From rah at shipwright.com Wed Oct 1 12:19:58 2003 From: rah at shipwright.com (R. A. Hettinga) Date: Wed, 1 Oct 2003 15:19:58 -0400 Subject: Cypherpunk card swap redux: Card Games Message-ID: The site under discussion is here: Cheers, RAH ------- October 1 - October 7, 2003 Card Games Should Buyers Beware of How Supermarkets Use "Loyalty Cards" to Collect Personal Data? ByJoab Jackson Everyone gets worn down and submits, eventually. Even the most resistant. Even Rob Carlson, a privacy-minded person who hated the idea of having a supermarket savings card. Living in Catonsville at the time, Web programmer Carlson usually foraged at the Metro Food Market on Baltimore National Pike, which he says had the lowest prices. Occasionally, he stopped by the Giant Food on Wilkens Avenue, since it was closer to where he lived. He wasn't happy about it, though. Once Giant offered what seemed to Carlson to be the lowest prices in the area, but when it introduced its Bonus Card in September 2000 it appeared that most of the sales quickly became exclusive to cardholders. Did these people know what they were giving up by signing onto these programs? Carlson thought. "My job is to design and maintain databases, and I'm constantly amazed at the things that can be discovered when you have enough data and you know how to ask the right questions," Carlson says. "I think a lot of people who use a supermarket club card either don't realize what data is being collected about them, or don't care." It was during one of his trips of convenience, to purchase a decorative fountain, when Carlson caved. The cashier noted he could save $15 if he used a Giant card. It would take only a minute to fill in the application with a name, address, and phone number. Can't argue with a $15 discount. And so Carlson slid into the fold, as do many of us. Still, does anybody actually want to carry around these cards? Some 80 percent of supermarket chains nationwide have card programs, plowing millions of dollars into them. They goad us into applying for cards. But why? What are supermarkets getting out of these cards, exactly? Just as card sharks read the telltale behavioral tics of their opponents to win more of their money, so supermarkets want to watch their customers' purchasing habits closely to better know how to sell to them. "What we get out of it is insight into the needs of our customers, so we can provide them better service," explains Frank Gallagher, a director of marketing planning and analysis for Giant. The information Giant keeps is basic stuff: the customer's name, address, and phone number (if he or she elects to submit it), along with a list of all the items he or she purchased with that card. In return, shoppers are rewarded with lower prices on certain items. But, if anything, the controversy of who is playing who has just begun. Privacy advocates worry about the data being collected and how it will be applied, and consumer watchdogs grumble about whether or not the cards actually save shoppers money. And coming down the road in a few years is a new technology--product-tracking tags--that will make shopping cards look like the ragged tricks of a small-town con artist. How did we end up carrying around a stack of shopper cards just to get some good deals? It's our own fault, say retail industry observers. We're shopping sluts, always looking for a quick fix, hastily plucking whatever item is cheapest from the shelf, from whatever store is nearest. Within the supermarket industry, these plastic rectangles are known as "loyalty cards," a term that amuses John Stanton, a professor of marketing at Philadelphia's St. Joseph's University and co-author of a book on product marketing titled Success Leaves Clues . Many consumers carry around thick stacks of the cards, he points out: "It's like if I said to my wife, 'I'll be loyal to you and four other women.'" On a sunny afternoon last month, I accosted about a dozen shoppers in the parking lots of three shopper-card-carrying local supermarkets. "Why do you shop here?" I asked. In almost every instance, I got the same response: convenience. "It was on the way home from work," said one patron outside the Charles Village Safeway, as he loaded parcels into the trunk of his car. Not one of the participants said that a loyalty card gave him or her the slightest motivation to go out of his or her way to shop at a specific store. Fifty or so years ago, grocery-store customers were a more predictable lot, says Ron Swift, a vice president of strategic customer relations for Teradata, a division of NCR, formerly National Cash Register Corp. Customers mostly shopped at their neighborhood store and bought the same basic items each time out. The grocer would have a pretty good idea of what would be in the register at the end of the day and what would need to be replaced on the shelves. Those days are gone. People got smarter. Hopping in their cars, they shopped around, compared prices, used coupons. So, like a spurned lover who turns to a private dick to learn more about a beloved's philandering ways, the supermarket chains turned to technology, hoping to find out more about what shoppers buy, and to understand why they buy it. While the local grocery market is stable, these companies feel competitive pressures from elsewhere, says Jeffrey Metzger, publisher of Food World , the Mid-Atlantic's regional supermarket trade journal. In the past five years or so nonsupermarkets--mostly Wal-Mart and drug-store chains like Rite Aid and CVS--have increasingly taken in more local grocery dollars. In an increasingly competitive landscape, a store's profits are hard won: A supermarket may make 3 cents on every dollar of merchandise it sells, Metzger says. This is where Teradata comes in. This Dayton, Ohio-based company sells data-mining systems, computer systems that can hold and analyze vast amounts of data. Ron Swift flies around the country selling supermarket companies on the idea that such powerful systems can easily characterize the purchasing habits of individual shoppers. Most of the companies buy into the idea, Swift says, and such a claim seems credible. In 2002 alone, Teradata sold about $1.1 billion of data warehouses across the retail sector, according to the company's public filings with the Securities and Exchange Commission. Stores have always known what they've sold, at least after a tally of the day's sales. And they have usually had at least a vague idea of what their customers want. Strong sales of Puppy Chow indicate that lots of dog lovers live nearby. But what data mining promises is "to know the customer's lifestyle and what they prefer," Swift says. Through sifting the data it collects, Teradata has found, for instance, that shoppers who buy a lot of baby supplies, such as diapers, tend to buy a lot of film for their cameras, too. Teradata's systems scour a market's records for such affinities, seeking strong bankable connections that supermarkets can utilize. Putting the steak sauce next to the steaks, so to speak. St. Petersburg, Fla.-based Catalina Marketing is another company that markets customer data-collection systems to grocery stores. Catalina installs systems at cash registers that spit out coupons with register receipts. By knowing who a shopper is through his or her use of a loyalty card, the company claims it can deliver a coupon tailored to that customer. If you don't know Catalina, chances are Catalina knows you. The company works with about 18,000 supermarkets nationwide (its Web site lists Giant, Safeway, Food Lion, and CVS as customers, among others), keeping a database of 100,000 households. Their shopping records stretch back "at least one year" in order to track long-term buying habits, says Trish Brynjolfsson, who is a Catalina vice president of retailer marketing. Brynjolfsson would not say how long Catalina keeps the records beyond one year. The company charts not only what items you buy but also how often you come into the store and how many items you buy when you do. It knows if you like to switch brands. While some consumers are doggedly brand-loyal, "there are certain customers who are promotionally sensitive--they are looking for savings," Brynjolfsson says. In fact, she estimates that 80 percent of shoppers switch brands frequently. By using the kind of data Catalina collects--in part through loyalty cards--manufacturers of competing products can pitch the switch-hitters with instant coupons for their own products. Turn over the back of a Catalina-generated receipt and you may very well find a coupon for a product you have thought of trying, from a secret admirer of your wandering ways. Companies like Catalina and Teradata use this data to spot trends and insist they have little use for individual information. Brynjolfsson says that it would be difficult--though possible--to single out and review one person's buying history, but that the company has no business interest in doing such. If this all sounds a little manipulative, remember these companies swear that a well-executed loyalty-card program can be a win-win for both shopper and shop. And they may have a point. See, it is bad marketing that offends people, Teradata's Swift says. People get irked at useless coupons stuffing their mailboxes, at telemarketing sales pitches for products they can't use. But if you were approached with a deal that might actually be of interest, you wouldn't see that as marketing, he argues. You'd see that as helpful. It'd also be cheaper for the stores. "Say a baby-food manufacturer want to target a new product," Giant's Gallagher says. "Instead of dropping 4 million coupons in the area, it may want to target customers shopping in our stores and already buying their products. It's more efficient for the manufacturer and for us as well." So why shouldn't we make use of data-mining technology to make our lives more convenient, to have our local grocery anticipate our needs like an attentive lover? But Rob Carlson, for one, was not ready to let his shopping history go so easily. "It's only an ignorant or apathetic consumer who is willing to trade a very personal profile of their home life every week for 30 cents off a gallon of milk," Carlson says. He thought about what he could do to raise awareness of how these loyalty-card systems worked. When he posted his thoughts to an Internet mailing list, someone else off-handedly mentioned that there was no reason that the bar-code label on the back of each Giant card couldn't be replaced. Reading this, Carlson had the flash of inspiration to set up Rob's Giant Bonus Card Swap Meet (http://epistolary. org/rob/bonuscard). Carlson's site works like this: You enter your Giant card number on a form. It puts this number into a pool of numbers gathered from participants. Drawing from this pool, it displays for each visitor a bar-code replica of someone else's number, allowing the visitor to print it out and tape onto his or her own card. Should you actually take the time to do this and then visit the local Giant to use this card, you are, to Giant, someone else. If enough people do this, the argument goes, Giant's shopper profiles are rendered muddied and ultimately useless. Online since January 2001, the site has gotten thousands of hits. Carlson has no illusions that there will ever be enough of a groundswell to make any difference to Giant, however. "The intent of a card swap or a site like mine is less about affecting the supermarket and more about educating the consumer," Carlson says. Giant wouldn't comment on Carlson's site, though Catalina's Brynjolfsson says that tricks like using a fake name or swapping cards has no effect on its records. Such tricks only cause the customer him- or herself to be deprived of the "the full benefit" of the system, Brynjolfsson says. Carlson is not alone in his misgivings. Katherine Albrecht founded Consumers Against Supermarket Privacy Invasion and Numbering, or CASPIAN, to alert consumers of the potential dangers of supermarkets collecting extensive personal shopping histories through loyalty cards. "There are many, many things that nobody's got any business knowing about anybody else," the organization's Web Site ( www.nocards.org ) fumes. Although most stores say they don't sell the data to outside parties, they do frequently sell it to "partners" or companies that do business with the stores, CASPIAN claims. Giant does not sell its records to third parties, though it will mail coupons to Giant customers for third-party vendors, Gallagher says. While neither Safeway nor Super Fresh returned phone calls for this article, the privacy policies posted on Super Fresh and Safeway's Web sites look similar to Giant's. And with the data so freely available, it could be put to the wrong uses--even be used against you--CASPIAN spokeswoman Liz McIntyre says. When asked for past cases of supermarkets and their "partners" misusing data, however, McIntyre comes up short. The Web site doesn't offer up many specific cases of abuse, either. One supermarket chain turned over all its purchasing records to three federal law-enforcement agencies in the days after Sept. 11, 2001--without even being asked to do so--according to a July 2002 Village Voice article, but neither the supermarket nor the federal agency involved were named. Still, privacy concerns are worth noting. Most retail stores seem to have little problem in turning your records over to law-enforcement officials or subpoena-wielding lawyers. Remember a few years ago when Kramerbooks in Washington refused to hand over to special prosecutor Kenneth Starr's minions a list of the books Monica Lewinsky purchased on the grounds that it was an invasion of her privacy? Don't expect your supermarket to do the same for you. Gallagher says that if presented with the proper subpoenas, Giant would disclose shopper records. It even states as much on the card application form. After hearing the sales pitches of Teradata and Catalina, it's surprising to realize that not every store uses loyalty cards. Metro Food Markets, which operates 9 stores around Baltimore, eschews use of the cards, as does its parent company, Shoppers Food Warehouse. (Soon all Metros will be known as Shoppers Food Warehouses.) The company looked at using such systems, says Rick Rodgers, a senior vice president of merchandising for Shoppers, but didn't see the benefit to them. "We offer the same deal to all our customers. It works for us, and we feel our customers appreciate it," he says. Although not primarily a vendor of groceries, Wal-Mart, widely considered in the industry to be the most efficiently run retail business, is another no-card store. Food World publisher Jeffrey Metzger divides the grocery business into two general categories. Stores like Metro and Wal-Mart fall into a category Metzger calls "everyday low price stores." Such stores draw customers by cutting the prices of all items as much as possible. For these stores, there is little value in using in savings cards. They compete on price alone. The second category is what Metzger calls the "high-low stores." These are stores like Giant, Super Fresh, and Safeway that heavily discount selected items, hoping to entice people into the store for those savings. The store makes up the difference on other items the customer is likely to buy once inside. Consumers Against Supermarket Privacy Invasion and Numbering accuses such stores of jacking up their prices and offering items for cardholder-only sales at what would normally be the non-sale price, giving customers the warm, but false, feeling of saving money. So are savings cards a ruse? Do no-card everyday low price joints really offer lower prices every day? On the rainy night of Friday, Sept. 12, I visited four Baltimore supermarkets to compare some prices. I visited the Charles Village Safeway, the Rotunda Giant, the Super Fresh in Hampden, and the Metro Food in South Baltimore. I compared the prices of 36 items ranging from taco shells to Hamburger Helper. I picked eight items from each store that were on sale, and four more staple items. Admittedly, this study was unscientific, but this is what I found: Metro seems to be the cheapest, but just barely. If I were to buy all of the items on my list at Metro, it would cost me $66.52. But at Giant, using its Bonus Card, the total would nearly be the same, at $67.19. These items would cost a card-carrying Super Fresh member $72.71 and a Safeway loyalist $76.80. Keep in mind, this is a sample from sale items picked more or less at random. Since there's only a $10 spread between the least expensive and most expensive store, it could be entirely possible that with another 36 items Safeway could have come out ahead. Beyond raw price comparisons, however, other factors stood out. Each store had its share of good deals, as well as its share of high-priced items. (Giant charged $3.79 for a 15-ounce box of Cheerios, while the other markets had the cereal on sale for around $2 a box.) Overall, one store's patrons don't seem to get more overcharged than any other store's patrons. But no one store's loyal customer will come out that much ahead, either. But contrary to CASPIAN's contention, cardholders do enjoy good savings from time to time. With your Giant card, you could have scored a 100-ounce container of Tide liquid detergent for $4.99 on Sept. 12, while other markets in town--including no-card Metro--charged $7.79. But as CASPIAN contends, those club-card-driven savings the markets are proud to trumpet are equivalent to regular sales at stores with no cards. You may have a Super Savings Card, but it isn't a Super Duper Savings Card. You're probably not saving more than you would be in no-card stores. One last aspect leaps out: Defiance costs. If you're not using a card at a place that wants you to use them, you'll get screwed. Sans cards, my groceries that night would have cost $82.55 at Super Fresh, $86.28 at Safeway, and $76.77 at Giant. CASPIAN encourages consumers not to use cards when shopping as a way to send a message to the markets. Some message. Sending that message to Safeway would have cost you $9.48--payable directly to Safeway itself. So what is going on here, assuming that these stores offer groceries at more or less the same price? No-card stores like Metro and Mars Super Markets try to duke it out on price alone, hoping Wal-Mart doesn't come in and crush them. Meanwhile, the high-low stores offer similar savings but want to learn a bit more about you in return, like what you and people like you tend to buy. So the next time you come in for one item, they may better know what other items you might just throw another in the basket that you weren't consciously planning on purchasing. Especially items with high profit margins. In theory, anyway. The dirty little secret of data mining is that stores don't actually use these data mining systems very much. In many cases, chains install the systems at considerable expense (prices start at $500,000 to install Catalina's products in a small grocery chain's stores). Yet, after they are installed, the data they reap usually isn't analyzed, Professor Stanton says. Many chains have the old penny-pinching mentality. So they may invest in a data-collection system but not in the software and training needed to get full use of the resulting data. Food World 's Metzger agrees that the grocery stores in the Mid-Atlantic region don't fully use the collected data. Shoppers Food Warehouse's Rodgers says that part of the reason Metro doesn't use shopping cards is that it doesn't see a clear value in having all that data. Something else is needed to complete the puzzle. Enter the next technology that will be pitched to help supermarkets survive in their hypercompetitive, loyalty-starved world: tracking tags. The tags don't look like much. You can hardly see them, in fact--they are about the size of a head of a pin. They are called radio frequency identification tags, or RFID tags. If you don't know what they are today, you will in five years. They are widely expected to take the place of bar codes, and they also could be used to keep track of customers more closely than even the most wildly optimistic loyalty-card pitchman could dream. The future of this technology may spring from Columbia. There, a technology engineering company called Matrics has developed tags, antennas, and readers it hopes will be adopted by grocery stores and other retail outlets. It is but one small 50-person company among a sea of similar manufacturers getting ready to ramp up sales of these tags. Many belong to an industry body called the Auto-ID Center. A windowless room in Matrics' offices is set up for demonstrations. It resembles a mock store. On one side of the room are shelves of typical consumer items: some DVDs, a small rack of shirts, some coffee mugs, books, cans of coffee. Each of these items bears a small, nearly unnoticeable RFID tag. Joe White, Matrics' senior director of application engineering, shows me a tag, and that is exactly what it looks like: a tag with sticky adhesive on the back, one you could stick on a package of just about anything. The back peels off to reveal a tiny metal chip, .012 inches thick, with little silver threads (its antennas) stemming from it. The chips are passive. In other words, they have no power source, such as a battery. Instead, a transmitter sends out a radio wave of a certain frequency, which reverberates with the tags. Each tag holds a unique serial number that is read by the RFID antenna. White turns on a computer in the corner of the room and launches some software that scans everything in the room through antennas built into the wall. The software shows a virtual representation of the "store," showing where each and every item is located. Despite--or perhaps because of--their size, RFID tags could revolutionize the retail industry. Customers would like these tags mostly because, if they were affixed to products, those products would no longer have to be taken out of the cart to be paid for. A cashier (or an automated checkout machine) could just wave a wand over a cart full of items and spit out a grand total within a few seconds. Retailers would like them even more (which is why they are all but an inevitability, RFID manufacturers reason with fiscal optimism). A store can put readers throughout the shopping area and keep tabs on each and every item on its shelves. If a store were running out of one item, the manager would know it sooner and be able to restock it faster; supermarket chains could spot trends more quickly as well. RFID tags could also make shoplifting pretty much impossible: If an item is tagged, a manager will know if it is leaving the store without being paid for. Industry analysts predict that RFID tags may become widespread on consumer shelves by 2007 or so. Naturally, RFID tags have consumer advocacy groups spooked. The week of Sept. 15, CASPIAN staged a protest outside Chicago's McCormick Place Convention Center, where an RFID trade show was taking place, with companies such as Gillette and Procter and Gamble showing off how they could tag their products with the devices. Privacy advocates have called these RFID tags spy chips. While helpful inside the store, the potential problem is that these tags could be used outside the store, after the sale. Each tag is individually numbered and, in conjunction with the kind of records a loyalty-card system compiles, could theoretically be tracked back to the person who bought a particular item. CASPIAN's McIntyre paints a picture of a consumer-friendly Orwellian nightmare in an RFID world. For instance, she postulates, it would be possible, if not probable, for some fiendish corporation or government agency to collect a list of every item you own, using the tag numbers of the items you purchased. Then it could track you down, merely by scanning the landscape for those tag numbers. With such tags sprinkled about your person, a retail store could identify you the moment you enter the front door, identifying you from previous purchases you're wearing or carrying. "Immediately you can be tracked," McIntyre says. "They will know where you're going and how long you linger. How much comparison shopping you do." Earlier this year, the Auto-ID Center, recognizing a growing backlash against the technology, set forth specifications for ways that the tags could be turned off at the checkout counter, not unlike the way anti-shoplifting devices are neutralized--it's called a killtag function. McIntyre doubts companies would go for this, however. After all, there are plenty of good reasons for enticing customers to leave RFID tags active. An active tag could be used to identify products still under warranty, for instance. Kevin Ashton, executive director of the Auto-ID Center, pooh-pooh's CASPIAN's dystopian vision. First of all, he notes, it's highly doubtful retailers would ever voluntarily give away any information about who bought their products to other businesses: "Retailers are very unlikely to share this kind of information with their competition," Ashton says. Secondly, there are very real physical limits to how far away these tags can be identified. Tags without their own power supplies--which is to say most tags currently proposed--can only be read from a few feet away at most. Everyday barriers like water and metal block the signals. "While the technology is likely to improve over time, there are some fundamental limits that make things like reading RFID from outer space seem unlikely," Ashton says. Lastly, and most importantly for Ashton, the problem with this all-seeing RFID scenario "is that most customers would hate it, so it wouldn't be very effective," he says. Or maybe they just won't care. Outside the Charles Village Safeway, a woman pulls her plastic bags of groceries from her cart. "Doesn't it disturb you that the supermarkets are keeping records of what you buy?" I ask. "It doesn't bother me, " she says, shrugging. "It's only food." -- ----------------- R. A. Hettinga The Internet Bearer Underwriting Corporation 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' From kenhirsch at myself.com Wed Oct 1 17:09:34 2003 From: kenhirsch at myself.com (Ken Hirsch) Date: Wed, 1 Oct 2003 20:09:34 -0400 Subject: Wipe your Lamo notes now References: Message-ID: <00ef01c38879$7809bbb0$0201a8c0@DXHIRX1> From: "Tyler Durden" > Tim May wrote... > > "If it's a felony for _me_ to say "Sources tell me that Valerie Plame, the > wife of Ambassador Joseph Wilson, has been a CIA covert operative since > 1980," it is a felony for Robert Novak to do so." > > Hum. Particularly in the era of the Internet and blogs. Even if "The Press" > should have some special treatment, the clear and obvious thing to do is to > set up an Internet Press of some minimal sort, and start "reporting". There's not a special exemption for reporters. It is only a crime to reveal the identity of covert agent if you learn of it because of authorized access to classified information or your are engaged in "a pattern of activities intended to identify and expose covert agents and with reason to believe that such activities would impair or impede the foreign intelligence activities of the United States". http://www4.law.cornell.edu/uscode/50/421.html From nobody at dizum.com Wed Oct 1 13:10:06 2003 From: nobody at dizum.com (Nomen Nescio) Date: Wed, 1 Oct 2003 22:10:06 +0200 (CEST) Subject: Dan Geer Fired (was re: Technology Firm With Ties to Microsoft Fir Message-ID: The company I work for forbids its employees to discuss crypto issues in public forums like this one. That's why I only post anonymously. They have several concerns. One is the still-existent crypto export regulations which could be construed to forbid technical discussions of cryptography in public forums accessible to foreigners. Another is the danger that the employee might say something which could embarrass the company, such as admitting problems in the company's products. Employees may also find themselves talking to customers of the company and say things different from what the sales representatives are telling them, which leads to huge problems. There are actually many valid reasons to keep employees from talking publicly about technical issues in any field related to their employment. Add to this the many political and legal issues that are specific to cryptography and it is unsurprising that so many companies restrict what their employees can say, as a condition of employment. One thing I haven't heard in the Geer case is whether his employment contract did have such limitations. If not, he might conceivably have grounds for a wrongful termination suit, although even then the company could make a pretty good case that bad-mouthing one of the company's biggest customers is valid grounds for dismissal. It's also interesting that Geer claims in an interview [1] that he approached nine differrent academic researchers who refused to sign on to the report even though they agreed with its recommendations, because they were afraid of losing funding. I find this somewhat hard to believe, first because I don't agree with the conclusions of the report (although my analysis has been censored), and second because I don't think that Microsoft controls that much academic research funding. It's possible that Geer is exaggerating or that the researchers were not completely honest about the reasons for their lack of interest. [1] http://www.eweek.com/article2/0,4149,1304620,00.asp From jamesd at echeque.com Wed Oct 1 23:37:08 2003 From: jamesd at echeque.com (James A. Donald) Date: Wed, 1 Oct 2003 23:37:08 -0700 Subject: Return of the death of cypherpunks. In-Reply-To: <3AE04F68-E2FA-11D7-87EC-000A956B4C74@got.net> References: <5.2.1.1.0.20030909114314.04a30ec0@mail.comcast.net> Message-ID: <3F7B6524.6853.36A08AD@localhost> -- When a mailing list is full of crap, it dies, even though the regulars set killfiles to silence the offending posters. The reason is, no new people arrive. New people subscribe, see nothing but crap, unsubscribe. A mailing list or newsgroup needs a strong personality who is a prolific poster who keeps discussions on track, issues lots of good stuff, and reprimands trolls and nuts. That person, of course was Tim May. (past tense) It also needs a continual stream of new people, who bring new ideas, and unfamiliar ways of recognizing old ideas. The relentless mass spamming by professor rat and Jim Choate keeps new comers away, since 99% of the posts to the list is from people who hate the ideas that the list was created to further, and seek to shut it down, to prevent thought about and discussion of such ideas, and Tim May has succumbed to terminal grumps on discovering that the crypto transcendence is not coming soon. So when is the crypto trancendence coming? When does an encryption enabled internet start to undermine the power of the state? Well it is a little like web groceries. During the Dot.com hype, lots of web grocery companies popped up, and made about a cent on the dollar. They vanished, but, surprise surprise, there are now some real web grocery firms, and they are making a little bit of money. Darknet (frost over freenet) is going tolerably well, mostly in its Japanese incarnation, the repression being stronger in Japan. The Japanese experience tells us that any repression short of communist levels of repression will make darknet stronger, not weaker. The big threat to frost over freenet is the natifying of the net which makes more and more people into clients, not peers. Theoretically frost over freenet serves even those behind NATs, but really it does not, and cannot. Private money on the internet remains a small, non anonymous, backwater. There is no Chaumian anonymity. There is some "trust us" anonymity, located on offshore islands, controlled by people quite susceptible to US pressure. Account based money without true names or the mark of the beast is a tiny but profitable business. E-gold is probably the largest player, with about two million dollars a day changing hands, and twenty thousand micropayments a day (payments of less than a dollar) Two million a day is one five hundred thousandth of the turnover on the US$, and it is not growing very fast. Of course e-gold is just one of several, but it probably a large portion of the total. Suppose no-true-name account based money grows at thirty percent a year, which seems plausible. In due course some substantial portion of it will be chaumian. Then the US$ goes into crisis in 2060. As Adam Smith put it, "There is a lot of ruin in a nation.". Even if we suppose that the institutions of the crypto trancendence undergo remarkably rapid growth, the kind of growth that the dot bombs predicted in their business plans, the crypto trancendence does not hit until around 2025. But right now today, the internet is undermining the power of the state. The Japanese government went as far as democracy can go, and perhaps a bit further, to shut down file sharing. The result: Widespread adoption of software based on freenet. Cypherpunks 1, state 0. We have a long way to go, but we are going. Oh yeah, and once again I declare the mailing list that gave the name of this movement to be dead, though the fact that I am still posting on it would seem to prove it is alive, though breathing its last. --digsig James A. Donald 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG dcuOonOpNgPgqZpgbJF0j6ClGa0j1it1Uk51kc/Q 4Nnby2D6L0GGqj2rwXsyWpY1xoKh901QBG9bsYjxG From mv at cdc.gov Thu Oct 2 00:33:16 2003 From: mv at cdc.gov (Major Variola (ret.)) Date: Thu, 02 Oct 2003 00:33:16 -0700 Subject: Your papers please? CAPSII and other abuses Message-ID: <3F7BD4BB.42B3EA73@cdc.gov> Note especially the high false-positive-to-hit ratio, and this: "Fatherland Security chief Tom Ridge, for example, has already approved the use of CAPPS II to identify fugitives wanted for violent crimes." Computer hunt for terrorists October 2, 2003 By Charles Piller and Ricardo Alonso-Zaldivar, Times Staff Writers A secret computer program detected something suspicious about the middle-aged passenger heading to Eugene, Ore. He traveled often, usually taking one-way flights on short notice. In the months following the Sept. 11 attacks, every time he tried to board a flight in Portland, he was pulled out of line and searched as a possible terrorist threat. The passenger was Peter A. DeFazio  congressman from Oregon, former Air Force officer and ranking Democrat on the House subcommittee overseeing airline security. "My constituents found it very amusing," DeFazio said. It soon became less humorous when he learned he could stop triggering the security checks by simply joining a frequent flier program, a trick that in the computer's mind transformed him from a suspect into a trusted customer. "A terrorist can't figure that out?" DeFazio asked. Since the Sept. 11 attacks, creating an effective system to screen out both known terrorists and would-be hijackers  plotters with spotless records but nefarious intent  from millions of airline passengers has become a top priority in the war against terrorism. But as DeFazio's experience showed, even the most elaborate current computer systems stumble when trying to decipher human motivations, and, like any security scheme, have been perpetually vulnerable to being gamed. In the face of such challenges, the federal government has embarked on a costly program to create a second-generation profiling system designed to verify the identity of every passenger and analyze their lives through a "black box" of government intelligence and law enforcement databases. Though details of the system are secret, security experts believe that more than 100 factors will be used to sniff out terrorists based on telephone records, travel patterns, law enforcement files and other sources. The system will turn the new federal Transportation Security Administration into one of the most intrusive government agencies, perhaps second only to the Internal Revenue Service  investigating about 70 million passengers who take 675 million trips by air annually. And possibly, all for an illusion of security. "The U.S. is so much oriented toward a technology [solution] that the people are serving the technology," said Offer Einav, former director of security for Israel's national airline, El Al, widely considered the world's most secure carrier. Like other aviation security experts, he views computer profiling as beneficial only if paired with seasoned security officials who exercise common sense and conduct their own psychological assessments of passengers  not part of the U.S. program. "They are dealing with enemies who are human beings. Human beings will always beat the technology," Einav said. Mixed Success No computer-based system has ever verifiably thwarted a hijacking or bombing, according to federal and private security experts. But given the enormousness of the task, the airline industry's current system  the Computer Assisted Passenger Pre-Screening system, or CAPPS  has occasionally shown flashes of brilliance. Its greatest success may have been on Sept. 11, 2001. In the 24 hours leading up to the hijackings, CAPPS would have checked more than 1.8 million passengers. It actually flagged six of the 19 terrorists later involved in the hijackings, according to the national commission on the Sept. 11 attacks. About 92,000 innocent travelers were also singled out. Unfortunately, only a brief luggage check for explosives and weapons was required. The hijackers  and the then-legal box cutters several were carrying  were all welcomed aboard their flights. CAPPS was deployed in 1998, following the crash of TWA Flight 800 off Long Island two years earlier. It was part of a package of anti-terrorism measures put in place  including baggage X-rays and bomb-sniffing dogs  even though mechanical failure was later blamed for the crash. The system largely relies on government watch lists and passenger travel histories. It provides a relatively rudimentary check that the industry designed as a compromise between maintaining efficiency in boarding passengers and finding possible terrorists, said consultant Douglas Laird, former security director for Northwest Airlines, who helped develop CAPPS. Laird praised CAPPS for targeting nearly a third of the Sept. 11 hijackers. "What failed on 9/11 was the follow-up," he said. After the events of Sept. 11 exposed CAPPS' weaknesses, the airlines and the government tried to compensate by hedging their bets  flagging 15% to 20% of travelers  an estimated 370,000 per day  for hand luggage searches and extra security checks. That is an increase from 5% in 2001, according to the TSA. But casting such a wide net can overwhelm the system, resulting in long delays at the airport. The government believes the best way to increase security and efficiency is to create a more advanced computer system. CAPPS II, an upgrade expected to cost more than $105 million, is designed to transform a few simple database searches into an omniscient eye on terrorism. The TSA, which will operate the system, plans to introduce it next year. "I don't think there is a single project that will do more potential good for aviation security," said Adm. James M. Loy, head of the TSA. CAPPS II will have "an astonishing capability" to trace would-be terrorists, even if they lead apparently unremarkable lives, he added. In addition to checking travel records, CAPPS II would require each passenger to provide his name, birth date, home address and phone number when making a reservation. Commercial database companies would check the information against billions of public records and issue an identity rating, handicapping the likelihood that the passenger is lying and judging how "rooted" the person is in a community, rating such factors as local family connections and the amount of time in the same home. The government would then check the information against national security and law enforcement watch lists of more than 100,000 suspects. It would mine CIA, FBI and other intelligence databases to pluck the rare unknown terrorist from an ocean of innocents with a kind of technological mind-reading. The government estimates that no more than 4% of passengers  about 74,000 people a day  would be rated "unknown risk/yellow light" by CAPPS II and get closer screening, such as shoe checks and physical searches of carry-on items. An average of only one or two people per day would be rated "high risk/red light" and be barred from flying or even arrested. Those are the theoretical projections. Reality could be far different. "Systems that involve wholesale surveillance of innocents tend not to work," said Bruce Schneier, a leading cryptographer and chief technical officer of Counterpane Internet Security, a cyber-security firm. "It's not feasible to catch the bad guys without also catching too many good guys." Innocent Victim Consider the experience of Joe Adams of Cottage Grove, Minn., an unassuming, 71-year-old scholar of British literature, who travels for pleasure and his part-time job grading college entrance exams. Adams was flagged by CAPPS more than a dozen times between April 2002 and this August. At first he was perplexed, then frustrated and finally angered at being treated like a national security threat for up to two hours every time he flew. Adams eventually learned the reason: His name, like hundreds of other Joe Adamses nationwide, resembled an alias of an alleged Al Qaeda operative. "I appreciate what they are trying to do security-wise," Adams said. "What I don't appreciate is what they are trying to do to someone like me," someone improbably old for such a mission. "I could be [a terrorist's] grandpa." Adams' problem eventually disappeared without explanation. Many others simply put up with such treatment. Calls to seven random Joseph Adamses around the country turned up five who fly regularly and share the literature scholar's plight. One Massachusetts grandmother of 12, whose husband is named Joseph Adams, was told by an airport screener that she was flagged as not just a regular security risk, but a high security risk. By design, computer profiling systems flag millions of people for such common reasons as moving often, visiting the Middle East or being unlucky enough to share a name with someone on the watch list. The result is an enormous error rate that can overwhelm screeners. At the same time, the systems are necessarily blinded from considering some factors. For example, ethnic, religious or racial designations are excluded from today's CAPPS and CAPPS II to avoid discrimination. Linking those factors to terrorism may be an application of crude stereotypes, but from a security standpoint, barring such identifiers doesn't make sense, Einav said. "As far as I remember, none of the Al Qaeda members was a citizen of the state of Switzerland or was a Catholic priest," Einav said. "Unfortunately, cells of Al Qaeda are existing in Islamic states." The Sept. 11 terrorists understood that a successful hijacking depended on exploiting precisely these types of holes in the computer profiling system. In the months leading up to the attacks, they tried several dry runs to see if their efforts to remain invisible to the security system had paid off, according to the joint House-Senate intelligence report on the attacks, issued last December. "Transparency is the Achilles' heel" of CAPPS, letting attackers "reverse engineer" the system, wrote Samidh Chakrabarti and Aaron Strauss, students from the Massachusetts Institute of Technology and Harvard University, whose computer science class paper raised eyebrows in the airline industry last year. Passengers know where they stand  whether they have been placed in a separate line, interrogated or searched. Chakrabarti and Strauss concluded that if a terrorist made six trial flights and got the green light every time, that person could confidently assume that he or she would not be stopped by the system on a real hijack mission. Schneier suggested an even simpler approach. "You want a good identity? Steal it," he said. A recent report from the Federal Trade Commission found that 27 million Americans have been victimized by this type of fraud in the last five years. MIT professor Arnold Barnett, a consultant to the government on aviation safety and security issues, said no computer program is immune to such methods. "The belief that penetrating people's minds is the key to stopping airline terror could be an illusion that, if taken seriously, might someday be shattered at great cost," he wrote in an upcoming article in the journal Risk Analysis. "In the worst-case scenario, [CAPPS II] could be reminiscent of the Maginot line." The TSA's Loy said his agency can foil the terrorists' efforts. "We will be counter-gaming the gaming," he said. One way to do that is to conduct random security checks, which flag passengers regardless of their threat rating. Random checks were increased after the Sept. 11 attacks, but proved endlessly irritating to the millions of innocent travelers who resent security guards rummaging through their underwear and other personal effects. They have since been "radically" reduced, and would remain at current levels under CAPPS II, Loy said. CAPPS II would also constantly update its data and adjust its analysis to keep terrorists off balance, Loy said. But Stanford University computer scientist Jeffrey D. Ullman said that building a prescient computer system capable of seeing through simple human ruses would require an effort comparable to the Manhattan Project during World War II to build the atomic bomb. Short of that unlikely prospect, the other option is to engulf ever greater amounts of data in hopes of bolstering the computer system. Privacy Concerns In its initial plan, the government proposed keeping CAPPS II dossiers of air travelers on file for 50 years, but the idea was dropped after a public outcry. Privacy advocates still worry that, as with any large database, there is an inevitable tendency to use the information for more and more purposes. Homeland Security chief Tom Ridge, for example, has already approved the use of CAPPS II to identify fugitives wanted for violent crimes. Even before the deployment of CAPPS II, a major data-security lapse has jolted the traveling public. JetBlue Airways Corp. admitted recently that in a deliberate violation of its own rules, it had secretly delivered detailed passenger data to a military contractor working on a separate airline security project. Outraged customers have filed suit against the company, and the Homeland Security Department has initiated an investigation. The TSA acknowledged that some mishaps involving accuracy and disclosure of CAPPS II data are inevitable. The agency will have a passenger advocate and appeals process, but has yet to spell out what rights passengers will have. Congress has asked the General Accounting Office to investigate if CAPPS II can identify suspicious travelers without trampling the rights of innocents; lawmakers are awaiting the GAO's verdict before approving deployment of the system. "We here at the Department of Homeland Security are also citizens, and we are also very concerned about our rights, about our privacy and about our civil liberties," said Nuala O'Connor Kelly, the department's chief privacy officer. But privacy advocates say that because CAPPS II information would be classified, travelers would never be certain why they were flagged. It's a Catch-22 that would present enormous challenges for clearing their names  and an enormous temptation for misuse, said David Sobel, general counsel of the Washington-based Electronic Privacy Information Center. "People are going to want to know, 'Why am I pulled aside every time I take a flight?' " he said. "The answer is going to be, 'Sorry, we can't tell you.' " From tom at lemuria.org Thu Oct 2 01:02:59 2003 From: tom at lemuria.org (Tom) Date: Thu, 2 Oct 2003 10:02:59 +0200 Subject: [Remops] free hosting for cpunkly projects... In-Reply-To: <20030926194751.GA22396@dual.cypherspace.org>; from adam@cypherspace.org on Fri, Sep 26, 2003 at 12:47:51PM -0700 References: <20030926194751.GA22396@dual.cypherspace.org> Message-ID: <20031002100256.D29677@lemuria.org> On Fri, Sep 26, 2003 at 12:47:51PM -0700, Adam Back wrote: > http://www.1and1.com are offering: 1and1 seems to be a child of Schlund and Partner, who already have the largest german hosting service 1und1 (yes, that is german for 1and1). They're large and they have been around for quite a while. -- PGP/GPG key: http://web.lemuria.org/pubkey.html pub 1024D/2D7A04F5 2002-05-16 Tom Vogt Key fingerprint = C731 64D1 4BCF 4C20 48A4 29B2 BF01 9FA1 2D7A 04F5 From eugen at leitl.org Thu Oct 2 04:30:15 2003 From: eugen at leitl.org (Eugen Leitl) Date: Thu, 2 Oct 2003 13:30:15 +0200 Subject: [Remops] free hosting for cpunkly projects... In-Reply-To: <20031002100256.D29677@lemuria.org> References: <20030926194751.GA22396@dual.cypherspace.org> <20031002100256.D29677@lemuria.org> Message-ID: <20031002113015.GG6456@leitl.org> I'm getting 30 EUR/month 100 GByte/month (0.9 EUR/GByte overtraffic) for a SuSE box at server4free.de, hetzner.de is 10 EUR more, has 80 GByte/month traffic and has Debian 3.0 as well as SuSE. How well is IPsec supported in 2.6 as compared to FreeS/WAN in 2.4 in regards to opportunistic encryption? On Thu, Oct 02, 2003 at 10:02:59AM +0200, Tom wrote: > On Fri, Sep 26, 2003 at 12:47:51PM -0700, Adam Back wrote: > > http://www.1and1.com are offering: > > 1and1 seems to be a child of Schlund and Partner, who already have the > largest german hosting service 1und1 (yes, that is german for 1and1). > > They're large and they have been around for quite a while. > > > -- > PGP/GPG key: http://web.lemuria.org/pubkey.html > pub 1024D/2D7A04F5 2002-05-16 Tom Vogt > Key fingerprint = C731 64D1 4BCF 4C20 48A4 29B2 BF01 9FA1 2D7A 04F5 -- Eugen* Leitl leitl ______________________________________________________________ ICBM: 48.07078, 11.61144 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE [demime 0.97c removed an attachment of type application/pgp-signature] From mv at cdc.gov Thu Oct 2 14:34:14 2003 From: mv at cdc.gov (Major Variola (ret.)) Date: Thu, 02 Oct 2003 14:34:14 -0700 Subject: Ambulance Chasing Lawyer sues M$ Message-ID: <3F7C99D6.9A1A77A7@cdc.gov> Microsoft Sued for Weak Security http://wired.com/news/business/0,1367,60673,00.html Dana Taschner, a Newport Beach, California, lawyer who filed the lawsuit on behalf of a single plaintiff and a potential class of millions of Microsoft customers, could not be immediately reached for comment. Dana Taschner - dbtaschner at aol.com Dana Taschner Esq. 450 Newport Center Drive Newport Beach, California 92660 US Phone - 949-644-7718 Dana Taschner, 450 Newport Center Drive, Suite 420, Newport Beach, California, 92660 http://www.contingencylaw.com/practice.html Dana B. Taschner 2112 Century Park Lane, Suite 207 Los Angeles, CA 90067 US Domain Name: CONTINGENCYLAW.COM admin at contingencylaw.com help at RecalledProducts.com Dana Taschner Esq. 450 Newport Center Drive Newport Beach, CA 92660 US Domain Name: RECALLEDPRODUCTS.COM Dana Taschner - dbtaschner at aol.com Dana Taschner Esq. 450 Newport Center Drive Newport Beach, California 92660 US Phone - 949-644-7718 http://www.americanlawfirm.com/aboutus.html (incl. his photo) --- Can citizens sue the Calif Bar for admitting ambulance-chasing, deep-pocket-diving abusers like Taschner? From jya at pipeline.com Thu Oct 2 16:10:12 2003 From: jya at pipeline.com (John Young) Date: Thu, 02 Oct 2003 16:10:12 -0700 Subject: Return of the death of cypherpunks. In-Reply-To: <3F7B6524.6853.36A08AD@localhost> References: <3AE04F68-E2FA-11D7-87EC-000A956B4C74@got.net> <5.2.1.1.0.20030909114314.04a30ec0@mail.comcast.net> Message-ID: James overlooks the agricultural virtue of cypherpunks death and rebirth for the natural cycle gets rid of old growth and allows for a new improved version. No doubt the old crop doesn't get much satisfaction being taken for manure, nor do the new sprouts see any reason to hail the shit doing what it's supposed to do. Cypherpunks surely will not vaunt tradition when innovation starts to peter out. True, declaring the war is won and going over to war-storying is a grand tradition of bullshitting. From emc at artifact.psychedelic.net Thu Oct 2 16:30:29 2003 From: emc at artifact.psychedelic.net (Eric Cordian) Date: Thu, 2 Oct 2003 16:30:29 -0700 (PDT) Subject: MRS. MARIAM ABACHA In-Reply-To: <200310021848.h92Ime309813@einstein.ssz.com> Message-ID: <200310022330.h92NUTsw015421@artifact.psychedelic.net> MRS. MARIAM ABACHA writes: > IT IS WITH HEART FULL OF HOPE THAT I WRITE TO SEEK YOUR HELP IN THE > CONTEXT BELOW.I AM MRS, MARIAM ABACHA (WIDOW) THE WIFE OF FORMER HEAD OF > STATE OF NIGERIA, GENERAL SANI ABACHA WHO'S SUDDEN DEATH OCCURRED ON THE > 8TH OF JUNE, 1998. AS A RESULT OF CARDIAC ARREST WHILE STILL IN > GOVERNMENT. > I GOT YOUR EMAIL CONTACT FROM ONE OF THE MY FAMILY FRIEND A DIRECTOR, > WITH THE NIGERIA CHEMBERS OF COMMERCE AND INDUSTRY. http://news.bbc.co.uk/1/hi/world/africa/3157570.stm ----- A new study of more than 65 countries published in the UK's New Scientist magazine suggests that the happiest people in the world live in Nigeria. [Spending millions sent to them by Nigerian banking scam victims, no doubt. Har.]] -- Eric Michael Cordian 0+ O:.T:.O:. Mathematical Munitions Division "Do What Thou Wilt Shall Be The Whole Of The Law" From mv at cdc.gov Fri Oct 3 05:40:49 2003 From: mv at cdc.gov (Major Variola (ret.)) Date: Fri, 03 Oct 2003 05:40:49 -0700 Subject: more unconstitutional things (FBI vs. 4th amend) Message-ID: <3F7D6E51.3FE63431@cdc.gov> Court says prisoners cant be ordered to give blood samples A THREE-JUDGE PANEL of the 9th U.S. Circuit Court of Appeals, the first federal appeals court to address the federal DNA Analysis Backlog Elimination Act, said requiring convicts to give blood for a criminal database was a violation of their Fourth Amendment rights against illegal searches. Ruling 2-to-1, the San Francisco-based court said it was an unlawful invasion of privacy because the samples were taken without legal suspicion that the convicts were involved in other crimes. http://www.msnbc.com/news/975026.asp?0cv=NB10 From s.schear at comcast.net Fri Oct 3 08:22:30 2003 From: s.schear at comcast.net (Steve Schear) Date: Fri, 03 Oct 2003 08:22:30 -0700 Subject: hackers have broken into GPRS billing Message-ID: <5.2.1.1.0.20031003082124.06c6ddd8@mail.comcast.net> Some time today (October 2th), the GPRS world will reveal that it has a security vulnerability which has seen an undisclosed number of its customers ripped off. They've been trapped into connecting to malicious content servers, by hackers penetrating the billing system. The first international phone company to admit that they have installed a solution - one offered by Check Point - will be the German phone provider, E-Plus. The scam is called "the over-billing attack." It works quite simply because of a link from the Internet world - unregulated - to the normally tightly regulated GSM planet. "Network administrators face an exponential onslaught of attacks that to date have traditionally been confined to the world of wire line data," was the summary from Check Point. There are lots of potential issues, but the one which has forced the phone networks to acknowledge that there is a problem, is a scam where a company obtains IP addresses that the GPRS operators own, in the "cellular pool" and start pinging those addresses. When one of them responds, the scam operator knows that a user has been assigned the address. And, unbelievably, there was nothing to stop them simply providing services direct to that IP address - and taking the money out of the GPRS billing system to pay for it. The network, typically, only found out about the attack weeks later, when the angry customer queried the service provided, and insisted that they had not signed up for it. Getting the IP address list costs the crook no more than it takes to log onto the GPRS network with a data call, and getting assigned an address by a perfectly standard DHCP server inside the operator's network. Check Point hasn't revealed specifics of how it blocks this attack, but the solution is based on its Firewall-1 software, which is already installed in most cellular networks. "The problem could be fixed by changing the hardware," said a spokesman for Check Point. "But that would take a year to implement, and would require hardware changes in virtually every network operator's equipment. The alternative is to use the knowledge in the GPRS firewall to implement an action in the IP firewall." The solution does require the operator to run Firewall-1 on its Internet equipment as well as its GPRS servers. Once that is in place, Checkpoint has a single mnagement architecture for all its firewalls. "Our preferred solution is to write a rule that says: 'I have now closed this session on my GPRS side, so tell the IP firewall to look for any IP sessions with this IP address, and close them'," said a Check Point executive. Check Point expects several other announcements from phone network operators in the coming weeks. The problem isn't limited to GPRS. Any mobile network that is internally trusted - and that includes next-level technology like UMTS 3G networks - will face similar threats when linking its internal, trusting network to the free-for-all that is the Internet, and will have to adopt similar solutions, says Check Point. "The vulnerability also applies between data networks. The GPRS Transfer Protocol, GTP, provides no security to protect the communications between GPRS networks," says the company in its sales blurbs. "So the GPRS/UMTS network is at risk, both from its own subscribers, and from its partner networks." Details from Check Point itself steve --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com From mv at cdc.gov Fri Oct 3 12:35:41 2003 From: mv at cdc.gov (Major Variola (ret.)) Date: Fri, 03 Oct 2003 12:35:41 -0700 Subject: On suing Marcy Hamilton for being a bimbo Message-ID: <3F7DCF8D.27A7127A@cdc.gov> Dear Dana Taschner, Esq, We'd like to file a class-action suit against MARCY HAMILTON 2804 MCCONNELL DR LOS ANGELES CA 90064 (310)202-6333 For abusing the law, and holding toolmakers responsible for what lusers do with them. You will, of course, get your 1/3 contingency fee. We realize she hasn't anything like the billions you seek, but she is still culpable, right buddy? And anyone can sue anybody for anything, as your career so aptly demonstrates. Maybe we can $ettle out of court... that is what you're after, isn't it? And tell Marcy to buy a fucking firewall, stop clicking on attachments, and stop rendering HTML mail. She makes you wear a condom, right? Same thing. ------ http://www.latimes.com/business/la-fi-micro3oct03,1,1486558.story?coll=la-home-todays-times A Los Angeles woman fed up with computer viruses and malicious worms is using a new California law to try to force Microsoft Corp. to make its software less vulnerable to such attacks. In a suit filed this week in Los Angeles County Superior Court, Marcy Hamilton makes the novel claim that the world's biggest software company has run afoul of the new law, which requires businesses to warn customers when the firms believe personal information has been exposed to hackers or other unauthorized individuals. From ravage at einstein.ssz.com Fri Oct 3 11:51:09 2003 From: ravage at einstein.ssz.com (Jim Choate) Date: Fri, 3 Oct 2003 13:51:09 -0500 (CDT) Subject: SSZ node going down Message-ID: Greetings, As of 17:00 Central today (10-3-03) the SSZ node will cease to operate. All subscribers should move to one of the other nodes to continue to participate in the list. That is my intention. Ta ta. -- -- God exists because mathematics is consistent, and the Devil exist because we can't prove it. Andre Weil, in H. Eves, Mathematical Circles Adieu ravage at ssz.com jchoate at open-forge.com www.ssz.com www.open-forge.com From ravage at einstein.ssz.com Fri Oct 3 12:41:49 2003 From: ravage at einstein.ssz.com (Jim Choate) Date: Fri, 3 Oct 2003 14:41:49 -0500 (CDT) Subject: Test....[No Reply] Message-ID: -- -- God exists because mathematics is consistent, and the Devil exist because we can't prove it. Andre Weil, in H. Eves, Mathematical Circles Adieu ravage at ssz.com jchoate at open-forge.com www.ssz.com www.open-forge.com From mv at cdc.gov Fri Oct 3 15:41:27 2003 From: mv at cdc.gov (Major Variola (ret.)) Date: Fri, 03 Oct 2003 15:41:27 -0700 Subject: U FLA castrates students, turns them into consumers Message-ID: <3F7DFB16.543374EC@cdc.gov> Here, its not NAT turning people into consumers (cf Walker's Speak Freely rant), but a no-server policy which seems to be too broadly implemented --legit uses are also blocked. Maybe time for UDP protocols, or TCP-to-UDP proxies. Over DNS ports :-) When SYNs are outlawed, only outlaws will SYN. -------- There are some legitimate uses that are stifled as a price for reducing illegitimate uses," said John Vaughn, executive vice president of the Association for American Universities One student who asked not to be named said he was upset that he can no longer play LAN games with friends on his floor. Last year, he would regularly joust with 15 others, but the school restricts using a computer as a server, so he's given up the activity. http://wired.com/news/digiwood/0,1412,60613-2,00.html From nobody at cypherpunks.to Fri Oct 3 07:10:12 2003 From: nobody at cypherpunks.to (Anonymous via the Cypherpunks Tonga Remailer) Date: Fri, 3 Oct 2003 16:10:12 +0200 (CEST) Subject: loader 7 Message-ID: <37bd85d4c1dd5a459843862339482d83@cypherpunks.to> save as plain text, loader7.html and run in a browser. whitehatter

