From ericm at lne.com Sun Aug 1 08:29:49 2004
From: ericm at lne.com (Eric Murray)
Date: Sun, 1 Aug 2004 08:29:49 -0700
Subject: On how the NSA can be generations ahead
In-Reply-To: <20040801101818.L45634@ubzr.zsa.bet>; from measl@mfn.org on Sun, Aug 01, 2004 at 10:20:38AM -0500
References: <410C3E5C.8E8891C@cdc.gov> <20040801101818.L45634@ubzr.zsa.bet>
Message-ID: <20040801082949.A11123@slack.lne.com>

On Sun, Aug 01, 2004 at 10:20:38AM -0500, J.A. Terranson wrote:
> On Sat, 31 Jul 2004, Major Variola (ret) wrote:
>
> > Tyler D asked about how the NSA could be so far ahead.
> > Besides their ability to make 2" sq. chips at 10% yield (not
> > something a commercial entity could get away with)
>
> What, exactly, would be the point of doing this?

More gates == more processing.

> > they can also *thin and glue* those chips into say stacks
> > of 5 thinned die.
>
> As easily as you could do this to high efficiency chips.

It's possible, using technologies like flip-chip. But it's not as good as
having everything on one die. The interconnects are limited in number and
large in size, so they take up a lot of room. Stacked die are also more
difficult to keep cool.

> > 2" sq = 4 x performance
>
> How do you figure 4x performance on a 2" chip? Most of the chip
> performance is tied to the total distance that signals must traverse
> across the chip surface.

4x the gates (roughly) means 4x performance. Chip performance, especially
for highly parallelizable things like key cracking, is determined by the
number of gates.

Eric

From measl at mfn.org Sun Aug 1 08:20:38 2004
From: measl at mfn.org (J.A. Terranson)
Date: Sun, 1 Aug 2004 10:20:38 -0500 (CDT)
Subject: On how the NSA can be generations ahead
In-Reply-To: <410C3E5C.8E8891C@cdc.gov>
References: <410C3E5C.8E8891C@cdc.gov>
Message-ID: <20040801101818.L45634@ubzr.zsa.bet>

On Sat, 31 Jul 2004, Major Variola (ret) wrote:

> Tyler D asked about how the NSA could be so far ahead.
> Besides their ability to make 2" sq. chips at 10% yield (not
> something a commercial entity could get away with)

What, exactly, would be the point of doing this?

> they can also *thin and glue* those chips into say stacks
> of 5 thinned die.

As easily as you could do this to high efficiency chips.

> 2" sq = 4 x performance

How do you figure 4x performance on a 2" chip? Most of the chip
performance is tied to the total distance that signals must traverse
across the chip surface.

> 5 thinned die with GHz vias = 20 x performance.

with any chip, regardless of design.

> Both are uneconomical but feasible. Get it?

No.

> Any questions?

Yes. See above.

--
Yours,
J.A. Terranson
sysadmin at mfn.org
0xBD4A95BF

"...justice is a duty towards those whom you love and those whom you do
not. And people's rights will not be harmed if the opponent speaks out
about them."
    Osama Bin Laden
- - -
"There ought to be limits to freedom!"
    George Bush
- - -
Which one scares you more?

From measl at mfn.org Sun Aug 1 09:41:41 2004
From: measl at mfn.org (J.A. Terranson)
Date: Sun, 1 Aug 2004 11:41:41 -0500 (CDT)
Subject: Al-Q targeting NY corporations?
Message-ID: <20040801113117.T45634@ubzr.zsa.bet>

Article below.

Just in case AQ is listening, I'd like to remind them that there are some
other states that also have some *really* good targets ;-) But, if you're
just "stuck" on New York, let me make my recommendations:

(1) Citicorp Center. Thousands of people work in this one gargantuan and
profoundly ugly building. As a bonus, it belongs to one of Israel's
biggest finance sources ;-)

(2) One Police Plaza. Not just for donuts anymore! This huge,
purpose-built, multibuilding plaza houses a significant percentage of New
York's police department. As a bonus, it is also a centralized facility
which serves a large number of federal and state agencies as well. One
Stop Shopping!!!

(3) The George & Martha Washington Bridges. These two bridges share a
single two-level span which connects New York and New Jersey (the Martha
bridge was an add-on to the George, when George turned out to be too
small to carry all the traffic). Destruction of these two incredibly ugly
and poorly designed bridges would be a boon for the esthetic flavor of
the area (which is otherwise surrounded by some of the most beautiful
areas in New York City proper), not to mention the air quality. And, for
AQ, the resulting economic damages would amount to a Gift That Keeps On
Giving ;-)

Happy Hunting!

--
Yours,
J.A. Terranson
sysadmin at mfn.org
0xBD4A95BF

"...justice is a duty towards those whom you love and those whom you do
not. And people's rights will not be harmed if the opponent speaks out
about them."
    Osama Bin Laden
- - -
"There ought to be limits to freedom!"
    George Bush
- - -
Which one scares you more?

-------------------------------------------------------------------------

http://www.reuters.com/newsArticle.jhtml;jsessionid=EVMVMWLEROJ22CRBAE0CFFA?type=topNews&storyID=5836688

NYPD Source: Al Qaeda May Target New York Firms
Sun Aug 1, 2004 09:31 AM ET
By Mark Egan

NEW YORK (Reuters) - Top federal and local law enforcement officials met
in New York during the weekend to discuss new intelligence about a
possible al Qaeda attack against major corporations or high-profile
buildings in Manhattan, a police source said on Sunday.

The New York Police Department source told Reuters that increased
intelligence "chatter" from overseas of a possible fresh attack on the
city prompted meetings late Friday and early Saturday between NYPD chief
Raymond Kelly and Pasquale Damuro, head of the FBI's office here.

"The intelligence is not specific but we are taking it very seriously,"
the source said, noting that the intelligence was deemed "credible."

New York was the city most affected by the Sept. 11, 2001, attacks with
almost 2,800 people killed when hijacked planes destroyed the twin towers
of the World Trade Center.
The city has remained on a heightened alert since then and federal
officials have said that the Republican National Convention at the end of
August would make an attractive terrorist target.

The threat was first reported by ABC News, which said the authorities
were particularly disturbed that the information indicated attacks may be
carried out by one or more suicide truck bombings.

Following the meetings, the NYPD issued a statement that said,
"Intelligence reporting indicates that al Qaeda continues to target for
attack commercial and financial institutions, as well as international
organizations, inside the United States."

The police department said it "recommends that corporate and
institutional security directors review their protection of HVAC
(heating, ventilation and air conditioning) systems, parking
installations, and security in general."

However, the department said the alert level for New York is unchanged
and remains at the second-highest level of "orange" or "high."

At the Republican convention from Aug. 28 to Sept. 2, President Bush will
be officially nominated to run for a second term in office. Thousands of
delegates, a large contingent of media and as many as 200,000 protesters
are expected in town for the event.

U.S. Homeland Security Secretary Tom Ridge is scheduled to be in New York
on Sunday and The New York Times quoted a law enforcement official saying
he was expected to comment on the new information.

From sunder at sunder.net Sun Aug 1 09:58:46 2004
From: sunder at sunder.net (Sunder)
Date: Sun, 1 Aug 2004 12:58:46 -0400 (edt)
Subject: Al-Q targeting NY corporations?
In-Reply-To: <20040801113117.T45634@ubzr.zsa.bet>
References: <20040801113117.T45634@ubzr.zsa.bet>
Message-ID:

I've a better idea for the terrorists who may be paying attention, why not
just leave NYC alone and target something more useful to take out - like
Microsoft, for example.

IMHO, the planes that were targeted at the WTC would have been better
directed at various Redmond, WA buildings. They're after all a very big
company with a lot of billions - that would have been far more spectacular
an attack than a couple of profitless eyesores blocking everyone's view of
the Statue of Liberty.

And what's with attacking the pentagon? They're the biggest sink of Evil
American Taxpayer funds after all. Don't you want your enemies wasting
billions of dollars on shitty airplanes and helicopters that crash
themselves?

Besides, if you want to piss off the NY Cops, don't attack One Police
Plaza, take out Dunkin Donuts and Krispy Kreme joints... well, wait, I
kinda like Krispy Kreme once in a while, ok, just Dunkin Donuts... Or
better yet, don't! The artery clogging fat and the diabetes inducing
sugar+starch already do plenty. Nah, if you're an Al Qaeda member, it's
your duty to open up more donut shops and in fact, have a policy of free
donuts to every cop. In fact, you should send crates of donuts to every
police precinct several times a day. I'd suggest a 10:1 donut to officer
ratio.

Ditto for McDonalds foods. Add extra grease. The hydrogenated soybean
kind!

And why bother taking out the bridge to NJ - after all, NJ is where all
the stench is (remember that old joke: Girlfriend: "Kiss me where it
smells," Boyfriend: "Ok, let's drive to NJ!") You're better off leaving
that bridge alone, so commuters can be terrorized by the industrial stench
as they drive through, and by all the delays. In fact, if you're an Al
Qaeda engineer, you'll want to BUILD more bridges to NJ, so more Satan
Loving American Infidels will get sickened by it.

Oh yeah, and be sure to vote for Bush. He'll be sure to fuck the economy
even worse and put more draconian laws into effect. You Al-Qaeda types
hate us for having freedom, right? So Dubbya's your perfect boy for that.

That's the real way to be a terrorist, not by wasting your time on some
dumb ass fireworks by airplane. Pshaw, only amateur terrorists do it that
way.

----------------------Kaos-Keraunos-Kybernetos---------------------------
 + ^ + :"I find it ironic that, on an amendment designed to protect     /|\
  \|/  :American democracy and our constitutional rights, the         /\|/\
<--*-->:Republican leadership in the House had to rig the vote and    \/|\/
  /|\  :subvert the democratic process in order to prevail"            \|/
 + v + :    -- Rep. Sanders re vote to amend the US PATRIOT ACT.
-------------------------------------- http://www.sunder.net ------------

On Sun, 1 Aug 2004, J.A. Terranson wrote:

> Article below.
>
> Just in case AQ is listening, I'd like to remind them that there are some
> other states that also have some *really* good targets ;-) But, if you're
> just "stuck" on New York, let me make my recommendations:

From bill.stewart at pobox.com Sun Aug 1 13:00:25 2004
From: bill.stewart at pobox.com (Bill Stewart)
Date: Sun, 01 Aug 2004 13:00:25 -0700
Subject: Terror Threat Level Is Raised For Key U.S. Financial Buildings
In-Reply-To:
References:
Message-ID: <200408012002.i71K2PR4011587@positron.jfet.org>

At 12:00 PM 8/1/2004, R. A. Hettinga wrote:
>
>Terror Threat Level Is Raised For Key U.S. Financial Buildings
>Associated Press
>August 1, 2004 2:46 p.m.
>
>NEW YORK -- The federal government warned today of possible terrorist
>attacks against "iconic" financial institutions in New York City,
>Washington and Newark, N.J., saying a confluence of intelligence over the
>weekend pointed to a car or truck bomb.

In related news, Homeland Security reported that there have been
sightings of a Big Scary Wolf near the edges of Your Village.
"These aren't the usual Wolf reports - there's serious chatter among
shepherd sources and we've interrogated a bunch of sheep lately who've
confirmed that the Wolf is out there and identified a bunch of different
parts of the village where the wolf may strike next."
I'm getting really tired of the irresponsibility of the American press
reporting this stuff uncritically.

From jya at pipeline.com Sun Aug 1 14:51:01 2004
From: jya at pipeline.com (John Young)
Date: Sun, 01 Aug 2004 14:51:01 -0700
Subject: Al-Q targeting NY corporations?
In-Reply-To: <20040801113117.T45634@ubzr.zsa.bet>
Message-ID:

Not yet aware the NY-bound wetback had been nabbed, we posted material and
photos on July 29 about how Amtrak and Long Island Railroad Manhattan
tunnels provide easy access to Madison Square Garden located above
subterranean Penn Station and the nearby post office where the thousands
of press are to be isolated from protestors:

http://cryptome.org/rnc-prep-01.htm

We noted that the tunnels are known to be highly hazardous due to lack of
fire protection and emergency exits.

Shortly a flood of hits started coming from federal, NY state and NYC
security IPs -- Treasury, Homeland Security, DOT, GSA; Kallstrom's NYS
Office of Public Security and a host of Albany agencies; NYPD, FDNY, the
Transit Agency; Suffolk County adjoining NYC; various from New Jersey; and
a slew of other locations. While some were familiar, a lot of these had
not come around before. None telephoned or visited, maybe during the work
week when the round-up begins as a result of squeezing the intruder.

Presumably red-team postings -- call them chatter, or better: the naming
of specific targets -- get fired off to tight-fisted financing agencies to
cut loose some emergency bucks, in the Bush re-election manner. Many more
to come before November. Perhaps some real, more likely fabbed from odds
and ends sucked from the ether of hard-up operatives -- NYPD Intelligence
Commish is ex-CIA.

Ridge has just named names of targets, being unable to get serious
attention with over-used chatter. One notable target in every major city,
perfect campaign fodder.

We'll be providing more red-team tell-tales of what's wrong with security
in NYC, pisspoor at warding off those who hate it, great at alluring the
haters to its sin spots, Wall Street, finance cesses, et al, many such
love-haters who will soon be convening to expurge their sins at the
hallowed ground zip, praying for more of the golden natsec rain.

From rah at shipwright.com Sun Aug 1 12:00:00 2004
From: rah at shipwright.com (R. A. Hettinga)
Date: Sun, 1 Aug 2004 15:00:00 -0400
Subject: Terror Threat Level Is Raised For Key U.S. Financial Buildings
Message-ID:

The Wall Street Journal
August 1, 2004 2:46 p.m. EDT

WORLD NEWS

Terror Threat Level Is Raised For Key U.S. Financial Buildings
Associated Press
August 1, 2004 2:46 p.m.

NEW YORK -- The federal government warned today of possible terrorist
attacks against "iconic" financial institutions in New York City,
Washington and Newark, N.J., saying a confluence of intelligence over the
weekend pointed to a car or truck bomb.

Specifically, the government named these buildings as potential targets:
The Citicorp building and the New York Stock Exchange in New York City;
The International Monetary Fund and the World Bank buildings in
Washington; and the Prudential Financial building in Newark.

The government said the new intelligence indicated the meticulous planning
of al Qaeda. He identified explosives as the likely mode of attack, as
opposed to a chemical or biological attack or a radiological "dirty" bomb.

Mr. Ridge said the government's threat level for financial institutions in
just these three cities would be raised to orange, or high alert, but
would remain at yellow, or elevated, elsewhere.

The government provided a wealth of detail that it had picked up in the
past 36 hours, but a senior intelligence official described it only on
condition of anonymity. The official described "excruciating detail" and
meticulous planning "indicative of al Qaeda."

The official said the intelligence included security in and around these
buildings; the flow of pedestrians; the best places for reconnaissance;
how to make contact with employees who work in the buildings; the
construction of the buildings; traffic patterns; locations of hospitals
and police departments; and which days of the week present less security
at these buildings.

To illustrate the level of detail obtained, the official cited these
examples: midweek pedestrian traffic of 14 people per minute on each side
of the street for a total of 28 people; that some explosives might not be
hot enough to melt steel; and that the construction of some buildings
might prevent them from falling down.

The official said he had not seen such extraordinary detail in his 24
years in intelligence work.

Mr. Ridge said it would be up to New York City officials to decide whether
to move to the highest level, red. The city has remained on orange since
the attacks of Sept. 11, 2001.

The threat potential remains through the Nov. 2 elections, he said.

The secretary said the government took the unprecedented step of naming
specific buildings because of the level of specificity of the
intelligence. "This is not the usual chatter. This is multiple sources
that involve extraordinary detail," Mr. Ridge said. He said the government
decided to notify the public because of the specificity of detail it had
obtained.

Mr. Ridge acknowledged that protecting these buildings, located in heavily
populated areas, would require additional security measures, especially
because thousands of cars and trucks travel through these cities daily.
"Car and truck bombs are one of the most difficult tasks we have in the
war on terror," Mr. Ridge said.

Local and state officials were notified earlier in the day and Mr. Ridge
said new security procedures were already being put in place.

A White House spokeswoman, Erin Healy, said the intelligence on the threat
was "very new, coming in during the last 72 hours."

"The president made the final decision today agreeing with the
recommendation of Secretary Ridge to go ahead and raise the threat level
in these select areas," Ms. Healy said.

This was the first time the color-coded warning system had been used in
such a narrow, targeted way, Mr. Ridge said at a news conference at
department headquarters.

"With this kind of information comes action," he said. "This is sobering
news."

Referring to terrorists who are hostile to the U.S., Mr. Ridge said,
"Iconic economic targets are at the heart of their interest."

He said workers at the five specific buildings should get guidance from
security officers at each site and remain alert as they go to work.

--
-----------------
R. A. Hettinga
The Internet Bearer Underwriting Corporation
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

From camera_lumina at hotmail.com Sun Aug 1 14:23:24 2004
From: camera_lumina at hotmail.com (Tyler Durden)
Date: Sun, 01 Aug 2004 17:23:24 -0400
Subject: On how the NSA can be generations ahead
Message-ID:

Well, there's no doubt that what Variola says is basically correct. But it
doesn't exactly apply to the specific situation I was referring to, which
was whether something "inconspicuous" might be slipped into a CO
unbeknownst to the rank-and-file (i.e., the CO manager would probably
receive some kind of order saying there'd be a special installation one
day..."just leave those guys alone and don't worry about the little box
they're putting in...it just measures traffic is all").

But the kind of iron that would be needed to unpackage and then pull out
and record pretty much "everything" would still be a huge, power-hungry
beast with multiple racks and cards. Why do I say this? Well...
When I spoke of 0.13um technology, my thought had nothing to do with the
yield, but merely with the size/power of the device. Examination of
current off-the-shelf chip architectures (and network processors are still
a couple of years behind the ASICs) indicates that, unless a LOT of chips
in that range are used, they wouldn't be able to do the above.

This means they've got to do all this unpacking in some kind of central
location (i.e., not a CO), where I do believe what Variola speaks of is
possible. BUT, they've got to get it all there. This means they'd either
have to put in tons of lasers and gear (essentially creating a 1:1 copy of
the current transport network), or else CALEA the most likely batches of
traffic and then send it back.

They probably WANT to get it all (GIG-BE, anyone?) but they simply don't
have the gear nor power nor footprint available to them. If nothing else,
it would be hugely conspicuous. There'd be no way to hide it from the
craft, nor from the rest of the world (all that gear would need a big army
of secret craftpersons).

This leads me back to burst mode. I'm sure there are many uses for burst
mode, but I'd also bet this is one of the drivers. It's probably worth
examining whether they're putting a lot of money into signaling. Look for
unheard of startups as paying members of OIF and the GMPLS fora.

No, the NSA is probably generations ahead in some areas, but their fabs
aren't much better than what's available commercially.

-TD

From camera_lumina at hotmail.com Sun Aug 1 14:31:20 2004
From: camera_lumina at hotmail.com (Tyler Durden)
Date: Sun, 01 Aug 2004 17:31:20 -0400
Subject: Al-Q targeting NY corporations?
Message-ID:

"Nah, if you're an Al Qaeda member, it's your duty to open up more donut
shops and in fact, have a policy of free donuts to every cop. In fact, you
should send crates of donuts to every police precinct several times a day.
I'd suggest a 10:1 donut to officer ratio."

I'm pretty sure I saw bin Laden working in "Kabab King" in Jackson
Heights. I know it's him 'cause when I ordered I saw him spit on my
Kababs. I said, "yo Osama...what the fuck're you doin' to my Kebabs". His
reply: "Fuck you infidel. You want Pakistani food go to a buffet down the
street."

As for targeting Financial Institutions, I went and painted a giant "JP
Morgan" symbol on the roof of Madison Square Garden last week. Think it'll
work? If it doesn't, like I said I'll try to sniff a hotspot from under
the rubble for one last Cypherpunks post.

-TD

>From: Sunder
>To: "J.A. Terranson"
>CC: "cypherpunks at al-qaeda.net"
>Subject: Re: Al-Q targeting NY corporations?
>Date: Sun, 1 Aug 2004 12:58:46 -0400 (edt)
>
>
>
>
>I've a better idea for the terrorists who may be paying attention, why not
>just leave NYC alone and target something more useful to take out - like
>Microsoft, for example.
>
>IMHO, the planes that were targeted at the WTC would have been better
>directed at various Redmond, WA buildings. They're after all a very big
>company with a lot of billions - that would have been far more spectacular
>an attack than a couple of profitless eyesores blocking everyone's view of
>the Statue of Liberty.
>
>And what's with attacking the pentagon? They're the biggest sink of Evil
>American Taxpayer funds after all. Don't you want your enemies wasting
>billions of dollars on shitty airplanes and helicopters that crash
>themselves?
>
>Besides, if you want to piss off the NY Cops, don't attack One Police
>Plaza, take out Dunkin Donuts and Krispy Kreme joints... well, wait, I
>kinda like Krispy Kreme once in a while, ok, just Dunkin Donuts... Or
>better yet, don't! The artery clogging fat and the diabetes inducing
>sugar+starch already do plenty. Nah, if you're an Al Qaeda member, it's
>your duty to open up more donut shops and in fact, have a policy of free
>donuts to every cop. In fact, you should send crates of donuts to every
>police precinct several times a day. I'd suggest a 10:1 donut to officer
>ratio.
>
>Ditto for McDonalds foods. Add extra grease. The hydrogenated soybean
>kind!
>
>And why bother taking out the bridge to NJ - after all, NJ is where all
>the stench is (remember that old joke: Girlfriend: "Kiss me where it
>smells," Boyfriend: "Ok, let's drive to NJ!") You're better off leaving
>that bridge alone, so commuters can be terrorized by the industrial stench
>as they drive through, and by all the delays. In fact, if you're an Al
>Qaeda engineer, you'll want to BUILD more bridges to NJ, so more Satan
>Loving American Infidels will get sickened by it.
>
>Oh yeah, and be sure to vote for Bush. He'll be sure to fuck the economy
>even worse and put more draconian laws into effect. You Al-Qaeda types
>hate us for having freedom, right? So Dubbya's your perfect boy for that.
>
>
>That's the real way to be a terrorist, not by wasting your time on some
>dumb ass fireworks by airplane. Pshaw, only amateur terrorists do it that
>way.
>
>
>
>----------------------Kaos-Keraunos-Kybernetos---------------------------
> + ^ + :"I find it ironic that, on an amendment designed to protect     /|\
>  \|/  :American democracy and our constitutional rights, the         /\|/\
><--*-->:Republican leadership in the House had to rig the vote and    \/|\/
>  /|\  :subvert the democratic process in order to prevail"            \|/
> + v + :    -- Rep. Sanders re vote to amend the US PATRIOT ACT.
>-------------------------------------- http://www.sunder.net ------------
>
>On Sun, 1 Aug 2004, J.A. Terranson wrote:
>
> > Article below.
> >
> > Just in case AQ is listening, I'd like to remind them that there are
>some
> > other states that also have some *really* good targets ;-) But, if
>you're
> > just "stuck" on New York, let me make my recommendations:
>

From rah at shipwright.com Sun Aug 1 18:30:23 2004
From: rah at shipwright.com (R. A. Hettinga)
Date: Sun, 1 Aug 2004 21:30:23 -0400
Subject: Could U.S. Bid to Curb Gambling on the Web Go Way of Prohibition?
Message-ID:

The Wall Street Journal
August 2, 2004

PORTALS

Could U.S. Bid to Curb Gambling on the Web Go Way of Prohibition?

By JULIA ANGWIN
Staff Reporter of THE WALL STREET JOURNAL
August 2, 2004

David Carruthers, a 46-year-old executive with thinning gray hair, is an
unlikely outlaw. Recently, a wild moment for him was drinking a champagne
toast in his banker's office after his company went public on the
Alternative Investment Market, a London stock exchange.

Nonetheless, many U.S. lawmakers and regulators would like to shut down
Mr. Carruthers's London-based BetonSports, along with other operations
that run Web gambling sites catering to Americans. Under the 1961 Federal
Wire Act, betting on sports via telephone or the Internet is illegal in
the U.S. But online gambling is legal in many other countries, and the
U.S. can't do much to prevent companies operating abroad from accepting
wagers from U.S. citizens.

As a result, a gigantic online gambling market has sprung up overseas.
Last year, world-wide revenue from online gambling totaled $5.7 billion,
and a majority of the gamblers were American, according to Christiansen
Capital Advisors, a market-research firm. BetonSports, which says 98% of
its customers are U.S. based, had a profit of $26.8 million for the year
ended Jan. 31.

Mr.
Carruthers and many other Internet gambling executives are betting that
the U.S. will eventually have to drop its online-gambling prohibition.
"What happened with alcohol was a disaster," he says. "Nobody wants this
business, which is flourishing offshore, being pushed back onto the
streets and the back alleys of the U.S." He also argues that "there's a
huge missed opportunity here" to collect revenue.

So far, the U.S. government isn't convinced. But that could change as the
result of talks that will start this month between the tiny twin-island
Caribbean nation of Antigua and Barbuda and the U.S.

U.S. opposition to Web gambling has hurt Antigua and Barbuda. Until 1999,
the island nation was a favorite spot for online companies catering to
U.S. gamblers. The industry employed 3,000 people and was responsible for
8% to 10% of the nation's GDP.

But then the U.S. cracked down. In 2000, the Justice Department
successfully prosecuted Jay Cohen, a U.S. citizen who was running a
betting operation called the World Sports Exchange from Antigua. In 2002,
after New York Attorney General Eliot Spitzer went after Citibank and
PayPal for processing credit-card payments for online gambling, both
agreed to stop. Now, most U.S. credit-card issuers won't process online
gambling payments.

Last year, the Justice Department notified the National Association of
Broadcasters that accepting money from Web gambling advertisers could be
considered "aiding and abetting" an illegal activity, and it issued
subpoenas to such media companies as radio giant Clear Channel
Communications. Then, in April, U.S. marshals seized $3.2 million that
Discovery Communications had accepted for ads from Tropical Paradise, a
Web casino operation based in Costa Rica. The result: Online gambling ads
vanished from Google, Yahoo and Howard Stern's radio show, among other
venues.

In part because of U.S. actions, Antigua and Barbuda says, its gambling
industry has shrunk to only 31 licensed companies from a peak of 112, and
it now employs fewer than 500 people.

In response, Antigua and Barbuda took the highly unusual step last year of
challenging the U.S. at the World Trade Organization. The island nation
claimed that by permitting U.S. operators to offer gambling services in
the U.S. but prohibiting offshore operations from doing so, the U.S. was
violating the General Agreement on Trade in Services. In March, a WTO
court sided with Antigua and Barbuda; the two sides have said they hope to
negotiate a settlement by Aug. 23.

Many in the online-gambling industry worry that the islands will cave in
to U.S. pressure. But Mr. Carruthers, whose BetonSports has an Antigua
subsidiary, says the island government has assured his company that it is
sticking by the industry.

If Antigua wins, other countries could bring similar charges against the
U.S. Already, the U.K. has been working on a set of laws -- which could
pass by the end of this year -- that will regulate and license online
gambling operations. And the Australian government last month announced it
had completed a review of online gambling and had decided not to ban the
practice.

In the face of such pressure, U.S. law-enforcement efforts are "like
trying to empty the ocean with a teaspoon," says Joseph Kelly, a law
professor who studies Internet gambling at the State University of New
York College at Buffalo.

Even if Antigua loses, the reality of the Internet is that no one
government can control it. Despite world-wide crackdowns, spammers and
pornographers continue to find dark corners of the world where they can
operate. And fly-by-night online casinos occasionally shut down without
paying out their winnings.

In such a world, the best hand the U.S. can play may well be regulation.
By legalizing and regulating online gambling, the U.S. government would
make it safer for the 5.3 million Americans who are already gambling in
offshore online casinos. After all, says Mr. Carruthers, "the voice of the
people has spoken."

--
-----------------
R. A. Hettinga
The Internet Bearer Underwriting Corporation
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

From camera_lumina at hotmail.com Sun Aug 1 18:53:12 2004
From: camera_lumina at hotmail.com (Tyler Durden)
Date: Sun, 01 Aug 2004 21:53:12 -0400
Subject: Al-Q targeting NY corporations...ah well.
Message-ID:

Oh yeah...

For those Cypherpunks that actually have sex with something other than
their fist, the following statements are officially* fairly cypherpunkish:

"Hey...if I have to take out that garbage then the terrorists have won."

"Ah well. We had a pretty good run. Let's face the fact that the party's
over."

"If you don't give me that blowjob tonight, then the terrorists have won."

"Hey...bin Laden's MUCH safer than Washington Heights."

"Why can't they blow up the goddam Hollywood sign...all those LA-LA-ers
are just dying to have candlelight vigils and sing CoomByeYa."

* Fuck you Variola...I just had a couple of dark Spatens ON TAP. I
therefore declare that any Cypherpunk is officially authorized to make an
official Cypherpunk statement, particularly if it a) Gets them some
poontang, b) Gets them a few extra $$$, c) deflects any kind of bullzhit,
real or perceived, or 4) Ya' just feel like making an official statement.
Such official statements can completely contradict any other official
statement, and are by no means binding on any other subscriber to the
Cypherpunks list (and of course they couldn't be).

>From: "Tyler Durden"
>To: sunder at sunder.net, measl at mfn.org
>CC: cypherpunks at al-qaeda.net
>Subject: Re: Al-Q targeting NY corporations?
>Date: Sun, 01 Aug 2004 17:31:20 -0400 > >"Nah, if you're an Al Qaeda member, it's >your duty to open up more donut shops and in fact, have a policy of free >donuts to every cop. In fact, you should send crates of donuts to every >police precinct several times a day. I'd suggest a 10:1 donut to officer >ratio." > >I'm pretty sure I saw bin Laden working in "Kabab King" in Jackson Heights. > I know it's him 'cause when I ordered I saw him spit on my Kababs. I >said, "yo Osama...what the fuck're you doin' to my Kebabs". His reply: >"Fuck you infidel. You want Pakistani food go to a buffet down the street." > >As for targeting Financial Institutions, I went and painted a giant "JP >Morgan" symbol on the roof of Madison Square Garden last week. Think it'll >work? If it doesn't, like I said I'll try to sniff a hotspot from under the >rubble for one last Cypherpunks post. > >-TD > > > >>From: Sunder >>To: "J.A. Terranson" >>CC: "cypherpunks at al-qaeda.net" >>Subject: Re: Al-Q targeting NY corporations? >>Date: Sun, 1 Aug 2004 12:58:46 -0400 (edt) >> >> >> >> >>I've a better idea for the terrorists who may be paying attention, why not >>just leave NYC alone and target something more useful to take out - like >>Microsoft, for example. >> >>IMHO, the planes that were targeted at the WTC would have been better >>directed at various Redmond, WA buildings. They're after all a very big >>company with a lot of billions - that would have been far more spectacular >>an attack than a couple of profitless eyesores blocking everyone's view of >>the Statue of Liberty. >> >>And what's with attacking the pentagon? They're the biggest sink of Evil >>American Taxpayer funds after all. Don't you want your enemies wasting >>billions of dollars on shitty airplanes and helicopters that crash >>themselves? >> >>Besides, if you want to piss off the NY Cops, don't attack One Police >>Plaza, take out Dunkin Donuts and Krispy Kreme joints... 
well, wait, I >>kinda like Krispy Kreme once in a while, ok, just Dunkin Donuts... Or >>better yet, don't! The artery clogging fat and the diabetes inducing >>sugar+starch already do plenty. Nah, if you're an Al Qaeda member, it's >>your duty to open up more donut shops and in fact, have a policy of free >>donuts to every cop. In fact, you should send crates of donuts to every >>police precinct several times a day. I'd suggest a 10:1 donut to officer >>ratio. >> >>Ditto for McDonalds foods. Add extra grease. The hydrogenated soybean >>kind! >> >>And why bother taking out the bridge to NJ - after all, NJ is where all >>the stench is (remember that old joke: Girlfriend "Kiss me where it >>smells," Boyfriend: "Ok, let's drive to NJ!" You're better off leaving >>that bridge alone, so commuters can be terrorized by the industrial stench >>as they drive through, and by all the delays. In fact, if you're an Al >>Qaeda engineer, you'll want to BUILD more bridges to NJ, so more Satan >>Loving American Infidels will get sickened by it. >> >>Oh yeah, and be sure to vote for Bush. He'll be sure to fuck the economy >>even worse and put more draconian laws into effect. You Al-Qaeda types >>hate us for having freedom, right? So Dubbya's your perfect boy for that. >> >> >>That's the real way to be a terrorist, not by wasting your time on some >>dumb ass fireworks by airplane. Pshaw, only amateur terrorists do it that >>way. >> >> >> >>----------------------Kaos-Keraunos-Kybernetos--------------------------- >> + ^ + :"I find it ironic that, on an amendment designed to protect /|\ >> \|/ :American democracy and our constitutional rights, the /\|/\ >><--*-->:Republican leadership in the House had to rig the vote and \/|\/ >> /|\ :subvert the democratic process in order to prevail" \|/ >> + v + : -- Rep. Sanders re vote to amend the US PATRIOT ACT. >>-------------------------------------- http://www.sunder.net ------------ >> >>On Sun, 1 Aug 2004, J.A. 
Terranson wrote: >> >> > Article below. >> > >> > Just in case AQ is listening, I'd like to remind them that there are >>some >> > other states that also have some *really* good targets ;-) But, if >>you're >> > just "stuck" on New York, let me make my recommendations: >> > > From shaddack at ns.arachne.cz Sun Aug 1 13:22:46 2004 From: shaddack at ns.arachne.cz (Thomas Shaddack) Date: Sun, 1 Aug 2004 22:22:46 +0200 (CEST) Subject: Terrorists wear neckties. Message-ID: <0408012210560.-1317379548@somehost.domainz.com> I don't worry about car bombs nor hijacked airplanes. I have a better chance of being killed in a standardized ISO-compliant CE-marked car crash than getting into mere visual contact with a bomb blast. On the other side, the streams of bureaucrap the Hellhole also known as Brussels spews every day are filling my heart with genuine fear. Forget about turbans. Real terrorists wear neckties. From adam at cypherspace.org Mon Aug 2 02:36:26 2004 From: adam at cypherspace.org (Adam Back) Date: Mon, 2 Aug 2004 05:36:26 -0400 Subject: you can't argue with economics (Re: On how the NSA can be generations ahead) In-Reply-To: <410C3E5C.8E8891C@cdc.gov> References: <410C3E5C.8E8891C@cdc.gov> Message-ID: <20040802093626.GA22379@bitchcake.off.net> But most cryptanalysis types of things are economic defenses. (ie you can spend $lots you can break; or you don't have enough $ to build because the $ at current tech is an astronomical multiple of the US national debt). 
So if the NSA are being stupid, and uneconomical with the black budget (and it's not that hard for large organizations even with competition to be stupid), then they will be even less likely to break things that they could break than if they outsourced the whole thing. Probably to their advantage, I presume they do in fact outsource many things and of course buy large expensive bits of machinery and components, as anyone must do. So anyway, doing uneconomical things with the black budget they would lessen their chance of breaking various things, not increase it. Now the sheer scale of the black budget allows some things, but no doubt their best strategy will be to do economical things wrt their objectives and priorities and put as much as they can out for commercial tender, and/or try to create internal competition or something. Adam On Sat, Jul 31, 2004 at 05:50:36PM -0700, Major Variola (ret) wrote: > Tyler D asked about how the NSA could be so far ahead. > Besides their ability to make 2" sq. chips at 10% yield (not > something a commercial entity could get away with) > they can also *thin and glue* those chips into say stacks > of 5 thinned die. > > 2" sq = 4 x performance > 5 thinned die with GHz vias = 20 x performance. > > Both are uneconomical but feasible. Get it? > > Any questions? > > ----- > all your burst-mode wall-chair-molding-bugs in the state dept are belong > to us... From rah at shipwright.com Mon Aug 2 05:31:18 2004 From: rah at shipwright.com (R. A. Hettinga) Date: Mon, 2 Aug 2004 08:31:18 -0400 Subject: Prosecutors See Potential Break In Terrorism-Financing Probe Message-ID: The Wall Street Journal August 2, 2004 WORLD NEWS Prosecutors See Potential Break In Terrorism-Financing Probe By GLENN R. 
SIMPSON Staff Reporter of THE WALL STREET JOURNAL August 2, 2004; Page A4 WASHINGTON -- Federal prosecutors investigating terrorism financing said they hope to unravel the murky finances of some major fundamentalist groups, after winning cooperation from a key fund-raiser for Islamic causes in the U.S., Europe and the Middle East. Lawyers for the fund-raiser -- prominent Muslim activist Abdurahman Alamoudi -- said the Justice Department's belief that he has information on Islamist terror networks is a fantasy. Mr. Alamoudi on Friday pleaded guilty to tax and immigration fraud and violating terrorism sanctions on Libya, in a bargain with prosecutors. (See related article1.) "There is not a shred of evidence" linking Mr. Alamoudi to Islamist terror groups, his lawyer Stanley Cohen told reporters outside the courthouse in Alexandria, Va., where Mr. Alamoudi confessed. While Mr. Alamoudi admits to involvement in a plot to kill the Crown Prince of Saudi Arabia, "none of that involves Hamas, Al Qaeda or jihad," Mr. Cohen said. The government takes a very different view. "Alamoudi was a major player in the financial support of terrorism," said Paul McNulty, U.S. attorney for the Eastern District of Virginia. "Mr. Alamoudi's decision to cooperate with the government will help us gain additional insight into terrorist activities," added Gary Bald, assistant director of the Federal Bureau of Investigation's counterterrorism division. The contradictory statements suggest the government's "cooperation agreement" with Mr. Alamoudi is likely to be severely tested in coming weeks and months. While Mr. Alamoudi and his lawyer Mr. Cohen have seemed almost eager to give up his Libyan financial backers including Col. Muammar Gadhafi, the Libyan leader, it appears the Libyans aren't who the government really wants. The charges to which Mr. Alamoudi confessed do little to help build a case against Libya, which is in a diplomatic rapprochement with the U.S. 
after agreeing several months ago to give up its weapons of mass destruction. On the other hand, prosecutors do see Mr. Alamoudi as a central figure in their sprawling, multipronged investigation into fundamentalist fund-raising in Northern Virginia. Mr. Alamoudi, who was born in Eritrea, has little ideological loyalty to the Libyan regime, whose origins are secular, socialist and nationalist. His background is deeply Islamist and rooted in the Muslim Brotherhood, a militant fundamentalist society founded in Egypt that seeks world government under the Quran whose leaders often provide ideological justification for terrorism. Mr. Cohen is well known to federal prosecutors for his pro-Palestinian rhetoric and a client list that includes many Hamas and Al Qaeda figures. Still, Mr. Cohen doesn't deny the plain language of Mr. Alamoudi's deal. "He will provide honest and complete and candid cooperation," he promised. In several court filings, prosecutors have disclosed numerous links between Mr. Alamoudi and alleged terrorists and their supporters, including top Hamas leaders and some alleged supporters of al Qaeda. In addition, Mr. Alamoudi admitted in court that two prominent Saudi dissidents in London were key figures in the plot to kill Saudi Crown Prince Abdullah that was broken up last fall. The government has a good deal of leverage to get what it wants. Mr. Alamoudi won't be sentenced until Oct. 15, and while he faces as many as 23 years in prison, a good word from prosecutors could net him far less. Moreover, since he pleaded guilty to an immigration charge, his wife's status as a U.S. citizen is at the mercy of the government. -- ----------------- R. A. Hettinga The Internet Bearer Underwriting Corporation 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." 
-- Edward Gibbon, 'Decline and Fall of the Roman Empire' From dave at farber.net Mon Aug 2 05:31:48 2004 From: dave at farber.net (David Farber) Date: Mon, 2 Aug 2004 08:31:48 -0400 Subject: [IP] Bulk of 2004's virus infections pinned on one man Message-ID: Begin forwarded message: From measl at mfn.org Mon Aug 2 08:02:40 2004 From: measl at mfn.org (J.A. Terranson) Date: Mon, 2 Aug 2004 10:02:40 -0500 (CDT) Subject: Anonymizer outsourcing customer data? In-Reply-To: <20040802145126.9748A115C8@mail.cypherpunks.to> References: <20040802145126.9748A115C8@mail.cypherpunks.to> Message-ID: <20040802100139.D45634@ubzr.zsa.bet> On Mon, 2 Aug 2004, Anonymous via the Cypherpunks Tonga Remailer wrote: > Return-Path: ^^^^^ || || > Received: from anonymizer.lyris.net ([64.62.197.139]) > From: "Anonymizer.com" > Subject: PrivacyShield Alert - July 2004 > > [....] > > The previous mail messages appeared to have "local to Anonymizer" mail > delivery systems sending them. > > Does it bother anyone else that Anonymizer is outsourcing its customer > information? Yes, this bugs me. But the person they outsourced it *to* scares me even more! -- Yours, J.A. Terranson sysadmin at mfn.org 0xBD4A95BF "...justice is a duty towards those whom you love and those whom you do not. And people's rights will not be harmed if the opponent speaks out about them." Osama Bin Laden - - - "There aught to be limits to freedom!" George Bush - - - Which one scares you more? From rvh40 at insightbb.com Mon Aug 2 12:37:02 2004 From: rvh40 at insightbb.com (Randall) Date: August 2, 2004 12:37:02 AM EDT Subject: Bulk of 2004's virus infections pinned on one man Message-ID: (And he may even be guilty!) 
http://news.com.com/Bulk+of+year%27s+PC+infections+pinned+to+one+man/ 2100-7349_3-5287664.html?tag=st.pop Bulk of year's PC infections pinned to one man By Munir Kotadia Special to CNET News.com http://news.com.com/2100-7349-5287664.html Story last modified July 28, 2004, 2:08 PM PDT Sven Jaschan, self-confessed author of the Netsky and Sasser viruses, is responsible for 70 percent of virus infections in 2004, according to a six-month virus roundup published Wednesday by antivirus company Sophos. The 18-year-old Jaschan was taken into custody in Germany in May by police who said he had admitted to programming both the Netsky and Sasser worms, something experts at Microsoft confirmed. (A Microsoft antivirus reward program led to the teenager's arrest.) During the five months preceding Jaschan's capture, there were at least 25 variants of Netsky and one of the port-scanning network worm Sasser. Graham Cluley, senior technology consultant at Sophos, said it was staggering that one person could be responsible for so many infections. Richard Starnes, president of security industry group ISSA UK, was also impressed: "Is he going to put this on his CV?" he asked. Cluley said there is still a chance that others may be implicated in the Netsky virus, although so far no one else has been arrested. "The full story of the Netsky gang isn't known yet. We know some of his fellow students have been questioned, but the real motives are not fully known," said Cluley. According to Sophos, the Sasser worm came out on top with 26.1 percent of infections, while Netsky.p, Netsky.b and Netsky.d take second, third and fourth places respectively. The only non-Jaschan viruses in the top 10 are MyDoom.a (fifth place), Zafi.b (sixth place), Sober.c (ninth place) and Bagle.a (tenth place). 
"Sasser may have taken top spot, but six of the biggest viruses of the last six months were Netsky and Bagle variants--these caused a continued nuisance for PC users the world over as their authors entered into a very public game of virus writing one-upmanship," said Cluley. Starnes said that although Jaschan has been arrested, there are always other people willing to step into his shoes. "Virus writers tend to grow out of the hobby, but hackers do not tend to stop. There is a high turnover rate in the virus-writing community. There will always be somebody there to step in to fill the gap," he said. Cluley agreed, but pointed out that organized criminals are increasingly getting involved in virus writing and are less likely to be caught because they tend to be more careful. "There is a greater criminal element in virus writing than ever before. If you are an organized gang making money out of viruses and hacking, you don't go around bragging or having a playground scuffle that results in one of your number grassing you up to Microsoft," said Cluley. Munir Kotadia of ZDNet UK reported from London. 
------------------------------------- You are subscribed as eugen at leitl.org To manage your subscription, go to http://v2.listbox.com/member/?listname=ip Archives at: http://www.interesting-people.org/archives/interesting-people/ ----- End forwarded message ----- -- Eugen* Leitl leitl ______________________________________________________________ ICBM: 48.07078, 11.61144 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE http://moleculardevices.org http://nanomachines.net [demime 1.01d removed an attachment of type application/pgp-signature] From bill.stewart at pobox.com Mon Aug 2 14:18:38 2004 From: bill.stewart at pobox.com (Bill Stewart) Date: Mon, 02 Aug 2004 14:18:38 -0700 Subject: [Politech] A close look at John Kerry's *real* tech agenda [ip] In-Reply-To: <20040802103506.A19726@baltwash.com> References: <20040802103506.A19726@baltwash.com> Message-ID: <6.0.3.0.0.20040802135046.037c2810@pop.idiom.com> At 08:35 AM 8/2/2004, Declan wrote: >http://news.com.com/2010-1028-5291476.html John Kerry is not our friend on this issue. If you've read Alexander Cockburn's article on Kerry's Vietnam record, he's not good on peace issues either. On the other hand, he's not Bush. While he and Edwards both like PATRIOT, he's not as aggressive about it as Bush, and while he did murder people in Vietnam, he was doing it retail-level, while Bush does it wholesale. It's definitely a lesser-of-two-evils game, and it's more like Cthulhu vs. Hastur rather than Cthulhu vs. Bambi or even Godzilla. Fortunately, here in California, Bush looks like he's way behind, so it's safe to vote Libertarian (or Green, or Naderite, or other parties), but nationwide it's "Go, Hastur! Hastur! Hastur! aaarghff..." Meanwhile, Tom Ridge has raised the National Fearmongering Level from "wolf wolf wolf" to "wolf wolf wolf wolf" for NYC, DC, and NJ. 
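The keysearch arithmetic that John Kelsey asks readers to do in the message that follows ("Do the math"), and Major Variola's later point in this thread that a key derived from a passphrase is only as hard to find as the passphrase, worked through as an added example. This is not code from any list member. The "suitcase" rate of 2^40 keys per second, the deadlines, the dictionary size and the mangling factor are constructed assumptions chosen only to make the numbers concrete; the thermodynamic floor is a floor, not an estimate of what real hardware costs.

```python
"""Keysearch economics, worked through.

Added example; not code written by anyone in this thread. Every hardware
figure below (cracker speed, deadline, dictionary size, mangling factor)
is a constructed assumption chosen only to make the arithmetic concrete.
"""
import math

BOLTZMANN_J_PER_K = 1.380649e-23
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def expected_trials(bits):
    """Keys tried, on average, before a brute-force search hits the right
    one: half of the 2**bits keyspace. Accepts fractional bits so that an
    entropy estimate can be fed straight in."""
    return 2.0 ** (bits - 1)


def seconds_to_search(bits, keys_per_second):
    """Expected wall-clock time for one machine (or one fleet) that tests
    keys_per_second candidates."""
    return expected_trials(bits) / keys_per_second


def years_to_search(bits, keys_per_second):
    return seconds_to_search(bits, keys_per_second) / SECONDS_PER_YEAR


def units_for_deadline(bits, deadline_seconds, keys_per_second_per_unit):
    """How many crackers of a given speed must run in parallel to expect a
    hit within the deadline. Kelsey's 'build 2^56 such suitcases' is this
    computation for a 56-bit suitcase pointed at a 112-bit search."""
    return math.ceil(expected_trials(bits) / (deadline_seconds * keys_per_second_per_unit))


def landauer_floor_joules(bits, kelvin=300.0):
    """Thermodynamic lower bound on the energy of the expected search:
    Landauer's principle charges at least kT ln 2 per bit erased, and each
    trial must erase at least one bit. Real hardware sits many orders of
    magnitude above this, so treat it as a floor, not an estimate."""
    return expected_trials(bits) * BOLTZMANN_J_PER_K * kelvin * math.log(2)


def passphrase_bits(dictionary_size, words, mangling_variants=1):
    """Entropy of a key derived from a passphrase of `words` words chosen
    uniformly from a list of `dictionary_size`, when the attacker also
    enumerates `mangling_variants` case/leet/suffix tweaks per word.
    This is the 'deterministically derived from something in your head'
    case: the search space is the passphrase space, not 2**128."""
    return words * math.log2(dictionary_size * mangling_variants)


def summary():
    """Constructed scenario: one 'suitcase' tests 2**40 keys/s (assumption)."""
    suitcase_rate = 2 ** 40
    return {
        # A single suitcase clears DES's 56-bit space in hours.
        "des_hours_one_suitcase": seconds_to_search(56, suitcase_rate) / 3600,
        # Suitcases needed to finish a 112-bit search in ~18 hours (2**16 s).
        "suitcases_for_112_bits": units_for_deadline(112, 2 ** 16, suitcase_rate),
        # A billion suitcases against one random 128-bit key, in years.
        "years_128_bits_1e9_suitcases": years_to_search(128, suitcase_rate * 10 ** 9),
        # Energy floor for 128- and 256-bit searches, in joules.
        "landauer_128": landauer_floor_joules(128),
        "landauer_256": landauer_floor_joules(256),
        # Four words from a 50k-word list, attacker tries 8 tweaks per word.
        "passphrase_4x50k_mangled": passphrase_bits(50_000, 4, 8),
        # Eight words from a 65,536-word list reach 128 bits with no tweaks.
        "passphrase_8x64k": passphrase_bits(2 ** 16, 8),
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name:32s} {value:.4g}")
```

Running it prints the scenario table: one constructed suitcase clears a 56-bit space in about nine hours, a 112-bit search finished within eighteen hours needs 2^55 of them, and a billion of them take on the order of five billion years against a single random 128-bit key. Feeding passphrase_bits into years_to_search is the contrast Variola draws: four dictionary words with eight mangling variants each is about 74 bits, which one constructed suitcase clears in a few hundred years and a thousand of them in months, while eight words drawn uniformly from a 65,536-word list reach the full 128 bits.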
From kelsey.j at ix.netcom.com Mon Aug 2 11:39:52 2004 From: kelsey.j at ix.netcom.com (John Kelsey) Date: Mon, 2 Aug 2004 14:39:52 -0400 (GMT-04:00) Subject: Email tapping by ISPs, forwarder addresses, and crypto proxies Message-ID: <8225785.1091471993457.JavaMail.root@kermit.psp.pas.earthlink.net>

-----Original Message----- From: "Major Variola (ret)" Sent: Jul 30, 2004 10:25 PM To: "cypherpunks at al-qaeda.net" Subject: Re: Email tapping by ISPs, forwarder addresses, and crypto proxies

The "profitably" part is a non-issue when you have black budgets, ie $400 toilet seats.

This is silly. They have black budgets, but not infinite ones. Given their budget (whatever it is), they want to buy the most processing bang for their buck. I doubt they can do that substantially better than anyone else. I'd expect them to be really clever at finding tricks to optimize keysearch of various kinds, but not to have better microprocessor technology than the rest of the world.

Bottom line: they're not ahead in tech, but they can make things that private-co engineers only dream of. DesCrack is a suitcase, get it?

So, then they can break 3-key 3DES with moderate numbers of texts as soon as they can build 2^{56} such suitcases, right? And power them, and get rid of their waste heat.... I'll let you speculate on AESCrack :-)

Do the math, and you'll see how implausible 128-bit keysearch is. Maybe there are better attacks on AES (the algebraic stuff doesn't seem to have gone anywhere, but it still might), but if keysearch is all we have to worry about, and nontrivial quantum computers remain impractical to build, then 128-bit keys are as secure as we're ever likely to need, and 256-bit keys more or less eliminate keysearch of any kind from the list of things we need ever worry about again. 
--John From eugen at leitl.org Mon Aug 2 05:40:56 2004 From: eugen at leitl.org (Eugen Leitl) Date: Mon, 2 Aug 2004 14:40:56 +0200 Subject: [IP] Bulk of 2004's virus infections pinned on one man (fwd from dave@farber.net) Message-ID: <20040802124056.GC1400@leitl.org> ----- Forwarded message from David Farber ----- From nobody at cypherpunks.to Mon Aug 2 07:51:26 2004 From: nobody at cypherpunks.to (Anonymous via the Cypherpunks Tonga Remailer) Date: Mon, 2 Aug 2004 16:51:26 +0200 (CEST) Subject: Anonymizer outsourcing customer data? Message-ID: <20040802145126.9748A115C8@mail.cypherpunks.to> Recently I received the Anonymizer "PrivacyShield Alert", as an Anonymizer user, and was distressed to note that it appears Anonymizer has now outsourced its mail and marketing infrastructure. Partial headers from new mail system: From eugen at leitl.org Mon Aug 2 08:17:03 2004 From: eugen at leitl.org (Eugen Leitl) Date: Mon, 2 Aug 2004 17:17:03 +0200 Subject: Giesecke & Devrient Message-ID: <20040802151703.GN1400@leitl.org> Assuming I generate a key on a RSA smart card made by G&D, what kind of prestige track do these people have? They seem to be pretty secretive, that's not a good sign. -- Eugen* Leitl leitl ______________________________________________________________ ICBM: 48.07078, 11.61144 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE http://moleculardevices.org http://nanomachines.net [demime 1.01d removed an attachment of type application/pgp-signature] From eugen at leitl.org Mon Aug 2 08:45:20 2004 From: eugen at leitl.org (Eugen Leitl) Date: Mon, 2 Aug 2004 17:45:20 +0200 Subject: Giesecke & Devrient In-Reply-To: References: <20040802151703.GN1400@leitl.org> Message-ID: <20040802154520.GP1400@leitl.org> On Tue, Aug 03, 2004 at 03:36:45AM +1200, Peter Gutmann wrote: > G&D produce (or help produce) things like banknotes and passports (and have > been doing so for more than a century), the secrecy comes with the territory. 
I have no smart card background, unfortunately. I've heard G&D ignores requests from open source developer people, though. Are keywords like STARCOS SPK2.3 (Philips P8WE5032 chip), ITSEC E4 certification (with StarCert v 2.2.) etc. associated with a good security track?

Features
* ISO/IEC compatible
* Secure messaging
* Hierarchical ISO file system
* DES, 3DES
* State machine
* Logical Channels support
* Deletion of files (EF) and applications (DF)
* Enhanced hardware security
* High performance
* Implementation of various access controls (authentication)
* Data encryption with asymmetric RSA keys up to a key length of 1,024 bits
* Generation and verification of digital signatures with RSA and DSA
* On-card RSA key generation up to a key length of 1,024 bits
* The digital signature application StarCert is ITSEC E4 high certified

STARCOS SPK2.3 is available on a Philips chip with 32 kByte. Symmetric (DES, 3DES) as well as asymmetric (DSA, RSA) cryptographic methods are supported. For further information please contact: Industry & Government Team Phone: +49 (0)89 4119-1957 Fax: +49 (0)89 4119-2802 indgov.cards at de.gi-de.com

-- Eugen* Leitl leitl ______________________________________________________________ ICBM: 48.07078, 11.61144 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE http://moleculardevices.org http://nanomachines.net [demime 1.01d removed an attachment of type application/pgp-signature]

From declan at well.com Mon Aug 2 15:00:08 2004 From: declan at well.com (Declan McCullagh) Date: Mon, 02 Aug 2004 18:00:08 -0400 Subject: TERRORISTS ARE AMONG US! (Was: A close look at John Kerry's *real* tech agenda ) In-Reply-To: <6.0.3.0.0.20040802135046.037c2810@pop.idiom.com> References: <20040802103506.A19726@baltwash.com> <6.0.3.0.0.20040802135046.037c2810@pop.idiom.com> Message-ID: <410EB968.5040801@well.com> Bill, Thanks for the cogent post. Of course this isn't an issue that would divide the Republicrat Party. Keep reading. 
-Declan House Select Committee on Homeland Security Democrats JIM TURNER, Ranking Member www.house.gov/hsc/democrats/. FOR IMMEDIATE RELEASE August 2, 2004 Contact: Moira Whelan (202) 226-8827 Turner: The Terrorists Are Among Us Congressman Jim Turner, Ranking Member of the Select Committee on Homeland Security, issued the following statement regarding continued terror warnings in the Northeast and the President's announcements today: The threats on New York, New Jersey and Washington DC serve as a reminder that the terrorists are among us here at home. We have no idea how many more are still in this country surveying our ports, chemical plants and public transportation. We must assume there are other targets beyond the 5 buildings being protected today. The President's announcement endorsing the creation of a Director of National Intelligence is a step in the right direction, but long overdue. The recommendation was made over 18 months ago by the Congressional Joint Inquiry. The 9/11 Commission report makes it clear that we have not moved fast enough to protect this country and have not closed the security gaps that threaten us today. It is critical that we move forward to provide stronger homeland security and that we do it with great haste. Our terrorist enemies will not wait, and neither can we. ### From eugen at leitl.org Mon Aug 2 09:34:07 2004 From: eugen at leitl.org (Eugen Leitl) Date: Mon, 2 Aug 2004 18:34:07 +0200 Subject: Giesecke & Devrient In-Reply-To: References: <20040802154520.GP1400@leitl.org> Message-ID: <20040802163407.GS1400@leitl.org> On Tue, Aug 03, 2004 at 03:57:02AM +1200, Peter Gutmann wrote: > Nothing you can't get from a pile of other vendors who will actually talk to > you. Unless you've got some business reason to deal with them, I wouldn't > bother (I have nothing against them per se, they just do business in a way > that isn't useful to me... and I'm sure they think the same of me). 
I'm just investigating alternative uses for stuff I already need for HBCI (a kraut homebanking standard). The state of the art (especially for open source smart card support) looks pretty rudimentary. The Dell Smart Card keyboard I've got has some CCID drivers which run under Win2k but refuse XP, and this thing isn't yet properly supported by the Muscle folks or libchipcard2. We're not even talking about higher order functionality yet (RSA and 3DES), just dumb data store. Gnucash on Fink doesn't seem to support HBCI at all yet, not even mentioning smart cards. What's weird is that the banks aren't pushing this to the customers (readers are somewhere between 50 and 100 EUR, and the cheapest RSA card some 13 EUR). The phishing issues aren't yet painful here apparently, due to predominance of PIN/TAN (the dead tree variant) in online banking. -- Eugen* Leitl leitl ______________________________________________________________ ICBM: 48.07078, 11.61144 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE http://moleculardevices.org http://nanomachines.net [demime 1.01d removed an attachment of type application/pgp-signature] From mv at cdc.gov Mon Aug 2 20:23:28 2004 From: mv at cdc.gov (Major Variola (ret)) Date: Mon, 02 Aug 2004 20:23:28 -0700 Subject: Al-Q targeting NY corporations? Message-ID: <410F0530.B361447D@cdc.gov> At 12:58 PM 8/1/04 -0400, Sunder wrote: >You Al-Qaeda types >hate us for having freedom, right? You're not taken in by that mularky, are you? Read the Fatwa. Best summarized by a line from a 'Floyd song, get your filthy hands off my desert. Go for the Baltimore/Maryland prep schools. Soft targets, creamy centers. ------ Get your war on: http://www.mnftiu.cc/mnftiu.cc/war.html check the later ones... 
From mv at cdc.gov Mon Aug 2 20:29:28 2004 From: mv at cdc.gov (Major Variola (ret)) Date: Mon, 02 Aug 2004 20:29:28 -0700 Subject: On how the NSA can be generations ahead Message-ID: <410F0698.BACFB002@cdc.gov> At 05:23 PM 8/1/04 -0400, Tyler Durden wrote: > >No, the NSA is probably generations ahead in some areas, but their fabs >aren't much better than what's available commercially. Yes, upon consideration I agreed, re critical dimensions. That's why I brought up uneconomically sized chips, and the tech of thinned wafers. The point being (yes, if you can cool them) that small = fast. 1 foot per nanosecond, remember? And some of the neato-analog stuff one can do does *better* with big honkin' micron sized features, albeit on exotic materials, and the large-area/thinned argument still holds. ---- M. Atta: an army of one. From mv at cdc.gov Mon Aug 2 20:37:06 2004 From: mv at cdc.gov (Major Variola (ret)) Date: Mon, 02 Aug 2004 20:37:06 -0700 Subject: Al-Q targeting NY corporations...ah well. Message-ID: <410F0862.E3FD9A57@cdc.gov> At 09:53 PM 8/1/04 -0400, Tyler Durden wrote: >the following statements are officially* fairly cypherpunkish: >* Fuck you Variola...I just had a couple of dark Spatens ON TAP. I therefore >declare that any Cypherpunk is officially authorized to make an official >Cypherpunk statement, particularly if it a) Gets them some poontang Wouldn't that be cypherpinkish, then? Ok, Tyler, you're our official spokesman. We'll be sure to give your name when getting the no lawyers no charges no rights no shit treatment... ----- A few more Halliburton well loggers missing and we'll have enough for a crude urchin initiator... ------ "Can you hear me now?" 
-UBL From mv at cdc.gov Mon Aug 2 20:39:17 2004 From: mv at cdc.gov (Major Variola (ret)) Date: Mon, 02 Aug 2004 20:39:17 -0700 Subject: Giesecke & Devrient Message-ID: <410F08E5.E5CA1A57@cdc.gov> At 05:17 PM 8/2/04 +0200, Eugen Leitl wrote: >Assuming I generate a key on a RSA smart card made by G&D, what kind of >prestige >track do these people have? > >They seem to be pretty secretive, that's not a good sign. FWIW: They make the SIMs for T-Mobile (ie Deutsche Telekom AG) so they are part of the telco world which is a fully 0wn3d subsidiary of the Beast. From mv at cdc.gov Mon Aug 2 20:56:28 2004 From: mv at cdc.gov (Major Variola (ret)) Date: Mon, 02 Aug 2004 20:56:28 -0700 Subject: On what the NSA does with its tech Message-ID: <410F0CEC.23BA443A@cdc.gov> At 02:39 PM 8/2/04 -0400, John Kelsey wrote: >This is silly. They have black budgets, but not infinite ones. Given their budget (whatever it is), they want to buy the most processing bang for their buck. Yes. They can't break a 128 bit key. That's obvious. ("if all the atoms in the universe were computers..." goes the argument). What they can do is implement an advanced dictionary search that includes the kind of mnemonic tricks and regexps that folks typically use when coming up with "tough" passphrases. Cracking Italian anarchist PGP-equipped PDAs in their possession, things like that. If your keys are random 128, no dice (no pun intended). But if your keys are deterministically derived from something in your head, they can blaze. As well as the SIGINT stuff that takes a lot of DSP cycles. But agreed, and worth repeating, long keys can't be exhaustively searched, if they are truly random. As for WEP, GSM, etc cracking, voice recognition, etc, well, that is suitcase sized / real time stuff for them, if they want it. I imagine that the social network panopticon --eg who's ever called whom-- might take some serious exabyte datacrunching too, something the bioinformaticists would envy. 
I don't think I overestimate the adversary when I suggest that he has plenty of uses for fast hardware, and that his hardware can be more than a decade faster thanks to cost being less of a concern, even if his transistors are no smaller/faster than TSMC's or IBM's. ----- I had never met a mathematician before. He had a good sense of humor, but no matter what you said to him, he was unimpressed. -Knuth From pgut001 at cs.auckland.ac.nz Mon Aug 2 08:36:45 2004 From: pgut001 at cs.auckland.ac.nz (Peter Gutmann) Date: Tue, 03 Aug 2004 03:36:45 +1200 Subject: Giesecke & Devrient In-Reply-To: <20040802151703.GN1400@leitl.org> Message-ID: Eugen Leitl writes: >Assuming I generate a key on a RSA smart card made by G&D, what kind of >prestige track do these people have? > >They seem to be pretty secretive, that's not a good sign. G&D produce (or help produce) things like banknotes and passports (and have been doing so for more than a century), the secrecy comes with the territory. Peter. From pgut001 at cs.auckland.ac.nz Mon Aug 2 08:57:02 2004 From: pgut001 at cs.auckland.ac.nz (Peter Gutmann) Date: Tue, 03 Aug 2004 03:57:02 +1200 Subject: Giesecke & Devrient In-Reply-To: <20040802154520.GP1400@leitl.org> Message-ID: Eugen Leitl writes: >I have no smart card background, unfortunately. I've heard G&D ignores >requests from open source developer people, though. Yup. It's standard banking-industry stuff, unless you're a large bank/government/whatever and are prepared to sign over your firstborn and swear eternal secrecy, they won't talk to you. >Are keywords like STARCOS SPK2.3 (Philips P8WE5032 chip), ITSEC E4 >certification (with StarCert v 2.2.) etc. associated with a good security >track? They're associated with good buzzword-compliance. Since it's impossible to get any technical details out of them, it's rather hard to say. 
If you've got something like a PKCS #11 driver off them then you should be OK, but if you want to do any low-level work with the card yourself, find another vendor.

>Features

Nothing you can't get from a pile of other vendors who will actually talk to you. Unless you've got some business reason to deal with them, I wouldn't bother (I have nothing against them per se, they just do business in a way that isn't useful to me... and I'm sure they think the same of me).

Peter.

From pcapelli at gmail.com Tue Aug 3 05:25:12 2004 From: pcapelli at gmail.com (Pete Capelli) Date: Tue, 3 Aug 2004 08:25:12 -0400 Subject: Al-Q targeting NY corporations? In-Reply-To: <410F0530.B361447D@cdc.gov> References: <410F0530.B361447D@cdc.gov> Message-ID:

> Read the Fatwa. Best summarized by a line from a 'Floyd song,
> get your filthy hands off my desert.

Heh. So they can go back to being goatherders? trust-fund osama complaining about the evil west while taking its money is rich irony.

From jya at pipeline.com Tue Aug 3 09:20:46 2004 From: jya at pipeline.com (John Young) Date: Tue, 03 Aug 2004 09:20:46 -0700 Subject: Al-Q targeting NY corporations? In-Reply-To: References: <410F0530.B361447D@cdc.gov> <410F0530.B361447D@cdc.gov> Message-ID:

Indeed, this is the way of US founding fathers, as with today's corporations and citizenry enjoying global predation.

Rebellion against authority using its tools and resources is the only rebellion that works. And the only one feared by authorities, knowing as they do from their own practice, stealing the money from where it is, is banking 101, Dillinger a penny-ante banker like Osama.

Now, if you were enjoying your stolen wealth wouldn't you demonize and kill those who tried to do the same?

Machiavelli, ur bandit apologist, studied avidly at .mil academies and ever more war think tanks.

--

At 08:25 AM 8/3/2004 -0400, you wrote:
>
>> Read the Fatwa. Best summarized by a line from a 'Floyd song,
>> get your filthy hands off my desert.
>
>Heh.
So they can go back to being goatherders? trust-fund osama
>complaining about the evil west while taking its money is rich irony.

From sunder at sunder.net Tue Aug 3 06:52:55 2004 From: sunder at sunder.net (Sunder) Date: Tue, 3 Aug 2004 09:52:55 -0400 (edt) Subject: Al-Q targeting NY corporations? In-Reply-To: <410F0530.B361447D@cdc.gov> References: <410F0530.B361447D@cdc.gov> Message-ID:

Your sarcasm detector is down, please send it back to the manufacturer for repairs. Let's hope it's still under warranty.

----------------------Kaos-Keraunos-Kybernetos---------------------------
 + ^ + :"I find it ironic that, on an amendment designed to protect
  \|/  :American democracy and our constitutional rights, the
<--*-->:Republican leadership in the House had to rig the vote and
  /|\  :subvert the democratic process in order to prevail"
 + v + : -- Rep. Sanders re vote to amend the US PATRIOT ACT.
-------------------------------------- http://www.sunder.net ------------

On Mon, 2 Aug 2004, Major Variola (ret) wrote:

> At 12:58 PM 8/1/04 -0400, Sunder wrote:
> >You Al-Qaeda types
> >hate us for having freedom, right?
>
> You're not taken in by that malarkey, are you?

From camera_lumina at hotmail.com Tue Aug 3 09:34:24 2004 From: camera_lumina at hotmail.com (Tyler Durden) Date: Tue, 03 Aug 2004 12:34:24 -0400 Subject: Al-Q targeting NY corporations? Message-ID:

"Machiavelli, ur bandit apologist"

Very amusing turn of phrase.

>From: John Young
>To: cypherpunks at al-qaeda.net
>Subject: Re: Al-Q targeting NY corporations?
>Date: Tue, 03 Aug 2004 09:20:46 -0700
>
>Indeed, this is the way of US founding fathers, as with today's
>corporations and citizenry enjoying global predation.
>
>Rebellion against authority using its tools and resources is the
>only rebellion that works. And the only one feared by authorities,
>knowing as they do from their own practice, stealing the money
>from where it is, is banking 101, Dillinger a penny-ante banker
>like Osama.
>
>Now, if you were enjoying your stolen wealth wouldn't you
>demonize and kill those who tried to do the same?
>
>Machiavelli, ur bandit apologist, studied avidly at .mil academies
>and ever more war think tanks.
>
>--
>
>At 08:25 AM 8/3/2004 -0400, you wrote:
> >
> >> Read the Fatwa. Best summarized by a line from a 'Floyd song,
> >> get your filthy hands off my desert.
> >
> >Heh. So they can go back to being goatherders? trust-fund osama
> >complaining about the evil west while taking its money is rich irony.
>

From sunder at sunder.net Tue Aug 3 12:24:54 2004 From: sunder at sunder.net (Sunder) Date: Tue, 3 Aug 2004 15:24:54 -0400 (edt) Subject: Welcome to 1984 - almost. Message-ID:

This speaks volumes as to where intentions lie.

http://scoop.agonist.org/story/2004/8/3/84635/46365
By Anonymous in USA: Liberty Watch on Tue Aug 3rd, 2004 at 08:46:35 AM PDT

Justice Department attempting to remove public documents from libraries
American Library Association
July 30, 2004

CHICAGO -- The following statement has been issued by President-Elect Michael Gorman, representing President Carol Brey-Casiano, who is currently in Guatemala representing the Association:

Last week, the American Library Association learned that the Department of Justice asked the Government Printing Office Superintendent of Documents to instruct depository libraries to destroy five publications the Department has deemed not "appropriate for external use." The Department of Justice has called for these five public documents, two of which are texts of federal statutes, to be removed from depository libraries and destroyed, making their content available only to those with access to a law office or law library.
The topics addressed in the named documents include information on how citizens can retrieve items that may have been confiscated by the government during an investigation. The documents to be removed and destroyed include:

- Civil and Criminal Forfeiture Procedure;
- Select Criminal Forfeiture Forms;
- Select Federal Asset Forfeiture Statutes;
- Asset forfeiture and money laundering resource directory; and
- Civil Asset Forfeiture Reform Act of 2000 (CAFRA).

ALA has submitted a Freedom of Information Act (FOIA) request for the withdrawn materials in order to obtain an official response from the Department of Justice regarding this unusual action, and why the Department has requested that documents that have been available to the public for as long as four years be removed from depository library collections. ALA is committed to ensuring that public documents remain available to the public and will do its best to bring about a satisfactory resolution of this matter.

Librarians should note that, according to policy 72, written authorization from the Superintendent of Documents is required to remove any documents. To this date no such written authorization in hard copy has been issued.

From sunder at sunder.net Tue Aug 3 13:01:50 2004 From: sunder at sunder.net (Sunder) Date: Tue, 3 Aug 2004 16:01:50 -0400 (edt) Subject: On how the NSA can be generations ahead In-Reply-To: References: Message-ID:

Some interesting URLs on how this can be technologically achieved.
These are just from various news sources, nothing indicating one way or another that the boys in Ft. Meade are using any of this stuff - though DARPA is mentioned in the first link. :)

http://news.com.com/Sun+chips+away+at+wireless+chip+connections/2100-1006_3-5291289.html
http://www.uwtv.org/programs/displayevent.asp?rid=1844

So this gets around some of the limits of chip to chip interconnects, etc.

From pgut001 at cs.auckland.ac.nz Mon Aug 2 22:11:23 2004 From: pgut001 at cs.auckland.ac.nz (Peter Gutmann) Date: Tue, 03 Aug 2004 17:11:23 +1200 Subject: TERRORISTS ARE AMONG US! (Was: A close look at John Kerry's *real* tech agenda ) In-Reply-To: <410EB968.5040801@well.com> Message-ID:

>The threats on New York, New Jersey and Washington DC serve as a reminder
>that the terrorists are among us here at home.

He went on to remind citizens to stay alert, trust no-one, and keep their lasers handy.

Peter.

From rah at shipwright.com Tue Aug 3 16:12:21 2004 From: rah at shipwright.com (R. A. Hettinga) Date: Tue, 3 Aug 2004 19:12:21 -0400 Subject: The Myth of Libertarian Neutrality Message-ID:

Tech Central Station

The Myth of Libertarian Neutrality
By Edward Feser
Published 08/03/2004

Editor's note: This is the third and final article in a debate over the nature of libertarianism between Edward Feser and Will Wilkinson. Read Feser's first article here and Wilkinson's response here. Wilkinson will have more to say on this piece at his website here.
For more on this debate from TCS contributor Julian Sanchez click here. Also see more from Boston University Law Professor Randy Barnett, here. In my article "The Trouble with Libertarianism," I argued that there is no common core to the various theories usually classified as "libertarian," and that since these theories have very different moral and social implications, none can be said genuinely to be neutral between the various moral and religious worldviews prevalent in a modern pluralistic society. Will Wilkinson takes exception to my argument in his recent TCS piece. What follows is a brief reply. "Political Libertarianism" The egalitarian liberal philosopher John Rawls made a distinction in his book Political Liberalism between "comprehensive moral doctrines," which comprise detailed and controversial moral and metaphysical accounts of human nature and human society, and "political liberalism," which is intended to be neutral between such comprehensive doctrines and to provide a framework within which adherents of various doctrines can peacefully co-exist. His aim was to find a way of showing how liberalism can be defended without having to appeal to controversial moral and metaphysical claims. Inspired by Rawls, Wilkinson draws a parallel distinction between comprehensive moral doctrines on the one hand, and "political libertarianism" on the other. He suggests that political libertarianism is a neutral framework that can be defended without having to appeal to any particular comprehensive moral and metaphysical theory, including any of the moral and metaphysical theories proffered by various libertarian thinkers. The problem with my article, according to Wilkinson, is that I fail to see this distinction. My answer to Wilkinson is that I am well aware that many libertarians would try to make such a distinction, but I simply deny that they can do so successfully. Indeed, showing this was the whole point of my original article. 
Wilkinson's reply is thus little more than a prolonged exercise in begging the question. He says that: " libertarianism, construed as a practical political theory, does not require a 'deep' metaphysical justificatory theory. We needn't wait until the last libertarian utilitarian or natural rights theorist dies in the last ditch in order to say what libertarianism really is. The content of political libertarianism is to be found in the overlap between these different comprehensive libertarianisms. Something like: a relatively small state governed by a rule of law that protects rights to personal autonomy, contract, and private property from within the context of a robust and free market economy." But there are two problems with this characterization that reflect Wilkinson's failure seriously to address my argument. First, his definition doesn't say anything that an egalitarian liberal or non-libertarian conservative couldn't agree with; indeed, many egalitarian liberals and non-libertarian conservatives do in fact endorse "a relatively small state governed by a rule of law that protects rights to personal autonomy, contract, and private property from within the context of a robust and free market economy." So Wilkinson's definition fails to capture anything distinctively libertarian. The second, related, problem is that what counts as e.g. "rights to personal autonomy, contract, and private property" and a "relatively small state" -- something Wilkinson would have to elaborate upon in order to make his definition informative -- is itself extremely controversial, and controversial not only between libertarians and non-libertarians, but even among libertarians themselves. 
It is therefore no good to point to a commitment to "rights," "the rule of law," and the like either as the common core of all libertarian theories or as the one thing that all members of a pluralistic modern society can agree on, because the content of these ideas is precisely what everyone disagrees about. Wilkinson might as well argue that libertarianism, egalitarian liberalism, socialism, and communism are all really varieties of the same doctrine, because they "overlap" in their commitment to "freedom." Finding some terminology that adherents of various positions all use hardly suffices to demonstrate that there is some substantive view they all have in common; what needs to be shown is that they use that terminology in more or less the same way. To take two examples I appealed to in my original article, suppose we want to know whether Wilkinson's "political libertarianism" entails a right to abortion and/or same-sex marriage. One claim Wilkinson makes on behalf of "political libertarianism" (paralleling the claim Rawls makes on behalf of "political liberalism") is that it is a view that ought to appeal to a sense of justice shared by all the members of a pluralistic society. But either way one answers the question I just posed, it is blindingly obvious that "political libertarianism" does not have such an appeal. For many secularists and for the typical contractarian or utilitarian moral theorist (libertarian or otherwise), abortion and same-sex marriage are going to count as perfectly just, so that no prohibition of either of them can be justified. 
But for the pious Muslim, orthodox Jew, or traditional Christian, as well as for the typical natural law theorist (religious or secular), abortion and same-sex marriage are going to count as paradigms, not only of immorality, but of injustice: injustice in the first case because abortion is regarded by such people as murder, and injustice in the second case because the stability of the traditional family is regarded by them as the foundation of any just social order (libertarian or otherwise) and they typically regard same-sex marriage as a threat to such stability. So for one group, justice requires allowing abortion and/or same-sex marriage, and for the other, justice requires forbidding them. It follows that whether or not "political libertarianism" allows for abortion and same-sex marriage, it is inevitably going to be a conception which is far from neutral between competing comprehensive doctrines. And this becomes only more obvious when we consider that the reasons people differ over the justice or injustice of the practices in question are also going to entail differences over the justice or injustice of such practices as homosexual adoption, cloning, embryonic stem cell research, and so on and on. Moreover, since libertarian theorists themselves are going to disagree on these issues, it is obvious that there is no interesting common core to all the theories usually classified as "libertarian." A libertarian motivated by contractarianism might plausibly regard the outlawing of abortion as unjust, while a libertarian motivated by natural law considerations might plausibly regard the permitting of abortion as unjust. A libertarian of a utilitarian bent might plausibly regard the legalization of same-sex marriage as legitimate, while a Hayekian libertarian might plausibly regard it as a dangerous and unjustifiable tampering with inherited institutions. 
Their disagreements are going to derive not only from the very different foundations they give for libertarian conceptions of "justice," "rights," and the like, but also from the very different conceptions they thereby arrive at of what "justice" and "rights" amount to in the first place. A libertarian whose creed is based on an Aristotelian-natural law conception of morality, for example, doesn't just differ from a utilitarian libertarian in what grounds rights and justice; he has a totally different conception of what rights and justice are. As a result, the more socially and morally conservative sort of libertarian may well find that he is closer in theory and practice to the Burkean or natural law conservative than he is to "socially liberal" libertarians; while the more socially liberal libertarian might find that he is closer in theory and practice to the egalitarian liberal than he is to the morally conservative libertarian. This is why I suggested in my original article that when libertarians of various stripes "get clear about exactly what they believe and why they might find that their particular version of libertarianism commits them -- or ought to commit them -- to regard as rivals those they might once have considered allies." (The standard three-way classification of the most prominent views in American political thinking as "conservative, libertarian, and egalitarian liberal" might accordingly be less helpful and less revealing than an alternative two-way classification, such as "libertarian and non-libertarian conservatives versus egalitarian and non-egalitarian liberals.") In any event, Wilkinson's characterization of "political libertarianism" doesn't reveal a substantial common core to these various versions of libertarianism, but merely papers over their very real differences by appealing to a conception of rights and justice that is too vague to be informative. 
There is just no way plausibly to disengage the content of libertarianism from its philosophical foundations in the manner Wilkinson recommends. It helps not one whit for Wilkinson to suggest that the deep disagreements between comprehensive doctrines that exist in contemporary society can be mitigated within the context of "political libertarianism" by appealing to "evidence from psychology and the social sciences -- evidence not grounded in special, controversial, philosophical assumptions." For one thing, if Wilkinson really thinks that psychology and social science in general are free from "controversial philosophical assumptions," then he doesn't know much about either social science or philosophy. For another thing, even the harder sciences could surely do nothing to settle the deepest disagreements. Opponents of abortion would say that it is just a biological fact that the fetus is a human being from the point of conception, and then conclude, from this and from the moral premise that every human being has an inviolable right to life, that the fetus has a right to life. Defenders of abortion would claim either that the fetus is only "potentially human" or that while it might be human, it is not a "person"; and in either case, they would draw the inference that it has no right to life. At bottom, the dispute here is not scientific, but moral and metaphysical, and cannot be settled without addressing the underlying moral and metaphysical issues. The same thing is true of the debate over whether there is a right to same-sex marriage: what counts as "marriage," as a "right," and so forth, are issues that cannot even properly be understood, much less settled, outside the context of substantive moral theory. Social and natural science are in principle incapable of breaking the deadlock. 
A dilemma Now the point of all this (as I hasten to add for those readers about to bombard me with hysterical emails about abortion and same-sex marriage) isn't to decide here which view regarding abortion or same-sex marriage is correct. It is rather to note that both sets of views can be defended on grounds of justice by appealing to sophisticated comprehensive doctrines held by millions of people in contemporary pluralistic societies. As I noted in my original article, Rawls's way of dealing with this sort of problem was to hold that "political liberalism" need be neutral only between "reasonable" comprehensive doctrines. The result is that Rawls seems faced with a dilemma: he must either give so little content to the key concepts of "reasonable" and "political liberalism" that his view amounts to a useless tautology -- "political liberalism" is just whatever is compatible with all "reasonable" comprehensive doctrines, where a doctrine is "reasonable" only if it is compatible with "political liberalism" -- or he must give so much content to them that he will end up having to dismiss as "unreasonable" and "illiberal" a great many views held by a great many members of contemporary pluralistic societies, thus undermining his claim to be presenting a view that will solve the problem of showing how adherents of the competing comprehensive doctrines prevalent in such societies can peacefully co-exist. That Rawls opts for the second horn of the dilemma is evidenced by his incorporation into "political liberalism" of the redistribution of wealth entailed by his famous "difference principle," and by his notorious suggestion that opponents of legalized first-trimester abortions ought not to be regarded as "reasonable." But this just shows how disingenuous is his claim to "neutrality": Rawls's view is "neutral" only between those doctrines whose adherents are willing to submit to the standard egalitarian liberal line on social and economic questions. 
It can thus have no rational appeal for those who did not already agree with Rawls before they read his book, and his claim to be showing a way to divide through the most contentious issues facing modern pluralistic societies is revealed to be bogus. Wilkinson seems faced with the same dilemma. Now it might seem, from the vacuity of the definition he gives "political libertarianism," that he embraces the first horn. But given the tone of his piece -- especially the bizarre and unfounded accusation at the end of it that I want to force "Roman Catholicism and Aristotelian metaphysics" on everyone -- one suspects that Wilkinson is no fan of the conservative sort of morality often associated with natural law theory, and would probably like to formulate "political libertarianism" in such a way that a prohibition on abortion, say, is incompatible with it. (This is, I grant, just an educated guess, since Wilkinson is so extremely vague about what his position implies with respect to specific problem cases like abortion -- as he has to be if his view is to sound even remotely plausible.) As with Rawls, then, the second horn of the dilemma is probably the one Wilkinson would embrace, given his apparent broader commitments. But once he embraces it, it is also clear that the "neutrality" he favors is as phony as Rawls's. For natural law opponents of abortion would hold that it is a requirement of justice that all human beings, including the unborn, have their right to life protected by the state; in their view, no just government can allow abortion, any more than it can allow slavery. And any view that insists that abortion be legalized will, from the point of view of the natural law theorist, thereby be imposing a particular moral view (and a false one at that) upon others -- in particular, upon the unborn -- just as the institution of slavery was an imposition of slaveholders' erroneous moral views upon slaves. 
Like Rawls's "political liberalism," Wilkinson's "political libertarianism" would have to define away the problem this poses for his alleged "neutrality" by simply stipulating that the opponent of legalized abortion is "unreasonable." Moreover, since there are many libertarians (including some motivated by natural law theory) who would hold that a libertarian state cannot allow abortion (since they take abortion to violate the rights of the unborn), Wilkinson will also have to stipulate that such people are just not "real" libertarians after all. Both Rawls and Wilkinson start out promising a great breakthrough in political thought, one which promises at long last to solve the problem of pluralism; but the "solution" ends up being little more than a proposal to define those who disagree with them out of legitimate political discussion. When the semantic game-playing is put to one side, however, it is clear that, whatever one thinks of abortion, both pro-choice and pro-life advocates can be reasonable (in the everyday sense of "reasonable," rather than the ideologically loaded Rawlsian or Wilkinsonian sense); and it is also clear that any view (whether one chooses to call it "political libertarianism" or not) which requires either legalized abortion or a prohibition on abortion is not genuinely neutral between all reasonable worldviews. It is obvious too that a vast theoretical and practical gulf separates pro-life and pro-choice libertarians, just as a vast theoretical and practical gulf separated those believers in natural rights who held slavery to be legitimate from those who held it to be unjust. Differences this big cannot fail to reflect deep differences over the nature of justice, rights, and the bearers of rights.
Both the claims of my original article are thereby confirmed: the differences between the various versions of libertarianism are more significant than the similarities; and once one gets clear about exactly which version of libertarianism one is talking about, one will see that it is not genuinely neutral between all reasonable comprehensive doctrines. Wilkinson writes that "The mark of political maturity is waking up to the irremediable complexity and diversity of our social world. Feser appears not to have awakened." But it is Wilkinson who is asleep; indeed, he's living in a dreamworld. For he fails to take seriously just how irremediably complex and diverse our social world is. It is in fact so complex that only a fool could believe that the deep moral disagreements that divide it can be ignored for the purposes of politics, that all "reasonable" people will inevitably abide by the allegedly "neutral" rules of Wilkinson's conception of "political libertarianism" -- a conception that one suspects just happens to square perfectly with Wilkinson's own personal moral predilections, whatever they are (even as Rawls's "neutral" framework just happens -- what are the odds?! -- to reflect precisely the sensibilities of the typical Ivy League university professor). Contrary to what some readers of my original piece suppose, I am not hostile to all versions of libertarianism; in fact I am partial to a version that combines elements drawn from the Aristotelian and the Hayekian traditions. But I would not for a moment pretend that this view is "neutral" between the comprehensive doctrines prevalent in modern pluralistic society. It is no more neutral than any other view is, least of all Wilkinson's. The Rawlsian quest to find some such neutral position is understandable given the depth and fierceness of the moral disagreements that plague contemporary political life, but it is a hopeless one. 
These disagreements and their inevitable political consequences cannot be wished away -- or defined away -- and libertarians do themselves no credit by pretending otherwise.

Edward Feser (edwardfeser at hotmail.com) is the author of On Nozick (Wadsworth, 2003).

--
-----------------
R. A. Hettinga
The Internet Bearer Underwriting Corporation
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

From mv at cdc.gov Tue Aug 3 19:45:06 2004 From: mv at cdc.gov (Major Variola (ret)) Date: Tue, 03 Aug 2004 19:45:06 -0700 Subject: Al Qaeda crypto reportedly fails the test Message-ID: <41104DB2.AA5FDC87@cdc.gov>

At 10:18 PM 8/3/04 +0100, Ian Grigg wrote:
> http://www.thesmokinggun.com/archive/jihad13chap3.html
>[Moderator's Note: One wonders if the document on the "Smoking Gun"
>website is even remotely real. It is amazingly amateurish -- the sort
>of code practices that were obsolete before the Second World War. --Perry]
> Perry M.
>The Cryptography Mailing List
>Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

I work(ed) for a major keiretsu soon bringing crypto to public scanner/printer/copier to your airport or hotel. When I suggested that the paper that folks write strong passphrases on be backed by glass or metal instead of a pad of paper, they laughed.
One form of "crypto" I was forced to manufacture was obviously susceptible to replay attacks if you merely leased the same model scanner/printer/copier for a week and had a Pringles can during transmission. Or rev-eng the driver. Convenience trumps security once again. Not surprising the dinosaurs largely died out, the more I see of them.

Today I pointed out that their 802.11 blah gizmo was inside a Faraday cage ie a locked sheet metal cabinet. No wonder their wifi didn't work, eh? Not making this up...

From rah at shipwright.com Wed Aug 4 05:47:10 2004 From: rah at shipwright.com (R. A. Hettinga) Date: Wed, 4 Aug 2004 08:47:10 -0400 Subject: IRS may use First Data info for help in finding tax evaders Message-ID:

The Denver Post

IRS may use First Data info for help in finding tax evaders
By Andy Vuong
Denver Post Staff Writer
Wednesday, August 04, 2004 -

A federal judge has granted the Internal Revenue Service the right to seek information from First Data Corp. about certain credit-card transactions the company has processed. The IRS wants the information as part of its crackdown on tax evaders.

Specifically, the IRS wants information about holders of American Express, Visa and MasterCard credit cards that were issued by or on behalf of certain offshore financial institutions. The government listed more than 30 offshore jurisdictions, including Aruba, the Bahamas, Bermuda, the Cayman Islands, Hong Kong, Singapore and Switzerland.

The IRS said in a court filing that it believes those account holders "may fail, or may have failed, to comply with internal revenue laws." The IRS is targeting people who held such accounts between Dec. 31, 1999, and Dec. 31, 2003. The government is seeking the names of the account holders, their credit-card statements, their credit limit and information on when they opened their accounts.

"We haven't seen the order, but we always comply with the law," said First Data spokeswoman Staci Busby.
She declined to comment further about the order by U.S. District Judge Phillip Figa, which was made Monday. In 2003, Greenwood Village-based First Data processed 12.2 billion payment transactions, Busby said.

Judges have granted so-called "John Doe" summons in five similar situations, the IRS said in court documents.

--
-----------------
R. A. Hettinga
The Internet Bearer Underwriting Corporation
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

From nobody at cypherpunks.to Wed Aug 4 01:05:24 2004
From: nobody at cypherpunks.to (Anonymous via the Cypherpunks Tonga Remailer)
Date: Wed, 4 Aug 2004 10:05:24 +0200 (CEST)
Subject: Anonymizer outsourcing customer data?
Message-ID: <20040804080524.BA1EE116DB@mail.cypherpunks.to>

On Mon, 2 Aug 2004, J.A. Terranson wrote:
> Yes, this bugs me. But the person they outsourced it *to* scares me even
> more!

They claim they have over 1 million users. Is a class action suit in order?

Their privacy policy clearly states "We consider your email address to be confidential information. We will never rent, sell, or otherwise reveal it to any other party without prior consent, except under the conditions set forth in the User Agreement for spamming and related abuses of netiquette, or unless we are compelled to do so by court order."

From gabe at seul.org Wed Aug 4 07:17:14 2004
From: gabe at seul.org (Gabriel Rocha)
Date: Wed, 4 Aug 2004 10:17:14 -0400
Subject: IRS may use First Data info for help in finding tax evaders
In-Reply-To:
References:
Message-ID: <20040804141714.GE13030@moria.seul.org>

On Aug 04 2004, R. A. Hettinga wrote:
| The IRS said in a court filing that it believes those account holders "may
| fail, or may have failed, to comply with internal revenue laws."

Standards of proof are going way down when "may have..."
is enough to get a court order...

From hal at finney.org Wed Aug 4 11:04:15 2004
From: hal at finney.org (Hal Finney)
Date: Wed, 4 Aug 2004 11:04:15 -0700 (PDT)
Subject: On what the NSA does with its tech
Message-ID:

MV writes:
> Yes. They can't break a 128 bit key. That's obvious. ("if all the
> atoms in the
> universe were computers..." goes the argument).

Not necessarily, if nanotechnology works. 128 bits is big but not that big. Eric Drexler, in Nanosystems, section 12.9, predicts that a nanotech based CPU fitting in a 400 nm cube could run at 1000 MIPS and consume 60 nanowatts, performing 10^16 instructions per second per watt.

Let's design a system to break a 128 bit cipher. Let's suppose it has to do 2^10 instructions per test, so this is 2^138 instructions total, or about 10^41. Let's let it run for four months, which is 10^7 seconds, so our necessary processing rate is 10^34 instructions per second.

This means we need 10^34 IPS / 1000 MIPS or 10^25 of Drexler's gigahertz cubes, call it 10^25 cubic microns or 10^7 cubic meters, a cube about 220 meters on a side.

The system will consume 10^25 * 60 nanowatts or about 6 * 10^17 watts. Now, that's a lot. It's four times what the earth receives from the sun. So we have to build a disk four times the area (not volume) of the earth, collect that power and funnel it to our computers. Probably we would scatter the computers throughout the disk, which would be mostly composed of solar collectors. (Keeping the disk gravitationally stable is left as an exercise for the student, as is the tradeoff involved in making it smaller but moving it closer to the sun.)

Fortunately, exhaustive key search is perfectly parallelizable so there is no need for complex communications or synchronizations between the processors.

As you can see, breaking 128 bit keys is certainly not a task which is so impossible that it would fail even if every atom were a computer.
If we really needed to do it, it's not outside the realm of possibility that it could be accomplished within 50 years, using nanotech and robotics to move and reassemble asteroids into the necessary disk.

Now, 256 bit keys really are impossible, unless the whole contraption above can be made to operate as an enormous, unified quantum computer, in which case it could theoretically break even 256 bit keys. 512 bit keys... now those really are impossible.

Hal Finney

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

----- End forwarded message -----
--
Eugen* Leitl leitl
http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

From Poindexter at SAFe-mail.net Wed Aug 4 09:16:32 2004
From: Poindexter at SAFe-mail.net (Poindexter at SAFe-mail.net)
Date: Wed, 4 Aug 2004 12:16:32 -0400
Subject: Data-Driven Attacks Using HTTP Tunneling
Message-ID:

http://www.securityfocus.com/infocus/1793

As more traffic across the Internet is coming under scrutiny and network administrators are making efforts to limit the traffic in and out of their networks, the one port that no one is willing to block en-masse is port 80.
Users (and administrators) browse the web constantly, whether it is for work purposes or not. The lifeblood of a company's existence on the Internet requires a web presence in one fashion or another and this requires a web server, whether it is hosted by a service provider or located on a company's network. With every new worm, bug, or vulnerability found in IIS and Apache servers, network and secop administrators are trying to lock down these systems further at the router or firewall. To identify attacks many are turning to IDS and IPS.

In this article we will look at a means to bypass the access control restrictions of a company's router or firewall. This information is intended to provide help for those who are legitimately testing the security of a network (whether they are in-house expertise or outside consultants). This article, by no means, condones the use of this information for the purpose of unauthorized access to a network or a system. Finally, this article will provide some pointers on how to defend against this attack.

From lloyd at randombit.net Wed Aug 4 13:44:58 2004
From: lloyd at randombit.net (Jack Lloyd)
Date: Wed, 4 Aug 2004 16:44:58 -0400
Subject: On what the NSA does with its tech
In-Reply-To: <20040804180415.DB2C757E2A@finney.org>
References: <20040804180415.DB2C757E2A@finney.org>
Message-ID: <20040804204458.GB30228@acm.jhu.edu>

On Wed, Aug 04, 2004 at 11:04:15AM -0700, "Hal Finney" wrote:

[...]

> The system will consume 10^25 * 60 nanowatts or about 6 * 10^17 watts.
> Now, that's a lot. It's four times what the earth receives from the sun.
> So we have to build a disk four times the area (not volume) of the earth,
> collect that power and funnel it to our computers. Probably we would
> scatter the computers throughout the disk, which would be mostly composed
> of solar collectors.
> (Keeping the disk gravitationally stable is left
> as an exercise for the student, as is the tradeoff involved in making
> it smaller but moving it closer to the sun.)

If I did my unit conversions right, such a disk would be over 30,000 miles in diameter. So we'll probably get some advance notice - "Hey, what's that big-ass thing orbiting around the Moon?"

-Jack

From adam at cypherspace.org Wed Aug 4 15:16:14 2004
From: adam at cypherspace.org (Adam Back)
Date: Wed, 4 Aug 2004 18:16:14 -0400
Subject: planet sized processors (Re: On what the NSA does with its tech)
In-Reply-To: <20040804204458.GB30228@acm.jhu.edu>
References: <20040804180415.DB2C757E2A@finney.org> <20040804204458.GB30228@acm.jhu.edu>
Message-ID: <20040804221614.GA17739@bitchcake.off.net>

The planet sized processor stuff reminds me of Charlie Stross' sci-fi short story "Scratch Monkey" which features nanotech, planet sized processors which colonize space and build more planet-sized processors. The application is upload, real-time memory backup, and afterlife in DreamTime (distributed simulation environment), and an option of reincarnation.

http://www.antipope.org/charlie/fiction/monkey/

Adam

On Wed, Aug 04, 2004 at 04:44:58PM -0400, Jack Lloyd wrote:
> On Wed, Aug 04, 2004 at 11:04:15AM -0700, "Hal Finney" wrote:
>
> [...]
> > The system will consume 10^25 * 60 nanowatts or about 6 * 10^17 watts.
> > Now, that's a lot. It's four times what the earth receives from the sun.
> > So we have to build a disk four times the area (not volume) of the earth,
> > collect that power and funnel it to our computers. Probably we would
> > scatter the computers throughout the disk, which would be mostly composed
> > of solar collectors. (Keeping the disk gravitationally stable is left
> > as an exercise for the student, as is the tradeoff involved in making
> > it smaller but moving it closer to the sun.)
>
> If I did my unit conversions right, such a disk would be over 30,000 miles in
> diameter. So we'll probably get some advance notice - "Hey, what's that big-ass
> thing orbiting around the Moon?"
>
> -Jack

From mv at cdc.gov Wed Aug 4 18:59:51 2004
From: mv at cdc.gov (Major Variola (ret))
Date: Wed, 04 Aug 2004 18:59:51 -0700
Subject: On what the NSA does with its tech
Message-ID: <41119497.3B41FB29@cdc.gov>

At 02:23 AM 8/5/04 +0200, Thomas Shaddack wrote:
>
>The impracticability of breaking symmetric ciphers is only a comparatively
>small part of the overall problem.

Indeed. Following Schneier's axiom, go for the humans, it would not be too hard to involuntarily addict someone to something which the withdrawal from which readily compromises any human. Since torture is now legitimized in the US, or its proxies, have a beer (or stronger, etc) Mohammed.

Of course, the green card offered to the housecleaning illegal is simpler. Ask Nikky Scarfo.

And there's nothing like raping one's children to convince the reticent... particularly if one's halal meal has been doped with various psychopharms..

------

The problem with quantum computing will be coercing the qubits to do your bidding (not just toy problems) without losing their waviness.

Not relevant to the nano-args, but your energy consumption calcs do make it clear that Ft Meade will need some awfully big radiators :-) Then again, it's not that far from the ocean, a rather extreme heatsink...

Still I concede that Ft Meade has no finer features than IBM. But when economics *don't* dictate, as they do everywhere else, one has to ponder.

Still, the 'tographers beat the 'analysts, as you say, for sufficiently large keys, and sufficiently different chained ciphers. Don't put all your squeamish ossifrage eggs in one basket, eh?

And stay away from Athens, ok?
From morlockelloi at yahoo.com Wed Aug 4 22:42:50 2004
From: morlockelloi at yahoo.com (Morlock Elloi)
Date: Wed, 4 Aug 2004 22:42:50 -0700 (PDT)
Subject: On what the NSA does with its tech
In-Reply-To: <41119497.3B41FB29@cdc.gov>
Message-ID: <20040805054250.48060.qmail@web40606.mail.yahoo.com>

>The impracticability of breaking symmetric ciphers is only a
>comparatively small part of the overall problem.

I see that "it can be done only by brute farce" myth is alive and well.

Hint: all major cryptanalytic advances, where governments broke a cypher and general public found out a few *decades* later were not of brute-force kind.

And if anyone thinks today's hobby/private cryptographers are any smarter (in a relative way) or more intelligent than their counterparts of 100 or 50 years ago (that were in the dark for decades) ... well, you are an idiot.

Today's crypto will be regarded in 2050 as Enigmas are regarded today. Development does not stop in any particular period just because you live in it and assume you're entitled to absolute knowledge.

===== end (of original message)

Y-a*h*o-o (yes, they scan for this) spam follows:

__________________________________
Do you Yahoo!?
Yahoo! Mail - 50x more storage than other providers!
http://promotions.yahoo.com/new_mail

From eugen at leitl.org Wed Aug 4 13:56:09 2004
From: eugen at leitl.org (Eugen Leitl)
Date: Wed, 4 Aug 2004 22:56:09 +0200
Subject: On what the NSA does with its tech
In-Reply-To: <20040804204458.GB30228@acm.jhu.edu>
References: <20040804180415.DB2C757E2A@finney.org> <20040804204458.GB30228@acm.jhu.edu>
Message-ID: <20040804205609.GR1400@leitl.org>

On Wed, Aug 04, 2004 at 04:44:58PM -0400, Jack Lloyd wrote:
> If I did my unit conversions right, such a disk would be over 30,000 miles in

Drexler's estimates for computers are conservative (purely mechanical rod logic). SWNT-based reversible logic (in spintronics? even utilizing nontrivial amounts of entangled electron spins in solid state qubits for specific codes?)
could do a lot better. So today's secrets perhaps won't be in a few decades. What else is new?

Rather, whose passphrase has 128 bits of pure entropy? Certainly not mine. So the weakest link is elsewhere.

> diameter. So we'll probably get some advance notice - "Hey, what's that big-ass
> thing orbiting around the Moon?"

By that time the question is rather "do you think that's air you're breathing?" Check out some of the stuff on http://moleculardevices.org/ you might get a surprise.

--
Eugen* Leitl leitl
______________________________________________________________
ICBM: 48.07078, 11.61144 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
http://moleculardevices.org http://nanomachines.net

[demime 1.01d removed an attachment of type application/pgp-signature]

From robert.harley at gmail.com Wed Aug 4 16:10:32 2004
From: robert.harley at gmail.com (Robert Harley)
Date: Thu, 5 Aug 2004 00:10:32 +0100
Subject: [FoRK] ECC and the web
Message-ID:

>Came across this today and thought it would be of interest to some of you...
>
>*Integrating elliptic curve cryptography into the web's security infrastructure *
>Vipul Gupta, Douglas Stebila, Sheueling Chang Shantz
>[...]

Sheueling contacted me a couple of times a couple of years ago about the same stuff... described her research at Sun... enquired about working together but decided it wasn't a go-er since I was in Paris and her in the Bay area...

>RSA is the most popular public-key cryptosystem on the Web today but long-term trends
>such as [...] increasing security needs will make continued reliance on RSA more
>challenging over time. [...]

I've long doubted the security of RSA and have more concrete reasons for doubting these days... won't say more than that...
;)

R

_______________________________________________
FoRK mailing list
http://xent.com/mailman/listinfo/fork

----- End forwarded message -----
--
Eugen* Leitl leitl
______________________________________________________________
ICBM: 48.07078, 11.61144 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
http://moleculardevices.org http://nanomachines.net

[demime 1.01d removed an attachment of type application/pgp-signature]

From shaddack at ns.arachne.cz Wed Aug 4 17:23:27 2004
From: shaddack at ns.arachne.cz (Thomas Shaddack)
Date: Thu, 5 Aug 2004 02:23:27 +0200 (CEST)
Subject: On what the NSA does with its tech
In-Reply-To: <20040804180415.DB2C757E2A@finney.org>
References: <20040804180415.DB2C757E2A@finney.org>
Message-ID: <0408050213570.10272@somehost.domainz.com>

On Wed, 4 Aug 2004, Hal Finney wrote:
> As you can see, breaking 128 bit keys is certainly not a task which is
> so impossible that it would fail even if every atom were a computer.
> If we really needed to do it, it's not outside the realm of possibility
> that it could be accomplished within 50 years, using nanotech and robotics
> to move and reassemble asteroids into the necessary disk.

There are easier targets than the symmetric cipher algorithm itself.

You may aim at RSA, try to break through the factorization problem, or find another weakness in it. Same for other algorithms of this class.

You may aim at the passphrase, as several other people suggested.

You may use nanotech to compromise the hardware, and/or to intercept the data. This includes "eating and duplicating" chips, including key storage tokens; just go layer after layer and rebuild it (or create its "virtual" image) including the levels of electric charge in the memory cells. How to design a token that would be resistant to nanoprobes? (Perhaps by equipping it with an "immune system" of nanoprobes of its own?)

Quantum computers may be the way to break factoring-related algorithms.
Nanotechnology can bring many ways for physical compromising of the targets and their vicinity (the "fly on the wall" attack).

The impracticability of breaking symmetric ciphers is only a comparatively small part of the overall problem.

From measl at mfn.org Thu Aug 5 03:16:17 2004
From: measl at mfn.org (J.A. Terranson)
Date: Thu, 5 Aug 2004 05:16:17 -0500 (CDT)
Subject: [Antisocial] An Omen - Please read. (fwd)
Message-ID: <20040805051538.W56311@ubzr.zsa.bet>

Crossposted here as a Rant In The Public View. The two list-locals mentioned, Travis and Becker are proud members of the Bible-Toting Brainless Fuckheads: "Well *Jesus* said that women are subhuman, therefore..." - you get the idea. The political commentary is straight from the hip.

--
Yours,
J.A. Terranson
sysadmin at mfn.org
0xBD4A95BF

"...justice is a duty towards those whom you love and those whom you do not. And people's rights will not be harmed if the opponent speaks out about them."
Osama Bin Laden
- - -
"There aught to be limits to freedom!"
George Bush
- - -
Which one scares you more?

---------- Forwarded message ----------
Date: Wed, 4 Aug 2004 23:23:12 -0500 (CDT)
From: J.A. Terranson
Reply-To: Antisocial
To: antisocial at mfn.org
Subject: [Antisocial] An Omen - Please read.

I want everyone here to stop and consider for a second what happened yesterday in Missouri.

First, the primary had the highest voter turnout since the state began keeping records. Put another way, at least one group "got the vote out".

Second: the hate amendment didn't just pass, it passed by a better than 2 to 1 majority, out of a million and a half votes cast.

Third: Those votes were evenly distributed across both city and state lines. Put another way, even the city of St. Louis voted for this atrocity.

Fourth: No group saw this coming. Both sides thought the amendment would be a very close vote. I think we all believed it would pass, but by only the slightest of a hair.
This is an important detail - it shows that one of two things happened yesterday. Either there really is no support for treating humans evenly and without discrimination, or the side that has their shit together isn't getting the vote out. I'd like to think that the 57% who didn't bother yesterday were the majority that could have forced some kind of sanity onto the face of Missouri, but I just don't know.

Fifth: If that 57% *is* the group that believes in doing the right thing, then we had better find a way to get them out the fucking door on Nov 2nd, or we are going to be in some very serious shit over the next four years. You've seen what that little midget fuck is like when he hasn't even won an election, can you imagine how he's going to behave if he thinks he's got some kind of *mandate*? Picture an entire government populated by clones of Travis and Becker. Not a pretty sight.

Missouri is one of the most hotly contested states right now. It is one of the states that could literally decide the election. If you don't believe that what happened yesterday is a preview of things to come on Nov 2nd, then you are *blind*.

This amendment vote must act as a wake-up call - the fascists are really at the gates. And they are organized, and getting their voters to the polls. If we can't find a way to get the other side out, in force, and right *now*, this country could really look like 1939 Germany in four years. Whole sections of the population are being turned on others, just for the sake of divide and conquer, and there is only one way to put a stop to this (short of taking up a collection to pay for a shooter for Bush's first legitimate oath of office) - we need to get people out to the polls in 90 days.

This country is on the edge of a disastrous precipice. Get your family out there. Get your friends. Knock on doors and offer to drive the people in your neighborhoods, but *do something*! We cannot allow the apathy to get in the way this time - this is too serious.
--
Yours,
J.A. Terranson
sysadmin at mfn.org
0xBD4A95BF

"...justice is a duty towards those whom you love and those whom you do not. And people's rights will not be harmed if the opponent speaks out about them."
Osama Bin Laden
- - -
"There aught to be limits to freedom!"
George Bush
- - -
Which one scares you more?

_______________________________________________
Antisocial mailing list
Antisocial at mfn.org
http://lists.mfn.org/mailman/listinfo/antisocial

From btm at templetons.com Thu Aug 5 05:47:16 2004
From: btm at templetons.com (Brad Templeton)
Date: August 5, 2004 5:47:16 PM EDT
Subject: [IP] Your people are growing increasingly worried about a 'police state.' For such an educated audience,
Message-ID:

>Subj: Your people are growing increasingly worried about a 'police
>state.'
>For such an educated audience, they seem to lack any sense of
>proportion, a sense of history or an
> awareness of human nature.
>

Indeed, as you cite, there are many police states and history is littered with ones that have risen and fallen as well. Each time a police state rose, there were those who cried that a police state was coming and were called paranoid. There were those who actively assisted the police state in coming, seeking the security it promised. There were those who assisted the police state in coming, not wanting one, but feeling those who called out the warnings were paranoid. There were those who said and did nothing.

Free states are the aberration in the history of mankind. Police states (for the level of technology of the day) the norm.

So perhaps when Mr. Ashcroft erodes civil rights, you can make a valid claim that it introduces only a very slight risk of a police state, or is only the start of a trend. How much risk is enough? If events only presented a 1% chance of taking the path to a police state, would you want to tolerate it? Would you find it acceptable to teeter on the edge of a police state, because you were still on the free side of the line?
Often, in the defence of free speech, we find ourselves defending people expressing ideas we loathe. Nazis, pedophiles and other scum. We do it not because we welcome a world full of their messages, but because we know that if the Holocaust deniers can publish, we are _really, really_ sure that we can publish.

It's not paranoia.

-------------------------------------
You are subscribed as eugen at leitl.org
To manage your subscription, go to
http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/

----- End forwarded message -----
--
Eugen* Leitl leitl
______________________________________________________________
ICBM: 48.07078, 11.61144 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
http://moleculardevices.org http://nanomachines.net

[demime 1.01d removed an attachment of type application/pgp-signature]

From jya at pipeline.com Thu Aug 5 10:28:32 2004
From: jya at pipeline.com (John Young)
Date: Thu, 05 Aug 2004 10:28:32 -0700
Subject: Texas oil refineries, a White Van, and Al Qaeda
In-Reply-To: <4112336B.7040708@students.bbk.ac.uk>
References:
Message-ID:

Ken wrote:

>Crazy authoritarianism. Rules for the sake of rules. They exist to
>show who is boss. Like school uniforms or corporate dress codes -
>the rule is made not to enforce any desirable behaviour but to
>show who is where in the hierarchy, who is able to make rules
>and who has to obey them.

Waiting in a public lobby of an educational facility in NYC I was asked to move by a dame at the security desk. Huh, I said, why? She said you're blocking my view, I have to see everything going on. So I moved two inches, grinned, said show me your tits, sure she'd like the Seinfeld line from Boy in A Bubble. Sgt Madam banged a 10-13 bell and six more dames encircled me aiming their protuberances terrifically.
Whoa, I said, gobbling a 360 bubbling cheek-swipe of the twelve knobbies, 6 badges, 6 nym tags, ripping leaks and smearing Tyson's blood and spit on their mountainous blue fronts. Then the six-pack array-pivoted 180 and jack-rammed me senseless with hard butts, flashlights, cuffs, and swear-to-god hard leather pouches of powderpuffs and tampons, and, ass-clenching me upright, jitterbugged to the holding pen, where I was sloshed with a bucket of icewater, stripped searched, body cavitied, Abu Ghraibian privates ridiculed, magic-markered pederast to symbol who rules domestically, not the caucasian dodos peddling silly secrets of terrorists about to shit on civilization.

From Mcget at aol.com Thu Aug 5 10:32:22 2004
From: Mcget at aol.com (Mcget at aol.com)
Date: August 5, 2004 10:32:22 PM EDT
Subject: a police state
Message-ID:

Well, since the fastest growing black household in America is the cellblock; since here in Philadelphia I still can hear cops step from their cars asking, "Where'd the nigger go?" in front of black onlookers; since Independence Hall now has a clearly visible surveillance camera in its tower and visitors to the Liberty Bell are searched and wanded multiple times; since the fastest growing group of armed police in the US are private security and prison guard, since without trying very hard, I can read more and more about police getting no-knock powers, about prisoners held incommunicado, etc. -- I think we shouldn't wait until we are all getting routinely Taser'd for getting smart at the latest "preventive" roadblock.

It's enough like a police state--or a hall monitor's wet dream -- to get me nervous.

--Michael McGettigan

One recent example -- a friend of mine who worked transmitters for Motorola was sent to a crime-ridden North Philly high-rise project.
His mission -- inspect a repeater transmitter that was inside a steel-doored room atop the building -- the transmitter's function was to boost the signals of the various law enforcement/drug authorities that raided it on a regular basis. They'd found that their hand radios often didn't work well enough. The idea that this high-rise should maybe be razed rather than rigged for a permanent state of drug busts didn't seem to occur to anyone.

-------------------------------------
You are subscribed as eugen at leitl.org
To manage your subscription, go to
http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/

----- End forwarded message -----
--
Eugen* Leitl leitl
______________________________________________________________
ICBM: 48.07078, 11.61144 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
http://moleculardevices.org http://nanomachines.net

[demime 1.01d removed an attachment of type application/pgp-signature]

From kelsey.j at ix.netcom.com Thu Aug 5 07:39:37 2004
From: kelsey.j at ix.netcom.com (John Kelsey)
Date: Thu, 5 Aug 2004 10:39:37 -0400 (GMT-04:00)
Subject: On what the NSA does with its tech
Message-ID: <21040548.1091716777742.JavaMail.root@daisy.psp.pas.earthlink.net>

From: "Major Variola (ret)"
Sent: Aug 2, 2004 11:56 PM
To: "cypherpunks at al-qaeda.net"
Subject: On what the NSA does with its tech

...

What they can do is implement an advanced dictionary search that includes the kind of mnemonic tricks and regexps that folks typically use when coming up with "tough" passphrases. Cracking Italian anarchist PGP-equipt PDAs in their possession, things like that.

Yep. This seems like the practical weak link in a lot of uses of cryptography.
It can be made harder in a lot of ways (e.g., upping the iteration count, or doing Abadi's trick of generating a big salt value but not disclosing all of it), but all this ends up with the attacker's extra work linear in the user's extra work. Of course, if the user chooses good passwords, it's a pretty big linear factor, but it's still linear--I double my iteration count, and the attacker doubles his work, though he's always doing a million times as much work as I am.

The only really good solution is to use some external device to mediate in password->key generation. But then you've got to make sure that device is always available, or you're unable to get at your data. And if that device is an online server somewhere, then password encryptions become partly traceable.

--John Kelsey

From eugen at leitl.org Thu Aug 5 01:56:07 2004
From: eugen at leitl.org (Eugen Leitl)
Date: Thu, 5 Aug 2004 10:56:07 +0200
Subject: planet sized processors (Re: On what the NSA does with its tech)
In-Reply-To: <20040804221614.GA17739@bitchcake.off.net>
References: <20040804180415.DB2C757E2A@finney.org> <20040804204458.GB30228@acm.jhu.edu> <20040804221614.GA17739@bitchcake.off.net>
Message-ID: <20040805085607.GF1400@leitl.org>

On Wed, Aug 04, 2004 at 06:16:14PM -0400, Adam Back wrote:
> The planet sized processor stuff reminds me of Charlie Stross' sci-fi
> short story "Scratch Monkey" which features nanotech, planet sized

Not a coincidence, as he's been mining diverse transhumanist/extropian communities for raw bits. Kudos to his work, very nicely done.

> processors which colonize space and build more planet-sized
> processors. The application is upload, real-time memory backup, and
> afterlife in DreamTime (distributed simulation environment), and an
> option of reincarnation.

http://www.aleph.se/Trans/ is a bit dated, but is still a very good resource.
From eugen at leitl.org Thu Aug 5 01:59:50 2004
From: eugen at leitl.org (Eugen Leitl)
Date: Thu, 5 Aug 2004 10:59:50 +0200
Subject: [FoRK] ECC and the web (fwd from robert.harley@gmail.com)
Message-ID: <20040805085950.GH1400@leitl.org>

----- Forwarded message from Robert Harley -----

From sunder at sunder.net Thu Aug 5 08:35:26 2004
From: sunder at sunder.net (Sunder)
Date: Thu, 5 Aug 2004 11:35:26 -0400 (edt)
Subject: Ridge: "The Terrorists are coming! The Terrorists are coming!" (wag the media)
Message-ID:

http://www.theregister.co.uk/2004/08/03/us_terror_alert_political_football/print.html

US terror alert becomes political football
By Thomas C Greene (thomas.greene at theregister.co.uk)
Published Tuesday 3rd August 2004 15:15 GMT

Update As we reported recently (http://www.theregister.co.uk/2004/08/02/al_qaeda_cyber_terror_panic), the latest ratcheting up of the terror threat level in the United States was based on captured documents dating back some time. In that article, we observed that it was "not clear whether any of the information recently obtained relates to current or future schemes."

"much of the information that led the authorities to raise the terror alert at several large financial institutions in the New York City and Washington areas was three or four years old, intelligence and law enforcement officials said on Monday. They reported that they had not yet found concrete evidence that a terrorist plot or preparatory surveillance operations were still under way."

Why now?

If anyone is wondering why terrorism, and especially attacks at home, should have been so fully hyped on such thin evidence, it's useful to consider the news cycle.
Last week, John Kerry did a surprisingly good job of introducing himself to the nation as a plausible replacement for Bush.

Politics

But this rain dance was not undertaken from a security point of view. It was concocted with a political motive, and its purpose was to distract the public from the additive disasters in Iraq, and the unexpectedly strong showing by the Democrats in Boston last week. It was designed to make Junior look like the "strong leader" that his cheerleaders insist, against all evidence, that he really is. (We note that the true Prince of Darkness, Dick Cheney, has been dutifully silent, and conspicuously absent, during the recent national security festivities, to vouchsafe the limelight to Junior.)

----------------------Kaos-Keraunos-Kybernetos---------------------------
 + ^ + :"War is Peace
  /|\
  \|/  : Freedom is Slavery
 /\|/\
<--*-->: Ignorance is Strength
 \/|\/
  /|\  : Bush is President" - Bret Feinblatt
  \|/
 + v + :
--------------------------------------http://www.sunder.net ------------

From sunder at sunder.net Thu Aug 5 08:47:15 2004
From: sunder at sunder.net (Sunder)
Date: Thu, 5 Aug 2004 11:47:15 -0400 (edt)
Subject: Wired on Navy's new version of Onion Routing
Message-ID:

http://www.wired.com/news/print/0,1294,64464,00.html

Onion Routing Averts Prying Eyes
By Ann Harrison

Story location: http://www.wired.com/news/privacy/0,1848,64464,00.html

02:00 AM Aug. 05, 2004 PT

Computer programmers are modifying a communications system, originally developed by the U.S. Naval Research Lab, to help Internet users surf the Web anonymously and shield their online activities from corporate or government eyes.

The Navy is financing the development of a second-generation onion-routing system called Tor, which addresses many of the flaws in the original design and makes it easier to use.
The Tor client behaves like a SOCKS proxy (a common protocol for developing secure communication services), allowing applications like Mozilla, SSH and FTP clients to talk directly to Tor and route data streams through a network of onion routers, without long delays.

From bbrow07 at students.bbk.ac.uk Thu Aug 5 06:17:31 2004
From: bbrow07 at students.bbk.ac.uk (ken)
Date: Thu, 05 Aug 2004 14:17:31 +0100
Subject: Texas oil refineries, a White Van, and Al Qaeda
In-Reply-To:
References:
Message-ID: <4112336B.7040708@students.bbk.ac.uk>

An Metet wrote:

>> The person in question was just somebody with a weakness for
>> industrial architecture.

*I've* taken pictures of oil-company installations in Houston and Galveston and points between. Who do I turn myself in to?

I also walk or cycle all over London & take photos of just about everything from bridges to canals to private houses (aren't digital cameras wonderful?). No-one's bothered me ever. Though sometimes I've felt I was being a bit stupid wandering alone at night through large public housing projects openly carrying 800 quid's worth of video camera.

> The "no cameras" signs were very popular in East Bloc countries. It
> was forbidden to take pictures of bridges, government buildings,
> airports, railway stations, industrial installations, water dams etc.

Back in the 1970s I was on a camping holiday in what was then Yugoslavia with a friend. We arrived in Rijeka in Croatia by bus, started walking off to see if we could find a camp site, and by the time we realised we were walking out of town the wrong way it was too late & too dark to do anything about it. So we slept on a small mound just off the road we were on.
Next morning we saw that we were on what was basically a rubbish dump, overlooking the naval harbour, with a great view of all sorts of military activities. No-one seemed to be taking any notice of us though.

[...]

> In a depressingly predictable manner US of A is sliding into the same
> mode of operation. And, depressingly, it works. Expect more
> manufactured everyday threats, more citizen-informants, the works.
> Contracting or subcontracting airborne demolition artists is not
> practical on ongoing basis ... we need a terrorist threat everywhere,
> every day.

In 1990 I and some colleagues were visiting a Texaco office in Houston for a work-related meeting. In the carpark we began to take some pictures of each other with the office building as background. The carpark attendant came up and demanded we stop, insisting that no photographs could be taken of the building. Not even an industrial location, just a high-rise office building in a Houston suburb (Bellaire), in full & close view of the street, some other commercial buildings, and dozens, if not hundreds, of private homes, and distantly visible to thousands - possibly hundreds of thousands - of people every day.

Crazy authoritarianism. Rules for the sake of rules. They exist to show who is boss. Like school uniforms or corporate dress codes - the rule is made not to enforce any desirable behaviour but to show who is where in the hierarchy, who is able to make rules and who has to obey them.
From Yves.Roudier at eurecom.fr Thu Aug 5 06:23:48 2004
From: Yves.Roudier at eurecom.fr (Yves.Roudier at eurecom.fr)
Date: Thu, 5 Aug 2004 15:23:48 +0200 (MEST)
Subject: [p2p-hackers] ESORICS 2004 Call for Participation - reminder
Message-ID:

[Apologies for multiple copies of this announcement]

CALL FOR PARTICIPATION

ESORICS 2004
9th European Symposium on Research in Computer Security

Sponsored by SAP, @sec, and Région PACA

Institut Eurecom, Sophia Antipolis, French Riviera, France
September 13-15, 2004
http://esorics04.eurecom.fr

ESORICS 2004 will be co-located with RAID 2004

Since 1990, ESORICS has been confirmed as the European research event in computer security, attracting an audience from both the academic and industrial communities. The symposium has established itself as one of the premier international gatherings on Information Assurance. This year's three-day program will feature a single technical track with 27 full papers selected from almost 170 submissions.

PRELIMINARY PROGRAM
-------------------

Monday, September 13th
======================

09:15 - 09:30 opening remarks
09:30 - 10:30 invited talk
10:30 - 11:00 coffee break

11:00 - 12:30 Access control
--------------
Incorporating Dynamic Constraints in the Flexible Authorization Framework
  Shiping Chen, Duminda Wijesekera, Sushil Jajodia
Access-Condition-Table-driven Access Control for XML Database
  Naizhen Qi, Michiharu Kudo
An Algebra for Composing Enterprise Privacy Policies
  Michael Backes, Markus Duermuth, Rainer Steinwandt

12:30 - 14:00 lunch

14:00 - 15:30 Cryptographic protocols
-----------------------
Deriving, attacking and defending the GDOI protocol
  Catherine Meadows, Dusko Pavlovic
Better Privacy for Trusted Computing Platforms
  Jan Camenisch
A Cryptographically Sound Dolev-Yao Style Security Proof of the Otway-Rees Protocol
  Michael Backes

15:30 - 16:00 coffee break

16:00 - 17:30 Anonymity and information hiding
--------------------------------
A Formalization of Anonymity and Onion Routing
  Sjouke Mauw, Jan Verschuren, Erik de Vink
Breaking Cauchy Model-based JPEG Steganography with First Order Statistics
  Rainer Böhme, Andreas Westfeld
Comparison between two practical mix designs
  Claudia Diaz, Len Sassaman, Evelyne Dewitte

Tuesday, September 14th
=======================

09:00 - 10:30 Distributed data protection
---------------------------
Signature Bouquets: Immutability for Aggregated/Condensed Signatures
  Einar Mykletun, Maithili Narasimha, Gene Tsudik
Towards a theory of data entanglement
  James Aspnes, Joan Feigenbaum, Aleksandr Yampolskiy, Sheng Zhong
Portable and Flexible Document Access Control Mechanisms
  Mikhail Atallah, Marina Bykova

10:30 - 11:00 coffee break

11:00 - 12:30 Information flow and security properties
----------------------------------------
Possibilistic Information Flow Control in the Presence of Encrypted Communication
  Dieter Hutter, Axel Schairer
Information flow control revisited: Noninfluence = Noninterference + Nonleakage
  David von Oheimb
Security Property Based Administrative Controls
  Jon A. Solworth, Robert H. Sloan

12:30 - 14:00 lunch

14:00 - 15:30 Authentication and trust management
-----------------------------------
A Vector Model of Trust for Developing Trustworthy Systems
  Indrajit Ray, Sudip Chakraborty
Parameterized Authentication
  Michael J. Covington, Mustaque Ahamad, Irfan Essa, H. Venkateswaran
Combinatorial Design of Key Distribution Mechanisms for Wireless Sensor Networks
  Bulent Yener, Seyit A. Camtepe

15:30 - 16:00 coffee break

16:00 - 17:30 Cryptography
------------
IPv6 Opportunistic Encryption
  Claude Castelluccia, Gabriel Montenegro, Julien Laganier, Christoph Neumann
On the role of key schedules in attacks on iterated ciphers
  Lars R. Knudsen, John E. Mathiassen
A Public-Key Encryption Scheme with Pseudo-Random Ciphertexts
  Bodo Moller

Wednesday, September 15th
=========================

09:00 - 10:30 Operating systems and architecture
----------------------------------
A Host Intrusion Prevention System for Windows Operating Systems
  Roberto Battistoni, Emanuele Gabrielli, Luigi Vincenzo Mancini
Re-establishing Trust in Compromised Systems: Recovering from Rootkits that Trojan the System Call Table
  Julian Grizzard, John Levine, Henry Owen
ARCHERR: Runtime Environment Driven Program Safety
  Ramkumar Chinchani, Anusha Iyer, Bharat Jayaraman, Shambhu Upadhyaya

10:30 - 11:00 coffee break

11:00 - 12:30 Intrusion detection
-------------------
Sets, Bags, and Rock and Roll: Analyzing Large Data Sets of Network Data
  John McHugh
Redundancy and diversity in security
  Bev Littlewood, Lorenzo Strigini
Discover Novel Attack Strategies from INFOSEC Alerts
  Xinzhou Qin, Wenke Lee

ORGANIZING COMMITTEE
--------------------

General Chair
  Refik Molva, Institut Eurecom
  email: Refik.Molva at eurecom.fr

Program Chairs
  Peter Ryan, University of Newcastle upon Tyne
  email: Peter.Ryan at newcastle.ac.uk
  Pierangela Samarati, University of Milan
  email: samarati at dti.unimi.it

Publication Chair
  Dieter Gollmann, TU Hamburg-Harburg
  email: diego at tuhh.de

Publicity Chair
  Yves Roudier, Institut Eurecom
  email: roudier at eurecom.fr

Sponsoring Chair
  Marc Dacier, Institut Eurecom
  email: dacier at eurecom.fr

PROGRAM COMMITTEE
-----------------
Vijay Atluri, Rutgers University, USA
Giampaolo Bella, Università di Catania, Italy
Joachim Biskup, Universitaet Dortmund, Germany
Jan Camenisch, IBM Research, Switzerland
Germano Caronni, Sun Microsystems Laboratories, USA
David Chadwick, University of Salford, UK
Ernesto Damiani, University of Milan, Italy
Sabrina De Capitani di Vimercati, University of Milan, Italy
Yves Deswarte, LAAS-CNRS, France
Alberto Escudero-Pascual, Royal Institute of Technology, Sweden
Csilla Farkas, University of South Carolina, USA
Simon Foley, University College Cork, Ireland
Dieter Gollmann, TU Hamburg-Harburg, Germany
Joshua D. Guttman, MITRE, USA
Sushil Jajodia, George Mason University, USA
Sokratis K. Katsikas, University of the Aegean, Greece
Maciej Koutny, University of Newcastle upon Tyne, UK
Peng Liu, Pennsylvania State University, USA
Javier Lopez, University of Malaga, Spain
Roy Maxion, Carnegie Mellon University, USA
Patrick McDaniel, AT&T Labs-Research, USA
John McHugh, CERT/CC, USA
Catherine A. Meadows, Naval Research Lab, USA
Refik Molva, Institut Eurecom, France
Peng Ning, NC State University, USA
LouAnna Notargiacomo, The MITRE Corporation, USA
Eiji Okamoto, University of Tsukuba, Japan
Stefano Paraboschi, University of Bergamo, Italy
Andreas Pfitzmann, TU Dresden, Germany
Bart Preneel, Katholieke Universiteit Leuven, Belgium
Jean-Jacques Quisquater, Microelectronic laboratory, Belgium
Steve Schneider, University of London, UK
Christoph Schuba, Sun Microsystems, Inc., USA
Michael Steiner, IBM T.J. Watson Research Laboratory, USA
Paul Syverson, Naval Research Laboratory, USA
Kymie M.C. Tan, Carnegie Mellon University, USA
Dan Thomsen, Tresys Technology, USA
Moti Yung, Columbia University, USA

VENUE / TRAVEL
--------------
ESORICS 2004 will be held on the French Riviera coast, about 20 km West of Nice and 15 km Northeast of Cannes. The conference will take place at Institut Eurecom / CICA, in the Sophia Antipolis science park, which can easily be reached thanks to the nearby Nice international airport.
For more information, refer to:
http://esorics04.eurecom.fr/visitor_information.html

IMPORTANT DATES
---------------
ESORICS conference dates: September 13-15, 2004

_______________________________________________
p2p-hackers mailing list
p2p-hackers at zgp.org
http://zgp.org/mailman/listinfo/p2p-hackers
_______________________________________________
Here is a web page listing P2P Conferences:
http://www.neurogrid.net/twiki/bin/view/Main/PeerToPeerConferences

----- End forwarded message -----

From eugen at leitl.org Thu Aug 5 06:38:37 2004
From: eugen at leitl.org (Eugen Leitl)
Date: Thu, 5 Aug 2004 15:38:37 +0200
Subject: [p2p-hackers] ESORICS 2004 Call for Participation - reminder (fwd from Yves.Roudier@eurecom.fr)
Message-ID: <20040805133837.GT1400@leitl.org>

----- Forwarded message from Yves.Roudier at eurecom.fr -----

From pcapelli at gmail.com Thu Aug 5 12:54:46 2004
From: pcapelli at gmail.com (Pete Capelli)
Date: Thu, 5 Aug 2004 15:54:46 -0400
Subject: On what the NSA does with its tech
In-Reply-To: <4112856B.40409@gmx.co.uk>
References: <20040805054250.48060.qmail@web40606.mail.yahoo.com> <4112856B.40409@gmx.co.uk>
Message-ID:

On Thu, 05 Aug 2004 20:07:23 +0100, Dave Howe wrote:

> all generalizations are false, including this one.

Is this self-referential?

From rah at shipwright.com Thu Aug 5 15:14:08 2004
From: rah at shipwright.com (R. A. Hettinga)
Date: Thu, 5 Aug 2004 18:14:08 -0400
Subject: Hijacked by the 'Privocrats'
Message-ID:

The Wall Street Journal

August 5, 2004

COMMENTARY

Hijacked by the 'Privocrats'
By HEATHER MAC DONALD
August 5, 2004; Page A10

Even as the Bush administration warns of an imminent terror attack, it is again allowing the "rights" brigades to dictate the parameters of national defense. The administration just cancelled a passenger screening system designed to keep terrorists off planes, acceding to the demands of "privacy" advocates. The implications of this for airline safety are bad enough. But the program's demise also signals a return to a pre-9/11 mentality, when pressure from the rights lobbies trumped security common sense.

The now-defunct program, the Computer Assisted Passenger Prescreening System, or Capps II, sought to make sure that air passengers are flying under their own identity and are not wanted as a terror suspect. It would have asked passengers to provide four pieces of information -- name, address, phone number and birth date -- when they make their reservation. That information would've been run against commercial records, to see if it matches up, then checked against government intelligence files to determine whether a passenger has possible terror connections. Depending on the outcome of those two checks, a passenger could have been screened more closely at the airport, or perhaps -- if government intelligence on him raised alarms -- not allowed to board.

Privacy advocates on both the right and the left attacked Capps II from the moment it was announced. They called it an eruption of a police state, and envisioned a gallimaufry of bizarre hidden agendas -- from a pretext for oppressing evangelical Christians and gun owners, to a blank check for discriminating against blacks.

Contrary to the rights lobby, Capps II was not:

* A privacy intrusion.
Passengers already give their name, address and phone number to make a flight reservation, without the slightest fuss. Adding birth date hardly changes the privacy ledger: The government and the private sector have our birth dates on file now for social security and commercial credit, among numerous other functions. Far from jealously guarding their name and address, Americans dispense personal information about themselves with abandon, in order to enjoy a multitude of consumer conveniences. (Anyone with a computer can find out reams more about us than is even hinted at in the Capps II passenger records.)

* A surveillance system. Neither the government nor the airlines would have kept any of the information beyond the safe completion of a flight. The government would have had no access to the commercial records used to check a passenger's alleged identity; those would have remained with the commercial data providers contracted to provide identity verification.

* A data mining program. This misunderstood technology seeks to use computers to spot suspicious patterns or anomalies in large data bases, sometimes for predictive analysis. Capps II had nothing to do with data mining; it was simply a primitive two-step data query system.

The advocates' most effective strategy for killing off Capps II was to bludgeon airlines into not cooperating with its development. Northwest Airlines and Jet Blue were already facing billions of dollars in lawsuits for specious "privacy" violations, trumped up by the advocates in reprisal for those airlines' earlier cooperation with the war on terror. No other airline was willing to take on a similar risk and provide passenger data to stress-test Capps II. Without the capacity to be tested, Capps II was doomed.

The Department of Homeland Security has already shown itself a weakling in bureaucratic turf battles; its capitulation to the "privocrats" means it is all but toothless.
It was just such a cave-in by the Clinton administration that eased the way for the 9/11 attacks. Under pressure from the Arab and rights lobbies, the Clintonites agreed in 1997 that passengers flagged as suspicious by the then-existing flight screening system would not be interviewed. Allowing security personnel to interview suspicious flyers, it was argued, would amount to racial and ethnic profiling. On 9/11, the predecessor to Capps II identified nine of the 19 hijackers as potentially dangerous, including all five terrorists aboard American Airlines Flight 77. But pursuant to the rights-dictated rules, the only consequence of that identification was that the hijackers' checked luggage was screened for hidden explosives. Had the killers themselves been interviewed, there is a significant chance that their plot would've been uncovered.

Since the demise of Capps II, the privocrats have tipped their hand: Their real agenda isn't privacy, but a crippling of all security measures. Leading advocate Edward Hasbrouck has decried both a voluntary "registered traveler" option, in which passengers agree to a background check in order to circumvent some security measures, and physical screening at the gate. Bottom line: Any security precautions prior to flight constitute a civil liberties violation. It is mystifying why the government should pay heed to people who so disregard the public good.

It is difficult to know where we go from here. There is no way to keep a terrorist from flying without first trying to determine who he is. Yet the most innocuous identity verification system prior to a flight is now seen as tantamount to illegal surveillance. With the rights advocates back in the saddle of national security, al Qaeda can blithely get on with its business.

Ms. Mac Donald is a contributing editor to the Manhattan Institute's City Journal.

-- 
-----------------
R. A. Hettinga
The Internet Bearer Underwriting Corporation
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

From dave at farber.net Thu Aug 5 15:21:43 2004
From: dave at farber.net (David Farber)
Date: Thu, 5 Aug 2004 18:21:43 -0400
Subject: [IP] Your people are growing increasingly worried about a 'police state.' For such an educated audience,
Message-ID:
X-Mailer: Apple Mail (2.618)
Reply-To: dave at farber.net

Begin forwarded message:

From DaveHowe at gmx.co.uk Thu Aug 5 12:07:23 2004
From: DaveHowe at gmx.co.uk (Dave Howe)
Date: Thu, 05 Aug 2004 20:07:23 +0100
Subject: On what the NSA does with its tech
In-Reply-To: <20040805054250.48060.qmail@web40606.mail.yahoo.com>
References: <20040805054250.48060.qmail@web40606.mail.yahoo.com>
Message-ID: <4112856B.40409@gmx.co.uk>

Morlock Elloi wrote:

> Hint: all major cryptanalytic advances, where governments broke a cypher and
> general public found out few *decades* later were not of brute-force kind.

all generalizations are false, including this one. most of the WWII advances in computing were to brute-force code engines, not solve them analytically. but yes - analysis has come a long way, and it is always going to be more cost effective for the NSA to hire mathematical geniuses (at however much it costs) than to build a brute-force cracker at the keysizes available today. And cheaper still to do an end-run around the crypto and access plaintext on the microsoft-dominated internet.

From DaveHowe at gmx.co.uk Thu Aug 5 13:21:15 2004
From: DaveHowe at gmx.co.uk (Dave Howe)
Date: Thu, 05 Aug 2004 21:21:15 +0100
Subject: On what the NSA does with its tech
In-Reply-To:
References: <20040805054250.48060.qmail@web40606.mail.yahoo.com> <4112856B.40409@gmx.co.uk>
Message-ID: <411296BB.5090001@gmx.co.uk>

Pete Capelli wrote:

> On Thu, 05 Aug 2004 20:07:23 +0100, Dave Howe wrote:
>> all generalizations are false, including this one.
> Is this self-referential?

yes - some generalizations are accurate - and it's also a quote, but I may have misworded it so I didn't quotemark it or supply an attribution :)

From brian-slashdotnews at hyperreal.org Thu Aug 5 21:26:04 2004
From: brian-slashdotnews at hyperreal.org (brian-slashdotnews at hyperreal.org)
Date: 6 Aug 2004 04:26:04 -0000
Subject: Tor: A JAP Replacement
Message-ID:

Link: http://slashdot.org/article.pl?sid=04/08/05/2352235
Posted by: CowboyNeal, on 2004-08-06 01:14:00

from the trust-no-one dept.

[1]kid_wonder writes "Wired is running an article [2]describing an answer to this [3]previous /. story. Packets are sent through a network of randomly selected servers each of which knows only its predecessor and successor. Packets are unwrapped by a symmetric encryption key at each server that peels off one layer and reveals instructions for the next downstream node. As a 'connection-based low-latency anonymous communication system,' [4]Tor seems to be the answer to [5]JAP to allow anonymous networking activities of all kinds."

References

1. http://.moc.nielk-ttocs..ta..nielks/
2. http://www.wired.com/news/print/0,1294,64464,00.html
3. file://ask.slashdot.org/article.pl?sid=03/09/18/0051216&tid=158
4. http://www.freehaven.net/tor/
5. http://anon.inf.tu-dresden.de/index_en.html/

----- End forwarded message -----

Onion Routing Averts Prying Eyes
By Ann Harrison

Story location: http://www.wired.com/news/privacy/0,1848,64464,00.html

02:00 AM Aug. 05, 2004 PT

Computer programmers are modifying a communications system, originally developed by the U.S. Naval Research Lab, to help Internet users surf the Web anonymously and shield their online activities from corporate or government eyes.

The system is based on a concept called onion routing. It works like this: Messages, or packets of information, are sent through a distributed network of randomly selected servers, or nodes, each of which knows only its predecessor and successor.
Messages flowing through this network are unwrapped by a symmetric encryption key at each server that peels off one layer and reveals instructions for the next downstream node. In contrast, messages traveling across the Internet are generally not encrypted, and the path of a message can be seen easily, linking users to activities like website visits.

The Navy is financing the development of a second-generation onion-routing system called Tor, which addresses many of the flaws in the original design and makes it easier to use. The Tor client behaves like a SOCKS proxy (a common protocol for developing secure communication services), allowing applications like Mozilla, SSH and FTP clients to talk directly to Tor and route data streams through a network of onion routers, without long delays.

Onion routing does not guarantee perfect anonymity. But it helps protect users from eavesdroppers who aren't watching both the initiator and recipient of the message at the time of the transaction.

Developers say Tor can be used to prevent websites from tracking their users; block governments from collecting lists of website visitors; protect whistleblowers; and circumvent local censorship by employers, ISPs or schools that restrict access to certain online services.

The Navy is financing Tor because it wants to hide the identity of government employees who have long used anonymous communications systems for intelligence gathering and politically sensitive negotiations.

"The point of the Tor system is to spread the traffic over multiple points of control so that no one person or company has the ability to link people," said programmer Roger Dingledine.

Dingledine and Nick Mathewson, both based in Boston, are building Tor as a research platform with a worldwide community of open-source software developers.
Their goal is to blend together a wide range of users and avoid the weakness of many anonymizing services that are located on a handful of machines and vulnerable to a single point of failure.

Companies could also use Tor for discreet competitive research, said Dingledine, or to route their employees' Web browsing so employment sites like Monster can't determine which of them are trolling for a job.

"Plenty of people don't want their source IP listed in Web logs, especially .mil or .gov visitors," said Dingledine.

The security of the Tor service is proportional to the number of nodes in the system. Tor is slowly scaling and looking for tens of thousands of participants who can provide enough nodes to prevent the service from being compromised by what the project website describes as "curious telcos and brute-force attacks."

"The current Tor version very effectively builds on 20 years of development in anonymous designs," said cryptographer David Chaum, whose 1981 paper on untraceable e-mail, return addresses and digital pseudonyms set the groundwork for the Tor service.

Tor is distributed as free software under the commonly used 3-clause BSD license. About 1,000 users (it's an anonymous network, so developers aren't exactly sure) are running the service in client or server mode.

The Tor network currently includes 35 servers that forward each data stream at least three times. Each server averages 10 Kbps of bandwidth. Those with reliable Internet connections, who can support at least 1 Mbps in both directions, are being recruited as potential servers in the network.

Users are permitted to operate an unrestricted number of nodes. But Dingledine pointed out that a well-funded adversary could sign up for a large number of servers and potentially take over the network. Those who want to operate Tor routers must therefore convince the Tor directory server operators that they are trustworthy and reliable.
Dingledine said developers are trying to find ways to scale the system without having to have a human check the integrity of every new server that becomes part of the network.

Dingledine said the developers of another online anonymity project, called JAP, were forced by the German government to insert a backdoor into the program and were barred from revealing it. If anyone insisted on similar measures for Tor, Dingledine said the community of open-source developers who analyze source-code changes for each Tor revision would expose it -- as they did with JAP.

"The reason Tor works is that it's free and available software," said Dingledine. "If it was a closed source or a proprietary system, there is no way to know."

From dave at farber.net Fri Aug 6 01:56:51 2004
From: dave at farber.net (David Farber)
Date: Fri, 6 Aug 2004 04:56:51 -0400
Subject: [IP] more on a police state
Message-ID:

Begin forwarded message:

From jtrjtrjtr2001 at yahoo.com Fri Aug 6 04:58:08 2004
From: jtrjtrjtr2001 at yahoo.com (Sarad AV)
Date: Fri, 6 Aug 2004 04:58:08 -0700 (PDT)
Subject: Wired on Navy's new version of Onion Routing
In-Reply-To:
Message-ID: <20040806115808.41176.qmail@web21202.mail.yahoo.com>

hi,

Since they are using symmetric keys, for a network of 'n' nodes, each node needs to know the secret key that it shares with the remaining (n-1) nodes. Total number of symmetric keys that need to be distributed is [n*(n-1)]/2. Key management is harder when the network gets larger.

Sarath.
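The layered construction the Wired article above describes (each relay strips one layer with its own symmetric key and learns only the next hop), as an added example; this is not Tor's code and not from any post in the thread. To run with the standard library alone, the per-hop cipher is a constructed stand-in (HMAC-SHA256 in counter mode as keystream, plus an HMAC tag); relay names, keys and the request are constructed sample values, and the per-circuit keys between the sender and each relay are assumed to have been negotiated already.

```python
"""Build an onion for a path of relays and peel it hop by hop.  Added example;
the cipher below is a constructed demo primitive, not a production one."""
import hmac
import os
import struct

NONCE_LEN = 16
TAG_LEN = 16
HOP_LEN = 8  # fixed-width field carrying the next hop's name (assumption)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; stands in for a real stream cipher."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one layer: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()[:TAG_LEN]
    return nonce + ct + tag


def unseal(key: bytes, layer: bytes) -> bytes:
    """Check the tag under this relay's key, then strip the layer."""
    if len(layer) < NONCE_LEN + TAG_LEN:
        raise ValueError("layer too short")
    nonce, ct, tag = layer[:NONCE_LEN], layer[NONCE_LEN:-TAG_LEN], layer[-TAG_LEN:]
    expect = hmac.new(key, nonce + ct, "sha256").digest()[:TAG_LEN]
    if not hmac.compare_digest(expect, tag):
        raise ValueError("bad tag: wrong key or layer tampered with")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def build_onion(path: list, destination: str, keys: dict, payload: bytes) -> bytes:
    """Sender side.  keys[name] is the symmetric key shared with relay `name`.
    Wrapping goes inside-out: the last relay's layer names the destination,
    each earlier layer names the following relay."""
    next_hop, blob = destination, payload
    for name in reversed(path):
        header = next_hop.encode()
        if len(header) > HOP_LEN:
            raise ValueError("hop name too long for the fixed header field")
        blob = seal(keys[name], header.ljust(HOP_LEN, b"\0") + blob)
        next_hop = name
    return blob


def peel(key: bytes, blob: bytes):
    """Relay side: strip one layer; all it learns is the next hop's name and
    an opaque blob for that hop."""
    inner = unseal(key, blob)
    return inner[:HOP_LEN].rstrip(b"\0").decode(), inner[HOP_LEN:]


def route(first_hop: str, onion: bytes, keys: dict):
    """Simulate the relays handing the onion along.  Returns the (relay,
    next_hop) pairs each relay observed and the payload that reaches the
    destination, i.e. the first name that has no relay key."""
    observed, name, blob = [], first_hop, onion
    while name in keys:
        next_hop, blob = peel(keys[name], blob)
        observed.append((name, next_hop))
        name = next_hop
    return observed, blob


def delivers(first_hop: str, onion: bytes, keys: dict) -> bool:
    """True if every relay accepts its layer; False if any relay rejects it."""
    try:
        route(first_hop, onion, keys)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    keys = {"R1": bytes([1]) * 32, "R2": bytes([2]) * 32, "R3": bytes([3]) * 32}
    onion = build_onion(["R1", "R2", "R3"], "DEST", keys, b"GET / HTTP/1.0\r\n\r\n")
    seen, delivered = route("R1", onion, keys)
    for relay, nxt in seen:
        print(f"{relay} forwards to {nxt}")   # no relay sees the whole path
    print("delivered:", delivered)
```

A bit flipped anywhere in the outer ciphertext fails the first relay's tag check, and the middle relay's record shows only its neighbours, never the destination or the request.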
--- Sunder wrote:

> http://www.wired.com/news/print/0,1294,64464,00.html
> Onion Routing Averts Prying Eyes
> By Ann Harrison
>
> Story location:
> http://www.wired.com/news/privacy/0,1848,64464,00.html

From rforno at infowarrior.org Fri Aug 6 08:22:46 2004
From: rforno at infowarrior.org (Richard Forno)
Date: August 6, 2004 8:22:46 AM EDT
Subject: New US Passport ID Technology Has High Error Rate
Message-ID:

Here is yet another example of security theater (the illusion of effective or enhanced security) being pursued as a matter of national security -- in this case, an unbelievable 50% error rate in the security technology being implemented is deemed acceptable enough by the US government to track passports.
-rick
Infowarrior.org

Passport ID Technology Has High Error Rate
http://www.washingtonpost.com/ac2/wp-dyn/A43944-2004Aug5?language=printer

By Jonathan Krim
Washington Post Staff Writer
Friday, August 6, 2004; Page A01

The State Department is moving ahead with a plan to implant electronic identification chips in U.S. passports that will allow computer matching of facial characteristics, despite warnings that the technology is prone to a high rate of error.

Federal researchers, academics, industry experts and some privacy advocates say the government should instead use more-reliable fingerprints to help thwart potential terrorists.

The enhanced U.S. passports, scheduled to be issued next spring for people obtaining new or renewed passports, will be the first to include what is known as biometric information. Such data, which can be a fingerprint, a picture of parts of eyes or of facial characteristics, is used to verify identity and help prevent forgery.

Under State Department specifications finalized this month for companies to bid on the new system, a chip woven into the cover of the passport would contain a digital photograph of the traveler's face. That photo could then be compared with an image of the traveler taken at the passport control station, and also matched against photos of people on government watch lists.

The department chose face recognition to be consistent with standards being adopted by other nations, officials said. Those who drafted the standards reasoned that travelers are accustomed to submitting photographs and would find giving fingerprints to be intrusive.

But federal researchers who have tested face-recognition technology say its error rate is unacceptably high -- up to 50 percent if photographs are taken without proper lighting. They say the error rate is far lower for fingerprints, which could be added to the chip without violating the international standard.
< snip >

The concerns come at a time of heightened terrorism alerts and urgent calls for changes in national security from the commission investigating the Sept. 11, 2001, attacks. Among its many recommendations were quick adoption of biometric passports and more secure drivers' licenses, though the commission did not specify which type of data should be used.

< snip >

"Facial recognition isn't going to do it for us at large scale," Wayman said. "If there's a 10 percent error rate with 300 people on a 747, that's a problem."

According to tests by the National Institute for Standards and Technology, two fingerprints provide an accuracy rate of 99.6 percent. With face recognition, if the pictures are taken under controlled circumstances with proper illumination, angles and facial expression, the accuracy rate was 90 percent.

< snip >

------ End of Forwarded Message

-------------------------------------
You are subscribed as eugen at leitl.org
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/

----- End forwarded message -----

From dave at farber.net Fri Aug 6 05:29:29 2004
From: dave at farber.net (David Farber)
Date: Fri, 6 Aug 2004 08:29:29 -0400
Subject: [IP] New US Passport ID Technology Has High Error Rate
Message-ID:

Begin forwarded message:

From eugen at leitl.org Thu Aug 5 23:48:16 2004
From: eugen at leitl.org (Eugen Leitl)
Date: Fri, 6 Aug 2004 08:48:16 +0200
Subject: [IP] Your people are growing increasingly worried about a 'police state.'
For such an educated audience, (fwd from dave@farber.net)
Message-ID: <20040806064816.GH1400@leitl.org>

----- Forwarded message from David Farber -----

From sunder at sunder.net Fri Aug 6 06:17:07 2004
From: sunder at sunder.net (Sunder)
Date: Fri, 6 Aug 2004 09:17:07 -0400 (edt)
Subject: Bluetooth Security Cavities
Message-ID:

http://www.wired.com/news/print/0,1294,64463,00.html

Security Cavities Ail Bluetooth
By Kim Zetter

Story location: http://www.wired.com/news/privacy/0,1848,64463,00.html

02:00 AM Aug. 06, 2004 PT

Serious flaws discovered in Bluetooth technology used in mobile phones can let an attacker remotely download contact information from victims' address books, read their calendar appointments or peruse text messages on their phones to conduct corporate espionage.

An attacker could even plant phony text messages in a phone's memory, or turn the phone sitting in a victim's pocket or on a restaurant table top into a listening device to pick up private conversations in the phone's vicinity. Most types of attacks could be conducted without leaving a trace.

Security professionals Adam Laurie and Martin Herfurt demonstrated the attacks last week at the Black Hat and DefCon security and hacker conferences in Las Vegas.

Phone companies say the risk of this kind of attack is small, since the amount of time a victim would be vulnerable is minimal, and the attacker would have to be in proximity to the victim. But experiments, one using a common laptop and another using a prototype Bluetooth "rifle" that captured data from a mobile phone a mile away, have demonstrated that such attacks aren't so far-fetched.

----------------------Kaos-Keraunos-Kybernetos---------------------------
 + ^ + :"Our enemies are innovative and resourceful, and so are we.
  /|\
  \|/  :They never stop thinking about new ways to harm our country
 /\|/\
<--*-->:and our people, and neither do we." -G. W. Bush, 2004.08.05
 \/|\/
  /|\  :
  \|/
 + v + : War is Peace, freedom is slavery, Bush is President.
-------------------------------------------------------------------------

From sunder at sunder.net Fri Aug 6 07:53:25 2004
From: sunder at sunder.net (Sunder)
Date: Fri, 6 Aug 2004 10:53:25 -0400 (edt)
Subject: Don't smile for UK Big Brother's passport pix
Message-ID:

http://www.theregister.co.uk/2004/08/06/passport_scanners/print.html
Original URL: http://www.theregister.co.uk/2004/08/06/passport_scanners/

Home Office prohibits happy biometric passports
By Lucy Sherriff (lucy.sherriff at theregister.co.uk)
Published Friday 6th August 2004 10:08 GMT

The Home Office says all new passport photographs must be of an unsmiling face with its gob firmly shut because open mouths can confuse facial recognition systems.
From eugen at leitl.org Fri Aug 6 02:18:09 2004
From: eugen at leitl.org (Eugen Leitl)
Date: Fri, 6 Aug 2004 11:18:09 +0200
Subject: [IP] more on a police state (fwd from dave@farber.net)
Message-ID: <20040806091809.GV1400@leitl.org>

----- Forwarded message from David Farber -----

From eugen at leitl.org Fri Aug 6 02:30:49 2004
From: eugen at leitl.org (Eugen Leitl)
Date: Fri, 6 Aug 2004 11:30:49 +0200
Subject: Tor: A JAP Replacement (fwd from brian-slashdotnews@hyperreal.org)
Message-ID: <20040806093049.GB1400@leitl.org>

----- Forwarded message from brian-slashdotnews at hyperreal.org -----

From eugen at leitl.org Fri Aug 6 05:32:15 2004
From: eugen at leitl.org (Eugen Leitl)
Date: Fri, 6 Aug 2004 14:32:15 +0200
Subject: [IP] New US Passport ID Technology Has High Error Rate (fwd from dave@farber.net)
Message-ID: <20040806123215.GL1400@leitl.org>

----- Forwarded message from David Farber -----

From camera_lumina at hotmail.com Fri Aug 6 12:09:33 2004
From: camera_lumina at hotmail.com (Tyler Durden)
Date: Fri, 06 Aug 2004 15:09:33 -0400
Subject: [IP] Your people are growing increasingly worried about a 'police state.' For such an educated audience, (fwd from dave@farber.net)
Message-ID:

"So perhaps when Mr. Ashcroft erodes civil rights, you can make a valid claim that it introduces only a very slight risk of a police state, or is only the start of a trend. How much risk is enough? If events only presented a 1% chance of taking the path to a police state, would you want to tolerate it?"

Hell, for me it doesn't even get that far. I'm not willing to take a DROP of police state risk in order to enable our State's bloodlust. If we hadn't been systematically f*cking over the Moslems for the last 50 years, this might be an academic argument worth debating.

-TD

>From: Eugen Leitl
>To: cypherpunks at al-qaeda.net
>Subject: [IP] Your people are growing increasingly worried about a 'police state.'
>For such an educated audience, (fwd from dave at farber.net)
>Date: Fri, 6 Aug 2004 08:48:16 +0200
>
>----- Forwarded message from David Farber -----
>
>From: David Farber
>Date: Thu, 5 Aug 2004 18:21:43 -0400
>To: Ip
>Subject: [IP] Your people are growing increasingly worried about a 'police state.' For such an educated audience,
>X-Mailer: Apple Mail (2.618)
>Reply-To: dave at farber.net
>
>Begin forwarded message:
>
>From: Brad Templeton
>Date: August 5, 2004 5:47:16 PM EDT
>To: dave at farber.net
>Cc: NMunro at nationaljournal.com
>Subject: Re: [IP] Your people are growing increasingly worried about a 'police state.' For such an educated audience,
>
> >Subj: Your people are growing increasingly worried about a 'police state.'
> >For such an educated audience, they seem to lack any sense of proportion, a sense of history or an awareness of human nature.
>
>Indeed, as you cite, there are many police states and history is littered with ones that have risen and fallen as well.
>
>Each time a police state rose, there were those who cried that a police state was coming and were called paranoid. There were those who actively assisted the police state in coming, seeking the security it promised. There were those who assisted the police state in coming, not wanting one, but feeling those who called out the warnings were paranoid. There were those who said and did nothing.
>
>Free states are the aberration in the history of mankind. Police states (for the level of technology of the day) the norm.
>
>So perhaps when Mr. Ashcroft erodes civil rights, you can make a valid claim that it introduces only a very slight risk of a police state, or is only the start of a trend.
>
>How much risk is enough? If events only presented a 1% chance of taking the path to a police state, would you want to tolerate it?
>
>Would you find it acceptable to teeter on the edge of a police state, because you were still on the free side of the line?
>
>Often, in the defence of free speech, we find ourselves defending people expressing ideas we loathe. Nazis, pedophiles and other scum. We do it not because we welcome a world full of their messages, but because we know that if the Holocaust deniers can publish, we are _really, really_ sure that we can publish. It's not paranoia.
>
>----- End forwarded message -----

From brian-slashdotnews at hyperreal.org Fri Aug 6 09:26:03 2004
From: brian-slashdotnews at hyperreal.org (brian-slashdotnews at hyperreal.org)
Date: 6 Aug 2004 16:26:03 -0000
Subject: Ready, Aim, HACK!
Message-ID:

Link: http://slashdot.org/article.pl?sid=04/08/06/149207
Posted by: michael, on 2004-08-06 15:10:00
from the reach-out-and-touch-someone dept.

[1]KD5YPT writes "According to a story on Wired, Adam Laurie and Martin Herfurt demonstrated that they can [2]hack a Bluetooth enabled phone from up to a mile away using a sniper rifle with yagi antenna. Kinda gives a new meaning to '1337 hAx0r2'."

References

1. mailto:stweitx16 at hotmail.com
2. http://www.wired.com/news/privacy/0,1848,64463,00.html
----- End forwarded message -----

From eugen at leitl.org Fri Aug 6 08:05:23 2004
From: eugen at leitl.org (Eugen Leitl)
Date: Fri, 6 Aug 2004 17:05:23 +0200
Subject: C# UAV
Message-ID: <20040806150523.GR1400@leitl.org>

Kindly ignore absence of Hellfire periphery and (worse) the M$ marketing waffle below:

http://research.microsoft.com/displayArticle.aspx?id=685

Unmanned Flight with Windows XP Embedded
by Suzanne Ross

Project Specs:
On-board Technoland PC/104+ form factor 800MHz Crusoe computer
USB to serial device provides 4 additional RS232 communication ports
Microsoft Windows XP Embedded

Kids who graduated from balsa wood bi-planes to radio-controlled airplanes will love what's coming around the corner. Faculty and students at Cornell University have built an unmanned airplane with its own on-board, embedded control system. The large-scale model plane flies by accessing coordinates from an off-the-shelf GPS unit.

"The plane is capable of GPS guided flight, surveillance, and is very modular," said Kevin Kornegay, one of the faculty advisors for the project.

Last year, the group won an Innovation Excellence Award from Microsoft Research to continue their previous work in designing an autopilot system for a large scale model aircraft. Schools around the globe received awards from the Microsoft Research University Relations program to enable them to conduct research in emerging technologies.

"Our previous design represented a very early prototype for an autonomous aircraft.
The autopilot system was extremely heavy, it lacked software functionality, but it was a strong version one," said Kornegay.

This year the system is based on a PC/104 form factor Windows XP Embedded computer and has a variety of navigational sensors.

"The software is written in C#, and is broken into four large applications. The autopilot software resides on the airplane and allows the plane to fly complete missions without any assistance from the ground. The plane also has wireless modems, which it uses to relay telemetry to the ground, and to allow for updated mission guidelines," explains Kornegay.

The client software is written to display telemetry to the end user, for instance, where the plane is on a map or how fast it is traveling. The group developed two applications, one for a laptop or desktop computer, and one for a Pocket PC. Students monitored the airplane's flight from the Pocket PC application.

The students entered the resulting prototype in the second annual Association for Unmanned Vehicle Systems (AUVSI) student competition. In 2003, they placed first in the contest. This year, however, they lost most of their equipment in a fire just before the competition. "We still gave our software demonstration though, allowing us to place 'best of teams that didn't fly,'" said Kornegay.

The mission for the competition requires the plane to take off manually or autonomously, then autonomously navigate a course with five to ten GPS waypoints while using an onboard video or camera system to locate a series of man-made objects on the ground. Each team has 30 minutes of flight time to complete their mission. The planes will be judged on time, aircraft cost and weight, navigation accuracy, efficiency, safety and ability to locate the objects.
Cornell Student Team
Karl Schulze
Andrew Abramson
Brian Rogan
Ron Hose
Jonathon Kron
Aaron Kimball
Joe Sullivan
Will Aber

To test their flight control algorithms, the group used Microsoft Flight Simulator 2004, running the algorithms for hundreds of hours.

They used a SIG Rascal aircraft with a 110" wingspan. The aircraft is 75 >" long and weighs thirteen pounds. The students modified the vehicle for unmanned flight by replacing the factory tail with a custom lifting tail, which moved the center of gravity further towards the rear of the plane. They also installed large in-wing flaps because the wings on the airframe had a heavier than designed for load. The in-wing flaps allowed a slower stall speed and improved takeoff and landings.

The system runs off two 512 MB compact flash cards, which provide a storage system with no moving parts able to withstand up to 10,000 Gs. One compact flash card holds the operating system in a protected write mode, while the other stores a real-time flight log - a 'black box' that can be examined to diagnose problems, even if the vehicle crashes.

From rah at shipwright.com Fri Aug 6 15:34:49 2004
From: rah at shipwright.com (R. A. Hettinga)
Date: Fri, 6 Aug 2004 18:34:49 -0400
Subject: Propagating Security Context Across a Distributed Web Services Environment
Message-ID:

SYS-CON

Propagating Security Context Across a Distributed Web Services Environment
Why, when, and how
August 4, 2004
By Scott Morrison

It's a problem as old as networked computing. Consider two applications. They negotiate a level of trust.
How can that trust - or security context - be transferred to a third application, one that may exist in an entirely different security domain from the first? This problem has been solved before, but is limited by proprietary solutions that resist integration. The challenge now, which is a significant one, is to solve it again, but this time for Web services - a task complicated by the need to accommodate a broad range of established security procedures and legacy technologies.

Context in Context

Security context is an ambiguous term. Take, for example, the SSL protocol. Here, security context is largely cryptographic metadata - the master key, derived session keys, ciphers and hashes, etc. - which are associated by a public SSL session ID. The session ID exists precisely to allow reuse of these across independent connections and thus avoid the expensive public key-based handshakes that would be necessary to re-establish them. Authentication might not even be involved; such is the case with the Diffie-Hellman cipher suite.

In this article, we will explore the more fundamental problem of transferring the security context established by an act of authentication - that is, a sufficiently substantiated claim of principal identity - between applications in a Web services environment. In doing so, we will use two important OASIS Web services standards, WS-Security (WSS) and the Security Assertion Markup Language (SAML).

WSS and the Security Token Mechanism

Back when I was still in high school, my parents gathered up the family and spent a summer traveling in China. During a few days in Beijing, I had a chop, or signature seal, carved with my name rendered phonetically in Chinese. In China, chops have been used as a means of signature and identity since the period of the Warring States, nearly 2500 years ago. The chop implements a security model called proof of possession.
It is something physical you have, something you need to protect, and something you can use to create a security token that binds another object - a contract, a painting, etc. - to yourself. The binding consists of a stamp, most commonly rendered in red ink, of the name carved into the chop. The artistry of the carving establishes uniqueness and is a simple guard against forgery.

Shortly after we returned home, thieves broke into our house. Along with the usual targets for theft - items like TVs and stereos - they took, oddly enough, my chop. I've always thought that this was a strange thing to steal: were they drawn to it because it was shiny and elegant; or was it an early example of identity theft? Perhaps there are checking accounts open in my name somewhere in Fujian.

The real problem with my chop is that it really wasn't bound to my identity. It was fine for creating security tokens while I possessed it, but once lost, the thieves could create unlimited identity tokens with no real means for me to stop them.

Security tokens, of course, come in many different forms and with varied purposes. A token could transport credentials; it might describe an authorization decision; it may encapsulate a key for a cryptography session. This diversity is one of the challenges faced by the technical committee developing WS-Security. To this end, their specification does not attempt to mandate one form of security token over another; instead, it defines a simple encapsulation mechanism that should be able to accommodate most existing methods and technologies.

Thus, in WSS, applications can make claims to identity, supported by tokens. The details of how to support a particular token mechanism are defined outside the main specification, in a separate document called a token profile. Security tokens appear as elements subordinate to the header, the block in a SOAP message under which all WS-Security related parameters appear.
Most of the currently existing profiles are concerned with establishing a security context around identity. Consider, for example, username and password, probably the most familiar of all security token schemes. WSS defines a profile called - not surprisingly - the Web Services Security Username Token Profile. It defines a very simple and logical organization for usernames, passwords, and nonces; the latter enabling digest authentication schemes to provide credential validation without direct password transmission. WSS calls this type of token a proof-of-possession claim. Listing 1, taken directly from the specification, is an example. (The code is online at www.sys-con.com/websphere/sourcec.cfm.)

But what about transferring an existing context? You could argue against the need for this - after all, if you have a means of authentication, why not simply re-authenticate continuously with every independent transaction? HTTP basic authentication works in this way. When a browser successfully meets an authentication challenge, it will proactively insert credentials into the HTTP Authorization header for every subsequent request in the same realm. For some Web services applications, this is sufficient. For others, it can be tremendously expensive - the overhead of continuous credential validation can bring a directory to its knees. Furthermore, it may be unrealistic to believe that every server is capable of performing this operation. Often, this is because of access restrictions placed on central directories, perhaps due to topology, but often due to politics.

Transferring a previously established identity context, then, is a valuable thing. But it's also difficult to carry out securely. WSS provides a means to do this within its abstract token profile mechanism. Under this use case, the tokens don't establish initial identity, but describe an existing security context.
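Before moving on to context transfer, the nonce-based digest form of the Username Token Profile mentioned above, as an added example in Go that is not from the article or from any WSS implementation. The digest rule Base64(SHA-1(nonce + created + password)) is the one the profile specifies; the UsernameToken and Validator types, the replay cache, the five-minute window and the sample user are constructed for this illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"time"
)

// UsernameToken holds the four fields a digest-type UsernameToken carries;
// Nonce is base64 and Created an xsd:dateTime (RFC 3339 here). Constructed type.
type UsernameToken struct {
	Username, Nonce, Created, PasswordDigest string
}

// passwordDigest is the profile's rule: Base64(SHA-1(nonce + created + password)),
// with the nonce as raw bytes. The password itself never leaves the client.
func passwordDigest(nonce []byte, created, password string) string {
	h := sha1.New()
	h.Write(nonce)
	h.Write([]byte(created))
	h.Write([]byte(password))
	return base64.StdEncoding.EncodeToString(h.Sum(nil))
}

// NewUsernameToken is the client side: a fresh random nonce and a timestamp
// make every digest single-use.
func NewUsernameToken(user, password string, now time.Time) (UsernameToken, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return UsernameToken{}, err
	}
	created := now.UTC().Format(time.RFC3339)
	return UsernameToken{user, base64.StdEncoding.EncodeToString(nonce), created,
		passwordDigest(nonce, created, password)}, nil
}

// Validator is the server side. The scheme obliges the server to know the
// password (Lookup) so it can recompute the digest, and to remember nonces
// for the freshness Window, otherwise a captured token can be replayed.
type Validator struct {
	Lookup func(user string) (password string, ok bool)
	Window time.Duration
	seen   map[string]time.Time // nonce -> Created; prune entries older than Window
}

// Validate recomputes the digest and rejects stale, replayed or wrong tokens.
func (v *Validator) Validate(tok UsernameToken, now time.Time) error {
	created, err := time.Parse(time.RFC3339, tok.Created)
	if err != nil {
		return errors.New("malformed Created timestamp")
	}
	if age := now.Sub(created); age > v.Window || age < -v.Window {
		return errors.New("token outside freshness window")
	}
	nonce, err := base64.StdEncoding.DecodeString(tok.Nonce)
	if err != nil || len(nonce) == 0 {
		return errors.New("malformed nonce")
	}
	if _, replayed := v.seen[tok.Nonce]; replayed {
		return errors.New("nonce already used: replay")
	}
	password, ok := v.Lookup(tok.Username)
	if !ok {
		return errors.New("unknown user")
	}
	want := passwordDigest(nonce, tok.Created, password)
	if subtle.ConstantTimeCompare([]byte(want), []byte(tok.PasswordDigest)) != 1 {
		return errors.New("digest mismatch")
	}
	if v.seen == nil {
		v.seen = make(map[string]time.Time)
	}
	v.seen[tok.Nonce] = created // recorded only after success
	return nil
}

func main() {
	tok, _ := NewUsernameToken("smorrison", "constructed-password", time.Now())
	fmt.Printf("%+v\n", tok)
}
```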
These tokens have to be authoritative, so that if a token is stolen - like my chop - it can't be used to hijack or destroy an existing application or cryptography session. This challenge is addressed by the WSS SAML profile.

SAML and Context Transfer

SAML is designed to pass security information between systems. The basis of SAML is a markup language for declaring assertions. Assertions are declarations of facts about a subject. You can think of a subject as the binding of an entity, such as a person or a computer, to an identity in a security domain. Assertions are generated by an issuing authority, which may front an existing identity server such as an LDAP directory. In SAML, there are three distinct kinds of assertions:

* Authentication assertions: These statements describe acts of authentication that have already taken place. An authentication assertion does not describe another method to perform authentication, such as using an X509 certificate; it simply affirms that a subject S was authenticated by means M at time T. In listing 2, the authentication assertion declares that subject smorrison authenticated against the Layer 7 Technologies corporate directory using a password.

* Authorization assertions: An SAML issuing authority can make an authorization decision to allow or deny access for a subject to a particular resource.

* Attribute assertions: These assert that a subject is associated with a collection of attributes, represented as simple name/value pairs. For example, an SAML authority might declare that subject Scott is associated with group=developers and company=Layer 7 Technologies.

By providing a generalized attribute mechanism, SAML makes an important point: that security context is more than just authentication and authorization, but also includes associated metadata that might be important in a security decision, such as a subject holding gold status in a frequent flyer system.
In addition to assertions, SAML defines a request/response protocol for obtaining assertions from SAML authorities, bindings to protocols such as SOAP for transporting assertions and queries, and profiles, which take a more holistic approach to integrating SAML within an existing framework, such as SOAP messaging or conventional, HTML-oriented HTTP.

While the vision behind SAML has been to produce a general-purpose language for communicating security context between distributed systems, its initial focus, growing out of a widespread and immediate need, has been on browser-based communications - in particular, single sign on (SSO) for the Web. SAML defines two additional profiles to address this, and in these, we can find a model for how SAML will ultimately support Web services (see Figures 1 and 2).

Both scenarios are functionally similar. The user, authenticated on system A, clicks on a URL addressing content that resides on system B. The user should not have to re-authenticate on system B (thus establishing a separate, independent security context), but instead should transfer the existing context completely to B. To complicate matters further, B may reside in a different security domain from A, so B literally may not be able to validate the subject's credentials even if they are made available. Therefore, a trust relationship must be established between A and B, so that B relies on A's word that a subject has been necessarily and sufficiently identified. Virtually every large organization attempting to integrate their internal Web servers has encountered this problem.

The difference between these profiles appears in implementation. Figure 1 depicts a pull scenario, in which a security token, called an SAML artifact, is passed to system B as a query parameter affixed to the URL.
System B uses the artifact as a handle to take complete ownership of the security context from A; this is illustrated in the figure as a SOAP call from B to A, requesting control of the context and taking delivery as a collection of SAML assertions. SAML ensures that the server-side half of the context can only exist in a single place at any given instant.

In contrast is the push scenario, which transports the context entirely within a message - in this instance, the assertions reside as a hidden field that's POSTed in a form. This eliminates the need for system B to retrieve the context from A, but requires that the assertions be signed to prevent tampering. This is actually closer to a typical Web services scenario, where context is a security token rendered into a SOAP message, but more on that later.

In practice, this process usually involves a centralized issuing authority and clever use of HTTP redirects. But what is noteworthy here is the security model. These browser profiles rely on SSL and HTTP authentication mechanisms as a means to protect the confidentiality, integrity, and trust of assertions (or artifacts). They use existing Web security to ensure that assertions are relayed only through the subject they describe. This eliminates the threat of replay attacks and session hijacking. It's a crucial point: an assertion, even signed by an issuing authority, needs to be bound to the subject presenting it. Otherwise, what's to stop an intruder from simply copying a signed authentication assertion and using this to stake claim to that assertion's correlated security context? Unbound from identity, an assertion is like my stolen chop. In the browser profiles, secure, authenticated channels are necessary to ensure that security tokens only pass between trusted entities. In Web services, where security is implemented on a message-by-message basis and no secure channel exists, there needs to be a different approach.
WSS SAML Profile

SAML, of course, fits cleanly into the WSS Security token structure. The real challenge, though, is more subtle than syntactic contracts. WSS is about providing security on a message-by-message basis. Furthermore, it is concerned with absorbing security into the message itself and decoupling it from channel strategies like SSL to be able to provide continuity in encryption, integrity, authentication, and reliability across a diverse set of transports and intermediates - from SMTP to MOM to plain text files, in as many hops as the application demands.

The challenge, therefore, is binding a subject's identity to an assertion so that it is verifiable by the ultimate receiver of a SOAP message. SAML addresses this with an assertion element we have not encountered yet, SubjectConfirmation. An SAML issuing authority uses SubjectConfirmation to bind a particular subject's identity to an assertion. There are various strategies for this, such as including Kerberos service tickets, and these are left for specification in the relevant profile.

The WSS SAML Token Profile adopts an interesting approach. Within this element, the issuing authority can insert the subject's public key. Remember, the issuing authority is making a definitive statement about an act of authentication that has already taken place, so it's likely to hold the subject's public key. If the subject authenticated using its certificate under the WSS x509 Token Profile, the key is there. Alternatively, it should be able to retrieve the key from a trusted certificate server after firmly establishing the subject's identity under a different authentication scheme, such as username/password. The key resides within the SubjectConfirmation element, inside a standard block, a rich structure already described in the W3C XML Digital Signature specification. The issuing authority then signs the entire assertion, thus authoritatively binding assertion and key.
In this way, it's not unlike a certificate, which uses the signature of a trusted party to bind a public key to an identity (represented as a DN). Consider also, what often makes a certificate useful is the additional information residing within it. An SSL certificate binds a DNS name to the CN, thus allowing clients to verify that the TCP socket they've opened is indeed connected to the Internet entity described in the certificate. E-mail addresses were added to support similar trust validation, and v3.0 extension fields in the x509 specification promote still richer models of trust.

Listing 3 shows an authentication assertion, generated and signed by an SAML issuing authority. This signature binds the subject of the assertion to its DSA public key. It also includes its X509 certificate against which a receiver can compare a pre-existing trust relationship.

So why is this useful? Precisely because now the subject can create an undeniable association between any SOAP message it authors and this assertion. Our problem up until now has been that, even though it is signed by the issuing authority, a plain assertion could be intercepted and used by anyone. In this way, it's like the thieves who stole my chop, and could forge unlimited new messages claiming to come from me. Suppose we are a SOAP receiver - say some arbitrary service downstream - and we take delivery of a SOAP message containing an assertion claiming that Scott was authenticated at noon on Tuesday. How can we be confident that the sender of the SOAP message really is subject Scott, described in the assertion? SubjectConfirmation is the key - or perhaps better, holds the key. WS-Security calls this an endorsed claim, as it's been sanctioned by a trusted third party.

Figure 3 is a block diagram of a SOAP message that shows how it all comes together. It maps a typical message that a Web services consumer would compose while participating in an SSO scenario.
Fundamentally, this is the same as the browser SSO model illustrated in Figure 2, with SOAP service invocations substituted for HTTP/HTML. In this use case, System A might be a centralized authentication service that consumes username and password credentials (under the WSS token profile described previously), and returns a signed SAML SSO assertion (an aggregate of an authentication assertion, time of validity, and other optional attribute fields). Bound in this assertion is the public key of the authenticated subject. To compose the message in Figure 3, the consumer copies the signed assertion into the SOAP message unchanged. To prove rightful ownership of this assertion, the subject signs the message body. Remember, only the actual subject can do this, as only the subject possesses the private key paired with the public key in the assertion. This establishes an irrefutable connection between the author of the SOAP message and the assertion describing an authentication event. It is the receiver's responsibility to process this message appropriately and take action on it based on its predetermined trust relationship with the SAML issuing authority. Under SAML, the ultimate receiver of the message is called the relying party - a logical piece of nomenclature, as the receiver relies on the trust it has with an issuing authority. Listing 4 shows what the SOAP message looks like, as it might be delivered to the receiver. It's becoming complex, because we now have signatures from two different parties: the SAML issuing authority (over the assertion only); and the SOAP sender (over the message body). The sender could, of course, extend its signature across the entire envelope if that is the level of integrity that the application required. In the subject's signature block, the SecurityTokenReference element contains a reference back to the assertion, where we can retrieve the public key for signature validation.
Ultimately, what we have created is a chain to a trust root, not unlike a certificate chain. It might help to refer back to the block diagram in Figure 3 to help navigate through this complexity. There's one important detail we have yet to cover. Find the SubjectConfirmation element in the authentication assertion in Listing 4. It has a subordinate element called ConfirmationMethod. In the example, ConfirmationMethod takes the value of the SAML-defined identifier urn:oasis:names:tc:SAML:1.0:cm:holder-of-key. This informs a receiver that, when processing any SOAP message containing this assertion, the attesting entity must prove its association with the assertion using a signature. An alternative processing model is called sender-vouches, indicated by the constant urn:oasis:names:tc:SAML:1.0:cm:sender-vouches. This addresses an issue found in another common Web services scenario. In sender-vouches, the attesting entity is not the subject described in the SAML assertion. However, it is acting on behalf of that subject. The receiver, therefore, must trust that this is indeed the case, that the sender has validated the true subject in some way and is working on its behalf. To make this work, the attesting entity must protect both the relevant parts of the SOAP message and the assertion itself to prove that it has made that association (after all, with nothing to conjoin these data, the aggregation could have come from anyone). Figure 4 depicts a typical scenario where this might take place. It's very similar to the classic three-tier browser-based application - just substitute SOAP for HTTP/HTML, RMI or IIOP, and JDBC. System A is a Web services client. System B consumes and validates its credentials against an issuing authority. System C trusts that B validated A accurately, and processes messages from B with confidence that they are a consequence of an initial request of A.
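The holder-of-key and sender-vouches checks described above, as an added example that is not part of the original article and is not Layer 7's or any SAML toolkit's code. It models the two confirmation methods in Go with ECDSA P-256 signatures over a simplified byte encoding of the assertion, which stands in for XML canonicalization and the ds:Signature and ds:KeyInfo structures the article describes; the subject name "Scott", the "<Body>...</Body>" strings and the key names are constructed for the example. IssueAssertion plays the issuing authority, SignHolderOfKey the subject, SignSenderVouches the intermediary (System B), and Verify the relying party. Verify refuses a holder-of-key message whose body was signed by anyone other than the holder of the key bound in the assertion (the stolen-chop case), and refuses a sender-vouches message unless a trusted intermediary's signature covers body and assertion together.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
)

// SAML 1.x confirmation-method identifiers named in the article.
const (
	HolderOfKey   = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"
	SenderVouches = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"
)

// Assertion is a reduced model of a signed SAML authentication assertion;
// SubjectKey plays the part of the ds:KeyInfo inside SubjectConfirmation.
type Assertion struct {
	Subject, ConfirmationMethod string
	SubjectKey                  []byte // DER SubjectPublicKeyInfo (holder-of-key only)
	IssuerSignature             []byte // issuing authority's signature over signedBytes()
}

func NewSigningKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
func digest(d []byte) []byte               { h := sha256.Sum256(d); return h[:] }
func sign(k *ecdsa.PrivateKey, d []byte) ([]byte, error) { return ecdsa.SignASN1(rand.Reader, k, digest(d)) }
func verify(pub *ecdsa.PublicKey, d, sig []byte) bool  { return ecdsa.VerifyASN1(pub, digest(d), sig) }

// signedBytes stands in for canonicalizing the assertion XML minus its own ds:Signature.
func (a Assertion) signedBytes() []byte {
	return []byte(a.Subject + "\n" + a.ConfirmationMethod + "\n" + base64.StdEncoding.EncodeToString(a.SubjectKey))
}

// vouchedBytes conjoins SOAP body and assertion so that one sender-vouches signature covers both.
func vouchedBytes(a Assertion, body string) []byte {
	return append(append([]byte(body+"\n"), a.signedBytes()...), a.IssuerSignature...)
}

// IssueAssertion: the issuing authority binds subject, confirmation method and, for
// holder-of-key, the subject's public key, then signs the whole assertion.
func IssueAssertion(issuer *ecdsa.PrivateKey, subject, method string, subjectPub *ecdsa.PublicKey) (Assertion, error) {
	a := Assertion{Subject: subject, ConfirmationMethod: method}
	var err error
	if method == HolderOfKey {
		if a.SubjectKey, err = x509.MarshalPKIXPublicKey(subjectPub); err != nil {
			return a, err
		}
	}
	a.IssuerSignature, err = sign(issuer, a.signedBytes())
	return a, err
}

// SignHolderOfKey: the subject proves it holds the private half of the key bound in the
// assertion by signing the SOAP body. Whoever merely intercepted the assertion cannot.
func SignHolderOfKey(subject *ecdsa.PrivateKey, body string) ([]byte, error) {
	return sign(subject, []byte(body))
}

// SignSenderVouches: an intermediary acting for the subject signs body and assertion together.
func SignSenderVouches(voucher *ecdsa.PrivateKey, a Assertion, body string) ([]byte, error) {
	return sign(voucher, vouchedBytes(a, body))
}

// Verify is the relying party's check on a received (assertion, body, sender signature):
// issuerPub is the trusted issuing authority, voucherPub the intermediary trusted for sender-vouches (nil if none).
func Verify(a Assertion, body string, sig []byte, issuerPub, voucherPub *ecdsa.PublicKey) error {
	if !verify(issuerPub, a.signedBytes(), a.IssuerSignature) {
		return errors.New("assertion not signed by the trusted issuing authority")
	}
	switch a.ConfirmationMethod {
	case HolderOfKey:
		k, err := x509.ParsePKIXPublicKey(a.SubjectKey)
		if pub, ok := k.(*ecdsa.PublicKey); err != nil || !ok || !verify(pub, []byte(body), sig) {
			return errors.New("sender does not hold the key bound in the assertion")
		}
	case SenderVouches:
		if voucherPub == nil || !verify(voucherPub, vouchedBytes(a, body), sig) {
			return errors.New("no trusted attesting entity vouches for body and assertion together")
		}
	default:
		return fmt.Errorf("unknown confirmation method %q", a.ConfirmationMethod)
	}
	return nil
}

func main() {
	issuer, _ := NewSigningKey()
	scott, _ := NewSigningKey()
	a, _ := IssueAssertion(issuer, "Scott", HolderOfKey, &scott.PublicKey)
	sig, _ := SignHolderOfKey(scott, "<Body>transfer 100</Body>")
	fmt.Println("genuine subject:", Verify(a, "<Body>transfer 100</Body>", sig, &issuer.PublicKey, nil))
	fmt.Println("tampered body:  ", Verify(a, "<Body>transfer 999</Body>", sig, &issuer.PublicKey, nil))
}
```

A real relying party verifies the XML-DSig over the canonicalized assertion and body, checks the assertion's validity window and the issuer's key against its trust store, and for sender-vouches matches the attesting entity's signing key to a pre-established trust relationship; those steps are left out here so that the binding between the issuer's signature and the sender's signature stays in view.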
Conclusion Inside the WSS SAML token profile, we find the basic mechanism necessary to transfer one type of security context between applications using Web services. But don't lose sight of its limitations in scope and maturity. SAML - and by extension, WSS - does not deal with larger issues like cryptography or application sessions, global sign-out, or account linking. Some of these are more appropriately addressed in federation specifications like WS-Federation and Liberty. Some are addressed in other emerging standards efforts like WS-Secure Conversation and WS-Trust. Others will see light in SAML v2.0. Nevertheless, there is some very valuable work here by people who deeply understand the issues in distributed computing security, and elements of the specifications are relevant today. Which is good, because we've needed this for a long time. About the author Scott Morrison is director of Architecture at Layer 7 Technologies. Layer 7 provides technology for managing and coordinating Web services security and transaction policy across loosely coupled systems. Related: Figure 1, Figure 2, Figure 3, Figure 4, Source Code -- ----------------- R. A. Hettinga The Internet Bearer Underwriting Corporation 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' From eugen at leitl.org Fri Aug 6 09:35:05 2004 From: eugen at leitl.org (Eugen Leitl) Date: Fri, 6 Aug 2004 18:35:05 +0200 Subject: Ready, Aim, HACK!
(fwd from brian-slashdotnews@hyperreal.org) Message-ID: <20040806163505.GW1400@leitl.org> ----- Forwarded message from brian-slashdotnews at hyperreal.org ----- From mv at cdc.gov Fri Aug 6 19:53:23 2004 From: mv at cdc.gov (Major Variola (ret)) Date: Fri, 06 Aug 2004 19:53:23 -0700 Subject: Simpson scores Message-ID: <41144423.1714DC39@cdc.gov> http://www.technologyreview.com/articles/04/08/wo_garfinkel080404.asp Good article re secure hashing From brian-slashdotnews at hyperreal.org Sat Aug 7 06:26:02 2004 From: brian-slashdotnews at hyperreal.org (brian-slashdotnews at hyperreal.org) Date: 7 Aug 2004 13:26:02 -0000 Subject: Bluesniper Creator Interviewed on Gizmodo Message-ID: Link: http://slashdot.org/article.pl?sid=04/08/06/2242224 Posted by: michael, on 2004-08-07 12:19:00 from the long-shot dept. [1]carbolic writes "[2]Gizmodo interviews John Hering, one of the Bluedriving crew (of which I was one: [3]picture) and creator of the [4]Bluesniper rifle. Get the backstory on the recent 1.08 mile cellphone [5]Bluesnarf attack and find out his motivation for building the rifle and trying a snarf to a cellphone you can't even see." References 1. http://www.wifi-toys.com/ 2. http://www.gizmodo.com/archives/imterview-with-bluetooth-hacking-flexiliss-john-hering-019057.php 3. http://www.gizmodo.com/archives/images/team_flexilis.jpg 4. http://www.engadget.com/entry/3093445122266423/ 5. file://slashdot.org/article.pl?sid=04/08/06/149207&tid=172
----- End forwarded message ----- -- Eugen* Leitl leitl ______________________________________________________________ ICBM: 48.07078, 11.61144 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE http://moleculardevices.org http://nanomachines.net From eugen at leitl.org Sat Aug 7 08:31:16 2004 From: eugen at leitl.org (Eugen Leitl) Date: Sat, 7 Aug 2004 17:31:16 +0200 Subject: Bluesniper Creator Interviewed on Gizmodo (fwd from brian-slashdotnews@hyperreal.org) Message-ID: <20040807153115.GE1400@leitl.org> ----- Forwarded message from brian-slashdotnews at hyperreal.org ----- From rah at shipwright.com Sun Aug 8 05:52:16 2004 From: rah at shipwright.com (R. A. Hettinga) Date: Sun, 8 Aug 2004 08:52:16 -0400 Subject: Is Source Code Is Like a Machine Gun? Message-ID: Is Source Code Is Like a Machine Gun? Eugene Volokh has posted a message on the Cyberprof email list seeking comments on a thought experiment as to whether the same scope of first amendment protection should be accorded to a sculpture which happens also to be a working automatic weapon as to the ``source code'' of a computer program that can be used for illegal activities.1 That inspired the following response on my part: Date: Thu, 05 Aug 2004 14:19:49 EDT To: CyberProf List . . . From: "Peter D. Junger" Subject: Re: Source code distribution restrictions as speech restrictions I will try to respond without quoting at length from Eugene's message since I think that the basic difference that we have has to do with our differing understandings of the nature of computer programs, including source code and that it is probably easier to address that difference directly.
In the first place I cannot see how source code differs significantly from any other computer program or, for that matter, from any other data stored or transmitted as text, including as a string or stream of binary digits. Something very important seems to be missing from Eugene's thought experiment: any reference to a computer. Yet it is a computer, and not a computer program, that corresponds to Eugene's machine gun. The computer and the machine gun are both tangible objects that persist for a period of time in three dimensional space. Source code or any other data that is processable by a computer is, on the other hand, pure information--nothing more or less than a pattern or a number--and though a representation of that information can be stored in, or on, some tangible medium like a compact disk or a piece of paper, that compact disk or piece of paper is not the source code or other data. (This is, I believe, equivalent to the fact that in the law of copyright a copy of a work fixed in a tangible medium of expression is not the intangible work itself.) Come to think of it, one can merge the machine gun and the source code by etching the source code on the side of the machine gun, just as runes used to be etched on sword blades or the words ``drink me'' were affixed to the bottle that Alice came across at the bottom of the rabbit hole. Frankly I don't see how that could somehow make it unconstitutional for the state to outlaw the possession of the sword or the machine gun or the pure food and drug people to outlaw the sale and distribution of the liquid contents of Alice's bottle. But I would rather focus on the computer, rather than on the example of the compact disk, because a compact disk just sits there and doesn't do anything by itself whereas the computer --like the machine gun--actually does something and so is functional in the way that a machine gun is functional and source code, whether or not fixed in a tangible medium, isn't. 
There is, of course, an important distinction between the functionality of a machine gun and that of a computer. The function of a machine gun is to kill. The function of a computer, on the other hand, is to compute, and to compute is to process information. Computers, by the way, used to be people, who came equipped with ten digits. Modern computers, on the other hand, are machines that are wired (or otherwise structured) to process information represented as binary digits. Now, since the computer has to a large extent replaced printing presses and linotype machines, I find it difficult to believe that the freedom of the press protected by the first amendment would permit the outlawing of computers even though the need for a well regulated militia protected by the second amendment does not forbid the outlawing of machine guns. But Eugene's thought experiment does not deal with computers so I do not need to pursue the question of whether computers can be outlawed constitutionally. All that a computer does is process information. Data encoded in the form of binary digits--which can be called ``source code''--is fed into a computer which then processes that data in accordance with the way in which it is wired and outputs other data encoded in the form of binary digits--which can, if one wishes, be called ``object code.'' Now rewiring a computer is called programming a computer, and that object code can--if it satisfies various syntactical requirements--be fed into the computer in a way that causes the computer to be reprogrammed, that is, to be rewired. But the program does not do anything and it certainly does not rewire the computer. To run the program someone must, directly or indirectly, flick a switch that causes the computer to rewire itself in accordance with the specifications (the ``instructions'' or the ``description'') contained in the program. And it is the computer that, like the machine gun, has the moving parts and thus does the functioning.
Another way to put it is that all that a computer does is to manipulate text. The input is text, the program is text, and the output is text. And all that source code, or any other code, is is text. Now, of course, the protections of the first amendment are not absolute, so the writing and publication of source code, like any other text, can be forbidden if there is a strong enough justification. But, since code in no way resembles a machine gun, its resemblance to a machine gun cannot be that justification. And by the way, the fact that some text may be too ``functional'' to be copyrighted in no way suggests that it is not protected by the first amendment. If a text is useless there is, in fact, little reason to give it first amendment protection. This was written in considerable haste and undoubtedly contains large gaps in its reasoning. I have, however, some other work to do, and so I will end it here. After I posted that response to the Cyberprof list, I received the following inquiry off list: Just out of curiosity, would you liken software to the thought processes that are used to control the computer (and the machine gun)? If so, would restrictions on source code be more akin to thought control, rather than restrictions on devices? Here is my response to that question: [T]he quick answer is that I think of computers properly programmed as prosthetics that help us think (and perceive) like glasses and hearing aids and paper and pencils (and the invention of the alphabet and of mathematical notations) and so I do think that restrictions of software and also on computers amount to thought control. Consider the fact that there is hardly anyone left in the world who can calculate square roots now that it is so easy to do the calculation using a calculator. I consider doing arithmetical and logical calculations to be a (very small) part of what is involved in thought, but they definitely are thought processes.
(I wouldn't say though that the thought processes are programs if one considers a program to be text. Programs are not processes, they are descriptions of or instructions for implementing a process.)2 For discussions of related issues see the entries on Expression Has Nothing to Do with It, Publishing Bombmaking Information and the First Amendment, and Copyright and the Confusion of ``Software''. Peter D. Junger 2004-08-07 From rah at shipwright.com Sun Aug 8 05:53:57 2004 From: rah at shipwright.com (R. A. Hettinga) Date: Sun, 8 Aug 2004 08:53:57 -0400 Subject: Every Vote Counts - If It's Counted Message-ID: CJR Campaign Desk: Archives Critique and analysis of 2004 campaign coverage from Columbia Journalism Review The Longer View August 08, 2004 Every Vote Counts - If It's Counted By Susan Q. Stranahan On November 2, millions of Americans will vote on computers, many of which may be vulnerable to partisan hackers, disgruntled poll workers, or anyone else with a desire to alter the outcome of the election, writes Ronnie Dugger in the current issue of The Nation. "The result," he says, "could be the failure of an American presidential election and its collapse into suspicions, accusations and a civic fury that will make Florida 2000 seem like a family spat in the kitchen." Dugger's detailed analysis of the problems of electronic voting and the potential for fraud and error would seem to be a crucial election story of 2004, full of the stuff journalists love -- hints of skullduggery, cronyism, and conflicts of interest.
But, with a few exceptions, the advent of e-voting has remained an issue hovering persistently beneath the media's radar. The stories that have appeared largely have been local, piecemeal and rarely rise much beyond the "he said/she said" level of reporting. As a result, the public -- to the extent that it's even aware of the controversy -- is left to its own devices to figure out a complex issue, with considerable ramifications. New York Times editorial page writer Adam Cohen is one of the very few who has delved into the subject, spending much of the year writing about the "mechanics" of democracy in a series entitled "Making Votes Count." Electronic voting -- and its lack of accountability -- has been a frequent topic. Cohen, a lawyer with an interest in politics and technology, opened his series last January with this warning: The morning after the 2000 election, Americans woke up to a disturbing realization: Our electoral system was too flawed to say with certainty who had won. Three years later, things may actually be worse. If this year's presidential election is at all close, there is every reason to believe that there will be another national trauma over who the rightful winner is, this time compounded by troubling new questions about the reliability of electronic voting machines. This is no way to run a democracy. Given the media's lack of interest in the subject, it can also be said: This is no way to cover one, either. Come November, can you be sure that your vote will be accurately recorded? It seems a rather fundamental question that cries out for an answer. About one-third of the expected computerized vote this fall will be tabulated by touch-screen machines that will provide no paper trail of a voter's choices, and, as a result, are vulnerable to tampering. 
Writes Dugger: "The United States therefore faces the likelihood that about three out of 10 of the votes in the national election this November will be unverifiable, unauditable and unrecountable." In Florida, where the outcome of the 2000 presidential election remained in limbo for 36 days due to voting irregularities, more than half the state's voters will rely on paperless touch-screen systems. Florida is a crucial swing state, with its winner garnering 27 electoral votes -- 10 percent of the total needed. Ironically, it was the chaos of the Florida returns four years ago that catapulted the nation towards electronic voting. In 2002, Congress passed the Help America Vote Act, and when President Bush signed it, he declared that "when problems arise in the administration of elections, we have a responsibility to fix them." But, as the Times' Cohen noted earlier this year, the president's budget provided only $40 million of the $800 million promised by Congress for election improvements at the state level. Wrote Cohen: "[N]either the president nor Congress is very serious about fixing the system." Some states scrambled to switch to electronic voting, and for the limited federal funds to buy new equipment. About 20 percent of the nation's 3,114 counties will have switched completely to computerized voting by November, according to Election Data Services, Inc., a Washington, D.C. research company. (Some of those machines offer a printed copy of the ballot as a backup; some do not.) But the states also discovered that there are no federal guidelines or security standards for the equipment. That will come at a later date, long after this presidential vote. (The Election Assistance Commission, appointed by President Bush to set those standards and oversee the transition, has been slow to get organized, in part because of a lack of funding.) 
The electronic voting market is dominated by a handful of companies, which stand to make huge profits from the shift to touch-screen computers and the software that runs them. Nearly 100 million votes will be cast on the computers operated by this tiny group, which has aggressively promoted its product and just as vigorously defended the secrecy and reliability of its technology. Diebold, Inc., of North Canton, Ohio, holds about 45 percent of the equipment market. Its track record thus far has been less than impressive, and not necessarily reassuring. As Dallas Morning News reporter Vikas Bajaj noted (registration required), Diebold has "become a lightning rod for the industry": In April, California Secretary of State Kevin Shelley, citing security concerns, banned Diebold machines in four counties. He has also required that any electronic voting machines the state buys must have verified paper trails. Ohio's legislature in May required that all electronic voting machines have paper trails by 2006. In July, the state's secretary of state, J. Kenneth Blackwell, stopped the use of Diebold machines in three counties, saying they hadn't met security requirements. Diebold's problems don't stop there. Critics cite a fund-raising letter written last year by the company's chairman and chief executive, Walden O'Dell, who said he was "committed to helping Ohio deliver its electoral votes to the president." He has since apologized. More worrisome to many experts, however, is the apparent vulnerability of the so-called source code used in the Diebold machines. "Given the gravity of the security failings the computer security community has documented, it is irresponsible to move forward without addressing them," Dr. Avi Rubin, a computer science professor and technical director of the Information Security Institute at Johns Hopkins University told a House committee last month. 
As Knight Ridder's Sumana Chatterjee wrote: "The main problem, according to Rubin, is that there's no way for election officials to be sure that electronic machines are free of codes designed to manipulate results. Companies are reluctant to share their 'source code,' the proprietary software that controls voting and tabulating results, so their software can be checked independently." Backers of computerized voting -- among them many state and local election officials -- dispute the critics' worries about vulnerability. Chatterjee quoted Linda Lamone, Maryland state administrator of elections, who also testified before the committee: "Although any electronic voting system is hypothetically 'hackable,' I am confident that the likelihood of this occurring is extremely remote." Hackers would need a working knowledge of the software's specific programming language and gain physical access to computer servers and voting machines, she testified. Unlikely, maybe, but the first of those two conditions has already been met. Bev Harris, a Seattle literary agent and voting rights advocate, has become something of a legend among critics of e-voting. Miami Herald columnist Jim Defede wrote about Harris last month: Concerned about the lack of security, Harris Googled Diebold, hoping to find a computer engineer or programmer who could put her fears to rest. Instead, she stumbled across a link to 40,000 files of the company's ultra-secret source codes, which she downloaded and posted on her own web site, asking experts for help in analyzing the information. Diebold obtained a court order shutting down her site. Ultimately the codes were posted on the congressional website of Democratic Rep. Dennis Kucinich. Diebold claims the code was outdated and no longer in use. 
In Georgia during the run-up to the 2002 Senate race, as The Times' Adam Cohen reported, Diebold machines were plagued by hardware and software problems, and the company on several occasions sent "patches" -- programming updates -- for installation. (The software was installed without the required review and approval by the Georgia Secretary of State.) When the votes were counted, Sen. Max Cleland, a Vietnam war hero and triple amputee, who held a strong lead in the polls before Election Day, suffered a decisive loss to challenger Saxby Chambliss (who also ran ads picturing Cleland with Osama bin Laden). Critics, like Bev Harris, questioned whether the patches could have converted Cleland votes into Chambliss votes. Because there was no paper trail, there was no evidence to prove or disprove the allegation. In his series, Cohen notes that the secrecy over source code may be a red herring. Source code can be produced, if authorities insist. Nevada gaming officials have instant access to source codes and all equipment at casinos in the state without compromising proprietary information. Ironically, he says, "gamblers are more protected than voters." Critics of e-voting come from two camps -- a growing number of local activist groups around the country which last month sponsored a national "The Computer Ate My Vote Day," and computer security experts. The Nation's Dugger quotes one of the most outspoken, Dr. David Dill of Stanford University: Last fall during a public talk on "The Voting Machine War" for advanced computer-science students at Stanford, Dill asked, "Why am I always being asked to prove these systems aren't secure? The burden of proof ought to be on the vendor. You ask about the hardware. 'Secret.' The software? 'Secret.' What's the cryptography? 'Can't tell you because that'll compromise the secrecy of the machines.' ... Federal testing procedures? 'Secret'! Results of the tests? 'Secret'! Basically we are required to have blind faith."
Dugger also quotes recent testimony from Johns Hopkins' Avi Rubin to the federal Election Assistance Commission: "I do not know of a single computer security expert who would testify that these machines are secure." Advocates of e-voting have portrayed criticism as coming from a handful of unhappy academics, or as being motivated by partisan politics -- claims the media have largely bought into. Among the chief proponents of the new system is Gov. Jeb Bush, who presided over the 2000 debacle from which his brother emerged with an official winning margin of 537 votes. As the Miami Herald reported last month, Gov. Bush has suggested that, as the paper put it, "people who repeatedly raise questions about the touch-screen machines were doing it to motivate their voters in the upcoming presidential election, in which Florida will be a battleground state." But that's not necessarily true elsewhere. The Republican secretaries of state in Nevada and Missouri -- both expected to be hotly contested this fall -- have expressed concerns about the reliability of the equipment. As a result, they have required that touch-screen voting machines also be equipped with a "voter-verified paper trail" in November. (This is an inexpensive add-on to the machine, which allows a voter to confirm manually his or her vote before it is cast; that confirmation is retained independently of the computer tally in the event a recount is required.) It is this type of backup that Adam Cohen and others believe will eliminate many of the potential problems with e-voting. Nevada's 2,000 electronic voting machines will all come equipped with printers this fall. Secretary of State Dean Heller told the Associated Press that paper receipts are "an intrinsic component of voter confidence." Nevada is the first state to institute such a policy statewide. Nationally, legislation requiring printed backups is pending in both the House and Senate -- but no action is expected before November. 
So, the question remains: Will this year's contested presidential election proceed smoothly, or will the scenario be closer to what a letter-writer to The New York Times predicted: "[T]he havoc wreaked by the butterfly ballot [in 2000] will soon be compounded by a plague of worms, the kind encoded in electronic voting machines that leave no 'voter verified paper trail.'" No one knows. But it sure sounds like a story worth pursuing by more than a few lonely souls like The Nation's Ronnie Dugger and the Times' Adam Cohen. Posted 08/08/04 at 12:01 AM From sonofgomez709 at yahoo.com Sun Aug 8 10:28:11 2004 From: sonofgomez709 at yahoo.com (PerformanceArt) Date: Sun, 8 Aug 2004 10:28:11 -0700 Subject: Every Vote Counts - If It's Counted References: Message-ID: <001501c47d6d$17b4d210$7b254e45@arnold> Jim Bell For President! From mv at cdc.gov Sun Aug 8 11:40:38 2004 From: mv at cdc.gov (Major Variola (ret)) Date: Sun, 08 Aug 2004 11:40:38 -0700 Subject: Wired on Navy's new version of Onion Routing Message-ID: <411673A6.915D2E4A@cdc.gov> At 04:58 AM 8/6/04 -0700, Sarad AV wrote: >Since they are using symmetric keys, for a network of >'n' nodes, each node needs to know the secret key that >they share with the remaining (n-1) nodes. Total number >of symmetric keys that need to be distributed is >[n*(n-1)]/2. Key management is harder when the >network gets larger. That's not the problem ---if your node freely gives out its public key, no problem collecting them.
The real problem is: how do you know it's truly a given node's key? The web of trust is full of holes :-), trust isn't transitive, and Verislime is 1. not liable 2. 0wn3d by the Fedz. From mv at cdc.gov Sun Aug 8 11:52:48 2004 From: mv at cdc.gov (Major Variola (ret)) Date: Sun, 08 Aug 2004 11:52:48 -0700 Subject: Bluesniper question Message-ID: <4116767F.BCD0C31A@cdc.gov> Why do the long range RF folks always use Yagis? Aren't Yagis supposed to be fairly broadband? Aren't there other highly-directional (ie high gain in one direction) antennae which (simply by virtue of being narrow bandwidth) would be better? Or is it that Yagi's broadband-ness allows for more slop in manufacturing, as when you're using pringles & hardware-store washers? BTW seems to me that a (wire-mesh, thank you Morlock) parabolic would be better. The optical scope can look right through the mesh. (Use a night vision scope and IR beacon on your target if the target agrees, or is in a parked car with hot brake pads. In Calif NV scopes can't be put on rifles that launch projectiles but you're not launching anything but photons (in the case of sending Bluetooth commands.) PS: From the photo the Yagi rifles look like they are polarization sensitive, having linear (vs + shaped) directors. From mv at cdc.gov Sun Aug 8 12:30:18 2004 From: mv at cdc.gov (Major Variola (ret)) Date: Sun, 08 Aug 2004 12:30:18 -0700 Subject: Is Source Code Is Like a Machine Gun? Message-ID: <41167F4A.6E914473@cdc.gov> Re "Is Source Code Is Like a Machine Gun?" A better thought experiment would be a numerically controlled machine and a control tape, which, when the machine is turned on, produces sculpture that is also a machine gun (or merely the sear for a machine gun which can be dropped into a semi-automatic commodity rifle). The NCM is as neutral as the CPU. Also Junger is incorrect when he says "the function of a machine gun is to kill".
The function of a machine gun is to propel bullets at a given rate, given a supply of cartridges, when asked to do so by a human. The human who points the machine gun decides whether to kill or merely punch holes in paper. If you don't understand the distinction you should probably avoid handling sharp objects. And you probably don't understand that a P2P program is not for ripping off hollywood but for free communication; it's the user who decides what content to use the tool with. >> Eugene Volokh has posted a message on the Cyberprof email list seeking comments on a thought experiment as to whether the same scope of first amendment protection should be accorded to a sculpture which happens also to be a working automatic weapon as to the ``source code'' of a computer program that can be used for illegal activities.<< From emc at artifact.psychedelic.net Sun Aug 8 15:44:48 2004 From: emc at artifact.psychedelic.net (Eric Cordian) Date: Sun, 8 Aug 2004 15:44:48 -0700 (PDT) Subject: IRS may use First Data info for help in finding tax evaders In-Reply-To: Message-ID: <200408082244.i78MimkY004152@artifact.psychedelic.net> RAH pasted: > A federal judge has granted the Internal Revenue Service the right to seek > information from First Data Corp. about certain credit-card transactions > the company has processed. > The IRS wants the information as part of its crackdown on tax evaders. > Specifically, the IRS wants information about holders of American Express, > Visa and MasterCard credit cards that were issued by or on behalf of > certain offshore financial institutions. > The government listed more than 30 offshore jurisdictions, including > Aruba, the Bahamas, Bermuda, the Cayman Islands, Hong Kong, Singapore and > Switzerland. > The IRS said in a court filing that it believes those account holders "may > fail, or may have failed, to comply with internal revenue laws." Anonymity good. Confidentiality bad. -- Eric Michael Cordian 0+ O:.T:.O:.
Mathematical Munitions Division
"Do What Thou Wilt Shall Be The Whole Of The Law"

From measl at mfn.org Sun Aug 8 14:29:07 2004
From: measl at mfn.org (J.A. Terranson)
Date: Sun, 8 Aug 2004 16:29:07 -0500 (CDT)
Subject: name of the Tor twin?
In-Reply-To: <20040808214417.GD1477@leitl.org>
References: <20040808214417.GD1477@leitl.org>
Message-ID: <20040808162857.G672@ubzr.zsa.bet>

On Sun, 8 Aug 2004, Eugen Leitl wrote:

> Date: Sun, 8 Aug 2004 23:44:17 +0200
> From: Eugen Leitl
> To: cypherpunks at al-qaeda.net
> Subject: name of the Tor twin?
>
> I recall a TCP/IP traffic remixing network (not a socks proxy like
> Tor) coming over the list a while back. My bookmarks are away, what's the
> name of the thing? Not p2net, something similar.
>
> Hello Brain, this is Pinky. Please help.

Crowds?

-- 
Yours,
J.A. Terranson
sysadmin at mfn.org
0xBD4A95BF

From rah at shipwright.com Sun Aug 8 16:19:19 2004
From: rah at shipwright.com (R. A. Hettinga)
Date: Sun, 8 Aug 2004 19:19:19 -0400
Subject: "...and Mr. Hughes wants to give it to him."
Message-ID:

Linux Journal - The Premier Magazine of the Linux Community

Guest Editorial
Date: Thursday, July 01, 1999
Topic: Linux Community

Eric Hughes

The average Joe wants something for nothing, and Mr. Hughes wants to give it to him.

I paid for my university education, in that I paid an institution for access to its faculty and for use of its facilities. The knowledge was free; all I had to do was take advantage of the fact that it was there for the learning. I've told many people about things I learned in school. I didn't need to pay a license fee to tell other people about Hamiltonian mechanics or Gödel incompleteness.
The academics who created this body of knowledge published papers and gave away their knowledge. As far as I'm concerned, I got something for nothing from them. Michael Faraday discovered electromagnetic induction and thereby paved the way for the electricity and electronics industry. The value he captured from this development was nowhere near all the value he created for everyone else. Such was his station in life. He made the choice to freely give his time to the advancement of science. Many others have followed his example, but nowhere near a majority. Yet this tiny fraction of people has exerted a significant, disproportional change on the world. Such is the fate of certain knowledge workers. Get used to it.

On first blush, software appears to follow this academic pathway. Yet software has users, who must find the software useful to keep it. Researchers do not have to make their output useful, just accurate, novel and potentially useful. To wit, researchers don't have to do market research. Clearly, software developers don't think they have to understand their users. Developers need to understand their users only when they expect to have users.

The distribution of software clearly follows the model of academic knowledge--create it once for free, then make the user pay for its distribution. Yet the creation of software does not mirror the creation of knowledge quite so accurately. The principle of ``academic freedom'' is about as antithetical to the principle of ``attaining user benefit'' as possible. The two just don't fit and can't.

The university never had a monopoly on creating knowledge--or on developing free software--and it never will. The university, however, does embody the understanding that some development requires nurturing that cannot be easily obtained elsewhere. Software development has no such analogous institutions, and it needs one that is not the university.

This new institution should be a non-profit, tax-exempt corporation especially created to pay for the design, construction and delivery of public software. Let's be obvious about this: giving away software for free is about as close as possible to the center of the charitable purpose requirement of a tax-exempt company. Like the university, the staff--no, let us call them the talent--the talent working at this institution are not motivated by dreams of entrepreneurial riches, but by the advancement of the craft. The talent needs to come from a wide variety of disciplines, essentially all that are present at a for-profit software company. This new institution will always be in competition with commercial interests for talent, so it will have to pay for talent accordingly. Talent gets paid, the institution creates some well-needed feeling of solidity, and regular folks get free software.

``Public software'' is any software that people can obtain and use without any entanglement with intellectual property issues. Public software also denotes the ubiquity of the software and the corresponding expectation that people encounter it frequently. Some open-source software is public software, some is not. Public software is a concept rooted in the nature of its end use, not in the means of creating it.

All the wrangling over license terms for derivative works has obscured the obvious point that the license is in service of some goal; if you don't name your goal, you can't possibly attain it. I know what my goal is--it is free beer. I still can't figure out how the claim that the GNU Public License encourages free speech is not utterly disingenuous. The GPL is the opposite of free speech; it's a highly detailed copyright agreement with the purpose of restricting the expression of derivative works. If I can't keep an expression to myself, I am restricted.

All license agreements begin from the starting point of complete restriction, that is, total prohibition against use, and then work forward from that point. The summit of free speech is public domain expression--if you want to speak it again, go ahead, and for whatever purpose you care to seek. As much as I am an advocate of free speech and all other civil rights, my purpose with public software is not free speech--it's free beer.

The crucial reason the GPL has achieved such limited success in scope is that its purpose is to benefit programmers who want access to code, not to benefit outside customers. Whatever benefit an outside customer gains is ancillary to the benefit to programmers. This observation also explains why most GPL code is in development tools and environments. To be blunt, the GPL is a selfish contract for selfish purposes which cannot possibly be generalized.

The open-source model, by contrast, is a technique in search of goals. Open Source encompasses the goals of the GPL, and indeed found some of its initial inspiration there. Yet Open Source also encompasses other disparate goals, such as those for Mozilla. I want to promote Open Source, but as part of my desire to promote public software. My goal is compatible with Open Source, but I seek Open Source not to promulgate its own merits, but as an enabler of public software. Indeed, I fear sometimes that the Open Source movement may fall to the hazard that is the core selfishness of the GPL. In an attempt to seek openness, its promoters may forget that, whatever benefit they derive from access to code, they must place benefits to users first. By avoiding that hazard, I am confident good results will come from the hubbub of activity surrounding Open Source. I wish them well, but their effort is not identical to mine. My effort is toward public software. The natural venue for the release of public software is the new institution.

The value of any software derives in large part from the solidity and gravity of the organization that creates it. Ferreting out those expectations about the future which affect the net present use value of software is another essay. Let me observe, without justification, that people overwhelmingly prefer code that is stable, architecture that is well-designed, products that can be repaired and upgraded, and companies that will endure. Most people lack the means to evaluate technical merit in software. Even more people prefer to do things other than evaluate software. For almost everybody, one's expectations about the institution stand in as a proxy for all that thinking. Since I want public software to become ubiquitous, I want the new institution to ship product.

I have not yet mentioned sustainability of the new institution, because concerns about sustainability are concerns about means, not about goals. A coherent and organizing focus on what needs to be accomplished has been lacking; instead, we have had endless fretting about how to do it--whatever this ``it'' is. For all of its faults, at least Richard Stallman elucidated a clear goal for the GPL: ``Make all source code everywhere usable by me personally.'' A selfish goal, but at least it roused the mutually self-interested to action. I cannot name another general goal that has inspired more coherent effort in this area. There has been much agreement about techniques, but I have seen no successor--in goals--to the free software manifesto and the GPL. Nor do I want a single successor. I want to see many inspirations for creative technical work. Some may overlap; some may conflict--this is of no matter. I want to see manifestos that exult in the clarity of their vision. I want to see new approaches conceived in the understanding of the obstacles to victory.

Here, for example, is one such possible goal for Linux: I want Linux to be the only conceivable choice for every commercial and personal use of operating systems. I want universal device support, instant installation, zero administration and a completely correct implementation. We will know we have succeeded when Microsoft's market capitalization suddenly drops to exactly its cash balance.

No institution can survive on a single goal, for when that goal is accomplished, the purpose of the institution fades. The life spring of an institution, that whence all material support arises, is the stream of specific purposes that passes through it. Universities achieve this with tenure and academic freedom. The new institution, for its existence and its continuation, requires this same kind of stream of purposes.

I want software for nothing; thus I require cooperation with others. Given my goal of just-use-it-ware, I propose the means of a new institution. As a means to a means, we now have to examine the grungy underbelly of institutional sustainability. Or, to wit, who pays?

If you grant the desirability of the goal (no-fee software) and the usefulness of the means (the new institution), then we need not become spooked when we discover sustainability is hard. Once we know our goal, we may persevere in seeking it and not be distracted by less attractive or undesirable goals.

The first, almost too-obvious place to look for resources is the existing network of public and government money that funds such non-profit endeavors as public broadcasting and particle accelerators. No one can do this alone. Who would give a few million dollars to a hastily organized bunch of technical guys who look suspiciously like the ``Hacker Development Environment League''? If the point of the institution is software that benefits the public directly as a whole (and not indirectly, with compilers), then we need representatives on the board who are believable and legitimate to the various constituencies who might provide funding. That means people outside the computer industry.

As a rule of thumb, the university takes one-third of each grant to support the institution. This is simply the necessary overhead to have an institution and not just a group of researchers. Rather than worrying about the shibboleth of ``efficiency'' of the grant allocation, accept that the very existence of the institution is of separate efficacy.

The institution creates value--value in solidity, value in stability, value in longevity--that individuals and informal groups can never provide. The total value of software is far more than the actual running code. Software of uncertain provenance and indeterminate future is mostly worthless. If you disbelieve this, go look at market share estimates. Put an institution behind that same code and it suddenly becomes valuable. To be generous, maybe one-quarter of the total value of software comes from the product. We can get the other three-quarters value from an institution and pay for the institution with only half the money we spend directly on talent. Still worried about efficiency? Three times the value for half the money, and institutional maintenance is looking six times more productive than the talent.

It's not that the developers are unproductive. The mythos of the hacker community rests in the power of a small number of programmers to change the world. When put this way, the effort is discrete and the change is instantaneous. In other words, the formulation is one of magic, not of economics. Extensive change comes only from sustained effort by numerous people with aligned goals. Unless there are people who nurture the project without interruption, these efforts at change wither and become of no consequence.

Those who have set their lives around the mythos of the magical coder urgently need assistance in completing their work. I believe in this mythos. I do not identify it as magical in order to kill it, but rather to feed it. The new institution I advocate herein is a completion of the creative spark at the heart of all good software.

The activity here is not merely inventing such mechanisms and analyzing them, but also mounting experiments. The institution needs fiscal solidity in order to have the confidence to attempt new forms of support.

A first, concrete funding goal would be to build an endowment fund. Rather than endowing a chair in which a single researcher sits, I want to endow a table around which a release committee shall meet. Here's a specific beginning goal for such a new institution: a $25 million endowment for the Linux Release Table. The residual investment income would be adequate for five members of the table, two paid interns and two administrative staff members, all full-time positions. This table would not do any technical work, but would coordinate planning, architecture, development and release. Now this table could not possibly encompass the breadth of activity generated from a ubiquitous, dominant Linux; clearly, more people and more money and more structures would be necessary. Yet this first endowment could be the seed of a full set of institutional structures surrounding Linux.

The focus on endowed tables for release is one of the lessons learned from the open-source world and from Java. Namely, who matters more than how--the party who releases new versions of a product matters more than how the license terms read. The new institution needs to focus strategically on branding and compatibility as keystones to generating value for users. No matter what the licenses for intellectual property are, the association of the institution with the product is the critical element in delivering the value of the institution. Branding is the manifestation of this association and is the initial point of its delivery. Compatibility prevents pollution of the brand and thereby ensures its longevity. Trademark licensing enables control of the brand and subsequent control over compatibility. Sun has masterfully demonstrated with Java how to pull off this trick. How much better if one of the new institutions had pulled it off instead!

I have suggested a new institution; I also suggest a new idea for an institution. A mature field of public software creation could not subsist on a single organization of this new type. No initial efforts in creating these new institutions should be taken as an excuse to defer one's own effort away from building a ``competing'' institution. The principle of the new institution is public and cooperative, not singular and nepotistic. I should hope for jockeying for position between institutions, only as a convivial process of mutual betterment.

The average Joe wants something for nothing. With knowledge and information, we can come as close as possible to this ideal. Let the scarcity economists haggle over flesh. We won't appreciably change GDP figures. The new institution is an exercise in abundance economics. Free knowledge and information add untold real wealth to the world. Let our revenge upon scarcity be that its limitation upon wealth become minuscule.

Eric Hughes (eric at sac.net) was one of the founders of cypherpunks, and has been worried about software infrastructure ever since. He is Chief Technology Officer of Signet Assurance Company, LLC, a development company soon to announce its first products and services.

-- 
-----------------
R. A. Hettinga
The Internet Bearer Underwriting Corporation
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience."
-- Edward Gibbon, 'Decline and Fall of the Roman Empire'

From eugen at leitl.org Sun Aug 8 14:44:17 2004
From: eugen at leitl.org (Eugen Leitl)
Date: Sun, 8 Aug 2004 23:44:17 +0200
Subject: name of the Tor twin?
Message-ID: <20040808214417.GD1477@leitl.org>

I recall a TCP/IP traffic remixing network (not a socks proxy like Tor) coming over the list a while back. My bookmarks are away, what's the name of the thing? Not p2net, something similar.

Hello Brain, this is Pinky. Please help.

-- 
Eugen* Leitl leitl
______________________________________________________________
ICBM: 48.07078, 11.61144 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
http://moleculardevices.org http://nanomachines.net

From eugen at leitl.org Sun Aug 8 22:54:29 2004
From: eugen at leitl.org (Eugen Leitl)
Date: Mon, 9 Aug 2004 07:54:29 +0200
Subject: name of the Tor twin?
In-Reply-To: <20040808155006.U48828@v2c.arg>
References: <20040808214417.GD1477@leitl.org> <20040808155006.U48828@v2c.arg>
Message-ID: <20040809055428.GI1477@leitl.org>

On Sun, Aug 08, 2004 at 03:55:07PM -0700, jrandom wrote:

> We're not ready for widespread use yet, but I've been working on it
> fulltime for over a year, and we've made a lot of progress. I'll

Thanks. I've just got spare bandwidth I'd like to put to good use (and increase the amount of opaque traffic).

> post more when there's more to post.

-- 
Eugen* Leitl leitl

From rah at shipwright.com Mon Aug 9 06:24:14 2004
From: rah at shipwright.com (R. A. Hettinga)
Date: Mon, 9 Aug 2004 09:24:14 -0400
Subject: Review: In Defense of Internment
Message-ID:

Townhall.com

In Defense of Internment
The Case for "Racial Profiling" in World War II and the War on Terror
By Michelle Malkin

Review by Peter-Christian Aigner

There is no such thing as a "good decision" in war. Nations do what they must in order to survive. That sometimes means doing things that would otherwise be considered intolerable - suspending habeas corpus, for example, or using atomic weapons. While progressives don't favor this view, it is gifted to the critics to be idealists. Leaders must be utilitarian.

This is the starting point from which Michelle Malkin offers her qualified defense of the internment of the Japanese during World War II. In a nutshell, she argues that the historians who take a moral purist's stand on Japanese internment forget that FDR and the generals could not see into the future. Theirs was not an immoral choice that stemmed from "wartime hysteria" or "racism" (at least primarily), but a responsible action based on solid intelligence, constitutional legality, and tough deliberation.

While liberals will no doubt scream over this thesis, Malkin is no Ann Coulter controversialist. She makes a clear, reasoned, straightforward argument, picking apart the standard orthodoxy with methodical care. It is not iconoclasm for mere shock effect, though the book is quite shocking.

Popular films such as Welcome to the Paradise and Snow Falling on Cedars leave the impression that Japanese internment was a cruel manifestation of bigotry, a groundless, irrational response to the attacks on Pearl Harbor. According to this reading of history, 120,000 scared patriotic innocents were rounded up and forced into "concentration camps," where they languished for the rest of the war under the heartless gaze of armed guards. Little of this is true.
Less than two-thirds of the 112,000 removed from the West Coast were Japanese Americans; the rest were "enemy aliens," not citizens. This was not the first time internment or relocation had been used; it was a centuries-old, worldwide practice. The Alien Enemies Act enabled the executive of the United States to make such decisions in 1798, and that law remains on the books today. During World War I, 6,300 European resident aliens were interned; during World War II, almost 15,000 were. More would have been relocated, but the government estimated that 53 million Americans were of Axis-European heritage. Such an undertaking would have been impossible, as the total U.S. population at this time was just over 100 million. Instead, the government instituted curfews, forced aliens to register with local authorities, censored foreign-language newspapers, and excluded potential subversives from sensitive areas. Thousands of nationalists were deported, and thousands more were sent to relocation centers with the Japanese.

But the most important factor in the decision to relocate and eventually intern the Japanese was an espionage network discovered in the western United States. As part of MAGIC, a top-secret project, over 5,000 cables were decrypted by the finest code-breakers in the government - just a sliver of the communication estimated overall. These messages revealed a clear, extensive, pro-Axis mole system in key industrial and military areas in California, Oregon, Washington, and Hawaii. In addition, investigators found detailed maps of Oahu in the cockpits of downed Japanese fighter planes in Pearl Harbor. The Japanese Empire relied on internal agents in the Philippines and other territories it conquered as well. This information was released in 1977, and though it was just as damning as the Venona papers released eighteen years later, it has been greatly ignored by current-day historians.

Malkin apparently wants to reverse that neglect: she includes the documents that have been declassified in her appendix, which makes up half the book. Her point-by-point deconstruction of the racist-paranoid school on internment is also well-footnoted, and full of credible and well-respected sources. Detractors will have a hard time shooting her out of the sky on the basis of her non-academic credentials.

The connections Malkin makes between Japanese internment and "racial profiling" during the War on Terror will inevitably enrage critics. While Malkin does not make any serious policy recommendations, she does use these topics to remind us that the inalienable rights listed by the Founders "do not appear in random order." Liberty and the pursuit of happiness cannot be secured and protected unless life is secured and protected as well.

In Defense of Internment is a thoughtful book, recommended for persons concerned about both historical truth and civil liberties alike.

Peter-Christian Aigner is an intern at the Heritage Foundation, and recently received his M.A. in American History from Fordham University, the Bronx.

Further Reading: "Current Lessons from the Japanese-American Relocation of WWII." Townhall.com chat with Ken Masugi of The Claremont Institute, 11/14/01

-- 
R. A. Hettinga

From brian-slashdotnews at hyperreal.org Mon Aug 9 03:26:02 2004
From: brian-slashdotnews at hyperreal.org (brian-slashdotnews at hyperreal.org)
Date: 9 Aug 2004 10:26:02 -0000
Subject: Estonia Tests "Contactless" ID-Cards
Message-ID:

Link: http://slashdot.org/article.pl?sid=04/08/08/1711239
Posted by: timothy, on 2004-08-09 08:19:00
from the man-exists-for-the-state dept.
[1]borkee writes "[2]Estonian [3]MEAC and [4]CMB [5]start testing a new version of a [6]national ID card containing what they call 'contactless' extensions. Although they do not specifically disclose to us, taxpayers, what technology is used there, it must be quite obvious that it's nothing less than [7]RFID. Add to this, they'll have a person's biometrics in memory. (Security gurus of course know: biometrics just don't work.) Soon you can track us poor Estonians by our GSM phones and by our ID cards too!"

References
1. mailto:bmaroshe at itcollege.ee
2. http://www.cia.gov/cia/publications/factbook/geos/en.html
3. http://www.mkm.ee/eng/
4. http://www.mig.ee/eng/
5. http://www.postimees.ee/050804/esileht/141020.php
6. http://www.id.ee/pages.php/0303
7. http://www.eff.org/issues/rfid

----- End forwarded message -----

-- 
Eugen* Leitl leitl

From dave at farber.net Mon Aug 9 07:33:00 2004
From: dave at farber.net (dave at farber.net)
Date: Mon, 09 Aug 2004 10:33 -0400
Subject: [IP] The Surveillance Industrial Complex
Message-ID:

___
Dave Farber +1 412 726 9889

...... Forwarded Message .......
From: Barry Steinhardt
To: David Farber
Date: Mon, 09 Aug 2004 10:02:24 -0400
Subj: The Surveillance Industrial Complex

Dave,

The ACLU is releasing a new report today on the "Surveillance-Industrial Complex," an in-depth look at all the ways that the government is conscripting or recruiting private companies for its war on individual privacy and liberty.
The report is online at: www.aclu.org/surveillance

In conjunction with the release of the report, we have created a new action Web page asking consumers to help us ask companies to take a "no-spy pledge" that they won't willingly cooperate with government demands for their customers' data. The action page is online at: www.aclu.org/privatize

The No Spy Pledge says:

1. You will not turn individually identifiable data on your customers over to the government for security purposes unless legally required to do so.

2. You will use every legal means to fight government demands for data that are not authorized by current law, or which violate your Constitutional rights or those of your customers.

3. If the government serves you with a legally binding request to turn over customer information, you will notify customers that our information has been turned over (unless you are subject to a gag order prohibiting you from doing so under the Patriot Act or other legislation)

In addition, companies called data aggregators are increasingly becoming a means by which the government accesses information on individuals. I would also like to ask whether you provide information about your customers to data aggregators or any other companies that are in the business of consolidating customer information. If so, which ones?

Thanks,

Barry Steinhardt
Director
Technology and Liberty Project
American Civil Liberties Union (ACLU)
125 Broad Street
NYC 10004
www.aclu.org

-------------------------------------
You are subscribed as eugen at leitl.org
To manage your subscription, go to http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/

----- End forwarded message -----

-- 
Eugen* Leitl leitl

From eugen at leitl.org Mon Aug 9 03:27:28 2004
From: eugen at leitl.org (Eugen Leitl)
Date: Mon, 9 Aug 2004 12:27:28 +0200
Subject: Estonia Tests "Contactless" ID-Cards (fwd from brian-slashdotnews@hyperreal.org)
Message-ID: <20040809102728.GU1477@leitl.org>

The EU is about to follow suit in a couple of years, no doubt.

----- Forwarded message from brian-slashdotnews at hyperreal.org -----

From ericm at lne.com Mon Aug 9 13:22:23 2004
From: ericm at lne.com (Eric Murray)
Date: Mon, 9 Aug 2004 13:22:23 -0700
Subject: Olympics snooping
Message-ID: <20040809132223.B24701@slack.lne.com>

http://sports.yahoo.com/oly/news?slug=ap-securitytech&prov=ap&type=lgns

Unprecedented electronic net over the Olympics

By MIRON VAROUHAKIS, Associated Press Writer
August 9, 2004

ATHENS, Greece (AP) -- If you're going to the Olympics, you'd better be careful what you say and do in public. Software will be watching and listening.

Recent leaps in technology have paired highly sophisticated software with street surveillance cameras to create digital security guards with intelligence-gathering skills.

``It is a very vast network and it is the first time it is being done on such a scale at an international level,'' Greek police spokesman Col.
Lefteris Ikonomou told The Associated Press. The system -- developed by a consortium led by San Diego-based Science Applications International Corp., or SAIC -- cost about $312 million and took up a sizable chunk of Athens' record security budget of more than $1.5 billion. It gathers images and audio from an electronic web of over 1,000 high-resolution and infrared cameras, 12 patrol boats, 4,000 vehicles, nine helicopters, a sensor-laden blimp and four mobile command centers. Spoken words collected by the cameras with speech-recognition software are transcribed into text that is then searched for patterns along with other electronic communications entering and leaving the area -- including e-mail and image files. The system, which includes components already used by U.S. and British government intelligence agencies, covers all of greater Athens, nine ports, airports and all other Olympic cities. Ikonomou said it ``allows the users to manage a critical incident in the best way possible and in the shortest time possible because they have all the information in front of them.'' The software used for surveillance camera recordings is designed to spot and rank possible risks, said Dionysios Dendrinos, general manager of One Siemens in Greece, one of the companies in the consortium. ``They can distinguish the sound of a flat tire from an explosion or a gunshot and inform the user at the command center of the incident,'' he said. ``This is also the case with any anomaly in the picture, such as a traffic jam.'' Technology also allows the users of the system at the main command center to save and analyze data from the surveillance network and beyond. And the material from the closed circuit cameras is kept for seven days, Ikonomou said, so specific incidents can be analyzed in depth. Much of that analysis is enabled by software from London-based Autonomy Corp., whose clients include the U.S. 
National Security Agency, that parses words and phrases collected by surveillance cameras and in communications traffic. In June, the Greek government expanded surveillance powers to screen mobile and fixed-line telephone calls during the Olympics. ``It listens, reads and watches,'' Dominic Johnson, Autonomy's chief marketing officer, said of his company's software. Then it synthesizes. Beyond Greek and English the software understands Arabic, Farsi and all major European languages, Johnson said. Other companies in the SAIC consortium include Germany's Siemens AG; General Dynamics Corp. and Honeywell International Inc. of the United States; and the Israeli company Elbit Systems. Several Greek companies also are participating. According to the contract, the system was to be delivered by May 28, but due to construction delays at some Olympic venues -- such as the main Olympic stadium -- it was delivered just weeks before the opening ceremony. Nevertheless, Public Order Minister Giorgos Voulgarakis declared last week that all the security systems were in full deployment and working smoothly. There'll be other sniffing going on, of course. A network of sensors designed to detect chemical agents has also been deployed near Olympic venues and around the capital, including on the security blimp. Advanced technology is also used in the creation of the Olympic credentials, which use such security features as holograms. All cardholder information, such as a person's photo and passport number, are printed on a very thin film designed to make the cards impossible to forge. The digitally enhanced surveillance net may provide comfort to Olympics attendees, but not everyone is happy at authorities' computer-aided eyes and ears. Several groups have held protests in recent months against what they say is an invasion of their privacy, and some demonstrators have spray-painted street cameras, seeking to blind them. 
"The Olympic Games are accompanied with extended security measures that are unprecedented for Greece," six human rights groups said in a protest letter to Greek Parliament in July. "Although the state's right to take all necessary measures that it deems necessary is recognized, there is fear that these measures will have a negative impact on basic human rights."

From pcapelli at gmail.com Mon Aug 9 10:35:08 2004
From: pcapelli at gmail.com (Pete Capelli)
Date: Mon, 9 Aug 2004 13:35:08 -0400
Subject: Michael Moore in Cambridge (download speech)
In-Reply-To: <20d1830f607a22119fb8cb95867f6824@dizum.com>
References: <20d1830f607a22119fb8cb95867f6824@dizum.com>
Message-ID:

> The file will be available for download a short period of time.
>
> Michael shows us what the upcoming election is all about.

It's all about a promotion tour for his movie?

From eugen at leitl.org Mon Aug 9 06:00:31 2004
From: eugen at leitl.org (Eugen Leitl)
Date: Mon, 9 Aug 2004 15:00:31 +0200
Subject: BBC on privacy
Message-ID: <20040809130031.GZ1477@leitl.org>

http://news.bbc.co.uk/nol/shared/spl/hi/programmes/analysis/transcripts/05_08_04.txt

Please note that this is BBC copyright and may not be reproduced or copied for any other purpose.

RADIO 4 CURRENT AFFAIRS
ANALYSIS
PROTECTING PRIVACY
TRANSCRIPT OF A RECORDED DOCUMENTARY

Presenter: Frances Cairncross
Producer: Chris Bowlby
Editor: Nicola Meyrick

BBC White City, 201 Wood Lane, London W12 7TS, 020 8752 6252

Broadcast Date: 05.08.04
Repeat Date: 08.08.04
Tape Number:
Duration:

Taking part in order of appearance:
Saul Klein, Former Adviser on privacy protection at Microsoft
Jonathan Bamford, Assistant Information Commissioner
Caoilfhionn Gallagher, Privacy Lawyer with Liberty
Peter Swire, Law Professor at Ohio State University, Former Privacy Adviser to Bill Clinton
James Harkin, writer and researcher on social trends
Alistair Crawford, Chief Executive Officer of 192.com

CAIRNCROSS: Got your mobile phone switched on?
If so, then somewhere there is a stranger who knows where you are. The electronic networks that link us together in so many convenient ways also peer into our lives even when we don't realise it.

KLEIN: The way it is is that you are being trapped, you are being monitored, you are being watched. And technology has the ability not just to do all of that but, nowadays, to do it in a way where all of that data can be stored and managed and manipulated at incredibly low cost; and not just by government any more, but by private companies as well.

CAIRNCROSS: Saul Klein knows lots about what technology can do: he used to advise on privacy protection for Microsoft, the world's biggest software company. All this tracking, monitoring and watching is a thriving commercial business. Government does it too and this has enormous consequences for people's privacy. Jonathan Bamford is Assistant Commissioner for Information, which means that his job is to help the British government think about how technology affects privacy. How valuable is it?

BAMFORD: It's something that people cherish. I think it's something that we do need to safeguard. I think it's important to recognise that privacy, rather like trust and confidence - once you've lost it, it's very, very difficult, if not possible, ever to regain. It's something we need to work hard not to lose in the first place.

CAIRNCROSS: One of the most powerful symbols of intrusion into privacy has been the ability of the authorities to watch over us. In that sense, George Orwell's Big Brother is alive and well, and gleefully acquiring all the latest gadgetry. There are closed-circuit television cameras on almost every street corner, speed cameras, and cameras that monitor people entering London's congestion charging zone. Caoilfhionn Gallagher is a lawyer with Liberty, a campaigning group on civil liberties, and follows the latest monitoring technologies. What are her current concerns?
GALLAGHER: The first one would be a very high tech new x-ray system that's been developed and it's being rolled out across the UK. And essentially what it involves is a virtual strip search. And people are unaware that it's happening, which is of course the problem with a lot of these technologies - that while people's rights are being invaded, they're actually unaware of it, which is extremely unusual. But it's a virtual strip search without any of the safeguards that accompany a traditional strip search. And another good example would be a US one, which is thermal imaging technology; and thermal imaging technology can monitor from the outside of a building how heat is generated within the building. While that might sound quite mundane, it's been used for law enforcement purposes in the US to check up on houses where it's suspected that cannabis is being grown, for example. If cannabis is being grown, there'll have to be very high heat lamps being used. And what US law enforcement have started doing is using that imaging to monitor a suspect's house without actually going and getting a search warrant or going through any of the traditional safeguards.

CAIRNCROSS: But it's not just officials who use new kinds of hi-tech spying in special circumstances, to keep watch at airports or on potential crooks. Every day, in myriad small ways, people give up some privacy. One of the latest intrusions is the camera phone, which allows a stranger to photograph you and send your picture to somebody you have never met without your knowledge. Is this a new threat, or merely an extension of an old one? Peter Swire, a professor at Ohio State University, who advised President Clinton on privacy issues.

SWIRE: The big threat of the camera has been a big issue, but it was really a big issue about 1895 and that's when Justice Brandeis, who later became Justice Brandeis, wrote his Right to Privacy article in the United States.
He was worried about the cameras that were being used to look at the upper class people in Boston, and he thought this was a terrible threat that people walking down the street or being in their back garden could be taken pictures of by these cameras. The conclusion he came to is that we needed to have legal protections for privacy and called that The Right of Privacy, which he later called 'the most precious of rights, the right to be let alone'. But then in the last period of years, we've really tried to figure out what it means to have information privacy or data privacy or what in Europe's often called data protection. And I think the issues you're asking about are really what about this data protection, how are we going to come up with new rules for our electronic age?

CAIRNCROSS: What is different about this electronic age is the way that ever more powerful computers can process not just your image but also all kinds of other personal details. Your name and sometimes your face is already on any number of interconnected databases. When you use a plastic card to make a purchase, or go to a web site on the internet, or make a phone call, your movements will usually be recorded. Ring a call centre for a personal loan, and your name and address will swiftly tell the operator about your existing debts. How worried should we be about this loss of privacy? And can it be halted? Or should it be accepted as the price we pay for enjoying new technology's potential to link us instantly with the world around? For example, mobile phones allow lots of people to reach you - and some to know where you are. James Harkin wrote a recent report for Demos, a think tank, called 'Mobilisation', in which he celebrated the potential of life linked into new mobile networks.

HARKIN: I mean it's already possible, presumably, for you to pass a local retailer and get an offer of twenty percent off discount goods.
If we could have location based services sent from local museums, places of historical interest, really all we would be doing would be completely re-mapping the city.

CAIRNCROSS: I don't think I want very much to be telephoned as I'm walking past a store and told there's a special offer there. Are there other kinds of service that people are already using that rely on the fact that somebody knows - the mobile phone knows where they are?

HARKIN: In Scandinavia and in Japan, you have services whereby young people can pass along street corners and they can be automatically hooked up via location based tracking to someone who meets their personal profile for the purposes of dating or finding a friend.

CAIRNCROSS: So if Mr Right is just around the corner, your phone rings and tells you?

HARKIN: Indeed - if you want that, of course. All of these things have a switch off mechanism, so people shouldn't be too afraid of what they might find in a shopping mall.

CAIRNCROSS: All these delights are available only to those who want them. In Britain, unlike some other countries, blue-jacking - using a technology called Bluetooth to send unsolicited messages to mobile phones - isn't allowed. Companies that want to send advertisements to your mobile must first secure your consent. We may be happy to give up a bit of privacy in exchange for finding a bargain or a boyfriend. But the technology potentially changes not just our relationship with people who want to sell us things. It could also change the relationship between parent and child, and between boss and employee. Take, for example, the services offered by 192.com, a company whose main business is directory inquiries, but which is branching out to offer ways for people to track a mobile telephone on the internet. So a parent can locate a child, and a boss an employee. Alastair Crawford, founder of the company, is thrilled by the possibilities.

CRAWFORD: We can track a mobile phone even if it's not in use.
As long as the phone is on, we can track it every minute of the day - in rural countryside, in cities. And, for example, in London we can track it right down to if somebody was in, for example, Earl's Court Exhibition Centre, we can know they're in that building. In rural countryside, it's a little bit wide - I mean we'd know what hill they're on.

CAIRNCROSS: Now that's wonderful if you're a parent worrying about your child. But another usage is for companies to track their employees. And I think you suggest it is a way of making sure that your employee is secure if they are late returning to the office, but you and I know that what employers really want to know is is the guy in the pub or is he doing what he's supposed to be doing.

CRAWFORD: Yeah.

CAIRNCROSS: The employee, presumably, doesn't necessarily consent to being on the receiving end of this tracking system. Isn't that a bit problematic in privacy terms?

CRAWFORD: Well what we're doing is we're actually sending messages on a regular basis to phones to make sure they continue to consent. The employee would then receive messages saying that that phone is being tracked. He needs to know that that phone would have to be the company's property, so really you know another way of looking at it is saying the company has a right to know where their property is. Obviously this is tracking which is during office hours, and it's all been approved by the Information Commissioner who's studied it very closely.

CAIRNCROSS: On one estimate, 40,000 employees are now tracked this way. How far employers can invade the privacy of their employees is an especially tricky area for debate. The technologies now used in many workplaces allow all kinds of surveillance. The rights and wrongs are much less clear-cut in people's minds than issues about privacy in the home. Because it's an area that people haven't thought about much in the past, the Information Commissioner's Office has been working on new guidelines.
So where does Assistant Information Commissioner Jonathan Bamford think that bosses should draw the line?

BAMFORD: I don't think that I would subscribe to the view that when you walk in through the front door of the office or the workplace in the morning that you give up all your rights to privacy. There's no way that an employer should know everything about your affairs, I don't think. The question is where's the balance struck? If you're using the employer's resources for certain activities, I think it's right they have some interest and control over those. If you're going to damage the reputation of an employer by your actions in some way, it's right that they have some interest in that. It's where's the balance struck. I don't think it's sensible from either party's point of view to foster mistrust and create problems there as a result of some heavy handed monitoring system.

CAIRNCROSS: Whatever the reservations about monitoring workers, tracking technology is advancing rapidly. It has all kinds of potential uses. Minute electronic tags placed in products will make them - and their users or owners - more traceable in the future. The government is thinking of using tracking much more extensively to keep tabs on offenders or perhaps even on asylum seekers. All this, argues Peter Swire, makes the defence of basic privacy principles in this area especially important.

SWIRE: To start with an assumption that tracking is the norm, I think leads to the powerful to remain too powerful. People start to be chilled in how they feel they can express themselves, where they feel they can go. If they go to the wrong store or the wrong neighbourhood now, it's on their permanent record. I think that could really affect the sense of freedom in a free society that we'd like to have.

CAIRNCROSS: An increasing problem in privacy protection is the blurring between official and commercial information, as public databases acquire private uses.
People who supply information for one purpose aren't aware that it might be used for another. If I want to find out where you live, then even if you are ex-directory and not in the phone book, you will probably be listed on some electronic database if you're on the electoral register, or if you are a company director who has to register a home address. True, you have some opportunities to block this kind of searching if you know it might happen, and you can also discover who has been searching for your information. But people don't submit their details to the electoral register or to Companies House in order to help strangers who want to track down their address. Some companies recognise that they need to impose restraints of their own on the exploitation of customer information. Saul Klein now runs a DVD rental company called Video Island that does just that.

KLEIN: One thing that is clear to a lot of companies born in the last ten years is that data and privacy is predicated on the notion of, one, is informed consent; and, two, the notion of value exchange is that if you're asking someone for a piece of information then you have to be giving them something valuable back in return. You've got to be personalising their experience for them, you've got to be you know sending them an airline ticket, you have to be performing some kind of a valuable transaction.

CAIRNCROSS: Over at 192.com, Alastair Crawford is not surprisingly keen to emphasise the valuable transactions that he has to offer his customers in exchange for their loss of privacy.

CRAWFORD: People generally you know are not looking up people for anything other than good reasons. You know people are looking up old school friends, they're wanting to check that you are who you say you are. They're looking for evidence that validates the information you're giving us. So I mean almost all the applications are good applications.
When people remove themselves from the electoral roll it's harder to get credit, it's harder to prove who you say you are, you know. And why are you doing that? I mean you know removing oneself from the electoral roll is the sort of thing that fraudsters do and terrorists.

CAIRNCROSS: But there's an assumption that if you want to protect your privacy you must be a fraudster or a terrorist, isn't there?

CRAWFORD: Not at all. You know your name and your address is hard - it's not private. I mean your name - it's not biological data, it's not sort of your medical files or your private financial information. You know people get confused between privacy as in terms of you know what happens inside my house or my bank records and so on and so forth with you know simply my public label of who I am and this is where I live. It's a basic database which the economy needs in order to function, which people need because people need to get in touch with people.

CAIRNCROSS: The problem is surely what happens when information that has always been publicly available, such as the electoral register, is put on an electronic database. Searching it becomes immensely fast and convenient. So it's suddenly available to many more people, for many more uses than before. Once a technology exists, it's tempting to use it. And the uses for a new technology may not be apparent until some time after it's been invented. The astonishing popularity of sending text messages from mobile phones caught the industry totally by surprise. And only belatedly did Samsung, one of the big manufacturers of camera phones, wake up to the fact that they could be used for industrial espionage. It's now banned them from its offices. The response of Scott McNealy, boss of Sun Microsystems and one of the most outspoken figures of Silicon Valley, to the challenge from electronic devices was famously blunt. "You have zero privacy," he said. "Get over it."
Does Saul Klein, who once worked for Sun's rival, Microsoft, share that view?

KLEIN: You know what Scott McNealy said is completely glib. It's not a case of get over it. I would say it's a case of understand it, engage with it, help to sort of shape the environment and the implications of it. I think you know the key issue here is that regulation or regulators' knowledge and understanding of these issues lags well behind people's use and technology's ability to sort of bring forward some of these issues. What's happening here is that people's access and technology's ability is moving far faster than either companies' or governments' abilities to shape and regulate.

CAIRNCROSS: Once the astonishing innovation of recent years settles down and we all grow used to the implications of electronic novelties, we'll be better able to think up ways to deal with the issues they raise. One question much discussed in the high-tech world is the extent to which electronics can both undermine privacy and paradoxically protect it. Saul Klein thinks such principles might be broadened.

KLEIN: In any regulated environment, you have your private space but you cede elements of access and control to that private space to other people or to companies or to institutions, and that's just the nature of living in a society. What privacy technology's allowing you to do is to decide who you want to share that space with. I think what the internet has created is a sense of personal space that is not necessarily physical. It's a space that is remote from you, and that can be a place where you store your photos on the internet, it could be a place where you store your e-mail, it could be a place where you store all your correspondence. And then the question is who do you trust to help manage or control access to that personal space?

CAIRNCROSS: Does that mean that the protection of privacy from the activities of nosy companies can safely be left to the market?
Can people be left to choose how far they want to live in the backwoods and how far to enter the intrusive electronic world? Jonathan Bamford.

BAMFORD: There's self-interest for business and for governments in having the confidence of the people who they're doing business with, but I don't think you can just leave it to chance. I think we need data protection laws and regulatory bodies like the Information Commissioner to supervise the legislation to make sure people comply with it. I think in other areas, such as the US where they don't have general data protection laws, you've seen companies there seeing the competitive advantage out of having strong privacy policies. But I think really we can't just leave to chance the protection of privacy as a commercial advantage. I think we need at least a bottom baseline in data protection law to make sure that privacy's not just for the virtuous; it's actually for those who are required to comply with laws as well.

CAIRNCROSS: For a regulator, perhaps that's a predictable response. But it highlights one regulatory problem: the different approaches of different countries. The internet has little respect for national boundaries. But the legal treatment of privacy varies on the two sides of the Atlantic. Peter Swire has written a book comparing the European and the American approaches.

SWIRE: The European Data Protection Directive, which went into effect in 1998, begins with the idea that basically all data in the commercial sphere, all data that's being out there ought to be under a legal regime, and that legal regime has data protection commissioners - the registrar in Britain and so on. So this has an idea that there's a comprehensive legal scheme. In practice, it's gone somewhat well, in many instances, but probably lots of individual companies, lots of individual databases get operated without people being too darn careful about how they're complying with the directive. The American approach has been quite different.
There's been a real reluctance to pass a comprehensive law. There's been a fear, a sort of American laissez-faire approach - a fear that that would be too regulatory, would get the government too deep into people's affairs.

CAIRNCROSS: Do people really care about this issue? Is it something that worries ordinary folk or is it something that mainly worries campaigning organisations or individuals who've had particularly bad experiences?

SWIRE: I think it worries ordinary folks. Leading up to the year 2000, the Wall Street Journal did a poll that asked what Americans feared most in the coming century, and the answer that got the biggest response, even ahead of global terrorism and such things, was erosion of personal privacy. And so I think that shows a widespread concern that somehow our sense of being is under assault from all these changes. Somehow we need to find ways to balance the power so individuals have a sense of freedom in the future.

CAIRNCROSS: But today, people worry a lot more about terrorism than they did in the innocent days of 2000. Since the horror of 9/11, governments under pressure to fight terrorism are likely to use any weapon available, including the tracking and monitoring techniques that the private sector has developed for financial gain. Does this mean that governments are a bigger threat to privacy than private companies and their customers? Caoilfhionn Gallagher, privacy lawyer with Liberty.

GALLAGHER: I think there are very large distinctions between government privacy issues and corporate privacy issues. Firstly, with a corporate privacy issue, you have a choice. You have a choice when you go into Sainsbury's whether or not to actually go ahead and get a reward card, and you can weigh up yourself whether a potential impact on your privacy is worth you getting say a bottle of wine every three months at a lower price.
However, when you're dealing with government I think there's very different concerns because in relation to government use of this data, the citizen doesn't have the same kind of bargaining power that the Sainsbury's customer does or that the mobile phone customer does because essentially you're in a contract which is binding and from which you can't escape. And quite often the expansion into the private lives of citizens, because it happens in an incremental way and often the information seems quite mundane, people don't seem to realise quite what's happening. It's a moment of epiphany in which people realise that there's a shift from a private society to a public one and so on, or to a transparent society, but it's kind of being nibbled away by degrees.

CAIRNCROSS: And often with popular consent. The fear of crime, and especially of crimes such as the Soham murders, creates a clamour for measures that nibble away privacy even further. When people say, "Nothing to hide, nothing to fear", you know that they're trying to justify such measures. What does Caoilfhionn Gallagher make of these arguments?

GALLAGHER: Obviously the implication of the theory of nothing to hide, nothing to fear is that privacy is a right which protects the guilty; privacy is a right which protects Ian Huntley rather than a right which protects the average, ordinary, law-abiding member of the public. But I think that that rationale is deeply flawed and that the average law-abiding citizen does have much to fear actually from privacy invasion - not because the citizen intends to do anything wrong or has done anything wrong, but I think that the state should assume that all individuals have nothing to hide unless it has a specific compelling reason to believe otherwise.

SEGUE

CRAWFORD: If you look back at the days when the phone book was first put in payphones in every street corner for anybody to look in, people were initially shocked at that idea.
But actually this is the difference between perceived fear and real fear and everybody's very concerned about eroding privacy. So it's a very tough balance and, as we've seen in the past, that balance has moved. I mean five years ago, you could never have tracked a mobile phone; but then after the Soham murders, you know people now realise that there's an enormous demand. Parents want to know where their children are. If their children don't come home in the evening, they want to go to the internet and see where the mobile phone is. It's completely secure. Society now demands a new balance. And in future that balance may change again. We have to just have to be responsive.

CAIRNCROSS: Alastair Crawford. Others also think that the threat that new technology poses to privacy is greatly overblown. James Harkin believes that it springs from a mixture of anti-technology phobia and social panic. Take, for example, the fear of mobile phones as portable spy cameras or sinister tracking devices.

HARKIN: There seems to be huge and very needless social panic surrounding mobile phones, which say much less about mobile devices than they do about ourselves. Now I don't know of any case so far in Britain of mobile tracking being used by a paedophile, I don't know of any case in which a paedophile has used a picture message to photograph a child. And yet in February 2003 when these devices were coming on screen, you had these charities calling for a ban on picture messaging or limits on location tracking technology. And there were really no instances of this happening. I think that says quite a lot about our rather Luddite approach to new technologies - that all we can think of is that paedophiles might want to use these things.

CAIRNCROSS: That note of caution may be justified. But few people imagined, in the internet's early days, that criminals might want to use it to abduct youngsters or that teenagers might use it to view pornography.
There have been some unpleasant surprises for advocates of new technology in the way that some choose to apply it. The big question is, are people prepared, in the name of privacy, to restrict the use of technologies that many find beneficial, or even liberating? Peter Swire thinks that public concern for privacy will assert itself as it has in the past.

SWIRE: In the 1960s the big fear was that lie detectors would become part of the daily life of the workforce, but as a society we've decided we're simply not going to do those kind of lie detectors, we're not going to let the boss do that as part of the daily routine. And I think we've decided for internet surfing that at least the internet service providers in the United States do not keep track of every website I go to. That was a business decision that people wouldn't use the net if they were being tracked. So I think periodically, but significantly, we have these victories. We carve out a space where surveillance isn't going to happen. And privacy's the word we use for these debates for this era - how we're going to fight back, how we're going to create a balance of power that leaves us with a sense of a free society.

CAIRNCROSS: The trouble with Professor Swire's optimism is that one of his examples, foregoing lie detection, may merely reflect the inadequacies of 1960s technology. As the electronic kit gets better, the temptation to use it will increase. Insurance companies are already experimenting with electronic means to discover if people who phone them with insurance claims are telling the truth. And most of the important websites you visit will discreetly leave in your computer an electronic calling card that says you have been there. So what can society do to reconcile the efficient use of new technologies with the traditional idea of a private life? Regulator Jonathan Bamford.
BAMFORD: I think we have to recognise the fact that if people want to live lives the way they choose to, exploiting modern technology like the internet, like using mobile phones, all those other things which people see as bringing benefit to their lives, there's potentially a danger there that enables their transactions to be tracked, recorded. I think the important thing is that whilst that potential for privacy's been eroded, that actually there is a robust data protection regime which essentially provides that element of space for individuals, so there's not an unwarranted infringement of their privacy. If a mobile phone record is necessary to deal with a very serious crime like a rape or a murder, then that's something which I think as a society we'd accept there's a warranted intrusion into people's private lives. But that isn't the same as that information being fair game more generally for commercial purposes or more generally for government purposes.

CAIRNCROSS: Self-restraint in the use of a powerful new technology is incredibly difficult. Imaginative regulation is certainly worth a try. But, if monitoring and tracking bring benefits, to commerce or to public safety, there will be huge pressure to use it. The limits on personal privacy have shifted permanently. We've left the relative anonymity of the 20th century free world and we're returning to the days of the village, where everybody knew a lot about what everybody else was doing. But, whereas it was possible then to escape the village and hide from view, now we may no longer have that option - at least, not if we want to take full advantage of the benefits of the electronic world.
--
Eugen* Leitl leitl
______________________________________________________________
ICBM: 48.07078, 11.61144 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
http://moleculardevices.org http://nanomachines.net

[demime 1.01d removed an attachment of type application/pgp-signature]

From sunder at sunder.net Mon Aug 9 12:20:34 2004
From: sunder at sunder.net (Sunder)
Date: Mon, 9 Aug 2004 15:20:34 -0400 (edt)
Subject: stealth tempest wallpaper
Message-ID:

http://www.newscientist.com/news/print.jsp?id=ns99996240
or
http://www.newscientist.com/news/news.jsp?id=ns99996240&lpos=home3

Stealth wallpaper keeps company secrets safe
10:00 08 August 04
Special Report from New Scientist Print Edition.

A type of wallpaper that prevents Wi-Fi signals escaping from a building without blocking mobile phone signals has been developed by a British defence contractor. The technology is designed to stop outsiders gaining access to a secure network by using Wi-Fi networks casually set up by workers at the office.

----------------------Kaos-Keraunos-Kybernetos---------------------------
 + ^ + :"Our enemies are innovative and resourceful, and so are we.  /|\
  \|/  :They never stop thinking about new ways to harm our country /\|/\
<--*-->:and our people, and neither do we." -G. W. Bush, 2004.08.05 \/|\/
  /|\  :                                                             \|/
 + v + :     War is Peace, freedom is slavery, Bush is President.
------------------------------------------------------------------------- From eugen at leitl.org Mon Aug 9 07:47:03 2004 From: eugen at leitl.org (Eugen Leitl) Date: Mon, 9 Aug 2004 16:47:03 +0200 Subject: [IP] The Surveillance Industrial Complex (fwd from dave@farber.net) Message-ID: <20040809144703.GH1477@leitl.org> ----- Forwarded message from dave at farber.net ----- From nobody at dizum.com Mon Aug 9 08:40:01 2004 From: nobody at dizum.com (Nomen Nescio) Date: Mon, 9 Aug 2004 17:40:01 +0200 (CEST) Subject: Michael Moore in Cambridge (download speech) Message-ID: <20d1830f607a22119fb8cb95867f6824@dizum.com> Very interesting speech by Michael Moore in Cambridge July 27, 10 MB http://hem.bredband.net/b114631/tillf/Michael_Moore_in_Cambridge_04072 7.rm The file will be available for download a short period of time. Michael shows us what the upcoming election is all about. From jya at pipeline.com Mon Aug 9 20:19:35 2004 From: jya at pipeline.com (John Young) Date: Mon, 09 Aug 2004 20:19:35 -0700 Subject: NSA Overcomes Fiber-Optic and Encryption Message-ID: Excerpt below from a Baltimore Sun article of August 8, 2004. Some of it could be true, but. http://cryptome.org/dirnsa-shift.htm ----- Director of NSA shifts to new path By Scott Shane Sun National Staff August 8, 2004 ... Technology revolution Given the dire assessments a few years ago, it is notable that Hayden says the communications revolution has on the whole been a plus, not a minus, for the NSA. The NSA director declines to elaborate. But interviews with outside experts suggest that the agency has managed to overcome the challenges posed by fiber-optic cable and encryption. "My opinion is that at this point, those are little more than a speed bump to NSA," says Steve Uhrig, president of SWS Security, a Harford County firm that builds eavesdropping and counter-eavesdropping systems for U.S. and foreign police agencies. 
"They have a virtually unlimited budget, and they can put amazing resources to work on a problem." Several sources who regularly speak with NSA officials say they believe Uhrig is right. Although they do not know the details, they say the agency has almost certainly managed to tap fiber cables on a large-scale basis, making access to the information inside less of a problem than its overwhelming volume. The NSA has also found a silver lining to the use of encrypted e-mail: Even if a particular message cannot be read, the very use of encryption can flag it for NSA's attention. By tracking the relatively few Internet users in a certain country or region who take such security measures, NSA analysts might be able to sketch a picture of a terrorist network. Information 'in motion' And by focusing their electronic tricks on messages as they are first typed on a computer or when they are read on the other end - what security experts call "information at rest" - NSA technical experts might be able to bypass otherwise-unbreakable encryption used when the information is "in motion." Meanwhile, the popularity of e-mail and particularly of cell phones has worked to the NSA's advantage in the battle against terrorism. The NSA's computers can track and sort huge volumes of e-mail far more easily than they can manage telephone intercepts, because text is consistently represented in digital code. And cell phones - as handy for terrorist plotters as for everyone else - provide not just an eavesdropping target but also a way to physically track the user. Uhrig, who has installed cellular intercept systems in several countries, says that as cell phones have proliferated, the "cells" served by a tower or other antenna have correspondingly grown smaller. "A big hotel may have a cell for every other floor. Every big office building is its own cell," he says. 
Easier tracking By following a switched-on cell phone as it shifts from cell to cell, "you can watch the person move," Uhrig says. "You can tell the direction he's moving. If he's moving slow, he's walking. If he's moving fast, he's in a car. The tracking is sometimes of much more interest than the contents of a call." ----- From howie.goodell at gmail.com Mon Aug 9 21:06:39 2004 From: howie.goodell at gmail.com (Howie Goodell) Date: Tue, 10 Aug 2004 00:06:39 -0400 Subject: Michael Moore in Cambridge (download speech) In-Reply-To: References: <20d1830f607a22119fb8cb95867f6824@dizum.com> Message-ID: <20bf32b704080921062e58e279@mail.gmail.com> On Mon, 9 Aug 2004 13:35:08 -0400, Pete Capelli wrote: > > > The file will be available for download a short period of time. > > Michael shows us what the upcoming election is all about. > > It's all about a promotion tour for his movie? Yeah, and Paul Revere rode to Lexington to promote his silversmithing business. "A cynic is a man who knows the price of everything, and the value of nothing." Mr. Moore speaks eloquently for the Left, the Center, and even former right-wing folks like me to join forces to get rid of the most cynical, opportunistic, divisive, and un-American administration since Richard Nixon's. Don't whine next year about the terrible Administration if you don't take your chance this year to replace it with a much more reasonable one. Howie Goodell -- Howie Goodell hgoodell at cs.uml.edu http://goodL.org Hardware control Info Visualization User interface UMass Lowell Computer Science Doctoral Candidate From nobody at cryptofortress.com Tue Aug 10 03:02:35 2004 From: nobody at cryptofortress.com (Anonymous) Date: Tue, 10 Aug 2004 05:02:35 -0500 (CDT) Subject: NSA Overcomes Fiber-Optic and Encryption Message-ID: <61b7d2ac45bdf92d56211e8e9fbeeb07@remailer.cryptofortress.com> I can see fatherland securitat goons raiding a certain restaurant at Stanford next weekend ... 
assume all keys are compromised due to RH attack. >The NSA has also found a silver lining to the use of encrypted e-mail: >Even if a particular message cannot be read, the very use of encryption >can flag it for NSA's attention. By tracking the relatively few Internet >users in a certain country or region who take such security measures, NSA >analysts might be able to sketch a picture of a terrorist network. >... >And cell phones - as handy for terrorist plotters as for everyone else - >provide not just an eavesdropping target but also a way to physically >track the user. From rah at shipwright.com Tue Aug 10 04:46:12 2004 From: rah at shipwright.com (R. A. Hettinga) Date: Tue, 10 Aug 2004 07:46:12 -0400 Subject: Internet Pirates Message-ID: The Wall Street Journal August 10, 2004 REVIEW & OUTLOOK Internet Pirates August 10, 2004; Page A10 If you own a movie or record copyright, and someone else "induces" people to start infringing it, should you be able to sue the inducer? Senator Orrin Hatch thinks so, and it's possible his bad idea could become bad law. Granted, he's trying to address a real copyright problem. Music labels and movie studios are playing a frustrating game of whack-a-mole, with new Internet file-sharing networks popping up faster than the recording industry can protest. The newest networks, including KaZaa and Morpheus, are run as for-profit piracy havens but have found ways to skirt copyright laws. They display advertising on users' desktops but make sure that individual users, rather than anyone in corporate HQ, handle the actual dirty work of infringing copyright. The network operators then claim to be shocked by the illegal activity of individual file traders -- even though they're well aware that their users aren't swapping Shakespeare. Trouble is, the facts don't support the idea that legal action against these network operators would help in the larger fight against piracy. 
Napster's court-ordered shutdown in 2001 might have been a symbolic triumph over intellectual property theft, but it caused only a minor hiccup in the supply chain for pirated media. The new firms that took its place (the ones that Mr. Hatch's bill targets) are housed outside the U.S., which makes it tough to make them pay a court judgment. Long after they're gone, old copies of their software will allow new swappers to join the party. And even if none of these problems existed, there is already a second tier of file sharing programs like BitTorrent created by hobbyists who don't profit from piracy, and make lean targets for lawsuits. Which brings us to Mr. Hatch's legislation, known as the Induce Act, which gives copyright holders a cause of action to sue anyone who "induces" the violation of their copyrights. While it wouldn't make much of a dent in the Internet piracy problem it's designed to solve, it would unleash a wave of frivolous lawsuits. Makers of technologies ranging from computers and multimedia software to portable music players could find themselves in the crosshairs, on the theory that their wares encourage infringement. Even if the industry's major players showed restraint in using their new power to sue, technology producers would have to contend with the most litigious of copyright holders. Winning such suits, as legitimate technology producers hopefully would, is financially burdensome, especially to startups. The prospect of costly court battles would deter new investments in technology. Mr. Hatch claims his bill would leave in place a Supreme Court ruling that protects the makers of general-purpose technologies from copyright liability. Even if he were right, the conceptual problem with criminalizing tools is inescapable. As long as the necessary legal umbrella protecting technology tools stays in place, the shadier network operators will find a way to shelter themselves under it. 
The better legal tools to stop file traders are hidden in plain sight, in pre-Internet U.S. copyright law. "Willful" infringement -- when the copier knows, or should know, that he's over the line -- carries a statutory penalty of $150,000 per illegal copy. The content industry can also continue to sue individual pirates. With penalties this high, it doesn't take very many suits to substantially increase the expected cost of pirating an album or film. These suits aren't popular with customers, which is why music and movie companies are asking Congress for other ways of stopping piracy. But it's high time providers and consumers alike bit the bullet and recognized that individual users who pirate content really do deserve steep punishment. That's a better solution than creating more causes of action for the trial bar. -- ----------------- R. A. Hettinga The Internet Bearer Underwriting Corporation 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' From rah at shipwright.com Tue Aug 10 05:09:02 2004 From: rah at shipwright.com (R. A. Hettinga) Date: Tue, 10 Aug 2004 08:09:02 -0400 Subject: The Turncoats on Niihau Island Message-ID: Townhall.com The Turncoats on Niihau Island Michelle Malkin (back to web version) | Send August 10, 2004 The following is an exclusive excerpt from Michelle Malkin's new book, In Defense of Internment: The Case for "Racial Profiling" in World War II and the War on Terror (Regnery). The Turncoats on Niihau Island "Are you a Japanese?" Those were the first English words spoken by downed Japanese fighter pilot Shigenori Nishikaichi on tiny Niihau Island, located about one hundred miles northwest of Honolulu. It was December 7, 1941. Nishikaichi had had a busy, bloody morning at Pearl Harbor. 
Now, with the aid and comfort of a Japanese-American couple, Nishikaichi was about to make the lives of the Niihau residents a living hell. Around 7:00 a.m., Nishikaichi boarded his Zero single-seat fighter plane and took off from the carrier Hiryu in the Pacific. An hour and a half later, the young Japanese pilot strafed planes, trucks, and personnel on Oahu. Headed back to his carrier, Nishikaichi and some fellow pilots encountered a group of American P36 fighter planes. During the air battle, Nishikaichi's plane took several hits. One punctured the Zero's gas tank. Nishikaichi steered the crippled plane toward the westernmost Hawaiian island: Niihau. Fewer than 200 Hawaiians plus three laborers of Japanese descent called Niihau home. Japan planned to use the island as a submarine pickup point for stranded pilots. Nishikaichi crash-landed the plane in a field near one of the ranch homes. The first to reach him was Hawila "Howard" Kaleohano, a burly Hawaiian. The island had no telephones. On that tranquil, late Sunday morning, none of the inhabitants was yet aware of the death and destruction that had just rained down on Pearl Harbor. Nonetheless, Kaleohano wisely confiscated the dazed Nishikaichi's gun and papers. Kaleohano, perhaps the most educated Hawaiian on Niihau, had been keeping tabs on world affairs through newspapers supplied by ranch owner Aylmer Robinson (who paid weekly visits to the island and lived twenty miles away on Kauai). Wary but warm, Kaleohano brought the enemy pilot to his home. Along the way, Nishikaichi asked Kaleohano if he was "a Japanese." The answer was an emphatic "No." After sharing a meal and cigarettes, Nishikaichi demanded that Kaleohano return his papers, which included maps, radio codes, and Pearl Harbor attack plans. Kaleohano refused. To make their communication easier, Kaleohano asked his neighbors to summon one of the island's three residents of Japanese descent to translate for Nishikaichi. 
They first brought a Japanese-born immigrant, Ishimatsu Shintani, to the house. He reluctantly exchanged a few words with the pilot in Japanese, but left in a hurry - apparently sensing trouble. The islanders then turned to Yoshio Harada and his wife Irene, both U.S. citizens, born in Hawaii to Japanese immigrants. Harada had moved from Kauai to California as a young man and lived there for seven years before relocating to Niihau with his wife in 1939. Instantly at ease with the Japanese-American couple, Nishikaichi dropped the bombshell news about the attack on Pearl Harbor. The Haradas did not inform their neighbors. That night, the hospitable Niihau residents learned about the Pearl Harbor attack on the radio. They decided to confine the pilot in the Haradas' home until help arrived. Exploiting their common ethnic ties and urging loyalty to the emperor, Nishikaichi won over the Haradas. They enlisted the other resident of Japanese descent - the skittish Shintani - in a conspiracy to retrieve Nishikaichi's papers from Kaleohano. On the afternoon of December 12, a reluctant Shintani visited Kaleohano and asked for the enemy pilot's papers. He offered his neighbor a wad of cash. Kaleohano refused. Shintani desperately told him to burn the papers. It was a matter of life and death, Shintani pleaded with Kaleohano. Kaleohano again refused. An hour later, Nishikaichi and the Haradas launched a campaign of terror against the islanders. They overtook the guard on duty and locked him in a warehouse. Mrs. Harada cranked up a phonograph to drown out the commotion. Yoshio Harada and Nishikaichi retrieved a shotgun from the warehouse and headed to Kaleohano's home. Kaleohano, who was in the outhouse, saw them coming and hid while Nishikaichi and his collaborators unsuccessfully searched for the pilot's papers. They recovered Nishikaichi's pistol and headed toward his grounded plane. Harada watched as the enemy pilot tried in vain to call for help on his radio.
Meanwhile, Kaleohano fled from the outhouse and ran to the main village to warn his neighbors of Nishikaichi's escape. He returned to his house to retrieve the papers, hid them in a relative's home, and set out with a strong team of islanders in a lifeboat toward Kauai to get help. That night, Harada and Nishikaichi set both the plane and Kaleohano's home on fire. They fired off their guns in a lunatic rage and threatened to kill every man, woman, and child in the village. After gathering for a prayer meeting, many residents escaped to a mountaintop with kerosene lamps and reflectors in an attempt to signal Kauai. On the morning of December 13, Harada and Nishikaichi captured islander Ben Kanahele and his wife. Kanahele was ordered to find Kaleohano. In their own "Let's Roll" moment of heroism, the gutsy Kanaheles refused to cooperate. When Nishikaichi threatened to shoot Kanahele's wife, fifty-one-year-old Ben lunged for the enemy's shotgun. The young Japanese fighter pilot pulled his pistol from his boot and shot Kanahele three times in the chest, hip, and groin. Mrs. Kanahele pounced at Nishikaichi; her once-peaceful neighbor Harada tore her away. Angered, the wounded Kanahele summoned the strength to pick up Nishikaichi and hurl him against a stone wall, knocking him unconscious. Quick-thinking Mrs. Kanahele grabbed a rock and pummeled the pilot's head. For good measure, Ben Kanahele took out a hunting knife and slit Nishikaichi's throat. A desperate Harada turned the shotgun on himself and committed suicide. The Kanaheles' harrowing battle against a Japanese invader and his surprising collaborator was over. The significance of the Haradas' stunning act of disloyalty and Shintani's meek complicity in collaboration with Nishikaichi was not lost on the Roosevelt administration. The facts of the case "indicate a strong possibility that other Japanese residents of the Territory of Hawaii, and Americans of Japanese descent . . . 
may give valuable aid to Japanese invaders in cases where the tide of battle is in favor of Japan and where it appears to residents that control of the district may shift from the United States to Japan," wrote Lieutenant C. B. Baldwin after a naval intelligence investigation. The Haradas were neither radical nationalists nor professional spies. They were ordinary Japanese-Americans who betrayed America by putting their ethnic roots first. How many other Japanese-Americans - especially on the vulnerable West Coast - might be swayed by enemy appeals such as Nishikaichi's? How many more might be torn between allegiance for their country of birth and kinship with Imperial invaders? These were the daunting questions that faced the nation's top military and political leaders as enemy forces loomed on our shores. Michelle Malkin is a syndicated columnist and maintains her weblog at michellemalkin.com -- ----------------- R. A. Hettinga The Internet Bearer Underwriting Corporation 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' From pcapelli at gmail.com Tue Aug 10 06:00:51 2004 From: pcapelli at gmail.com (Pete Capelli) Date: Tue, 10 Aug 2004 09:00:51 -0400 Subject: Michael Moore in Cambridge (download speech) In-Reply-To: <20bf32b704080921062e58e279@mail.gmail.com> References: <20d1830f607a22119fb8cb95867f6824@dizum.com> <20bf32b704080921062e58e279@mail.gmail.com> Message-ID: On Tue, 10 Aug 2004 00:06:39 -0400, Howie Goodell wrote: > > Yeah, and Paul Revere rode to Lexington to promote his silversmithing > business. "A cynic is a man who knows the price of everything, and > the value of nothing." Mr.
Moore speaks eloquently for the Left, the > Center, and even former right-wing folks like me to join forces to get > rid of the most cynical, opportunistic, divisive, and un-American > administration since Richard Nixon's. Don't whine next year about the > terrible Administration if you don't take your chance this year to > replace it with a much more reasonable one. Is there a viable third party candidate that I am unaware of? Other than Badnarik, that is. Being still currently undecided myself (although living in one of the 32 or so 'pre-ordained' states) I found this speech to be one of the "most cynical, opportunistic, divisive, and un-American" ones I've listened to in a while. (At least since the ones in Boston last week). I don't expect any better from the ones in NYC the first week of September, either. I hope you're right, and that a Kerry administration would be more reasonable. From what he's said, however, I *am* cynical. In a nutshell, he would: -Continue the war in Iraq (Which he voted for as senator) -Continue the Patriot Act (Which he voted for as senator) -Raise taxes and increase spending -Increase entitlements -Prostrate the US to the UN and Europe Of other important policy decisions, he can't be pinned down to a specific answer. So now I can vote for Jack Johnson (Yale grad, skull & bones member, rich due to inheritance) or John Jackson (ditto). Pardon me for failing to see a difference. There is no more Democratic Party, or a Republican Party. There is only the Bureaucratic Party, beholden to themselves, worried only about their own perks and power. If you believe otherwise, then you've drunk the Kool-aid too.
From bill.stewart at pobox.com Tue Aug 10 09:56:44 2004 From: bill.stewart at pobox.com (Bill Stewart) Date: Tue, 10 Aug 2004 09:56:44 -0700 Subject: SF Bay Area Cypherpunks August 2004 Physical Meeting Announcement Message-ID: <6.0.3.0.0.20040810095633.05898268@pop.idiom.com> Rick Moen suggested we have a Cypherpunks meeting in August, so: SF Bay Area Cypherpunks August 2004 Physical Meeting Announcement General Info: DATE: Saturday 14 August 2004 TIME: 12:00 - 5:00 PM (Pacific Time) PLACE: Stanford University Campus - Tresidder Union courtyard Agenda: "Our agenda is a widely-held secret." (This will be our first meeting since April 2003, so the agenda is somewhat up for grabs. Among upcoming events to note is the 7th annual Information Security Conference, aka ISC04, Sept. 27-29 at Xerox PARC, http://isc04.uncc.edu/ . Also of note: Our friendly Federalistas seem to be imposing unprecedented visa restrictions on visiting foreign cryptographers. Is it time for all international cryptography conferences to move off-shore? See: http://www.schneier.com/crypto-gram-0407.html#3 ) As usual, this is an "Open Meeting on US Soil", and the public is invited. Location Info: The meeting location will be familiar to those who've been to our outdoor meetings before, but for those who haven't been, it's on the Stanford University campus, at the tables outside Tresidder Union, at the end of Santa Theresa, just west of Dinkelspiel Auditorium. We meet at the tables on the west side of the building, inside the horseshoe "U" formed by Tresidder. Ask anyone on campus where Tresidder is and they'll help you find it. Food and beverages are available at the cafe inside Tresidder. Location Maps: Stanford Campus (overview; Tresidder is dead-center). http://campus-map.stanford.edu/campus_map/bldg.jsp?cx=344&cy=471&zoomto=50&zoomfrom=30&bldgID=02-300 Tresidder Union (zoomed detail view). http://campus-map.stanford.edu/campus_map/results.jsp?bldg=Tresidder Printable Stanford Map (407k).
http://www.stanford.edu/home/visitors/campus_map.pdf [ This announcement sent to the following mailing lists: cypherpunks-announce at toad.com, meetingpunks at cryptorights.org, cypherpunks-request at minder.net, cryptography-request at metzdowd.com Mailing list complaints or address corrections to bill.stewart at pobox.com. Agenda and Location questions to Rick Moen, rick at linuxmafia.com ] ---- Bill Stewart bill.stewart at pobox.com
From bill.stewart at pobox.com Tue Aug 10 10:14:36 2004 From: bill.stewart at pobox.com (Bill Stewart) Date: Tue, 10 Aug 2004 10:14:36 -0700 Subject: Iowa Deploys Cell-Phone GPS location-tracking for 911 Message-ID: <6.0.3.0.0.20040810101048.037a20e0@pop.idiom.com> Iowa's deploying cell-phone location-trackers for 911, and for whatever other purposes the cellphones support. > >http://www.WQAD.com/Global/story.asp?s=2150225 Des Moines, IA New technology will allow better response to 911 cell callers 08/09/04 10:35 AM DES MOINES, IOWA (AP) -- Cell phone users in Iowa are getting a 911 upgrade. The state is among the first in the nation to use the new technology that will help dispatchers pinpoint the emergency caller.
Iowa 911 Program Manager John Benson says it's already being tested in Des Moines, and by the end of the year, about half of the state's 125 dispatch centers will have the upgrade. About half of Iowa's 911 calls are placed by cell phones. That's about 50,000 a month. Current technology allows dispatchers to locate a cell phone 911 caller by the nearest cell tower, often miles away. The new global-positioning technology provides the latitude and longitude of the caller, which can be electronically displayed on a map. Copyright 2004, Associated Press. All Rights Reserved. This material cannot be published, broadcast, rewritten, or distributed. (looks like Fair Use to me...) From gkm at petting-zoo.net Tue Aug 10 10:46:27 2004 From: gkm at petting-zoo.net (glen mccready) Date: Tue, 10 Aug 2004 10:46:27 -0700 Subject: When good tags go bad... Message-ID: Forwarded-by: "Rex Burkheimer" Allowing motorists to obtain personalized plates provides them with an opportunity to obtain something distinctively unique, something that commands far more attention than the usual humdrum string of letters and digits. Sometimes, though, one's choice of license plate can command an unexpected and undesirable form of attention. In 1979 a Los Angeles man named Robert Barbour found this out the hard way when he sent an application to the California Department of Motor Vehicles requesting personalized license plates for his car. The DMV form asked applicants to list three choices in case one or two of their desired selections had already been assigned. Barbour, a sailing enthusiast, wrote down "SAILING" and "BOATING" as his first two choices; when he couldn't think of a third option, he wrote "NO PLATE," meaning that if neither of his two choices was available, he did not want personalized plates. Plates reading "BOATING" and "SAILING" had indeed already been assigned, so the DMV, following Barbour's instructions literally, sent him license plates reading "NO PLATE."
Barbour was not thrilled that the DMV had misunderstood his intent, but he opted to keep the plates because of their uniqueness. Four weeks later he received his first notice for an overdue parking fine, from faraway San Francisco, and within days he began receiving dozens of overdue notices from all over the state on a daily basis. Why? Because when law enforcement officers ticketed illegally parked cars that bore no license plates, they had been writing "NO PLATE" in the license plate field. Now that Barbour had plates bearing that phrase, the DMV computers were matching every unpaid citation issued to a car with missing plates to him. Barbour received about 2,500 notices over the next several months. He alerted the DMV to the problem, and they responded in a typically bureaucratic way by instructing him to change his license plates. But Barbour had grown too fond of his plates by then to want to change them, so he instead began mailing out a form letter in response to each citation. That method usually worked, although occasionally he had to appear before a judge and demonstrate that the car described on the citation was not his. A couple of years later, the DMV finally caught on and sent a notice to law enforcement agencies requesting that they use the word NONE rather than NO PLATE to indicate a cited vehicle was missing its plates. This change slowed the flow of overdue notices Barbour received to a trickle, about five or six a month, but it also had an unintended side effect: Officers sometimes wrote MISSING instead of NONE to indicate cars with missing license plates, and suddenly a man named Andrew Burg in Marina del Rey started receiving parking tickets from places he hadn't visited either. Burg, of course, was the owner of a car with personalized plates reading "MISSING." Nonetheless, some motorists still choose personalized plates destined to land them in similar trouble. 
Jim Cara of Elsmere, Delaware, found that out the hard way when he selected the phrase "NOTAG" for the license of his Suzuki Hayabusa motorcycle in 2004: Jim Cara wanted a vanity license tag that would make people laugh. But when he chose "NOTAG" for the plate on his Suzuki Hayabusa, a sleek blue and silver motorcycle with a speedometer that reaches 220 mph, the joke backfired. The new tag arrived Saturday under an avalanche of Wilmington parking violations. "All the traffic tickets say, 'Notice of violation. License number: no tag,'" Cara said. City computers, talking to state Division of Motor Vehicles computers, had finally found an address for ticketed vehicles that lacked license tags: Cara's home in Elsmere. "I messed up the system so bad," Cara said. "I wonder if they can put me in jail or something?" He has received more than 200 violation notices. The mail carrier came twice on Saturday. Cara opened a few. They ranged from $55 to $125 for violations such as meter expirations. Cara, 43, who works for the American Motorcycle Association, said he's been a lifelong prankster. This time, though, "the cleanup is going to be worse than the joke," he said. http://www.snopes.com/autos/law/noplate.asp ----- End forwarded message ----- -- Eugen* Leitl leitl ______________________________________________________________ ICBM: 48.07078, 11.61144 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE http://moleculardevices.org http://nanomachines.net [demime 1.01d removed an attachment of type application/pgp-signature] From camera_lumina at hotmail.com Tue Aug 10 11:39:01 2004 From: camera_lumina at hotmail.com (Tyler Durden) Date: Tue, 10 Aug 2004 14:39:01 -0400 Subject: The Turncoats on Niihau Island Message-ID: Wow. What a dumb fuck this columnist is. No wait...this guy's got a gig and fuck the truth. I wonder how many of the Japanese in internment camps owned a Zero? 
And, if a Saudi citizen on our shores gets rowdy, should we round up Moroccans? (i.e., Japan is a country and a nationality...Islam is neither.)

-TD

>From: "R. A. Hettinga"
>To: cypherpunks at al-qaeda.net
>Subject: The Turncoats on Niihau Island
>Date: Tue, 10 Aug 2004 08:09:02 -0400
>
>
>
>Townhall.com
>
>The Turncoats on Niihau Island
>Michelle Malkin (back to web version) | Send
>
>August 10, 2004
>
>The following is an exclusive excerpt from Michelle Malkin's new book, In
>Defense of Internment: The Case for "Racial Profiling" in World War II and
>the War on Terror (Regnery).
>
>The Turncoats on Niihau Island
>
>"Are you a Japanese?"
>
>Those were the first English words spoken by downed Japanese fighter pilot
>Shigenori Nishikaichi on tiny Niihau Island, located about one hundred
>miles northwest of Honolulu. It was December 7, 1941. Nishikaichi had had a
>busy, bloody morning at Pearl Harbor. Now, with the aid and comfort of a
>Japanese-American couple, Nishikaichi was about to make the lives of the
>Niihau residents a living hell.
>
>Around 7:00 a.m., Nishikaichi boarded his Zero single-seat fighter plane
>and took off from the carrier Hiryu in the Pacific. An hour and a half
>later, the young Japanese pilot strafed planes, trucks, and personnel on
>Oahu. Headed back to his carrier, Nishikaichi and some fellow pilots
>encountered a group of American P36 fighter planes. During the air battle,
>Nishikaichi's plane took several hits. One punctured the Zero's gas tank.
>Nishikaichi steered the crippled plane toward the westernmost Hawaiian
>island: Niihau. Fewer than 200 Hawaiians plus three laborers of Japanese
>descent called Niihau home. Japan planned to use the island as a submarine
>pickup point for stranded pilots.
>
>Nishikaichi crash-landed the plane in a field near one of the ranch homes.
>The first to reach him was Hawila "Howard" Kaleohano, a burly Hawaiian. The
>island had no telephones.
>On that tranquil, late Sunday morning, none of
>the inhabitants was yet aware of the death and destruction that had just
>rained down on Pearl Harbor.
>
>Nonetheless, Kaleohano wisely confiscated the dazed Nishikaichi's gun and
>papers. Kaleohano, perhaps the most educated Hawaiian on Niihau, had been
>keeping tabs on world affairs through newspapers supplied by ranch owner
>Aylmer Robinson (who paid weekly visits to the island and lived twenty
>miles away on Kauai). Wary but warm, Kaleohano brought the enemy pilot to
>his home. Along the way, Nishikaichi asked Kaleohano if he was "a
>Japanese." The answer was an emphatic "No."
>
>After sharing a meal and cigarettes, Nishikaichi demanded that Kaleohano
>return his papers, which included maps, radio codes, and Pearl Harbor
>attack plans. Kaleohano refused. To make their communication easier,
>Kaleohano asked his neighbors to summon one of the island's three residents
>of Japanese descent to translate for Nishikaichi. They first brought a
>Japanese-born immigrant, Ishimatsu Shintani, to the house. He reluctantly
>exchanged a few words with the pilot in Japanese, but left in a
>hurry-apparently sensing trouble.
>
>The islanders then turned to Yoshio Harada and his wife Irene, both U.S.
>citizens, born in Hawaii to Japanese immigrants. Harada had moved from
>Kauai to California as a young man and lived there for seven years before
>relocating to Niihau with his wife in 1939. Instantly at ease with the
>Japanese-American couple, Nishikaichi dropped the bombshell news about the
>attack on Pearl Harbor. The Haradas did not inform their neighbors.
>
>That night, the hospitable Niihau residents learned about the Pearl Harbor
>attack on the radio. They decided to confine the pilot in the Haradas' home
>until help arrived.
>
>Exploiting their common ethnic ties and urging loyalty to the emperor,
>Nishikaichi won over the Haradas.
>They enlisted the other resident of
>Japanese descent-the skittish Shintani-in a conspiracy to retrieve
>Nishikaichi's papers from Kaleohano. On the afternoon of December 12, a
>reluctant Shintani visited Kaleohano and asked for the enemy pilot's
>papers. He offered his neighbor a wad of cash. Kaleohano refused. Shintani
>desperately told him to burn the papers. It was a matter of life and death,
>Shintani pleaded with Kaleohano. Kaleohano again refused.
>
>An hour later, Nishikaichi and the Haradas launched a campaign of terror
>against the islanders. They overtook the guard on duty and locked him in a
>warehouse. Mrs. Harada cranked up a phonograph to drown out the commotion.
>Yoshio Harada and Nishikaichi retrieved a shotgun from the warehouse and
>headed to Kaleohano's home. Kaleohano, who was in the outhouse, saw them
>coming and hid while Nishikaichi and his collaborators unsuccessfully
>searched for the pilot's papers. They recovered Nishikaichi's pistol and
>headed toward his grounded plane. Harada watched as the enemy pilot tried
>in vain to call for help on his radio.
>
>Meanwhile, Kaleohano fled from the outhouse and ran to the main village to
>warn his neighbors of Nishikaichi's escape. He returned to his house to
>retrieve the papers, hid them in a relative's home, and set out with a
>strong team of islanders in a lifeboat toward Kauai to get help. That
>night, Harada and Nishikaichi set both the plane and Kaleohano's home on
>fire. They fired off their guns in a lunatic rage and threatened to kill
>every man, woman, and child in the village. After gathering for a prayer
>meeting, many residents escaped to a mountaintop with kerosene lamps and
>reflectors in an attempt to signal Kauai.
>
>On the morning of December 13, Harada and Nishikaichi captured islander Ben
>Kanahele and his wife. Kanahele was ordered to find Kaleohano. In their own
>"Let's Roll" moment of heroism, the gutsy Kanaheles refused to cooperate.
>When Nishikaichi threatened to shoot Kanahele's wife, fifty-one-year-old
>Ben lunged for the enemy's shotgun. The young Japanese fighter pilot pulled
>his pistol from his boot and shot Kanahele three times in the chest, hip,
>and groin. Mrs. Kanahele pounced at Nishikaichi; her once-peaceful neighbor
>Harada tore her away.
>
>Angered, the wounded Kanahele summoned the strength to pick up Nishikaichi
>and hurl him against a stone wall, knocking him unconscious. Quick-thinking
>Mrs. Kanahele grabbed a rock and pummeled the pilot's head. For good
>measure, Ben Kanahele took out a hunting knife and slit Nishikaichi's
>throat. A desperate Harada turned the shotgun on himself and committed
>suicide.
>
>The Kanaheles' harrowing battle against a Japanese invader and his
>surprising collaborator was over.
>
>The significance of the Haradas' stunning act of disloyalty and Shintani's
>meek complicity in collaboration with Nishikaichi was not lost on the
>Roosevelt administration. The facts of the case "indicate a strong
>possibility that other Japanese residents of the Territory of Hawaii, and
>Americans of Japanese descent . . . may give valuable aid to Japanese
>invaders in cases where the tide of battle is in favor of Japan and where
>it appears to residents that control of the district may shift from the
>United States to Japan," wrote Lieutenant C. B. Baldwin after a naval
>intelligence investigation.
>
>The Haradas were neither radical nationalists nor professional spies. They
>were ordinary Japanese-Americans who betrayed America by putting their
>ethnic roots first. How many other Japanese-Americans-especially on the
>vulnerable West Coast-might be swayed by enemy appeals such as
>Nishikaichi's? How many more might be torn between allegiance for their
>country of birth and kinship with Imperial invaders? These were the
>daunting questions that faced the nation's top military and political
>leaders as enemy forces loomed on our shores.
>
>Michelle Malkin is a syndicated columnist and maintains her weblog at
>michellemalkin.com
>
>--
>-----------------
>R. A. Hettinga
>The Internet Bearer Underwriting Corporation
>44 Farquhar Street, Boston, MA 02131 USA
>"... however it may deserve respect for its usefulness and antiquity,
>[predicting the end of the world] has not been found agreeable to
>experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
>

From bill.stewart at pobox.com Tue Aug 10 15:28:10 2004
From: bill.stewart at pobox.com (Bill Stewart)
Date: Tue, 10 Aug 2004 15:28:10 -0700
Subject: stealth tempest wallpaper
In-Reply-To:
References:
Message-ID: <6.0.3.0.0.20040810152110.0592ca40@pop.idiom.com>

What's interesting about the wallpaper is the ability to block some frequency bands while passing others. There's been good shielding wallpaper available for ~15 years, but that's for blocking everything including cellphones and pagers.

At 12:20 PM 8/9/2004, Sunder wrote:
>http://www.newscientist.com/news/print.jsp?id=ns99996240
>or http://www.newscientist.com/news/news.jsp?id=ns99996240&lpos=home3
>
>Stealth wallpaper keeps company secrets safe
>10:00 08 August 04
>Special Report from New Scientist Print Edition. Subscribe and get 4 free
>issues.
>
>A type of wallpaper that prevents Wi-Fi signals escaping from a building
>without blocking mobile phone signals has been developed by a British
>defence contractor. The technology is designed to stop outsiders gaining
>access to a secure network by using Wi-Fi networks casually set up by
>workers at the office.
From hal at finney.org Tue Aug 10 17:18:08 2004
From: hal at finney.org (Hal Finney)
Date: Tue, 10 Aug 2004 17:18:08 -0700 (PDT)
Subject: DAA and Credentials
Message-ID: <20040811001808.296E957E2B@finney.org>

A few weeks ago Adam Back sent me a pointer to a paper with what was basically a new anonymous credential system, by Brickell, Camenisch and Chen, http://www.hpl.hp.com/techreports/2004/HPL-2004-93.pdf. I've followed Jan Camenisch's work pretty closely over the years and although he is only the 2nd author here, the paper is very much based on his ideas.

Actually the paper is about a very controversial topic, trusted computing: TCPA, TCG, TPM, the Fritz chip, etc. Despite the questions about that technology, the paper has some interesting ideas which could be applied more widely.

One of the concepts in trusted computing is that the computer would have a chip in it with an embedded key. This chip is called the TPM officially but is widely known as the Fritz chip after the senator who was pushing some legislation that might mandate technology controls. Fritz Hollings is gone and so is his CBDTPA but now the FCC seems to be taking up the gauntlet. But that's another story.

Anyway, the TPM generates a key internally and it gets certified by some kind of CA established by the TCG (the TCG is the new name for the TCPA). When someone wants to, say, download some DRM-protected data, they could prove they have a real TPM by providing this certificate from the TCG CA on their TPM key. This would let the data supplier know he was talking to a system with a genuine TPM that would protect the data and keep the user from defeating the DRM.

That would be the simple way to work, but the TCG didn't do it that way, because having the user show his TPM certificate everywhere would violate his privacy.
It may seem strange that a proposal which is built on the idea that the user is the enemy will care about his privacy, especially since most TCG uses will require the user to pay for things, meaning showing a credit card number, so he has no privacy anyway. But that's the political decision the TCG made.

Instead, they came up with a "Privacy CA", where the user would in effect show his TPM certificate to the PCA, and the PCA would then certify a temporary "pseudonym key" that the user would then use in place of his TPM key and certificate. The problem here is that this doesn't protect privacy all that well, plus the PCA needs to have both high availability and high security, two requirements that don't work well together.

So TCG has approved this new proposal, cryptographically based, called Direct Anonymous Attestation or DAA. There is no more Privacy CA. Instead, the user directly proves that he has a valid certificate on his TPM key, but he does it in zero knowledge. He doesn't reveal the TPM key or the certificate, nevertheless the verifier (which would typically be a seller of DRM'd content) gets convinced that he is talking to a real TPM.

The way it works is a modification of a group signature. Camenisch has done a lot of work on these over the years, with various co-authors. But the general idea is the same, that group members each generate a key, which gets certified by a "group ownership manager" and that means they're officially part of the group. Then they can create signatures of which it can only be determined that they came from someone in the group, but you can't tell which one. This is done by the method described above, a zero knowledge proof that you know a key and you have a certificate (signature) on it by the group manager key. That establishes that you are a group member.

One of the new ideas in the DAA paper relates to revocation. The TPM private keys are supposed to remain locked in the chip.
But suppose someone uses some fancy lab equipment or perhaps a side channel attack and extracts one. They could spread it around to their friends, who could use it to pretend to have TPMs, download DRM-protected data and easily remove the protections. The TCG wanted to deal with this.

The assumption is that a secret this good can't be kept quiet for long, so soon there will be lists of TPM-cracked keys floating out there. TCG-based vendors are assumed to have access to such a list, so when someone shows up with their ZK proof about having a good TPM, they want to know if the TPM key is on the list. The problem is that the TPM key is not revealed in the ZK proof.

So the authors propose that, if the key is k, another value of the form u^k mod p gets revealed, where u is perhaps chosen by the vendor, or is perhaps random. This doesn't reveal k but there is a proof that the k used in u^k is the same k that got certified as a TPM key. Now the vendor can compare the reported u^k value with computed u^k based on all known "bad" keys. If it matches for any of them, he knows that he is being offered a bogus TPM key proof.

That's the basic idea of the DAA, but there are two additional points of interest. The first is that DAA is really complicated, more so than most group signatures of this type I have seen. The main reason seems to be a desire to not make the TPM work too hard. The authors have cleverly and diligently split up the protocol so that as much work as possible is done by the host computer and not the TPM, even though the host is not trusted. The concept is similar to the old "wallet with observer" protocols of Chaum and Brands. But the effect is to add many extra phases and passes, which could probably be eliminated if we didn't care about that.

The second point relates to the system as a credential system. This idea of proving in zero knowledge that you have a cert on your key is the basis of an earlier credential system from Camenisch and Lysyanskaya.
The concept is that credentials are represented by particular signatures from particular signers. Say, AAA could give me a credential as a member for the year 2004 by a certain signature. Then I could show possession when I made a hotel reservation and get a discount, by proving that I had that signature by AAA on a key I owned. Doing it in ZK protects my privacy.

I actually looked at implementing the C&L credential system a few years ago, but there was a big stumbling block right at the beginning. It would only work with an RSA key of a special form, one composed of the product of two strong primes (primes p and q where (p-1)/2 and (q-1)/2 were themselves prime). And worse, it was necessary to prove that the modulus was of that form, without of course revealing p and q. Well, Camenisch had a protocol for this, but it was very complicated. I implemented it and it was intolerably slow, it took many minutes or even hours. It just didn't appear feasible as the foundation for a practical credential system.

One of the improvements in the new DAA system is that it escapes from the need to prove that the RSA key is built of strong primes. This means that it could conceivably be the foundation for a credential system that would actually be efficient enough to use. That's very exciting!

Unfortunately, as I said the DAA system in its present form is not quite right; it is too complicated due to the need to split up the work between TPM and untrusted host. That complication is not necessary for a plain credentialling system. So some work would have to be done to clean it up and get it into a form that would work for credentials.

Crypto is next week and I hope to see Jan there and ask him about this. If he thinks it would work then this is another project I might try in the near future. I would really like to see some kind of anonymous credential system available for people to experiment with. I had looked into doing one with ring signatures but it would not be very efficient.
Camenisch's technology is far superior.

Hal Finney

From rah at shipwright.com Tue Aug 10 14:25:53 2004
From: rah at shipwright.com (R. A. Hettinga)
Date: Tue, 10 Aug 2004 17:25:53 -0400
Subject: Continued monitoring unfortunate
Message-ID:

The Nassau Guardian Online
Tuesday, August 10, 2004

Continued monitoring unfortunate
Sears argues against decision by the FATF to continue monitoring The Bahamas

By MARTELLA MATTHEWS, Guardian Business Reporter
martella at nasguard.com

The snub The Bahamas' financial services industry received from the Financial Action Task Force (FATF) in the form of continued formal monitoring, highlights the urgent need for a more level playing field and the convening of a global forum on money laundering, Attorney General Alfred Sears said.

After close to a month of silence following the release of this decision by the FATF outlined in the Annual Review of Non-Cooperative Countries and Territories (NCCT) in early July, Mr Sears, who recently ended his term as chairman of the regional arm of the organization, the Caribbean Financial Action Task Force (CFATF), told The Guardian that this development emphasised the need for "a level playing field and uniform application of the law."

The Attorney General continued that if these two realities existed, countries like The Bahamas that have made enormous progress in the areas of money laundering and anti-terrorism financing regimes would be recognised.

"That is why we have been calling for a global forum on money laundering where all countries of the United Nations would have a right to sit down and help to make the rules and ensure that they are applied across the board in a uniform fashion," he said.

Noting some of the changes made by the Bahamas immediately after being blacklisted by the FATF in 2000 as a NCCT, Mr Sears said that included in the bundle of financial legislation passed just a year later were the abolishment of practices still in force in some FATF member countries.
"We for example have abolished bearer shares," he said. "They still have bearer shares in the United States and other jurisdictions and FATF member countries."

Regulation of gatekeepers like lawyers and accountants was another change made by The Bahamas that is still ongoing in other FATF member countries.

In its annual review, the FATF stated that although it had ended the formal monitoring of other CFATF member countries blacklisted with The Bahamas in 2000 or immediately afterwards, concerns regarding adequacy in the areas of international cooperation required that the jurisdiction undergo continued monitoring.

In the report, three CFATF member countries were granted an end to their formal monitoring process. Dominica was granted an end to its formal monitoring in October 2003, while the end of monitoring for Grenada and St. Vincent and the Grenadines was formally announced in the annual review.

Responding to the slight, Attorney General Sears described the reason given by the international body for continued monitoring as unfortunate, adding that The Bahamas had made enormous progress in the area of international judicial cooperation.

"That has been acknowledged by the Americas group of the FATF, it's been acknowledged by the United States, it's been acknowledged by Canada and it's also been acknowledged by the United Kingdom and I have the written indications of such," he declared.

He admitted however that there were aspects of international cooperation that still needed work. "We still have an outstanding issue in terms of regulators to regulate the cooperation and that relates to the Central Bank and the Securities Commission."

Giving a present-day example of the issues that were being addressed, Mr Sears said that in instances where information was given to the United States Securities Exchange, this body wanted to be able to share this information with the Justice Department.
This presented a problem, as under Bahamian law, similar entities in The Bahamas cannot share information with their counterparts in an unrestricted manner.

"The law requires that if the regulator receiving the information wishes to pass it on to another entity they get the approval of the Bahamian regulator," he said.

The former CFATF chair told The Guardian that this particular problem was currently being worked out between the Bahamian government and the U.S. regulators.

"I headed a delegation comprising the Governor of the Central Bank, the Minister of Social Services, the Minister of Investments Allyson (Maynard) Gibson, Hillary Deveaux from the Securities Commission, (and) Michelle Martinborough," Mr Sears said. "We have had a very good negotiation with the (U.S.) Securities Commission and Exchange and we're working out a protocol now. It's my expectation that that issue will be satisfactorily resolved in short order."

Expressing his disappointment at the move by the FATF, which others in the financial services community describe as a deliberate assault on the country's financial services sector, Mr Sears said: "What I would wish is that when we make progress that it is reflected in the statements out of the FATF... The Bahamas has certainly done more than most; we have gone in some instances further than most. I think we ought to be recognised and it ought to be acknowledged the enormous progress that we have made."

--
-----------------
R. A. Hettinga
The Internet Bearer Underwriting Corporation
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

From rah at shipwright.com Tue Aug 10 14:49:06 2004
From: rah at shipwright.com (R. A. Hettinga)
Date: Tue, 10 Aug 2004 17:49:06 -0400
Subject: "...Hold still for the camera, Mehdi..."
Message-ID:

From Tyler's Iraq SLO-expat S-ISP CTO blog ():

Al Sadr got himself a laminator. His goons, er, freedom fighters, have ID's now.

Skip the Arabic, notice the guy on the left in the first pic.

BWAHAHAHAHA!

Cheers,
RAH

--
-----------------
R. A. Hettinga
The Internet Bearer Underwriting Corporation
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

From cmckie at dowco.com Tue Aug 10 18:56:35 2004
From: cmckie at dowco.com (Craig McKie)
Date: Tue, 10 Aug 2004 18:56:35 -0700
Subject: Bamford: full text download for free
Message-ID:

http://livinglib.khsv.tk/Body.rar

From mv at cdc.gov Tue Aug 10 19:20:25 2004
From: mv at cdc.gov (Major Variola (ret))
Date: Tue, 10 Aug 2004 19:20:25 -0700
Subject: nukelear bones
Message-ID: <41198268.977B1AFA@cdc.gov>

At 09:00 AM 8/10/04 -0400, Pete Capelli wrote:
>So now I can vote for Jack Johnson (Yale grad, skull & bones member,
>rich due to inheritance) or John Jackson (ditto).

Vote Osama, and clean up the Potomac!

-the ministry of mental health

From jamesd at echeque.com Tue Aug 10 19:49:18 2004
From: jamesd at echeque.com (James A. Donald)
Date: Tue, 10 Aug 2004 19:49:18 -0700
Subject: "...Hold still for the camera, Mehdi..."
In-Reply-To:
Message-ID: <411926BE.1125.1118B87B@localhost>

--
On 10 Aug 2004 at 17:49, R. A. Hettinga wrote:
>
>
> Al Sadr got himself a laminator. His goons, er, freedom
> fighters, have ID's now.
>
> Skip the Arabic, notice the guy on the left in the first pic.

Presumably the IDs do not display true names, but Sadr presumably has a database linking true names to ID tags. Of course, should that database fall into US hands, his entire organization is screwed.

--digsig James A.
Donald 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
coAqlKplZQKw8k99OLGi4iC3tOe5nfoJXWb5ZXw1
4QGY4ri/TnUJjaPX8H30E7LUk0rLUXRrhVVIcT1D+

From eugen at leitl.org Tue Aug 10 10:51:24 2004
From: eugen at leitl.org (Eugen Leitl)
Date: Tue, 10 Aug 2004 19:51:24 +0200
Subject: When good tags go bad... (fwd from gkm@petting-zoo.net)
Message-ID: <20040810175124.GS1477@leitl.org>

----- Forwarded message from glen mccready -----

From rah at shipwright.com Tue Aug 10 18:33:51 2004
From: rah at shipwright.com (R. A. Hettinga)
Date: Tue, 10 Aug 2004 21:33:51 -0400
Subject: SF Bay Area Cypherpunks August 2004 Physical Meeting Announcement
Message-ID:

--- begin forwarded text

From rah at shipwright.com Tue Aug 10 18:41:48 2004
From: rah at shipwright.com (R. A. Hettinga)
Date: Tue, 10 Aug 2004 21:41:48 -0400
Subject: SF Bay Area Cypherpunks August 2004 Physical Meeting Announcement
In-Reply-To:
References:
Message-ID:

At 9:33 PM -0400 8/10/04, R. A. Hettinga wrote:
>--- begin forwarded text
>
>
>Date: Tue, 10 Aug 2004 09:56:44 -0700
>To: meetingpunks at cryptorights.org, cypherpunks at minder.net

doh! I meant to send it to perrypunks. One more time. You won't even notice... :-)

Cheers,
RAH

--
-----------------
R. A. Hettinga
The Internet Bearer Underwriting Corporation
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

From shaddack at ns.arachne.cz Tue Aug 10 12:49:24 2004
From: shaddack at ns.arachne.cz (Thomas Shaddack)
Date: Tue, 10 Aug 2004 21:49:24 +0200 (CEST)
Subject: NSA Overcomes Fiber-Optic and Encryption
In-Reply-To:
References:
Message-ID: <0408102110110.10349@somehost.domainz.com>

On Mon, 9 Aug 2004, John Young wrote:
> Excerpt below from a Baltimore Sun article of August 8, 2004.
> Some of it could be true, but.
> http://cryptome.org/dirnsa-shift.htm

I think the correct title would be "sidesteps" instead of "overcomes". It's a fundamentally different way (though the result is the same).

From rah at shipwright.com Tue Aug 10 21:07:28 2004
From: rah at shipwright.com (R. A. Hettinga)
Date: Wed, 11 Aug 2004 00:07:28 -0400
Subject: "...Hold still for the camera, Mehdi..."
In-Reply-To: <411926BE.1125.1118B87B@localhost>
References: <411926BE.1125.1118B87B@localhost>
Message-ID:

At 7:49 PM -0700 8/10/04, James A. Donald wrote:
>Presumably the IDs do not display true names

I would bet you're stretching the bounds of presumption, myself.

Cheers,
RAH

--
-----------------
R. A. Hettinga
The Internet Bearer Underwriting Corporation
44 Farquhar Street, Boston, MA 02131 USA
"Several times a week, to enter a TV studio say, or to board a plane, I have to produce a tiny picture of my face." -- Christopher Hitchens

From shaddack at ns.arachne.cz Tue Aug 10 18:01:33 2004
From: shaddack at ns.arachne.cz (Thomas Shaddack)
Date: Wed, 11 Aug 2004 03:01:33 +0200 (CEST)
Subject: The Turncoats on Niihau Island
In-Reply-To:
References:
Message-ID: <0408110257350.10368@somehost.domainz.com>

On Tue, 10 Aug 2004, R. A. Hettinga wrote:
> The Turncoats on Niihau Island
> Michelle Malkin (back to web version) | Send
> ...
> The Haradas were neither radical nationalists nor professional spies. They
> were ordinary Japanese-Americans who betrayed America by putting their
> ethnic roots first. How many other Japanese-Americans-especially on the
> vulnerable West Coast-might be swayed by enemy appeals such as
> Nishikaichi's? How many more might be torn between allegiance for their
> country of birth and kinship with Imperial invaders?

The ethnicity or religion or political affiliation are not the only risk factors. What about something so plain and simple as money? Would the author advocate rounding up the needy and the greedy? Have not enough money? You're a suspect. Have too much money?
You're a suspect too. Now imagine the fun if these two categories would overlap...

From Bosley.John at bls.gov Wed Aug 11 03:13:46 2004
From: Bosley.John at bls.gov (Bosley, John - BLS)
Date: August 11, 2004 3:13:46 PM EDT
Subject: Interesting interview with David Brin about privacy, etc.
Message-ID:

For IP if you wish, Dave.

John

http://www.govtech.net/magazine/story.php?id=90772

John Bosley
Office of Survey Methods Research
Room 1950, Bureau of Labor Statistics
202-691-7514 fax 202-691-7426

OS X Summary

In this place, all the myriad cameras report their urban scenes straight to Police Central, where security officers use sophisticated image-processors to scan for infractions against the public order -- or perhaps against an established way of thought.

...Over by the mall, a teenage shoplifter is taken into custody gingerly, with minute attention to ritual and rights, because the arresting officer knows the entire process is being scrutinized by untold numbers who watch intently, lest her neutral professionalism lapse.

...There, any citizen may tune in on bookings, arraignments, and especially the camera control room itself, making sure that the agents on duty look out for violent crime, and only crime.

...Still, taking that into account, it does seem clearer every day that the 21st century simply has to feature positive-sum games -- or ways everybody can benefit while minimizing the bad.

...I cannot prove with utter certainty that we won't face some genuine tradeoffs between safety and freedom, but I am sick of hearing that it's automatic -- assumed -- that they work against each other, that I must choose between these precious things.

...Q: In one interview about The Transparent Society, you spoke of the need for constant public supervision to enforce accountability on government -- metaphorically a "leash" to remind our guard dogs that they serve us. Does the two-way aspect of information transparency create that leash?
...Not one thing we do will reduce the growing power of elites to look at us. Nor should that matter, or reduce our freedom an iota, so long as we fiercely embrace the other solution.

...There are dozens of potential ways to increase accountability, while at the same time allowing our paid protectors to do their jobs better.

...You can't count the number of times you've seen on TV a debate between some civil libertarian and a "security expert" -- screaming at each other about this so-called "tradeoff."

...Stand on a street corner, and spend five minutes doing a slow turn, taking time to notice all the things that work -- the traffic lights, the sewers, the clean water, all the people being courteous to each other and taking turns.

...I also like having skilled cops, who know they might be on video at any moment, and therefore have decided to stop being paid thugs and instead be the kind of great professionals we saw in fiction, say on Adam 12.

...It's great, and they're getting all sorts of new tools to become better at it -- software tools, cameras, spy tools, biometric ID and surveillance -- tools that might also become dangerous to freedom, if we aren't careful. But even assuming they use these tools both honorably and well, there's just no way anticipation will always work.

...The trend of the 20th century -- toward professionalization of everything -- simply cannot go on. The 21st century has to be a time when people gradually take back some control of their lives.

...Every Cabinet department and military service -- almost every agency -- has an inspector general, whose job is to make sure the law is obeyed by those entrusted with state power.

...Hey, you can look at the future and shiver with fear, or you can peer ahead and say, 'How can we maximize the good while minimizing the bad?'
----- End forwarded message -----

-- 
Eugen* Leitl leitl
______________________________________________________________
ICBM: 48.07078, 11.61144 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
http://moleculardevices.org http://nanomachines.net

From rah at shipwright.com Wed Aug 11 05:46:14 2004
From: rah at shipwright.com (R. A. Hettinga)
Date: Wed, 11 Aug 2004 08:46:14 -0400
Subject: [osint] al-Qaida Stays Connected in Number of Ways
Message-ID:

--- begin forwarded text

To: "Bruce Tefft"
Thread-Index: AcR/fk5Um7mp7c8vSdOiPPsL86p8owAEU7Bw
From: "Bruce Tefft"
Mailing-List: list osint at yahoogroups.com; contact osint-owner at yahoogroups.com
Delivered-To: mailing list osint at yahoogroups.com
Date: Wed, 11 Aug 2004 06:40:59 -0400
Subject: [osint] al-Qaida Stays Connected in Number of Ways
Reply-To: osint at yahoogroups.com

al-Qaida Stays Connected in Number of Ways

By PAUL HAVEN
.c The Associated Press

ISLAMABAD, Pakistan (AP) - If Osama bin Laden is directing plans for an attack on the United States - as Washington intelligence officials suspect - his instructions are likely coming out of the craggy mountains between Afghanistan and Pakistan on the back of a donkey or under the shawl of an unassuming-looking villager.

After the arrests of several top lieutenants, bin Laden and his right hand man, Egyptian Ayman al-Zawahri, have learned their lessons well, Pakistani intelligence officials and international terrorism experts say. They don't use satellite or cellular phones, don't trust anyone outside their innermost circle and never come up for air.
Messages from the men likely pass through the hands of many couriers, most of whom have no idea where they originated, before they are turned into e-mails or conveyed by phone calls to other militants.

``If bin Laden wants to convey something, he gives a letter to someone in his circle, who takes it a certain distance and then hands it to someone else, and then someone else until it reaches its final destination. Nobody knows who the letter is from except the first person who is one of bin Laden's most trusted men,'' said a senior Pakistani intelligence official who has been in on his nation's most sensitive counterterror operations.

The Bush administration believes plans for a terror attack are being directed at the most senior levels of the al-Qaida leadership, including bin Laden, a U.S. intelligence official told The Associated Press in July.

How much input the top men have is open to question, but a Pakistani government official told the AP that several captured al-Qaida men have told authorities they received instructions from bin Laden.

``Probably he is alive, and some al-Qaida suspects captured in Pakistan have talked about receiving verbal messages from him through different channels,'' he said of bin Laden.

The American and Pakistani officials spoke on condition of anonymity.

There has been no firm intelligence on bin Laden and al-Zawahri's whereabouts since they slipped away during a U.S.-Afghan assault on their mountain hideouts in Tora Bora in late 2001, but they are believed to be hiding in the mountainous no man's land between Pakistan and Afghanistan, protected by deeply conservative tribesmen who share their beliefs.

With the exception of about a half-dozen audio taped messages that the CIA has authenticated as being his voice, there has been virtually no sign of bin Laden since shortly after the Sept. 11, 2001 attacks.
That silence has lent him almost a mythic quality, especially among his followers, but officials say he is still very real, and very dangerous.

The Pakistani intelligence official said one of the best leads came with the arrest of al-Qaida's No. 3 man, Khalid Shaikh Mohammed, who had a letter on him that he told interrogators he got directly from bin Laden, and which experts authenticated as being in bin Laden's handwriting.

The letter was apparently personal and destined for several of bin Laden's relatives in Iran, the official said. He would give no further details.

``Khalid Shaikh Mohammed said he got the letter directly from bin Laden and was supposed to give it to someone else and it would eventually go to Iran,'' the official said.

He said the letter proves bin Laden was alive as recently as early 2003. Mohammed was arrested in Pakistan on March 1, 2003 and is now in U.S. custody.

Several top al-Qaida fugitives arrested in Pakistan have allegedly been tracked using satellite intercepts, including Abu Zubaydah and Ramzi Binalshibh.

A tribal elder accused of sheltering foreign militants was killed in a bombing in Waziristan on June 18, hours after he used a satellite phone to call media to denounce the government.

The importance of discretion has become even more apparent in recent weeks following the July 13 arrest of an alleged al-Qaida computer whiz named Mohammed Naeem Noor Khan.

Intelligence gleaned from Khan and his computer has led to counterterrorism operations in Pakistan, Britain and the United Arab Emirates, and dozens of suspects have been arrested.

Khan's computer contained a trove of information, including coded e-mails to other operatives. He is said to have cooperated with authorities and sent e-mails while in custody to militants so that authorities could arrest them.

Armed with electronic intelligence, raids in Pakistan have netted Ahmed Khalfan Ghailani, a Tanzanian with a $25 million U.S. bounty on his head, and at least 19 other suspects.
Authorities in Dubai detained Qari Saifullah Akhtar, a Pakistani with close links to bin Laden who ran an Afghan training camp through which some 3,500 militants passed.

In Britain, a dozen suspects have been picked up, including a senior al-Qaida operative identified as Abu Eisa al-Hindi or Abu Musa al-Hindi who was reportedly involved in surveillance on financial institutions in Washington and New York.

``Terrorists, like the rest of us, are finding out that they cannot live without the Internet. It is very difficult to keep in touch with a lot of people over large distances without it,'' said Paul Wilkinson, chairman of the Centre for the Study of Terrorism and Political Violence at the University of St. Andrews in Scotland.

He said al-Qaida operatives have used encrypted e-mails and other techniques, like hiding messages inside photographs, to conceal communications. But they can't always hide, and when authorities get diskettes or hard drives, they can deal terror groups a major blow.

``The technology that al-Qaida has used so effectively can also be its Achilles heel,'' he said.

Pakistani authorities say bin Laden and al-Zawahri have shielded themselves, staying clear of the chatter between lower ranking operatives. Bin Laden is seen mostly as a financial backer and religious inspiration to his fighters, making regular communication unnecessary.

``Whenever we get hold of high profile al-Qaida activists there is a great deal of euphoria and excitement, and it leads to a lot of optimism ... that it will lead us to the eventual prize - the apprehension of Osama and al-Zawahri,'' said Interior Minister Faisal Saleh Hayyat. ``But we have to be very cautious. This network ... remains a potent threat to Pakistan, and to civilized humanity.''

The Pakistani intelligence official acknowledged that the lack of solid intelligence has been frustrating.

``You keep waving your sword in the air and you hope a bird will come along and you will hit it,'' he said.
``It's a matter of luck.''

Associated Press Writer Munir Ahmad in Islamabad contributed to this report.

Source: AOL News, AP

--------------------------
Want to discuss this topic? Head on over to our discussion list, discuss-osint at yahoogroups.com.
--------------------------
Brooks Isoldi, editor
bisoldi at intellnet.org
http://www.intellnet.org

Post message: osint at yahoogroups.com
Subscribe: osint-subscribe at yahoogroups.com
Unsubscribe: osint-unsubscribe at yahoogroups.com

*** FAIR USE NOTICE. This message contains copyrighted material whose use has not been specifically authorized by the copyright owner. OSINT, as a part of The Intelligence Network, is making it available without profit to OSINT YahooGroups members who have expressed a prior interest in receiving the included information in their efforts to advance the understanding of intelligence and law enforcement organizations, their activities, methods, techniques, human rights, civil liberties, social justice and other intelligence related issues, for non-profit research and educational purposes only. We believe that this constitutes a 'fair use' of the copyrighted material as provided for in section 107 of the U.S. Copyright Law. If you wish to use this copyrighted material for purposes of your own that go beyond 'fair use,' you must obtain permission from the copyright owner. For more information go to: http://www.law.cornell.edu/uscode/17/107.shtml

Yahoo! Groups Links

<*> To visit your group on the web, go to:
    http://groups.yahoo.com/group/osint/

<*> To unsubscribe from this group, send an email to:
    osint-unsubscribe at yahoogroups.com

<*> Your use of Yahoo!
Groups is subject to: http://docs.yahoo.com/info/terms/

--- end forwarded text

-- 
-----------------
R. A. Hettinga
The Internet Bearer Underwriting Corporation
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

From rah at shipwright.com Wed Aug 11 05:52:30 2004
From: rah at shipwright.com (R. A. Hettinga)
Date: Wed, 11 Aug 2004 08:52:30 -0400
Subject: [osint] Al Qaeda's Travel Network
Message-ID:

--- begin forwarded text

To: osint at yahoogroups.com
User-Agent: eGroups-EW/0.82
From: "gwen831"
Mailing-List: list osint at yahoogroups.com; contact osint-owner at yahoogroups.com
Delivered-To: mailing list osint at yahoogroups.com
Date: Wed, 11 Aug 2004 03:51:40 -0000
Subject: [osint] Al Qaeda's Travel Network
Reply-To: osint at yahoogroups.com

http://www.stratfor.com/free-scripts/comsite2.pl?page=BZdelivery&src_id=0224&trans_id=GEN20040810-257

Al Qaeda's Travel Network
August 10, 2004

Summary

With the recent arrests of al Qaeda operatives in Pakistan, the United Kingdom and the United Arab Emirates, small clues as to the structure, organization, communication and travel of al Qaeda members are emerging. The most recent detentions have revealed a transportation link between Pakistan, England and the United States that allows for the movement of militants and messages, and relies on several other countries for waypoints and key supplies.

Analysis

A series of detentions of suspected al Qaeda members in Pakistan, England and the United Arab Emirates, as well as the arrests of persons of interest in the southern United States, have shed light on some of the ways that al Qaeda moves messages and militants around the globe.
In particular, the small piece of the al Qaeda network recently rounded up illustrates transportation links between Pakistan -- where the core leadership of the organization appears to reside -- the United Kingdom and the United States.

Al Qaeda operatives rarely travel directly from Point A to Point B. Instead, they jump from country to country, with each destination having its own end use and with multiple stops between beginning and end. This method of travel serves to obfuscate the origin and destination of al Qaeda messengers and operatives, reducing the likelihood that the militants will be captured or traced back to the organization's core.

Despite the arrests of several senior al Qaeda members, including Abu Zubaydah, Ramzi bin al Shibh and Khalid Sheikh Mohammed, the whereabouts of Osama bin Laden remains a mystery. The core of al Qaeda's planning leadership appears to be in Pakistan, not far from its pre-9/11 Afghanistan base. Pakistan is both a resting and planning location and, in some cases, a target for al Qaeda, which used specific attacks against the regime of President Gen. Pervez Musharraf to try to wrest some space and leeway for continued residence inside the country. Al Qaeda is cautious to not escalate actions against Islamabad for fear of losing what appears to be the final sanctuary for the jihadist network's brain.

But al Qaeda is an international organization, both in scope of vision and in distribution of operatives. Moving messages, equipment and personnel requires a relatively secure transportation network, one that can hide the true origin of travelers and thus slip in under the radar screen of intelligence and law enforcement agencies who are watching certain flight routes and looking for named and profiled potential militants.

One key transit point is the United Arab Emirates. The UAE was one of only three countries to recognize the Taliban's rule in Afghanistan, and al Qaeda loyalists still reside in the country.
Just a few days before their July 25 arrest alongside wanted al Qaeda leader Ahmed Khalfan Ghailani, two South Africans -- Dr. Feroz Ganchi and Zubair Ismail -- flew from UAE to Lahore, Pakistan. Another African, a Nigerian named Mohammed Salman Eisa, was captured at the Lahore airport on Aug. 2 while trying to board a plane bound for UAE. Eisa reportedly was carrying messages to operatives in other countries.

The UAE provides an excellent transit point because safe houses, friendly sympathizers and money likely can be found. Though travel to and from Pakistan might garner suspicion, the UAE is a country thought to be without an active militant presence, and makes a good neutral stop between Pakistan and other nations. Should al Qaeda operatives obtain a UAE passport, they would receive significantly less scrutiny by the U.S. government, avoiding the standard profiling of certain passports, such as those from Pakistan and Saudi Arabia.

Another node on the transit hub is Britain. As Stratfor has discussed, Britain is a good staging ground for planning attacks. A large Muslim, and especially Pakistani, community means those travelers can come and go without arousing much suspicion with travel authorities. Britain has a number of clerics and scholars willing to help "jihadic causes," both through their rhetoric and with operatives. Britain offers a fairly neutral stop between red-flag destinations.

Mohammed Naeem Noor Khan, the suspected al Qaeda communications specialist at the center of the series of arrests, reportedly traveled often between Britain and Pakistan, using free plane tickets procured by his father, who worked for Pakistan's state-run airline.
Abu Eisa al-Hindi -- a key al Qaeda operations manager believed to be responsible for much of the surveillance work done in the United States that led to the recent heightened terror alerts in parts of the country -- also traveled to the United States from Britain, allegedly as part of a three-man team that surveyed targets including the New York Stock Exchange in early 2001.

South Africa also is becoming more and more prominent as a travel. Like the UAE, South Africa is not considered a hotbed of Islamist militancy -- aside, perhaps, from Johannesburg -- and therefore is less likely to raise suspicion as a possible al Qaeda source point. South Africa also provides a good source of fraudulent passports, papers and recruits for al Qaeda, and British citizens can travel freely to South Africa and back without a visa. With Muslims representing 2 percent of the population and large communities in Johannesburg and Pretoria, both money and potential recruits can be found there. Porous borders and easy access to weapons also make South Africa a dream come true for al Qaeda operatives.

Crime syndicates operating inside the Department of Home Affairs reportedly have sold or given "boxes and boxes" of South African passports to al Qaeda members or their associates operating in Europe.

In recent weeks three people -- one woman, Farida Goolam Ahmed and two unnamed men -- have been stopped in Mexico or the southern United States with suspicious South African passports -- often with pages missing. This reveals another key component to the al Qaeda travel network: the use of Mexico -- and likely Canada -- as key entry points into the United States. Mexico and Canada share large, and sometimes unguarded, borders with the United States. Ahmed's success in sneaking across the U.S.-Mexican border attests to the ease with which would-be terrorists could enter the United States. Ahmed, who had a South African passport with no U.S.
entry stamp, was stopped at the airport in McAllen, Texas, and had with her an itinerary that showed her flying from Johannesburg to Dubai, then to London and finally to Mexico City, from whence she smuggled herself into Texas by simply forging through the brush.

Canada also poses a problem. Its 4,000-mile border with the United States has one guard for every eight to 16 miles and has largely forested areas that are extremely difficult to patrol. As early as 1999, an Algerian named Ahmed Ressam was stopped in Washington state, en route from Canada, with more than 130 pounds of explosives in the trunk of his car. He had planned to blow up Los Angeles International Airport.

The complexities of the transportation networks reveal al Qaeda's strengths and weaknesses. By moving through countries with a lower profile, at least as far as al Qaeda is concerned, operatives can mask their origins. Several of the foreign al Qaeda operatives in the past, like Jose Padilla, would declare their passports missing and get new ones issued while in more neutral countries, thus erasing all previous travel records. With a South African network of passports available, that becomes easier, and new passports can be used to register journeys that appear to begin far from their true origin.

Although it is easier to move and hide using such a network, it also can be somewhat limiting: The revelation of the waypoint countries suddenly puts them higher on the suspicion list. Disruption of a key waypoint, then, also serves to force al Qaeda to try alternative, and perhaps less secure, routes.

Ultimately, however, what we are seeing is only a small sliver of a larger transportation network -- one that spans the globe. But as slices of al Qaeda are cut away, more nodes in the transport and communication network will be revealed, forcing al Qaeda to react and change its methods again. That puts al Qaeda on the defensive, rather than the offensive.

Copyrights 2004 - Strategic Forecasting, Inc.
All rights reserved.

--- end forwarded text

-- 
R. A. Hettinga

From pcapelli at gmail.com Wed Aug 11 09:24:42 2004
From: pcapelli at gmail.com (Pete Capelli)
Date: Wed, 11 Aug 2004 12:24:42 -0400
Subject: Michael Moore in Cambridge (download speech)
In-Reply-To: <0408111708050.0@somehost.domainz.com>
References: <20d1830f607a22119fb8cb95867f6824@dizum.com> <20bf32b704080921062e58e279@mail.gmail.com> <0408111708050.0@somehost.domainz.com>
Message-ID:

> > Being still currently undecided myself (although living in one of the
> > 32 or so 'pre-ordained' states) I found this speech to be "most
> > cynical, opportunistic, divisive, and un-American" ones I've listened
> > to in a while.
>
> Define "un-American", please?

That was a direct quote from Howie Goodell's reply to me. I found it interesting that while the left continues to rail against everything Bush does, they use many (if not all) of the same tactics. Yet they are blind to that fact (willfully so). Neither side is willing to agree or concede on *any* point. While not a definition of 'un-american' in itself, it sure is a symptom.

From rah at shipwright.com Wed Aug 11 09:32:12 2004
From: rah at shipwright.com (R. A. Hettinga)
Date: Wed, 11 Aug 2004 12:32:12 -0400
Subject: Paul Kocher to Address Researchers at CHES 2004 Conference
Message-ID:

Yahoo! Finance

Press Release
Source: Cryptography Research, Inc.

Paul Kocher to Address Researchers at CHES 2004 Conference
Wednesday August 11, 8:03 am ET

Security Expert Shares Insights on the Future of Applied Crypto

SAN FRANCISCO, Aug.
11 /PRNewswire/ -- As the use of secure smartcards and other embedded systems continues to grow, the security and tamper resistance of these devices is becoming increasingly important, according to Paul Kocher, president and chief scientist at Cryptography Research, Inc. Kocher will discuss his vision of the challenges and solutions ahead for these systems at the upcoming Cryptographic Hardware and Embedded Systems (CHES) 2004 conference.

Kocher will present his views at an invited lecture, "From Proof to Practice: Real-World Cryptography," at CHES, the world's leading research conference in applied tamper resistance, at 9:00 a.m. on Friday, August 13 at the Boston Marriott Cambridge Hotel.

A pioneer in the field of differential power analysis (DPA) and countermeasures, Kocher will discuss the issues involved in building trustworthy cryptographic components that provide relying parties with "rational confidence" in security.

"You need to have security that is both effective and that is verifiable by relying parties, since either one without the other is useless," Kocher explains.

According to Kocher, one of the most difficult unsolved research problems in security and cryptography is to find effective ways to manage the risks created by the combination of human fallibility and the increasing complexity of modern security systems.

"Traditional engineering approaches simply do not produce robust security," Kocher said. "At Cryptography Research, we've been learning to manage this problem by applying risk mitigation approaches from more established industries, such as aviation and medicine."

Kocher's talk will describe some of these approaches and lessons, as well as open research problems where additional work is needed.

About Paul Kocher

Paul Kocher has gained an international reputation for his consulting work and academic research in cryptography.
His research projects have included designing and co-authoring SSL v3.0, discovering timing attack cryptanalysis, and architecting the record-breaking DES Key Search machine, Deep Crack. At Cryptography Research, he led the team that discovered Differential Power Analysis, as well as the countermeasures for securing smart cards and other devices against these attacks.

About Cryptography Research, Inc.

Cryptography Research, Inc. provides consulting services and technology to solve complex security problems. In addition to security evaluation and applied engineering work, CRI is actively involved in long-term research in areas including tamper resistance, content protection, network security and financial services. The company has a broad portfolio of patents covering countermeasures to differential power analysis and other vulnerabilities, and is committed to helping companies produce secure smart cards and other tamper resistant devices. Security systems designed by Cryptography Research engineers annually protect more than $60 billion of commerce for wireless, telecommunications, financial, digital television and Internet industries. For additional information or to arrange a consultation with a member of the technical staff, please contact Jennifer Craft at 415-397-0123, ext. 329 or visit www.cryptography.com.

Source: Cryptography Research, Inc.

-- 
R. A. Hettinga

From rah at shipwright.com Wed Aug 11 10:00:05 2004
From: rah at shipwright.com (R. A. Hettinga)
Date: Wed, 11 Aug 2004 13:00:05 -0400
Subject: Privacy Showdown
Message-ID:

Forbes
Business In The Beltway

Privacy Showdown
Ashlea Ebeling, 08.11.04, 6:00 AM ET

The American Bankers Association, the Financial Services Roundtable and the Consumer Bankers Association have gone to the Ninth Circuit Court of Appeals to try to stop a California law that restricts how they can use customer information. The outcome of their appeal, filed Aug. 2, will decide the fate of the strictest state privacy law on the books, and the crucial issue of whether federal law preempts such state laws.

Members of the three trade associations, such as Citigroup (nyse: C - news - people ), Bank of America (nyse: BAC - news - people ), Wells Fargo (nyse: WFC - news - people ) and Merrill Lynch (nyse: MER - news - people ), share customer information among their affiliates. Under the California Financial Information Privacy Act, commonly called SB1 after its bill number, they would have to either stop sharing among affiliates that are not in the same line of business (for example, a bank affiliate couldn't share with an insurance affiliate), or submit to the law's opt-out requirement. Under that rule, customers have the right to block, or opt-out, of the sharing of their information among affiliates. (A separate provision of the law requiring banks to get permission from customers before their information can be shared with third party companies is not under attack.)

The bankers argue that the affiliate sharing restrictions are plainly preempted by the federal Fair Credit Reporting Act. But on June 30, Judge Morrison C. England Jr. of the U.S. District Court in Sacramento ruled that the FCRA, whose overriding purpose is to regulate the use and dissemination of consumer reports, does not preempt SB1.
Instead, the judge said, the Gramm-Leach-Bliley Act, which sets forth basic privacy protections in non-credit reporting situations, is the relevant federal law and it does allow states to enact more stringent privacy controls. The California privacy law went into effect one day later on July 1.

Financial institutions doing business in California now face penalties of up to $500,000 for negligent disclosure of nonpublic personal information, with no cap on what they can be fined for knowing and willful violations. Both state regulators and individual consumers can bring suit over alleged violations.

On appeal, the industry groups argue that the district court incorrectly relied on the Gramm-Leach-Bliley Act, and that the FCRA, and 2003 amendments to it, expressly preempt SB1's affiliate sharing requirements. The state's reply brief is due September 1.

"We think the district court got it right," says Susan Henrichsen, a California supervising deputy attorney general who is working on the case.

Privacy advocates, including the Consumer Federation of California, Consumers Union and the Privacy Rights Clearinghouse, hope she's right. They spent years pushing for the law. California financial privacy legislation was introduced in 2000 and 2001, but died as industry lobbyists, and then-Gov. Gray Davis, worked to assure its defeat. California state Sen. Jackie Speier (D-San Francisco/San Mateo) introduced SB1 in December 2002.

The industry groups spent $20 million trying to stop SB1, but eventually gave in, in light of an even graver threat. That threat came from a group called Californians for Privacy Now, organized and funded by E-Loan (nasdaq: EELN - news - people ) Chairman and Chief Executive Christian Larsen. It gathered 600,000 signatures for a ballot initiative that would have offered voters a chance to adopt even stricter privacy rules.
For example, the initiative would have required companies to get permission before selling or sharing customer information, even among their own affiliates. With the passage of SB1, the group dropped its initiative drive. Gov. Davis too switched sides, and signed SB1 into law in August 2003.

But industry groups apparently had other plans of attack to invalidate the affiliate sharing provisions of SB1: First, lobbying Congress to amend the FCRA, and second, suing in federal court. The fall 2003 amendments to the FCRA include a provision that broadens the law's preemptive scope--the bankers say this means the FCRA now preempts SB1. For now their battle is in the courts, but Congress may well be dragged into the privacy fight again.

-- 
R. A. Hettinga

From howie.goodell at gmail.com Wed Aug 11 10:27:42 2004
From: howie.goodell at gmail.com (Howie Goodell)
Date: Wed, 11 Aug 2004 13:27:42 -0400
Subject: Michael Moore in Cambridge (download speech)
In-Reply-To: <0408111708050.0@somehost.domainz.com>
References: <20d1830f607a22119fb8cb95867f6824@dizum.com> <20bf32b704080921062e58e279@mail.gmail.com> <0408111708050.0@somehost.domainz.com>
Message-ID: <20bf32b70408111027e5a977a@mail.gmail.com>

Since I introduced the term referring to the Bush Administration -- a poor attempt at irony, but what I had in mind was the sort of American ideals embodied in our Declaration of Independence, preamble and Constitution and Bill of Rights, along with the ways these ideals worked in practice to help create a much more desirable society over the past couple centuries than countries similarly blessed with resources (Russia, Argentina.) So a few examples.
More than any administration I can remember since Nixon's, this administration has disregarded, actively opposed, or perverted:

Declaration of Independence: equality, human rights.
Preamble to the Constitution: "a more perfect Union", justice, liberty
Constitution -- torn down separation of powers, many others
Bill of Rights -- read the list!

Mr. Moore's speech was a rallying cry to take back our government. Would John Kerry drag us into Iraq? Would he run obscene deficits? (Hint: check his record from Graham Rudman on.) Would he raid the last of the Social Security surplus to line his friends' pockets? He may have voted for Patriot I (along with virtually the whole Congress), but he's making restoring our rights a major issue.

I think one of the philosophers said the key to knowledge is not seeing similarities, but differences.

Howie Goodell

On Wed, 11 Aug 2004 17:08:29 +0200 (CEST), Thomas Shaddack wrote:
>
> On Tue, 10 Aug 2004, Pete Capelli wrote:
>
> > Being still currently undecided myself (although living in one of the
> > 32 or so 'pre-ordained' states) I found this speech to be "most
> > cynical, opportunistic, divisive, and un-American" ones I've listened
> > to in awhile.
>
> Define "un-American", please?
>
> E3-I: This message has been scanned for viruses and dangerous content by UML's antivirus scanning services.
>

--
Howie Goodell  hgoodell at cs.uml.edu  http://goodL.org
Hardware control  Info Visualization  User interface
UMass Lowell Computer Science Doctoral Candidate

From shaddack at ns.arachne.cz Wed Aug 11 08:08:29 2004
From: shaddack at ns.arachne.cz (Thomas Shaddack)
Date: Wed, 11 Aug 2004 17:08:29 +0200 (CEST)
Subject: Michael Moore in Cambridge (download speech)
In-Reply-To:
References: <20d1830f607a22119fb8cb95867f6824@dizum.com> <20bf32b704080921062e58e279@mail.gmail.com>
Message-ID: <0408111708050.0@somehost.domainz.com>

On Tue, 10 Aug 2004, Pete Capelli wrote:

> Being still currently undecided myself (although living in one of the
> 32 or so 'pre-ordained' states) I found this speech to be "most
> cynical, opportunistic, divisive, and un-American" ones I've listened
> to in awhile.

Define "un-American", please?

From dave at farber.net Wed Aug 11 14:20:58 2004
From: dave at farber.net (David Farber)
Date: Wed, 11 Aug 2004 17:20:58 -0400
Subject: [IP] Interesting interview with David Brin about privacy, etc.
Message-ID:

Begin forwarded message:

From rah at shipwright.com Wed Aug 11 14:48:26 2004
From: rah at shipwright.com (R. A. Hettinga)
Date: Wed, 11 Aug 2004 17:48:26 -0400
Subject: A Billion for Bin Laden
Message-ID:

Tech Central Station

A Billion for Bin Laden
By James Miller
Published 08/09/2004

The $25 million reward the U.S. is offering for Bin Laden's capture just isn't enough. Sure, $25 million would induce a Pakistani peasant to turn in Bin Laden, but it's not enough to attract the financial markets to the Bin Laden hunt. With the possibility of earning a $1 billion bounty, however, professional Bin Laden hunting firms would form, allowing the U.S. to enlist the efficiency and creativity of the free market in our fight against Osama.

The twentieth century's economic battles between capitalism and socialism proved that the private sector is far more effective than the government at providing services.
Unfortunately, though, for many activities such as terrorist tracking, private companies have little incentive to engage. But a $1 billion bounty would motivate firms to join the hunt for Bin Laden.

With a $1 billion reward in place, an international group of intelligence, military and terrorist experts that could credibly claim to have, say, at least a 5% chance of finding Bin Laden could easily raise $20 million or so from the financial markets to finance their search. With several such organizations unleashed on the mountains of Afghanistan and Pakistan, Osama's margin of safety would shrink.

If my $1 billion free market experiment were implemented and proved successful, the U.S. could offer very large rewards for other international villains. Firms would then likely come into existence that specialized in capturing different types of criminals, some, for example, going after South American drug barons while others concentrated on Middle Eastern terrorists.

I suspect that different sub-branches of the U.S. government currently compete for the resources necessary to find Bin Laden. Given how most public organizations operate, however, these resources probably go to the best bureaucratic infighters rather than those with the best chance of finding our murderous prey. The world's financial markets excel (at least compared with governments) at picking possible winners, so we should give them the power to determine who gets the capital needed to find Bin Laden.

Those who think $1 billion is too much to pay for one sick man's capture should consider the deterrent effect of this bounty. Our government doesn't seem to shine at locating single individuals, so if they're willing to go into hiding, would-be terrorist master-sickos might not fear our wrath. But knowing that a large bounty would be placed on them might give pause to a few of our potential enemies.

If the billion dollar bounty failed and Bin Laden ended up being located by the CIA or the U.S.
armed forces rather than the private sector, the bounty wouldn't cost the taxpayers anything. But it still would have sent a powerful signal to our enemies that the massive wealth of the U.S. can be deployed against those who strike us.

Many other nations don't seem to care very much about whether we catch Bin Laden and $25 million certainly isn't enough to change their priorities. But $1 billion would make a difference to nations like Pakistan and perhaps motivate them to search seriously for our main enemy.

President Bush is reportedly ready to announce major new initiatives at his Republican Convention. A billion dollar Bin Laden bounty would make for the perfect convention proposal since it fuses Bush's dedication to tracking down the 9/11 instigator with a Republican faith in the free markets.

James D. Miller writes The Game Theorist column for TCS and is a Republican Candidate for the Massachusetts State Senate.

Editor's note: For other articles proposing free market solutions to practical problems see:
An Anti-Terrorism Defense Fund
Doing Well Against Spam By Taking Revenge
Markets Reward Eco-Terror. So Let's Fix Them.
Airport Security

From mv at cdc.gov Wed Aug 11 18:21:59 2004
From: mv at cdc.gov (Major Variola (ret))
Date: Wed, 11 Aug 2004 18:21:59 -0700
Subject: Forensics on PDAs, notes from the field
Message-ID: <411AC636.230A1946@cdc.gov>

Saint John of Cryptome has a particularly tasty link to
http://csrc.nist.gov/publications/drafts.html#sp800-72
which describes the state of the art in PDA forensics.

There is also a link to a CDROM of secure hashes of various "benign" and less benign programs that the NIST knows about.
Including a list of "hacker" programs. Including stego. Pigs use this to discount commonly-distributed software when analyzing a disk (or, presumably, your PDA's flash).

See http://www.nsrl.nist.gov/
also http://www.nsrl.nist.gov/Untraceable_Downloads.htm

Obvious lesson: Steganography tool authors, your programs should use the worm/HIV trick of changing their signatures with every invocation. Much harder for the forensic fedz to recognize your tools. (As suspicious, of course).

The NIST CDROM also doesn't seem to include source code amongst its sigs, so if you compile yourself, you may avoid their easy glance.

Notes from the Field: My paper & image handling keiretsu job has a fellow working on secure Linux disk-drive delete --even if you pull the plug, on power up it finishes the job. Nice. Thank you, HIPAA, banks, etc.

From mv at cdc.gov Wed Aug 11 18:26:37 2004
From: mv at cdc.gov (Major Variola (ret))
Date: Wed, 11 Aug 2004 18:26:37 -0700
Subject: [osint] Al Qaeda's Travel Network
Message-ID: <411AC74C.4927C490@cdc.gov>

>>Al Qaeda operatives rarely travel directly from Point A to Point B. Instead, they jump from country to country, with each destination having its own end use and with multiple stops between beginning and end.<<

Hey, don't they know that onion-routing was patented by the Navy? Or that the mix network has prior art?

If Alfred Queue has grokked traffic analysis, well it's about time. All your Paki Inet Cafes are belong to us.

From mv at cdc.gov Wed Aug 11 18:31:09 2004
From: mv at cdc.gov (Major Variola (ret))
Date: Wed, 11 Aug 2004 18:31:09 -0700
Subject: A Billion for Bin Laden
Message-ID: <411AC85D.2597C6DD@cdc.gov>

>>With the possibility of earning a $1 billion bounty, however, professional Bin Laden hunting firms would form, allowing the U.S. to enlist the efficiency and creativity of the free market in our fight against Osama.<<

This is brilliant, worthy of being called channelling Tim M.
As it relies entirely on free association and the rational marketplace. Never mind that the reward is stolen from the sheeple.

What the DC future-corpses don't grok is that the Sheik's network is not financially or career motivated, unlike themselves. And xianity (or even amerikan patriotism which sometimes substitutes) is too neutered to counter it.

Get your filthy hands off my desert, indeed, or else.

See you in Athens.

From rah at shipwright.com Wed Aug 11 18:40:34 2004
From: rah at shipwright.com (R. A. Hettinga)
Date: Wed, 11 Aug 2004 21:40:34 -0400
Subject: Insurer's In-Car Data-Gathering Draws Scrutiny
Message-ID:

The Wall Street Journal
August 12, 2004

AUTOS

Insurer's In-Car Data-Gathering Draws Scrutiny

By KATHY CHU
DOW JONES NEWSWIRES
August 12, 2004

A small test group of consumers will soon be able to save money on auto insurance -- if they give up some privacy on the road.

Next week, Progressive Corp. of Mayfield Village, Ohio, will begin a pilot program in Minnesota to track how often, how far and how fast people drive. The insurer will provide as many as 5,000 volunteers with a matchbox-sized electronic device to be installed in their cars to gather this information.

The incentive to sign up? Drivers get a guaranteed auto-insurance discount of 5%, and savings of as much as 25%, depending on their driving habits.

The program -- though on a small scale and with no guarantee of being rolled out nationwide -- is being watched closely by consumer advocates, who are concerned about the privacy of drivers' information. This becomes more of an issue if these data are eventually gathered from more consumers in additional states.

Progressive doesn't plan to share with others the information it collects, according to Dave Huber, a manager at the company. Also, drivers can view their information before deciding whether to submit it to Progressive, he said.
Another reason why the insurer's move is getting attention: It follows a recommendation last week by the National Transportation Safety Board to put black boxes into new cars. The proposal came out of a hearing into a 2003 car accident in California. The purpose of these devices is to gather data at the time of an automobile crash to improve car and driver safety. The recommendation raises questions about who would have access to this information and whether consumers should be notified about this device.

Many cars already have rudimentary devices that gather some crash information. Some auto makers, including General Motors Corp., have gone a step further, putting in sophisticated electronic contraptions to track data such as car speed and seat-belt usage in crashes where the air bag has been deployed.

Whenever driver data are collected, the concern is that law enforcement or lawyers could try to summon this information during, respectively, investigations or civil lawsuits, according to Beth Givens, director of the Privacy Rights Clearinghouse, a nonprofit consumer-information program based in San Diego.

"It may take a while for the privacy implications to become evident, but the main thing that individuals should be concerned about is the secondary use of that data," Ms. Givens said.

For now, other insurers are watching Progressive's efforts. "We're always interested in finding methods of fine-tuning how we assess risk," said Dick Luedke, a spokesman for State Farm, one of the nation's largest auto insurers.

In deciding whether to expand the current pilot program, Progressive will consider factors such as consumers' reactions to the devices and whether the company gets more customers. "We're hopeful all the while that this will allow us to attract safer drivers," Mr. Huber said.

For some consumers, the financial benefits outweigh any privacy issues.
Jacob Sevlie, 26 years old, was one of 250 drivers who accepted $25 to test out Progressive's device earlier this year, before it was offered to other consumers. Mr. Sevlie, who lives in Minneapolis, said he isn't concerned about the insurer knowing how fast and how often he is driving.

"If it was tracking where I'm driving, that might be an issue, but how much I'm driving, that's not really private to me," said Mr. Sevlie, who hopes to get into the pilot program to get what he estimates will be a 15% discount on auto insurance.

From isn at c4i.org Thu Aug 12 00:13:41 2004
From: isn at c4i.org (InfoSec News)
Date: Thu, 12 Aug 2004 02:13:41 -0500 (CDT)
Subject: [ISN] Hack . . . hack back . . . repeat
Message-ID:

http://www.nwfusion.com/news/2004/080904defcon.html

By Rodney Thayer
Network World
08/09/04

LAS VEGAS - Capture the flag might be only a game, but it was serious business at DefCon, the world's largest annual computer hacker convention. For 36 straight hours, eight teams of experienced hackers and serious security professionals played predator and prey as they tried to hack into competitors' networks while defending their own.

From my front-row seat as a member of the winning team, Sk3wl of R00t (hacker slang for "School of Root," where "root" refers to gaining administrator access to a system), I got a bird's-eye view of how new - and not so new - attacks could be launched and thwarted.
Each qualified team playing the game - organized by a Seattle security community group called the Ghetto Hackers - controlled a pair of Windows machines running a variety of network and Web-based services that were connected to each other and a central scoring mechanism called the Scorebot via a Gigabit Ethernet network. Rest assured, this hacker network was not connected to the Internet.

As soon as the doors to the secluded hacker playground disguised as a hotel ballroom were opened at 10 a.m. July 30, the air was tense in this crowded room. The game scenario and the legitimately purchased Windows images were presented to participants two hours before the official noon start time. How would you like to have to lock down two Windows boxes in just two hours as you started to recognize that there were world-class exploit developers in the room - and on your network?

A team scored by attacking rivals' servers and stealing flags (data strings stored within the servers). The successful hacker then presented the stolen flags to the scoring system for credit. The overall score was a combination of credit for attacking other teams' servers and successfully defending your own services. Penalties were issued for excessive consumption of bandwidth, so simple port scans and brute force attacks were not used, and denial-of-service attacks were forbidden.

In the middle of the room sat the Ghetto Hackers' gear, necessary for keeping the game within bounds and blasting loud techno music for the entire 36-hour ride. We'd trained for the competition in small conference rooms with similar tunes blaring as white noise to desensitize. But by the time it was 2 a.m., and you were staring at a network trace flying by on a screen, you noticed that your heartbeat and your breathing synchronized with the music and the packet traffic. At that point, it was time to take a walk.

At the beginning everyone was organized with their supplies. Our cooler was stocked with ice and Coke.
As time dragged on, people started bringing in food and drinks. At first we were organized and sent out someone for bread and cold cuts. But by the middle of Day Two we gave up and started ordering pizza. We stuck with soda for the most part, but as the contest wore on, a beer or two appeared. As we scanned the room (discreetly, of course) we saw the other teams behaving the same way if not more so. One team had a steadily draining bottle of Southern Comfort on top of its server.

The Ghetto Hackers' full-length equipment rack was ornamented by a large, red, wooden arch in the style of a Japanese archway complete with Asian script. Our Japanese language expert slunk over for a closer look and determined the writing on the wall to be complete gibberish, with no hidden message to help us crack the code.

Each team carefully arranged its equipment - everything from laptop Macs to Cisco switches, some piled 3 feet high on the allotted two tables - around the periphery of the room. Teams were supposed to have a maximum of 15 members, but no one stuck to that upper limit as the flow in and out of the room easily boosted each roster to more than 20 people.

The ground rules I agreed to dictate that I not divulge individuals' identities. But in general terms I can say the teams included at least two CTOs; security professionals from Ernst & Young, AOL and the University of California at Santa Barbara; and well-known and unknown hackers. Additionally, at least four teams had members hailing from the U.S. Department of Defense.

We mostly kept to ourselves and minimized visible screen space to avoid becoming vulnerable to "shoulder surfing" or other forms of spying. You also had to do some reconnaissance to sniff out any secret deals being cut to share or trade information among teams. Think "Survivor," when it was good.

There wasn't exactly a book on how to organize your team or set strategy for this sort of thing. But our winning strategy as a team was organization.
We organized everything from a rotating "cat nap" schedule to divvying up jobs along lines of expertise. Because offense was 80% of the overall score, you had to maintain support for your front-line attackers. The trick was to not ignore your defenses. If your defenses slipped, other teams could get in and score. As the Ghetto Hackers pointed out at the awards ceremony, we were solid attackers - not significantly better than other teams - but we had very good defense and were able to keep other teams from stealing flags from us.

Most attacks we saw were levied against information in the database. Someone would figure out how to run the Wiki (a piece of server software that lets users freely create and edit Web page content using any Web browser) and do some obscure set of queries that would reveal flag data. Or someone would go into the Multi-User Dungeon, online game environments that use a great deal of bandwidth, and figure out if you walked north through the forest just the right way you'd be able to pick up a flag.

We saw many failed attacks. Someone tried to buffer overflow the Web server with 800,000-byte null packets. Someone else tried to go after SNMP services to gain entry. Teams even attempted to capture their incoming Scorebot traffic and replay that same traffic in the direction of our machines in the hopes that our services would mistake them for the actual Scorebot and give up flags to them.

If I were to apply my experiences to a more everyday situation than what was taking place at the off-the-strip Alexis Park hotel, five points would bubble to the top of the security cauldron:

* Insecure, unnecessary services - such as terminal services and SNMP - are running on most Windows machines. You've got to take care to shut down or firewall all unnecessary ports used by these services.

* Passwords are revealed frequently. To defend against this, periodically change all passwords, including those that give access to Web services and databases.
* Customized Web applications typically leak critical information. To defend against this, applications must be modified so they do not have commands that give too much information without proper authorization or let users modify objects out of turn.

* Unmonitored services are dangerously open to attack. Watch your logs like a hawk.

* Hack attacks happen. Be very, very afraid.

Thayer is principal investigator with Canola & Jones, a security research firm in Mountain View, Calif. He can be reached at rodney at canola-jones.com.

Acknowledgements

Thanks to the Ghetto Hackers for running a great contest. They put together a complex game and made it run under very stressful conditions and it worked great. Thanks also to Sk3wl of R00t for letting me join in.

_________________________________________
Open Source Vulnerability Database (OSVDB)
Everything is Vulnerable - http://www.osvdb.org/

--- end forwarded text

From isn at c4i.org Thu Aug 12 00:18:19 2004
From: isn at c4i.org (InfoSec News)
Date: Thu, 12 Aug 2004 02:18:19 -0500 (CDT)
Subject: [ISN] Hackers download SIUE data, police say
Message-ID:

http://www.stltoday.com/stltoday/news/stories.nsf/News/Metro+East/A3F75AB9CA0230BB86256EEE0012DF3B?OpenDocument&Headline=Hackers+download+SIUE+data,+police+say

By Trisha Howard
Of the Post-Dispatch
08/11/2004

The names and passport information of more than 500 foreign students at Southern Illinois University Edwardsville was illegally downloaded last week by a fellow student at the school, according to a search warrant filed Wednesday by university police.
Greg Conroy, an SIUE spokesman, said Wednesday that three students had been questioned Friday after university officials discovered the security breach. Conroy said he expected the university to seek criminal charges in the case.

The search warrant, filed in Madison County Circuit Court, said that the hacker downloaded the information from a special database set up to comply with provisions of the federal Patriot Act. The data included names, dates of birth, Social Security numbers and visa information, Sgt. Marty Tieman of the SIUE Police Department said in his affidavit.

Conroy said that employees in the university's Office of Information Technology found out about the breach on Friday while doing their daily check of activity logs. The log showed that someone had downloaded the information early that morning. Computer experts then tracked the computer to one of three students who share an apartment at Cougar Village, Conroy said.

On Friday afternoon, police seized three computers from the apartment and questioned the three students, Conroy said. Tieman said in his affidavit that police were greeted at the door by one of the three students, who admitted that he had seen his roommate access the server and download the information.

Conroy said that officials had not yet determined a motive. "For all I know, these students could have been doing this as a prank," Conroy said. "At this point, I don't know what they wanted to do with the information."

Conroy said investigators from a Metro East law enforcement computer task force were examining all three computers for evidence. He emphasized that the system does not allow hackers to change vital information. But he said that the breach was possible because an employee had failed to disable a feature that gives people access to the system without a password.

"The students were scanning the system, they found the flaw, and they started downloading files," Conroy said. "It's an unfortunate mistake, but it happened."
--- end forwarded text

From sunder at sunder.net Thu Aug 12 00:37:32 2004
From: sunder at sunder.net (Sunder)
Date: Thu, 12 Aug 2004 03:37:32 -0400 (edt)
Subject: A Billion for Bin Laden
In-Reply-To: <411AC85D.2597C6DD@cdc.gov>
References: <411AC85D.2597C6DD@cdc.gov>
Message-ID:

Yeah, about as brilliant as a turd. Didn't they recently call Al-Qaeda's network a hydra? Correct me if I don't recall my Ancient Greek myths, but when you cut off one head on the hydra, two more grow back, so are we to assume that future heads that grow back will carry such bounties?

A billion here, a billion there, and pretty soon you're talking real money.

I guess they do realize that these guys are ideologists and the almighty dollar is anathema to them, so they have to raise the bounty in order to get someone to betray him... Never discount greed, no matter how ideological someone may be, at some ridiculous sum, someone somewhere will rat him out... perhaps just before the elections.

----------------------Kaos-Keraunos-Kybernetos---------------------------
 + ^ + :"Our enemies are innovative and resourceful, and so are we.      /|\
  \|/  :They never stop thinking about new ways to harm our country     /\|/\
<--*-->:and our people, and neither do we." -G. W. Bush, 2004.08.05     \/|\/
  /|\  :                                                                 \|/
 + v + : War is Peace, freedom is slavery, Bush is President.
-------------------------------------------------------------------------

On Wed, 11 Aug 2004, Major Variola (ret) wrote:

> This is brilliant, worthy of being called channelling Tim M.
> As it relies entirely on free association and the rational marketplace.
> Nevermind that the reward is stolen from the sheeple.
>
> What the DC future-corpses don't grok is that the Sheik's network
> is not financially or career motivated, unlike themselves.
> And xianity (or even amerikan patriotism which sometimes
> substitutes) is too neutered to counter it.

From shaddack at ns.arachne.cz Wed Aug 11 21:44:26 2004
From: shaddack at ns.arachne.cz (Thomas Shaddack)
Date: Thu, 12 Aug 2004 06:44:26 +0200 (CEST)
Subject: Forensics on PDAs, notes from the field
In-Reply-To: <411AC636.230A1946@cdc.gov>
References: <411AC636.230A1946@cdc.gov>
Message-ID: <0408120630100.10414@somehost.domainz.com>

On Wed, 11 Aug 2004, Major Variola (ret) wrote:

> Obvious lesson: Steganography tool authors, your programs
> should use the worm/HIV trick of changing their signatures
> with every invocation. Much harder for the forensic
> fedz to recognize your tools. (As suspicious, of course).

It should be enough to do that at the installation time. The adversary in this model gets to analyze the file only once, and we want to make sure that nobody tampered with the file as a protection against other, more "active" threat models. What we want is to have a file and its hash, so we can make sure the file content is unchanged, but the hash has to be as globally-unique as possible.

> The NIST CDROM also doesn't seem to include source code amongst its
> sigs, so if you compile yourself, you may avoid their easy glance.

A cool thing for this purpose could be a patch for gcc to produce unique code every time, perhaps using some of the polymorphic methods used by viruses. Just adding a chunk of data to make the hash unique will work against the current generation of the described tools. But we should plan to the future, what moves the adversary can do to counter this step.

Then there's the matching of date/time of the files to "real-life" events.
Perhaps a countermeasure could be a modified vfat filesystem which assigns free clusters randomly instead of sequentially (on a solid-state medium fragmentation does not matter), which avoids the reconstruction of the file saving order by matching the position of their clusters (for the price of making undelete difficult), and an absence of timestamps (01-01-1970 is a nice date anyway). The file delete function in the filesystem driver can be modified to file overwrite-and-delete, for the price of higher wear of the FlashEPROM medium.

Linux-based (and open-architecture in general) PDAs should offer much higher thug-resistance.

From rah at shipwright.com Thu Aug 12 05:12:57 2004
From: rah at shipwright.com (R. A. Hettinga)
Date: Thu, 12 Aug 2004 08:12:57 -0400
Subject: [ISN] Hack . . . hack back . . . repeat
Message-ID:

--- begin forwarded text

From rah at shipwright.com Thu Aug 12 05:14:35 2004
From: rah at shipwright.com (R. A. Hettinga)
Date: Thu, 12 Aug 2004 08:14:35 -0400
Subject: Hackers download College's Patriot database
Message-ID:

--- begin forwarded text

From eugen at leitl.org Thu Aug 12 00:28:19 2004
From: eugen at leitl.org (Eugen Leitl)
Date: Thu, 12 Aug 2004 09:28:19 +0200
Subject: Brin is still a useful idiot
Message-ID: <20040812072818.GJ1477@leitl.org>

----- Forwarded message from David Farber -----

From jya at pipeline.com Thu Aug 12 10:30:04 2004
From: jya at pipeline.com (John Young)
Date: Thu, 12 Aug 2004 10:30:04 -0700
Subject: ABC News: Internet and Terrorism
Message-ID:

ABC News is offering a report this evening on how the Internet may be helping terrorism. For it Cryptome was grilled and taped yesterday for aiding and abetting. We confessed it's due to brain-liberating by the manchurian cypherpunks.

From adam at cypherspace.org Thu Aug 12 11:41:40 2004
From: adam at cypherspace.org (Adam Back)
Date: Thu, 12 Aug 2004 14:41:40 -0400
Subject: maybe he would cash himself in?
(Re: A Billion for Bin Laden)
In-Reply-To:
References: <411AC85D.2597C6DD@cdc.gov>
Message-ID: <20040812184140.GA22404@bitchcake.off.net>

Maybe Bin Laden would turn himself in in return for a billion $ for his cause (through a middle-man of course).

Seem to remember that Bin Laden was relatively wealthy himself (>100 M$?), but you'd have to balance these rewards to not be too excessively much more than net worth of the individual. As a rational adversary would include in his game plan swapping himself for the money for the cause. Especially if it could be arranged in a way which tends to cast Bin Laden in the martyr role him and encourage the hydra effect where it galvanizes lieutenants to step in. Bin Laden would have to balance also with how valuable he thought his leadership was.

Of course the lieutenants themselves might do the calculation and figure they would be closer to their goals after cashing in Bin Laden.

Adam

On Thu, Aug 12, 2004 at 03:37:32AM -0400, Sunder wrote:
> Yeah, about as brilliant as a turd. Didn't they recently call Al-Qaeda's
> network a hydra? correct me if I don't recall my Ancient Greek myths, but
> when you cut off one head on the hydra, two more grow back, so are we to
> assume that future heads that grow back will carry such bounties?
>
> A billion here, a billion there, and pretty soon you're talking real
> money.
>
> I guess they do realize that these guys are ideologists and the almighty
> dollar is anathema to them, so they have to raise the bounty in order to
> get someone to betray him... Never discount greed, no matter how
> ideological someone may be, at some ridiculous sum, someone somewhere will
> rat him out... perhaps just before the elections.

From sunder at sunder.net Thu Aug 12 13:27:00 2004
From: sunder at sunder.net (Sunder)
Date: Thu, 12 Aug 2004 16:27:00 -0400 (edt)
Subject: maybe he would cash himself in?
(Re: A Billion for Bin Laden) In-Reply-To: <411BBD21.3000800@gmx.co.uk> References: <411AC85D.2597C6DD@cdc.gov> <20040812184140.GA22404@bitchcake.off.net> <411BBD21.3000800@gmx.co.uk> Message-ID: Nah, if Bush already had him in a hole somewhere to produce him just in time for the elections, he'd collect the billion for himself as his personal reward. ----------------------Kaos-Keraunos-Kybernetos--------------------------- + ^ + :"Our enemies are innovative and resourceful, and so are we. /|\ \|/ :They never stop thinking about new ways to harm our country /\|/\ <--*-->:and our people, and neither do we." -G. W. Bush, 2004.08.05 \/|\/ /|\ : \|/ + v + : War is Peace, freedom is slavery, Bush is President. ------------------------------------------------------------------------- On Thu, 12 Aug 2004, Dave Howe wrote: > of course someone *really* cynical might think they already had him, but > needed to spring a billion towards shrub's reelection campaign.... From sunder at sunder.net Thu Aug 12 13:38:22 2004 From: sunder at sunder.net (Sunder) Date: Thu, 12 Aug 2004 16:38:22 -0400 (edt) Subject: 2+2=5 and mention of cryptome Message-ID: Original URL: http://www.theregister.co.uk/2004/08/11/al_q_geek_us_overthrow_plot/ Al-Qaeda computer geek nearly overthrew US By Thomas C Greene (thomas.greene at theregister.co.uk) Published Wednesday 11th August 2004 16:45 GMT Update A White House with a clear determination to draw paranoid conclusions from ambiguous data has finally gone over the top. It has now implied that the al-Qaeda computer geek arrested last month in Pakistan was involved in a plot to destabilize the USA around election time. 
Two and two is five As we reported here (http://www.theregister.co.uk/2004/08/03/us_terror_alert_political_football) and here (http://www.theregister.co.uk/2004/08/02/al_qaeda_cyber_terror_panic), so-called al-Qaeda "computer expert" Muhammad Naeem Noor Khan, a Pakistani, was arrested on 13 July in possession of detailed but rather old surveillance documents related to major financial institutions in New York, Newark, and Washington. Since that time, other intelligence has led the US security apparatus to imagine that a plot to attack the USA might be in the works. (No doubt there are scores of plots in the works, but we digress.) Therefore, last week, the ever-paranoid Bush Administration decided that Khan's building surveillance documents, and the hints of imminent danger, had to be connected. Indeed, if al Qaeda is to strike at all, it is most likely to strike the targets mentioned in Khan's documents, as opposed to thousands of others, the Bushies reasoned. New York, Newark and Washington were immediately put on high alert, at great expense, and to the inconvenience of millions of residents. ----------------------Kaos-Keraunos-Kybernetos--------------------------- + ^ + :"Our enemies are innovative and resourceful, and so are we. /|\ \|/ :They never stop thinking about new ways to harm our country /\|/\ <--*-->:and our people, and neither do we." -G. W. Bush, 2004.08.05 \/|\/ /|\ : \|/ + v + : War is Peace, freedom is slavery, Bush is President. ------------------------------------------------------------------------- From rah at shipwright.com Thu Aug 12 15:32:53 2004 From: rah at shipwright.com (R. A. Hettinga) Date: Thu, 12 Aug 2004 18:32:53 -0400 Subject: Cryptome on ABC Evening News? Message-ID: There's a teaser for tonight's 6:30 news about "a wesite that publishes pipeline maps and the names and addresses of government employees". The horror. :-) Cheers, RAH -- ----------------- R. A. 
Hettinga The Internet Bearer Underwriting Corporation 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' From mv at cdc.gov Thu Aug 12 19:39:08 2004 From: mv at cdc.gov (Major Variola (ret)) Date: Thu, 12 Aug 2004 19:39:08 -0700 Subject: Forensics on PDAs, notes from the field Message-ID: <411C29CC.6F4EDF19@cdc.gov> Quoth Thomas Shaddack > Obvious lesson: Steganography tool authors, your programs > should use the worm/HIV trick of changing their signatures > with every invocation. Much harder for the forensic > fedz to recognize your tools. (As suspicious, of course). It should be enough to do that at the installation time. The adversary in this model gets to analyze the file only once, and we want to make sure that nobody tampered with the file as a protection against other, more "active" threat models. What we want is to have a file and its hash, so we can make sure the file content is unchanged, but the hash has to be as globally-unique as possible. > The NIST CDROM also doesn't seem to include source code amongst its > sigs, so if you compile yourself, you may avoid their easy glance. A cool thing for this purpose could be a patch for gcc to produce unique code every time, perhaps using some of the polymorphic methods used by viruses. Just adding a chunk of data to make the hash unique will work against the current generation of the described tools. But we should plan to the future, what moves the adversary can do to counter this step. -------- Dear TS: you have very good ideas. From DaveHowe at gmx.co.uk Thu Aug 12 11:55:29 2004 From: DaveHowe at gmx.co.uk (Dave Howe) Date: Thu, 12 Aug 2004 19:55:29 +0100 Subject: maybe he would cash himself in? 
(Re: A Billion for Bin Laden) In-Reply-To: <20040812184140.GA22404@bitchcake.off.net> References: <411AC85D.2597C6DD@cdc.gov> <20040812184140.GA22404@bitchcake.off.net> Message-ID: <411BBD21.3000800@gmx.co.uk> Adam Back wrote: > Maybe Bin Laden would turn himself in in return for a billion $ for > his cause (through a middle-man of course). > > Seem to remember that Bin Laden was relatively wealthy himself (>100 > M$?), but you'd have to balance these rewards to not be too > excessively much more than net worth of the individual. As a rational > adversary would include in his game plan swapping himself for the > money for the cause. > > Especially if it could be arranged in a way which tends to cast Bin > Laden in the martyr role him and encourage the hydra effect where it > galvanizes leutenants to step in. > > Bin Laden would have to balance also with how valueable he thought his > leader ship was. > > Of course the lieutenants themselves might do the calculation and > figure they would be closer to their goals after cashing in Bin Laden. > > Adam > > On Thu, Aug 12, 2004 at 03:37:32AM -0400, Sunder wrote: > >>Yeah, about as brilliant as a turd. Didn't they recently call Al-Qaeda's >>network a hydra? correct me if I don't recall my Ancient Greek myths, but >>when you cut off one head on the hydra, two more grow back, so are we to >>assume that future heads that grow back will carry such bounties? >> >>A billion here, a billion there, and pretty soon you're talking real >>money. >> >>I guess they do realize that these guys are idologists and the allmighty >>dollar is anathema to them, so they have to raise the bounty in order to >>get someone to betray him... Never discount greed, no matter how >>ideological someone may be, at some ridiculous sum, someone somewhere will >>rat him out... perhaps just before the elections. of course someone *really* cynical might think they already had him, but needed to spring a billion towards shrub's reelection campaign.... 
From rah at shipwright.com Thu Aug 12 17:06:41 2004
From: rah at shipwright.com (R. A. Hettinga)
Date: Thu, 12 Aug 2004 20:06:41 -0400
Subject: Hydan: Information Hiding in Program Binaries
Message-ID:

Hydan [hI-dn]: Old English, to hide or conceal.

Intro:

Hydan steganographically conceals a message into an application. It exploits redundancy in the i386 instruction set by defining sets of functionally equivalent instructions. It then encodes information in machine code by using the appropriate instructions from each set.

Features:
- Application filesize remains unchanged
- Message is blowfish encrypted with a user-supplied passphrase before being embedded
- Encoding rate: 1/110

Primary uses for Hydan:
- Covert Communication: embedding data into binaries creates a covert channel that can be used to exchange secret messages.
- Signing: a program's cryptographic signature can be embedded into itself. The recipient of the binary can then verify that it has not been tampered with (virus or trojan), and is really from who it claims to be from. This check can be built into the OS for user transparency.
- Watermarking: a watermark can be embedded to uniquely identify binaries for copyright purposes, or as part of a DRM scheme. Note: this usage is not recommended as Hydan implements fragile watermarks.

If you think of anything else, do let me know :)

Platforms Supported:
- {Net, Free}BSD i386 ELF
- Linux i386 ELF
- Windows XP PE/COFF

Download: Version 0.13

News:

Update: I've finally updated the hydan code, after a long time off. The encoding rate has been improved to 1/110 (thanks to a tip from sandeep!), and the code is now much cleaner too. In the meantime, hydan has been presented at:
- CanSecWest 04
- BlackHat Vegas 04
- DefCon 04

A paper is to be published soon as well: Hydan: Hiding Information in Program Binaries, Rakan El-Khalil and Angelos D. Keromytis. Which is to appear in the proceedings of the 6th International Conference on Information and Communications Security (ICICS), Malaga, Spain. To be published in Springer Verlag's LNCS.

Hydan was initially presented at CodeCon on 02/23/2003. The following is a list of articles online from that presentation:
- The Register: Hydan Seek (same article at BusinessWeek, and SecurityFocus)
- Slashdot: Program Hides Secret Messages in Executables (could it be? crazyboy survived slashdotting?)
- Punto-Informatico: Un tool cela segreti nei programmi (intl coverage! been getting a lot of hits from them)
- Bruce Schneier's Crypto-Gram: March 15, 2003 Issue (and not in the snake-oil section either ;)

Like my Work? Buy me books!

Contact: Rakan El-Khalil

From rah at shipwright.com Thu Aug 12 17:09:21 2004
From: rah at shipwright.com (R. A. Hettinga)
Date: Thu, 12 Aug 2004 20:09:21 -0400
Subject: Cryptome on ABC Evening News?
In-Reply-To: <0408130039010.10433@somehost.domainz.com>
References: <0408130039010.10433@somehost.domainz.com>
Message-ID:

At 12:49 AM +0200 8/13/04, Thomas Shaddack wrote:
>Can somebody record it in MPEG or DivX, please? :) It's difficult to get
>ABC News across the Atlantic without a dish.

I didn't see anything. But, like an idiot, I surfed out of it. ADD's a bitch. :-).

Anyone see the whole show?

Cheers,
RAH
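Returning to the Hydan announcement above: the following is an added toy illustration of its core idea, not code from Hydan or its authors. It works on textual i386 mnemonics rather than real machine code, uses two made-up equivalence classes (register zeroing via xor/sub, and add/sub with a negated immediate), and adds a simple defender-side heuristic that measures how many carriers are in their non-compiler-default form.

```python
import re

# Toy model of Hydan's idea, on textual mnemonics instead of real i386 machine code.
# Each carrier instruction belongs to a class of functionally equivalent forms; the
# "canonical" form (what a compiler normally emits) encodes bit 0, the alternate bit 1.
# Class 1: zeroing a register, "xor r, r" (bit 0) vs "sub r, r" (bit 1).
# Class 2: "add r, n" vs "sub r, -n"; a negative immediate marks the alternate (bit 1).
# Real Hydan must also check that the next instruction does not consume flags that
# differ between the two forms (e.g. CF after add/sub); this toy ignores that.
_ZERO = re.compile(r"(xor|sub) (\w+), \2$")
_ADD_SUB = re.compile(r"(add|sub) (\w+), (-?\d+)$")


def classify(ins):
    """Return (bit_carried, alternate_form) for a carrier, or None for a non-carrier."""
    m = _ZERO.match(ins)
    if m:
        op, reg = m.groups()
        other = "sub" if op == "xor" else "xor"
        return (0 if op == "xor" else 1, f"{other} {reg}, {reg}")
    m = _ADD_SUB.match(ins)
    if m:
        op, reg, imm = m.group(1), m.group(2), int(m.group(3))
        if imm == 0:
            return None            # add r,0 and sub r,0 are indistinguishable: no bit
        other = "sub" if op == "add" else "add"
        return (1 if imm < 0 else 0, f"{other} {reg}, {-imm}")
    return None


def _bits(data):
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def capacity_bits(code):
    return sum(1 for ins in code if classify(ins) is not None)


def embed(code, payload):
    """Rewrite carriers so that their chosen forms spell out payload, MSB first."""
    bits = list(_bits(payload))
    if len(bits) > capacity_bits(code):
        raise ValueError("payload exceeds carrier capacity")
    out, wanted = [], iter(bits)
    for ins in code:
        c = classify(ins)
        want = next(wanted, None) if c is not None else None
        if c is None or want is None:
            out.append(ins)        # non-carrier, or a carrier past the end of the payload
        else:
            have, alternate = c
            out.append(ins if have == want else alternate)
    return out


def extract(code, nbytes):
    """Read nbytes back from the first 8*nbytes carriers."""
    bits = [classify(ins)[0] for ins in code if classify(ins) is not None][:8 * nbytes]
    if len(bits) < 8 * nbytes:
        raise ValueError("not enough carriers for the requested length")
    out = bytearray()
    for i in range(0, len(bits), 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)


def alternate_ratio(code):
    """Defender heuristic: fraction of carriers in the non-canonical form.
    Compiler output is almost entirely canonical, so a ratio drifting toward 0.5
    (what random payload bits produce) is a signal worth a closer look."""
    carriers = [c for c in map(classify, code) if c is not None]
    return sum(bit for bit, _ in carriers) / len(carriers) if carriers else 0.0


# Constructed sample listing (not a real program): 16 carriers among 23 instructions.
# The toy's density is far above Hydan's stated 1/110; real code offers far fewer carriers.
CLEAN = [
    "push ebp", "mov ebp, esp", "sub esp, 16", "xor eax, eax",
    "mov ecx, [ebp+8]", "add ecx, 4", "add eax, 1", "xor edx, edx",
    "sub ecx, 8", "add edx, 3", "cmp eax, ecx", "jne .loop",
    "add esp, 16", "xor ecx, ecx", "sub eax, 2", "add ebx, 7",
    "xor esi, esi", "sub edi, 1", "add edi, 9", "xor ebx, ebx",
    "add eax, 5", "pop ebp", "ret",
]


def demo():
    stego = embed(CLEAN, b"Hi")
    return stego, extract(stego, 2), alternate_ratio(CLEAN), alternate_ratio(stego)


if __name__ == "__main__":
    stego, recovered, before, after = demo()
    for a, b in zip(CLEAN, stego):
        print(f"{a:20} -> {b}" if a != b else f"{a:20}    (unchanged)")
    print("recovered:", recovered, " alternate ratio:", before, "->", after)
```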
From jya at pipeline.com Thu Aug 12 20:41:05 2004
From: jya at pipeline.com (John Young)
Date: Thu, 12 Aug 2004 20:41:05 -0700
Subject: Cryptome on ABC Evening News?
In-Reply-To:
References: <0408130039010.10433@somehost.domainz.com> <0408130039010.10433@somehost.domainz.com>
Message-ID:

There's a text version of the report on abcnews.com and a video is available to subscribers. To keep the nation secure the web site is not named. Google search appears to do it based on hate mail coming in.

From rah at shipwright.com Thu Aug 12 18:06:14 2004
From: rah at shipwright.com (R. A. Hettinga)
Date: Thu, 12 Aug 2004 21:06:14 -0400
Subject: Too Much Information?
Message-ID:

Too Much Information?
Web Site Raises Questions About Public Access to Sensitive Government Info
By Jake Tapper
ABCNEWS.com

Aug. 12, 2004 - John Young, a 69-year-old architect, was contacted a few weeks ago by Department of Homeland Security officials, who expressed concern about what he was posting on his Web site.

Officials questioned Young about information he had posted about the 2004 Democratic National Convention, including satellite photos of the convention site and the location of specific police barricades referred to on the site as "a complete joke."

In response to a complaint, two special agents from the FBI's counterterrorism office in New York City interviewed Young in November 2003.

"They said, 'Why didn't you call us about this? Why are you telling the public?' And we said, 'Because it's out there and you can see it. You folks weren't doing anything,' " Young told ABC News.

The agents, according to Young, stressed they knew that nothing on the site was illegal. Young added: "They said, 'What we'd like you to do, if you're approached by anyone that you think intends to harm the United States, we're asking you to let us know that.' "

"I know there are a lot of people in the government who find him troublesome," said former White House terrorism adviser Richard Clarke, now an ABC News consultant. "There is a real tension here between the public's right to know and civil liberties, on the one hand, and security on the other."

But Young argues his actions enhance national security, since he points out to the public vulnerabilities the government does not want to acknowledge. Like others who run similar Web sites, Young does so by using information from the public domain, such as:

* Photographs of preparations for the upcoming Republican National Convention at New York City's Madison Square Garden
* Detailed maps of bridges and tunnels leading in and out of Manhattan
* Maps of New York City's single natural gas pipeline
* The location of an underground nuclear weapons storage complex in New Mexico

Enabling the Enemy?

"I think it's very, very bad for the country to have anyone putting together information that makes it easier for anyone that wants to injure Americans to do so," said Rep. Chris Cox, R-Calif., chair of the House Homeland Security Committee.

Law enforcement officials were particularly upset that Young posted the satellite photos and addresses for the homes of top Bush administration officials.

"We think public officials should be totally transparent. There should be no secrecy," said Young. "We are opposed to government secrecy in all of its forms."

Officials call that argument outrageous and argue some secrecy is necessary.

"The Department of Homeland Security has taken aggressive measures to protect critical infrastructure across the country," said a Department of Homeland Security spokeswoman. "We discourage Web posting of detailed information about critical infrastructure. This information is not helpful to our ongoing efforts to protect the American people and our nation's infrastructure."

When asked how he would respond to those who consider his Web site unpatriotic since it could provide useful information for those who seek to harm the United States, Young said, "If this is not done, more Americans are going to die. More harm is going to come to the United States. It is more patriotic to get information out than to withhold it."

Officials acknowledge there is not much they can do; Young has not broken any laws.

From camera_lumina at hotmail.com Thu Aug 12 18:08:23 2004
From: camera_lumina at hotmail.com (Tyler Durden)
Date: Thu, 12 Aug 2004 21:08:23 -0400
Subject: 2+2=5 and mention of cryptome
Message-ID:

Nah. They wanted to cock-block Kerry and his high visibility as a result of the DNC.

As for inconveniencing this New Yorker, it was barely worse than it usually is going down to Wall Street. The RNC will be another story altogether, however.

-TD

>From: Sunder
>To: cypherpunks at al-qaeda.net
>Subject: 2+2=5 and mention of cryptome
>Date: Thu, 12 Aug 2004 16:38:22 -0400 (edt)
[...]

From camera_lumina at hotmail.com Thu Aug 12 18:13:16 2004
From: camera_lumina at hotmail.com (Tyler Durden)
Date: Thu, 12 Aug 2004 21:13:16 -0400
Subject: Cryptome on ABC Evening News?
Message-ID:

>To keep the nation secure the web site is not named. Google
>search appears to do it based on hate mail coming in.

How 'bout posting those hate email addresses on Cryptome! (You might also recommend that they use an anonymous remailer next time!)

-TD

From rah at shipwright.com Thu Aug 12 18:44:55 2004
From: rah at shipwright.com (R. A. Hettinga)
Date: Thu, 12 Aug 2004 21:44:55 -0400
Subject: ONLamp.com: Anonymous, Open Source P2P with MUTE
Message-ID:

Published on ONLamp.com (http://www.onlamp.com/)
http://www.onlamp.com/pub/a/onlamp/2004/08/12/mute.html

Anonymous, Open Source P2P with MUTE
by Howard Wen
08/12/2004

The ongoing battle between users of file-sharing programs and media copyright-enforcement organizations (most notably the RIAA) has seemingly become a daily ping-pong match of lawsuits, threats of lawsuits, countersuits, office raids of commercial P2P services, and soda pop promotional gimmicks encouraging people to download music from legal music downloading services.

Regardless of all the threats, intimidation, and spoofed music files clogging networks, P2P services in which users engage in "copyright infringement" (or "file sharing," if you prefer) continue to thrive. Activity on them still far surpasses the traffic of the legal music download sites, such as iTunes Music Store and the now legit Napster.

One weakness of the P2P networks, including the infamous KaZaA, is the fact that it's so easy to identify a user's IP address. The Recording Industry Association of America (RIAA) has managed to use such extracted information to subpoena ISPs for the identities of potential defendants.
Jason Rohrer has devised what could be the next technological headache for organizations like the RIAA: a P2P system that can mask the identity (or, at least, the IP address) of each user connected to it. Figuratively, he's done it by letting out the ants to ruin the RIAA's picnic.

Rohrer, a 26-year-old programmer from Potsdam, New York, found inspiration in the way ants stream toward a food source. From observing the creatures' behavior, he mapped out a networking method that functions similarly - essentially, a shared file is the food source, and clients on the network are the ants seeking the food. He then wrote his own P2P program putting this theory to practice and christened it MUTE. Developed entirely in C++ and released as open source, the program runs on Linux, Win32, and Mac OS X.

Figure 1. The MUTE file-sharing program running on Linux.

Rohrer spoke with me for the O'Reilly Network, explaining how the ways of the ant could hold the key to anonymity for P2P users.

Howard Wen: Give us a basic technical summary: What's the big difference between how the MUTE network works versus the traditional P2P method, such as KaZaA?

Jason Rohrer: Traditional P2P networks can best be described as "direct download" systems. Nodes are linked together in a "mesh network," with each node connecting to a small number of neighbors. Certain pieces of information are broadcast and routed through the mesh, such as search requests and results. Downloads are not passed through the mesh - the downloader establishes a new, direct connection to the file source to start the transfer.

Of course, a direct transmission means that the downloader needs to know the IP address of the file source. If you use TCP sockets - or UDP packets - properly, a direct transmission also means that the file source can find out the downloader's IP address. The RIAA has demonstrated that, with a subpoena or lawsuit, an IP address can easily be translated into a human name and postal address. In other words, any system that relies on direct downloads is not anonymous, due to intrinsic properties of Internet routing.

A MUTE network is very similar in form to a traditional P2P network: MUTE nodes connect to each other in a mesh network, with each node maintaining a small number of direct links to neighbor nodes. In addition to routing search requests and results through the mesh, MUTE routes everything else, including file transfers. Thus, a downloader does not need to know the IP address of a file source, since the downloader never needs to make a direct connection, and a download is routed through the chain of nodes that separate the downloader from the file source. Routed downloads are what separates MUTE from other search-and-download P2P networks.

Of course, routed downloads alone do not provide anonymity. Even more crucial is the way that MUTE routes messages anonymously. Each MUTE node generates a random virtual address for itself at startup. Messages are tagged as being "from" one virtual address and "to" another virtual address, though only the sending node knows that it owns the "from" address, and only the receiving node knows that it owns the "to" address. None of the other nodes in the network know which node owns either of these addresses.

As messages travel through the network, they leave behind local "scent" - or routing - information for their "from" address at each node that they pass through. For example, if a message from Alice passes through a node, the node records that it has received messages from Alice from one of its neighbors. In the future, if that node receives a message to Alice, it can use this scent to direct the message onward through that neighbor. Each node essentially maintains directional hints about which direction Alice is in, though no one knows for sure which node is actually Alice.

HW: What are the inherent difficulties in designing a P2P, or shared network, system, overall?
JR: I have developed several P2P applications in the past, including applications that rely heavily on cryptography, so those aspects weren't really a challenge this time around. However, MUTE was the first platform-independent C++ application for which I wanted to develop a true, natively compiled GUI, and this was a major challenge.

I evaluated several toolkits, and several factors weighed into my decision. First, I had three target platforms in mind: GNU/Linux, Mac OS X, and Win32. So, I needed a toolkit that supported all of them. Second, I couldn't afford to pay for a toolkit, so I needed a toolkit with an unrestrictive license. Third, I wanted a toolkit that would make use of C++, since object-oriented abstractions seem particularly well-suited for GUIs. These factors essentially ruled out every toolkit except for wxWindows [Editor's note: now known as wxWidgets.]

The real challenge came in learning a new toolkit. wxWindows is powerful and feature-rich, but the API is a little quirky. In addition, there were wxWindows build hurdles for the various platforms. For example, my customary Win32 compiler - I sheepishly admit that it was an outdated version of CodeWarrior - couldn't compile the wxWindows library, so I had to switch to a completely different, and unfamiliar, build environment: MinGW. I also had to grudgingly accept that my chosen GUI library was between 2 and 4 times larger than the rest of my application. I detest code bloat, but I really had no choice.

The upshot is that MUTE can be downloaded and run natively on both Mac OS X and Win32, even though my development platform was GNU/LinuxPPC. The code that generates and runs the GUI is identical on all three platforms.

HW: Have you theorized other aspects of ant behavior that could be applied to effective networking, besides masking a user's identity?

JR: In nature, ants tend to find the shortest path between their nest and a food source. Many different paths are traversed at first, but since ants can complete roundtrips more frequently on the shorter paths, the shorter paths receive more traffic and thus more pheromone scent, which in turn leads to more traffic - ants move toward the strongest scents. Eventually, the scent on the shortest path is so strong that all of the ants travel along this path.

MUTE's ant-routing also discovers "short" paths between a sender and receiver. However, the fast roundtrip time is what makes a path attractive to MUTE messages. In low-traffic situations, the fastest path will often be the shortest one with the fewest hops. As traffic increases, however, a short path may become slower if it is overloaded, and a longer path with less traffic may be faster. Thus, using only local routing clues, MUTE can automatically balance load throughout the network and avoid congested routes.

Of course, you only need this kind of load-balancing if you are routing, and routing only makes sense if you are trying to protect anonymity. While load-balancing is a nice feature and will help MUTE's scalability, it is by no means a standalone selling point for MUTE. In other settings, such as ad-hoc wireless networks, ant-based routing is very attractive and heavily researched. Because MUTE is built as an overlay network on top of the TCP socket abstraction, its ant-routing cannot be used out-of-the-box to improve performance in an ad-hoc network. However, MUTE can be seen as a good research platform for exploring the properties of ant-routing, since it is one of the first widely deployed networks to use it.

HW: What are the limitations of MUTE? Does it scale up well in performance compared to the other P2P methods? I've read theories suggesting that MUTE might not be able to handle the load if the number of users on it is too large. How many people would you hazard to guess MUTE can effectively serve, in its current version?
JR: If you want uploader/downloader anonymity, you simply cannot use direct downloads. Indirect downloads always involve a substantial performance and scalability hit. Even if you ignore the effect on overall transfer speed, you still have at least one additional node involved in each download, which in turn increases the load induced by each download. For example, suppose you have a direct download network of 100 nodes that can support 50 simultaneous transfers - half the nodes are uploaders and half are downloaders. If you now force each transfer to involve an additional intermediary node, while keeping similar bandwidth constraints, you can only support 33 simultaneous transfers: one-third uploading, one third-downloading, and the other third relaying. I will claim that using a single relay or proxy for each transfer doesn't provide enough anonymity. How can you trust your chosen proxy? What if the adversary happens to be operating the proxy that you choose? The same holds true for any system that uses fixed number of proxies for each transfer. If all transfers use two proxies, and you happen to pick two "adversary" nodes to proxy your transfer, your anonymity is compromised. MUTE uses a variable number of intermediary nodes for each transfer, with the network topology dictating how long each transfer chain is. No matter how many nodes in a transfer chain are controlled by the adversary, the adversary can never be sure that it controls all of the nodes in the chain. Thus, the adversary can never obtain the identity of the uploader or downloader with any degree of certainty. Since there is no fixed limit to how many nodes a MUTE transfer can pass through, there is also no limit on how much load is induced by a transfer or how slow that transfer will be, and this is where the scalability concerns arise. Each additional user in the network is likely to initiate additional downloads, which will each increase the load on the network. 
Of course, if you want decent anonymity, you must make this kind of tradeoff. To answer questions about how well MUTE will scale, we need to answer other questions first: How slow must a transfer become before it is considered useless? How much bandwidth will the average user dedicate to the MUTE network? How many downloads will each user be requesting? As an extreme example, consider the case in which no one is downloading anything: MUTE can scale limitlessly. At the other extreme, if everyone expects fast transfers and wants to be downloading 100 files simultaneously, MUTE won't scale beyond a handful of users. Also, I think it depends on how much users value anonymity. A slow anonymous download may be more valuable than a fast download that could land you in court. The same tradeoff operates for quantity: one anonymous download a day may be more valuable than 100 non-anonymous downloads. As an example, we can assume that a transfer is worthwhile as long as it is coming in at over 5KB/second. If we assume that everyone has a cable modem with a tight upstream bottleneck, then each node can handle relaying or uploading about three files simultaneously. Next, we can assume that each download passes through four intermediary nodes on average. If we have a network of 1,000 nodes, then we can support at most 600 simultaneously downloads at decent rates - each download taxes the upstream bandwidth of five nodes, and each node can handle being taxed by three simultaneous transfers. Of course, these calculations change as the assumptions change, but we have just laid out assumptions that would suggest that MUTE could support 60% of its users downloading one file each at worthwhile rates. As the percentage of downloaders increase in this network, the download rates would decrease throughout the network. With the above assumptions, each additional node contributes three transfers worth of bandwidth, but would consume five such units of bandwidth if it were to download. 
If we reduce the worthwhile transfer rate to 3KB/second, then we achieve a balance: Each additional node can request a download, since it contributes the same amount of bandwidth that its download consumes, so MUTE could support 100% of its users downloading one file each. If users curb how many simultaneous downloads they request and are content with the resulting transfer rates, then MUTE can scale limitlessly. However, if everyone else is "playing nice," you can increase your personal gain by initiating additional downloads for yourself and abusing the network. Keeping this kind of greed in check is difficult, especially in an anonymous network.

HW: Could the MUTE technology be used for other things, besides file-sharing?

JR: Before I even thought about applying MUTE to file-sharing, I wrote modules that performed anonymous chat and web-serving over MUTE. Given the current legal landscape, the file-sharing problem was much more pressing, so I have completely switched gears to focus on that. However, MUTE can certainly be used for other anonymous communication applications.

HW: What features do you plan to add to future versions of MUTE?

JR: I have always intended to keep MUTE simple: It provides anonymous file-sharing, and to my knowledge it is the first application to do so. I want to avoid having MUTE be a catchall for the latest, snazziest file-sharing and user-interface features. I have been improving the robustness of download retries to ensure that downloads can weather traffic spikes and routing problems without failing unnecessarily - several user-submitted patches have been very helpful here. I am also adding a few simple user-interface elements that make MUTE nicer to use, such as a user-submitted patch for better upload statistics. Once MUTE is a solid, usable, and comfortable file-sharing application, my work will be done.
Those who want all of the fancy, trendy features can start their own project, add the features, and release their own version of MUTE. My contribution is anonymous file-sharing.

HW: Do you need volunteers? What skills and contributions do you need the most?

JR: I have been looking for people who have an idea for a feature that can be added to MUTE in a modular fashion, with a clean API separating it from the rest of the MUTE code.

HW: What advice do you have for those who might want to modify the MUTE source?

JR: MUTE is a layered architecture. The bottom layer is a secure socket implementation that is used to encrypt the contents of neighbor connections. Above that is the MUTE routing layer, which features a very clean API for controlling a MUTE node and sending or receiving messages through it. The file-sharing layer is built on top of the routing API, and it has a clean API of its own, which supports various file-sharing operations, like searching and downloading. The user interfaces are built on top of the file-sharing API, and two are included in the source: a text-based interface and a wxWindows GUI. If you want to build your own communication service on top of MUTE routing, I would suggest taking a look at the routing API. If you want to build a new client for file sharing - for example, a platform-specific GUI - then the file-sharing API will be useful. Understanding these layer APIs will also help you to modify the existing MUTE client.

HW: As a programmer, what are some of the things you've been learning as you've been working on MUTE?

JR: I have been programming for years, but my coding techniques improve every day. I'm always looking for more elegant ways to do things, and looking back at last year's code can be frustrating. I find the same to be true for any creative process, including writing, visual arts, and music: Since you constantly improve, your past work feels particularly shoddy in retrospect.
My coding has improved in many subtle ways that I cannot necessarily put my finger on. In terms of more dramatic changes, the use of a layered architecture has made the MUTE project very easy to manage and understand. I have never used a layered architecture before, but I plan to use it in the future.

HW: Have you considered the legal ramifications of what you're doing and prepared for any possible legal action? As everybody knows, the RIAA and its international counterparts have been going after both users and developers of P2P software quite aggressively.

JR: So far, these organizations have confined their attacks to corporations that are peddling P2P and making money off of it. There is no precedent for a suit against an individual P2P developer who is releasing non-commercial, open-source software. Selling a product that helps people break the law is very different from giving it away. Furthermore, there is no explicit law against software like MUTE. That said, I could always be the precedent, and I am ready for anything. I believe that coding is part of my right to free speech, and I also believe that I have the right to encourage people to break an unjust law as a form of social protest. Many people look at the MUTE web site, which refers directly to how MUTE circumvents the RIAA's spy tactics, and say, "Whoa, friend, I would be careful if I were you." Sure, many other P2P developers and companies blatantly lie about what their software is for, but I refuse to lie. You can write a book that encourages people to break the law - for example, The Anarchist Cookbook. Why can't I write a web site that does the same thing? To be honest, I think it is highly unlikely I will be sued, but only time will tell.

HW: It's inevitable that a third-generation P2P service is probably on the horizon. Will you be so bold to say that yours, MUTE, is it?

JR: Whatever the third-generation P2P system will be, it will certainly be anonymous.
All past P2P innovations have been spurred by the legal tactics of the day. I don't see why the next leap will be any different. MUTE is probably more of a vanguard than the be-all, end-all third-generation P2P system, much like Gnutella was the vanguard for the second generation. Other P2P developers may be inspired by MUTE and start thinking about how to make P2P anonymous. Unfortunately, if history repeats itself, the most popular third-generation network may be owned by a corporation that was ultimately inspired by my work on MUTE. It would be nice to see an open-source and open-protocol network win this round, if only to ensure that at least one open-source application was on the majority of people's desktops.

Howard Wen is a freelance writer who has contributed frequently to O'Reilly Network and written for Salon.com, Playboy.com, and Wired, among others.

--
-----------------
R. A. Hettinga
The Internet Bearer Underwriting Corporation
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

From shaddack at ns.arachne.cz Thu Aug 12 15:49:07 2004
From: shaddack at ns.arachne.cz (Thomas Shaddack)
Date: Fri, 13 Aug 2004 00:49:07 +0200 (CEST)
Subject: Cryptome on ABC Evening News?
In-Reply-To:
References:
Message-ID: <0408130039010.10433@somehost.domainz.com>

Can somebody record it in MPEG or DivX, please? :) It's difficult to get ABC News across the Atlantic without a dish.

On Thu, 12 Aug 2004, R. A. Hettinga wrote:
> There's a teaser for tonight's 6:30 news about "a website that publishes
> pipeline maps and the names and addresses of government employees". The
> horror.
> :-)
> Cheers,
> RAH

From morlockelloi at yahoo.com Fri Aug 13 10:27:48 2004
From: morlockelloi at yahoo.com (Morlock Elloi)
Date: Fri, 13 Aug 2004 10:27:48 -0700 (PDT)
Subject: Forensics on PDAs, notes from the field
In-Reply-To: <0408131813530.0@somehost.domainz.com>
Message-ID: <20040813172748.66002.qmail@web40624.mail.yahoo.com>

> A cool thing for this purpose could be a patch for gcc to produce unique
> code every time, perhaps using some of the polymorphic methods used by
> viruses.

The purpose would be that they do not figure out that you are using some security program, so they don't suspect that noise in the file or look for stego, right?

The last time I checked the total number of PDA programs ever offered to the public in some way was around 10,000 (5,000 ? 100,000 ? Same thing.) That can be trivially checked for. Any custom-compiled executable will stand out as a sore thumb.

You will suffer considerably less bodily damage inducing you to spit the passphrase than to produce the source and the compiler.

Just use the fucking PGP. It's good for your genitals.

=====
end (of original message)

Y-a*h*o-o (yes, they scan for this) spam follows:

__________________________________
Do you Yahoo!?
Yahoo! Mail - 50x more storage than other providers!
http://promotions.yahoo.com/new_mail

From kelsey.j at ix.netcom.com Fri Aug 13 10:46:52 2004
From: kelsey.j at ix.netcom.com (John Kelsey)
Date: Fri, 13 Aug 2004 13:46:52 -0400 (GMT-04:00)
Subject: Forensics on PDAs, notes from the field
Message-ID: <18816345.1092419213097.JavaMail.root@donald.psp.pas.earthlink.net>

>From: "Major Variola (ret)"
>Sent: Aug 11, 2004 9:21 PM
>To: "cypherpunks at al-qaeda.net"
>Subject: Forensics on PDAs, notes from the field
...
>Obvious lesson: Steganography tool authors, your programs
>should use the worm/HIV trick of changing their signatures
>with every invocation. Much harder for the forensic
>fedz to recognize your tools. (As suspicious, of course).
I would have thought the obvious lesson was to keep all your important work on an encrypted disk partition, with a good password and a high iteration count. This is true not just for criminals and terrorists, but for anyone who doesn't want the information on their hard drive read by anyone who happens to steal their computer.

--John

From sunder at sunder.net Fri Aug 13 11:11:36 2004
From: sunder at sunder.net (Sunder)
Date: Fri, 13 Aug 2004 14:11:36 -0400 (edt)
Subject: Forensics on PDAs, notes from the field
In-Reply-To: <20040813172748.66002.qmail@web40624.mail.yahoo.com>
References: <20040813172748.66002.qmail@web40624.mail.yahoo.com>
Message-ID:

On Fri, 13 Aug 2004, Morlock Elloi wrote:

> The purpose would be that they do not figure out that you are using some
> security program, so they don't suspect that noise in the file or look for
> stego, right?
>
> The last time I checked the total number of PDA programs ever offered to public
> in some way was around 10,000 (5,000 ? 100,000 ? Same thing.) That can be
> trivially checked for. Any custom-compiled executable will stand out as a sore
> thumb.

How? Not if you get something like a Sharp Zaurus and compile your own environment. "Hey, I want to get as much performance out of this shitty little ARM chip as I can."

> You will suffer considerably less bodily damage inducing you to spit the
> passphrase than to produce the source and the complier.

What makes you think they'll have enough of a clue as to how to read the files off your PDA without booting it in the first place? 99% of these dorks use very expensive automated hardware tools that do nothing more than "dd" your data to their device, then run a scanner on it which looks for well known jpg's of kiddie porn.

If you're suspected of something really big, or you're middle eastern, then you need to worry about PDA forensics. Otherwise, you're just another geek with a case of megalomania thinking you're important enough for the FedZ to give a shit about you.
> Just use the fucking PGP. It's good for your genitals.

And PGP won't stand out because.... ?

----------------------Kaos-Keraunos-Kybernetos---------------------------
 + ^ + :"Our enemies are innovative and resourceful, and so are we.  /|\
  \|/  :They never stop thinking about new ways to harm our country /\|/\
<--*-->:and our people, and neither do we." -G. W. Bush, 2004.08.05 \/|\/
  /|\  :                                                             \|/
 + v + :     War is Peace, freedom is slavery, Bush is President.
-------------------------------------------------------------------------

From sunder at sunder.net Fri Aug 13 12:06:13 2004
From: sunder at sunder.net (Sunder)
Date: Fri, 13 Aug 2004 15:06:13 -0400 (edt)
Subject: Forensics on PDAs, notes from the field
In-Reply-To: <0408132034300.0@somehost.domainz.com>
References: <20040813172748.66002.qmail@web40624.mail.yahoo.com> <0408132034300.0@somehost.domainz.com>
Message-ID:

Right, in which case GPG (or any other decent crypto system) is just fine, or you wouldn't be looking for stego'ing it inside of binaries in the first place.

----------------------Kaos-Keraunos-Kybernetos---------------------------
 + ^ + :"Our enemies are innovative and resourceful, and so are we.  /|\
  \|/  :They never stop thinking about new ways to harm our country /\|/\
<--*-->:and our people, and neither do we." -G. W. Bush, 2004.08.05 \/|\/
  /|\  :                                                             \|/
 + v + :     War is Peace, freedom is slavery, Bush is President.
-------------------------------------------------------------------------

On Fri, 13 Aug 2004, Thomas Shaddack wrote:

> In the world of industrial espionage and divorce lawyers, the FedZ aren't
> the only threat model.

From pascal.junod at epfl.ch Fri Aug 13 06:32:29 2004
From: pascal.junod at epfl.ch (Pascal Junod)
Date: Fri, 13 Aug 2004 15:32:29 +0200
Subject: Joux found a collision for SHA-0 !
Message-ID:

Hi !

This has appeared on a French mailing-list related to crypto. The results of Joux improve on those of Chen and Biham which will be presented next week at CRYPTO'04.

Enjoy !
Thursday 12th, August 2004

We are glad to announce that we found a collision for SHA-0.

First message (2048 bits represented in hex):

a766a602 b65cffe7 73bcf258 26b322b3 d01b1a97 2684ef53 3e3b4b7f 53fe3762
24c08e47 e959b2bc 3b519880 b9286568 247d110f 70f5c5e2 b4590ca3 f55f52fe
effd4c8f e68de835 329e603c c51e7f02 545410d1 671d108d f5a4000d cf20a439
4949d72c d14fbb03 45cf3a29 5dcda89f 998f8755 2c9a58b1 bdc38483 5e477185
f96e68be bb0025d2 d2b69edf 21724198 f688b41d eb9b4913 fbe696b5 457ab399
21e1d759 1f89de84 57e8613c 6c9e3b24 2879d4d8 783b2d9c a9935ea5 26a729c0
6edfc501 37e69330 be976012 cc5dfe1c 14c4c68b d1db3ecb 24438a59 a09b5db4
35563e0d 8bdf572f 77b53065 cef31f32 dc9dbaa0 4146261e 9994bd5c d0758e3d

Second message:

a766a602 b65cffe7 73bcf258 26b322b1 d01b1ad7 2684ef51 be3b4b7f d3fe3762
a4c08e45 e959b2fc 3b519880 39286528 a47d110d 70f5c5e0 34590ce3 755f52fc
6ffd4c8d 668de875 329e603e 451e7f02 d45410d1 e71d108d f5a4000d cf20a439
4949d72c d14fbb01 45cf3a69 5dcda89d 198f8755 ac9a58b1 3dc38481 5e4771c5
796e68fe bb0025d0 52b69edd a17241d8 7688b41f 6b9b4911 7be696f5 c57ab399
a1e1d719 9f89de86 57e8613c ec9e3b26 a879d498 783b2d9e 29935ea7 a6a72980
6edfc503 37e69330 3e976010 4c5dfe5c 14c4c689 51db3ecb a4438a59 209b5db4
35563e0d 8bdf572f 77b53065 cef31f30 dc9dbae0 4146261c 1994bd5c 50758e3d

Common hash value (can be found using for example "openssl sha file.bin" after creating a binary file containing any of the messages):

c9f160777d4086fe8095fba58b7e20c228a4006b

This was done by using a generalization of the attack presented at Crypto'98 by Chabaud and Joux. This generalization takes advantage of the iterative structure of SHA-0. We also used the "neutral bit" technique of Biham and Chen (To be presented at Crypto'2004).

The computation was performed on TERA NOVA (a 256 Intel-Itanium2 system developed by BULL SA, installed in the CEA DAM open laboratory TERA TECH). It required approximately 80 000 CPU hours. The complexity of the attack was about 2^51.
We would like to thank CEA DAM, CAPS Entreprise and BULL SA for their strong support to break this challenge.

Antoine Joux(*) (DCSSI Crypto Lab)
Patrick Carribault (Bull SA)
Christophe Lemuet, William Jalby (Université de Versailles/Saint-Quentin en Yvelines)

(*) The theoretical cryptanalysis was developed by this author. The three other authors ported and optimized the attack on the TERA NOVA supercomputer, using CAPS Entreprise tools.

$hexdump fic1.bin
0000000 66a7 02a6 5cb6 e7ff bc73 58f2 b326 b322
0000010 1bd0 971a 8426 53ef 3b3e 7f4b fe53 6237
0000020 c024 478e 59e9 bcb2 513b 8098 28b9 6865
0000030 7d24 0f11 f570 e2c5 59b4 a30c 5ff5 fe52
0000040 fdef 8f4c 8de6 35e8 9e32 3c60 1ec5 027f
0000050 5454 d110 1d67 8d10 a4f5 0d00 20cf 39a4
0000060 4949 2cd7 4fd1 03bb cf45 293a cd5d 9fa8
0000070 8f99 5587 9a2c b158 c3bd 8384 475e 8571
0000080 6ef9 be68 00bb d225 b6d2 df9e 7221 9841
0000090 88f6 1db4 9beb 1349 e6fb b596 7a45 99b3
00000a0 e121 59d7 891f 84de e857 3c61 9e6c 243b
00000b0 7928 d8d4 3b78 9c2d 93a9 a55e a726 c029
00000c0 df6e 01c5 e637 3093 97be 1260 5dcc 1cfe
00000d0 c414 8bc6 dbd1 cb3e 4324 598a 9ba0 b45d
00000e0 5635 0d3e df8b 2f57 b577 6530 f3ce 321f
00000f0 9ddc a0ba 4641 1e26 9499 5cbd 75d0 3d8e

$ hexdump fic2.bin
0000000 66a7 02a6 5cb6 e7ff bc73 58f2 b326 b122
0000010 1bd0 d71a 8426 51ef 3bbe 7f4b fed3 6237
0000020 c0a4 458e 59e9 fcb2 513b 8098 2839 2865
0000030 7da4 0d11 f570 e0c5 5934 e30c 5f75 fc52
0000040 fd6f 8d4c 8d66 75e8 9e32 3e60 1e45 027f
0000050 54d4 d110 1de7 8d10 a4f5 0d00 20cf 39a4
0000060 4949 2cd7 4fd1 01bb cf45 693a cd5d 9da8
0000070 8f19 5587 9aac b158 c33d 8184 475e c571
0000080 6e79 fe68 00bb d025 b652 dd9e 72a1 d841
0000090 8876 1fb4 9b6b 1149 e67b f596 7ac5 99b3
00000a0 e1a1 19d7 899f 86de e857 3c61 9eec 263b
00000b0 79a8 98d4 3b78 9e2d 9329 a75e a7a6 8029
00000c0 df6e 03c5 e637 3093 973e 1060 5d4c 5cfe
00000d0 c414 89c6 db51 cb3e 43a4 598a 9b20 b45d
00000e0 5635 0d3e df8b 2f57 b577 6530 f3ce 301f
00000f0 9ddc e0ba 4641 1c26
9419 5cbd 7550 3d8e

$ diff fic1.bin fic2.bin
Binary files fic1.bin and fic2.bin differ

$ openssl sha fic1.bin
SHA(fic1.bin)= c9f160777d4086fe8095fba58b7e20c228a4006b
$ openssl sha fic2.bin
SHA(fic2.bin)= c9f160777d4086fe8095fba58b7e20c228a4006b

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Pascal Junod http://crypto.junod.info *
* Security and Cryptography Laboratory (LASEC) *
* Swiss Federal Institute of Technology (EPFL), CH-1015 Lausanne *
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

--- end forwarded text

--
-----------------
R. A. Hettinga
The Internet Bearer Underwriting Corporation
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

From camera_lumina at hotmail.com Fri Aug 13 12:57:05 2004
From: camera_lumina at hotmail.com (Tyler Durden)
Date: Fri, 13 Aug 2004 15:57:05 -0400
Subject: Forensics on PDAs, notes from the field
Message-ID:

Sunder wrote...

>And PGP won't stand out because.... ?

Just wondering. Is it possible to disguise a PGP'd message as a more weakly encrypted message that then decrypts to something other than the true message? OK...perhaps we stego an encrypted message, then encrypt that photo using something weaker. Not like they haven't already thought of that, though. And it seems to me to be a difficult task getting ahold of enough photos that would be believably worth encrypting.
-TD

>From: Sunder
>To: Morlock Elloi
>CC: "cypherpunks at al-qaeda.net"
>Subject: Re: Forensics on PDAs, notes from the field
>Date: Fri, 13 Aug 2004 14:11:36 -0400 (edt)
>
>On Fri, 13 Aug 2004, Morlock Elloi wrote:
>
> > The purpose would be that they do not figure out that you are using some
> > security program, so they don't suspect that noise in the file or look for
> > stego, right?
> >
> > The last time I checked the total number of PDA programs ever offered to public
> > in some way was around 10,000 (5,000 ? 100,000 ? Same thing.) That can be
> > trivially checked for. Any custom-compiled executable will stand out as a sore
> > thumb.
>
>How? Not if you get something like a Sharp Zaurus and compile your own
>environment. "Hey, I want to get as much performance out of this shitty
>little ARM chip as I can."
>
> > You will suffer considerably less bodily damage inducing you to spit the
> > passphrase than to produce the source and the compiler.
>
>What makes you think they'll have enough of a clue as to how to read the
>files off your PDA without booting it in the first place? 99% of these
>dorks use very expensive automated hardware tools that do nothing more
>than "dd" your data to their device, then run a scanner on it which looks
>for well known jpg's of kiddie porn.
>
>If you're suspected of something really big, or you're middle eastern,
>then you need to worry about PDA forensics. Otherwise, you're just
>another geek with a case of megalomania thinking you're important enough
>for the FedZ to give a shit about you.
>
> > Just use the fucking PGP. It's good for your genitals.
>
>And PGP won't stand out because.... ?
>
>
>----------------------Kaos-Keraunos-Kybernetos---------------------------
> + ^ + :"Our enemies are innovative and resourceful, and so are we.  /|\
>  \|/  :They never stop thinking about new ways to harm our country /\|/\
><--*-->:and our people, and neither do we." -G. W.
>Bush, 2004.08.05 \/|\/
>  /|\  :                                                             \|/
> + v + :     War is Peace, freedom is slavery, Bush is President.
>-------------------------------------------------------------------------
>

From mv at cdc.gov Fri Aug 13 16:19:05 2004
From: mv at cdc.gov (Major Variola (ret))
Date: Fri, 13 Aug 2004 16:19:05 -0700
Subject: yes, they look for stego, as a "Hacker Tool"
Message-ID: <411D4C69.38D822FB@cdc.gov>

>> A cool thing for this purpose could be a patch for gcc to produce unique
>> code every time, perhaps using some of the polymorphic methods used by
>> viruses.
>
>The purpose would be that they do not figure out that you are using some
>security program, so they don't suspect that noise in the file or look for
>stego, right?

Yes, they do. Check the link. The CDROM of file hashes contains a category "Hacker Tools" that includes the Stego tools they could download from the 'net. Any jpg which looks like noise will be of interest. And any stego program will make them look at your images (etc) more closely :-)

Most of the programs they've hashed are so the forensic pigs can discount them. But they would find known-stego tools very interesting. And they would find them, even if renamed, from their sigs; but not if polymorphic or encrypted, but then they would be in the "unknown" category, along with user-created files. And programs :-) To be manually inspected by a forensic dude.

These hash-CDROMs are also useful for finding unlicensed software and music....

----
Osama sez: Always use original images and sounds as stego carriers. And keep your tools encrypted, or on memory sticks you can flush or snap with your fingers.
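Two technical points in this part of the archive can be checked side by side: the SHA-0 collision forwarded in the "Joux found a collision for SHA-0 !" message, and the known-file hash set that the forensic CDROM discussion above describes (and that a later message in this thread observes is keyed on several independent digests). The following is an added example, written for this page and not code from any poster, from NIST, or from the Joux team. The two 2048-bit messages are copied verbatim from the forwarded announcement; the SHA-0 implementation, the constructed "known file" table, and the function names are this example's own.

```python
"""Verify the forwarded SHA-0 collision, then show why a forensic known-file
set keyed on several digests is not fooled by a collision in one of them.
Added example; not code from any poster on this thread."""
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def sha0(data: bytes) -> bytes:
    """SHA-0 (FIPS 180, 1993). Identical to SHA-1 except that the message
    schedule words W[16..79] are not rotated left by one bit; that missing
    rotation is the weakness the Chabaud/Joux style attacks exploit."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    bit_len = len(data) * 8
    padded = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack(">Q", bit_len)
    for off in range(0, len(padded), 64):
        w = list(struct.unpack(">16I", padded[off:off + 64]))
        for t in range(16, 80):
            w.append(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16])  # SHA-1 adds _rotl(.., 1) here
        a, b, c, d, e = h
        for t in range(80):
            if t < 20:
                f, k = (b & c) | (~b & d), 0x5A827999
            elif t < 40:
                f, k = b ^ c ^ d, 0x6ED9EBA1
            elif t < 60:
                f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
            else:
                f, k = b ^ c ^ d, 0xCA62C1D6
            a, b, c, d, e = (_rotl(a, 5) + f + e + k + w[t]) & MASK32, a, _rotl(b, 30), c, d
        h = [(x + y) & MASK32 for x, y in zip(h, (a, b, c, d, e))]
    return struct.pack(">5I", *h)


# The two colliding messages, copied from the Joux announcement forwarded above.
JOUX_M1 = """
a766a602 b65cffe7 73bcf258 26b322b3 d01b1a97 2684ef53 3e3b4b7f 53fe3762
24c08e47 e959b2bc 3b519880 b9286568 247d110f 70f5c5e2 b4590ca3 f55f52fe
effd4c8f e68de835 329e603c c51e7f02 545410d1 671d108d f5a4000d cf20a439
4949d72c d14fbb03 45cf3a29 5dcda89f 998f8755 2c9a58b1 bdc38483 5e477185
f96e68be bb0025d2 d2b69edf 21724198 f688b41d eb9b4913 fbe696b5 457ab399
21e1d759 1f89de84 57e8613c 6c9e3b24 2879d4d8 783b2d9c a9935ea5 26a729c0
6edfc501 37e69330 be976012 cc5dfe1c 14c4c68b d1db3ecb 24438a59 a09b5db4
35563e0d 8bdf572f 77b53065 cef31f32 dc9dbaa0 4146261e 9994bd5c d0758e3d
"""
JOUX_M2 = """
a766a602 b65cffe7 73bcf258 26b322b1 d01b1ad7 2684ef51 be3b4b7f d3fe3762
a4c08e45 e959b2fc 3b519880 39286528 a47d110d 70f5c5e0 34590ce3 755f52fc
6ffd4c8d 668de875 329e603e 451e7f02 d45410d1 e71d108d f5a4000d cf20a439
4949d72c d14fbb01 45cf3a69 5dcda89d 198f8755 ac9a58b1 3dc38481 5e4771c5
796e68fe bb0025d0 52b69edd a17241d8 7688b41f 6b9b4911 7be696f5 c57ab399
a1e1d719 9f89de86 57e8613c ec9e3b26 a879d498 783b2d9e 29935ea7 a6a72980
6edfc503 37e69330 3e976010 4c5dfe5c 14c4c689 51db3ecb a4438a59 209b5db4
35563e0d 8bdf572f 77b53065 cef31f30 dc9dbae0 4146261c 1994bd5c 50758e3d
"""


def _words(hex_text: str) -> bytes:
    """Turn the whitespace-separated hex words into the 256-byte message."""
    return bytes.fromhex("".join(hex_text.split()))


ALGOS = ("sha0", "md5", "sha1", "sha256")


def fingerprint(data: bytes) -> dict:
    """One hash-set record for a file, keyed on several independent digests."""
    return {
        "sha0": sha0(data).hex(),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def classify(data: bytes, known: dict) -> tuple:
    """Look a file up in a known-file set (name -> fingerprint).
    'known' only when every digest agrees. A partial agreement is exactly
    the trace a single-algorithm collision leaves behind: it marks the file
    for manual inspection instead of letting it be discounted."""
    fp = fingerprint(data)
    for name, ref in known.items():
        agreeing = [alg for alg in ALGOS if fp[alg] == ref[alg]]
        if len(agreeing) == len(ALGOS):
            return ("known", name, agreeing)
        if agreeing:
            return ("partial", name, agreeing)
    return ("unknown", None, [])


# Constructed known-file set: the first Joux message stands in for a
# catalogued file, next to an ordinary constructed shell script.
KNOWN = {
    "joux-message-1": fingerprint(_words(JOUX_M1)),
    "sample-script": fingerprint(b"#!/bin/sh\necho hello\n"),
}

if __name__ == "__main__":
    m1, m2 = _words(JOUX_M1), _words(JOUX_M2)
    print("messages differ:", m1 != m2)
    print("sha0(m1) =", sha0(m1).hex())
    print("sha0(m2) =", sha0(m2).hex())
    for label, blob in (("m1", m1), ("m2", m2), ("other", b"unrelated constructed file\n")):
        print(label, classify(blob, KNOWN))
```

Running it reproduces the common digest c9f160777d4086fe8095fba58b7e20c228a4006b for both messages without depending on an OpenSSL build that still ships SHA-0. The second message then comes back as a "partial" match against the catalogued first one, agreeing under SHA-0 only: a file engineered to collide under one algorithm does not inherit the other digests, which is the reason a hash set that records MD5, SHA-1 and SHA-256 together is the right design on the defender's side.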
From mv at cdc.gov Fri Aug 13 16:35:26 2004
From: mv at cdc.gov (Major Variola (ret))
Date: Fri, 13 Aug 2004 16:35:26 -0700
Subject: Forensics on PDAs, notes from the field
Message-ID: <411D503E.ECC006D@cdc.gov>

At 01:46 PM 8/13/04 -0400, John Kelsey wrote:
>>From: "Major Variola (ret)"
>>Obvious lesson: Steganography tool authors, your programs
>>should use the worm/HIV trick of changing their signatures
>>with every invocation. Much harder for the forensic
>>fedz to recognize your tools. (As suspicious, of course).
>
>I would have thought the obvious lesson was to keep all your important work on an
>encrypted disk partition, with a good password and a high iteration count. This is true not
>just for criminals and terrorists, but for anyone who doesn't want the information on their
>hard drive read by anyone who happens to steal their computer.

If you include "PDA & Cellphone" as computer; or include "flash eeprom" as a "hard drive", then we agree. Most Persons of Interest will have secrets on their mobile gizmos (which use flash memory) as well as their PC's spinning disks. Sync'ing the PDA + PC means the security boundary includes them both.

The important lesson is that all your gizmos will be seized and analyzed. And that the world needs good Linux-based-PDA & flash-mem-compatible security tools.

And don't forget the epoxy...

From mv at cdc.gov Fri Aug 13 16:38:31 2004
From: mv at cdc.gov (Major Variola (ret))
Date: Fri, 13 Aug 2004 16:38:31 -0700
Subject: Forensics on PDAs, notes from the field
Message-ID: <411D50F7.71FD5D31@cdc.gov>

At 02:11 PM 8/13/04 -0400, Sunder wrote:
>If you're suspected of something really big, or you're middle eastern,
>then you need to worry about PDA forensics. Otherwise, you're just
>another geek with a case of megalomania thinking you're important enough
>for the FedZ to give a shit about you.

Perhaps you're a geek working for people who think they're important enough?
In any case, it's not just the FedZ, the locals send the tricky shit to the FedZ if they don't have the LabZ. Same as with arson, poisonings, etc. So we all fall under the same logic-analyzer-panopticon.

From mv at cdc.gov Fri Aug 13 16:44:16 2004
From: mv at cdc.gov (Major Variola (ret))
Date: Fri, 13 Aug 2004 16:44:16 -0700
Subject: Forensics on PDAs, notes from the field
Message-ID: <411D5250.E04502DD@cdc.gov>

>On Fri, 13 Aug 2004, Thomas Shaddack wrote:
>> In the world of industrial espionage and divorce lawyers, the FedZ aren't
>> the only threat model.

At 03:06 PM 8/13/04 -0400, Sunder wrote:
>Right, in which case GPG (or any other decent crypto system) is just fine,
>or you wouldn't be looking for stego'ing it inside of binaries in the
>first place.

I don't think Sunder grasps how much fun divorce lawyers can be. So, Mr. Smith, what *do* you hide with your crypto tools? And why won't you let the court examine the plaintext in camera, if your content is so benign? (Or are your ex-wife's accusations true?)

Also, public schools prohibit the use of encryption. No kidding. And finding a crypto tool on a .mil slave's personal machine may be indicting evidence, given their lack of civilian legal processes, when accused by their own.

Since mere possession of lockpick tools is criminal, do you really think you can possess crypto tools freely?

From mv at cdc.gov Fri Aug 13 16:47:47 2004
From: mv at cdc.gov (Major Variola (ret))
Date: Fri, 13 Aug 2004 16:47:47 -0700
Subject: Forensics on PDAs, notes from the field (your teenage son's homemade porn)
Message-ID: <411D5323.31294BB3@cdc.gov>

At 10:07 PM 8/13/04 +0200, Thomas Shaddack wrote:
>On Fri, 13 Aug 2004, Tyler Durden wrote:
>
>> And it seems to me to be a difficult task getting ahold of enough photos
>> that would be believably worth encrypting.
>
>Homemade porn?

Your 16 year old son's homemade porn.
[google on Heidl & rape; a deputy sheriff's teen son makes a porn movie with a passed out teen and gets busted]

From rah at shipwright.com Fri Aug 13 15:45:52 2004
From: rah at shipwright.com (R. A. Hettinga)
Date: Fri, 13 Aug 2004 18:45:52 -0400
Subject: Joux found a collision for SHA-0 !
Message-ID:

--- begin forwarded text

From shaddack at ns.arachne.cz Fri Aug 13 09:53:08 2004
From: shaddack at ns.arachne.cz (Thomas Shaddack)
Date: Fri, 13 Aug 2004 18:53:08 +0200 (CEST)
Subject: Forensics on PDAs, notes from the field
In-Reply-To: <0408120630100.10414@somehost.domainz.com>
References: <411AC636.230A1946@cdc.gov> <0408120630100.10414@somehost.domainz.com>
Message-ID: <0408131813530.0@somehost.domainz.com>

On Thu, 12 Aug 2004, Thomas Shaddack wrote:

> > The NIST CDROM also doesn't seem to include source code amongst its
> > sigs, so if you compile yourself, you may avoid their easy glance.
>
> A cool thing for this purpose could be a patch for gcc to produce unique
> code every time, perhaps using some of the polymorphic methods used by
> viruses.
>
> Just adding a chunk of data to make the hash unique will work against the
> current generation of the described tools. But we should plan to the
> future, what moves the adversary can do to counter this step.

We can do some in-depth changes of the executable, using the "Steganography in executable files" approach described here (and on Slashdot) recently. See eg. here:
http://www.informit.com/articles/article.asp?p=102181&seqNum=6

The difference is we don't want to store anything to the file itself but just to change its content without changing its function. We can use the Hydan approach, using random data as what to store inside. Adding a command

dd if=/dev/urandom count= | $HYDAN_STEGO $exefile

(where $HYDAN_STEGO is the steganography-adding program and $exefile is the product of the compilation by an unmodified compiler) into the makefile of the project could make the signatures unique for every compilation.
Same applies to installation scripts. As we shouldn't trust our tools completely, a suite of suitable test vectors should be run afterwards.

This can be used in combination with executable packers (eg. UPX), or some wrappers for "copy-protection", which wrap and optionally encrypt the executable and refuse to run it when eg. a dongle (which can contain the key) is not present in the computer. It doesn't work for copy protection too well, but can slow down the adversary (or make some of their attack methods impossible or impractical to use) in other scenarios. If the usage scenario is plausible, the deployment of the protection technology may "make sense", so its presence won't have to necessarily raise suspicion. (We have to always keep in mind that the presence of any given technology can be a factor on its own.)

The adversary then has to resort to heuristic analysis of the code segments, or hashing data segments, or maintaining sets of characteristics of the executables other than the hashes of the complete file (code/data segments size, addresses of jumps...), or relying on the strings in the file, or other options, all of them more difficult than hashing a file, and potentially requiring better-trained forensics people...

From shaddack at ns.arachne.cz Fri Aug 13 10:44:09 2004
From: shaddack at ns.arachne.cz (Thomas Shaddack)
Date: Fri, 13 Aug 2004 19:44:09 +0200 (CEST)
Subject: Forensics on PDAs, notes from the field
In-Reply-To: <20040813172748.66002.qmail@web40624.mail.yahoo.com>
References: <20040813172748.66002.qmail@web40624.mail.yahoo.com>
Message-ID: <0408131934270.10452@somehost.domainz.com>

On Fri, 13 Aug 2004, Morlock Elloi wrote:

> > A cool thing for this purpose could be a patch for gcc to produce unique
> > code every time, perhaps using some of the polymorphic methods used by
> > viruses.
>
> The purpose would be that they do not figure out that you are using some
> security program, so they don't suspect that noise in the file or look for
> stego, right?

In better case, this. In worse case, to force the adversary to face an unknown, unexpected situation they aren't trained to handle.

> The last time I checked the total number of PDA programs ever offered to public
> in some way was around 10,000 (5,000 ? 100,000 ? Same thing.) That can be
> trivially checked for. Any custom-compiled executable will stand out as a sore
> thumb.

Until a Gentoo-like Linux distro for PDAs appears. Then custom-compiled code becomes quite common in that segment of consumers.

Another possible way for wrecking the set of file signatures "in the wild" could be releasing a product (which then would have to become popular, so it has to be useful) to do a function modifying the executables - may be a code packer (flash space is still a premium in the PDAs), may be a realtime patcher (for eg. protecting against some generic code exploits), in extreme cases may be an otherwise benign trojan or worm.

> You will suffer considerably less bodily damage inducing you to spit the
> passphrase than to produce the source and the compiler.

Yes, but the same applies to your colleague. Would you like it to be easy for your colleague to betray you?

> Just use the fucking PGP. It's good for your genitals.

Unless the adversary beats the passphrase from your colleague and then comes for you. Don't be so selfish. :)

From mv at cdc.gov Fri Aug 13 20:14:19 2004
From: mv at cdc.gov (Major Variola (ret))
Date: Fri, 13 Aug 2004 20:14:19 -0700
Subject: yes, they look for stego, as a "Hacker Tool"
Message-ID: <411D838B.2F72401A@cdc.gov>

At 01:48 AM 8/14/04 +0200, Thomas Shaddack wrote:
>Then you have
>the forest where every tree is marked and the leprechaun is laughing.

Love that story. But the self-watermarking you later mention is a problem.
Even if you map a particular hash into one of a million known-benign values, which takes work, there are multiple orthogonal hash algorithms included on the NIST CD. (Eg good luck finding values that collide in MD5 & SHA-1 & SHA-256 simultaneously!)

>> These hash-CDROMs are also useful for finding unlicensed software and
>> music....
>
>Another reason for making your data unique.

In that case, yes, although ultimately the RIAA could hire offshore Indians to listen to your stego'd/uniquified Madonna song and identify it. (Of course, they don't know if you own the vinyl for it... and software can be sold by the original purchaser, too, right?)

>> And keep your tools encrypted, or on memory sticks you can flush or
>> snap with your fingers.
>
>Beware of destruction of memory sticks

Yes something like a Tomlinson (_Big Breach_) sleight of hand with a Psion card is a good idea, as is the microwave oven trash can next to your machine :-)

>A neat trick to lower the suspicion-factor for stego in JPEG or video
>could be releasing a closed-source program for Windows as either freeware
>... and there still is a segment of consumers who think that
>when it is free, it's worthless)

And a larger segment which will stick any CD they get in the mail into their bootable drive.. LOL

>The sheeple don't have to be only a threat. They can be useful, if their
>gullibility is properly exploited.

Sorta like the National Forests... resource of many uses...
may as well include a mixmaster payload in that worm :-) which also provides some other overt free benefit like antivirus or anti-helmetic or defrag or game or bayesian spamfilter or chat or screensaver or anon remailing client or free ringtone :-)

From shaddack at ns.arachne.cz Fri Aug 13 11:35:44 2004
From: shaddack at ns.arachne.cz (Thomas Shaddack)
Date: Fri, 13 Aug 2004 20:35:44 +0200 (CEST)
Subject: Forensics on PDAs, notes from the field
In-Reply-To:
References: <20040813172748.66002.qmail@web40624.mail.yahoo.com>
Message-ID: <0408132034300.0@somehost.domainz.com>

On Fri, 13 Aug 2004, Sunder wrote:

> If you're suspected of something really big, or you're middle eastern,
> then you need to worry about PDA forensics. Otherwise, you're just
> another geek with a case of megalomania thinking you're important enough
> for the FedZ to give a shit about you.

In the world of industrial espionage and divorce lawyers, the FedZ aren't the only threat model.

From rah at shipwright.com Fri Aug 13 19:01:39 2004
From: rah at shipwright.com (R. A. Hettinga)
Date: Fri, 13 Aug 2004 22:01:39 -0400
Subject: Bush backs banks' appeal of Calif's financial privacy law
Message-ID:

KESQ NewsChannel 3 Palm Springs, CA:

Bush backs banks' appeal of Calif's financial privacy law

SACRAMENTO The Bush administration stepped into a lawsuit challenging California's landmark financial privacy law today.

The administration is urging a federal judge to side with banks that want to overturn restrictions on how they can share customer information.

The new state law requires banks to get permission from customers before giving nonaffiliated companies customers' financial information like their bank balance or spending habits.

Copyright 2004 Associated Press. All rights reserved.
--
-----------------
R. A. Hettinga
The Internet Bearer Underwriting Corporation
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to experience."
-- Edward Gibbon, 'Decline and Fall of the Roman Empire'

From shaddack at ns.arachne.cz Fri Aug 13 13:07:47 2004
From: shaddack at ns.arachne.cz (Thomas Shaddack)
Date: Fri, 13 Aug 2004 22:07:47 +0200 (CEST)
Subject: Forensics on PDAs, notes from the field
In-Reply-To:
References:
Message-ID: <0408132207170.10458@somehost.domainz.com>

On Fri, 13 Aug 2004, Tyler Durden wrote:

> And it seems to me to be a difficult task getting ahold of enough photos
> that would be believably worth encrypting.

Homemade porn?

From shaddack at ns.arachne.cz Fri Aug 13 16:48:06 2004
From: shaddack at ns.arachne.cz (Thomas Shaddack)
Date: Sat, 14 Aug 2004 01:48:06 +0200 (CEST)
Subject: yes, they look for stego, as a "Hacker Tool"
In-Reply-To: <411D4C69.38D822FB@cdc.gov>
References: <411D4C69.38D822FB@cdc.gov>
Message-ID: <0408140123430.10470@somehost.domainz.com>

On Fri, 13 Aug 2004, Major Variola (ret) wrote:

> Any jpg which looks like noise will be of interest. And any stego
> program will make them look at your images (etc) more closely :-)
>
> Most of the programs they've hashed is so the forensic pigs can discount
> them. But they would find known-stego tools very interesting. And they
> would find them, even if renamed, from their sigs; but not if
> polymorphic or encrypted, but then they would be in the "unknown"
> category, along with user-created files. And programs :-) To be
> manually inspected by a forensic dude.

Run a tool for signature changing preemptively, on *all* the files in the system that can be changed without changing their function?
Then you have the forest where every tree is marked and the leprechaun is laughing.

> These hash-CDROMs are also useful for finding unlicensed software and
> music....

Another reason for making your data unique.

> ----
> Osama sez: Always use original images and sounds as stego carriers.

DV camcorders are becoming increasingly popular. Is there any software to stego the data into DV streams? Such files are suitable as carriers, as it is easy to produce gigabytes and gigabytes of meaningful data from a single friend's wedding - which allows even sparse encoding without having an improbable amount of data.

> And keep your tools encrypted, or on memory sticks you can flush or
> snap with your fingers.

Beware of destruction of memory sticks; as long as the Flash chip is intact, even if its casing itself is broken, it is easy for a properly equipped lab to get the chip out of the case and bond it to a new casing. The Flash chips used in the USB disks have serial interfaces, which makes the task of connecting them again rather easy, if you have the right toys (available for anybody who does eg. thick-layer hybrid circuits).

A neat trick to lower the suspicion-factor for stego in JPEG or video could be releasing a closed-source program for Windows as either freeware or easy-to-hack (or without the time check at all) shareware (we don't want the money here, but we want the people to think it's doing a lot of good for them, and there still is a segment of consumers who think that when it is free, it's worthless), which is touted loudly for enhancing the images. While all it can be doing is to slightly manipulate brightness and contrast in the too dark or too light areas, smear or sharpen the image a little bit; may be just a couple of NetPBM tools cobbled together with a nice interface added (we'll violate the licence here, but that's a minor detail - which can further serve to bring attention to the tool). And, last but not least, inserting steganographed random data into them.
May be something meaningful, may be just random data, may be perhaps random data chunked to packets looking like a GPG-encrypted file.

Put it online, wait until the news are slow, and get some computer graphics magazines interested in it, writing articles about it. Perhaps run an astroturf campaign, guerrilla marketing. Get it distributed on the CDs shipped with them. Even with just a fraction of a % of the images "in the wild" there will be a lot of them looking like stegoed, serving as a convenient smokescreen for the "real" ones.

The sheeple don't have to be only a threat. They can be useful, if their gullibility is properly exploited.

From shaddack at ns.arachne.cz Fri Aug 13 18:32:34 2004
From: shaddack at ns.arachne.cz (Thomas Shaddack)
Date: Sat, 14 Aug 2004 03:32:34 +0200 (CEST)
Subject: yes, they look for stego, as a "Hacker Tool"
In-Reply-To: <0408140123430.10470@somehost.domainz.com>
References: <411D4C69.38D822FB@cdc.gov> <0408140123430.10470@somehost.domainz.com>
Message-ID: <0408140326560.0@somehost.domainz.com>

On Sat, 14 Aug 2004, Thomas Shaddack wrote:

> > polymorphic or encrypted, but then they would be in the "unknown"
> > category, along with user-created files. And programs :-) To be
> > manually inspected by a forensic dude.
>
> Run a tool for signature changing preemptively, on *all* the files in the
> system that can be changed without changing their function? Then you have
> the forest where every tree is marked and the leprechaun is laughing.

BEWARE! You should keep in mind this deals with the problem of well-known signatures by making the files globally unique, but it introduces a vulnerability by the same mechanism: the files are unique and can be linked with you. You may mitigate this by "reuniquing" the files in every case you are giving them away, but you should keep this risk firmly in mind.
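The known-file triage this subthread argues about, as an added example that is not part of the thread and not the NIST hash CD's own tooling: a small filter that hashes each file under MD5, SHA-1 and SHA-256 and looks all three up in a reference set, the way an examiner discounts known software and sends the "unknown" remainder to manual inspection, plus a check for the linkage risk the BEWARE paragraph describes. The reference set, file bodies, image names and paths are constructed for the example.

```python
"""Known-file triage with several hash algorithms, and the linkage risk.

Added example for this thread; not code from the list or from NIST's hash
sets. The reference set, file bodies and paths below are constructed.
"""
import hashlib
from typing import Dict, Iterable, List, Set

# A reference set carries several independent digests per known file, so a
# file only counts as "known" if it matches under all of them at once.
ALGORITHMS = ("md5", "sha1", "sha256")


def digests(data: bytes) -> Dict[str, str]:
    """Hex digests of one file body under every algorithm in ALGORITHMS."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def build_reference_set(known_files: Iterable[bytes]) -> Dict[str, Set[str]]:
    """Per-algorithm lookup tables, the shape of a hash CD's records."""
    ref: Dict[str, Set[str]] = {name: set() for name in ALGORITHMS}
    for body in known_files:
        for name, hexdigest in digests(body).items():
            ref[name].add(hexdigest)
    return ref


def classify(data: bytes, ref: Dict[str, Set[str]]) -> str:
    """'known' if every digest matches, 'unknown' if none does.

    A match under some algorithms but not all would be a collision in one
    algorithm only; it is reported separately so the examiner notices it.
    """
    d = digests(data)
    hits = [name for name in ALGORITHMS if d[name] in ref[name]]
    if len(hits) == len(ALGORITHMS):
        return "known"
    if hits:
        return "partial-match"
    return "unknown"


def triage(files: Dict[str, bytes], ref: Dict[str, Set[str]]) -> Dict[str, str]:
    """Label every file of an image; 'unknown' ones go to manual inspection."""
    return {path: classify(body, ref) for path, body in files.items()}


def linkable_unknowns(images: Dict[str, Dict[str, bytes]],
                      ref: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """SHA-256 digests of non-known files that occur in more than one image.

    This is the BEWARE case: a file made globally unique on one machine and
    then handed to someone else carries the same unique digest on both.
    """
    seen: Dict[str, List[str]] = {}
    for image_name, files in images.items():
        for body in files.values():
            if classify(body, ref) != "known":
                seen.setdefault(digests(body)["sha256"], []).append(image_name)
    return {h: names for h, names in seen.items() if len(names) > 1}


# Constructed stand-ins for stock binaries that the reference set knows.
STOCK_EDITOR = b"\x7fELF stock editor build 1.0\n" * 4
STOCK_SHELL = b"\x7fELF stock shell build 2.3\n" * 4
REFERENCE = build_reference_set([STOCK_EDITOR, STOCK_SHELL])

# One trailing byte appended: every digest differs, so the copy is "unknown"
# without any collision search, which is all "reuniquing" amounts to.
REUNIQUED_EDITOR = STOCK_EDITOR + b"\x00"

# Two constructed disk images; the reuniqued editor was passed along.
IMAGES = {
    "laptop": {
        "/usr/bin/editor": STOCK_EDITOR,
        "/usr/bin/shell": STOCK_SHELL,
        "/opt/editor.reuniqued": REUNIQUED_EDITOR,
        "/home/user/notes.txt": b"grocery list\n",
    },
    "colleague": {
        "/usr/bin/shell": STOCK_SHELL,
        "/tmp/editor": REUNIQUED_EDITOR,
    },
}

if __name__ == "__main__":
    for name, files in IMAGES.items():
        print(name, triage(files, REFERENCE))
    print("linkable:", linkable_unknowns(IMAGES, REFERENCE))
```

Two things the thread says fall out of running it: the reuniqued copy lands in "unknown" (the examiner's manual pile) with no collision work at all, which is Shaddack's aim, and the same unique digest then turns up on both images, which is the linkage Variola and the BEWARE paragraph warn about.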
From shaddack at ns.arachne.cz Fri Aug 13 20:30:27 2004
From: shaddack at ns.arachne.cz (Thomas Shaddack)
Date: Sat, 14 Aug 2004 05:30:27 +0200 (CEST)
Subject: yes, they look for stego, as a "Hacker Tool"
In-Reply-To: <411D838B.2F72401A@cdc.gov>
References: <411D838B.2F72401A@cdc.gov>
Message-ID: <0408140520490.10485@somehost.domainz.com>

On Fri, 13 Aug 2004, Major Variola (ret) wrote:

> Even if you map a particular hash into one of a million known-benign
> values, which takes work, there are multiple orthogonal hash algorithms
> included on the NIST CD. (Eg good luck finding values that collide in
> MD5 & SHA-1 & SHA-256 simultaneously!)

Argh. You misunderstood me. I don't want to find hash collisions, to create a false known hash - that is just too difficult. I want to make every file in the machine recognized as "unidentifiable".

> >> These hash-CDROMs are also useful for finding unlicensed software and
> >> music....
> >
> >Another reason for making your data unique.
>
> In that case, yes, although ultimately the RIAA could hire offshore
> Indians to listen to your stego'd/uniquified Madonna song and identify
> it. (Of course, they don't know if you own the vinyl for it... and
> software can be sold by the original purchaser, too, right?)

The adversary has acoustic fingerprinting software. Even cheaper than the Indians.

The signature busting of MP3s has a disadvantage, though: it makes their sharing back to the P2P pool more difficult, and a lot of programs relying on their hash (emule, Kazaa(?),...) instead of their file name will consider them a different file, which causes problems with multisource download (though the problem won't be on your side).
> Yes something like a Tomlinson (_Big Breach_) sleight of hand with a
> Psion card is a good idea, as is the microwave oven trash can next to
> your machine :-)

Or a small propane torch or a lighter (the kind that makes the hissing blue high-temperature flame), or even a sticker with magnesium shavings to burn through the chip when lit.

> >... and there still is a segment of consumers who think that
> >when it is free, it's worthless)
>
> And a larger segment which will stick any CD they get in the mail into
> their bootable drive.. LOL

Didn't realize this. Seems I still overestimate Them the People.

> Sorta like the National Forests... resource of many uses... may as well
> include a mixmaster payload in that worm :-) which also provides some
> other overt free benefit like antivirus or anti-helmetic or defrag or
> game or bayesian spamfilter or chat or screensaver or anon remailing
> client or free ringtone :-)

Free ringtones. Good attractant these days. I tend to forget about them as I tend to shun fancy tones - telephones should have a distinctive ring but "distinctive" does not have to mean "orchestral". But apparently there are large sets of people who like it. Weird...

From camera_lumina at hotmail.com Sat Aug 14 09:08:12 2004
From: camera_lumina at hotmail.com (Tyler Durden)
Date: Sat, 14 Aug 2004 12:08:12 -0400
Subject: yes, they look for stego, as a "Hacker Tool"
Message-ID:

>Sorta like the National Forests... resource of many uses... may as well
>include a mixmaster payload in that worm :-) which also provides some
>other overt free benefit like antivirus or anti-helmetic or defrag or game or
>bayesian spamfilter
>or chat or screensaver or anon remailing client or free ringtone :-)"

Well, shit there's an idea. Particularly if the virus is benign enough not to get noticed too often.
A mini-mixmaster is a particularly wonderful idea, if you could get it to work....in fact, imagine a mixmaster network where each node only exists for a short amount of time. Your P2P ID messages for the mixmaster network should be invisible to users of the ostensible services of course.

-TD

From mv at cdc.gov Sat Aug 14 16:43:52 2004
From: mv at cdc.gov (Major Variola (ret))
Date: Sat, 14 Aug 2004 16:43:52 -0700
Subject: yes, they look for stego, as a "Hacker Tool"
Message-ID: <411EA3B8.991705DB@cdc.gov>

At 05:30 AM 8/14/04 +0200, Thomas Shaddack wrote:
>On Fri, 13 Aug 2004, Major Variola (ret) wrote:
>
>> Even if you map a particular hash into one of a million known-benign
>> values, which takes work, there are multiple orthogonal hash algorithms
>> included on the NIST CD. (Eg good luck finding values that collide in
>> MD5 & SHA-1 & SHA-256 simultaneously!)
>
>Argh. You misunderstood me. I don't want to find hash collisions, to
>create a false known hash - that is just too difficult. I want to make
>every file in the machine recognized as "unidentifiable".

No, I understood this. In a later post it was brought up that this is essentially watermarking your content with a unique ID, which can be bad for P2P tracing purposes. So I was suggesting that by using a finite set of 'watermarks' one could avoid essentially embedding a unique label to one's copy of some content, at some cost in Cycles.
>The signature busting of MP3s has a disadvantage, though: makes their
>sharing back to the P2P pool more difficult, and a lot of programs relying
>on their hash (emule, Kazaa(?),...) instead of their file name will
>consider them a different file, which causes problems with multisource
>download (though the problem won't be on your side).

True. But I've found some manual intervention to be required anyway, sometimes you find a few copies of the same content stored as independent files due to slight differences in naming or truncation.

>> Sorta like the National Forests... resource of many uses... may as well
>> include a mixmaster payload in that worm :-) which also provides some
>> other overt free benefit like antivirus or anti-helmetic or defrag or
>> game or bayesian spamfilter or chat or screensaver or anon remailing
>> client or free ringtone :-)
>
>Free ringtones. Good attractant these days. I tend to forget about them as
>I tend to shun fancy tones - telephones should have a distinctive ring but
>"distinctive" does not have to mean "orchestral". But apparently there are
>large sets of people who like it. Weird...

It was disturbing that, as the bottom fell out of telecom, and handsets became commoditized, faceplates and ringtones were highly profitable. Faceplates are at least made of atoms. There are several lessons there, from economic to sociobiological (if there's a difference), none of which are terribly pleasing in my aesthetic.

Fortunately the whole PDA vs. cell vs. camera vs GPS vs. smartcard vs MP3 player vs. email-pager etc bat-belt [1] frenzy will resolve in a few years, and perhaps some of the Linux based solutions will not be involuntary citizen-tracking devices and will support privacy of data stored, and in transit, including voice data. And free ring tones :-)

All that's needed is one of the hardware-selling companies to start the process, making money off the atoms, and possibly Sharp's Zaurus (?) already has?
Perhaps there's a biz model in buying a 3-D color prototyping machine for $40K and setting up a custom faceplate biz for the integrated gizmo of the near future. Hmm, with freedom-enabling software being distributed on the side, it sounds like a Heinlein novel...

[1] Batman (tm) wore a belt with too many gizmos. Some widget-fetishist friends/early adopters are similarly afflicted.

From bill.stewart at pobox.com Sat Aug 14 17:44:16 2004
From: bill.stewart at pobox.com (Bill Stewart)
Date: Sat, 14 Aug 2004 17:44:16 -0700
Subject: Cryptome on ABC Evening News?
In-Reply-To:
References:
Message-ID: <6.0.3.0.0.20040814174010.058c32d8@pop.idiom.com>

At 03:32 PM 8/12/2004, R. A. Hettinga wrote:
>There's a teaser for tonight's 6:30 news about "a website that publishes
>pipeline maps and the names and addresses of government employees". The
>horror.

Speaking unofficially for the telecom industry, we're really happy to have the site there showing pictures of cable landings, antennas, etc. I've seen them used in internal training about submarine cables and I think we've probably used them in talks to customers as well.

Separately, of course, we have bureaucrats who don't want to publish the addresses of telecom POPs, ignoring the fact that you can't buy physically diverse access to a location if you don't know where it is, and also ignoring the fact that 90% of a certain large 3-1/2-letter-acronym long distance carrier's POPs are in the same buildings as the local telcos so everybody knows where they are anyway, even though everybody's forgotten the derivation of V&H coordinates...

----
Bill Stewart bill.stewart at pobox.com

From rah at shipwright.com Sat Aug 14 18:12:19 2004
From: rah at shipwright.com (R. A. Hettinga)
Date: Sat, 14 Aug 2004 21:12:19 -0400
Subject: [osint] FBI Warns Storage Unit Operators
Message-ID:

--- begin forwarded text

To: "Bruce Tefft"
Thread-Index: AcSAr6Y/Mj9PmYHqQZO/G2/Eo29FYgAgaLTg
From: "Bruce Tefft"
Mailing-List: list osint at yahoogroups.com; contact osint-owner at yahoogroups.com
Delivered-To: mailing list osint at yahoogroups.com
Date: Fri, 13 Aug 2004 08:30:35 -0400
Subject: [osint] FBI Warns Storage Unit Operators
Reply-To: osint at yahoogroups.com

FBI Warns Storage Unit Operators

Terrorist alert is extended to self-storage units

Joyce Lavoy is a manager for South Toledo Self Storage. Lavoy says she was stunned when an FBI agent walked into her office and told her to be on the lookout for possible terrorist activity.

Local FBI agents are visiting about 350 storage places in 19 northwest Ohio communities, including Toledo, Lucas County, and Sandusky. They're handing out alerts to owners and employees on potential terrorist activity in storage facilities. Federal sources tell 13 Action News in the past, terror suspects have been known to use storage units to devise their plans.

Every time Joyce Lavoy unlocks an empty storage unit and lifts the door, she's looking for the warning signs of possible terrorist activity. Lavoy has worked in the storage business for five years. She says she's never had an FBI agent walk into her office. "I thought there was someone renting a storage unit he was looking for." That wasn't the case. Lavoy says FBI agents wanted to put managers on alert that terrorists have been known to store and mix deadly chemicals in storage units.

The FBI alert cautions storage owners and employees to be on the lookout for:

suspicious people who visit the storage facility late at night or at unusual times.
unusual fumes, liquids, residues or odors emanating from their storage unit.
explosives, blasting caps, fuses, weapons, and ammunition.
flight manuals or other similar materials.
Lavoy says security cameras are in place and she's taking extra trips around the building with her employees looking for anything suspicious.

Source: http://abclocal.go.com/wtvg/news/811_storageunits.html

This information is provided by PURE PURSUIT as a service to members of the Military and Air Defense Community with the purpose of offering relevant and timely information on defense, aviation, emergency, law enforcement and terrorism issues. Posts may be forwarded to other individuals, organizations and lists for non-commercial purposes.

--- end forwarded text

From shaddack at ns.arachne.cz Sat Aug 14 17:43:54 2004
From: shaddack at ns.arachne.cz (Thomas Shaddack)
Date: Sun, 15 Aug 2004 02:43:54 +0200 (CEST)
Subject: yes, they look for stego, as a "Hacker Tool"
In-Reply-To: <411EA3B8.991705DB@cdc.gov>
References: <411EA3B8.991705DB@cdc.gov>
Message-ID: <0408150219280.10492@somehost.domainz.com>

On Sat, 14 Aug 2004, Major Variola (ret) wrote:

> >Argh. You misunderstood me. I don't want to find hash collisions, to
> >create a false known hash - that is just too difficult. I want to make
> >every file in the machine recognized as "unidentifiable".
>
> No, I understood this. In a later post it was brought up that this is
> essentially watermarking your content with a unique ID, which can be bad
> for P2P tracing purposes. So I was suggesting that by using a finite
> set of 'watermarks' one could avoid essentially embedding a unique label
> to one's copy of some content, at some cost in Cycles.
We can also periodically "reuniquize" the shared files, in some sane period, say every weekend. (That pollutes the shared-files pool with a lot of almost-the-same copies, diminishing the advantage of multisource download. So perhaps it is better to just use encrypted data storage and an anonymized P2P network, and keep uniqueness only of the system executables?)

> >on their hash (emule, Kazaa(?),...) instead of their file name will
> >consider them a different file, which causes problems with multisource
> >download (though the problem won't be on your side).
>
> True. But I've found some manual intervention to be required anyway,
> sometimes you find a few copies of the same content stored as
> independent files due to slight differences in naming or truncation.

Yes. However, depending on the system, the same files (with the same hash) differing only by name will look like a single file (eg. edonkey or WinMX). Other systems, depending on the file name only (eg. OpenNap), will show files with different names as different, even if identical inside.

> It was disturbing that, as the bottom fell out of telecom, and handsets
> became commoditized, faceplates and ringtones were highly profitable.
> Faceplates are at least made of atoms. There are several lessons there,
> from economic to sociobiological (if there's a difference), none of
> which are terribly pleasing in my aesthetic.

Care to elaborate further, please?

> Fortunately the whole PDA vs. cell vs. camera vs GPS vs. smartcard vs
> MP3 player vs. email-pager etc bat-belt [1] frenzy will resolve in a few
> years, and perhaps some of the Linux based solutions will not be
> involuntary citizen-tracking devices and will support privacy of data
> stored, and in transit, including voice data. And free ring tones :-)
> All that's needed is one of the hardware-selling companies to start the
> process, making money off the atoms, and possibly Sharp's Zaurus (?)
> already has?
Or buy an Enfora Enabler GSM/GPRS module, add a Gumstix module with built-in bluetooth, slap in a suitable display and keyboard, eventually add a GPS receiver, and we're set. All features and security modes we can imagine, and then some. Preventing spatial tracking is difficult though, as we're dependent on the cellular network for staying online. Though if the given area has wifi mesh coverage, it could be easier. (And if the device becomes widely popular, the handsets can serve as mesh nodes themselves - but that's a song of the rather far future.)

> Perhaps there's a biz model in buying a 3-D color prototyping machine
> for $40K and setting up a custom faceplate biz for the integrated gizmo
> of the near future. Hmm, with freedom-enabling software being
> distributed on the side, it sounds like a Heinlein novel...

Why not? :) Isn't the main purpose of science-fiction (at least certain kinds of it) to be the inspiration for the future?

On the other hand, perhaps it's cheaper to just get a bulk supply of "blank" faceplates and hire an artist with an airbrush and a talent. It's also possibly easier (and cheaper) to make the parts in a more classical way, eg. by casting them from resin. The rapid prototyping machines so far usually don't provide parts that are both nice-looking, accurate, and with suitable mechanical properties at once.

> [1] Batman (tm) wore a belt with too many gizmos. Some widget-fetishist
> friends/early adopters are similarly afflicted.

There is nothing like "too many" gizmos! (Well, you could call such a situation "almost enough", but never "too many".)

From rah at shipwright.com Sun Aug 15 04:29:14 2004
From: rah at shipwright.com (R. A. Hettinga)
Date: Sun, 15 Aug 2004 07:29:14 -0400
Subject: Websites, Passwords, and Consumers (Re: CRYPTO-GRAM, August 15, 2004)
In-Reply-To: <4.2.2.20040814232401.00b37890@counterpane.com>
References: <4.2.2.20040814232401.00b37890@counterpane.com>
Message-ID:

At 11:26 PM -0500 8/14/04, Bruce Schneier wrote:
> Websites, Passwords, and Consumers
>
>
>
>Criminals follow the money. Today, more and more money is on the
>Internet. Millions of people manage their bank accounts, PayPal
>accounts, stock portfolios, or other payment accounts online. It's a
>tempting target: if a criminal can gain access to one of these
>accounts, he can steal money.
>
>And almost all these accounts are protected only by passwords.
>
>If you're reading this essay, you probably already know that passwords
>are insecure. In my book "Secrets and Lies" (way back in 2000), I
>wrote: "Over the past several decades, Moore's Law has made it
>possible to brute-force larger and larger entropy keys. At the same
>time, there is a maximum to the entropy that the average computer user
>(or even the above-average computer user) is willing to
>remember.... These two numbers have crossed; password crackers can now
>break anything that you can reasonably expect a user to memorize."
>
>On the Internet, password security is actually much better than that,
>because dictionary attacks work best offline. It's one thing to test
>every possible key on your own computer when you have the actual
>ciphertext, but it's a much slower process when you have to do it
>remotely across the Internet. And if the website is halfway clever,
>it'll shut down an account if there are too many -- 5?, 10? --
>incorrect password attempts in a row. If you shut accounts down soon
>enough, you can even make four-digit PINs work on websites.
>
>This is why the criminals have taken to stealing passwords instead.
>
>Phishing is now a very popular attack, and it's amazingly
>effective. Think about how the attack works.
You get an e-mail from >your bank. It has a plausible message body, and contains a URL that >looks like it's from your bank. You click on it and up pops your bank >website. When asked for your username and password, you type it >in. Okay, maybe you or I are aware enough not to type it in. But the >average home banking customer doesn't stand a chance against this kind >of social engineering attack. > >And in June 2004, a Trojan horse appeared that captured passwords. It >looked like an image file, but it was actually an executable that >installed an add-on to Internet Explorer. That add-on monitored and >recorded outbound connections to the websites of several dozen major >financial institutions and then sent usernames and passwords to a >computer in Russia. Using SSL didn't help; the Trojan monitored >keystrokes before they were encrypted. > >The computer security industry has several solutions that are better >than passwords: secure tokens that provide one-time passwords, >biometric readers, etc. But issuing hardware to millions of electronic >banking customers is prohibitively expensive, both in initial cost and >in customer support. And customers hate these systems. If you're a >bank, the last thing you want to do is to annoy your customers. > >But having money stolen out of your account is even more annoying, and >banks are increasingly fielding calls from customer victims. Even >though the security problem has nothing to do with the bank, even >though the customer is the one who made the security mistake, banks are >having to make good on the customers' losses. It's one of the most >important lessons of Internet security: sometimes your biggest security >problems are ones that you have no control over. > >The problem is serious. In a May survey report, Gartner estimated that >about 3 million Americans have fallen victim to phishing >attacks. 
>"Direct losses from identity theft fraud against phishing attack victims -- including new-account, checking account and credit card account fraud -- cost U.S. banks and credit card issuers about $1.2 billion last year" (in 2003). Keyboard sniffers and Trojans will help make this number even greater in 2004.
>
>Even if financial institutions reimburse customers, the inevitable result is that people will begin to distrust the Internet. The average Internet user doesn't understand security; he thinks that a gold lock icon in the lower-right-hand corner of his browser means that he's secure. If it doesn't -- and we all know that it doesn't -- he'll stop using Internet financial websites and applications.
>
>The solutions are not easy. The never-ending stream of Windows vulnerabilities limits the effectiveness of any customer-based software solution -- digital certificates, plug-ins, and so on -- and the ease with which malicious software can run on Windows limits the effectiveness of other solutions. Point solutions might force attackers to change tactics, but won't solve the underlying insecurities. Computer security is an arms race, and money creates very motivated attackers. Unsolved, this type of security problem can change the way people interact with the Internet. It'll prove that the naysayers were right all along, that the Internet isn't safe for electronic commerce.
>
>Phishing:
>
>0149> or
>
>The Trojan:
>/2100-7349_3-5251981.html> or
>
>
>A shorter version of this essay originally appeared in IEEE Security and Privacy:
>

--
-----------------
R. A. Hettinga
The Internet Bearer Underwriting Corporation
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience."
-- Edward Gibbon, 'Decline and Fall of the Roman Empire'

From rah at shipwright.com Sun Aug 15 04:33:24 2004
From: rah at shipwright.com (R. A.
Hettinga)
Date: Sun, 15 Aug 2004 07:33:24 -0400
Subject: Apparently one can spell "Snake Oil" in Capital Letters, too (Re: CRYPTO-GRAM, August 15, 2004)
In-Reply-To: <4.2.2.20040814232401.00b37890@counterpane.com>
References: <4.2.2.20040814232401.00b37890@counterpane.com>
Message-ID:

At 11:26 PM -0500 8/14/04, Bruce Schneier wrote:

>From: "Ken Lavender"
>Subject: ICS Atlanta
>
>I am APPAULED at your "comments" that you had made on your website:
>
>
>You have statements are nothing but slander & defamation. They shall be dealt with accordingly.
>
>Lie #1: "How do they demonstrate Tree's security? 'Over 100 professionals in mathematics & in computer science at Massachusetts Institute of Technology & at Georgia Tech, had sample encoded messages submitted to them. Not a single person could break this code!'" That is not the ONLY way we prove it. We have examples & offer to allow people to submit their OWN messages to have encoded to SEE how good the code is. So there are THREE methods, NOT just ONE as you IMPLY.
>
>Lie #2: "These guys sent unsolicited e-mails..." HOW do you KNOW that this was the case? Have any PROOF of such? NO!
>
>Lie #3: "And if all that isn't enough to make you run screaming from these guys, their website proudly proclaims: 'Tree Encoded Files Can Be "Zipped."'" Because they can be "zipped" does NOT mean that it is "bad encoding." The "code talkers" of ww2 used LANGUAGE to "code" the messages, and THOSE COULD BE "ZIPPED"!!! And that code was NEVER BROKEN!!!
>
>Lie #4: "That's right; their encryption is so lousy that the ciphertext doesn't even look random." AGAIN, HOW would you KNOW??? Did you break it? NO! And what is "random"???
>
> random : without definite aim, direction, rule, or method
>
>"So lousy"? HOW WOULD YOU KNOW??? You would have to KNOW how we encode BEFORE you can make such a statement, & YOU DO NOT KNOW HOW!!! If it is SO LOUSY, how come NOBODY HAS BROKEN IT YET???
>And we have people ALL THE TIME trying to, with ZERO SUCCESS.
>
>I do not like you slandering something that you do not understand. ATALL!!!
>
>The ONLY question you asked was "how long is the key" AND THAT WAS IT! HOW long was the key that the 'code talkers' used? ZERO!!! JUST AS OUR IS. The encoding routine was created, tested, & verified on PAPER & PENCIL WITHOUT COMPUTERS! A child could encode data using our routine. The computer is merely used to "speed-up" the process, NOT TO CREATE IT. Our routine is based on LANGUAGE, NOT MATH. So all of you "comments" are just false, misleading & just plain ole lies! SHOW & PROVE that it is NOT random. What is the PATTERN THEN???
>
>I am DEMANDING A FULL RETRACTION OF YOUR COMMENTS & A FULL, COMPLETE APOLOGY TO THESE AND ALL STATEMENTS.
>
>I am a person who tries to work with people as a man w/o having to "drag" others into the mess. Others? THE COURTS. You have violated Calf law by your statements.
>
>[Text of California Civil Code Section 46 deleted.]
>
>Your LIES have damaged my respect in my job & has damaged any sales of this routine. You have ZERO proof of your "comments," ANY OF THEM!!! I beseech of you, do the RIGHT THING and comply. I DO NOT wish to escalate this matter any higher. And remember this, Tree is based on LANGUAGE, NOT MATH!!!!!!!!!!!!!!!!!
>
>[Phone number deleted out of mercy.]

--
-----------------
R. A. Hettinga
The Internet Bearer Underwriting Corporation
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience."
-- Edward Gibbon, 'Decline and Fall of the Roman Empire'

From hal at finney.org Sun Aug 15 10:43:09 2004
From: hal at finney.org (Hal Finney)
Date: Sun, 15 Aug 2004 10:43:09 -0700 (PDT)
Subject: RPOW - Reusable Proofs of Work
Message-ID: <20040815174309.6B65257E2D@finney.org>

I'd like to invite members of this list to try out my new hashcash-based server, rpow.net.

This system receives hashcash as a Proof of Work (POW) token, and in exchange creates RSA-signed tokens which I call Reusable Proof of Work (RPOW) tokens. RPOWs can then be transferred from person to person and exchanged for new RPOWs at each step. Each RPOW or POW token can only be used once but since it gives birth to a new one, it is as though the same token can be handed from person to person.

Because RPOWs are only created from equal-value POWs or RPOWs, they are as rare and "valuable" as the hashcash that was used to create them. But they are reusable, unlike hashcash.

The new concept in the server is the security model. The RPOW server is running on a high-security processor card, the IBM 4758 Secure Cryptographic Coprocessor, validated to FIPS-140 level 4. This card has the capability to deliver a signed attestation of the software configuration on the board, which any (sufficiently motivated) user can verify against the published source code of the system. This lets everyone see that the system has no back doors and will only create RPOW tokens when supplied with POW/RPOW tokens of equal value. This is what creates trust in RPOWs as actually embodying their claimed values, the knowledge that they were in fact created based on an equal value POW (hashcash) token.

I have a lot more information about the system at rpow.net, along with downloadable source code. There is also a crude web interface which lets you exchange POWs for RPOWs without downloading the client.

This system is in early beta right now so I'd appreciate any feedback if anyone has a chance to try it out.
Please keep in mind that if there are problems I may need to reload the server code, which will invalidate any RPOW tokens which people have previously created. So don't go too crazy hoarding up RPOWs quite yet.

Thanks very much -

Hal Finney

From mv at cdc.gov Sun Aug 15 11:04:57 2004
From: mv at cdc.gov (Major Variola (ret))
Date: Sun, 15 Aug 2004 11:04:57 -0700
Subject: yes, they look for stego, as a "Hacker Tool"
Message-ID: <411FA5C8.25CF980A@cdc.gov>

At 02:43 AM 8/15/04 +0200, Thomas Shaddack wrote:
>On Sat, 14 Aug 2004, Major Variola (ret) wrote:
>> It was disturbing that, as the bottom fell out of telecom, and handsets became commoditized, faceplates and ringtones were highly profitable. Faceplates are at least made of atoms. There are several lessons there, from economic to sociobiological (if there's a difference), none of which are terribly pleasing in my aesthetic.
>
>Care to elaborate further, please?

I found it troubling that the tech was becoming commoditized, since this disturbs the innovation that I find attractive. OTOH cheap products are nice. And commoditization is the end-game for tech anyway.

Selling ringtones (static bits, not even a service) struck me as oldschool as selling music, enforced in this case by proprietary cellphone "standards".

That "personalization" features were lucrative I found to be a comment on human nature. Or human-teens' nature. Since I tend to have an engineer's aesthetic, which I take to be fairly spartan/functional, as well as believing that personalization should be done by the person desiring it, I found mass-market faceplates kind of silly. But then I don't own any Nike baseball caps or Coke t-shirts to express myself. I am un-Amerikan, clearly. There is something I clearly don't "get". Herd mentality, perhaps.

Besides, the phones should be covered in conformal photocells to trickle charge them.

>> Fortunately the whole PDA vs. cell vs. camera vs GPS vs. smartcard vs MP3 player vs.
>> email-pager etc bat-belt [1] frenzy will resolve in a few years, and perhaps some of the Linux based solutions will not be involuntary citizen-tracking devices and will support privacy of data stored, and in transit, including voice data. And free ring tones :-) All that's needed is one of the hardware-selling companies to start the process, making money off the atoms, and possibly Sharp's Zaurus (?) already has?
>
>Or buy an Enfora Enabler GSM/GPRS module, add a Gumstix module with built-in bluetooth, slap in a suitable display and keyboard, eventually add a GPS receiver, and we're set. All features and security modes we can imagine, and then some.

I liked the Handspring's modularity, but don't know how they did in the marketplace.

I do think that the cell makers have a decent enough market share to take over the PDA/camera/email etc. market, and they know that and are working on it. I read recently that in 5 years only pros will own digital cameras that do nothing else. Similarly with GPS, PDAs, MP3 renderers & recorders, calculators, authentication tokens, smart cards, etc. How much extra does a hifi audio ADC or DAC cost than an 8 kHz telecom one? Why not let users see their location, even if it's only triangulated and not satellite based? Non-volatile memory is only getting cheaper, smaller, with less power requirements or awkward properties like page-based access.

>Preventing spatial tracking is difficult though, as we're dependent on the cellular network for staying online. Though if the given area has wifi mesh coverage, it could be easier. (And if the device becomes widely popular, the handsets can serve as mesh nodes themselves - but that's a song of rather far future.)

Yes, but a nice Heinleinian corollary.

>> Perhaps there's a biz model in buying a 3-D color prototyping machine for $40K and setting up a custom faceplate biz for the integrated gizmo of the near future.
>> Hmm, with freedom-enabling software being distributed on the side, it sounds like a Heinlein novel...
>
>Why not? :) Isn't the main purpose of science-fiction (at least its certain kinds) to be the inspiration for the future?
>
>On the other hand, perhaps it's cheaper to just get a bulk supply of "blank" faceplates and hire an artist with an airbrush and a talent.
>
>It's also possibly easier (and cheaper) to make the parts in a more classical way, eg. by casting them from resin. The rapid prototyping machines so far usually don't provide parts that are both nice-looking, accurate, and with suitable mechanical properties at once.

I was thinking there are too many models to keep the things in stock on a little beachside storefront; and you could add custom textures with a prototyping machine. It's also possible I'm enamoured of 3D printers which have no place right now in making consumer products.

>> [1] Batman (tm) wore a belt with too many gizmos. Some widget-fetishist friends/early adopters are similarly afflicted.
>
>There is nothing like "too many" gizmos! (Well, you could call such situation "almost enough", but never "too many".)

Aesthetics and convenience. OTOH when your Everything Gizmo dies, you are seriously out of luck. Much like when your combo fax/printer/copier/scanner power supply dies, you have zero functionality, instead of the degraded functionality you'd have if each were a separate machine. And sometimes the integrated gizmo does nothing very well, eg early cell-phone cameras.

But integration (done well, and reliably) does sell. My $50 prepaid cell phone does voice recognition. It's the 21st century, and I want my Dick Tracy watch now! And it better run Java, or Python, damnit! (I was impressed that the Zaurus PDA can be a web server, BTW.)
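Returning to Schneier's point in the Crypto-Gram essay forwarded above (dictionary attacks work best offline; a site that shuts an account after a handful of wrong attempts can make even a four-digit PIN survive online guessing): the following Python is an added illustration, not code from the essay or from any bank. The PinService class, the account records and the PIN values are constructed for the example, and PBKDF2 with a deliberately low iteration count stands in for whatever a real site would use.

```python
"""Account lockout against online PIN guessing (added example, not from the essay).

Models Schneier's point: an attacker who holds the stored hash can try the whole
PIN space offline, while an attacker going through the login interface is cut
off after a few wrong attempts. Accounts, PINs and user names are constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PIN_SPACE = 10_000        # four decimal digits
KDF_ITERATIONS = 1_000    # kept low so the offline search below runs in well under a second


@dataclass
class Account:
    salt: bytes
    pin_hash: bytes
    failures: int = 0     # consecutive wrong attempts since the last success
    locked: bool = False


def hash_pin(salt: bytes, pin: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, KDF_ITERATIONS)


class PinService:
    """Login verifier that shuts an account after `max_failures` wrong attempts in a row."""

    def __init__(self, max_failures: int = 5) -> None:
        self.max_failures = max_failures
        self.accounts: Dict[str, Account] = {}

    def enroll(self, user: str, pin: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(salt, hash_pin(salt, pin))

    def login(self, user: str, pin: str) -> str:
        """Return 'ok', 'denied' or 'locked'. A lock persists until an operator clears it."""
        acct = self.accounts[user]
        if acct.locked:
            return "locked"
        if hmac.compare_digest(hash_pin(acct.salt, pin), acct.pin_hash):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= self.max_failures:
            acct.locked = True
            return "locked"
        return "denied"


def online_attack(service: PinService, user: str) -> Tuple[Optional[str], int]:
    """Guess PINs 0000..9999 through the login interface.

    Returns (recovered PIN or None, attempts made before success or lockout).
    """
    for n in range(PIN_SPACE):
        pin = f"{n:04d}"
        result = service.login(user, pin)
        if result == "ok":
            return pin, n + 1
        if result == "locked":
            return None, n + 1
    return None, PIN_SPACE


def offline_attack(salt: bytes, pin_hash: bytes) -> Tuple[Optional[str], int]:
    """The same search when the attacker holds the stored hash: no lockout applies."""
    for n in range(PIN_SPACE):
        pin = f"{n:04d}"
        if hash_pin(salt, pin) == pin_hash:
            return pin, n + 1
    return None, PIN_SPACE


def online_success_probability(attempts_before_lock: int) -> float:
    """Chance that one online guessing run hits a uniformly chosen PIN before lockout."""
    return min(attempts_before_lock, PIN_SPACE) / PIN_SPACE


if __name__ == "__main__":
    svc = PinService(max_failures=5)
    svc.enroll("alice", "0421")                              # constructed PIN
    print("online:", online_attack(svc, "alice"))            # (None, 5)
    acct = svc.accounts["alice"]
    print("offline:", offline_attack(acct.salt, acct.pin_hash))   # ('0421', 422)
    print("p(success) per online run:", online_success_probability(5))   # 0.0005
```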
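Hal Finney's RPOW announcement above describes the exchange step (a hashcash POW or an existing RPOW goes in, is marked as used, and an equal-value signed RPOW comes out) and the caveat that reloading the server invalidates earlier tokens. The following Python is an added toy model of that exchange, not code from rpow.net: SHA-256 stands in for hashcash's SHA-1, an HMAC under a per-server key stands in for the card's RSA signature, the token formats and resource name are invented, and the double-spend ledger is an in-memory set.

```python
"""Toy model of an RPOW exchange server (added example, not rpow.net code).

A hashcash-style proof of work (POW) is presented to the server, recorded as
spent, and replaced by a signed Reusable Proof of Work (RPOW) of equal value.
An RPOW can in turn be exchanged for a fresh RPOW, so value passes from hand to
hand while each individual token is honoured only once.
Stand-ins: SHA-256 for hashcash's SHA-1, HMAC-SHA256 under a per-server key for
the card's RSA signature, an in-memory set for the double-spend ledger. The
token formats and the resource name are invented for this example.
"""
import hashlib
import hmac
import secrets
from typing import Optional


def leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def mint_pow(resource: str, bits: int) -> str:
    """Client side: search counters until SHA-256(token) has `bits` leading zero bits."""
    rand = secrets.token_hex(8)
    counter = 0
    while True:
        token = f"pow:{bits}:{resource}:{rand}:{counter}"
        if leading_zero_bits(hashlib.sha256(token.encode()).digest()) >= bits:
            return token
        counter += 1


def pow_value(token: str, resource: str) -> Optional[int]:
    """Work value (leading-zero bits) of a valid POW minted for `resource`, else None."""
    parts = token.split(":")
    if len(parts) != 5 or parts[0] != "pow" or parts[2] != resource:
        return None
    bits = int(parts[1])
    if leading_zero_bits(hashlib.sha256(token.encode()).digest()) < bits:
        return None
    return bits


class RpowServer:
    """Exchange server: every incoming token is accepted exactly once."""

    def __init__(self, resource: str) -> None:
        self.resource = resource
        self.key = secrets.token_bytes(32)   # fresh on every (re)load, like Hal's caveat
        self.spent: set = set()

    def _sign(self, body: str) -> str:
        return hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()

    def rpow_value(self, token: str) -> Optional[int]:
        """Value of an RPOW signed by this server instance, else None."""
        parts = token.split(":")
        if len(parts) != 4 or parts[0] != "rpow":
            return None
        body = ":".join(parts[:3])
        if not hmac.compare_digest(self._sign(body), parts[3]):
            return None
        return int(parts[1])

    def exchange(self, token: str) -> str:
        """Consume a POW or RPOW and issue a fresh RPOW of the same value."""
        if token in self.spent:
            raise ValueError("token already used")
        if token.startswith("pow:"):
            value = pow_value(token, self.resource)
        else:
            value = self.rpow_value(token)
        if value is None:
            raise ValueError("invalid token")
        self.spent.add(token)          # record before issuing, so it cannot be replayed
        body = f"rpow:{value}:{secrets.token_hex(16)}"
        return f"{body}:{self._sign(body)}"


def accepted(server: RpowServer, token: str) -> bool:
    """True if the server exchanges `token`, False if it rejects it."""
    try:
        server.exchange(token)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    server = RpowServer("rpow.example")            # invented resource name
    pow_token = mint_pow("rpow.example", 12)
    r1 = server.exchange(pow_token)                 # POW -> RPOW
    r2 = server.exchange(r1)                        # RPOW handed on and exchanged again
    print(server.rpow_value(r2), accepted(server, r1))     # 12 False
    print(RpowServer("rpow.example").rpow_value(r2))       # None: a reload invalidates it
```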
From Novmgtco at aol.com Sun Aug 15 12:59:11 2004
From: Novmgtco at aol.com (Novmgtco at aol.com)
Date: Sun, 15 Aug 2004 15:59:11 EDT
Subject: Richard Rahn's "How to Find Osama" (The Washington Times)
Message-ID:

The Washington Times
www.washingtontimes.com

How to find Osama
By Richard W. Rahn
Published August 15, 2004

Having just finished reading the report of the September 11 commission, I was shocked; shocked to learn major U.S. government bureaucracies are incompetent. Washington being Washington, most of the solutions proposed revolved around reorganizing and creating more bureaucracies. It seems not to have occurred to anyone there are market solutions for many information problems the intelligence community faces. Two examples follow. The first is the general problem of economic intelligence, and the second is using the market to find a particular someone -- Osama bin Laden.

A couple of decades ago, I became aware the CIA was systematically overstating the size of the Soviet and Eastern European economies. An article I wrote about it was published in 1984. My critique, and those of others then, had no impact. At the end of the Cold War, we indeed found real per capita incomes in the Soviet Union and Eastern Europe were on average about one-third the CIA estimates.

The CIA greatly overestimated the size of these countries' civilian economies because the agency overrelied on the translations of official documents and periodicals rather than have agents or embassy personnel walk about and see what goods were available at what price. This is "market research."

Those of us who had spent time in the former communist countries before and during the economic transition were well aware few goods in the old Soviet Union actually were available in any quantity at official prices. For example, the Soviet press might state the official price of a refrigerator was 100 rubles, but in fact there were no refrigerators available at that price.
With luck, a Soviet citizen might actually have been able to find a refrigerator on the black market for 400 rubles. That there were far fewer goods at much higher prices was well known to many in the Western press and business community, but the CIA ignored much of this evidence -- I suspect partly because it would have diminished the perceived threat.

Intelligence agencies should do much more "contracting out." There are economic and market research firms operating in virtually every country with considerable local expertise. For the right price, they could provide the CIA much better information, at far less cost, than it would likely obtain on its own.

Using principles of market economics should not be limited to gathering economic intelligence, but greatly expanded to gathering information on weapons systems and terrorists. At some price, there is almost always someone who will reveal secrets any government might like to know -- and usually this price is far lower than other ways of seeking the information.

For instance, after three years and expenditure of many tens of billions of dollars, we (i.e., the CIA and others) still have not found Osama bin Laden. A couple of years ago, the U.S. government offered a bounty of $25 million for his head. Many in Washington believe this shows bounties don't work. In fact, it shows the price was too low. Suppose we increased the bounty $5 million a month until he was brought in dead or alive. What do you think would happen?

The reason $25 million has not worked is that getting bin Laden is both dangerous and expensive, and you would probably need a team to do it. So by the time you add up your expenses and divide the net amount after taxes among your team, the risk-reward ratio is not sufficiently attractive. At some price, getting bin Laden becomes attractive to many reasonably competent people, and some brave and enterprising soul would get him.
At the moment, $25 million plus $5 million a month since September 11, 2001, adds up to a bounty of about $200 million. That may sound like a lot of money, but it only works out to less than a dollar for each American, and we have already spent many times that sum trying to find him. I expect $200 million is a large enough pot to even induce thousands of American trial lawyers to start combing the hills of Afghanistan, like gold prospectors in California in 1849 -- and nothing could be more beneficial to the U.S. economy.

Richard W. Rahn is a senior fellow of the Discovery Institute and an adjunct scholar of the Cato Institute.

Copyright © 2004 News World Communications, Inc. All rights reserved.

--- end forwarded text

--
-----------------
R. A. Hettinga
The Internet Bearer Underwriting Corporation
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience."
-- Edward Gibbon, 'Decline and Fall of the Roman Empire'

From rah at shipwright.com Sun Aug 15 13:23:00 2004
From: rah at shipwright.com (R. A. Hettinga)
Date: Sun, 15 Aug 2004 16:23:00 -0400
Subject: How to Find Osama
Message-ID:

--- begin forwarded text

From rah at shipwright.com Sun Aug 15 14:11:25 2004
From: rah at shipwright.com (R. A. Hettinga)
Date: Sun, 15 Aug 2004 17:11:25 -0400
Subject: Cyber Fears On Fed's Web Plan
Message-ID:

The New York Post

CYBER FEARS ON FED'S WEB PLAN
By HILARY KRAMER

August 15, 2004 -- With little fanfare, the Federal Reserve will begin transferring the nation's money supply over an Internet-based system this month - a move critics say could open the U.S.'s banking system to cyber threats.

The Fed moves about $1.8 trillion a day on a closed, stand-alone computer network. But soon it will switch to a system called FedLine Advantage, a Web-based technology.

Proponents say the system is more efficient and flexible.
The current system is outdated, using DOS - Microsoft's predecessor to the Windows operating system.

But security experts say the threat of outside access is too big a risk.

"The Fed is now going to be vulnerable in two distinct ways. A hacker could break in to the Fed's network and have full access to the system, or a hacker might not have complete access but enough to cause a denial or disruptions of service," said George Kurtz, co-author of "Hacking Exposed" and CEO of Foundstone, an Internet security company.

"If a security breach strikes the very heart of the financial world and money stops moving around, then our financial system will literally start to collapse and chaos will ensue."

FedLine is expected to move massive amounts of money. Currently, Fedwire transfers large-dollar payments averaging $3.5 million per transaction among Federal Reserve offices, financial institutions and federal government agencies.

Patti Lorenzen, a spokeswoman for the Federal Reserve, said the agency is taking every precaution.

"Of course, we will not discuss the specifics of our security measures for obvious reasons," she said. "We feel confident that this system adheres to the highest standards of security. Without disclosing the specifics, it is important to note that our security controls include authentication, encryption, firewalls, intrusion detection and Federal Reserve conducted reviews."

Ron Gula, president of Tenable Network Security and a specialist in government cyber security, said he's sure the Fed is taking every precaution. But no system is 100 percent foolproof.

"If the motive was to manipulate the money transferring, there are Tom Clancy scenarios where there are ways to subvert underlying technologies," Gula said. "For example, a malicious programmer can put something in the Fed's network to cause the system to self-destruct or to wire them money."
The biggest concern isn't the 13-year-old who hacks into the Fedwire and sends himself some money - it's terrorism.

On July 22, the Department of Homeland Security released an internal report saying a cyber attack could result in "widespread disruption of essential services ... damag(ing) our economy and put(ting) public safety at risk."

But the Fed's undertaking of this massive overhaul is considered a necessity.

"Our strategy is to move to Web-based technology because there are inherent limitations with DOS based technology and our goal is to provide better and robust product offerings to meet our customers' needs," said Laura Hughes, vice president of national marketing at the Chicago Fed, which has spearheaded this program.

--
-----------------
R. A. Hettinga
The Internet Bearer Underwriting Corporation
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience."
-- Edward Gibbon, 'Decline and Fall of the Roman Empire'

From rah at shipwright.com Sun Aug 15 14:24:12 2004
From: rah at shipwright.com (R. A. Hettinga)
Date: Sun, 15 Aug 2004 17:24:12 -0400
Subject: Cyberspace Gives Al Qaeda Refuge
Message-ID:

Yahoo!

Cyberspace Gives Al Qaeda Refuge

Sun Aug 15, 7:55 AM ET

By Douglas Frantz, Josh Meyer and Richard B. Schmitt, Times Staff Writers

ISTANBUL, Turkey - In December, Al Qaeda operatives posted a manifesto on the Internet calling for attacks inside countries allied with the United States in Iraq. Spain, with elections approaching, was singled out as a target.

On March 11, terrorists set off bombs on four commuter trains in Madrid and killed 191 people. Three days later, Spanish voters replaced the pro-war government with a party whose leader had promised to withdraw the country's 1,300 troops from Iraq.
The posting of the strategy and the timing of the Madrid bombings shocked even the most hardened Al Qaeda watchers recently when they reviewed the little-known manifesto.

"It's quite extraordinary in that you have a group of people talking about influencing a political process and then having it happen," said a U.S. national security official who analyzed the 54-page posting and spoke on condition that his name not be used. "Reading through this thing, it is just mind-blowing."

Since Osama bin Laden and his followers were driven from their bases in Afghanistan, the Al Qaeda terrorist network has demonstrated an increasing ability to exploit the Internet as it reconfigures itself as a semi-leaderless global extremist movement far more elusive than the original incarnation.

Websites run by Al Qaeda and its backers have become virtual classrooms for terrorists, offering instructions for activities such as kidnapping and using cellphones to set off bombs, like the ones used in Madrid.

Independent Al Qaeda cells and the network's loose hierarchy use easily available encoding programs and simple techniques to exchange virtually undetectable messages between Internet cafes in Karachi and libraries in London.

The Internet's importance to Al Qaeda was highlighted this month by the disclosure that Pakistani authorities had apprehended Mohammed Naeem Noor Khan, a suspected Al Qaeda computer engineer, and collected a wealth of electronic material.

E-mail and other information from Khan's computers led to the arrests of 13 suspects in Britain and sent investigators scrambling to unravel electronic links among militants in Pakistan, Europe and the United States, British, U.S., and Pakistani authorities said.

The discovery of files on financial institutions in New York and Washington among Khan's trove also played a role in prompting the Bush administration to issue a terrorist warning.
Although it has long been known that Al Qaeda used the Internet to conduct reconnaissance on potential U.S. targets, the disks and hard drives taken from Khan disclose much about the resiliency and adaptability of a far-flung network hiding in plain sight, said U.S. and foreign intelligence officials and outside experts interviewed for this report.

"The Internet allows the organization to become a virtual self-perpetuating and changing entity in cyberspace that provides technological guidance and moral inspiration to a new generation," said Magnus Ranstorp, a counter-terrorism expert at the University of St. Andrews in Scotland.

Rather than the computer whizzes often described by government officials and the press, the Al Qaeda operatives are more often people with everyday skills who have harnessed the Internet in a campaign against the United States and its allies. Even Khan, whom senior U.S. officials describe as extremely computer savvy, used skills available to many people with computer training.

Over time, they developed and shared techniques to avoid detection. An Al Qaeda survival manual warned adherents not to use the same Internet cafe too many times. Messages should be written on a word processor and pasted into an e-mail to avoid keeping the computer connected to the Internet for too long, it said.

The result is a changing definition not only of Al Qaeda but also of the threat from what is known as cyber-terrorism. After Sept. 11, the biggest fear of terrorists using the Internet was their potential to disable air traffic control systems or disrupt the electric power grid of the United States. Billions were spent shoring up infrastructure defense. Although those concerns remain, authorities said no incident of cyber-terrorism has been recorded and worries have receded.
Instead, the discovery of the December manifesto, the arrest in Pakistan last month and the accumulation of other evidence are leading to recognition that for now, at least, cyberspace is not a weapon for Al Qaeda, but a tool - one more difficult to counter than gunmen huddled in caves and tents.

James Lewis, director of technology policy at the Center for Strategic and International Studies in Washington, said one clear advantage for Al Qaeda is that the Internet gives it a communications system that rivals that of a superpower without the accompanying risk.

"There is no central headquarters," he said. "There is no central place you can knock out."

U.S. and foreign authorities interviewed in recent days generally agreed with a report last spring by the U.S. Treasury and Justice departments, which concluded that the Internet poses tough challenges "because it is largely anonymous, geographically unbounded, unregulated and decentralized."

Al Qaeda is not a newcomer to the Internet. In 2000, the group hacked into the e-mail and bank accounts of a U.S. diplomat in Saudi Arabia as part of an effort to track his movements and plot an assassination attempt, which was later abandoned, Ranstorp and a security official in the region said.

In the final stages of planning the Sept. 11 attacks, hijacker Mohamed Atta sent a coded message over the Internet that said: "The semester begins in three more weeks. We've obtained 19 confirmations for studies in the faculty of law, the faculty of urban planning, the faculty of fine arts and the faculty of engineering."

After the Sept. 11 attacks on the World Trade Center and Pentagon, the camps and safe houses in Afghanistan where Atta and his accomplices had once trained were destroyed in the U.S. air assaults. Thousands of Al Qaeda adherents fled to hiding places in the tribal areas along the Afghan-Pakistani border, to Pakistan and to dozens of other countries.
They left behind computers with files on how to build nuclear bombs, diagrams of U.S. buildings and software for stealing passwords off the Internet.

In the months that followed, key leaders were killed or captured. Bin Laden has remained so deeply hidden that most intelligence officials think he no longer exercises much control over the network. The U.S. and its allies worked with some success to shut down the flow of money to Al Qaeda through Saudi charities, wealthy benefactors and other means.

Faced with this multi-pronged assault, Al Qaeda reinvented itself, with a new reliance on the Internet. Manuals from the training camps were posted on websites. Praise for the "holy war" and appeals for money to continue the fight started popping up. Information was shared among members, and alliances with local and regional extremist groups were formed through cyberspace.

More recent Internet postings reflected the adaptations of the new Al Qaeda, with its independent cells and new, often untrained recruits scattered throughout the Middle East, Europe and Africa.

In late May, a website linked to Al Qaeda in Saudi Arabia published detailed instructions for carrying out a kidnapping. Three weeks later, U.S. aerospace engineer Paul M. Johnson Jr. was kidnapped in Riyadh, the Saudi capital, and later beheaded.

Saudi extremists have proved particularly adept at using the Internet to communicate with other Al Qaeda groups and to promote their aim to topple the royal family, security officials in the country said.

But the posting that called for attacks on U.S. allies in Iraq - and its chilling effectiveness - has proved the most startling.

"It shows that they are very strategic in what they are doing," the U.S. national security official said.

The document was posted on a website run out of the Middle East. Its language, religious references and other telltale signs convinced U.S. experts that an Al Qaeda member wrote it, though they have not identified the author.
Titled "Jihad in Iraq: Hopes and Dangers," the posting advocated attacking countries aligned with the U.S. that were most vulnerable to pressure to withdraw their troops from Iraq. Italy and Spain were singled out, with a special mention of Spain's approaching elections.

"Withdrawal of Spanish or Italian forces would put immense pressure on the British presence in a way that Tony Blair might not be able to bear," it said in one of several paragraphs underlined for emphasis. "In this way the dominoes will begin to fall quickly."

At another point, the posting said, "We think that the Spanish government could not tolerate more than two, maximum three blows, after which it will have to withdraw as a result of popular pressure."

The posting was available on one of the hundreds of Arabic-language websites that cater to extremists and moderates alike. Many of them are watched by intelligence and law enforcement agencies, but experts say there are far too many to monitor thoroughly.

Evan Kohlmann, a Washington-based terrorism analyst who has been a consultant to the U.S. government, said he was monitoring an Internet chat room frequented by Islamic extremists last month when someone posted copies of the complete Windows desktop of a U.S. soldier serving in South Korea. The soldier had apparently installed a program to access his work computer through another computer and the hacker found a back door and took control of the machine by using simple techniques, Kohlmann said.

Simplicity seems to work best. One common method of communicating over the Internet is essentially an e-mail version of the classic dead drop. Members of a cell are all given the same prearranged username and password for an e-mail account on an Internet service provider, or ISP, such as Hotmail or Yahoo, according to the recent joint report by the Treasury and Justice departments.
One member writes a message, but instead of sending it, he puts it in the "draft" file and then logs off. Someone else can then sign onto the account using the same username and password, read the draft and then delete it. "Because the draft was never sent, the ISP does not retain a copy of it and there is no record of it traversing the Internet - it never went anywhere, its recipients came to it," the report said. Secure messages also can be transmitted using widely available encryption tools. Slightly more advanced methods allow messages to be embedded in image, sound or other files transferred over the Internet through a process called "steganography." The files cannot be distinguished without a decoding tool. The difficulty of intercepting and deciphering messages has given rise to a game of cyber cat and mouse, according to government and independent experts. In an effort to gather information on potential recruits and donors, U.S. law enforcement agencies operate websites that are set up to resemble extremist Islamic sites. Visitors leave an electronic trail when they enter the site. On the other side, Al Qaeda can transmit false information to determine whether its members are being monitored by law enforcement. The Internet offers stealth to its users, but authorities can get valuable information if they can get their hands on data stored in computers or on disks. U.S. and foreign investigators still are sifting through the material taken from Khan. By cross-referencing the data with old files on people, places and methods of attacks, they hope to get a new picture of the organization's operations and identify its operatives, senior U.S. law enforcement officials say. They also are getting a closer look at the role of the Internet in Al Qaeda's strategies - and a rare chance to turn the tables on the organization's computer prowess. 
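The draft-folder dead drop described above leaves a footprint in the provider's own draft-store audit log rather than on the wire: one account, several source addresses, drafts saved from one address and deleted from another, and nothing ever sent. The triage rule below is an added example by the editor, not from the Treasury/Justice report or the article; the log format, the sample lines and the thresholds are constructed assumptions.

```python
"""Triage rule for the draft-folder "dead drop" pattern in webmail audit logs.

Added example; the one-event-per-line format below is constructed for this
illustration and is not any provider's real format:
    <ISO-8601 timestamp> <account> <source IP> <action>
where action is one of LOGIN, DRAFT_SAVE, DRAFT_DELETE, SEND.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log. The first account shows the dead-drop pattern:
# drafts are saved from one address and deleted from another, and the
# account never sends mail. The second account is ordinary use.
SAMPLE_LOG = """\
2004-08-01T09:12:03 shared7@example.com 198.51.100.7 LOGIN
2004-08-01T09:13:40 shared7@example.com 198.51.100.7 DRAFT_SAVE
2004-08-02T14:02:11 shared7@example.com 203.0.113.55 LOGIN
2004-08-02T14:03:02 shared7@example.com 203.0.113.55 DRAFT_DELETE
2004-08-02T14:05:30 shared7@example.com 203.0.113.55 DRAFT_SAVE
2004-08-03T22:41:09 shared7@example.com 192.0.2.130 LOGIN
2004-08-03T22:41:50 shared7@example.com 192.0.2.130 DRAFT_DELETE
2004-08-01T10:00:00 alice@example.com 198.51.100.20 LOGIN
2004-08-01T10:01:00 alice@example.com 198.51.100.20 DRAFT_SAVE
2004-08-01T10:04:00 alice@example.com 198.51.100.20 SEND
2004-08-01T10:04:01 alice@example.com 198.51.100.20 DRAFT_DELETE
"""


@dataclass
class Event:
    ts: datetime
    account: str
    src_ip: str
    action: str


def parse_log(text: str) -> list[Event]:
    """Parse the constructed log format; blank lines and '#' comments are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, account, src_ip, action = line.split()
        events.append(Event(datetime.fromisoformat(ts), account, src_ip, action))
    return events


def find_dead_drop_accounts(events: list[Event], min_sources: int = 3,
                            min_cross_deletes: int = 2) -> dict[str, dict]:
    """Return accounts whose drafts are repeatedly deleted from a different
    source address than the one that saved them, while the account sends
    nothing. Such a draft "never went anywhere" on the wire, so the SEND
    channel stays empty and the draft-store audit log is the only place the
    exchange is visible.

    Thresholds are assumptions for this example: shared mailboxes and
    travelling users also log in from several addresses, so a hit is a
    signal to review, not proof of anything.
    """
    by_account: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        by_account[e.account].append(e)

    findings: dict[str, dict] = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e.ts)
        sources = {e.src_ip for e in evs}
        last_saver = None      # source address of the most recent unsent draft
        cross_deletes = 0      # drafts deleted from a different address
        sends = 0
        for e in evs:
            if e.action == "DRAFT_SAVE":
                last_saver = e.src_ip
            elif e.action == "DRAFT_DELETE":
                if last_saver is not None and e.src_ip != last_saver:
                    cross_deletes += 1
                last_saver = None
            elif e.action == "SEND":
                sends += 1
        if (len(sources) >= min_sources and cross_deletes >= min_cross_deletes
                and sends == 0):
            findings[account] = {"sources": sorted(sources),
                                 "cross_deletes": cross_deletes}
    return findings


if __name__ == "__main__":
    for account, info in find_dead_drop_accounts(parse_log(SAMPLE_LOG)).items():
        print(account, info)
```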
"Al Qaeda relies on the Internet just like everyone else, and increasingly more so," a senior Justice Department official said. "But that reliance could also come back to bite them."

Background: Mohammed Naeem Noor Khan

Mohammed Naeem Noor Khan, a suspected Al Qaeda computer expert, was arrested July 15 in Pakistan. Khan reportedly has told his FBI interrogators that the terrorist network has monitored top U.S. political officials so closely that its operatives know where they live and the names of their neighbors. Authorities believe Khan may have been a key link among Al Qaeda cells in Pakistan, Britain and the United States. He was arrested while uploading information to several Al Qaeda-affiliated websites at an Internet cafe in Karachi. He reportedly was in the process of sending an e-mail death threat to President Bush, claiming that it was from Al Qaeda. - Los Angeles Times

-- ----------------- R. A. Hettinga The Internet Bearer Underwriting Corporation 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

From rah at shipwright.com Sun Aug 15 14:24:53 2004 From: rah at shipwright.com (R. A. Hettinga) Date: Sun, 15 Aug 2004 17:24:53 -0400 Subject: MSNBC - Terrorism: Leads From a Laptop Message-ID: MSNBC.com Terrorism: Leads From a Laptop Newsweek Aug. 23 issue - As frightening as the recent terror warnings about attacks on the homeland have been, U.S. intelligence officials are still stumped by one key question: did any of the plots represent live threats or had Al Qaeda shelved the plans long ago? Raids in Pakistan and Britain over the past few weeks led to a windfall of intelligence about terrorist cells, operations and tradecraft.
The major bonanza was a computer and related gear seized from captured Qaeda fixer Muhammed Neem Noor Khan-who, U.S. officials tell NEWSWEEK, was in at least indirect contact with Osama bin Laden. It was from Khan's computer disks that the Feds learned about plans to attack major financial targets in New York and Washington. But intel officials also revealed that the operatives cased the potential targets more than three years ago, suggesting the plot may not have been active. What they have not disclosed, NEWSWEEK has learned, was intelligence that strongly suggested terrorists were actively planning to strike somewhere in Britain. Sources say Khan and Babar Ahmad, a cousin in London who ran pro-bin Laden Web sites, had recently exchanged messages about such an operation. The plotters apparently researched numerous targets, but none in depth, suggesting they had not made any final decision or that, in the words of a senior U.S. law-enforcement official, "They were very flexible." (The method of attack is unclear.) Sources close to the case say that Ahmad-who was arrested by British authorities on a U.S. extradition warrant earlier this month-recently quit his job and moved to sell his house in South London, possibly in preparation for leaving the country. (Ahmad's lawyers failed to respond to requests for comment.) A British official acknowledged that authorities were aware of possible plots but said "there is no specific identification of targets-either individuals or locations." British authorities have spent nearly two weeks questioning several other suspects, one of whom is Esa al-Hindi, the high-level Qaeda operative who is believed to have written some of the surveillance reports of financial buildings in New York and Washington that were found in Khan's computer. U.S. 
officials say al-Hindi is the author of a jihad recruitment book published in Birmingham, England, which describes him as a Hindu convert who once served as an instructor in an Afghan training camp. A representative of the publisher told NEWSWEEK he met al-Hindi once, and that he was short and spoke with a London accent. U.S. officials, NEWSWEEK has learned, have photos of al-Hindi that they are eager to make public and show to employees in the cased buildings, hoping to jog memories, especially about possible accomplices. But they have so far been blocked from doing so by British authorities who say such premature publicity could blow their case. British law requires that al-Hindi and other suspects be released or charged early this week-at which time the photos are likely to be released.

From mv at cdc.gov Sun Aug 15 19:05:42 2004 From: mv at cdc.gov (Major Variola (ret)) Date: Sun, 15 Aug 2004 19:05:42 -0700 Subject: Trust no one: backdoored CPUs Message-ID: <41201675.9BBAA4C@cdc.gov> We worried about compromised OSes, BIOSes, read last week about a PNG library bug that lets images run buffer exploits, now CPUs can be backdoored: From Schneier's Crypto-gram: Here's an interesting hardware security vulnerability. Turns out that it's possible to update the AMD K8 processor (Athlon64 or Opteron) microcode. And, get this, there's no authentication check. So it's possible that an attacker who has access to a machine can backdoor the CPU.
From mv at cdc.gov Sun Aug 15 21:11:23 2004 From: mv at cdc.gov (Major Variola (ret)) Date: Sun, 15 Aug 2004 21:11:23 -0700 Subject: Israelis voting for Bush defeated Gore Message-ID: <412033EB.E133727C@cdc.gov> Contrary to widespread belief, it was more likely American voters in Israel, not Florida, who put George W. Bush in the White House four years ago - a phenomenon that has Kerry's supporters in Israel vowing to do whatever it takes to make certain that doesn't happen again in November. Those who doubt that Americans living abroad could tip the balance in 2004 might consider this: Various chads aside, Al Gore received 202 more votes than George W. Bush on Election Day 2000 in Florida. Only after all the overseas votes were counted, including more than 12,000 from Israel alone, was Bush's election victory certified. The margin was 537 votes. ... But in the 2000 presidential election, Zober points out, it made no difference how Israeli immigrants from New York voted. All that mattered was how expatriates from Florida cast their ballots. Israel is home to roughly 6,000 former Floridians - expatriates who tend to be more conservative than Jewish voters in New York and many of whom voted for Bush in the last election, Zober said. http://news.yahoo.com/news?tmpl=story&u=/ap/20040815/ap_on_el_ge/election_the_overseas_factor

From measl at mfn.org Sun Aug 15 19:18:21 2004 From: measl at mfn.org (J.A. Terranson) Date: Sun, 15 Aug 2004 21:18:21 -0500 (CDT) Subject: Trust no one: backdoored CPUs In-Reply-To: <41201675.9BBAA4C@cdc.gov> References: <41201675.9BBAA4C@cdc.gov> Message-ID: <20040815211657.K43073@ubzr.zsa.bet> On Sun, 15 Aug 2004, Major Variola (ret) wrote: > We worried about compromised OSes, BIOSes, read last week about > a PNG library bug that lets images run buffer exploits, now CPUs > can be backdoored: > > > From Schneier's Crypto-gram: > > Here's an interesting hardware security vulnerability.
Turns out that > it's possible to update the AMD K8 processor (Athlon64 or Opteron) > microcode. And, get this, there's no authentication check. So it's > possible that an attacker who has access to a machine can backdoor the > CPU. > > 7&Thread=1&entryID=35446&roomID=11> or Old news. The ability to update CPU microcode has been around (publicly) since the Pentium Pro. I have no proof (other than vague memories), but I believe this was around even earlier on some of the more archaic CPU lines in the middle 80's.

From jamesd at echeque.com Sun Aug 15 21:28:19 2004 From: jamesd at echeque.com (James A. Donald) Date: Sun, 15 Aug 2004 21:28:19 -0700 Subject: [e-gold-list] An interesting technology for cashlike tokens. Message-ID: -- Reusable Proofs of Work by Hal Finney rpow.net Hal Finney has an interesting technology for electronic money. The intended application is electronic postage, an anti spam measure. The same technique could be used to anonymously transfer certificates of possession of gold. The method is like trusted computing in reverse. Instead of the client computer needing to prove to the server it is trustworthy, the server must prove to the client it is trustworthy. For transactions that involve substantially greater periods than email, a money based on gold is better than a money based on proofs of computational work, since the cost of mining gold changes only slowly, while the cost of doing computations diminishes rapidly, but for the intended application, a high inflation rate is not a problem. --digsig James A.
Donald

--- end forwarded text

From rah at shipwright.com Sun Aug 15 18:46:53 2004 From: rah at shipwright.com (R. A. Hettinga) Date: Sun, 15 Aug 2004 21:46:53 -0400 Subject: The New Digital Media: You Might Have It, But Not Really Own It Message-ID: Anyone who knows about cryptography quickly comes to the conclusion that if it's encrypted, and I have the key it's *my* property. It doesn't matter what the lawyers say -- or even the guys they hire with guns at your friendly local geographic force monopoly. :-). Now if we can figure out a way to pay for that property cheap enough that nobody *cares* who owns it, as long as they get paid... Cheers, RAH

------- The Wall Street Journal August 16, 2004 PORTALS The New Digital Media: You Might Have It, But Not Really Own It By NICK WINGFIELD Staff Reporter of THE WALL STREET JOURNAL August 16, 2004 Buying music used to be simple: You coughed up $14 or so for a CD, and as long as you didn't bootleg it or charge crowds of people to listen to it, the music was yours. The Internet and other technologies are changing all that, opening up a slew of new options for purchasing entertainment, be it music or movies or games. That's a good thing.
The not-so-good thing is that in the next few years, the sheer number and complexity of those new options are likely to bewilder many consumers. You may no longer be able to "own a movie" or "own a CD," at least in the sense those phrases have been used. Instead, you will merely have "rights" to the content, enforced by technology. Those rights might change over time, even at the whim of the music or movie company you get them from. The technology allowing all this is called digital-rights management, or DRM. It's a kind of invisible software lock securely bolted onto a song or movie. Being software, it's a very flexible sort of lock. A music label, for example, might let you download a song free and then listen to it for a day, but then require you to pay up to keep on listening. For a taste of what DRM might bring, check out Apple Computer's iTunes Music Store, which sells songs for 99 cents. ITunes comes with a DRM system that prevents customers from playing those songs on more than five computers, or burning more than seven identical lists of songs onto CDs. (Before you can play a song on a sixth computer, you need to use the DRM software to "de-authorize" it from one of the first five machines.) Of course, no such technical limits exist on normal music CDs, though recording companies, especially in Europe, are experimenting with restrictions. Some iTunes users are grumbling. In June, science-fiction writer Cory Doctorow gave a talk critical of DRM technology in which he related how he hit Apple's limit on the number of computers he could play his music on -- three machines at the time. One computer was in the shop, another was at his parents' house and a third was a defective machine he had returned to Apple -- without first remembering to de-authorize his music on it so he could play it on another machine. As a result, Mr. Doctorow said he was unable to listen to hundreds of dollars worth of music. 
Apple says such problems aren't common, especially since the company upped its computer limit to five in April. But that change itself was a lesson in the power of DRM: Apple's increase was retroactive, and applied to all songs, not just those purchased after the change took effect. In this case, Apple gave users more liberal rights. (It also curbed some types of CD burning, but the change didn't apply to previously purchased music.) However, there's nothing preventing Apple from making its DRM retroactively more restrictive -- though the company says that's unlikely. Apple set up the iTunes DRM as a way of getting the big labels -- badly burned by the original Napster -- comfortable with music online. It deserves credit for helping legalize digital music: iTunes has had more than 100 million downloads. And even with the restrictions, iTunes customers more or less "own" their music once they've bought it. By contrast, consumers only "rent" music at subscription services like RealNetworks's Rhapsody, which typically charge a $10 or so monthly fee for playing as much music as customers want. The catch: Rhapsody subscribers can play their songs only on their PCs, not portable audio players, and only as long as they keep paying their monthly bills. That's the main reason these "rental" sites haven't done as well as iTunes. (By the end of this year, a new version of Microsoft's DRM will allow subscription users to transfer content to portable players.) It's not just Internet music that's getting more complicated. Most of today's movie DVDs contain restrictions that prevent users from copying them, or playing them in a different geographic region from where they are bought. But Hollywood studios, along with technology and consumer electronic companies, are working on a new generation of DVDs that will, in addition to holding more data for high-definition movies, also have a much more flexible DRM. 
As a result, different studios might end up imposing different DVD restrictions. You may, for instance, be able to make a copy of the "Toy Story 4" DVD for your laptop -- but not do the same thing with "Charlie's Angels 5." Those variations will likely require some form of labeling on DVDs so consumers will know what they're getting, according to companies involved in planning them. Alan Davidson, associate director of the civil liberties group Center for Democracy and Technology, says he isn't opposed to DRM, but worries consumers may not understand what rights come with content they purchase. "DRM underscores the point that consumers are going to have to become a lot more sophisticated about what they're buying," he says.

From rah at shipwright.com Sun Aug 15 19:41:43 2004 From: rah at shipwright.com (R. A. Hettinga) Date: Sun, 15 Aug 2004 22:41:43 -0400 Subject: Children of criminals to be 'targeted' and 'tracked' Message-ID: The Independent Children of criminals to be 'targeted' and 'tracked' By Marie Woolf, Chief Political Correspondent 16 August 2004 Children of criminals are to be "targeted" and "tracked" from an early age by the Government to prevent them following their parents into a life of crime, as part of a campaign to tackle the next generation of offenders.
In an offensive on youth crime, a programme to prevent 125,000 children whose fathers are in prison from joining them in jail, is being planned by the Home Office. In an interview with The Independent, Hazel Blears, the Policing minister, says she is optimistic that "tracking" and "targeting" can help prevent children becoming criminals like their parents. Studies showed that children with criminal fathers and "under-achievers" who grow up in local authority care have a significant chance of turning to crime themselves. "About 125,000 kids have got a dad in prison. That's a huge risk factor. Something like 65 per cent of those kids will end up in prison themselves," she said. "We need to track the children who are most at risk. We can predict the risk factors that will lead a child into offending behaviour." However, she is aware the plan, based on research showing children of criminals are far more likely to end up in jail than their peers, may lead to accusations they are being unfairly singled out. "I don't think it is stigmatising those children by targeting them," she said. "You can intervene at an early age and say 'your life can be different and we will help you and your parents make your life different.' Let's put the support in as early as we can." The Policing minister has been in talks with Margaret Hodge, the minister for Children, about an early intervention scheme to prevent children of burglars, muggers, and gangsters from breaking the law. She wants to use methods used in Labour's Sure Start programme for under-fives in deprived areas to give extra support to children from criminal backgrounds. Children would be tracked by the authorities from the time they are in nappies to their teenage years with extra support and help to nip disruptive behaviour in the bud. One study showed that the most violent offenders began to display bad behaviour as young as six. 
Another study which tracked children into adult life found "under-controlled" children who exhibited disruptive behaviour at the age of three were four times more likely to be convicted of violent offences. "If you can tackle the 125,000 kids with dads in jail by providing extra support and help there's a chance," Ms Blears said. Teenagers with criminal fathers would be monitored and offered extra support at school and by social services as well as being introduced to sport, drama and other after-school activities. "You can get the parents into parenting classes. We can get some of the older kids involved in arts, sports drama. Give them something to succeed at. If you go to school every day and everybody tells you you are rubbish you are never going to succeed," she said. Ms Blears also wants to see a crackdown on violence and bullying in schools. Studies show classroom bullies are more likely to be involved in muggings, car theft and attacks outside school. "I don't think you can afford to let it go. It's a bit like zero tolerance," she said. The judicial system should help offenders, including drug addicts who rob to fuel their habit, to change their ways. But if they refuse to change, the police should provide a "hostile environment" for them. "We will help you change your life but if you want to go back to robbing we will be on your doorstep," she said. Meanwhile, children up to the age of five are to be kept in prison with their mothers at Cornton Vale, near Stirling, it emerged yesterday.

From measl at mfn.org Sun Aug 15 21:34:58 2004 From: measl at mfn.org (J.A.
Terranson) Date: Sun, 15 Aug 2004 23:34:58 -0500 (CDT) Subject: Israelis voting for Bush defeated Gore In-Reply-To: <412033EB.E133727C@cdc.gov> References: <412033EB.E133727C@cdc.gov> Message-ID: <20040815233430.A43073@ubzr.zsa.bet> On Sun, 15 Aug 2004, Major Variola (ret) wrote: > 2000 in Florida. Only after all the overseas votes were counted, > including more than 12,000 from Israel alone, was Bush's election > victory certified. Yet another reason to nuke Israel.

From rah at shipwright.com Mon Aug 16 05:22:01 2004 From: rah at shipwright.com (R. A. Hettinga) Date: Mon, 16 Aug 2004 08:22:01 -0400 Subject: France: Crypto-in-a-crime (was re: Crypto Law Survey updated - version 22.2) Message-ID: --- begin forwarded text Approved-By: Bert-Jaap Koops Date: Mon, 16 Aug 2004 12:28:12 +0200 Reply-To: Bert-Jaap Koops Sender: Mailinglist about existing and proposed laws and regulations on cryptography From: Bert-Jaap Koops Subject: Crypto Law Survey updated - version 22.2 To: CRYPTOLAW-L at NIC.SURFNET.NL I have updated my Crypto Law Survey to version 22.2. http://rechten.uvt.nl/koops/cryptolaw/ ============================================================ NEWS France has enacted the first law in the world that raises the maximum punishment for a crime when cryptography was used to prepare or facilitate a crime.
============================================================
AFRICA
* Egypt ('02 mention of regulatory intention)
* Ghana (no controls)
* Kenya (no controls)
* Mauritius (no controls)
* Morocco ('02 mention of regulatory intention)
* Rwanda ('98 report mentions regulatory intention)
* South Africa (decryption order)
* Tunisia (import and domestic regulations)
EUROPE
* France (elaborate new law, including raising punishments for crypto-enhanced crimes)
* Russia (FAPSI > FSB)
* United Kingdom (new OGEL)
ASIA
* Singapore (export controls)
Any additions you may provide are greatly welcomed. Bert-Jaap Koops Tilburg University 16 August 2004

--- end forwarded text

From rah at shipwright.com Mon Aug 16 05:32:19 2004 From: rah at shipwright.com (R. A. Hettinga) Date: Mon, 16 Aug 2004 08:32:19 -0400 Subject: [e-gold-list] An interesting technology for cashlike tokens. Message-ID: And James makes the next step. The online gold systems, like goldmoney and e-gold, certainly have an enormously cheaper cost of entry than trying to plug into, say, the ATM system. Cheers, RAH --- begin forwarded text

From rah at shipwright.com Mon Aug 16 08:03:53 2004 From: rah at shipwright.com (R. A.
Hettinga) Date: Mon, 16 Aug 2004 11:03:53 -0400 Subject: Canadian Police chiefs want surveillance surcharge Message-ID: Police chiefs want surveillance surcharge CTV.ca News Staff Updated: Mon. Aug. 16 2004 12:44 AM ET Canada's police chiefs propose a surcharge of about 25 cents on monthly telephone and Internet bills to cover the cost of tapping into the communications of terrorists and other criminals. The suggestion is intended to resolve a standoff between police forces and telecommunications companies over who should foot the expense of providing investigators with access to phone calls and e-mail messages. Police say they cannot -- and should not -- be forced to pay the often hefty costs involved in carrying out court-approved wiretaps and message searches, warning that investigations will suffer if they are expected to pick up the tab. "This is a very, very serious issue for us. It has a potential for really paralysing operations," said Supt. Tom Grue, a member of the law amendments committee of the Canadian Association of Chiefs of Police. But the country's largest phone company believes that telecommunications firms and law-enforcement agencies, not subscribers, should split the costs. "We think there should be more of a partnership between the agencies and us, rather than getting the public to pay for it," said Bell Canada spokeswoman Jacqueline Michelis. The matter has taken on new urgency as the federal government prepares legislation aimed at preventing criminals from using new digital technologies to shield their communications from police and intelligence agencies. Authorities argue the measures are needed to keep up with sophisticated criminals involved in such activities as terrorism, money laundering, child pornography and murder. The legislative proposals, outlined two years ago, have raised the hackles of privacy advocates and civil libertarians.
Bubbling in the background is the equally thorny debate about money. Under the federal proposals, service providers would be required, when upgrading their systems, to build in the technical capabilities needed by police and intelligence agencies, such as the Canadian Security Intelligence Service, to easily tap communications. The controversy revolves around the ongoing costs of looking up phone numbers, hooking up to networks and relaying communications from one city to another - individual services that may cost anywhere from pocket change to thousands of dollars. Currently, a hodgepodge of payment practices applies, from negotiation of fees by the parties involved to refusal by some police forces to accept the bills. Grue, a member of the Edmonton police force, said the costs should be spread as widely as possible to avoid unduly burdening a small number of parties. The association of police chiefs, which represents the majority of Canadian forces, argues one way to accomplish that is adding a fee to each subscriber's monthly telephone, cellular or Internet bill. "We're thinking, amongst ourselves, 25 cents. Whether that would cover off all the costs, we don't know. We haven't done the analysis on it," Grue said. "But if you impose too great of a burden or put too high of a fee, then it becomes less and less attractive, obviously." Grue compares the proposed fee to the one customers already pay to support 911 emergency service, which ranges from about 25 to 50 cents a month depending on the type of telephone plan. Bell Canada's Michelis wants to pull the plug on the idea of a wiretap charge. "We don't really think the cost should be flipped over to the general public," she said. "I don't know how popular that's going to be, something like that. Twenty-five cents is a really significant amount to add to everybody's phone bill." 
Tom Copeland, a spokesman for the Canadian Association of Internet Providers, said tacking a fee on monthly bills "might work" but could create a burdensome administrative regime that hampers companies, especially small ones with few staff. Grue said it's "a bit of a mystery" to him why the industry is decidedly less than enthusiastic about the idea. "All companies would have that fee on the bill, so it's not like you're giving one company a competitive advantage over another company." Federal officials have convened meetings of the various players to try to work out the issues. Internal Justice Department notes prepared following a roundtable session in December stressed the need "not to further exacerbate the situation." Bell Canada says it has invested heavily in infrastructure to allow for wiretaps and is only trying to recover its costs on the day-to-day services provided to police and intelligence agencies. "Bell has already spent millions of dollars on this initiative and it's going to continue costing us a huge amount of money going forward," Michelis said. "We are looking to get some sort of compensation on the ongoing costs." For the police, it's a matter of principle. "From our perspective, it's a very slippery slope to start paying for the execution of search warrants or any kind of a court order," said Grue. Lucie Angers, a senior Justice Department lawyer, indicated the issues will be resolved at the political level. "You have different interests at stake," she said. "There's good sums of money that are involved in taking these decisions." Federal officials are interested in a solution that would "balance the costs," said Simone McAndrew, a spokeswoman for the Public Safety Department. "Any proposal that is brought forward will be considered." CSIS had no comment. 
Copeland said if subscribers end up funding the surveillance effort through monthly fees, Canadians would "demand a great deal more explanation" about the initiative and how it affects their constitutional and privacy rights. And should the money come from law-enforcement budgets, the public will be contributing "out the back door" through tax revenues, he noted. "One way or another, Canadians are going to pay."

From rah at shipwright.com Mon Aug 16 08:08:45 2004 From: rah at shipwright.com (R. A. Hettinga) Date: Mon, 16 Aug 2004 11:08:45 -0400 Subject: Wrong Time for an E-Vote Glitch Message-ID: Wired News Wrong Time for an E-Vote Glitch By Kim Zetter Story location: http://www.wired.com/news/evote/0,2645,64569,00.html 10:00 AM Aug. 12, 2004 PT It was simultaneously an uh-oh moment and an ah-ha moment. When Sequoia Voting Systems demonstrated its new paper-trail electronic voting system for state Senate staffers in California last week, the company representative got a surprise when the paper trail failed to record votes that testers cast on the machine. That was bad news for the voting company, whose paper-trail, touch-screen machine will be used for the first time next month in Nevada's state primary. The company advertises that its touch-screen machines provide "nothing less than 100 percent accuracy." It was good news, however, for computer scientists and voting activists, who have long held that touch-screen machines are unreliable and vulnerable to tampering, and therefore must provide a physical paper-based audit trail of votes.
"It goes to our point that a paper trail is very much needed to (ensure) that the machine accurately reports what people press," said Susie Swatt, chief of staff for state Sen. Ross Johnson (R-Irvine), who witnessed the glitch in the Sequoia machine. With a paper-trail system, the voting machines would print out a record when voters cast ballots on a touch-screen machine. Voters could examine, but not touch, the record before casting their ballot. The paper would then drop into a secure ballot box for use in a recount. For nearly a year, voting companies and many election officials have resisted the call for a paper record. Election officials say that putting printers on voting machines would create problems for poll workers if the printers break down or run out of paper, and the paper records will cause long poll lines with voters taking more time to check the record. Voting activists maintain, however, that election officials don't want the paper trail because it opens the way for recounts and lawsuits if paper records don't match digital vote tallies. And they say that paper records would provide proof the machines are not as accurate as companies claim. Acting on public pressure for a paper trail, Sequoia became the first of the four largest voting companies to add printers to their voting machines earlier this year. Two smaller voting companies have had paper-trail machines for longer, but have had trouble selling the machines to election officials. During the demonstration of the Sequoia machine last week, the machine worked fine when the company tested votes using an English-language ballot. But when the testers switched to a Spanish-language ballot, the paper trail showed no votes cast for two propositions. "We did it again and the same thing happened," said Darren Chesin, a consultant to the state Senate elections and reapportionment committee. "The problem was not with the paper trail. 
The paper trail worked flawlessly, but it caught a mistake in the programming of the touch-screen machine itself. For some reason it would not record or display the votes on the Spanish ballot for these two ballot measures. The only reason we even caught it was because we were looking at the paper trail to verify it." Sequoia spokesman Alfie Charles said the problem was not a programming error but a ballot-design error. "It was our fault for not proofing the Spanish language ballot before demonstrating it," Charles said. "We had a demo ballot that we designed in a hurry that didn't include all of the files that we needed to have the machine present all of the voter's selections on the screen and the printed ballots. That would never happen in an election environment because of all the proofing that election officials do." Charles said the machine did record the votes accurately in its memory, but failed to record them on the paper trail and on the review screen that voters examine before casting their ballot. Swatt and Chesin could not confirm this, however, because the company did not show them evidence of the digital votes stored on the machine's internal memory. "We've been saying all along that these things are subject to glitches," Chesin said. "The bottom line is that the paper trail caught the mistake. Ergo, paper trails are a good idea." Charles agreed the paper trail worked exactly as it was supposed to work. "If this happened in an election, the first voter would see it and could call a pollworker. They would take the machine out of service if they saw a problem," he said. Ironically, just one week after the demonstration occurred, California took one step back from making sure voters in the state will have the reassurance that a paper trail provides. 
On Thursday, a Senate bill that would require a voter-verified paper trail on all electronic voting machines in the state by January 2006 suffered a setback when the Assembly Appropriations Committee, where the bill resided, decided not to push the bill forward during this legislative session, which ends Aug. 31. This means legislators will have to reintroduce a new bill next January when they reconvene. The bill (PDF), introduced by Johnson and state Senator Don Perata (D-Oakland), had bipartisan support and the backing of Secretary of State Kevin Shelley. "I'm a little mystified why the committee has stalled the bill," Swatt said. "E-voting machines, like them or not, are here to stay in California. It is clear that if we are going to be living with e-voting machines the only way to protect voters and to ensure that their votes are counted accurately is to have a paper trail." Swatt said she hoped the public would pressure the legislature to push the bill forward before the session ends. -- ----------------- R. A. Hettinga The Internet Bearer Underwriting Corporation 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' From rah at shipwright.com Mon Aug 16 08:53:46 2004 From: rah at shipwright.com (R. A. Hettinga) Date: Mon, 16 Aug 2004 11:53:46 -0400 Subject: F.B.I. Goes Knocking for Political Troublemakers Message-ID: The New York Times August 16, 2004 F.B.I. Goes Knocking for Political Troublemakers By ERIC LICHTBLAU WASHINGTON, Aug. 15 - The Federal Bureau of Investigation has been questioning political demonstrators across the country, and in rare cases even subpoenaing them, in an aggressive effort to forestall what officials say could be violent and disruptive protests at the Republican National Convention in New York. F.B.I. 
officials are urging agents to canvass their communities for information about planned disruptions aimed at the convention and other coming political events, and they say they have developed a list of people who they think may have information about possible violence.

They say the inquiries, which began last month before the Democratic convention in Boston, are focused solely on possible crimes, not on dissent, at major political events. But some people contacted by the F.B.I. say they are mystified by the bureau's interest and felt harassed by questions about their political plans.

"The message I took from it," said Sarah Bardwell, 21, an intern at a Denver antiwar group who was visited by six investigators a few weeks ago, "was that they were trying to intimidate us into not going to any protests and to let us know that, 'hey, we're watching you.'"

The unusual initiative comes after the Justice Department, in a previously undisclosed legal opinion, gave its blessing to controversial tactics used last year by the F.B.I. in urging local police departments to report suspicious activity at political and antiwar demonstrations to counterterrorism squads. The F.B.I. bulletins that relayed the request for help detailed tactics used by demonstrators - everything from violent resistance to Internet fund-raising and recruitment.

In an internal complaint, an F.B.I. employee charged that the bulletins improperly blurred the line between lawfully protected speech and illegal activity. But the Justice Department's Office of Legal Counsel, in a five-page internal analysis obtained by The New York Times, disagreed. The office, which also made headlines in June in an opinion - since disavowed - that authorized the use of torture against terrorism suspects in some circumstances, said any First Amendment impact posed by the F.B.I.'s monitoring of the political protests was negligible and constitutional.

The opinion said: "Given the limited nature of such public monitoring, any possible 'chilling' effect caused by the bulletins would be quite minimal and substantially outweighed by the public interest in maintaining safety and order during large-scale demonstrations."

Those same concerns are now central to the vigorous efforts by the F.B.I. to identify possible disruptions by anarchists, violent demonstrators and others at the Republican National Convention, which begins Aug. 30 and is expected to draw hundreds of thousands of protesters.

In the last few weeks, beginning before the Democratic convention, F.B.I. counterterrorism agents and other federal and local officers have sought to interview dozens of people in at least six states, including past protesters and their friends and family members, about possible violence at the two conventions. In addition, three young men in Missouri said they were trailed by federal agents for several days and subpoenaed to testify before a federal grand jury last month, forcing them to cancel their trip to Boston to take part in a protest there that same day.

Interrogations have generally covered the same three questions, according to some of those questioned and their lawyers: were demonstrators planning violence or other disruptions, did they know anyone who was, and did they realize it was a crime to withhold such information.

A handful of protesters at the Boston convention were arrested but there were no major disruptions. Concerns have risen for the Republican convention, however, because of antiwar demonstrations directed at President Bush and because of New York City's global prominence.

With the F.B.I. given more authority after the Sept. 11 attacks to monitor public events, the tensions over the convention protests, coupled with the Justice Department's own legal analysis of such monitoring, reflect the fine line between protecting national security in an age of terrorism and discouraging political expression.

F.B.I. officials, mindful of the bureau's abuses in the 1960's and 1970's monitoring political dissidents like the Rev. Dr. Martin Luther King Jr., say they are confident their agents have not crossed that line in the lead-up to the conventions.

"The F.B.I. isn't in the business of chilling anyone's First Amendment rights," said Joe Parris, a bureau spokesman in Washington. "But criminal behavior isn't covered by the First Amendment. What we're concerned about are injuries to convention participants, injuries to citizens, injuries to police and first responders."

F.B.I. officials would not say how many people had been interviewed in recent weeks, how they were identified or what spurred the bureau's interest. They said the initiative was part of a broader, nationwide effort to follow any leads pointing to possible violence or illegal disruptions in connection with the political conventions, presidential debates or the November election, which come at a time of heightened concern about a possible terrorist attack.

F.B.I. officials in Washington have urged field offices around the country in recent weeks to redouble their efforts to interview sources and gather information that might help to detect criminal plots. The only lead to emerge publicly resulted in a warning to authorities before the Boston convention that anarchists or other domestic groups might bomb news vans there. It is not clear whether there was an actual plot.

The individuals visited in recent weeks "are people that we identified that could reasonably be expected to have knowledge of such plans and plots if they existed," Mr. Parris said.

"We vetted down a list and went out and knocked on doors and had a laundry list of questions to ask about possible criminal behavior," he added. "No one was dragged from their homes and put under bright lights. The interviewees were free to talk to us or close the door in our faces."

But civil rights advocates argued that the visits amounted to harassment. They said they saw the interrogations as part of a pattern of increasingly aggressive tactics by federal investigators in combating domestic terrorism. In an episode in February in Iowa, federal prosecutors subpoenaed Drake University for records on the sponsor of a campus antiwar forum. The demand was dropped after a community outcry.

Protest leaders and civil rights advocates who have monitored the recent interrogations said they believed at least 40 or 50 people, and perhaps many more, had been contacted by federal agents about demonstration plans and possible violence surrounding the conventions and other political events.

"This kind of pressure has a real chilling effect on perfectly legitimate political activity," said Mark Silverstein, legal director for the American Civil Liberties Union of Colorado, where two groups of political activists in Denver and a third in Fort Collins were visited by the F.B.I. "People are going to be afraid to go to a demonstration or even sign a petition if they justifiably believe that will result in your having an F.B.I. file opened on you."

The issue is a particularly sensitive one in Denver, where the police agreed last year to restrictions on local intelligence-gathering operations after it was disclosed that the police had kept files on some 3,000 people and 200 groups involved in protests.

But the inquiries have stirred opposition elsewhere as well. In New York, federal agents recently questioned a man whose neighbor reported he had made threatening comments against the president. He and a lawyer, Jeffrey Fogel, agreed to talk to the Secret Service, denying the accusation and blaming it on a feud with the neighbor. But when agents started to question the man about his political affiliations and whether he planned to attend convention protests, "that's when I said no, no, no, we're not going to answer those kinds of questions," said Mr. Fogel, who is legal director for the Center for Constitutional Rights in New York.

In the case of the three young men subpoenaed in Missouri, Denise Lieberman, legal director for the American Civil Liberties Union in St. Louis, which is representing them, said they scrapped plans to attend both the Boston and the New York conventions after they were questioned about possible violence.

The men are all in their early 20's, Ms. Lieberman said, but she would not identify them. All three have taken part in past protests over American foreign policy and in planning meetings for convention demonstrations. She said two of them were arrested before on misdemeanor charges for what she described as minor civil disobedience at protests.

Prosecutors have now informed the men that they are targets of a domestic terrorism investigation, Ms. Lieberman said, but have not disclosed the basis for their suspicions. "They won't tell me," she said. Federal officials in St. Louis and Washington declined to comment on the case.

Ms. Lieberman insisted that the men "didn't have any plans to participate in the violence, but what's so disturbing about all this is the pre-emptive nature - stopping them from participating in a protest before anything even happened."

The three men "were really shaken and frightened by all this," she said, "and they got the message loud and clear that if you make plans to go to a protest, you could be subject to arrest or a visit from the F.B.I."

From sunder at sunder.net Mon Aug 16 10:37:51 2004
From: sunder at sunder.net (Sunder)
Date: Mon, 16 Aug 2004 13:37:51 -0400 (edt)
Subject: Gilmore VS Ashcroft opens today
Message-ID:

http://www.papersplease.org/gilmore/

In this corner we have John Gilmore.
He's a 49 year-old philanthropist who lives in San Francisco, California. Through a lot of hard work (and a little luck), John made his fortune as a programmer and entrepreneur in the software industry. Whereas most people in his position would have moved to a tropical island and lived a life of luxury, John chose to use his fortune to protect and defend the US Constitution.

He's challenging the unconstitutionally evil stench of the Asscruftinator!

Who will win? Place your bets, place your bets, the courtroom showdown begins today:

http://www.boingboing.net/2004/08/16/john_gilmore_vs_ashc.html

Ding!

----------------------Kaos-Keraunos-Kybernetos---------------------------
 + ^ + :"Our enemies are innovative and resourceful, and so are we.  /|\
  \|/  :They never stop thinking about new ways to harm our country /\|/\
<--*-->:and our people, and neither do we." -G. W. Bush, 2004.08.05 \/|\/
  /|\  :                                                             \|/
 + v + :     War is Peace, freedom is slavery, Bush is President.
-------------------------------------------------------------------------

From nulldev at cyberfrontier.org Mon Aug 16 16:16:21 2004
From: nulldev at cyberfrontier.org (Robert B.Z.)
Date: Mon, 16 Aug 2004 19:16:21 -0400
Subject: [e-gold-list] Re: RPOW - Reusable Proofs of Work + Article
Message-ID:

"Of course, we will not discuss the specifics of our security measures for obvious reasons," ... because nobody here understands what our contractor (the cheapest geek that replied to the advert) is talking about.

I seriously wonder who on Earth had the grand idea to do this, rather than replacing the current private network with a new private network...

Cheers,
Robert.

--- end forwarded text

From rah at shipwright.com Mon Aug 16 17:37:18 2004
From: rah at shipwright.com (R. A. Hettinga)
Date: Mon, 16 Aug 2004 20:37:18 -0400
Subject: Not In The Cards (Re: Frank Barnako's Internet Daily: Internet goes lowercase at Wired News)
In-Reply-To: <20040816230123.D85EA666659@bullae.ibuc.com>
References: <20040816230123.D85EA666659@bullae.ibuc.com>
Message-ID:

At 10:51 PM -0400 8/16/04, CBS MarketWatch wrote:
>NOT IN THE CARDS
>
>Credit card companies may have one less thing to worry about online:
>being held liable for copyright infringements by customers, even when
>said activity involves a card transaction.
>
>So ruled U.S. District Judge James Ware, freeing Visa, MasterCard and
>other payment-related defendants from having to take responsibility for
>sales of images pirated from Perfect 10, an adult entertainment venture
>in Beverly Hills, Calif.
>
>Perfect 10 had sued the payment processors in an effort to recoup the
>proceeds from unauthorized sales of Perfect 10's copyrighted material.
>
>"The ability to process credit cards does not directly assist the
>allegedly infringing Web sites in copying plaintiff's works," Ware said
>in a ruling handed down last week. "Defendants do not provide the means
>for distributing those works to others, nor do they provide bandwidth or
>storage space with which to transfer or store the works."

From rah at shipwright.com Mon Aug 16 17:37:56 2004
From: rah at shipwright.com (R. A. Hettinga)
Date: Mon, 16 Aug 2004 20:37:56 -0400
Subject: RPOW - Reusable Proofs of Work + Article
Message-ID:

--- begin forwarded text

From mads at opencs.com.br Mon Aug 16 17:29:54 2004
From: mads at opencs.com.br (Mads Rasmussen)
Date: Mon, 16 Aug 2004 21:29:54 -0300
Subject: No subject
Message-ID:
To: Eric Rescorla , cryptography at metzdowd.com
Subject: Re: SHA-1 rumors
Sender: owner-cryptography at metzdowd.com

Eric Rescorla wrote:

>P.S. AFAIK, although Dobbertin was able to find preimages for
>reduced MD4, there still isn't a complete break in MD4. Correct?
>
>

Dobbertin published a complete break of MD4 (namely, a breaking algorithm and some collisions found with it) in the Journal of Cryptology.

Mads

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

--- end forwarded text

From perry at piermont.com Mon Aug 16 19:29:24 2004
From: perry at piermont.com (Perry E. Metzger)
Date: Mon, 16 Aug 2004 22:29:24 -0400
Subject: HMAC?
Message-ID:

So the question now arises, is HMAC using any of the broken hash functions vulnerable?
I can't answer that myself yet since I haven't given it a good enough think, but I will point people at the original HMAC paper at:

http://www.research.ibm.com/security/keyed-md5.html

The paper itself is at:

http://www.research.ibm.com/security/bck2.ps

Perry

--- end forwarded text

From rah at shipwright.com Mon Aug 16 19:38:02 2004
From: rah at shipwright.com (R. A. Hettinga)
Date: Mon, 16 Aug 2004 22:38:02 -0400
Subject: SHA-1 rumors
Message-ID:

--- begin forwarded text

From rah at shipwright.com Mon Aug 16 19:38:20 2004
From: rah at shipwright.com (R. A. Hettinga)
Date: Mon, 16 Aug 2004 22:38:20 -0400
Subject: SHA-1 rumors
Message-ID:

--- begin forwarded text

From rah at shipwright.com Mon Aug 16 19:43:36 2004
From: rah at shipwright.com (R. A. Hettinga)
Date: Mon, 16 Aug 2004 22:43:36 -0400
Subject: HMAC?
Message-ID:

--- begin forwarded text

From hal at finney.org Mon Aug 16 23:04:10 2004
From: hal at finney.org (Hal Finney)
Date: Mon, 16 Aug 2004 23:04:10 -0700 (PDT)
Subject: HMAC?
Message-ID:

My guess is that HMAC is not vulnerable. The basic structure of HMAC is

Hash (key1 || Hash(key2 || Msg))

The attacker does not know the key(s) and is allowed to request MACs on chosen messages; then he must produce a valid MAC on a new message.

The initial paper from Wang et al. announcing the results is unusual in that it merely exhibits the collisions, while providing no information whatsoever about how they were obtained. They are simply presented as a fait accompli, astonishing in their very existence. It reminds me of the story of how Cole demonstrated that the 67th Mersenne number was nonprime, by silently walking to the backboard and patiently working out the value of 2^67 - 1, and then the product of its two factors, by hand.

The nature of the exhibited hash collisions is that they are values which differ in only a very few bits: 6 bits out of 1024 for the MD5 collisions; 4 bits out of 512 for the MD4. Obviously it's not the case that for most strings, you can toggle these 4 or 6 bits and produce a collision! Instead, the authors must have some technique to create very special strings which allow the changes made by these few bits to cancel each other out.

If the attacker could find two messages such that there was an inner hash collision, Hash(key2 || Msg1) == Hash(key2 || Msg2), he could break HMAC. He'd get a MAC on Msg1 and then he could use that same MAC on Msg2.

But it seems impossible to find a collision like this without knowing key2. These hash functions are highly nonlinear and the choice of Msg1 and Msg2 would be completely dependent on key2. Change 1 bit of key2 and half the bits of Msg1 and Msg2 would very probably have to change.

If the attacker knew key2, it sounds like the new attacks would likely work to find an inner collision. But without knowing that, there would be no way to choose Msg1 and Msg2.

Given the special form of the colliding values, it appears that the new technique does not solve hash inversion, or finding collisions with arbitrary bit differentials.

The one possibility that I could imagine for a threat to HMAC is their comment that the attack on MD4 (for which collisions were already known) is so easy that it can be done by hand calculation. Maybe that would suggest that given the proper differentials, a non-negligible fraction of randomly chosen values would collide. Then conceivably you could get lucky and find a collision without even knowing key2. But that seems like a very remote possibility.

Hal Finney

--- end forwarded text

From johnblackjr at hotmail.com Mon Aug 16 23:13:00 2004
From: johnblackjr at hotmail.com (John Black)
Date: Tue, 17 Aug 2004 00:13:00 -0600
Subject: SHA-1 rumors
Message-ID:

>
>No, it was on the compression function, but not in any sense "reduced". But
>you had to start with particular values of the chaining variables, and in
>practice no-one knows how to do that, so MD5 (as a whole) isn't broken by
>this, at least until tomorrow evening. The rumour here is that MD5, HAVAL,
>and RIPE-MD are all goners. We know SHA-0 is toast too. There might also be
>results against SHA-1. Hash functions are hard.
>

What I've heard (also at CRYPTO right now like Greg) is that the four Chinese researchers (Wang, Fang, Lai, Yu) have found collisions in MD4, MD5, HAVAL, and RIPEMD. They state that SHA-0 collisions can be found as well.

However, the collision they list for MD5 doesn't work because the Chinese translation of [MOV] had an error which caused an endianness problem. So they have a collision for a PARTICULAR IV. One of the four researchers is back in China, so they are on the phone trying to fix the problem for the announcement tomorrow evening.

However, they have announced nothing regarding SHA-1 or any of the larger-output SHA versions like SHA-256, etc.
We haven't seen their methods yet, but one has to believe that their methods are fairly general given the range of hash functions they've attacked. This would SEEM to put the SHA family into jeopardy as well, but we should know more tomorrow evening.

John Black

[MOV] Menezes, van Oorschot, Vanstone; Handbook of Applied Cryptography, CRC Press.

--- end forwarded text

From bill.stewart at pobox.com Tue Aug 17 00:18:21 2004
From: bill.stewart at pobox.com (Bill Stewart)
Date: Tue, 17 Aug 2004 00:18:21 -0700
Subject: Gilmore vs. Ashcroft goes to 9th Ckt. Court of Appeals
Message-ID: <6.0.3.0.0.20040817001723.05a57440@pop.idiom.com>

From Bill Scannell :
-----------------------------------
On the 16th of August 2004, the 9th Circuit Court of Appeals begins work on the Gilmore vs. Ashcroft case. At stake is nothing less than the right of Americans to travel freely in their own country -- and the exposure of 'secret law' for what it is: an abomination.

The man who is fighting the good fight is named John Gilmore. John made his fortune as a programmer and entrepreneur in the software industry. Whereas most people in his position would have moved to a tropical island and lived a life of luxury, John chose to use his wealth to protect and defend the US Constitution.

On the 4th of July 2002, John Gilmore, American citizen, decided to take a trip from one part of the United States of America to another. At the airport, he was told he had to produce his ID if he wanted to travel. He asked to see the law demanding he show his 'papers' and was told after a time that the law was secret and no, he wouldn't be allowed to read it. He hasn't flown in his own country since.

http://www.gilmorevsashcroft.com

Can you put this out on wide-scan...it's important.

Thanks,
Bill

777 --- 777 777 --- 777
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." - Benjamin Franklin
----
Bill Stewart  bill.stewart at pobox.com

From ggr at qualcomm.com Mon Aug 16 16:20:34 2004
From: ggr at qualcomm.com (Greg Rose)
Date: Tue, 17 Aug 2004 09:20:34 +1000
Subject: SHA-1 rumors
Message-ID:

At 15:50 2004-08-16 -0400, Matt Curtin wrote:
>Eric Rescorla writes:
>
> > P.S. AFAIK, although Dobbertin was able to find preimages for
> > reduced MD4, there still isn't a complete break in MD4. Correct?
>
>Dobbertin's work was on reduced MD5. I haven't heard anything about
>progress on that front for several years.

No, it was on the compression function, but not in any sense "reduced". But you had to start with particular values of the chaining variables, and in practice no-one knows how to do that, so MD5 (as a whole) isn't broken by this, at least until tomorrow evening. The rumour here is that MD5, HAVAL, and RIPE-MD are all goners. We know SHA-0 is toast too. There might also be results against SHA-1. Hash functions are hard.

And the reason you haven't heard any progress from Dobbertin is because his employers told him to either stop working on it, or stop talking about it, depending which version of the story you've heard. Since he works for the German NSA-equivalent, I guess he would take this seriously.

Greg.
Greg Rose INTERNET: ggr at qualcomm.com Qualcomm Australia VOICE: +61-2-9817 4188 FAX: +61-2-9817 5199 Level 3, 230 Victoria Road, http://people.qualcomm.com/ggr/ Gladesville NSW 2111/232B EC8F 44C6 C853 D68F E107 E6BF CD2F 1081 A37C --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com --- end forwarded text -- ----------------- R. A. Hettinga The Internet Bearer Underwriting Corporation 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' From hal at finney.org Tue Aug 17 09:21:56 2004 From: hal at finney.org (Hal Finney) Date: Tue, 17 Aug 2004 09:21:56 -0700 (PDT) Subject: RPOW - Reusable Proofs of Work Message-ID: A couple of quick responses to the questions on RPOW, as I am at Crypto this week. Taral asked about the attestation. It is based on a root key published in Appendix C of IBM's "IBM 4758 PCI Cryptographic Coprocessor Custom Software Interface Reference", available from http://www.ibm.com/security/cryptocards/html/library.shtml. It is also published on IBM's web page at http://www.ibm.com/security/cryptocards/html/faqcopvalidity.shtml This tells you that the attestation refers to a valid IBM 4758. Further, the attestation contains within it both a hash of the RPOW program, and a set of keys generated by that program. Using the methods described on the rpow.net web site, it is possible to take the RPOW source code and generate a hash which matches that reported in the attestation. This tells you that you have access to the actual source code running on the RPOW server. By studying the source you can confirm that the program never exposes its private keys or allows them to leave the board. 
This tells you that if you send a message encrypted to the RPOW communications key and get a meaningful response (messages are protected with HMAC), you are talking to the program described in the attestation. Lynn Wheeler mentions the IBM 4758 break by Mike Bond and Richard Clayton described at http://www.cl.cam.ac.uk/~rnc1/descrack/. This was not actually a break of the 4758 but an exploit of a cryptographic weakness in the application running on the board, which was IBM's CCA support software. RPOW does not use CCA and is not vulnerable to that attack, and IBM has since fixed the CCA. Of course it is possible that RPOW may have vulnerabilities and errors of its own, being my own work and far from perfect. I welcome review and comment on the RPOW source code which is open source and available from rpow.net. Hal Finney --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com --- end forwarded text -- ----------------- R. A. Hettinga The Internet Bearer Underwriting Corporation 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' From tgh at tgharold.com Tue Aug 17 08:10:58 2004 From: tgh at tgharold.com (Thomas Harold) Date: Tue, 17 Aug 2004 11:10:58 -0400 Subject: No subject Message-ID: Gecko/20040616 To: cryptography at metzdowd.com Subject: Re: MD5 collisions? Sender: owner-cryptography at metzdowd.com Eric Rescorla wrote: > Check out this ePrint paper, which claims to have collisions in > MD5, MD4, HAVAL, and full RIPEMD. > > http://eprint.iacr.org/2004/199.pdf > > The authors claim that the MD5 attack took an hour for the first > collision and 15 seconds to 5 minutes for subsequent attacks > with the same first 512 bits. 
I'll play the newbie and ask the question... how would this be used in a practical attack against MD5 (or the other hashing algorithms)?

From my limited understanding, MD5 is usually used as a hash to detect tampering in a particular bitstream. In which case, the attacker's goal would be to calculate how to change bits in the bitstream without changing the MD5 output. (And hopefully without making the bitstream a different size.) Is this where collisions come into play?

Alternatively, hash functions can be used to store passwords (salt + plain text password => hash function => password file). But I don't see where the attacker could use collisions for that.

[Moderator's note:

You might want to read up on hash functions and their uses -- "detecting tampering" in the sense you mean isn't the main use of hash functions these days though they are certainly employed in such applications. Hash functions are a primitive used in all sorts of places as part of MACs, as ways of enabling signature systems, as elements of commitment protocols etc. The use in commitment protocols is totally blown by the current results, btw.

For purposes of things like x.509 certificates, as message integrity codes, etc., the current attacks don't provide an immediate way to attack the system, but they make one worried about the health of the algorithms -- probably sufficiently much to motivate quickly abandoning them for ones that are not vulnerable to these attacks.

--Perry]

--- end forwarded text
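Hal Finney's description of the RPOW attestation a couple of messages up, as an added example; this is neither RPOW's code nor IBM's, and it is not part of the thread. It models the chain he describes (a vendor root certifies the device key; the device signs a binding of the loaded program's hash to the keys that program generated; the client compares that hash against a build from the published source; the later exchange is HMAC-protected) using ed25519 signatures, SHA-256 over the program image, a made-up statement layout and constructed program bytes. The real 4758 uses IBM's certificate chain and the formats in the references Finney cites.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Attestation is a simplified model of what Finney describes: the device key
// (itself certified by the vendor root) signs a statement binding the hash of
// the loaded program to the keys that program generated. Field layout and
// ed25519 are assumptions for this example, not the 4758's real format.
type Attestation struct {
	ProgramHash [32]byte          // SHA-256 of the application loaded on the board
	CommKey     ed25519.PublicKey // key the program generated for talking to clients
	DeviceKey   ed25519.PublicKey // per-device key, certified by the vendor root
	DeviceCert  []byte            // root's signature over DeviceKey
	Sig         []byte            // DeviceKey's signature over binding(ProgramHash, CommKey)
}

// binding is the statement the device signs (assumed layout).
func binding(h [32]byte, comm ed25519.PublicKey) []byte {
	return append(append([]byte("program-hash+comm-key:"), h[:]...), comm...)
}

// MakeAttestation plays the device side so the example is self-contained.
// It returns the attestation and the program's private communications key.
func MakeAttestation(root ed25519.PrivateKey, program []byte) (Attestation, ed25519.PrivateKey, error) {
	devPub, devPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Attestation{}, nil, err
	}
	commPub, commPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Attestation{}, nil, err
	}
	h := sha256.Sum256(program)
	return Attestation{
		ProgramHash: h,
		CommKey:     commPub,
		DeviceKey:   devPub,
		DeviceCert:  ed25519.Sign(root, devPub),
		Sig:         ed25519.Sign(devPriv, binding(h, commPub)),
	}, commPriv, nil
}

// VerifyAttestation runs the client-side checks in the order Finney lists:
//  1. the device key chains to the published vendor root, so it is a real device;
//  2. that device signed the (program hash, comm key) binding;
//  3. the program hash equals the hash of the build you audited yourself.
// Only when all three hold does trusting CommKey say anything about the code.
func VerifyAttestation(rootPub ed25519.PublicKey, a Attestation, auditedBuild []byte) error {
	if !ed25519.Verify(rootPub, a.DeviceKey, a.DeviceCert) {
		return errors.New("device key is not certified by the vendor root")
	}
	if !ed25519.Verify(a.DeviceKey, binding(a.ProgramHash, a.CommKey), a.Sig) {
		return errors.New("attestation signature does not verify under the device key")
	}
	if want := sha256.Sum256(auditedBuild); !bytes.Equal(want[:], a.ProgramHash[:]) {
		return errors.New("attested program hash differs from the audited build")
	}
	return nil
}

// Tag and CheckTag model the HMAC protection on the exchange: a reply with a
// valid tag under the session key can only come from a holder of that key.
// Delivering the session key (encrypted to CommKey in RPOW) is out of scope.
func Tag(sessionKey, msg []byte) []byte {
	m := hmac.New(sha256.New, sessionKey)
	m.Write(msg)
	return m.Sum(nil)
}

func CheckTag(sessionKey, msg, tag []byte) bool {
	return hmac.Equal(Tag(sessionKey, msg), tag)
}

// Scenario checks a genuine device, a device running modified code, and a
// device whose key the trusted root never certified; only the first passes.
func Scenario() (genuineOK, modifiedCodeOK, rogueDeviceOK bool, err error) {
	rootPub, rootPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	_, otherRoot, err := ed25519.GenerateKey(rand.Reader) // a root the client does not trust
	if err != nil {
		return
	}
	audited := []byte("rpow program as built from the published source") // constructed
	modified := []byte("rpow program with an extra key-export routine")  // constructed
	// passes reports whether a client holding rootPub and the audited build
	// accepts an attestation from a device under root that loaded prog.
	passes := func(root ed25519.PrivateKey, prog []byte) bool {
		a, _, e := MakeAttestation(root, prog)
		if e != nil {
			err = e
			return false
		}
		return VerifyAttestation(rootPub, a, audited) == nil
	}
	genuineOK = passes(rootPriv, audited)
	modifiedCodeOK = passes(rootPriv, modified)
	rogueDeviceOK = passes(otherRoot, audited)
	return
}

func main() {
	g, m, r, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine: %v  modified code: %v  uncertified device: %v\n", g, m, r)
	key := []byte("session key delivered under CommKey") // constructed
	reply := []byte("rpow: token accepted")
	fmt.Println("reply HMAC verifies:", CheckTag(key, reply, Tag(key, reply)))
}
```

The negative cases are the point: a valid device signature on its own shows only that some certified board signed something, and only the hash comparison against a build you made from the published source ties the communications key to code you have actually read.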
From hughejp at mac.com Tue Aug 17 10:39:09 2004
From: hughejp at mac.com (james hughes)
Date: Tue, 17 Aug 2004 13:39:09 -0400
Subject: CRYPTO2004 Rump Session Presentations, was Re: A collision in MD5'
Message-ID:

Yes, my mistake. The link has an 'o' at the end.

mms://128.111.55.99/crypto

On Aug 17, 2004, at 1:07 PM, bmanning at vacation.karoshi.com wrote:

>> Microsoft media server
>> mms://128.111.55.99/crypt
>
> on my mac -
>
> "The file name, directory name, or volume lable syntax is incorrect"
>
> --bill

--- end forwarded text

From rah at shipwright.com Tue Aug 17 12:04:01 2004
From: rah at shipwright.com (R. A. Hettinga)
Date: Tue, 17 Aug 2004 15:04:01 -0400
Subject: Dope-Slaps and the Imaginary Axis (Re: Cryptome on ABC Evening News?)
In-Reply-To: <6.0.3.0.0.20040814174010.058c32d8@pop.idiom.com>
References: <6.0.3.0.0.20040814174010.058c32d8@pop.idiom.com>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 5:44 PM -0700 8/14/04, Bill Stewart wrote:
>the site there
>showing pictures of cable landings

Wow. Didn't know that. I was *at* Spencer Beach on the Big Island last month, *looking*, :-), and I didn't see *anything*. I coulda looked at cryptome. I was at Morro Bay with Vin and Cyn once, popping over from SLO, but we weren't looking then for what is the other end of several other pipes fulla pan-pacific fiber...
There sure isn't much else around Spencer Beach, though, and, besides, the wife likes Hilo anyway. (It's, um, dry there, at Spencer Beach. She hates ABQ's climate, too, where most of my, heh, addressable family lives: "My God!!! It looks like the *moon* out there!!!" she says to the plane window the first time out, "Where are the *trees*???" :-) A shopping trip to Old Town and a Death by Santa Fe Style outfit later she's over the problem. Gotta keep her away from Corpus, though, or I'm doomed. Or maybe I just show her a post-hurricane pic of the "T" and "L" heads, covered in beached yachts...)

I was all depressed about maybe retiring to Hilo -- it was my idea we were there to begin with, c'punkly visions in my head about a financial-crypto lab/detox facility, or something -- until I saw the biz/lab-park up above UH-Hilo where all the observatories (except Keck in Waimea/"Kamuela") have their headquarters. Nice fat fiber pipes going in and out. Kewl. I knew there was fiber to Mauna Kea, a ranger named Pablo up there showed me a huge junction box(?); nice they ran it down the other side. I shoulda realized, as the Gemini scopes are all "We're Internet2, donchaknow...".

The local "connectivity" providers, who sell WiFi to the touristas for $5/hr (or not, one says WiFi's "not safe", methinks he doth not know his firewall from his elbow), had no idea where the fiber, if any, was on the whole wet side of the island, so they weren't any help. The proximal cause of said depression, that was. Besides having flashbacks of various deep-and-recent past Caribbean Island-Time episodes.

Anyway, there's bandwidth with a capital b, and I keep forgetting about the Island Time thing. Something about me and what Beaver called "the imaginary axis". Like a moth and a flame.

Cheers,
RAH

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQA/AwUBQSJVQMPxH8jf3ohaEQL+vgCg0Zo1xxbPInOfb40buM1zTxts0/YAn1TN
BSV8PdaVmrXaC8Odr5nuk9If
=lDFR
-----END PGP SIGNATURE-----

From rah at shipwright.com Tue Aug 17 12:07:48 2004
From: rah at shipwright.com (R. A. Hettinga)
Date: Tue, 17 Aug 2004 15:07:48 -0400
Subject: HMAC?
Message-ID:

--- begin forwarded text

From rah at shipwright.com Tue Aug 17 12:09:09 2004
From: rah at shipwright.com (R. A. Hettinga)
Date: Tue, 17 Aug 2004 15:09:09 -0400
Subject: SHA-1 rumors
Message-ID:

--- begin forwarded text

From rah at shipwright.com Tue Aug 17 12:09:58 2004
From: rah at shipwright.com (R. A. Hettinga)
Date: Tue, 17 Aug 2004 15:09:58 -0400
Subject: MD5 collisions?
Message-ID:

--- begin forwarded text

From hughejp at mac.com Tue Aug 17 13:54:21 2004
From: hughejp at mac.com (james hughes)
Date: Tue, 17 Aug 2004 16:54:21 -0400
Subject: CRYPTO2004 Rump Session Presentations, was Re: A collision in MD5'
Message-ID:

I have 2 items of note for this list.

1. The web site is updated with program and the times. http://www.iacr.org/conferences/crypto2004/rump.html

2. I was typing fast, and mistyped my title. I am General Chair this year, not 2002 as was stated.

Enjoy.

On Aug 17, 2004, at 1:39 PM, james hughes wrote:

> Yes, my mistake. the link has an 'o' at the end.
>
> mms://128.111.55.99/crypto
>
>

--- end forwarded text
From declan at well.com Tue Aug 17 17:33:08 2004
From: declan at well.com (Declan McCullagh)
Date: Tue, 17 Aug 2004 19:33:08 -0500
Subject: MD5 collisions?
In-Reply-To: ; from rah@shipwright.com on Tue, Aug 17, 2004 at 03:09:58PM -0400
References:
Message-ID: <20040817193308.G25888@baltwash.com>

The last eight messages I see on cypherpunks (sorted by date, threaded) are forwards of messages from Perry's crypto list. Perry's list is archived publicly on the web if anyone subscribing to cypherpunks but not his list is interested in the discussion -- so let me humbly suggest that it might be possible not to forward each message.

One is enough. Less is more. Let's eliminate redundancy, thus eliminating redundancy.

-Declan "TCM" McCullagh

On Tue, Aug 17, 2004 at 03:09:58PM -0400, R. A. Hettinga wrote:
> --- begin forwarded text
>
>
> Delivered-To: cryptography at metzdowd.com
> Date: Tue, 17 Aug 2004 11:10:58 -0400
> From: Thomas Harold
> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7)
> Gecko/20040616
> To: cryptography at metzdowd.com
> Subject: Re: MD5 collisions?
> Sender: owner-cryptography at metzdowd.com
>
> Eric Rescorla wrote:
>
> > Check out this ePrint paper, which claims to have collisions in
> > MD5, MD4, HAVAL, and full RIPEMD.
> >
> > http://eprint.iacr.org/2004/199.pdf
> >
> > The authors claim that the MD5 attack took an hour for the first
> > collision and 15 seconds to 5 minutes for subsequent attacks
> > with the same first 512 bits.
>
> I'll play the newbie and ask the question... how would this be used in a
> practical attack against MD5 (or the other hashing algorithms)?
>
> From my limited understanding, MD5 is usually used as a hash to detect
> tampering in a particular bitstream. In which case, the attacker's goal
> would be to calculate how to change bits in the bitstream without
> changing the MD5 output. (And hopefully without making the bitstream a
> different size.) Is this where collisions come into play?
>
> Alternatively, hash functions can be used to store passwords (salt +
> plain text password => hash function => password file). But I don't see
> where the attacker could use collisions for that.
>
> [Moderator's note:
>
> You might want to read up on hash functions and their uses --
> "detecting tampering" in the sense you mean isn't the main use of
> hash functions these days though they are certainly employed in such
> applications. Hash functions are a primitive used in all sorts of
> places as part of MACs, as ways of enabling signature systems, as
> elements of commitment protocols etc. The use in commitment protocols
> is totally blown by the current results, btw.
>
> For purposes of things like x.509 certificates, as message integrity
> codes, etc., the current attacks don't provide an immediate way to
> attack the system, but they make one worried about the health of the
> algorithms -- probably sufficiently much to motivate quickly
> abandoning them for ones that are not vulnerable to these attacks.
>
> --Perry]
>
> --- end forwarded text

From declan at well.com Tue Aug 17 18:58:27 2004
From: declan at well.com (Declan McCullagh)
Date: Tue, 17 Aug 2004 20:58:27 -0500
Subject: MD5 collisions?
In-Reply-To: ; from rah@shipwright.com on Tue, Aug 17, 2004 at 09:06:20PM -0400
References: <20040817193308.G25888@baltwash.com>
Message-ID: <20040817205827.I25888@baltwash.com>

Oh, so it was RAH who was responsible for the repeated random useless forwards?

I hadn't noticed. How uncharacteristic of him. Never would have guessed.

-Declan

On Tue, Aug 17, 2004 at 09:06:20PM -0400, R. A. Hettinga wrote:
> At 7:33 PM -0500 8/17/04, Declan McCullagh wrote:
> >One is enough. Less is more. Let's eliminate redundancy, thus eliminating
> >redundancy.
>
> Yawn.
>
> "Let's" piss up a rope, shall we?
>
> Cheers,
> RAH

From dahonig at cox.net Tue Aug 17 21:04:29 2004
From: dahonig at cox.net (David Honig)
Date: Tue, 17 Aug 2004 21:04:29 -0700
Subject: MD5 collisions?
In-Reply-To:
References: <20040817193308.G25888@baltwash.com> <20040817193308.G25888@baltwash.com>
Message-ID: <3.0.5.32.20040817210429.009886d0@pop.west.cox.net>

At 09:04 PM 8/17/04 -0400, R. A. Hettinga wrote:
>At 7:33 PM -0500 8/17/04, Declan McCullagh wrote:
>>One is enough. Less is more. Let's eliminate redundancy, thus eliminating
>>redundancy.
LMAO RAH :-)

=================================================
36 Laurelwood Dr
Irvine CA 92620-1299
VOX: (714) 544-9727 (home)   mnemonic: P1G JIG WRAP
VOX: (949) 462-6726 (work -don't leave msgs, I can't pick them up)   mnemonic: WIZ GOB MRAM
ICBM: -117.7621, 33.7275
HTTP: http://68.5.216.23:81 (back up, but not 99.999% reliable)
PGP PUBLIC KEY: by arrangement
Send plain ASCII text not HTML lest ye be misquoted
------
"Don't 'sir' me, young man, you have no idea who you're dealing with" Tommy Lee Jones, MIB
----
No, you're not 'tripping', that is an emu ---Hank R. Hill

From rah at shipwright.com Tue Aug 17 18:04:48 2004
From: rah at shipwright.com (R. A. Hettinga)
Date: Tue, 17 Aug 2004 21:04:48 -0400
Subject: MD5 collisions?
In-Reply-To: <20040817193308.G25888@baltwash.com>
References: <20040817193308.G25888@baltwash.com>
Message-ID:

At 7:33 PM -0500 8/17/04, Declan McCullagh wrote:
>One is enough. Less is more. Let's eliminate redundancy, thus eliminating
>redundancy.

From rah at shipwright.com Tue Aug 17 18:06:20 2004
From: rah at shipwright.com (R. A. Hettinga)
Date: Tue, 17 Aug 2004 21:06:20 -0400
Subject: MD5 collisions?
In-Reply-To: <20040817193308.G25888@baltwash.com>
References: <20040817193308.G25888@baltwash.com>
Message-ID:

At 7:33 PM -0500 8/17/04, Declan McCullagh wrote:
>One is enough. Less is more. Let's eliminate redundancy, thus eliminating
>redundancy.

Yawn.

"Let's" piss up a rope, shall we?

Cheers,
RAH

From rah at shipwright.com Tue Aug 17 18:49:06 2004
From: rah at shipwright.com (R. A. Hettinga)
Date: Tue, 17 Aug 2004 21:49:06 -0400
Subject: MD5 collisions?
In-Reply-To: <20040817193308.G25888@baltwash.com>
References: <20040817193308.G25888@baltwash.com>
Message-ID:

...and another thing...

At 7:33 PM -0500 8/17/04, Declan McCullagh wrote:
>-Declan "TCM" McCullagh

Does this mean you spend all day in a Barcolounger dry-jacking a Mossberg, muttering about Janet Reno? ;-)

Cheers,
RAH

"Banks in Hong Kong and Shanghai", indeed...

From declan at well.com Tue Aug 17 20:03:59 2004
From: declan at well.com (Declan McCullagh)
Date: Tue, 17 Aug 2004 22:03:59 -0500
Subject: MD5 collisions?
In-Reply-To: ; from rah@shipwright.com on Tue, Aug 17, 2004 at 10:17:55PM -0400
References: <20040817193308.G25888@baltwash.com> <20040817205827.I25888@baltwash.com>
Message-ID: <20040817220359.J25888@baltwash.com>

Sigh. RAH has descended to the level of a net.kook.

Never would have guessed.

-Declan

From rah at shipwright.com Tue Aug 17 19:17:55 2004
From: rah at shipwright.com (R. A. Hettinga)
Date: Tue, 17 Aug 2004 22:17:55 -0400
Subject: MD5 collisions?
In-Reply-To: <20040817205827.I25888@baltwash.com>
References: <20040817193308.G25888@baltwash.com> <20040817205827.I25888@baltwash.com>
Message-ID:

At 8:58 PM -0500 8/17/04, Declan McCullagh wrote:
>I hadn't noticed. How uncharacteristic of him. Never would have guessed.

...and my mother dresses me funny?
You can do better than that, Declan -- if you do say so yourself.

Self-important git.

-RAH

From rah at shipwright.com Tue Aug 17 19:44:45 2004
From: rah at shipwright.com (R. A. Hettinga)
Date: Tue, 17 Aug 2004 22:44:45 -0400
Subject: CRYPTO2004 Rump Session Presentations, was Re: A collision in MD5'
Message-ID:

--- begin forwarded text

From rah at shipwright.com Tue Aug 17 19:44:57 2004
From: rah at shipwright.com (R. A. Hettinga)
Date: Tue, 17 Aug 2004 22:44:57 -0400
Subject: CRYPTO2004 Rump Session Presentations, was Re: A collision in MD5'
Message-ID:

--- begin forwarded text

From perry at piermont.com Tue Aug 17 19:56:00 2004
From: perry at piermont.com (Perry E. Metzger)
Date: Tue, 17 Aug 2004 22:56:00 -0400
Subject: crypto '04 rump webcast
Message-ID:

I've been watching the webcast. The team that did the md4/md5/haval-128/ripemd attacks just presented, and although it was interesting it included precious few details of the attack beyond the fact that it was a twist on differential cryptanalysis. Is there any more information available at this point from anyone?

Perry

--- end forwarded text

From rah at shipwright.com Tue Aug 17 19:56:44 2004
From: rah at shipwright.com (R. A. Hettinga)
Date: Tue, 17 Aug 2004 22:56:44 -0400
Subject: RPOW - Reusable Proofs of Work
Message-ID:

--- begin forwarded text

From rah at shipwright.com Tue Aug 17 20:07:51 2004
From: rah at shipwright.com (R. A. Hettinga)
Date: Tue, 17 Aug 2004 23:07:51 -0400
Subject: crypto '04 rump webcast
Message-ID:

--- begin forwarded text

From measl at mfn.org Tue Aug 17 22:02:48 2004
From: measl at mfn.org (J.A. Terranson)
Date: Wed, 18 Aug 2004 00:02:48 -0500 (CDT)
Subject: MD5 collisions?
In-Reply-To: <20040817220359.J25888@baltwash.com>
References: <20040817193308.G25888@baltwash.com> <20040817205827.I25888@baltwash.com> <20040817220359.J25888@baltwash.com>
Message-ID: <20040818000219.C51794@ubzr.zsa.bet>

On Tue, 17 Aug 2004, Declan McCullagh wrote:

> Sigh. RAH has descended to the level of a net.kook.
>
> Never would have guessed.
>
> -Declan

Since when is on-topic crossposting an issue here?

--
Yours,
J.A. Terranson
sysadmin at mfn.org
0xBD4A95BF

From declan at well.com Tue Aug 17 22:40:11 2004
From: declan at well.com (Declan McCullagh)
Date: Wed, 18 Aug 2004 01:40:11 -0400
Subject: MD5 collisions?
In-Reply-To: <20040818000219.C51794@ubzr.zsa.bet>
References: <20040817193308.G25888@baltwash.com> <20040817205827.I25888@baltwash.com> <20040817220359.J25888@baltwash.com> <20040818000219.C51794@ubzr.zsa.bet>
Message-ID: <6.0.3.0.2.20040818013831.02a5f920@mail.well.com>

At 01:02 AM 8/18/2004, J.A. Terranson wrote:
>Since when is on-topic crossposting an issue here?

Since forever. Since before either of us joined the list (and I first started reading a decade ago).
It's a matter of politeness and degree. A pointer to a discussion archived on the web is more useful than dozens of forwarded messages.

Hey, I have an idea! Why don't I write a script crossposting everything from sci.crypt to cypherpunks! How about a few dozen other "on-topic" newsgroups and mailing lists too?

-Declan

From jtrjtrjtr2001 at yahoo.com Wed Aug 18 04:29:33 2004
From: jtrjtrjtr2001 at yahoo.com (Sarad AV)
Date: Wed, 18 Aug 2004 04:29:33 -0700 (PDT)
Subject: SHA-1 rumors
In-Reply-To:
Message-ID: <20040818112933.66448.qmail@web21205.mail.yahoo.com>

--- "R. A. Hettinga" wrote:

> This would
> SEEM to put the SHA family into jeopardy as well,
> but we should know
> more tomorrow evening.
>
> John Black

Wasn't the attack to find two chosen messages hashing to the same value? But that doesn't mean that it is easy to find a message M1: H(M1) = H(M2), given M2.

Sarath.

__________________________________
Do you Yahoo!?
Yahoo! Mail - 50x more storage than other providers!
http://promotions.yahoo.com/new_mail

From rah at shipwright.com Wed Aug 18 05:00:01 2004
From: rah at shipwright.com (R. A. Hettinga)
Date: Wed, 18 Aug 2004 08:00:01 -0400
Subject: MD5 collisions?
In-Reply-To: <20040817220359.J25888@baltwash.com>
References: <20040817193308.G25888@baltwash.com> <20040817205827.I25888@baltwash.com> <20040817220359.J25888@baltwash.com>
Message-ID:

At 10:03 PM -0500 8/17/04, Declan McCullagh wrote:
>Sigh. RAH has descended to the level of a net.kook.
>
>Never would have guessed.

You've used exactly the same rhetorical device twice now. Are you just lazy, or, more likely, have you just peaked too soon? How does it feel to be someone whose best years are a decade behind him, Declan?

You are *sooo* boring.

RAH
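Sarad's question above, together with Thomas Harold's question and Perry's moderator note earlier in the thread, as an added example that is not code from any of the participants. It shows the difference between a collision (two messages the attacker chooses, which is what the ePrint paper gives) and a second preimage (matching a message somebody else fixed, which is the checksum-on-a-file case Thomas describes), and why the first already breaks a plain hash commitment while the second is what tampering detection depends on. SHA-1 truncated to 20 bits stands in for a weak hash so that both searches finish in seconds; the message family, the commitment scheme and the search budget are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// truncBits is a toy parameter: 20 bits keeps both searches fast while
// preserving the 2^(n/2) versus 2^n gap the thread is about.
const truncBits = 20

// truncHash stands in for a weak hash: the top truncBits of SHA-1(m).
func truncHash(m []byte) uint32 {
	d := sha1.Sum(m)
	return binary.BigEndian.Uint32(d[:4]) >> (32 - truncBits)
}

// candidate is the i-th message of a constructed family the attacker controls.
func candidate(prefix string, i uint64) []byte {
	return []byte(fmt.Sprintf("%s #%d", prefix, i))
}

// FindCollision is a birthday search: hash attacker-chosen messages until two
// of them share a digest. Expected cost is about 2^(truncBits/2) hashes.
func FindCollision(prefix string) (m1, m2 []byte, trials int) {
	seen := make(map[uint32][]byte)
	for i := uint64(0); ; i++ {
		m := candidate(prefix, i)
		h := truncHash(m)
		if prev, ok := seen[h]; ok {
			return prev, m, int(i) + 1
		}
		seen[h] = m
	}
}

// FindSecondPreimage is Sarad's case: the target was fixed by someone else and
// the attacker needs a different message with the same digest. Expected cost
// is about 2^truncBits hashes, the square of the collision cost.
func FindSecondPreimage(target []byte, prefix string, limit uint64) (m []byte, trials int, found bool) {
	want := truncHash(target)
	for i := uint64(0); i < limit; i++ {
		c := candidate(prefix, i)
		if truncHash(c) == want && !bytes.Equal(c, target) {
			return c, int(i) + 1, true
		}
	}
	return nil, int(limit), false
}

// Commit and Open model the plain hash commitment Perry mentions: publish H(m)
// now, reveal m later. Binding depends entirely on collision resistance.
func Commit(m []byte) uint32 { return truncHash(m) }

func Open(c uint32, m []byte) bool { return truncHash(m) == c }

// DemoResult collects what RunDemo establishes so it can be checked.
type DemoResult struct {
	CollisionTrials, SecondPreimageTrials    int
	CollisionValid, CommitmentEquivocates    bool
	SecondPreimageFound, SecondPreimageValid bool
}

// RunDemo runs both searches and shows the consequence for a commitment.
func RunDemo() DemoResult {
	var r DemoResult
	m1, m2, n := FindCollision("vote")
	r.CollisionTrials = n
	r.CollisionValid = !bytes.Equal(m1, m2) && truncHash(m1) == truncHash(m2)
	// The committer publishes Commit(m1) and later opens it as m2 instead:
	// the commitment no longer binds, which is why Perry calls this use blown.
	c := Commit(m1)
	r.CommitmentEquivocates = Open(c, m1) && Open(c, m2)
	// A document the attacker did not get to choose, as in the checksum-on-a-
	// file setting Thomas asks about; this needs a second preimage instead.
	target := []byte("pay 100 to Alice") // constructed
	f, n2, ok := FindSecondPreimage(target, "forged", 1<<24)
	r.SecondPreimageTrials, r.SecondPreimageFound = n2, ok
	r.SecondPreimageValid = ok && truncHash(f) == truncHash(target)
	return r
}

func main() {
	r := RunDemo()
	fmt.Printf("collision after %d hashes; second preimage after %d hashes\n",
		r.CollisionTrials, r.SecondPreimageTrials)
	fmt.Printf("commitment can be opened two ways: %v\n", r.CommitmentEquivocates)
}
```

The trial counts differ by roughly a factor of 2^(truncBits/2), which is the whole of Sarad's point: the new results give the cheap search, and a checksum protecting a file somebody else produced still requires the expensive one. Adding a per-commitment random nonce (commit to H(nonce || m) and reveal both) is the usual way to keep a commitment binding when the hash is only weakly collision-resistant, since the attacker no longer controls the whole input.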
From mv at cdc.gov Wed Aug 18 08:15:46 2004
From: mv at cdc.gov (Major Variola (ret))
Date: Wed, 18 Aug 2004 08:15:46 -0700
Subject: Plonk this
Message-ID: <412372A1.F675D305@cdc.gov>

At 09:20 AM 8/18/04 -0400, R. A. Hettinga wrote:
>>Hey, I have an idea! Why don't I write a script crossposting
>>everything from sci.crypt to cypherpunks! How about a few dozen
>>other "on-topic" newsgroups and mailing lists too?
>
>Go ahead. Are you going to reformat them for legibility first, if
>necessary? Are you going to personally decide, in *your* opinion,
>what's worth forwarding and what isn't?

>In the meantime, remember that Declan's main purpose here is to sniff
>around for stories. Which is fine, until he starts pretending he's
>Tim May (I knew Tim May -- he wished I didn't -- and, Mr. McCullagh

1. Having a mainstream meme injector like DMcC is occasionally useful, RAH (Consider that DHS lameass document security made it to the big time and was reported here first.)

2. How the hell can we be reading about crossposting *and* Tim May and *not anywhere* in your flame see the word "plonk" ??? With all the implied discussion about consumer-end technological filtering vs. central censorship?

3. In all honesty I think Declan's partial-quote followed by a and a URL saves bandwidth and also does positively reinforce the folks feeding the authors of the partially quoted content. Of course, subscription-only (or even registration-only) services don't get such caring treatment, they get fair-used 'with prejudice'. And you are free to abuse street-performer-protocols of course, such is the nature of things; and they are free to post their words as .GIFs.

From rah at shipwright.com Wed Aug 18 06:20:36 2004
From: rah at shipwright.com (R. A. Hettinga)
Date: Wed, 18 Aug 2004 09:20:36 -0400
Subject: "Owning" Ones Own Words, Peaking Too Soon, The Cypherpunk Purity Test, and Bora-Bora (Re: MD5 collisions?)
In-Reply-To: <6.0.3.0.2.20040818013831.02a5f920@mail.well.com>
References: <20040817193308.G25888@baltwash.com> <20040817205827.I25888@baltwash.com> <20040817220359.J25888@baltwash.com> <20040818000219.C51794@ubzr.zsa.bet> <6.0.3.0.2.20040818013831.02a5f920@mail.well.com>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 1:40 AM -0400 8/18/04, Declan McCullagh trots out the Cypherpunk Purity Test, among other tasty bits of speciousness:
>At 01:02 AM 8/18/2004, J.A. Terranson wrote:
>>Since when is on-topic crossposting an issue here?
>
>Since forever.

To elucidate this a bit, Declan believes in this obscure WELL.nonsense called "you own your own words".

No. Seriously. *Nobody* can forward *anything* you say, *anywhere* on the net, without your permission. On the net. Without your permission.

Pardon me. Almost 10 years after I heard of it, my stomach still hurts from laughing at this ignorant blend of "communitarian" hippy-logic and 19th century industrial-age legal nostrum.

Hint, Declan: the definition of property, especially digital property in an age of perfect digital copies on a ubiquitous geodesic :-) internetwork, is that it's sitting, preferably encrypted, on my hard drive. The, um, bald, fact is, once it's there, I can send it, anywhere on the net, whenever I feel like it, without your "permission".

Declan's actual subtext in this case is that he's written this nice summary article on ... wait... where do you work this week, Declan? Time Magazine? No. Not there anymore. Wired, right? No, not there either. Oh, that's it, CNET. Still there, right? CNET probably can't hire enough fact-checkers, so you're probably safe there for a while until the cacophony of protests from your misquoted article subjects rises above a dull roar.
Reminds me of a cartoon in Tom Wolfe's "Mauve Gloves and Madmen, Currier and Vine" about the Guy Who Peaked Too Soon. Anyway, as usual, Declan has, dutifully, one imagines, ground out something he wants you to read instead of seeing (mostly relevant :-)) first sources in more or less real-time, on this list where you read it, instead of interrupting your flow to click around on the web for it. This way, though, he "owns" the words, you see. And, obviously, if you click the link, provided here as a courtesy, , he gets paid more money. Sooner or later. Or at least they might pay his way to more conferences, like they used to during the Clinton Internet Bubble :-). Maybe. Anyway, maybe if we all click it a lot of times, Dear Declan might sit down, shut up, and move that sock from his trousers to his pie-hole. By the way, the reason I didn't send *that* article to the list, too - -- before he pissed on my shoes -- is that he whines at you offline about it. And, before this, I took pity on the once-richer-now-poorer erst-ink-stained wretch. Fuck that. I expect to be getting a phone call from CNET's lawyers for copyright violations under COPA, or whatever, now, as a result, but what the hell. >Since before either of us joined the list (and I first started >reading a decade ago). Here we go, folks. The ol' cypherpunks purity trick. "My tenure on these lists longer than yours." Or, "I've been voting libertarian longer than you have." Or, "I play on Cato's Invisible Foot and you don't." Or, "I can dry-jack a Mossberg, or Nikon Coolpix, or whatever, faster than you can." Or whatever. For the record, I've been here since March or April of 1994. Whatever. This list, and it's lineal predecessors, is long past the time when cutting edge cryptography was discussed here for the first time instead of somewhere else. So, periodically, the tree of cypherpunks must be watered with the blood of other lists. Or something. 
:-) In the meantime, remember that Declan's main purpose here is to sniff around for stories. Which is fine, until he starts pretending he's Tim May (I knew Tim May -- he wished I didn't -- and, Mr. McCullagh you're... Oh, forget it), or, paradoxically for cypherpunks, that he owns the list somehow, and that, like Mighty Mouse, he's here to save the day and play list.policeman. >It's a matter of politeness and degree. True enough. And, frankly, I've respected both of those in what I've sent here over the years. The only people who've complained, at least until I've explained myself to their satisfaction, have been "professionals" who "owned their own words" and got scooped. If one can consider forwarding something important from cryptography to this list to be "scooping" the CNET Political Editor in Chief. Or whatever they say he is these days. >A pointer to a discussion archived >on the web is more useful than dozens of forwarded messages. >Hey, I have an idea! Why don't I write a script crossposting >everything from sci.crypt to cypherpunks! How about a few dozen >other "on-topic" newsgroups and mailing lists too? Go ahead. Are you going to reformat them for legibility first, if necessary? Are you going to personally decide, in *your* opinion, what's worth forwarding and what isn't? Are you going to be topical? More to the point, Declan, are you going to do it in such a way that the residents of the list actually *use* in further discussion? Or are you going to do it to "prove" that, reductio ad absurdum, *any* forwards are equivalent to *all* forwards? I thought not. Hey, I got an idea, myself. Let's just close down the list and do it *all* on the web? Maybe CNET can stick pop-up ads in our faces for the privilege, Declan an up his click-count, and CNET will send him to the Black Rock Desert, or Bora-Bora, or the Crimea, or wherever, for some conference or other. Or a Senate hearing. Or whatever. I mean, who needs that pesky 'd' key, anyway? 
In the meantime, Declan, own *these* words: don't be a putz. Cheers, RAH -----BEGIN PGP SIGNATURE----- Version: PGP 8.0.3 iQA/AwUBQSNXn8PxH8jf3ohaEQJwTQCg+hpBwCoGQryuoJAdyYP4awO3nDYAoLKa UKwhmMOEdC2q2yA/JLjIbFuV =fO4K -----END PGP SIGNATURE----- -- ----------------- R. A. Hettinga The Internet Bearer Underwriting Corporation 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' From rah at shipwright.com Wed Aug 18 06:21:53 2004 From: rah at shipwright.com (R. A. Hettinga) Date: Wed, 18 Aug 2004 09:21:53 -0400 Subject: MD5 collisions? Message-ID: --- begin forwarded text From measl at mfn.org Wed Aug 18 09:28:19 2004 From: measl at mfn.org (J.A. Terranson) Date: Wed, 18 Aug 2004 11:28:19 -0500 (CDT) Subject: MD5 collisions? In-Reply-To: <6.0.3.0.2.20040818013831.02a5f920@mail.well.com> References: <20040817193308.G25888@baltwash.com> <20040817205827.I25888@baltwash.com> <20040817220359.J25888@baltwash.com> <20040818000219.C51794@ubzr.zsa.bet> <6.0.3.0.2.20040818013831.02a5f920@mail.well.com> Message-ID: <20040818112454.W53422@ubzr.zsa.bet> On Wed, 18 Aug 2004, Declan McCullagh wrote: > At 01:02 AM 8/18/2004, J.A. Terranson wrote: > >Since when is on-topic crossposting an issue here? > > Since forever. Since before either of us joined the list (and I first > started reading a decade ago). > > It's a matter of politeness and degree. A pointer to a discussion archived > on the web is more useful than dozens of forwarded messages. > > Hey, I have an idea! Why don't I write a script crossposting everything > from sci.crypt to cypherpunks! How about a few dozen other "on-topic" > newsgroups and mailing lists too? We're not talking about just sci.crypt chatter here, he has been forwarding posts on one of the single most interesting (to anyone crypto-inclined) topics in *years*. 
And not everyone (crypto-inclined or not) subs to all of the many sources: if you want to get the word out to the less than hard-core, this list is a great starting point. Your complaints on this appear (based mostly on your banter with RAH) to be more a personal problem than anything else. Perhaps you should step back and look at the big picture here? > -Declan -- Yours, J.A. Terranson sysadmin at mfn.org 0xBD4A95BF "...justice is a duty towards those whom you love and those whom you do not. And people's rights will not be harmed if the opponent speaks out about them." Osama Bin Laden - - - "There aught to be limits to freedom!" George Bush - - - Which one scares you more? From ggr at qualcomm.com Tue Aug 17 20:11:22 2004 From: ggr at qualcomm.com (Greg Rose) Date: Wed, 18 Aug 2004 13:11:22 +1000 Subject: MD5 collisions? Message-ID: At 14:12 2004-08-17 -0300, Mads Rasmussen wrote: >Eric Rescorla wrote: > >>Check out this ePrint paper, which claims to have collisions in >>MD5, MD4, HAVAL, and full RIPEMD. >> >>http://eprint.iacr.org/2004/199.pdf >> >>The authors claim that the MD5 attack took an hour for the first >>collision and 15 seconds to 5 minutes for subsequent attacks >>with the same first 512 bits. >So what's the status?, the MD5 collisions has been confirmed by Eric >Rescorla (taken the type into consideration), the MD4 by David Shaw, what >about Haval and RipeMD?. > >I did a test on the RipeMD results and couldn't get the results written. >Anybody else having the same problems? > >Any news on Antoine Joux and his attack on SHA-0? how did he create the >collision previously announced on sci.crypt? Eli Biham -- has collisions on 34 (out of 80) rounds of SHA-1, but can extend that to probably 46. Still nowhere near a break. Antoine Joux -- his team announced the collision on SHA-0 earlier this week. There is concentration on the so-called "IF" function in the first 20 rounds... f(a,b,c) = (a & b) ^ (~a & c).
That is, the bits of a choose whether to pass the bits from b, or c, to the result. The technique (and Eli's) depends on getting a "near collision" in the first block hashed, then using more near collisions to move the different bits around, finally using another near collision to converge after the fourth block hashed. This took 20 days on 160 Itanium processors. It was about 2^50 hash evaluations. Xiaoyun Wang was almost unintelligible. But the attack works with "any initial values", which means that they can take any prefix, and produce collisions between two different suffixes. They can produce the first collision for a given initial value in less than an hour, and then can crank them out at about one every 5 minutes. It seems to be a straightforward differential cryptanalysis attack, so one wonders why no-one else came up with it. The attack on Haval takes about 64 tries. On MD4, about 4 tries. RIPE-MD, about 2 hours (but can improve it). SHA-0 about 2^40 (1000 times better than Joux). Xuejia Lai clarified that the paper on E-print has been updated with correct initial values. They were initially byte-reversed, which they blamed on Bruce Schneier. Greg. >Regards, > >Mads Rasmussen >Open Communications Security > >--------------------------------------------------------------------- >The Cryptography Mailing List >Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com Greg Rose INTERNET: ggr at qualcomm.com Qualcomm Australia VOICE: +61-2-9817 4188 FAX: +61-2-9817 5199 Level 3, 230 Victoria Road, http://people.qualcomm.com/ggr/ Gladesville NSW 2111/232B EC8F 44C6 C853 D68F E107 E6BF CD2F 1081 A37C --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com --- end forwarded text -- ----------------- R. A. Hettinga The Internet Bearer Underwriting Corporation 44 Farquhar Street, Boston, MA 02131 USA "...
however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' From shaddack at ns.arachne.cz Wed Aug 18 06:42:05 2004 From: shaddack at ns.arachne.cz (Thomas Shaddack) Date: Wed, 18 Aug 2004 15:42:05 +0200 (CEST) Subject: Suggestion Message-ID: <0408181536100.-1155938748@somehost.domainz.com> I hereby suggest to postpone the flamewars for the winter, when the weather brings the need of some spare waste heat. I thought we're above name-calling here. But perhaps it was just a quiet period and the current situation will rectify on its own in couple days, as it usually does. Besides, the recent development around the hash functions is quite important to know about. From adam at cypherspace.org Wed Aug 18 13:33:12 2004 From: adam at cypherspace.org (Adam Back) Date: Wed, 18 Aug 2004 16:33:12 -0400 Subject: hash attacks and hashcash (SHA1 partial preimage of 0^160) In-Reply-To: <20040818180309.GA5806@certainkey.com> References: <4122A971.1030903@harvee.org> <4122AE14.9070108@silveronion.com> <20040818134313.GL2192@certainkey.com> <20040818163216.GA449@arion.soze.net> <20040818180309.GA5806@certainkey.com> Message-ID: <20040818203312.GB27766@bitchcake.off.net> (This discussion from hashcash list is Cc'd to cryptography and cypherpunks.) Hashcash uses SHA1 and computes a partial pre-image of the all 0bit string (0^160). Following is a discussion of what the recent results from Joux, Wang et al, and Biham et al on SHA0, MD5, SHA1 etc might imply for hashcash SHA1 (and for hypothetical hashcash SHA0, MD5 etc by way of seeing what it will mean if SHA1 eventually suffers similar fate to SHA0). (All as far as I understand so far). Hashcash stresses the SHA1 function in a different direction than signatures and MACs -- in assuming partial pre-images are hard (ie a k-bit partial pre-image should take about 2^k operations).
(Partial 2nd pre-images are also "interesting" against hashcash -- see below). (As a security argument if partial pre-images say up to m To be clear: > MD5 is broken. The whole thing: > http://www.md5crk.com/md5col.zip > SHA-0 is broken. The whole thing: > http://www.md5crk.com/sha0col > HAVAL-128 and RIPEMD-128 and MD4 are also broken using the same techniques. > > 56 round SHA-1 (out of a possible 80) is broken. > > The event of the past week cast heavy doubt on the current common techniques > used in hash algorithms. MD4 was the first to use this unbalanced Feistel > network. > > Whirlpool and Tiger are sometimes called "wide-trail" hashes. Different beasts > entirely. > > I suspect even SHA-256 and SHA-384/512 may be vulnerable to these attacks to > some extent. > > I expect there to be a flurry of new hashes proposed and adopted as > industry/government/international standards. From sunder at sunder.net Thu Aug 19 06:37:35 2004 From: sunder at sunder.net (Sunder) Date: Thu, 19 Aug 2004 09:37:35 -0400 (edt) Subject: Excerpts from Rudy Rucker's new Book Message-ID: >From Rudy Rucker's new book: "The Lifebox, the Seashell and the Soul." (The interesting bits to which Tim fantasizes to.) As seen on: http://www.boingboing.net/text/guestbar.html Rant at Start of Chapter on Society I write this book during a dark time. America's government is in the hands of criminals and morons. I'd like to break through to a radically different way of talking about society, to throw a bucket of ice-water in the face of the sleep-walking sheep who think that history is about presidents and kings. A baby filling a diaper is infinitely more significant than a congress placing a movement on the floor. Twin Towers Facts: The twin towers fell. The terrorists were Saudis. Bush invaded Iraq. 'Ah,' someone might say, 'if nobody wanted to fight, we'd be invaded. Look at the twin towers. The world's not safe.'
And I would submit that the administration's reaction to the twin towers was exactly the wrong one. Instead of jumping into the repetitive tit-for-tat class two Israelis-versus-Palestinians mode, the government should have gone class four. What would make men kill themselves while destroying a part of our lovely New York City? What system produced them? Isn't there a way to get in and jolt it in some totally unexpected way, something more original than rocket fire vs. car bombs? Emigration Before virtually every American presidential election, I've heard people say, 'If so and so wins, I'm leaving the country.' But they never do. The only time my friends ever emigrated was during the Viet Nam war, a time when the hive mind was undertaking the wholesale slaughter of a generation. But most of the time, for most of us, things aren't bad enough to make emigration seem reasonable. If the election is stolen again in Fall, 2004, the answer could be armed revolution, not emigration. If the Bush faction tries to retain power, a significant number of people may feel compelled to go to D.C. and fight in the streets until the tyrant is deposed. However long it takes, however dearly it costs. Would it be worth it? Hopefully he'll lose the election by too great a margin to fudge. But for that to happen, we have to vote. The popular vote margin matters, if not in the electoral college, then in the hearts and minds of our oppressed populace. If the margin were big enough, the house of cards could collapse. ----------------------Kaos-Keraunos-Kybernetos--------------------------- + ^ + :"Our enemies are innovative and resourceful, and so are we. /|\ \|/ :They never stop thinking about new ways to harm our country /\|/\ <--*-->:and our people, and neither do we." -G. W. Bush, 2004.08.05 \/|\/ /|\ : \|/ + v + : War is Peace, freedom is slavery, Bush is President.
------------------------------------------------------------------------- From emc at artifact.psychedelic.net Thu Aug 19 23:50:03 2004 From: emc at artifact.psychedelic.net (Eric Cordian) Date: Thu, 19 Aug 2004 23:50:03 -0700 (PDT) Subject: Another John Young Sighting Message-ID: <200408200650.i7K6o33Q000921@artifact.psychedelic.net> Was that our John Young on the Daily Show, talking about being visited by FBI agents, with the title "Anarchist" under his name? -- Eric Michael Cordian 0+ O:.T:.O:. Mathematical Munitions Division "Do What Thou Wilt Shall Be The Whole Of The Law" From bill.stewart at pobox.com Fri Aug 20 02:30:46 2004 From: bill.stewart at pobox.com (Bill Stewart) Date: Fri, 20 Aug 2004 02:30:46 -0700 Subject: Liechtenstein Prince Hands Power to Son Alois Message-ID: <200408200936.i7K9aZwT011322@positron.jfet.org> .... the article also has pictures http://apnews.myway.com//article/20040815/D84FU6700.html Liechtenstein Prince Hands Power to Son Aug 15, 6:26 PM (ET) By HARRY ROSENBAUM (AP) Prince Alois and Prince Hans-Adam II, right, of Liechtenstein toast each other in the park... VADUZ, Liechtenstein (AP) - Prince Hans-Adam II formally handed over day-to-day governing powers to his son Crown Prince Alois on Sunday - and then invited all 33,000 of Liechtenstein's people to a garden party. Hans-Adam, 59, retains overall authority over Liechtenstein, the tiny nation - one of Europe's smallest - wedged between Austria and Switzerland. After an open-air Mass, Alois gave his first speech as head of state. "Many people might ask ... 'Why should we change something that's working so well?'" said Alois, 36. But the country, which owes much of its wealth to being a financial center in the heart of Europe, is under pressure to crack down on global money laundering, he said. 
"The crisis in the financial center as well as the crisis in many European states show us how dangerous it can be if necessary, but perhaps unpleasant, reforms are not tackled promptly," Alois said. Like Switzerland, Liechtenstein has kept itself apart from Europe, remaining neutral in World War II and staying out of the European Union. Under constitutional changes made last year, the powers delegated to Alois include dismissing governments, vetoing new laws and casting the deciding vote on naming judges. The electorate has some checks on royal prerogative - it can force a referendum on any issue by gathering at least 1,500 signatures. But the Council of Europe, the continent's top human rights watchdog, has called last year's constitutional changes "a serious step backward" and says it is monitoring Liechtenstein's commitment to democracy because the prince has acquired such extensive powers. "Hans-Adam has been a provocateur," says Mario Frick, a former prime minister who opposed the prince's constitutional changes. "He liked to be in the middle of a quarrel. Many people hope Prince Alois ... will want to calm things down." Alois' spokeswoman Edith Schaedler told The Associated Press there were no plans to change Liechtenstein's foreign policy. "Prince Alois will focus initially more on internal affairs ... to secure pensions and health care for the long-term, and to ensure the best possible education," she said. The handover took place on the national holiday, celebrating Hans-Adam's father and coinciding with the Catholic feast of the Assumption. 
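Returning to the MD5 collision thread earlier in this digest: Greg Rose's summary of the Wang et al. results says the attack works "with any initial values", so a colliding block pair found for one chaining value can be followed by any common suffix, while a different prefix needs a fresh pair. The following is an added example and not code from any message on this list. It takes a widely reproduced MD5 colliding pair from those results (two 128-byte messages differing in six bytes, each at a word position matching the published differential) and checks with hashlib what the Merkle-Damgard structure guarantees: the pair collides, any identical suffix keeps it colliding at no extra cost, and prepending the same prefix to both breaks this particular pair, because the blocks are then fed a chaining value other than MD5's standard IV. The suffix and prefix are constructed test inputs; the block bytes are transcribed here, and the first check fails if the transcription is wrong.

```python
import hashlib

# Two 128-byte messages (two MD5 blocks each) from the Wang et al.
# results, as widely reproduced; they differ in exactly six bytes.
_A_HEX = (
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
_B_HEX = (
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)
BLOCK_A = bytes.fromhex(_A_HEX)
BLOCK_B = bytes.fromhex(_B_HEX)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def differing_positions(a: bytes, b: bytes) -> list:
    """Byte offsets at which two equal-length messages differ."""
    if len(a) != len(b):
        raise ValueError("messages must have equal length")
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def collides(a: bytes, b: bytes) -> bool:
    """True if a and b are distinct inputs with the same MD5 digest."""
    return a != b and md5_hex(a) == md5_hex(b)


def suffix_extension_holds(a: bytes, b: bytes, suffix: bytes) -> bool:
    """Merkle-Damgard consequence: if a and b are block-aligned and
    collide, their chaining values are equal after the last block, so
    a||s and b||s collide for every suffix s without any new search."""
    return collides(a + suffix, b + suffix)


def prefix_breaks_pair(a: bytes, b: bytes, prefix: bytes) -> bool:
    """Prepending the same prefix changes the chaining value the
    colliding blocks are fed into.  This pair was built for MD5's
    standard IV, so the differential path no longer holds and the
    digests are expected to differ."""
    return md5_hex(prefix + a) != md5_hex(prefix + b)


def demo() -> dict:
    # Constructed inputs standing in for "the rest of a file" and a
    # shared header placed before the colliding blocks.
    suffix = b"\n-- any trailing content, e.g. the rest of a file --\n"
    prefix = b"From: a shared header before the colliding blocks\n"
    return {
        "differs_at": differing_positions(BLOCK_A, BLOCK_B),
        "collides": collides(BLOCK_A, BLOCK_B),
        "suffix_keeps_collision": suffix_extension_holds(BLOCK_A, BLOCK_B, suffix),
        "prefix_breaks_collision": prefix_breaks_pair(BLOCK_A, BLOCK_B, prefix),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The suffix check is the practical half of the threat: once one colliding pair exists, two documents with arbitrary identical tails share a digest. The prefix check shows the limit of a precomputed pair, and why Wang's ability to restart the search from an arbitrary chaining value, at the "less than an hour" cost quoted above, is what makes chosen-prefix style abuse feasible rather than merely theoretical.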
From bill.stewart at pobox.com Fri Aug 20 02:31:49 2004 From: bill.stewart at pobox.com (Bill Stewart) Date: Fri, 20 Aug 2004 02:31:49 -0700 Subject: Another John Young Sighting In-Reply-To: <200408200650.i7K6o33Q000921@artifact.psychedelic.net> References: <200408200650.i7K6o33Q000921@artifact.psychedelic.net> Message-ID: <200408200932.i7K9WQE4077315@outlier.minder.net> At 11:50 PM 8/19/2004, Eric Cordian wrote: >Was that our John Young on the Daily Show, talking about being >visited by FBI agents, with the title "Anarchist" under his name? Yup. Reruns of the Daily Show are usually on at 7pm the following day, though check your local cable schedule. From gabe at seul.org Fri Aug 20 02:39:10 2004 From: gabe at seul.org (Gabriel Rocha) Date: Fri, 20 Aug 2004 05:39:10 -0400 Subject: Another John Young Sighting In-Reply-To: <200408200932.i7K9WQE4077315@outlier.minder.net> References: <200408200650.i7K6o33Q000921@artifact.psychedelic.net> <200408200932.i7K9WQE4077315@outlier.minder.net> Message-ID: <20040820093909.GB19567@moria.seul.org> On Aug 20 2004, Bill Stewart wrote: | Yup. Reruns of the Daily Show are usually on at 7pm the following day, | though check your local cable schedule. Don't suppose anyone is willing to record and post for those of us who don't have access to US channels right now? From andrewt at nmh.co.za Fri Aug 20 00:05:58 2004 From: andrewt at nmh.co.za (Andrew Thomas) Date: Fri, 20 Aug 2004 09:05:58 +0200 Subject: First quantum crypto bank transfer Message-ID: <000201c48684$299c9830$018b140a@gfserver> Cryptography system goes underground (Aug 19) http://physicsweb.org/article/news/8/8/13 A group of scientists in Austria and Germany has installed an optical fibre quantum cryptography system under the streets of Vienna and used it to perform the first quantum secure bank wire transfer (A Poppe et al. 2004 Optics Express 12 3865). 
The quantum cryptography system consisted of a transmitter (Alice) at Vienna's City Hall and a receiver (Bob) at the headquarters of an Austrian bank. The sites were linked by 1.45 kilometres of single-mode optical fibre. -- Andrew G. Thomas From base at unm.edu Fri Aug 20 08:13:18 2004 From: base at unm.edu (Jeff) Date: Fri, 20 Aug 2004 09:13:18 -0600 (MDT) Subject: T. Kennedy == Terrorist says TSA In-Reply-To: <1093012197.17481.1.camel@daft> References: <1093012197.17481.1.camel@daft> Message-ID: oh yeah. I forgot -- "give unto Caesar what is Caesar's" I think Jesus, like Odysseus, would have recognized the need not to choose, or at least, no need to choose. -Hap. On Fri, 20 Aug 2004, Steve Furlong wrote: > On Fri, 2004-08-20 at 09:54, Sunder wrote: >> http://www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2004/08/20/MNGQ28BM1O1.DTL >> >> Washington -- Sen. Edward "Ted" Kennedy said Thursday that he was stopped >> and questioned at airports on the East Coast five times in March because >> his name appeared on the government's secret "no-fly" list. > > It was a mistake, of course. Chappaquiddick-boy should have been put on > the "no-drive" list. From base at unm.edu Fri Aug 20 08:15:27 2004 From: base at unm.edu (Jeff) Date: Fri, 20 Aug 2004 09:15:27 -0600 (MDT) Subject: T. Kennedy == Terrorist says TSA In-Reply-To: <1093012197.17481.1.camel@daft> References: <1093012197.17481.1.camel@daft> Message-ID: Oops. that's what I get for responding too hastily - that response was supposed to be to the mail indexed before this message ... though a little non-sequitur now and then ... Sorry. On Fri, 20 Aug 2004, Steve Furlong wrote: > On Fri, 2004-08-20 at 09:54, Sunder wrote: >> http://www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2004/08/20/MNGQ28BM1O1.DTL >> >> Washington -- Sen. Edward "Ted" Kennedy said Thursday that he was stopped >> and questioned at airports on the East Coast five times in March because >> his name appeared on the government's secret "no-fly" list. 
> > It was a mistake, of course. Chappaquiddick-boy should have been put on > the "no-drive" list. From sunder at sunder.net Fri Aug 20 06:54:03 2004 From: sunder at sunder.net (Sunder) Date: Fri, 20 Aug 2004 09:54:03 -0400 (edt) Subject: T. Kennedy == Terrorist says TSA Message-ID: http://www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2004/08/20/MNGQ28BM1O1.DTL Washington -- Sen. Edward "Ted" Kennedy said Thursday that he was stopped and questioned at airports on the East Coast five times in March because his name appeared on the government's secret "no-fly" list. "That a clerical error could land one of the most powerful people in Washington on the list -- it makes one wonder just how many others who are not terrorists are on the list," said Reggie Shuford, a senior ACLU counsel. "Someone of Sen. Kennedy's stature can simply call a friend to have his name removed, but a regular American citizen does not have that ability. He had to call three times himself." ----------------------Kaos-Keraunos-Kybernetos--------------------------- + ^ + :"Our enemies are innovative and resourceful, and so are we. /|\ \|/ :They never stop thinking about new ways to harm our country /\|/\ <--*-->:and our people, and neither do we." -G. W. Bush, 2004.08.05 \/|\/ /|\ : \|/ + v + : War is Peace, freedom is slavery, Bush is President. ------------------------------------------------------------------------- From sfurlong at acmenet.net Fri Aug 20 07:29:57 2004 From: sfurlong at acmenet.net (Steve Furlong) Date: 20 Aug 2004 10:29:57 -0400 Subject: T. Kennedy == Terrorist says TSA In-Reply-To: References: Message-ID: <1093012197.17481.1.camel@daft> On Fri, 2004-08-20 at 09:54, Sunder wrote: > http://www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2004/08/20/MNGQ28BM1O1.DTL > > Washington -- Sen. Edward "Ted" Kennedy said Thursday that he was stopped > and questioned at airports on the East Coast five times in March because > his name appeared on the government's secret "no-fly" list.
It was a mistake, of course. Chappaquiddick-boy should have been put on the "no-drive" list. From jya at pipeline.com Fri Aug 20 11:44:08 2004 From: jya at pipeline.com (John Young) Date: Fri, 20 Aug 2004 11:44:08 -0700 Subject: T. Kennedy == Terrorist says TSA In-Reply-To: <1093012197.17481.1.camel@daft> References: Message-ID: The ban on Teddie flying had nothing to do with natsec. Years ago it was tried due to his being drunk and his stench of piss, vomit and scotch. Later, it was tried due to his being drunk, stinking, and too fat to fit in a single seat, demanding two or more, depending on whether he could be propped upright. Nobody from the Kennedy clan could or would travel with him. Aides had to go ahead to prepare the way for public "Irish strut-stagger," so Kennedy never got refused until he was ready to make a federal case about it. To be sure, members of both parties behave in public as pigs at trough, laced with whiskey or dope or tranquilizers or all. Ban them from public transport, which they use only occasionally to appear to be a little piggy, pray for frayed wiring on their private means of transport. From mv at cdc.gov Fri Aug 20 12:01:10 2004 From: mv at cdc.gov (Major Variola (ret)) Date: Fri, 20 Aug 2004 12:01:10 -0700 Subject: judges who get it Message-ID: <41264A75.C68B25CB@cdc.gov> Court rejects piracy claims against P2P file-sharing networks Friday, August 20, 2004 1:05:55 PM ET New Ratings NEW YORK, August 20 (New Ratings)  A federal appeals court in the US has declared that the online file-sharing software companies are not liable to copyright infringement charges. http://www.newratings.com/analyst_news/article_459109.html From bill.stewart at pobox.com Fri Aug 20 19:16:47 2004 From: bill.stewart at pobox.com (Bill Stewart) Date: Fri, 20 Aug 2004 19:16:47 -0700 Subject: T. 
Kennedy == Terrorist says TSA In-Reply-To: References: Message-ID: <200408210221.i7L2LPcf016860@positron.jfet.org> At 06:54 AM 8/20/2004, Sunder wrote: >http://www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2004/08/20/MNGQ28BM1O1.DTL > >Washington -- Sen. Edward "Ted" Kennedy said Thursday that he was stopped >and questioned at airports on the East Coast five times in March because >his name appeared on the government's secret "no-fly" list. Also Congressman John Lewis gets caught by this, though he can usually fly if he buys his tickets as "John R. Lewis". Unlike Kennedy, he tried going through channels to get off the lists, rather than starting with Ashcroft and working his way down. There's also a "Dr. John Lewis" who gets this kind of abuse, and registering as "Dr" or "John W. Lewis" doesn't seem to help him. From jya at pipeline.com Fri Aug 20 20:11:00 2004 From: jya at pipeline.com (John Young) Date: Fri, 20 Aug 2004 20:11:00 -0700 Subject: Another John Young Sighting In-Reply-To: <200408200650.i7K6o33Q000921@artifact.psychedelic.net> Message-ID: That was a surprise and I missed it. Saw the re-run just now. Pretty funny, ISTM. The clip was from an AP TV piece which was taped just before the recent AP story. One day a still photographer and video guy came to do a follow-up to a telephone interview by Tom Hays, the AP reporter. No fanfare like the ABC News gang. The two were in and out in 20 minutes. Each carried his own equipment, the TV guy packing a heavy shoulder camera. No lighting, no rigging, a mic, a recorder, the camera. He asked a couple of questions, said just talk, so I did. He said turn off the radio. Shot the barking carcass. He said walk down the corridor, don't talk. He shot a couple of scrolling screens, packed up, took off. The still camera guy was the only journalist over recent days who showed press ID, wore it around his neck. He was a black man, so it figures.
He said, without prompting, you know it's amazing how people let the press into their homes and offices, no questions asked. We could be cops or feds and nobody'd know. He said a couple of guys showed up at his home while the baby-sitter and his daughter were alone, had talked their way past the doorman, said they were cops, but showed no ID. The baby-sitter said show me ID. The guys said we don't need to. The babysitter said go to hell and slammed the door. The next day, the photog called the precinct to see if its cops had come. Precinct said nobody from here went there, but maybe they were from another jurisdiction. He said he never learned who they were or why they came. A black woman reporter came a couple of days ago, showed no ID but mesmerizing giant hooters in a deep-cut blouse. Don't remember what I told her, her name or who she worked for. Fought hard to look at her eyes, I think. From ptrei at rsasecurity.com Fri Aug 20 19:10:33 2004 From: ptrei at rsasecurity.com (Trei, Peter) Date: Fri, 20 Aug 2004 22:10:33 -0400 Subject: Another John Young Sighting Message-ID: <017630AA6DF2DF4EBC1DD4454F8EE29715A95C@rsana-ex-hq1.NA.RSA.NET> I caught the rerun. I have John's appearance as an mpg; 13 Mb at VCD qual, ~65 at DVD qual. I think <2 minutes of a 30 minute show counts as fair use. If someone can take that much as a mail attachment, or has an accessible ftp site, I'd be happy to send it. I'd prefer someone who can post it for others. It's funny, but not deep. Peter From rsw at jfet.org Fri Aug 20 21:55:08 2004 From: rsw at jfet.org (Riad S. Wahby) Date: Fri, 20 Aug 2004 23:55:08 -0500 Subject: Another John Young Sighting In-Reply-To: <017630AA6DF2DF4EBC1DD4454F8EE29715A95C@rsana-ex-hq1.NA.RSA.NET> References: <017630AA6DF2DF4EBC1DD4454F8EE29715A95C@rsana-ex-hq1.NA.RSA.NET> Message-ID: <20040821045508.GB18482@jfet.org> "Trei, Peter" wrote: > If someone can take that much as a mail attachment, > or has an accessible ftp site, I'd be happy to send it.
> I'd prefer someone who can post it for others. You can send it to me as an attachment and I'll put it up somewhere with a nice fat pipe. -- Riad S. Wahby rsw at jfet.org From rsw at jfet.org Mon Aug 23 12:44:40 2004 From: rsw at jfet.org (Riad S. Wahby) Date: Mon, 23 Aug 2004 14:44:40 -0500 Subject: Another John Young Sighting In-Reply-To: <20040821045508.GB18482@jfet.org> References: <017630AA6DF2DF4EBC1DD4454F8EE29715A95C@rsana-ex-hq1.NA.RSA.NET> <20040821045508.GB18482@jfet.org> Message-ID: <20040823194438.GA2036@jfet.org> "Riad S. Wahby" wrote: > "Trei, Peter" wrote: > > If someone can take that much as a mail attachment, > > or has an accessible ftp site, I'd be happy to send it. > > I'd prefer someone who can post it for others. > > You can send it to me as an attachment and I'll put it up somewhere with > a nice fat pipe. The Daily Show clip is now available from http://web.mit.edu/rsw/Public/JohnYoung040820.mpg -- Riad S. Wahby rsw at jfet.org From mv at cdc.gov Mon Aug 23 14:47:31 2004 From: mv at cdc.gov (Major Variola (ret)) Date: Mon, 23 Aug 2004 14:47:31 -0700 Subject: worm uses webcams to spy Message-ID: <412A65F3.4296D109@cdc.gov> ok, from /., but highly amusing Meet the Peeping Tom worm A worm that has the capability of using webcams to spy on users is circulating across the Net. http://www.theregister.co.uk/2004/08/23/peeping_tom_worm/ From measl at mfn.org Mon Aug 23 12:49:23 2004 From: measl at mfn.org (J.A. Terranson) Date: Mon, 23 Aug 2004 14:49:23 -0500 (CDT) Subject: Another John Young Sighting In-Reply-To: <20040823194438.GA2036@jfet.org> References: <017630AA6DF2DF4EBC1DD4454F8EE29715A95C@rsana-ex-hq1.NA.RSA.NET> <20040821045508.GB18482@jfet.org> <20040823194438.GA2036@jfet.org> Message-ID: <20040823144903.Y59275@ubzr.zsa.bet> On Mon, 23 Aug 2004, Riad S. Wahby wrote: > "Riad S. Wahby" wrote: > > "Trei, Peter" wrote: > > > If someone can take that much as a mail attachment, > > > or has an accessible ftp site, I'd be happy to send it.
> > > I'd prefer someone who can post it for others. > > > > You can send it to me as an attachment and I'll put it up somewhere with > > a nice fat pipe. > > The Daily Show clip is now available from > http://web.mit.edu/rsw/Public/JohnYoung040820.mpg > John's an "anarchist" now! LMAO! -- Yours, J.A. Terranson sysadmin at mfn.org 0xBD4A95BF "...justice is a duty towards those whom you love and those whom you do not. And people's rights will not be harmed if the opponent speaks out about them." Osama Bin Laden - - - "There aught to be limits to freedom!" George Bush - - - Which one scares you more? From ptrei at rsasecurity.com Mon Aug 23 13:21:28 2004 From: ptrei at rsasecurity.com (Trei, Peter) Date: Mon, 23 Aug 2004 16:21:28 -0400 Subject: Another John Young Sighting Message-ID: <017630AA6DF2DF4EBC1DD4454F8EE29716172B@rsana-ex-hq1.NA.RSA.NET> After some hiccups, I got a copy to Riad S. Wahby, and he has posted it at http://web.mit.edu/rsw/Public/JohnYoung040820.mpg Thanks, Riad! Peter > -----Original Message----- > From: owner-cypherpunks at minder.net > [mailto:owner-cypherpunks at minder.net]On Behalf Of Trei, Peter > Sent: Friday, August 20, 2004 10:11 PM > To: John Young; cypherpunks at minder.net > Subject: RE: Another John Young Sighting > > > I caught the rerun. I have John's appearance as an mpg; > 13 Mb at VCD qual, ~65 at DVD qual. I think <2 minutes > of a 30 minute show counts as fair use. > > If someone can take that much as a mail attachment, > or has an accessible ftp site, I'd be happy to send it. > I'd prefer someone who can post it for others. > > It's funny, but not deep. > > Peter From camera_lumina at hotmail.com Mon Aug 23 17:11:21 2004 From: camera_lumina at hotmail.com (Tyler Durden) Date: Mon, 23 Aug 2004 20:11:21 -0400 Subject: Another John Young Sighting Message-ID: So...does Mr Young want to describe the FBI non/encounter? (Perhaps he has but I've been out of town and the hotmail account barfed up most recent posts.)
What I don't yet fully grasp is why they bother. I suppose there are the following, but I suspect there's one key thing in their minds: 1) Scope out potential sources of arrestability. 2) Intimidate into "straighten up and fly right" 3) Pre-BB or not so-BB-work: Readily available weapons, etc...in case of raid? 4) Just sniffing out the orientation/motivations...ie, raghead or non-raghead? Of the above I consider 3) Unlikely, 2) Not superlikely, 1) Fairly likely and 4) Most probable. -TD >From: "Trei, Peter" >To: "Trei, Peter" , "John Young" , > >Subject: RE: Another John Young Sighting >Date: Mon, 23 Aug 2004 16:21:28 -0400 > >After some hiccups, I got a copy to Riad S. Wahby, >and he has posted it at >http://web.mit.edu/rsw/Public/JohnYoung040820.mpg > >Thanks, Riad! > >Peter > > > > -----Original Message----- > > From: owner-cypherpunks at minder.net > > [mailto:owner-cypherpunks at minder.net]On Behalf Of Trei, Peter > > Sent: Friday, August 20, 2004 10:11 PM > > To: John Young; cypherpunks at minder.net > > Subject: RE: Another John Young Sighting > > > > > > I caught the rerun. I have John's appearance as an mpg; > > 13 Mb at VCD qual, ~65 at DVD qual. I think <2 minutes > > of a 30 minute show counts as fair use. > > > > If someone can take that much as a mail attachment, > > or has an accessible ftp site, I'd be happy to send it. > > I'd prefer someone who can post it for others. > > > > It's funny, but not deep. > > > > Peter > > > > > _________________________________________________________________ Check out Election 2004 for up-to-date election news, plus voter tools and more! http://special.msn.com/msn/election2004.armx From jya at pipeline.com Mon Aug 23 20:50:18 2004 From: jya at pipeline.com (John Young) Date: Mon, 23 Aug 2004 20:50:18 -0700 Subject: Another John Young Sighting In-Reply-To: Message-ID: The FBI visit took place in November 2003.
Here's an account: http://cryptome.org/fbi-cryptome.htm The John Stewart piece excerpted an AP-TV clip taped on August 16 which was a supplement to an AP story about FBI harassment of potential RNC protestors. AP, like ABC News, confused the unrelated November visit with the August RNC visits. What got their attention were Cryptome's aerials and maps -- red-team exposure of vulnerabilities around Madison Square Garden, and our accusation of NYC security by obscurity. No feds or LEs have inquired about those obvious weaknesses. During interviews we've tried to explain this but that didn't mean shit to the interviewers who were looking for people to brand anarchists who had been smeared by FBI visits. Why are you helping terrorists, they chant. We had no contact with the Daily Show. And didn't use the term anarchist in interviews although several interviewers urged it. We told one interviewer that anarchism was too mild for our intention to undermine civilization, to rid the earth of humanity, for the planet to shrivel into nothingness, to accept that the desire to be god was a useless passion. Oh shit, he said, you're a Sartrean. Merde, oui. From anmetet at freedom.gmsociety.org Mon Aug 23 18:09:40 2004 From: anmetet at freedom.gmsociety.org (An Metet) Date: Mon, 23 Aug 2004 21:09:40 -0400 Subject: Another John Young Sighting Message-ID: <43c34d8420c999e9a4f1bb106e748551@anonymous> >John's an "anarchist" now! LMAO! This is a perfect example of media bias and manufacture of enemies. Collecting public material at one place *is* anarchism today. You may laugh but 74% (or whatever is the % who believes Saddam personally piloted all 9/11 planes) of americans will believe it. So Mr. Young is anarchist for all practical purposes and consequences. And you are all his associates. From roy at rant-central.com Mon Aug 23 18:26:02 2004 From: roy at rant-central.com (Roy M. 
Silvernail) Date: Mon, 23 Aug 2004 21:26:02 -0400 Subject: Another John Young Sighting In-Reply-To: <1f0cc8a13634c7d39f69e434cfa6da24@freedom.gmsociety.org> References: <1f0cc8a13634c7d39f69e434cfa6da24@freedom.gmsociety.org> Message-ID: <1093310761.28511.12.camel@localhost> On Mon, 2004-08-23 at 21:09, An Metet wrote: > >John's an "anarchist" now! LMAO! > > This is a perfect example of media bias and manufacture of enemies. > > Collecting public material at one place *is* anarchism today. > > You may laugh but 74% (or whatever is the % who believes Saddam personally > piloted all 9/11 planes) of americans will believe it. > > So Mr. Young is anarchist for all practical purposes and consequences. > And you are all his associates. Thanks for reminding me. I'd been putting off ordering my CD set. OTGH, I'm noticing a fair number of self-described anarchists who say they'll vote Bush, but only because it will hasten the inevitable final breakdown. -- Roy M. Silvernail is roy at rant-central.com, and you're not "Progress, like reality, is not optional." - R. A. Hettinga SpamAssassin->procmail->/dev/null->bliss http://www.rant-central.com From mv at cdc.gov Tue Aug 24 08:50:21 2004 From: mv at cdc.gov (Major Variola (ret)) Date: Tue, 24 Aug 2004 08:50:21 -0700 Subject: Another John Young Sighting Message-ID: <412B63BC.3D18FDC6@cdc.gov> At 09:09 PM 8/23/04 -0400, An Metet wrote: >You may laugh but 74% (or whatever is the % who believes Saddam personally >piloted all 9/11 planes) of americans will believe it. > >So Mr. Young is anarchist for all practical purposes and consequences. >And you are all his associates. "While acknowledging himself an Anarchist, he does not state to what branch of the organization he belongs" ---Discussing Leon Czolgosz' shooting of President William McKinley PS: I thought Tyler had nominated himself as leader? :-) Personally, I'm a sleeper cell for the Bill of Rights... 
From ptrei at rsasecurity.com Tue Aug 24 06:39:08 2004
From: ptrei at rsasecurity.com (Trei, Peter)
Date: Tue, 24 Aug 2004 09:39:08 -0400
Subject: Another John Young Sighting
Message-ID: <017630AA6DF2DF4EBC1DD4454F8EE29716172D@rsana-ex-hq1.NA.RSA.NET>

Tyler Durden [mailto:camera_lumina at hotmail.com]
> So...does Mr Young want to describe the FBI non/encounter? (Perhaps he has but I've been out of town and the hotmail account barfed up most recent posts.)
>
> What I don't yet fully grasp is why they bother. I suppose there are the following, but I suspect there's one key thing in their minds:
>
> 1) Scope out potential sources of arrestability.
> 2) Intimidate into "straighten up and fly right"
> 3) Pre-BB or not so-BB-work: Readily available weapons, etc...in case of raid?
> 4) Just sniffing out the orientation/motivations...ie, raghead or non-raghead?
>
> Of the above I consider 3) Unlikely, 2) Not superlikely, 1) Fairly likely and 4) Most probable.
>
> -TD

While I agree on your assessment, don't forget 5) CYA. Since 9/11, the lower echelons of the security apparatus know that if Something Bad happens, and they are shown to have discounted any hint or suspicion concerning any person even very peripherally involved, their ass is grass and their career goes in the toilet.

Peter

From camera_lumina at hotmail.com Tue Aug 24 07:33:24 2004
From: camera_lumina at hotmail.com (Tyler Durden)
Date: Tue, 24 Aug 2004 10:33:24 -0400
Subject: Another John Young Sighting
Message-ID:

> > You may laugh but 74% (or whatever is the % who believes Saddam personally
> > piloted all 9/11 planes) of americans will believe it.
> >
> > So Mr. Young is anarchist for all practical purposes and consequences.
> > And you are all his associates.

Well, they did have the little info-stripe under John Young's face that said "Anarchist", so that proves it. Too bad they didn't use the shaky-letter scary font.

-TD

"Listen to the music...he's evil!"
(Homer Simpson)

From camera_lumina at hotmail.com Tue Aug 24 10:26:57 2004
From: camera_lumina at hotmail.com (Tyler Durden)
Date: Tue, 24 Aug 2004 13:26:57 -0400
Subject: Another John Young Sighting
Message-ID:

Variola wrote...

>PS: I thought Tyler had nominated himself as leader? :-)

No, almost the opposite. I propose that any 'Cypherpunk' can declare himself to be leader and make 'official statements' at any time. Of course, others can (and most probably will) choose to ignore the official statement, or even declare himself to be leader and 'officially' rescind that statement and/or issue a completely contradictory statement. This will be particularly useful when getting (for instance) public interest to move elsewhere. For instance, it might be useful to have an official statement ready if/when the Cryptome press starts poking around Cypherpunks:

FOR IMMEDIATE RELEASE

Cypherpunks is a collection of diverse individuals dedicated to preserving the freedoms that all Americans value. As part of this effort, Cypherpunks periodically analyzes the systems used by terrorists and other enemies of freedom in an attempt to strengthen such systems and prevent their abuse. Indeed, Cypherpunks has good reason to believe that there are large cells of terrorists and other Men With Guns scattered throughout the nation, even in the DC Beltway area.

Or, perhaps there's a "Suicide Girl" you've been stalking...erh, I mean trying to impress. You might try:

FOR IMMEDIATE RELEASE

Major Variola (Retired) was recently elected to be the President/Chief Executive Officer/King of the Cypherpunks Group(TM). Variola was considered by all to have not only formidable intellectual powers, but a large-ish penis as well.
All members of the Cypherpunks list have promised to act upon any official statement by Variola, without delay or question, and around the world are toasting the new era of his leadership. All hail Variola.

or

"Dear Mr Mohammed: I am particularly interested in hearing more about your offer to transfer funds to an eGold account. Please send the money right away, and rest assured that you will have the full support of all members of the Cypherpunks list.

And so on...

-TD

From emc at artifact.psychedelic.net Tue Aug 24 17:56:40 2004
From: emc at artifact.psychedelic.net (Eric Cordian)
Date: Tue, 24 Aug 2004 17:56:40 -0700 (PDT)
Subject: Another John Young Sighting
In-Reply-To:
Message-ID: <200408250056.i7P0ueUt000870@artifact.psychedelic.net>

Tyler Durden wrote:

> I propose that any 'Cypherpunk' can declare himself
> to be leader and make 'official statements' at any time. Of course, others
> can (and most probably will) choose to ignore the official statement, or
> even declare himself to be leader and 'officially' rescind that statement
> and/or issue a completely contradictory statement. This will be particularly
> useful when getting (for instance) public interest to move elsewhere.

Sounds like the Discordian concept that everyone is a Pope, and therefore infallible, even when they disagree with one another.

Hail Eris.

--
Eric Michael Cordian 0+
O:.T:.O:. Mathematical Munitions Division
"Do What Thou Wilt Shall Be The Whole Of The Law"

From die at dieconsulting.com Tue Aug 24 20:52:38 2004
From: die at dieconsulting.com (Dave Emery)
Date: Tue, 24 Aug 2004 23:52:38 -0400
Subject: Digital camera fingerprinting...
Message-ID: <20040825035238.GA9881@pig.dieconsulting.com>

Just a random distraction from the normal topics (but not completely irrelevant either)...
I happened to spend a few minutes yesterday talking with an individual who participated in the development of both low and high end digital cameras for the commercial mass market. He told me that especially in the low end camera market NO sensors used were completely free of anomalous pixels (black, white, dim, bright etc) and much of the actual processing in digital camera firmware was related to masking or hiding the inevitable defects which apparently can include (at least in CMOS sensors) entire rows or columns that are bad.

This got me thinking - clearly these concealment patches are not completely undetectable in families of (multiple to many) images taken with the same exact camera... and for the most part the defects are born with the sensor and change little over time if at all. And with few exceptions they are random, and different for each sensor. Thus it ought to be possible to detect with reasonable probability that a particular image or (much easier) that a particular family of images was likely to have originated with a particular camera. A kind of digital fingerprint if you will...

Cypherpunk relevance (marginal perhaps), but the ability to say that a particular image or set of images came from a particular camera COULD have legal consequences for those bent on activities someone thinks of as unfriendly to their interests...

Of course the headers of jpegs from cameras (and maybe elsewhere) often contain serial numbers and other identifying information so to the first order this is irrelevant to average users, but interesting none the less.
-- Dave Emery N1PRE, die at dieconsulting.com DIE Consulting, Weston, Mass 02493 From sunder at sunder.net Wed Aug 25 07:16:02 2004 From: sunder at sunder.net (Sunder) Date: Wed, 25 Aug 2004 10:16:02 -0400 (edt) Subject: Wired: Attacking the 4th Estate Message-ID: http://www.wired.com/news/politics/0,1283,64680,00.html?tw=wn_tophead_6 or, the HTML crap free version: http://www.wired.com/news/print/0,1294,64680,00.html Attacking the Fourth Estate By Adam L. Penenberg | Also by this reporter Page 1 of 2 next 02:00 AM Aug. 25, 2004 PT John Ashcroft and the Department of Justice must be stopped. There, I've said it. Of course, now I half expect federal agents to drag me off to prison for violating the No One Dare Question the Government While We Are Engaged in the War Against Terror Act. (Duration: perhaps forever.) Sure, you say, no such act exists. But Ashcroft himself once testified that bellyaching over what he called "phantoms of lost liberty" only serves to "aid terrorists" and "give ammunition to America's enemies." And recently FBI agents attempted to intimidate political activists by visiting them at their homes to warn about causing trouble at the upcoming Republican convention. More to the point, under Justice Department guidelines, Ashcroft must approve any subpoena of a journalist, so how do you explain the rash of subpoenas that Special Prosecutor Patrick J. Fitzgerald, the U.S. attorney from Chicago, has doled out to Time magazine, The New York Times, The Washington Post and NBC? Already one reporter -- Matthew Cooper from Time -- has been held in contempt by a federal judge for refusing to appear before the grand jury that Fitzgerald convened to investigate which Bush administration senior official(s) leaked a covert spy's identity to columnist Robert Novak. ----------------------Kaos-Keraunos-Kybernetos--------------------------- + ^ + :"Our enemies are innovative and resourceful, and so are we. 
/|\ \|/ :They never stop thinking about new ways to harm our country /\|/\ <--*-->:and our people, and neither do we." -G. W. Bush, 2004.08.05 \/|\/ /|\ : \|/ + v + : War is Peace, freedom is slavery, Bush is President. ------------------------------------------------------------------------- From rah at shipwright.com Wed Aug 25 09:18:05 2004 From: rah at shipwright.com (R. A. Hettinga) Date: Wed, 25 Aug 2004 10:18:05 -0600 Subject: Tilting at the Ballot Box Message-ID: Business 2.0 - Magazine Article - Printable Version - Tilting at the Ballot Box Entrepreneur David Chaum's e-money venture flopped. Now he wants to fix electronic voting. For once, is the brilliant inventor right on time? By John Heilemann, September 2004 Issue The legendary cryptographer David Chaum has just invented something amazing, and his timing is nearly perfect. At a moment when electronic voting has been turned -- by a confluence of clueless election officials, slipshod technologies, dodgy vendors, and ever vigilant geeks -- from a great leap forward into an abject fiasco, Chaum has unveiled an e-voting system that's everything the current gizmos aren't. It's incredibly secure. It guarantees anonymity. Its results are verifiable. It is, Chaum claims, "the first electronic mechanism that ensures both integrity and privacy." Indeed, as far as I can see, Chaum's invention has only one conceivable drawback: It won't be on the market in time to save us on Nov. 2. As veterans of the digital revolution will recall, solving apparently insoluble problems has always been Chaum's forte. Most famously, back in 1990, he founded the company DigiCash to commercialize his pioneering work on electronic money. Even by the standards of that heady time, Chaum's ambitions were lofty: propelling the international currency system into the digital age. But while everyone agreed that the technologies he invented were elegant and brilliant, the world, it turned out, wasn't nearly ready for the incursion of e-money. 
At the end of 1998, DigiCash bit the dust. Technology writer Steven Levy once described Chaum as "Don Quixote in Birkenstocks." Today the Birkenstocks are gone, but the beard, ponytail, and quixotic temperament all remain in place. Once again, the windmill he's tilting at is an entrenched and archaic system. And once again he's starting a new company to profit from his ingenuity. If there were any justice or logic in this world, his success would be guaranteed. But since the world we're talking about is national politics, I fear he faces an uphill fight. No one has thought longer or harder about e-voting than Chaum. As a graduate student at the University of California at Berkeley in the late 1970s, he wrote the first papers on the topic -- then moved on to other things. But after the Floridian fiasco of 2000, in which hanging chads and butterfly ballots vividly demonstrated how dangerously outmoded our electoral technology was, Chaum's interest was rekindled. At the time, election officials in scores of states were racing to embrace touchscreen voting terminals from suppliers such as Diebold and Sequoia. So Chaum considered the idea he was hatching "a totally academic exercise." Then, out of nowhere, all hell broke loose. Computer scientists and security experts declared the current generation of machines easily hackable and prone to tampering. In particular, the critics complained that because the machines leave no paper trail, their results are impossible to audit. (Any recount would rely on the same software that might have mangled or manipulated the votes to begin with.) Voting activists dug up a pile of evidence of past e-voting irregularities. A populist campaign, "The Computer Ate My Vote," erupted on the Internet. Meanwhile, Diebold's CEO, Walden O'Dell, unwittingly fed a thousand conspiracy theories by hosting a Bush fund-raiser -- and writing to the invited guests, "I am committed to helping Ohio deliver its electoral votes to the president next year." 
In the face of all this, states are scrambling to figure out what to do -- both in November and further in the future. The solution that's gained the most momentum is known as "verified voting." Here a printer attached to the touchscreen terminal spits out a hard copy of the voter's choices and displays it under a transparent barrier. Once the voter approves the receipt, it's put in a sealed ballot box, from which it can be retrieved and tallied in the case of a recount. The problem, however, as Chaum points out, is that the receipts are as vulnerable to fraud as ordinary paper ballots. "They can, for example, be tampered with between the vote and the recount," he says."In a sense, ballot-under-glass is no more secure than old-fashioned punch-card systems." Chaum's system, Votegrity, produces a paper trail too -- except Chaum throws cryptography into the mix, and that changes the equation. With Votegrity, the printer attached to the terminal generates two strips of paper, each of which holds your vote in encrypted form. Overlaid on top of one another and seen through a custom viewfinder, the strips, through some cryptographic voodoo, reveal your choices in plain English. Once you've verified your vote, the strips are separated, you pick one to take home as a receipt, and the bar-code-like image on that strip is stored digitally. When the time comes to tally the votes, the images are decrypted (using a complicated Chaumian mathematical process that's all but tamperproof). Meanwhile, the encoded images are posted on the Web, so that you can go online afterward and confirm that your vote was counted by using a serial number on your strip. There's no denying that Votegrity teeters on the brink of genius. By letting voters take receipts, Chaum's system would erect formidable hurdles to election fraud -- while simultaneously, through encryption, preserving the sacrosanct anonymity of the ballot box. 
That said, I can think of at least three glaring reasons to be skeptical of Votegrity's prospects. First, the system isn't exactly a paragon of simplicity; it took nearly four hours of explication by Chaum for me to get my head fully around it. Second, election officials are by inclination a deeply conservative lot, especially around new technology. A system combining cryptography and the Web isn't likely to set their pulses racing -- or cause their checkbooks to spring open. Third, there's verified voting. Whatever the imperfections of ballot-under-glass, I suspect that many people who distrust e-voting will consider it a good-enough safeguard. And as the history of technology makes abundantly clear, in a contest between perfect and good enough, the latter wins every time. Naturally, Chaum disagrees. Given the intensity of the uproar over the current touchscreen terminals, he believes that states will have no choice but to adopt a more sophisticated system. "The more people swear that the machines should be trusted, the less trust there is," he says. "Forget whether they're really secure or reliable. What matters is that major chunks of the public don't believe they are. We've got a crisis of voter confidence on our hands -- and it's not going to go away." As for verified voting, Chaum simply says, "I don't think a system that's equivalent to punch cards is going to cut it at this point." Depending on what happens in November, Chaum could be proven right. With the election only two months off, the backlash against e-voting has produced a situation bordering on chaos. At the start of the year, it appeared that some 50 million voters-roughly 30 percent of the total -- would be casting their ballots digitally. Now, who knows? In California, the secretary of state has banned the Diebold machines from use and decertified all the rest. In other states, there are movements afoot to require verified voting. 
In still others, officials are pressing ahead with the machines despite the hue and cry. All of which suggests one thing: If the election turns out to be as close as most polls suggest, we may be headed for a multistate postelection conflagration, complete with protests and litigation, that will make the contretemps over Florida in 2000 look like a schoolyard spat.

For Chaum, who's in the process of rounding up investors and hiring executives for the firm he's starting around Votegrity, such a conflagration would be, perversely, the best news imaginable. Not that he's the kind of guy who'd root for such an outcome. A bone-deep do-gooder, a privacy crusader, he's an unabashed idealist whose desire to make the world better is so earnest it's slightly painful. When I asked him why he was still tilting at windmills even after the anguish of DigiCash, he smiled, shrugged, and softly replied, "This is really important stuff -- someone's got to do it."

On that point he'll get no argument from me. No matter what transpires on Election Day and in its aftermath, Chaum and his allies have already rendered an invaluable service: not only exposing the flaws of e-voting today, but pointing toward something better for tomorrow. Coming up with that something -- a digital system that's secure, private, and verifiable -- will plainly be no mean feat. As more and more geeks take up the challenge, the odds will inevitably decline that Chaum's will be the system that triumphs. But I can't help hoping that, for once in his life, he kicks the windmill's ass.

John Heilemann wrote "Pride Before the Fall." His next book is "The Valley."

--
-----------------
R. A. Hettinga
The Internet Bearer Underwriting Corporation
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience."
-- Edward Gibbon, 'Decline and Fall of the Roman Empire' From trunks at stackers.org Wed Aug 25 07:21:14 2004 From: trunks at stackers.org (kawaii ryuko) Date: Wed, 25 Aug 2004 10:21:14 -0400 Subject: Another John Young Sighting In-Reply-To: <200408250056.i7P0ueUt000870@artifact.psychedelic.net> Message-ID: <027301c48aae$c791cbe0$6500a8c0@nightfire> > -----Original Message----- > Sent: Tuesday, August 24, 2004 20:57 > > > Sounds like the Discordian concept that everyone is a Pope, > and therefore > infallible, even when they disagree with one another. > > Hail Eris. > All hail Discordia! > -- > Eric Michael Cordian 0+ > O:.T:.O:. Mathematical Munitions Division > "Do What Thou Wilt Shall Be The Whole Of The Law" Ever lovable and always scrappy, kawaii From mv at cdc.gov Wed Aug 25 10:26:23 2004 From: mv at cdc.gov (Major Variola (ret)) Date: Wed, 25 Aug 2004 10:26:23 -0700 Subject: Digital camera fingerprinting... Message-ID: <412CCBBF.8B0E0708@cdc.gov> At 11:52 PM 8/24/04 -0400, Dave Emery wrote: > Just a random distraction from the normal topics (but not >completely irrelevant either)... Highly relevant sir. > He told me that especially in the low end camera market NO >sensors used were completely free of anomalous pixels (black, white, >dim, bright etc) and much of the actual processing in digital camera >firmware was related to masking or hiding the inevitable defects which >apparently can include (at least in CMOS sensors) entire rows or columns >that are bad. Kinda like disk drives and DRAM arrays. Its all about yield. Covering up mistakes transparently. > This got me thinking - clearly these concealment patches are not >completely undetectable in families of (multiple to many) images taken >with the same exact camera... and for the most part the defects are born >with the sensor and change little over time if at all. And with few >exceptions they are random, and different for each sensor. 
Perhaps, but the jpeg-ization might lose these, or at least the image "unicity distance" might require many more pictures than a careful steganographer will publish.

> Cypherpunk relevance (marginal perhaps), but the ability to say
>that a particular image or set of images came from a particular camera
>COULD have legal consequences for those bent on activities someone
>thinks of as unfriendly to their interests...

Very relevant, traffic analysis and fingerprinting (intentional or not) are always tasty subjects. One question for the court would be, how many *other* cameras have column 67 disabled? One of every thousand? And how many thousand cameras were sold?

Pope Major Variola (ret)

From sunder at sunder.net Wed Aug 25 07:28:34 2004
From: sunder at sunder.net (Sunder)
Date: Wed, 25 Aug 2004 10:28:34 -0400 (edt)
Subject: Another John Young Sighting
In-Reply-To: <027301c48aae$c791cbe0$6500a8c0@nightfire>
References: <027301c48aae$c791cbe0$6500a8c0@nightfire>
Message-ID:

All Hail Cthulhu! Why worship the lesser evil? Vote for Cthulhu! Why vote for the lesser evil?

----------------------Kaos-Keraunos-Kybernetos--------------------------- + ^ + :"Our enemies are innovative and resourceful, and so are we. /|\ \|/ :They never stop thinking about new ways to harm our country /\|/\ <--*-->:and our people, and neither do we." -G. W. Bush, 2004.08.05 \/|\/ /|\ : \|/ + v + : War is Peace, freedom is slavery, Bush is President. -------------------------------------------------------------------------

On Wed, 25 Aug 2004, kawaii ryuko wrote:
> > Hail Eris.
> >
> All hail Discordia!
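Dave Emery's sketch earlier in this thread (firmware-concealed sensor defects as a per-camera fingerprint) and Variola's follow-up question (how many *other* cameras share a given defect) can both be made concrete. What follows is an added example, not code from either poster: a toy sensor model in pure Python on constructed data. The camera model, the neighbour-averaging concealment, the noise level, the per-defect rates and the "cameras sold" figure are all assumptions made for the demonstration. The detector flags pixels that sit exactly on the midpoint of their horizontal neighbours in nearly every frame of a family of images, which is the trace that interpolation-style concealment leaves behind, and `expected_other_cameras` then turns Variola's "one in a thousand, times how many thousand sold" into a number.

```python
"""Sensor-defect fingerprinting on constructed data (pure Python).

Model (an assumption, not a real camera pipeline): every sensor has a
fixed random set of dead pixels, optionally a whole dead column, and the
firmware conceals each dead site by writing the mean of its left and
right neighbours.  A concealed site is therefore *exactly* that midpoint
in every frame, while a healthy pixel only lands near it because of read
noise.  Sites that are exactly-midpoint in nearly every frame of a family
of images form the camera's fingerprint.
"""
import random

HEIGHT, WIDTH = 24, 32   # tiny sensor, enough to show the effect
NOISE_SIGMA = 2.0        # per-capture read noise in grey levels (assumed)


class Camera:
    """A sensor with a fixed defect map and neighbour-averaging concealment."""

    def __init__(self, seed, n_dead_pixels=8, dead_column=None):
        rng = random.Random(seed)
        self.dead_column = dead_column
        self.dead = set()
        # Dead pixels are kept isolated (no horizontal neighbour dead, not next
        # to the dead column) so concealment always reads two healthy neighbours.
        while len(self.dead) < n_dead_pixels:
            r, c = rng.randrange(HEIGHT), rng.randrange(1, WIDTH - 1)
            if dead_column is not None and abs(c - dead_column) <= 1:
                continue
            if any((r, c + d) in self.dead for d in (-1, 0, 1)):
                continue
            self.dead.add((r, c))
        self.defects = set(self.dead)
        if dead_column is not None:
            self.defects |= {(r, dead_column) for r in range(HEIGHT)}

    def capture(self, scene, rng):
        """Read a HEIGHT x WIDTH scene through this sensor."""
        raw = [[v + rng.gauss(0.0, NOISE_SIGMA) for v in row] for row in scene]
        for (r, c) in self.defects:   # firmware concealment of dead sites
            raw[r][c] = (raw[r][c - 1] + raw[r][c + 1]) / 2.0
        return raw


def smooth_sites(image, tol=1e-9):
    """Interior pixels that sit exactly on the midpoint of their horizontal
    neighbours.  With noise present a healthy pixel essentially never does."""
    found = set()
    for r in range(HEIGHT):
        for c in range(1, WIDTH - 1):
            mid = (image[r][c - 1] + image[r][c + 1]) / 2.0
            if abs(image[r][c] - mid) <= tol:
                found.add((r, c))
    return found


def fingerprint(images, min_fraction=0.9):
    """Sites that are exactly-midpoint in at least min_fraction of the family."""
    counts = {}
    for img in images:
        for site in smooth_sites(img):
            counts[site] = counts.get(site, 0) + 1
    return {s for s, n in counts.items() if n >= min_fraction * len(images)}


def match_score(fp, image):
    """Fraction of the fingerprint that reappears in a single query image."""
    return len(fp & smooth_sites(image)) / len(fp) if fp else 0.0


def expected_other_cameras(per_defect_probabilities, cameras_sold):
    """Variola's question: how many *other* units in the sold population are
    expected to share every listed defect, assuming independent defects
    (an assumption; real defect rates cluster by wafer and model)."""
    p = 1.0
    for q in per_defect_probabilities:
        p *= q
    return cameras_sold * p


def demo(n_family=12, seed=1):
    """Build a family from camera A, fingerprint it, then score a fresh frame
    from A and one from camera B, which shares A's dead column but has its
    own dead pixels.  Returns (fingerprint, score_A, score_B)."""
    rng = random.Random(seed)
    cam_a = Camera(seed=101, dead_column=17)
    cam_b = Camera(seed=202, dead_column=17)

    def scene():   # a smooth gradient with a random brightness (constructed)
        base = rng.uniform(40.0, 200.0)
        return [[base + 0.5 * r + 0.3 * c for c in range(WIDTH)]
                for r in range(HEIGHT)]

    family = [cam_a.capture(scene(), rng) for _ in range(n_family)]
    fp = fingerprint(family)
    return (fp, match_score(fp, cam_a.capture(scene(), rng)),
            match_score(fp, cam_b.capture(scene(), rng)))


if __name__ == "__main__":
    fp, score_a, score_b = demo()
    print(f"fingerprint sites: {len(fp)}  A: {score_a:.2f}  B: {score_b:.2f}")
    # A dead column alone, at one unit in a thousand, has ~1000 look-alikes
    # in a million sold; add eight independent dead pixels and it has none.
    print(expected_other_cameras([1 / 1000], 1_000_000))
    print(expected_other_cameras([1 / 1000] + [1 / 2000] * 8, 1_000_000))
```

Camera B scores well below A only because of its own dead pixels; the shared dead column alone would give it three quarters of A's fingerprint, which is exactly why Variola's population question matters for evidentiary weight. The midpoint test works on raw pixel values; lossy compression of the kind Variola mentions perturbs every pixel slightly, so a detector on JPEG output has to fall back on statistical residual correlation over many frames rather than an exact equality, and needs correspondingly more images.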
From kelsey.j at ix.netcom.com Wed Aug 25 07:42:12 2004
From: kelsey.j at ix.netcom.com (John Kelsey)
Date: Wed, 25 Aug 2004 10:42:12 -0400 (GMT-04:00)
Subject: Another John Young Sighting
Message-ID: <17535524.1093444934091.JavaMail.root@fozzie.psp.pas.earthlink.net>

>From: "Trei, Peter"
>Sent: Aug 24, 2004 9:39 AM
>To: Tyler Durden , jya at pipeline.com, cypherpunks at minder.net, cypherpunks at al-qaeda.net
>Subject: RE: Another John Young Sighting
...
> 5) CYA. Since 9/11, the lower echelons of the
>security apparatus know that if Something Bad
>happens, and they are shown to have discounted
>any hint or suspicion concerning any person
>even very peripherally involved, their ass is
>grass and their career goes in the toilet.

Yep, I think you hit it on the head. I'll bet the list of suspected terrorists never gets a name removed other than by death, if then. Who wants to be the guy who correctly assessed the evidence to remove someone's name, only to have the same guy blow up a plane a year later? IMO, this seems like a fundamental problem with watchlists.

>Peter

--John Kelsey

From mv at cdc.gov Wed Aug 25 10:55:20 2004
From: mv at cdc.gov (Major Variola (ret))
Date: Wed, 25 Aug 2004 10:55:20 -0700
Subject: Welcome to the Church of Strong Cryptography.
Message-ID: <412CD287.3E2ADFE4@cdc.gov>

At 01:26 PM 8/24/04 -0400, Tyler Durden wrote:
>>PS: I thought Tyler had nominated himself as leader? :-)
>No, almost the opposite. I propose that any 'Cypherpunk' can declare himself
>to be leader and make 'official statements' at any time.

Oh, then you'd be reformed cypherpunk. The orthodoxy is that the group has no head (an arch). I think of it as a grad student lounge with open doors, and a few conversations going on at once. Anyone can pop in (wearing a mask or not) and make a fool of himself, or enlighten others, or ask questions (as long as they're not homework), or even forward nominally relevant articles, or flame others for doing so.
>Of course, others
>can (and most probably will) choose to ignore the official statement, or
>even declare himself to be leader and 'officially' rescind that statement
>and/or issue a completely contradictory statement. This will be particularly
>useful when getting (for instance) public interest to move elsewhere.

Or it will seem a petty schism like the Sierras or Atheists or Amerikan Xians etc.. The only coherence is an interest in crypto and society. This reasonably extends to privacy, opsec, surveillance and reverse-surveillance, OS bugs, hardware, censorship, finance, etc. Read the fatwa --er, the cyphernomicon :-) Read the Bill of Rights, (now a quaint obsolete historical document) and think about technology.

>For instance, it might be useful to have an official statement ready if/when
>the Cryptome press starts poking around Cypherpunks:

The useful statement is May's Cyphernomicon (ie an outline) and the bulk of the discussions of the last 12 years (better get a few reams of paper for the printout, Mr. Fed). PKZ's rant is also good introductory material IMHO.

>FOR IMMEDIATE RELEASE
>Cypherpunks is a collection of diverse individuals dedicated to preserving
>the freedoms that all Americans value. As part of this effort, Cypherpunks
>periodically analyzes the systems used by terrorists and other enemies of
                                                                ^ and governments
>freedom in an attempt to strengthen such systems and prevent their abuse.

Even with my addenda your statement is too restrictive. E.g., some here, I have gathered, worry about corporations (but not LLCs) too.

......and now, some quotes for Tom Ridge to ponder.....

Forget turbans, real terrorists wear neckties.

"Stop shedding our blood to save your own and the solution to this simple but complex equation is in your hands. You know matters will escalate the more you delay and then do not blame us but blame yourselves. Rational people do not risk their security, money and sons to appease the White House liar."

"Can you hear me now?"
-UBL

"Naturally the common people don't want war...But, after all, it is the leaders of a country who determine policy, and it is always a simple matter to drag the people along, whether it is a democracy or a fascist dictatorship, or parliament or a communist dictatorship. All you have to do is tell them they are being attacked, and denounce the pacifists for lack of patriotism and exposing the country to danger. It works the same in every country." --Hermann Goering, (1893-1946) Nazi Reichsmarschall, at the Nuremberg Trials, 4/18/46. From _Nuremberg Diary_ by Gustave Gilbert.

The risks posed by ignorant politicians may yet be far more dangerous than the odd virus and software mistake..... Prof. Dr. Debora Weber-Wulff

Additional case studies are needed, however, to determine which traits of chemical and biological terrorists might help identify them because charisma, paranoia, and grandiosity are also found to varying degrees among, for example, leaders of political parties, large corporations, and academic depts. --John T Finn, _Science_ v 289 1 sept 2000

We have always been at war with Oceania bin Laden -Orwell

In no part of the constitution is more wisdom to be found, than in the clause which confides the question of war or peace to the legislature, and not to the executive department. -James Madison

"The tragedy of Galois is that he could have contributed so much more to mathematics if he'd only spent more time on his marksmanship."

"Your children are not safe anywhere at any time." -IAMGodsniper commenting perhaps on the USG's propensity for using them as cannon fodder.

"Quis custodiet ipsos custodes?"

"When a man assumes a public trust, he should consider himself public property."

Bluffs will be published if comical but otherwise ignored. -JY

SAFETY RULES FOR US STRATEGIC BOMBERS
5.1. Don't use nuclear weapons to troubleshoot faults.
http://cryptome.org/afi91-111.htm

From sunder at sunder.net Wed Aug 25 08:01:26 2004
From: sunder at sunder.net (Sunder)
Date: Wed, 25 Aug 2004 11:01:26 -0400 (edt)
Subject: Reason on Gilmore VS Ashcroft
Message-ID: 

http://www.reason.com/links/links082404.shtml

----------------------Kaos-Keraunos-Kybernetos---------------------------
 + ^ + :"Our enemies are innovative and resourceful, and so are we.  /|\
  \|/  :They never stop thinking about new ways to harm our country /\|/\
<--*-->:and our people, and neither do we." -G. W. Bush, 2004.08.05 \/|\/
  /|\  :                                                             \|/
 + v + : War is Peace, freedom is slavery, Bush is President.
-------------------------------------------------------------------------

From s.schear at comcast.net Wed Aug 25 11:25:09 2004
From: s.schear at comcast.net (Steve Schear)
Date: Wed, 25 Aug 2004 11:25:09 -0700
Subject: Tilting at the Ballot Box
In-Reply-To: 
References: 
Message-ID: <6.0.1.1.0.20040825095222.05766930@mail.comcast.net>

At 09:18 AM 8/25/2004, R. A. Hettinga wrote:
>
>
>
>Business 2.0 - Magazine Article - Printable Version -
>
>
>Tilting at the Ballot Box
>Entrepreneur David Chaum's e-money venture flopped. Now he wants to fix
>electronic voting. For once, is the brilliant inventor right on time?
>By John Heilemann, September 2004 Issue

Like a shoemaker who only has hammers in his toolkit, Chaum is trying to fix the wrong problem. The problems with voting in the U.S. aren't current or even potential fraud at the ballot box, it's a complete lack of proportional representation.

Hey Dude, Where's My Rep?

The rallying cry of American Colonists was "No Taxation Without Representation". Although U.S. politicians frequently present their political system as some paragon of representative democracy, I am unaware of any country since the Civil War adopting this winner-take-all, gerrymandered, model. Almost all opted for a parliamentary system with proportional representation.
Today, unless you vote either Republican or Democrat you are effectively denied representation. Almost no independent candidates are ever elected to U.S. state, let alone federal office, even though in other democracies some would surely have gotten members of their party seated. If one accepts that the American Colonists were right to refuse to pay taxes to the British Crown until they received representation then why should today's independent voters pay state and federal taxes?

steve

From camera_lumina at hotmail.com Wed Aug 25 11:35:14 2004
From: camera_lumina at hotmail.com (Tyler Durden)
Date: Wed, 25 Aug 2004 14:35:14 -0400
Subject: Welcome to the Church of Strong Cryptography.
Message-ID: 

Goddam, Variola...I thought you had a sense of humor!

>At 01:26 PM 8/24/04 -0400, Tyler Durden wrote:
>
>>PS: I thought Tyler had nominated himself as leader? :-)
>
>No, almost the opposite. I propose that any 'Cypherpunk' can declare
>himself
>
>to be leader and make 'official statements' at any time.
>
>Oh, then you'd be reformed cypherpunk. The orthodoxy is that the
>group has no head (an arch).

Well, Duh...no "Alpha Cat" of course. But if you're able to reverse-scam someone or get some Qwality 'tang, then I won't cock-block you if you declare yourself Cypherpunk leader to an outside party, so long as you have zero expectations that the idea of a Cypherpunk 'leader' will have any practical effect on my actions.

>and governments

Well, shit Variola. Here's where I can tell you haven't gotten laid in a while. The 'release' was basically a gag...couched in Amerikan Rhetoric it was actually stating precisely this (eg..."even terrorist cells operating inside the DC Beltway..."). Done properly, the idea would be to have it go down the sheeple's throat nice-n-smooth like, see, until they get to the end and experience some dim glimmer of recognition as they realize who the real terrorists are.
And by then it's too late...the sheeple has swallowed a 'poison pill' guaranteed (Officially, by Cypherpunks, or your money back) to convert them one day into a little, tiny sleeper cell.

>Forget turbans, real terrorists wear neckties.

And don't forget those little American Flag lapel pins...the "mark of the beast"?

-TD

_________________________________________________________________
Express yourself instantly with MSN Messenger! Download today - it's FREE!
http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/

From sunder at sunder.net Wed Aug 25 11:50:23 2004
From: sunder at sunder.net (Sunder)
Date: Wed, 25 Aug 2004 14:50:23 -0400 (edt)
Subject: Digital camera fingerprinting...
In-Reply-To: <412CCBBF.8B0E0708@cdc.gov>
References: <412CCBBF.8B0E0708@cdc.gov>
Message-ID: 

Yes, your holiness, but how much of that will survive jpeg compression, Photoshop (or GIMP) cleanups, and shrinking down to lower resolutions, and insertion of stego?

Or what about those "disposable" digital cameras that are hackable? Perhaps there should be a cypherpunks pool to swap "disposable" digital cameras?

----------------------Kaos-Keraunos-Kybernetos---------------------------
 + ^ + :"Our enemies are innovative and resourceful, and so are we.  /|\
  \|/  :They never stop thinking about new ways to harm our country /\|/\
<--*-->:and our people, and neither do we." -G. W. Bush, 2004.08.05 \/|\/
  /|\  :                                                             \|/
 + v + : War is Peace, freedom is slavery, Bush is President.
-------------------------------------------------------------------------

On Wed, 25 Aug 2004, Major Variola (ret) wrote:

> Very relevant, traffic analysis and fingerprinting (intentional or not)
> are
> always tasty subjects. One question for the court would be, how many
> *other* cameras have column 67 disabled? One of every thousand?
> And how many thousand cameras were sold?
>
> Pope Major Variola (ret)

From justin-cypherpunks at soze.net Wed Aug 25 09:31:10 2004
From: justin-cypherpunks at soze.net (Justin)
Date: Wed, 25 Aug 2004 16:31:10 +0000
Subject: Another John Young Sighting
In-Reply-To: 
References: <027301c48aae$c791cbe0$6500a8c0@nightfire>
Message-ID: <20040825163110.GA1913@arion.soze.net>

On 2004-08-25T10:28:34-0400, Sunder wrote:
>
> All Hail Cthulhu! Why worship the lesser evil?
> Vote for Cthulhu! Why vote for the lesser evil?

You're saying Cthulhu is a greater evil than Bush? Mr. Three Purple Hearts is fairly evil as well. I don't know whether he surpasses Cthulhu though.

-- 
"When in our age we hear these words: It will be judged by the result--then we know at once with whom we have the honor of speaking. Those who talk this way are a numerous type whom I shall designate under the common name of assistant professors."
-- Kierkegaard, Fear and Trembling (Wong tr.), III, 112

From jamesd at echeque.com Wed Aug 25 16:44:58 2004
From: jamesd at echeque.com (James A. Donald)
Date: Wed, 25 Aug 2004 16:44:58 -0700
Subject: Wired: Attacking the 4th Estate
In-Reply-To: 
Message-ID: <412CC20A.13859.1FAFBB7@localhost>

--
On 25 Aug 2004 at 10:16, Sunder wrote:
> Sure, you say, no such act exists. But Ashcroft himself once
> testified that bellyaching over what he called "phantoms of
> lost liberty" only serves to "aid terrorists" and "give
> ammunition to America's enemies." And recently FBI agents
> attempted to intimidate political activists by visiting them
> at their homes to warn about causing trouble at the upcoming
> Republican convention.

Ashcroft is pretty good compared to recent Attorney generals. Under Reno, political extremists were not asked threatening questions. They were apt to get their dog shot, their son shot, their baby shot in its mother's arms, etc. If unpleasant people with intimidating questions was the worst menace to our liberty, we would be in mighty good shape.
Ashcroft has completely failed to enforce all the "Child protection" legislation that congress passed against the internet - which makes him the nearest thing to a friend of liberty as you are likely to find in Washington.

--digsig
         James A. Donald
     6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
     Mluq4gPKwTGMErQREoTDh8saWV7wEzjSVjNf6113
     4ydEMtkhYfG6Q30GRB2AWjgyE/a40DE7VIEdxVgD2

From mv at cdc.gov Thu Aug 26 15:39:00 2004
From: mv at cdc.gov (Major Variola (ret))
Date: Thu, 26 Aug 2004 15:39:00 -0700
Subject: sex & propoganda [psyops]
Message-ID: <412E6684.EB55143A@cdc.gov>

http://www.psywarrior.com/sexandprop.html

"H.M.G.'s secret pornographer"
http://www.seftondelmer.co.uk/hmg.htm

From camera_lumina at hotmail.com Thu Aug 26 17:50:56 2004
From: camera_lumina at hotmail.com (Tyler Durden)
Date: Thu, 26 Aug 2004 20:50:56 -0400
Subject: the minder node...
Message-ID: 

Sheeit. I think I'm the only one left on the minder node...I ain't gettin shit. A quick googling revealed nothing about how to subscribe to the al-qaeda node, which I have been avoiding doing (but then again, St Bernardus Belgian ale does not really help). Can someone send me the instructions?

-TD

From rah at shipwright.com Fri Aug 27 05:56:33 2004
From: rah at shipwright.com (R. A. Hettinga)
Date: Fri, 27 Aug 2004 06:56:33 -0600
Subject: I Come to Bury Sender ID, Not to Praise It
Message-ID: 

EWeek

I Come to Bury Sender ID, Not to Praise It
August 26, 2004
By Larry Seltzer

It must have seemed like a good idea at the time: The effort to create an effective standard for SMTP authentication relied, and still relies, on quick adoption by the largest companies in the e-mail business, and Microsoft is a significant company in both the e-mail software and service business.
Why not bring them into the process and make them a central part of the solution?

But it was not to be. With just hours to go on their deadline under the IETF standard process, Microsoft finally released their revised license for their intellectual property rights claims in Sender ID. Microsoft has offered a royalty-free license to all implementers of their property and, it would appear, more than satisfied the needs of the IETF. But open-source advocates in the working group have emphatically rejected the proposed license.

Those who would create a distribution of it must obtain one of these royalty-free licenses directly from and fax a signed license form to Microsoft. So if you have a license and wish to publish your source code for others to implement, you can't include the intellectual property rights with the distribution. This only applies to people creating new distributions of the software, not people who simply want to use software that implements Sender ID, even GPL software, or who want to create Sender ID records in DNS.

The reasons for the license are defensive. The only people who can't get a license are those who are suing Microsoft over the intellectual property claims in it. As one participant said, any company with a sizable R&D staff will need to make such defensive moves, and the IETF has happily worked with standards that involved IPR licenses before, many more restrictive and burdensome than this.

But Sender ID is different. It is intended for a software market that has had a large presence of open source software. There is some dispute in the working group over whether the license is or is not compatible with most open-source licenses, especially the GPL, but there is a consensus that it is at least problematic for those licenses and a poke in the eye of those who use them. And lawyers from the Free Software Foundation have stated that the license is not GPL-compatible.
I tried to warn them, and I know I wasn't alone. Microsoft gave the impression that stopping spam, phishing and other abuses of e-mail was important to them, but it obviously wasn't important enough. For Sender ID to be successful it needs to be adopted widely, and the only way that was going to happen was if it was unencumbered by burdensome licenses. And it had to be obviously free in everyone's sense of the word so that everyone could feel free implementing it and getting to the important business of fixing the broken e-mail system on the Internet. Microsoft just couldn't bring themselves to do it. Instead they actually advise people, if they are unsure of how the license affects them, to hire a lawyer.

There's another point that's bothering people, which is the exact scope of their IPR claims. Microsoft has said they have patent claims related to Sender ID, but haven't said exactly what they are. Microsoft set up an e-mail address (stdsreq at microsoft.com) to which people could send questions on the matter. I asked them, "Can you tell me what patents Microsoft holds that pertain to an implementation of Sender ID?" and haven't heard back. It appears that the claims have to do with the retrieval of the PRA (purported responsible address) from the message. It's just not worth scuttling Sender ID over that.

And it could have turned out well. The merger of SPF and Microsoft's Caller ID may have been a bit ugly and scientifically worthy of South Park's Dr. Mephisto, but it would have improved on the current situation a great deal. And it would have been good to show that Microsoft can be cooperative even with their most unrelenting and unreasonable enemies when an important issue is at stake.

In a way it's just as well, since the technical luster had come off Sender ID in the last couple of months, such as in the concern addressed here over the clogging up of DNS records.
No approach that addressed all the major problems with e-mail fraud would lack some flaws, but even if there was a consensus on Sender ID it was not an overwhelming one. And with the licensing debacle the consensus has swung overwhelmingly against Sender ID and Microsoft in particular.

Perhaps Microsoft thought that Sender ID was such a killer standard that they could push people around, but it's not. They've only boxed themselves out of the process. The rest of the SID standards process will now be a waste of time thanks to Microsoft, and the other participants will afterwards pick up the pieces and get the job done with another spec. Rest assured that enough alternatives were proposed that something can be found that will suffice and that will have none of the license issues.

I feel sorry for the Microsoft participants in the process, principally Harry Katz of the Exchange Edge team, who I'm sure only wanted the whole thing to work and were restrained by persons senior to them, probably Microsoft's vaunted legal team who did such a good job for them in the past. Of course, we all know what Shakespeare said about lawyers.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

-- 
-----------------
R. A. Hettinga
The Internet Bearer Underwriting Corporation
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

From rsw at jfet.org Fri Aug 27 05:20:56 2004
From: rsw at jfet.org (Riad S. Wahby)
Date: Fri, 27 Aug 2004 07:20:56 -0500
Subject: the minder node...
In-Reply-To: 
References: 
Message-ID: <20040827122055.GA3402@jfet.org>

Tyler Durden wrote:
> Sheeit. I think I'm the only one left on the minder node...I ain't gettin
> shit.
> A quick googling revealed nothing about how to subscribe to the
> al-qaeda node, which I have been avoiding doing (but then again, St
> Bernardus Belgian ale does not really help). Can someone send me the
> instructions?

It's a standard majordomo thing; send a message with "subscribe cypherpunks" in the body to cypherpunks-request at al-qaeda.net.

http://www.al-qaeda.net/cpunk/

-- 
Riad S. Wahby
rsw at jfet.org

From ptrei at rsasecurity.com Fri Aug 27 11:03:58 2004
From: ptrei at rsasecurity.com (Trei, Peter)
Date: August 27, 2004 11:03:58 AM EDT
Subject: Air travel without ID.
Message-ID: 

[For IP, if you wish - pt]

From RISKS 23.50:
http://catless.ncl.ac.uk/Risks/23.50.html#subj6

-----------------

U.S. air travel without government identification

> Thu, 19 Aug 2004 19:41:02 -0500

Recently, John Gilmore has been publicly decrying the unstated Federal requirement that one must present government-issued identification (e.g., a driver's license) in order to travel via air within the U.S. Unfortunately for me, I got to test this requirement on a recent trip to give a talk at Fermilab when I managed to leave my driver's license at home. Here's what happened.

For what it's worth, I've recently taken to carrying two wallets. The large one has my money, credit cards, receipts, and other assorted junk. The small one has my business cards and the two ID cards I most often need: my driver's license and my university ID card (a magstripe card that I need to get into my building after hours). In order to make my flight at the ungodly hour of 7:35am, I had to get up quite early. In the confusion of the morning, I managed to leave the little wallet at home. I didn't notice this oversight until I was standing in front of the ticket counter at 7:00am. In order to have gotten my driver's license, I would have had to miss my flight. Instead, I decided to see how the system would work without it.
== Intercontinental Airport: Houston, Texas

I pleaded my case to the Continental ticket agent. "Do you have any picture ID on you at all?" Nope. I showed her my Continental frequent flyer card, my credit card, and my social security card (which I probably shouldn't have had in my wallet, but that's a story for another day) as well as my boarding pass, printed that morning on my home computer. She escorted me to the security guard, with all my cards in her hand, and briefly described the situation. The guards expressed some confusion, but decided to let me through. After that, everything proceeded normally.

== Fermilab: Suburban Chicago, Illinois

My hosts at Fermilab had helpfully arranged a rental car for me. It dawned on me that I'd never get out of the rental car lot without a driver's license. I called Fermilab's travel agent and explained my predicament. As it turns out, Fermilab has a limo service that they regularly use. The travel agent made a reservation for me with the limo service, who happily picked me up at the airport and delivered me to Fermilab.

If you're into high-energy physics, you know all about Fermilab. For the rest of us, they have a ring, about 1km in radius, around which they fling protons and anti-protons at very high energies, arranging for them to collide inside a massive detector. Those high-energy collisions cause all sorts of interesting subatomic particles to come flying out, hopefully to be detected by a variety of impressive devices. (My high school physics teacher quipped that it's like trying to learn how cars work by smashing them together and seeing what falls out.) Before September 11, the Fermilab campus was wide open, and the locals could go fishing in the lake, jogging around the ring, and so forth. These days, you have to go to a guard shack.

Visitors get a limited pass and are instructed to only go to specific places where they're allowed (e.g., the education center). I'd been told that a badge would be waiting for me.
The guard asked for my ID. "Let me tell you a story," I began. Ultimately, the guard had to telephone my hosts who drove down to the guard shack to pick me up. After that, it was smooth sailing.

== O'Hare Airport: Chicago, Illinois

Everybody to whom I'd told this story was amazed that I'd gotten as far as I did, and I was repeatedly warned that O'Hare security was quite stringent. Just to make sure, I had the limo get me to the airport a full two hours before my 11:00am flight. I printed out my boarding pass using the Continental kiosk, using my credit card to authenticate myself to the system, and then explained my story to the ticket agent. "Do you have any government issued ID?" Sorry, no. She wrote "SSSS" in big letters on my boarding pass, highlighted it in pink, and pointed me at the security checkpoint: the special security checkpoint without a line in front of it.

I walked up and presented my boarding pass to the guard. "ID?" I began my story, but the only phrase that seemed to matter was "No ID", which she wrote onto my boarding pass. She then wrote "SSSS" again and circled it, also circling the original pink-highlighted copy. On I went. First the normal X-ray machine, take your laptop out, etc. Then, on the other side, they gave me the extended treatment, which normally occurs when I've been "randomly" selected. They X-rayed my shoes, swabbed my laptop for explosives, and unzipped every compartment of my luggage. After I passed all of those tests, they let me through, never once examining any of the cards I had in my wallet.

Moral of the story

While my story is hardly the same thing as a conclusive examination of the policies of all major U.S. airports, my experience shows that it is, indeed, possible to do interstate air travel without a driver's license. You're no longer using the "fast path" of the airport security apparatus, and there is clearly some variation in how the rules govern your slow path through the system.
However, if you're willing to put up with the "SSSS" treatment, then it appears that you can legally travel by air within the U.S. without a government-issued ID. (Gilmore acknowledges this in his lawsuit, which is focused on finding out where the requirement for presenting ID came from, in the first place.)

Postscript

As a Continental frequent flyer, I was invited to show up at the airport to be measured for a new biometric-based system that they've installed in Houston. (I think it measures fingerprints, but I'm not entirely sure.) I was out of town, and thus unable to give that system a shot. They do require several forms of ID to get yourself registered, so it will have to wait for another day. Maybe I'll give it a try and write something about it later for RISKS. For all the known issues with biometric authentication, it's quite difficult to leave your fingerprints at home in the wrong trousers.

-------------------------------------
You are subscribed as eugen at leitl.org
To manage your subscription, go to
  http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/

----- End forwarded message -----
-- 
Eugen* Leitl leitl
______________________________________________________________
ICBM: 48.07078, 11.61144            http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
http://moleculardevices.org         http://nanomachines.net

[demime 1.01d removed an attachment of type application/pgp-signature]

From justin-cypherpunks at soze.net Fri Aug 27 04:12:46 2004
From: justin-cypherpunks at soze.net (Justin)
Date: Fri, 27 Aug 2004 11:12:46 +0000
Subject: Tilting at the Ballot Box
In-Reply-To: <6.0.1.1.0.20040825095222.05766930@mail.comcast.net>
References: <6.0.1.1.0.20040825095222.05766930@mail.comcast.net>
Message-ID: <20040827111246.GA4932@arion.soze.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2004-08-25T11:25:09-0700, Steve Schear wrote:
> At 09:18 AM 8/25/2004, R. A.
Hettinga wrote:
> >
> >
> >Business 2.0 - Magazine Article - Printable Version -
> >
> >
> >Tilting at the Ballot Box
> >Entrepreneur David Chaum's e-money venture flopped. Now he wants to fix
> >electronic voting. For once, is the brilliant inventor right on time?
> >By John Heilemann, September 2004 Issue
>
> Like a shoemaker who only has hammers in his toolkit, Chaum is trying to
> fix the wrong problem. The problems with voting in the U.S. aren't current
> or even potential fraud at the ballot box its a complete lack of
> proportional representation.

Is this solvable? Chaum is solving a problem that evidently can be solved. Perhaps once those problems are solved it will be easier to direct public attention at other more fundamental problems with our representative democracy.

> Hey Dude, Where's My Rep?
> The rallying cry of American Colonists was "No Taxation Without
> Representation". Although U.S politicians frequently present their
> political system as some paragon of representative democracy, I am unaware
> of any country since the Civil War adopting this winner-take-all,
> gerrymandered, model. Almost all opted for a parliamentary system with
> proportional representation. Today, unless you vote either Republican or
> Democrat you are effectively denied representation. Almost no independent
> candidates are ever elected to U.S. state, not alone federal office, even
> though in other democracies some would surely have gotten members of their
> party seated. If one accepts that the American Colonists were right to
> refuse to pay taxes to the British Crown until they received representation
> then why should today's independent voters pay state and federal taxes?

You have a strange notion of what the Colonists meant by that phrase. You do have representation. The fact that your representatives are not the ones you wanted is irrelevant.

Presidential elections are a mess, though.
Most states' selection of electors for presidential selection may violate the intent of the Constitution's writers; the electors for most states were originally selected by legislators. The winning-party-take-all system in most states does seem to violate the intent of election mechanics. Notably, there is a difference between having 3 electors and having 1 elector with 3/538 of a say in president selection. The current system may be too much like the latter.

IMO, your complaint about gerrymandering is valid. There are a variety of formulaic ways to ensure voting district compactness. See e.g. http://www.hmdc.harvard.edu/micah_altman/disab.shtml

Nevertheless, there is a fundamental inconsistency between two requirements that everyone seems to want:
1) coherent voting districts
2) equal-population voting districts.

No matter what criteria are used for creating equal-population voting districts, there are always going to be multiple ways to choose them, so someone will always complain. It's the same sort of thing as voting procedure itself; there are multiple ways to conduct a democratic election. The fact that most of the population is unaware of the alternatives (in the case that no option gets a majority: 1st/2nd/3rd choices, run-offs, no run-offs, etc.) doesn't mean they're any less serious. Perfectly democratic elections run by different rules have different results. It's amazing anyone even bothers to complain about the y2k election when there are issues like this lurking under the bridge.

Clearly, no matter what you do, there are problems. If the district size is 1 million, there's a city of 499k and a city of 1501k, what then? The city of 499k is screwed unless there's a nearby population center with similar culture. Even then, the numbers won't be equitable, and someone, somewhere will whine about "lack of representation."
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBLxcunH0ZJUVoUkMRAoOkAKCTrRtElXZa6lR6lGV1u3rQ6xSh9ACgms0X
A//TbqG+hh5pGMLNuKrTlkI=
=e/Cp
-----END PGP SIGNATURE-----

From dave at farber.net Fri Aug 27 08:42:19 2004
From: dave at farber.net (David Farber)
Date: Fri, 27 Aug 2004 11:42:19 -0400
Subject: [IP] Air travel without ID.
Message-ID: 

Begin forwarded message:

From camera_lumina at hotmail.com Fri Aug 27 10:08:20 2004
From: camera_lumina at hotmail.com (Tyler Durden)
Date: Fri, 27 Aug 2004 13:08:20 -0400
Subject: [IP] Air travel without ID. (fwd from dave@farber.net)
Message-ID: 

This actually pisses me off. Unlike more hard-line cypherpunks, I'm not (yet) convinced that government-originated laws are an inherent evil, even when I don't agree with them. The main problem comes when administration of these laws pretty much boils down to the whim of a local "authority". In this case the traveler didn't "look" like a terrorist, so he was OK. If the very same guy attempted this same procedure on the very next day, though wearing a "Stop Bush" shirt, I'd bet any amount of money he'd be denied the right to fly.

So what it all boils down to is the personal whim of the law "enforcement" official, who at best is corrupt and at worst stupid and incompetent.

-TD

>From: Eugen Leitl
>To: cypherpunks at al-qaeda.net
>Subject: [IP] Air travel without ID. (fwd from dave at farber.net)
>Date: Fri, 27 Aug 2004 18:40:55 +0200
>
>----- Forwarded message from David Farber -----
>
>From: David Farber
>Date: Fri, 27 Aug 2004 11:42:19 -0400
>To: Ip
>Subject: [IP] Air travel without ID.
>X-Mailer: Apple Mail (2.619)
>Reply-To: dave at farber.net
>
>
>
>Begin forwarded message:
>
>From: "Trei, Peter"
>Date: August 27, 2004 11:03:58 AM EDT
>To: dave at farber.net
>Subject: Air travel without ID.
>
>[For IP, if you wish - pt]
>
>From RISKS 23.50:
>http://catless.ncl.ac.uk/Risks/23.50.html#subj6
>
>-----------------
>
>U.S.
air travel without government identification
>
>> Thu, 19 Aug 2004 19:41:02 -0500
>
>Recently, John Gilmore has been publicly decrying the unstated Federal requirement that one must present government-issued identification (e.g., a driver's license) in order to travel via air within the U.S. Unfortunately for me, I got to test this requirement on a recent trip to give a talk at Fermilab when I managed to leave my driver's license at home. Here's what happened.
>
>For what it's worth, I've recently taken to carrying two wallets. The large one has my money, credit cards, receipts, and other assorted junk. The small one has my business cards and the two ID cards I most often need: my driver's license and my university ID card (a magstripe card that I need to get into my building after hours). In order to make my flight at the ungodly hour of 7:35am, I had to get up quite early. In the confusion of the morning, I managed to leave the little wallet at home. I didn't notice this oversight until I was standing in front of the ticket counter at 7:00am. In order to have gotten my driver's license, I would have had to miss my flight. Instead, I decided to see how the system would work without it.
>
>== Intercontinental Airport: Houston, Texas
>
>I pleaded my case to the Continental ticket agent. "Do you have any picture ID on you at all?" Nope. I showed her my Continental frequent flyer card, my credit card, and my social security card (which I probably shouldn't have had in my wallet, but that's a story for another day) as well as my boarding pass, printed that morning on my home computer. She escorted me to the security guard, with all my cards in her hand, and briefly described the situation. The guards expressed some confusion, but decided to let me through. After that, everything proceeded normally.
>
>== Fermilab: Suburban Chicago, Illinois
>
>My hosts at Fermilab had helpfully arranged a rental car for me.
>It dawned on me that I'd never get out of the rental car lot without a driver's license. I called Fermilab's travel agent and explained my predicament. As it turns out, Fermilab has a limo service that they regularly use. The travel agent made a reservation for me with the limo service, who happily picked me up at the airport and delivered me to Fermilab.
>
>If you're into high-energy physics, you know all about Fermilab. For the rest of us, they have a ring, about 1km in radius, around which they fling protons and anti-protons at very high energies, arranging for them to collide inside a massive detector. Those high-energy collisions cause all sorts of interesting subatomic particles to come flying out, hopefully to be detected by a variety of impressive devices. (My high school physics teacher quipped that it's like trying to learn how cars work by smashing them together and seeing what falls out.) Before September 11, the Fermilab campus was wide open, and the locals could go fishing in the lake, jogging around the ring, and so forth. These days, you have to go to a guard shack.
>
>Visitors get a limited pass and are instructed to only go to specific places where they're allowed (e.g., the education center). I'd been told that a badge would be waiting for me. The guard asked for my ID. "Let me tell you a story," I began. Ultimately, the guard had to telephone my hosts who drove down to the guard shack to pick me up. After that, it was smooth sailing.
>
>== O'Hare Airport: Chicago, Illinois
>
>Everybody to whom I'd told this story was amazed that I'd gotten as far as I did, and I was repeatedly warned that O'Hare security was quite stringent. Just to make sure, I had the limo get me to the airport a full two hours before my 11:00am flight. I printed out my boarding pass using the Continental kiosk, using my credit card to authenticate myself to the system, and then explained my story to the ticket agent.
"Do you have >any >government issued ID?" Sorry, no. She wrote "SSSS" in big letters on >my >boarding pass, highlighted it in pink, and pointed me at the security >checkpoint: the special security checkpoint without a line in front of >it. >I walked up and presented my boarding pass to the guard. "ID?" I began >my >story, but the only phrase that seemed to matter was "No ID", which she >wrote onto my boarding pass. She then wrote "SSSS" again and circled >it, >also circling the original pink-highlighted copy. On I went. First the >normal X-ray machine, take your laptop out, etc. Then, on the other >side, >they gave me the extended treatment, which normally occurs when I've >been >"randomly" selected. They X-rayed my shoes, swabbed my laptop for >explosives, and unzipped every compartment of my luggage. After I >passed >all of those tests, they let me through, never once examining any of the >cards I had in my wallet. > >Moral of the story > >While my story is hardly the same thing as a conclusive examination of >the >policies of all major U.S. airports, my experience shows that it is, >indeed, >possible to do interstate air travel without a driver's license. >You're no >longer using the "fast path" of the airport security apparatus, and >there is >clearly some variation in how the rules govern your slow path through >the >system. However, if you're willing to put up with the "SSSS" treatment, >then it appears that you can legally travel by air within the U.S. >without a >government-issued ID. (Gilmore acknowledges this in his lawsuit, which >is >focused on finding out where the requirement for presenting ID came >from, in >the first place.) > >Postscript > >As a Continental frequent flyer, I was invited to show up at the >airport to >be measured for a new biometric-based system that they've installed in >Houston. (I think it measures fingerprints, but I'm not entirely sure.) > I >was out of town, and thus unable to give that system a shot. 
They do >require several forms of ID to get yourself registered, so it will have >to >wait for another day. Maybe I'll give it a try and write something >about it >later for RISKS. For all the known issues with biometric >authentication, >it's quite difficult to leave your fingerprints at home in the wrong >trousers. > > >------------------------------------- >You are subscribed as eugen at leitl.org >To manage your subscription, go to > http://v2.listbox.com/member/?listname=ip > >Archives at: http://www.interesting-people.org/archives/interesting-people/ > >----- End forwarded message ----- >-- >Eugen* Leitl leitl >______________________________________________________________ >ICBM: 48.07078, 11.61144 http://www.leitl.org >8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE >http://moleculardevices.org http://nanomachines.net ><< attach3 >> _________________________________________________________________ Express yourself instantly with MSN Messenger! Download today - it's FREE! hthttp://messenger.msn.click-url.com/go/onm00200471ave/direct/01/ From s.schear at comcast.net Fri Aug 27 13:14:47 2004 From: s.schear at comcast.net (Steve Schear) Date: Fri, 27 Aug 2004 13:14:47 -0700 Subject: Tilting at the Ballot Box In-Reply-To: <20040827111246.GA4932@arion.soze.net> References: <6.0.1.1.0.20040825095222.05766930@mail.comcast.net> <20040827111246.GA4932@arion.soze.net> Message-ID: <6.0.1.1.0.20040827073940.048b6658@mail.comcast.net> At 04:12 AM 8/27/2004, you wrote: >-----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA1 > >On 2004-08-25T11:25:09-0700, Steve Schear wrote: > > At 09:18 AM 8/25/2004, R. A. Hettinga wrote: > > > > > >Business 2.0 - Magazine Article - Printable Version - > > > > > >Tilting at the Ballot Box > > >Entrepreneur David Chaum's e-money venture flopped. Now he wants to fix > > >electronic voting. For once, is the brilliant inventor right on time? 
> > > By John Heilemann, September 2004 Issue
> >
> > Like a shoemaker who only has hammers in his toolkit, Chaum is trying to fix the wrong problem. The problems with voting in the U.S. aren't current or even potential fraud at the ballot box, it's a complete lack of proportional representation.
>
> Is this solvable? Chaum is solving a problem that evidently can be solved. Perhaps once those problems are solved it will be easier to direct public attention at other more fundamental problems with our representative democracy.

Why would you guess this? These problems have been around since almost the founding of the republic.

> You have a strange notion of what the Colonists meant by that phrase.
>
> You do have representation. The fact that your representatives are not the ones you wanted is irrelevant.

The Colonists had representatives too, it's just that they were chosen by King George :)

The fact that 'my' representatives are not the ones I wanted nor any of the independent party voters wanted is paramount. Representation is about interests and ideology. If a significant segment of voters don't get anyone to represent these interests and ideologies bad things can happen (e.g., they can become radicalized). Representation can be an important outlet for these disenfranchised voters.

> IMO, your complaint about gerrymandering is valid. There are a variety of formulaic ways to ensure voting district compactness. See e.g. http://www.hmdc.harvard.edu/micah_altman/disab.shtml
>
> Clearly, no matter what you do, there are problems. If the district size is 1 million, there's a city of 499k and a city of 1501k, what then? The city of 499k is screwed unless there's a nearby population center with similar culture. Even then, the numbers won't be equitable, and someone, somewhere will whine about "lack of representation."

The problem is that use of voting districts seems to have always resulted in gerrymandering in our political system. A proportional system can eliminate these geopolitical distortions.

steve

From nobody at dizum.com Fri Aug 27 07:20:05 2004
From: nobody at dizum.com (Nomen Nescio)
Date: Fri, 27 Aug 2004 16:20:05 +0200 (CEST)
Subject: the minder node...
Message-ID:

Tyler Durden said:
> Sheeit. I think I'm the only one left on the minder node...I ain't gettin shit. A quick googling revealed nothing about how to subscribe to the al-qaeda node, which I have been avoiding doing (but then again, St Bernardus Belgian ale does not really help). Can someone send me the instructions?

I'm pretty sure you are not the only one there. I'm seeing these in my mail so I guess I'm on minder too? And I do get mail.

> Return-path:

From eugen at leitl.org Fri Aug 27 09:40:55 2004
From: eugen at leitl.org (Eugen Leitl)
Date: Fri, 27 Aug 2004 18:40:55 +0200
Subject: [IP] Air travel without ID. (fwd from dave@farber.net)
Message-ID: <20040827164055.GL1477@leitl.org>

----- Forwarded message from David Farber -----

From justin-cypherpunks at soze.net Fri Aug 27 14:49:51 2004
From: justin-cypherpunks at soze.net (Justin)
Date: Fri, 27 Aug 2004 21:49:51 +0000
Subject: Tilting at the Ballot Box
In-Reply-To: <6.0.1.1.0.20040827073940.048b6658@mail.comcast.net>
References: <6.0.1.1.0.20040825095222.05766930@mail.comcast.net> <20040827111246.GA4932@arion.soze.net> <6.0.1.1.0.20040827073940.048b6658@mail.comcast.net>
Message-ID: <20040827214951.GA5868@arion.soze.net>

On 2004-08-27T13:14:47-0700, Steve Schear wrote:
> At 04:12 AM 8/27/2004, you wrote:
>
> > On 2004-08-25T11:25:09-0700, Steve Schear wrote:
> > > Like a shoemaker who only has hammers in his toolkit, Chaum is trying to fix the wrong problem. The problems with voting in the U.S. aren't current or even potential fraud at the ballot box, it's a complete lack of proportional representation.
> >
> > Is this solvable? Chaum is solving a problem that evidently can be solved.
> > Perhaps once those problems are solved it will be easier to direct public attention at other more fundamental problems with our representative democracy.
>
> Why would you guess this? These problems have been around since almost the founding of the republic.

What? I just said that without the distraction of outright voting fraud, voters may become more aware of the more subtle and more serious issues with democratic voting systems.

> > You have a strange notion of what the Colonists meant by that phrase.
> >
> > You do have representation. The fact that your representatives are not the ones you wanted is irrelevant.
>
> The Colonists had representatives too, it's just that they were chosen by King George :)

As I understand it (I wasn't there, but perhaps you were), their complaint was that their "representatives" weren't from the region they claimed to represent, and that they weren't chosen democratically. You and I have no such claim. I can't claim lack of representation just because my fellow citizens are idiots who subscribe to the Libertarian or Socialist or Zoroastrian platform yet vote for a Republican or Democrat.

> The fact that 'my' representatives are not the ones I wanted nor any of the independent party voters wanted is paramount.

What you or I want has nothing to do with it. I don't get to redefine election procedure whenever my preferred candidate doesn't win an election. I'm not voting for either Bush or Kerry. Neither represents my views. No matter who wins, the winner is my president and my representative. I can't claim otherwise. The best I can do is blame all the idiot voters who cling to party-ID as if it were their only hope of survival.

> Representation is about interests and ideology. If a significant segment of voters don't get anyone to represent these interests and ideologies bad things can happen (e.g., they can become radicalized). Representation can be an important outlet for these disenfranchised voters.

Well, one district in TX managed to elect someone who's decent - Ron Paul. It's possible. The fact that libertarians or fascists everywhere don't get their candidates elected has more to do with the fact that they vote Republican or Democrat "because a vote for a third party is a wasted vote." Blame the morons in the electorate for not electing representatives that mirror their views. That's where the blame lies.

What do you want? Do you want everyone to vote Democrat, Libertarian or Republican, then apportion the House of Representatives and the Senate appropriately? Who picks the representatives? The reason we don't have any socialists or libertarians or fascists in Congress is that not a single district votes for one. The U.S. has this fixation on voting for one of the two major parties. Other countries do not; that's why some of them have multi-(3+)-party representation in their parliaments.

Incidentally, some northeastern state allows each congressional district to pick one elector, and the State as a whole picks two. (Electors = Senators + House Reps). If you're complaining about presidential elector selection, that blame lies with the States; the States dictate how their electors are chosen.

> > IMO, your complaint about gerrymandering is valid. There are a variety of formulaic ways to ensure voting district compactness. See e.g. http://www.hmdc.harvard.edu/micah_altman/disab.shtml
> >
> > Clearly, no matter what you do, there are problems. If the district size is 1 million, there's a city of 499k and a city of 1501k, what then? The city of 499k is screwed unless there's a nearby population center with similar culture. Even then, the numbers won't be equitable, and someone, somewhere will whine about "lack of representation."
>
> The problem is that use of voting districts seems to have always resulted in gerrymandering in our political system. A proportional system can eliminate these geopolitical distortions.

State and Federal House of Reps. are proportional. (Yeah, I know Nebraska is unicameral, excuse the generalization). What part of the System isn't proportional other than most States' selection of presidential electors?

--
"When in our age we hear these words: It will be judged by the result--then we know at once with whom we have the honor of speaking. Those who talk this way are a numerous type whom I shall designate under the common name of assistant professors."
-- Kierkegaard, Fear and Trembling (Wong tr.), III, 112

From pgut001 at cs.auckland.ac.nz Fri Aug 27 04:04:37 2004
From: pgut001 at cs.auckland.ac.nz (Peter Gutmann)
Date: Fri, 27 Aug 2004 23:04:37 +1200
Subject: Cheesecloth security for hard drives
Message-ID:

Globalwin has just introduced an external hard drive enclosure (http://www.htpcnews.com/main.php?id=dorri_1) with built-in 40-bit DES encryption (and if it's the HW I think it is, that's 40-bit DES in ECB mode, and the vendor generates the key for you).

Peter.

From eugen at leitl.org Sat Aug 28 00:39:56 2004
From: eugen at leitl.org (Eugen Leitl)
Date: Sat, 28 Aug 2004 09:39:56 +0200
Subject: [IRR] Army: JetBlue Data Use Was Legal
Message-ID: <20040828073956.GI1051@leitl.org>

Army: JetBlue Data Use Was Legal
By Ryan Singel
02:00 AM Aug. 23, 2004 PT

An Army data-mining project that searched through JetBlue's passenger records and sensitive personal information from a data broker to pinpoint possible terrorists did not violate federal privacy law, according to an investigation by the Army's inspector general.

The inspector general's findings (PDF) were accepted by some, but critics say the report simply highlights the inability of the country's privacy laws to cope with 21st-century anti-terrorism efforts.

News of the Army project came to light in September 2003 when JetBlue admitted it had violated its privacy policy by turning over 5.1 million passenger records to Torch Concepts, an Alabama-based defense contractor.
Torch subsequently enhanced the JetBlue data with information about passengers' salaries, family size and Social Security numbers that it purchased from Acxiom, one of the country's largest data aggregators.

The Army says it was testing the data-mining technology as part of a plan to screen visitors to Army bases.

...

http://www.wired.com/news/politics/0,1283,64647,00.html

----- End forwarded message -----
--
Eugen* Leitl leitl
______________________________________________________________
ICBM: 48.07078, 11.61144 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
http://moleculardevices.org http://nanomachines.net

From nobody at dizum.com Sat Aug 28 03:10:05 2004
From: nobody at dizum.com (Nomen Nescio)
Date: Sat, 28 Aug 2004 12:10:05 +0200 (CEST)
Subject: nodes listing
Message-ID: <5cd259f9652c6470617b81aa1cac135a@dizum.com>

Can someone post a listing of all active CDR nodes please? Information from pages like this one lists some inactive nodes I'm sure http://www.al-qaeda.net/cpunk/

From bill.stewart at pobox.com Sat Aug 28 22:38:13 2004
From: bill.stewart at pobox.com (Bill Stewart)
Date: Sat, 28 Aug 2004 22:38:13 -0700
Subject: JYA in NYT
Message-ID: <200408290538.i7T5cTE4064216@outlier.minder.net>

The JYA and Gas Pipelines story keeps having legs; at least one formerly well-marked pipeline fingered by JYA no longer has a sign, presumably because the Republicans are chicken that somebody will try to blow them up. (New York may be on Orange Alert, but they're still Yellow...)

The on-line NYTimes requires registration - if the old "cypherpunks" login doesn't work, you can create your own fake id.

http://nytimes.com/2004/08/29/nyregion/29pipeline.html
Mapping Natural Gas Lines: Advise the Public, Tip Off the Terrorists
By IAN URBINA
Published: August 29, 2004

----
Bill Stewart bill.stewart at pobox.com

From bill.stewart at pobox.com Sat Aug 28 23:14:50 2004
From: bill.stewart at pobox.com (Bill Stewart)
Date: Sat, 28 Aug 2004 23:14:50 -0700
Subject: JYA's 1st FBI visit?
In-Reply-To: <20040829004701.P84671@ubzr.zsa.bet>
References: <200408290538.i7T5cTE4064216@outlier.minder.net> <20040829004701.P84671@ubzr.zsa.bet>
Message-ID: <200408290621.i7T6LCt0030134@positron.jfet.org>

At 10:48 PM 8/28/2004, J.A. Terranson wrote:
> On Sat, 28 Aug 2004, Bill Stewart wrote:
>
> > http://nytimes.com/2004/08/29/nyregion/29pipeline.html
> > Mapping Natural Gas Lines: Advise the Public, Tip Off the Terrorists
> > By IAN URBINA Published: August 29, 2004
>
> "In fact, Mr. Young got his first visit from F.B.I. agents several weeks ago."
>
> This can't be right. The *first*? Hell, I get a couple a year on a bad year, and at least one every few years when I'm behaving. How can John not get *any*???

You could check the cypherpunks archives to find out what kinds of cops have visited JYA at various times in the past, but I'd assume that at least some of the Feds have been FBI as opposed to Treasury, CIA, NSA, DEA, VOA, KGB, Mossad, Forest Service, etc. Some quick Google hits include November 2003 http://legalminds.lp.findlaw.com/list/politech/msg04860.html and July 2000 http://seclists.org/lists/politech/2000/Jul/0043.html .

Looks like the NYT guy either got this entirely wrong or else was trying to say that a couple of weeks ago was when the FBI first showed up about _this_ particular issue.

Bill

From measl at mfn.org Sat Aug 28 22:42:19 2004
From: measl at mfn.org (J.A. Terranson)
Date: Sun, 29 Aug 2004 00:42:19 -0500 (CDT)
Subject: JYA in NYT
In-Reply-To: <200408290538.i7T5cTE4064216@outlier.minder.net>
References: <200408290538.i7T5cTE4064216@outlier.minder.net>
Message-ID: <20040829004154.G84671@ubzr.zsa.bet>

On Sat, 28 Aug 2004, Bill Stewart wrote:

> The on-line NYTimes requires registration -
> if the old "cypherpunks" login doesn't work,
> you can create your own fake id.

cypherpunks01/cypherpunks01 still works

> http://nytimes.com/2004/08/29/nyregion/29pipeline.html
> Mapping Natural Gas Lines: Advise the Public, Tip Off the Terrorists
> By IAN URBINA Published: August 29, 2004
>
> ----
> Bill Stewart bill.stewart at pobox.com

--
Yours,

J.A. Terranson
sysadmin at mfn.org
0xBD4A95BF

"...justice is a duty towards those whom you love and those whom you do not. And people's rights will not be harmed if the opponent speaks out about them."

Osama Bin Laden
- - -

"There ought to be limits to freedom!"

George Bush
- - -

Which one scares you more?

From measl at mfn.org Sat Aug 28 22:48:33 2004
From: measl at mfn.org (J.A. Terranson)
Date: Sun, 29 Aug 2004 00:48:33 -0500 (CDT)
Subject: JYA's 1st FBI visit?
In-Reply-To: <200408290538.i7T5cTE4064216@outlier.minder.net>
References: <200408290538.i7T5cTE4064216@outlier.minder.net>
Message-ID: <20040829004701.P84671@ubzr.zsa.bet>

On Sat, 28 Aug 2004, Bill Stewart wrote:

> http://nytimes.com/2004/08/29/nyregion/29pipeline.html
> Mapping Natural Gas Lines: Advise the Public, Tip Off the Terrorists
> By IAN URBINA Published: August 29, 2004

"In fact, Mr. Young got his first visit from F.B.I. agents several weeks ago."

This can't be right. The *first*? Hell, I get a couple a year on a bad year, and at least one every few years when I'm behaving. How can John not get *any*???

> ----
> Bill Stewart bill.stewart at pobox.com

--
Yours,

J.A. Terranson
sysadmin at mfn.org
0xBD4A95BF

"...justice is a duty towards those whom you love and those whom you do not.
And people's rights will not be harmed if the opponent speaks out about them."

Osama Bin Laden
- - -

"There ought to be limits to freedom!"

George Bush
- - -

Which one scares you more?

From jg45 at mac.com Sun Aug 29 05:08:07 2004
From: jg45 at mac.com (Jock Gill)
Date: August 29, 2004 5:08:07 PM EDT
Subject: Surveillance blimp currently up over NYC
Message-ID:

Dave,

For IP if you wish.

A couple of questions about that surveillance blimp currently up over NYC. I understand it has some VERY sophisticated cameras on board with "exceptional" resolving power. I'd like to know who provided the camera and if it is actually legal. IE: If this is domestic spying, who is authorized to do it and who is prohibited?

Secondly, what does such a surveillance blimp say about our constitutional rights to freely assemble without restraint or intimidation and our rights to free speech?

Thirdly, who gets to see the pictures taken? Will they be subject to FOIA? Will they be archived in secret? What is their fate and should we be concerned? What recourse do we have?

Regards,

Jock

Jock Gill
www.jockgill.com
(781) 577-2888

----- End forwarded message -----
--
Eugen* Leitl leitl
______________________________________________________________
ICBM: 48.07078, 11.61144 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
http://moleculardevices.org http://nanomachines.net

From jya at pipeline.com Sun Aug 29 07:20:14 2004
From: jya at pipeline.com (John Young)
Date: Sun, 29 Aug 2004 07:20:14 -0700
Subject: JYA's 1st FBI visit?
In-Reply-To: <20040829004701.P84671@ubzr.zsa.bet>
References: <200408290538.i7T5cTE4064216@outlier.minder.net> <200408290538.i7T5cTE4064216@outlier.minder.net>
Message-ID:

The FBI has been set up next door since 1997. Their sole visit was due to stakeouts ringing the wrong door bell. The bastards bang on the wall when it's too quiet in here. Hey, they yell, "baby needs new shoes" -- the signal for us to punch F8 -- pre-recorded for the day's EOS.

Wouldn't you play the FBI Terrorist Task Force's contracted EOS for $200K a year? This long-running Broadway hit got started with the Commies, whose babies needed on-the-dole shoes, too. No threat to the State, no need for the octopus. No police state, no need for anarchists.

Lots of happy faces in NYC today. We photo'd a group of five "undercover" agents yesterday at one of the lift-gates at Madison Square Garden. Got their attention with the facial-recognition databanking, they not being sure we weren't with internal affairs, so they squint-eyed for the mug shots, the game tape assessment. We kept it up for ten minutes, me freely circling their station, them behind the barricades like penned protestors baiting the oppressors. Another photographer tried doing that and got busted by other officers ready to pounce. I got the orchestrated bust, pre-planned for TV, for DoJ's surveilling crew taping NYC internal affairs surveilling cops, cops surveilling thousands passing by indifferently.

The feds seem to think NYC cops will betray the State for a salary boost, the people betray the police for an end to taxation. Cops got in bed with the Commies, why not with thank-god-for-EOS GOP?

Sorry, repeat the question.

From mv at cdc.gov Sun Aug 29 09:59:06 2004
From: mv at cdc.gov (Major Variola (ret))
Date: Sun, 29 Aug 2004 09:59:06 -0700
Subject: JYA in NYT
Message-ID: <41320B59.FF199265@cdc.gov>

At 10:03 AM 8/29/04 -0400, Sunder wrote:
> Let's dissect this mother.

Let's.

> > "This tactic actually comes from our own playbook,'' said Thomas C.

One man's blowback is another man's feedback. "Can you hear me now?" -UBL

> Or did we sheeple forget about that incident there?

What incident? Where's Afghanistan? Oh, that place we bombed between Yugoslavia and Iraq, you mean? Is goat-polo an olympic sport yet?

> > to use natural gas to blow up three tall buildings, the authorities
> > say. According to government documents, Mr. Padilla intended to rent
> > apartments in three high-rise buildings that used natural gas, fill
> > each apartment with fumes and detonate the three buildings
> > simultaneously using timers.

Undergrad chem question: How many 40 litre tanks of propane does it take to take out a few corner apts? Admittedly wiring the city for natural gas is more convenient, but any kind of barbeque is fun. Anyway you want to hit NYC infrastructure in the winter, when even the oil-burning heaters need electricity.

--------
Sometimes a lesser devil goes and a greater devil takes over
Moqtada al-Sadr

The only language the American people understand is dead Americans.
-EC

From sunder at sunder.net Sun Aug 29 07:03:57 2004
From: sunder at sunder.net (Sunder)
Date: Sun, 29 Aug 2004 10:03:57 -0400 (edt)
Subject: JYA in NYT
In-Reply-To:
References:
Message-ID:

Let's dissect this mother.

On Sun, 29 Aug 2004, Nomen Nescio wrote:

> http://nytimes.com/2004/08/29/nyregion/29pipeline.html
>
> August 29, 2004
> Mapping Natural Gas Lines: Advise the Public, Tip Off the Terrorists
> By IAN URBINA
>
> John Young says he is an agent for change, hoping to point out places where the government needs to bolster national security. Since 1996, he has been posting documents on his Web site, ranging from detailed maps of nuclear storage facilities in New Mexico to aerial photographs of police preparations for the Republican National Convention. He has never attracted much attention from the authorities, and what he does is fully legal.
So where's the beef then?

> But last month, Mr. Young, a 68-year-old architect originally from Odessa, Tex., began publishing maps and pictures of natural gas pipelines in New York City on his site (www.cryptome.org). One photograph was of a large sign in Midtown Manhattan warning about the presence of a major gas main, a sign that had been meant to prevent deadly accidents. Within a week, the company that owns the pipeline took the sign down.

Yeah, those were pictures taken from public locations, I'd assume, right? No different than taking a picture of the Statue of Liberty or of the moon.

> "They posted the signs because they thought someone might accidentally blow the pipeline up,'' Mr. Young said. "Now, they're taking them down because they think someone might intentionally blow it up.''

Sounds like a lose-lose situation to me.

> For Mr. Young - and for a range of experts across the country - the strange and unnoticed little episode in Manhattan underscores one of the great tensions of the post-9/11 world: how to balance the desire for secrecy with decisions on what is best for public safety.

So there you go, Mr. Young has become an expert. What's the problem?

> Few issues highlight that tension better than the topic of natural gas.

Or perhaps flatulence?

> Private industry and local governments have spent much of the last several decades trying to make natural gas pipelines safer by publicizing where they are. Natural gas, highly explosive and transported in pipes underneath unknowing residents or uncharted along waterways, has been the cause of scores of lethal accidents - fiery explosions caused by misdirected backhoes or wayward boat anchors.

There you go. They've made their bed, now they can't complain when someone points at it and says "Uh, look at that!"

> But recent concerns have pushed in the opposite direction. Increasingly, gas companies have been clearing their Web sites of pipeline maps previously used by contractors before excavating. Almost all nautical charts once indicated where gas pipes run. Fewer do now.

So, we're back to someone accidentally dropping anchor in the wrong place and boom... can't have it both ways boys.

> "Federal regulations require companies to make these lines as obvious as possible and educate the public about where they are,'' said Kelly

So John was simply helping the companies follow Federal Regulations.

> Swan, a spokesman for Williams, the company that owns the pipe supplying Manhattan. "But local laws indicate that we were allowed to get rid of that particular sign, and after the recent publicity about it, we did.''

Oops, too much publicity, couldn't handle the spin control.

...

> Natural gas arrives in New York City through six so-called city gates, reached after traveling thousands of miles in pipes running from deposits deep beneath southeastern Texas and Sable Island, off the east coast of Nova Scotia. Here it enters a local grid of smaller pipes owned by Consolidated Edison in Manhattan, the Bronx and portions of Queens, and owned by Keyspan in the rest of the city. The gas is used for heating, cooking, and increasingly for fuel in city power plants.

And now the author of this article is feeding the terrorists vital intel - or following Federal regulations?

> But natural gas is also at risk of sabotage.

So is water, so is air, so is everything. Hell, if the CIA thought they could implant a transmitter in a cat and set the cat loose in a park where Soviets, Commies, and Spies (Oh My!) might talk, what's to stop the terrorists from doing the same style of thing?

> "This tactic actually comes from our own playbook,'' said Thomas C. Reed, the former secretary of the Air Force under President Gerald R. Ford and the author of "At the Abyss: An Insider's History of the Cold War.'' In 1982, the C.I.A. hacked into the software that controlled Soviet natural gas pipelines, causing vital pumps, turbines and valves to go haywire, he explained. The result, Mr. Reed said, was the largest nonnuclear explosion and fire ever seen from space and a major blow to Soviet sales of natural gas to Western Europe.
>
> "The tactic was a stroke of genius,'' he said.

Sure, why didn't he also say that flying 747's into high buildings was a stroke of genius too? Oh, but that would be telling. Never mind that they ran something called The School of the Americas that trained Terrorists^H^H^H^H^H^H^H^H^HFreedom Fighters in South America's torture^H^H^H^H^H^H^H^Hinterrogation techniques, and never mind that when the USSR wanted to take over Afghanistan, our valiant boys were teaching the Afghani Freedom fighters the fine art of asymmetrical warfare, some of which I'm sure now belong to Al Qaeda... Or did we sheeple forget about that incident there?

> Jose Padilla, the former Chicago gang member who grew up in Brooklyn, and who was accused of becoming an operative for Al Qaeda, intended to use natural gas to blow up three tall buildings, the authorities say. According to government documents, Mr. Padilla intended to rent apartments in three high-rise buildings that used natural gas, fill each apartment with fumes and detonate the three buildings simultaneously using timers.

Yeah, and Napoleon intended to be Emperor of the world too. Neither happened. And sure, lots of asteroids out there intended to hit the earth, but that didn't happen either.

...

> A 2002 report conducted by the National Academy of Sciences drew the same conclusion, explaining that restoring power after an attack on the natural gas system could take several weeks since spare parts for many of the mechanisms, especially those at compressor stations, are expensive, hard to find and often made only overseas.
> The report also predicted logistical challenges: every nonelectronic pilot light in the city would have to be manually relighted to avoid explosions.

Waaaa, we outsourced and didn't plan for an emergency... Waaaa.... Oh wait, what about that electric grid? Is that fixed yet? Well is it? No, don't ask Niagara Power, don't ask Con Ed, don't ask Ohio Power, dig and find out what caused it. We still don't know. Some say it was a Windows virus - if so Billy G should pay for that, some say it was a moron at the switch. What did happen there? Yeah, we're talking gas in this article, but denial of service is denial of service.

Where's your research Ian? Aren't you just pining for that Pulitzer? Do your homework. Spouting words like terrorists, fbi, and gas line ain't gonna get you that. So is every other cub on the beat.

> "We take security of natural gas very seriously,'' a Con Ed

Sure, and if you asked American Airlines if they took security seriously before 9/10, do you think they'd say "No?" If you asked my previous immediate boss (at a very sleazy dot.com) if he took security seriously, he said, and I quote from memory as he did say this in front of me to a client on the phone "Sure, we do quarterly scans of all the machines, and we're using a security company, which we're not at liberty to name, that does scans for Fortune 500 companies and they say we're secure." (And no, not a single scan was done, and no security company was hired, because they were cheap bastards. The only scan that was done, was by me, only because I wanted to play with Nessus, and boy, it said the opposite of secure, which I then had to patch all them boxes, but this was later on.)

If you had asked the FBI if they cared about terrorists before 9/11, they would have said "Hell yeah, we're gonna get'em all." But if you worked at a Pilot school where a guy wanted to learn how to fly and not land, and you repeatedly called the FBI to look into it, what did the FBI do exactly? Bubkus? A-Yup.... so why do reporters bother talking to Spindocs from public relations instead of doing some investigative reporting and figuring out the truth instead of eating bullshit with a spoon and smiling for the camera like it's Frosted Flakes? they'rreee grrrreat! Mmmmm, public relations spinbullshit... yummmm!

> "The fact that pipelines run largely underground reduces their exposure to external threats,'' said a study concerning infrastructure safety conducted by the Congressional Research Service

Um, didn't we read about backhoes and anchor drops a bit earlier in this article? Is it red or is it blue? Is the sky falling or not? Oooh! Wait! I get it! they'll wait for an accident with a backhoe, or boat anchor - or when the wind blows out a pilot light so that they can blame it on the terrorists! Why? so they can collect on the insurance money and get some Federal Aid too! Ok, I see it now!

> This is today's central conundrum, Mr. Young said, adding that he will continue posting on his Web site the results of his daily prowls searching for weak spots. In the meantime, he added, "I imagine law enforcement will probably be keeping an eye on me.''

Yup, it's always the guy that points out the Emperor's New Clothes ain't that gets an extended visit at the dungeon, not the tailor, nor the emperor...

> In fact, Mr. Young got his first visit from F.B.I. agents several weeks ago. But the issue was not all the nuclear reactor information he has put in the public domain. Rather, they wanted to talk about the natural gas pipeline maps, he said.

Oooh, John is an evil, evil man, he posted information about that there them Nucular thinggies too, ooh, ooh, like the same kind Saddam has, never mind, we'z just loookin' for'em, a-yup.... we'll find'em some day, maybe in 2009 or 20010 - but only if you elect me again... a-yup... but never minda dat, Saddam had to go, he was a very bad man, he didn't like our daddy... and John Young is just like Saddam... Lesss go rustle up some more of dem Nooo Yawk yankee fuck terrorists... vote for me, and I'll make you safe...

From eugen at leitl.org Sun Aug 29 02:17:38 2004
From: eugen at leitl.org (Eugen Leitl)
Date: Sun, 29 Aug 2004 11:17:38 +0200
Subject: JYA in NYT
In-Reply-To: <20040829004154.G84671@ubzr.zsa.bet>
References: <200408290538.i7T5cTE4064216@outlier.minder.net> <20040829004154.G84671@ubzr.zsa.bet>
Message-ID: <20040829091738.GA1051@leitl.org>

On Sun, Aug 29, 2004 at 12:42:19AM -0500, J.A. Terranson wrote:
> > The on-line NYTimes requires registration -
> > if the old "cypherpunks" login doesn't work,
> > you can create your own fake id.
>
> cypherpunks01/cypherpunks01 still works

http://bugmenot.com/

Has Mozilla/Firefox extensions too, so you'll get hints via right mouse click on page.

--
Eugen* Leitl leitl
______________________________________________________________
ICBM: 48.07078, 11.61144 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
http://moleculardevices.org http://nanomachines.net

From nobody at dizum.com Sun Aug 29 02:30:05 2004
From: nobody at dizum.com (Nomen Nescio)
Date: Sun, 29 Aug 2004 11:30:05 +0200 (CEST)
Subject: JYA in NYT
Message-ID:

http://nytimes.com/2004/08/29/nyregion/29pipeline.html

August 29, 2004
Mapping Natural Gas Lines: Advise the Public, Tip Off the Terrorists
By IAN URBINA

John Young says he is an agent for change, hoping to point out places where the government needs to bolster national security. Since 1996, he has been posting documents on his Web site, ranging from detailed maps of nuclear storage facilities in New Mexico to aerial photographs of police preparations for the Republican National Convention. He has never attracted much attention from the authorities, and what he does is fully legal.

But last month, Mr.
Young, a 68-year-old architect originally from Odessa, Tex., began publishing maps and pictures of natural gas pipelines in New York City on his site (www.cryptome.org). One photograph was of a large sign in Midtown Manhattan warning about the presence of a major gas main, a sign that had been meant to prevent deadly accidents. Within a week, the company that owns the pipeline took the sign down. "They posted the signs because they thought someone might accidentally blow the pipeline up,'' Mr. Young said. "Now, they're taking them down because they think someone might intentionally blow it up.'' For Mr. Young - and for a range of experts across the country - the strange and unnoticed little episode in Manhattan underscores one of the great tensions of the post-9/11 world: how to balance the desire for secrecy with decisions on what is best for public safety. Few issues highlight that tension better than the topic of natural gas. Private industry and local governments have spent much of the last several decades trying to make natural gas pipelines safer by publicizing where they are. Natural gas, highly explosive and transported in pipes underneath unknowing residents or uncharted along waterways, has been the cause of scores of lethal accidents - fiery explosions caused by misdirected backhoes or wayward boat anchors. But recent concerns have pushed in the opposite direction. Increasingly, gas companies have been clearing their Web sites of pipeline maps previously used by contractors before excavating. Almost all nautical charts once indicated where gas pipes run. Fewer do now. "Federal regulations require companies to make these lines as obvious as possible and educate the public about where they are,'' said Kelly Swan, a spokesman for Williams, the company that owns the pipe supplying Manhattan. "But local laws indicate that we were allowed to get rid of that particular sign, and after the recent publicity about it, we did.'' Edward M. Stroz, a retired F.B.I. 
agent who runs his own consulting firm on security issues, said many infrastructure companies found themselves caught between old risks and new threats. "The challenge is to make this infrastructure not so obvious that it's almost inviting to terrorists,'' he said, "while also not pulling so much information out of public reach that accidents occur.'' Natural gas arrives in New York City through six so-called city gates, reached after traveling thousands of miles in pipes running from deposits deep beneath southeastern Texas and Sable Island, off the east coast of Nova Scotia. Here it enters a local grid of smaller pipes owned by Consolidated Edison in Manhattan, the Bronx and portions of Queens, and owned by Keyspan in the rest of the city. The gas is used for heating, cooking, and increasingly for fuel in city power plants. But natural gas is also at risk of sabotage. "This tactic actually comes from our own playbook,'' said Thomas C. Reed, the former secretary of the Air Force under President Gerald R. Ford and the author of "At the Abyss: An Insider's History of the Cold War.'' In 1982, the C.I.A. hacked into the software that controlled Soviet natural gas pipelines, causing vital pumps, turbines and valves to go haywire, he explained. The result, Mr. Reed said, was the largest nonnuclear explosion and fire ever seen from space and a major blow to Soviet sales of natural gas to Western Europe. "The tactic was a stroke of genius,'' he said. Jose Padilla, the former Chicago gang member who grew up in Brooklyn, and who was accused of becoming an operative for Al Qaeda, intended to use natural gas to blow up three tall buildings, the authorities say. According to government documents, Mr. Padilla intended to rent apartments in three high-rise buildings that used natural gas, fill each apartment with fumes and detonate the three buildings simultaneously using timers. 
Security experts have repeatedly pointed to the natural gas pipeline system as a dangerous Achilles' heel in the domestic infrastructure. A report by the Council on Foreign Relations in 2002 said that city gates and compressor stations, which keep the gas moving through the pipelines, were most vulnerable. These critical nodes, the report explained, are usually above ground and sometimes protected only by chain-link fences and padlocks. If even one or two of these locations were disabled in any major city, the report said, it could result in a wide blackout since most new turbines being brought online in major cities are powered by natural gas. A 2002 report conducted by the National Academy of Sciences drew the same conclusion, explaining that restoring power after an attack on the natural gas system could take several weeks since spare parts for many of the mechanisms, especially those at compressor stations, are expensive, hard to find and often made only overseas. The report also predicted logistical challenges: every nonelectronic pilot light in the city would have to be manually relighted to avoid explosions. "We take security of natural gas very seriously,'' a Con Ed spokesman, Joe Petta, said. Since the Sept. 11 attacks, Con Ed has added fencing, cameras, and patrols around gas pipeline facilities, he said. The utility has also begun inspecting pipeline valves monthly, and four times a year it tests responses to city gate failures, he said. "None of that will help,'' said Mr. Young, standing about 30 feet and a chain-link fence from one of the four central pipes that feed natural gas to Manhattan. Even if certain facilities were patrolled around the clock, he said, and most are not, the rest of the system is still exposed. "The fact that pipelines run largely underground reduces their exposure to external threats,'' said a study concerning infrastructure safety conducted by the Congressional Research Service in 2002. 
But required markings alert emergency workers, homeowners and terrorists to the location of pipelines. This is today's central conundrum, Mr. Young said, adding that he will continue posting on his Web site the results of his daily prowls searching for weak spots. In the meantime, he added, "I imagine law enforcement will probably be keeping an eye on me.'' In fact, Mr. Young got his first visit from F.B.I. agents several weeks ago. But the issue was not all the nuclear reactor information he has put in the public domain. Rather, they wanted to talk about the natural gas pipeline maps, he said. Copyright 2004 The New York Times Company From camera_lumina at hotmail.com Sun Aug 29 09:03:37 2004 From: camera_lumina at hotmail.com (Tyler Durden) Date: Sun, 29 Aug 2004 12:03:37 -0400 Subject: JYA in NYT Message-ID: A nice little rant, I must say. BUT...there are some interesting undertones here. First and foremost, I see no mention of JYA being an 'anarchist', and indeed there's a slightly positive spin given to his efforts. The first (and lesser) implication of this is that NYT and its employees are smart enough after 9/11 to realize that their continued physical survival will depend on being fairly practical. A "don't look over here" approach didn't work before, and it won't work now. More than that, it may indicate that the business managers at major media are starting to realize that they can't continue pissing off huge chunks of the public and still sell papers, etc.... Note the move from "Iraqi terrorists" to "Iraqi insurgents". Wait for them to start calling al-Sadr "hardline" rather than "Radical". Wish I had some kind of punchline here, but it seems some kind of small tide has turned. -TD >From: Sunder >To: Nomen Nescio >CC: cypherpunks at al-qaeda.net >Subject: Re: JYA in NYT >Date: Sun, 29 Aug 2004 10:03:57 -0400 (edt) > >Let's dissect this mother. 
> >On Sun, 29 Aug 2004, Nomen Nescio wrote: > > > http://nytimes.com/2004/08/29/nyregion/29pipeline.html > > > > August 29, 2004 > > Mapping Natural Gas Lines: Advise the Public, Tip Off the Terrorists > > By IAN URBINA > > > > John Young says he is an agent for change, hoping to point out places > > where the government needs to bolster national security. Since 1996, > > he has been posting documents on his Web site, ranging from detailed > > maps of nuclear storage facilities in New Mexico to aerial > > photographs of police preparations for the Republican National > > Convention. He has never attracted much attention from the > > authorities, and what he does is fully legal. > >So where's the beef then? > > > But last month, Mr. Young, a 68-year-old architect originally from > > Odessa, Tex., began publishing maps and pictures of natural gas > > pipelines in New York City on his site (www.cryptome.org). One > > photograph was of a large sign in Midtown Manhattan warning about the > > presence of a major gas main, a sign that had been meant to prevent > > deadly accidents. Within a week, the company that owns the pipeline > > took the sign down. > >Yeah, those were pictures taken from public locations, I'd assume, right? >No different than taking a picture of the Statue of Liberty or of the >moon. > > > "They posted the signs because they thought someone might > > accidentally blow the pipeline up,'' Mr. Young said. "Now, they're > > taking them down because they think someone might intentionally blow > > it up.'' > >Sounds like a lose lose situation to me. > > > For Mr. Young - and for a range of experts across the country - the > > strange and unnoticed little episode in Manhattan underscores one of > > the great tensions of the post-9/11 world: how to balance the desire > > for secrecy with decisions on what is best for public safety. > >So there, you go, Mr. Young has become an expert. What's the problem? 
> > > Few issues highlight that tension better than the topic of natural > > gas. > >Or perhaps flatulence? > > > Private industry and local governments have spent much of the last > > several decades trying to make natural gas pipelines safer by > > publicizing where they are. Natural gas, highly explosive and > > transported in pipes underneath unknowing residents or uncharted > > along waterways, has been the cause of scores of lethal accidents - > > fiery explosions caused by misdirected backhoes or wayward boat > > anchors. > >There you go. They've made their bed, now they can't complain when >someone points at it and says "Uh, look at that!" > > > But recent concerns have pushed in the opposite direction. > > Increasingly, gas companies have been clearing their Web sites of > > pipeline maps previously used by contractors before excavating. > > Almost all nautical charts once indicated where gas pipes run. Fewer > > do now. > >So, we're back to someone accidentally dropping anchor in the wrong place >and boom... can't have it both ways boys. > > > "Federal regulations require companies to make these lines as obvious > > as possible and educate the public about where they are,'' said Kelly > >So John was simply helping the companies follow Federal Regulations. > > > Swan, a spokesman for Williams, the company that owns the pipe > > supplying Manhattan. "But local laws indicate that we were allowed to > > get rid of that particular sign, and after the recent publicity about > > it, we did.'' > >Oops, too much publicity, couldn't handle the spin control. > >... > > > > Natural gas arrives in New York City through six so-called city > > gates, reached after traveling thousands of miles in pipes running > > from deposits deep beneath southeastern Texas and Sable Island, off > > the east coast of Nova Scotia. 
Here it enters a local grid of smaller > > pipes owned by Consolidated Edison in Manhattan, the Bronx and > > portions of Queens, and owned by Keyspan in the rest of the city. The > > gas is used for heating, cooking, and increasingly for fuel in city > > power plants. > >And now the author of this article is feeding the terrorists vital intel - >or following Federal regulations? > > > But natural gas is also at risk of sabotage. > >So is water, so is air, so is everything. Hell, if the CIA thought they >could implant a transmitter in a cat and set the cat loose in a park where >Soviets, Commies, and Spies (Oh My!) might talk, what's to stop the >terrorists from doing the same style of thing? > > > > "This tactic actually comes from our own playbook,'' said Thomas C. > > Reed, the former secretary of the Air Force under President Gerald R. > > Ford and the author of "At the Abyss: An Insider's History of the > > Cold War.'' In 1982, the C.I.A. hacked into the software that > > controlled Soviet natural gas pipelines, causing vital pumps, > > turbines and valves to go haywire, he explained. The result, Mr. Reed > > said, was the largest nonnuclear explosion and fire ever seen from > > space and a major blow to Soviet sales of natural gas to Western > > Europe. > > > > "The tactic was a stroke of genius,'' he said. > >Sure, why didn't he also say that flying 747's into high buildings was a >stroke of genius too? Oh, but that would be telling. > >Never mind that they ran something called The School of the Americas that >trained Terrorists^H^H^H^H^H^H^H^H^HFreedom Fighters in South American >torture^H^H^H^H^H^H^H^Hinterrogation techniques, and never mind that when >the USSR wanted to take over Afghanistan, our valiant boys were teaching >the Afghani Freedom fighters the fine art of asymmetrical warfare, some of >which I'm sure now belong to Al Qaeda... > >Or did we sheeple forget about that incident there? 
> > > Jose Padilla, the former Chicago gang member who grew up in Brooklyn, > > and who was accused of becoming an operative for Al Qaeda, intended > > to use natural gas to blow up three tall buildings, the authorities > > say. According to government documents, Mr. Padilla intended to rent > > apartments in three high-rise buildings that used natural gas, fill > > each apartment with fumes and detonate the three buildings > > simultaneously using timers. > >Yeah, and Napoleon intended to be Emperor of the world too. Neither >happened. And sure, lots of asteroids out there intended to hit the >earth, but that didn't happen either. > >... > > > A 2002 report conducted by the National Academy of Sciences drew the > > same conclusion, explaining that restoring power after an attack on > > the natural gas system could take several weeks since spare parts for > > many of the mechanisms, especially those at compressor stations, are > > expensive, hard to find and often made only overseas. The report also > > predicted logistical challenges: every nonelectronic pilot light in > > the city would have to be manually relighted to avoid explosions. > >Waaaa, we outsourced and didn't plan for an emergency... Waaaa.... Oh >wait, what about that electric grid? Is that fixed yet? Well is it? No, >don't ask Niagara Power, don't ask Con Ed, don't ask Ohio Power, dig and >find out what caused it. We still don't know. Some say it was a Windows >virus - if so Billy G should pay for that, some say it was a moron at the >switch. What did happen there? Yeah, we're talking gas in this article, >but denial of service is denial of service. Where's your research Ian? >Aren't you just pining for that Pulitzer? Do your homework. Spouting >words like terrorists, fbi, and gas line ain't gonna get you that. So is >every other cub on the beat. 
> > > > "We take security of natural gas very seriously,'' a Con Ed > >Sure, and if you asked American Airlines if they took security seriously >before 9/10, do you think they'd say "No?" > >If you asked my previous immediate boss (at a very sleazy dot.com) if he >took security seriously, he said, and I quote from memory as he did say >this in front of me to a client on the phone "Sure, we do quarterly scans >of all the machines, and we're using a security company, which we're not >at liberty to name, that does scans for Fortune 500 companies and they say >we're secure." (And no, not a single scan was done, and no security >company was hired, because they were cheap bastards. The only scan that >was done, was by me, only because I wanted to play with Nessus, and boy, >it said the opposite of secure, which I then had to patch all them boxes, >but this was later on.) > >If you had asked the FBI if they cared about terrorists before 9/11, they >would have said "Hell yeah, we're gonna get'em all." But if you worked at >a Pilot school where a guy wanted to learn how to fly and not land, and >you repeatedly called the FBI to look into it, what did the FBI do >exactly? Bubkus? > >A-Yup.... so why do reporters bother talking to Spindocs from public >relations instead of doing some investigative reporting and figuring out >the truth instead of eating bullshit with a spoon and smiling for the >camera like it's Frosted Flakes? they'rreee grrrreat! Mmmmm, public >relations spinbullshit... yummmm! > > > "The fact that pipelines run largely underground reduces their > > exposure to external threats,'' said a study concerning > > infrastructure safety conducted by the Congressional Research Service > >Um, didn't we read about backhoes and anchor drops a bit earlier in this >article? Is it red or is it blue? Is the sky falling or not? > >Oooh! Wait! I get it! 
they'll wait for an accident with a backhoe, or >boat anchor - or when the wind blows out a pilot light so that they can >blame it on the terrorists! Why? so they can collect on the insurance >money and get some Federal Aid too! Ok, I see it now! > > > This is today's central conundrum, Mr. Young said, adding that he > > will continue posting on his Web site the results of his daily prowls > > searching for weak spots. In the meantime, he added, "I imagine law > > enforcement will probably be keeping an eye on me.'' > >Yup, it's always the guy that points out the Emperor's New Clothes ain't >that gets an extended visit at the dungeon, not the tailor, nor the >emperor... > > > In fact, Mr. Young got his first visit from F.B.I. agents several > > weeks ago. But the issue was not all the nuclear reactor information > > he has put in the public domain. Rather, they wanted to talk about > > the natural gas pipeline maps, he said. > >Oooh, John is an evil, evil man, he posted information about that there >them Nucular thinggies too, ooh, ooh, like the same kind Saddam has, never >mind, we'z just loookin' for'em, a-yup.... we'll find'em some day, maybe >in 2009 or 20010 - but only if you elect me again... a-yup... but never >minda dat, Saddam had to go, he was a very bad man, he didn't like our >daddy... and John Young is just like Saddam... > >Lesss go rustle up some more of dem Nooo Yawk yankee fuck terrorists... >vote for me, and I'll make you safe... _________________________________________________________________ Get ready for school! Find articles, homework help and more in the Back to School Guide! http://special.msn.com/network/04backtoschool.armx From measl at mfn.org Sun Aug 29 10:17:50 2004 From: measl at mfn.org (J.A. 
Terranson) Date: Sun, 29 Aug 2004 12:17:50 -0500 (CDT) Subject: JYA in NYT In-Reply-To: References: Message-ID: <20040829121639.M84671@ubzr.zsa.bet> On Sun, 29 Aug 2004, Sunder wrote: > If you asked my previous immediate boss (at a very sleazy dot.com) if he > took security seriously, he said, and I quote from memory as he did say > this in front of me to a client on the phone "Sure, we do quarterly scans > of all the machines, and we're using a security company, which we're not > at liberty to name, that does scans for Fortune 500 companies and they say > we're secure." (And no, not a single scan was done, and no security > company was hired, because they were cheap bastards. The only scan that > was done, was by me, only because I wanted to play with Nessus, and boy, > it said the opposite of secure, which I then had to patch all them boxes, > but this was later on.) Woooaaahh!!! Savvis!!! "J"? Is that you? -- Yours, J.A. Terranson sysadmin at mfn.org 0xBD4A95BF "...justice is a duty towards those whom you love and those whom you do not. And people's rights will not be harmed if the opponent speaks out about them." Osama Bin Laden - - - "There ought to be limits to freedom!" George Bush - - - Which one scares you more? From sunder at sunder.net Sun Aug 29 09:28:56 2004 From: sunder at sunder.net (Sunder) Date: Sun, 29 Aug 2004 12:28:56 -0400 (edt) Subject: proof of censoring decisions they don't like under natsec Message-ID: http://www.thememoryhole.org/feds/justice_redaction.htm >>> Anybody who has read many official documents, including those making headlines in the last year or more, has seen plenty of redactions (those portions that are blacked out or otherwise made unreadable). This, we're told, is for legitimate reasons, such as "national security" or "protecting intelligence sources and methods." But now we have absolute, incontrovertible proof that the government also censors completely innocuous material simply because they don't like it. 
The Justice Department tipped its hand in its ongoing legal war with the ACLU over the Patriot Act. Because the matter is so sensitive, the Justice Dept is allowed to black out those passages in the ACLU's court filings that it feels should not be publicly released. Ostensibly, they would use their powers of censorship only to remove material that truly could jeopardize US operations. But in reality, what did they do? They blacked out a quotation from a Supreme Court decision: "The danger to political dissent is acute where the Government attempts to act under so vague a concept as the power to protect 'domestic security.' Given the difficulty of defining the domestic security interest, the danger of abuse in acting to protect that interest becomes apparent." The mind reels at such a blatant abuse of power (and at the sheer chutzpah of using national security as an excuse to censor a quotation about using national security as an excuse to stifle dissent). It's hard to imagine a more public, open document than a decision written by the Supreme Court. It is incontestably public property: widely reprinted online and on paper; pored over by generations of judges, attorneys, prosecutors, and law students; quoted for centuries to come in court cases and political essays. Yet the Justice Department had the incomprehensible arrogance and gall to strip this quotation from a court document, as if it represented a grave threat to the republic. Luckily, the court slapped down this redaction and several others. If it hadn't, we would've been left with the impression that this was a legitimate redaction, that whatever was underneath the thick black ink was something so incredibly sensitive and damaging that it must be kept from our eyes. Now we know the truth. Think about this the next time you see a black mark on a public document. ----------------------Kaos-Keraunos-Kybernetos--------------------------- + ^ + :"Our enemies are innovative and resourceful, and so are we. 
/|\ \|/ :They never stop thinking about new ways to harm our country /\|/\ <--*-->:and our people, and neither do we." -G. W. Bush, 2004.08.05 \/|\/ /|\ : \|/ + v + : War is Peace, freedom is slavery, Bush is President. ------------------------------------------------------------------------- From nobody at dizum.com Sun Aug 29 03:30:04 2004 From: nobody at dizum.com (Nomen Nescio) Date: Sun, 29 Aug 2004 12:30:04 +0200 (CEST) Subject: EFGA? Message-ID: <15ade79d8f7f741352b679a519791347@dizum.com> What happened to Electronic Frontiers Georgia (efga.org)? Are they gone for good? They did operate the cracker remailer did they not? And they did have a newsletter on privacy issues? Anyone know? From sunder at sunder.net Sun Aug 29 09:35:01 2004 From: sunder at sunder.net (Sunder) Date: Sun, 29 Aug 2004 12:35:01 -0400 (edt) Subject: OT: Any Questions? Read This! - Long Bush track record (fwd) Message-ID: ---------- Forwarded message ---------- Date: Sun, 29 Aug 2004 13:09:45 -0400 Subject: OT: Any Questions? Read This! - Long Bush track record I tried to find something wrong with this email... looks like facts to me. If anyone can find where this is Anti-Bush, let me know. Looks like reality speaks for itself. Dear Citizen: Just so you know: I attacked and took over 2 countries. I spent the U.S. surplus and bankrupted the US Treasury. I shattered the record for the biggest annual deficit in history (not easy!). I set an economic record for the most personal bankruptcies filed in any 12 month period. I set all-time record for the biggest drop in the history of the stock market. I am the first president in decades to execute a federal prisoner. In my first year in office I set the all-time record for most days on vacation by any president in US history (tough to beat my dad's, but I did). After taking the entire month of August off for vacation, I presided over the worst security failure in US history. 
I set the record for most campaign fund raising trips by any president in US history. In my first two years in office over 2 million Americans lost their jobs. I cut unemployment benefits for more out-of-work Americans than any other president in US history. I set the all-time record for most real estate foreclosures in a 12-month period. I appointed more convicted criminals to administration positions than any president in US history. I set the record for the fewest press conferences of any president, since the advent of TV. I signed more laws and executive orders amending the Constitution than any other US president in history. I presided over the biggest energy crisis in US history and refused to intervene when corruption was revealed. I cut health care benefits for war veterans. I set the all-time record for most people worldwide to simultaneously take to the streets to protest me (15 million people), shattering the record for protest against any person in the history of mankind. I dissolved more international treaties than any president in US history. I've made my presidency the most secretive and unaccountable of any in US history. Members of my cabinet are the richest of any administration in US history. (The poorest multimillionaire, Condoleezza Rice, has a Chevron oil tanker named after her.) I am the first president in US history to have all 50 states of the Union simultaneously struggle against bankruptcy. I presided over the biggest corporate stock market fraud in any market in any country in the history of the world. I am the first president in US history to order a US attack AND military occupation of a sovereign nation, and I did so against the will of the United Nations and the vast majority of the international community. I have created the largest government department bureaucracy in the history of the United States, called the "Bureau of Homeland Security"(only one letter away from BS). 
I set the all-time record for biggest annual budget spending increases, more than any other president in US history (Ronnie was tough to beat, but I did it!!). I am the first president in US history to compel the United Nations to remove the US from the Human Rights Commission. I am the first president in US history to have the United Nations remove the US from the Elections Monitoring Board. I removed more checks and balances, and have the least congressional oversight of any presidential administration in US history. I rendered the entire United Nations irrelevant. I withdrew from the World Court of Law. I refused to allow inspectors access to US prisoners of war and by default no longer abide by the Geneva Conventions. I am the first president in US history to refuse United Nations election inspectors access during the 2002 US elections. I am the all-time US (and world) record holder for most corporate campaign donations. The biggest lifetime contributor to my campaign, who is also one of my best friends, presided over one of the largest corporate bankruptcy frauds in world history (Kenneth Lay, former CEO of Enron Corporation). I spent more money on polls and focus groups than any president in US history. I am the first president to run and hide when the US came under attack (and then lied, saying the enemy had the code to Air Force 1). I am the first US president to establish a secret shadow government. I took the world's sympathy for the US after 9/11, and in less than a year made the US the most resented country in the world (possibly the biggest diplomatic failure in US and world history). I am the first US president in history to have a majority of the people of Europe (71%) view my presidency as the biggest threat to world peace and stability. I changed US policy to allow convicted criminals to be awarded government contracts. 
I set the all-time record for the number of administration appointees who violated US law by not selling their huge investments in corporations bidding for gov't contracts.
I have removed more freedoms and civil liberties for Americans than any other president in US history.
I entered office with the strongest economy in US history and in less than two years turned every single economic category heading straight down.

RECORDS AND REFERENCES:

I have at least one conviction for drunk driving in Maine (Texas driving record has been erased and is not available).
I was AWOL from the National Guard and deserted the military during time of war.
I refuse to take a drug test or even answer any questions about drug use. (wink, wink)
All records of my tenure as governor of Texas have been spirited away to my father's library, sealed in secrecy and unavailable for public view.
All records of any SEC investigations into my insider trading or bankrupt companies are sealed in secrecy and unavailable for public view.
All minutes of meetings of any public corporation for which I served on the board are sealed in secrecy and unavailable for public view.
Any records or minutes from meetings I (or my VP) attended regarding public energy policy are sealed in secrecy and unavailable for public review.

With Love,
GEORGE W.
BUSH
The White House, Washington, DC

[demime 1.01d removed an attachment of type IMAGE/JPEG]
[demime 1.01d removed an attachment of type IMAGE/JPEG]

From dave at farber.net Sun Aug 29 14:12:16 2004
From: dave at farber.net (David Farber)
Date: Sun, 29 Aug 2004 17:12:16 -0400
Subject: [IP] Surveillance blimp currently up over NYC
Message-ID:

Begin forwarded message:

From shaddack at ns.arachne.cz Sun Aug 29 09:20:21 2004
From: shaddack at ns.arachne.cz (Thomas Shaddack)
Date: Sun, 29 Aug 2004 18:20:21 +0200 (CEST)
Subject: JYA in NYT
In-Reply-To:
References:
Message-ID: <0408291817580.10701@somehost.domainz.com>

On Sun, 29 Aug 2004, Tyler Durden wrote:

> More than that, it may indicate that the business managers at major media are starting to realize that they can't continue pissing off huge chunks of the public and still sell papers, etc.... Note the move from "Iraqi terrorists" to "Iraqi insurgents". Wait for them to start calling al-Sadr "hardline" rather than "Radical".

It's also possible they want to prevent the continuing inflation of "power words". Once certain words become too common, they lose their magic and won't be bringing eyeballs to the TVs and making papers sell anymore.

From shaddack at ns.arachne.cz Sun Aug 29 09:55:37 2004
From: shaddack at ns.arachne.cz (Thomas Shaddack)
Date: Sun, 29 Aug 2004 18:55:37 +0200 (CEST)
Subject: gmail as a gigabyte of an external filesystem
Message-ID: <0408291853030.-1210261228@somehost.domainz.com>

Cuuuute! :)

Could be even more interesting if combined with a suitable kind of encryption; I don't know how much I should trust Google, they are way too big to not be more than attractive "focus point" for "carpet-watching" people. The author is aware of this issue.

Question for the crowd: How difficult would it be to write a suitable crypto engine as a plug-in module for FUSE itself? Then we could have support for encrypted files on any filesystem accessible through FUSE.
-----------

http://www.boingboing.net/2004/08/29/turn_gmail_storage_i.html

What to do with all that extra, network-based storage that comes with your Gmail account? If you're using Linux, you can turn it into a mountable filesystem with GmailFS.

GmailFS provides a mountable Linux filesystem which uses your Gmail account as its storage medium. GmailFS is a Python application and uses the FUSE userland filesystem infrastructure to help provide the filesystem, and libgmail to communicate with Gmail.

GmailFS supports most file operations such as read, write, open, close, stat, symlink, link, unlink, truncate and rename. This means that you can use all your favourite unix command line tools to operate on files stored on Gmail (e.g. cp, ls, mv, rm, ln, grep etc. etc.).

Link (via Waxy)

posted by Cory Doctorow at 08:21:29 AM

From s.schear at comcast.net Sun Aug 29 20:55:19 2004
From: s.schear at comcast.net (Steve Schear)
Date: Sun, 29 Aug 2004 20:55:19 -0700
Subject: Tilting at the Ballot Box
In-Reply-To: <20040827214951.GA5868@arion.soze.net>
References: <6.0.1.1.0.20040825095222.05766930@mail.comcast.net> <20040827111246.GA4932@arion.soze.net> <6.0.1.1.0.20040827073940.048b6658@mail.comcast.net> <20040827214951.GA5868@arion.soze.net>
Message-ID: <6.0.1.1.0.20040829203243.05225220@mail.comcast.net>

At 02:49 PM 8/27/2004, Justin wrote:
>On 2004-08-27T13:14:47-0700, Steve Schear wrote:
> > At 04:12 AM 8/27/2004, you wrote:
>As I understand it (I wasn't there, but perhaps you were), their complaint was that their "representatives" weren't from the region they claimed to represent, and that they weren't chosen democratically. You and I have no such claim. I can't claim lack of representation just because my fellow citizens are idiots who subscribe to the Libertarian or Socialist or Zoroastrian platform yet vote for a Republican or Democrat.
Although some voters registered with minority parties do indeed cross lines and vote for the majority candidate they feel is the lesser of two evils, they are not the focus of my interest but rather what representation is afforded those that do vote with their registered parties. In almost all other democracies independent voter turnouts in the magnitude of U.S. elections would guarantee at least one seat in a state (equivalent) or national assembly. But in the U.S. these voters are being denied effective representation (and here 'effective' cannot be defined to mean the choice of the majority when voting is by district which eliminates any practical chance that a minority party candidate can be seated).

> > The fact that 'my' representatives are not the ones I wanted nor any of the independent party voters wanted is paramount.
>
>What you or I want has nothing to do with it. I don't get to redefine election procedure whenever my preferred candidate doesn't win an election.

No, but voters should be able to withhold their tax money, where possible, until they do. I think these disenfranchised voters would feel much less damaged if they weren't financially supporting such an undemocratic system.

>I'm not voting for either Bush or Kerry. Neither represents my views. No matter who wins, the winner is my president and my representative. I can't claim otherwise. The best I can do is blame all the idiot voters who cling to party-ID as if it were their only hope of survival.

You are attempting to substitute an inherently winner-take-all contest for the legislative contests I have been discussing. One has nothing to do with the other.

> > Representation is about interests and ideology. If a significant segment of voters don't get anyone to represent these interests and ideologies bad things can happen (e.g., they can become radicalized). Representation can be an important outlet for these disenfranchised voters.
>
>Well, one district in TX managed to elect someone who's decent - Ron Paul. It's possible. The fact that libertarians or fascists everywhere don't get their candidates elected has more to do with the fact that they vote Republican or Democrat "because a vote for a third party is a wasted vote." Blame the morons in the electorate for not electing representatives that mirror their views. That's where the blame lies.

It's only 'wasted' because there is no chance that a majority in their voting district will also vote for the same candidate.

>What do you want? Do you want everyone to vote Democrat, Libertarian or Republican, then apportion the House of Representatives and the Senate appropriately? Who picks the representatives?

The manners for the selection of candidates under a proportional system are varied but well understood outside the U.S. Perhaps these links might educate:

http://en.wikipedia.org/wiki/Proportional_representation

and

http://www.mtholyoke.edu/acad/polit/damy/BeginnningReading/howprwor.htm

>The reason we don't have any socialists or libertarians or fascists in Congress is that not a single district votes for one. The U.S. has this fixation on voting for one of the two major parties. Other countries do not; that's why some of them have multi-(3+)-party representation in their parliaments.

No, the reason the U.S. has a fixation on voting for one of two major parties is because of a lack of proportional representation like elsewhere. I am certain you have the cause and effect interchanged.

>Incidentally, some northeastern state allows each congressional district to pick one elector, and the State as a whole picks two. (Electors = Senators + House Reps). If you're complaining about presidential elector selection, that blame lies with the States; the States dictate how their electors are chosen.

I am not discussing presidential elections, this is another matter.
> > The problem is that use of voting districts seems to have always resulted in gerrymandering in our political system. A proportional system can eliminate these geopolitical distortions.
>
>State and Federal House of Reps. are proportional. (Yeah, I know Nebraska is unicameral, excuse the generalization). What part of the System isn't proportional other than most States' selection of presidential electors?

The part that isn't proportional has to do with the very establishment of 'voting districts' within the states that are the key to the two major parties maintaining their electoral monopolies.

steve

From eugen at leitl.org Sun Aug 29 14:55:00 2004
From: eugen at leitl.org (Eugen Leitl)
Date: Sun, 29 Aug 2004 23:55:00 +0200
Subject: [IP] Surveillance blimp currently up over NYC (fwd from dave@farber.net)
Message-ID: <20040829215500.GE1458@leitl.org>

----- Forwarded message from David Farber -----

From mv at cdc.gov Mon Aug 30 08:56:44 2004
From: mv at cdc.gov (Major Variola (ret))
Date: Mon, 30 Aug 2004 08:56:44 -0700
Subject: RIAA can't stomache cassette recorders
Message-ID: <41334E3C.D4EB19A9@cdc.gov>

"We remain concerned about any devices or software that permit listeners to transform a broadcast into a music library," RIAA spokesman Jonathan Lamy said.

http://wired.com/news/digiwood/0,1412,64761,00.html?tw=wn_tophead_6

From mv at cdc.gov Mon Aug 30 10:24:36 2004
From: mv at cdc.gov (Major Variola (ret))
Date: Mon, 30 Aug 2004 10:24:36 -0700
Subject: drooling at tracking immigrant$, with contact$
Message-ID: <413362D4.C20EACA5@cdc.gov>

http://www.dhs.gov/interweb/assetlibrary/Vendor_Day_List_FIN818.pdf

The following list of companies have expressed an interest in the US-VISIT System requirement by participating in the Industry Conference and/or responding to the sources sought RFI. This list is being provided in an attempt to promote open dialogue for potential teaming and/or subcontracting discussions/arrangements.
This listing does not imply that any of these companies have committed to submitting any proposal, nor is there any obligation on the part of the Government to acquire any products or services from those listed. To add your name to the list, or to modify information that is contained within, please contact the US-VISIT Program Office at (202) 305-0845.

Sample:

Oki America, Inc.
2000 Bishops Gate Blvd
Mount Laurel, NJ 08054
Guy Dela Rosa
Manager, Business Development
856-222-7016
delarosa322 at oki.com

Optimos Incorporated
4455 Brookfield Corporate Dr.
Chantilly, VA 20151
Marc Blackman
*703-488-6957
703-488-6958
mblackman at optimos.com

Oracle Corporation
1910 Oracle Way
Reston, VA 20190
Jennifer Bognet
Account Manager
*703-364-2212
703-217-9441
jennifer.bognet at oracle.com

Orkland Corp., The
7799 Leesburg Pike
Falls Church, VA 22043
Peter Rath
703-610-4550
prath at orkland.com

From mv at cdc.gov Mon Aug 30 11:03:53 2004
From: mv at cdc.gov (Major Variola (ret))
Date: Mon, 30 Aug 2004 11:03:53 -0700
Subject: John gets hassled, but those with $ are not
Message-ID: <41336C08.47B3F562@cdc.gov>

JY reports on the Fed nervousness about his publications; but anyone with a few hundred $ can buy a CDROM or nicely printed map of the same info.

[listsig: surveillance, 1st amendment, everyone is a reporter]

MAP DETAILS

This 2003/2004 edition of the N. American Natural Gas System map is the most comprehensive (and eye-catching) gas system map on the market.

http://public.resdata.com/rdimaps/html/DetailTemp.asp?d=1062&i=1715

The Electric Power System Atlas of North America on CD-ROM offers the most-detailed, most-comprehensive overview of the United States, Canadian and Mexican electric infrastructure available today, giving you the tools you need to make crucial analytical or market decisions. This atlas provides complete information for competitive analysis, plant siting, transportation to and from power plants, regional fuel mix, and territory coverage.
It's convenient, portable, and easy to use. It displays 292 separate maps, plus 26 insets of important regions including major metropolitan areas such as Dallas, Los Angeles and New York.

http://public.resdata.com/rdimaps/html/DetailTemp.asp?d=1&i=1520

From mv at cdc.gov Mon Aug 30 11:26:14 2004
From: mv at cdc.gov (Major Variola (ret))
Date: Mon, 30 Aug 2004 11:26:14 -0700
Subject: Pigradio survey of anonymizing systems
Message-ID: <41337146.9824E24A@cdc.gov>

The pigs want to be able to send anonymous messages over IP or POTS using their emergency 700 Mhz comm system:

http://www.ncs.gov/informationportal/Web_Proxy_Report.doc

From DaveHowe at gmx.co.uk Mon Aug 30 03:44:27 2004
From: DaveHowe at gmx.co.uk (Dave Howe)
Date: Mon, 30 Aug 2004 11:44:27 +0100
Subject: JYA in NYT
In-Reply-To:
References:
Message-ID: <4133050B.9040602@gmx.co.uk>

Nomen Nescio wrote:
> "This tactic actually comes from our own playbook,'' said Thomas C. Reed, the former secretary of the Air Force under President Gerald R. Ford and the author of "At the Abyss: An Insider's History of the Cold War.'' In 1982, the C.I.A. hacked into the software that controlled Soviet natural gas pipelines, causing vital pumps, turbines and valves to go haywire, he explained. The result, Mr. Reed said, was the largest nonnuclear explosion and fire ever seen from space and a major blow to Soviet sales of natural gas to Western Europe.

I thought they had always claimed this wasn't hacking, but a "poison pill" in proprietary control software the soviets had stolen (and nah nah nanah nah)? Or have there been *two* massive russian pipeline explosions and I missed one?
From justin-cypherpunks at soze.net Mon Aug 30 05:23:06 2004
From: justin-cypherpunks at soze.net (Justin)
Date: Mon, 30 Aug 2004 12:23:06 +0000
Subject: Tilting at the Ballot Box
In-Reply-To: <6.0.1.1.0.20040829203243.05225220@mail.comcast.net>
References: <6.0.1.1.0.20040825095222.05766930@mail.comcast.net> <20040827111246.GA4932@arion.soze.net> <6.0.1.1.0.20040827073940.048b6658@mail.comcast.net> <20040827214951.GA5868@arion.soze.net> <6.0.1.1.0.20040829203243.05225220@mail.comcast.net>
Message-ID: <20040830122306.GA12098@arion.soze.net>

On 2004-08-29T20:55:19-0700, Steve Schear wrote:
> I am not discussing presidential elections, this is another matter.

Fine.

> > Steve Schear wrote:
> >> The problem is that use of voting districts seems to have always resulted in gerrymandering in our political system. A proportional system can eliminate these geopolitical distortions.
> >
> > At 02:49 PM 8/27/2004, Justin wrote:
> >State and Federal House of Reps. are proportional. (Yeah, I know Nebraska is unicameral, excuse the generalization). What part of the System isn't proportional other than most States' selection of presidential electors?
>
> The part that isn't proportional has to do with the very establishment of 'voting districts' within the states that are the key to the two major parties maintaining their electoral monopolies.

Oh, you want to eliminate voting districts. I apologize for not reading your intentions into your earlier comments.

Are States "geopolitical distortions" as well? Are countries?

----

If you're going to propose an alternate system, please clearly identify 1) the voting pool, and 2) what they're voting for. If the pool is voting for a party instead of individuals, how does a winning party pick representatives? Is that selection method fair?

There are many, many ways to conduct elections, and your proportional representation system has serious problems of its own.
It underrepresents regional interests, and doesn't guarantee a geographically diverse set of representatives. You could complain that geography (and in general physical boundaries) isn't important, but you'd be wrong IMO.

--
"When in our age we hear these words: It will be judged by the result--then we know at once with whom we have the honor of speaking. Those who talk this way are a numerous type whom I shall designate under the common name of assistant professors."
-- Kierkegaard, Fear and Trembling (Wong tr.), III, 112

From s.schear at comcast.net Mon Aug 30 17:40:25 2004
From: s.schear at comcast.net (Steve Schear)
Date: Mon, 30 Aug 2004 17:40:25 -0700
Subject: Tilting at the Ballot Box
In-Reply-To: <20040830122306.GA12098@arion.soze.net>
References: <6.0.1.1.0.20040825095222.05766930@mail.comcast.net> <20040827111246.GA4932@arion.soze.net> <6.0.1.1.0.20040827073940.048b6658@mail.comcast.net> <20040827214951.GA5868@arion.soze.net> <6.0.1.1.0.20040829203243.05225220@mail.comcast.net> <20040830122306.GA12098@arion.soze.net>
Message-ID: <6.0.1.1.0.20040830172117.052883b8@mail.comcast.net>

At 05:23 AM 8/30/2004, Justin wrote:
>On 2004-08-29T20:55:19-0700, Steve Schear wrote:
> > I am not discussing presidential elections, this is another matter.
>
>Fine.
>
> > > Steve Schear wrote:
> > >> The problem is that use of voting districts seems to have always resulted in gerrymandering in our political system. A proportional system can eliminate these geopolitical distortions.
> > >
> > > At 02:49 PM 8/27/2004, Justin wrote:
> > >State and Federal House of Reps. are proportional. (Yeah, I know Nebraska is unicameral, excuse the generalization). What part of the System isn't proportional other than most States' selection of presidential electors?
> >
> > The part that isn't proportional has to do with the very establishment of 'voting districts' within the states that are the key to the two major parties maintaining their electoral monopolies.
>
>Oh, you want to eliminate voting districts. I apologize for not reading your intentions into your earlier comments.
>
>Are States "geopolitical distortions" as well? Are countries?
>
>----
>
>If you're going to propose an alternate system, please clearly identify 1) the voting pool, and 2) what they're voting for. If the pool is voting for a party instead of individuals, how does a winning party pick representatives? Is that selection method fair?

While this is certainly a value judgement, almost every other nation thinks so. It's fair if each party is free to select its own basis for selecting candidates. That way voters can take into consideration both the party and individual ideology and any geographical interests before deciding what party to vote for. The most important thing, in my opinion, is that the number of seats is awarded by, in our situation, state election results and not solely by district where independent candidates will almost never represent a majority and thus never get elected to office.

In some countries parties select candidates to fill seats awarded in an election, in others candidates for each party are selected in a primary election and (e.g., based on votes per candidate received) seat the candidates in order of popularity, in still other countries voters are free to write in candidate names. I prefer some combination of the last two methods plus some localization means to prevent the major population centers from monopolizing candidate selection. This might involve some sort of district rotation or randomization so that primary election candidates would be required to come from only those districts in the rotation. I am sure there are other means to address this issue.
>There are many, many ways to conduct elections, and your proportional representation system has serious problems of its own. It underrepresents regional interests, and doesn't guarantee a geographically diverse set of representatives. You could complain that geography (and in general physical boundaries) isn't important, but you'd be wrong IMO.

I agree that without geographic adjustments other unfairness would become problematic.

steve

From sunder at sunder.net Tue Aug 31 08:30:35 2004
From: sunder at sunder.net (Sunder)
Date: Tue, 31 Aug 2004 11:30:35 -0400 (edt)
Subject: Backdoor found in Diebold Voting Tabulators
Message-ID:

Oops! Is that a cat exiting the bag?

http://www.blackboxvoting.org/?q=node/view/78

Issue: Manipulation technique found in the Diebold central tabulator -- 1,000 of these systems are in place, and they count up to two million votes at a time.

By entering a 2-digit code in a hidden location, a second set of votes is created. This set of votes can be changed, so that it no longer matches the correct votes. The voting system will then read the totals from the bogus vote set. It takes only seconds to change the votes, and to date not a single location in the U.S. has implemented security measures to fully mitigate the risks.

----------------------Kaos-Keraunos-Kybernetos---------------------------
 + ^ + :"Our enemies are innovative and resourceful, and so are we.  /|\
  \|/  :They never stop thinking about new ways to harm our country /\|/\
<--*-->:and our people, and neither do we." -G. W. Bush, 2004.08.05 \/|\/
  /|\  :                                                             \|/
 + v + :     War is Peace, freedom is slavery, Bush is President.
-------------------------------------------------------------------------

From s.schear at comcast.net Tue Aug 31 12:10:51 2004
From: s.schear at comcast.net (Steve Schear)
Date: Tue, 31 Aug 2004 12:10:51 -0700
Subject: Tilting at the Ballot Box
In-Reply-To: <20040831171014.GA22443@arion.soze.net>
References: <6.0.1.1.0.20040825095222.05766930@mail.comcast.net> <20040827111246.GA4932@arion.soze.net> <6.0.1.1.0.20040827073940.048b6658@mail.comcast.net> <20040827214951.GA5868@arion.soze.net> <6.0.1.1.0.20040829203243.05225220@mail.comcast.net> <20040830122306.GA12098@arion.soze.net> <6.0.1.1.0.20040830172117.052883b8@mail.comcast.net> <20040831171014.GA22443@arion.soze.net>
Message-ID: <6.0.1.1.0.20040831120051.0520c298@mail.comcast.net>

At 10:10 AM 8/31/2004, Justin wrote:
>On 2004-08-30T17:40:25-0700, Steve Schear wrote:
> > At 05:23 AM 8/30/2004, Justin wrote:
> > >Are States "geopolitical distortions" as well? Are countries?
> > >
> > >If you're going to propose an alternate system, please clearly identify 1) the voting pool, and 2) what they're voting for. If the pool is voting for a party instead of individuals, how does a winning party pick representatives? Is that selection method fair?
> >
> > While this is certainly a value judgement, almost every other nation thinks so.
>
>Even if we used it here, the fate of legislation would still be determined by the dominant party in the Senate, which would still rarely if ever admit 3rd parties, and by the president's veto.

While I agree that, at least initially, the Senate would continue to be populated only by Republicrats, this could eventually change if minority parties gain a good enough foothold in the House. Both major parties contain major 'single issue' blocks (e.g., the Republican Party's fiscal conservatives and Christian fundamentalists) that are only sometimes satisfied with the platforms and conduct of the major parties.
These voters now have no alternatives, but if they thought they could have more legislative muscle through minority party seats they could well abandon the majors.

>I assume you're criticizing only House election procedures because that's the only thing that can be attacked without completely restructuring the federal legislature. If it were possible, would you prefer to see nation-wide proportional representation if it included mandatory geographical distribution requirements like those you described?

Yes.

steve

From ericm at lne.com Tue Aug 31 12:29:01 2004
From: ericm at lne.com (Eric Murray)
Date: Tue, 31 Aug 2004 12:29:01 -0700
Subject: Backdoor found in Diebold Voting Tabulators
In-Reply-To: ; from sunder@sunder.net on Tue, Aug 31, 2004 at 11:30:35AM -0400
References:
Message-ID: <20040831122900.B29323@slack.lne.com>

On Tue, Aug 31, 2004 at 11:30:35AM -0400, Sunder wrote:
> Oops! Is that a cat exiting the bag?
>
>
> http://www.blackboxvoting.org/?q=node/view/78

Apparently so. Going to www.blackboxvoting.org now just gives:

  This Account Has Been Suspended
  Please contact the billing/support department as soon as possible.

Interestingly, while the whois info is gone, the DNS records are still around:

% dig blackboxvoting.org any

; <<>> DiG 8.3 <<>> blackboxvoting.org any
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 3
;; QUERY SECTION:
;;      blackboxvoting.org, type = ANY, class = IN

;; ANSWER SECTION:
blackboxvoting.org.     4H IN A         69.73.175.26
blackboxvoting.org.     4H IN NS        ns4.nocdirect.com.
blackboxvoting.org.     4H IN NS        ns2.nocdirect.com.
blackboxvoting.org.     4H IN NS        ns3.nocdirect.com.
blackboxvoting.org.     4H IN SOA       ns3.nocdirect.com. admin.nocdirect.com. (
                                        2004081101      ; serial
                                        4H              ; refresh
                                        2H              ; retry
                                        5w6d16h         ; expiry
                                        1D )            ; minimum
blackboxvoting.org.     4H IN MX        0 blackboxvoting.org.
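Eric's observation is that the hosting account is gone but the zone is still being served, and the SOA tells you how long that will last. The following Python script is an added example, not code from this thread or from any list member: it parses the ANSWER SECTION of DiG 8.3 output (including the parenthesised, multi-line SOA with its "; serial" annotations), converts BIND-style TTLs such as 5w6d16h to seconds, and decodes the date-style serial, so an investigator can read off when the zone was last changed and how long secondaries will keep answering after the primary stops. The sample input is constructed from the dig output quoted above; nothing here touches the network.

```python
import re
from datetime import date

# Constructed sample input: the DiG 8.3 output quoted in the message above,
# embedded here so the parser runs offline.
SAMPLE_DIG_OUTPUT = """\
% dig blackboxvoting.org any

; <<>> DiG 8.3 <<>> blackboxvoting.org any
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 3
;; QUERY SECTION:
;;      blackboxvoting.org, type = ANY, class = IN

;; ANSWER SECTION:
blackboxvoting.org.     4H IN A         69.73.175.26
blackboxvoting.org.     4H IN NS        ns4.nocdirect.com.
blackboxvoting.org.     4H IN NS        ns2.nocdirect.com.
blackboxvoting.org.     4H IN NS        ns3.nocdirect.com.
blackboxvoting.org.     4H IN SOA       ns3.nocdirect.com. admin.nocdirect.com. (
                                        2004081101      ; serial
                                        4H              ; refresh
                                        2H              ; retry
                                        5w6d16h         ; expiry
                                        1D )            ; minimum
blackboxvoting.org.     4H IN MX        0 blackboxvoting.org.
"""

TTL_UNITS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_ttl(text):
    """Convert a BIND-style TTL ('4H', '1D', '5w6d16h' or plain seconds) to seconds."""
    if text.isdigit():
        return int(text)
    return sum(int(n) * TTL_UNITS[u] for n, u in re.findall(r"(\d+)([wdhms])", text.lower()))


def _split_record(line):
    """Split 'name TTL class type rdata...' into (name, ttl_seconds, type, rdata)."""
    fields = line.split()
    name, ttl, _rclass, rtype = fields[:4]
    return name, parse_ttl(ttl), rtype, " ".join(fields[4:])


def parse_answer_section(output):
    """Return the ANSWER SECTION records as (name, ttl, type, rdata) tuples.

    Header lines and other sections are skipped.  A multi-line SOA (opened
    with '(' and closed with ')') is joined into one record, and the
    '; serial'-style trailing comments are dropped before splitting.
    """
    records, pending, in_answer = [], None, False
    for raw in output.splitlines():
        if raw.startswith(";; ANSWER SECTION"):
            in_answer = True
            continue
        if raw.startswith(";"):          # any other comment or section header
            in_answer = False
            continue
        if not in_answer:
            continue
        line = raw.split(";", 1)[0].strip()   # drop trailing '; comment'
        if not line:
            continue
        if pending is not None:               # inside a parenthesised record
            pending += " " + line
            if ")" in line:
                records.append(_split_record(pending.replace("(", " ").replace(")", " ")))
                pending = None
        elif line.endswith("("):
            pending = line
        else:
            records.append(_split_record(line))
    return records


def soa_serial_date(serial):
    """Decode a YYYYMMDDnn serial into ('YYYY-MM-DD', nn); None if it is not date-style."""
    s = str(serial)
    if len(s) != 10:
        return None
    try:
        return date(int(s[:4]), int(s[4:6]), int(s[6:8])).isoformat(), int(s[8:])
    except ValueError:
        return None


def summarize(output):
    """Group answer records by type and decode the SOA timing fields to seconds."""
    by_type = {}
    for _name, _ttl, rtype, rdata in parse_answer_section(output):
        by_type.setdefault(rtype, []).append(rdata)
    summary = {"a": by_type.get("A", []), "ns": sorted(by_type.get("NS", [])),
               "mx": by_type.get("MX", []), "soa": None}
    if by_type.get("SOA"):
        mname, rname, serial, refresh, retry, expire, minimum = by_type["SOA"][0].split()
        summary["soa"] = {"primary": mname, "contact": rname, "serial": int(serial),
                          "serial_date": soa_serial_date(serial),
                          "refresh": parse_ttl(refresh), "retry": parse_ttl(retry),
                          "expire": parse_ttl(expire), "minimum": parse_ttl(minimum)}
    return summary


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_DIG_OUTPUT), indent=2))
```

Run against the quoted output, the summary shows the zone was last bumped on 2004-08-11 (revision 01) and that the secondaries will keep answering for the expire interval (5w6d16h, about 41 days) after they lose contact with the primary, which is why the records outlive the suspended hosting account. The serial decoder returns None rather than guessing when a serial is not in the date convention, since many zones use plain counters or Unix timestamps.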
From mv at cdc.gov Tue Aug 31 14:01:12 2004
From: mv at cdc.gov (Major Variola (ret))
Date: Tue, 31 Aug 2004 14:01:12 -0700
Subject: Backdoor found in Diebold Voting Tabulators
Message-ID: <4134E718.D6D000F3@cdc.gov>

http://www.blackboxvoting.org/?q=node/view/77 is up

Seems it's due to an intentional, insider job, and not just an "engineering backdoor" (c) Cisco

Consumer Report: Part 2 - Problems with GEMS Central Tabulator
Submitted by Bev Harris on Thu, 08/26/2004 - 11:38. Investigations

This problem appears to demonstrate intent to manipulate elections, and was installed in the program under the watch of a programmer who is a convicted embezzler.

According to election industry officials, the central tabulator is secure, because it is protected by passwords and audit logs. But it turns out that the GEMS passwords can easily be bypassed, and the audit logs can be altered and erased. Worse, the votes can be changed without anyone knowing, including the officials who run the election.

Multiple sets of books

The GEMS program runs on a Microsoft Access database. It typically receives incoming votes by modem, though some counties follow better security by disconnecting modems and bringing votes in physically.

GEMS stores the votes in a vote ledger, built in Microsoft Access. Any properly designed accounting program will allow only one set of books. You can't enter your expense report in three different places. All data must be drawn from the same place, and multiple versions are never acceptable. But in the files we examined, we found that the GEMS system contained three sets of "books."

The elections official never sees the different sets of books. All she sees is the reports she can run: Election summary (totals, county wide) or a "Statement of Votes Cast" (totals for each precinct).
She has no way of knowing that her GEMS system uses a different set of data for the detail report (used to spot check) than it does for the election totals. The Access database, which contains the hidden set of votes, can't be seen unless you know how to get in the back door -- which takes only seconds.

Ask an accountant: It is never appropriate to have two sets of books inside accounting software. It is possible to do computer programming to create two sets of books, but dual sets of books are prohibited in accounting, for this simple reason: Two sets of books can easily allow fraud to go undetected. Especially if the two sets are hidden from the user.

A hidden trigger

The data tables in accounting software automatically link up to each other to prevent illicit back door entries. In GEMS, however, by typing a two-digit code into a hidden location, you can decouple the books, so that the voting system will draw information from a combination of the real votes and a set of fake votes, which you can alter any way you see fit.

That's right, GEMS comes with a secret digital "on-off" switch to link and unlink its multiple vote tables. Someone who tests GEMS, not knowing this, will not see the mismatched sets of books. When you put a two-digit code into a secret location you can disengage the vote tables, so that the tampered totals table doesn't have to match precinct-by-precinct results. This way, it will pass a spot check -- even with paper ballots -- but can still be rigged.

How and when did the double set of books get into GEMS?

Black Box Voting has traced the implementation of the double set of books to Oct. 13, 2000, shortly after embezzler Jeffrey Dean became the senior programmer. Dean was hired as Vice President of Research and Development in September 2000, and his access to the programs is well documented through internal memos from Diebold. The double set of books appeared in GEMS version 1.17.7.
Almost immediately, according to the Diebold memos, another Diebold programmer, Dmitry Papushin, flagged a problem with bogus votes appearing in the vote tables. The double set of books remained, though, going through several tweaks and refinements. From the time Jeffrey Dean was hired in September, until shortly before the Nov. 2000 election, GEMS went through over a dozen changes, all retaining the new hidden vote tables.

For four years, anyone who has known how to trigger the double set of books has been able to use, or sell, the information to anyone they want.

Black Box Voting Associate Director Andy Stephenson has obtained the court and police records of Jeffrey Dean. It is clear that he was under severe financial stress, because the King County prosecutor was chasing him for over $500,000 in restitution. During this time, while Jeffrey Dean was telling the prosecutor (who operated from the ninth floor of the King County Courthouse) that he was unemployed, he was in fact employed, with 24-hour access to the King County GEMS central tabulator -- and he was working on GEMS on the fifth floor of the King County Courthouse.

(Dean may now be spending his nights on the tenth floor of the same building; after our investigations appeared in Vanity Fair and the Seattle Times, Dean was remanded to a work release program, and may be staying in the lockup in the courthouse now.)

Jeffrey Dean, according to his own admissions, is subject to blackmail as well as financial pressure over his restitution obligation. Police records from his embezzlement arrest, which involved "sophisticated" manipulation of computer accounting records, report that Dean claimed he was embezzling in order to pay blackmail over a fight he was involved in, in which a person died.
So now we have someone who's admitted that he's been blackmailed over killing someone, who pleaded guilty to 23 counts of embezzlement, who is given the position of senior programmer over the GEMS central tabulator system that counts approximately 50 percent of the votes in the election, in 30 states, both paper ballot and touch screen. And just after he is hired, multiple sets of books appear in GEMS, which can be decoupled, so that they don't need to match, by typing in a secret 2-digit code in a specific location.

Dr. David Jefferson, technical advisor for California voting systems, told Black Box Voting that he could see no legitimate reason to have the double set of books in a voting program. He surmised that it might be incredible stupidity.

Dr. Jefferson should speak to Jeffrey Dean's partners and those who worked with him. "Stupid" is not how he is described. The descriptions we get, from Dean's former business partner, and from others who worked with him, are "sophisticated," "cunning," "very bright," "highly skilled," and "a con man." This is the man who supervised the programming for GEMS when the multiple set of books was installed.

Diebold, however, is the company that did nothing about it. Internal memos show that Dean was sent the passwords to the GEMS 1.18.x files months after Diebold took over the elections company. Diebold clearly did not examine the GEMS program before selling it, or, if it did, chose not to correct the flaws. And after exposing this problem in 2003, Diebold still failed to correct it. Elections were run on this tamper-inviting system for more than three years, and anyone who knew could sell the vote-tampering secrets to anyone they wanted to, at any time.

It has been a year since this report was first printed, and Diebold has never explained any legitimate reason for this design, which is rather elegant and certainly is not accidental.
Consumer Report: Part 3 - More GEMS problems, and why current solutions / explanations won't work Submitted by Bev Harris on Thu, 08/26/2004 - 11:33. Investigations But do new security measures solve the problem? The MS Access database is not passworded and can be accessed illicitly through the back door simply by double-clicking the vote file. After we published this report, we observed unpassworded access on the very latest, GEMS 1.18.19 system in a county elections office. Some locations removed the Microsoft Access software from their GEMS computer, leaving the back door intact but, essentially, removing the ability to easily view and edit the file. However, you can easily edit the election, with or without Microsoft Access installed on the GEMS computer. As computer security expert Hugh Thompson demonstrated at the Aug. 18 California Secretary of State meeting, you simply open any text editor, like "Notepad," and type a six-line Visual Basic Script, and you own the election. Some election officials claim that their GEMS central tabulator is not vulnerable to this back door, because they limit access to the GEMS tabulator room and they require a password to turn on the GEMS computer. However... Any county that uses modems to transfer votes may inadvertently be giving control of the entire central tabulator to anyone who gets at the computer through the modem phone lines (even if it is NOT attached to the Internet). This allows Diebold, or any individual, to manipulate votes at their leisure, from any personal computer anywhere in the world. Let's talk about getting at the central tabulator through telephone lines: Mohave County, Arizona, for example, has six modems attached to its GEMS computer on election night. King County, Washington has had up to four dozen modems attached at once. You will hear that the GEMS machine is stand alone, and is never connected to the Internet. 
It does have an Internet component, called "jresults," but nowadays most counties say that they do not hook GEMS up to the Internet. They say that they remove the disk from the GEMS computer and physically take it to another computer, from whence the Internet feed comes. Very nice -- BUT: You can access a computer through phone lines as well as through the Internet. In fact, famous hacker Kevin Mitnick liked to hack through telephone lines, not the Internet. If you have the dial-in numbers, it is possible to get at the GEMS computer from anywhere, using RAS. The dial-in protocols are given to poll workers, many people in Diebold have them, lots of temps have them, and the configurations have been sitting on the Internet for several years. What if your county doesn't use any modems at all? That's excellent, but here's what we found: Harris & Stephenson visited county elections officials to ask for lists of names. We asked who was allowed to access the central tabulator, after it was already turned on, and who is given a password and permission to sit at the terminal? Several officials told us they don't keep a list. Those who did, gave us the names of too many people -- County employees (sometimes limited to one or two). Diebold employees. Techs who work for the county, like county database technicians, also get access to GEMS. Printshops who do the ballots have some access also. Diebold "contractors," who are temporary workers hired by subcontractors to Diebold were also reported to have gained access to the GEMS tabulator. (Diebold accounts payable reports obtained by Black Box Voting indicate that Diebold advertises for temps on Monster.com, hotjobs.com, and uses several temporary employment firms, including Coast to Coast Temporary, Ran Temps Inc, and also works with many subcontractors, like Wright Technologies, Total Technical Services, and PDS Technical Services.) What if there is a password even to get onto the GEMS computer itself? There usually is. 
The problem is this: Once that computer is open and running GEMS (on election night, for example), that password doesn't much matter. Votes are pouring in pell-mell, and they aren't about to shut that computer down until hours later, sometimes days later. Also, Black Box Voting found another problem with the design of GEMS: Check out the Audit Log, which is supposed to record everything that happens. In every database, you find everyone logging in as the same person, "admin." There is a reason for this. We did not find a way in GEMS to log in as a new user unless you close GEMS and reopen the file. Now who, on election night, with votes pouring in, is going to close and reopen the file? They don't. Instead, everyone calls themselves the same name, "admin," thereby ruining the audit log (which can be easily erased and changed anyway). What about counties that limit access to just one person, the county elections supervisor? We've found nowhere that actually does this. The reason: Elections officials are dependent on the vendor, Diebold, during the election. Suppose we have a computer whiz county official who is the ONLY person who can access GEMS? Unlikely, but if you do: "Trust, but verify." We should never have to trust the sanctity of a million votes to just one person. The following things can be done when you go in the back door in GEMS using Microsoft Access: 1) You can change vote totals. 2) You can change flags, which act as digital "on-off" switches, to cause the program to function differently. According to internal Diebold memos, there are 32 combinations of on-off flags. Even the programmers have trouble keeping track of all the changes these flags can produce. 3) You can alter the audit log. 4) You can change passwords, access privileges, and add new users. Let's talk about passwords How many people can have passwords to GEMS? A sociable GEMS user can give all his friends access to the vote database. 
We added 50 people, and gave them all the same password, which was "password" -- so far, we haven't found a limit to how many people can be granted access to the election database. Election meltdown: We found that you can melt down an election in six seconds, simply by using the menu items in GEMS. You can destroy all data with two mouse clicks, and with four mouse clicks, you can destroy the configuration of the election making it very difficult to reload the original data. Does GEMS even work as advertised? According to testimony given before the Cuyahoga Elections Board, the Microsoft Access database design used by Diebold's GEMS program apparently becomes unstable with high volume input. This problem, according to Diebold, resulted in thousands of votes being allocated to the wrong candidate in San Diego County in March 2004. The Audit Log Britain J. Williams, Ph.D., is the official voting machine certifier for the state of Georgia, and he sits on the committee that decides how voting machines will be tested and evaluated. Here's what he had to say about the security of Diebold voting machines, in a letter dated April 23, 2003: "Computer System Security Features: The computer portion of the election system contains features that facilitate overall security of the election system. Primary among these features is a comprehensive set of audit data. For transactions that occur on the system, a record is made of the nature of the transaction, the time of the transaction, and the person that initiated the transaction. This record is written to the audit log. If an incident occurs on the system, this audit log allows an investigator to reconstruct the sequence of events that occurred surrounding the incident." Since Dr. Williams listed the audit data as the primary security feature, we decided to find out how hard it is to alter the audit log. We went in the front door in GEMS and added a user named "Evildoer." 
We had Evildoer perform various functions, including running reports to check his vote-rigging work, but only some of his activities showed up on the audit log. When we had Evildoer melt down the election, by hitting "reset election" and declining to back up the files, he showed up in the audit log. No matter. It was a simple matter to eliminate Evildoer. We went in through the back door and simply deleted all the references to Evildoer. Microsoft Access encourages those who create audit logs to use auto-numbering, so that every logged entry has an uneditable log number. Then, if one deletes audit entries, a gap in the numbering sequence will appear. However, we found that this feature was disabled, allowing us to write in our own log numbers. We were able to add and delete from the audit without leaving a trace. Could the double set of books be legitimate? From a programming standpoint, there might be reasons to have a special vote ledger that disengages from the real one. For example, election officials might say they need to be able to alter the votes to add provisional ballots or absentee ballots. If so, this calls into question the training of these officials. If election officials are taught to deal with changes by overwriting votes, regardless of whether they do this in vote ledger 1 or vote ledger 2, this is improper. Also, if it was legitimate, it would be a menu item in the GEMS program, not executed in a hidden location triggered by a secret 2-digit code. Nothing in the GEMS documentation describes the use of any feature like this whatsoever. Here's why we need to involve CPAs in vote tabulation regulations, procedures, and design: If changing election data is required, the corrective entry must be made not by overwriting vote totals, but by making a corrective entry. It is never acceptable to make changes by overwriting. 
Data corrections should not be prohibited, but must always be done by indicating changes through a clearly marked line item that preserves each transaction. However, according to elections officials we interviewed, GEMS is improperly designed, and cannot perform an adjustment, and you can't journal changes that occur for weird reasons that really happen. (For example, a poll worker might accidentally run ballots through twice. You need to be able to correct this and still show your work.) Instead of doing an adjustment and showing the explanation, retaining a permanent record of everything that happened, a common procedure is to wipe out the mistake, and simply overwrite it with new data. This is completely improper, from an auditing standpoint. It is certainly improper to have the summary reports come from the second ledger, while pulling the spot check reports from the first ledger, with a provision in the back door to allow these two ledgers to be mismatched. But there is more evidence that these extra sets of books are illicit: If the extra set of books is legitimate, the county officials, whose jurisdiction paid for and own the voting system, should be informed of such functions. Yet Diebold has not explained to county officials why it is there at all, and in most cases, never even told them these functions exist. As a member of slashdot.org commented when we originally published this information: "This is not a bug, it's a feature." From sfurlong at acmenet.net Tue Aug 31 12:44:58 2004 From: sfurlong at acmenet.net (sfurlong at acmenet.net) Date: Tue, 31 Aug 2004 15:44:58 -0400 Subject: Backdoor found in Diebold Voting Tabulators In-Reply-To: <20040831122900.B29323@slack.lne.com> References: <20040831122900.B29323@slack.lne.com> Message-ID: <1093981498.4134d53a6b6cf@www.webmail.acmenet.net> Quoting Eric Murray : > On Tue, Aug 31, 2004 at 11:30:35AM -0400, Sunder wrote: > > Oops! Is that a cat exiting the bag? 
> > > > > > http://www.blackboxvoting.org/?q=node/view/78 > > > Apparently so. Going to www.blackboxvoting.org now just gives: Don't break out the tinfoil hats yet. Maybe they exceeded their bandwidth because that link was spread around. From sunder at sunder.net Tue Aug 31 12:49:28 2004 From: sunder at sunder.net (Sunder) Date: Tue, 31 Aug 2004 15:49:28 -0400 (edt) Subject: Backdoor found in Diebold Voting Tabulators In-Reply-To: <1093981498.4134d53a6b6cf@www.webmail.acmenet.net> References: <20040831122900.B29323@slack.lne.com> <1093981498.4134d53a6b6cf@www.webmail.acmenet.net> Message-ID: A-Yup: "We're sorry, the server is currently experiencing load issues. We apologize for the inconvenience. Please try again later." Got the above off this blog: http://www.boingboing.net/2004/08/31/diebold_voting_machi.html related links: http://www.technorati.com/cosmos/search.html?rank=&sub=mtcosmos&url=http://www.boingboing.net/2004/08/31/diebold_voting_machi.html Here's the text of part 1: Consumer Report Part 1: Look at this -- the Diebold GEMS central tabulator contains a stunning security hole Submitted by Bev Harris on Thu, 08/26/2004 - 11:43. Investigations Issue: Manipulation technique found in the Diebold central tabulator -- 1,000 of these systems are in place, and they count up to two million votes at a time. By entering a 2-digit code in a hidden location, a second set of votes is created. This set of votes can be changed, so that it no longer matches the correct votes. The voting system will then read the totals from the bogus vote set. It takes only seconds to change the votes, and to date not a single location in the U.S. has implemented security measures to fully mitigate the risks. This program is not "stupidity" or sloppiness. It was designed and tested over a series of a dozen version adjustments. Public officials: If you are in a county that uses GEMS 1.18.18, GEMS 1.18.19, or GEMS 1.18.23, your secretary of state may not have told you about this. 
You're the one who'll be blamed if your election is tampered with. Find out for yourself if you have this problem: Black Box Voting will be happy to walk you through a diagnostic procedure over the phone. E-mail Bev Harris or Andy Stephenson to set up a time to do this. For the media: Harris and Stephenson will be in New York City on Aug. 30, 31, Sep.1, to demonstrate this built-in election tampering technique. Members of Congress and Washington correspondents: Harris and Stephenson will be in Washington D.C. on Sept. 22 to demonstrate this problem for you. Whether you vote absentee, on touch-screens, or on paper ballot (fill in the bubble) optical scan machines, all votes are ultimately brought to the "mother ship," the central tabulator at the county which adds them all up and creates the results report. These systems are used in over 30 states and each counts up to two million votes at once. The central tabulator is far more vulnerable than the touch screen terminals. Think about it: If you were going to tamper with an election, would you rather tamper with 4,500 individual voting machines, or with just one machine, the central tabulator which receives votes from all the machines? Of course, the central tabulator is the most desirable target. Findings: The GEMS central tabulator program is incorrectly designed and highly vulnerable to fraud. Election results can be changed in a matter of seconds. Part of the program we examined appears to be designed with election tampering in mind. We have also learned that election officials maintain inadequate controls over access to the central tabulator. We need to beef up procedures to mitigate risks. Much of this information, originally published on July 8, 2003, has since been corroborated by formal studies (RABA) and by Diebold's own internal memos written by its programmers. Not a single location has yet implemented the security measures needed to mitigate the risk. 
Yet, it is not too late. We need to tackle this one, folks, roll up our sleeves, and implement corrective measures. In Nov. 2003, Black Box Voting founder Bev Harris, and director Jim March, filed a Qui Tam lawsuit in California citing fraudulent claims by Diebold, seeking restitution for the taxpayer. Diebold claimed its voting system was secure. It is, in fact, highly vulnerable to and appears to be designed for fraud. The California Attorney General was made aware of this problem nearly a year ago. Harris and Black Box Voting Associate Director Andy Stephenson visited the Washington Attorney General's office in Feb. 2004 to inform them of the problem. Yet, nothing has been done to inform election officials who are using the system, nor have appropriate security safeguards been implemented. In fact, Gov. Arnold Schwarzenegger recently froze the funds, allocated by Secretary of State Kevin Shelley, which would have paid for increased scrutiny of the voting system in California. On April 21, 2004, Harris appeared before the California Voting Systems Panel, and presented the smoking gun document showing that Diebold had not corrected the GEMS flaws, even though it had updated and upgraded the GEMS program. On Aug. 8, 2004, Harris demonstrated to Howard Dean how easy it is to change votes in GEMS, on CNBC TV. On Aug. 11, 2004, Jim March formally requested that the California Voting Systems Panel watch the demonstration of the double set of books in GEMS. They were already convened, and the time for Harris was already allotted. Though the demonstration takes only 3 minutes, the panel refused to allow it and would not look. They did, however, meet privately with Diebold afterwards, without informing the public or issuing any report of what transpired. On Aug. 18, 2004, Harris and Stephenson, together with computer security expert Dr. 
Hugh Thompson, and former King County Elections Supervisor Julie Anne Kempf, met with members of the California Voting Systems Panel and the California Secretary of State's office to demonstrate the double set of books. The officials declined to allow a camera crew from 60 Minutes to film or attend. The Secretary of State's office halted the meeting, called in the general counsel for their office, and a defense attorney from the California Attorney General's office. They refused to allow Black Box Voting to videotape its own demonstration. They prohibited any audiotape and specified that no notes of the meeting could be requested in public records requests. The undersecretary of state, Mark Kyle, left the meeting early, and one voting panel member, John Mott Smith, appeared to sleep through the presentation. On Aug. 23, 2004, CBC TV came to California and filmed the demonstration. On Aug 30 and 31, Harris and Stephenson will be in New York City to demonstrate the double set of books for any public official and any TV crews who wish to see it. On Sept. 1, another event is planned in New York City, and on Sept. 21, Harris and Stephenson intend to demonstrate the problem for members of Congress and the press in Washington D.C. Diebold has known of the problem, or should have known, because it did a cease and desist on the web site when Harris originally reported the problem in 2003. On Aug. 11, 2004, Harris also offered to show the problem to Marvin Singleton, Diebold's damage control expert, and to other Diebold execs. They refused to look. Why don't people want to look? Suppose you are formally informed that the gas tank tends to explode on the car you are telling people to use. If you KNOW about it, but do nothing, you are liable. LET US HOLD DIEBOLD, AND OUR PUBLIC OFFICIALS, ACCOUNTABLE. 1) Let there be no one who can say "I didn't know." 
2) Let there be no election jurisdiction using GEMS that fails to implement all of the proper corrective procedures, this fall, to mitigate risk. ----------------------Kaos-Keraunos-Kybernetos--------------------------- + ^ + :"Our enemies are innovative and resourceful, and so are we. /|\ \|/ :They never stop thinking about new ways to harm our country /\|/\ <--*-->:and our people, and neither do we." -G. W. Bush, 2004.08.05 \/|\/ /|\ : \|/ + v + : War is Peace, freedom is slavery, Bush is President. ------------------------------------------------------------------------- On Tue, 31 Aug 2004 sfurlong at acmenet.net wrote: > Quoting Eric Murray : > > > On Tue, Aug 31, 2004 at 11:30:35AM -0400, Sunder wrote: > > > Oops! Is that a cat exiting the bag? > > > > > > > > > http://www.blackboxvoting.org/?q=node/view/78 > > > > > > Apparently so. Going to www.blackboxvoting.org now just gives: > > Don't break out the tinfoil hats yet. Maybe they exceeded their > bandwidth because that link was spread around. From justin-cypherpunks at soze.net Tue Aug 31 10:10:15 2004 From: justin-cypherpunks at soze.net (Justin) Date: Tue, 31 Aug 2004 17:10:15 +0000 Subject: Tilting at the Ballot Box In-Reply-To: <6.0.1.1.0.20040830172117.052883b8@mail.comcast.net> References: <6.0.1.1.0.20040825095222.05766930@mail.comcast.net> <20040827111246.GA4932@arion.soze.net> <6.0.1.1.0.20040827073940.048b6658@mail.comcast.net> <20040827214951.GA5868@arion.soze.net> <6.0.1.1.0.20040829203243.05225220@mail.comcast.net> <20040830122306.GA12098@arion.soze.net> <6.0.1.1.0.20040830172117.052883b8@mail.comcast.net> Message-ID: <20040831171014.GA22443@arion.soze.net> On 2004-08-30T17:40:25-0700, Steve Schear wrote: > At 05:23 AM 8/30/2004, Justin wrote: > >Are States "geopolitical distortions" as well? Are countries? > > > >If you're going to propose an alternate system, please clearly identify > >1) the voting pool, and 2) what they're voting for. 
If the pool is > >voting for a party instead of individuals, how does a winning party pick > >representatives? Is that selection method fair? > > While this is certainly a value judgement, almost every other nation thinks > so. Even if we used it here, the fate of legislation would still be determined by the dominant party in the Senate, which would still rarely if ever admit 3rd parties, and by the president's veto. I assume you're criticizing only House election procedures because that's the only thing that can be attacked without completely restructuring the federal legislature. If it were possible, would you prefer to see nation-wide proportional representation if it included mandatory geographical distribution requirements like those you described? -- "When in our age we hear these words: It will be judged by the result--then we know at once with whom we have the honor of speaking. Those who talk this way are a numerous type whom I shall designate under the common name of assistant professors." -- Kierkegaard, Fear and Trembling (Wong tr.), III, 112 From jya at pipeline.com Tue Aug 31 17:17:52 2004 From: jya at pipeline.com (John Young) Date: Tue, 31 Aug 2004 17:17:52 -0700 Subject: Backdoor found in Diebold Voting Tabulators In-Reply-To: References: <1093981498.4134d53a6b6cf@www.webmail.acmenet.net> <20040831122900.B29323@slack.lne.com> <1093981498.4134d53a6b6cf@www.webmail.acmenet.net> Message-ID: No problem accessing blackbox.org and Parts 1 and 2 of the file at 5:15 PM EST. Perhaps there are blocks on some incoming routes.
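The Black Box Voting report quoted in this thread makes three design points that are easy to show in code: corrections to a vote ledger should be journalled line items rather than overwrites; the summary table that the results report is printed from must be reconciled against the detail ledger, so a "second set of books" that has drifted from the first is caught; and an audit log whose auto-numbering is switched off can have entries deleted and renumbered with no gap left behind. The following is an added example and is not code from Black Box Voting, Diebold or anyone posting in this thread. It uses sqlite3 in place of the Access vote file the report describes, and every table, column, precinct, user and ballot count in it is invented for the illustration:

```python
"""Added example, not from the Black Box Voting report or any list post.

sqlite3 stands in for the MS Access vote file the report describes. Shown:
  1. corrections entered as journalled adjustment rows, never by overwriting;
  2. a reconciliation that flags any mismatch between the detail vote ledger
     and the summary table the results report is printed from;
  3. an audit log whose rows are hash-chained, so deleting and renumbering
     rows (as the report did to remove "Evildoer") breaks verification.
Table and column names, precincts, users and ballot counts are all invented.
"""
import hashlib
import sqlite3

GENESIS = "0" * 64

SCHEMA = """
CREATE TABLE votes   (precinct TEXT, candidate TEXT, count INTEGER, kind TEXT);
CREATE TABLE summary (candidate TEXT PRIMARY KEY, total INTEGER);
CREATE TABLE audit   (seq INTEGER PRIMARY KEY, actor TEXT, action TEXT,
                      prev TEXT, digest TEXT);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def _digest(seq, actor, action, prev):
    return hashlib.sha256(f"{seq}|{actor}|{action}|{prev}".encode()).hexdigest()

def log(db, actor, action):
    """Append an audit row chained to the previous row; return the new head digest."""
    row = db.execute("SELECT seq, digest FROM audit ORDER BY seq DESC LIMIT 1").fetchone()
    seq, prev = (row[0] + 1, row[1]) if row else (1, GENESIS)
    digest = _digest(seq, actor, action, prev)
    db.execute("INSERT INTO audit VALUES (?,?,?,?,?)", (seq, actor, action, prev, digest))
    return digest

def record(db, actor, precinct, candidate, count):
    db.execute("INSERT INTO votes VALUES (?,?,?,'tally')", (precinct, candidate, count))
    return log(db, actor, f"tally {precinct} {candidate} {count}")

def adjust(db, actor, precinct, candidate, delta, reason):
    """Corrective entry: a new row carrying the reason; the original tally stays."""
    db.execute("INSERT INTO votes VALUES (?,?,?,?)",
               (precinct, candidate, delta, "adjust: " + reason))
    return log(db, actor, f"adjust {precinct} {candidate} {delta:+d} ({reason})")

def rebuild_summary(db, actor):
    db.execute("DELETE FROM summary")
    db.execute("INSERT INTO summary SELECT candidate, SUM(count) FROM votes GROUP BY candidate")
    return log(db, actor, "rebuild summary")

def reconcile(db):
    """Candidates whose summary total is not what the detail ledger sums to."""
    q = """SELECT s.candidate, s.total, COALESCE(v.total, 0)
           FROM summary s LEFT JOIN
                (SELECT candidate, SUM(count) AS total FROM votes GROUP BY candidate) v
                ON v.candidate = s.candidate
           WHERE s.total != COALESCE(v.total, 0)"""
    return db.execute(q).fetchall()

def verify_audit(db, expected_head=None):
    """(True, None) if the chain is intact, else (False, seq of the first bad row).
    expected_head is the head digest kept outside the database (for instance
    printed on the signed results report); with it, a wholesale re-chained log fails too."""
    prev, expected = GENESIS, 1
    for seq, actor, action, p, digest in db.execute("SELECT * FROM audit ORDER BY seq"):
        if seq != expected or p != prev or digest != _digest(seq, actor, action, prev):
            return False, seq
        prev, expected = digest, seq + 1
    if expected_head is not None and prev != expected_head:
        return False, "head"
    return True, None

def scrub_actor(db, actor):
    """What the report's back-door test did: delete every row naming the actor and
    renumber the rest so the sequence shows no gap (auto-numbering was off)."""
    rows = db.execute("SELECT actor, action, prev, digest FROM audit WHERE actor != ? "
                      "ORDER BY seq", (actor,)).fetchall()
    db.execute("DELETE FROM audit")
    db.executemany("INSERT INTO audit VALUES (?,?,?,?,?)",
                   [(i + 1, *r) for i, r in enumerate(rows)])

def recompute_chain(db):
    """An attacker with write access to the file can also re-chain what survives."""
    rows = db.execute("SELECT actor, action FROM audit ORDER BY seq").fetchall()
    db.execute("DELETE FROM audit")
    for actor, action in rows:
        log(db, actor, action)

def demo():
    db = open_db()
    record(db, "admin", "P1", "Alice", 120)
    record(db, "admin", "P1", "Bob", 95)
    record(db, "admin", "P1", "Alice", 120)            # P1 deck fed through twice
    record(db, "admin", "P1", "Bob", 95)
    adjust(db, "admin", "P1", "Alice", -120, "P1 deck scanned twice")
    adjust(db, "admin", "P1", "Bob", -95, "P1 deck scanned twice")
    log(db, "Evildoer", "print summary report")
    head = rebuild_summary(db, "admin")                 # a witness keeps this digest
    clean = reconcile(db)                               # [] : both ledgers agree
    db.execute("UPDATE summary SET total = 135 WHERE candidate = 'Bob'")  # back-door edit
    tampered = reconcile(db)                            # [('Bob', 135, 95)]
    intact = verify_audit(db, head)                     # (True, None)
    scrub_actor(db, "Evildoer")
    broken = verify_audit(db, head)                     # (False, 7): old row 8 now sits at 7
    recompute_chain(db)
    rechained = (verify_audit(db), verify_audit(db, head))  # ((True, None), (False, 'head'))
    return clean, tampered, intact, broken, rechained

if __name__ == "__main__":
    for item in demo():
        print(item)
```

The last step is the caveat that matters for a tabulator: a hash chain stored in the same file the attacker can write is only as good as a copy of its head digest held somewhere the attacker cannot reach (a printed, signed results report, a witness's notebook). Without that copy, or a MAC key the tabulator operator does not hold, `recompute_chain` makes the scrubbed log verify cleanly again, which is the same position the report describes for a log with no auto-numbering at all.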