0FC19D1E6B13055F@chi-exch02.ffhq.ffconsulting.net> I agree. The paper printout may be unconnected to fraudulent tally numbers produced later for publication. This is better than the literal nothing produced at present. There is a small chance many voters could use there receipts to counter fraudulent tally in low-vote ward. -----Original Message----- From: Roy M. Silvernail [mailto:roy at rant-central.com] Sent: Friday, November 21, 2003 12:12 PM To: cypherpunks at lne.com Subject: Re: e voting On Friday 21 November 2003 12:19, Tim May wrote: > On Nov 21, 2003, at 8:16 AM, Major Variola (ret.) wrote: > > Secretary of State Kevin Shelley is expected to announce today that as > > of 2006, all electronic voting machines in California must be able to > > produce a paper printout that voters can check to make sure their votes > > are properly recorded. > > > > http://www.latimes.com/news/local/la-me-shelley21nov21,1,847438.story? > > coll=la-headlines-california > > Without the ability to (untraceably, unlinkably, of course) verify that > this vote is "in the vote total," and that no votes other than those > who actually voted, are in the vote total, this is all meaningless. Quite true. But given the fact that we don't have that ability *now*, what exactly is the difference? Other than streamlining and centralizing the present distributed corruption? From pbaker at verisign.com Fri Nov 21 16:20:34 2003 From: pbaker at verisign.com (Hallam-Baker, Phillip) Date: Fri, 21 Nov 2003 16:20:34 -0800 Subject: [Asrg] Re: [Politech] Congress finally poised to vote on anti -spam bill [sp] Message-ID: <2A1D4C86842EE14CA9BC80474919782E01113200@mou1wnexm02.vcorp.ad.vrsn.com> We need to consider the technical workings of the do-not-spam list and the requirements that we would like the FTC to meet. I propose as a minimum: 1) Allow individual subscribers to list their email addresses with the service. 2) Permit mail sender to quickly determine whether a given email is on the list 3) Be distributable in a form that does not permit use as a mailing list. 4) Permit the storage of attributes in association with each listing, minimally the date of subscription. In addition we might add: 5) Allow domain name owners to list their domains. 6) Provide for authentication of listing requests These requirements can be met using completely generic and to my knowledge unencumbered technology. For the purposes of avoiding patent encumberabces I disclose the following - I published note on the basic idea of using a one way hash to conceal an email address on a do not spam list in 1995, I also implemented the scheme at that time. The idea is not entirely novel, hash databases have been used for at least twenty years, there may also be similar ideas in the cryptography litterature. My proposal would be to use a message authentication function such as HMAC-SHA1 with a key such as SHA1 ("FTC Do Not Spam List") to create a unique digest function for the purpose. There is a security consideration here, use of a digest such as SHA1(email) might lead to chosen protocol attacks. To add an individual email address "alice at example.com" to the list we calculate HMAC ("alice at example.com") to create the key. A domain may be represented by the string "example.com". To determine whether the address "bob at example.com" is on the list it is necessary to test for both the specific email address and the domain. [This can be made to meet arbitrarily complex requirements] The list is distributed as a set of key/value pairs. Sorting the list according to the key values allows rapid lookups by means of binary search, or since the hash function is guaranteed homogenous using ranged search using the hash value as an estimator for the index position. It is not necessary to distribute the list sorted. There are also a few tricks that can be used to reduce the usefulness of such a list for address validation. This same concept can be used to conceal the filter terms used in cersorware. Phill From frantz at pwpconsult.com Fri Nov 21 17:30:51 2003 From: frantz at pwpconsult.com (Bill Frantz) Date: Fri, 21 Nov 2003 17:30:51 -0800 Subject: e voting In-Reply-To: References: <3FBE3A75.62E7E6C3@cdc.gov> <3FBE3A75.62E7E6C3@cdc.gov> Message-ID: At 9:19 AM -0800 11/21/03, Tim May wrote: >On Nov 21, 2003, at 8:16 AM, Major Variola (ret.) wrote: > >> Secretary of State Kevin Shelley is expected to announce today that as >> of 2006, all electronic voting machines in California must be able to >> produce a paper printout that voters can check to make sure their votes >> are properly recorded. >> >> http://www.latimes.com/news/local/la-me-shelley21nov21,1,847438.story? >> coll=la-headlines-california >> >> >Without the ability to (untraceably, unlinkably, of course) verify that >this vote is "in the vote total," and that no votes other than those >who actually voted, are in the vote total, this is all meaningless. David Chaum has described a system where each voter gets a piece of paper which includes their vote, encrypted so they can't prove how they voted. The images of these pieces of paper are also posted on a web page, so the voters can look up their encrypted ballots to verify that their votes are being counted. These votes are passed through a number of mixes, which may be run by different organizations before they are completely decrypted and counted. (The mixes prevent a decrypted ballot from being associated with an input, encrypted ballot.) The encryption of the ballots is performed by over-printing the plain-text ballots, so the voter can verify the ballot's correctness before it is encrypted. The mixes are verified by random inspection. This system seems to meet the above requirements. Now, I can think of some ways to cheat with this system, but they are all a lot more likely to be found than cheats with the current systems. The big knock on all-electronic voting machines is that they are a step backwards in independent verification and audit from paper ballots, or even punch cards. (Yes, you can argue about hanging chad, pregnant chad, dimpled chad etc., but at least you have something tangible that represents each ballot.) The saving grace of the old mechanical voting machines is that they are mechanical, and hard to modify for cheating. Most anyone on this list can imagine the program in an electronic voting machine being different from the one that was audited and approved. That's hard to do with a mechanical system. We have seen failures where the mechanical systems lost all the votes made on them however, a failure that seems possible with the electronic systems as well. IMHO, the problem with Chaum's systems is that it is complex. I think that saving a printed paper ballot, along with the electronic totals, gives much the same level of security and assurance, with a system that the average voter can understand. Cheers - Bill ------------------------------------------------------------------------- Bill Frantz | "There's nothing so clear as a | Periwinkle (408)356-8506 | vague idea you haven't written | 16345 Englewood Ave www.pwpconsult.com | down yet." -- Dean Tribble | Los Gatos, CA 95032 From amichrisde at yahoo.de Fri Nov 21 08:41:04 2003 From: amichrisde at yahoo.de (Some Guy) Date: Fri, 21 Nov 2003 17:41:04 +0100 (CET) Subject: [mnet-devel] Grid Of Trust -- pre-design Message-ID: Hey guys who ever wants to take first peek at my baby DHT/premix idea please take a peek and crtitique it. It's a bit rough around the edges and there's plenty of room for modification, but I'm pretty sure the ideas are sound. http://de.geocities.com/amichrisde/Grid_Of_Trust.html The basic idea is to force data and nodes to be randomly distributed in a grid. This provides resistance against serveral types of attacks. Feel free to comment on or off list. __________________________________________________________________ Gesendet von Yahoo! Mail - http://mail.yahoo.de Logos und Klingeltvne f|rs Handy bei http://sms.yahoo.de ------------------------------------------------------- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ _______________________________________________ mnet-devel mailing list mnet-devel at lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/mnet-devel ----- End forwarded message ----- -- Eugen* Leitl leitl ______________________________________________________________ ICBM: 48.07078, 11.61144 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE http://moleculardevices.org http://nanomachines.net [demime 0.97c removed an attachment of type application/pgp-signature] From eugen at leitl.org Fri Nov 21 08:49:28 2003 From: eugen at leitl.org (Eugen Leitl) Date: Fri, 21 Nov 2003 17:49:28 +0100 Subject: [mnet-devel] Grid Of Trust -- pre-design (fwd from amichrisde@yahoo.de) Message-ID: <20031121164928.GX7350@leitl.org> ----- Forwarded message from Some Guy ----- From DaveHowe at gmx.co.uk Fri Nov 21 09:49:46 2003 From: DaveHowe at gmx.co.uk (Dave Howe) Date: Fri, 21 Nov 2003 17:49:46 -0000 Subject: e voting References: <3FBE3A75.62E7E6C3@cdc.gov> Message-ID: <006d01c3b057$db1d26f0$01c8a8c0@broadbander> Tim May wrote: > Without the ability to (untraceably, unlinkably, of course) verify > that this vote is "in the vote total," and that no votes other than > those > who actually voted, are in the vote total, this is all meaningless. The missing step is that that paper receipt isn't kept by the voter - but instead, is deposited in a conventional voting box for use in recounts. From morlockelloi at yahoo.com Fri Nov 21 19:09:26 2003 From: morlockelloi at yahoo.com (Morlock Elloi) Date: Fri, 21 Nov 2003 19:09:26 -0800 (PST) Subject: Vivendi to Destroy MP3.com archive In-Reply-To: <20031122011310.E922B1F819D@gnu-darwin.org> Message-ID: <20031122030926.73064.qmail@web40602.mail.yahoo.com> > Somebody please tell me that this is a nightmare, and I am about to > wake up. Let's see ... was there a contract to keep things up ad infinitum ? This is a good step, part of waking up from the dream that there are free things on Internet. If there is no eyeball-catching value to be derived from offering "free" service the service will cease to exist. This may well happen with "free" e-mail accounts as well - I wonder who will be the first to eliminate the free service in face of diminishing advertizing revenue - Yahoo ? Hotmail ? ===== end (of original message) Y-a*h*o-o (yes, they scan for this) spam follows: __________________________________ Do you Yahoo!? Free Pop-Up Blocker - Get it now http://companion.yahoo.com/ From proclus at gnu-darwin.org Fri Nov 21 17:13:07 2003 From: proclus at gnu-darwin.org (proclus at gnu-darwin.org) Date: Fri, 21 Nov 2003 20:13:07 -0500 (EST) Subject: Vivendi to Destroy MP3.com archive Message-ID: <20031122011310.E922B1F819D@gnu-darwin.org> Vivendi et al. about to demonstrate how they value artists and their work. http://www.kuro5hin.org/story/2003/11/21/14616/561 Somebody please tell me that this is a nightmare, and I am about to wake up. Regards, proclus http://www.gnu-darwin.org/ -- Visit proclus realm! http://proclus.tripod.com/ -----BEGIN GEEK CODE BLOCK----- Version: 3.1 GMU/S d+@ s: a+ C++++ UBULI++++$ P+ L+++(++++) E--- W++ N- !o K- w--- !O M++@ V-- PS+++ PE Y+ PGP-- t+++(+) 5+++ X+ R tv-(--)@ b !DI D- G e++++ h--- r+++ y++++ ------END GEEK CODE BLOCK------ [demime 0.97c removed an attachment of type APPLICATION/pgp-signature] From proclus at gnu-darwin.org Fri Nov 21 17:14:15 2003 From: proclus at gnu-darwin.org (proclus at gnu-darwin.org) Date: Fri, 21 Nov 2003 20:14:15 -0500 (EST) Subject: Vivendi to Destroy MP3.com archive Message-ID: <20031122011418.B136C1F81B9@gnu-darwin.org> Vivendi et al. about to demonstrate how they value artists and their work. http://www.kuro5hin.org/story/2003/11/21/14616/561 Somebody please tell me that this is a nightmare, and I am about to wake up. Regards, proclus http://www.gnu-darwin.org/ -- Visit proclus realm! http://proclus.tripod.com/ -----BEGIN GEEK CODE BLOCK----- Version: 3.1 GMU/S d+@ s: a+ C++++ UBULI++++$ P+ L+++(++++) E--- W++ N- !o K- w--- !O M++@ V-- PS+++ PE Y+ PGP-- t+++(+) 5+++ X+ R tv-(--)@ b !DI D- G e++++ h--- r+++ y++++ ------END GEEK CODE BLOCK------ [demime 0.97c removed an attachment of type APPLICATION/pgp-signature] From pbaker at verisign.com Fri Nov 21 20:25:24 2003 From: pbaker at verisign.com (Hallam-Baker, Phillip) Date: Fri, 21 Nov 2003 20:25:24 -0800 Subject: [Asrg] Re: [Politech] Congress finally poised to vote on anti -spam bill [sp] Message-ID: <2A1D4C86842EE14CA9BC80474919782E01113202@mou1wnexm02.vcorp.ad.vrsn.com> Yeah, Yeah dictionary attacks... The key is that the search space is actually thinly populated enough to make dictionary attack hard. Most usernames are 6 characters or more, many include numbers, that is about 26^6 worth of search space per domain. Of course this is not evenly populated, but the odd thing is that the usernames turn out to be more random than the average password. This is because random is not unguessable. Many usernames are surnames, many are compounds of initial plus surname, only a relative handfull are commonly used names and those tend to get grabbed fast. so you have a pretty big search space, millions of possibilities and that for each one of fifty million domains. The same does not hold for do-not-call lists. The problem there is that something like 80% of the numbers available at active exchanges are already allocated. Most of the stock of unused numbers are on exchanges that have not yet been allocated. Since something like 30% of subscribers sign up for do not call the result is that dictonary attacks are easy. Also we add out of service addresses that get spammed anyway to the list. So the list is not an accurate way to find out if an address is in service or not. Alan knows quite a few addresses that get spammed that are invalid. > -----Original Message----- > From: Hallam-Baker, Phillip [mailto:pbaker at verisign.com] > Sent: Friday, November 21, 2003 7:21 PM > To: 'Steve Schear' > Cc: cypherpunks at lne.com; asrg at ietf.org > Subject: RE: [Asrg] Re: [Politech] Congress finally poised to vote on > anti -spam bill [sp] > > > We need to consider the technical workings of the do-not-spam > list and the > requirements that we would like the FTC to meet. > > I propose as a minimum: > > 1) Allow individual subscribers to list their email addresses with the > service. > 2) Permit mail sender to quickly determine whether a given > email is on the > list > 3) Be distributable in a form that does not permit use as a > mailing list. > 4) Permit the storage of attributes in association with each listing, > minimally the date of subscription. > > In addition we might add: > > 5) Allow domain name owners to list their domains. > 6) Provide for authentication of listing requests > > > These requirements can be met using completely generic and to > my knowledge > unencumbered technology. For the purposes of avoiding patent > encumberabces I > disclose the following - I published note on the basic idea > of using a one > way hash to conceal an email address on a do not spam list in > 1995, I also > implemented the scheme at that time. The idea is not entirely > novel, hash > databases have been used for at least twenty years, there may also be > similar ideas in the cryptography litterature. > > My proposal would be to use a message authentication function such as > HMAC-SHA1 with a key such as SHA1 ("FTC Do Not Spam List") > to create a > unique digest function for the purpose. There is a security > consideration > here, use of a digest such as SHA1(email) might lead to > chosen protocol > attacks. > > To add an individual email address "alice at example.com" to the list we > calculate HMAC ("alice at example.com") to create the key. A > domain may be > represented by the string "example.com". > > To determine whether the address "bob at example.com" is on the > list it is > necessary to test for both the specific email address and the domain. > > [This can be made to meet arbitrarily complex requirements] > > > The list is distributed as a set of key/value pairs. Sorting the list > according to the key values allows rapid lookups by means of > binary search, > or since the hash function is guaranteed homogenous using > ranged search > using the hash value as an estimator for the index position. It is not > necessary to distribute the list sorted. > > There are also a few tricks that can be used to reduce the > usefulness of > such a list for address validation. > > This same concept can be used to conceal the filter terms used in > cersorware. > > Phill > > _______________________________________________ > Asrg mailing list > Asrg at ietf.org > https://www1.ietf.org/mailman/listinfo/asrg From cypherpunks at salvagingelectrons.com Fri Nov 21 23:38:46 2003 From: cypherpunks at salvagingelectrons.com (Tim Meehan) Date: Sat, 22 Nov 2003 02:38:46 -0500 Subject: Drug policy activist *searched and detained* by notorious South Carolina principal after being invited onto school grounds Message-ID: Report by Dan Goldman (dan at ssdp.org) of Students for Sensible Drug Policy (http://www.ssdp.org) Forwarded from Loretta Nall (alabamamjparty at graffiti.net) of the US Marijuana Party (http://www.usmjparty.com) Loretta said: This just in from my buddy Dan Goldman who is still on the ground in South Carolina --- Now I promised you a good story and here it is... On Thursday when I went back to Stratford High School, I had a rather unexpected encounter. I started the day out as usual, passing out DPA's information, SSDP's stickers and a few of the SSDP t-shirts that I had left. At one point, a pair of teachers walked passed and I offered both of them the pamphlet and booklet. One of them asked "What is it?" and one of the students around him answered, "It has to do with keeping our school drug-free." A heavy-set man whose name I later learned was Mr. Green, took both the pamphlet and the booklet. The man next to him, a younger, smaller teacher whose name I later learned was Mr. McCombs refused my offer. In my youthful exhuberance, I said some snide remark to the effect of, "Way to set an example for your students by remaining ignorant." I know I shouldn't have said something like that and I didn't even think he heard me, but I was mistaken. Read on... Now, after most of the students dispersed, I did what I did the day before and walked through a muddy foot path, about 30 feet over to the school grounds to pass out a few more flyers. As I was walking back through the foot path to my car, I saw both of the teachers again and I kindly offered my last pamphlet to Mr. McCombs, who had neglected to take it before. This time he was very upset. He wanted to know why I would say what I said to him about staying ignorant. He said, "I've been to college and I've been teaching for 4 years, don't you think I may know a little something about keeping kids drug-free?" I said, "You may know a little something, but you probably haven't been exposed to what's in this pamphlet, so why don't you take one and find out?" He told me he didn't have time to read one and I suggested he do what most people do and put it in his pocket to read when he does have time. Mr. McCombs continued to wonder aloud why I thought it was necessary to undermine him in front of students and I continued to wonder to myself how one snide comment can undermine the authority of a teacher who has their attention every day for an hour? Now at this point, the two teachers began threatening me with this whole issue of tresspassing on school grounds. Since I was in fact on school grounds momentarily without permission, I really didn't want to get into it with them. I was about to leave with the excuse of another appointment (which was true, Ian Mance was arriving around 4:30pm and I wanted to see him as I've been staying at his parents' house for the last week) but then they made me an offer I couldn't refuse.... They offered to take me to see Principal McCrackin. Now, last week Mr. McCrackin had sent home a letter to parents offering to meet with any of them that still had concerns about the drug raid. However, according to the parents I've spoken with who've tried to meet with him, he's always busy. So I didn't think I would have the chance to meet the man behind the myth, and when the chance just presented itself like that, I thought it was too good to be true. Well, like everything too good to be true... It was! As I walked through the school, continuing my witty banter with the two teachers, we entered the principal's office and to my surprise, there were two officers of the law instead of one Principal. Immediately, one of them, a very big man named Cpl. Aucoin demanded my identification. Now having just seen BUSTED, I wasn't immediately inclined to give it to him. However I did tell him my name and I showed him the materials I was distributing. I asked Cpl. Aucoin if I was free to go and he said, "No," that he was detaining me. The two teachers insisted they caught me tressassing and I corrected them and explained they encountered me in between the back of strip mall and the school grounds on that muddy foot path. Then, in came McCrackin... I'm not sure how many of you have seen a picture of George McCrackin, but he's in his mid to late 50's, I would guess, dark hair that's greying but looks like he colors it. He's about 5 ft. 7in tall and maybe 170 lbs. He's a short, stout man, the kind with a Napolean complex of sorts. He looks tired beyond his years, like a man who has been at his job for too long. He's been principal of Stratford High School since it opened 20 years ago and before that he was assistant Superintendent of Schools in North Charleston and a principal and teacher for years before that, so the man has been in education for quite some time -- his entire adult life, in fact. That he cares for children was evident from speaking to many people in the community, but that he pre-judges people and labels them "good" or "bad" and then acts towards them accordingly, was also quite evident from speaking to his students, especially those who were at one time "good", but then did something to get themselves labeled "bad". They speak quite insightfully about how he treats his students. Upon speaking to Mr. McCrackin and being threatened with an arrest for tresspass, I decided to give up my ID. Cpl. Aucoin ran my ID as Mr. McCrackin disappeared with his two teachers to persumably view the videotape from one of the school's 70 surveillance cameras. He came back and said he had evidence I was "on his campus." I admitted to passing out a few materials to 6 students, said as much to him and apologized for not knowing I needed his permission to pass out flyers. (It wasn't as sarcastic as it sounds when you read this, honest.) He then asked me where I was parked, I think because he wanted to nail me for parking in "his lot" as well, but unfortunately as I told him, I was parked in the strip mall parking lot, which is off school grounds. Cpl. Aucoin asked if I saw the sign that said "For Customers Only" and I explained that I had purchased my lunch at the Subway in the strip mall, so I was indeed, a customer. Now at this point things got really weird. See earlier that afternoon, as school let out, a bunch of kids were speeding around the parking lot and burning the rubber on their tires. Then the police came and chased one of them. I believe Mr. McCrackin was rightly concerned with this incident, but seemed to place the blame in a strange place. (Does this sound framiliar?) When I told them I bought my lunch at Subway, he went on about how he was going to have that place closed down and what a dangerous situation it was causing. I couldn't understand how a sandwhich shop could be responsible for high school kids doing stupid things in their cars, but I guess it makes sense somewhere in McCrackin World. After he ended his subway tirade, I got to explaining about the "Safety First" philosophy and from what he said to me in response, I can say with 100% certainty that this man has lost his grip on