From mv at cdc.gov Sat Oct 4 14:12:57 2003 From: mv at cdc.gov (Major Variola (ret)) Date: Sat, 04 Oct 2003 14:12:57 -0700 Subject: On suing Marcy Hamilton for being a bimbo Message-ID: <3F7F37D8.4579EEF@cdc.gov> At 05:50 PM 10/4/03 +0200, Thomas Shaddack wrote: >On Fri, 3 Oct 2003, Major Variola (ret.) wrote: > >> We'd like to file a class-action suit against >> MARCY HAMILTON >> For abusing the law, and holding toolmakers >> responsible for what lusers do with them. > >Not exactly good analogy. The mentioned "toolmaker" behaves so recklessly >they well-deserve some serious slapping. So don't use their tools. Don't abuse the law against the maker of a tool which can be used improperly. It is simply wrong to blame a gun or drill or code maker because some evildoer (virus propogator) used the tool against you. There is a huge difference >between making a bug time to time and release patch as soon as possible, >and reckless endangering of the whole world by both lousy code, Let me guess: the State gets to decide how many bugs per line of code? >intentionally wrong key architectural decisions, You mean decisions that don't fit *your* fancy. See below for others' possible motivations. and keeping everything >and the kitchen sink on by default, Again, the maker's choice; your choice to purchase. including services that next to nobody >(except worms) needs - if the users need it, they should be able to click >on "Enable" on their own. You don't understand the convenience vs. security tradeoff too well. Or the importance of convenience to sales. Not even mentioning the tendency of the patches >(and following patches to patches) to break something else. And this doesn't happen with other OSes? Please. And every version of *nix has always shipped with everything off, maximally locked down? Right. Can't remember >when an upgrade of OpenSSH or OpenSSL or any other contemporary bug >breeder of the MS-alternative bombed any of my systems. [Tech: Since when have MS SSL bugs had *anything* to do with worms and virii? And does MS even support SSH? ] There have been plenty of security and overflow bugs in Open* security apps. Or when I had to >reboot instead of just restarting the updated service. Yawn. >If for nothing other than for running scripts in incoming mails by >default, MSFT deserves it. (Yes, I admit bias. Having to admin a couple >machines running their software should be enough to justify it.) Your bias is turning you into something dark. I sort of expected this reaction, since I was defending MS's right to exist. But if MS is treated this way, so is Joe Coder. >Resorting to worn-out car analogies, it's quite like selling cars with >safety belts made of paper and with faulty brakes (not talking about the >occassional tendency of the mentioned cars to lose their engine, explode >in the middle of the road, or shred the luggage in the trunk). Caveat emptor. Some folks buy cars with no airbags; others buy cars with a dozen. Should everyone be forced to buy the safest car (as defined by the State, of course). If Marcy clicks on attachments, runs mail clients that run embedded scripts, basically spreads her legs and lets everyone in, how is this different from someone who rolls their SUV because they were clueless as to physics? >Though I am not sure if the personal-informations-disclosure venue is the >good one. Au contraire, I'm sure someone who asserts class-action status is interested in hearing from the public she is so kindly protecting. Its a real shame when (albeit deserved) MS-hostility/contempt biasses folks into immorality or irrationality. Its like blaming the authors of the SMTP RFC for spam. From shaddack at ns.arachne.cz Sat Oct 4 07:42:25 2003 From: shaddack at ns.arachne.cz (Thomas Shaddack) Date: Sat, 4 Oct 2003 16:42:25 +0200 (CEST) Subject: U FLA castrates students, turns them into consumers In-Reply-To: <3F7DFB16.543374EC@cdc.gov> References: <3F7DFB16.543374EC@cdc.gov> Message-ID: On Fri, 3 Oct 2003, Major Variola (ret.) wrote: > Here, its not NAT turning people into consumers (cf Walker's Speak > Freely rant), but a no-server policy which seems to be too broadly > implemented --legit uses are also blocked. > > Maybe time for UDP protocols, or TCP-to-UDP proxies. Over DNS ports :-) Or a normal standard VPN. Either classical IPsec, or another implementation, eg. which works over UDP on port 5000 (default), but can be reconfigured to eg. the mentioned 53. (The advantage of OpenVPN is also for the ISPs that demand additional charges for using VPNs and block IPsec packets for residential-grade users.) The adversary then can block 53 and demand use of their own resolvers. Then the VPN can be rewritten to use TCP connection over port 80, optionally with HTTPS proxy support. There is always a solution, if there is an accomplice "outside". > When SYNs are outlawed, only outlaws will SYN. When brains are outlawed, only outlaws will think. (Seems the future goes in this direction.) From shaddack at ns.arachne.cz Sat Oct 4 08:50:02 2003 From: shaddack at ns.arachne.cz (Thomas Shaddack) Date: Sat, 4 Oct 2003 17:50:02 +0200 (CEST) Subject: On suing Marcy Hamilton for being a bimbo In-Reply-To: <3F7DCF8D.27A7127A@cdc.gov> References: <3F7DCF8D.27A7127A@cdc.gov> Message-ID: On Fri, 3 Oct 2003, Major Variola (ret.) wrote: > We'd like to file a class-action suit against > MARCY HAMILTON > For abusing the law, and holding toolmakers > responsible for what lusers do with them. Not exactly good analogy. The mentioned "toolmaker" behaves so recklessly they well-deserve some serious slapping. There is a huge difference between making a bug time to time and release patch as soon as possible, and reckless endangering of the whole world by both lousy code, intentionally wrong key architectural decisions, and keeping everything and the kitchen sink on by default, including services that next to nobody (except worms) needs - if the users need it, they should be able to click on "Enable" on their own. Not even mentioning the tendency of the patches (and following patches to patches) to break something else. Can't remember when an upgrade of OpenSSH or OpenSSL or any other contemporary bug breeder of the MS-alternative bombed any of my systems. Or when I had to reboot instead of just restarting the updated service. If for nothing other than for running scripts in incoming mails by default, MSFT deserves it. (Yes, I admit bias. Having to admin a couple machines running their software should be enough to justify it.) Resorting to worn-out car analogies, it's quite like selling cars with safety belts made of paper and with faulty brakes (not talking about the occassional tendency of the mentioned cars to lose their engine, explode in the middle of the road, or shred the luggage in the trunk). Or, if we have to talk about tools, selling electric drills that in default configuration tend to shatter to pieces flying around when set to highest rpms. In such cases, a class-action lawsuit is likely to be swift. Though I am not sure if the personal-informations-disclosure venue is the good one. From camera_lumina at hotmail.com Sat Oct 4 18:22:53 2003 From: camera_lumina at hotmail.com (Tyler Durden) Date: Sat, 04 Oct 2003 21:22:53 -0400 Subject: On suing Marcy Hamilton for being a bimbo Message-ID: Variola wrote... "So don't use their tools. Don't abuse the law against the maker of a tool which can be used improperly. It is simply wrong to blame a gun or drill or code maker because some evildoer (virus propogator) used the tool against you." Well, although I am willing to agree that a giant corporation does not act very responsibly, I have to say that even though I use their email software here at home, I've never had a problem that I can detect: I don't even open email from folks I don't know, never mind attachments. I also have a firewall and a router, neither of which I have truly geek-levels of intimacy using. The tool analogy may be a weak one, though. Imagine a drill that somehow pollutes the electical supply so much that the guy next door can't use his electronics. Or imagine a car that actually disengages the steering wheel at random while driving: it's one thing to affect the driver, but if he's going to take me out because of his tool then it's time to get that crap off the road. Is that the case with MS? The "Geeks of Consequence" tell me so... -TD >From: "Major Variola (ret)" >To: "cypherpunks at lne.com" >Subject: Re: On suing Marcy Hamilton for being a bimbo >Date: Sat, 04 Oct 2003 14:12:57 -0700 > >At 05:50 PM 10/4/03 +0200, Thomas Shaddack wrote: > >On Fri, 3 Oct 2003, Major Variola (ret.) wrote: > > > >> We'd like to file a class-action suit against > >> MARCY HAMILTON > >> For abusing the law, and holding toolmakers > >> responsible for what lusers do with them. > > > >Not exactly good analogy. The mentioned "toolmaker" behaves so >recklessly > >they well-deserve some serious slapping. > >So don't use their tools. Don't abuse the law against the maker >of a tool which can be used improperly. It is simply >wrong to blame a gun or drill or code maker because some evildoer >(virus propogator) used the tool against you. > >There is a huge difference > >between making a bug time to time and release patch as soon as >possible, > >and reckless endangering of the whole world by both lousy code, > >Let me guess: the State gets to decide how many bugs per line of code? > > >intentionally wrong key architectural decisions, > >You mean decisions that don't fit *your* fancy. >See below for others' possible motivations. > >and keeping everything > >and the kitchen sink on by default, > >Again, the maker's choice; your choice to purchase. > >including services that next to nobody > >(except worms) needs - if the users need it, they should be able to >click > >on "Enable" on their own. > >You don't understand the convenience vs. security tradeoff too well. >Or the importance of convenience to sales. > >Not even mentioning the tendency of the patches > >(and following patches to patches) to break something else. > >And this doesn't happen with other OSes? Please. And every >version of *nix has always shipped with everything off, maximally >locked down? Right. > >Can't remember > >when an upgrade of OpenSSH or OpenSSL or any other contemporary bug > >breeder of the MS-alternative bombed any of my systems. > >[Tech: Since when have MS SSL bugs had *anything* to do with worms and >virii? >And does MS even support SSH? ] > >There have been plenty of security and overflow bugs in Open* security >apps. > >Or when I had to > >reboot instead of just restarting the updated service. > >Yawn. > > >If for nothing other than for running scripts in incoming mails by > >default, MSFT deserves it. (Yes, I admit bias. Having to admin a couple > > >machines running their software should be enough to justify it.) > >Your bias is turning you into something dark. I sort of expected >this reaction, since I was defending MS's right to exist. >But if MS is treated this way, so is Joe Coder. > > >Resorting to worn-out car analogies, it's quite like selling cars with > >safety belts made of paper and with faulty brakes (not talking about >the > >occassional tendency of the mentioned cars to lose their engine, >explode > >in the middle of the road, or shred the luggage in the trunk). > >Caveat emptor. Some folks buy cars with no airbags; others buy >cars with a dozen. Should everyone be forced to buy the safest >car (as defined by the State, of course). > >If Marcy clicks on attachments, runs mail clients >that run embedded scripts, basically spreads her legs and >lets everyone in, how is this different from someone who >rolls their SUV because they were clueless as to physics? > > >Though I am not sure if the personal-informations-disclosure venue is >the > >good one. > >Au contraire, I'm sure someone who asserts class-action status is >interested in hearing >from the public she is so kindly protecting. > >Its a real shame when (albeit deserved) MS-hostility/contempt biasses >folks into >immorality or irrationality. Its like blaming the authors of the SMTP >RFC for >spam. _________________________________________________________________ Instant message during games with MSN Messenger 6.0. Download it now FREE! http://msnmessenger-download.com From shaddack at ns.arachne.cz Sun Oct 5 01:17:50 2003 From: shaddack at ns.arachne.cz (Thomas Shaddack) Date: Sun, 5 Oct 2003 10:17:50 +0200 (CEST) Subject: On suing Marcy Hamilton for being a bimbo In-Reply-To: <3F7F37D8.4579EEF@cdc.gov> References: <3F7F37D8.4579EEF@cdc.gov> Message-ID: On Sat, 4 Oct 2003, Major Variola (ret) wrote: > So don't use their tools. You don't know how much I'd love to. However, I have to live in the Real World, and I have to interact with other people, which involves receiving data from them. (If I could just ignore them, I'd do so and won't get angry about the issue.) I also have to share the Net with them, which - even if I do the best - gets annoying when the network throughput goes down and the mailbox overflows with the 'New Net Security Pack' or another Worm of the Week. This is something I can't exactly choose to avoid, except by leaving the Net, which is an unacceptable tradeoff. Sorry. > Don't abuse the law against the maker of a tool which can be used > improperly. Which is designed to be used improperly by default. > It is simply wrong to blame a gun or drill or code maker because some > evildoer (virus propogator) used the tool against you. Is it also wrong to blame a door maker when the lock that was marketed as safe can be opened with a creditcard (which is then touted as convenience)? > Let me guess: the State gets to decide how many bugs per line of code? I don't have the answer here. I usually don't have accurate answers to policy things. > >intentionally wrong key architectural decisions, > > You mean decisions that don't fit *your* fancy. See below for others' > possible motivations. You know what's the worst? That it can be both convenient and reasonably safe. See below for some examples. > and keeping everything > >and the kitchen sink on by default, > > Again, the maker's choice; your choice to purchase. Not when I become collateral damage. >> including services that next to nobody (except worms) needs - if the >> users need it, they should be able to click on "Enable" on their own. > > You don't understand the convenience vs. security tradeoff too well. > Or the importance of convenience to sales. You don't have to always sacrifice a lot of convenience to get a significant security gain. Why should the 135-139+445 (and others) ports be exposed to everyone by default? To let the users easily share things over their LANs? The LANs have well-known IP ranges assigned. Why the open-by-default ports shouldn't be open only for these ranges, and reject connections from elsewhere, unless specified otherwise? Three or four A and B class matches on accept() call won't hurt even a 386, in the most optimal case it's a handful of assembler instructions - one byte comparison for 10.*.*.*, one word for 192.168.*.*, one AND and then word for the third one, and if we want to use the 169.254.*.* range, then another word comparison. Plus one condition for disabling the safety checks, set to false by default. This one simple measure could prevent a whole class of attacks (*cough*Blaster*cough*), or at least greatly mitigate their impact. Similar for rendering HTML in mails; I never saw a SINGLE mail with javascript inside that won't be spam (where it's for annoying but otherwise harmless effects) or worm (where it's actually malicious and used for spreading), a boolean for call for scripting engine to return without any action shouldn't be problematic. >> Not even mentioning the tendency of the patches (and following patches >> to patches) to break something else. > > And this doesn't happen with other OSes? Please. That happens everywhere. But only one major vendor so far managed to get it from something exceptional to something expectational. > And every version of *nix has always shipped with everything off, > maximally locked down? Right. OpenBSD. (Though on the other hand there are opinions that its security is based mainly on the difficulty of getting anything to work on it.) Of course that everything is more or less vulnerable. But not everything is a gaping security hole. >> Can't remember when an upgrade of OpenSSH or OpenSSL or any other >> contemporary bug breeder of the MS-alternative bombed any of my >> systems. > > [Tech: Since when have MS SSL bugs had *anything* to do with worms and > virii? I use them as examples of notoriously buggy subsystems. Windows have MSIE and IIS and some others. > And does MS even support SSH? ] Not. Another of my pet peeves, but not *that* critical, and there are various third-party implementations, eg. Cygwin port of OpenSSH. Not exactly stellar (or I didn't manage to configure something correctly), but passable. > There have been plenty of security and overflow bugs in Open* security > apps. Which is why I mentioned them. It makes no sense to talk about handling of patches without using something that actually needs them as an example. >> Or when I had to reboot instead of just restarting the updated service. > > Yawn. I see you are familiar with "boot wait". Yes, it's boring. >> If for nothing other than for running scripts in incoming mails by >> default, MSFT deserves it. (Yes, I admit bias. Having to admin a couple >> machines running their software should be enough to justify it.) > > Your bias is turning you into something dark. I sort of expected > this reaction, since I was defending MS's right to exist. > But if MS is treated this way, so is Joe Coder. I can ignore Joe Coder. I can't ignore MSFT. Joe Coder has no economical power to ram his bugs down my throat, and the userbase of Joe's Spreadexcrement Editor isn't wide enough to be likely that someone sends me a table with critical data in its poorly documented .jst format AND expect as a matter of course that I will be able to read it. It takes some serious effort to get me so heavily biased. > Caveat emptor. Some folks buy cars with no airbags; others buy > cars with a dozen. Should everyone be forced to buy the safest > car (as defined by the State, of course). When I checked last, there were some baseline safety standards and crash tests and stuff. > If Marcy clicks on attachments, runs mail clients > that run embedded scripts, basically spreads her legs and > lets everyone in, how is this different from someone who > rolls their SUV because they were clueless as to physics? The analogy that would be more accurate is exploding tires. Marcy operates the machine within vendor-suggested operational parameters (eg, defaults). >> Though I am not sure if the personal-informations-disclosure venue is >> the good one. > > Au contraire, I'm sure someone who asserts class-action status is > interested in hearing from the public she is so kindly protecting. Misunderstanding. I meant the law she's attempting to use as the base of the lawsuit. Sorry for not being clearer. (I suppose her address is in the court materials anyway; besides MSFT defenders are far less dangerous than eg. $cientologists.) > Its a real shame when (albeit deserved) MS-hostility/contempt biasses > folks into immorality or irrationality. Monopoly-like system reinforces itself and favors measures that would kill their proponent if there would be several smaller players. (Eg, nonstandard file format that no one else can read without problems should make problems to its vendors instead to everyone else - once one of the vendors has enough market share to be able to push their will on the others and buy or ruin them if they are in the way, something is wrong.) (There is a hope, though. Billy the Greed managed to be disliked by mostly everyone. With some luck, a critical mass will be reached and the balance tilted back, with the inevitable sound effects of MSFT management crying "unfair". And the following drop of their share value, undermining confidence in blue chips in general, drop of value of pension funds which are quite significantly dependent on them, resulting social turmoil, and general instability for next couple weeks/months/years. Billy himself knows it has to come; it's likely not a coincidence he began diversifying his personal portfolio.) It's not *that* bad that they have bugs. What makes me see red is how easy would be to mitigate the impact of a great number of them, and when I have to suffer incompatiBILLities specifically designed to annoy me as a non-user of the Holy and Only Correct Office Suite (even more accurately, its Current Version). An interesting and challenging problem (which I am not sure it has a solution) is how to set up the market playing field to prevent such situations by design, while being fair. > Its like blaming the authors of the SMTP RFC for spam. They at least knew it can happen; see RFC 706. From ravage at einstein.ssz.com Sun Oct 5 09:47:30 2003 From: ravage at einstein.ssz.com (Jim Choate) Date: Sun, 5 Oct 2003 11:47:30 -0500 (CDT) Subject: Yahoo! News - Israel Strikes Terrorist Base in Syria (fwd) Message-ID: Oh shit. http://story.news.yahoo.com/news?tmpl=story&cid=540&ncid=716&e=1&u=/ap/20031005/ap_on_re_mi_ea/israel_attack -- -- God exists because mathematics is consistent, and the Devil exist because we can't prove it. Andre Weil, in H. Eves, Mathematical Circles Adieu ravage at ssz.com jchoate at open-forge.com www.ssz.com www.open-forge.com From ravage at einstein.ssz.com Sun Oct 5 14:04:53 2003 From: ravage at einstein.ssz.com (Jim Choate) Date: Sun, 5 Oct 2003 16:04:53 -0500 (CDT) Subject: The Register - Smart cards get really smart (fwd) Message-ID: http://www.theregister.co.uk/content/55/33218.html -- -- God exists because mathematics is consistent, and the Devil exist because we can't prove it. Andre Weil, in H. Eves, Mathematical Circles Adieu ravage at ssz.com jchoate at open-forge.com www.ssz.com www.open-forge.com From mv at cdc.gov Sun Oct 5 17:09:59 2003 From: mv at cdc.gov (Major Variola (ret)) Date: Sun, 05 Oct 2003 17:09:59 -0700 Subject: Marcy Hamilton suing the disco where she got STDs Message-ID: <3F80B2D7.F23FC57@cdc.gov> (resent) At 09:22 PM 10/4/03 -0400, Tyler Durden wrote: >I also have a >firewall and a router, neither of which I have truly geek-levels of intimacy >using. True. Not even expensive. Don't even need hardware. Marcy is blaming the Redmond disco for the STDs she picked up by banging anything that smiled at her there. When she could have protected herself and even enjoyed that disco, if that's her taste. Given freedom to act, you wear a condom. You don't sue the disco for failing to dispense free condoms, or failing to screen its clients. Or even failing to prevent you from being promiscuous. Marcy is doing that. She may as well sue Postel's estate, or the SMTP RFC authors for spam. The law should not protect against stupidity, or even masochism, or their consequences. Just *nonconsensual* transactions. Pretty simple. >The tool analogy may be a weak one, though. Imagine a drill that somehow >pollutes the electical supply so much that the guy next door can't use his >electronics. What part of "shall accept all interference and not generate interference" is difficult to understand :-) Or in the modern world, what part of "unlicensed spectrum" is? In the optical domain: My local police log had "incident: victim offended by religious sticker on vehicle" in their police log. I have written to them asking if this is a joke, or if they were being polite to some crackpot by taking a report. Accept all interference, baby. Do not sue the printer of stickers you can't handle. Or imagine a car that actually disengages the steering wheel at >random while driving: it's one thing to affect the driver, but if he's going >to take me out because of his tool then it's time to get that crap off the >road. Agreed. Where I grew up, a car had to have a brake exam every year. In Calif, no such test, only smog occasionally. The brake exam seems fairer, because the harm you can do to others is more focussed. Though given the pop density and atmospheric conditions, and that pollution beyond your property is a legit libertarian harm, Calif's smog check is probably reasonable. ... Some dude found that if you spin up a CD on a Dremel it will spray sharp shards when it disintegrates. Should we sue Phillips or Dremel? Maybe we should call Dana Taschner, *he'll* know. (Hint: Who has more money, Phillips or Dremel?) ... People who are willing to rely on the government to keep them safe are pretty much standing on Darwin's mat, pounding on the door, screaming, "Take me, take me!"--Cael in A.S.R. From mv at cdc.gov Sun Oct 5 17:50:38 2003 From: mv at cdc.gov (Major Variola (ret)) Date: Sun, 05 Oct 2003 17:50:38 -0700 Subject: On suing Marcy Hamilton for being a bimbo Message-ID: <3F80BC5E.717E3138@cdc.gov> At 10:17 AM 10/5/03 +0200, Thomas Shaddack wrote: >On Sat, 4 Oct 2003, Major Variola (ret) wrote: > >> So don't use their tools. > >You don't know how much I'd love to. Ditto, sir. Along with the amazingly irregular "English", and various other systems subject to Metcalfe's Law (aka the fax effect). However, I have to live in the Real >World, and I have to interact with other people, which involves receiving >data from them. (If I could just ignore them, I'd do so and won't get >angry about the issue.) Feh. You may choose not to work for the military. I do. You may also choose to work with folks who require MShit. The cost of either decision is pretty high nowadays. >I also have to share the Net with them, which - even if I do the best - I (and you) have to share the planet with a population *half* of which is subaverage in intelligence. A population that loves Fox News and Bush and Brittny and ESPN etc. So what? Its our albatross. You don't use govt violence to correct this. >> It is simply wrong to blame a gun or drill or code maker because some >> evildoer (virus propogator) used the tool against you. > >Is it also wrong to blame a door maker when the lock that was marketed as >safe can be opened with a creditcard (which is then touted as convenience)? One can assume that Joe Sixpack has seen the creditcard trick, and makes locally rational decisions. Hell, my Dad read about Blaze's "master key" attack in the paper. >> Let me guess: the State gets to decide how many bugs per line of code? > >I don't have the answer here. I usually don't have accurate answers to >policy things. Ok. But do you see my point? You do not want the State to decide what is good, fair, publishable, etc. The 1st amendment permits all kinds of objectionable bits. I rather like that, although I don't like many of the bits or their effect on many members of my species. Here in the US, we don't sue folks who write inflammatory books because their readers have done some wrong. It should be the same with machine-executable bits. >> Again, the maker's choice; your choice to purchase. > >Not when I become collateral damage. Actually, yes. Though I very much like your use of that phrase. I can't sue Fox for polluting the minds of people I might encounter. Similar for rendering HTML in mails; I never saw a >SINGLE mail with javascript inside that won't be spam (where it's for >annoying but otherwise harmless effects) or worm (where it's actually >malicious and used for spreading), a boolean for call for scripting engine >to return without any action shouldn't be problematic. Whatever. There was generally a reason for introducing abilities else it wouldn't have been invested in, assuming rational actors. That was a horrible security/privacy risk didn't occur to them, or was ignored, is irrelevant as far as legal culpability should be concerned. >>> Not even mentioning the tendency of the patches (and following patches >>> to patches) to break something else. >> >> And this doesn't happen with other OSes? Please. > >That happens everywhere. But only one major vendor so far managed to get >it from something exceptional to something expectational. :-) >> And every version of *nix has always shipped with everything off, >> maximally locked down? Right. > >OpenBSD. (Though on the other hand there are opinions that its security is >based mainly on the difficulty of getting anything to work on it.) I thought NetBSD was the tight one. I've run FreeBSD. *Whatever* But your comment again illustrates: security vs. convenience. *BSD biasses are different (and clearly superior from a security point of view) than other OSes. But this is *irrelevent*. We're not talking tech here, we're talking law. >> And does MS even support SSH? ] > >Not. Another of my pet peeves, but not *that* critical, and there are >various third-party implementations, eg. Cygwin port of OpenSSH. Not >exactly stellar (or I didn't manage to configure something correctly), but >passable. Right. And MS has zero obligation to support anything it doesn't want to. >>> Or when I had to reboot instead of just restarting the updated service. >> >> Yawn. > >I see you are familiar with "boot wait". Yes, it's boring. :-) But what I meant was this decision is irrelevant. Or would you have Ashcroft aim his guns at Redmond for that (perhaps poor, perhaps required, I don't know the rationale) design decision? >>> If for nothing other than for running scripts in incoming mails by >>> default, MSFT deserves it. (Yes, I admit bias. Having to admin a couple >>> machines running their software should be enough to justify it.) If they were easier to admin, perhaps you would not have a job :-) Armies need enemies, after all. >> Your bias is turning you into something dark. I sort of expected >> this reaction, since I was defending MS's right to exist. >> But if MS is treated this way, so is Joe Coder. > >I can ignore Joe Coder. I can't ignore MSFT. YOU ARE JOE CODER. Do you want to threatened with state violence because someone doesn't like your design decisions or implementation quality? >> If Marcy clicks on attachments, runs mail clients >> that run embedded scripts, basically spreads her legs and >> lets everyone in, how is this different from someone who >> rolls their SUV because they were clueless as to physics? > >The analogy that would be more accurate is exploding tires. Marcy operates >the machine within vendor-suggested operational parameters (eg, defaults). Exploding tires are dealt with by Consumer Reports and other reputation modifiers. >>> Though I am not sure if the personal-informations-disclosure venue is >>> the good one. >> >> Au contraire, I'm sure someone who asserts class-action status is >> interested in hearing from the public she is so kindly protecting. > >Misunderstanding. I meant the law she's attempting to use as the base of >the lawsuit. Sorry for not being clearer. (I suppose her address is in the >court materials anyway; besides MSFT defenders are far less dangerous than >eg. $cientologists.) I'm not sure whether being an implied MS defender is any better than being associated with the folks who took L Ron seriously. I'll let this one pass since I was borderline abusive before. >> Its a real shame when (albeit deserved) MS-hostility/contempt biasses >> folks into immorality or irrationality. > >Monopoly-like system reinforces itself and favors measures that would kill >their proponent if there would be several smaller players. Yes, Esperanto has no hope, though it may be better designed. Metcalfe again. >(There is a hope, though. Billy the Greed managed to be disliked by mostly >everyone. With some luck, a critical mass will be reached and the balance >tilted back, with the inevitable sound effects of MSFT management crying >"unfair". Let them whine. So long as they don't use state violence (eg DMCA) against others. >> Its like blaming the authors of the SMTP RFC for spam. > >They at least knew it can happen; see RFC 706. Doesn't that make them legally *more* liable, realizing they have "erred" yet continuing? From cpunk at lne.com Sun Oct 5 20:00:01 2003 From: cpunk at lne.com (cpunk at lne.com) Date: Sun, 5 Oct 2003 20:00:01 -0700 Subject: Cypherpunks List Info Message-ID: <200310060300.h96301eB006087@slack.lne.com> Cypherpunks Mailing List Information Last updated: Sep 12, 2002 This message is also available at http://www.lne.com/cpunk Instructions on unsubscribing from the list can be found below. 0. Introduction The Cypherpunks mailing list is a mailing list for discussing cryptography and its effect on society. It is not a moderated list (but see exceptions below) and the list operators are not responsible for the list content. Cypherpunks is a distributed mailing list. A subscriber can subscribe to one node of the list and thereby participate on the full list. Each node (called a "Cypherpunks Distributed Remailer", although they are not related to anonymous remailers) exchanges messages with the other nodes in addition to sending messages to its subscribers. A message posted to one node will be received by the list subscribers on the other nodes, and vice-versa. 1. Filtering The various CDRs follow different policies on filtering spam and to a lesser extent on modifying messages that go to/from their subscribers. Filtering is done, on nodes that do it, to reduce the huge amount of spam that the cypherpunks list is subjected to. There are three basic flavors of filtering CDRs: "raw", which send all messages to their subscribers. "cooked" CDRs try to eliminate the spam on that's on the regular list by automatically sending only messages that are from cypherpunks list subscribers (on any CDR) or people who are replying to list messages. Finally there are moderated lists, where a human moderator decides which messages from the raw list to pass on to subscribers. 2. Message Modification Message modification policy indicates what modifications, if any, beyond what is needed to operate the CDR are done (most CDRs add a tracking X-loop header on mail posted to their subscribers to prevent mail loops). Message modification usually happens on mail going in or out to each CDR's subscribers. CDRs should not modify mail that they pass from one CDR to the next, but some of them do, and others undo those modifications. 3. Privacy Privacy policy indicates if the list will allow anyone ("open"), or only list members, or no one ("private") , to retrieve the subscribers list. Note that if you post, being on a "private" list doesn't mean much, since your address is now out there. It's really only useful for keeping spammers from harvesting addresses from the list software. Digest mode indicates that the CDR supports digest mode, which is where the posts are batched up into a few large emails. Nodes that support only digest mode are noted. 4. Anonymous posting Cypherpunks encourages anonymous posting. You can use an anonymous remailer: http://www.andrebacard.com/remail.html http://anon.efga.org/Remailers http://www.gilc.org/speech/anonymous/remailer.html or you can send posts to the list via cpunks_anon at einstein.ssz.com and your mail's headers will be stripped before posting. Note that this doesn't provide complete anonymity since the receiving site will still have log file entries showing the source of the mail (or you have to trust that they delete them). You also will be 'sharing' a reputation with the other entities that post through this alias, and some of them are spammers, so some subscribers will have this alias filtered. 5. Unsubscribing Unsubscribing from the cypherpunks list: Since the list is run from a number of different CDRs, you have to figure out which CDR you are subscribed to. If you don't remember and can't figure it out from the mail headers (hint: the top Received: line should tell you), the easiest way to unsubscribe is to send unsubscribe messages to all the CDRs listed below. How to figure out which CDR you are subscribed to: Get your mail client to show all the headers (Microsoft calls this "internet headers"). Look for the Sender or X-loop headers. The Sender will say something like "Sender: owner-cypherpunks at lne.com". The X-loop line will say something like "X-Loop: cypherpunks at lne.com". Both of these inticate that you are subscribed to the lne.com CDR. If you were subscribed to the algebra CDR, they would have algebra.com in them. Once you have figured out which CDR you're subscribed to, look in the table below to find that CDRs unsubscribe instructions. 6. Lunatics, spammers and nut-cases "I'm subscribed to a filtering CDR yet I still see lots of junk postings". At this writing there are a few sociopaths on the cypherpunks list who are abusing the lists openness by dumping reams of propaganda on the list. The distinction between a spammer and a subscriber is nearly always very clear, but the dictinction between a subscriber who is abusing the list by posting reams of propaganda and a subscriber who is making lots of controversial posts is not clear. Therefore, we tolerate the crap. Subscribers with a low crap tolerance should check out mail filters. Procmail is a good one, although it works on Unix and Unix-like systems only. Eudora also has a capacity for filtering mail, as do many other mail readers. An example procmail recipie is below, you will of course want to make your own decisions on which (ab)users to filter. # mailing lists: # filter all cypherpunks mail into its own cypherspool folder, discarding # mail from loons. All CDRs set their From: line to 'owner-cypherpunks'. # /dev/null is unix for the trash can. :0 * ^From.*owner-cypherpunks at .* { :0: * (^From:.*ravage at ssz\.com.*|\ ^From:.*jchoate at dev.tivoli.com.*|\ ^From:.*mattd at useoz.com|\ ^From:.*proffr11 at bigpond.com|\ ^From:.*jei at cc.hut.fi) /dev/null :0: cypherspool } 7. List of current CDRs All commands are sent in the body of mail unless otherwise noted. --------------------------------------------------------------------------- Algebra: Operator: Subscription: "subscribe cypherpunks" to majordomo at algebra.com Unsubscription: "unsubscribe cypherpunks" to majordomo at algebra.com Help: "help cypherpunks" to majordomo at algebra.com Posting address: cypherpunks at algebra.com Filtering policy: raw Message Modification policy: no modification Privacy policy: ??? Info: ??? --------------------------------------------------------------------------- CCC: Operator: drt at un.bewaff.net Subscription: "subscribe [password of your choice]" to cypherpunks-request at koeln.ccc.de Unsubscription: "unsubscribe " to cypherpunks-request at koeln.ccc.de Help: "help" to to cypherpunks-request at koeln.ccc.de Web site: http://koeln.ccc.de/mailman/listinfo/cypherpunks Posting address: cypherpunks at koeln.ccc.de Filtering policy: This specific node drops messages bigger than 32k and every message with more than 17 recipients or just a line containing "subscribe" or "unsubscribe" in the subject. Digest mode: this node is digest-only NNTP: news://koeln.ccc.de/cbone.ml.cypherpunks Message Modification policy: no modification Privacy policy: ??? --------------------------------------------------------------------------- Infonex: Subscription: "subscribe cypherpunks" to majordomo at infonex.com Unsubscription: "unsubscribe cypherpunks" to majordomo at infonex.com Help: "help cypherpunks" to majordomo at infonex.com Posting address: cypherpunks at infonex.com Filtering policy: raw Message Modification policy: no modification Privacy policy: ??? --------------------------------------------------------------------------- Lne: Subscription: "subscribe cypherpunks" to majordomo at lne.com Unsubscription: "unsubscribe cypherpunks" to majordomo at lne.com Help: "help cypherpunks" to majordomo at lne.com Posting address: cypherpunks at lne.com Filtering policy: cooked Posts from all CDR subscribers & replies to threads go to lne CDR subscribers. All posts from other CDRs are forwarded to other CDRs unmodified. Message Modification policy: 1. messages are demimed (MIME attachments removed) when posted through lne or received by lne CDR subscribers 2. leading "CDR:" in subject line removed 3. "Reply-to:" removed Privacy policy: private Info: http://www.lne.com/cpunk; "info cypherpunks" to majordomo at lne.com Archive: http://archives.abditum.com/cypherpunks/index.html (thanks to Steve Furlong and Len Sassaman) --------------------------------------------------------------------------- Minder: Subscription: "subscribe cypherpunks" to majordomo at minder.net Unsubscription: "unsubscribe cypherpunks" to majordomo at minder.net Help: "help" to majordomo at minder.net Posting address: cypherpunks at minder.net Filtering policy: raw Message Modification policy: no modification Privacy policy: private Info: send mail to cypherpunks-info at minder.net --------------------------------------------------------------------------- Openpgp: [openpgp seems to have dropped off the end of the world-- it doesn't return anything from sending help queries. Ericm, 8/7/01] Subscription: "subscribe cypherpunks" to listproc at openpgp.net Unsubscription: "unsubscribe cypherpunks" to listproc at openpgp.net Help: "help" to listproc at openpgp.net Posting address: cypherpunks at openpgp.net Filtering policy: raw Message Modification policy: no modification Privacy policy: ??? --------------------------------------------------------------------------- Ssz: Subscription: "subscribe cypherpunks" to majordomo at ssz.com Unsubscription: "unsubscribe cypherpunks" to majordomo at ssz.com Help: "help cypherpunks" to majordomo at ssz.com Posting address: cypherpunks at ssz.com Filtering policy: raw Message Modification policy: Subject line prepended with "CDR:" Reply-to cypherpunks at ssz.com added. Privacy policy: open Info: http://www.ssz.com/cdr/ --------------------------------------------------------------------------- Sunder: Subscription: "subscribe" to sunder at sunder.net Unsubscription: "unsubscribe" to sunder at sunder.net Help: "help" to sunder at sunder.net Posting address: sunder at sunder.net Filtering policy: moderated Message Modification policy: ??? Privacy policy: ??? Info: ??? --------------------------------------------------------------------------- Pro-ns: Subscription: "subscribe cypherpunks" to majordomo at pro-ns.net Unsubscription: "unsubscribe cypherpunks" to majordomo at pro-ns.net Help: "help cypherpunks" to majordomo at pro-ns.net Posting address: cypherpunks at pro-ns.net Filtering policy: cooked Posts from all CDR subscribers & replies to threads go to local CDR subscribers. All posts from other CDRs are forwarded to other CDRs unmodified. Message Modification policy: 1. leading "CDR:" in subject line removed 2. "Reply-to:" removed Privacy policy: private Info: http://www.pro-ns.net/cpunk From measl at mfn.org Sun Oct 5 19:36:17 2003 From: measl at mfn.org (J.A. Terranson) Date: Sun, 5 Oct 2003 21:36:17 -0500 (CDT) Subject: [We The People] Simkanin Pleads Guilty, USDC & DOJ Collude to Deny Due Process, Schulz on FOX News In-Reply-To: <869401c38bb0$d548f860$a5ff3140@server113> Message-ID: Once again, we see why a .308 is a reasonable solution to many problems. "Judge" McBryde needs killing, pure and simple... On Sun, 5 Oct 2003, Bob Schulz (DO NOT REPLY - Unmonitored Mailbox) wrote: > Date: Sun, 5 Oct 2003 21:23:30 -0500 > From: "Bob Schulz (DO NOT REPLY - Unmonitored Mailbox)" > > To: measl at mfn.org > Subject: [We The People] Simkanin Pleads Guilty, > USDC & DOJ Collude to Deny Due Process, Schulz on FOX News > > Do not reply to this message -- it was sent from an unmonitored mailbox. > If you can't read this, visit http://www.givemeliberty.org/mailroom > to see the message. > > We respect your privacy. > > To REMOVE yourself or JOIN our e-mail list, see below. > > > > > > My WTP > > > > 10-05-03 > > Non-Withholding Employer Simkanin Pleads Guilty > > US District Court Colludes With DOJ To Force Plea > Court Filings Document Trail of Denied Due Process > > Schulz Appears on FOX News To Respond > > Early last week, non-withholding employer Dick Simkanin plead guilty to > a single felony charge of failing to withhold employment taxes from his > employees. > > As has been witnessed repeatedly in other income tax related > prosecutions, Simkanin's prosecution is yet another example of how the > people are being systemically denied due process of law in the courts as > they have attempted to force the government to officially assert what > specific legal authority compels income tax filing, payment or > withholding. > > Simkanin, held in virtual isolation from the public since his arrest in > June, has spent over three months in a federal detention facility > awaiting trial. He currently remains incarcerated pending sentencing > next January. > > The trial judge, Judge John McBryde was effectively suspended from the > 5th US District Court in 2000 for over a year as a result of a special, > several year judicial investigation that documented a long history of > McBryde's flagrant abuses of judicial power and courtroom practices that > negatively affected the judicial process, i.e., denied due process. > > Here is the Title 26 tax law that employer Simkanin was charged with > violating: > > "Section 7202. Willful failure to collect or pay over tax. > Any person required under this title to collect, account for, and pay > over > any tax imposed by this title who willfully fails to collect or > truthfully > account for and pay over such tax shall, in addition to other penalties > provided by law, be guilty of a felony and, upon conviction thereof, > shall > be fined not more than $10,000, or imprisoned not more than 5 years, or > both, together with the costs of prosecution." > > Note that THIS law does not specify WHO is actually required to collect, > account, pay, etc. > NO statute that would IMPOSE the legal obligation has ever been averred > by the DOJ - not even on the indictment. Even after Simkanin's formal > demand that the government produce such a law, they have yet to do so > and the Court did not force them to. > > The Federal Rules of Criminal Procedure 7(c)(1) requires the indictment > to "state for each count the official or customary citation of the > statute, rule, regulation or other provision of law which the defendant > is alleged therein to have violated." The notification of legal > responsibility "or other provision of law which the defendant is alleged > therein to have violated" is not found in the indictment. Criminal > process must allege every essential element of the offense. > > Below are links to key court documents in from the Simkanin case. > > The documents demand proof of IRS' legal jurisdiction, documentation > relating to the indictment and the grand jury process. They advance a > variety of substantive legal arguments that argue compellingly for the > charges against Simkanin to be dismissed. > > Virtually none of the critical legal documents requested by Simkanin's > attorneys were produced by the government. Virtually all of the motions > containing the crucial legal arguments to dismiss were rejected, > "unfiled" or simply stricken from the court record by judicial fiat. > > The flawed indictment that fails to cite ANY specific statutory > obligation to withhold or act as a withholding agent: > > 01-SupersedingIndictment.pdf > nt.pdf> > 02- GovtRespondsToBadIndictmentCharge.pdf > dictmentCharge.pdf> > 03-Pages1-4BillOfParticularsMotion.pdf > cularsMotion.pdf> > > The Defendant's motions to dismiss based on lack of federal criminal > jurisdiction inside the 50 states, lack of a proper indictment and lack > of ANY law that imposes any legal obligation regarding withholding: > > 04-MoDismissLackPersonSubjectJur.pdf > SubjectJur.pdf> > 05-MoDismissMemoLaw.pdf > f> > 05b-DocDiscoveryRequest.pdf > t.pdf> > > The denial of due process based on local court "rules" practices, and > judicial fiat ignoring due process of law. Note Judge McBryde's warning > to Simkanin's attorney in document #06. > > 06-JudgeFriviolousDismiss.pdf > iss.pdf> > 07-JudgesRules.pdf > > > 08-OrderStrikeEvidenceCompel.pdf > Compel.pdf> > 09-Stricken.pdf > > > 10-GuiltyPlea.pdf > > > Read the previous WTP article > regarding > Simkanin's pre-trial incarceration documenting the courtroom abuses and > judicial suspension of USDC Judge McBryde. > > Read an overview of Employment/FICA Tax Law > > (.pdf) > > According to a New York Times article > of > 10-1-03, Simkanin was an advocate of the "861" argument which states > that for "income" to be taxable, it must come from taxable sources. The > Internal Revenue Code specifically states to use Section 861 to > determine "taxable income" and lists the sources of income that are so > taxable. The taxable sources all regard foreign corporations and foreign > commerce. > So, what really is Taxable Income ? > > > Schulz Appears on FOX News > > Bob Schulz was invited to appear on FOX News with new anchor Neil Cavuto > to respond to Simkanin's guilty plea. Click here > to listen to Schulz on Cavuto's Thursday, > November 2nd show. > > _____ > > > GO TO the home page www.GiveMeLiberty.org > > > Join the historic class-action lawsuit > against the > U.S. Government. > > Read and sign the Petitions > > for Redress of Grievances regarding the Government's > abuse of its limited war-making, taxing, and monetary powers and its > ongoing assault > on the Bill of Rights. > > Click Here to > make a donation and help fund the soon-to-be-filed historic lawsuit and > the ongoing efforts of WTP. You have our sincerest Thanks. > > Our secure, on-line system supports one-time, monthly and twice-monthly > e-donations. > We support all the major credit cards and can process donations from > your checking account and PayPal as well. Our subscription-type > donations can be stopped or changed by you at anytime either on-line or > by request to our offices. We can also process any form of donation via > mail. Our mailing address is: WTP, 2458 Ridge Road, Queensbury, NY > 12804. All donations to the WTP Foundation are tax deductible. > > > > > > > > > > > This message was sent to address measl at mfn.org > > If this is NOT you, you are not on the WTP mailing list. > > > We value and respect your privacy. To > unsubscribe from our mailing list, click here: > PLEASE DELETE ME > > If this message was forwarded to you by a friend and you'd like us to > send you > regular updates, please visit http://www.givemeliberty.org/mailroom/ and > subscribe. > Already on our list, and want to update your information? > Visit http://www.givemeliberty.org/mailroom/. > To send an email to Bob Schulz, click here > . (mailto:bob at givemeliberty.org) > > -- Yours, J.A. Terranson sysadmin at mfn.org "Every living thing dies alone." Donnie Darko From wordspy at logophilia.com Mon Oct 6 02:30:39 2003 From: wordspy at logophilia.com (Paul McFedries) Date: Mon, 06 Oct 2003 05:30:39 -0400 Subject: The Word Spy for 10/06/2003 -- declinism Message-ID: declinism (dee.CLYN.iz.um) n. The belief that something, particularly a country or a political or economic system, is undergoing a significant and possibly irreversible decline. --declinist n., adj. Example Citation --------------------------------- The declinists, we might say, will always be with us. Wherever anyone believes in progress, someone, possibly the same one, believes in decline. Declinism emerges today from the triumphalism of the right: In our greatness, conservatives say, there is much to lose, and many who threaten us. So, too, does it emerge from the pessimism of the left: Power corrupts, and the corrupt will get their comeuppance. At present, both impulses--triumphalist and pessimistic, chest-beating and self-lacerating--are on the upsurge. So too, then, declinism. --Laura Secor, "That sinking feeling," The Boston Globe, September 14, 2003 Backgrounder --------------------------------- Declinism has been called the "apocalypse soon" school of international relations. The word was coined in 1988 by Samuel P. Huntington (see the first use, below), but the noun "declinist" appears in the Oxford English Dictionary, where a citation from 1831 mentions the "doctrine of the decline of science" and labels one of its proponents as "the leader of the Declinists." The opposite is "triumphalism," which originally (circa 1964) referred to excessive or blind pride in the achievements of one's religion or church, but now has a broader mandate in the language (for example, excessive or blind pride in the achievements of one's country). Example Citation #2 --------------------------------- Nearly every sentiment and idea that Franzen relays about the fallen preeminence of literature has been expressed before, and better. No one needs to be reminded for the umpteenth time that Dickens was a popular sensation and that the audiences that once clamored at the docks for news of Little Nell now queue at the multiplex or congregate in cyberspace. Like Broadway, the fabulous invalid, the serious novel has seemed poised to breathe its last ever since electricity entered the home. As a cultural analyst, Franzen is simply the latest to join the chorus line of declinism: Gore Vidal has been signing the novel's death certificate for a half-century. --James Wolcott, "Advertisements for Himself," The New Republic, December 2, 2002 First Use --------------------------------- In 1988 the United States reached the zenith of its fifth wave of declinism since the 1950s. The roots of this phenomenon lie in the political economy literature of the early 1980s that analyzed the fading American economic hegemony and attempted to identify the consequences of its disappearance. ... Although predominantly of a liberal-leftist hue, declinist writings reflect varying political philosophies and make many different claims. In general, however, they offer three core propositions. First, the United States is declining economically compared to other market economy countries, most notably Japan but also Europe and the newly industrializing countries. The declinists focus on economic performance and on scientific, technological and educations factors presumably related to economic performance. Second, economic power is the central element of a nation's strength, and hence a decline in economic power eventually affects the other dimensions of national power. Third, the relative economic decline of the United States is caused primarily by its spending too much for military purposes, which in turn is the result, in Kennedy's phrase, of "imperial overstretch," of attempting to maintain commitments abroad that the country can no longer afford. --Samuel P. Huntington," The U.S. -- Decline or Renewal?," Foreign Affairs, December 1, 1988 See Also --------------------------------- bads: http://www.wordspy.com/words/bads.asp boomsayer: http://www.wordspy.com/words/boomsayer.asp dread merchant: http://www.wordspy.com/words/dreadmerchant.asp hyper-power: http://www.wordspy.com/words/hyper-power.asp panic merchants: http://www.wordspy.com/words/panicmerchants.asp soft power: http://www.wordspy.com/words/softpower.asp Subject Categories --------------------------------- Business - Economics: http://www.wordspy.com/index/Business-Economics.asp The World - Government: http://www.wordspy.com/index/TheWorld-Government.asp The World - Politics: http://www.wordspy.com/index/TheWorld-Politics.asp Words About Words --------------------------------- English is a language that simply cannot be fixed, not can its use ever be absolutely laid down. It changes constantly; it grows with an almost exponential joy. It evolves eternally; its words alter their senses and their meanings subtly, slowly, or speedily according to fashion and need. --Simon Winchester, English author, The Meaning of Everything, 2003 Subscription Stuff --------------------------------- If this post was forwarded to you and you want to join the Word Spy list, it's easy. Just send an e-mail to listmanager at logophilia.com and in the Subject line include the command "join wordspy". To try the HTML version of Word Spy, send a note to listmanager at logophilia.com and include the command "html wordspy" in the Subject line. You are currently subscribed as rah at shipwright.com. To drop this address from the list, you have two choices: Send a message to listmanager at logophilia.com and include only the command "leave wordspy" (without the quotation marks) in the Subject line. Or, Use the following Web address: http://www.wordspy.com/list/remove.asp?Email=rah at shipwright.com&ID=26169 ======================================================== --- end forwarded text -- ----------------- R. A. Hettinga The Internet Bearer Underwriting Corporation 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' From rah at shipwright.com Mon Oct 6 07:03:23 2003 From: rah at shipwright.com (R. A. Hettinga) Date: Mon, 6 Oct 2003 10:03:23 -0400 Subject: declinism Message-ID: --- begin forwarded text From dmarti at zgp.org Mon Oct 6 15:38:42 2003 From: dmarti at zgp.org (Don Marti) Date: Mon, 6 Oct 2003 15:38:42 -0700 Subject: [linux-elitists] LOCAL Mountain View, California, USA: events this week Message-ID: Tuesday night: "P2Punks is an informal monthly meeting of p2p enthusiasts, hackers, well-wishers, etc." http://www.bitbin.org/p2punks/ Wednesday night: Seth Schoen fixes TCPA, saves Freedom: http://www.sdforum.org/p/calEvent.asp?CID=1182 -- Don Marti Reform copyright law -- return abandoned works http://zgp.org/~dmarti to the public domain after 50 years: dmarti at zgp.org http://www.PetitionOnline.com/eldred/petition.html KG6INA _______________________________________________ linux-elitists http://zgp.org/mailman/listinfo/linux-elitists ----- End forwarded message ----- -- Eugen* Leitl leitl ______________________________________________________________ ICBM: 48.07078, 11.61144 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE [demime 0.97c removed an attachment of type application/pgp-signature] From s.schear at comcast.net Mon Oct 6 19:54:15 2003 From: s.schear at comcast.net (Steve Schear) Date: Mon, 06 Oct 2003 19:54:15 -0700 Subject: Freenet fork appears likely (was Re: Gmane -- Re: Why is Freenet so sick at the moment?) In-Reply-To: Message-ID: <5.2.1.1.0.20031006194930.04b90230@mail.comcast.net> >On Sat, Oct 04, 2003 at 11:31:36PM -0700, Ian Clarke spake thusly: > > I have never ever characterized Freenet as being anything other than in > > development. If you don't like the fact that Freenet is taking so-long > > to perfect, then either help, or use Earth Station 5 - I hear its great. > >You never said anything to this effect when people started putting things >in the network that could get them sent to prison so it was rather >implicit. > >And now after finding that fred is unable to open /dev/random on my system >due to what appears to be a bug (opening for write instead of read) I am >now worried about the security of the encryption due to lack of entropy. >I'm glad I don't use freenet for anything illegal/unpopular but I'm quite >worried for those who do. On IIRC a new channel #fredisdead has been receiving quite a bit of interest (along with discussions on #anonymous and #freenet). It appears that a small group of developers, fed up with the recent spate of Freent problems has decided to take a step back, to release 692 and have started a revolt. http://mids.student.utwente.nl/~mids/freenet/fid.html steve --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com From rah at shipwright.com Mon Oct 6 17:45:01 2003 From: rah at shipwright.com (R. A. Hettinga) Date: Mon, 6 Oct 2003 20:45:01 -0400 Subject: Gmane -- Re: Why is Freenet so sick at the moment? Message-ID: Re: Why is Freenet so sick at the moment? Subject : Re: Why is Freenet so sick at the moment? >From : Tracy R Reed Date : Mon, 6 Oct 2003 00:29:41 -0700 Newsgroups :gmane.network.freenet.devel Reply-to : Discussion of development issues On Sat, Oct 04, 2003 at 11:31:36PM -0700, Ian Clarke spake thusly: > Freenet is a research project, always has been. If people find that its Wow, that's rather shocking. I'm totally serious. My impression was that it was trying to be a real anonymous publication system suitable for actual use in saying unpopular things. If this is all it is don't you have a moral obligation include a big disclaimer on the fproxy frontpage or in the installation notes or something? It seems it would be a good idea to advise all of the Chinese who we have been crowing about using Freenet that perhaps they should look elsewhere also because they are putting their freedom on the line. > your anonymity, I suggest you try Earth Station 5, its developers tell > us that its just *great*! Your sarcasm is duly noted. > I have never ever characterized Freenet as being anything other than in > development. If you don't like the fact that Freenet is taking so-long > to perfect, then either help, or use Earth Station 5 - I hear its great. You never said anything to this effect when people started putting things in the network that could get them sent to prison so it was rather implicit. And now after finding that fred is unable to open /dev/random on my system due to what appears to be a bug (opening for write instead of read) I am now worried about the security of the encryption due to lack of entropy. I'm glad I don't use freenet for anything illegal/unpopular but I'm quite worried for those who do. -- Tracy Reed http://copilotconsulting.com Attachment: /pgp45401.pgp Description: PGP signature _______________________________________________ Devl mailing list Devl at ... http://dodo.freenetproject.org/cgi-bin/mailman/listinfo/devl -- ----------------- R. A. Hettinga The Internet Bearer Underwriting Corporation 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com From ravage at einstein.ssz.com Tue Oct 7 08:06:19 2003 From: ravage at einstein.ssz.com (Jim Choate) Date: Tue, 7 Oct 2003 10:06:19 -0500 (CDT) Subject: [texas-hpr] University of Tennessee Amateur Science Survey (fwd) Message-ID: ---------- Forwarded message ---------- Date: Tue, 07 Oct 2003 14:49:56 -0000 From: ron_gilmour To: rocketry-texas-hpr at yahoogroups.com Subject: [texas-hpr] University of Tennessee Amateur Science Survey We would like to invite you to participate in the Amateur Science Information Survey (AMSIS). The AMSIS is being conducted by information professionals at the University of Tennessee. This anonymous survey is an attempt to determine where and how amateur scientists find information related to their scientific interests. The online survey takes approximately 10 minutes to fill out. The results of this survey will help libraries provide services and materials to better meet the diverse needs of amateur scientists. To take the survey please go to http://www.lib.utk.edu/cic/amsci/amscisurvey.htm. Sincerely, Travis Dolence Ron Gilmour University of Tennessee Libraries ------------------------ Yahoo! Groups Sponsor ---------------------~--> Buy Ink Cartridges or Refill Kits for your HP, Epson, Canon or Lexmark Printer at MyInks.com. Free s/h on orders $50 or more to the US & Canada. http://www.c1tracking.com/l.asp?cid=5511 http://us.click.yahoo.com/mOAaAA/3exGAA/qnsNAA/PMYolB/TM From eugen at leitl.org Tue Oct 7 07:55:14 2003 From: eugen at leitl.org (Eugen Leitl) Date: Tue, 7 Oct 2003 16:55:14 +0200 Subject: [linux-elitists] LOCAL Mountain View, California, USA: events this week (fwd from dmarti@zgp.org) Message-ID: <20031007145514.GE10199@leitl.org> ----- Forwarded message from Don Marti ----- From ravage at einstein.ssz.com Tue Oct 7 19:18:40 2003 From: ravage at einstein.ssz.com (Jim Choate) Date: Tue, 7 Oct 2003 21:18:40 -0500 (CDT) Subject: The Register - Expect terrorist attacks on Global Financial System (fwd) Message-ID: http://www.theregister.co.uk/content/55/33269.html -- -- God exists because mathematics is consistent, and the Devil exist because we can't prove it. Andre Weil, in H. Eves, Mathematical Circles Adieu ravage at ssz.com jchoate at open-forge.com www.ssz.com www.open-forge.com From ravage at einstein.ssz.com Tue Oct 7 19:18:57 2003 From: ravage at einstein.ssz.com (Jim Choate) Date: Tue, 7 Oct 2003 21:18:57 -0500 (CDT) Subject: The Register - Prison for KaZaA? Surely not in the UK (fwd) Message-ID: http://www.theregister.co.uk/content/6/33267.html -- -- God exists because mathematics is consistent, and the Devil exist because we can't prove it. Andre Weil, in H. Eves, Mathematical Circles Adieu ravage at ssz.com jchoate at open-forge.com www.ssz.com www.open-forge.com From jtrjtrjtr2001 at yahoo.com Wed Oct 8 06:16:19 2003 From: jtrjtrjtr2001 at yahoo.com (Sarad AV) Date: Wed, 8 Oct 2003 06:16:19 -0700 (PDT) Subject: base conversion In-Reply-To: <20030219055021.62681.qmail@web21203.mail.yahoo.com> Message-ID: <20031008131619.81240.qmail@web21201.mail.yahoo.com> hi, If we are to convert a k-bit integer n to a base b number,it takes us O(log n) if the base b is a power of 2. eg. converting (11111)base to base 16 0001 1111 ^ ^ 1 F in hex. using a look up table. Is there an algorithm with time complexity O(log n) which allows such conversion to base b ,when b is not a power of 2? Thanks. Regards Sarath. __________________________________ Do you Yahoo!? The New Yahoo! Shopping - with improved product search http://shopping.yahoo.com From ravage at einstein.ssz.com Wed Oct 8 09:20:54 2003 From: ravage at einstein.ssz.com (Jim Choate) Date: Wed, 8 Oct 2003 11:20:54 -0500 (CDT) Subject: CNN.com - CD copy protection trumped by Shift key - Oct. 8, 2003 (fwd) Message-ID: http://www.cnn.com/2003/TECH/ptech/10/08/bmg.protection.reut/index.html -- -- God exists because mathematics is consistent, and the Devil exist because we can't prove it. Andre Weil, in H. Eves, Mathematical Circles Adieu ravage at ssz.com jchoate at open-forge.com www.ssz.com www.open-forge.com From timcmay at got.net Wed Oct 8 11:45:46 2003 From: timcmay at got.net (Tim May) Date: Wed, 8 Oct 2003 11:45:46 -0700 Subject: base conversion In-Reply-To: <20031008131619.81240.qmail@web21201.mail.yahoo.com> Message-ID: On Wednesday, October 8, 2003, at 06:16 AM, Sarad AV wrote: > hi, > > If we are to convert a k-bit integer n to a base b > number,it takes us O(log n) if the base b is a power > of 2. > eg. converting (11111)base to base 16 > > 0001 1111 > ^ ^ > 1 F in hex. > > using a look up table. > > Is there an algorithm with time complexity O(log n) > which allows such conversion to base b ,when b is not > a power of 2? > I have decoded this latest bit of "homework stego" and have found the plaintext: "Attack the Islamic Center in Hyderabad at the rise of the new moon." I assume Sarad's readers have now gotten coordinated. --Tim May "Aren't cats Libertarian? They just want to be left alone. I think our dog is a Democrat, as he is always looking for a handout" --Unknown Usenet Poster From s.schear at comcast.net Wed Oct 8 14:14:18 2003 From: s.schear at comcast.net (Steve Schear) Date: Wed, 08 Oct 2003 14:14:18 -0700 Subject: Jack(ass) Valenti stirs up a storm in L.A. Message-ID: <5.2.1.1.0.20031008141338.04b7bb00@mail.comcast.net> The Motion Picture Association of America's decision to ban DVDs of Oscar contenders for Academy Awards voters has developed into an industry cat fight, (as) distributors and publicists of smaller films, who fear that their pictures no longer will have a shot at a gold statuette. The MPAA acted after discovering that of the 68 titles sent to members of the academy and the press last year, 34 wound up on the streets as counterfeits. Valenti adds that the DVDs' recipients are not to blame. Until the controversy over the MPAA decision dies down, Valenti will follow the advice of his former boss, President Lyndon B. Johnson. "You just hunker down like a jackass in a hailstorm and wait till the wind stops blowing," Valenti said. [Bad example. LBJ tried this during Vietnam and look what happened ;-) ] http://www.sfgate.com/cgi-bin/article.cgi?f=/chronicle/archive/2003/10/08/DD69468.DTL&type=movies From s.schear at comcast.net Wed Oct 8 15:40:20 2003 From: s.schear at comcast.net (Steve Schear) Date: Wed, 08 Oct 2003 15:40:20 -0700 Subject: EU directive could spark patent war In-Reply-To: <5.2.1.1.0.20031008133700.0603bf60@mail.comcast.net> References: <001101c2cea2$67f13500$66d5a8c0@mobiilpaul> Message-ID: <5.2.1.1.0.20031008153742.060ef7f8@mail.comcast.net> [I wonder what if any effect this might have on crypto patents, e.g., Chaumian blinding?] "The European Parliament's decision to limit patents... risks creating a "patent war" with a fallout that could make it illegal to access some European e-commerce sites from the United States..." "Pure software should not be patentable, the parliament argued, and software makers should not be required to license patented technology for the purposes of interoperability--for example, creating a device that can play a patented media format, or allowing a computer program to read and write a competitor's patented file formats. " "The amendments also sought to ban the patenting of business methods such as Amazon.com's patent on one-click purchasing. " Full story at http://news.com.com/2100-1014_3-5086062.html?tag=nefd_top steve From iang at systemics.com Wed Oct 8 17:18:21 2003 From: iang at systemics.com (Ian Grigg) Date: Wed, 08 Oct 2003 20:18:21 -0400 Subject: [dgc.chat] EU directive could spark patent war References: <001101c2cea2$67f13500$66d5a8c0@mobiilpaul> <5.2.1.1.0.20031008153742.060ef7f8@mail.comcast.net> Message-ID: <3F84A94D.6EC373B4@systemics.com> Steve Schear wrote: > > [I wonder what if any effect this might have on crypto patents, e.g., > Chaumian blinding?] My guess is, nix, nada. Patents are a red herring in the blinding skirmishes, they became a convenient excuse and a point to place the flag when rallying the troops. The battle was elsewhere, but it was good to have something to keep the press distracted. You can see this in, for example, the long available Wagner variation, and the availability of a bunch of other variations. Even when people started doing demo code of the various alternates (Magic Money, Ben Laurie's Lucre, etc) there was little to no amounts of interest. (There is one guy working to turn BLL into a system, and then there is our WebFunds project, originally started from on an old port of MM back in 1999 or so. That's it as far as I know, what is clear is that there is no inundation of monetary offers for the tech. I know a couple of people who put or promised some money, but it was all pocket change.) Any one with any business experience realises that the patents were a huge risk factor, so the obvious thing was to de-risk it. Hence, use Wagner first and shop for another method later (we figured this out in 2001 after the first coder's Chaum code was replaced by the second's Wagner efforts... Or was it Brands....). Hence, there are no business analysies being done, and therefore, no business. Here we remain within sight of the expiry of the first of Chaum's patents, and still lukewarm interest in blinding. I predict the date will pass and nothing will change. The real barriers to token money systems are these: 1. lack of a viable application 2. tokens require downloaded clients 3. bearer is a dirty word 4. full implementation requires too many skills (not authoritive) As against approximations (DGCs, Paypals, nymous) blinded token money systems don't attract enough real business zing to make them attractive enough to overcome the barriers. (I personally am somewhat agnostic on blinding, to the annoyance of many high priests of the order. I think the bank robbery problem is a bit of a devil, but OTOH, I just spent today working on getting token withdrawals going again. That's because I know of a group that wants it for a very interesting application to do vaguely with the 3rd world :-) > "The European Parliament's decision to limit patents... risks creating a > "patent war" with a fallout that could make it illegal to access some > European e-commerce sites from the United States..." > > "Pure software should not be patentable, the parliament argued, and > software makers should not be required to license patented technology for > the purposes of interoperability--for example, creating a device that can > play a patented media format, or allowing a computer program to read and > write a competitor's patented file formats. " > > "The amendments also sought to ban the patenting of business methods such > as Amazon.com's patent on one-click purchasing. " > > Full story at http://news.com.com/2100-1014_3-5086062.html?tag=nefd_top Another factor is that Europe has effectively emasculated the entrepreneurial digital money field with the E-money directive. It's been a while since I read it, but it basically forces the small guy to be "just like a bank" or to be so small as to not have a future. Empirically, I know two people - entrepreneurs - who've tried to get into it, then read the directive, and said "it can't be done" (both from different countries that actually claim to promote the field). (The USA, under the quiet guidance of certain very smart people, went the other way and deliberately held off from doing or saying anything. They realised that they could do nothing but harm... so they "declined" to get involved. Also, in the US, there is very much more of a spirit of doing something if it is not explicitly banned. In Europe, there is much more of a spirit of getting permission if it is not explicitly permitted, on the assumption that the government knows what it is talking about.) The only ones who are interested in reducing transaction costs (in the blinding fashion) are new outsiders looking to set up new payment systems. Hence, the arisal of the digital gold currencies was centered around the US, and the smart card efforts of the Europeans were centered around the national banking structures. Smart card schemes cost O($100,000,000) whereas these days a DGC costs O($100,000). Go figure. iang --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com From morlockelloi at yahoo.com Wed Oct 8 22:31:39 2003 From: morlockelloi at yahoo.com (Morlock Elloi) Date: Wed, 8 Oct 2003 22:31:39 -0700 (PDT) Subject: EFF Report on Trusted Computing In-Reply-To: <4f6fa1bf096820f918d2510704e508ee@nox.lemuria.org> Message-ID: <20031009053139.3302.qmail@web40608.mail.yahoo.com> It took less than a decade for EFF to make a full turn, from championing unrestricted uses of technology to censoring who can do what and in which way. In this regards EFF resembles technological empires - like Cisco, for example, that get born because of radically new ways to do things and then end up trying to stop any further change. At some point EFF left the course of enabling individuals and joined their adversaries in the sense that masses should be patronized and given this or that. Such EFF is likely to lose its support base and compete with others for generic feel-good support public. Anyone has right to offer anything. If there are enough imbeciles to take it, that's good. Imbeciles should be exploited as much as possible. Those who capitalize on imbecile protection racket are called politicians. ===== end (of original message) Y-a*h*o-o (yes, they scan for this) spam follows: __________________________________ Do you Yahoo!? The New Yahoo! Shopping - with improved product search http://shopping.yahoo.com From jtrjtrjtr2001 at yahoo.com Wed Oct 8 22:53:05 2003 From: jtrjtrjtr2001 at yahoo.com (Sarad AV) Date: Wed, 8 Oct 2003 22:53:05 -0700 (PDT) Subject: base conversion In-Reply-To: Message-ID: <20031009055305.77947.qmail@web21202.mail.yahoo.com> lol at tim ,good work! --- Tim May wrote: > On Wednesday, October 8, 2003, at 06:16 AM, Sarad > AV wrote: > > > hi, > > > > If we are to convert a k-bit integer n to a base b > > number,it takes us O(log n) if the base b is a > power > > of 2. > > eg. converting (11111)base to base 16 > > > > 0001 1111 > > ^ ^ > > 1 F in hex. > > > > using a look up table. > > > > Is there an algorithm with time complexity O(log > n) > > which allows such conversion to base b ,when b is > not > > a power of 2? > > > > I have decoded this latest bit of "homework stego" > and have found the > plaintext: > > "Attack the Islamic Center in Hyderabad at the rise > of the new moon." > > > I assume Sarad's readers have now gotten > coordinated. > > > > > > --Tim May > "Aren't cats Libertarian? They just want to be left > alone. > I think our dog is a Democrat, as he is always > looking for a handout" > --Unknown Usenet Poster > __________________________________ Do you Yahoo!? The New Yahoo! Shopping - with improved product search http://shopping.yahoo.com From nobody at nox.lemuria.org Wed Oct 8 16:44:32 2003 From: nobody at nox.lemuria.org (Anonymous) Date: Thu, 9 Oct 2003 01:44:32 +0200 (CEST) Subject: EFF Report on Trusted Computing Message-ID: <4f6fa1bf096820f918d2510704e508ee@nox.lemuria.org> [Permission is granted to repost this document in its entirety, without other limitation. See http://invisiblog.com/1c801df4aee49232/ for an online copy.] The EFF has published a report on the "Promise and Risk" of Trusted Computing at http://www.eff.org/Infra/trusted_computing/20031001_tc.php. See also http://www.eff.org/Infra/trusted_computing/ for ongoing coverage of TC issues. The EFF is to be congratulated for taking its time to study the many issues revolving around TC and come to a relatively balanced and nuanced position. Staff Technologist Seth Schoen, said to be the principle author of the new report, provided some of the best early information about Palladium on his blog at http://vitanuova.loyalty.org/2002-07-05.html and similar postings, which were refreshingly objective and free of the almost obligatory anti-Microsoft bias of other analyses from so-called online rights activists. Nevertheless, the EFF report has a number of shortcomings which deserve discussion. The EFF tries to distinguish between "good" and "bad" aspects of TC, but it does not draw the line in quite the right place, even given its somewhat questionable assumptions. It fails to sufficiently emphasize the many positive uses of the full version of TC (and hence the costs of blocking its implementation), and also misses some important negatives as well. And the recommended fix to TC is not clearly described and as written appears to be somewhat contradictory. But let us begin with some positive elements of the EFF report. This is perhaps the first public, critical analysis of TC which fails to include two of the worst lies about the technology, lies promulgated primarily by Ross Anderson and Lucky Green: that only authorized programs can run "trusted", and that unauthorized or illegal programs and data will be deleted from computers or prevented from running. The EFF appears to recognize the key feature of TC, which gives it its name: that trust is in the eye of the truster. Anyone can create code which benefits from TC features, and it is up to the user of a computer to decide which local and remote software he will trust. The report also forthrightly rejects the claim that TC technology is some kind of trick to defeat Linux or lock-in computers to Microsoft operating systems, and debunks the lie put forth by Lucky Green that TC will insert spyware into your computer. By choosing to emphasize the truth rather than lies on these important points, the EFF gains credibility at the expense of opening itself to charges by extremists that it is in bed with Microsoft or is promoting "evil" technology. Those of us who have argued in the past for balanced analyses of TC are well aware of the speed with which opponents resort to name-calling and personal attacks, and it is a credit to the EFF that they have taken a courageous position which departs from the conventional wisdom in the online rights community. Despite these positives, as noted above the report has some weaknesses which need to be addressed. The EFF attempts to distinguish one feature of TC, remote attestation, as a source of problems. This is the ability of a computer user to convince other systems about what software he is running. The EFF is convinced that this feature will cause users to be compelled to use software not of their choice; harm interoperability and encourage lock-in; and support DRM and various restrictive kinds of licensing. But when we break these down in detail, many of the problems either go away or are not due to attestation. Software choice limitation may occur if a remote system provides some service conditional on the software being used to access it. But that's not really a limitation of choice, because the user could always elect not to receive the offered service. The implicit assumption here seems to be that if TC did not exist, the service would be offered without any limitations. Then it makes it appear that TC adds limitations which are not currently present. But what this analysis overlooks is that TC will allow the creation of new services which are not economically possible today. By allowing for more protection of data, a whole host of new applications may become possible. So the proper comparison is not with a hypothetical state where you'd have all the same services without TC as with; but rather, comparing a TC world that is relatively rich in services with a service-poor non-TC world. Turning to the issues of lock-in and interoperability, it is true that TC may allow software creators to lock their data to the applications and make it more difficult to create interoperable alternatives, thus promoting lock-in. The problem here with the EFF analysis is that it is not the remote attestation feature of TC which is the primary cause of this effect, but rather it is the sealed storage feature. It is sealed storage that allows data to be encrypted such that only one particular application can decrypt it, and potentially makes it impossible to switch to a different software package, or access the data in an interoperable way. The EFF attempts to say that sealed storage and other features of TC are good, because they clearly can increase the security features of your computer. Then they draw a line at remote attestation. But if it is lock-in and interoperability that worries them, sealed storage has to go as well. This inconsistency in the report undercuts its main conclusion. And parenthetically, lock-in is not necessarily a bad thing, as long as people know about it in advance. When you go on vacation you know that you will only be able to eat at restaurants in the local area. You are locked-in to local eateries. Everyone accepts this as part of the cost of the vacation. People can factor these kinds of lock-in costs into the overall package when they make decision about what to buy, whether travel or software. In this sense, it's good for activists like the EFF to make people aware that TC may increase lock-in, but they should put the issue into perspective and not present it as a reason to abandon the technology. It's just a consideration to be aware of when buying any software that is TC-enabled. Lastly, the EFF is worried that remote attestation enables DRM and other restrictive licensing practices. This is clearly true, although things are not quite as simple as they seem. Before wide-scale use of TC for DRM, it will be necessary for the manufacturers, software vendors and content providers to get past a few tiny details, like setting up a global, universal, widely trusted and secure PKI. Hopefully readers in these forums will understand that this is not exactly a trivial problem. Going from the basic technological definitions of TC to the massive infrastructure of keys and revocations needed for a secure, commercial DRM system and other licensing schemes is going to take quite a while. But in any case, once it happens, again the report fails to paint a balanced picture, by emphasizing the negative aspects of the new kinds of licensing that TC will enable. It should be clear that a technology that allows new kinds of voluntary arrangements, without eliminating any old ones, cannot be entirely evil. TC only expands the space of possibilities, it does not stop anyone from doing things the old way. If the new possibilities enabled by TC are truly so horrible for consumers, and if it is possible (as TC opponents implicitly assume) to provide these functionalities without the nightmarish limitations that the report is so afraid of, then some companies can still offer their goods under those more-favorable terms, and reap massive rewards as consumers triumphantly reject the horrific license terms of the TC-based software. This report, like so many others, ignores the role of consumers in making decisions about what technologies to use. This is one area in which the EFF was unable to rise above the myopia shared by so many other analyses. Ironically, given these oversights, the report also manages to miss some bad features of TC, features which have been discussed at some length on the cypherpunks and cryptography mailing lists. One of the biggest is the area of upgrades and system replacement. The TCPA (now TCG) proposal for handling upgrades is clearly unworkable, and Microsoft has said nothing about how they will do it. Any data which is locked to your computer is clearly at greater risk of being unrecoverable if your computer breaks. Until a bulletproof upgrade path exists, end users are going to be reluctant to embrace the promise of TC technology. Another area not discussed is the risk to privacy implicit in using this technology on a global network. TCPA's solution, "privacy CAs", is another part of the spec that is obviously never going to work. Microsoft had made some noise about copying this at one point, and is now decidedly mute on the issue. It is an almost impossible problem to solve, and chances are that the companies will simply give up and let the system compromise user privacy. As a privacy-oriented watchdog group, the EFF has dropped the ball in failing to emphasize this point. The final complaint about the report is that their solution doesn't seem to make sense. The basic idea is to allow the user to override the remote attestation feature so his system can lie about his software configuration. The apparent problem with this, as a number of commentators have pointed out, is that it undercuts the remote attestation feature and makes it useless. It is like "fixing" the limitations of cryptographic certificates by allowing anyone to forge them. Doing this defeats the purpose of the feature so completely that you might as well not have it. It would seem to make more sense for the EFF to simply call for remote attestation to be removed from the TC concept than to try to come up with a complicated "owner override". And in fact it seems likely that remote attestation will be one of the last parts of the TC spec to be implemented due to the PKI problem noted above, so we will probably see TC installations initially without attestation support. It may be that remote attestation never becomes as popular as TC proponents hope and critics fear. Now, perhaps there are some subtle aspects to the EFF proposal which would make attestation with owner overrides more useful than a version of TC without attestation at all. But to analyze that we'd need more detail about how exactly this owner override is supposed to work, and what attestation would still be used for in such a system. As it is, the proposal is frustratingly vague on these details. Summing up, the EFF report manages avoid the worst excesses of anti-TC rhetoric so common in the online rights community. By attempting to take a moderate course and identifying both promise and risk with TC technology, it does a service in setting a new standard of accuracy and civility in analyzing this important topic. However the report does have weaknesses, and its attempt to focus on problems with remote attestation misunderstands both economic realities and the technical details of which aspects of TC cause problems. By concentrating so narrowly on attestation, the EFF overlooks both important risks and promises of this new technology. And its proposed solution appears illogical on its face, requiring much more explanation and discussion for a fair evaluation. Make no mistake about it: TC is coming. All the rhetoric, all the protests and objections, are doing nothing to alter the apparently unstoppable momentum of this new technology. Microsoft is committed to NGSCB (Palladium), and the TCG (TCPA) is working actively on specs for cell phones and other devices. There is even considerable work to bring TC into Linux. What we need now is better understanding of both the risks and rewards of this technology, which will be here perhaps sooner than many of us expect. The EFF report is a good first step in this direction, but the problems need to be corrected. And rather than a futile and quixotic attempt to change the nature of TC, the EFF should focus on informing consumers about the pros and cons of the system, how it will affect their use of technology in years to come, questions to ask of vendors, and ways to protect their privacy and security. That is a hard enough task, and one truly in keeping with the EFF's goals and mission. From eugen at leitl.org Thu Oct 9 02:29:23 2003 From: eugen at leitl.org (Eugen Leitl) Date: Thu, 9 Oct 2003 11:29:23 +0200 Subject: IPsec in 2.6 Message-ID: <20031009092923.GF2031@leitl.org> I've always had trouble with FreeS/WAN breaking at kernel upgrades, but now that 2.6 is coming we're getting native IPsec support (albeit FreeS/WAN seems to claim Opportunistic Encryption won't be supported?). We seem to have a curious situation here. The majority of systems out there now support IPsec (NT/Win2K/XP; OS X), but there's very little interoperability. Particularly, there is no support for ad hoc encryption as default, without going through a lot of jumping through hoops (why should I be required to be able to publish DNS records just to have an encryption link?). Are there technical reasons for this situation? If yes, what is required to enable IPsec default interoperability at least with open source OSses? -- Eugen* Leitl leitl ______________________________________________________________ ICBM: 48.07078, 11.61144 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE From tomwhore at slack.net Thu Oct 9 14:45:50 2003 From: tomwhore at slack.net (Tom) Date: Thu, 9 Oct 2003 17:45:50 -0400 (EDT) Subject: Chminey growth, omni luvin, tunnels across the net(tm) and forging the local rings of power Message-ID: The PersonalTelcoProject has started picking up steam in moving from setting up one off hot-spots (starsucks style points of back-haul to the Internet(tm), only free rather than a t-mobile fee) and into the land of forming our own network of interconnectivity. To this end I present to the forkites Node236 , that being the WSMF Compounds point and pointed of presence. http://www.personaltelco.net/gallery/view_album.php?set_albumName=Node236 Whats under the hood.. On the roof... a 12dbi omni with 3 deg down tilt mounted to a 10 foot pole attached to a very short bit of lmr400 into the ammo can of packet paradise. In the ammo can is a linksys befw11s4 turned down to bridging mode. These feeds into the house and attaches to the nodes three nic server Winston. Winston spots a Debian install and a tuned NoCat setup. One nic takes in the packets from the roof, the second nic takes a feed from a second linksys befw11s4 turned down to bridging for the use of the house and the third nice heads out to the DSL router, again tossed into bridging node. NoCat does most of the routing and rules work for traffic. So a day after raising the mast Portland gets hail, rain and power outing lightening hits. I'm sitting here at work pinging the box wondering if its just hung on reboot, if the power is still out, or if the chimney is smoking rubble. The plan for the node over the next week or so will be to tunnel it over the net into other PTP nodes probably over ipv6, maybe not. A constant vigil is up to find nodes going up that are in wireless reach such that we can start making true wireless links and relying less on the "Internet(tm)" to tunnel through. As with all growing networks content and services are key into making the value of use go up up up, WSMFs node will be offering up various goodies to the ptpnet over the next few weeks. Plans for a Palm centric file site (pd, os and other legal files only), old time radio shows both on demand and as files, various project repositories and a few other goodies will be on tap. Other PTP nodes are already working on cojoined resource sharing over our growing interconnectedness... http://www.personaltelco.net/static/node/content-nodes.html It is indeed a project I am digging doing not only in the doing but in the planning and the learning. Portland awaits the next ORiley gathering, by that time we should have a good coverage of goods and services all, of course, for the taking. No fees no pleas, just hit agree. -tomwsmf _______________________________________________ FoRK mailing list http://xent.com/mailman/listinfo/fork ----- End forwarded message ----- -- Eugen* Leitl leitl ______________________________________________________________ ICBM: 48.07078, 11.61144 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE [demime 0.97c removed an attachment of type application/pgp-signature] From madduck at madduck.net Thu Oct 9 09:57:33 2003 From: madduck at madduck.net (martin f krafft) Date: Thu, 9 Oct 2003 18:57:33 +0200 Subject: IPsec in 2.6 In-Reply-To: <20031009092923.GF2031@leitl.org> References: <20031009092923.GF2031@leitl.org> Message-ID: <20031009165733.GA28306@diamond.madduck.net> also sprach Eugen Leitl [2003.10.09.1129 +0200]: > Are there technical reasons for this situation? If yes, what is > required to enable IPsec default interoperability at least with > open source OSses? A curious idea that I've been paying some attention to for a while. One could simply implement a means that tries to connect with IPsec by default and falls back to IP if unsuccessful (keeping a cache of IPsec incapable hosts). The main problem here, of course, the required public key repository, if you don't want to have your keys in DNS records. And also, the expensive SA negotiation and the potential for DoS. -- martin; (greetings from the heart of the sun.) \____ echo mailto: !#^."<*>"|tr "<*> mailto:" net at madduck invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver! "it is only the modern that ever becomes old-fashioned." -- oscar wilde [demime 0.97c removed an attachment of type application/pgp-signature] From eugen at parked.everydns.net Thu Oct 9 10:31:19 2003 From: eugen at parked.everydns.net (Eugen Leitl) Date: Thu, 9 Oct 2003 19:31:19 +0200 Subject: IPsec in 2.6 In-Reply-To: <20031009165733.GA28306@diamond.madduck.net> References: <20031009092923.GF2031@leitl.org> <20031009165733.GA28306@diamond.madduck.net> Message-ID: <20031009173119.GB6904@leitl.org> On Thu, Oct 09, 2003 at 06:57:33PM +0200, martin f krafft wrote: > > A curious idea that I've been paying some attention to for a while. > One could simply implement a means that tries to connect with IPsec > by default and falls back to IP if unsuccessful (keeping a cache of That's how Opportunistic Encryption (OE) is supposed to work. It's just it's much too high-threshold for Joe Schmoe systems. Software firewalls are not even NATed, and increasingly cheap NAT allows IPsec tunnelling; at least single-session. > IPsec incapable hosts). The main problem here, of course, the > required public key repository, if you don't want to > have your keys in DNS records. And also, the expensive SA What is wrong which just exchanging the keys for ad hoc mode? You could cache them and log whenever a key has changed (at least allowing to detect a MITM post facto). We're really looking for blanket rollout of a low-security service which wouldn't stand a dedicated attacker yet would effectively prevent large-scale screening of cleartext traffic as currently practised by diverse TLAs. You can always upgrade to higher paranoia layers (like web of trust, or direct exchange of secrets), but right now the entire traffic is open to sniffing and filtering at will. It's a disgrace. > negotiation and the potential for DoS. -- Eugen* Leitl leitl ______________________________________________________________ ICBM: 48.07078, 11.61144 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE [demime 0.97c removed an attachment of type application/pgp-signature] From madduck at madduck.net Thu Oct 9 14:16:03 2003 From: madduck at madduck.net (martin f krafft) Date: Thu, 9 Oct 2003 23:16:03 +0200 Subject: IPsec in 2.6 In-Reply-To: <20031009173119.GB6904@leitl.org> References: <20031009092923.GF2031@leitl.org> <20031009165733.GA28306@diamond.madduck.net> <20031009173119.GB6904@leitl.org> Message-ID: <20031009211603.GA13967@piper.madduck.net> also sprach Eugen Leitl [2003.10.09.1931 +0200]: > What is wrong which just exchanging the keys for ad hoc mode? You could cache > them and log whenever a key has changed (at least allowing to detect a MITM > post facto). ... like SSH, huh? > We're really looking for blanket rollout of a low-security > service which wouldn't stand a dedicated attacker yet would effectively > prevent large-scale screening of cleartext traffic as currently practised by > diverse TLAs. I am all for it. This should be implementable in a cousin of isakmpd, no? PS: please don't CC me on mailing lists... -- martin; (greetings from the heart of the sun.) \____ echo mailto: !#^."<*>"|tr "<*> mailto:" net at madduck invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver! microsoft windoze - the best solitaire game you can buy. [demime 0.97c removed an attachment of type application/pgp-signature] From madduck at madduck.net Thu Oct 9 14:16:32 2003 From: madduck at madduck.net (martin f krafft) Date: Thu, 9 Oct 2003 23:16:32 +0200 Subject: IPsec in 2.6 In-Reply-To: <20031009211603.GA13967@piper.madduck.net> References: <20031009092923.GF2031@leitl.org> <20031009165733.GA28306@diamond.madduck.net> <20031009173119.GB6904@leitl.org> <20031009211603.GA13967@piper.madduck.net> Message-ID: <20031009211632.GA14068@piper.madduck.net> also sprach martin f krafft [2003.10.09.2316 +0200]: > PS: please don't CC me on mailing lists... i am sorry, you didn't. that was the other guy on another list. doh! -- martin; (greetings from the heart of the sun.) \____ echo mailto: !#^."<*>"|tr "<*> mailto:" net at madduck invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver! Most Intelligent Customers Realise Our Software Only Fools Them. [demime 0.97c removed an attachment of type application/pgp-signature] From eugen at parked.everydns.net Thu Oct 9 14:50:40 2003 From: eugen at parked.everydns.net (Eugen Leitl) Date: Thu, 9 Oct 2003 23:50:40 +0200 Subject: Chminey growth, omni luvin, tunnels across the net(tm) and forging the local rings of power (fwd from tomwhore@slack.net) Message-ID: <20031009215040.GS6904@leitl.org> ----- Forwarded message from Tom ----- From cripto at ecn.org Thu Oct 9 22:06:17 2003 From: cripto at ecn.org (Anonymous) Date: Fri, 10 Oct 2003 07:06:17 +0200 (CEST) Subject: wifi remailer entry points Message-ID: <20db28988698fddb63fdd3076f2637c4@ecn.org> The idea of using wifi access points as entry points to the remailer network has been raised before. It seems like a useful service that anyone with an internet connection and a wireless card could offer. It provides cover for the operator's own remailer use, with much lower entry requirements than running a remailer node. What's the best way to set this up? Some possibilities: 1: Run Mixmaster on the wifi interface. This seems unnecessarily complicated, since users would have to fetch the node keys, and would have to specify the correct remailer as the first hop in the chain. 2: Run a SMTP server on the wifi interface, configured to relay messages to known remailer nodes and refuse all other destinations. Users would have to configure their remailer client to use the server as a SMTP relay. 3: Run a NAT firewall on the wifi interface, configured to allow TCP port 25 connections to known remailers, and block everything else. Users would have to run their own mail transfer agent. Option 3 seems to provide the simplest interface for clients running on Unix, since they will probably already have a functioning SMTP agent. But what about Windows clients? Do Windows remailer users typically run their own SMTP servers, or do they send via relays? From emc at artifact.psychedelic.net Fri Oct 10 12:08:22 2003 From: emc at artifact.psychedelic.net (Eric Cordian) Date: Fri, 10 Oct 2003 12:08:22 -0700 (PDT) Subject: base conversion In-Reply-To: <20031008131619.81240.qmail@web21201.mail.yahoo.com> Message-ID: <200310101908.h9AJ8NpP029535@artifact.psychedelic.net> Sarad AV writes: > If we are to convert a k-bit integer n to a base b > number,it takes us O(log n) if the base b is a power > of 2. > eg. converting (11111)base to base 16 > 0001 1111 > ^ ^ > 1 F in hex. > using a look up table. > Is there an algorithm with time complexity O(log n) > which allows such conversion to base b ,when b is not > a power of 2? The algorithm you describe is linear, not log. Complexity measures are a function of the size of the input data set in bits. In general, a large integer M will require an input around N = LOG2(M) bits to represent. A linear algorithm will take twice as long to process a 2 megabyte integer, as it takes to process a 1 megabyte integer. You ask whether there are linear algorithms for arbitrary precision base conversion. I seem to recall that Schonhage showed how to do base conversion with an FTT along with his well-known fast multiplication algorithm. So my guess would be that there are no known linear arbitrary precision base conversion algorithms, but probably something O(n log(n))-ish as the best currently achievable. As usual, Google is your friend. I think near-linear reciprocals, nth roots, and base conversions are covered in "Pi and the AGM" by the Borweins. My copy is packed in a box somewhere, so I can't check. Perhaps you can find the book at your local university library. -- Eric Michael Cordian 0+ O:.T:.O:. Mathematical Munitions Division "Do What Thou Wilt Shall Be The Whole Of The Law" From bill at scannell.org Fri Oct 10 11:39:56 2003 From: bill at scannell.org (Bill Scannell) Date: Fri, 10 Oct 2003 13:39:56 -0500 Subject: What You Can Do -Right Now- To Stop CAPPS II Message-ID: Dear Patriot, For the past seven months, I have been fighting for the right of all Americans to travel freely in our own country. CAPPS II, the Soviet-style internal border control system being pushed by the Department of Homeland Security, will strip us of that right, and make air travel a 'privilege' granted by government. A lot has been accomplished: * Delta was shamed out of testing CAPPS II * Homeland Security was forced to appoint a Chief Privacy Officer * JetBlue was exposed violating the privacy of millions of passengers * JetBlue was shamed out of CAPPS II testing * A pro-CAPPS II 'consumer advocate' was unmasked as a Cendant shill * Galileo/Cendant has backpedaled on CAPPS II I need your help taking this fight forward. Running the anti-CAPPS II campaign costs a lot of time and money. The Boycott Delta and Don't Spy On US websites require a team of graphic artists and web designers. As you can imagine, the bandwidth usage is enormous. The over 40 million dollars in publicity generated for the ongoing anti-CAPPS II awareness campaign came at a cost of hundreds of media interviews, astronomical telephone bills, and all of my time and energy. Up to now, I have funded this project out of my own personal savings. America has been good to me and spending money to keep our country free seemed only fair. Unfortunately, I can't do this alone anymore, which is why I am turning to you for help. To keep up the fight, I need you to contribute to the cause. Whether you can afford $20.00 or $100.00; $50.00 or $1,000.00 , every cent you give makes it possible to keep up the pressure on those who would make our great nation less free. There are two ways you can help fund the fight: 1. Use your credit card and contribute using PayPal: http://dontspyon.us/paypal.html 2. Send a check or money order payable to 'Bill Scannell' in care of my attorneys: The Electronic Frontier Foundation 454 Shotwell Street San Francisco, CA 94110 Together, we can stop CAPPS II. With deepest gratitude, Bill Scannell Founder www.boycottdelta.org www.DontSpyOn.US "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." Benjamin Franklin [demime 0.97c removed an attachment of type image/jpeg which had a name of image.jpg] From mv at cdc.gov Fri Oct 10 21:14:14 2003 From: mv at cdc.gov (Major Variola (ret.)) Date: Fri, 10 Oct 2003 21:14:14 -0700 Subject: Nuking USG: not just for cypherpunks anymore Message-ID: <3F878396.48E949FE@cdc.gov> 'If I could just get a nuclear device inside Foggy Bottom, I think that's the answer'," he said. --Pat Robertson, republican presidential candidate http://news.yahoo.com/news?tmpl=story2&cid=1521&u=/afp/20031009/pl_afp/us_diplomacy_threat_031009192152&printer=1 From morlockelloi at yahoo.com Sat Oct 11 00:17:28 2003 From: morlockelloi at yahoo.com (Morlock Elloi) Date: Sat, 11 Oct 2003 00:17:28 -0700 (PDT) Subject: Idea: Small-volume concealed data storage In-Reply-To: Message-ID: <20031011071728.97385.qmail@web40612.mail.yahoo.com> And what is the purpose of connecting the key and data storage in the first place ? Data storage is data storage, concealed or not. You feed encrypted data to/from it. Key is required at human interface and has absolutely nothing to do with the storage. If you want better security than passphrase, then you need a mechanical key carrier. Indeed, that is where the word "key" comes from. You can store any number on bits on it and you'll hand it over before they beat the shit out of you - or you may want to be brave and destroy it instead (trivial with flash-on-chip and small battery cell), but, again, it has nothing to do with storage of data. ===== end (of original message) Y-a*h*o-o (yes, they scan for this) spam follows: __________________________________ Do you Yahoo!? The New Yahoo! Shopping - with improved product search http://shopping.yahoo.com From s.schear at comcast.net Sat Oct 11 01:38:02 2003 From: s.schear at comcast.net (Steve Schear) Date: Sat, 11 Oct 2003 01:38:02 -0700 Subject: Software protection scheme may boost new game sales Message-ID: <5.2.1.1.0.20031011013617.05b2c0a0@mail.comcast.net> Companies are using a new software protection system, called Fade, to protect their intellectual property from software thieves. Fade is being introduced by Macrovision, which specializes in digital rights management, and the British games developer Codemasters. What the program does is make unauthorized copies of games slowly degrade, by exploiting the systems for error correction that computers use to cope with CD-ROMs or DVDs that have become scratched. Software protected by Fade contains fragments of "subversive" code designed to seem like scratches, which are then arranged on the disc in a pattern that will be used to prevent copying. Bruce Everiss of Codemasters says, "The beauty of this is that the degrading copy becomes a sales promotion tool. People go out and buy an original version." (New Scientist 10 Oct 2003) steve From jtrjtrjtr2001 at yahoo.com Sat Oct 11 04:25:20 2003 From: jtrjtrjtr2001 at yahoo.com (Sarad AV) Date: Sat, 11 Oct 2003 04:25:20 -0700 (PDT) Subject: base conversion In-Reply-To: <200310101908.h9AJ8NpP029535@artifact.psychedelic.net> Message-ID: <20031011112520.30086.qmail@web21208.mail.yahoo.com> helo, thank you for the reply. > The algorithm you describe is linear, not log. > Complexity measures are a > function of the size of the input data set in bits. > In general, a large > integer M will require an input around N = LOG2(M) > bits to represent. If we are to convert a k-bit integer n to a base b number,it takes us O(log n) if the base b is a power of 2 is still a correct statement. Say if we are to multiply a k-bit integer n with the same k-bit integer n, i.e multiplying integer n with k-bits by itself. The multiplication takes atmost k^2 bit operations. eg. n=5=101 base 2. i.e the multiplication takes atmost 3^2=9 bit operations. Thus multiplication of O(k^2) for a constant c and n>=no. All logarithms are to the base 2. Since k=[log n]+1 k^2=([log n]+1)^2 in our example = ([log 5]+1)^2 =3^3=9 operations. it is correct to write O(log n)=O(k), as n or k are the inputs to an algorithm whose time complexity is to be determined. O(log n)=O(k)is the time the algorithm takes for processing the input which are essenctially the same. > You ask whether there are linear algorithms for > arbitrary precision base > conversion. yes,I was asking if there is an algorithm in O(k)=O(log n) to convert a k-bit integer n to arbitrary base. I only know to do it in O(k^2). thanks, Sarath __________________________________ Do you Yahoo!? The New Yahoo! Shopping - with improved product search http://shopping.yahoo.com From shaddack at ns.arachne.cz Fri Oct 10 22:08:06 2003 From: shaddack at ns.arachne.cz (Thomas Shaddack) Date: Sat, 11 Oct 2003 07:08:06 +0200 (CEST) Subject: Idea: Small-volume concealed data storage Message-ID: I mentioned here the AT24RF08 chip here for couple times already. I got an idea about another application for this nice toy. For an encrypted data storage, the storage of the key is crucial. If the key is recovered, everything is lost. Remembering 256 (or even 128) bits is a hassle, a storage medium is subject to potential seizure. The key has to be protected by a passphrase, which is subject to bruteforcing. The key has to be destroyed in the event of a dangerous situation detected by the environmental sensors, or if the passphrase is tried one time too much (which opens the possibility of a DoS attack, rendering the data protection scheme unusable by regular intentional destruction of the key). However, the higher security we want, the lower alarm thresholds we have to set and the higher is the probability of misfire. For convenience reasons, for most common scenarios where absolute security is not necessary and some risk is affordable, we need a backup key storage. The mentioned chip can operate passively, powered from the coil used for data transfer, principially the same as an RFID tag. The independence on any kind of power supply makes it suitable for being built into some object, including the building itself; the chip and coil may be located inside a wall, serving as a potential storage for up to 8 kilobits of data as necessary. It may be put in place at the moment when the building is built, or during some construction work. Routine kinds of police raids are quite unlikely to discover this kind of data storage (though the eventual discovery of a reader device may be a giveaway). XORing the key with a MD5 hash of a memorized keyphrase can further increase security. This method may be also used for covert exchange of short messages. The device may be hidden under the carpet or inside poured concrete floor, and reader/writed in the shoes of the conspirators. The simplicity and robustness of the storage part of the technology could permit long-time installations "just for case". Or maybe I am too tired to think in coherent way. Maybe it's a good idea. Maybe not (if, then why?). May be handy at least for a spy novel writer. From roy at rant-central.com Sat Oct 11 06:08:56 2003 From: roy at rant-central.com (Roy M. Silvernail) Date: Sat, 11 Oct 2003 09:08:56 -0400 Subject: Nuking USG: not just for cypherpunks anymore In-Reply-To: <3F878396.48E949FE@cdc.gov> References: <3F878396.48E949FE@cdc.gov> Message-ID: <200310110908.56171.roy@rant-central.com> On Saturday 11 October 2003 00:14, Major Variola (ret.) wrote: > 'If I could just get a nuclear device inside Foggy Bottom, I think > that's the answer'," he said. > > --Pat Robertson, republican presidential candidate Robertson was quoting "columnist Joel Mowbray, who has written a book entitled "Dangerous Diplomacy: How the State Department Threatens American Security."" The threat was Mowbray's. Interesting that the State Department goes after Robertson rather than Mowbray. Could it have anything to do with the idea that few(er) people know who Mowbray is? From roy at rant-central.com Sat Oct 11 06:20:26 2003 From: roy at rant-central.com (Roy M. Silvernail) Date: Sat, 11 Oct 2003 09:20:26 -0400 Subject: Software protection scheme may boost new game sales In-Reply-To: <5.2.1.1.0.20031011013617.05b2c0a0@mail.comcast.net> References: <5.2.1.1.0.20031011013617.05b2c0a0@mail.comcast.net> Message-ID: <200310110920.26224.roy@rant-central.com> On Saturday 11 October 2003 04:38, Steve Schear wrote: > What the program does is make > unauthorized copies of games slowly degrade, by exploiting the systems for > error correction that computers use to cope with CD-ROMs or DVDs that have > become scratched. Software protected by Fade contains fragments of > "subversive" code designed to seem like scratches, which are then arranged > on the disc in a pattern that will be used to prevent copying. The C-64 headbanger comes to the 21st century! Can parameter patches be far behind? > Bruce > Everiss of Codemasters says, "The beauty of this is that the degrading copy > becomes a sales promotion tool. People go out and buy an original version." "Stupid fucking game! Next!" From jya at pipeline.com Sat Oct 11 10:53:57 2003 From: jya at pipeline.com (John Young) Date: Sat, 11 Oct 2003 10:53:57 -0700 Subject: Nuking USG: not just for cypherpunks anymore In-Reply-To: <200310110908.56171.roy@rant-central.com> References: <3F878396.48E949FE@cdc.gov> <3F878396.48E949FE@cdc.gov> Message-ID: According to the Reuters account below, it was Robertson, not Mowbray, who called for the State Department nuking. A Virginia citizen who would be nuked if State is, has reported Robertson to the FBI TIPS, observing that a Muslim cleric who made such a comment would surely be arrested or detained. Robertson's fatwah, even so, is worth admiring as a frustrated fundy fire and brimstone featherduster. Whether he would call for the same atomization of other useless breastbeaters like himself is a question for Tammy Faye. ----- State Department Protests Televangelist's Remark Fri Oct 10,10:48 AM ET WASHINGTON (Reuters) - The State Department has protested to televangelist Pat Robertson about his "despicable" suggestion that someone blow up the department with a nuclear bomb, an official said on Thursday. Robertson, a former presidential candidate, made the remark in an interview with Joel Mowbray, author of a new book entitled "Dangerous Diplomacy: How the State Department Endangers America's Security." State Department spokesman Richard Boucher, asked to comment, said on Thursday: "I lack sufficient capabilities to express my disdain. ... I think the very idea is despicable." The department has made its views clear to Robertson, added a State Department official, who asked not to be named. Introducing Mowbray on his Christian Broadcasting Network, Robertson said that a person who read Mowbray's book would reach the conclusion that a nuclear explosion at the State Department was the best solution. "I read your book. When you get through, you say (to yourself): 'If I could just get a nuclear device inside Foggy Bottom (the State Department's main building), I think that's the answer' and you say: 'We've got to blow that thing up.' I mean, is it as bad as you say?" he said. "It is," Mowbray replied. Mowbray himself did not make the suggestion, either in his book or in the interview. According to the network's Web site, Mowbray's book "exposes the mixed allegiances, hidden agendas, and outright anti-Americanism found in the State Department." ----- From timcmay at got.net Sat Oct 11 12:55:50 2003 From: timcmay at got.net (Tim May) Date: Sat, 11 Oct 2003 12:55:50 -0700 Subject: Software protection scheme may boost new game sales (fwd) In-Reply-To: Message-ID: On Saturday, October 11, 2003, at 12:09 PM, Sunder wrote: > Yawn... This is no different than any of the copy protection schemes > employed in the 1980's on then popular home computers such as the > commodore 64. > > Hindsight is 20/20 and recalls, all of these were broken within weeks > if > not months. "Nibbler" copiers and other programs were quickly built > that > allowed the breaking of all of these systems. All sorts of "error" > sectors, duplicate tracks, half tracks, extra tracks, extra sectors, > non-standard sized sectors, tracks written at different speeds, > erroneous > checksums, hidden data, and other sorts of weird bits were employed. > All > were broken. None survived the ages. > > In the end, the companies that employed copy protection only managed to > piss off customers who lost their only copy of the software, and > created a > market for the copiers and crackers. The crackers won, the software > companies lost. In fact, the companies that made copying software got a lot of business (and hence stayed in business, funded more copying work, etc.) from _fully legal customers_ who wanted to ensure that they had backups of critical software. Everybody I knew had "Copyiipc" from Central Point Software in Portland, OR. They were not copying games, they were copying critical disks with their CAD, spreadsheed, accounting, and other business apps on them. Yeah, sometimes these people gave copies to friends. Who often bought the program if their businesses would benefit (manuals, support, updates, etc.). But the main reason was for ensurance (not a word, but it fits with ensure vs. insure). > > Few of the companies of that era are still in business today. CEO's, > Vulture Capitalists, and others who have an interest in such schemes > would > do well to invest some time in learning about that time, and the > results, > for their investments, and dollars will go the same way... the way of > the > brontosaurus, the trilobite, and the dodo. As the saying goes, the lessons of the past are learned anew by each generation... --Tim May From sunder at sunder.net Sat Oct 11 12:07:57 2003 From: sunder at sunder.net (Sunder) Date: Sat, 11 Oct 2003 15:07:57 -0400 (edt) Subject: Software protection scheme may boost new game sales In-Reply-To: <5.2.1.1.0.20031011013617.05b2c0a0@mail.comcast.net> Message-ID: Yawn... This is no different than any of the copy protection schemes employed in the 1980's on then popular home computers such as the commodore 64. Hindsight is 20/20 and recalls, all of these were broken within weeks if not months. "Nibbler" copiers and other programs were quickly built that allowed the breaking of all of these systems. All sorts of "error" sectors, duplicate tracks, half tracks, extra tracks, extra sectors, non-standard sized sectors, tracks written at different speeds, erroneous checksums, hidden data, and other sorts of weird bits were employed. All were broken. None survived the ages. In the end, the companies that employed copy protection only managed to piss off customers who lost their only copy of the software, and created a market for the copiers and crackers. The crackers won, the software companies lost. Few of the companies of that era are still in business today. CEO's, Vulture Capitalists, and others who have an interest in such schemes would do well to invest some time in learning about that time, and the results, for their investments, and dollars will go the same way... the way of the brontosaurus, the trilobite, and the dodo. Let them try, if they wish to burn their money. As far as I'm concerned, I'll vote with my wallet as usual and only run open source, free software. If the moronic kids at whom these titles are aimed have the $50-$70 per title to waste on self destructing, flavor of the month games, they are certainly free to spend that money to their heart's desire. Not a dime from my wallet will wind up in their pockets - except perhaps indirectly: the next time I buy my next burger, "no, I don't want fries with that, no, I don't want to supersize it," my $5 eventually makes a small contribution to the salary of the burger flipper, which in turn is applied to the purchase of said game. :) I've not read the said article just yet, but from that direct quote "as the copy degrades..." I can already see the trouble with this scheme: their copy protection already fails them. They allow copies to be made and rely on the fact that the CDR or whatever media, will eventually degrade, because their "code looks like scratches..." Riiiiggghtt..... If you can make one copy, you can make many, and you can certainly store the ISO in compressed form on a normal CD to make more copies later. CDR's are what? $0.20@ these days? Hell, you can even get one of those virtual CDROM programs to mount the CD's as if they were CD's, and store the ISO on a hard drive, or DVD-R instead. Hard drives are already in the 250-500GB range these days. So their scheme is already flawed and doomed from the start. It seems to me that people that engage in treating their customers like theives to begin with lack a vital ingredient for making money: common sense. ----------------------Kaos-Keraunos-Kybernetos--------------------------- + ^ + :25Kliters anthrax, 38K liters botulinum toxin, 500 tons of /|\ \|/ :sarin, mustard and VX gas, mobile bio-weapons labs, nukular /\|/\ <--*-->:weapons.. Reasons for war on Iraq - GWB 2003-01-28 speech. \/|\/ /|\ :Found to date: 0. Cost of war: $800,000,000,000 USD. \|/ + v + : The look on Sadam's face - priceless! --------_sunder_ at _sunder_._net_------- http://www.sunder.net ------------ On Sat, 11 Oct 2003, Steve Schear wrote: > Companies are using a new software protection system, called Fade, to > protect their intellectual property from software thieves. Fade is being > introduced by Macrovision, which specializes in digital rights management, > and the British games developer Codemasters. What the program does is make > unauthorized copies of games slowly degrade, by exploiting the systems for > error correction that computers use to cope with CD-ROMs or DVDs that have > become scratched. Software protected by Fade contains fragments of > "subversive" code designed to seem like scratches, which are then arranged > on the disc in a pattern that will be used to prevent copying. Bruce > Everiss of Codemasters says, "The beauty of this is that the degrading copy > becomes a sales promotion tool. People go out and buy an original version." > (New Scientist 10 Oct 2003) > > --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com From sunder at sunder.net Sat Oct 11 12:09:42 2003 From: sunder at sunder.net (Sunder) Date: Sat, 11 Oct 2003 15:09:42 -0400 (edt) Subject: Software protection scheme may boost new game sales (fwd) Message-ID: Yawn... This is no different than any of the copy protection schemes employed in the 1980's on then popular home computers such as the commodore 64. Hindsight is 20/20 and recalls, all of these were broken within weeks if not months. "Nibbler" copiers and other programs were quickly built that allowed the breaking of all of these systems. All sorts of "error" sectors, duplicate tracks, half tracks, extra tracks, extra sectors, non-standard sized sectors, tracks written at different speeds, erroneous checksums, hidden data, and other sorts of weird bits were employed. All were broken. None survived the ages. In the end, the companies that employed copy protection only managed to piss off customers who lost their only copy of the software, and created a market for the copiers and crackers. The crackers won, the software companies lost. Few of the companies of that era are still in business today. CEO's, Vulture Capitalists, and others who have an interest in such schemes would do well to invest some time in learning about that time, and the results, for their investments, and dollars will go the same way... the way of the brontosaurus, the trilobite, and the dodo. Let them try, if they wish to burn their money. As far as I'm concerned, I'll vote with my wallet as usual and only run open source, free software. If the moronic kids at whom these titles are aimed have the $50-$70 per title to waste on self destructing, flavor of the month games, they are certainly free to spend that money to their heart's desire. Not a dime from my wallet will wind up in their pockets - except perhaps indirectly: the next time I buy my next burger, "no, I don't want fries with that, no, I don't want to supersize it," my $5 eventually makes a small contribution to the salary of the burger flipper, which in turn is applied to the purchase of said game. :) I've not read the said article just yet, but from that direct quote "as the copy degrades..." I can already see the trouble with this scheme: their copy protection already fails them. They allow copies to be made and rely on the fact that the CDR or whatever media, will eventually degrade, because their "code looks like scratches..." Riiiiggghtt..... If you can make one copy, you can make many, and you can certainly store the ISO in compressed form on a normal CD to make more copies later. CDR's are what? $0.20@ these days? Hell, you can even get one of those virtual CDROM programs to mount the CD's as if they were CD's, and store the ISO on a hard drive, or DVD-R instead. Hard drives are already in the 250-500GB range these days. So their scheme is already flawed and doomed from the start. It seems to me that people that engage in treating their customers like theives to begin with lack a vital ingredient for making money: common sense. ----------------------Kaos-Keraunos-Kybernetos--------------------------- + ^ + :25Kliters anthrax, 38K liters botulinum toxin, 500 tons of /|\ \|/ :sarin, mustard and VX gas, mobile bio-weapons labs, nukular /\|/\ <--*-->:weapons.. Reasons for war on Iraq - GWB 2003-01-28 speech. \/|\/ /|\ :Found to date: 0. Cost of war: $800,000,000,000 USD. \|/ + v + : The look on Sadam's face - priceless! --------_sunder_ at _sunder_._net_------- http://www.sunder.net ------------ On Sat, 11 Oct 2003, Steve Schear wrote: > Companies are using a new software protection system, called Fade, to > protect their intellectual property from software thieves. Fade is being > introduced by Macrovision, which specializes in digital rights management, > and the British games developer Codemasters. What the program does is make > unauthorized copies of games slowly degrade, by exploiting the systems for > error correction that computers use to cope with CD-ROMs or DVDs that have > become scratched. Software protected by Fade contains fragments of > "subversive" code designed to seem like scratches, which are then arranged > on the disc in a pattern that will be used to prevent copying. Bruce > Everiss of Codemasters says, "The beauty of this is that the degrading copy > becomes a sales promotion tool. People go out and buy an original version." > (New Scientist 10 Oct 2003) > > From njohnsn at njohnsn.com Sat Oct 11 14:48:44 2003 From: njohnsn at njohnsn.com (Neil Johnson) Date: Sat, 11 Oct 2003 16:48:44 -0500 Subject: Software protection scheme may boost new game sales (fwd) In-Reply-To: References: Message-ID: <200310111648.44706.njohnsn@njohnsn.com> I remember a software company in my home town in the late '80's that had it figured out. They sold accounting software, it wasn't as spiffy as their competitor's (Quicken) but they sold it for .... $14. For $14 dollars most any company would buy a copy just to try it out. The owner made a handsome profit before selling the company to larger outfit. I think they also sold other software the same way, they sold it cheap enough that people just spent the money to see if it was worth it. -Neil (who still runs Quicken 99 under windows 95 'casue it does everything I need to do) -- Neil Johnson http://www.njohnsn.com PGP key available on request. From hseaver at cybershamanix.com Sat Oct 11 18:29:47 2003 From: hseaver at cybershamanix.com (Harmon Seaver) Date: Sat, 11 Oct 2003 20:29:47 -0500 Subject: Then End of Western Civilization Message-ID: <20031012012947.GB28105@cybershamanix.com> I'm reading a book called "Bangkok 8" by John Burdett, it's a mystery, and I don't usually read them, but heard a review on npr and picked it up at the library, main character is a Thai detective who'se mother was a Bangkok prostitute and father an American GI on leave from VietNam. Fun read. Anyway, there's one part where the cop is remembering the teachings of his abbot -- he was a Buddhist monk before becoming a cop, a drug dealer before becoming a monk -- where the abbot says: "There will be a massive shift of power from West to East in the middle of the twenty-first century, caused not by war or economics, but by a suble alteration of consciousness....the internal destruction of Western society will have reached such a pass that most of your resources will be concentrated on managing loonies." 8-) -- Harmon Seaver CyberShamanix http://www.cybershamanix.com From bogus@does.not.exist.com Sun Oct 12 07:20:23 2003 From: bogus@does.not.exist.com () Date: Sun, 12 Oct 2003 10:20:23 -0400 Subject: US State Department extends FTO list to include Internet sites Message-ID: http://washingtontimes.com/national/20031010-112733-8086r.htm 4 Jewish Web sites deemed 'terrorist' By Jerry Seper THE WASHINGTON TIMES Four Internet Web sites operated by two extremist Jewish groups have been included by the State Department on its list of "foreign terrorist organizations"  the first time the list has been extended to include Internet sites. The four Web sites are: www.newkach.org, www.Kahane.org, www.Kahane.net and www.Kahanetzadak.com, the department said in a notice in the Federal Register. They offer news, commentary and links to other sites of interest to followers of Meir Kahane. The impact of the listing was not immediately clear, since all four sites exist in cyberspace. The designation makes it illegal for persons in the United States to donate money or other material support to the Web sites. The three accessible sites yesterday included information on where contributions could be sent, what items could be donated and offered a number items for sale, including pendants and books. From adam at homeport.org Sun Oct 12 08:30:13 2003 From: adam at homeport.org (Adam Shostack) Date: Sun, 12 Oct 2003 11:30:13 -0400 Subject: FBI, Lackawanna, and lack of informers Message-ID: <20031012153013.GA47500@lightship.internal.homeport.org> http://www.nytimes.com/2003/10/12/nyregion/12LACK.html?hp=&pagewanted=print&position= A very long article on the FBI and the 6 fellows in upstate NY who travelled the world to hang out with religious nutballs. One of the most interesting things about the case is that the FBI did not catch these folks; they were turned in by someone having second thoughts. That fellow, who then turned informer, is in jail anyway. Bad informer management, but no one asked me. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From sfurlong at acmenet.net Sun Oct 12 11:41:12 2003 From: sfurlong at acmenet.net (Steve Furlong) Date: 12 Oct 2003 14:41:12 -0400 Subject: Software protection scheme may boost new game sales (fwd) In-Reply-To: References: Message-ID: <1065984071.3036.3.camel@localhost.localdomain> On Sat, 2003-10-11 at 15:55, Tim May wrote: > As the saying goes, the lessons of the past are learned anew by each > generation... And each generation invents sex, too. From cpunk at lne.com Sun Oct 12 20:00:01 2003 From: cpunk at lne.com (cpunk at lne.com) Date: Sun, 12 Oct 2003 20:00:01 -0700 Subject: Cypherpunks List Info Message-ID: <200310130300.h9D301g0021969@slack.lne.com> Cypherpunks Mailing List Information Last updated: Sep 12, 2002 This message is also available at http://www.lne.com/cpunk Instructions on unsubscribing from the list can be found below. 0. Introduction The Cypherpunks mailing list is a mailing list for discussing cryptography and its effect on society. It is not a moderated list (but see exceptions below) and the list operators are not responsible for the list content. Cypherpunks is a distributed mailing list. A subscriber can subscribe to one node of the list and thereby participate on the full list. Each node (called a "Cypherpunks Distributed Remailer", although they are not related to anonymous remailers) exchanges messages with the other nodes in addition to sending messages to its subscribers. A message posted to one node will be received by the list subscribers on the other nodes, and vice-versa. 1. Filtering The various CDRs follow different policies on filtering spam and to a lesser extent on modifying messages that go to/from their subscribers. Filtering is done, on nodes that do it, to reduce the huge amount of spam that the cypherpunks list is subjected to. There are three basic flavors of filtering CDRs: "raw", which send all messages to their subscribers. "cooked" CDRs try to eliminate the spam on that's on the regular list by automatically sending only messages that are from cypherpunks list subscribers (on any CDR) or people who are replying to list messages. Finally there are moderated lists, where a human moderator decides which messages from the raw list to pass on to subscribers. 2. Message Modification Message modification policy indicates what modifications, if any, beyond what is needed to operate the CDR are done (most CDRs add a tracking X-loop header on mail posted to their subscribers to prevent mail loops). Message modification usually happens on mail going in or out to each CDR's subscribers. CDRs should not modify mail that they pass from one CDR to the next, but some of them do, and others undo those modifications. 3. Privacy Privacy policy indicates if the list will allow anyone ("open"), or only list members, or no one ("private") , to retrieve the subscribers list. Note that if you post, being on a "private" list doesn't mean much, since your address is now out there. It's really only useful for keeping spammers from harvesting addresses from the list software. Digest mode indicates that the CDR supports digest mode, which is where the posts are batched up into a few large emails. Nodes that support only digest mode are noted. 4. Anonymous posting Cypherpunks encourages anonymous posting. You can use an anonymous remailer: http://www.andrebacard.com/remail.html http://anon.efga.org/Remailers http://www.gilc.org/speech/anonymous/remailer.html or you can send posts to the list via cpunks_anon at einstein.ssz.com and your mail's headers will be stripped before posting. Note that this doesn't provide complete anonymity since the receiving site will still have log file entries showing the source of the mail (or you have to trust that they delete them). You also will be 'sharing' a reputation with the other entities that post through this alias, and some of them are spammers, so some subscribers will have this alias filtered. 5. Unsubscribing Unsubscribing from the cypherpunks list: Since the list is run from a number of different CDRs, you have to figure out which CDR you are subscribed to. If you don't remember and can't figure it out from the mail headers (hint: the top Received: line should tell you), the easiest way to unsubscribe is to send unsubscribe messages to all the CDRs listed below. How to figure out which CDR you are subscribed to: Get your mail client to show all the headers (Microsoft calls this "internet headers"). Look for the Sender or X-loop headers. The Sender will say something like "Sender: owner-cypherpunks at lne.com". The X-loop line will say something like "X-Loop: cypherpunks at lne.com". Both of these inticate that you are subscribed to the lne.com CDR. If you were subscribed to the algebra CDR, they would have algebra.com in them. Once you have figured out which CDR you're subscribed to, look in the table below to find that CDRs unsubscribe instructions. 