reality. He told me he knew "Just Say No" wasn't working because they have Red Ribbon Week at school and although it's a school of 2700 people, there were 20-30 who were just going to do what they wanted to do anyways. I was honestly shocked that this man who has been an educator all his life, believes that there are only 20-30 students using drugs at his school. I spoke to at least 20-30 kids every day after school and I know I'm not hitting the lion's share of the drug using population at that school (most of whom are overwhelmingly marijuana smokers only), just the ones who happen to walk home that way or hang out in that area after school. So with what must have been a look of stupified incredulity on my face, the unexpected happened... George McCrackin told me to turn around and put my hands on my head with my fingers crossed. He said he was going to search me, as he had the right to search anyone in his school. He asked me if I had anything in my pockets I shouldn't have. The whole time I'm in utter disbelief that I'm being detained and searched by the principal of Stratford High School, Mr. George McCrackin. The irony was too much. After emptying my pockets and picking my pants back up for me (my belt wasn't tight enough) and not finding anything of interest in my pockets other than cash, keys and scraps of paper, I was told to sit down. He was still looking through my stuff when he asked me, "Who's Steve Silverman?" (I had Steve's name on a list of voicemail messages to return.) I told him "Mr. Silverman works for an organization called "Flex Your Rights" out of Washington, DC. It teaches young people to assert their constitutional rights during police encounters." Neither the cops nor the principal looked too thrilled to hear about that. There was another cop in the room this whole time, but he never said much. His name was Detective Brooder, and he used to work for the NYPD's bomb squad. He took much more interest in my ID than anyone else and kept bending it, I suspect to see if it was fake. (Earlier, when I was pulling out my ID, Cpl. Aucoin thought my expired International Student ID card was another license and he wanted to see that as well.) These folks in Goose Creek law enforcement just aren't too bright. At least on these two most recent searches, they're 0 for 2! Before I left, Mr. McCrackin took two copies of DPA's pamphlet and an SSDP sticker. He told me he would read the pamphlet even if I didn't believe him (which I assured him I did) and I apologized for not having anymore copies of the "Safety First" booklet on me to give to him. I then realized he took the copy of the pamphlet that had the names of the teachers and staff I had just encountered written on the back and when I asked for it back, in exchange for a different pamphlet, I was told, "I didn't need to have the names of his teachers." As if it was going to be so difficult to remember all four names. A tresspass warning was filled out with my name on it and my picture was taken by Cpl. Aucoin. ("No smiling!" he told me.) After he snapped my mug, I was given the warning which I was told to sign and I was reminded that it didn't have to be this way, they could have had me arrested, if they wanted. Now, having not lined up local counsel in advance, I wasn't too eager to spend an evening in the Berkeley County jail and frankly, I'm glad it didn't have to come to that. Before I left, I was also told to stay away from the strip mall behind the school and that I would be "run out" if I tried to come back there again. I guess tomorrow we'll see about that! I left the principal's office, walked off campus towards my car and on my way I ran into a few more students back in the strip mall parking lot. I told them what happened and we had a nice laugh. Dan Goldman McCrackin Victim #108 --- Dan Goldman is a 2001 graduate of the University of Wisconsin-Madison, where he received a B.A. in history. He has been active in SSDP since the first meeting of the UW-Madison chapter in the fall of 1999. Since then he has attended every national SSDP conference, and in the spring of 2001, he organized SSDP's first regional conference for SSDP activists throughout the midwest. Upon graduating, Dan worked for the Drug Reform Coordination Network in Washington, DC and most recently, he was the September 11th Detention Coordinator for the American Friends Service Committee's Immigrant Rights Program, in Newark, NJ. Dan currently resides in Madison, WI, where he is working on his first book. -- Tim Meehan, Communications Director Ontario Consumers for Safe Access to Recreational Cannabis tim at ocsarc.org * http://www.ocsarc.org * 416-844-2431 From cypherpunks at salvagingelectrons.com Fri Nov 21 23:51:50 2003 From: cypherpunks at salvagingelectrons.com (Tim Meehan) Date: Sat, 22 Nov 2003 02:51:50 -0500 Subject: Drug policy activist *searched and detained* by notorious South Carolina principal after being invited onto school grounds Message-ID: Report by Dan Goldman (dan at ssdp.org) of Students for Sensible Drug Policy (http://www.ssdp.org) Forwarded from Loretta Nall (alabamamjparty at graffiti.net) of the US Marijuana Party (http://www.usmjparty.com) Loretta said: This just in from my buddy Dan Goldman who is still on the ground in South Carolina --- Now I promised you a good story and here it is... On Thursday when I went back to Stratford High School, I had a rather unexpected encounter. I started the day out as usual, passing out DPA's information, SSDP's stickers and a few of the SSDP t-shirts that I had left. At one point, a pair of teachers walked passed and I offered both of them the pamphlet and booklet. One of them asked "What is it?" and one of the students around him answered, "It has to do with keeping our school drug-free." A heavy-set man whose name I later learned was Mr. Green, took both the pamphlet and the booklet. The man next to him, a younger, smaller teacher whose name I later learned was Mr. McCombs refused my offer. In my youthful exhuberance, I said some snide remark to the effect of, "Way to set an example for your students by remaining ignorant." I know I shouldn't have said something like that and I didn't even think he heard me, but I was mistaken. Read on... Now, after most of the students dispersed, I did what I did the day before and walked through a muddy foot path, about 30 feet over to the school grounds to pass out a few more flyers. As I was walking back through the foot path to my car, I saw both of the teachers again and I kindly offered my last pamphlet to Mr. McCombs, who had neglected to take it before. This time he was very upset. He wanted to know why I would say what I said to him about staying ignorant. He said, "I've been to college and I've been teaching for 4 years, don't you think I may know a little something about keeping kids drug-free?" I said, "You may know a little something, but you probably haven't been exposed to what's in this pamphlet, so why don't you take one and find out?" He told me he didn't have time to read one and I suggested he do what most people do and put it in his pocket to read when he does have time. Mr. McCombs continued to wonder aloud why I thought it was necessary to undermine him in front of students and I continued to wonder to myself how one snide comment can undermine the authority of a teacher who has their attention every day for an hour? Now at this point, the two teachers began threatening me with this whole issue of tresspassing on school grounds. Since I was in fact on school grounds momentarily without permission, I really didn't want to get into it with them. I was about to leave with the excuse of another appointment (which was true, Ian Mance was arriving around 4:30pm and I wanted to see him as I've been staying at his parents' house for the last week) but then they made me an offer I couldn't refuse.... They offered to take me to see Principal McCrackin. Now, last week Mr. McCrackin had sent home a letter to parents offering to meet with any of them that still had concerns about the drug raid. However, according to the parents I've spoken with who've tried to meet with him, he's always busy. So I didn't think I would have the chance to meet the man behind the myth, and when the chance just presented itself like that, I thought it was too good to be true. Well, like everything too good to be true... It was! As I walked through the school, continuing my witty banter with the two teachers, we entered the principal's office and to my surprise, there were two officers of the law instead of one Principal. Immediately, one of them, a very big man named Cpl. Aucoin demanded my identification. Now having just seen BUSTED, I wasn't immediately inclined to give it to him. However I did tell him my name and I showed him the materials I was distributing. I asked Cpl. Aucoin if I was free to go and he said, "No," that he was detaining me. The two teachers insisted they caught me tressassing and I corrected them and explained they encountered me in between the back of strip mall and the school grounds on that muddy foot path. Then, in came McCrackin... I'm not sure how many of you have seen a picture of George McCrackin, but he's in his mid to late 50's, I would guess, dark hair that's greying but looks like he colors it. He's about 5 ft. 7in tall and maybe 170 lbs. He's a short, stout man, the kind with a Napolean complex of sorts. He looks tired beyond his years, like a man who has been at his job for too long. He's been principal of Stratford High School since it opened 20 years ago and before that he was assistant Superintendent of Schools in North Charleston and a principal and teacher for years before that, so the man has been in education for quite some time -- his entire adult life, in fact. That he cares for children was evident from speaking to many people in the community, but that he pre-judges people and labels them "good" or "bad" and then acts towards them accordingly, was also quite evident from speaking to his students, especially those who were at one time "good", but then did something to get themselves labeled "bad". They speak quite insightfully about how he treats his students. Upon speaking to Mr. McCrackin and being threatened with an arrest for tresspass, I decided to give up my ID. Cpl. Aucoin ran my ID as Mr. McCrackin disappeared with his two teachers to persumably view the videotape from one of the school's 70 surveillance cameras. He came back and said he had evidence I was "on his campus." I admitted to passing out a few materials to 6 students, said as much to him and apologized for not knowing I needed his permission to pass out flyers. (It wasn't as sarcastic as it sounds when you read this, honest.) He then asked me where I was parked, I think because he wanted to nail me for parking in "his lot" as well, but unfortunately as I told him, I was parked in the strip mall parking lot, which is off school grounds. Cpl. Aucoin asked if I saw the sign that said "For Customers Only" and I explained that I had purchased my lunch at the Subway in the strip mall, so I was indeed, a customer. Now at this point things got really weird. See earlier that afternoon, as school let out, a bunch of kids were speeding around the parking lot and burning the rubber on their tires. Then the police came and chased one of them. I believe Mr. McCrackin was rightly concerned with this incident, but seemed to place the blame in a strange place. (Does this sound framiliar?) When I told them I bought my lunch at Subway, he went on about how he was going to have that place closed down and what a dangerous situation it was causing. I couldn't understand how a sandwhich shop could be responsible for high school kids doing stupid things in their cars, but I guess it makes sense somewhere in McCrackin World. After he ended his subway tirade, I got to explaining about the "Safety First" philosophy and from what he said to me in response, I can say with 100% certainty that this man has lost his grip on reality. He told me he knew "Just Say No" wasn't working because they have Red Ribbon Week at school and although it's a school of 2700 people, there were 20-30 who were just going to do what they wanted to do anyways. I was honestly shocked that this man who has been an educator all his life, believes that there are only 20-30 students using drugs at his school. I spoke to at least 20-30 kids every day after school and I know I'm not hitting the lion's share of the drug using population at that school (most of whom are overwhelmingly marijuana smokers only), just the ones who happen to walk home that way or hang out in that area after school. So with what must have been a look of stupified incredulity on my face, the unexpected happened... George McCrackin told me to turn around and put my hands on my head with my fingers crossed. He said he was going to search me, as he had the right to search anyone in his school. He asked me if I had anything in my pockets I shouldn't have. The whole time I'm in utter disbelief that I'm being detained and searched by the principal of Stratford High School, Mr. George McCrackin. The irony was too much. After emptying my pockets and picking my pants back up for me (my belt wasn't tight enough) and not finding anything of interest in my pockets other than cash, keys and scraps of paper, I was told to sit down. He was still looking through my stuff when he asked me, "Who's Steve Silverman?" (I had Steve's name on a list of voicemail messages to return.) I told him "Mr. Silverman works for an organization called "Flex Your Rights" out of Washington, DC. It teaches young people to assert their constitutional rights during police encounters." Neither the cops nor the principal looked too thrilled to hear about that. There was another cop in the room this whole time, but he never said much. His name was Detective Brooder, and he used to work for the NYPD's bomb squad. He took much more interest in my ID than anyone else and kept bending it, I suspect to see if it was fake. (Earlier, when I was pulling out my ID, Cpl. Aucoin thought my expired International Student ID card was another license and he wanted to see that as well.) These folks in Goose Creek law enforcement just aren't too bright. At least on these two most recent searches, they're 0 for 2! Before I left, Mr. McCrackin took two copies of DPA's pamphlet and an SSDP sticker. He told me he would read the pamphlet even if I didn't believe him (which I assured him I did) and I apologized for not having anymore copies of the "Safety First" booklet on me to give to him. I then realized he took the copy of the pamphlet that had the names of the teachers and staff I had just encountered written on the back and when I asked for it back, in exchange for a different pamphlet, I was told, "I didn't need to have the names of his teachers." As if it was going to be so difficult to remember all four names. A tresspass warning was filled out with my name on it and my picture was taken by Cpl. Aucoin. ("No smiling!" he told me.) After he snapped my mug, I was given the warning which I was told to sign and I was reminded that it didn't have to be this way, they could have had me arrested, if they wanted. Now, having not lined up local counsel in advance, I wasn't too eager to spend an evening in the Berkeley County jail and frankly, I'm glad it didn't have to come to that. Before I left, I was also told to stay away from the strip mall behind the school and that I would be "run out" if I tried to come back there again. I guess tomorrow we'll see about that! I left the principal's office, walked off campus towards my car and on my way I ran into a few more students back in the strip mall parking lot. I told them what happened and we had a nice laugh. Dan Goldman McCrackin Victim #108 --- Dan Goldman is a 2001 graduate of the University of Wisconsin-Madison, where he received a B.A. in history. He has been active in SSDP since the first meeting of the UW-Madison chapter in the fall of 1999. Since then he has attended every national SSDP conference, and in the spring of 2001, he organized SSDP's first regional conference for SSDP activists throughout the midwest. Upon graduating, Dan worked for the Drug Reform Coordination Network in Washington, DC and most recently, he was the September 11th Detention Coordinator for the American Friends Service Committee's Immigrant Rights Program, in Newark, NJ. Dan currently resides in Madison, WI, where he is working on his first book. -- Tim Meehan, Communications Director Ontario Consumers for Safe Access to Recreational Cannabis tim at ocsarc.org * http://www.ocsarc.org * 416-844-2431 From cypherpunks at salvagingelectrons.com Sat Nov 22 11:32:57 2003 From: cypherpunks at salvagingelectrons.com (Tim Meehan) Date: Sat, 22 Nov 2003 14:32:57 -0500 Subject: Toronto man charged with wardriving, possession of child pornography Message-ID: http://www.torontopolice.on.ca/newsreleases/release.php?id=4732 November 21, 2003 - 01:20 pm CHILD PORNOGRAPHY ARREST  USING STOLEN INTERNET SIGNAL Corporate Communications 416-808-7100 On Wednesday November 19th, 2003 at approximately 5:03am, Sgt. Don Woods (7167) of 11 Division observed the accused driving his car the wrong way on a one way street in a residential subdivision in Toronto. The accused was investigated and observed to be naked from the waist down. He had a laptop computer on the passenger seat and on the screen was a young girl performing a sex act on an older man. The laptop had a wireless adapter card (known as a WI-FI card) allowing the accused to access the Internet through any insecure wireless Internet signal. (known as War Driving) The accused was taken to 11 Division and members of the Child Exploitation Section of the Sex Crimes Unit were called in. A lengthy investigation revealed that the accused also had been downloading child pornography using KaZaa, a peer to peer file sharing program and had been posing as a younger man in chatrooms to meet young girls. With the assistance of the O.P.P.s Project P, a search warrant was executed at the residence of the accused in Delhi, Ontario. 10 Computers and hundreds of compact discs containing hundreds of thousands of images and movies of child pornography were recovered. Accused : Walter NOWAKOWSKI 36 years Delhi, Ontario Charged : Possession of Child Pornography (2 Counts) Accessing Child Pornography Distribute Child Pornography Theft of Telecommunications Make Child Pornography The accused is in custody and will appear in courtroom #101 at Old City Hall, on Monday November 24th, 2003, at 10:00 a.m. for a bail hearing.. The public is reminded that if they are operating a wireless network at their home or business, their system needs to be secured against such actions. Sgt. Jim Muscat for Detective Sergeant Paul Gillespie and Staff Inspector Bruce Smollet From shaddack at ns.arachne.cz Sat Nov 22 05:54:39 2003 From: shaddack at ns.arachne.cz (Thomas Shaddack) Date: Sat, 22 Nov 2003 14:54:39 +0100 (CET) Subject: Idea: GPG signatures within HTML Message-ID: <0311221436180.-1216855884@somehost.domainz.com> Sometimes a problem appears with publishing information on the Web, when the authenticity of document, especially a widely-distributed one, has to be checked. I am not aware about any mechanism available presently. A trick with HTML (or SGML in general) tag and a comment, a browser plugin (or manual operation over saved source), and a GPG signature over part of the HTML file should do the job, with maintaining full backward compatibility and no problems for the users not using this scheme. It should be possible to make this HTML construction: blah blah blah blah blah unsigned irrelevant part of the document, eg. headers and sidebars which change with the site design This is the PGP-signed part of the HTML document. the unsigned rest of the HTML document The ... tags are ignored by browsers that don't know them, and provide leads for eventual browser plugins. The comments are used to hide the signature from the user in standard browsers. The scheme is designed to allow signing only parts of documents, so they could be published in fast-changing environments like blogs or on dynamically generated pages, and to have many different signed parts on one page. It should also allow manual checking of the signature, eg. by curl http://url | gpg --verify Feel free to use the idea if it is good. Opinions, comments? From shaddack at ns.arachne.cz Sat Nov 22 06:24:48 2003 From: shaddack at ns.arachne.cz (Thomas Shaddack) Date: Sat, 22 Nov 2003 15:24:48 +0100 (CET) Subject: Idea: GPG signatures within HTML - problem with inline objects In-Reply-To: <0311221436180.-1216855884@somehost.domainz.com> References: <0311221436180.-1216855884@somehost.domainz.com> Message-ID: <0311221455380.0@somehost.domainz.com> There is a problem with images and other inline objects. There is a solution, too. The objects included into the document can get their hash calculated and included in their tag; eg, The tag has to be in the signed part of the document, so the hash can't be tampered with. Full digital signatures should be possible as well, eg. or some HTML code here This way doesn't depend on the part of the document being signed, as the signature can't be effectively tampered with undetected anyway. Same scheme could be used in tags, allowing automated checking of signatures or hashes of downloaded binary files. From henryk at ploetzli.ch Sat Nov 22 07:07:14 2003 From: henryk at ploetzli.ch (Henryk =?ISO-8859-1?Q?Pl=F6tz?=) Date: Sat, 22 Nov 2003 16:07:14 +0100 Subject: Idea: GPG signatures within HTML In-Reply-To: <0311221436180.-1216855884@somehost.domainz.com> References: <0311221436180.-1216855884@somehost.domainz.com> Message-ID: <20031122160714.59588c48.henryk@ploetzli.ch> Moin, Am Sat, 22 Nov 2003 14:54:39 +0100 (CET) schrieb Thomas Shaddack: > A trick with HTML (or SGML in general) tag and a comment, a browser > plugin(or manual operation over saved source), and a GPG signature > over part of the HTML file should do the job, with maintaining full > backward compatibility and no problems for the users not using this > scheme. > Opinions, comments? This is already done, although I'm not aware of any browser supporting an automated verification. For an example look at the HTML source of http://www.bundesverfassungsgericht.de/entscheidungen/frames/rk20030827_2bvr091103 -- Henryk Plvtz Gr|_e aus Berlin ~~~~~~~ Un-CDs, nein danke! http://www.heise.de/ct/cd-register/ ~~~~~~~ ~ Help Microsoft fight software piracy: Give Linux to a friend today! ~ From mv at cdc.gov Sun Nov 23 17:43:08 2003 From: mv at cdc.gov (Major Variola (ret)) Date: Sun, 23 Nov 2003 17:43:08 -0800 Subject: Toronto man charged with wardriving, possession of child pornography Message-ID: <3FC1622C.5BC0B1A7@cdc.gov> At 02:32 PM 11/22/03 -0500, Tim Meehan wrote: >On Wednesday November 19th, 2003 at approximately 5:03am, Sgt. Don Woods (7167) >of 11 Division observed the accused driving his car the wrong way on a one way >street in a residential subdivision in Toronto. The accused was investigated and >observed to be naked from the waist down. He had a laptop computer on the >passenger seat and on the screen was a young girl performing a sex act on an >older man. >The laptop had a wireless adapter card (known as a WI-FI card) allowing the >accused to access the Internet through any insecure wireless Internet signal. Interesting cultural differences. In some locales (eg New Hampshire) wardriving is legal, much like walking on land that isn't posted. Driving while naked is not, AFAIK, an offense under the CA DMV laws, although driving the wrong direction is. And in other locales (various US states) young girls (eg 14) having sex with older men is legal if they have a state license, and consensual filming and publishing of that would be legal. Only driving the wrong way harms others, ie is truly a crime, assuming that sexual activities are consensual. And of course mere *bits* don't hurt anyone. In some locales (eg under islamic law) mere images of humans are illegal. BTW, isn't it a bit chilly in Ontario to be driving half-dressed? Must have had the heater on. ----- The Taliban: A Faith-Based Organization From cpunk at lne.com Sun Nov 23 20:00:00 2003 From: cpunk at lne.com (cpunk at lne.com) Date: Sun, 23 Nov 2003 20:00:00 -0800 Subject: Cypherpunks List Info Message-ID: <200311240400.hAO400pq021260@slack.lne.com> Cypherpunks Mailing List Information Last updated: Oct 13, 2003 This message is also available at http://www.lne.com/cpunk Instructions on unsubscribing from the list can be found below. 