6. Lunatics, spammers and nut-cases "I'm subscribed to a filtering CDR yet I still see lots of junk postings". At this writing there are a few sociopaths on the cypherpunks list who are abusing the lists openness by dumping reams of propaganda on the list. The distinction between a spammer and a subscriber is nearly always very clear, but the dictinction between a subscriber who is abusing the list by posting reams of propaganda and a subscriber who is making lots of controversial posts is not clear. Therefore, we tolerate the crap. Subscribers with a low crap tolerance should check out mail filters. Procmail is a good one, although it works on Unix and Unix-like systems only. Eudora also has a capacity for filtering mail, as do many other mail readers. An example procmail recipie is below, you will of course want to make your own decisions on which (ab)users to filter. # mailing lists: # filter all cypherpunks mail into its own cypherspool folder, discarding # mail from loons. All CDRs set their From: line to 'owner-cypherpunks'. # /dev/null is unix for the trash can. :0 * ^From.*owner-cypherpunks at .* { :0: * (^From:.*ravage at ssz\.com.*|\ ^From:.*jchoate at dev.tivoli.com.*|\ ^From:.*mattd at useoz.com|\ ^From:.*proffr11 at bigpond.com|\ ^From:.*jei at cc.hut.fi) /dev/null :0: cypherspool } 7. List of current CDRs All commands are sent in the body of mail unless otherwise noted. --------------------------------------------------------------------------- Algebra: Operator: Subscription: "subscribe cypherpunks" to majordomo at algebra.com Unsubscription: "unsubscribe cypherpunks" to majordomo at algebra.com Help: "help cypherpunks" to majordomo at algebra.com Posting address: cypherpunks at algebra.com Filtering policy: raw Message Modification policy: no modification Privacy policy: ??? Info: ??? --------------------------------------------------------------------------- CCC: Operator: drt at un.bewaff.net Subscription: "subscribe [password of your choice]" to cypherpunks-request at koeln.ccc.de Unsubscription: "unsubscribe " to cypherpunks-request at koeln.ccc.de Help: "help" to to cypherpunks-request at koeln.ccc.de Web site: http://koeln.ccc.de/mailman/listinfo/cypherpunks Posting address: cypherpunks at koeln.ccc.de Filtering policy: This specific node drops messages bigger than 32k and every message with more than 17 recipients or just a line containing "subscribe" or "unsubscribe" in the subject. Digest mode: this node is digest-only NNTP: news://koeln.ccc.de/cbone.ml.cypherpunks Message Modification policy: no modification Privacy policy: ??? --------------------------------------------------------------------------- Infonex: Subscription: "subscribe cypherpunks" to majordomo at infonex.com Unsubscription: "unsubscribe cypherpunks" to majordomo at infonex.com Help: "help cypherpunks" to majordomo at infonex.com Posting address: cypherpunks at infonex.com Filtering policy: raw Message Modification policy: no modification Privacy policy: ??? --------------------------------------------------------------------------- Lne: Subscription: "subscribe cypherpunks" to majordomo at lne.com Unsubscription: "unsubscribe cypherpunks" to majordomo at lne.com Help: "help cypherpunks" to majordomo at lne.com Posting address: cypherpunks at lne.com Filtering policy: cooked Posts from all CDR subscribers & replies to threads go to lne CDR subscribers. All posts from other CDRs are forwarded to other CDRs unmodified. Message Modification policy: 1. messages are demimed (MIME attachments removed) when posted through lne or received by lne CDR subscribers 2. leading "CDR:" in subject line removed 3. "Reply-to:" removed Privacy policy: private Info: http://www.lne.com/cpunk; "info cypherpunks" to majordomo at lne.com Archive: http://archives.abditum.com/cypherpunks/index.html (thanks to Steve Furlong and Len Sassaman) --------------------------------------------------------------------------- Minder: Subscription: "subscribe cypherpunks" to majordomo at minder.net Unsubscription: "unsubscribe cypherpunks" to majordomo at minder.net Help: "help" to majordomo at minder.net Posting address: cypherpunks at minder.net Filtering policy: raw Message Modification policy: no modification Privacy policy: private Info: send mail to cypherpunks-info at minder.net --------------------------------------------------------------------------- Openpgp: [openpgp seems to have dropped off the end of the world-- it doesn't return anything from sending help queries. Ericm, 8/7/01] Subscription: "subscribe cypherpunks" to listproc at openpgp.net Unsubscription: "unsubscribe cypherpunks" to listproc at openpgp.net Help: "help" to listproc at openpgp.net Posting address: cypherpunks at openpgp.net Filtering policy: raw Message Modification policy: no modification Privacy policy: ??? --------------------------------------------------------------------------- Ssz: Subscription: "subscribe cypherpunks" to majordomo at ssz.com Unsubscription: "unsubscribe cypherpunks" to majordomo at ssz.com Help: "help cypherpunks" to majordomo at ssz.com Posting address: cypherpunks at ssz.com Filtering policy: raw Message Modification policy: Subject line prepended with "CDR:" Reply-to cypherpunks at ssz.com added. Privacy policy: open Info: http://www.ssz.com/cdr/ --------------------------------------------------------------------------- Sunder: Subscription: "subscribe" to sunder at sunder.net Unsubscription: "unsubscribe" to sunder at sunder.net Help: "help" to sunder at sunder.net Posting address: sunder at sunder.net Filtering policy: moderated Message Modification policy: ??? Privacy policy: ??? Info: ??? --------------------------------------------------------------------------- Pro-ns: Subscription: "subscribe cypherpunks" to majordomo at pro-ns.net Unsubscription: "unsubscribe cypherpunks" to majordomo at pro-ns.net Help: "help cypherpunks" to majordomo at pro-ns.net Posting address: cypherpunks at pro-ns.net Filtering policy: cooked Posts from all CDR subscribers & replies to threads go to local CDR subscribers. All posts from other CDRs are forwarded to other CDRs unmodified. Message Modification policy: 1. leading "CDR:" in subject line removed 2. "Reply-to:" removed Privacy policy: private Info: http://www.pro-ns.net/cpunk From shamrock at cypherpunks.to Sun Oct 12 22:49:19 2003 From: shamrock at cypherpunks.to (Lucky Green) Date: Sun, 12 Oct 2003 22:49:19 -0700 Subject: RSA performance on Athlon64 vs. Itanium Message-ID: <003201c3914d$c0e49120$7001a8c0@VAIO650> I just picked up an Athlon64 3200+, which runs at a 2 GHz clock speed. Using the Red Hat for AMD64 beta and the version of OpenSSL that ships with that beta, I get 922 1024-bit RSA signs per second. This is a tad less RSA signatures per second than I have seen on an 800MHz Itanium using highly optimized assembler. That's rather poor performance on the Athlon64. Are the figures that I am seeing typical for OpenSSL on the Athlon64? Has anybody here seen different figures using optimized code? Thanks, --Lucky Green From schoen at loyalty.org Sun Oct 12 23:44:16 2003 From: schoen at loyalty.org (Seth David Schoen) Date: Sun, 12 Oct 2003 23:44:16 -0700 Subject: [linux-elitists] LOCAL Mountain View, California, USA: events this week Message-ID: Don Marti writes: > Wednesday night: > Seth Schoen fixes TCPA, saves Freedom: > http://www.sdforum.org/p/calEvent.asp?CID=1182 Sorry that didn't happen. And I still haven't fixed TCPA. Intel has posted its Policy Statement on LaGrande Technology: ftp://download.intel.com/technology/security/downloads/LT_policy_statement_0_ 8.pdf LaGrande is in the interstices between TCG and NGSCB. TCG has not specified a secure I/O path or "curtained memory" as required by NGSCB. LaGrande does, so it effectively provides the complete hardware support NGSCB would need. (AMD has a similar project called SEM, which I know very little about other than that it is supposed to do similar things and at least one of the people working on it is exceptionally honest.) Anyway, Intel wants your comments on the LT policy. The thing that jumps out at me (as the author of "Trusted Computing: Promise and Risk") is that Intel thinks that opt-out or opt-in can solve the problems of attestation. This is the official view of a lot of trusted computing proponents. The defects of this view are difficult to describe and are complicated by the fact that some trusted computing critics don't believe that LT (or TCG or NGSCB) will actually provide an opt-out. (I do believe this.) The root of the difficulty is that, in the nature of attestation, you can be _punished_ for opting out (beyond the scope of simply not enjoying particular features to which what you opted out of is technically necessary). For example, if you have a feature with privacy implications like What's Related in browsers, you can opt of using What's Related and the only penalty will be that you won't see what's related to the sites you're looking at. Or if you don't like Microsoft's software updates, you can opt out of those and the only penalty will be that your software won't be patched. (This is actually a somewhat thorny issue since no other sources of patches to Microsoft software have so far arisen.) But in most other cases with which we're familiar, opting out has a relatively narrow effect, and there is fairly little leverage to punish you for having done so. At least, that's true of opt-out features in the context of technology choices; it might not be true in some off-line situations. In the nature of attestation and its effect on interoperability, though, opting out of attestation might be ruinous for your hopes of communicating with others. If they can be induced to use proprietary protocols or file formats, opting out may lead to a permanent inability to exchange data with them. Opting in, by the same token, could lead to a permanent loss of software choice (and the effective inability to reverse engineer or repair your software) at least during the particular periods of time when you want to communicate with other people or manipulate what they sent you. Opt-in can't undo the harmful network effects attestation will produce for competition and for all computer owners. Anyway, that's what I plan to tell Intel, in somewhat more detail, sometime before December 31. And remember: [T]rusted computing systems fundamentally alter trust relationships. Legitimate concerns about trusted computing are not limited to one area, such as consumer privacy or copyright issues. -- Seth David Schoen | Very frankly, I am opposed to people http://www.loyalty.org/~schoen/ | being programmed by others. http://vitanuova.loyalty.org/ | -- Fred Rogers (1928-2003), | 464 U.S. 417, 445 (1984) _______________________________________________ linux-elitists http://zgp.org/mailman/listinfo/linux-elitists ----- End forwarded message ----- -- Eugen* Leitl leitl ______________________________________________________________ ICBM: 48.07078, 11.61144 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE [demime 0.97c removed an attachment of type application/pgp-signature] From nobody at dizum.com Sun Oct 12 22:10:06 2003 From: nobody at dizum.com (Nomen Nescio) Date: Mon, 13 Oct 2003 07:10:06 +0200 (CEST) Subject: EFF Report on Trusted Computing Message-ID: Just thought someone should take the trouble to rebut the anonymous pro-treacherous-computing rantings... I have heavily trimmed our anonymous ranters verbose writing style to keep just the bits I'm responding to (inline...) > The EFF tries to distinguish between "good" and "bad" aspects of TC, > but it does not draw the line in quite the right place, even given > its somewhat questionable assumptions. Unsubstantiated claim: what incorrect assumptions did Schoen make? I did not see any. > It fails to sufficiently emphasize the many positive uses of the > full version of TC (and hence the costs of blocking its > implementation), Schoen points out that TC can be broken out into desirable and undesirable features. If you omit the undesirable features, as he describes, you get the remaining desirable features. There is no loss from blocking the undesirable features. > And the recommended fix to TC is not clearly described and as > written appears to be somewhat contradictory. I see no contradition. More unsubstantiated claims. > But let us begin with some positive elements of the EFF report. This is > perhaps the first public, critical analysis of TC which fails to include > two of the worst lies about the technology, lies promulgated primarily > by Ross Anderson and Lucky Green: that only authorized programs can run > "trusted", and that unauthorized or illegal programs and data will be > deleted from computers or prevented from running. They are not lying and you do your credibility no favors by making such unsubstantiated claims. You are just misconstruing the obvious meaning of their warnings: the features they describe (and plenty more and worse) are technically feasible with the TC hardware enforcement, and given microsoft's history of repeated dirty tricks campaigns in the areas of document format wars, reporting private information back home to microsoft, browser wars, interface wars, restrictive business practices regarding licensing it would be fool hardy in the extreme to not expect more of the same in the area of platform control based on Palladium. Of course _you_ are not wishing to admit or emphasize these points, but you can hardly get away with impugning the integrity of high reputation individuals like Prof Ross Anderson with such paltry mischaracterisation. Your arguments are crass and of the form: "but the current microsoft PR documents don't admit that it could do that, nor of course that microsoft are planning to do that, so it's not fair for you to point that out and caution people about the kinds of things microsoft may be planning". Technology is criticized and discussed based on the potential and most likely inferred directions given microsoft's history and prior demonstration of interest to control various aspects of the software platform. > The report also forthrightly rejects the claim that TC technology is > some kind of trick to defeat Linux or lock-in computers to Microsoft > operating systems, It's far from obvious that TC will have no part to play in the next few decades of open warfare against linux from microsoft. There are any number of ways to extend the existing dirty tricks regarding formats, protocols, licensing etc using the TC hardware enforcement. > The EFF attempts to distinguish one feature of TC, remote > attestation, as a source of problems. This is the ability of a > computer user to convince other systems about what software he is > running. The EFF is convinced that this feature will cause users to > be compelled to use software not of their choice; harm > interoperability and encourage lock-in; and support DRM and various > restrictive kinds of licensing. Yes indeed and they are quite right. That is exactly the problem with remote attestation. > But when we break these down in detail, many of the problems either > go away or are not due to attestation. More unsubstantiated claims. This statement is both false and not backed up by any of your following text. > Software choice limitation may occur if a remote system provides > some service conditional on the software being used to access it. > But that's not really a limitation of choice, because the user could > always elect not to receive the offered service. This is really strange logic: you have a choice not to use a client because you don't have to use the service?!!? Of course it detracts from choice. Absent remote attestation things would be as they are today and users could modify existing clients, write their own clients, or obtain third party clients for any service. Removing _that_ choice is the problem. And it is a big and significant detraction from the current open nature of the internet. One that favors large companies such as microsoft with an interest to stifle innovation and competition. > The implicit assumption here seems to be that if TC did not exist, > the service would be offered without any limitations. Yes it would. It either wouldn't be offered or it would be offered without such limitations. These are the trade-offs we like because they are open and offer a level playing field and user choice. The "choices" you promote come down to the end-user not owning and controlling their own hardware. Freedom of choice be damned. > Then it makes it appear that TC adds limitations which are not > currently present. And indeed it does add limitations as I discussed above. > Turning to the issues of lock-in and interoperability, it is true > that TC may allow software creators to lock their data to the > applications and make it more difficult to create interoperable > alternatives, thus promoting lock-in. Yes indeeed it is true that it will create ever worse lock-in and interoperability problems. > The problem here with the EFF analysis is that it is not the remote > attestation feature of TC which is the primary cause of this effect, > but rather it is the sealed storage feature. They are both problems. You are right in the limited sense that Schoen should _also_ have objected to the lock-in enabling aspects of the sealing function. > It is sealed storage that allows data to be encrypted such that only > one particular application can decrypt it, and potentially makes it > impossible to switch to a different software package, or access the data > in an interoperable way. That creates lock-in problems yes. Network effects are worse multipliers of interop problems were (one of Ross Anderson's scenarios) microsoft uses sealing to prevent openoffice etal reading MS word documents. > And parenthetically, lock-in is not necessarily a bad thing, as long as > people know about it in advance. When you go on vacation you know that > you will only be able to eat at restaurants in the local area. You are > locked-in to local eateries. Everyone accepts this as part of the cost > of the vacation. It's artificial lock-ins which are bad economics for consumers. They result in higher prices to prop up the profits of those creating the lock-in. Commoditization is good for consumers. Lock-ins are attempts to decommoditize by microsoft to extend their waning days as a virtual monopoly. > But in any case, once it happens, again the report fails to paint a > balanced picture, by emphasizing the negative aspects of the new kinds > of licensing that TC will enable. It should be clear that a technology > that allows new kinds of voluntary arrangements, without eliminating > any old ones, cannot be entirely evil. But it doesn't do that. It brings in a new era where the defacto is controlled and owned up by microsoft and the user has no rights and no control over their own machines. > TC only expands the space of possibilities, it does not stop anyone > from doing things the old way. Here's that falacious argument again. In theory what you say may be true. In practice it is utterly false and you know it. Microsoft will do it's worst to ensure that it does stop people doing things the old way. That means that the next sweep of intentionally not backwards compatible and yet still defacto standard software from microsoft will not be available without it. And so your only "choice" will be shutting yourself off from the rest of the world, or putting up with ceding control of the platform wholly to microsoft. Of course given your contorted logic further up, this would seem like a fine "choice" to you. > If the new possibilities enabled by TC are truly so horrible for > consumers, and if it is possible (as TC opponents implicitly assume) to > provide these functionalities without the nightmarish limitations that the > report is so afraid of, then some companies can still offer their goods > under those more-favorable terms, and reap massive rewards as consumers > triumphantly reject the horrific license terms of the TC-based software. Wrong again. Microsoft will ride the pain barrier between this lock-in and the cost of switching. It may even subsidize short term to gain the longer term lock-in to put others out of business. > This report, like so many others, ignores the role of consumers in making > decisions about what technologies to use. This is one area in which the > EFF was unable to rise above the myopia shared by so many other analyses. Wrong. It's just your own microsoft centric myopia doesn't enable you to see the obvious. You stick legalistically and pedantically to what is released in microsoft PR documents, but refuse to acknowledge or even think for yourself far enough to realise the obvious conclusion this horrendous wrong-turn for netfreedoms will reach given the long term business plans and obvious previous tactics which will be translated to apply and extend the effect of this until it has a stranglehold on the world. Again freedoms be damned. > The final complaint about the report is that their solution doesn't > seem to make sense. The basic idea is to allow the user to override > the remote attestation feature so his system can lie about his > software configuration. The apparent problem with this, as a number of > commentators have pointed out, is that it undercuts the remote attestation > feature and makes it useless. No it doesn't. Hostile software can't undermine the users configuration or software. It just makes the machine act once again under user control. > It is like "fixing" the limitations of cryptographic certificates by > allowing anyone to forge them. No. It's like allowing user blinding of certificates to ensure privacy. You allow user change of software to enable user control. > Doing this defeats the purpose of the feature so completely that you > might as well not have it. Wrong. See above. > It would seem to make more sense for the > EFF to simply call for remote attestation to be removed from the TC > concept than to try to come up with a complicated "owner override". Wrong. The host security aspects still exist with owner override. > Now, perhaps there are some subtle aspects to the EFF proposal which > would make attestation with owner overrides more useful than a version > of TC without attestation at all. Ah so you do concede that despite your claim to the contrary above. -end- From camera_lumina at hotmail.com Mon Oct 13 07:02:02 2003 From: camera_lumina at hotmail.com (Tyler Durden) Date: Mon, 13 Oct 2003 10:02:02 -0400 Subject: 2 Quantum Crypto Companies partner Message-ID: This makes 3 companies I know of working on Quantum Cryptography for key distribution. There must be a few more... http://www.lightreading.com/document.asp?site=lightreading&doc_id=41735 -TD _________________________________________________________________ Instant message during games with MSN Messenger 6.0. Download it now FREE! http://msnmessenger-download.com From gsemones at mstar2.net Mon Oct 13 10:29:20 2003 From: gsemones at mstar2.net (Guerry Semones) Date: Mon, 13 Oct 2003 10:29:20 -0700 Subject: P2P Encrypted VOIP Message-ID: <200310131029.AA142475492@mail.mstar2.net> I caught the announcement this morning from Skype concerning their P2P-based VOIP (free) product. Apparently this is the Kazaa founder's new company. The communications are supposed to be encrypted, etc., etc. Here's the Slashdot article: http://slashdot.org/article.pl?sid=03/10/13/1120202&mode=flat&tid=126&tid=95&tid=99 Here's the Privacy section from the Skype FAQ: http://www.skype.com/help_faq.html Guerry From s.schear at comcast.net Mon Oct 13 10:46:51 2003 From: s.schear at comcast.net (Steve Schear) Date: Mon, 13 Oct 2003 10:46:51 -0700 Subject: Monkeys Control Robotic Arm With Brain Implants Message-ID: <5.2.1.1.0.20031013104542.05e677a0@mail.comcast.net> [Can remote soldiering and amplified "Terminators" be too far away? Steve] Monkeys Control Robotic Arm With Brain Implants By Rick Weiss Washington Post Staff Writer Monday, October 13, 2003; Page A01 Scientists in North Carolina have built a brain implant that lets monkeys control a robotic arm with their thoughts, marking the first time that mental intentions have been harnessed to move a mechanical object. The technology could someday allow people with paralyzing spinal cord injuries to operate machines or tools with their thoughts as naturally as others today do with their hands. It might even allow some paralyzed people to move their own arms or legs again, by transmitting the brain's directions not to a machine but directly to the muscles in those latent limbs. The brain implants could also allow scientists or soldiers to control, hands-free, small robots that could perform tasks in inhospitable environments or in war zones. In the new experiments, monkeys with wires running from their brains to a robotic arm were able to use their thoughts to make the arm perform tasks. But before long, the scientists said, they will upgrade the implants so the monkeys can transmit their mental commands to machines wirelessly. "It's a major advance," University of Washington neuroscientist Eberhard E. Fetz said of the monkey studies. "This bodes well for the success of brain-machine interfaces." The experiments, led by Miguel A.L. Nicolelis of Duke University in Durham, N.C., and published today in the journal PLoS Biology, are the latest in a progression of increasingly science fiction-like studies in which animals -- and in a few cases people -- have learned to use the brain's subtle electrical signals to operate simple devices. Until now, those achievements have been limited to "virtual" actions, such as making a cursor move across a computer screen, or to small two-dimensional actions such as flipping a little lever that is wired to the brain. The new work is the first in which any animal has learned to use its brain to move a robotic device in all directions in space and to perform a mixture of interrelated movements -- such as reaching toward an object, grasping it and adjusting the grip strength depending on how heavy the object is. "This is where you want to be," said Karen A. Moxon, a professor of biomedical engineering at Drexel University in Philadelphia. "It's one thing to be able to communicate with a video screen. But to move something in the physical world is a real technological feat. And Nicolelis has taken this work to a new level by quantifying the neuroscience behind it." The device relies on tiny electrodes, each one resembling a wire thinner than a human hair. After removing patches of skull from two monkeys to expose the outer surface of their brains, Nicolelis and his colleagues stuck 96 of those tiny wires about a millimeter deep in one monkey's brain and 320 of them in the other animal's brain. The surgeries were painstaking, taking about 10 hours, and ended with the pouring of a substance like dental cement over the area to substitute for the missing bits of skull. The monkeys were unaffected by the surgery, Nicolelis said. But now they had tufts of wires protruding from their heads, which could be hooked up to other wires that ran through a computer and on to a large mechanical arm. Then came the training, with the monkeys first learning to move the robot arm with a joystick. The arm was kept in a separate room -- "If you put a 50-kilogram robot in front of them, they get very nervous," Nicolelis said -- but the monkeys could track their progress by watching a schematic representation of the arm and its motions on a video screen. The monkeys quickly learned how to use the joystick to make the arm reach and grasp for objects, and how to adjust their grip on the joystick to vary the robotic hand's grip strength. They could see on the monitor when they missed their target or dropped it for having too light a grip, and they were rewarded with sips of juice when they performed their tasks successfully. While the monkeys trained, a computer tracked the patterns of bioelectrical activity in the animals' brains. The computer figured out that certain patterns amounted to a command to "reach." Others, it became clear, meant "grasp." Gradually, the computer learned to "read" the monkeys' minds. Then the researchers did something radical: They unplugged the joystick so the robotic arm's movements depended completely on a monkey's brain activity. In effect, the computer that had been studying the animal's neural firing patterns was now serving as an interpreter, decoding the brain signals according to what it had learned from the joystick games and then sending the appropriate instructions to the mechanical arm. At first, Nicolelis said, the monkey kept moving the joystick, not realizing that her own brain was now solely in charge of the arm's movements. Then, he said, an amazing thing happened. "We're looking, and she stops moving her arm," he said, "but the cursor keeps playing the game and the robot arm is moving around." The animal was controlling the robot with its thoughts. "We couldn't speak. It was dead silence," Nicolelis said. "No one wanted to verbalize what was happening. And she continued to do that for almost an hour." At first, the animals' performance declined compared to the sessions on the joystick. But after just a day or so, the control was so smooth it seemed the animals had accepted the mechanical arm as their own. "It's quite plausible that the perception is you're extended into the robot arm, or the arm is an extension of you," agreed the University of Washington's Fetz, a pioneer in the field of brain-controlled devices. John P. Donoghue, a neuroscientist at Brown University developing a similar system, said paralyzed patients would be the first to benefit by gaining an ability to type and communicate on the Web, but the list of potential applications is endless, he said. The devices may even allow quadriplegics to move their own limbs again by sending signals from the brain to various muscles, leaping over the severed nerves that caused their paralysis. "Once you have an output signal out of the brain that you can interpret, the possibilities of what you can do with those signals are immense," said Donoghue, who recently co-founded a company, Cyberkinetics Inc. of Foxboro, Mass., to capitalize on the technology. Both he and Nicolelis hope to get permission from the Food and Drug Administration to begin experiments in people next year. Nicolelis also is developing a system that would transmit signals from each of the hundreds of brain electrodes to a portable receiver, so his monkeys -- or human subjects -- could be free of external wires and move around while they turn their thoughts into mechanical actions. "It's like multiple cellular phone lines," Nicolelis said. "As my mother said, 'You can dial your brain now.' " Significant challenges remain if the technology is to find widespread application in people. Although earlier experiments suggest the electrodes are safe and able to continue functioning for three years or more, longer-term safety studies are needed, and implants with far more electrodes may be required to accomplish anything more than the simplest tasks. "For something basic like grasping a cup of coffee or brushing your teeth, apparently you could do almost all of this with this kind of prosthesis," said Idan Segev, director of the center for neurocomputation at Hebrew University in Jerusalem. "If you were a pianist and had a spinal cord injury and you wanted to play Chopin again, then 500 neurons is not enough." Still, Segev expressed astonishment at how much the monkeys were able to do with signals from only a few hundred of the brain's 100 billion or so nerve cells -- evidence, he said, that "the brain uses a lot of backup and a lot of redundancy." That may explain one of the more interesting findings of the Duke experiments, he and others said: that neurons not usually involved in body movements, including those usually involved in sensory input rather than motor output, were easily recruited to help operate the robotic arm when electrodes were implanted there. Asked if the monkeys seemed to mind the experiments, Nicolelis answered with an emphatic "No." "If anything, they're enjoying themselves playing these games. It enriches their lives," he said. "You don't have to do anything to get these guys into their chair. They go right there. That's play time." From mv at cdc.gov Mon Oct 13 10:56:03 2003 From: mv at cdc.gov (Major Variola (ret)) Date: Mon, 13 Oct 2003 10:56:03 -0700 Subject: Nuking USG: not just for cypherpunks anymore Message-ID: <3F8AE732.7486CB97@cdc.gov> At 09:08 AM 10/11/03 -0400, Roy M. Silvernail wrote: >Interesting that the State Department goes after Robertson rather than >Mowbray. Could it have anything to do with the idea that few(er) people know >who Mowbray is? Perhaps Mr. Rosenthal or Mr. Chong might have an opinion on this... From jerrold.leichter at smarts.com Mon Oct 13 08:07:10 2003 From: jerrold.leichter at smarts.com (Jerrold Leichter) Date: Mon, 13 Oct 2003 11:07:10 -0400 (EDT) Subject: Software protection scheme may boost new game sales In-Reply-To: References: Message-ID: | I've not read the said article just yet, but from that direct quote "as | the copy degrades..." I can already see the trouble with this scheme: | their copy protection already fails them. They allow copies to be made | and rely on the fact that the CDR or whatever media, will eventually | degrade, because their "code looks like scratches..." Riiiiggghtt..... You should read the article - the quote is misleading. What they are doing is writing some "bad data" at pre-defined points on the CD. The program looks for this and fails if it finds "good" data. However ... I agree with your other points. This idea is old, in many different forms. It's been broken repeatedly. The one advantage they have this time around is that CD readers - and, even more, DVD readers; there is mention of applying the same trick to DVD's - is, compared to the floppy readers of yesteryear, sealed boxes. It's considerably harder to get at the raw datastream and play games. Of course, this cuts both ways - there are limits to what the guys writing the protection code can do, too. The real "new idea" here has nothing to do with how they *detect* a copy - it's what they *do* when they detect it. Rather than simply shut the game down, the degrade it over time. Guns slowly stop shooting straight, for example. In the case of DVD's, the player works fine - but stops working right at some peak point. Just like the guy on the corner announcing "first hit's free", they aim to suck you in, then have you running out to get a legit copy to save your character's ass - or find out how "The One" really lives through it all. This will probably work with a good fraction of the population. Actually, this is a clever play on the comment from music sharers that they get a free copy of a song, then buy the CD if they like the stuff. In effect, what they are trying to do is make it easy to make "teasers" out of their stuff. There will be tons of people copying the stuff in an unsophisticated way - and only a few who will *really* break it. Most people will have no quick way to tell whether they are getting a good or a bad copy. And every bad copy has a reasonable chance of actually producing a sale.... -- Jerry From mv at cdc.gov Mon Oct 13 11:08:08 2003 From: mv at cdc.gov (Major Variola (ret)) Date: Mon, 13 Oct 2003 11:08:08 -0700 Subject: clicking on ads = funding terrorists Message-ID: <3F8AEA08.42CA829B@cdc.gov> Excerpted from politech. Consider the 1st Amend implications, and how clicking on a banner ad (which automatically would pay the source site) makes you a terrorist supporter. Got assets? From bill.stewart at pobox.com Mon Oct 13 16:22:02 2003 From: bill.stewart at pobox.com (Bill Stewart) Date: Mon, 13 Oct 2003 16:22:02 -0700 (PDT) Subject: P2P Encrypted VOIP In-Reply-To: <200310131029.AA142475492@mail.mstar2.net> References: <200310131029.AA142475492@mail.mstar2.net> Message-ID: <2385.216.240.32.1.1066087322.squirrel@smirk.idiom.com> > Here's the Privacy section from the Skype FAQ: > http://www.skype.com/help_faq.html Skype has been discussed a bit. The big problems are - It's a proprietary protocol they're not documenting, so there's no way to tell if it would be any good if they've implemented it properly, and - It's not an open-source implementation, so you can't inspect it to see if they _have_ implemented it well, and - The fact that they'd do either one of those things doesn't suggest that they're sensitive to cryptographic concerns, and therefore suggests that they're likely to have screwed up, and - They talk about end-to-end encryption but don't mention key exchange or user authentication, which says that at least their documentation and PR folks don't have a clue, and - The fact that they're using proprietary protocols says that they won't have an easy time finding commercial off-the-shelf equipment to build gateways to the public network, so they'll be less useful, and other people won't be able to develop cooperative products, unlike all the SIP and H.323 periphery that people are developing, but- other than that, it sounds like it could be an interesting system, and we could use some interesting user relationship models. From sunder at sunder.net Mon Oct 13 13:22:47 2003 From: sunder at sunder.net (Sunder) Date: Mon, 13 Oct 2003 16:22:47 -0400 (edt) Subject: Software protection scheme may boost new game sales Message-ID: Ok, so I finally bothered to read said article. I assumed that they had something interesting that made it look to the error correction code like a scratch, etc... They don't. No such weakness exists in error correction used on CD's. Their protection is no more than putting bad error correcting codes on sectors, and when a CD copier is used, the "error" correction is corrected, but the software can detect that this is a copy. No different than current game protection (no different than the commodore 64 days either)... The "new new thing" aspect of it is that the copied game continues to run, making the guy doing the backup think he's got a good copy, but it slowly degrades itself. Degrade, but not in the sense of CD rot or scratches. So for a few hours(?), it's playable, but then it starts to no longer respond to user commands properly, and so it becomes a marketing tool. The luser will think it's worth buying their own copy after getting addicted to the game. So the rub, is that copies are allowed to be made, but unless cracked, the copies are nothing more than time limited demos. The only way that this could work is if they put up some sort of splash screen at some point to let the luser know that the program isn't buggy, but that the copy protection noticed it's a backup. After all, if you get a copy of a game from a friend, and it crashes on you all the time, would you think it's because the copy is bad, or because the software is as buggy as a Microsoft product? As usual, the real loser is the original purchaser, because if he scratches his CD, he's out $50-$70 or whatever games cost today, and he can't make backups. ----------------------Kaos-Keraunos-Kybernetos--------------------------- + ^ + :25Kliters anthrax, 38K liters botulinum toxin, 500 tons of /|\ \|/ :sarin, mustard and VX gas, mobile bio-weapons labs, nukular /\|/\ <--*-->:weapons.. Reasons for war on Iraq - GWB 2003-01-28 speech. \/|\/ /|\ :Found to date: 0. Cost of war: $800,000,000,000 USD. \|/ + v + : The look on Sadam's face - priceless! --------_sunder_ at _sunder_._net_------- http://www.sunder.net ------------ On 12 Oct 2003, Steve Furlong wrote: > On Sat, 2003-10-11 at 15:55, Tim May wrote: > > > As the saying goes, the lessons of the past are learned anew by each > > generation... > > And each generation invents sex, too. From sfurlong at acmenet.net Mon Oct 13 13:27:55 2003 From: sfurlong at acmenet.net (Steve Furlong) Date: 13 Oct 2003 16:27:55 -0400 Subject: Monkeys Control Robotic Arm With Brain Implants In-Reply-To: <5.2.1.1.0.20031013104542.05e677a0@mail.comcast.net> References: <5.2.1.1.0.20031013104542.05e677a0@mail.comcast.net> Message-ID: <1066076874.2307.2.camel@localhost.localdomain> On Mon, 2003-10-13 at 13:46, Steve Schear wrote: > Monkeys Control Robotic Arm With Brain Implants Which means that even armless retarded monkeys can post to c-punks. Profr, call your office! From sunder at sunder.net Mon Oct 13 14:33:41 2003 From: sunder at sunder.net (Sunder) Date: Mon, 13 Oct 2003 17:33:41 -0400 (edt) Subject: Software protection scheme may boost new game sales In-Reply-To: Message-ID: On Mon, 13 Oct 2003, Jerrold Leichter wrote: > different forms. It's been broken repeatedly. The one advantage they have > this time around is that CD readers - and, even more, DVD readers; there is > mention of applying the same trick to DVD's - is, compared to the floppy > readers of yesteryear, sealed boxes. It's considerably harder to get at the > raw datastream and play games. Of course, this cuts both ways - there are > limits to what the guys writing the protection code can do, too. >From the POV of a coder for this kind of protection, there's probably some API you can use to get at the error correction info somewhere -- or you can use timing info... i.e. ask for a bad sector, and see how long it takes to return the sector vs one that's supposed to be good... You can't stray too far from published API's, since if you do, you'll potentially break your game when future OS's, patches, service packs, hotfixes, or devices come out... I.E. if you don't support anything but IDE CDROM's, will you fuck users that use SATA, scsi, FireWire, or USB cdroms? etc... What happens under Windblows 2005? Does your business model say that they can't play on future OS's/hardware? You won't be in business very long if you do that. >From the POV of the cracker, you can write a driver that looks like a CDROM driver to the OS, and run the game. It would act as a proxy to the real CDROM, but also log any unusual activity (errors, odd timing, etc...) So then, the cracker can write a second virtual cdrom driver, one that passes through the usual data off the CDR copy, but for those "unusual" sectors that it captured earlier, replay the action. Might even want to do this with two machines so you lessen the chance that the game will find the original CD and ignore the virtual. :) Of course the game could somehow figure out if a CD is virtual - by getting driver information? But if you're sneaky enough you can make your virtual CDROM driver look like a second IDE controller, etc.. (see above about SATA, USB, etc...) Doing a search on google for "virtual cdrom" I see quite a few such beasts... It's possible one of these even has source code, but I don't much care to bother searching further as I've no interested in this except from the theoretical. :) (In terms of things like Linux/*BSD you don't need no stinkin' driver, you can directly mount an ISO file, but you could very easily write a block device driver that added the errors/delays or whatever these things depend on.) That said, the scheme isn't without merit provided that it tells the luser that he should purchase a real one.... maybe after it stops working pop up an ad and say "Now that you've played your friend's copy, and saw the demo, you can continue if you buy the full version..." I seem to remember lots of old Macintosh software doing this. You were allowed and even encouraged to copy the floppy it came on and give it to your friends. When your friend installed the software, it would ask for the serial #, (which you weren't supposed to give out.) At that point, it would go into demo mode and run for a week, or two, and then refuse to run. So if your friend wanted the cool program you recommended, they'd buy their own copy. I'm not sure how successful that was, but I'm assuming it did quite well... The difference between that and this, is that if you put the floppy on your fridge door with a magnet, you could always get your backup (or ask your friend for her copy.) With this, even if you have a legally purchased copy, one or two scratches and it's literraly "Game Over Man!" :) ----------------------Kaos-Keraunos-Kybernetos--------------------------- + ^ + :25Kliters anthrax, 38K liters botulinum toxin, 500 tons of /|\ \|/ :sarin, mustard and VX gas, mobile bio-weapons labs, nukular /\|/\ <--*-->:weapons.. Reasons for war on Iraq - GWB 2003-01-28 speech. \/|\/ /|\ :Found to date: 0. Cost of war: $800,000,000,000 USD. \|/ + v + : The look on Sadam's face - priceless! --------_sunder_ at _sunder_._net_------- http://www.sunder.net ------------ From sunder at sunder.net Mon Oct 13 14:37:09 2003 From: sunder at sunder.net (Sunder) Date: Mon, 13 Oct 2003 17:37:09 -0400 (edt) Subject: [linux-elitists] LOCAL Mountain View, California, USA: events this week (fwd from schoen@loyalty.org) In-Reply-To: <20031013205943.GM8800@leitl.org> Message-ID: Tell Intel simply: We don't want no "Scumware Inside" We won't buy NGSCB crippleware. Want to sell motherboards? Don't include this shit. Keep it simple. ----------------------Kaos-Keraunos-Kybernetos--------------------------- + ^ + :25Kliters anthrax, 38K liters botulinum toxin, 500 tons of /|\ \|/ :sarin, mustard and VX gas, mobile bio-weapons labs, nukular /\|/\ <--*-->:weapons.. Reasons for war on Iraq - GWB 2003-01-28 speech. \/|\/ /|\ :Found to date: 0. Cost of war: $800,000,000,000 USD. \|/ + v + : The look on Sadam's face - priceless! --------_sunder_ at _sunder_._net_------- http://www.sunder.net ------------ From jal at jal.org Mon Oct 13 15:39:23 2003 From: jal at jal.org (Jamie Lawrence) Date: Mon, 13 Oct 2003 18:39:23 -0400 Subject: Software protection scheme may boost new game sales In-Reply-To: References: Message-ID: <20031013223923.GB3128@clueinc.net> On Mon, 13 Oct 2003, Sunder wrote: > Ok, so I finally bothered to read said article. I assumed that they had [..] > a copy of a game from a friend, and it crashes on you all the time, would > you think it's because the copy is bad, or because the software is as > buggy as a Microsoft product? How is this different than shareware? For a while, and I think still, to some extent, annoying the user was considered marketing for app developers who were too small to get shelf space. At least in the Winows/Mac client markets. -j -- Jamie Lawrence jal at jal.org From s.schear at comcast.net Mon Oct 13 22:41:44 2003 From: s.schear at comcast.net (Steve Schear) Date: Mon, 13 Oct 2003 22:41:44 -0700 Subject: Monkeys Control Robotic Arm With Brain Implants In-Reply-To: <5.2.1.1.0.20031013104542.05e677a0@mail.comcast.net> Message-ID: <5.2.1.1.0.20031013224056.05e7efc8@mail.comcast.net> A pointer to the original journal article http://www.plos.org/downloads/plbi-01-02-carmena.pdf steve From eugen at leitl.org Mon Oct 13 13:59:43 2003 From: eugen at leitl.org (Eugen Leitl) Date: Mon, 13 Oct 2003 22:59:43 +0200 Subject: [linux-elitists] LOCAL Mountain View, California, USA: events this week (fwd from schoen@loyalty.org) Message-ID: <20031013205943.GM8800@leitl.org> ----- Forwarded message from Seth David Schoen ----- From bill.stewart at pobox.com Tue Oct 14 02:10:55 2003 From: bill.stewart at pobox.com (Bill Stewart) Date: Tue, 14 Oct 2003 02:10:55 -0700 (PDT) Subject: clicking on ads = funding terrorists In-Reply-To: <3F8AEA08.42CA829B@cdc.gov> References: <3F8AEA08.42CA829B@cdc.gov> Message-ID: <4917.216.240.32.1.1066122655.squirrel@smirk.idiom.com> > > Subject: US State Department extends FTO list to include Internet sites > > http://washingtontimes.com/national/20031010-112733-8086r.htm > Excerpted from politech. Consider the 1st Amend implications, > and how clicking on a banner ad (which automatically would > pay the source site) makes you a terrorist supporter. Got assets? Depends on how they get paid for the ads - if anybody still pays per view rather than per click-through, even looking at the site could count, at least if your local Feds listen to John Ashcroft. From nobody at nox.lemuria.org Mon Oct 13 20:21:21 2003 From: nobody at nox.lemuria.org (Anonymous) Date: Tue, 14 Oct 2003 05:21:21 +0200 (CEST) Subject: Software protection scheme may boost new game sales Message-ID: <07a61cbbc5d1b2caceec802c9ec437cb@nox.lemuria.org> Sunder wrote: > The only way that this could work is if they put up some sort of > splash screen at some point to let the luser know that the program > isn't buggy, but that the copy protection noticed it's a backup. > After all, if you get a copy of a game from a friend, and it crashes > on you all the time, would you think it's because the copy is bad, or > because the software is as buggy as a Microsoft product? Unnecessary. These guys know what they're doing. The scheme is very carefully targetted at the Warez scene. Software copy protection is usually cracked by a small number of people who compete for reputation. For a copy or a crack to be worth anything in a trade, it has to be something that the other guy doesn't yet have. Thus the core software piracy networks focus on cracking and trading new software as quickly as possible (the "zero day" scene). Fade's technique makes it much harder to test a crack. There could be any number of independent copy protection code fragments hidden throughout the software. The only way to tell if you've removed them all is to play the game in its entirety - a task requiring several days or more. By that time, the other guy has already released a (probably incomplete) crack, thus reducing the value of your work to zero. A kind of prisoner's dilemma (a game theory of game piracy?): the likely outcome is that incomplete cracks are released. It's these same copies and cracks that filter down through various kinds of markets and networks to the general public. This has already happened. I've seen a number of cracked and copied games over the past year or so that appear at first glance to function perfectly; it's only after playing for several hours that it becomes obvious something isn't working. The reaction of a player at getting "stuck" after investing several hours in a game isn't to simply toss it; it's to search the game hints sites and forums (which are numerous and lively) for a solution. A shareware-style nag message isn't needed to prompt this. If they discover rumors (accurate or not) that only illegal copies are affected, there's an incentive to purchase a legal copy if the game is of high quality; and a disincentive to waste their time on illegal copies in the future. Most people who use pirated software probably wouldn't use the same software if they had to pay for it. Fade isn't aimed at these users; it's aimed at the small percentage who would purchase a copy if they couldn't get it for free. It's possible a new market will emerge for "aftermarket" cracks, that fix the gaps in the zero-day versions. But this is only likely to happen for extremely popular games. The few people with the necessary skills have little incentive to deal with a month-old game unless it's an exceptional case. The long term outcome might be to increase sales of niche software and less popular games: anything good enough to attract loyal users, but slip beneath the radar of the zero day scene. From timcmay at got.net Tue Oct 14 09:31:36 2003 From: timcmay at got.net (Tim May) Date: Tue, 14 Oct 2003 09:31:36 -0700 Subject: clicking on ads = funding terrorists In-Reply-To: <4917.216.240.32.1.1066122655.squirrel@smirk.idiom.com> Message-ID: On Tuesday, October 14, 2003, at 02:10 AM, Bill Stewart wrote: >>> Subject: US State Department extends FTO list to include Internet >>> sites >>> http://washingtontimes.com/national/20031010-112733-8086r.htm >> Excerpted from politech. Consider the 1st Amend implications, >> and how clicking on a banner ad (which automatically would >> pay the source site) makes you a terrorist supporter. Got assets? > > Depends on how they get paid for the ads - if anybody still pays per > view > rather than per click-through, even looking at the site could count, > at least if your local Feds listen to John Ashcroft. > Such a case (of an individual being charged for clicking on a banner ad) will never go to trial, but if it did, an obvious defense would be that those who click on an ad are not the ones _paying_ any money to anyone. They lack "agency." And any argument that the act of clicking on a site or ad for "Kach" induces _others_ to pay money to Kach and hence is some kind of conspiracy to fund Kach would be laughed out of court. This year. Maybe not in three years, however, at the rate we are descending into Wonderland. --Tim May From shaddack at ns.arachne.cz Tue Oct 14 02:36:58 2003 From: shaddack at ns.arachne.cz (Thomas Shaddack) Date: Tue, 14 Oct 2003 11:36:58 +0200 (CEST) Subject: P2P Encrypted VOIP In-Reply-To: <200310131029.AA142475492@mail.mstar2.net> References: <200310131029.AA142475492@mail.mstar2.net> Message-ID: On Mon, 13 Oct 2003, Guerry Semones wrote: > I caught the announcement this morning from Skype concerning their > P2P-based VOIP (free) product. Apparently this is the Kazaa > founder's new company. The communications are supposed to be > encrypted, etc., etc. This was mentioned on a SepakFreely list as well. In short: Platform-locked (Windows-only). Closed-source (dubious crypto implementation). Proprietary technology (compatible only with itself). Vendor-dependence. The P2P-ness is a good idea, though. Why don't publish contact information in eg. Gnutella, as a small text (eg. XML) file, searchable by name? It shouldn't be impossible to write a helper program for SpeakFreely to access those. Several methods are possible, including yellow-pages servers in a DNS-like system; employing more than one at once could make it robust enough for practical use. Alternatively, why don't use an IM-like infrastructure for the call negotiations? Could we use IM of sort to set up the call? Combination of SpeakFreely with Jabber could solve most of the problems, from the contact publishing (where the "phone number" could equal the Jabber ID) to connection negotiation itself (where Jabber can provide the backbone for the signalling, telling each side the IP on which the communication partner resides, or if there is NAT involved and what measure to use then). Something principially similar to users telling each other over Jabber how to set the VoIP software, but automated. Jabber protocol is well-documented, clients exist for next to everything, next to everybody can run a server. Opinions, comments? From jya at pipeline.com Tue Oct 14 12:44:20 2003 From: jya at pipeline.com (John Young) Date: Tue, 14 Oct 2003 12:44:20 -0700 Subject: Test of BIOS Spyware Message-ID: We received the note below about spyware allegedly created for a Maryland agency with code which needs to be tested. We'd appreciate feedback on the note and the code. Beware of a sting. The code: http://cryptome.org/ExpCode.ASM ----- The note: CPR Tools Inc. of Labelle, Florida is engaged in the development of software which becomes part of the firmware BIOS of a PC motherboard and takes control of a users PC before the operating system is loaded. This enables the software to spy on the user and remain hidden to the operating system. The software is designed to be installed from a floppy disk which modifies the original BIOS, replacing it with the modified BIOS containing the "spyware" The software was developed for a government agency in Maryland. Versions of the software for a ASUS P4B266 motherboard and an IBM Netvista 8311 motherboard have been developed with other versions under development. Attached is a copy of the software, ExpCode.ASM, the version for the P4B266 motherboard. The .ASM file is assembled and converted into a .BIN file which is then pasted over a section of the original BIOS .BIN file. The checksum at the end of the BIOS is subsequently adjusted to make the BIOS checksum valid. Details: CPR Tools [http://www.cpr-tools.com] 730 East Cowboy Way Labelle, FL 33935 (863) 674-0120 Owners: Antonio Jesus Alvarez tony at netwacci.net Candy Michelle Alvarez ----- From ravage at einstein.ssz.com Tue Oct 14 13:28:55 2003 From: ravage at einstein.ssz.com (Jim Choate) Date: Tue, 14 Oct 2003 15:28:55 -0500 (CDT) Subject: [announce] Postponing CyberDawg (fwd) Message-ID: ---------- Forwarded message ---------- Date: Tue, 14 Oct 2003 13:58:20 -0500 From: David Nunez To: announce at effaustin.org Subject: [announce] Postponing CyberDawg Hi folks, As some of you may have heard, we were moving very fast on having a Cyberdawg next week. I spoke with JonL this morning and we decided to postpone the cyberdawg this month. We had picked the 21st as a good date because it coincided with a panel that the LBJ school was trying to pull together on eVoting. Unfortunately, the panel fell through. I decided that it would be useful to have an extra week or two to get a lot of the ducks in a row (ex. T-shirts) before having our event rather than trying to rush it. Next week's major event, then, will be the Wireless party on Thursday(?) for which EFF-A is a sponsor. It'll be useful for us to get the word out about this event. (details coming) Furthermore, I'll work again with Ruta Maya to nail down a different date (hopefully this won't be a big deal) and prepare fliers to pass around at the Wireless event. Thanks and sorry for the rampant misinformation, David Nunez david at davidnunez.com --------------------------------------------------------------------- To unsubscribe, e-mail: announce-unsubscribe at effaustin.org For additional commands, e-mail: announce-help at effaustin.org From howiegoodell at comcast.net Tue Oct 14 19:11:02 2003 From: howiegoodell at comcast.net (Howie Goodell) Date: Tue, 14 Oct 2003 22:11:02 -0400 Subject: [Fwd: [Msgs] Reminder--Computer Science Colloquium, 2:45-4:00, October 15] Message-ID: <3F8CACB6.3070107@comcast.net> A talk at the University of Massachusetts in Lowell, MA tomorrow (Wednesday): -------- Original Message -------- Subject: [Msgs] Reminder--Computer Science Colloquium, 2:45-4:00, October 15 Date: Tue, 14 Oct 2003 17:07:18 -0400 From: Gary Livingston To: cypherpunks at lne.com X-Orig-To: CC: Gary Livingston Colloquium Announcement Department of Computer Science UMass Lowell Title: Anonymous and Untraceable Communication in Mobile Wireless Networks Speaker: Jiejun Kong Time & Place: October 15th (Wednesday), 3:00-4:00, 311 Olsen Hall; snacks from 2:45-3:00 Abstract: Privacy in mobile wireless networks has different semantics from the traditional notion for banking systems and the wired Internet. In addition to traditional content privacy, mobile privacy also addresses security concerns for mobile node's identity and location, namely anonymity and location privacy. In this talk I will discuss anonymity and location privacy attacks as well as their countermeasures in mobile ad hoc networks, which can instantly establish a communication structure for civilian and military applications. We focus on passive routing attacks in hostile environments like battlefront. Anonymity and location privacy issues are critical for such scenarios, as allowing adversaries to trace network routes and infer the motion pattern of nodes at the end of those routes may pose serious threats to covert operations. The highly raised privacy demand poses challenging constraints on routing and data forwarding. ANonymous On Demand Routing (ANODR) is a multi-hop on demand routing scheme that can prevent wireless adversaries from compromising a mobile ad hoc network's anonymity and location privacy. ANODR provides anonymity service by dissociating the routing scheme from any naming scheme of network member's identity/address. This approach immediately achieves location privacy, and differentiates ANODR from other ad hoc routing schemes that mainly rely on nodes' address in data forwarding. It is verified by our simulation that the performance of (anonymous-only) ANODR is comparable to common on demand routing schemes currently in use (e.g., AODV). In addition, ANODR also implements untraceable routes so that passive adversaries cannot trace a packet flow to its source and sink. ANODR pays reasonable cost, such as neighborhood traffic mixing, to meet this privacy demand. It is verified by our simulation that the performance of (anonymous+untraceable) ANODR is more efficient than its peers designed for wired networks (e.g., MIX-Net). The underlying anonymity model of ANODR is a new one based on wireless broadcast, a ready-made mechanism in wireless networks and on-demand routing discovery processes. Though related research (Shields & Levin, CCS'00) has shown wired IP multicast can help anonymity, wireless broadcast is never used to achieve anonymity before ANODR's proposal "broadcast with anonymous trapdoor assignment". It is expected that our future work along this direction will lead to new means to provide anonymity and untraceability services to mobile wireless networks. Biographical Sketch of the Author: Jiejun Kong (jkong at cs.ucla.edu) is currently a Ph.D. candidate in Computer Science Department, University of California at Los Angeles (UCLA). He is interested in designing efficient, scalable, and robust security solutions for mobile wireless networks. His research topics include providing authentication/authorization/access control (AAA), secure routing, intrusion detection, and mobile privacy services to mobile ad hoc networks, in particular those with challenging network constraints and with very high security demands. Recently he focuses on anonymous and untraceable routing schemes. He has contributed to the design, implementation, and testing of network security protocols within ONR MINUTEMAN project, STTR project, and NSF iMASH project. _______________________________________________ msgs mailing list msgs at weblab.cs.uml.edu http://weblab.cs.uml.edu/mailman/listinfo/msgs -- Howie Goodell Howie at GoodL.org http://goodl.org Hardware control Visualization User interface UMassLowell Computer Science Doctoral Candidate From rpw at uni.de Tue Oct 14 14:32:34 2003 From: rpw at uni.de (Ralf-P. Weinmann) Date: Tue, 14 Oct 2003 23:32:34 +0200 Subject: Test of BIOS Spyware In-Reply-To: References: Message-ID: <20031014213234.GA17135@rbg.informatik.tu-darmstadt.de> On Tue, Oct 14, 2003 at 12:44:20PM -0700, John Young wrote: > We received the note below about spyware allegedly created for > a Maryland agency with code which needs to be tested. > We'd appreciate feedback on the note and the code. Beware > of a sting. The code: > > http://cryptome.org/ExpCode.ASM So what? The code hooks into the bootstrap phase of the BIOS, decompresses some unspecified stuff (I have not verified whether it actually *CAN* successfully decompress anything and what algorithm it uses; just skimmed the code to see whether it tries something really spiffy) and executes the injected code at the end of the BIOS bootstrap. This is *NOT* the interesting part. The interesting part is the payload it is to deliver. The claim "This enables the software to spy on the user and remain hidden to the operating system." rather interests me. How do they achieve this in an OS-agnostic fashion? I know this may be passing premature judgement, but to be honest I think the code looks pretty amateurish and has at most beta quality. Most Romanian virus writers should be able to come up with something better in less than a day. Give them a week and they have something that works on a *MUCH* wider range of hardware than just two types of mobos/machines. Thanks for the demonstration though. Does this agency seriously think we believe they might be using the above mentioned code in a "production environment" some day? Tsk tsk tsk... Cheers, Ralf -- Ralf-P. Weinmann From rpw at uni.de Tue Oct 14 14:56:59 2003 From: rpw at uni.de (Ralf-P. Weinmann) Date: Tue, 14 Oct 2003 23:56:59 +0200 Subject: Test of BIOS Spyware In-Reply-To: References: Message-ID: <20031014215659.GA19209@rbg.informatik.tu-darmstadt.de> On Tue, Oct 14, 2003 at 12:44:20PM -0700, John Young wrote: > We received the note below about spyware allegedly created for > a Maryland agency with code which needs to be tested. > We'd appreciate feedback on the note and the code. Beware > of a sting. The code: > > http://cryptome.org/ExpCode.ASM Note to author of code: Look into the "Scan User Flash Area" option if you ever have to pull this trick on a motherboard with an Intel BIOS. See [1] for instructions on how one might make use of it. Additional exercise: Enable "Scan User Flash Area" regardless of user setting. Cheers, Ralf [1] How to modify your PR440FXs BIOS images for netbooting http://www.beowulf.org/software/PR440FXNetboot.html -- Ralf-P. Weinmann From mv at cdc.gov Wed Oct 15 09:30:20 2003 From: mv at cdc.gov (Major Variola (ret)) Date: Wed, 15 Oct 2003 09:30:20 -0700 Subject: Monkeys Control Robotic Arm With Brain Implants Message-ID: <3F8D761C.79C33391@cdc.gov> > Re: Monkeys Control Robotic Arm With Brain Implants Congress is monkeys controlling sheep with words... From mv at cdc.gov Wed Oct 15 09:46:55 2003 From: mv at cdc.gov (Major Variola (ret)) Date: Wed, 15 Oct 2003 09:46:55 -0700 Subject: Software protection scheme may boost new game sales Message-ID: <3F8D79FF.946A0AE9@cdc.gov> At 04:22 PM 10/13/03 -0400, Sunder wrote: >The luser will think it's worth buying their own copy after getting >addicted to the game. ... >So the rub, is that copies are allowed to be made, but unless cracked, the >copies are nothing more than time limited demos. What's wrong with these things? They're not fraud. >The only way that this could work is if they put up some sort of splash >screen at some point to let the luser know that the program isn't buggy, >but that the copy protection noticed it's a backup. Which trivially eliminates your objections to the user thinking something is wrong. >As usual, the real loser is the original purchaser, because if he >scratches his CD, he's out $50-$70 or whatever games cost today, and he >can't make backups. Yes. The company *should* swap scratched originals to preserve this backup right, but I don't think they're legally required to. And the company won't be around forever, whereas backups can, so the swapping plan is inferior. *However*, as incrementally clever as this scheme is, it is succeptible to a CD dupe program that is bit for bit correct, no? And since the protected software *checks* the CD for the errors, than a CD bit-for-bit copier *must* be able to be written, no? Or is there a problem writing intentional-errors on consumer-grade CD burners? (If so, this is a good marketing tool; if not, this is going to be cracked.) From mv at cdc.gov Wed Oct 15 10:15:55 2003 From: mv at cdc.gov (Major Variola (ret.)) Date: Wed, 15 Oct 2003 10:15:55 -0700 Subject: Judge Orders Reporters (TM) to Reveal Sources Message-ID: <3F8D80CA.FB15DA03@cdc.gov> Judge Orders Reporters to Reveal Sources 4 News Organizations Told to Identify Officials Interviewed in Wen Ho Lee Reports ... His lawyers have encountered what the judge described as "a pattern of denials, vague or evasive answers, and stonewalling" on the part of the government officials they questioned. That gives Lee's attorneys the right, Jackson said, to demand that certain journalists who wrote about the case say which officials might have provided the information. "This is kind of bad news," said Lucy Dalglish, executive director of the Washington-based Reporters Committee for Freedom of the Press. She said it is highly unusual for a judge to order so many reporters at once to divulge their sources and almost unprecedented in a case in which no criminal actions are alleged. ... http://www.washingtonpost.com/ac2/wp-dyn/A26919-2003Oct14?language=printer From eugen at leitl.org Wed Oct 15 08:14:17 2003 From: eugen at leitl.org (Eugen Leitl) Date: Wed, 15 Oct 2003 17:14:17 +0200 Subject: C3 Nehemia C5P with better hardware RNG and AES support Message-ID: <20031015151417.GG18455@leitl.org> News in from San Jose microprocessor forum: latest VIA C3 C5P does 1 GHz at 7 W power dissipation, has now two hardware RNG engines (and two x86 opcodes to read them), and an Advanced Cryptography Engine which can do AES (Rijndael128? doesn't say) at 12.5 GBit/s rate. Next-generation (Esther, early 2004) will add SHA-1 support in hardware. -- Eugen* Leitl leitl ______________________________________________________________ ICBM: 48.07078, 11.61144 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE [demime 0.97c removed an attachment of type application/pgp-signature] From eugen at leitl.org Wed Oct 15 08:22:05 2003 From: eugen at leitl.org (Eugen Leitl) Date: Wed, 15 Oct 2003 17:22:05 +0200 Subject: C3 Nehemia C5P with better hardware RNG and AES support Message-ID: <20031015152205.GJ18455@leitl.org> (got booted off the list due to bounces) News in from San Jose microprocessor forum: latest VIA C3 C5P does 1 GHz at 7 W power dissipation, has now two hardware RNG engines (and two x86 opcodes to read them), and an Advanced Cryptography Engine which can do AES (Rijndael128? doesn't say which) at 12.5 GBit/s rate. Next-generation (Esther, early 2004) will add SHA-1 support in hardware. -- Eugen* Leitl leitl ______________________________________________________________ ICBM: 48.07078, 11.61144 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE [demime 0.97c removed an attachment of type application/pgp-signature] From rpw at uni.de Wed Oct 15 14:06:11 2003 From: rpw at uni.de (Ralf-P. Weinmann) Date: Wed, 15 Oct 2003 23:06:11 +0200 Subject: C3 Nehemia C5P with better hardware RNG and AES support In-Reply-To: <20031015151417.GG18455@leitl.org> References: <20031015151417.GG18455@leitl.org> Message-ID: <20031015210611.GA9805@rbg.informatik.tu-darmstadt.de> On Wed, Oct 15, 2003 at 05:14:17PM +0200, Eugen Leitl wrote: > News in from San Jose microprocessor forum: > > latest VIA C3 C5P does 1 GHz at 7 W power dissipation, > has now two hardware RNG engines (and two x86 opcodes to > read them), and an Advanced Cryptography Engine > which can do AES (Rijndael128? doesn't say) at > 12.5 GBit/s rate. Look at the PadLock ACE programming guide [1]. Only seems to support Rijndael with a block size of 128 bits (= AES); it allows both key scheduling in hardware and in software, the latter allowing you to have your own custom key schedule. It also allows you to increase the number of rounds if you think Rijndael-128's security margins are too low. Props to the VIA engineers for both the customizability. The errate are funny as well. Looks like the current stepping has a bug in the key schedule for 192 and 256 bit keys. Cheers, Ralf [1] VIA PadLock ACE programming guide http://www.via.com.tw/en/images/Products/eden/pdf/PadLock_ACE_prog_guide.pdf -- Ralf-P. Weinmann From rah at shipwright.com Wed Oct 15 21:30:55 2003 From: rah at shipwright.com (R. A. Hettinga) Date: Thu, 16 Oct 2003 00:30:55 -0400 Subject: VIA wows with nano-sized x86, entropy-based security, tiny PCs Message-ID: A few years ago, I remember being called into at least two chip companies and telling them they really should build something like this. They paid me anyway, but it's too bad they didn't actually build it. Glad *someone* did, though. :-). Here's hoping it works... Cheers, RAH ------ LinuxDevices.com VIA wows with nano-sized x86, entropy-based security, tiny PCs Oct. 15, 2003 At the Microprocessor Forum in San Jose, Calif. this week, VIA Technologies unveiled the VIA Eden-N processor, a tiny x86 processor in a nanoBGA package measuring just 15 x 15mm -- roughly the size of a U.S. penny. VIA says the new chip, which is based on a streamlined version of its Nehemiah processor core, is less than half the size of Intel's Pentium M processor. According to VIA, the Eden-N achieves a Thermal Design Power of just 7 Watts at 1GHz. Of note, 7 Watts happens to be considered the magic number for maximum processor power consumption for "typical fanless notebook designs," according to Transmeta, which also unveiled its latest low-power x86 compatible processor , the Efficeon, at this week's Microprocessor Forum. Entropy-based security VIA says it added a significant enhancement to the security features of the on-chip PadLock Security Suite contain within the Eden-N's Nehemiah processor core. A new PadLock Advanced Cryptography Engine (PadLock ACE) and two hardware based random number generators (RNGs) can support the US government approved Advanced Encryption Standard (AES) and can supply cryptographic functions for securing email, personal files, online transactions, and networks (including the latest high-bandwidth 802.11g wireless networks). According to VIA, PadLock ACE encrypts at rates up to 12.5 Gbps on a 1GHz VIA Eden-N processor, which is "more than eight times faster than the best software AES implementation from a power hungry 3GHz Intel Pentium 4 processor based system that encrypts at a rate of a mere 1.5 Gbps." In contrast to software RNGs or multi-chip hardware solutions, the VIA's PadLock technology generates entropy-based RNGs for security keys by deriving entropy from electrical noise on the CPU itself. The entropy value is stored in a collection buffer where it can be accessed directly via a dedicated x86 instruction set without the use of vulnerable software drivers. According to VIA, security applications that leverage the capabilities of the PadLock Security Suite can be deployed quickly and easily across a broad range of devices including PCs, thin clients, set top boxes, home digital entertainment centers, point of sale terminals, and intelligent network routers in a wide variety of wired and wireless networking environments. VIA expects the security support to be useful in applications such as Virtual Private Networks (VPNs), corporate peer-to-peer LANs with restricted access for sensitive projects, and home wireless networks. "With the PadLock Security Suite, VIA is providing the essential security building blocks for free," noted Richard Brown, VIA associate vice president of marketing. "The PadLock Security Suite enables developers to create stronger, more powerful security systems that are independent of the operating system and can be tailored to meet the real security needs of corporate, government and individual customers." "Our developers have written device drivers for numerous PCI cryptographic devices, which were expensive, slow, buggy, and over-complicated," commented Theo de Raadt, OpenBSD Project Leader. "There's just no way to describe how happy we were to find such an inexpensive, blazingly fast, and correctly operating device as the VIA Eden-N processor's PadLock ACE . . . and best of all, it was almost trivial to add support. We hope this new functionality becomes very widespread in the near future." Demos at Microprocessor Forum 2003 VIA showcased several small form-factor motherboards and PCs based on its Eden processors, including its recently unveiled Nano-ITX motherboard form-factor and several tiny fan-less PCs. These especially caught our eye . . . (Note: click each image for a larger view; click each title for further info) VIA Nano-ITX motherboard -- VIA's Nano-ITX form-factor measures just 4.7 x 4.7 in. and represents the "smallest standard platform with full PC functionality," according to VIA CEO Wenchi Chen. Nimble V5 -- this tiny format PC is currently based on a 733 MHz VIA Eden processor with up to 512MB DDR SDRAM and a built-in hard drive. It includes four USB 2.0 ports, two Ethernet ports, four PS/2 ports, two VGA outputs, and provides a PCMCIA Type II slot for wireless or other expansion -- all within a mere 2 x 7.7 x 7.7 inch form-factor. Mini-Box M100 -- a tiny PC which resembles an in-dash car stereo. It's based on VIA's Mini-ITX motherboards and powered by 12VDC, and has a built-in LCD display and customizable 14-key keypad, eliminating the need for a keyboard or mouse. Supports Windows and Windows CE. Currently based an 800MHz Eden processor two 168-pin DIMM memory sockets and includes interfaces for Ethernet, VGA and TV graphics, audio in/out, IDE hard drive, USB, printer port, serial ports, PS/2 ports, 4 GPIO bits, PCI card expansion, and front-panel accessible CompactFlash. Wow! -- ----------------- R. A. Hettinga The Internet Bearer Underwriting Corporation 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com From mv at cdc.gov Thu Oct 16 09:47:19 2003 From: mv at cdc.gov (Major Variola (ret)) Date: Thu, 16 Oct 2003 09:47:19 -0700 Subject: C3 Nehemia C5P with better hardware RNG and AES support Message-ID: <3F8ECB96.F4A9FDD5@cdc.gov> At 11:06 PM 10/15/03 +0200, Ralf-P. Weinmann wrote: >On Wed, Oct 15, 2003 at 05:14:17PM +0200, Eugen Leitl wrote: >> latest VIA C3 C5P does 1 GHz at 7 W power dissipation, >> has now two hardware RNG engines (and two x86 opcodes to >> read them), and an Advanced Cryptography Engine >> which can do AES (Rijndael128? doesn't say) at >> 12.5 GBit/s rate. > >Look at the PadLock ACE programming guide [1]. Only seems to support Rijndael >with a block size of 128 bits (= AES); it allows both key scheduling in >hardware and in software, the latter allowing you to have your own custom >key schedule. It also allows you to increase the number of rounds if you >think Rijndael-128's security margins are too low. Props to the VIA engineers >for both the customizability. Which is unlikely to be used, at it would be incompatible with everything else. The "customizability" is likely a flexibility they built for their own (debug, architectural) reasons and decided to expose to users. What they need is a USB or Ethernet interface to catch up to others. However the attraction of a relatively fast x86 (vs say a 100 Mhz MIPS or ARM) might offset this lack of integration for some designs. Am surprised not to see a little DES core stuffed into the spare space on the die, but kinda nostalgically pleased to see DES's EOL. RIP. >The errate are funny as well. Looks like the I found the following lexical rule mildly amusing, because I have seen the same thing added to military docs to make them politically correct (he -> he or she) without editing the whole damn thing. "NOTE: Throughout this document, a reference to encryption generally means both encryption and decryption." From eugen at leitl.org Thu Oct 16 02:43:50 2003 From: eugen at leitl.org (Eugen Leitl) Date: Thu, 16 Oct 2003 11:43:50 +0200 Subject: [p2p-hackers] P2P in NS-2 (fwd from izzy@lina.es.ncku.edu.tw) Message-ID: <20031016094350.GU19642@leitl.org> ----- Forwarded message from izzy ----- From izzy at lina.es.ncku.edu.tw Wed Oct 15 23:41:31 2003 From: izzy at lina.es.ncku.edu.tw (izzy) Date: Thu, 16 Oct 2003 14:41:31 +0800 Subject: [p2p-hackers] P2P in NS-2 Message-ID: Dear Thiago and Sam, MIT seems to be developing a new extensible simulator for P2P , including Chord, Kademlia,Koorde,pastry, tapestry routing simulation. It is not yet published. Take a look at CVS : http://pdos.lcs.mit.edu/cgi-bin/cvsweb.cgi/sfsnet/p2psim/ It might help~~ Ian Lee _______________________________________________ p2p-hackers mailing list p2p-hackers at zgp.org http://zgp.org/mailman/listinfo/p2p-hackers _______________________________________________ Here is a web page listing P2P Conferences: http://www.neurogrid.net/twiki/bin/view/Main/PeerToPeerConferences ----- End forwarded message ----- -- Eugen* Leitl leitl ______________________________________________________________ ICBM: 48.07078, 11.61144 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE [demime 0.97c removed an attachment of type application/pgp-signature] From pgut001 at cs.auckland.ac.nz Wed Oct 15 20:18:18 2003 From: pgut001 at cs.auckland.ac.nz (Peter Gutmann) Date: Thu, 16 Oct 2003 16:18:18 +1300 Subject: C3 Nehemia C5P with better hardware RNG and AES support Message-ID: <200310160318.h9G3IIq08437@cs.auckland.ac.nz> "Ralf-P. Weinmann" writes: >Look at the PadLock ACE programming guide The security app note is also entertaining reading. For example it lists one of the motivations for getting security right as "your husband may find out ...". On why they didn't save a copy of the test data for the NIST suite: "(Hey, do you have 10TB of disk drives lying around? We can fill a 30 GB drive with raw bits in a little more than 30 minutes - if the drive controller can keep up with us.)". And a little further on it refers readers to "Marketing quote from CRI" (which was a slip-up this time). The app note was actually written by humans. Cool. Peter. From ravage at einstein.ssz.com Fri Oct 17 06:52:15 2003 From: ravage at einstein.ssz.com (Jim Choate) Date: Fri, 17 Oct 2003 08:52:15 -0500 (CDT) Subject: Inferno: Cold War encryption laws stand, but not as firmly | CNET News.com (fwd) Message-ID: This is great news for crypto... http://news.com.com/2100-1028_3-5092154.html?tag=nefd_top -- -- Lo! Men have become the tools of their tools - H.D. Thoreau ravage at ssz.com jchoate at open-forge.com www.ssz.com www.open-forge.com From ptrei at rsasecurity.com Fri Oct 17 07:13:50 2003 From: ptrei at rsasecurity.com (Trei, Peter) Date: Fri, 17 Oct 2003 10:13:50 -0400 Subject: Inferno: Cold War encryption laws stand, but not as firmly | CNET News.com (fwd) Message-ID: > Jim Choate[SMTP:ravage at einstein.ssz.com] > > Subject: Inferno: Cold War encryption laws stand, but not as firmly | > CNET News.com (fwd) > > This is great news for crypto... > > http://news.com.com/2100-1028_3-5092154.html?tag=nefd_top > > [Judge Patel throws out Bernstein case after USG 'promises' not to enforce the laws requiring notification of publication of crypto source code] No, this is NOT great news. The law stands, and promises from a government agent are of questionable sincerity. If a researcher publishes crypto source, the law is still a sword of Damocles hanging over his head, ready to fall if he displeases the powers that be. Great news would have been Judge Patel declaring the law unconstitutional, or (better) the USG repealing the law. Ayn Rand, wrong about so many things, had it right: "There's no way to rule innocent men. The only power any government has is the power to crack down on criminals. Well, when there aren't enough criminals one makes them. One declares so many things to be a crime that it becomes impossible for men to live without breaking laws." Peter Trei Disclaimer: My opinions only. From ravage at einstein.ssz.com Fri Oct 17 08:34:47 2003 From: ravage at einstein.ssz.com (Jim Choate) Date: Fri, 17 Oct 2003 10:34:47 -0500 (CDT) Subject: Inferno: Cold War encryption laws stand, but not as firmly | CNET News.com (fwd) In-Reply-To: Message-ID: On Fri, 17 Oct 2003, Trei, Peter wrote: > > Jim Choate[SMTP:ravage at einstein.ssz.com] > > > > Subject: Inferno: Cold War encryption laws stand, but not as firmly | > > CNET News.com (fwd) > > > > This is great news for crypto... > > > > http://news.com.com/2100-1028_3-5092154.html?tag=nefd_top > > > > > [Judge Patel throws out Bernstein case after USG 'promises' not > to enforce the laws requiring notification of publication of crypto > source code] There was something else in that story that was even more important than this ruling. What was it Peter? This is a great reason not to rely on other peoples synopsis and read the articles for yourself. Think for yourself. Computer code was found to have 1st Amendment protection. It was a form of communications. -- -- Lo! Men have become the tools of their tools - H.D. Thoreau ravage at ssz.com jchoate at open-forge.com www.ssz.com www.open-forge.com From imnothere at foo.com Fri Oct 17 15:31:23 2003 From: imnothere at foo.com (MrNerdHair) Date: Fri, 17 Oct 2003 18:31:23 -0400 Subject: JBNv2, GPG on XP help Message-ID: <3F906DBB.8030904@foo.com> Does anyone have a link to a current FAQ or something similar describing how to set up Jack B. Nymble v2 on WinXP (yes, I know it _is_ the scourge of the devil, I only use it on my laptop) with GnuPG? I'm an open source buff and have tried to get the combination to work, to no avail. ----------------------------------------------------------- **From the guy whose hair will never go down** Geek Code: GCS/CM/IT/MC/S/O d-(?) s-:+ a! C++ UL++++(+++)>$ P+>+++ L++++>+++++$ E---(-) W+++$ N>++ o? K++ w---(--) O- M(--) V-(--) PS--(+) PE(+) Y+(++) PGP++(+++) t+++* 5-(--) X(-) R-@ tv+@ b-()>+ DI++++ D>++ G++ e->++ h!*>++ r! y? From nobody at nox.lemuria.org Sat Oct 18 01:50:22 2003 From: nobody at nox.lemuria.org (Anonymous) Date: Sat, 18 Oct 2003 10:50:22 +0200 (CEST) Subject: LOCAL Mountain View, California, USA: events this week Message-ID: <0d6eef75e2b94b78a025ea805e4fb86d@nox.lemuria.org> Seth Schoen writes: > Intel has posted its Policy Statement on LaGrande Technology: > > ftp://download.intel.com/technology/security/downloads/LT_policy_statement_0_ > 8.pdf > > LaGrande is in the interstices between TCG and NGSCB. Rather, it seems that LaGrande is the hardware component of NGSCB, and that TCG is evolving to be more like NGSCB. > Anyway, Intel wants your comments on the LT policy. The thing that > jumps out at me (as the author of "Trusted Computing: Promise and > Risk") is that Intel thinks that opt-out or opt-in can solve the > problems of attestation. This is the official view of a lot of > trusted computing proponents. The defects of this view are difficult > to describe and are complicated by the fact that some trusted > computing critics don't believe that LT (or TCG or NGSCB) will > actually provide an opt-out. (I do believe this.) It is indeed difficult to discuss these issues dispassionately in the current atmosphere of distrust and suspicion. You and the EFF are doing a good job overall of remaining objective, although as a result some are accusing you of being shills for Microsoft and DRM. > The root of the difficulty is that, in the nature of attestation, you > can be _punished_ for opting out (beyond the scope of simply not > enjoying particular features to which what you opted out of is > technically necessary). The real issue is this. Attestation will allow a service provider to withhold his services unless you are using TC technology and running a particular software program of his choice. Thus you may need to opt in in order to use his services. Now, some people characterize this as a loss of choice, or as you put it, as allowing you to be punished for opting out. Suppose the service being offered is extremely valuable, like cheap movie downloads. And suppose almost everyone opts in to use these services, enabling TC and running the approved clients. Now you can opt out, but only at the expense of cutting yourself off from the flow of information that everyone else is enjoying. The same effect can occur in a decentralized network. If there is some P2P program which uses TC to make sure that people are running kosher clients, and you opt out of TC, you can't participate in the network. This makes it seem that you are being punished for your decision. There are two problems with this analysis. The first is that it overlooks that some of these services will only be provided if TC exists to assure that the data will be handled properly. Without TC there may be no such service. Characterizing TC as limiting choice or punishing those who opt out overlooks the advantages being provided to those who opt in by allowing them access to a service which might not otherwise exist. The more popular a service is, and the more people who opt in as a result, the harder it is to justify opposing the technology that made the service possible and allowed all those people to get access to an information flow which is important to them. By focusing on those who wish to opt out, the analysis overlooks the larger group who benefits by opting in. And second, your analysis overlooks the fact that any economic transaction has two sides: producer and consumer. Both have economic power in a competitive market. Producers are not able to simply set the terms and require consumers to accept them. Rather, there is a constant flow, a give and take, between all sides, evolving to a mutually acceptable condition. Look at what is happening with digital music stores today. Some, like Apple's service, offer music with relatively weak DRM restrictions. Others have offered more limitations and harsher rules. Consumers will soon have a wide range of choices, and this will allow the market to select the best mix of limitations and prices. We are evolving to a state of "DRM lite" which offers mild restrictions that allow people to use their music in the ways they want, but makes it hard to share it with millions of their best friends on the net. Similarly, even though TC in principle allows service providers to impose Draconian restrictions, the marketplace won't just stand by and let it happen. Consumers are not passive sheep; they are active and intelligent, and they usually have a better idea of what is in their own best interests than those of us who are policy activists. We could do a lot worse than to stand aside and let the market decide which technologies solve people's problems. If TC is so bad for consumers, it will fail. (Some cypherpunk types have predicted that TC will be mandated by law, such as the CBDTPA, and certainly I would agree that any such measures should be opposed.) > In the nature of attestation and its effect on interoperability, > though, opting out of attestation might be ruinous for your hopes of > communicating with others. If they can be induced to use proprietary > protocols or file formats, opting out may lead to a permanent > inability to exchange data with them. Of course, we see this already to some extent, with any software program that uses proprietary data formats. Programs using open formats compete with programs that use closed formats, and users can choose which ones to use. You speak of users being "induced" to use proprietary formats, but that disparages their abilities to make choices that reflect their own best interests. It's also not clear how attestation applies to this case. As has been noted elsewhere [1], the protection of proprietary data formats is more due to sealed storage than attestation. The bottom line is that if the person you want to communicate with is using a program that relies on proprietary data formats (one which won't save or present the data in an open format), you either need to run the same program, or else you need to persuade the other guy to switch. That's true today and it will be true tomorrow. The only thing TC adds is to make it more difficult and expensive to reverse engineer the data format, but I believe that even without TC, formats can be designed and software can be written which is extremely expensive to reverse engineer, especially in conjunction with existing legal restrictions. TC will only raise an already very high bar a little higher, as far as this issue goes. It doesn't make any fundamental changes. I believe that open formats are superior and that programs which rely on them will ultimately come to succeed in the marketplace. Consumers want open formats because it saves them from being locked into a single vendor and left orphaned if that company fails. These kinds of pressures will save us from the worst excesses you fear, with or without TC. > Opting in, by the same token, > could lead to a permanent loss of software choice (and the effective > inability to reverse engineer or repair your software) at least during > the particular periods of time when you want to communicate with other > people or manipulate what they sent you. It's somewhat contradictory to speak of a "permanent" loss of choice only during "particular periods of time". Permanent normally connotes a property that applies all the time. But again, what this comes down to is that if everyone else is using a proprietary format, you have to use the same program that they do. I don't think people are going to continue to put up with this indefinitely. > [T]rusted computing systems fundamentally alter trust relationships. > Legitimate concerns about trusted computing are not limited to one > area, such as consumer privacy or copyright issues. Trusted computing systems allow for new forms of trust relationships that are not possible today. === [1] http://invisiblog.com/1c801df4aee49232/ From mv at cdc.gov Sat Oct 18 11:52:53 2003 From: mv at cdc.gov (Major Variola (ret)) Date: Sat, 18 Oct 2003 11:52:53 -0700 Subject: LOCAL Mountain View, California, USA: events this week Message-ID: <3F918C05.2FE7783C@cdc.gov> At 02:04 PM 10/18/03 +0200, Eugen Leitl wrote: >It takes a broken P2P service to be brought down by a few unkosher binaries. >Trust accounting and agoric load levelling don't take Pd hardware. Nice translation. Main Entry: ag7o7ra Pronunciation: 'a-g&-r& Function: noun Inflected Form(s): plural -ras or ag7o7rae /-"rE, -"rI/ Etymology: Greek, from ageirein to gather Date: 1589 : a gathering place; especially : the marketplace in ancient Greec >A palladium-plated turd is still a turd at its heart. A quotable quote. >Look at concentration in scientific publishing. Tell me how Palladium will >reduce the monopolist stranglehold, reduce the prices and make scientific >information available to the largerst possible audience. The Elseviers compete with the xxx.lanls. As do journals that charge the author to publish with those that don't. Etc. >A manipulated market is no longer a competitive market. Producers and >consumers do not have equivalent leverage. The invisible hand is flipping >us the bird. Of course you know that, TCPA >troll. Market manipulation is only done using violence. Only the government or other mafias manipulate markets. The rest (aquisitions, proprietary formats, bundling and giving it away free) is a perhaps more savage ecosystem than you prefer, but that's life. >There is no such thing as a weak DRM. There is no such thing as DRM for analog content. Only for machine-executable interactive content (eg games). The gamer-publisher vs. cracker war has been going on indefinately, even when it was putting a slug into a pinball machine. Either I do have the raw bits of an >open format and the according transducer to render it into direct >monkey-consumables, or not. The rights are volatile, and subject to change. >Everything enforcible will be enforced, and a good hardened Palladium makes a >great many evils possible. So? Think of it as free advertising for *nix. And it works, too, many have $witched. >What's your problem with music industry getting out of business? What's your >problem with a greatly diminished copyright enforcement, and free sharing of >information? I personally have no problem with intermediaries of any form going extinct. I have moral problems with tossing copyright out, but have learned that the only way to prevent their weakening is a police state. Unless 'trusted' stuff is *required*, people will decide, and they need not decide homogenously. If they decide foolishly, well, that's their choice, evolution never sleeps. As Schneier once wrote, offer a free hamburger for DNA samples and they'll line up around the block. >Users don't CHOOSE, you Palladium troll. They didn't knew an open format if >it bit them in the ass. Their bosses choose, the monopolist choses for them >via default-bundle and lock-in. Are there no home-Mac users who work for entities that require PC usage? From eugen at leitl.org Sat Oct 18 05:04:27 2003 From: eugen at leitl.org (Eugen Leitl) Date: Sat, 18 Oct 2003 14:04:27 +0200 Subject: LOCAL Mountain View, California, USA: events this week In-Reply-To: <0d6eef75e2b94b78a025ea805e4fb86d@nox.lemuria.org> References: <0d6eef75e2b94b78a025ea805e4fb86d@nox.lemuria.org> Message-ID: <20031018120427.GH2376@leitl.org> On Sat, Oct 18, 2003 at 10:50:22AM +0200, Anonymous wrote: > > It is indeed difficult to discuss these issues dispassionately in the > current atmosphere of distrust and suspicion. You and the EFF are doing Ah, these unreasonable critics, revelling in pure paranoia. It's, of course, entirely clear the vendors are emanating pure milk of human kindness. Having only the best interests of their customers at heart. Sure, we've forgotten all about the true intents, the leaked documents. Every iteration is a clean slate, no one is remembering the past lies. Cypherpunks have no clue about the importance of a trust track. Right. We're all just babes in the woods. > a good job overall of remaining objective, although as a result some > are accusing you of being shills for Microsoft and DRM. No, that'd be you. The usual FUD & lies channel. Thankfully, your views stink so much it takes only a periodic reminder on which payroll you are. > The real issue is this. Attestation will allow a service provider to > withhold his services unless you are using TC technology and running a > particular software program of his choice. Thus you may need to opt in > in order to use his services. Such as using ISP sevices. All of them. Obligate authentication to just go online. > Now, some people characterize this as a loss of choice, or as you put it, Some people? Traitors, and terrorists! Criminals and pedophiles, the sundry lot. > as allowing you to be punished for opting out. Suppose the service being > offered is extremely valuable, like cheap movie downloads. And suppose Like routable TCP/IP. No shoes, no cert, no service. Like accessing the basic Elsevier information, keyed to your cert. Limited life-time eyes-only documents, to make whistleblowing harder. > almost everyone opts in to use these services, enabling TC and running the > approved clients. Now you can opt out, but only at the expense of cutting > yourself off from the flow of information that everyone else is enjoying. > > The same effect can occur in a decentralized network. If there is some > P2P program which uses TC to make sure that people are running kosher > clients, and you opt out of TC, you can't participate in the network. It takes a broken P2P service to be brought down by a few unkosher binaries. Trust accounting and agoric load levelling don't take Pd hardware. A palladium-plated turd is still a turd at its heart. > This makes it seem that you are being punished for your decision. > > There are two problems with this analysis. The first is that it overlooks > that some of these services will only be provided if TC exists to assure > that the data will be handled properly. Without TC there may be no Put a smartcard reader into the keyboard. Define a crypto hardware standard, and bundle a card with each motherboard and PC. That would be a good thing. > such service. Characterizing TC as limiting choice or punishing those > who opt out overlooks the advantages being provided to those who opt in > by allowing them access to a service which might not otherwise exist. Let those who want a limit on their choice pay for and insert the card themselves. > The more popular a service is, and the more people who opt in as a result, > the harder it is to justify opposing the technology that made the service > possible and allowed all those people to get access to an information > flow which is important to them. By focusing on those who wish to opt > out, the analysis overlooks the larger group who benefits by opting in. Look at concentration in scientific publishing. Tell me how Palladium will reduce the monopolist stranglehold, reduce the prices and make scientific information available to the largerst possible audience. > And second, your analysis overlooks the fact that any economic transaction > has two sides: producer and consumer. Both have economic power in a > competitive market. Producers are not able to simply set the terms and A manipulated market is no longer a competitive market. Producers and consumers do not have equivalent leverage. The invisible hand is flipping us the bird. Of course you know that, TCPA troll. > require consumers to accept them. Rather, there is a constant flow, > a give and take, between all sides, evolving to a mutually acceptable > condition. Rejoice everybody. Halleluja! > Look at what is happening with digital music stores today. Some, like > Apple's service, offer music with relatively weak DRM restrictions. There is no such thing as a weak DRM. Either I do have the raw bits of an open format and the according transducer to render it into direct monkey-consumables, or not. The rights are volatile, and subject to change. Everything enforcible will be enforced, and a good hardened Palladium makes a great many evils possible. > Others have offered more limitations and harsher rules. Consumers will > soon have a wide range of choices, and this will allow the market to Such as sharing that content freely? That'd be a cold day in hell, Palladium troll. > select the best mix of limitations and prices. We are evolving to a > state of "DRM lite" which offers mild restrictions that allow people > to use their music in the ways they want, but makes it hard to share it > with millions of their best friends on the net. What's your problem with music industry getting out of business? What's your problem with a greatly diminished copyright enforcement, and free sharing of information? Paint the worst picture you can. (Of course you've avoided answering so far, because that'd be exposing your views as the corporate-financed lies they are). > Similarly, even though TC in principle allows service providers to > impose Draconian restrictions, the marketplace won't just stand by and > let it happen. Consumers are not passive sheep; they are active and Oh yes, now you're suggesting to ignore the history of what has already happened. What the educated, active, intelligent consumers have let happen. > intelligent, and they usually have a better idea of what is in their > own best interests than those of us who are policy activists. Bullcrap. The majority has no clue, and never had. It's the reason we're having the current debacle. > We could do a lot worse than to stand aside and let the market decide > which technologies solve people's problems. If TC is so bad for > consumers, it will fail. (Some cypherpunk types have predicted that Go ask a fucking consumer what Palladium, TCPA, or whatever it's name happens to be today (funny they keep changing the names, huh?) is. Most top end notebooks already ship with Pd onboard, not widely advertised, though. I wonder about that, now that's it's such a nice feature. > TC will be mandated by law, such as the CBDTPA, and certainly I would > agree that any such measures should be opposed.) Now you're asking us to trust lawyers and feds, as well as corporate interests. This is just getting better and better by the moment. > Of course, we see this already to some extent, with any software program > that uses proprietary data formats. Programs using open formats compete > with programs that use closed formats, and users can choose which ones > to use. You speak of users being "induced" to use proprietary formats, Users don't CHOOSE, you Palladium troll. They didn't knew an open format if it bit them in the ass. Their bosses choose, the monopolist choses for them via default-bundle and lock-in. > but that disparages their abilities to make choices that reflect their > own best interests. Blow me. I have better things to do with my Saturday than to post token refutations. Let somebody else deconstruct your drivel. > Trusted computing systems allow for new forms of trust relationships that > are not possible today. Yes, and new forms of abuses and controls not possible today. Let the lobbies fight this out. The educated, intelligent, choosing consumer will swallow either result. -- Eugen* Leitl leitl ______________________________________________________________ ICBM: 48.07078, 11.61144 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE [demime 0.97c removed an attachment of type application/pgp-signature] From pgut001 at cs.auckland.ac.nz Sat Oct 18 03:11:17 2003 From: pgut001 at cs.auckland.ac.nz (Peter Gutmann) Date: Sat, 18 Oct 2003 23:11:17 +1300 Subject: C3 Nehemia C5P with better hardware RNG and AES support Message-ID: <200310181011.h9IABHW24935@cs.auckland.ac.nz> In case anyone's interested, there's a cpu die photo at http://www.sandpile.org/impl/pics/centaur/c5xl/die_013_c5p.jpg showing the amount of real estate consumed by the crypto functions (it's the bottom centre, a bit hard to read the label). Peter. From dave at farber.net Sun Oct 19 11:52:38 2003 From: dave at farber.net (Dave Farber) Date: Sun, 19 Oct 2003 14:52:38 -0400 Subject: [IP] FCC readies rule to block Internet piracy Message-ID: >Delivered-To: dfarber+ at ux13.sp.cs.cmu.edu >Date: Sun, 19 Oct 2003 08:10:34 -0700 >From: Dewayne Hendricks >= > >FCC readies rule to block Internet piracy > >By Jonathan Krim, Washington Post, 10/19/2003 > > >WASHINGTON -- The federal government is preparing for the first time to >require that personal computers and other consumer electronics devices >contain technology to help block Internet piracy of digital entertainment. >A rule being considered by the Federal Communications Commission is one of >a series of proposals pushed by the entertainment industry to help thwart >copying and online trading of movies and television shows that >increasingly are being broadcast in digital form with high-quality picture >and sound. > >But the new rule also would force consumers to purchase new equipment if >they wanted to record enhanced digital-quality television programs and >replay them on other machines. > >Opponents of the proposed rule, including many technology companies and >consumer groups, say it won't work. They are especially concerned that the >plan might lead to government regulation of how personal computers and >other devices are built, particularly if hackers crack the system and >further changes are deemed necessary. > >FCC officials, who spoke on the condition of anonymity, said they expect >the agency to settle on details of the "broadcast flag" rule by the end of >the month. The broadcast flag takes its name from the computer code that >would be embedded in digital television signals and would be read by >"compliant" devices such as a television or a digital video recorder. > >The rule would not affect consumers who record shows with VCRs. Nor would >it affect programming received on a cable or satellite system, in part >because consumers pay for that content. > >But the entertainment industry does not want digitally enhanced >"high-value" entertainment sent free over the air to be easily copied and >distributed on the Internet. > >FCC officials said they expect the final rule to enable competition among >different means of deploying the flag system to protect broadcasts, rather >than the government anointing one in particular. > >Unlike with recent FCC decisions on high-speed Internet access and media >consolidation that have deeply split the five-member commission, none of >the three Republicans and two Democrats has led a public campaign against >the broadcast flag. > >"I'm optimistic we'll have a clean majority," said one senior agency >official. "The commission has acted in the area of digital television in a >very bipartisan fashion." ------------------------------------- You are subscribed as eugen at leitl.org To manage your subscription, go to http://v2.listbox.com/member/?listname=ip Archives at: http://www.interesting-people.org/archives/interesting-people/ ----- End forwarded message ----- -- Eugen* Leitl leitl ______________________________________________________________ ICBM: 48.07078, 11.61144 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE [demime 0.97c removed an attachment of type application/pgp-signature] From mv at cdc.gov Sun Oct 19 19:22:47 2003 From: mv at cdc.gov (Major Variola (ret.)) Date: Sun, 19 Oct 2003 19:22:47 -0700 Subject: Al Q easy meat for NSA Message-ID: <3F9346F6.1AB7E796@cdc.gov> http://www.thesmokinggun.com/archive/jihad13chap1.html From cpunk at lne.com Sun Oct 19 20:00:00 2003 From: cpunk at lne.com (cpunk at lne.com) Date: Sun, 19 Oct 2003 20:00:00 -0700 Subject: Cypherpunks List Info Message-ID: <200310200300.h9K300lp010986@slack.lne.com> Cypherpunks Mailing List Information Last updated: Oct 13, 2003 This message is also available at http://www.lne.com/cpunk Instructions on unsubscribing from the list can be found below. 0. Introduction The Cypherpunks mailing list is a mailing list for discussing cryptography and its effect on society. It is not a moderated list (but see exceptions below) and the list operators are not responsible for the list content. Cypherpunks is a distributed mailing list. A subscriber can subscribe to one node of the list and thereby participate on the full list. Each node (called a "Cypherpunks Distributed Remailer", although they are not related to anonymous remailers) exchanges messages with the other nodes in addition to sending messages to its subscribers. A message posted to one node will be received by the list subscribers on the other nodes, and vice-versa. 1. Filtering The various CDRs follow different policies on filtering spam and to a lesser extent on modifying messages that go to/from their subscribers. Filtering is done, on nodes that do it, to reduce the huge amount of spam that the cypherpunks list is subjected to. There are three basic flavors of filtering CDRs: "raw", which send all messages to their subscribers. "cooked" CDRs try to eliminate the spam on that's on the regular list by automatically sending only messages that are from cypherpunks list subscribers (on any CDR) or people who are replying to list messages. Finally there are moderated lists, where a human moderator decides which messages from the raw list to pass on to subscribers. 2. Message Modification Message modification policy indicates what modifications, if any, beyond what is needed to operate the CDR are done (most CDRs add a tracking X-loop header on mail posted to their subscribers to prevent mail loops). Message modification usually happens on mail going in or out to each CDR's subscribers. CDRs should not modify mail that they pass from one CDR to the next, but some of them do, and others undo those modifications. 3. Privacy Privacy policy indicates if the list will allow anyone ("open"), or only list members, or no one ("private") , to retrieve the subscribers list. Note that if you post, being on a "private" list doesn't mean much, since your address is now out there. It's really only useful for keeping spammers from harvesting addresses from the list software. Digest mode indicates that the CDR supports digest mode, which is where the posts are batched up into a few large emails. Nodes that support only digest mode are noted. 4. Anonymous posting Cypherpunks encourages anonymous posting. You can use an anonymous remailer: http://www.andrebacard.com/remail.html http://anon.efga.org/Remailers http://www.gilc.org/speech/anonymous/remailer.html 5. Unsubscribing Unsubscribing from the cypherpunks list: Since the list is run from a number of different CDRs, you have to figure out which CDR you are subscribed to. If you don't remember and can't figure it out from the mail headers (hint: the top Received: line should tell you), the easiest way to unsubscribe is to send unsubscribe messages to all the CDRs listed below. How to figure out which CDR you are subscribed to: Get your mail client to show all the headers (Microsoft calls this "internet headers"). Look for the Sender or X-loop headers. The Sender will say something like "Sender: owner-cypherpunks at lne.com". The X-loop line will say something like "X-Loop: cypherpunks at lne.com". Both of these inticate that you are subscribed to the lne.com CDR. If you were subscribed to the algebra CDR, they would have algebra.com in them. Once you have figured out which CDR you're subscribed to, look in the table below to find that CDRs unsubscribe instructions. 6. Lunatics, spammers and nut-cases "I'm subscribed to a filtering CDR yet I still see lots of junk postings". At this writing there are a few sociopaths on the cypherpunks list who are abusing the lists openness by dumping reams of propaganda on the list. The distinction between a spammer and a subscriber is nearly always very clear, but the dictinction between a subscriber who is abusing the list by posting reams of propaganda and a subscriber who is making lots of controversial posts is not clear. Therefore, we tolerate the crap. Subscribers with a low crap tolerance should check out mail filters. Procmail is a good one, although it works on Unix and Unix-like systems only. Eudora also has a capacity for filtering mail, as do many other mail readers. An example procmail recipie is below, you will of course want to make your own decisions on which (ab)users to filter. # mailing lists: # filter all cypherpunks mail into its own cypherspool folder, discarding # mail from loons. All CDRs set their From: line to 'owner-cypherpunks'. # /dev/null is unix for the trash can. :0 * ^From.*owner-cypherpunks at .* { :0: * (^From:.*ravage at ssz\.com.*|\ ^From:.*jchoate at dev.tivoli.com.*|\ ^From:.*mattd at useoz.com|\ ^From:.*proffr11 at bigpond.com|\ ^From:.*jei at cc.hut.fi) /dev/null :0: cypherspool } 7. List of current CDRs All commands are sent in the body of mail unless otherwise noted. --------------------------------------------------------------------------- Algebra: Operator: Subscription: "subscribe cypherpunks" to majordomo at algebra.com Unsubscription: "unsubscribe cypherpunks" to majordomo at algebra.com Help: "help cypherpunks" to majordomo at algebra.com Posting address: cypherpunks at algebra.com Filtering policy: raw Message Modification policy: no modification Privacy policy: ??? Info: ??? --------------------------------------------------------------------------- CCC: Operator: drt at un.bewaff.net Subscription: "subscribe [password of your choice]" to cypherpunks-request at koeln.ccc.de Unsubscription: "unsubscribe " to cypherpunks-request at koeln.ccc.de Help: "help" to to cypherpunks-request at koeln.ccc.de Web site: http://koeln.ccc.de/mailman/listinfo/cypherpunks Posting address: cypherpunks at koeln.ccc.de Filtering policy: This specific node drops messages bigger than 32k and every message with more than 17 recipients or just a line containing "subscribe" or "unsubscribe" in the subject. Digest mode: this node is digest-only NNTP: news://koeln.ccc.de/cbone.ml.cypherpunks Message Modification policy: no modification Privacy policy: ??? --------------------------------------------------------------------------- Infonex: Subscription: "subscribe cypherpunks" to majordomo at infonex.com Unsubscription: "unsubscribe cypherpunks" to majordomo at infonex.com Help: "help cypherpunks" to majordomo at infonex.com Posting address: cypherpunks at infonex.com Filtering policy: raw Message Modification policy: no modification Privacy policy: ??? --------------------------------------------------------------------------- Lne: Subscription: "subscribe cypherpunks" to majordomo at lne.com Unsubscription: "unsubscribe cypherpunks" to majordomo at lne.com Help: "help cypherpunks" to majordomo at lne.com Posting address: cypherpunks at lne.com Filtering policy: cooked Posts from all CDR subscribers & replies to threads go to lne CDR subscribers. All posts from other CDRs are forwarded to other CDRs unmodified. Message Modification policy: 1. messages are demimed (MIME attachments removed) when posted through lne or received by lne CDR subscribers 2. leading "CDR:" in subject line removed 3. "Reply-to:" removed Privacy policy: private Info: http://www.lne.com/cpunk; "info cypherpunks" to majordomo at lne.com Archive: http://archives.abditum.com/cypherpunks/index.html (thanks to Steve Furlong and Len Sassaman) --------------------------------------------------------------------------- Minder: Subscription: "subscribe cypherpunks" to majordomo at minder.net Unsubscription: "unsubscribe cypherpunks" to majordomo at minder.net Help: "help" to majordomo at minder.net Posting address: cypherpunks at minder.net Filtering policy: raw Message Modification policy: no modification Privacy policy: private Info: send mail to cypherpunks-info at minder.net --------------------------------------------------------------------------- Openpgp: [openpgp seems to have dropped off the end of the world-- it doesn't return anything from sending help queries. Ericm, 8/7/01] Subscription: "subscribe cypherpunks" to listproc at openpgp.net Unsubscription: "unsubscribe cypherpunks" to listproc at openpgp.net Help: "help" to listproc at openpgp.net Posting address: cypherpunks at openpgp.net Filtering policy: raw Message Modification policy: no modification Privacy policy: ??? --------------------------------------------------------------------------- Sunder: Subscription: "subscribe" to sunder at sunder.net Unsubscription: "unsubscribe" to sunder at sunder.net Help: "help" to sunder at sunder.net Posting address: sunder at sunder.net Filtering policy: moderated Message Modification policy: ??? Privacy policy: ??? Info: ??? --------------------------------------------------------------------------- Pro-ns: Subscription: "subscribe cypherpunks" to majordomo at pro-ns.net Unsubscription: "unsubscribe cypherpunks" to majordomo at pro-ns.net Help: "help cypherpunks" to majordomo at pro-ns.net Posting address: cypherpunks at pro-ns.net Filtering policy: cooked Posts from all CDR subscribers & replies to threads go to local CDR subscribers. All posts from other CDRs are forwarded to other CDRs unmodified. Message Modification policy: 1. leading "CDR:" in subject line removed 2. "Reply-to:" removed Privacy policy: private Info: http://www.pro-ns.net/cpunk From eugen at leitl.org Mon Oct 20 02:54:15 2003 From: eugen at leitl.org (Eugen Leitl) Date: Mon, 20 Oct 2003 11:54:15 +0200 Subject: [IP] FCC readies rule to block Internet piracy (fwd from dave@farber.net) Message-ID: <20031020095415.GI12230@leitl.org> Of course none of the feds would want to mandate Palladiated consumer hardware, ever. Right. ----- Forwarded message from Dave Farber ----- From amichrisde at yahoo.de Mon Oct 20 06:13:01 2003 From: amichrisde at yahoo.de (Some Guy) Date: Mon, 20 Oct 2003 15:13:01 +0200 (CEST) Subject: [mnet-devel] Anonymity and Performance in Peer-to-Peer Systems Message-ID: This post is supposed to get to Nikita Borisov and Jason Waddle regarding: http://www.cs.berkeley.edu/~nikitab/projects/p2p/proposal.html Part 1: "Research a formal metric for the anonymity of a system. We are currently performing a literature search; if we fail to find a suitable metric in past research, we will propose a new one." Here's a nice paper that analizes the annonymity of Crowds: Probabilistic Analysis of Anonymity Vitaly Shmatikov SRI International http://citeseer.nj.nec.com/shmatikov02probabilistic.html "We use discrete-time Markov chains to formally model the behavior of group members in Crowds [22], specify anonymity properties of the system as temporal logic formulas, and use a probabilistic model checker to verify them. This analysis method is applicable to other probabilistic systems such as Freenet." Part 2: DOS Resistance: I've got a basic handle now on DOS resistance vs. peformance and I can almost get a faint glimmer of what the a "perfect" DHT should look like. I've posted my ideas on it to the Freenet list and I'll post them to the MNet list today too. If anyone wants to discuss how to build a better Freenet, I'd LOVE to help. __________________________________________________________________ Gesendet von Yahoo! Mail - http://mail.yahoo.de Logos und Klingeltvne f|rs Handy bei http://sms.yahoo.de ------------------------------------------------------- This SF.net email sponsored by: Enterprise Linux Forum Conference & Expo The Event For Linux Datacenter Solutions & Strategies in The Enterprise Linux in the Boardroom; in the Front Office; & in the Server Room http://www.enterpriselinuxforum.com _______________________________________________ mnet-devel mailing list mnet-devel at lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/mnet-devel ----- End forwarded message ----- -- Eugen* Leitl leitl ______________________________________________________________ ICBM: 48.07078, 11.61144 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE [demime 0.97c removed an attachment of type application/pgp-signature] From morlockelloi at yahoo.com Mon Oct 20 15:21:21 2003 From: morlockelloi at yahoo.com (Morlock Elloi) Date: Mon, 20 Oct 2003 15:21:21 -0700 (PDT) Subject: [mnet-devel] DOS in DHTs (fwd from amichrisde@yahoo.de) In-Reply-To: <20031020204145.GL15714@leitl.org> Message-ID: <20031020222121.8440.qmail@web40603.mail.yahoo.com> Looks like the only way to shield from DOS is to raise the cost of DOS. This will eventually eliminate the low cost of Internet bandwidth, one way or another. You don't get nearly the same amount of DOS on your telephone as you do on Internet, right ? Because telephone call is not free and/or it's traceable. The only question is how and where will this cost be introduced. My guess is that it will happen on the sending side. Even today, assymmetric cheapo-consumer connectivity makes publishing hard (as in "you are not visible to the world".) But to handle DOS is harder, as major drive & money on internet is selling shit, and players want easy (say 800-number) access. Proposals a la net-driving-license (NDL) indicate the trend. NDL can happen. Compare it to the early situation with cars or guns. No regulation in the beginning, you could buy or make your own and do as you please. Then, when commerce began to depend on both (transport of goods and force monopolies) they got regulated. I see no difference between that and computer with an Internet link. NDL is a possible reality. It used to be normal to drive or carry a weapon without license. These days, they catch you sooner or later and beat you into pulp. Same thing. Dreaming about it not happening will get you nowhere. So what can be done to raise the cost of DOS without introducing NDL ? I have no answer to this. What kind of NDL is the least bad ? - requirement for something that requires human effort when opening a connection. You do want to let humans into the store, but will refuse entry to headless drones. OK, wrong analogy. But you get the idea. - simply raise the cost of outgoing bandwidth - add a cost to every SYN request or equivalent (have a decent number included in the basic bandwith fee.) This will make unsuspecting collaborators in DDoS more efficient in keeping their equipment clean ("whoever aids .... will be considered enemy combatant.) The future doesn't seem bright. I think that there is a short window - a year or two - in which some not-so-bad solution may preempt what They are trying to do. But I wouldn't hold my breath. It's far more likely that EFF and other wirehuggers will continue to be outraged (with zero effect as usual) and clampdown on 'net access will continue. ===== end (of original message) Y-a*h*o-o (yes, they scan for this) spam follows: __________________________________ Do you Yahoo!? The New Yahoo! Shopping - with improved product search http://shopping.yahoo.com From s.schear at comcast.net Mon Oct 20 15:21:54 2003 From: s.schear at comcast.net (Steve Schear) Date: Mon, 20 Oct 2003 15:21:54 -0700 Subject: Remarks by U.S. Senator Robert C. Byrd on Final Passage of Iraq In-Reply-To: <3F906DBB.8030904@foo.com> Message-ID: <5.2.1.1.0.20031019082611.04ac7e68@mail.comcast.net> [For all the good it will do, one of the few Senators to stingingly rebuff the Administration's Iraq position and demand for tribute to support their further misadventures. However, there are equally large lies and tribute being supported by Byrd and others upon which they are silent. Besides its easy to be clamorous when you're vote isn't the key vote denying someone as powerful as the President. Just more political rhetoric.] Senate Floor Remarks Remarks by U.S. Senator Robert C. Byrd on Final Passage of Iraq Supplemental Appropriations Bill http://byrd.senate.gov/byrd_speeches/byrd_speeches_2003october/byrd_speeches>_2003october_list/byrd_speeches_2003october_list_3.html steve From camera_lumina at hotmail.com Mon Oct 20 13:48:43 2003 From: camera_lumina at hotmail.com (Tyler Durden) Date: Mon, 20 Oct 2003 16:48:43 -0400 Subject: [IP] FCC readies rule to block Internet piracy (fwd from dave@farber.net) Message-ID: >The federal government is preparing for the first time to >require that personal computers and other consumer electronics devices >contain technology to help block Internet piracy of digital entertainment. Just wait until MS unleashes a brood of lobbyists when nobody buys the new Palladium-ed operating systems. State control is one thing. State control that will do absolutely nothing is another. This cat's already out of the bag. As far as I'm concerned, the coming collapse of the music industry will be one of the few convincing pieces of evidence that God exists. -TD >From: Eugen Leitl >To: cypherpunks at lne.com >Subject: [IP] FCC readies rule to block Internet piracy (fwd from >dave at farber.net) >Date: Mon, 20 Oct 2003 11:54:15 +0200 > >Of course none of the feds would want to mandate Palladiated consumer >hardware, ever. Right. > >----- Forwarded message from Dave Farber ----- > >From: Dave Farber >Date: Sun, 19 Oct 2003 14:52:38 -0400 >To: ip at v2.listbox.com >Subject: [IP] FCC readies rule to block Internet piracy >X-Mailer: QUALCOMM Windows Eudora Version 6.0.0.22 > > > >Delivered-To: dfarber+ at ux13.sp.cs.cmu.edu > >Date: Sun, 19 Oct 2003 08:10:34 -0700 > >From: Dewayne Hendricks > >= > > > >FCC readies rule to block Internet piracy > > > >By Jonathan Krim, Washington Post, 10/19/2003 > >o_block_internet_piracy/> > > > >WASHINGTON -- The federal government is preparing for the first time to > >require that personal computers and other consumer electronics devices > >contain technology to help block Internet piracy of digital >entertainment. > >A rule being considered by the Federal Communications Commission is one >of > >a series of proposals pushed by the entertainment industry to help thwart > >copying and online trading of movies and television shows that > >increasingly are being broadcast in digital form with high-quality >picture > >and sound. > > > >But the new rule also would force consumers to purchase new equipment if > >they wanted to record enhanced digital-quality television programs and > >replay them on other machines. > > > >Opponents of the proposed rule, including many technology companies and > >consumer groups, say it won't work. They are especially concerned that >the > >plan might lead to government regulation of how personal computers and > >other devices are built, particularly if hackers crack the system and > >further changes are deemed necessary. > > > >FCC officials, who spoke on the condition of anonymity, said they expect > >the agency to settle on details of the "broadcast flag" rule by the end >of > >the month. The broadcast flag takes its name from the computer code that > >would be embedded in digital television signals and would be read by > >"compliant" devices such as a television or a digital video recorder. > > > >The rule would not affect consumers who record shows with VCRs. Nor would > >it affect programming received on a cable or satellite system, in part > >because consumers pay for that content. > > > >But the entertainment industry does not want digitally enhanced > >"high-value" entertainment sent free over the air to be easily copied and > >distributed on the Internet. > > > >FCC officials said they expect the final rule to enable competition among > >different means of deploying the flag system to protect broadcasts, >rather > >than the government anointing one in particular. > > > >Unlike with recent FCC decisions on high-speed Internet access and media > >consolidation that have deeply split the five-member commission, none of > >the three Republicans and two Democrats has led a public campaign against > >the broadcast flag. > > > >"I'm optimistic we'll have a clean majority," said one senior agency > >official. "The commission has acted in the area of digital television in >a > >very bipartisan fashion." > >------------------------------------- >You are subscribed as eugen at leitl.org >To manage your subscription, go to > http://v2.listbox.com/member/?listname=ip > >Archives at: http://www.interesting-people.org/archives/interesting-people/ > >----- End forwarded message ----- >-- Eugen* Leitl leitl >______________________________________________________________ >ICBM: 48.07078, 11.61144 http://www.leitl.org >8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE > >[demime 0.97c removed an attachment of type application/pgp-signature] _________________________________________________________________ Add MSN 8 Internet Software to your current Internet access and enjoy patented spam control and more. Get two months FREE! http://join.msn.com/?page=dept/byoa From amichrisde at yahoo.de Mon Oct 20 08:32:38 2003 From: amichrisde at yahoo.de (Some Guy) Date: Mon, 20 Oct 2003 17:32:38 +0200 (CEST) Subject: [mnet-devel] DOS in DHTs Message-ID: Ok as promissed, here's a bit of analysis on DOS in DHTs and trade offs with performance. Have a nice read. I'm going to discuss Denial of Service Attacks (DOS) from within P2P networks, not the underlieing network (TCP/IP), independently of what routing system is used. The resistance R of a network to a DOS censure attack is the number of nodes/resources an adversary is forced to attack in order to make it hard to retrieve a particular piece of data. ---- Really stupid routing (RSR) Let's talk about the most resistant network style there is first, the old Gnutella network. Since data can be anywhere, a adversary is pretty much forced to attack all the nodes in the system. R = O(N) ---- Global Hashes Let's talk about some of the pretty academic DHTs, which provide nice peformance by mapping each key onto a specific target node via global hash. Many of these systems have the resistance of only one or a fixed number of nodes. R = O(1) ---- Intermediate networks In between these two networks we have systems like Entropy which break thier hashspace down into s (s=16) specialized cells via a global hash, which then use simple RSR. http://entropy.stop1984.com/en/entropy.html I'm going to do some analysis on this type of network, which should generally be valid for DOS in all DHTs. s = specialization of the network r = redundancy with which a piece of data is stored d = search depth or number of specialized nodes asked p = probablity that the data is found N = total number of nodes R = Resistance to a DNS attack Since an adversary would not know which nodes in one of Entropy's cells had the data, he would be forced to attack all of them. R = O(N/s) This should be clear: p = 1-(1-r*s/N)^d At constant p we can evaluate design trade-offs at large N. s*r*d = O(N) or R = O(r*d) regardless of N. There is a three way geometric trade-off between redundancy of storage (insert HTL*frequency, or popularity), query depth (request HTL), and resistance to DOS. This is what I'm calling the holy trinity of DOS in DHTs. I believe it holds true for all DHTs using global hashes. You could for example design a network where: R = N^0.5 and r = d Thus making r and d O(N^0.25), which you might be able to live with. Here are some sample parameters and p, to give you an idea of the trade-offs in a million node net: n r d s p 1000000 100 100 100 0.633967659 1000000 100 10 1000 0.65132156 1000000 10 100 1000 0.633967659 1000000 100 100 100 0.633967659 1000000 1000 10 100 0.65132156 1000000 1000 100 10 0.633967659 1000000 10 1000 100 0.632304575 1000000 100 1000 10 0.632304575 1000000 1 1000 1000 0.632304575 1000000 10 10 10000 0.65132156 1000000 1000 1 1000 1 1000000 100 20 1000 0.878423345 1000000 20 20 1000 0.332392028 ---- Non-Global Hashing I've got another neat trick to improve things a bit. A trusted group of nodes could use a private hashing function to redistribute data between them. As long as the adversary can not infiltrate the group, he is forced to flood the whole group. A request or insert need only travel one hop through the group. In networks where there is believed to be a certain fraction of adversarial nodes f, you can calculate the optimal clustering c to throw random nodes together in this way. This local hashing cann't be used to get around the trinity, but just win a considerable boost to performance. In each specialized cell you could have clusters of nodes, instead of single ones. I've got other ideas that involve key sharing to try to make