0. Introduction The Cypherpunks mailing list is a mailing list for discussing cryptography and its effect on society. It is not a moderated list (but see exceptions below) and the list operators are not responsible for the list content. Cypherpunks is a distributed mailing list. A subscriber can subscribe to one node of the list and thereby participate on the full list. Each node (called a "Cypherpunks Distributed Remailer", although they are not related to anonymous remailers) exchanges messages with the other nodes in addition to sending messages to its subscribers. A message posted to one node will be received by the list subscribers on the other nodes, and vice-versa. 1. Filtering The various CDRs follow different policies on filtering spam and to a lesser extent on modifying messages that go to/from their subscribers. Filtering is done, on nodes that do it, to reduce the huge amount of spam that the cypherpunks list is subjected to. There are three basic flavors of filtering CDRs: "raw", which send all messages to their subscribers. "cooked" CDRs try to eliminate the spam on that's on the regular list by automatically sending only messages that are from cypherpunks list subscribers (on any CDR) or people who are replying to list messages. Finally there are moderated lists, where a human moderator decides which messages from the raw list to pass on to subscribers. 2. Message Modification Message modification policy indicates what modifications, if any, beyond what is needed to operate the CDR are done (most CDRs add a tracking X-loop header on mail posted to their subscribers to prevent mail loops). Message modification usually happens on mail going in or out to each CDR's subscribers. CDRs should not modify mail that they pass from one CDR to the next, but some of them do, and others undo those modifications. 3. Privacy Privacy policy indicates if the list will allow anyone ("open"), or only list members, or no one ("private") , to retrieve the subscribers list. Note that if you post, being on a "private" list doesn't mean much, since your address is now out there. It's really only useful for keeping spammers from harvesting addresses from the list software. Digest mode indicates that the CDR supports digest mode, which is where the posts are batched up into a few large emails. Nodes that support only digest mode are noted. 4. Anonymous posting Cypherpunks encourages anonymous posting. You can use an anonymous remailer: http://www.andrebacard.com/remail.html http://anon.efga.org/Remailers http://www.gilc.org/speech/anonymous/remailer.html 5. Unsubscribing Unsubscribing from the cypherpunks list: Since the list is run from a number of different CDRs, you have to figure out which CDR you are subscribed to. If you don't remember and can't figure it out from the mail headers (hint: the top Received: line should tell you), the easiest way to unsubscribe is to send unsubscribe messages to all the CDRs listed below. How to figure out which CDR you are subscribed to: Get your mail client to show all the headers (Microsoft calls this "internet headers"). Look for the Sender or X-loop headers. The Sender will say something like "Sender: owner-cypherpunks at lne.com". The X-loop line will say something like "X-Loop: cypherpunks at lne.com". Both of these inticate that you are subscribed to the lne.com CDR. If you were subscribed to the algebra CDR, they would have algebra.com in them. Once you have figured out which CDR you're subscribed to, look in the table below to find that CDRs unsubscribe instructions. 6. Lunatics, spammers and nut-cases "I'm subscribed to a filtering CDR yet I still see lots of junk postings". At this writing there are a few sociopaths on the cypherpunks list who are abusing the lists openness by dumping reams of propaganda on the list. The distinction between a spammer and a subscriber is nearly always very clear, but the dictinction between a subscriber who is abusing the list by posting reams of propaganda and a subscriber who is making lots of controversial posts is not clear. Therefore, we tolerate the crap. Subscribers with a low crap tolerance should check out mail filters. Procmail is a good one, although it works on Unix and Unix-like systems only. Eudora also has a capacity for filtering mail, as do many other mail readers. An example procmail recipie is below, you will of course want to make your own decisions on which (ab)users to filter. # mailing lists: # filter all cypherpunks mail into its own cypherspool folder, discarding # mail from loons. All CDRs set their From: line to 'owner-cypherpunks'. # /dev/null is unix for the trash can. :0 * ^From.*owner-cypherpunks at .* { :0: * (^From:.*ravage at ssz\.com.*|\ ^From:.*jchoate at dev.tivoli.com.*|\ ^From:.*mattd at useoz.com|\ ^From:.*proffr11 at bigpond.com|\ ^From:.*jei at cc.hut.fi) /dev/null :0: cypherspool } 7. List of current CDRs All commands are sent in the body of mail unless otherwise noted. --------------------------------------------------------------------------- Algebra: Operator: Subscription: "subscribe cypherpunks" to majordomo at algebra.com Unsubscription: "unsubscribe cypherpunks" to majordomo at algebra.com Help: "help cypherpunks" to majordomo at algebra.com Posting address: cypherpunks at algebra.com Filtering policy: raw Message Modification policy: no modification Privacy policy: ??? Info: ??? --------------------------------------------------------------------------- CCC: Operator: drt at un.bewaff.net Subscription: "subscribe [password of your choice]" to cypherpunks-request at koeln.ccc.de Unsubscription: "unsubscribe " to cypherpunks-request at koeln.ccc.de Help: "help" to to cypherpunks-request at koeln.ccc.de Web site: http://koeln.ccc.de/mailman/listinfo/cypherpunks Posting address: cypherpunks at koeln.ccc.de Filtering policy: This specific node drops messages bigger than 32k and every message with more than 17 recipients or just a line containing "subscribe" or "unsubscribe" in the subject. Digest mode: this node is digest-only NNTP: news://koeln.ccc.de/cbone.ml.cypherpunks Message Modification policy: no modification Privacy policy: ??? --------------------------------------------------------------------------- Infonex: Subscription: "subscribe cypherpunks" to majordomo at infonex.com Unsubscription: "unsubscribe cypherpunks" to majordomo at infonex.com Help: "help cypherpunks" to majordomo at infonex.com Posting address: cypherpunks at infonex.com Filtering policy: raw Message Modification policy: no modification Privacy policy: ??? --------------------------------------------------------------------------- Lne: Subscription: "subscribe cypherpunks" to majordomo at lne.com Unsubscription: "unsubscribe cypherpunks" to majordomo at lne.com Help: "help cypherpunks" to majordomo at lne.com Posting address: cypherpunks at lne.com Filtering policy: cooked Posts from all CDR subscribers & replies to threads go to lne CDR subscribers. All posts from other CDRs are forwarded to other CDRs unmodified. Message Modification policy: 1. messages are demimed (MIME attachments removed) when posted through lne or received by lne CDR subscribers 2. leading "CDR:" in subject line removed 3. "Reply-to:" removed Privacy policy: private Info: http://www.lne.com/cpunk; "info cypherpunks" to majordomo at lne.com Archive: http://archives.abditum.com/cypherpunks/index.html (thanks to Steve Furlong and Len Sassaman) --------------------------------------------------------------------------- Minder: Subscription: "subscribe cypherpunks" to majordomo at minder.net Unsubscription: "unsubscribe cypherpunks" to majordomo at minder.net Help: "help" to majordomo at minder.net Posting address: cypherpunks at minder.net Filtering policy: raw Message Modification policy: no modification Privacy policy: private Info: send mail to cypherpunks-info at minder.net --------------------------------------------------------------------------- Openpgp: [openpgp seems to have dropped off the end of the world-- it doesn't return anything from sending help queries. Ericm, 8/7/01] Subscription: "subscribe cypherpunks" to listproc at openpgp.net Unsubscription: "unsubscribe cypherpunks" to listproc at openpgp.net Help: "help" to listproc at openpgp.net Posting address: cypherpunks at openpgp.net Filtering policy: raw Message Modification policy: no modification Privacy policy: ??? --------------------------------------------------------------------------- Sunder: Subscription: "subscribe" to sunder at sunder.net Unsubscription: "unsubscribe" to sunder at sunder.net Help: "help" to sunder at sunder.net Posting address: sunder at sunder.net Filtering policy: moderated Message Modification policy: ??? Privacy policy: ??? Info: ??? --------------------------------------------------------------------------- Pro-ns: Subscription: "subscribe cypherpunks" to majordomo at pro-ns.net Unsubscription: "unsubscribe cypherpunks" to majordomo at pro-ns.net Help: "help cypherpunks" to majordomo at pro-ns.net Posting address: cypherpunks at pro-ns.net Filtering policy: cooked Posts from all CDR subscribers & replies to threads go to local CDR subscribers. All posts from other CDRs are forwarded to other CDRs unmodified. Message Modification policy: 1. leading "CDR:" in subject line removed 2. "Reply-to:" removed Privacy policy: private Info: http://www.pro-ns.net/cpunk From timcmay at got.net Mon Nov 24 11:50:43 2003 From: timcmay at got.net (Tim May) Date: Mon, 24 Nov 2003 11:50:43 -0800 Subject: e voting In-Reply-To: References: Message-ID: <7D2CEDEC-1EB7-11D8-BF88-000A956B4C74@got.net> On Nov 24, 2003, at 9:51 AM, cubic-dog wrote: > On Fri, 21 Nov 2003, Major Variola (ret.) wrote: > >> Secretary of State Kevin Shelley is expected to announce today that as >> of 2006, all electronic voting machines in California must be able to >> produce a paper printout that voters can check to make sure their >> votes >> are properly recorded. > > Great! > Now when I sell my vote, I can produce this reciept for payment! > What a perfect system! > > Umm, weren't voter "receipts" outlawed some time back > because of this exact issue? > But it will allow unions to enforce compliance in the collective union vote. And wives can "hold out" unless hubby produces the proof that he vote for the feminista-approved candidate. Voting receipts really open up the democratic process. Of course, for those who think the problem with the West is too much democracy, not a good thing. --Tim May From dog3 at eruditium.org Mon Nov 24 09:49:53 2003 From: dog3 at eruditium.org (cubic-dog) Date: Mon, 24 Nov 2003 12:49:53 -0500 (EST) Subject: AT&T Patents Trusted Intermediaries, Sues PayPal In-Reply-To: Message-ID: On Fri, 21 Nov 2003, R. A. Hettinga wrote: > "PayPal and eBay have infringed AT&T's U.S. patent that covers transactions > in which a trusted intermediary securely processes payments over a > communications system such as the Internet." > > > I wonder what American Express, VISA (and Plus), MasterCard (and Cirrus), > Diner's Club, NASDAQ, Autex, Telerate, and even Quotron -- not to mention > CRESTCo, DTC, and SWIFT -- would have had to say about *that*? They won't say anything. They won't have to. Paypal and eBay are both dangerously close to being an underground economy. One is able to transact business without that transaction being tracked by Visa/mc et al. Just like the new banking moves are aimed at getting rid of "check cashing stores", these legal manuevers are aimed at getting rid of any kind of non-controlled commerce. Since the end of all of this is supposed to be a cashless society and an "end to violence" I wonder when john q public will realize that one can trade goods for crack and no money need change hands, hence these pushes are more likely to cause even worse crime, rather than less. From dog3 at eruditium.org Mon Nov 24 09:51:45 2003 From: dog3 at eruditium.org (cubic-dog) Date: Mon, 24 Nov 2003 12:51:45 -0500 (EST) Subject: e voting In-Reply-To: <3FBE3A75.62E7E6C3@cdc.gov> Message-ID: On Fri, 21 Nov 2003, Major Variola (ret.) wrote: > Secretary of State Kevin Shelley is expected to announce today that as > of 2006, all electronic voting machines in California must be able to > produce a paper printout that voters can check to make sure their votes > are properly recorded. Great! Now when I sell my vote, I can produce this reciept for payment! What a perfect system! Umm, weren't voter "receipts" outlawed some time back because of this exact issue? From bill.stewart at pobox.com Mon Nov 24 12:57:13 2003 From: bill.stewart at pobox.com (Bill Stewart) Date: Mon, 24 Nov 2003 12:57:13 -0800 Subject: Freedomphone In-Reply-To: References: <20031121014033.A22311@cdc-ws1.cdc.informatik.tu-darmstadt. de> <5.2.1.1.0.20031119125744.06ad0ff8@mail.comcast.net> <20031119135757.GB60803@lightship.internal.homeport.org> <5.2.1.1.0.20031119125744.06ad0ff8@mail.comcast.net> Message-ID: <5.1.0.14.2.20031124124755.022c7710@idiom.com> At 05:45 PM 11/20/2003 -0800, Bill Frantz wrote: >At 4:40 PM -0800 11/20/03, Ralf-P. Weinmann wrote: > >... There should be a means to cache credentials after an initial > >trust relationship between communicating parties has been established. >Cache entries would be a way for someone who obtains the phone to be able >to trace your contacts. (So would a in-phone address book.) Automatic >authentication also might make it easier to spoof the phone's owner. If you've got an in-phone address book, might as well let the user cache some randomly-generated password string with it. That doesn't protect you against someone stealing the phone, but it means you've got an authentic connection to your co-conspirator's stolen phone rather than to somebody else's phone. If your threat model assumes that they can trick your phone into doing things, you're already toast anyway. If you're worried that Interpol will subpoena your phone and show that the "Alice" and "Bob" passwords in your phone correspond to Alice the Narc and Bob, your prisoner's-dilemma ex-co-conspirator who's busy ratting you out, they can probably do the same thing just from the phone numbers (IP or otherwise.) From ptrei at rsasecurity.com Mon Nov 24 10:04:01 2003 From: ptrei at rsasecurity.com (Trei, Peter) Date: Mon, 24 Nov 2003 13:04:01 -0500 Subject: e voting Message-ID: cubic-dog [mailto:dog3 at eruditium.org] wrote: >On Fri, 21 Nov 2003, Major Variola (ret.) wrote: >> Secretary of State Kevin Shelley is expected to announce today that as >> of 2006, all electronic voting machines in California must be able to >> produce a paper printout that voters can check to make sure their votes >> are properly recorded. >Great! >Now when I sell my vote, I can produce this reciept for payment! >What a perfect system! >Umm, weren't voter "receipts" outlawed some time back >because of this exact issue? Thats not how it works. The idea is that you make your choices on the machine, and when you lock them in, two things happen: They are electronically recorded in the device for the normal count, and also, a paper receipt is printed. The voter checks the receipt to see if it accurately records his choices, and then is required to put it in a ballot box retained at the polling site. If there's a need for a recount, the paper receipts can be checked. I imagine a well designed system might show the paper receipt through a window, but not let it be handled, to prevent serial fraud. Peter Trei From mv at cdc.gov Mon Nov 24 14:30:58 2003 From: mv at cdc.gov (Major Variola (ret)) Date: Mon, 24 Nov 2003 14:30:58 -0800 Subject: e voting (receipts, votebuying, brinworld) Message-ID: <3FC286A2.68A8D74C@cdc.gov> At 01:04 PM 11/24/03 -0500, Trei, Peter wrote: >Thats not how it works. The idea is that you make your choices on >the machine, and when you lock them in, two things happen: They >are electronically recorded in the device for the normal count, and >also, a paper receipt is printed. The voter checks the receipt to >see if it accurately records his choices, and then is required to >put it in a ballot box retained at the polling site. > >If there's a need for a recount, the paper receipts can be checked. > >I imagine a well designed system might show the paper receipt through >a window, but not let it be handled, to prevent serial fraud. Vinny the Votebuyer pays you if you send a picture of your face adjacent to the committed receipt, even if you can't touch it. Since the voting booth is private, no one can see you do this, even if it were made illegal. (And since phones can store images, jamming the transmission at the booth doesn't work.) You send your picture from the cellphone that took it, along with a paypal account number as a text message. Vinny knows the vote is committed at that point. Vinnie can bin diff compare pix to assure non-duplicates, hires someone (probably offshore :-) to verify its not a quick and dirty photoshop job, and that its a vote for the "right" candidate. Further resisting photoshop, Vinny accepts pictures only during voting hours. Vinny has some kind of front business which could be expected to pay lots of people in bursts --a political polling service that reimburses interviewees would be ideal. On a small scale (coerce your voting age household members) its untraceable. On a medium scale (free drinks if you can show you voted for Caesar) its easy too. On a larger scale you might need confidentiality for the image and traffic analysis resistance. Maybe anon cash. Fundamentally, its just like the analog hole for DRM ---you can't show a human a commit message without the human being able to reproduce it for others. The booths could cycle through fake commit messages for all possible candidates, so that you could take a picture of yourself with a bogus commit message, vote as you will, and still collect. That might be confusing but is a counter. NB: Collect = avoid retribution. From frantz at pwpconsult.com Mon Nov 24 15:52:32 2003 From: frantz at pwpconsult.com (Bill Frantz) Date: Mon, 24 Nov 2003 15:52:32 -0800 Subject: e voting (receipts, votebuying, brinworld) In-Reply-To: <3FC286A2.68A8D74C@cdc.gov> Message-ID: At 2:30 PM -0800 11/24/03, Major Variola (ret) wrote: >At 01:04 PM 11/24/03 -0500, Trei, Peter wrote: >>Thats not how it works. The idea is that you make your choices on >>the machine, and when you lock them in, two things happen: They >>are electronically recorded in the device for the normal count, and >>also, a paper receipt is printed. The voter checks the receipt to >>see if it accurately records his choices, and then is required to >>put it in a ballot box retained at the polling site. >> >>If there's a need for a recount, the paper receipts can be checked. >> >>I imagine a well designed system might show the paper receipt through >>a window, but not let it be handled, to prevent serial fraud. > >Vinny the Votebuyer pays you if you send a picture of your >face adjacent to the committed receipt, even if you can't touch it. [more deleted] It depends on what happens to the receipt when you say commit. It could automatically go into the ballot box without delay, so you can't take such a photo. I expect that Vinny is already doing this with video of the touch screen verification screen and the voter pressing OK, but he hasn't make me an offer yet. I expect he gets better value for his money with TV ads, and last minute hit mailers. Cheers - Bill ------------------------------------------------------------------------- Bill Frantz | "There's nothing so clear as a | Periwinkle (408)356-8506 | vague idea you haven't written | 16345 Englewood Ave www.pwpconsult.com | down yet." -- Dean Tribble | Los Gatos, CA 95032 From bill.stewart at pobox.com Mon Nov 24 16:15:32 2003 From: bill.stewart at pobox.com (Bill Stewart) Date: Mon, 24 Nov 2003 16:15:32 -0800 Subject: [Asrg] Re: [Politech] Congress finally poised to vote on anti -spam bill [sp] In-Reply-To: <2A1D4C86842EE14CA9BC80474919782E01113200@mou1wnexm02.vcorp .ad.vrsn.com> Message-ID: <5.1.0.14.2.20031124152120.01cdb360@idiom.com> At 04:20 PM 11/21/2003 -0800, Hallam-Baker, Phillip wrote: >We need to consider the technical workings of the do-not-spam list and the >requirements that we would like the FTC to meet. ... [reasonable goals] ... [hashed-form lists instead of plaintext]... >5) Allow domain name owners to list their domains. >6) Provide for authentication of listing requests Especially for domains, it's important to do some validation, though in the absence of widely-deployed DNSSEC, it's hard to do automatically. Perhaps 3-way-handshake email to postmaster at example.com or the whois administrative contact address. (This also has the side-effect of requiring people to actually use their postmaster addresses, at least for fifteen minutes or so :-) And while hashing has the obvious risk of dictionary attacks, it'll at least cut back on some of the abuses, especially if the list is dynamic and the spamware vendors who do the dictionary attacks want to charge lots of money for it. Also, the scale's a lot more annoying searching a million obvious names on each of 20 million domains with a hash that takes a second per hit, though Moore's Law will obviously erode the hash time. Obviously spammers will target popular mail systems first. However, there are two special email address forms that complicate this a bit - tagged addresses - username+tag at example.com There are several different syntaxes for this - plusses, dashes, etc., and either you just ignore the problem (let the user register however many tagged addresses they want), or else you special-case the rules so that bulk-emailers who want to send mail to a plus-tagged address also must check the untagged version. - per-user subdomains - anything at username.example.com Technically this is no different than any other per-domain blocking, but administratively it's different, because there's no whois record and there might not be a postmaster address. There's a scalability problem that has to be solved, which is how to prevent a DOS-by-signing-up-too-many-addresses attack. An example would be a Turing test image on a web page (which has the downside of preventing automated signups, as well as annoying blind people), or else requiring a hashcash puzzle that takes ten times as long as the list's hash function. From timcmay at got.net Mon Nov 24 20:04:26 2003 From: timcmay at got.net (Tim May) Date: Mon, 24 Nov 2003 20:04:26 -0800 Subject: e voting (receipts, votebuying, brinworld) In-Reply-To: References: Message-ID: <75AD404A-1EFC-11D8-9AB2-000A956B4C74@got.net> On Nov 24, 2003, at 3:52 PM, Bill Frantz wrote: > At 2:30 PM -0800 11/24/03, Major Variola (ret) wrote: >> At 01:04 PM 11/24/03 -0500, Trei, Peter wrote: >>> Thats not how it works. The idea is that you make your choices on >>> the machine, and when you lock them in, two things happen: They >>> are electronically recorded in the device for the normal count, and >>> also, a paper receipt is printed. The voter checks the receipt to >>> see if it accurately records his choices, and then is required to >>> put it in a ballot box retained at the polling site. >>> >>> If there's a need for a recount, the paper receipts can be checked. >>> >>> I imagine a well designed system might show the paper receipt through >>> a window, but not let it be handled, to prevent serial fraud. >> >> Vinny the Votebuyer pays you if you send a picture of your >> face adjacent to the committed receipt, even if you can't touch it. > [more deleted] > > It depends on what happens to the receipt when you say commit. It > could > automatically go into the ballot box without delay, so you can't take > such > a photo. If it goes in without any delay, without any chance for Suzie the Sheeple to examine it, then why bother at all? Simply issue an "assurance" to Suzie that her ballot was duly copied to an adjacent memory store or counting box. When she says "Then why did you people even bother?," just shrug and say "They told us to do it." As Major Variola said a few messages ago, as soon as human eyes can see it, machines and cameras and cellphones and eavesdroppers and Vinnie the Votebuyer can see it. I expect there may be some good solutions to this issue, but I haven't yet seen them discussed here or on other fora I run across. And since encouraging the democrats has never been a priority for me, I haven't spent much time worrying about how to improve democratic elections. And since a person should be completely free to sell his or her vote, 99% of the measures to stop vote-buying are bogus on general principles. --Tim May --Tim May, Occupied America "They that give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -- Benjamin Franklin, 1759. From timcmay at got.net Mon Nov 24 21:14:53 2003 From: timcmay at got.net (Tim May) Date: Mon, 24 Nov 2003 21:14:53 -0800 Subject: e voting (receipts, votebuying, brinworld) In-Reply-To: <10.38c971b4.2cf433e0@aol.com> References: <10.38c971b4.2cf433e0@aol.com> Message-ID: <4D968AB6-1F06-11D8-9AB2-000A956B4C74@got.net> On Nov 24, 2003, at 8:26 PM, Freematt357 at aol.com wrote: > In a message dated 11/24/2003 11:12:38 PM Eastern Standard Time, > timcmay at got.net writes: > >> I expect there may be some good solutions to this issue, but I haven't >> yet seen them discussed here or on other fora I run across. > What part of "I expect there may be" was unclear to you? --Tim May "The whole of the Bill [of Rights] is a declaration of the right of the people at large or considered as individuals... It establishes some rights of the individual as unalienable and which consequently, no majority has a right to deprive them of." -- Albert Gallatin of the New York Historical Society, October 7, 1789 From frantz at pwpconsult.com Mon Nov 24 21:48:07 2003 From: frantz at pwpconsult.com (Bill Frantz) Date: Mon, 24 Nov 2003 21:48:07 -0800 Subject: e voting (receipts, votebuying, brinworld) In-Reply-To: <75AD404A-1EFC-11D8-9AB2-000A956B4C74@got.net> References: Message-ID: At 8:04 PM -0800 11/24/03, Tim May wrote: >I expect there may be some good solutions to this issue, but I haven't >yet seen them discussed here or on other fora I run across. And since >encouraging the democrats has never been a priority for me, I haven't >spent much time worrying about how to improve democratic elections. You might check out David Chaum's latest solution at http://www.vreceipt.com/, there are more details in the whitepaper: http://www.vreceipt.com/article.pdf Cheers - Bill ------------------------------------------------------------------------- Bill Frantz | "There's nothing so clear as a | Periwinkle (408)356-8506 | vague idea you haven't written | 16345 Englewood Ave www.pwpconsult.com | down yet." -- Dean Tribble | Los Gatos, CA 95032 From morlockelloi at yahoo.com Mon Nov 24 22:42:33 2003 From: morlockelloi at yahoo.com (Morlock Elloi) Date: Mon, 24 Nov 2003 22:42:33 -0800 (PST) Subject: e voting (receipts, votebuying, brinworld) In-Reply-To: Message-ID: <20031125064233.82034.qmail@web40605.mail.yahoo.com> > You might check out David Chaum's latest solution at > http://www.vreceipt.com/, there are more details in the whitepaper: > http://www.vreceipt.com/article.pdf That is irrelevant. Whatever the solution is it must be understandable and verifiable by the Standard high school dropout. Also, the trace must be mechanical in nature and readable sans computers, as there is no reason to trust anything that goes through gates for which one hasn't verifed masks, when stakes are high. ===== end (of original message) Y-a*h*o-o (yes, they scan for this) spam follows: __________________________________ Do you Yahoo!? Free Pop-Up Blocker - Get it now http://companion.yahoo.com/ From Freematt357 at aol.com Mon Nov 24 20:26:08 2003 From: Freematt357 at aol.com (Freematt357 at aol.com) Date: Mon, 24 Nov 2003 23:26:08 EST Subject: e voting (receipts, votebuying, brinworld) Message-ID: <10.38c971b4.2cf433e0@aol.com> In a message dated 11/24/2003 11:12:38 PM Eastern Standard Time, timcmay at got.net writes: > I expect there may be some good solutions to this issue, but I haven't > yet seen them discussed here or on other fora I run across. Like what? Regards, Matt- From pbaker at verisign.com Tue Nov 25 06:02:11 2003 From: pbaker at verisign.com (Hallam-Baker, Phillip) Date: Tue, 25 Nov 2003 06:02:11 -0800 Subject: [Asrg] Re: [Politech] Congress finally poised to vote on anti -spam bill [sp] Message-ID: <2A1D4C86842EE14CA9BC80474919782E0111320D@mou1wnexm02.vcorp.ad.vrsn.com> > Especially for domains, it's important to do some validation, > though in the absence of widely-deployed DNSSEC, it's hard to > do automatically. DNSSEC is not happening, blame Randy Bush and the IESG for refusing the working group consensus and imposing their own idea that cannot be deployed. An experimental protocol that increases the volume of data in the .com zone by an order of magnitude (read Gbs of data) is simply unacceptable. We do not need DNSSEC, we just need a notice in the DNS. It would be a relatively easy task to walk the .com zone and dump out a list of all the zones which contain a 'do not spam' TXT property record. This has the secondary advantage that it is not necessary to actualy consult the list, the authoritative information is in DNS. > There's a scalability problem that has to be solved, > which is how to prevent a DOS-by-signing-up-too-many-addresses attack. I do not expect that to be a problem, that would be a problem for the contractor. Limit the number of direct registrations from a particular IP address within a given time interval. It is likely to result in the cost of the system being considerably more than the cost of a couple of mid range servers and some software. This is not a new phenomena. Phill From declan at well.com Tue Nov 25 06:03:38 2003 From: declan at well.com (Declan McCullagh) Date: Tue, 25 Nov 2003 09:03:38 -0500 Subject: Appeals court OKs no-knock warrant as perfectly appropriate Message-ID: <6.0.0.22.2.20031125090010.08ab0bd0@mail.well.com> UNITED STATES OF AMERICA, Plaintiff-Appellee, v. ROBERT JUNIOR WARDRICK, Defendant-Appellant. No. 02-4494 UNITED STATES COURT OF APPEALS FOR THE FOURTH CIRCUIT September 24, 2003, Argued November 20, 2003, Decided OUTCOME: Defendant's convictions and sentence were affirmed. As Judge Widener has recently recognized, the knock and announce requirement serves three purposes: "(1) protecting the safety of occupants of a dwelling and the police by reducing violence; (2) preventing the destruction of property; and (3) protecting the privacy of occupants." United States v. Dunnock, 295 F.3d 431, 434 (4th Cir. 2002) (quoting Bonner v. Anderson, 81 F.3d 472, 475 (4th Cir. 1996)). We have recognized that, HN6[]under appropriate exigent circumstances, strict compliance with the knock and announce requirement may be excused. United States v. Grogins, 163 F.3d 795, 797 (4th Cir. 1998) (holding no-knock entry justified where officers had reasonable suspicion that entering drug "stash house" would be dangerous and drug dealer frequenting house could not be found elsewhere). When the authorities "have a reasonable suspicion that knocking and announcing their presence ...would be dangerous or futile, or that it would inhibit the effective investigation of []crime by, for example, allowing the destruction of the evidence," an entry without knocking [*13] is justified. Richards, 520 U.S. at 394; see also United States v. Ramirez, 523 U.S. 65, 140 L. Ed. 2d 191, 118 S. Ct. 992 (1998) (upholding no-knock entry where suspect had violent past, access to weapons, and vowed not to do "federal time"). In this situation, the state court judge made a specific determination that the circumstances explained in the Overfield Affidavit justified the issuance of a no-knock search warrant. As the Overfield Affidavit recounts, Wardrick had a violent criminal history, including a battery conviction stemming from resisting arrest. Moreover, the affidavit suggested that Wardrick, a convicted felon, illegally possessed firearms. Indeed, Wardrick had threatened, in the presence of Det. Overfield, that he always carried a loaded gun and that he "never missed." Lastly, Det. Overfield reasonably believed that Wardrick would be present when the warrant was executed. As the Overfield Affidavit reflects, several records indicated that 1808 Division Street was Wardrick's primary residence, and two automobiles registered in his name had been parked outside the residence only days before the search warrant was secured. Based on [*14] our review of the Overfield Affidavit, we agree with the district court that it was reasonable for Det. Overfield and the state court to believe that execution of the search warrant would be dangerous. See Ker v. California, 374 U.S. 23, 40-41 n. 12, 10 L. Ed. 2d 726, 83 S. Ct. 1623 (1963) HN7[](determining lawfulness of entry depends on "what the officers had reason to believe at the time of their entry") (emphasis in original). In such circumstances, the issuance of the no-knock search warrant was justified, and the district court did not err in declining to suppress the evidence on this basis. From zooko at zooko.com Tue Nov 25 06:37:31 2003 From: zooko at zooko.com (Zooko O'Whielacronx) Date: 25 Nov 2003 09:37:31 -0500 Subject: [mnet-devel] Grid Of Trust -- pre-design Message-ID: Some Guy wrote: > > Hey guys who ever wants to take first peek at my baby DHT/premix idea please take a peek and > crtitique it. It's a bit rough around the edges and there's plenty of room for modification, but > I'm pretty sure the ideas are sound. > > http://de.geocities.com/amichrisde/Grid_Of_Trust.html > > The basic idea is to force data and nodes to be randomly distributed in a grid. This provides > resistance against serveral types of attacks. > > Feel free to comment on or off list. Here is the text of that web page, for the sake of future generations who are required to read the mnet-devel archives as part of their education: Grid Of Trust This isn't a design document. It's more of a proposal for what could be to make sure all the attacks are really covered. Topology Nodes are distributed randomly into cells of a hypercube with d dimensionals. Each axis is broken down into g pieces such that the hypercube contains gd cells. Nodes in a cell can connect to all nodes in cells whose coordinates vary in at most one dimension. This is different than CAN where only dirrect neighbors have links. A DHT based on this type of a network should only require d hops to handle a request. The cost is of coarse a higher neihbor count. We will define x as the expected population or a cell and N as the total number of nodes. x = N/(gd) We will define m as the expected neighbor count. m = x(d*(g-1)+1) So let us visualize a small network with g=8 and d=2 which looks like a chess board. Let N=256 so x=4. Messages can move like rooks on this chess board, so requests can be handled in 2 hops. So we can caculate the neihbor count as: m = 4*(15) = 60 --todo add pretty picture Now let us consider a larger network g=10 d=6 and x=4, so N=4,000,000. Messages should be routable in 6 hops and for the niehbor count we get: m = 4*(6*9+1) = 220 This still would be acceptable for freenet like applications. When x and g are held constant m is O(log(N)) just like CAN. For large N the probability a cell is vacant is e-x. So at x=4 this chance is about 1.83%. This should be acceptable if some redundancy is used. Not that when a message has serveral dimensions to move along, the chance that there is no dirrect way becomes very low. Node Placement Nodes must be placed randomly into the network to prevent, serveral types of attacks which involve an adversary selecting the locations of the grid he would like to control. In order to do this a node is forced to pay for it's identity with a large hash cash calculation. The hash cash then determines the node's location in the grid. One space optimization, is to store all the identification in the public key. The first time user picks an N=pq. He then tries to make an e such that it's first 32 bits contain the julian date, it is relatively prime to (p-1)(q-1), and SHA-1() has the first h bits zero. We can then set h to be so high it takes a 1CPU-day to calculate the key. We then use some globaly defined salt per dimension Si, which we encript with the to give us the identities location L in the grid. Li = (Si emod N) mod g Boot Strapping Boot strapping is pretty straight forward. A new node must have contact with one node in the system. It uses this node to route a message to the target cell, a node there sends its IP:Port encripted with the public key of the identity back. The node the decrypts this to get the IP out. It never has dirrect contact to any of the other nodes along the routing path. Once the new node connects to the node in its home cell, it can get all the other IPs and keys from it. It could be the case that the cell is vacant, or that one doesn't want to trust the single node from the home cell. It is easy for such a boot strap message to be routed to find a node from a cell connected to the target cell. The same protocol can be used. So one might have to repeat the process d times to get nodes from all the dimensions. Note that this type of bootstrapping will probably only have to happen once for a node. Once a strip of g*x nodes all know each other, some of them can leave and join with out having to worry too much about not being able to find anyone when they come back. DHT Functionality Similar to the way in which a node must be kept from deciding what cell it wants to serve in, we must ensure that the cells to which keys for requests and inserts are mapped can not be selected by an advesary. Based on the application key of which there may be many types a routing key is calculated based on a small hash cash proportional to the some requirements of the key like: * size of the data * priority of messages * possiblity and maximum rate of rewrite * expiration rate of the data * expiration date of the key The hash cash which is calculated will then be given back to the application to use for the a pointer. The actual routing key is the hash of the hash cash and other key data that went into the hash cash calculation. This ensures that a hard hash cash calculation must be done before determining what node(s) will be responsible for handling the key. For example you want to make a pretty picture freesite. For your picture you know it's not going to change or at least nobody is going to link dirrectly to the picture, so you calculate a cheap on time hash cash for it, which is included in your HTML. For your HTML you decide you want to be able to change it once a day so you buy a more expensive hash cash for it. This is given to others who want to see or link to your site. Requests with substandard hash cash don't have to be dropped they can just be treated with lower priority. File sharing data should ooz slowly through a network, while browsing requests should skip over them. Premix Routing Tarzan provides a very good model for premix routing. One problem is that they rely on IP subnets as a resource to limit adversaries and they require all nodes to contact all other nodes periodically in order to verify identities. The Grid solves this problem. Since an advesary can only create a certain amount of valid identities and those identities are spread around evenly, there is no way for an advesarial node to present a large list of faulty neighbors. If the advesary provides the tunnel user with a very small list this would be obvious too. If that weren't enough, we could demand certificates from multiple nodes in a cell to verify neighbor lists. It should also be noted that the DHT traffic can provide perfect cover traffic. Resource Accounting Since the relationships between nodes are long term and identity isn't free, barder is a great economic model. Over the long term two neihbor nodes can add up how much work they did for each other, and do some simple statistics to see if anyone is being a "leach". No centralized authority is required. Premix bandwidth is always charged back the dirrection the tunnel originates from. Topology Aware Routing Since routing can go in multiple dimensions and mutliple nodes inhabit the same cells, there is great flexibility in which way messages can be routed. Messages can be forwarded along the path with the lowest latency and to nodes with low load. This is similare to how you navigate American streets with a car avoiding the streets and avenues with too much traffic. Attack Models Cancer Node Censorship Attack In this model an adversary runs a few nodes where particular requests are likely to be handled in order to drop or mishandle them. The Grid prevents this by randomly distributing expensive identities throughout. In that large 4,000,000 node network only 1 in a million identities would be in the target cell. If each identity cost 1 CPU-day, an adversary would have to buy lots of hardware and work really long. Spy and Flood There is a slightly better chance of getting a node to wind up connected to the target cell: 54/1,000,000. From here the advesary could lauch classic SYN floods or try to hack nodes in the target cell, since he would know thier IPs. This still is a prohibitive amount of work. A little bit of redundacy will also dramatically increase resistance further. DHT Flood In this attack model the advesary tries to generate messages, which all must be handeled by nodes in the target area. The hash cash should prevent this from happening for most types of keys. Since you have to pay first and then you know the route. Messages for things with more expensive hash cash could be processed first, to avoid shortcoming of cheaper key types. boconstrictor attack --naa Other Wacky Ideas Clusters Big Clusters Using levels to deal with heterogenity Baby Mode - Slower bootstrap setstats 1 ------------------------------------------------------- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ _______________________________________________ mnet-devel mailing list mnet-devel at lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/mnet-devel ----- End forwarded message ----- -- Eugen* Leitl leitl ______________________________________________________________ ICBM: 48.07078, 11.61144 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE http://moleculardevices.org http://nanomachines.net [demime 0.97c removed an attachment of type application/pgp-signature] From s.schear at comcast.net Tue Nov 25 09:57:54 2003 From: s.schear at comcast.net (Steve Schear) Date: Tue, 25 Nov 2003 09:57:54 -0800 Subject: Fwd: "Bedazzled" Log-in Method Whitepaper Message-ID: <6.0.1.1.0.20031125095653.0568cc18@mail.comcast.net> >"Bedazzled" Log-in Method Whitepaper > >Author: George Hara >(http://www.filematrix.xnet.ro/ideas/whitepapers/login.htm) > > >Introduction >------------ > >Using strings of characters as passwords has always been a security issue >because they are hard to remember and can be stolen by key-loggers or >screen-text harvesters. It will still be an issue for personal computers, >but there is another method available for authentication over the Internet >(where are the highest security concerns). This method involves no special >technologies, but simply a new vision on how to bring existing technologies >together. The method is easier to use than text passwords, but it requires, >from the users, the protection of their personal computers (where they need >text-password log-in and encryption), just as they do now. > >The "Bedazzled" log-in method uses a (public) user name / ID (for example, >the user's email address) and a number of images, called password images, >for authentication. The images have to be generated (by the authentication >service) during the creation of the account for which the authentication >will be later required. Each image is a small, PNG compressed, bulk of >pixels with random colors. The PNG compression is used because a true-color >image is compressed without losses, with a very high rate. In the case of >random images this doesn't help, but, as you'll read below, in the User >images section, this is the best format. > >Each image should contain something like 50 * 50 true-color pixels (24 >bits). This means that the total number of combinations of such a random >image is 24 ^ (50 * 50), that is over 10 ^ 3450. Basically, a particular >case is unbreakable through brute force search. > > >Authentication >-------------- > >The authentication is the classic method: the user is identified by his user >name, and then he is authenticated by comparing all images specified in the >log-in form, with the images stored on the computer which makes the >authentication. If all images are *identical*, and put in the same order (im >age 1 as password 1, image 2 as password 2...), the user is authenticated. >If they are not identical, the user is rejected. > > >Implementation >--------------- > >To make the "Bedazzled" log-in method easy to use, the password images must >be saved on the user's computer, preferably in encrypted files (see file >encryption under WindowsXP, or PGP encrypted drives). > >Since the "Bedazzled" log-in method is supposed to be used over Internet, it >is necessary for the user to be able to drag-and-drop each image onto the >browser, in the log-in form. This way, the log-in form has access to the >password images, and can download them to the authentication server when the >user clicks the "Log-in" button. > >As you can see, the method is very eay to use, but in order to make it even >easier, the log-in form should display a small file browser which should be >used to navigate to the password images (they should all be in the same >directory, for easy user access). The log-in form should save a cookie on >the user's computer in order to automatically open the file browser at the >same location, the next time the user attempts to authenticate himslef. > > >User images >------------ > >There is no need for the images to be random. The user could choose his own >images when he creates an authentication account, being only limited to a >specific file size (like 20 KB / image). He could simply take some images >from his computer and resize them to fit the size limit; the images should >be compressed without loss (preferably in a PNG format), just in case they >are lost but the original bigger images still exist and can be resized again >with the same algorithm (to generate the same password image). > >Another method requires a small program which takes a string of characters >typed by the user, and converts them through a hash algorithm into an >apparently random image. This method makes it possible to recreate the >password images if the user remembers the string of characters, without the >need of storing any information. > > >TEMPEST protection >---------------------- > >First of all, since the user doesn't need to type anything and the password >images don't need to be displayed, the passwords are protected from TEMPEST >atacks. However, the user may need to navigate through his pictures and >choose the correct password images for each log-in form. This would create a >potential security breach. > >The "Bedazzled" log-in method has intrinsic TEMPEST protection to this kind >of breach because when a monitor displays an image, the colors of each pixel >is not displayed exactly as indicated by the bits that make the picture. > >Each monitor has its own way of displaying the image. Besides, users always >alter the image by chaging various parameters of