clusters that can scale higher, but I'm not sure it's feasible/nessesary. ---- One more point Replication (r) doesn't have to mean coping the data. I could premix route to r nodes and only tell them I have the data. I still will have done O(r) work though. Think of it this way. = O( * ) Likewise "depth" (d) for searches doesn't have to be HTL; you can search several nodes in parallel, but the system will still have used O(d) resources. __________________________________________________________________ Gesendet von Yahoo! Mail - http://mail.yahoo.de Logos und Klingeltvne f|rs Handy bei http://sms.yahoo.de ------------------------------------------------------- This SF.net email sponsored by: Enterprise Linux Forum Conference & Expo The Event For Linux Datacenter Solutions & Strategies in The Enterprise Linux in the Boardroom; in the Front Office; & in the Server Room http://www.enterpriselinuxforum.com _______________________________________________ mnet-devel mailing list mnet-devel at lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/mnet-devel ----- End forwarded message ----- -- Eugen* Leitl leitl ______________________________________________________________ ICBM: 48.07078, 11.61144 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE [demime 0.97c removed an attachment of type application/pgp-signature] From eugen at leitl.org Mon Oct 20 09:49:43 2003 From: eugen at leitl.org (Eugen Leitl) Date: Mon, 20 Oct 2003 18:49:43 +0200 Subject: [mnet-devel] Anonymity and Performance in Peer-to-Peer Systems (fwd from amichrisde@yahoo.de) Message-ID: <20031020164943.GI15714@leitl.org> ----- Forwarded message from Some Guy ----- From eugen at leitl.org Mon Oct 20 13:41:45 2003 From: eugen at leitl.org (Eugen Leitl) Date: Mon, 20 Oct 2003 22:41:45 +0200 Subject: [mnet-devel] DOS in DHTs (fwd from amichrisde@yahoo.de) Message-ID: <20031020204145.GL15714@leitl.org> This list is so dead, a few forwards don't hurt. Won't make it a habit, though. ----- Forwarded message from Some Guy ----- From timcmay at got.net Tue Oct 21 00:00:03 2003 From: timcmay at got.net (Tim May) Date: Tue, 21 Oct 2003 00:00:03 -0700 Subject: Remarks by U.S. Senator Robert C. Byrd on Final Passage of Iraq In-Reply-To: <5.2.1.1.0.20031019082611.04ac7e68@mail.comcast.net> Message-ID: <32333FCE-0394-11D8-9F08-000A956B4C74@got.net> On Monday, October 20, 2003, at 03:21 PM, Steve Schear wrote: > [For all the good it will do, one of the few Senators to stingingly > rebuff the Administration's Iraq position and demand for tribute to > support their further misadventures. However, there are equally large > lies and tribute being supported by Byrd and others upon which they > are silent. Besides its easy to be clamorous when you're vote isn't > the key vote denying someone as powerful as the President. Just more > political rhetoric.] > > Senate Floor Remarks > > Remarks by U.S. Senator Robert C. Byrd on Final Passage of Iraq > Supplemental Appropriations Bill > http://byrd.senate.gov/byrd_speeches/byrd_speeches_2003october/ > byrd_speeches>_2003october_list/byrd_speeches_2003october_list_3.html Byrd has stolen vast amounts of money to support his cronies. The number of "slave-lives" (via taxation) to build the "Robert Byrd Memorial Memorials" is in the high tens of thousands. according to Tribunal Watch, the watchdog group keeping tabs on the high crimes of everyone in government. Byrd dislikes the Bush War because he couldn't get in on any of the Halliburon, Bechtel, Zapata, and Wackenhut largesse. His hopes were dashed when West Virginia was passed-over for the site of Camp X-Ray and when, worst of all, WVa was not selected as the processing center for Iraqis to pay their taxes through. He'd been counting on his usual rakeoff. --Tim May "He who fights with monsters might take care lest he thereby become a monster. And if you gaze for long into an abyss, the abyss gazes also into you." -- Nietzsche From s.schear at comcast.net Wed Oct 22 16:47:02 2003 From: s.schear at comcast.net (Steve Schear) Date: Wed, 22 Oct 2003 16:47:02 -0700 Subject: [mnet-devel] DOS in DHTs (fwd from amichrisde@yahoo.de) Message-ID: <5.2.1.1.0.20031022164659.04b4e870@mail.comcast.net> At 03:21 PM 10/20/2003 -0700, Morlock Elloi wrote: >Looks like the only way to shield from DOS is to raise the cost of DOS. This >will eventually eliminate the low cost of Internet bandwidth, one way or >another. You don't get nearly the same amount of DOS on your telephone as you >do on Internet, right ? Because telephone call is not free and/or it's >traceable. And there has been creditable prototyping in this area, e.g., Camram. But not many skilled coders seem to have jumped on these projects to help out. >NDL can happen. Compare it to the early situation with cars or guns. No >regulation in the beginning, you could buy or make your own and do as you >please. I know people who still do. >Then, when commerce began to depend on both (transport of goods and >force monopolies) they got regulated. I see no difference between that and >computer with an Internet link. NDL is a possible reality. It used to be >normal >to drive or carry a weapon without license. These days, they catch you sooner >or later and beat you into pulp. Same thing. Dreaming about it not happening >will get you nowhere. I think the U.S. Constitution will stand in the way of widespread adoption of NDLs. They may have regulated firearms, though these laws are widely ignored by citizens, but I have yet to see a license for owning a typewriter or PC proposed. They have already ruled numerous times that the Internet is deserving of at least as free and access as print media and political flyers (which can be anonymnous and still pass legal muster). steve From eugen at leitl.org Wed Oct 22 09:48:35 2003 From: eugen at leitl.org (Eugen Leitl) Date: Wed, 22 Oct 2003 18:48:35 +0200 Subject: J2ME + crypto + mobile Message-ID: <20031022164835.GP25002@leitl.org> Anything beyond http://www.bouncycastle.org/ to experiment with crypto on J2ME-capable mobiles? Is it at all possible to use traffic remixing for SMS-like messages with J2ME infrastructure? -- Eugen* Leitl leitl ______________________________________________________________ ICBM: 48.07078, 11.61144 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE [demime 0.97c removed an attachment of type application/pgp-signature] From measl at mfn.org Wed Oct 22 18:46:04 2003 From: measl at mfn.org (J.A. Terranson) Date: Wed, 22 Oct 2003 20:46:04 -0500 (CDT) Subject: RSA performance on Athlon64 vs. Itanium In-Reply-To: <003201c3914d$c0e49120$7001a8c0@VAIO650> Message-ID: On Sun, 12 Oct 2003, Lucky Green wrote: > I just picked up an Athlon64 3200+, which runs at a 2 GHz clock speed. > Using the Red Hat for AMD64 beta and the version of OpenSSL that ships > with that beta, I get 922 1024-bit RSA signs per second. This is a tad > less RSA signatures per second than I have seen on an 800MHz Itanium > using highly optimized assembler. That's rather poor performance on the > Athlon64. > > Are the figures that I am seeing typical for OpenSSL on the Athlon64? > Has anybody here seen different figures using optimized code? > > Thanks, > --Lucky Green Was there ever a reply to this? If so, could someone forward it to me off-list, as I missed it :-( Thanks! -- Yours, J.A. Terranson sysadmin at mfn.org "Every living thing dies alone." Donnie Darko From morlockelloi at yahoo.com Wed Oct 22 21:43:31 2003 From: morlockelloi at yahoo.com (Morlock Elloi) Date: Wed, 22 Oct 2003 21:43:31 -0700 (PDT) Subject: [mnet-devel] DOS in DHTs (fwd from amichrisde@yahoo.de) In-Reply-To: <5.2.1.1.0.20031022164659.04b4e870@mail.comcast.net> Message-ID: <20031023044331.85464.qmail@web40601.mail.yahoo.com> > ignored by citizens, but I have yet to see a license for owning a > typewriter or PC proposed. They have already ruled numerous times that the > Internet is deserving of at least as free and access as print media and There are precedents. In Franko's Spain, all typewriters had to be registered with the state, and all had serial numbers. It was illegal and punishable to possess one without license. ===== end (of original message) Y-a*h*o-o (yes, they scan for this) spam follows: __________________________________ Do you Yahoo!? The New Yahoo! Shopping - with improved product search http://shopping.yahoo.com From ravage at einstein.ssz.com Wed Oct 22 19:50:59 2003 From: ravage at einstein.ssz.com (Jim Choate) Date: Wed, 22 Oct 2003 21:50:59 -0500 (CDT) Subject: Inferno: Why War?: All the President's Votes? (fwd) Message-ID: ---------- Forwarded message ---------- Date: Wed, 22 Oct 2003 19:18:22 -0500 (CDT) Subject: Inferno: Why War?: All the President's Votes? Interesting read from our chief black-box voting researcher, martini... ---------- Forwarded message ---------- Date: Wed, 22 Oct 2003 16:41:12 -0500 (CDT) Subject: heya.. seen this? http://www.why-war.com/news/2003/10/14/allthepr.html I'm still reading through it, but thought I'd send it forward sooner than later. From die at dieconsulting.com Wed Oct 22 18:56:34 2003 From: die at dieconsulting.com (Dave Emery) Date: Wed, 22 Oct 2003 21:56:34 -0400 Subject: [mnet-devel] DOS in DHTs (fwd from amichrisde@yahoo.de) In-Reply-To: <5.2.1.1.0.20031022164659.04b4e870@mail.comcast.net> References: <5.2.1.1.0.20031022164659.04b4e870@mail.comcast.net> Message-ID: <20031023015634.GC7845@pig.dieconsulting.com> On Wed, Oct 22, 2003 at 04:47:02PM -0700, Steve Schear wrote: > > I think the U.S. Constitution will stand in the way of widespread adoption > of NDLs. They may have regulated firearms, though these laws are widely > ignored by citizens, but I have yet to see a license for owning a > typewriter or PC proposed. They have already ruled numerous times that the > Internet is deserving of at least as free and access as print media and > political flyers (which can be anonymnous and still pass legal muster). > You are an optimist. Us pessimists see use of Palladium/TCPA/NGSCB as all too tempting a means of regulation of the net. Initially one will not be able to get high speed Internet service at affordable rates without the big brother inside, but as this "voluntary" commercial regulatory measure proves not to curb behavior that certain powerful lobbies want controlled, there will be mandatory requirements imposed by law as per the Fritz chip. Perhaps courts will not allow such to be used for explicit censorship of otherwise legal free speech, but I'd not bet that an ISP would be required to allow "objectionable content" to pass over its wires under such a scheme. And once one must register to obtain certificates for Palladium/NGSCB attestation, one really does have a form of net drivers license. > steve -- Dave Emery N1PRE, die at dieconsulting.com DIE Consulting, Weston, Mass 02493 From brian-slashdotnews at hyperreal.org Wed Oct 22 15:26:03 2003 From: brian-slashdotnews at hyperreal.org (brian-slashdotnews at hyperreal.org) Date: 22 Oct 2003 22:26:03 -0000 Subject: Dept. of Defense IPv6 Interoperabilty Test Begins Message-ID: Link: http://slashdot.org/article.pl?sid=03/10/22/1755258 Posted by: CowboyNeal, on 2003-10-22 20:01:00 Topic: internet, 259 comments from the let's-get-it-on dept. [1]securitas writes "The [2]Department of Defense has launched Phase I of its delayed IPv6 interoperability test ([3]mirror) in a six-month project dubbed [4]Moonv6. It is the [5]largest North American IPv6 test ever and its goal is to evaluate IPv6 for 'network-centric military operations.' Phase II was originally scheduled to begin in January 2004 but may be delayed due to the late start of the current test. 'IPv4 addresses are 32 bits long, enough for around 4 billion unique addresses.' In contrast, the IPv6 address length is '128 bits, or 340 billion billion billion billion unique addresses.' Experts hope this will solve a predicted IP address shortage as more devices are created to use the Internet." [6]Click Here References 1. http://geartest.com/ 2. http://www.computerworld.com/governmenttopics/government/story/0,10801,86243, 00.html 3. http://www.linuxworld.com.au/index.php?id=1854687864&fp=2&fpid=1 4. http://www.moonv6.org/ 5. http://dc.internet.com/news/article.php/3095951 6. http://ads.osdn.com/?ad_id=78&alloc_id=1118&site_id=1&request_id=168131&op=cl ick&page=%2farticle%2epl ----- End forwarded message ----- -- Eugen* Leitl leitl ______________________________________________________________ ICBM: 48.07078, 11.61144 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE [demime 0.97c removed an attachment of type application/pgp-signature] From shamrock at cypherpunks.to Wed Oct 22 23:04:18 2003 From: shamrock at cypherpunks.to (Lucky Green) Date: Wed, 22 Oct 2003 23:04:18 -0700 Subject: C3 Nehemia C5P with better hardware RNG and AES support In-Reply-To: <200310181011.h9IABHW24935@cs.auckland.ac.nz> Message-ID: <001001c3992b$80c51930$6f01a8c0@VAIO650> Peter wrote: > In case anyone's interested, there's a cpu die photo at > http://www.sandpile.org/impl/pics/centaur/c5xl/die_013_c5p.jpg showing the amount of real estate consumed by the crypto functions (it's the bottom centre, a bit hard to read the label). I fail to understand why VIA bothered adding AES support into the CPU. When was AES last the bottleneck on a general-purpose CPU? The bottleneck tends to be modular exponentiations, yet VIA failed to include a modular exponentiation engine. Strange. --Lucky Green From frantz at pwpconsult.com Wed Oct 22 23:06:44 2003 From: frantz at pwpconsult.com (Bill Frantz) Date: Wed, 22 Oct 2003 23:06:44 -0700 Subject: Palladium/TCPA/NGSCB In-Reply-To: <20031023015634.GC7845@pig.dieconsulting.com> References: <5.2.1.1.0.20031022164659.04b4e870@mail.comcast.net> <5.2.1.1.0.20031022164659.04b4e870@mail.comcast.net> Message-ID: Mark Miller pointed out to me that currently much of our protection from viruses comes from people at the anti-virus companies who quickly grab each new virus, reverse engineer it, and send out information about its payload and effects. Any system which hides code from reverse engineering will make this process more difficult. To the extend that Palladium/TCPA/NGSCB hides code, and to the extent it succeeds at this hiding, the more it encourages new and more pervasive viruses. Cheers - Bill ------------------------------------------------------------------------- Bill Frantz | "There's nothing so clear as a | Periwinkle (408)356-8506 | vague idea you haven't written | 16345 Englewood Ave www.pwpconsult.com | down yet." -- Dean Tribble | Los Gatos, CA 95032 From shamrock at cypherpunks.to Thu Oct 23 00:47:37 2003 From: shamrock at cypherpunks.to (Lucky Green) Date: Thu, 23 Oct 2003 00:47:37 -0700 Subject: RSA performance on Athlon64 vs. Itanium In-Reply-To: Message-ID: <001c01c39939$f09cf670$6f01a8c0@VAIO650> > -----Original Message----- > From: J.A. Terranson [mailto:measl at mfn.org] > Sent: Wednesday, October 22, 2003 18:46 > To: Lucky Green > Cc: cypherpunks at lne.com > Subject: Re: RSA performance on Athlon64 vs. Itanium > > > > On Sun, 12 Oct 2003, Lucky Green wrote: > > > I just picked up an Athlon64 3200+, which runs at a 2 GHz > clock speed. > > Using the Red Hat for AMD64 beta and the version of OpenSSL > that ships > > with that beta, I get 922 1024-bit RSA signs per second. > This is a tad > > less RSA signatures per second than I have seen on an > 800MHz Itanium > > using highly optimized assembler. That's rather poor performance on > > the Athlon64. > > > > Are the figures that I am seeing typical for OpenSSL on the > Athlon64? > > Has anybody here seen different figures using optimized code? > > > > Thanks, > > --Lucky Green > > Was there ever a reply to this? If so, could someone forward > it to me off-list, as I missed it :-( J.A., I since ran additional tests. All tests are for 1024-bit RSA signatures. 1) OpenSSL as shipping with the RedHat Taroon beta for Athlon 64: 921 RSA signatures/second 2) OpenSSL compiled manually: 1313 RSA signatures/second 3) Performance benchmark application made available to reviewers: Exceeding 3800 RSA signatures/second. Reading various gamer and over clocker websites, the Athlon 64 general performance is testing at about par with the Intel P4 3.2GHz, faster in some tests, slower in others. With the Athlon 64 being the slightly less expensive CPU based on the prices I have seen around here. You basically get a 64-bit CPU for the price of a 32-bit CPU. The CPU seems to be catching on amongst the early adopter crowd. A friend just bought one for 32-bit gaming and is very pleased. Motherboards for the Athlon 64 are appearing rapidly. Two weeks ago, Fry's stocked one Athlon 64 motherboard. Today, Fry's had 3 of them. Looks like AMD may have some done something right with this CPU. I am getting ready to buy a second one to upgrade my other box at home. --Lucky Green From s.schear at comcast.net Thu Oct 23 07:04:53 2003 From: s.schear at comcast.net (Steve Schear) Date: Thu, 23 Oct 2003 07:04:53 -0700 Subject: C3 Nehemia C5P with better hardware RNG and AES support In-Reply-To: <001001c3992b$80c51930$6f01a8c0@VAIO650> References: <200310181011.h9IABHW24935@cs.auckland.ac.nz> Message-ID: <5.2.1.1.0.20031023070224.068dd358@mail.comcast.net> At 11:04 PM 10/22/2003 -0700, Lucky Green wrote: >Peter wrote: > > In case anyone's interested, there's a cpu die photo at > > http://www.sandpile.org/impl/pics/centaur/c5xl/die_013_c5p.jpg > showing the amount of real estate consumed by the crypto functions >(it's the bottom centre, a bit hard to read the label). > > >I fail to understand why VIA bothered adding AES support into the CPU. >When was AES last the bottleneck on a general-purpose CPU? The >bottleneck tends to be modular exponentiations, yet VIA failed to >include a modular exponentiation engine. Strange. Cylink made it mark in the early 90s by building the first commercial modular exponentiation chips to power its encryptor boxes. So the need for it this was well known even then. steve From mv at cdc.gov Thu Oct 23 11:50:07 2003 From: mv at cdc.gov (Major Variola (ret)) Date: Thu, 23 Oct 2003 11:50:07 -0700 Subject: C3 Nehemia C5P with better hardware RNG and AES support Message-ID: <3F9822DF.4106CEF@cdc.gov> At 11:04 PM 10/22/03 -0700, Lucky Green wrote: >I fail to understand why VIA bothered adding AES support into the CPU. >When was AES last the bottleneck on a general-purpose CPU? The >bottleneck tends to be modular exponentiations, yet VIA failed to >include a modular exponentiation engine. Strange. Lucky, the VIA chip is for SOHO not servers. Therefore modexp is not a bottleneck, its a "one time" cost well performed by the x86 in a few hundred msec. On the other hand, the AES hardware could provide a substantial relief for the CPU for VPN apps, despite its relative ease in software compared to DES. Remember that the modexp cores out there are generally intended for "high end" apps like commercial-server cards. Though their gate count isn't too bad, they tend to require a large number of RAM controllers and embedded RAM for the operands. If you've got a good fraction of a second to spend, and have a general purpose CPU, you don't need hardware acceleration for modexp. As I wrote previously, I'd expect to see better integrated peripheral support (eg integrated ether or two) before I saw modexp support. --- "The generation of random numbers is too important to be left to chance." -Robert R. Coveyou ORNL mathematician From mv at cdc.gov Thu Oct 23 11:59:47 2003 From: mv at cdc.gov (Major Variola (ret)) Date: Thu, 23 Oct 2003 11:59:47 -0700 Subject: Palladium/TCPA/NGSCB Message-ID: <3F982523.7B1A6D65@cdc.gov> At 11:06 PM 10/22/03 -0700, Bill Frantz wrote: >Mark Miller pointed out to me that currently much of our protection from >viruses comes from people at the anti-virus companies who quickly grab each >new virus, reverse engineer it, and send out information about its payload >and effects. You could be talking about biology as well. Any system which hides code from reverse engineering will >make this process more difficult. To the extend that Palladium/TCPA/NGSCB >hides code, and to the extent it succeeds at this hiding, the more it >encourages new and more pervasive viruses. A virus that contains "friendly" IFF codes can evade an immune system. Some cloak themselves in membranes derived from cells they were born in. Thus they present the right IFF response. A virus that appears to Palladium to be friendly and worthy of the full protection -the right hashes, etc- will be a fun thing. Some virii are innocuous except when they pick up a piece of virulence code. Then they kill. IIRC anthrax is like this, some of the streps. One can imagine writing a virus which is in fact merely a bit of virulence code taken in by an other innocuous but replicating program. Its common in biolabs to cross a hard-to-grow nasty with an easy-to-grow labbug so you can study the nasty. Sometimes, the result is dangerous. See the synthetic mousepox which killed the mice. And virii that infect the immune system can be fun too --imagine a virus infecting your antiviral program. HIV for Windows. From mv at cdc.gov Thu Oct 23 12:06:07 2003 From: mv at cdc.gov (Major Variola (ret)) Date: Thu, 23 Oct 2003 12:06:07 -0700 Subject: C3 Nehemia C5P with better hardware RNG and AES support Message-ID: <3F98269F.A7888FBE@cdc.gov> At 07:04 AM 10/23/03 -0700, Steve Schear wrote: >At 11:04 PM 10/22/2003 -0700, Lucky Green wrote: >>bottleneck tends to be modular exponentiations, yet VIA failed to >>include a modular exponentiation engine. Strange. > >Cylink made it mark in the early 90s by building the first commercial >modular exponentiation chips to power its encryptor boxes. So the need for >it this was well known even then. Yes, because CPUs couldn't/can't keep up with SSL's DH modexp at *commercial server* rates. For lower rates, eg initiating a secure phone call, or the client-side of SSL, you can tolerate the delay of using a CPU. You only dedicate hardware if you need to do something a lot, and fast. Could be polygons on a gaming video board, mbuff operations in a network processor [1], or modexp on an SSL enhancer. [1] look into Intel's IXA processors. They have hardware support for everything you do in IP stack processing. Amazing. Later versions also include linerate AES. For large values of "linerate". From eugen at leitl.org Thu Oct 23 03:29:17 2003 From: eugen at leitl.org (Eugen Leitl) Date: Thu, 23 Oct 2003 12:29:17 +0200 Subject: Dept. of Defense IPv6 Interoperabilty Test Begins (fwd from brian-slashdotnews@hyperreal.org) Message-ID: <20031023102917.GH25002@leitl.org> Bundesministerium fuer Verteidigung, too: http://www.heise.de/newsticker/data/anw-21.10.03-000/ ----- Forwarded message from brian-slashdotnews at hyperreal.org ----- From ericm at lne.com Thu Oct 23 13:18:36 2003 From: ericm at lne.com (Eric Murray) Date: Thu, 23 Oct 2003 13:18:36 -0700 Subject: Palladium/TCPA/NGSCB In-Reply-To: <3F982523.7B1A6D65@cdc.gov>; from mv@cdc.gov on Thu, Oct 23, 2003 at 11:59:47AM -0700 References: <3F982523.7B1A6D65@cdc.gov> Message-ID: <20031023131836.A22526@slack.lne.com> On Thu, Oct 23, 2003 at 11:59:47AM -0700, Major Variola (ret) wrote: > And virii that infect the immune system can be fun too --imagine a virus > infecting your antiviral program. HIV for Windows. Or a virus that modifes your other programs to make them appear to be known virii. You'd have to turn off your AV progams to keep them from destroying your files (or moving them around, going crazy with warnings when you start any program, etc) I'd bet that no AV programs have safeguards against this sort of false positive attack. Eric From timcmay at got.net Thu Oct 23 22:43:22 2003 From: timcmay at got.net (Tim May) Date: Thu, 23 Oct 2003 22:43:22 -0700 Subject: "If you didn't pay for it, you've stolen it!" Message-ID: Hollywood Preaches Anti-Piracy to Schools Thu Oct 23, 3:09 PM ET By RON HARRIS, Associated Press Writer SAN FRANCISCO - As part of its campaign to thwart online music and movie piracy, Hollywood is now reaching into school classrooms with a program that denounces file-sharing and offers prizes for students and teachers who spread the word about Internet theft. The Motion Picture Association of America paid $100,000 to deliver its anti-piracy message to 900,000 students nationwide in grades 5-9 over the next two years, according to Junior Achievement Inc., which is implementing the program using volunteer teachers from the business sector. "What's the Diff?: A Guide to Digital Citizenship" launched last week with a lesson plan that aims to keep kids away from Internet services like Kazaa that let users trade digital songs and film clips: "If you haven't paid for it, you've stolen it." The program appears to be working, with students in dozens of middle schools announcing that they will not enter their school libraries. Said one student: "These libraries let lots of kids read the same books...that's like Kazaa lets lots of people listen to songs!" Another one added that they are joining a Christian Coalition program to shut down parties that other students run. "They are, like, letting kidz listen to music and stuff," said one banner-toting teenybopper. TM: the last two paragraphs were of course added by me. But the point is still valid, that much of Hollywood's claims about "illegal listening" are not really any different from "reading without buying" books and magazines in libraries. The more urgent issue is this crap about corporations buying time in public schools. If I had a kid in a school and it was proposed that Nike, Time-Warner, Coke, or Intel would be buying teaching time, I'd tell them to stop it pretty fucking quick or face the Mother of All Columbines. --Tim May From s.schear at comcast.net Thu Oct 23 23:46:15 2003 From: s.schear at comcast.net (Steve Schear) Date: Thu, 23 Oct 2003 23:46:15 -0700 Subject: "If you didn't pay for it, you've stolen it!" In-Reply-To: Message-ID: <5.2.1.1.0.20031023231814.06487a20@mail.comcast.net> At 10:43 PM 10/23/2003 -0700, Tim May wrote: > "What's the Diff?: A Guide to Digital Citizenship" launched last week > with a lesson plan that aims to keep kids away from Internet services > like Kazaa that let users trade digital songs and film clips: "If you > haven't paid for it, you've stolen it." > >The program appears to be working, with students in dozens of middle >schools announcing that they will not enter their school libraries. Said >one student: "These libraries let lots of kids read the same >books...that's like Kazaa lets lots of people listen to songs!" > >Another one added that they are joining a Christian Coalition program to >shut down parties that other students run. "They are, like, letting kidz >listen to music and stuff," said one banner-toting teenybopper. > > >TM: the last two paragraphs were of course added by me. But the point is >still valid, that much of Hollywood's claims about "illegal listening" are >not really any different from "reading without buying" books and magazines >in libraries. The more urgent issue is this crap about corporations buying >time in public schools. If I had a kid in a school and it was proposed >that Nike, Time-Warner, Coke, or Intel would be buying teaching time, I'd >tell them to stop it pretty fucking quick or face the Mother of All Columbines. Your tongue-in-cheek mention about libraries being hot beds of piracy set me to thinking about the mechanics of sharing copyrighted content and whether there might be a technical solution which addresses the letter of the law in abiding copyright but allows consumers almost unfettered access to the music they have downloaded. Not long ago I found that my county library had contracted with a service provider to enable patrons to download electronic versions of books, which they could read at their leisure during a certain time window (usually from a few days to a week). After this time the 'reader' software would no longer allow access to the book even though it was stored on the user's local disc. In this way it created a virtual 'lending' environment wherein the number of readers of a particular title being read was always less than or equal to the number of licenses the service owned for each work. Why couldn't this be applied on-line to music. Under current fair use provisions readers and listeners who have purchased a work are allowed to lend it out freely. Surely the number of people who want to read or listen to a work are much smaller at any particular moment than the number of people who have ripped/downloaded a work (perhaps only 1 in 100 at most). If some mechanism could be made part of the P2P systems purchasers of the work could 'lend' it to others to read, view or hear when they are not using it. As long as the system gave some assurance to Hollywood that the works were not being enjoyed at any one moment by more people than had paid for the works then the spirit of a lending library would be maintained. I'm sure some will jump in and say that because I purchased the music on a CD, then I must lend the CD, but it is already (I believe) considered fair use for purchasers to rip their CDs and transfer them to a PC, etc. If the purchaser was willing to destroy the CD then they would only have one copy on their disc (perhaps its and .mp3 now). why couldn't they lend this copy? Someone else must have thought up this idea, but I don't recall seeing it. Please inform me nicely if you have seen it proposed before. steve From discord-nobody at erisiandiscord.de Thu Oct 23 17:35:40 2003 From: discord-nobody at erisiandiscord.de (Anonymous) Date: Fri, 24 Oct 2003 02:34:40 +0159 (CEST) Subject: New info on Palladium Message-ID: <3828d45398274ea3ef653751e67be620@erisiandiscord.de> For some updated news about NGSCB, aka Palladium, go to the Microsoft NGSCB newsgroup page at http://communities.microsoft.com/newsgroups/default.asp?icp=ngscb&slcid=us. This might be a good forum for cypherpunks to ask questions about Palladium. There was a particularly informative posting by Ellen Cram of Microsoft on October 15. Among other things she reveals that the Longhorn pre-release to be distributed at the Microsoft PDC (conference) will include NGSCB technology. It's not clear how this will work without the specialized hardware features, though. Also getting attention is a bizarre attempt at guerrilla marketing, where Microsoft employees are running blogs to promote Longhorn. http://longhornblogs.com/scobleizer/ provides a good example. In "How to Hate Microsoft", Robert Scoble, Longhorn technology evangelist, wants you to tell him everything you don't like about Longhorn. Pull no punches, he begs. So far there are a few comments about DRM but not much specifically about Palladium/NGSCB. On another front, John Walker of AutoCAD fame, who supported a number of quixotic projects through the 80s and 90s, like the ill-fated Xanadu, has a new publication out. The Digital Imprimatur, http://www.fourmilab.ch/documents/digital-imprimatur/, presents a dystopian future for the Internet that is heavily based on the potential negative consequences of Trusted Computing technologies like Palladium. In Walker's view, Palladium will spawn a net where you need a certificate to participate, and this will naturally lead to a "fully trusted" network where not only people, but all their transactions and documents will be certified, hence traceable and accountable. An "imprimatur" is a government license to run a printing press, and we will experience the same effect in the Trusted Internet of the future. Although Walker's story is meant to be a cautionary tale, the list of properties of the Trusted Net is so attractive that many readers are questioning why we should oppose these developments: an end to copyright violation, (unauthorized) eavesdropping, scams, security fraud, SPAM, worms and viruses. Walker's architecture also supports search engines that are 100% accurate, with low maintenance. The Trusted Net limits child pornography (and children's access to adult porn), hate speech, employee internet abuse, and tax evasion. It inherently supports DRM, satisfying the concerns of content providers and providing a foundation for wide-scale distribution of copyrighted content. Walker has put an intentionally favorable slant on his presentation in order to demonstrate how plausible it is that people will accept the restrictions of Palladium in exchange for all these benefits. The spam menace is already leading to calls for an Internet Drivers License even from some circles within the pro-freedom crowd, and a Trusted Net would be only a small additional step. While Walker's description of "how to put the Internet genie back in the bottle" is sobering, his track record as a prognosticator is not promising. He was wrong about the net before, and he's probably wrong about it now. A rather dull discussion forum for the essay is running at http://www.fourmilab.ch/wb/digital-imprimatur.pl. --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com From roy at rant-central.com Fri Oct 24 03:28:17 2003 From: roy at rant-central.com (Roy M. Silvernail) Date: Fri, 24 Oct 2003 06:28:17 -0400 Subject: "If you didn't pay for it, you've stolen it!" In-Reply-To: <5.2.1.1.0.20031023231814.06487a20@mail.comcast.net> References: <5.2.1.1.0.20031023231814.06487a20@mail.comcast.net> Message-ID: <200310240628.17028.roy@rant-central.com> On Friday 24 October 2003 02:46, Steve Schear wrote: > Why couldn't this be applied on-line to music. Under current fair use > provisions readers and listeners who have purchased a work are allowed to > lend it out freely. Surely the number of people who want to read or listen > to a work are much smaller at any particular moment than the number of > people who have ripped/downloaded a work (perhaps only 1 in 100 at > most). If some mechanism could be made part of the P2P systems purchasers > of the work could 'lend' it to others to read, view or hear when they are > not using it. As long as the system gave some assurance to Hollywood that > the works were not being enjoyed at any one moment by more people than had > paid for the works then the spirit of a lending library would be > maintained. > Someone else must have thought up this idea, but I don't recall seeing > it. Please inform me nicely if you have seen it proposed before. This sounds a lot like the SunnComm DRM system that got so much publicity recently. (the one that relies on Windows' CD Autorun "feature") That system allows the user of a protected CD to make expiring copies of some tracks to share. The problem with the central premise, of course, is that without some Big (Brother) Central Server, there's just no way to track simultaneous usage, so there's no way to assure that the number of users <= the number of owners. You can be sure that [MP|RI]AA will accept nothing less than perfect accounting. And if the system relies on my destroying my physical CDs to share the MP3 copies, forget it. The MP3s are backups for my CDs, but my CDs are also backups for the MP3 files. I've already re-ripped my whole collection once to change bitrates and unify tag information. When OGG hardware gets more widespread, there's at least one more ripping party in the offing. If that's what it takes to share, then I'll just remain a stingy bastard. From s.schear at comcast.net Fri Oct 24 07:43:02 2003 From: s.schear at comcast.net (Steve Schear) Date: Fri, 24 Oct 2003 07:43:02 -0700 Subject: "If you didn't pay for it, you've stolen it!" In-Reply-To: <200310240628.17028.roy@rant-central.com> References: <5.2.1.1.0.20031023231814.06487a20@mail.comcast.net> <5.2.1.1.0.20031023231814.06487a20@mail.comcast.net> Message-ID: <5.2.1.1.0.20031024073809.04b6eac0@mail.comcast.net> At 06:28 AM 10/24/2003 -0400, Roy M. Silvernail wrote: > > Someone else must have thought up this idea, but I don't recall seeing > > it. Please inform me nicely if you have seen it proposed before. > >This sounds a lot like the SunnComm DRM system that got so much publicity >recently. (the one that relies on Windows' CD Autorun "feature") That system >allows the user of a protected CD to make expiring copies of some tracks to >share. > >The problem with the central premise, of course, is that without some Big >(Brother) Central Server, there's just no way to track simultaneous usage, so >there's no way to assure that the number of users <= the number of owners. Why not have each individual's PC which offered to lend do the accounting. This means their PC must be on-line whenever someone who didn't pay wants to listen, limiting the number of copies available, but it could be fully decentralized. >You can be sure that [MP|RI]AA will accept nothing less than perfect >accounting. And if the system relies on my destroying my physical CDs to >share the MP3 copies, forget it. This is a possible problem. If the tracks were originally purchased as .mp3 then this might not be a problem. steve From ravage at einstein.ssz.com Fri Oct 24 06:45:36 2003 From: ravage at einstein.ssz.com (Jim Choate) Date: Fri, 24 Oct 2003 08:45:36 -0500 (CDT) Subject: NOWAR - Leader of India's largest movement to speak (fwd) Message-ID: ---------- Forwarded message ---------- Date: Fri, 24 Oct 2003 07:15:36 -0500 From: NOWAR To: nowar at lists.tao.ca Subject: NOWAR - Leader of India's largest movement to speak Hello, all. We have just received news of a unique opportunity to hear an important speaker. Medha Patkar, one of the most respected political activists in the world, will be speaking in Austin the evening of Nov. 4 (specifics below). This is a rare chance to hear directly from someone on the cutting edge of resistance to the reckless uses of state and private power that threaten so many lives and livelihoods. Patkar founded and leads the Naramda Bachao Andolan (Save the Narmada Movement), the largest nonviolent people's movement in India. Over the course of two decades -- through relentless organizing, demonstrations, and hunger strikes -- the movement has been the voice of hundreds of thousands of indigenous peoples and peasants who are losing their land and way of life to large dams on the Narmada River. Like so many large centralized development projects, the benefits of these dams go to a small elite and the costs are borne by ordinary people. The movement has won policy changes in World Bank and other multilateral funding agencies but continues to face hostility from the Indian government and often violent police responses -- and continues to resist through nonviolent civil disobedience. With significant leadership and participation from women, the nonviolent satyagraha (insistence on truth) has refused to back down. Visit http://www.narmada.org to learn more about the struggle. Patkar also spearheads the National Alliance of People's Movements, a powerful network of more than 150 mass-based movements across India. NAPM is a non-electoral, secular political alliance of peasant, tribal, dalit, women and labor groups that are critical of corporate globalization and offer alternative development plans. Patkar's work has been recognized through countless international awards, including the Right to Livelihood Award (known as the alternative Nobel Prize), Goldman Environmental Prize, a Human Rights Defender's Award from Amnesty International, the Magsaysay Award, and Global Villager Award. Patkar's lecture, "Who pays for progress?", will focus on policies that inhibit sustainable development and people's non-violent struggles for social justice. The talk will be Tuesday, Nov. 4, at 7:30 p.m. in the LBJ Auditorium in Sid Richardson Hall (the one-story building directly east of the LBJ Library and Museum) on the University of Texas campus. Free parking is available in the lots on Red River just south of Dean Keeton (26th St.) Map available at http://www.utexas.edu/maps/main/buildings/srh.html Because the event happens in just over a week, it's important to spread the word widely so as many people as possible can hear Patkar. Please forward this information to any relevant email lists and web sites. Flyers can be downloaded from http://ThirdCoastActivist.org The primary sponsor of the event is the Austin chapter of the Association for India's Development, a nonprofit organization promoting grassroots efforts for health care, education, small enterprise, alternate energy, environmental action and people's rights in India. For more information, visit www.aidaustin.org or www.aidindia.org. Co-sponsors will be announced later. For more information, contact Harish Sharma, 695-7983, aidut at uts.cc.utexas.edu. Information about this and many other events can be found at http://ThirdCoastActivist.org In Solidarity, the Nowar Collective From ravage at einstein.ssz.com Fri Oct 24 07:02:02 2003 From: ravage at einstein.ssz.com (Jim Choate) Date: Fri, 24 Oct 2003 09:02:02 -0500 (CDT) Subject: ABCNEWS.com : Scalia Ridicules Court's Gay Sex Ruling (fwd) Message-ID: Why does anyone listen to this punk....leave it up to him and women would be barefoot and pregnant and non-anglo's would still be 5/8 human. The guy is a bigot. Strict adherence to the words of the Constitution, this nitwit hasn't -ever- stuck to the words or the intents. Just another two-faced liar like Lincoln. 'Conservative'....indeed. http://abcnews.go.com/wire/Politics/ap20031023_2301.html -- -- Lo! Men have become the tools of their tools - H.D. Thoreau ravage at ssz.com jchoate at open-forge.com www.ssz.com www.open-forge.com From ravage at einstein.ssz.com Fri Oct 24 07:17:15 2003 From: ravage at einstein.ssz.com (Jim Choate) Date: Fri, 24 Oct 2003 09:17:15 -0500 (CDT) Subject: PhysicsWeb - Utopia theory (fwd) Message-ID: http://physicsweb.org/article/world/16/10/7 -- -- Lo! Men have become the tools of their tools - H.D. Thoreau ravage at ssz.com jchoate at open-forge.com www.ssz.com www.open-forge.com From mv at cdc.gov Fri Oct 24 09:43:27 2003 From: mv at cdc.gov (Major Variola (ret)) Date: Fri, 24 Oct 2003 09:43:27 -0700 Subject: "If you didn't pay for it, you've stolen it!" Message-ID: <3F9956AF.7F94B685@cdc.gov> At 07:43 AM 10/24/03 -0700, Steve Schear wrote: >At 06:28 AM 10/24/2003 -0400, Roy M. Silvernail wrote: >>The problem with the central premise, of course, is that without some Big >>(Brother) Central Server, there's just no way to track simultaneous usage, so >>there's no way to assure that the number of users <= the number of owners. Wrong. >Why not have each individual's PC which offered to lend do the >accounting. This means their PC must be on-line whenever someone who >didn't pay wants to listen, limiting the number of copies available, but it >could be fully decentralized. Yes but it needn't be online constantly. What *is* a library? 1. A library is legal. A library needn't be licensed by any state entity. 2. Thus, I can declare my computer a library. The only requirement is that I own a license to what I lend, and that only 1 user exercise that license at a time. That is what a library is. 3. Among library-users, we contractually require that "borrowed" materials be not used after the "return" date. Since bits are bits, "borrowing" is "copying" and "returning" is simply not exercising the bits. When something is being used no one else can use the same. We use our library-patron-contract to implement what meatspace does with objects --usable at one place at one time. 4. We could implement this by merely keeping a flag for each file in our collection denoting that the file is borrowed. We would be obligated not to relend it until after the return date; the library patron would be similarly obligated not to use it afterwards (without checking it out again). 5. We do *not* need to be constantly online for this, any more than a library needs to be open 24 hours a day. We *do* need a shared timebase and good IDs for objects. A legal assault on this mechanism is an assault on bricks and mortar libraries, ie the right to lend a book to an associate. Even if that associate xeroxes the book without our knowing it. Perhaps these features could be added to KaZaa. (Simply: when a file is uploaded from your disk, you move it from shared to not shared directory for a day. You also have some lameass clickthrough library-patron contract.) Gentlemen, start your lawyers. --- Talk softly and carry a big lawyer. ---Hunter S Roosevelt From hseaver at cybershamanix.com Fri Oct 24 08:14:08 2003 From: hseaver at cybershamanix.com (Harmon Seaver) Date: Fri, 24 Oct 2003 10:14:08 -0500 Subject: "If you didn't pay for it, you've stolen it!" In-Reply-To: References: Message-ID: <20031024151408.GA4592@cybershamanix.com> On Thu, Oct 23, 2003 at 10:43:22PM -0700, Tim May wrote: > > TM: the last two paragraphs were of course added by me. But the point > is still valid, that much of Hollywood's claims about "illegal > listening" are not really any different from "reading without buying" > books and magazines in libraries. The more urgent issue is this crap Not to mention all the CDs and movies available in libraries. What's the difference in borrowing CDs from a library and taking them home and taping or mp3ing them and getting them from the net? > about corporations buying time in public schools. If I had a kid in a > school and it was proposed that Nike, Time-Warner, Coke, or Intel would > be buying teaching time, I'd tell them to stop it pretty fucking quick > or face the Mother of All Columbines. Or even worse the practice of Coke, Pepsi, et al paying money to the school for exclusive rights to market their product. Also sort of like what M$ did in schools and colleges -- gave them some free computers on the condition that all competing software be removed from computer labs. Not surprising at all that megacorps now want to buy teaching time in schools. In Japan the megacorp have long run their own schools for workers kids to ensure the loyalty of their future workers. -- Harmon Seaver CyberShamanix http://www.cybershamanix.com From steve at njord.org Fri Oct 24 09:00:26 2003 From: steve at njord.org (Steve Wollkind) Date: Fri, 24 Oct 2003 11:00:26 -0500 Subject: "If you didn't pay for it, you've stolen it!" Message-ID: <200310241100.26292.steve@njord.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Friday 24 October 2003 10:14, Harmon Seaver wrote: > On Thu, Oct 23, 2003 at 10:43:22PM -0700, Tim May wrote: > > TM: the last two paragraphs were of course added by me. But the point > > is still valid, that much of Hollywood's claims about "illegal > > listening" are not really any different from "reading without buying" > > books and magazines in libraries. The more urgent issue is this crap > > Not to mention all the CDs and movies available in libraries. What's the > difference in borrowing CDs from a library and taking them home and taping > or mp3ing them and getting them from the net? There's no difference....both are illegal. It's just much easier to catch people who leave a trail by downloading files than people who legally check a disc out of a library and then illegally copy it in the privacy of their own home. Steve - -- Steve Wollkind 810 C San Pedro steve at njord.org College Station, TX 77845 http://njord.org/~steve 979.575.2948 - -- The two most common elements in the universe are hydrogen and stupidity. -- Harlan Ellison -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQE/mUxP0uexoyuzySARArjAAJ93lhUZcDogLhWpH9/TsMdz4x4hDgCfYbom ZFUggCCKfNTZ07FdlXPCwyw= =rddG -----END PGP SIGNATURE----- From roy at rant-central.com Fri Oct 24 08:23:31 2003 From: roy at rant-central.com (Roy M. Silvernail) Date: Fri, 24 Oct 2003 11:23:31 -0400 (EDT) Subject: "If you didn't pay for it, you've stolen it!" In-Reply-To: <5.2.1.1.0.20031024073809.04b6eac0@mail.comcast.net> from "Steve Schear" at Oct 24, 2003 07:43:02 AM Message-ID: <20031024152331.DD17513D2A5@mesmer.rant-central.com> Steve Schear writes: > Why not have each individual's PC which offered to lend do the > accounting. This means their PC must be on-line whenever someone who > didn't pay wants to listen, limiting the number of copies available, but it > could be fully decentralized. You'd have to piggyback this on some P2P app. Otherwise, the lender would have to run an accessable server. That can be a trick if you're behind a NAT or your ISP takes exception to unsolicited incoming packets. Also, how do you handle check-in, or more importantly, lack of check-in? Timeout? Can you queue checkout requests? Interesting idea, but it sounds kind of cumbersome to roll out. -- Roy M. Silvernail is roy at rant-central.com, and you're not http://www.rant-central.com is the new scytale Never Forget: It's Only 1's and 0's! SpamAssassin->procmail->/dev/null->bliss From rah at shipwright.com Fri Oct 24 08:35:52 2003 From: rah at shipwright.com (R. A. Hettinga) Date: Fri, 24 Oct 2003 11:35:52 -0400 Subject: PGP Corporation Announces Release of PGP Desktop 8.0.3 Message-ID: Headlines October 24, 2003 08:31 AM US Eastern Timezone PGP Corporation Announces Release of PGP Desktop 8.0.3; Support For the Latest Windows and Mac Operating Systems and Popular Email Clients PALO ALTO, Calif.--(BUSINESS WIRE)--Oct. 24, 2003--PGP Corporation, the recognized leader in secure messaging and information storage, today announced the immediate availability of PGP(R) Desktop 8.0.3. This version adds support for Microsoft Office 2003, including Outlook 2003 and Windows Server 2003; Novell GroupWise 6.5; and Mac OS X 10.3 (Panther). "Although technology changes increasingly quickly, PGP products keep pace," said Jon Callas, PGP Corporation's CTO and Chief Security Officer. "This release ensures customers continued access to the rich set of features in PGP Desktop products, including digital signatures to automatically detect email 'spoofing,' key management, and standards-based technology." The release is available free to all customers who have purchased PGP Desktop 8.0 products, including PGP Corporate Desktop, PGP Workgroup Desktop, and PGP Personal Desktop as well as earlier versions of PGP Enterprise, PGP Desktop, and PGP Personal. Licensed customers wishing to upgrade to PGP Desktop 8.0.3 may download the update from www.pgp.com . About PGP Corporation The recognized worldwide leader in secure messaging and information storage, PGP Corporation develops, markets, and supports products used by a broad installed base of enterprises, businesses, governments, individuals, and cryptography experts to secure proprietary and confidential information. During the past ten years, PGP(R) technology has built a global reputation for open and trusted security products. The PGP Corporation family of products includes PGP Universal, an automatic, self-managing network-based solution for enterprises, and individual desktop solutions. Venture funding is provided by DCM-Doll Capital Management and Venrock Associates. Contact PGP Corporation at www.pgp.com or 650-319-9000. PGP is a registered trademark and the PGP logo is a trademark of PGP Corporation. Product and brand names used in the document may be trademarks or registered trademarks of their respective owners. Any such trademarks or registered trademarks are the sole property of their respective owners. Contacts For PGP Corporation: Jump Start Communications, LLC Lori Curtis, 970-887-0044 lori at jumpstartcom.com Print this release Terms of Use | � Business Wire 2003 -- ----------------- R. A. Hettinga The Internet Bearer Underwriting Corporation 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' --- end forwarded text -- ----------------- R. A. Hettinga The Internet Bearer Underwriting Corporation 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com From rah at shipwright.com Fri Oct 24 08:44:39 2003 From: rah at shipwright.com (R. A. Hettinga) Date: Fri, 24 Oct 2003 11:44:39 -0400 Subject: Certicom Sells Licensing Rights to NSA Message-ID: Canada NewsWire CERTICOM CORP. Quotes and Charts CIC. (TSX) Attention Business Editors: Certicom Sells Licensing Rights to NSA MISSISSAUGA, ON, Oct. 24 /CNW/ - Certicom Corp. (TSX: CIC), a leading provider of wireless security solutions, today announced that the National Security Agency (NSA) in Maryland has purchased extensive licensing rights to Certicom's MQV-based Elliptic Curve Cryptography (ECC) intellectual property. ECC is becoming a crucial technology for protecting national security information. This agreement will give the NSA a nonexclusive, worldwide license with the right to grant sublicenses of MQV-based ECC covered by many of Certicom's US patents and applications and corresponding foreign rights in a limited field of use. The field of use is restricted to implementations of ECC that are over GF(p), where p is a prime greater than 2(256). Outside the field of use, Certicom will retain all rights to the technology for other industries that require the same levels of security, including state and local government agencies. Certicom will continue its policy of making its intellectual property available to implementers of ECC under normal commercial terms on a non discriminatory basis. Researchers have been studying ECC for almost 20 years as the next generation of public-key technology. ECC is a computationally efficient form of cryptography that offers equivalent security to other competing technologies but with much smaller key sizes. This results in faster computations, lower power consumption, as well as memory and bandwidth savings. "Certicom is a pioneer in researching and developing ECC," says Scott Vanstone, founder and executive vice-president, strategic technology at Certicom. "Over 15 years ago, Certicom was founded to research and develop the strongest security possible. This makes us ideally positioned to provide manufacturers, that build government communications equipment and applications, with the tools they need to deliver ECC-based security solutions to the government market. Certicom is committed to work with the commercial sector in making our intellectual property and technology available to the security industry at large." In 1997, Certicom developed the industry's first toolkit to include ECC which has since been adopted by over 300 organizations. Security Builder Crypto, a cross-platform cryptographic toolkit, includes standards-based ECC implementations that are optimized for size and performance on over 30 platforms. "Certicom is committed to providing technology that meets the U.S. Government's highest standards to secure and protect its most sensitive information," said Ian McKinnon, president and CEO of Certicom. "With NSA's decision to purchase a license from Certicom for MQV-based ECC, Certicom is well-positioned to drive the adoption of our technologies and intellectual property in new markets that need strong security. This contract, valued at US$25 million, has been facilitated through the CCC (Canadian Commercial Corporation), Canada's export contracting agency." Companies and Government Departments or Agencies wishing to develop security products implementing ECC to protect national security related systems and/or information or other mission critical information related to national security under this licensing agreement should submit the details of their requirements to the Director, National Security Agency (Attn: IA Directorate, V1). NSA will employ established development programs (e.g. NSA sponsored developments, the Commercial COMSEC Endorsement Program (CCEP), or User Partnership Programs) to develop and certify ECC for these requirements. About Certicom Certicom is a leading provider of wireless security solutions, enabling developers, governments and enterprises to add strong security to their devices, networks and applications. Designed for constrained devices, Certicom's patented technologies are unsurpassed in delivering the strongest cryptography with the smallest impact on performance and usability. Certicom products are currently licensed to more than 300 customers including Texas Instruments, Palm, Research In Motion, Cisco Systems, Oracle and Motorola. Founded in 1985, Certicom is headquartered in Mississauga, ON, Canada, with offices in Ottawa, ON; Herndon, VA; San Mateo, CA; and London, England. Visit www.certicom.com. About CCC CCC (Canadian Commercial Corporation) is a Crown Corporation mandated to facilitate international trade, particularly in government markets. CCC's approach is based on 'three Cs': credibility, confidence, contracts. CCC builds confidence in Canadian exports by giving them the credibility of a government-backed performance guarantee that opens doors and leads to contracts with improved terms. Normally CCC acts as a Prime Contractor, signing a contract with the foreign buyer and a matching contract with the exporter. CCC also assists exporters to increase their pre-shipment working capital from commercial sources, and offers a range of procurement, pre- contract, contract advisory and post-contract services on a fee for service basis. Visit www.ccc.ca. Certicom, Security Builder, Security Builder Crypto, Security Builder SSL, Security Builder PKI, Security Builder GSE, movianVPN, movianCrypt and movianMail are trademarks or registered trademarks of Certicom Corp. All other companies and products listed herein are trademarks or registered trademarks of their respective holders. Except for historical information contained herein, this news release contains forward-looking statements that involve risks and uncertainties. Actual results may differ materially. Factors that might cause a difference include, but are not limited to, those relating to the acceptance of mobile and wireless devices and the continued growth of e-commerce and m-commerce, the increase of the demand for mutual authentication in m-commerce transactions, the acceptance of Elliptic Curve Cryptography (ECC) technology as an industry standard, the market acceptance of our principal products and sales of our customer's products, the impact of competitive products and technologies, the possibility of our products infringing patents and other intellectual property of fourth parties, and costs of product development. Certicom will not update these forward-looking statements to reflect events or circumstances after the date hereof. More detailed information about potential factors that could affect Certicom's financial results is included in the documents Certicom files from time to time with the Canadian securities regulatory authorities. %SEDAR: 00003865E -30- For further information: Tim Cox, ZingPR, (650) 369-7784, tim at zingpr.com; Brendan Ziolo, Certicom Corp., (613) 254-9267, bziolo at certicom.com CERTICOM CORP. has 84 releases in this database. -- ----------------- R. A. Hettinga The Internet Bearer Underwriting Corporation 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' --- end forwarded text -- ----------------- R. A. Hettinga The Internet Bearer Underwriting Corporation 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com From rah at shipwright.com Fri Oct 24 09:30:10 2003 From: rah at shipwright.com (R. A. Hettinga) Date: Fri, 24 Oct 2003 12:30:10 -0400 Subject: Certicom Sells Licensing Rights to NSA Message-ID: --- begin forwarded text From rah at shipwright.com Fri Oct 24 09:31:14 2003 From: rah at shipwright.com (R. A. Hettinga) Date: Fri, 24 Oct 2003 12:31:14 -0400 Subject: PGP Corporation Announces Release of PGP Desktop 8.0.3 Message-ID: --- begin forwarded text From sunder at sunder.net Fri Oct 24 09:36:44 2003 From: sunder at sunder.net (Sunder) Date: Fri, 24 Oct 2003 12:36:44 -0400 (edt) Subject: Support the Bush-Orwell '04 campaign! Message-ID: http://www.cafeshops.com/grandoldparty/76732 ----------------------Kaos-Keraunos-Kybernetos--------------------------- + ^ + :25Kliters anthrax, 38K liters botulinum toxin, 500 tons of /|\ \|/ :sarin, mustard and VX gas, mobile bio-weapons labs, nukular /\|/\ <--*-->:weapons.. Reasons for war on Iraq - GWB 2003-01-28 speech. \/|\/ /|\ :Found to date: 0. Cost of war: $800,000,000,000 USD. \|/ + v + : The look on Sadam's face - priceless! --------_sunder_ at _sunder_._net_------- http://www.sunder.net ------------ From s.schear at comcast.net Fri Oct 24 12:50:57 2003 From: s.schear at comcast.net (Steve Schear) Date: Fri, 24 Oct 2003 12:50:57 -0700 Subject: "If you didn't pay for it, you've stolen it!" In-Reply-To: <3F9976E3.7070504@onryou.com> References: <3F9956AF.7F94B685@cdc.gov> <3F9956AF.7F94B685@cdc.gov> Message-ID: <5.2.1.1.0.20031024124749.065919a8@mail.comcast.net> At 03:00 PM 10/24/2003 -0400, Cael Abal wrote: >>What *is* a library? >>1. A library is legal. A library needn't be licensed by any state >>entity. >>2. Thus, I can declare my computer a library. The only requirement is >>that I own a license to what I lend, and that only 1 user exercise that >>license at a time. That is what a library is. > >An interesting idea, Major -- but unfortunately nothing is simple these >days. Libraries, I would wager, likely have very specific legal >definitions (for tax purposes if for no other reason). Many private libraries are non-profits or adjuncts of other non-profits (e.g., schools) but there is no reason a library can't operate as a for-profit entity. I think major is right, that at least in the U.S. libraries are otherwise unregulated. steve From roy at rant-central.com Fri Oct 24 11:14:03 2003 From: roy at rant-central.com (Roy M. Silvernail) Date: Fri, 24 Oct 2003 14:14:03 -0400 (EDT) Subject: "If you didn't pay for it, you've stolen it!" In-Reply-To: <3F9956AF.7F94B685@cdc.gov> from "Major Variola (ret)" at Oct 24, 2003 09:43:27 AM Message-ID: <20031024181403.7698913D2A5@mesmer.rant-central.com> Major Variola writes: > What *is* a library? > > 1. A library is legal. A library needn't be licensed by any state > entity. > > 2. Thus, I can declare my computer a library. The only requirement is > that > I own a license to what I lend, and that only 1 user exercise that > license > at a time. That is what a library is. Well stated. > A legal assault on this mechanism is an assault on bricks and mortar > libraries, > ie the right to lend a book to an associate. Even if that associate > xeroxes the book > without our knowing it. > > Perhaps these features could be added to KaZaa. (Simply: when a file > is uploaded > from your disk, you move it from shared to not shared directory for a > day. You also > have some lameass clickthrough library-patron contract.) > > Gentlemen, start your lawyers. Indeed. I'd guess the [MP|RI]AA wouldn't like this at all. But your point is inescapable and I'd /really/ like to watch this court battle. -- Roy M. Silvernail is roy at rant-central.com, and you're not http://www.rant-central.com is the new scytale Never Forget: It's Only 1's and 0's! SpamAssassin->procmail->/dev/null->bliss From ptrei at rsasecurity.com Fri Oct 24 11:16:16 2003 From: ptrei at rsasecurity.com (Trei, Peter) Date: Fri, 24 Oct 2003 14:16:16 -0400 Subject: Support the Bush-Orwell '04 campaign! Message-ID: > From: Sunder[SMTP:sunder at sunder.net] > Subject: Support the Bush-Orwell '04 campaign! > http://www.cafeshops.com/grandoldparty/76732 > Cute, but actually putting George Orwell on the ticket would actually be a very nice counterbalance to Ashcroft, etal (or course, he's dead, and foreign, but thats not his fault). Here's another list of slogans that is floating around: > Proposed Bush - Cheney Slogans for 2004 elections > > Bush/Cheney '04: Compassionate Colonialism > Vote Bush in '04: "It Has Incumbentory Advantitude" > Bush Reloaded > Bush/Cheney '04: "You're either with us or against us!" > Bush/Cheney '04: Apocalypse Now! > Bush/Cheney '04: Because the truth just isn't good enough. > Bush/Cheney '04: Deja-voodoo all over again! > Bush/Cheney '04: Don't Change Whores in Midstream > Bush/Cheney '04: Four More Wars! > Bush/Cheney '04: Leave no billionaire behind > BU__SH__! > Bush/Cheney '04: Less CIA -- More CYA > Bush/Cheney '04: Making the world a better place, one country at a time. > Bush/Cheney '04: Putting the "con" in conservatism > Bush/Cheney '04: Thanks for not paying attention. > Bush/Cheney '04: The last vote you'll ever have to cast. > Bush/Cheney '04: This time, elect us! > Bush/Cheney '04: Because We're Gooder! > Bush/Cheney: 1984 > Bush/Cheney: Asses of Evil > George W. Bush: It takes a village idiot > Vote Bush in '04: It's a no-brainer! From timcmay at got.net Fri Oct 24 14:32:40 2003 From: timcmay at got.net (Tim May) Date: Fri, 24 Oct 2003 14:32:40 -0700 Subject: "If you didn't pay for it, you've stolen it!" In-Reply-To: <20031024151408.GA4592@cybershamanix.com> Message-ID: <9845424E-0669-11D8-9F08-000A956B4C74@got.net> On Friday, October 24, 2003, at 08:14 AM, Harmon Seaver wrote: > On Thu, Oct 23, 2003 at 10:43:22PM -0700, Tim May wrote: >> >> TM: the last two paragraphs were of course added by me. But the point >> is still valid, that much of Hollywood's claims about "illegal >> listening" are not really any different from "reading without buying" >> books and magazines in libraries. The more urgent issue is this crap > > Not to mention all the CDs and movies available in libraries. > What's the > difference in borrowing CDs from a library and taking them home and > taping or > mp3ing them and getting them from the net? None, and in fact I have made my own DAT and CD copies of many hundreds of CDs I borrowed. I also burn an average one DVD per day, of movies and suchlike. >> about corporations buying time in public schools. If I had a kid in a >> school and it was proposed that Nike, Time-Warner, Coke, or Intel >> would >> be buying teaching time, I'd tell them to stop it pretty fucking quick >> or face the Mother of All Columbines. > > Or even worse the practice of Coke, Pepsi, et al paying money to > the school > for exclusive rights to market their product. Also sort of like what > M$ did in > schools and colleges -- gave them some free computers on the condition > that all > competing software be removed from computer labs. Not surprising at > all that > megacorps now want to buy teaching time in schools. In Japan the > megacorp have > long run their own schools for workers kids to ensure the loyalty