the monitor's image: >brightness, contrast, color balance, color temperature, gamma. > >On the other end of the TEMPEST technology, the "reader" takes a snapshot of >the image displayed by the monitor. This is like making a scan of a print of >a digital image. Though the resulting image looks similar with the original >for the human eye, the binary picture will be quite different. Actually, the >whole "reading" process makes it impossible to detect those minute details >(= changes in colors) of the original image, details that give to the owner >of the original picture a unique way to authenticate himself. > >Another help comes from the fact that when the user navigates through the >images, these are displayed as thumbnails, and thus altered (if the size of >the thumbnail is smaller than the size of the original image). > > >Last Word >----------- > >The "Bedazzled" log-in method makes key-loggers and screen-text harvesters >useless. However, there is still the danger of specially designed viruses >that would look for the password images. The only protection from such >malware I can think of, is for the log-in form to require quite a few >password images, and ask for them (using pictures of the picture order >index) in random order each time the user logs-in. > > >George Hara --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com From nobody at dizum.com Tue Nov 25 01:00:05 2003 From: nobody at dizum.com (Nomen Nescio) Date: Tue, 25 Nov 2003 10:00:05 +0100 (CET) Subject: polygonal sequences Message-ID: <37f9fc71480f533729e5c7c93097140e@dizum.com> Hello I was trying to find some old references I used to have concerning an idea men tioned in sci.crypt way back. It was Phil Zimmermann I think who mentioned something about a possibly new idea for a new public key scheme. He called it "The cryptographic uses of polygonal sequences" and is found here I think: http://groups.google.com/groups?selm=12044%40ncar.ucar.edu&oe=UTF-8&output=gplain thanks From s.schear at comcast.net Tue Nov 25 10:12:19 2003 From: s.schear at comcast.net (Steve Schear) Date: Tue, 25 Nov 2003 10:12:19 -0800 Subject: Appeals court OKs no-knock warrant as perfectly appropriate In-Reply-To: <6.0.0.22.2.20031125090010.08ab0bd0@mail.well.com> References: <6.0.0.22.2.20031125090010.08ab0bd0@mail.well.com> Message-ID: <6.0.1.1.0.20031125100102.0569e5a8@mail.comcast.net> >We have recognized that, HN6[]under appropriate exigent circumstances, >strict compliance with the knock and announce requirement may be excused. >United States v. Grogins, 163 F.3d 795, 797 (4th Cir. 1998) (holding >no-knock entry justified where officers had reasonable suspicion that >entering drug "stash house" would be dangerous and drug dealer frequenting >house could not be found elsewhere). When the authorities "have a >reasonable suspicion that knocking and announcing their presence ...would >be dangerous or futile, or that it would inhibit the effective >investigation of []crime by, for example, allowing the destruction of the >evidence," an entry without knocking [*13] is justified. Richards, 520 >U.S. at 394; see also United States v. Ramirez, 523 U.S. 65, 140 L. Ed. 2d >191, 118 S. Ct. 992 (1998) (upholding no-knock entry where suspect had >violent past, access to weapons, and vowed not to do "federal time"). So, how does a non-criminal citizen protect themselves against armed home invaders who break down their front door or crash through a window to gain entry? Are citizens liable for injuries and deaths to law enforcement personnel who use such unannounced methods (esp. in the early morning hours)? I know that there have been cases which determined that its illegal to use an indiscriminate weapon (e.g., a shotgun tied to a door) to deter such entries, but what about a discriminate, automated, weapon system? By coupling night vision optics and a video pickup, image recognition software, a robotic gimbal and an semi-automatic firearm, such a system could discriminate forced entry situations from more normal entry means, target intruders and initiate deterrence. What then? steve From timcmay at got.net Tue Nov 25 10:54:13 2003 From: timcmay at got.net (Tim May) Date: Tue, 25 Nov 2003 10:54:13 -0800 Subject: e voting (receipts, votebuying, brinworld) In-Reply-To: References: Message-ID: On Nov 25, 2003, at 9:56 AM, Sunder wrote: > Um, last I checked, phone cameras have really shitty resolution, > usually > less than 320x200. Even so, you'd need MUCH higher resolution, say > 3-5Mpixels to be able to read text on a printout in a picture. > > Add focus and aiming issues, and this just won't work unless you carry > a > good camera into the booth with you. > 1. Vinnie the Votebuyer knows the _layout_ of the ballot. He only needs to see that the correct box is punched/marked. Or that the screen version has been checked. Pretty easy to see that "Bush" has been marked instead of "Gore." (For a conventional ballot. For a printed receipt is likely in the extreme that the text will be large, at least for the results.) 2. I don't know about cellphone cameras, but my 1996-vintage one megapixel camera has more than enough resolution, even at the "not so great" setting (about 360 x 500) to pick up text very well. (I used it to snap photos of some things with labels attached, for insurance reasons.) 3. If Vinnie is serious about this votebuying (I'm not even slightly convinced this would happen nationally, for obvious logistical and "who cares?" reasons, plus the inability of Palm Beach Jews to punch a conventional ballot, let alone work a digital camera and send the images to Vinnie), he can provide a camera he knows will do the job. Google shows that as of May 2003 the high-end cellphone cameras use CCDs with 640 x 480. This will become the baseline within a short time, certainly long before any of the "receipt" electronic voting systems are widely deployed. (e.g., this article at ) But the resolution of today's very inexpensive digital cameras, and probably those in today's cellphone cameras, is more than enough to handle a ballot or reasonable-font receipt. --Tim May From bill.stewart at pobox.com Tue Nov 25 11:12:06 2003 From: bill.stewart at pobox.com (Bill Stewart) Date: Tue, 25 Nov 2003 11:12:06 -0800 Subject: [Asrg] Re: [Politech] Congress finally poised to vote on anti -spam bill [sp] In-Reply-To: <2A1D4C86842EE14CA9BC80474919782E0111320D@mou1wnexm02.vcorp .ad.vrsn.com> Message-ID: <5.1.0.14.2.20031125110146.028d1248@idiom.com> At 06:02 AM 11/25/2003 -0800, Hallam-Baker, Phillip wrote: > > Especially for domains, it's important to do some validation, > > though in the absence of widely-deployed DNSSEC, it's hard to > > do automatically. > >DNSSEC is not happening, [...] >We do not need DNSSEC, we just need a notice in the DNS. >It would be a relatively easy task to walk the .com zone >and dump out a list of all the zones which contain a >'do not spam' TXT property record. I suppose you could do that, though it's probably harder to coordinate that for subdomains, whose owners are less likely to be directly managing their DNS records. > > There's a scalability problem that has to be solved, > > which is how to prevent a DOS-by-signing-up-too-many-addresses attack. > >I do not expect that to be a problem, that would be a >problem for the contractor. Limit the number of direct >registrations from a particular IP address within a given >time interval. You'd probably want to do special cases for large domains like AOL, etc., where the users have limited gateways to the internet. You're still vulnerable to DDOS-type attacks by armies of zombies, though of course they've got lots of other bad things they can do. >It is likely to result in the cost of the system being >considerably more than the cost of a couple of mid range >servers and some software. This is not a new phenomena. Too true. It's too bad, because you'd only need a couple hundred million records for the US, and signing up is the only part that's got real-time performance constraints. From sunder at sunder.net Tue Nov 25 09:56:51 2003 From: sunder at sunder.net (Sunder) Date: Tue, 25 Nov 2003 12:56:51 -0500 (est) Subject: e voting (receipts, votebuying, brinworld) In-Reply-To: <3FC286A2.68A8D74C@cdc.gov> Message-ID: Um, last I checked, phone cameras have really shitty resolution, usually less than 320x200. Even so, you'd need MUCH higher resolution, say 3-5Mpixels to be able to read text on a printout in a picture. Add focus and aiming issues, and this just won't work unless you carry a good camera into the booth with you. ----------------------Kaos-Keraunos-Kybernetos--------------------------- + ^ + :25Kliters anthrax, 38K liters botulinum toxin, 500 tons of /|\ \|/ :sarin, mustard and VX gas, mobile bio-weapons labs, nukular /\|/\ <--*-->:weapons.. Reasons for war on Iraq - GWB 2003-01-28 speech. \/|\/ /|\ :Found to date: 0. Cost of war: $800,000,000,000 USD. \|/ + v + : The look on Sadam's face - priceless! --------_sunder_ at _sunder_._net_------- http://www.sunder.net ------------ On Mon, 24 Nov 2003, Major Variola (ret) wrote: > Vinny the Votebuyer pays you if you send a picture of your > face adjacent to the committed receipt, even if you can't touch it. > Since the voting booth is private, no one can see you do this, > even if it were made illegal. (And since phones can store images, > jamming the transmission at the booth doesn't work.) > > You send your picture from the cellphone that took it, along with a > paypal > account number as a text message. From k-elliott at wiu.edu Tue Nov 25 12:57:22 2003 From: k-elliott at wiu.edu (Kevin Elliott) Date: Tue, 25 Nov 2003 12:57:22 -0800 Subject: [Mac_crypto] MacOS X (Panther) FileVault In-Reply-To: References: Message-ID: At 19:01 -0500 on 11/15/03, R. A. Hettinga wrote: >--- begin forwarded text > > >Status: U >Date: Sat, 15 Nov 2003 13:03:33 +0100 >From: "Ralf-P. Weinmann" >To: Nicko van Someren >Cc: mac_crypto at vmeng.com, "R. A. Hettinga" >Subject: Re: [Mac_crypto] MacOS X (Panther) FileVault > >On Thu, Nov 13, 2003 at 01:15:03PM +0000, Nicko van Someren wrote: >> This is basically correct. FileVault uses an auto-mounting version of >> the encrypted disk image facility that was in 10.2, tweaked to allow >> the image to be opened even before your main key chain is available >> (since the key chain is stored inside your home directory). The >> standard encrypted image format uses a random key stored on your key >> chain, which is itself encrypted with a salted and hashed copy of the >> keychain pass phrase, which defaults to your login password. My >> suspicion is that for the FileVault there is some other key chain file >> in the system folder which stores the key for decrypting your home >> directory disk image and that the pass phrase for that is just your >> login password. > >Ahhhh... So FileVault actually is just a marketing term for the encrypted >disk images! Thanks for the explanation! I just hope my login password can >be longer than 8 characters then. Yes/no. When your not logged in your home folder is stored as an encrypted DiskImage. In addition part of enabling FileVault was a complete rework of how login authentication was handled, part of which included removing the 8 char limitation. For the record, apple has always allowed passwords longer than 8 char, prior to 10.3, however, only the first 8 char were used to log you in, though the other characters were used to unlock your keychain. >> > File Vault will automatically expand or contract the disk image at >> > certain points. It creates a new image, copies everything over, and >> > deletes the old image. >> >> Yup, it essentially does an "hdiutil compact" command when you log out. > >Do you know whether the source code to hdiutil and hdid respectively its >10.3 kernel equivalent is available? I can't seem to find it in the >Darwin 7.0 public source. No they are not. Apple considers DiskImages to be a proprietary competitive advantage. >> > I don't know what mode of AES-128 it uses. >> >> I believe that it uses counter mode, since it's efficient when doing >> random access to the encrypted data. > >Of course counter mode would be ideally suited for this application. The >question is whether the people at Apple implementing this feature knew this :) It is a virtual certainty that Apple used Security.framework which includes a variety of algorithms (including AES) and secure/peer reviewed operation modes. I believe the security framework is open source, and in fact based on a broader standard (CDSA). If you'd like to know for certain I'd suggest you email dts at apple.com and/or file a bug report at bugreporter.apple.com (requires free registration) on the documentation. -- __________________________________________ Arguing with an engineer is like wrestling with a pig in mud. After a while, you realize the pig is enjoying it. __________________________________________ Kevin Elliott ICQ#23758827 AIM ID: teargo iChatAV: kelliott at mac.com (video chat available) __________________________________________ From Freematt357 at aol.com Tue Nov 25 10:50:10 2003 From: Freematt357 at aol.com (Freematt357 at aol.com) Date: Tue, 25 Nov 2003 13:50:10 EST Subject: Appeals court OKs no-knock warrant as perfectly appropriate Message-ID: <1d0.14cf0a74.2cf4fe62@aol.com> In a message dated 11/25/2003 1:23:08 PM Eastern Standard Time, s.schear at comcast.net writes: > I know that there have been cases which determined that its illegal to use > an indiscriminate weapon (e.g., a shotgun tied to a door) to deter such > entries, but what about a discriminate, automated, weapon system? By > coupling night vision optics and a video pickup, image recognition > software, a robotic gimbal and an semi-automatic firearm, such a system > could discriminate forced entry situations from more normal entry means, > target intruders and initiate deterrence. What then? > In the 1996 release of the film, "The People vs. Larry Flynt", there is a scene where a warrant is served on Flynt's home. His bedroom typified the ultimate "safe room" where the agents serving the warrant couldn't get in until the room was opened from the inside. Obviously everyone doesn't have the money that Flynt has in order to effectively harden ones house, but you can cheaply and rather effectively improve your haunts to allow more warning. The system you describe would in most jurisdiction still be considered illegal and premeditative. You're better off with passive measures. Regards, Matt- From ptrei at rsasecurity.com Tue Nov 25 11:21:38 2003 From: ptrei at rsasecurity.com (Trei, Peter) Date: Tue, 25 Nov 2003 14:21:38 -0500 Subject: e voting (receipts, votebuying, brinworld) Message-ID: Tim May [mailto:timcmay at got.net] wrote: >On Nov 25, 2003, at 9:56 AM, Sunder wrote: >> Um, last I checked, phone cameras have really shitty resolution, >> usually >> less than 320x200. Even so, you'd need MUCH higher resolution, say >> 3-5Mpixels to be able to read text on a printout in a picture. >> >> Add focus and aiming issues, and this just won't work unless you carry >> a >> good camera into the booth with you. >1. Vinnie the Votebuyer knows the _layout_ of the ballot. He only needs >to see that the correct box is punched/marked. Or that the screen >version has been checked. I realize you big city types (yes, Tim, Corralitos is big compared to my little burg) have full scale voting booths with curtains (I used the big mechanical machines when I lived in Manhatten), but out here in the sticks, the 'voting booth' is a little standing desk affair with 18 inch privacy shields on 3 sides. If someone tried to take a photo of their ballot in one of those it would be instantly obvious. All I want is a system which is not more easily screwed around with then paper ballots. Have some imagination - you could, for example, set things up so the voter, and only the voter, can see the screen and/or paper receipt while voting, but still make it impossible to use a camera without being detected. Peter From timcmay at got.net Tue Nov 25 15:26:18 2003 From: timcmay at got.net (Tim May) Date: Tue, 25 Nov 2003 15:26:18 -0800 Subject: e voting (receipts, votebuying, brinworld) In-Reply-To: References: Message-ID: On Nov 25, 2003, at 11:21 AM, Trei, Peter wrote: > Tim May [mailto:timcmay at got.net] wrote: > > >> On Nov 25, 2003, at 9:56 AM, Sunder wrote: >>> Um, last I checked, phone cameras have really shitty resolution, >>> usually >>> less than 320x200. Even so, you'd need MUCH higher resolution, say >>> 3-5Mpixels to be able to read text on a printout in a picture. >>> >>> Add focus and aiming issues, and this just won't work unless you >>> carry >>> a >>> good camera into the booth with you. > >> 1. Vinnie the Votebuyer knows the _layout_ of the ballot. He only >> needs >> to see that the correct box is punched/marked. Or that the screen >> version has been checked. > > I realize you big city types (yes, Tim, Corralitos is big compared to > my > little burg) have full scale voting booths with curtains (I used the > big > mechanical machines when I lived in Manhatten), but out here in the > sticks, > the 'voting booth' is a little standing desk affair with 18 inch > privacy > shields on 3 sides. If someone tried to take a photo of their ballot > in one > of those it would be instantly obvious. > > All I want is a system which is not more easily screwed around with > then > paper ballots. Have some imagination - you could, for example, set > things > up so the voter, and only the voter, can see the screen and/or paper > receipt > while voting, but still make it impossible to use a camera without > being > detected. But how could a restriction on gargoyling oneself be constitutional? If Alice wishes to record her surroundings, including the ballot and/or touchscreen she just voted with, this is her business. (I fully support vote buying and selling, needless to say. Simple right to make a contract.) I wasn't endorsing the practicality of people trying to use digital cameras of any sort in any kind of voting booth, just addressing the claim that cellphone cameras don't have enough resolution. Even 320 x 240 has more than enough resolution to show which boxes have been checked, or to mostly give a usable image with a printed receipt. As for creating tamper-resistant and unforgeable and nonrepudiable voting systems, this is a hard problem. For ontological reasons (who controls machine code, etc.). I start with the canonical model of a very hard to manipulate system: blackballing (voting with black or white stones or balls). Given ontological limits on containers (hard to teleport stones into or out of a container), given ontological limits on number of stones one can hold, and so on (I'll leave it open for readers to ponder the process of blackball voting), this is a fairly robust system. (One can imagine schemes whereby the container is on a scale, showing the weight. This detects double voting for a candidate. One lets each person approach the container, reach into his pocket, and then place one stone into the container (which he of course cannot see into, nor can he remove any stone). If the scale increments by the correct amount, e.g, 3.6 grams, then one is fairly sure no double voting has occurred. And if the voter kept his fist clenched, he as strong assurance that no one else saw whether he was depositing a black stone or a white stone into the container. Then if the stones are counted in front of witnesses, 675 black stones vs. 431 white stones is a fairly robust and trusted outcome. Details would include ensuring that one person voted only once (usual trick: indelible dye on arm when stones issued, witnesses present, etc. Attacks would include the Ruling Party depositing extra stones, etc. And consolidating the distributed results has the usual weaknesses.) Things get much more problematic as soon as this is electronified, computerized, as the normal "ontological" constraints evaporate. Stones can vanish, teleport, be miscounted, suddenly appear, etc. Designing a system which is both robust (all the crypto buzzwords about nonforgeability, satisfaction of is-a-person or one-person constraints, visibility, etc.) and which is also comprehensible to people who are, frankly, unable to correctly punch a paper ballot for Al Gore, is a challenge. I'm not sure either Joe Sixpack in Bakersfield or Irma Yenta in Palm Beach want to spend time learning about "all-or-nothing-disclosure" and "vote commitment protocols." I know about David Chaum's system. He has gotten interested in this problem. I am not interested in this problem. Moreover, I think working on electronic voting only encourages the political process (though implementing wide computer voting and then having more of the "winning totals posted before polls close" exposures of shenanigans might be useful in undermining support for the concept of democracy, which would be a good thing.) I don't say it's not a security problem worth thinking about. It reminds me a lot of the capabilities stuff, including Granovetter diagrams and boundaries. Probably a nice category theory outlook on voting lurking here (e.g., voting as a pushout in an appropriate category, or something whacky like that). Electronic voting of the type being pushed now is going to cause some major loss of faith in the system when some scandals emerge (and when even analyzing the protocols and talking about what one has learned results in a "cyst and decease" order from Diebold and that ilk). From eugen at leitl.org Tue Nov 25 06:43:32 2003 From: eugen at leitl.org (Eugen Leitl) Date: Tue, 25 Nov 2003 15:43:32 +0100 Subject: [mnet-devel] Grid Of Trust -- pre-design (fwd from zooko@zooko.com) Message-ID: <20031125144332.GQ23337@leitl.org> ----- Forwarded message from Zooko O'Whielacronx ----- From timcmay at got.net Tue Nov 25 19:10:28 2003 From: timcmay at got.net (Tim May) Date: Tue, 25 Nov 2003 19:10:28 -0800 Subject: e voting (receipts, votebuying, brinworld) In-Reply-To: <20031126010520.GA21168@mail.dadadada.net> References: <20031126010520.GA21168@mail.dadadada.net> Message-ID: <1687979E-1FBE-11D8-9AB2-000A956B4C74@got.net> On Nov 25, 2003, at 5:05 PM, BillyGOTO wrote: > On Tue, Nov 25, 2003 at 03:26:18PM -0800, Tim May wrote: >> (I fully support vote buying and selling, needless to say. Simple >> right >> to make a contract.) > > What's your take on this situation, then: > > BOSS: Get in that booth and vote Kennedy or I'll fire you. Take this > expensive camera with you so you can't pull any funny business. I have no problem with this free choice contract. You, in the rest of your comments, show yourself to be one of the many tens of millions who probably need to be sent up the chimneys for their crimes. Liberty's a mental chore, isn't it? --Tim May "You don't expect governments to obey the law because of some higher moral development. You expect them to obey the law because they know that if they don't, those who aren't shot will be hanged." - -Michael Shirley From billy at dadadada.net Tue Nov 25 17:05:20 2003 From: billy at dadadada.net (BillyGOTO) Date: Tue, 25 Nov 2003 20:05:20 -0500 Subject: e voting (receipts, votebuying, brinworld) In-Reply-To: References: Message-ID: <20031126010520.GA21168@mail.dadadada.net> On Tue, Nov 25, 2003 at 03:26:18PM -0800, Tim May wrote: > (I fully support vote buying and selling, needless to say. Simple right > to make a contract.) What's your take on this situation, then: BOSS: Get in that booth and vote Kennedy or I'll fire you. Take this expensive camera with you so you can't pull any funny business. If it were illegal for me to bring the camera, this would be an unenforceable order. I'll do whatever the hell I want when I get into the booth, thank you very much. Good for me. Good for everybody. He with the most slaves should not automatically win the election. Right Tim? From njohnsn at iowatelecom.net Tue Nov 25 22:12:30 2003 From: njohnsn at iowatelecom.net (Neil Johnson) Date: Wed, 26 Nov 2003 00:12:30 -0600 Subject: Patriot II provisions snuck through in spending bill. Message-ID: <200311242233.27241.njohnsn@njohnsn.com> Sigh.. http://www.wired.com/news/politics/0,1283,61341,00.html?tw=wn_tophead_1 From njohnsn at njohnsn.com Tue Nov 25 22:37:25 2003 From: njohnsn at njohnsn.com (Neil Johnson) Date: Wed, 26 Nov 2003 00:37:25 -0600 Subject: e voting (receipts, votebuying, brinworld) In-Reply-To: References: Message-ID: <200311260037.25568.njohnsn@njohnsn.com> On Tuesday 25 November 2003 01:21 pm, Trei, Peter wrote: [snip] > All I want is a system which is not more easily screwed around with then > paper ballots. Have some imagination - you could, for example, set things > up so the voter, and only the voter, can see the screen and/or paper > receipt while voting, but still make it impossible to use a camera without > being detected. > > Peter I was thinking of those boxes with viewing ports that you look into to get your eyes tested when you renew your drivers license. You could have those out in the open, that way you'd have the privacy (only turn the display on if the viewing port is completely covered), but if you tried to use a camera it would be pretty obvious (or you could design the lens of the port to make it impossible to discern the ballot except with the human eye(s)). Here in the sticks we just use the ole' number two pencil to fill in the oval. Some fancy polling places run the ballot through a reader to verify that there aren't any problems (missing ovals, multiple votes, etc.). They'll let you have three tries at it. However, there doesn't seem to be anything to stop me from going back in a few hours later and claiming to be someone else at a different address other than the if the person has already voted or by relying on steel-trap memory of the volunteer elderly ladies than man the poll (of course in our small town that can be pretty effective) :) . -Neil -- Neil Johnson http://www.njohnsn.com PGP key available on request. From ericm at lne.com Wed Nov 26 08:18:43 2003 From: ericm at lne.com (Eric Murray) Date: Wed, 26 Nov 2003 08:18:43 -0800 Subject: Lucrative update Message-ID: <200311261618.hAQGIh3Y024799@slack.lne.com> Somoneone at monash.edu.au was resending old mails. From timcmay at got.net Wed Nov 26 09:18:42 2003 From: timcmay at got.net (Tim May) Date: Wed, 26 Nov 2003 09:18:42 -0800 Subject: e voting (receipts, votebuying, brinworld) In-Reply-To: <20031126161059.GA24701@mail.dadadada.net> References: <20031126010520.GA21168@mail.dadadada.net> <1687979E-1FBE-11D8-9AB2-000A956B4C74@got.net> <20031126161059.GA24701@mail.dadadada.net> Message-ID: <95470B54-2034-11D8-9AB2-000A956B4C74@got.net> On Nov 26, 2003, at 8:10 AM, BillyGOTO wrote: >> >> I have no problem with this free choice contract. > > You can't sell your vote for the same reason that Djinni don't > grant wishes for "more wishes". A silly comment. I take it you're saying "Because the rules don't allow it." Or something similar to this. The "rules" are precisely what we are discussing. And "vote buying" is much more widespread than what happens at the lowest level we happen to be talking about here, where Alice is paid $10 to vote for some particular candidate. In fact, vote buying is much more common and more dangerous at the level of political representatives. Appealing to "the rules" (what your Djinni state as the rules) is nonproductive. Payoffs and kickbacks can be declared illegal, but they continue to happen in various ways. > >> You, in the rest of your comments, show yourself to be one of the many >> tens of millions who probably need to be sent up the chimneys for >> their >> crimes. >> >> Liberty's a mental chore, isn't it? > > Maybe I just don't understand Liberty. I need to meditate on it for a > while. I'll use your image of tens of millions of "criminals" going up > in smoke (myself included) as a starting point. > > PS: Is support of vote buying consistent with rejection of Democracy? > Liberty is characterized in the .sig below: ""Democracy is two wolves and a lamb voting on what to have for lunch. Liberty is a well-armed lamb contesting the vote!" -- Ben Franklin From billy at dadadada.net Wed Nov 26 08:10:59 2003 From: billy at dadadada.net (BillyGOTO) Date: Wed, 26 Nov 2003 11:10:59 -0500 Subject: e voting (receipts, votebuying, brinworld) In-Reply-To: <1687979E-1FBE-11D8-9AB2-000A956B4C74@got.net> References: <20031126010520.GA21168@mail.dadadada.net> <1687979E-1FBE-11D8-9AB2-000A956B4C74@got.net> Message-ID: <20031126161059.GA24701@mail.dadadada.net> On Tue, Nov 25, 2003 at 07:10:28PM -0800, Tim May wrote: > On Nov 25, 2003, at 5:05 PM, BillyGOTO wrote: > > >On Tue, Nov 25, 2003 at 03:26:18PM -0800, Tim May wrote: > >>(I fully support vote buying and selling, needless to say. Simple > >>right to make a contract.) > > > >What's your take on this situation, then: > > > >BOSS: Get in that booth and vote Kennedy or I'll fire you. Take this > > expensive camera with you so you can't pull any funny business. > > I have no problem with this free choice contract. You can't sell your vote for the same reason that Djinni don't grant wishes for "more wishes". > You, in the rest of your comments, show yourself to be one of the many > tens of millions who probably need to be sent up the chimneys for their > crimes. > > Liberty's a mental chore, isn't it? Maybe I just don't understand Liberty. I need to meditate on it for a while. I'll use your image of tens of millions of "criminals" going up in smoke (myself included) as a starting point. PS: Is support of vote buying consistent with rejection of Democracy? From mfidelman at civicnet.org Wed Nov 26 09:26:20 2003 From: mfidelman at civicnet.org (Miles Fidelman) Date: Wed, 26 Nov 2003 12:26:20 -0500 (EST) Subject: e voting (receipts, votebuying, brinworld) In-Reply-To: <200311260037.25568.njohnsn@njohnsn.com> Message-ID: > > All I want is a system which is not more easily screwed around with then > > paper ballots. I think it's called OCR. Paper ballots, marked by the voter, not by software, then counted by software: - the ballot and the audit document are one and the same - no opportunity for software to mess with the printed record - option for a quick and dirty recount by feeding the ballots through a different counting machine (maybe with different software, from a different vendor) - further option for a manual recount of the original ballots (which are probably more legible than any machine-printed receipts) Oh, and by the way, these are the only kind of electronic voting machines approved, so far, in Mass. Miles Fidelman ************************************************************************** The Center for Civic Networking PO Box 600618 Miles R. Fidelman, President & Newtonville, MA 02460-0006 Director, Municipal Telecommunications Strategies Program 617-558-3698 fax: 617-630-8946 mfidelman at civicnet.org http://civic.net/ccn.html Information Infrastructure: Public Spaces for the 21st Century Let's Start With: Internet Wall-Plugs Everywhere Say It Often, Say It Loud: "I Want My Internet!" ************************************************************************** From coderman at charter.net Wed Nov 26 13:03:53 2003 From: coderman at charter.net (coderman) Date: Wed, 26 Nov 2003 13:03:53 -0800 Subject: C3 Nehemia C5P with better hardware RNG and AES support Message-ID: <3FC51539.8030409@charter.net> ... delayed response > From: Peter Gutmann > "Lucky Green" <[EMAIL PROTECTED]> writes: > >... > >I fail to understand why VIA bothered adding AES support into the CPU. When > >was AES last the bottleneck on a general-purpose CPU? > > Apart from the obvious "what cool thing can we fit in -> <- this much spare > die space?", the obvious target is SOHO routers/firewall boxes. My spies tell > me that it's already being used in a number of products like this, and the > addition of AES will help the process. I am working on a linux distribution that is using the hardware RNG for seeding/rng in number of things (IPSEC, ssh, ssl, gpg, etc) and this is definitely the angle I am excited about. A 1Ghz proc goes a long way, but in a media intensive system (video, audio, streaming over wireless) you want to keep CPU load as light as possible so that latency is minimal. With the C5P you can now do VPN with AES, rng via the hardware entropy, and video offload via the CLE266. This leaves the CPU free to handle various interrupts for the wireless network, disk i/o, etc. Very nice move, I think. I have written some poor code and info regarding the C5XL (nehemiah) and linux: http://peertech.org/hardware/viarng/ [ I'll be cleaning code up and releasing new patches/srcs soon ] > Hardware SHA-1 in the next rev makes > it even better, since you can now do IPsec and SSL tunneling purely in > hardware (and then you lose it all again in the crappy Rhine II NIC, but > that's another story). A lot of peer networking applications use SHA digests for securely identifying resources in a network. The overhead of this for large volumes of content will make this a welcome addition :-) Also, Centaur indicated that with the SHA on die, they can produce statistically perfect RNG output. The von neumann whitener does let a small bias through for very large data sets IIRC (i.e. a statistical bias is detectable in 1G or more data) If you are using the hardware rng via a user space daemon feeding /dev/random then this is no longer an issue. > >The bottleneck tends to be modular exponentiations, yet VIA failed to include > >a modular exponentiation engine. Strange. > > Not for SOHO use it isn't, the initial handshake overhead is negligible > compared to the constant link encryption overhead. The alternative is to do > the crypto externally, for which you're paying for an expensive and power- > hungry crypto core capable of doing a zillion DH/RSA ops/sec that gets used > once every few hours. The alternative is to load or load your standard > firewall firmware into a Nehemiah and offload all the crypto and RNG stuff. I am also curious about crypto-loop file system acceleration / CPU offload. There are a number of uses I am anxious to try with this hardware. Best regards, From mfidelman at civicnet.org Wed Nov 26 11:24:29 2003 From: mfidelman at civicnet.org (Miles Fidelman) Date: Wed, 26 Nov 2003 14:24:29 -0500 (EST) Subject: e voting (receipts, votebuying, brinworld) In-Reply-To: <04e201c3b449$7945dda0$c71121c2@exchange.sharpuk.co.uk> Message-ID: On Wed, 26 Nov 2003, Dave Howe wrote: > Miles Fidelman wrote: > > - option for a quick and dirty recount by feeding the ballots through > > a different counting machine (maybe with different software, from a > > different vendor) > or indeed constructing said machines so they *assume* they will be feeding > another machine in a chain (so every party could have their own counter in > the chain if they wish to, and each gets a bite at the cherry in sequence) GREAT idea! Sort of like the Space Shuttle computers - 5 operating in parallel, one from a completely different hardware and software vendor. From billy at dadadada.net Wed Nov 26 11:35:11 2003 From: billy at dadadada.net (BillyGOTO) Date: Wed, 26 Nov 2003 14:35:11 -0500 Subject: e voting (receipts, votebuying, brinworld) In-Reply-To: <95470B54-2034-11D8-9AB2-000A956B4C74@got.net> References: <20031126010520.GA21168@mail.dadadada.net> <1687979E-1FBE-11D8-9AB2-000A956B4C74@got.net> <20031126161059.GA24701@mail.dadadada.net> <95470B54-2034-11D8-9AB2-000A956B4C74@got.net> Message-ID: <20031126193511.GB18139@mail.dadadada.net> On Wed, Nov 26, 2003 at 09:18:42AM -0800, Tim May wrote: > On Nov 26, 2003, at 8:10 AM, BillyGOTO wrote: > >> > >>I have no problem with this free choice contract. > > > >You can't sell your vote for the same reason that Djinni don't > >grant wishes for "more wishes". > > A silly comment. I take it you're saying "Because the rules don't allow > it." Or something similar to this. > > The "rules" are precisely what we are discussing. In this case, the "rules" are implemented as the design requirements for the ballot box under discussion. A snoop-resistant ballot box can give the "rules" some huevos. If I sell you my Kennedy vote and then go into a Snoop-Proof(tm) box and cast it, you won't really be able to tell if I've ripped you off. > And "vote buying" is much more widespread than what happens at the > lowest level we happen to be talking about here, where Alice is paid > $10 to vote for some particular candidate. In fact, vote buying is much > more common and more dangerous at the level of political > representatives. And their ballots are generally not cast behind moldy blue curtains. From ptrei at rsasecurity.com Wed Nov 26 12:05:59 2003 From: ptrei at rsasecurity.com (Trei, Peter) Date: Wed, 26 Nov 2003 15:05:59 -0500 Subject: e voting (receipts, votebuying, brinworld) Message-ID: Miles Fidelman wrote: >Peter Trei wrote: >> All I want is a system which is not more easily screwed around with then >> paper ballots. >I think it's called OCR Actually, I think its called 'Optical Mark Sense'. >Paper ballots, marked by the voter, not by software, then counted by >software: >- the ballot and the audit document are one and the same - no opportunity >for software to mess with the printed record >- option for a quick and dirty recount by feeding the ballots through a >different counting machine (maybe with different software, from a >different vendor) >- further option for a manual recount of the original ballots (which are >probably more legible than any machine-printed receipts) >Oh, and by the way, these are the only kind of electronic voting machines >approved, so far, in Mass. >Miles Fidelman Indeed, thats where I live, and the tech we use. It pretty much fits all the requirements. The only complaints I've heard are: * It doesn't randomize the order of candidate presentation. * No provision for dealing with the blind. From camera_lumina at hotmail.com Wed Nov 26 14:36:34 2003 From: camera_lumina at hotmail.com (Tyler Durden) Date: Wed, 26 Nov 2003 17:36:34 -0500 Subject: e voting (receipts, votebuying, brinworld) Message-ID: Doesn't make sense. Votes are already bought and sold, but there's so many middle men taking their cuts in the form of military bases or whatnot that the enduser barely gets some. -TD >From: Tim May >To: cypherpunks at lne.com >Subject: Re: e voting (receipts, votebuying, brinworld) >Date: Wed, 26 Nov 2003 09:18:42 -0800 > >On Nov 26, 2003, at 8:10 AM, BillyGOTO wrote: >>> >>>I have no problem with this free choice contract. >> >>You can't sell your vote for the same reason that Djinni don't >>grant wishes for "more wishes". > >A silly comment. I take it you're saying "Because the rules don't allow >it." Or something similar to this. > >The "rules" are precisely what we are discussing. > >And "vote buying" is much more widespread than what happens at the lowest >level we happen to be talking about here, where Alice is paid $10 to vote >for some particular candidate. In fact, vote buying is much more common and >more dangerous at the level of political representatives. > >Appealing to "the rules" (what your Djinni state as the rules) is >nonproductive. Payoffs and kickbacks can be declared illegal, but they >continue to happen in various ways. > > >> >>>You, in the rest of your comments, show yourself to be one of the many >>>tens of millions who probably need to be sent up the chimneys for their >>>crimes. >>> >>>Liberty's a mental chore, isn't it? >> >>Maybe I just don't understand Liberty. I need to meditate on it for a >>while. I'll use your image of tens of millions of "criminals" going up >>in smoke (myself included) as a starting point. >> >>PS: Is support of vote buying consistent with rejection of Democracy? >> > >Liberty is characterized in the .sig below: > > >""Democracy is two wolves and a lamb voting on what to have for lunch. >Liberty is a well-armed lamb contesting the vote!" >-- Ben Franklin _________________________________________________________________ Has one of the new viruses infected your computer? Find out with a FREE online computer virus scan from McAfee. Take the FreeScan now! http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963 From DaveHowe at gmx.co.uk Wed Nov 26 10:16:52 2003 From: DaveHowe at gmx.co.uk (Dave Howe) Date: Wed, 26 Nov 2003 18:16:52 -0000 Subject: e voting (receipts, votebuying, brinworld) References: Message-ID: <04e201c3b449$7945dda0$c71121c2@exchange.sharpuk.co.uk> Miles Fidelman wrote: > - option for a quick and dirty recount by feeding the ballots through > a different counting machine (maybe with different software, from a > different vendor) or indeed constructing said machines so they *assume* they will be feeding another machine in a chain (so every party could have their own counter in the chain if they wish to, and each gets a bite at the cherry in sequence) From njohnsn at njohnsn.com Wed Nov 26 17:46:00 2003 From: njohnsn at njohnsn.com (Neil Johnson) Date: Wed, 26 Nov 2003 19:46:00 -0600 Subject: e voting (receipts, votebuying, brinworld) In-Reply-To: <95470B54-2034-11D8-9AB2-000A956B4C74@got.net> References: <20031126161059.GA24701@mail.dadadada.net> <95470B54-2034-11D8-9AB2-000A956B4C74@got.net> Message-ID: <200311261946.01097.njohnsn@njohnsn.com> On Wednesday 26 November 2003 11:18 am, Tim May wrote: > > Liberty is characterized in the .sig below: > > > ""Democracy is two wolves and a lamb voting on what to have for lunch. > Liberty is a well-armed lamb contesting the vote!" > -- Ben Franklin And if they are all armed ? They all starve. -- Neil Johnson http://www.njohnsn.com PGP key available on request. From measl at mfn.org Wed Nov 26 20:39:42 2003 From: measl at mfn.org (J.A. Terranson) Date: Wed, 26 Nov 2003 22:39:42 -0600 (CST) Subject: Non-Withholding Employer Simkanin Trial Ends: Mistrial (fwd) Message-ID: Note the line: "the Court denied Simkanin the opportunity present any expert defense witnesses or legal evidence". This is what our country has come to. Secret courts; incarceration with no lawyers, trials, or even charges; "trials" where the defendants are prohibited from presenting any evidence; "Sneak & Peek" secret searches... "The Terrorists" have indeed won: they are running this asylum. -- Yours, J.A. Terranson sysadmin at mfn.org ---------- Forwarded message ---------- Date: Wed, 26 Nov 2003 10:06:23 -0600 From: "Bob Schulz (DO NOT REPLY - Unmonitored Mailbox)" To: measl at mfn.org Subject: [We The People] Non-Withholding Employer Simkanin Trial Ends: Mistrial Do not reply to this message -- it was sent from an unmonitored mailbox. If you can't read this, visit http://www.givemeliberty.org/mailroom to see the message. We respect your privacy. To REMOVE yourself or JOIN our e-mail list, see below. My WTP 11-26-03 Employer Simkanin Prosecution Ends in Mistrial Judge Stymies Both Jury & Defense DOJ Intends to Retry Simkanin ASAP Jury Hung at 11-1 Favoring Acquittal After almost 6 months of incarceration in isolation awaiting his federal trial, non-withholding employer Dick Simkanin's trial ended this evening in a mistrial after the jury was unable to reach a verdict on federal charges that Simkanin failed to Withhold taxes from his employees. Simkanin, a successful Bedford, Texas business owner, had been charged with 12 counts of Willful Failure to Withhold employment taxes for his employees and 15 counts of filing False Claims for requesting refunds of tax pre-payments that had been made by Simkanin on behalf of those employees. Facing years in federal prison, his trial lasted only hours, beginning and ending yesterday - largely because the Court denied Simkanin the opportunity present any expert defense witnesses or legal evidence regarding the contested legal obligations under US income tax statutes. Jury deliberations started this morning and the mistrial was declared around 6 PM Central time. Reports from sources close to the Simkanin team was that the jury hung 11-1 in favor of acquittal. (continued...) Click Here to read the Full Article Register On-Line Now! Give Me Liberty 2004 The First Annual We The People Foundation & Congress National Conference Washington DC, Thursday-Saturday, January 22-24, 2004 Click Here to read the Full Announcement _____ GO TO the WTP home page, www.GiveMeLiberty.org Join the historic class-action lawsuit against the U.S. Government. Read and sign the Petitions for Redress of Grievances regarding the Government's abuse of its limited war-making, taxing, and monetary powers and its ongoing assault on the Bill of Rights. Click Here to make a donation and help fund the soon-to-be-filed historic lawsuit and the ongoing efforts of WTP. You have our sincerest Thanks. Our secure, on-line system supports one-time, monthly and twice-monthly e-donations. We support all major credit cards and can process donations from your checking account and PayPal as well. Our subscription-type donations can be stopped or changed by you at anytime either on-line or by request to our offices. We can also process any form of donation via mail. Our mailing address is: WTP 2458 Ridge Road Queensbury, NY 12804. All donations to the WTP Foundation are tax deductible. This message was sent to address measl at mfn.org If this is NOT you, you are not on the WTP mailing list. We value and respect your privacy. To unsubscribe from our mailing list, click here: PLEASE DELETE ME If this message was forwarded to you by a friend and you'd like us to send you regular updates, please visit http://www.givemeliberty.org/mailroom/ and subscribe. Already on our list, and want to update your information? Visit http://www.givemeliberty.org/mailroom/. To send an email to Bob Schulz, click here . (mailto:bob at givemeliberty.org) From nobody at dizum.com Wed Nov 26 14:10:05 2003 From: nobody at dizum.com (Nomen Nescio) Date: Wed, 26 Nov 2003 23:10:05 +0100 (CET) Subject: e voting (receipts, votebuying, brinworld) Message-ID: Cameras in the voting booth? Jesus Christ, you guys are morons. If you want to sell your vote, just vote absentee. The ward guy will even stamp and mail it for you. Happens every election. From bill.stewart at pobox.com Thu Nov 27 00:49:45 2003 From: bill.stewart at pobox.com (Bill Stewart) Date: Thu, 27 Nov 2003 00:49:45 -0800 Subject: Removing SSZ - Re: Cypherpunks List Info In-Reply-To: <20031013075811.GA31445@spheno.jokeslayer.com> References: <4436.216.240.32.1.1066027187.squirrel@smirk.idiom.com> <200310130300.h9D301g0021969@slack.lne.com> <4436.216.240.32.1.1066027187.squirrel@smirk.idiom.com> Message-ID: <5.1.0.14.2.20031127004513.02959c60@idiom.com> At 12:58 AM 10/13/2003 -0700, Billy wrote: >I must ask if this is a bad thing? assuming answer of no now. Whats up >with the BACP meetings? we need to revive them, not that I am trying to >volunteer, but what is the current plan for them? > >Billy >On Sun, Oct 12, 2003 at 11:39:47PM -0700, Bill Stewart wrote: > > Jim Choate recently announced he was closing the SSZ cypherpunks > mailing list. I don't remember if I replied (my personal email system was hosed for a while), but there are some Usual Suspects who'll be in town soon, and we'll probably do some kind of get-together. It may get called a Cypherpunks meeting or it may just be an expedition. Of course, if you or anybody else would like to volunteer, announce a meeting and see what happens, and I'll be happy to help find the pieces of the mail system that the meetingpunks list lives on. Bill From anonymous at remailer.hastio.org Wed Nov 26 19:39:27 2003 From: anonymous at remailer.hastio.org (anonymous at remailer.hastio.org) Date: 27 Nov 2003 03:39:27 -0000 Subject: e voting (receipts, votebuying, brinworld) Message-ID: Major Variola (ret) (mv at cdc.gov) wrote on 2003-11-25: > Vinny the Votebuyer pays you if you send a picture of your > face adjacent to the committed receipt, even if you can't touch it. * Voter locks in choice on touch screen. * Paper receipt is printed and shown to voter. * Voter chooses 'great' -> receipt disappears into ballot box Voter chooses 'nope' -> receipt disappears into trash bin / can be taken home as a souvenir. > Since the voting booth is private, no one can see you do this, > even if it were made illegal. (And since phones can store images, > jamming the transmission at the booth doesn't work.) > > You send your picture from the cellphone that took it, along with a paypal > account number as a text message. The intention behind requiring receipts is not to get totally secure voting, but to get oting that is not much more insecure than the current paper process. I assume the 'take pic, show later' attack is also possible against the current system. From pbaker at verisign.com Thu Nov 27 07:15:56 2003 From: pbaker at verisign.com (Hallam-Baker, Phillip) Date: Thu, 27 Nov 2003 07:15:56 -0800 Subject: [Asrg] Re: [Politech] Congress finally poised to vote on anti -spam bill [sp] Message-ID: <2A1D4C86842EE14CA9BC80474919782E01113229@mou1wnexm02.vcorp.ad.vrsn.com> > Do you have any more details on this for those who don't > normally follow DNSSEC? It is a sad story. Politics and the magic circle. If people are wondering why the major industry players have abandoned the IETF read on. This is only one example of the type, other companies have similar issues. When VeriSign bought Network Solutions one of the main opportunities we saw was to deploy DNSSEC. There is a limit to what you can achieve in the context of DNS, anyone can get a domain name without providing authentication so proving that someone is the legitimate holder of example.com does not mean you want to give them your credit card number. On the other hand it would be quite feasible to deploy a class 1 level assurance system with low cost and ubiquitous coverage. The problem with the DNSSEC specification is the NXT record that links from one signed zone to the next. In the original specification you have to create a link record for every single domain in the zone. This causes the amount of data in the zone to increase enormously. This is fine if you have a typical zone with a few hundred or thousand entries. It is a completely different matter if you are running the dotCOM zone and you have several Gb of zone data already, a contract that specifies a very highl level of reliability and a constant series of DDoS and other attacks going on (about 1000 penetration attempts per day). There is no way that the people with responsibility for running the dotCOM zone are going to deploy a system that has such an immediate effect on operations. The amount of data expands by an order of magnitude. So we proposed a fix. The original security review was performed by myself and Warwick Ford. Instead of linking between every record you only link from one secured zone to the next. This was called 'optin'. This has exactly the same security as the original proposal but the impact on deployment is much less. The cost of deployment scales with the number of people using DNSSEC. The only change in the security is that with OPTIN there is a diferent way that an attacker can perform an insertion attack, that is causing someone to believe a zone is registered when it is not. The attack is not very plausible and at the end of the day the only impact is that we are out the six bucks for the registration. Anyone can insert domains into dotCOM, just see a registrar. The objection to the idea was that this is a VeriSign problem and the WG had zero responsibility for creating a specification that was deployable by the operators of large zones which should not exist anyway. There was also a claim that there was a personality issue, that if proponents of OPTIN had adopted the correct position as a supplicant that their petition might have been considered more favorably. The evidence is against this, every time the go with the flow strategy was attempted the DNS people would call me up six months later and say 'we have been screwed again'. This was understood by virtually everyone in the DNSSEC working group. The chair disagreed. It was at this point that I discovered that the IETF is not open and not inclusive. Every time the working group agreed on OPTIN the specification would be taken on a detour. The first time for consultation in a closed committee called the DNS Directorate. To cut a long story short the plan was filibustered for three years and then after finally comming to last call. After passing last call without objection the chair scheduled two further last calls before we finally came to a result where a clear majority of the group were in favor, four fifths were either in favor or willing to allow it to go forward and two individuals were opposed. So the chair used his perogative to impose his 'consensus' on the group. The result is that OPTIN is on the experimental track, not a proposed standard as the clear consensus of the group was that it should be. This in turn means that it is far more difficult to persuade ICANN to allow deployment of the specification with its experimental status. The IETF was designed the way it is to allow a small clique to hold power while pretending to be open and inclusive. All that Nomcon gumpf is really designed to make it impossible for the nominating committee to make more than a few changes to the IESG each time arround. The result of this type of behaviour is that the IETF has practically no influence in the industry. DNSSEC and IPv6 have been 'about to deploy' for over a decade now. There is still no clue as to how IPSEC works in any application beyond VPN, which is not what it is designed for. SSL makes a better remote access VPN protocol than IPSEC, works through NAT boxes without kludges for a start. The other industry players have similar stories. The industry is taking notice of the ideas comming out of this WG. But they are not very likely to accept a standards process unless it is based on bi-weekly teleconference calls and all major decisions are subject to vote. From mv at cdc.gov Thu Nov 27 11:46:55 2003 From: mv at cdc.gov (Major Variola (ret)) Date: Thu, 27 Nov 2003 11:46:55 -0800 Subject: e voting (receipts, votebuying, brinworld) Message-ID: <3FC654AF.B571B7A5@cdc.gov> At 12:56 PM 11/25/03 -0500, Sunder wrote: >Um, last I checked, phone cameras have really shitty resolution, usually >less than 320x200. Even so, you'd need MUCH higher resolution, say >3-5Mpixels to be able to read text on a printout in a picture. > >Add focus and aiming issues, and this just won't work unless you carry a >good camera into the booth with you. Ever hear of Moore's law? How about electronic image stabilization? Piezo gyros optional. Don't you think the cellphone folks will do the more-pixels-game, trying to add features that distinguish their model from the nearly identical other models? Related: There are plans to put a couple of cameras in autos, to check where the driver is looking at, wakefulness, etc. All by 2010. (Src: EETimes) And you thought car telemetry recorders were privacy concerns. (There are *already* dozens of microcontrollers in low end cars, a hundred in high-end cars. So much for TJ Watson's "the world only needs five computers"...) From mv at cdc.gov Thu Nov 27 11:56:22 2003 From: mv at cdc.gov (Major Variola (ret)) Date: Thu, 27 Nov 2003 11:56:22 -0800 Subject: e voting (receipts, votebuying, brinworld) Message-ID: <3FC656E6.284E15D1@cdc.gov> At 07:10 PM 11/25/03 -0800, Tim May wrote: >I have no problem with this free choice contract. The only ones allowed to buy votes are the ones running for office. And they are required to do it on credit. "A democracy cannot exist as a permanent form of government. It can only exist until the voters discover that they can vote themselves money from the Public Treasury. From that moment on, the majority always votes for the candidate promising the most benefits from the Public Treasury with the result that a democracy always collapses over loose fiscal policy always followed by dictatorship." --Alexander Fraser Tyler From timcmay at got.net Thu Nov 27 12:05:31 2003 From: timcmay at got.net (Tim May) Date: Thu, 27 Nov 2003 12:05:31 -0800 Subject: Non-Withholding Employer Simkanin Trial Ends: Mistrial (fwd) In-Reply-To: References: Message-ID: <0D7FE15B-2115-11D8-9AB2-000A956B4C74@got.net> On Nov 26, 2003, at 8:39 PM, J.A. Terranson wrote: > Note the line: "the Court denied Simkanin the opportunity present any > expert > defense witnesses or legal evidence". > > This is what our country has come to. Secret courts; incarceration > with no > lawyers, trials, or even charges; "trials" where the defendants are > prohibited from presenting any evidence; "Sneak & Peek" secret > searches... > > "The Terrorists" have indeed won: they are running this asylum. > This has been the norm in American jurisprudence for many decades. Judges routinely decide which "theories of the case" may be presented and which may not. They dictate the language used, the witnesses called, even the legal precedents cited. For this list, we need look no further than a list contributor and meeting attendee from the mid-90s: Keith Henson. Google on Keith's case with the Church of Scientology and read about his conviction in a Riverside, California courtroom. Keith and his lawyers were prevented by order of the judge from presenting their defense. Basically, he was muzzled. And not because he was acting up in court or screaming obscenities. Rather, the Court decided he could neither bring up past behavior by the COS nor could he argue to the jury that saying he had a "Tom Cruise missile" aimed at the Gold Base facility was obviously a joke and that he did not in fact have any way to possess a cruise missile, Tom Cruise or otherwise. Welcome to the Beknighted States of America, where the "free press" is muzzled (or arrested, as in the New American Republic in Baghdad), where judges lay down a narrow track of allowable arguments in a court room, and where the police and government are no longer bound by the precise document which was created to bind them, the Bill of Rights. --Tim May From mv at cdc.gov Thu Nov 27 12:10:28 2003 From: mv at cdc.gov (Major Variola (ret)) Date: Thu, 27 Nov 2003 12:10:28 -0800 Subject: C3 Nehemia C5P with better hardware RNG and AES support Message-ID: <3FC65A34.2088483F@cdc.gov> >Also, Centaur indicated that with the SHA on die, they can produce >statistically perfect RNG output. No kidding. With any crypto-quality hash, I can produce statistically perfectly uniformly distributed pseudorandom data from *successive integers*. The von neumann whitener does let >a small bias through for very large data sets IIRC (i.e. a >statistical bias is detectable in 1G or more data) Johnny's whitener removes a particular kind of bias but does not reduce other kinds of regularity at all. Whitening don't mean squat for entropy. (Perhaps you can think of it as spread-spectrum for regularity, if the whitener isn't crypto-secure.) Dataset size is irrelevent except for detectability, you need more samples to be sure that nuances you see are there. >If you are using the hardware rng via a user space daemon feeding >/dev/random then this is no longer an issue. You MUST use some "hardware" (analog) input, and you SHOULD use whitening on the output, and most probably should do other operations in between (mixing partially unbiassed but imperfect input with a pool, for instance). From mv at cdc.gov Thu Nov 27 12:14:38 2003 From: mv at cdc.gov (Major Variola (ret)) Date: Thu, 27 Nov 2003 12:14:38 -0800 Subject: e voting (receipts, votebuying, brinworld) Message-ID: <3FC65B2E.EDC1B773@cdc.gov> At 11:10 PM 11/26/03 +0100, Nomen Nescio wrote: >Cameras in the voting booth? Jesus Christ, you guys are morons. If you >want to sell your vote, just vote absentee. The ward guy will even stamp >and mail it for you. Happens every election. For some reason I don't understand, people actually drive to queue up and vote in a booth on a given day. So that was the model addressed. Personally I vote absentee, so I have plenty of time to photoshop what I fax to Vinny. As well as being able to submit a new blank ballot if Vinny demands to see the original I faxed (but before its mailed in -that is my commit point, just like "opening the curtain" used to be on mechanical voting machines). From gsemones at treenleaf.com Thu Nov 27 10:33:03 2003 From: gsemones at treenleaf.com (Guerry Semones) Date: Thu, 27 Nov 2003 12:33:03 -0600 Subject: On Slashdot: GnuPG's ElGamal Signing Keys Compromised In-Reply-To: <3FC51539.8030409@charter.net> References: <3FC51539.8030409@charter.net> Message-ID: <3FC6435F.9050807@treenleaf.com> Just caught this on Slashdot: http://slashdot.org/articles/03/11/27/138242.shtml?tid=126&tid=128&tid=172&tid=93 G From pgut001 at cs.auckland.ac.nz Thu Nov 27 00:56:25 2003 From: pgut001 at cs.auckland.ac.nz (Peter Gutmann) Date: Thu, 27 Nov 2003 21:56:25 +1300 Subject: C3 Nehemia C5P with better hardware RNG and AES support Message-ID: <200311270856.hAR8uPR06918@cs.auckland.ac.nz> coderman >I have written some poor code and info regarding the C5XL (nehemiah) and >linux: > > http://peertech.org/hardware/viarng/ I've got code to use it under Windows in the latest cryptlib snapshots (soon to be the 3.1 release), which you can grab via the download link at http://www.cs.auckland.ac.nz/~pgut001/cryptlib/index.html. The RNG code is in misc/rndwin32.c, and is available under a dual license (BSD or GPL, your choice). Note though that I don't actually have a C5XL to play with, so at the moment I've only been able to verify that it won't crash when run on AMD and Intel CPUs. If anyone has a C5XL with Windows installed, I'd be interested in hearing about any problems. Peter. From pgut001 at cs.auckland.ac.nz Thu Nov 27 05:24:20 2003 From: pgut001 at cs.auckland.ac.nz (Peter Gutmann) Date: Fri, 28 Nov 2003 02:24:20 +1300 Subject: [Asrg] Re: [Politech] Congress finally poised to vote on anti -spam bill [sp] Message-ID: <200311271324.hARDOKW07937@cs.auckland.ac.nz> "Hallam-Baker, Phillip" writes: >DNSSEC is not happening, blame Randy Bush and the IESG for refusing the >working group consensus and imposing their own idea that cannot be deployed. >An experimental protocol that increases the volume of data in the .com zone >by an order of magnitude (read Gbs of data) is simply unacceptable. Do you have any more details on this for those who don't normally follow DNSSEC? Peter. From njohnsn at njohnsn.com Fri Nov 28 09:12:34 2003 From: njohnsn at njohnsn.com (Neil Johnson) Date: Fri, 28 Nov 2003 11:12:34 -0600 Subject: Now how they do that ? Message-ID: <200311281112.34833.njohnsn@njohnsn.com> From: http://story.news.yahoo.com/news?tmpl=story&cid=581&e=3&u=/nm/20031126/tc_nm/financial_wellsfargo_theft_dc SAN FRANCISCO (Reuters) - Police have arrested a California man in connection to a burglary in which a computer with sensitive information about Wells Fargo & Co. (NYSE:WFC - news) customers was stolen, officials said on Wednesday. (snip) Investigators traced the computer to Krastof when he logged onto his own America Online account at home through one of the stolen computers, White said. That enabled authorities to connect the computer's Internet Protocol address, a number that identifies a computer on the Internet, to Krastof's home address through his AOL account, White said. (snip) My guess that there was some sort of application (maybe an internally based IM client) that "phoned home" when the thief started up the computer. Or at least I hope .... -- Neil Johnson http://www.njohnsn.com PGP key available on request. From eric at tully.com Fri Nov 28 16:07:05 2003 From: eric at tully.com (Eric Tully) Date: Fri, 28 Nov 2003 19:07:05 -0500 Subject: Now how they do that ? In-Reply-To: <200311281112.34833.njohnsn@njohnsn.com> References: <200311281112.34833.njohnsn@njohnsn.com> Message-ID: <3FC7E329.20103@tully.com> Apparently the Yahoo (Reuters) story got it wrong. According to two other articles I read, he logged into the AOL account that was configured on the machine that he stole, not his *own* account. No "phone home" software, no MAC addresses, and no serial numbers in the CPU were used to find the machine. Of course, the more important question: If the computer had such sensitive data on it, why would it ever be granted network access? http://www.timesheraldonline.com/articles/2003/11/27/news/news05.txt http://www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2003/11/27/MNGUO3BN101.DTL ... Investigators knew where to look for the gear not because of unusually intrepid sleuthing but because Krastof allegedly used the computer to log on to an AOL account belonging to the system's owner, Peter Gascoyne. This allowed authorities to eventually trace the call back to Krastof's residence, said the Police Department's White, who acknowledged that cracking the case was, as much as anything, a matter of pure luck. Jun at Cryptography Research said most people don't realize that they announce their presence and leave an electronic trail any time they go online. "Using a stolen computer to log onto the Net is like taking a stolen credit card (and) buying gas for all your friends at a single service station, " he said. "It's pretty easy to get caught." White said investigators had asked AOL as a routine precaution to watch for any log-ons in Gascoyne's name. He said the world's biggest online service had reported a hit earlier this month but then dragged its feet in providing information about the phone line used in the connection. White said telecom giant SBC, in turn, had not been very helpful in offering information about the location of the residence where the AOL dial-up originated. SBC and AOL privacy policies both say information can be shared with law-enforcement officials. "We ended up taking a while with search warrants," White said. "Part of the difficulty was the lack of cooperation among various entities." AOL did not return calls seeking comment. An SBC spokesman said company officials had fulfilled investigators' requests the same day they were asked. Once all the pieces were in place, though, White said, authorities arrived at Krastof's home around 7 p.m. Tuesday and were let in by his girlfriend. ... - Eric Tully Neil Johnson wrote: >From: > >http://story.news.yahoo.com/news?tmpl=story&cid=581&e=3&u=/nm/20031126/tc_nm/financial_wellsfargo_theft_dc > >SAN FRANCISCO (Reuters) - Police have arrested a California man in connection >to a burglary in which a computer with sensitive information about Wells >Fargo & Co. (NYSE:WFC - news) customers was stolen, officials said on >Wednesday. > >(snip) > >Investigators traced the computer to Krastof when he logged onto his own >America Online account at home through one of the stolen computers, White >said. That enabled authorities to connect the computer's Internet Protocol >address, a number that identifies a computer on the Internet, to Krastof's >home address through his AOL account, White said. > >(snip) > >My guess that there was some sort of application (maybe an internally based IM >client) that "phoned home" when the thief started up the computer. > >Or at least I hope .... From emc at artifact.psychedelic.net Fri Nov 28 22:33:02 2003 From: emc at artifact.psychedelic.net (Eric Cordian) Date: Fri, 28 Nov 2003 22:33:02 -0800 (PST) Subject: Airplane Comedy Message-ID: <200311290633.hAT6X31P010905@artifact.psychedelic.net> http://www.tshirthell.com/shirts/tshirt.php?sku=a102 I'd love to see John Gilmore wear this on his next airline flight. -- Eric Michael Cordian 0+ O:.T:.O:. Mathematical Munitions Division "Do What Thou Wilt Shall Be The Whole Of The Law" From shaddack at ns.arachne.cz Fri Nov 28 14:01:01 2003 From: shaddack at ns.arachne.cz (Thomas Shaddack) Date: Fri, 28 Nov 2003 23:01:01 +0100 (CET) Subject: e voting (receipts, votebuying, brinworld) In-Reply-To: <200311261946.01097.njohnsn@njohnsn.com> References: <20031126161059.GA24701@mail.dadadada.net> <95470B54-2034-11D8-9AB2-000A956B4C74@got.net> <200311261946.01097.njohnsn@njohnsn.com> Message-ID: <0311282257350.0@somehost.domainz.com> On Wed, 26 Nov 2003, Neil Johnson wrote: > > ""Democracy is two wolves and a lamb voting on what to have for lunch. > > Liberty is a well-armed lamb contesting the vote!" > > -- Ben Franklin > > And if they are all armed ? They all starve. Lambs can eat grass, which is usually unarmed. From mv at cdc.gov Sat Nov 29 11:22:50 2003 From: mv at cdc.gov (Major Variola (ret)) Date: Sat, 29 Nov 2003 11:22:50 -0800 Subject: Now how they do that ? Message-ID: <3FC8F20A.F3608418@cdc.gov> At 11:12 AM 11/28/03 -0600, Neil Johnson wrote: >Investigators traced the computer to Krastof when he logged onto his own >America Online account at home through one of the stolen computers, White >said. That enabled authorities to connect the computer's Internet Protocol >address, a number that identifies a computer on the Internet, to Krastof's >home address through his AOL account, White said. > >My guess that there was some sort of application (maybe an internally based IM >client) that "phoned home" when the thief started up the computer. Conventionally, only the NIC's MAC is supposed to be unique. Nowadays there are other IDs including disk-drive serial numbers, motherboard SNs, OS SN's, etc. None of these are supposed to be sent upstream, and the NIC MAC ends at the first router. And of course doens't exist if Krastof used a modem. So yeah, a "phone home" app sounds likely ---even an *unintentional* one, like one that automatically checks a "home server" for updates, corporate news, etc. Then you merely snag the IP, find it comes from AOL (rather than your internal network) who looks up who occupied that address at that time. Krastof probably used his meatspace info, subpeona, no-knock, game over. From bill.stewart at pobox.com Sat Nov 29 12:05:53 2003 From: bill.stewart at pobox.com (Bill Stewart) Date: Sat, 29 Nov 2003 12:05:53 -0800 Subject: e voting (receipts, votebuying, brinworld) In-Reply-To: <3FC654AF.B571B7A5@cdc.gov> Message-ID: <5.1.0.14.2.20031129114559.0286d7f8@idiom.com> Optical Mark Sense - certainly the way to go if you want to computerize, except that the manufacturers aren't big Bush Republican donors. I'm used to mechanical lever machines in Delaware and New Jersey (which seem to mostly work well except for write-in votes), plus the punch-card things in California which are boring but workable. If somebody wanted to do an OMS system that had a fancy touch-screen interface, you could have the touch-screen machine print the OMS ballot, and lay out the printed version so it's human-readable, with a bit of extra assistance like checksums, plus have a verifier read it to make sure it's correctly machine-readable. That'd let you have big print for low-sighted people, voice readout for blind people, randomized order for random people, etc. At 11:46 AM 11/27/2003 -0800, Major Variola (ret) wrote: >At 12:56 PM 11/25/03 -0500, Sunder wrote: > >Um, last I checked, phone cameras have really shitty resolution, usually > >less than 320x200. Even so, you'd need MUCH higher resolution, say > >3-5Mpixels to be able to read text on a printout in a picture. Actually, it tends to be 352x288, which is the resolution of cheap CCD video camera chips. Some of the early cheap digital cameras used that, before going to 640x480 (good enough for web pictures) and then to higher resolutions. >... >Don't you think the cellphone folks will do the more-pixels-game, >trying to add features that distinguish their model from the >nearly identical other models? They're mostly starting to do 640x480, but they're somewhat limited by the low data rates that most of the phones get. Phones with EDGE or 1xRTT or other higher-speed data rates, and phones that use Bluetooth to upload to computers, are set to do more, but otherwise it tends to take too long to transmit (and remember that for phone-to-phone videos between Japanese teenagers, which are the market driver, it's the slower phone that counts.) From mv at cdc.gov Sat Nov 29 12:26:35 2003 From: mv at cdc.gov (Major Variola (ret.)) Date: Sat, 29 Nov 2003 12:26:35 -0800 Subject: US spying, directv, shades of global crossing Message-ID: <3FC900FB.3A69C6B8@cdc.gov> The parent company of DirecTV, the home satellite service, has promised several federal agencies that it can address