of > their > future workers. This last point I have no problem with, provided Megacorp pays all the costs for its own schools. In fact, I support bringing back indentured servitude. The problem is when a "public school," which taxpayers have been ordered to pay for, becomes the fiefdom of a corporation. If a child is compelled to attend school, as he is, he may not be compelled to watch commercials or listen to corporate pitches. --Tim May "Dogs can't conceive of a group of cats without an alpha cat." --David Honig, on the Cypherpunks list, 2001-11 From timcmay at got.net Fri Oct 24 14:52:02 2003 From: timcmay at got.net (Tim May) Date: Fri, 24 Oct 2003 14:52:02 -0700 Subject: "If you use encryption, you help the terrorists win" Message-ID: <4D134A12-066C-11D8-9F08-000A956B4C74@got.net> I predict we'll soon be seeing a new thought control campaign with this theme, that "if you use encryption, you help the terrorists win." Similar to the heavy advertising (paid for by Big Brother, and hence by money stolen from taxpayers) with the theme that lighting up a doobie helps Osama, that taking an Oxycontin (sorry, Rush!) is equivalent to flying a plane into the World Trade Center. Why encryption? Why now? Perhaps Eric B. can comment on the status of encrypted cellphones, of whichever flavor, but it occurs to me that some people in Iraq desperately need them. I refer of course to those trying to expell the American soldiers occupying their cities and, as Anne Coulter put it and as senior Army officials agree, "occupy their country, take their oil, and convert them all to Christianity." You see, the landlines and central offices were largely wiped out in the War for Oil. So what is now going in is what makes sense for nearly all developing--or flattened--countries: cellphones. The U.S. had plans for the contracts to deploy cellphones to go to American companies, but the local puppets must have had no fear of the Americans, as they went with a better bribe: mostly Arabic cellphone providers will deploy the initial system. And of course this is why there are a lot of subcontractors with ties to the NSA, DIA, ASA, etc. now in Iraq monitoring communications. (Partly to track down Saddam's whereabouts, as he may use a cellphone, if he's careless. Recall the tale of Pablo Escobar.) So, what would happen if even 5% of the cellphones were encrypted with a sufficiently-strong system (Eric's 3DES would presumably be enough)? And if not encrypted cellphones, encryption of the usual sort, over networks. I wonder what would happen to someone found carrying copies of PGP into Iraq? (Which is not to say copies are not already widely circulating, or readily downloadable, etc.) It seems clear to me that the puppet state of Iraq (maybe we could dub it "The Puppet Republic of Iraq"?) will not allow significant use of encrypted cellphones, or perhaps even encryption over networks. If the daily attacks on the crusaders continue to rise, and there appears to be some kind of coordination, the intelligence agencies will be called to task on why they are not intercepting (or jamming) the coordination channels. If the expected attacks in Saudi Arabia and other soft targets happen on schedule in the next few weeks, we might even see reintroduction of crypto ban proposals inside the U.S. We should not assume the war for crypto is won. --Tim May "A democracy cannot exist as a permanent form of government. It can only exist until the voters discover that they can vote themselves money from the Public Treasury. From that moment on, the majority always votes for the candidate promising the most benefits from the Public Treasury with the result that a democracy always collapses over loose fiscal policy always followed by dictatorship." --Alexander Fraser Tyler From lists at onryou.com Fri Oct 24 12:00:51 2003 From: lists at onryou.com (Cael Abal) Date: Fri, 24 Oct 2003 15:00:51 -0400 Subject: "If you didn't pay for it, you've stolen it!" In-Reply-To: <3F9956AF.7F94B685@cdc.gov> References: <3F9956AF.7F94B685@cdc.gov> Message-ID: <3F9976E3.7070504@onryou.com> > What *is* a library? > > 1. A library is legal. A library needn't be licensed by any state > entity. > > 2. Thus, I can declare my computer a library. The only requirement is > that I own a license to what I lend, and that only 1 user exercise that > license at a time. That is what a library is. An interesting idea, Major -- but unfortunately nothing is simple these days. Libraries, I would wager, likely have very specific legal definitions (for tax purposes if for no other reason). Regardless, may I be the first to request a library card? C From timcmay at got.net Fri Oct 24 15:11:27 2003 From: timcmay at got.net (Tim May) Date: Fri, 24 Oct 2003 15:11:27 -0700 Subject: "If you didn't pay for it, you've stolen it!" In-Reply-To: <20031024210448.GA20108@mail.dadadada.net> Message-ID: <039D5E0F-066F-11D8-9F08-000A956B4C74@got.net> On Friday, October 24, 2003, at 02:04 PM, BillyGOTO wrote: > On Fri, Oct 24, 2003 at 02:14:03PM -0400, Roy M. Silvernail wrote: >> Major Variola writes: >> >>> What *is* a library? >>> >>> 1. A library is legal. A library needn't be licensed by any state >>> entity. >>> >>> 2. Thus, I can declare my computer a library. The only requirement >>> is >>> that I own a license to what I lend, and that only 1 user exercise >>> that license at a time. That is what a library is. >> >> Well stated. > > Not really. Libraries have to pay more than we do for their > subscriptions. > Be careful using the phrase "have to" in any discussion of legal issues. Does government force libraries to pay more for some subscriptions? Not to my knowledge. Do some publishers have different rates for individuals versus libraries and other institutions? Yes. Are libraries required by law to reimburse authors and publishers when they allow books and magazines to be looked at by patrons or checked out by them? No laws that I know of. In short, some publishers charge some customers more, and others less. In this sense, an Intel or a Carnegie Public Library "has to" pay higher rates to these particular publishers, but this is certainly not germane to issues of legality of libraries. --Tim May From sfurlong at acmenet.net Fri Oct 24 13:00:38 2003 From: sfurlong at acmenet.net (Steve Furlong) Date: 24 Oct 2003 16:00:38 -0400 Subject: [mnet-devel] DOS in DHTs (fwd from amichrisde@yahoo.de) In-Reply-To: <20031023044331.85464.qmail@web40601.mail.yahoo.com> References: <20031023044331.85464.qmail@web40601.mail.yahoo.com> Message-ID: <1067025636.19462.1.camel@localhost.localdomain> On Thu, 2003-10-23 at 00:43, Morlock Elloi wrote: > There are precedents. In Franko's Spain, all typewriters had to be registered > with the state, and all had serial numbers. It was illegal and punishable to > possess one without license. What does that have to do with anything? We're talking about the United States. There _is_ no other nation. From mv at cdc.gov Fri Oct 24 16:16:49 2003 From: mv at cdc.gov (Major Variola (ret)) Date: Fri, 24 Oct 2003 16:16:49 -0700 Subject: "If you use encryption, you help the terrorists win" Message-ID: <3F99B2E1.97BAC4D8@cdc.gov> At 02:52 PM 10/24/03 -0700, Tim May wrote: >The U.S. had plans >for the contracts to deploy cellphones to go to American companies, but >the local puppets must have had no fear of the Americans, as they went >with a better bribe: mostly Arabic cellphone providers will deploy the >initial system. Yes, but who makes their equiptment? How do you say backdoor in Arabic? >So, what would happen if even 5% of the cellphones were encrypted with >a sufficiently-strong system (Eric's 3DES would presumably be enough)? Those 5% get a special visit from the Colonial Eye for the Arabic Guy, (a Fox production) where they get to wear a nifty black hood complemented by a spiffy nylon bracelet for both hands. And then they get some special counseling from the friendly boys from interrogation. Its amazing how far a cell phone will go up a rectum when you really want an answer... What they need is good stego. From pgut001 at cs.auckland.ac.nz Thu Oct 23 20:25:41 2003 From: pgut001 at cs.auckland.ac.nz (Peter Gutmann) Date: Fri, 24 Oct 2003 16:25:41 +1300 Subject: RSA performance on Athlon64 vs. Itanium Message-ID: <200310240325.h9O3PfD28466@cs.auckland.ac.nz> "J.A. Terranson" writes: >On Sun, 12 Oct 2003, Lucky Green wrote: >> I just picked up an Athlon64 3200+, which runs at a 2 GHz clock speed. >> Using the Red Hat for AMD64 beta and the version of OpenSSL that ships >> with that beta, I get 922 1024-bit RSA signs per second. This is a tad >> less RSA signatures per second than I have seen on an 800MHz Itanium >> using highly optimized assembler. That's rather poor performance on the >> Athlon64. >> >> Are the figures that I am seeing typical for OpenSSL on the Athlon64? >> Has anybody here seen different figures using optimized code? > >Was there ever a reply to this? If so, could someone forward it to me off- >list, as I missed it :-( The reply, sent off-list, was something like "You're running x86-32 code on an x86-64 CPU in emulation mode, what do you expect?" :-). In addition the Itanium RSA demo code works by turning the CPU into a $1000 ASIC, so you'd need to test it for SSL handshakes per second or something similar where the CPU has to do some other work besides RSA crypto ops. Peter. From pgut001 at cs.auckland.ac.nz Thu Oct 23 20:33:33 2003 From: pgut001 at cs.auckland.ac.nz (Peter Gutmann) Date: Fri, 24 Oct 2003 16:33:33 +1300 Subject: RSA performance on Athlon64 vs. Itanium Message-ID: <200310240333.h9O3XXE28496@cs.auckland.ac.nz> "Lucky Green" writes: >I since ran additional tests. All tests are for 1024-bit RSA signatures. Taking some guesses here at the code being used: >1) OpenSSL as shipping with the RedHat Taroon beta for Athlon 64: > >921 RSA signatures/second x86-32 hand-tuned asm optimised for Pentium Pro. >2) OpenSSL compiled manually: > >1313 RSA signatures/second x86-64 code, gcc optimised for Athlon64. >3) Performance benchmark application made available to reviewers: > >Exceeding 3800 RSA signatures/second. x86-64 hand-tuned asm optimised for Athlon64. I'm guessing this one has the same catch as the Itanium speed test. >I am getting ready to buy a second one to upgrade my other box at home. My PoS hardware test PC and a $25 Broadcom chip beats your Athlon 64 :-). Peter. From billy at dadadada.net Fri Oct 24 14:04:48 2003 From: billy at dadadada.net (BillyGOTO) Date: Fri, 24 Oct 2003 17:04:48 -0400 Subject: "If you didn't pay for it, you've stolen it!" In-Reply-To: <20031024181403.7698913D2A5@mesmer.rant-central.com> References: <3F9956AF.7F94B685@cdc.gov> <20031024181403.7698913D2A5@mesmer.rant-central.com> Message-ID: <20031024210448.GA20108@mail.dadadada.net> On Fri, Oct 24, 2003 at 02:14:03PM -0400, Roy M. Silvernail wrote: > Major Variola writes: > > > What *is* a library? > > > > 1. A library is legal. A library needn't be licensed by any state > > entity. > > > > 2. Thus, I can declare my computer a library. The only requirement is > > that I own a license to what I lend, and that only 1 user exercise > > that license at a time. That is what a library is. > > Well stated. Not really. Libraries have to pay more than we do for their subscriptions. From s.schear at comcast.net Fri Oct 24 17:10:00 2003 From: s.schear at comcast.net (Steve Schear) Date: Fri, 24 Oct 2003 17:10:00 -0700 Subject: "If you didn't pay for it, you've stolen it!" In-Reply-To: <3F9976E3.7070504@onryou.com> References: <3F9956AF.7F94B685@cdc.gov> <3F9956AF.7F94B685@cdc.gov> Message-ID: <5.2.1.1.0.20031024170641.04b71370@mail.comcast.net> At 03:00 PM 10/24/2003 -0400, Cael Abal wrote: >>What *is* a library? >>1. A library is legal. A library needn't be licensed by any state >>entity. >>2. Thus, I can declare my computer a library. The only requirement is >>that I own a license to what I lend, and that only 1 user exercise that >>license at a time. That is what a library is. > >An interesting idea, Major -- but unfortunately nothing is simple these >days. Libraries, I would wager, likely have very specific legal >definitions (for tax purposes if for no other reason). Some libraries already offer a service similar to what I suggested so their patrons can read digital copies of works on- or off-line on their PCs. http://www.netlibrary.com/ I fail to see the fundamental difference between citizens lending .mp3s and public libraries lending CDs and DVDs, unless one accepts a similar argument that only government recognized and credentialed people will be considered "reporters" under the law. steve From pgut001 at cs.auckland.ac.nz Thu Oct 23 21:23:14 2003 From: pgut001 at cs.auckland.ac.nz (Peter Gutmann) Date: Fri, 24 Oct 2003 17:23:14 +1300 Subject: C3 Nehemia C5P with better hardware RNG and AES support Message-ID: <200310240423.h9O4NE628648@cs.auckland.ac.nz> "Lucky Green" writes: >Peter wrote: >> In case anyone's interested, there's a cpu die photo at >> http://www.sandpile.org/impl/pics/centaur/c5xl/die_013_c5p.jpg >> showing the amount of real estate consumed by the crypto functions >> (it's the bottom centre, a bit hard to read the label). > >I fail to understand why VIA bothered adding AES support into the CPU. When >was AES last the bottleneck on a general-purpose CPU? Apart from the obvious "what cool thing can we fit in -> <- this much spare die space?", the obvious target is SOHO routers/firewall boxes. My spies tell me that it's already being used in a number of products like this, and the addition of AES will help the process. Hardware SHA-1 in the next rev makes it even better, since you can now do IPsec and SSL tunneling purely in hardware (and then you lose it all again in the crappy Rhine II NIC, but that's another story). >The bottleneck tends to be modular exponentiations, yet VIA failed to include >a modular exponentiation engine. Strange. Not for SOHO use it isn't, the initial handshake overhead is negligible compared to the constant link encryption overhead. The alternative is to do the crypto externally, for which you're paying for an expensive and power- hungry crypto core capable of doing a zillion DH/RSA ops/sec that gets used once every few hours. The alternative is to load or load your standard firewall firmware into a Nehemiah and offload all the crypto and RNG stuff. Peter. From rah at shipwright.com Fri Oct 24 19:22:57 2003 From: rah at shipwright.com (R. A. Hettinga) Date: Fri, 24 Oct 2003 22:22:57 -0400 Subject: SafeNet buys Rainbow, is NetAss 2.0? Message-ID: The Register 23 October 2003 Updated: 23:14 GMT SafeNet seeks gold in Rainbow By John Leyden Posted: 23/10/2003 at 20:32 GMT SafeNet, the networking security firm, is scooping up rival Rainbow Technologies for $457 million (at today's prices) in new stock. Post-merger, Rainbow shareholders will own approx. 43 per cent of the enlarged company. Both companies have strong ties to the US government and military. Rainbow Technologies worked with the NSA in developing the latter's controversial Clipper chip proposal in the 1990s (before the idea was shelved because of industry and public opposition to the idea of building government back door access into communication networks). SafeNet was set up by former NSA spooks in the late 1980s. These days, Rainbow specialises in authentication tokens and anti-piracy / DRM software, while SafeNet develops WAN and Virtual Private Network, encryption and security technologies. Together, the companies aim to become the "premier network security provider for the government and large financial institutions, mid-sized firms, OEMs, and consumers". The merger is subject to the approval from both sets of shareholders and is expected to close during Q1 2004. Rainbow brings approximately $70 million in government business to SafeNet. SafeNet forecasts that the merger will be accretive to earnings in the first quarter after the deal concludes. SafeNet yesterday reported revenues for the three months ended September 30 (Q3 2003) of approximately $17.6 million, double the $8.8 million it recorded in Q2 2002. SafeNet's net income for Q3 2003 pegged out at approximately $2.6 million. The results reflect the effect of two full quarters from the operations of crypto outfit Cylink Corporation, which SafeNet acquired in February this year. Since then SafeNet has been on an acquisition roll. First, it purchased certain assets from Raqia Networks, a developer of programmable systems-on-a-chip and co-processors designed for content inspection. Last week SafeNet signed an agreement to acquire the assets of the OEM Products Group of SSH Communications Security for approximately $14m in cash. And now it's snaffled up Rainbow. The security industry hasn't seen the likes of this since Network Associates' acquisition spree in the heady days of the mid to late 1990s. . -- ----------------- R. A. Hettinga The Internet Bearer Underwriting Corporation 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' From billy at dadadada.net Fri Oct 24 21:08:31 2003 From: billy at dadadada.net (BillyGOTO) Date: Sat, 25 Oct 2003 00:08:31 -0400 Subject: "If you didn't pay for it, you've stolen it!" In-Reply-To: <039D5E0F-066F-11D8-9F08-000A956B4C74@got.net> References: <20031024210448.GA20108@mail.dadadada.net> <039D5E0F-066F-11D8-9F08-000A956B4C74@got.net> Message-ID: <20031025040831.GA22334@mail.dadadada.net> On Fri, Oct 24, 2003 at 03:11:27PM -0700, Tim May wrote: > On Friday, October 24, 2003, at 02:04 PM, BillyGOTO wrote: > > >On Fri, Oct 24, 2003 at 02:14:03PM -0400, Roy M. Silvernail wrote: > >>Major Variola writes: > >> > >>>What *is* a library? > >>> > >>>1. A library is legal. A library needn't be licensed by any state > >>>entity. > >>> > >>>2. Thus, I can declare my computer a library. The only requirement > >>>is > >>>that I own a license to what I lend, and that only 1 user exercise > >>>that license at a time. That is what a library is. > >> > >>Well stated. > > > >Not really. Libraries have to pay more than we do for their > >subscriptions. > Be careful using the phrase "have to" in any discussion of legal issues. > Does government force libraries to pay more for some subscriptions? Not > to my knowledge. > > Do some publishers have different rates for individuals versus > libraries and other institutions? Yes. Okay, I'll try to be more careful. They are given a choice by the copyright holders to either pay more than we do OR to not get a subscription. Is this not the case? > Are libraries required by law to reimburse authors and publishers when > they allow books and magazines to be looked at by patrons or checked > out by them? No laws that I know of. Books and magazines aren't guarded by cryptogremlins the way digital media could be. The cryptogremlins are embedded, "tamperproof", and are given absolute authority over their assigned treasure by the DMCA. > In short, some publishers charge some customers more, and others less. > In this sense, an Intel or a Carnegie Public Library "has to" pay > higher rates to these particular publishers, but this is certainly not > germane to issues of legality of libraries. Your position is that there is a difference between the set of lending restrictions imposed by vanilla copyright law and the set of lending restrictions imposed by private library subscription contracts with print publishers. Yes, agreed. I'm saying that there is an even wider difference between the lending restrictions on the gremlin-guarded digital media versus those on printed media. You usually don't have to talk your way past a robotic Pat Schroeder avatar to read a printed book, as you do with an encrypted scientific journal on DVD. Some of these journals have announced that they will be discontinuing their print editions altogether because they are fed up with libraries letting the public look at them. Some of the digital publications you might ask for at a university library are boobytrapped and crisscrossed with razor-sharp bardwire (not a typo). Librarians can't let you see it unless they have a way to bill you. http://www.library.yale.edu/~llicense/intro.shtml | Unlike paper materials, digital information generally is not purchased | by the library; rather it is licensed by the library from information | providers. A license usually takes the form of a written contract or | agreement between the library and the owner of the rights to distribute | digital information. If we're looking for a model on which to base this homebrew personal-computer/digital-lending-library, think of how "REAL" lending libraries are handling digital content. Suddenly considering yourself a one-man library doesn't give you any new liberties than you had as an individual, when it comes to DRM. They are dealing with the same problems that we are dealing with. If you go to the Library of Congress and protest outside of the DMCA review hearings, librarians will shake your hand and congratulate you on your patriotism. The way I see it, we're taking two leaps here.. One leap is thinking of ourselves as individuals with the same rights as libraries under law. This first leap has landed firmly. The second leap is thinking of our personal MP3s and digital media licenses (let's say online journal subscriptions, IEEE spec PDFs, or eBooks) on the same terms as we would consider our IKEA bookshelf of printed material. This second leap isn't looking so good from where we stand in 2003. I think of my PDA as a library. Hell, I'm Johnny fuckin' Appleseed. Most people are pretty generous with beaming apps and data around. You need X? What do you know, I have X. Here you go... Just hold still for 5 ... more ... seconds ... OK. Enjoy. My PDA already has a slot for SD cards. If the crypto-Nazis wanted to put a robot guard on my IR, BT, and USB ports, I don't know that I could stop them. From mv at cdc.gov Sat Oct 25 00:18:12 2003 From: mv at cdc.gov (Major Variola (ret)) Date: Sat, 25 Oct 2003 00:18:12 -0700 Subject: "If you didn't pay for it, you've stolen it!" Message-ID: <3F9A23B4.AE9141B2@cdc.gov> [Chronic readers can skip this..] At 12:08 AM 10/25/03 -0400, BillyGOTO wrote: >On Fri, Oct 24, 2003 at 03:11:27PM -0700, Tim May wrote: >> On Friday, October 24, 2003, at 02:04 PM, BillyGOTO wrote: >> >Not really. Libraries have to pay more than we do for their >> >subscriptions. > >> Be careful using the phrase "have to" in any discussion of legal issues. >> Does government force libraries to pay more for some subscriptions? Not >> to my knowledge. >> >> Do some publishers have different rates for individuals versus >> libraries and other institutions? Yes. > >Okay, I'll try to be more careful. They are given a choice by the copyright >holders to either pay more than we do OR to not get a subscription. >Is this not the case? Yes it is the case. But many of us regard State force as a *very* different thing than a property owner's whims. So the State can censor, but an individual merely doesn't want your bumper sticker on his car. Individuals *can't* censor in the 1st amend sense. (Similarly with compelled speech.) The State *must* treat everyone the same, but private entities are not similarly bound. The State must permit citizens to bear arms, but in my saloon you leave them at the door, or don't enter. Simple. Entering my saloon is a private transaction. >Books and magazines aren't guarded by cryptogremlins the way digital >media could be. The cryptogremlins are embedded, "tamperproof", and are >given absolute authority over their assigned treasure by the DMCA. 1. Tech point: Any passive media for human consumption can NOT be guarded by gremlins. ADCs handle that. The "analog hole". Active content (eg programs) can be though. 2. Many of us do worry about eroding conventional rights by these same gremlins, *when they are supported by wrong law*. E.g., I have a right in the US to lend a book. A digital book could make doing so a pain, but not impossible. And again, I (as reader) have *no* right to compel the publisher to use a large font (if I've got bad eyes) or make it easy to xerox. Or backup or lend or sell. Now, if it is simply some publisher's whim to release content protected by gremlins, that's their decision. *What gets our goat* is when the State uses its force eg to make tinkering with our property illegal. You'll need to understand that difference around here. Many of us (unlike many working for the State) still respect private property, and *mutually consensual* transactions. If you want to publish a book on paper that prevents its xeroxing, that's fine. Might be annoying, but its within your rights. But when the State says that say scanners or image processing or figuring out how the book is bound is illegal (DMCA), well... A gremlin is a nuisance, a gremlin backed by the state.. indicates that someone "needs killing", and its not the gremlin. >I'm saying that there is an even wider difference between the lending >restrictions on the gremlin-guarded digital media versus those on >printed media. You usually don't have to talk your way past a robotic >Pat Schroeder avatar to read a printed book, as you do with an encrypted >scientific journal on DVD. Again, you can publish in fonts that don't photocopy. Its your right. And its my right to try to get around that, to exercise my right eg to fair use. But it is immoral and unconstitutional for the State to interfere with *either* of us -publisher or reader. Because we're both choosing to enter a mutually consensual transaction, the State has no grounds to interfere. That's basically what freedom is about. It doesn't even matter if the transaction is harmful to one or both of us; masochism (pharmaceuticals, N-ary sex between arbitrary conspecifics, etc) should be legal. Life liberty and the pursuit of whatever. Some of these journals have announced that >they will be discontinuing their print editions altogether because they >are fed up with libraries letting the public look at them. So? And other journals are free to everyone. (Is that unfair competition? No) Its up to the journal, their contributors, their readers. Some of the >digital publications you might ask for at a university library are >boobytrapped and crisscrossed with razor-sharp bardwire (not a typo). >Librarians can't let you see it unless they have a way to bill you. Nice pun. But librarians are merely acting in accordance with contracts they chose to sign. No one put a gun to their heads; only the State does that. >| Unlike paper materials, digital information generally is not purchased >| by the library; rather it is licensed by the library from information >| providers. A license usually takes the form of a written contract or >| agreement between the library and the owner of the rights to distribute >| digital information. I've bought some helically grooved vinyl disks. This also gives me a license to play their content, or make a Wimshurst generator from them, or go skeet shooting with them. Should the vinyl object warp, I retain that license. Should I download an MP3 of the same content (which may have been derived from diffraction-grating polycarbonate disks), this is no different than making a tape for my car. It is not copyright infringement. If I lend, or sell, my disks, I also transfer that license for the duration of the transfer. Now forget that the content happens to be embedded in a slab of plastic. >If we're looking for a model on which to base this homebrew >personal-computer/digital-lending-library, think of how "REAL" lending >libraries are handling digital content. Suddenly considering yourself a >one-man library doesn't give you any new liberties than you had as an >individual, when it comes to DRM. Bingo! Librarians have the same rights as the rest of us mortals. Similarly, it doesn't matter if 1 or 1e6 read my blog, we are all reporters, and better recognized salaried reporters have no special rights. >The way I see it, we're taking two leaps here.. One leap is thinking of >ourselves as individuals with the same rights as libraries under law. Not a leap. Equal under the law. >This first leap has landed firmly. The second leap is thinking of our >personal MP3s and digital media licenses (let's say online journal >subscriptions, IEEE spec PDFs, or eBooks) on the same terms as we would >consider our IKEA bookshelf of printed material. This second leap isn't >looking so good from where we stand in 2003. Its looking particularly grim because the Congressvermin are 0wn3d. That doesn't change the principles. Just makes us yearn for regime change. ---- We are all reporters, we are all book sellers. We are all first class objects. --Tim May From sunder at sunder.net Sat Oct 25 04:01:08 2003 From: sunder at sunder.net (Sunder) Date: Sat, 25 Oct 2003 07:01:08 -0400 (edt) Subject: "If you didn't pay for it, you've stolen it!" In-Reply-To: <3F9A23B4.AE9141B2@cdc.gov> Message-ID: To add to this: There is no law stating that I cannot take my books and read them backwards, skip every other word, read the odd chapters in reverse and the even chapters forward, or try to "decode" the book by translating it to another language, ask someone with better eyes than mine to read it to me, or chose to wear green tinted lenses while reading it, read it to kids or the elderly, lend it - or rent it to friends, use it as a paperweight, drop it on the floor, et cetera. I can take it with me to other countries and read it there, as well etc. Once I bought it, it's mine. DVD's "protected" by CSS on the other hand cannot be read except by approved DVD players, and you can't (legally) "read them with another pair of eyes" by playing them with a DVD player that doesn't have the right key. You're also not allowed - by policy - to fastforward past the annoying FBI warning, or in some cases the evil commercials. If you drop it on the floor and scratch it, you're out $20 or whatever you paid for it. You're not allowed to use it in countries with regions different than what the publisher approves, you're not allowed to decypher the contents of the DVD by using DeCSS, you're not allowed to rent it to others, or charge admission to others to see it. If you bought an audio DVD and your car doesn't have a DVD player, or your only portable stereo system can only play tapes, you're not allowed to legally copy the music off the DVD onto other media to play in other devices. If you bought a copy protected audio CD, and you bypass it's protection and somehow copy it to tape, so you can play it in your car, or to another CD, so you have a backup incase it gets damaged in your car from extreme temperatures, or gets scratched, or your car gets broken into or stolen, you're now a criminal deserving the same kinds of jail times and fines as would the theif who stole your car - if not more. Some media are more equal than others. This should not be the case - and shouldn't even be possible -- except in a society where the media whores and monguls are able to bribe those who are corrupt and write laws at the same time. ----------------------Kaos-Keraunos-Kybernetos--------------------------- + ^ + :25Kliters anthrax, 38K liters botulinum toxin, 500 tons of /|\ \|/ :sarin, mustard and VX gas, mobile bio-weapons labs, nukular /\|/\ <--*-->:weapons.. Reasons for war on Iraq - GWB 2003-01-28 speech. \/|\/ /|\ :Found to date: 0. Cost of war: $800,000,000,000 USD. \|/ + v + : The look on Sadam's face - priceless! --------_sunder_ at _sunder_._net_------- http://www.sunder.net ------------ On Sat, 25 Oct 2003, Major Variola (ret) wrote: > If you want to publish a book on paper that > prevents its xeroxing, that's fine. Might be annoying, but its > within your rights. But when the State says that say > scanners or image processing or figuring out how the book > is bound is illegal (DMCA), well... > Its looking particularly grim because the Congressvermin are 0wn3d. > That doesn't change the principles. Just makes us yearn for regime > change. > > ---- > We are all reporters, we are all book sellers. We are all first class > objects. > --Tim May From camera_lumina at hotmail.com Sat Oct 25 14:27:32 2003 From: camera_lumina at hotmail.com (Tyler Durden) Date: Sat, 25 Oct 2003 17:27:32 -0400 Subject: "If you use encryption, you help the terrorists win" Message-ID: Tim May wrote... "I predict we'll soon be seeing a new thought control campaign with this theme, that "if you use encryption, you help the terrorists win."" Well, I'm dubious. Right now I'm thinking their strategy has been to pull encryption down off of the social radar, and that's worked better than any frontol assault. Also watch carefully for hole-pokers...I'd bet their's also been disinfo campaigns to get the public to think that no crypto is secure (every ask anyone if they believed there was such a thing as effectively 'unbreakable' encryption? Reglar folks always believe SOMEBODY'S got the technology to break what scheme you use, so "why bother"). Let's also remember that 'terrorists' are only terrorists when their guns are small. Once they start winning a few battles they're no longer "terrorists" (eg: Mao and that whole gang). So let's beat them to the punch: "Use strong crypto in order to keep America free from the terrorists." -TD >From: Tim May >To: cypherpunks at lne.com >Subject: "If you use encryption, you help the terrorists win" >Date: Fri, 24 Oct 2003 14:52:02 -0700 > >I predict we'll soon be seeing a new thought control campaign with this >theme, that "if you use encryption, you help the terrorists win." > >Similar to the heavy advertising (paid for by Big Brother, and hence by >money stolen from taxpayers) with the theme that lighting up a doobie helps >Osama, that taking an Oxycontin (sorry, Rush!) is equivalent to flying a >plane into the World Trade Center. > >Why encryption? Why now? > >Perhaps Eric B. can comment on the status of encrypted cellphones, of >whichever flavor, but it occurs to me that some people in Iraq desperately >need them. I refer of course to those trying to expell the American >soldiers occupying their cities and, as Anne Coulter put it and as senior >Army officials agree, "occupy their country, take their oil, and convert >them all to Christianity." > >You see, the landlines and central offices were largely wiped out in the >War for Oil. So what is now going in is what makes sense for nearly all >developing--or flattened--countries: cellphones. The U.S. had plans for the >contracts to deploy cellphones to go to American companies, but the local >puppets must have had no fear of the Americans, as they went with a better >bribe: mostly Arabic cellphone providers will deploy the initial system. > >And of course this is why there are a lot of subcontractors with ties to >the NSA, DIA, ASA, etc. now in Iraq monitoring communications. (Partly to >track down Saddam's whereabouts, as he may use a cellphone, if he's >careless. Recall the tale of Pablo Escobar.) > >So, what would happen if even 5% of the cellphones were encrypted with a >sufficiently-strong system (Eric's 3DES would presumably be enough)? > >And if not encrypted cellphones, encryption of the usual sort, over >networks. > >I wonder what would happen to someone found carrying copies of PGP into >Iraq? > >(Which is not to say copies are not already widely circulating, or readily >downloadable, etc.) > >It seems clear to me that the puppet state of Iraq (maybe we could dub it >"The Puppet Republic of Iraq"?) will not allow significant use of encrypted >cellphones, or perhaps even encryption over networks. If the daily attacks >on the crusaders continue to rise, and there appears to be some kind of >coordination, the intelligence agencies will be called to task on why they >are not intercepting (or jamming) the coordination channels. > >If the expected attacks in Saudi Arabia and other soft targets happen on >schedule in the next few weeks, we might even see reintroduction of crypto >ban proposals inside the U.S. > >We should not assume the war for crypto is won. > > >--Tim May >"A democracy cannot exist as a permanent form of government. It can only >exist until the voters discover that they can vote themselves money from >the Public Treasury. From that moment on, the majority always votes for the >candidate promising the most benefits from the Public Treasury with the >result that a democracy always collapses over loose fiscal policy always >followed by dictatorship." --Alexander Fraser Tyler _________________________________________________________________ Fretting that your Hotmail account may expire because you forgot to sign in enough? Get Hotmail Extra Storage today! http://join.msn.com/?PAGE=features/es From mv at cdc.gov Sat Oct 25 19:06:49 2003 From: mv at cdc.gov (Major Variola (ret)) Date: Sat, 25 Oct 2003 19:06:49 -0700 Subject: "If you didn't pay for it, you've stolen it!" [reply to Sunder] Message-ID: <3F9B2C39.3EA4F86@cdc.gov> At 07:01 AM 10/25/03 -0400, Sunder wrote: >If you bought an audio DVD and your car doesn't have a DVD player, or your >only portable stereo system can only play tapes, you're not allowed to >legally copy the music off the DVD onto other media to play in other >devices. IANAL so I'm not actually sure about duping DVDs to tapes. But you *can*, do it, trivially, regardless of the evil digital gremlins, which makes the point about the Analog Hole. And of course, if you rip to an MP3, that is the last ADC your content need ever see. Game over, Valenti. Get a real job. ----- "all the normalities of the social contract are abandoned in war" Jack Valenti MPAA pres, in LATimes on Kerry's war crimes From mv at cdc.gov Sat Oct 25 19:13:29 2003 From: mv at cdc.gov (Major Variola (ret)) Date: Sat, 25 Oct 2003 19:13:29 -0700 Subject: "If you use encryption, you help the terrorists win" [Reply to Durden] Message-ID: <3F9B2DC9.6BB77FB9@cdc.gov> At 05:27 PM 10/25/03 -0400, Tyler Durden wrote: >frontol assault. Also watch carefully for hole-pokers...I'd bet their's also >been disinfo campaigns to get the public to think that no crypto is secure >(every ask anyone if they believed there was such a thing as effectively >'unbreakable' encryption? Reglar folks always believe SOMEBODY'S got the >technology to break what scheme you use, so "why bother"). 1. Well there's always Silk and Cyanide. Ie OTP. 2. Big Bro does not marshall all the atoms in the observable universe. Remind Joe Sixpack of that. Joe isn't as paranoid as some of us, who worry about quantum engines sorting through our precious prime bodily fluids. *Do* remind Joe about such mundancities as key management, coercion of confederates, video bugs, how crypto is all economics, etc. >So let's beat them to the punch: "Use strong crypto in order to keep America >free from the terrorists." An RPG a day keeps the colonialists away. Or at least, losing in the polls. PS: extra points for someone who finds a good expansion of S.L.O.G. Or who finds Condosleeza Rice's secret lesbian sex tape. (I have nothing against secrecy, or lesbians, of course) From rah at shipwright.com Sun Oct 26 08:07:19 2003 From: rah at shipwright.com (R. A. Hettinga) Date: Sun, 26 Oct 2003 11:07:19 -0500 Subject: Cliff-Hanger Message-ID: Forbes On The Cover/Top Stories Cliff-Hanger Brett Pulley, 11.10.03 A mix of art, philosophy and religion and truckloads of production dollars created a Hollywood blockbuster. But how will the cool, quirky franchise that is The Matrix end? It is a rainy, chilly, dreary afternoon in London. But the Hollywood producer Joel Silver is ebullient. As his chauffeur-driven Mercedes navigates the city's slippery streets, he stares out at the dreadful gray sky and joyously proclaims: "It's a great day!" Is he living in another world? Does he have some superior knowledge? Is he The One? His accountant surely thinks so. For the past six years Silver's life has been consumed by a futuristic film fantasy known as The Matrix . As the primary person responsible for pulling together what has become a multibillion-dollar motion picture series, Silver is personally receiving an estimated 7% of merchandise royalties and what's left after exhibitors get their half of box office sales. It's enough to buy plenty of sunshine on the cloudiest of days. So far, the first two films in the Matrix trilogy have generated $1.9 billion in gross revenue. The second installment, The Matrix Reloaded , which was released earlier this year, has by itself already grossed more than $1 billion from box office sales, a videogame, a soundtrack and other merchandise. The DVD, released Oct. 14, should haul in at least $200 million more. Even if the filmmakers stop at three movies, something they vow to do, the entire franchise will still near $3 billion in sales. Says Silver, who has toiled in Hollywood for years: "This is like my IPO." To get big bucks you have to take big risks. The studio distributing the film, Time Warner's Warner Bros. Pictures, along with its financial partner on the project, Australian ministudio Village Roadshow Pictures, invested $300 million to shoot two movies, the second and third installments of The Matrix , at one time. An additional $150 million was committed to market the two movies. Typically sequels get the green light only after the results on the previous film are in, says Warner Bros. studio chief Alan Horn. Despite the worldwide success of The Matrix Reloaded , with $289 million in domestic box office sales, the flick suffered the indignity of ranking second last summer at the U.S. box office, behind Disney's Finding Nemo . Now, the third film in the series, The Matrix Revolutions , is being released worldwide in November. It has the same stars, heavily layered story, fast action and stunning special effects of No. 2. A sure hit? Not really. It might get the benefit of momentum--or it might suffer from overload. If the fad-following youngsters who keep Hollywood solvent deem No. 3 uncool, it may just bomb. By comparison, there was a four-year gap between the first two films. The long waiting period caused anticipation to build so much that during the days leading up to the release last May the movie was the subject of a 30-minute special on NBC's Dateline , and the film's stars were on the covers of both Time and Newsweek . The publicity got people to the theaters, but it also created heightened expectations that were virtually impossible to live up to. Reviews were lukewarm and audiences sighed with disappointment when the credits rolled. "It's really hard for a performance to reach expectation when the expectation is in the stratosphere," says Horn. What could bring even the naysayers back for more is that the last film ended with a cliff-hanger:Will Keanu Reeves' character, Neo, free humanity from its enslavement by a computer program that fills our brains with a false reality while using our bodies as copper-top batteries?Can he save Earth's remaining free folk from extermination? Is he really The One? Is It The One? The Matrix Franchise The Matrix Domestic Box Office: $171 million Foreign Box Office: $294 million Video/DVD: $398 million The Matrix Revisted Video/DVD: $11 million The Matrix Reloaded Domestic Box Office: $289 million Foreign Box Office: $453 million Video/DVD (just released): $200 million? "Enter The Matrix" (videogame) 3.25 million sold @$49.95 each: $162 million The Animatrix 2.7 million sold @$24.95 each: $68 million The Matrix Reloaded (soundtrack) 1.85 million sold @$19.99 each: $37 million Merchandise (apparel, toys, shades, etc.): $3.5 million Much like the films' blurred distinctions between reality and make-believe, the public has hazily viewed The Matrix Reloaded as a financial failure. Untrue. The worldwide box office for the movie has topped $742 million. The videogame "Enter the Matrix," which was produced using $20 million of the film's production budget, has sold 3.2 million copies at $50 each, for a gross total of $162 million. Also, a selection of nine video shorts, The Animatrix , which explain background details of the complicated story, was released on DVD at the same time that the second film was released in theaters. It has sold 2.7 million copies at $25 each. The soundtrack to the film has sold 1.8 million copies, grossing $37 million. Warner Bros. receives a fee for distributing the film in the U.S. and most international markets. Thereafter Warner and Village Roadshow, which split the $300 million cost of making the last two films 50-50, will split the profit. Even after half of the box office sales go to the theater operators, there is plenty of gross profit left for the studios' coffers and for the film's so-called gross players. In addition to Silver, that includes the directors and several actors. For the last two films, the main star, Keanu Reeves, received $30 million plus perhaps 7.5% of the gross. The next-highest paid star was Laurence Fishburne, who received $15 million and an estimated 3.75% of the gross. The ancillary products generated a windfall for many others. Jada Pinkett-Smith earned a modest fee for her role in the second two films, but she cleaned up on the videogame, in which she is the main star. Pinkett-Smith is receiving an estimated 10% of the profit on the game, placing her earnings thus far near $5 million. "I got a check already," she recently confirmed. "It was like, 'Wow!'" In an unusual move, all of the gross players on the films chipped in a portion of their shares to a pool for production crew managers. Most Hollywood film franchises (like Star Wars or Lord of the Rings ) are big-budget popcorn extravaganzas, tailor-made for fast-food promotions and intended to cut a large swath across the moviegoing public. The Matrix is a little more narrowly targeted. Its R rating (for violence) cuts 12-year-olds out of the audience. There are no Happy Meal figurines to be lost between the seat cushions of automobiles. But what was lost in the hamburger trade was presumably earned back in coolness. Reloaded is the top-selling R-rated movie of all time, $200 million ahead of the second-highest seller, Arnold Schwarzenegger's Terminator 2 . Even among film franchises aimed at adults, few films take themselves so seriously as does The Matrix . The enduring James Bond franchise started off in 1962 in a very serious manner but eventually veered towards playful self-parody. The 1971 Diamonds Are Forever had Sean Connery trading barbs with a vixen named Plenty O'Toole. Revolutions will probably be as pompous as the last Matrix (typical dialogue: "What if tomorrow the war could be over? Isn't that worth fighting for?Isn't that worth dying for?"). The Matrix was expected to be a decent midlevel Hollywood movie when it debuted in 1999. It was produced at a cost of about $80 million, and during its first weekend in theaters it did a merely respectable $28 million of ticket sales. But it had tremendous word of mouth. There was something cool about the religious symbolism, the martial arts scenes, the serene characters and the pioneering digital film techniques. The film went on to sell $450 million of tickets worldwide. The DVD, released the same year, became the first movie ever to sell more than a million copies in that format. It went on to sell 30 million. The creators of the film, two brothers in their mid-thirties from Chicago named Larry and Andy Wachowski, had already written screenplays for two more sequels. They wanted to shoot them together, ` la Lord of the Rings . The crew spent 270 days shooting in Australia and additional time in northern California, where a 1.6-mile freeway was built just for the movie. In all, 3,600 extras would be hired, 3,500 props built and enough wigs purchased for the shellac-haired Agent Smith character (who--eek!--multiplies) to carpet a four-bedroom house. The Wachowskis wrote the videogame, which connects to the plot of the movie but tells its own story. They worked on the development of nine animated shorts that dig deeper into the story behind The Matrix . They launched a Web site and spent $350,000 on a documentary that has sold $11 million of DVDs and videos. Now to make a cult out of the thing. The storyline revolves around a belief system and a dark, hip underground subculture. But overdo the publicity or make the films appear mainstream and you disrupt the ethos and turn off fans. Says Silver, "Whatever we did had to be cool." The head of marketing at Warner, Dawn Taubin, assigned staffers to function as the "cool police." They played hard to get. For a fee, Heineken, Samsung and Coca-Cola were permitted to make advertisements mimicking the look of the movie, pushing their product and the film simultaneously. The Heineken ads, for example, use martial arts and obvious knockoffs of the movie's characters. " The Matrix gives us timeliness and relevancy for people between the ages of 21 and 34," says Steve H. Davis, who heads marketing for Heineken USA in White Plains, N.Y. The distinctive green computer code that streams down at the beginning of the first film turned into an icon. Last May Coca-Cola's sport drink, Powerade, launched new packaging in a Matrix -green-colored bottle. The night after The Matrix Reloaded premiered in Cannes the cast joined other Hollywood royalty at a party on the Mediterranean seafront as they popped champagne and gazed up into the sky to watch a fireworks display in green over the ocean. Part of the shtick: The third film will absolutely, positively be the last in the series. Time Warner's Horn says he hasn't tried to convince the Wachowskis otherwise. But, he admits, "I'd like to know what else they've got in their heads." Borrowing the "I vant to be alone" line from Greta Garbo, the Wachowskis have let it be known that their agreement with the studio stipulates they don't make promotional appearances or talk to any media. This could be the ultimate publicity stunt--but it could also backfire. Showbiz fame can be as fleeting as a white rabbit. -- ----------------- R. A. Hettinga The Internet Bearer Underwriting Corporation 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' From timcmay at got.net Sun Oct 26 11:12:57 2003 From: timcmay at got.net (Tim May) Date: Sun, 26 Oct 2003 11:12:57 -0800 Subject: "If you didn't pay for it, you've stolen it!" In-Reply-To: <200310241100.26292.steve@njord.org> Message-ID: <6869E050-07E8-11D8-9F08-000A956B4C74@got.net> On Friday, October 24, 2003, at 09:00 AM, Steve Wollkind (by way of Steve Wollkind ) wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On Friday 24 October 2003 10:14, Harmon Seaver wrote: >> On Thu, Oct 23, 2003 at 10:43:22PM -0700, Tim May wrote: >>> TM: the last two paragraphs were of course added by me. But the point >>> is still valid, that much of Hollywood's claims about "illegal >>> listening" are not really any different from "reading without buying" >>> books and magazines in libraries. The more urgent issue is this crap >> >> Not to mention all the CDs and movies available in libraries. >> What's the >> difference in borrowing CDs from a library and taking them home and >> taping >> or mp3ing them and getting them from the net? > > There's no difference....both are illegal. It's just much easier to > catch > people who leave a trail by downloading files than people who legally > check a > disc out of a library and then illegally copy it in the privacy of > their own > home. > You are incorrect. "Both are illegal" is not correct. The Home Recording Act of 1992 explicitly made home use for noncommercial (no renting, no selling, no commercial use in bars or radio stations) fully legal. The text can be Googled and the topic has been covered here many times. In shyster terms, it created a "safe harbor" for home taping. The HRA even established a "blank tape and media tax," which is why many CD-Rs sold say "Music" on them (ostensibly these are the media for which the blank media tax was paid by someone, with revenues ostensibly given to Hollywood). The DMCA threw a spanner in the works in various ways, partly rewriting the HRA, partly adding new stuff. But the existence of the HRA and the money sent to Hollywood and Nashville through the HRA music taxes make successful prosecution of any home taper nearly impossible. --Tim May From jurgen at botz.org Sun Oct 26 12:57:29 2003 From: jurgen at botz.org (Jurgen Botz) Date: Sun, 26 Oct 2003 12:57:29 -0800 Subject: "If you use encryption, you help the terrorists win" In-Reply-To: References: Message-ID: <3F9C3539.6040704@botz.org> Tyler Durden wrote: > Tim May wrote... > "I predict we'll soon be seeing a new thought control campaign with this > theme, that "if you use encryption, you help the terrorists win."" > > Well, I'm dubious. Right now I'm thinking their strategy has been to > pull encryption down off of the social radar, and that's worked better I agree with this... and add the following... For the last decade or so many of the "bad guys" (by whoever's definition you want) have actually been using crypto, even if the general public has not. I think that by now the TLAs have learned that this works in their favor on both counts... 1) The general public doesn't really use crypto... partly because it's "off the social radar", partly because it's just too difficult, etc., etc. As a result the TLAs can employ the kind of Orwellian mass surveilance they would like and get useful information out of it. 2) The bad guys use crypto they know to be strong enough to stop brute force attacks even by "major governments". This does two things... it makes them stick out in mass surveilance, and it makes them put all their eggs in one basket (the encrypted one). The TLAs of course have many options other than brute force attack on the crypto itself... key theft, tempest, rubber hose, everyone here knows all the methods. The TLAs may have to make a little more effort, but the payoff is more likley to be very good. Wasn't there a Mafioso who got busted and convicted based on evidence that had been PGP encrypted and where they stole the key with a keyboard dongle? I'm sure that wasn't an exception; the TLAs have adapted to the technology and found that it doesn't /really/ make things harder for them... maybe it makes it easier because the bad guys feel more secure. So I think that they've learned that they really get the best of both worlds with the status quo, and I don't see any indication that they are about to rock this particular boat. This may change if the public infrastructure starts using more crypto by default and people use better key management (smart cards?) but I don't think that's really all that likely... at least at the moment there doesn't seem to be any good momentum in that direction. :j From emc at artifact.psychedelic.net Sun Oct 26 16:49:46 2003 From: emc at artifact.psychedelic.net (Eric Cordian) Date: Sun, 26 Oct 2003 16:49:46 -0800 (PST) Subject: NSA Turns To Commercial Software For Encryption (fwd from brian-slashdotnews@hyperreal.org) In-Reply-To: <020101c39c18$e0bdf740$01c8a8c0@broadbander> Message-ID: <200310270049.h9R0nkD2019836@artifact.psychedelic.net> David Howe writes: > I doubt the NSA need, trust or want anyone else's actual software for EC Nonetheless, it's an indication that they don't think RSA has much of a future. So now they have a public key cryptosystem with smaller key lengths, and a more obtuse one-way function that can't be understood by Joe Schmo. We shall see what this portends. -- Eric Michael Cordian 0+ O:.T:.O:. Mathematical Munitions Division "Do What Thou Wilt Shall Be The Whole Of The Law" From emc at artifact.psychedelic.net Sun Oct 26 17:06:01 2003 From: emc at artifact.psychedelic.net (Eric Cordian) Date: Sun, 26 Oct 2003 17:06:01 -0800 (PST) Subject: What Really Happened to Whatreallyhappened.com Message-ID: <200310270106.h9R161d9020212@artifact.psychedelic.net> Everyone's favorite link farm of news stories which annoy Neocons, http://www.whatreallyhappened.com/ disappeared suddenly and has been unavailable for 2 days now. Anyone know What Really Happened to it? Hopefully just a minor hardware problem. -- Eric Michael Cordian 0+ O:.T:.O:. Mathematical Munitions Division "Do What Thou Wilt Shall Be The Whole Of The Law" From brian-slashdotnews at hyperreal.org Sun Oct 26 09:26:01 2003 From: brian-slashdotnews at hyperreal.org (brian-slashdotnews at hyperreal.org) Date: 26 Oct 2003 17:26:01 -0000 Subject: NSA Turns To Commercial Software For Encryption Message-ID: Link: http://slashdot.org/article.pl?sid=03/10/26/1550237 Posted by: simoniker, on 2003-10-26 16:32:00 Topic: encryption, 66 comments from the chinese-government-buys-certicom dept. [1]Roland Piquepaille writes "According to eWEEK, the National Security Agency (NSA) has [2]picked a commercial solution for its encryption technology needs, instead on relying on its own proprietary code. "The National Security Agency has purchased a license for [3]Certicom Corp.'s elliptic curve cryptography (ECC) system, and plans to make the technology a standard means of securing classified communications. In the case of the NSA deal, the agency wanted to use a 512-bit key for the ECC system. This is the equivalent of an RSA key of 15,360 bits." [4]This summary includes the NIST guidelines for public key sizes and contains more details and links about the ECC technology. Since [5]the announcement, Canadian Press reports that [6]Certicom's shares more than doubled in Toronto." [7]Click Here References 1. http://radio.weblogs.com/0105910/ 2. http://www.eweek.com/print_article/0,3048,a=110561,00.asp 3. http://www.certicom.com/ 4. http://radio.weblogs.com/0105910/2003/10/26.html 5. http://www.certicom.com/about/pr/03/031024_nsadeal.html 6. http://www.canada.com/news/business/story.asp?id=04C5E67A-D640-4372-9E9E-A906 EDDA8EBA 7. http://ads.osdn.com/?ad_id=78&alloc_id=1118&site_id=1&request_id=1015416&op=c lick&page=%2farticle%2epl ----- End forwarded message ----- -- Eugen* Leitl leitl ______________________________________________________________ ICBM: 48.07078, 11.61144 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE [demime 0.97c removed an attachment of type application/pgp-signature] From mv at cdc.gov Sun Oct 26 17:45:13 2003 From: mv at cdc.gov (Major Variola (ret)) Date: Sun, 26 Oct 2003 17:45:13 -0800 Subject: "If you use encryption, you help the terrorists win" Message-ID: <3F9C78A8.86389832@cdc.gov> At 12:57 PM 10/26/03 -0800, Jurgen Botz wrote: >Wasn't there a Mafioso who got busted and convicted based on >evidence that had been PGP encrypted and where they stole the >key with a keyboard dongle? Nicodemo Scarfo. He used his Dad's federal-prison ID number, but the Feds couldn't guess that, so they blackbagged his computer with a dongle. I don't know who was lamer. It *is* a parable for our community; they could also have used videobugs. There was also, later, some dude who keyboard-bugged Kinkos and got caught. Another sermon from the mount. What *is* your threat model? From eugen at leitl.org Sun Oct 26 10:04:20 2003 From: eugen at leitl.org (Eugen Leitl) Date: Sun, 26 Oct 2003 19:04:20 +0100 Subject: NSA Turns To Commercial Software For Encryption (fwd from brian-slashdotnews@hyperreal.org) Message-ID: <20031026180420.GC10805@leitl.org> ----- Forwarded message from brian-slashdotnews at hyperreal.org ----- From ben at algroup.co.uk Sun Oct 26 11:29:40 2003 From: ben at algroup.co.uk (Ben Laurie) Date: Sun, 26 Oct 2003 19:29:40 +0000 Subject: "If you didn't pay for it, you've stolen it!" In-Reply-To: References: Message-ID: <3F9C20A4.3080300@algroup.co.uk> Sunder wrote: > To add to this: > > There is no law stating that I cannot take my books and read them > backwards, skip every other word, read the odd chapters in reverse and the > even chapters forward, or try to "decode" the book by translating it to > another language, ask someone with better eyes than mine to read it to me, > or chose to wear green tinted lenses while reading it, read it to kids or > the elderly, lend it - or rent it to friends, use it as a paperweight, ^^^^^^^ this, I believe, there are laws about. At least here. > drop it on the floor, et cetera. I can take it with me to other countries > and read it there, as well etc. Once I bought it, it's mine. Again, only within the permitted uses. For example, copying it and selling copies is clearly not permitted. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff From sfurlong at acmenet.net Sun Oct 26 16:31:40 2003 From: sfurlong at acmenet.net (Steve Furlong) Date: 26 Oct 2003 19:31:40 -0500 Subject: "If you didn't pay for it, you've stolen it!" In-Reply-To: <3F9C20A4.3080300@algroup.co.uk> References: <3F9C20A4.3080300@algroup.co.uk> Message-ID: <1067214697.7853.21.camel@localhost.localdomain> On Sun, 2003-10-26 at 14:29, Ben Laurie wrote: > Sunder wrote: > > the elderly, lend it - or rent it to friends, use it as a paperweight, > ^^^^^^^ this, I believe, there are laws > about. At least here. Aside from tax laws, I don't know of any US Federal or New York State laws applying to renting books. A quick search didn't turn up anything in the US, either. (Though there's so much law out there that 'quick search of the law' is oxymoronic.) I don't have any resources other than Google for checking English law. From cpunk at lne.com Sun Oct 26 20:00:00 2003 From: cpunk at lne.com (cpunk at lne.com) Date: Sun, 26 Oct 2003 20:00:00 -0800 Subject: Cypherpunks List Info Message-ID: <200310270400.h9R400lW004998@slack.lne.com> Cypherpunks Mailing List Information Last updated: Oct 13, 2003 This message is also available at http://www.lne.com/cpunk Instructions on unsubscribing from the list can be found below. 0. Introduction The Cypherpunks mailing list is a mailing list for discussing cryptography and its effect on society. It is not a moderated list (but see exceptions below) and the list operators are not responsible for the list content. Cypherpunks is a distributed mailing list. A subscriber can subscribe to one node of the list and thereby participate on the full list. Each node (called a "Cypherpunks Distributed Remailer", although they are not related to anonymous remailers) exchanges messages with the other nodes in addition to sending messages to its subscribers. A message posted to one node will be received by the list subscribers on the other nodes, and vice-versa. 1. Filtering The various CDRs follow different policies on filtering spam and to a lesser extent on modifying messages that go to/from their subscribers. Filtering is done, on nodes that do it, to reduce the huge amount of spam that the cypherpunks list is subjected to. There are three basic flavors of filtering CDRs: "raw", which send all messages to their subscribers. "cooked" CDRs try to eliminate the spam on that's on the regular list by automatically sending only messages that are from cypherpunks list subscribers (on any CDR) or people who are replying to list messages. Finally there are moderated lists, where a human moderator decides which messages from the raw list to pass on to subscribers. 2. Message Modification Message modification policy indicates what modifications, if any, beyond what is needed to operate the CDR are done (most CDRs add a tracking X-loop header on mail posted to their subscribers to prevent mail loops). Message modification usually happens on mail going in or out to each CDR's subscribers. CDRs should not modify mail that they pass from one CDR to the next, but some of them do, and others undo those modifications. 3. Privacy Privacy policy indicates if the list will allow anyone ("open"), or only list members, or no one ("private") , to retrieve the subscribers list. Note that if you post, being on a "private" list doesn't mean much, since your address is now out there. It's really only useful for keeping spammers from harvesting addresses from the list software. Digest mode indicates that the CDR supports digest mode, which is where the posts are batched up into a few large emails. Nodes that support only digest mode are noted. 4. Anonymous posting Cypherpunks encourages anonymous posting. You can use an anonymous remailer: http://www.andrebacard.com/remail.html http://anon.efga.org/Remailers http://www.gilc.org/speech/anonymous/remailer.html 5. Unsubscribing Unsubscribing from the cypherpunks list: Since the list is run from a number of different CDRs, you have to figure out which CDR you are subscribed to. If you don't remember and can't figure it out from the mail headers (hint: the top Received: line should tell you), the easiest way to unsubscribe is to send unsubscribe messages to all the CDRs listed below. How to figure out which CDR you are subscribed to: Get your mail client to show all the headers (Microsoft calls this "internet headers"). Look for the Sender or X-loop headers. The Sender will say something like "Sender: owner-cypherpunks at lne.com". The X-loop line will say something like "X-Loop: cypherpunks at lne.com". Both of these inticate that you are subscribed to the lne.com CDR. If you were subscribed to the algebra CDR, they would have algebra.com in them. Once you have figured out which CDR you're subscribed to, look in the table below to find that CDRs unsubscribe instructions. 6. Lunatics, spammers and nut-cases "I'm subscribed to a filtering CDR yet I still see lots of junk postings". At this writing there are a few sociopaths on the cypherpunks list who are abusing the lists openness by dumping reams of propaganda on the list. The distinction between a spammer and a subscriber is nearly always very clear, but the dictinction between a subscriber who is abusing the list by posting reams of propaganda and a subscriber who is making lots of controversial posts is not clear. Therefore, we tolerate the crap. Subscribers with a low crap tolerance should check out mail filters. Procmail is a good one, although it works on Unix and Unix-like systems only. Eudora also has a capacity for filtering mail, as do many other mail readers. An example procmail recipie is below, you will of course want to make your own decisions on which (ab)users to filter. # mailing lists: # filter all cypherpunks mail into its own cypherspool folder, discarding # mail from loons. All CDRs set their From: line to 'owner-cypherpunks'. # /dev/null is unix for the trash can. :0 * ^From.