concerns about foreign ownership of sensitive U.S. communications systems if it wins approval of its proposed merger with Australian-controlled News Corp. ... But the merger also has drawn the scrutiny of the Department of Homeland Security, the FBI and Justice Department divisions in addition to the antitrust department. The deal would bring DirecTV's five satellites and sophisticated communications system under the control of a company based outside the United States. Chief among the U.S. concerns is that a foreign-owned satellite system and communications system could be used for illegal surveillance on U.S. citizens and facilities, according to documents passed this week among Hughes, News Corp. and the federal government. "As the [FCC] is aware, the DOJ, FBI and DHS have taken the position that their ability to satisfy their obligations to protect the national security, to enforce the laws, and to preserve the safety of the public could be significantly impaired by transactions in which foreign entities will own or operate a part of the U.S. communications system, or in which foreign-located facilities will be used to provide domestic communications services to U.S. customers," read a letter filed at the FCC by the three law enforcement agencies last week. The Committee for Foreign Investment in the United States, a group made up of executive departments and representatives from the State, Defense, Treasury and Commerce departments, typically reviews transactions involving foreign ownership of businesses that serve the United States. In September, for instance, the committee approved the reorganization plan for Global Crossing, a telecommunications company being acquired out of bankruptcy by a Singapore-based firm. . http://www.washingtonpost.com/ac2/wp-dyn/A19987-2003Nov28?language=printer From measl at mfn.org Sat Nov 29 12:20:25 2003 From: measl at mfn.org (J.A. Terranson) Date: Sat, 29 Nov 2003 14:20:25 -0600 (CST) Subject: Now how they do that ? In-Reply-To: <3FC8F20A.F3608418@cdc.gov> Message-ID: On Sat, 29 Nov 2003, Major Variola (ret) wrote: > At 11:12 AM 11/28/03 -0600, Neil Johnson wrote: > >Investigators traced the computer to Krastof when he logged onto his > own > >America Online account at home through one of the stolen computers, > White > >said. That enabled authorities to connect the computer's Internet > Protocol > >address, a number that identifies a computer on the Internet, to > Krastof's > >home address through his AOL account, White said. > > > >My guess that there was some sort of application (maybe an internally > based IM > >client) that "phoned home" when the thief started up the computer. > > Conventionally, only the NIC's MAC is supposed to be unique. Nowadays > there are other IDs including disk-drive serial numbers, motherboard > SNs, OS SN's, etc. None of these are supposed to be sent upstream, > and the NIC MAC ends at the first router. And of course doens't exist > if > Krastof used a modem. So yeah, a "phone home" app sounds likely ---even > > an *unintentional* one, like one that automatically checks a "home > server" for > updates, corporate news, etc. Then you merely snag the IP, find it > comes from > AOL (rather than your internal network) who looks up who occupied that > address > at that time. Krastof probably used his meatspace info, subpeona, > no-knock, game over. The theif was using the accounts he found on the stolen computer, and was traced by CID. -- Yours, J.A. Terranson sysadmin at mfn.org Father, you are a great and mighty God. Help our governments to remember the lessons of our history and to appreciate the purpose of your son Jesus. Teach our representatives not to be so arrogant as to speak in one way, but doing another, for surely this not the way of truth. Help us to understand that your will is not death but life, not the darkness of hatred but the light of friendship in Christ. In the name of Jesus we pray. Amen. Merle Harton, Jr. From bill.stewart at pobox.com Sat Nov 29 16:01:34 2003 From: bill.stewart at pobox.com (Bill Stewart) Date: Sat, 29 Nov 2003 16:01:34 -0800 Subject: Gestapo harasses John Young, appeals to patriotism, told to fuck off In-Reply-To: <36b19a2865c067e685aaeb5d1a005785@nox.lemuria.org> Message-ID: <5.1.0.14.2.20031129155933.029a7ea8@idiom.com> At 04:35 AM 11/16/2003 +0100, Anonymous wrote: > >Confirming the allegation about idiot witnesses, I am > >sure I would not recognize either agent if I saw them > >again. The IDs yes, and the questions, but not the > >bland biometrics. > >You do have right to take pictures in your residence, no ? > >I am sure that "John Young's real time door webcam" would be a popular URL >to look up. Maybe you could even sell some ad space there. Nope - too likely to take pictures of guests who are not unwanted - perhaps even some who wish to remain anonymous. However, the "agents"' folder was labeled "SP" - is this really the Feebs, or the Scientology Police hunting for Suppressive Persons ? From bill.stewart at pobox.com Sat Nov 29 19:18:26 2003 From: bill.stewart at pobox.com (Bill Stewart) Date: Sat, 29 Nov 2003 19:18:26 -0800 Subject: Disguising the Key length (Was...Has a change taken place in factoring RSA keys) In-Reply-To: Message-ID: <5.1.0.14.2.20031129160601.0293ce38@idiom.com> At 02:09 PM 11/10/2003 -0500, Tyler Durden wrote: >"I think that's the source as well - when the most recent of the >TWINKLE and TWIRL papers came out, Lucky Green was talking about >whether it was still safe to use 1024-bit keys, >and $1B for 1 key/day is similar to Shamir & Tromer's estimate of > ( http://www.wisdom.weizmann.ac.il/~tromer/papers/cbtwirl.pdf ) >$20M upfront plus $10M for a 1 key/year capacity." > >My first question is, how easy is it for them to estimate the key size of >an encrypted message? > >Can they do this without actually "chewing" on the message for a while? >(ie, if it doesn't crack in x minutes then there's a 99% probability of >the key being Y in length...) > >Second question: Is it possible to make a message appear to have been >encrypted with a shorter key than was actually used? The answer to both those questions is extremely dependent on the message formats (plus whether the public keys are published :-) PGP's formats may be ugly bit-twiddly stuff, but they're also highly visible unless you're using the add-on stealth packages. Most of the other formats for expressing bignum data also tell you how big the numbers are (or use a fixed-length key.) Some signature algorithms produce output that's shorter than the public key (such as 160-bit signatures), but if you can find the public key you can obviously tell. But for the second question, why bother? Use adequately long keys. From bill.stewart at pobox.com Sat Nov 29 22:48:49 2003 From: bill.stewart at pobox.com (Bill Stewart) Date: Sat, 29 Nov 2003 22:48:49 -0800 Subject: NSA and ECC parameters In-Reply-To: <3F9D4CCE.B2412536@cdc.gov> Message-ID: <5.1.0.14.2.20031129223504.0a0028c0@idiom.com> Sorry if this discussion At 08:50 AM 10/27/2003 -0800, Major Variola (ret) wrote: >At 10:01 PM 10/26/03 -0600, J.A. Terranson wrote: > >On Sun, 26 Oct 2003, Eugen Leitl wrote: > >> In the case of the NSA deal, the agency > >> wanted to use a 512-bit key for the ECC system. This is the > >> equivalent of an RSA key of 15,360 bits." > >Am I the only one here who finds this "requirement" excessive? My god: are > >we looking to keep these secrets for 50 years, or 50000 (or more) years? >.. >The NSA might be hedging against future algorithmic improvements. >If tomorrow you could factor numbers (or the ECC equivalent) >with twice the number of bits, will your spies die? >Cf. East German Stasi files, and some south-american files being cracked. "Excessive" implies a cost-benefit analysis - does anybody know how slow 512-bit ECC calculations are in practice? If they're similar in speed to 512-bit RSA, it's usually fine; if they're similar in speed to 15360-bit RSA, that's maybe a bit slow, but if encryption and decryption are only a bit slower than 2048-bit RSA, it doesn't usually matter if key generation is slower. Also, while there are _lots_ of applications where short keys rock, like James Donald's Crypto Kong signature lines, or dumb smartcards, 512-bit isn't too bad, and there are applications where it's usable and 4096-bit RSA keys take up too much space (e.g. including any signed data in a 576-byte TCP/IP packet.) But more importantly, the algorithms are only starting to be explored. We've got a few hundred years of understanding about primes and factoring, and even then the applications of computer technology to factoring have gotten a big Moore's Law hit since R,S,A,D,H, PRZ, and the Cypherpunks started messing with them; 384-bit RSA keys have gone the way of Bass-O-Matic. ECC is a much newer set of theory, especially for the kinds of attacks cryptographers care about, and it's exposed to risks from algorithm theory and number-crunching practice. From jya at pipeline.com Sun Nov 30 07:40:39 2003 From: jya at pipeline.com (John Young) Date: Sun, 30 Nov 2003 07:40:39 -0800 Subject: Gestapo harasses John Young, appeals to patriotism, told to fuck off In-Reply-To: <5.1.0.14.2.20031129155933.029a7ea8@idiom.com> References: <36b19a2865c067e685aaeb5d1a005785@nox.lemuria.org> Message-ID: My comment about the SAs having no noticeable body odor came out the notion that persons on a dangerous mission emit an easily identifiable smell, a smell not unlike that emitted by an unwary target when suddently confronted with danger. Innocents need not worry about these unintentional fear emanations. Same for an old time warrior whose body has evolved to emit a persistent stench of constant fear that overrides transitory wafts of panic aerating an urge to flee or submit. Constant fear of being attacked comes from daily warfare in NYC, call it urban terrorism, where territorial dispute is unending, and there is nobody who is not out to grab what you got, most often under pretense of helping you, offering friendly advice, getting inside your defenses with the kind of behavior you are sure you'd never fall for -- upon later reflection on what happened to yor best laid plans to not be suckered. Over-confidence, in attacker and target, that lack of the odor of danger, is certain to draw attention to weaknesses ready for exploitation. This bunker is saturated with moth balls, still visitors complain of rotted carcass. BO plenty. From mv at cdc.gov Sun Nov 30 10:26:32 2003 From: mv at cdc.gov (Major Variola (ret)) Date: Sun, 30 Nov 2003 10:26:32 -0800 Subject: Chaum's hand? Message-ID: <3FCA3657.41E06789@cdc.gov> Take a look at http://www.chaum.com/images/Photo_of_David.gif and tell me his hand isn't photoshopped. Is this for security reasons, or is his hand malformed? From mv at cdc.gov Sun Nov 30 10:34:56 2003 From: mv at cdc.gov (Major Variola (ret)) Date: Sun, 30 Nov 2003 10:34:56 -0800 Subject: Gestapo harasses John Young, appeals to patriotism, told to fuck off Message-ID: <3FCA3850.503F306B@cdc.gov> At 07:40 AM 11/30/03 -0800, John Young wrote: >My comment about the SAs having no noticeable body odor >came out the notion that persons on a dangerous mission >emit an easily identifiable smell, a smell not unlike that >emitted by an unwary target when suddently confronted with >danger. Agents have their adrenal innervation snipped. From morlockelloi at yahoo.com Sun Nov 30 14:09:46 2003 From: morlockelloi at yahoo.com (Morlock Elloi) Date: Sun, 30 Nov 2003 14:09:46 -0800 (PST) Subject: FOIA Data Mining In-Reply-To: Message-ID: <20031130220946.8092.qmail@web40608.mail.yahoo.com> > One exception: the ***, which hand writes the address. Is Why do you assume that you can tell handwriting from machine-generated script? There are techniques far more advanced than static fonts, that can introduce randomness and be pretty much indistinguishable from the manual product. ===== end (of original message) Y-a*h*o-o (yes, they scan for this) spam follows: __________________________________ Do you Yahoo!? Free Pop-Up Blocker - Get it now http://companion.yahoo.com/ From jya at pipeline.com Sun Nov 30 15:07:37 2003 From: jya at pipeline.com (John Young) Date: Sun, 30 Nov 2003 15:07:37 -0800 Subject: FOIA Data Mining In-Reply-To: <3FCA3850.503F306B@cdc.gov> Message-ID: We've made a few FOIA requests, but none have produced a flood of paper like that made to the US Army INSCOM for a list of military intelligence files provided by anonymous, most dating from the 1940s and 1950s but some up to the 70s and 80s. An aspect of the response has been INSCOM forwarding our request to a host of other agencies which originated certain files: State, Justice, FBI, CIA, other Army sections, Air Force, Navy, and so on. These have been dribbling in, nearly all heavily redacted or flat out refused. A characteristic of the responses has been the labels on the envelopes: nearly all typed and thereby capable of being added to, or already entered into, a database on me and Cryptome. One exception: the FBI, which hand writes the address. Is this due to crappy label printing capability (which we all share) or an attempt to obscure that the address has been, or could be, put in a data base? Transmittal letters are typed so that means the data has been digitized (or typewriter written), so why else the hand writing? Has the Bureau been sued for digital labelling correspondents? Do printed labels tell too much about the agency, source of toner, supplier of fonts and word-processing programs, paper manufacturer, tiny flecks of skin and/or fingerprints on the label adhesive? Does hand writing analysis show the origin of the ink, the birthplace and ethnicity of the writer, her/his state of mind -- on the verge of a nervous breakdown, ready to kill or leak or go over to the enemy, sexually drained by bosses horniness, a skinny dreaming of Twinkies -- thus does the laboratory investigate FOIA requests sent to the FBI directly and more importantly those forwarded by other the enemy: other agencies spilling the beans about vast data gathering. Redactions are an art form, there have been several NYC exhibits of redacted FBI files, and more coming from their twisted sisters. The great barrels of ink used to make redactions contains volumes of raw data which will be revealed when the ink disappears. From cpunk at lne.com Sun Nov 30 20:00:01 2003 From: cpunk at lne.com (cpunk at lne.com) Date: Sun, 30 Nov 2003 20:00:01 -0800 Subject: Cypherpunks List Info Message-ID: <200312010400.hB1401h7012681@slack.lne.com> Cypherpunks Mailing List Information Last updated: Oct 13, 2003 This message is also available at http://www.lne.com/cpunk Instructions on unsubscribing from the list can be found below. 0. Introduction The Cypherpunks mailing list is a mailing list for discussing cryptography and its effect on society. It is not a moderated list (but see exceptions below) and the list operators are not responsible for the list content. Cypherpunks is a distributed mailing list. A subscriber can subscribe to one node of the list and thereby participate on the full list. Each node (called a "Cypherpunks Distributed Remailer", although they are not related to anonymous remailers) exchanges messages with the other nodes in addition to sending messages to its subscribers. A message posted to one node will be received by the list subscribers on the other nodes, and vice-versa. 1. Filtering The various CDRs follow different policies on filtering spam and to a lesser extent on modifying messages that go to/from their subscribers. Filtering is done, on nodes that do it, to reduce the huge amount of spam that the cypherpunks list is subjected to. There are three basic flavors of filtering CDRs: "raw", which send all messages to their subscribers. "cooked" CDRs try to eliminate the spam on that's on the regular list by automatically sending only messages that are from cypherpunks list subscribers (on any CDR) or people who are replying to list messages. Finally there are moderated lists, where a human moderator decides which messages from the raw list to pass on to subscribers. 2. Message Modification Message modification policy indicates what modifications, if any, beyond what is needed to operate the CDR are done (most CDRs add a tracking X-loop header on mail posted to their subscribers to prevent mail loops). Message modification usually happens on mail going in or out to each CDR's subscribers. CDRs should not modify mail that they pass from one CDR to the next, but some of them do, and others undo those modifications. 3. Privacy Privacy policy indicates if the list will allow anyone ("open"), or only list members, or no one ("private") , to retrieve the subscribers list. Note that if you post, being on a "private" list doesn't mean much, since your address is now out there. It's really only useful for keeping spammers from harvesting addresses from the list software. Digest mode indicates that the CDR supports digest mode, which is where the posts are batched up into a few large emails. Nodes that support only digest mode are noted. 4. Anonymous posting Cypherpunks encourages anonymous posting. You can use an anonymous remailer: http://www.andrebacard.com/remail.html http://anon.efga.org/Remailers http://www.gilc.org/speech/anonymous/remailer.html 5. Unsubscribing Unsubscribing from the cypherpunks list: Since the list is run from a number of different CDRs, you have to figure out which CDR you are subscribed to. If you don't remember and can't figure it out from the mail headers (hint: the top Received: line should tell you), the easiest way to unsubscribe is to send unsubscribe messages to all the CDRs listed below. How to figure out which CDR you are subscribed to: Get your mail client to show all the headers (Microsoft calls this "internet headers"). Look for the Sender or X-loop headers. The Sender will say something like "Sender: owner-cypherpunks at lne.com". The X-loop line will say something like "X-Loop: cypherpunks at lne.com". Both of these inticate that you are subscribed to the lne.com CDR. If you were subscribed to the algebra CDR, they would have algebra.com in them. Once you have figured out which CDR you're subscribed to, look in the table below to find that CDRs unsubscribe instructions. 6. Lunatics, spammers and nut-cases "I'm subscribed to a filtering CDR yet I still see lots of junk postings". At this writing there are a few sociopaths on the cypherpunks list who are abusing the lists openness by dumping reams of propaganda on the list. The distinction between a spammer and a subscriber is nearly always very clear, but the dictinction between a subscriber who is abusing the list by posting reams of propaganda and a subscriber who is making lots of controversial posts is not clear. Therefore, we tolerate the crap. Subscribers with a low crap tolerance should check out mail filters. Procmail is a good one, although it works on Unix and Unix-like systems only. Eudora also has a capacity for filtering mail, as do many other mail readers. An example procmail recipie is below, you will of course want to make your own decisions on which (ab)users to filter. # mailing lists: # filter all cypherpunks mail into its own cypherspool folder, discarding # mail from loons. All CDRs set their From: line to 'owner-cypherpunks'. # /dev/null is unix for the trash can. :0 * ^From.*owner-cypherpunks at .* { :0: * (^From:.*ravage at ssz\.com.*|\ ^From:.*jchoate at dev.tivoli.com.*|\ ^From:.*mattd at useoz.com|\ ^From:.*proffr11 at bigpond.com|\ ^From:.*jei at cc.hut.fi) /dev/null :0: cypherspool } 7. List of current CDRs All commands are sent in the body of mail unless otherwise noted. --------------------------------------------------------------------------- Algebra: Operator: Subscription: "subscribe cypherpunks" to majordomo at algebra.com Unsubscription: "unsubscribe cypherpunks" to majordomo at algebra.com Help: "help cypherpunks" to majordomo at algebra.com Posting address: cypherpunks at algebra.com Filtering policy: raw Message Modification policy: no modification Privacy policy: ??? Info: ??? --------------------------------------------------------------------------- CCC: Operator: drt at un.bewaff.net Subscription: "subscribe [password of your choice]" to cypherpunks-request at koeln.ccc.de Unsubscription: "unsubscribe " to cypherpunks-request at koeln.ccc.de Help: "help" to to cypherpunks-request at koeln.ccc.de Web site: http://koeln.ccc.de/mailman/listinfo/cypherpunks Posting address: cypherpunks at koeln.ccc.de Filtering policy: This specific node drops messages bigger than 32k and every message with more than 17 recipients or just a line containing "subscribe" or "unsubscribe" in the subject. Digest mode: this node is digest-only NNTP: news://koeln.ccc.de/cbone.ml.cypherpunks Message Modification policy: no modification Privacy policy: ??? --------------------------------------------------------------------------- Infonex: Subscription: "subscribe cypherpunks" to majordomo at infonex.com Unsubscription: "unsubscribe cypherpunks" to majordomo at infonex.com Help: "help cypherpunks" to majordomo at infonex.com Posting address: cypherpunks at infonex.com Filtering policy: raw Message Modification policy: no modification Privacy policy: ??? --------------------------------------------------------------------------- Lne: Subscription: "subscribe cypherpunks" to majordomo at lne.com Unsubscription: "unsubscribe cypherpunks" to majordomo at lne.com Help: "help cypherpunks" to majordomo at lne.com Posting address: cypherpunks at lne.com Filtering policy: cooked Posts from all CDR subscribers & replies to threads go to lne CDR subscribers. All posts from other CDRs are forwarded to other CDRs unmodified. Message Modification policy: 1. messages are demimed (MIME attachments removed) when posted through lne or received by lne CDR subscribers 2. leading "CDR:" in subject line removed 3. "Reply-to:" removed Privacy policy: private Info: http://www.lne.com/cpunk; "info cypherpunks" to majordomo at lne.com Archive: http://archives.abditum.com/cypherpunks/index.html (thanks to Steve Furlong and Len Sassaman) --------------------------------------------------------------------------- Minder: Subscription: "subscribe cypherpunks" to majordomo at minder.net Unsubscription: "unsubscribe cypherpunks" to majordomo at minder.net Help: "help" to majordomo at minder.net Posting address: cypherpunks at minder.net Filtering policy: raw Message Modification policy: no modification Privacy policy: private Info: send mail to cypherpunks-info at minder.net --------------------------------------------------------------------------- Openpgp: [openpgp seems to have dropped off the end of the world-- it doesn't return anything from sending help queries. Ericm, 8/7/01] Subscription: "subscribe cypherpunks" to listproc at openpgp.net Unsubscription: "unsubscribe cypherpunks" to listproc at openpgp.net Help: "help" to listproc at openpgp.net Posting address: cypherpunks at openpgp.net Filtering policy: raw Message Modification policy: no modification Privacy policy: ??? --------------------------------------------------------------------------- Sunder: Subscription: "subscribe" to sunder at sunder.net Unsubscription: "unsubscribe" to sunder at sunder.net Help: "help" to sunder at sunder.net Posting address: sunder at sunder.net Filtering policy: moderated Message Modification policy: ??? Privacy policy: ??? Info: ??? --------------------------------------------------------------------------- Pro-ns: Subscription: "subscribe cypherpunks" to majordomo at pro-ns.net Unsubscription: "unsubscribe cypherpunks" to majordomo at pro-ns.net Help: "help cypherpunks" to majordomo at pro-ns.net Posting address: cypherpunks at pro-ns.net Filtering policy: cooked Posts from all CDR subscribers & replies to threads go to local CDR subscribers. All posts from other CDRs are forwarded to other CDRs unmodified. Message Modification policy: 1. leading "CDR:" in subject line removed 2. "Reply-to:" removed Privacy policy: private Info: http://www.pro-ns.net/cpunk