*owner-cypherpunks at .* { :0: * (^From:.*ravage at ssz\.com.*|\ ^From:.*jchoate at dev.tivoli.com.*|\ ^From:.*mattd at useoz.com|\ ^From:.*proffr11 at bigpond.com|\ ^From:.*jei at cc.hut.fi) /dev/null :0: cypherspool } 7. List of current CDRs All commands are sent in the body of mail unless otherwise noted. --------------------------------------------------------------------------- Algebra: Operator: Subscription: "subscribe cypherpunks" to majordomo at algebra.com Unsubscription: "unsubscribe cypherpunks" to majordomo at algebra.com Help: "help cypherpunks" to majordomo at algebra.com Posting address: cypherpunks at algebra.com Filtering policy: raw Message Modification policy: no modification Privacy policy: ??? Info: ??? --------------------------------------------------------------------------- CCC: Operator: drt at un.bewaff.net Subscription: "subscribe [password of your choice]" to cypherpunks-request at koeln.ccc.de Unsubscription: "unsubscribe " to cypherpunks-request at koeln.ccc.de Help: "help" to to cypherpunks-request at koeln.ccc.de Web site: http://koeln.ccc.de/mailman/listinfo/cypherpunks Posting address: cypherpunks at koeln.ccc.de Filtering policy: This specific node drops messages bigger than 32k and every message with more than 17 recipients or just a line containing "subscribe" or "unsubscribe" in the subject. Digest mode: this node is digest-only NNTP: news://koeln.ccc.de/cbone.ml.cypherpunks Message Modification policy: no modification Privacy policy: ??? --------------------------------------------------------------------------- Infonex: Subscription: "subscribe cypherpunks" to majordomo at infonex.com Unsubscription: "unsubscribe cypherpunks" to majordomo at infonex.com Help: "help cypherpunks" to majordomo at infonex.com Posting address: cypherpunks at infonex.com Filtering policy: raw Message Modification policy: no modification Privacy policy: ??? --------------------------------------------------------------------------- Lne: Subscription: "subscribe cypherpunks" to majordomo at lne.com Unsubscription: "unsubscribe cypherpunks" to majordomo at lne.com Help: "help cypherpunks" to majordomo at lne.com Posting address: cypherpunks at lne.com Filtering policy: cooked Posts from all CDR subscribers & replies to threads go to lne CDR subscribers. All posts from other CDRs are forwarded to other CDRs unmodified. Message Modification policy: 1. messages are demimed (MIME attachments removed) when posted through lne or received by lne CDR subscribers 2. leading "CDR:" in subject line removed 3. "Reply-to:" removed Privacy policy: private Info: http://www.lne.com/cpunk; "info cypherpunks" to majordomo at lne.com Archive: http://archives.abditum.com/cypherpunks/index.html (thanks to Steve Furlong and Len Sassaman) --------------------------------------------------------------------------- Minder: Subscription: "subscribe cypherpunks" to majordomo at minder.net Unsubscription: "unsubscribe cypherpunks" to majordomo at minder.net Help: "help" to majordomo at minder.net Posting address: cypherpunks at minder.net Filtering policy: raw Message Modification policy: no modification Privacy policy: private Info: send mail to cypherpunks-info at minder.net --------------------------------------------------------------------------- Openpgp: [openpgp seems to have dropped off the end of the world-- it doesn't return anything from sending help queries. Ericm, 8/7/01] Subscription: "subscribe cypherpunks" to listproc at openpgp.net Unsubscription: "unsubscribe cypherpunks" to listproc at openpgp.net Help: "help" to listproc at openpgp.net Posting address: cypherpunks at openpgp.net Filtering policy: raw Message Modification policy: no modification Privacy policy: ??? --------------------------------------------------------------------------- Sunder: Subscription: "subscribe" to sunder at sunder.net Unsubscription: "unsubscribe" to sunder at sunder.net Help: "help" to sunder at sunder.net Posting address: sunder at sunder.net Filtering policy: moderated Message Modification policy: ??? Privacy policy: ??? Info: ??? --------------------------------------------------------------------------- Pro-ns: Subscription: "subscribe cypherpunks" to majordomo at pro-ns.net Unsubscription: "unsubscribe cypherpunks" to majordomo at pro-ns.net Help: "help cypherpunks" to majordomo at pro-ns.net Posting address: cypherpunks at pro-ns.net Filtering policy: cooked Posts from all CDR subscribers & replies to threads go to local CDR subscribers. All posts from other CDRs are forwarded to other CDRs unmodified. Message Modification policy: 1. leading "CDR:" in subject line removed 2. "Reply-to:" removed Privacy policy: private Info: http://www.pro-ns.net/cpunk From harley at argote.ch Sun Oct 26 11:09:35 2003 From: harley at argote.ch (Dr. Robert J. Harley) Date: Sun, 26 Oct 2003 20:09:35 +0100 (CET) Subject: Certicom? [...] [Fwd: NSA Turns To Commercial Software For Encryption] Message-ID: This has been coming for a while. IMO, the NSA doesn't trust RSA for high-grade/long-term security. I don't either. At the ECC 2001 conference, we heard an NSA guy saying that they had decided to transition sensitive information to ECC. BTW, Certicom doesn't license ArgoTech's technology at the moment. I figure it would be worth making a pitch sometime, maybe in Q1 '04 after our first commercial product is out there with some real marketing... R .-. .-. / \ .-. .-. / \ / \ / \ .-. _ .-. / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / `-' `-' \ / \ / \ \ / `-' `-' \ / `-' `-' _______________________________________________ FoRK mailing list http://xent.com/mailman/listinfo/fork ----- End forwarded message ----- -- Eugen* Leitl leitl ______________________________________________________________ ICBM: 48.07078, 11.61144 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE [demime 0.97c removed an attachment of type application/pgp-signature] From steve at njord.org Sun Oct 26 18:37:47 2003 From: steve at njord.org (Burning Cows with Strauss) Date: Sun, 26 Oct 2003 20:37:47 -0600 Subject: "If you use encryption, you help the terrorists win" Message-ID: <200310262037.47670.steve@njord.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Saturday 25 October 2003 04:27 pm, Tyler Durden wrote: > Tim May wrote... > > secure (every ask anyone if they believed there was such a thing as > effectively 'unbreakable' encryption? Reglar folks always believe > SOMEBODY'S got the technology to break what scheme you use, so "why > bother"). I have a few friends like this....anyone have suggestions for ways to change their minds? Basically they say things like "If you think the government can't break all the encryption schemes that we have, you're nuts." This guy was a math major too, so he understands the principles of crypto. I feel pretty confident that 2048 bit encryption is reasonably safe for now, but how can I convince others, and how safe should I really feel in that opinion anyway? Steve - -- Steve Wollkind 810 C San Pedro steve at njord.org College Station, TX 77845 http://njord.org/~steve 979.575.2948 - -- All these worlds are belong to us, except Europa. Take off no zigs there. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (GNU/Linux) iD8DBQE/mwqO0uexoyuzySARApnNAKCUxOrLDh2gk1Ls5piL1zsnXzhHuwCfUW5l AYtOw2wfT0EqlvhWxo5rup4= =12ec -----END PGP SIGNATURE----- From timcmay at got.net Sun Oct 26 20:39:05 2003 From: timcmay at got.net (Tim May) Date: Sun, 26 Oct 2003 20:39:05 -0800 Subject: NSA Turns To Commercial Software For Encryption In-Reply-To: <200310262137.29078.njohnsn@njohnsn.com> Message-ID: <7F0157D4-0837-11D8-9F08-000A956B4C74@got.net> On Sunday, October 26, 2003, at 07:37 PM, Neil Johnson wrote: > I dunno know. It comes down to which of the following slogans you > believe. > > ECC: "Our algorithm is so good it has been licensed by the NSA". > > or > > RSA: "Our algorithm is so good that the NSA tried to prevent it's > publication, > had it classified as a munition and export controlled, tried to get the > government to ban it in favor of a key escrow system, arrested and > harassed a > programmer for implementing an program using it, etc." > > Depending on the orientation of your tin foil hat, either one can mean > the > algorithm is good or has a backdoor. Oh, the fodder for conspiracy > theorists. > > Other theories: > > It's always in NSA's interest to make sure that the current "in vogue" > crypto > system require licensing even if it is a commercial license. At least > it > limits it's use in Open Source and Free Software. > Or my theory: Part of outsourcing. I hear yawning. But there's more to outsourcing than simplistic notions that outsourcing lets the Pentagon (and NSA, CIA, etc.) save money: -- outsourcing puts the Beltway Bandits into the loop -- outside suppliers are a place for senior NSA cryptographers and managers to go when they have maxed out their GS-17 benefits ("sheep-dipping" agents is another avenue for them to work in private industry) -- outside suppliers are less accountable to Congress, are insulated in various well-known ways This is not just something out of a Grisham thriller, with a Crystal City corporation funneling NSA money into a Cayman account...this is the Brave New World of hollowing out the official agencies and moving their functions to Halliburton, Wackenhut, TRW, TIS/NAI, and the legion of Beltway Bandit subcontractors all around D.C. (When I left the D.C. area in 1970 the practice was in full swing, and even my father went to a Bandit in Rockville when he left the U.S. Navy, doing the same job but both better paid and less accountable. And he wasn't even a spook.) Put it this way, if Dick Cheney had worked for the NSA before going into private practice for his 8 years out of government, he'd want to go to a place like Certicom. And then return to government and help mandate that his former company's products be the Official Standard. Follow the money. --Tim May From eugen at leitl.org Sun Oct 26 12:00:12 2003 From: eugen at leitl.org (Eugen Leitl) Date: Sun, 26 Oct 2003 21:00:12 +0100 Subject: Certicom? [...] [Fwd: NSA Turns To Commercial Software For Encryption] (fwd from harley@argote.ch) Message-ID: <20031026200012.GD10805@leitl.org> ----- Forwarded message from "Dr. Robert J. Harley" ----- From njohnsn at njohnsn.com Sun Oct 26 19:37:29 2003 From: njohnsn at njohnsn.com (Neil Johnson) Date: Sun, 26 Oct 2003 21:37:29 -0600 Subject: NSA Turns To Commercial Software For Encryption In-Reply-To: <200310270049.h9R0nkD2019836@artifact.psychedelic.net> References: <200310270049.h9R0nkD2019836@artifact.psychedelic.net> Message-ID: <200310262137.29078.njohnsn@njohnsn.com> I dunno know. It comes down to which of the following slogans you believe. ECC: "Our algorithm is so good it has been licensed by the NSA". or RSA: "Our algorithm is so good that the NSA tried to prevent it's publication, had it classified as a munition and export controlled, tried to get the government to ban it in favor of a key escrow system, arrested and harassed a programmer for implementing an program using it, etc." Depending on the orientation of your tin foil hat, either one can mean the algorithm is good or has a backdoor. Oh, the fodder for conspiracy theorists. Other theories: It's always in NSA's interest to make sure that the current "in vogue" crypto system require licensing even if it is a commercial license. At least it limits it's use in Open Source and Free Software. Or they now have fast enough computers and fancy enough algorithms to factor most current sizes of RSA keys, and that in order to be secure that they have to start using such large RSA key sizes it's to inefficient to use in some systems anymore (micro transmitters for phone taps) or they figure someone will notice they are using 16K keys and wonder why. So they decide to switch to a more efficient (or just different) algorithm. -- Neil Johnson http://www.njohnsn.com PGP key available on request. From measl at mfn.org Sun Oct 26 20:01:50 2003 From: measl at mfn.org (J.A. Terranson) Date: Sun, 26 Oct 2003 22:01:50 -0600 (CST) Subject: NSA Turns To Commercial Software For Encryption (fwd from brian-slashdotnews@hyperreal.org) In-Reply-To: <20031026180420.GC10805@leitl.org> Message-ID: On Sun, 26 Oct 2003, Eugen Leitl wrote: > In the case of the NSA deal, the agency > wanted to use a 512-bit key for the ECC system. This is the > equivalent of an RSA key of 15,360 bits." Am I the only one here who finds this "requirement" excessive? My god: are we looking to keep these secrets for 50 years, or 50000 (or more) years? Or am I missing something? -- Yours, J.A. Terranson sysadmin at mfn.org "Every living thing dies alone." Donnie Darko From morlockelloi at yahoo.com Sun Oct 26 22:56:05 2003 From: morlockelloi at yahoo.com (Morlock Elloi) Date: Sun, 26 Oct 2003 22:56:05 -0800 (PST) Subject: "If you use encryption, you help the terrorists win" In-Reply-To: <200310262037.47670.steve@njord.org> Message-ID: <20031027065605.65243.qmail@web40605.mail.yahoo.com> > I have a few friends like this....anyone have suggestions for ways to change > their minds? > > Basically they say things like "If you think the government can't break all > the encryption schemes that we have, you're nuts." This guy was a math major > too, so he understands the principles of crypto. It is impossible to rationalise long term consequences of data harvesting into immediate threat for most people. The only way to change behaviour in absence of the perceived threat is propaganda ... and those who have means for that have different agendas. What's left is a personal-level propaganda but the effects are negligible. You can't really save anyone. You can, however, make crypto tools that make things easier. Or surveillance tools that make things obvious. The latter, I think, is more effective. Time to open source Echelon ? ===== end (of original message) Y-a*h*o-o (yes, they scan for this) spam follows: __________________________________ Do you Yahoo!? Exclusive Video Premiere - Britney Spears http://launch.yahoo.com/promos/britneyspears/ From morlockelloi at yahoo.com Sun Oct 26 23:00:06 2003 From: morlockelloi at yahoo.com (Morlock Elloi) Date: Sun, 26 Oct 2003 23:00:06 -0800 (PST) Subject: NSA Turns To Commercial Software For Encryption In-Reply-To: <200310262137.29078.njohnsn@njohnsn.com> Message-ID: <20031027070006.94315.qmail@web40610.mail.yahoo.com> Isn't it really simpler to use RSA and DH and ECC in series ? Why choose ONE ? There is no good reason for that. Looks like PSYOP to me. ===== end (of original message) Y-a*h*o-o (yes, they scan for this) spam follows: __________________________________ Do you Yahoo!? Exclusive Video Premiere - Britney Spears http://launch.yahoo.com/promos/britneyspears/ From harley at argote.ch Sun Oct 26 14:18:11 2003 From: harley at argote.ch (Dr. Robert J. Harley) Date: Sun, 26 Oct 2003 23:18:11 +0100 (CET) Subject: Certicom? [...] [Fwd: NSA Turns To Commercial Software For Encryption] Message-ID: >Besides 4K-RSA + AES-256 + SHA-256 are all way way way stronger [...] Amusing that you choose 4K-bit RSA. Wasn't 2K supposedly to be total overkill recently? Actually wasn't 1K supposed to be overkill not long ago? Heck 768 seemed extravagant when everyone was on 512. A mere 15 years ago, 320 bits was thought to be enough. According to my logs, here are the > 320-bit factorisations that I ran today: 572972811505140538587970948254484718069 * 229535232834749685352787191218483748328512852024528924422553 31051130972407042496629431420168004379 * 22580614860205576513432855281188300547296895576002618168141213 1651123615682793488297475146389977666821 * 431607931720940152250713570720678507192603271368450344325511 876748124621739787801748776119951008903 * 625940962036087307316308134093495176626898913441644936896711 A mere 15 years ago, 160-ish bits was thought to be enough for ECC. Strangely, that's about 50 million times harder than the biggest cases of ECC broken to date. R PS: Oops, another one while I was typing: 4177340769425990287179093985822571 * 40278974418865128339952649479779348554858008977767026467354360871 .-. .-. / \ .-. .-. / \ / \ / \ .-. _ .-. / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / `-' `-' \ / \ / \ \ / `-' `-' \ / `-' `-' _______________________________________________ FoRK mailing list http://xent.com/mailman/listinfo/fork ----- End forwarded message ----- -- Eugen* Leitl leitl ______________________________________________________________ ICBM: 48.07078, 11.61144 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE [demime 0.97c removed an attachment of type application/pgp-signature] From DaveHowe at gmx.co.uk Sun Oct 26 15:28:25 2003 From: DaveHowe at gmx.co.uk (Dave Howe) Date: Sun, 26 Oct 2003 23:28:25 -0000 Subject: NSA Turns To Commercial Software For Encryption (fwd from brian-slashdotnews@hyperreal.org) References: <20031026180420.GC10805@leitl.org> Message-ID: <020101c39c18$e0bdf740$01c8a8c0@broadbander> Eugen Leitl wrote: > [1]Roland Piquepaille writes "According to eWEEK, the National > Security Agency (NSA) has [2]picked a commercial solution for its > encryption technology needs, instead on relying on its own > proprietary code. I was under the impression they had just licenced their *patent* - I would assume that the NSA were fully aware of EC, but were unwilling to admit to any prior art (and licencing the patent avoids the potential embarrassment if an NSA system were discovered to be already using this patented technology - remembering that other than prior art invalidating a patent which is a fairly drawn out legal process, there is no other defense against patent infringement) I doubt the NSA need, trust or want anyone else's actual software for EC :) From rah at shipwright.com Sun Oct 26 20:54:41 2003 From: rah at shipwright.com (R. A. Hettinga) Date: Sun, 26 Oct 2003 23:54:41 -0500 Subject: 'Smart stamps' next in war on terrorism Message-ID: The Washington Times www.washingtontimes.com 'Smart stamps' next in war on terrorism By Audrey Hudson Published October 26, 2003 Sending an anonymous love letter or an angry note to your congressman? The U.S. Postal Service will soon know who you are. Beginning with bulk or commercial mail, the Postal Service will require "enhanced sender identification" for all discount-rate mailings, according to the notice published in the Oct. 21 Federal Register. The purpose of identifying senders is to provide a more efficient tracking system, but more importantly, to "facilitate investigations into the origin of suspicious mail." The Postal Service began to look into updating mailing procedures after the anthrax scares in October 2001 when an unknown person or persons sent several U.S. senators and news organizations envelopes filled with the deadly toxin. Two post office workers died from handling envelopes laced with anthrax. "This is a first step to make the mail more secure," said Joel Walker, customer service support analyst for the mailing-standards office. But what has privacy advocates concerned is a report by a presidential commission that recommends the post office develop technology to identify all individual senders, which is directly referenced in the Federal Register notice. The proposed regulations are open for public comment through Nov. 20 to the Postal Service. "The President's Commission on the United States Postal Service recently recommended the use of sender identification for every piece of mail," the Federal Register stated. "Requiring sender-identification for discount-rate mail is an initial step on the road to intelligent mail." Also cited in the notice are two congressional committee recommendations urging the Postal Service to explore the concept of sender identification, including the "feasibility of using unique, traceable identifiers applied by the creator of the mailpiece." "We're not ready to go there yet, but we are trying to make an initial step to make all mail, including discount mail, easily identified as to who the sender is," Mr. Walker said. "Smart stamps" or personalized stamps with an embedded digital code would identify the sender, destination and class. In October 2001, a letter was sent to then-Senate Majority Leader Tom Daschle, South Dakota Democrat, from a bogus New Jersey address. In theory, smart stamps would allow authorities to better identify would-be assailants. "The postal notice itself says this is the first step to identify all senders, so this is not a matter of paranoia, this is reality. The post office is moving towards identification requirements for everyone," said Chris Hoofnagle, associate director of the Electronic Privacy Information Center. Mr. Hoofnagle scoffed at the notion identification could prevent crimes such as the anthrax attacks on members of Congress and news media two years ago. "Anyone resourceful enough to obtain anthrax can get a stamp" without going through the new channels, Mr. Hoofnagle said. A Treasury Department report from the Mailing Industry Task Force also recommended that "the industry promote development of the 'intelligent' mail piece by collaborating with the Postal Service to implement standards and systems to make every mail piece - including packages - unique and trackable." "What happens if I buy stamps and you need one, is it legal for me to give it to you?" Mr. Hoofnagle said. Ari Schwartz, associate director for the Center for Democracy and Technology, said intelligent mail can play an important role and improve the mail system. However, privacy issues must be seriously addressed, and moving forward with the rules on bulk mail could alleviate some concerns, he said. "There is a right to anonymity in the mail. If you look back in the history of this country, the mail has played an important role in free expression and political speech and anonymous mail has provided that," Mr. Schwartz said. Capitol Hill staffers dismissed the potential for abuse by politicians who might use the system to track anonymous critics. "A petty staff member, maybe, but I doubt a member of Congress would do that," said one Senate aide. Added a senior House staffer: "A politician getting even with someone? Nah, it just saves us the trouble of having to reply to the letter." Copyright © 2003 News World Communications, Inc. All rights reserved. Return to the article -- ----------------- R. A. Hettinga The Internet Bearer Underwriting Corporation 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com From mv at cdc.gov Mon Oct 27 08:50:22 2003 From: mv at cdc.gov (Major Variola (ret)) Date: Mon, 27 Oct 2003 08:50:22 -0800 Subject: NSA Turns To Commercial Software For Encryption Message-ID: <3F9D4CCE.B2412536@cdc.gov> At 10:01 PM 10/26/03 -0600, J.A. Terranson wrote: >On Sun, 26 Oct 2003, Eugen Leitl wrote: > > >> In the case of the NSA deal, the agency >> wanted to use a 512-bit key for the ECC system. This is the >> equivalent of an RSA key of 15,360 bits." > >Am I the only one here who finds this "requirement" excessive? My god: are >we looking to keep these secrets for 50 years, or 50000 (or more) years? In meatspace engineering of life-critical systems, you might design for a few times more than you need under worst-case conditions. Eg, on a bridge: high winds, heavy trucks densely spaced, poor maintenance, poor materials. Remember that bridges fall down when you do something new, like use steel. Or nowadays: planes fall out of the sky because you don't know how composites fail. The NSA might be hedging against future algorithmic improvements. If tomorrow you could factor numbers (or the ECC equivalent) with twice the number of bits, will your spies die? Cf. East German Stasi files, and some south-american files being cracked. From mv at cdc.gov Mon Oct 27 08:56:33 2003 From: mv at cdc.gov (Major Variola (ret)) Date: Mon, 27 Oct 2003 08:56:33 -0800 Subject: NSA Turns To Commercial Software For Encryption Message-ID: <3F9D4E41.AA365D0C@cdc.gov> At 11:00 PM 10/26/03 -0800, Morlock Elloi wrote: >Isn't it really simpler to use RSA and DH and ECC in series ? Why choose ONE ? >There is no good reason for that. 1. Silly Elloi, you can only use DH when both parties are online. And of course RSA and DH have similar failure modes -ie factoring. ECC may have similar failure modes with RSA/DH, I'm not sufficiently informed. A chain of different kinds of padlocks might look strong but they all dissolve in aqua regia. >Looks like PSYOP to me. That's an interesting explanation I hadn't considered in my previous post. (Sort of like putting a stone facade on that new iron bridge because some folks don't trust the newfangled iron bridges.) However using such keys are a heavy practical cost for PSYOPs. From eugen at leitl.org Mon Oct 27 00:44:23 2003 From: eugen at leitl.org (Eugen Leitl) Date: Mon, 27 Oct 2003 09:44:23 +0100 Subject: Certicom? [...] [Fwd: NSA Turns To Commercial Software For Encryption] (fwd from harley@argote.ch) Message-ID: <20031027084422.GF10805@leitl.org> ----- Forwarded message from "Dr. Robert J. Harley" ----- From njohnsn at njohnsn.com Mon Oct 27 09:37:47 2003 From: njohnsn at njohnsn.com (Neil Johnson) Date: Mon, 27 Oct 2003 11:37:47 -0600 Subject: "If you use encryption, you help the terrorists win" In-Reply-To: References: Message-ID: <200310271137.47742.njohnsn@njohnsn.com> On Monday 27 October 2003 10:53 am, Tyler Durden wrote: > > Hum...can an ISP offer encryption as a service? > > -TD > Ummm, are we forgetting about the Patriot Act and siblings ? YOU want to do the encryption, not the ISP who can be secretly subpoenaed to hand over the plain text. At least if you get a subpoena you know about it. -- Neil Johnson http://www.njohnsn.com PGP key available on request. From camera_lumina at hotmail.com Mon Oct 27 08:50:42 2003 From: camera_lumina at hotmail.com (Tyler Durden) Date: Mon, 27 Oct 2003 11:50:42 -0500 Subject: "If you DON'T use encryption, you help the terrorists win" Message-ID: "Basically they say things like "If you think the government can't break all the encryption schemes that we have, you're nuts." This guy was a math major too, so he understands the principles of crypto." Basically, the answer was hinted at by another poster. For anyone who doesn't trust the government, the point to make is that crypto use is currently a red flag. Last year I went through great pains on this list to point out that right now the gubmint probably doesn't even need to break most encrypted messages in order to know something's up. This is only possible because outside of a coporate context few individuals use encryption. If everybody uses encryption, then it matters MUCH less if the government can break any one message. What costs us pennies to encrypt may cost them thousands to break. That's the assymmetry we asyms can exploit. That's where we need to depart from a Tim May lone wolf approach to your friendly, smiling America-loving flag-waving cypherpunks: "If you don't use encryption then you help the terrorists win". This statement has the added irony of being objectively true, according to more international definitions of 'terrorism'. -TD >From: Burning Cows with Strauss (by way of Burning Cows >with Strauss ) >To: cypherpunks at lne.com >Subject: Re: "If you use encryption, you help the terrorists win" >Date: Sun, 26 Oct 2003 20:37:47 -0600 > >-----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA1 > >On Saturday 25 October 2003 04:27 pm, Tyler Durden wrote: > > Tim May wrote... > > > > secure (every ask anyone if they believed there was such a thing as > > effectively 'unbreakable' encryption? Reglar folks always believe > > SOMEBODY'S got the technology to break what scheme you use, so "why > > bother"). > >I have a few friends like this....anyone have suggestions for ways to >change >their minds? > >Basically they say things like "If you think the government can't break all >the encryption schemes that we have, you're nuts." This guy was a math >major >too, so he understands the principles of crypto. > >I feel pretty confident that 2048 bit encryption is reasonably safe for >now, >but how can I convince others, and how safe should I really feel in that >opinion anyway? > >Steve > >- -- >Steve Wollkind 810 C San Pedro >steve at njord.org College Station, TX 77845 >http://njord.org/~steve 979.575.2948 >- -- >All these worlds are belong to us, except Europa. Take off no zigs there. >-----BEGIN PGP SIGNATURE----- >Version: GnuPG v1.2.3 (GNU/Linux) > >iD8DBQE/mwqO0uexoyuzySARApnNAKCUxOrLDh2gk1Ls5piL1zsnXzhHuwCfUW5l >AYtOw2wfT0EqlvhWxo5rup4= >=12ec >-----END PGP SIGNATURE----- _________________________________________________________________ Concerned that messages may bounce because your Hotmail account has exceeded its 2MB storage limit? Get Hotmail Extra Storage! http://join.msn.com/?PAGE=features/es From camera_lumina at hotmail.com Mon Oct 27 08:53:40 2003 From: camera_lumina at hotmail.com (Tyler Durden) Date: Mon, 27 Oct 2003 11:53:40 -0500 Subject: "If you use encryption, you help the terrorists win" Message-ID: Nice! "You don't need to - just convince them that it is safe against casual snoopers (and to be honest, most "sensitive" email the government couldn't give a damn about, but your neighbours would find very interesting indeed :) As long as you get the desired end result (them using crypto) do you really care what they think?" Hum...can an ISP offer encryption as a service? -TD >From: "Dave Howe" >To: "Email List: Cypherpunks" >Subject: Re: "If you use encryption, you help the terrorists win" >Date: Mon, 27 Oct 2003 12:27:00 -0000 > >steve at njord.org wrote: > > On Saturday 25 October 2003 04:27 pm, Tyler Durden wrote: > >> secure (every ask anyone if they believed there was such a thing as > >> effectively 'unbreakable' encryption? Reglar folks always believe > >> SOMEBODY'S got the technology to break what scheme you use, so "why > >> bother"). > > I have a few friends like this....anyone have suggestions for ways to > > change their minds? > > Basically they say things like "If you think the government can't > > break all the encryption schemes that we have, you're nuts." This > > guy was a math major too, so he understands the principles of crypto. >Simpler solution there then is to say >"well, good - that means that the Government can still monitor terrorists, >but that the minimum-wage employees answering the helpdesk at AOL can't >read though your mail while they are bored." > > > I feel pretty confident that 2048 bit encryption is reasonably safe > > for now, but how can I convince others, and how safe should I really > > feel in that opinion anyway? >You don't need to - just convince them that it is safe against casual >snoopers (and to be honest, most "sensitive" email the government couldn't >give a damn about, but your neighbours would find very interesting indeed >:) >As long as you get the desired end result (them using crypto) do you >really care what they think? _________________________________________________________________ Send instant messages to anyone on your contact list with MSN Messenger 6.0. Try it now FREE! http://msnmessenger-download.com From DaveHowe at gmx.co.uk Mon Oct 27 04:14:28 2003 From: DaveHowe at gmx.co.uk (Dave Howe) Date: Mon, 27 Oct 2003 12:14:28 -0000 Subject: NSA Turns To Commercial Software For Encryption (fwd from brian-slashdotnews@hyperreal.org) References: <200310270049.h9R0nkD2019836@artifact.psychedelic.net> Message-ID: <009501c39c83$dfb2ed40$c71121c2@exchange.sharpuk.co.uk> Eric Cordian wrote: > Nonetheless, it's an indication that they don't think RSA has much of > a future. Not really - they could simply be covering all bases (supporting RSA, DH and EC, knowing if DH is broken then almost certainly so is RSA (and vice versa) leaving only EC to fill the gap) The smaller keysizes can't hurt either. From DaveHowe at gmx.co.uk Mon Oct 27 04:27:00 2003 From: DaveHowe at gmx.co.uk (Dave Howe) Date: Mon, 27 Oct 2003 12:27:00 -0000 Subject: "If you use encryption, you help the terrorists win" References: <200310262037.47670.steve@njord.org> Message-ID: <009f01c39c85$a008caa0$c71121c2@exchange.sharpuk.co.uk> steve at njord.org wrote: > On Saturday 25 October 2003 04:27 pm, Tyler Durden wrote: >> secure (every ask anyone if they believed there was such a thing as >> effectively 'unbreakable' encryption? Reglar folks always believe >> SOMEBODY'S got the technology to break what scheme you use, so "why >> bother"). > I have a few friends like this....anyone have suggestions for ways to > change their minds? > Basically they say things like "If you think the government can't > break all the encryption schemes that we have, you're nuts." This > guy was a math major too, so he understands the principles of crypto. Simpler solution there then is to say "well, good - that means that the Government can still monitor terrorists, but that the minimum-wage employees answering the helpdesk at AOL can't read though your mail while they are bored." > I feel pretty confident that 2048 bit encryption is reasonably safe > for now, but how can I convince others, and how safe should I really > feel in that opinion anyway? You don't need to - just convince them that it is safe against casual snoopers (and to be honest, most "sensitive" email the government couldn't give a damn about, but your neighbours would find very interesting indeed :) As long as you get the desired end result (them using crypto) do you really care what they think? From mv at cdc.gov Mon Oct 27 13:04:55 2003 From: mv at cdc.gov (Major Variola (ret)) Date: Mon, 27 Oct 2003 13:04:55 -0800 Subject: "If you use encryption, you help the terrorists win" Message-ID: <3F9D8877.BF49F1F7@cdc.gov> At 03:12 PM 10/27/03 -0500, Tyler Durden wrote: >spend pennies. Eventually you gotta figure that'll eat into the invasionary >funds, no? (Or am I being naive?) To a troll-like extent. The government left the gold (etc) standard so they could print money to fund wars. They will also not hesitate to confiscate more of your income to fund wars. And will confiscate your children (or you) as cannon fodder. From nymious at yahoo.com Mon Oct 27 13:22:15 2003 From: nymious at yahoo.com (Nymious) Date: Mon, 27 Oct 2003 13:22:15 -0800 (PST) Subject: MQV -> was Re: NSA Turns To Commercial Software For Encryption Message-ID: <20031027212215.19358.qmail@web13709.mail.yahoo.com> > ECC: "Our algorithm is so good it has been >licensed by the NSA". Yes. ... the MQV exchange is the 'best' authentication/key exchange protocol known. Using large ECC keys would hedge against even breakthroughs in quantum computing. __________________________________ Do you Yahoo!? Exclusive Video Premiere - Britney Spears http://launch.yahoo.com/promos/britneyspears/ From jpb at ApesSeekingKnowledge.net Mon Oct 27 10:41:10 2003 From: jpb at ApesSeekingKnowledge.net (Joe Block) Date: Mon, 27 Oct 2003 13:41:10 -0500 Subject: "If you use encryption, you help the terrorists win" In-Reply-To: <3F9C3539.6040704@botz.org> References: <3F9C3539.6040704@botz.org> Message-ID: <227B8C8D-08AD-11D8-A047-000393102F9E@ApesSeekingKnowledge.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Oct 26, 2003, at 3:57 PM, Jurgen Botz wrote: > 1) The general public doesn't really use crypto... partly because > it's "off the social radar", partly because it's just too difficult, > etc., etc. As a result the TLAs can employ the kind of Orwellian > mass surveilance they would like and get useful information out of > > So I think that they've learned that they really get the best of > both worlds with the status quo, and I don't see any indication > that they are about to rock this particular boat. This may change > if the public infrastructure starts using more crypto by default > and people use better key management (smart cards?) but I don't > think that's really all that likely... at least at the moment > there doesn't seem to be any good momentum in that direction. It's becoming easier for the public, though. Apple's new Mac OS X 10.3 includes S/MIME built into the mailer. No more watching their eyes glaze over as I explain to my friends that they first have to install GPG, then find a plugin for their mail program, then try to teach them to create & send people keys. I prefer the GPG model of relying on people I actually trust to certify a key belongs to who it claims to belong to than relying on a corporation, but at least this will start people thinking about securing their mail. jpb - -- Joe Block The fetters imposed on liberty at home have ever been forged out of the weapons provided for defense against real, pretended, or imaginary dangers from abroad. - James Madison -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (Darwin) iD8DBQE/nWbHyEXo8W2M9hsRAqiIAKCps/2yD6rC9FtXGIwQDow3MBfiHACeJVkg bowdifaZFFGnewTC++i1eow= =01Zu -----END PGP SIGNATURE----- From camera_lumina at hotmail.com Mon Oct 27 12:12:07 2003 From: camera_lumina at hotmail.com (Tyler Durden) Date: Mon, 27 Oct 2003 15:12:07 -0500 Subject: "If you use encryption, you help the terrorists win" Message-ID: "YOU want to do the encryption, not the ISP who can be secretly subpoenaed to hand over the plain text." Well, that too! My point is and has been "crypto is econnomics" (to paraphrase Tim May during one of his moments of clarity). Better to get 'them' to get a subpeona and make 'em expend the effort (and $$$), just to find out the email's about Pamela Anderson's boobs. Or, better yet, to find out the enduser also encrypted the email (AND it's about Pamela Anderson's boobs). Even if they dig out the plaintext, let them spend thousands of $$$ while we spend pennies. Eventually you gotta figure that'll eat into the invasionary funds, no? (Or am I being naive?) -TD >From: Neil Johnson >To: cypherpunks at lne.com >Subject: Re: "If you use encryption, you help the terrorists win" >Date: Mon, 27 Oct 2003 11:37:47 -0600 > >On Monday 27 October 2003 10:53 am, Tyler Durden wrote: > > > > Hum...can an ISP offer encryption as a service? > > > > -TD > > > >Ummm, are we forgetting about the Patriot Act and siblings ? > >YOU want to do the encryption, not the ISP who can be secretly subpoenaed >to >hand over the plain text. > >At least if you get a subpoena you know about it. > >-- >Neil Johnson >http://www.njohnsn.com >PGP key available on request. _________________________________________________________________ Fretting that your Hotmail account may expire because you forgot to sign in enough? Get Hotmail Extra Storage today! http://join.msn.com/?PAGE=features/es From harley at argote.ch Mon Oct 27 07:37:55 2003 From: harley at argote.ch (Dr. Robert J. Harley) Date: Mon, 27 Oct 2003 16:37:55 +0100 (CET) Subject: Certicom? [...] [Fwd: NSA Turns To Commercial Software For Encryption] Message-ID: RAH wrote: > > FWIW, this is about going rate for RSA too, BTW. > Was. RSA's patent has expired. And ECC never has been and never can be patented. Some protocols and implementation methods are (just as they are for RSA etc.) >BTW, the only decent *software* ECC, FEE, is patented, by Apple. Are you serious? So many holes... so little time... Let's see. Are you talking about software or about technology? Re: Software; I have never seen FEE software lauded. Apple uses an implementation of it in MacOS... other than that... uh...??? Re: Technology; Apples uses it is as a minor PR opportunity to claim that they are doing crypto research. The patent is an abusive one on trivia (see below). One day Crandall thought of using simple primes in ECC (like about 1000 other people) and patented it. NeXT used this as a PR opportunity to claim that they had developed it on purpose to avoid licensing RSA. They also said anybody could use FEE without licensing it. Then Apple bought NeXT. Dunno what their position is but it is irrelevant. FEE is bog standard ECC over prime fields, using primes of the form p = 2^d-c with small c such as 2^233-3. This makes reduction simpler and speeds up operations a bit. It is absolutely trivial to pick other simple primes not covered by the patent, such as p = 2^248-2^100-1. All of the NIST curves over prime fields are of this form, such as p = 2^224-2^96+1. Personally, I would avoid such special cases anyway. Regards, Rob. .-. .-. / \ .-. .-. / \ / \ / \ .-. _ .-. / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / `-' `-' \ / \ / \ \ / `-' `-' \ / `-' `-' _______________________________________________ FoRK mailing list http://xent.com/mailman/listinfo/fork ----- End forwarded message ----- -- Eugen* Leitl leitl ______________________________________________________________ ICBM: 48.07078, 11.61144 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE [demime 0.97c removed an attachment of type application/pgp-signature] From njohnsn at njohnsn.com Mon Oct 27 15:41:11 2003 From: njohnsn at njohnsn.com (Neil Johnson) Date: Mon, 27 Oct 2003 17:41:11 -0600 Subject: ECC and blinding. Message-ID: <200310271741.11741.njohnsn@njohnsn.com> Will ECC work with blinding (Chaum, Brands, etc.) techniques? Just curious. -- Neil Johnson http://www.njohnsn.com PGP key available on request. From doreillyi at sympatico.ca Mon Oct 27 14:47:36 2003 From: doreillyi at sympatico.ca (Declan O'Reilly) Date: Mon, 27 Oct 2003 17:47:36 -0500 Subject: NSA Turns To Commercial Software For Encryption (fwd from brian-slashdotnews@hyperreal.org) In-Reply-To: References: <20031026180420.GC10805@leitl.org> Message-ID: <20031027174736.2a113950.doreillyi@sympatico.ca> On Sun, 26 Oct 2003 22:01:50 -0600 (CST) "J.A. Terranson" wrote: > Am I the only one here who finds this "requirement" excessive? My god: are > we looking to keep these secrets for 50 years, or 50000 (or more) years? > > Or am I missing something? > > -- > Yours, > J.A. Terranson > sysadmin at mfn.org > > "Every living thing dies alone." > Donnie Darko 50 years does sound like a reasonable figure for computing power and the ability to brute force a crack on anything encrypted. If one is lucky the actual time limit will be around 500 years , but with computing power increasing , its possible that what ever was encrypted 10 years ago , is now in danger of being cracked. And for some things ,there is no statute of limitations. Declan O'Reilly From timcmay at got.net Mon Oct 27 18:40:51 2003 From: timcmay at got.net (Tim May) Date: Mon, 27 Oct 2003 18:40:51 -0800 Subject: "If you DON'T use encryption, you help the terrorists win" In-Reply-To: Message-ID: <25257CAA-08F0-11D8-9F08-000A956B4C74@got.net> On Monday, October 27, 2003, at 08:50 AM, Tyler Durden wrote: > "Basically they say things like "If you think the government can't > break all > the encryption schemes that we have, you're nuts." This guy was a > math major > too, so he understands the principles of crypto." > > Basically, the answer was hinted at by another poster. > > For anyone who doesn't trust the government, the point to make is that > crypto use is currently a red flag. Last year I went through great > pains on this list to point out that right now the gubmint probably > doesn't even need to break most encrypted messages in order to know > something's up. This is only possible because outside of a coporate > context few individuals use encryption. > > If everybody uses encryption, then it matters MUCH less if the > government can break any one message. What costs us pennies to encrypt > may cost them thousands to break. That's the assymmetry we asyms can > exploit. That's where we need to depart from a Tim May lone wolf > approach to your friendly, smiling America-loving flag-waving > cypherpunks: "If you don't use encryption then you help the terrorists > win". I have no patience with "If _EVERYBODY_ did foo, then...." arguments. Contrary to what many of the newcomers (last 5 years) here have argued, crypto anarchy was never about converting the world to one true political system--it was, and is, about those motivated to do so to find ways to drop out of the system and find ways to sabotage the various politicians and socialists and minorities using government to steal from them. Finding ways to destroy large nests of socialists and minority welfare mutants is of course consistent with this individualist approach. But silliness about "if everybody used encryption, then..." is just that, silliness. "First we convert the world to our viewpoint" is an empty philosophy. "Tyler Durden," you have never shown a trace of sophistication or cleverness in the several months you have been on this list. --Tim May From bos at serpentine.com Mon Oct 27 22:49:19 2003 From: bos at serpentine.com (Bryan O'Sullivan) Date: Mon, 27 Oct 2003 22:49:19 -0800 Subject: [s-t] privacy and caution digest #2 Message-ID: On Mon, 2003-10-27 at 14:49, Nick B wrote: > Nobody, but nobody, builds _anything_ electronic from the ground up. > Not me, not you, not Apple, not Microsoft, not Sony, not Intel, not > the NSA. [Apple,] Sony, Intel and the NSA get closer by fabbing their > own silicon. No Such Agency doesn't fab much of anything; they can't afford to. They and their ilk are far more interested in things like FPGAs and adapting numerical algorithms to COTS SIMD hardware, such as graphics processors (a la http://www.gpgpu.org/). > Who knows > what sort of spyware those tools are adding? Don't be silly. The amount of computation you need to do to get a circuit of any useful complexity to do something predictable is enormous. You can't stuff a thousand CPUs and 200 engineers into an Applied Materials mask etch machine, so that they can rig a WiFi card and antenna onto your PS2's vector chip without Sony finding out. Even if you could, how would they talk to the evil animalcules inside the Novellus metal deposition machine in the facility next door, so the right traces get metallised? Never even mind that automatically figuring out what a bunch of geometry in a set of masks represents is vastly harder than reverse compilation for software. > It is actually quite hard. And if anybody > ever does implement it really well, they can win, in principle even > against projects like Plan 9 No they can't. Identifying something as "a compiler" and instrumenting the right code is impossible for automated systems. References: <200310271741.11741.njohnsn@njohnsn.com> Message-ID: At 5:41 PM -0600 10/27/03, Neil Johnson wrote: >Will ECC work with blinding (Chaum, Brands, etc.) techniques? I've heard serious people discuss it with a straight face, at least. Chaumian blinding is simply big number multiplication, right? And Chaum's double-spending detection is an M-of-N hash where M=N=2. So doing that to an ECC message/public-key shouldn't be hard... Cheers, RAH -- ----------------- R. A. Hettinga The Internet Bearer Underwriting Corporation 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' From ravage at einstein.ssz.com Tue Oct 28 02:35:20 2003 From: ravage at einstein.ssz.com (Jim Choate) Date: Tue, 28 Oct 2003 04:35:20 -0600 (CST) Subject: The Register - SCO says GPL unenforcable, unconstitutional and void (fwd) Message-ID: http://www.theregister.co.uk/content/4/33619.html -- -- Lo! Men have become the tools of their tools - H.D. Thoreau ravage at ssz.com jchoate at open-forge.com www.ssz.com www.open-forge.com From ravage at einstein.ssz.com Tue Oct 28 03:08:28 2003 From: ravage at einstein.ssz.com (Jim Choate) Date: Tue, 28 Oct 2003 05:08:28 -0600 (CST) Subject: Q: Has a change taken place in factoring RSA keys? Message-ID: Hi, One of the local Linux user groups had a talk at their meeting as well as some extended discussion on the mailing list regarding RSA keys and factoring. In particular a claim was made that recent technology has come to light that allows factoring of 1024 bit RSA keys at $1B (US)/day. The basic gist was that they were claiming that 1024 keys were no longer reasonable outside of a life time of approx. a year. That 2048 keys were by extension weaker, and that larger keys should be the norm. There was some discussion about hacking GPG to generate 8k keys. I'm wondering if anyone might comment on this with regard to sources of info or other efforts? In particular I'm interested in any leads regarding this supposed hardware breakthrough. I spent about an hour googling around and didn't really come up with anything substantial. Thanks. -- -- Open Forge, LLC 24/365 Onsite Support for PCs, Networks, & Game Consoles 512-695-4126 (Austin, Tx.) help at open-forge.com irc.open-forge.com Hangar 18 Open Source Distributed Computing Using Plan 9 & Linux 512-451-7087 http://open-forge.org/hangar18 irc.open-forge.org James Choate 512-451-7087 ravage at ssz.com jchoate at open-forge.com From chess at us.ibm.com Tue Oct 28 08:31:19 2003 From: chess at us.ibm.com (David M Chess) Date: Tue, 28 Oct 2003 11:31:19 -0500 Subject: [s-t] privacy and caution digest #2 Message-ID: Michael Turyn: "whatever we do which might displease the government or a real or fictive person with power is almost certainly being done at the same time by a lot of other people." That's only a statistical comfort, of course. But then most comfort probably is. (Who designed this place, anyway?) Andrew A. Gill: >> if anyone knows of a good combined worldview that >> satisfies both, I'd love to hear about it. > s/hear about it/torture you until you let me patent it/ Never! I patent things only in self-defense. *8) I'd prefer you shouted it from the rooftops, so no one could patent it... Andy Latto: "Instead, your HTML repair and rendering engine should be on top, and the security layer should be underneath. When the rendering engine determines that the HTML, as repaired, instructs it to delete a file, it calls delete-a-file-if-security-permits, and *then* the security layer gets involved, deciding whether that particular file system operation (or network operation, or whatever) should be permitted at that time." That would be ideal. Unfortunately on many boxes it's not practical to slip the security layer in under the rendering layer, because the rendering layer is in the operating system (and the security layer is either above that for practical reasons, or in a separate box entirely). But when you can do it, it's great. How many operating systems (not counting the JVM as an operating system) have access controls based on the network address / email address / PGP credentials of the (effective) originator of the request? There are a few places where security models do allow for that. The JVM is one (to an extent). The Execution Control Lists in Lotus Notes are another (you can tell Notes who you trust to execute what classes of function, and then email from untrusted people that contains scripts to format your hard disk won't work), and I think the signed macros in recent (after I stopped paying close attention) versions of Microsoft Office are another. Things like ZoneAlarm and Norton Whatever do a sideways version of this, by granting network access using the identity of the program that's asking as the effective 'identity' (this has some interesting properties). It'd be cool (if maybe expensive performance-wise?) if some widespread OS had a sufficiently rich notion of requestor identity (beyond "people with accounts on this box") to do it down at the filesystem / memory-access / etc level. Some Linux version? (All Unix machines everywhere, using a facility that I am temporarily ignorant of? BeOS?) DC ----------------------------------------------------------- From adam at cypherspace.org Tue Oct 28 13:49:49 2003 From: adam at cypherspace.org (Adam Back) Date: Tue, 28 Oct 2003 13:49:49 -0800 Subject: ECC and blinding. In-Reply-To: <200310271741.11741.njohnsn@njohnsn.com> References: <200310271741.11741.njohnsn@njohnsn.com> Message-ID: <20031028214949.GA14966@dual.cypherspace.org> There are two variants of Brands schemes: over RSA or DH. The DH variant can be used with the EC. People don't do RSA over EC because the security argument doesn't work (ie I believe you can do it technically, but the performance / key size / security arguments no longer work). So for that reason I think Chaum's scheme practically would not be viable over EC. (Or you could do it but you'd be better off performance, security and key/messag size doing Chaum over normal RSA). There are other blinding schemes also such as David Wagner's blind MAC approach, and that should work over EC as it is DH based. Adam On Mon, Oct 27, 2003 at 05:41:11PM -0600, Neil Johnson wrote: > Will ECC work with blinding (Chaum, Brands, etc.) techniques? > > Just curious. From billy at dadadada.net Tue Oct 28 13:45:30 2003 From: billy at dadadada.net (BillyGOTO) Date: Tue, 28 Oct 2003 16:45:30 -0500 Subject: LOC DMCA Exemptions Posted Message-ID: <20031028214530.GA2950@mail.dadadada.net> White smoke from the chimney of the L of C... As of now, it is now explicitly legal to decrypt the blacklists of NetNanny - style applications. As of now, it is now explicitly legal to RevEng abandonware dongles. Also legal to break copy-restriction schemes on abandonware. The most surprising exemption is for eBook decription. It is only allowed if you can't otherwise render the text into a 'specialized format'. ----- Forwarded message from Phil Gengler ----- Within the last 5 minutes, the LOC website (http://www.copyright.gov/1201) posted the determinations for DMCA exemptions from the May hearings. Interesting read, if nothing else. 4 classes of works were exempted, and for several that weren't, there's an explanation of why. From camera_lumina at hotmail.com Tue Oct 28 14:01:50 2003 From: camera_lumina at hotmail.com (Tyler Durden) Date: Tue, 28 Oct 2003 17:01:50 -0500 Subject: "If you DON'T use encryption, you help the terrorists win" Message-ID: Tim May wrote... "But silliness about "if everybody used encryption, then..." is just that, silliness." You seem to miss my point here (and in general), and since this is probably the closest area in which we agree, I'd suggest it's worthwhile examining this. Let's first of all agree that the proliferation of crypto is a good thing. If crypto is rarely used, then MY usage of it is actually almost worse (depending on context) than using it. More than that, increased use of crypto implies increased cost of monitoring. The $$$ nature of the assymmetry is mirrored precisely by the calculational assymetry. Ideally, it seems to me that this should be exploited. "If only everyone" is I agree largely pointless in and of itself. However, when coupled to some fairly easy and obvious applications of "greed", the potential results are interesting. Want an example? We now see file trading, messaging, and possibly even IP telephony occuring in P2P networks. Some of the P2Ps will be/are encrypted...a primitive form of "blacknet" you might say. Couple this app with popular notions of "protecting us from the terrorists" and you may have wildfire. That's the goal: wildfire. You're problem is that you don't realize that crypto is no longer a technological issue now. It's now a social and marketing one. The fact that "Tyler Durden" actually has little of major insight to say completely misses the point. Ideally, "Tyler Durden" is a generic, popular figure that embodies virulent, 'stoopid' popularity. Tyler Durden is not an intellectual: He's basically a dumb punk and a rabblerouser. Ideally, he's every man. He's everything you've always been afraid of, but he is precisely the one who can set you free. -TD >From: Tim May >To: cypherpunks at lne.com >Subject: Re: "If you DON'T use encryption, you help the terrorists win" >Date: Mon, 27 Oct 2003 18:40:51 -0800 > >On Monday, October 27, 2003, at 08:50 AM, Tyler Durden wrote: > >>"Basically they say things like "If you think the government can't break >>all >>the encryption schemes that we have, you're nuts." This guy was a math >>major >>too, so he understands the principles of crypto." >> >>Basically, the answer was hinted at by another poster. >> >>For anyone who doesn't trust the government, the point to make is that >>crypto use is currently a red flag. Last year I went through great pains >>on this list to point out that right now the gubmint probably doesn't even >>need to break most encrypted messages in order to know something's up. >>This is only possible because outside of a coporate context few >>individuals use encryption. >> >>If everybody uses encryption, then it matters MUCH less if the government >>can break any one message. What costs us pennies to encrypt may cost them >>thousands to break. That's the assymmetry we asyms can exploit. That's >>where we need to depart from a Tim May lone wolf approach to your >>friendly, smiling America-loving flag-waving cypherpunks: "If you don't >>use encryption then you help the terrorists win". > >I have no patience with "If _EVERYBODY_ did foo, then...." arguments. > >Contrary to what many of the newcomers (last 5 years) here have argued, >crypto anarchy was never about converting the world to one true political >system--it was, and is, about those motivated to do so to find ways to drop >out of the system and find ways to sabotage the various politicians and >socialists and minorities using government to steal from them. > >Finding ways to destroy large nests of socialists and minority welfare >mutants is of course consistent with this individualist approach. > >But silliness about "if everybody used encryption, then..." is just that, >silliness. > >"First we convert the world to our viewpoint" is an empty philosophy. > >"Tyler Durden," you have never shown a trace of sophistication or >cleverness in the several months you have been on this list. > > >--Tim May _________________________________________________________________ Concerned that messages may bounce because your Hotmail account has exceeded its 2MB storage limit? Get Hotmail Extra Storage! http://join.msn.com/?PAGE=features/es From spl at ncmir.ucsd.edu Tue Oct 28 20:57:56 2003 From: spl at ncmir.ucsd.edu (Steve Lamont) Date: Tue, 28 Oct 2003 20:57:56 -0800 (PST) Subject: [s-t] privacy and caution digest #2 Message-ID: > My only contribution is the mantra: "Take comfort in your own > unimportance." That is to say, paranoia has more than a smidgen of > self-aggrandisement to it, and though everyday worrying is not > paranoia, it's important to remember the allure inherent in thinking > yourself a certain target. Most of us, perhaps all of us on this > list, aren't worth it; whatever we do which might displease the > government or a real or fictive person with power is almost certainly > being done at the same time by a lot of other people. > > Fear of being watched is part of the plan of anyone maliciously watching. Except, of course, that while you as an individual may be unimportant, information about you is. Your email address is important to spammers, who seem to go to extraordinary lengths to get it and to break through any barriers you might attempt to erect to prevent them from filling your email file[*] with crap. Mass marketers want your physical mail address, to which they direct entire old growth forests worth of paper to entice you to refinance, change your phone carrier, or reshingle your house, usually with some deceptive come-on to dupe the slow-witted. Telemarketers. . . well, you get the idea. In the future, your shopping cart will spy on you as you cruise the aisles of your local megamart, phoning home whenever you slow down in front of the Oreos display, buy cheese, or condoms. Your TiVo already reports what programs you record, what commercials you skip and which ones you rewind and watch again. Your CD or MP3 player will probably be soon uploading your music preferences back to the RIAA. And if you wish to live anything resembling a comfortable life, you will have no option but to submit. Your every move will be watched, not just by TIA and the CIA but Nielson, Safeway, Wal*Mart, Fox, and Nike. The government only cares about your politics. The real Big Brother cares about your wallet and is thus much, much, more motivated. spl -- [*] I hate the "mail box" metaphor. It's not a box. It's a file. Or a directory. Whatever it is, it ain't a box. But that's another rant for another day. ----------------------------------------------------------- ----- End forwarded message ----- -- Eugen* Leitl leitl ______________________________________________________________ ICBM: 48.07078, 11.61144 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE [demime 0.97c removed an attachment of type application/pgp-signature] From jtrjtrjtr2001 at yahoo.com Tue Oct 28 22:59:54 2003 From: jtrjtrjtr2001 at yahoo.com (Sarad AV) Date: Tue, 28 Oct 2003 22:59:54 -0800 (PST) Subject: "If you DON'T use encryption, you help the terrorists win" In-Reply-To: Message-ID: <20031029065954.88466.qmail@web21204.mail.yahoo.com> HI, >TD wrote- > that, increased use of > crypto implies increased cost of monitoring. If a larger population starts using cryptography, we can compare it to U.S mail. The govt. any way can't go through all the snail mails due to its sheer volume. They rely on other methods to detect and nullify terror threats. Even if every one started using encryption, the govt will not spend any money to decrypt all the messages. The govt will use other mechanisms(intelligece) to detect which cipher text is worth breaking. More people using cryptography is good for the crypto community, in terms of dollars,interest and development in this particular area. Sarath. --- Tyler Durden wrote: > Tim May wrote... > > "But silliness about "if everybody used encryption, > then..." is just that, > silliness." > > You seem to miss my point here (and in general), and > since this is probably > the closest area in which we agree, I'd suggest it's > worthwhile examining > this. > > Let's first of all agree that the proliferation of > crypto is a good thing. > If crypto is rarely used, then MY usage of it is > actually almost worse > (depending on context) than using it. More than > that, increased use of > crypto implies increased cost of monitoring. The $$$ > nature of the > assymmetry is mirrored precisely by the > calculational assymetry. Ideally, it > seems to me that this should be exploited. > __________________________________ Do you Yahoo!? Exclusive Video Premiere - Britney Spears http://launch.yahoo.com/promos/britneyspears/ From sunder at sunder.net Wed Oct 29 08:28:08 2003 From: sunder at sunder.net (Sunder) Date: Wed, 29 Oct 2003 11:28:08 -0500 (est) Subject: "If you DON'T use encryption, you help the terrorists win" In-Reply-To: <20031029065954.88466.qmail@web21204.mail.yahoo.com> Message-ID: The biggest hurdle and the thing that will have the most effect is to have every MTA out there turn on Start TLS. It won't provide a big enhancement in terms of security at the ISP level, but it will blind the global content search engines everywhere. Except, of course, at those ISP's already infected by carnivore boxes - which at least aren't allowed by law to capture all traffic, but I wouldn't put money that they'd follow it. So the first course of action is to convince MTA authors everywhere to enable and turn this on. Later, they could drop support for non-TLS traffic. It could also help against spamming somehow, as it will cost the spammer a few more CPU cycles. (But this will be a very weak deterrent against spam.) The next hurdle will be to get Microsoft Outlook to ship with PGP - it'll be a very very cold day in hell for that to happen. :) So, we'll keep dreaming and wishing. Certainly, if it does, only fools will trust it as secure. ----------------------Kaos-Keraunos-Kybernetos--------------------------- + ^ + :25Kliters anthrax, 38K liters botulinum toxin, 500 tons of /|\ \|/ :sarin, mustard and VX gas, mobile bio-weapons labs, nukular /\|/\ <--*-->:weapons.. Reasons for war on Iraq - GWB 2003-01-28 speech. \/|\/ /|\ :Found to date: 0. Cost of war: $800,000,000,000 USD. \|/ + v + : The look on Sadam's face - priceless! --------_sunder_ at _sunder_._net_------- http://www.sunder.net ------------ On Tue, 28 Oct 2003, Sarad AV wrote: > HI, > > >TD wrote- > > that, increased use of > > crypto implies increased cost of monitoring. > > If a larger population starts using cryptography, we > can compare it to U.S mail. The govt. any way can't go > through all the snail mails due to its sheer volume. > They rely on other methods to detect and nullify > terror threats. Even if every one started using > encryption, the govt will not spend any money to > decrypt all the messages. The govt will use other > mechanisms(intelligece) to detect which cipher text is > worth breaking. More people using cryptography is good > for the crypto community, in terms of dollars,interest > and development in this particular area. From wk at gnupg.org Wed Oct 29 02:32:57 2003 From: wk at gnupg.org (Werner Koch) Date: Wed, 29 Oct 2003 11:32:57 +0100 Subject: Q: Has a change taken place in factoring RSA keys? In-Reply-To: (Jim Choate's message of "Tue, 28 Oct 2003 05:08:28 -0600 (CST)") References: Message-ID: <87ekwwqqp1.fsf@alberti.g10code.de> On Tue, 28 Oct 2003 05:08:28 -0600 (CST), Jim Choate said: > In particular a claim was made that recent technology has come to light that > allows factoring of 1024 bit RSA keys at $1B (US)/day. The basic gist was that Adi Shamir's TWINKLE, I guess. > time of approx. a year. That 2048 keys were by extension weaker, and that > larger keys should be the norm. There was some discussion about hacking GPG to > generate 8k keys. That won't help unless you find a way to get random number as good as the keysize. The hack itself is trivial but I don't do it because large keys are a headache for low-end machines and they trick users into false security assumptions. I am pretty sure that any PC or usage of GnuPG can be broken by spending far less money. Werner -- Werner Koch The GnuPG Experts http://g10code.com Free Software Foundation Europe http://fsfeurope.org From hseaver at cybershamanix.com Wed Oct 29 11:22:09 2003 From: hseaver at cybershamanix.com (Harmon Seaver) Date: Wed, 29 Oct 2003 13:22:09 -0600 Subject: "If you DON'T use encryption, you help the terrorists win" In-Reply-To: References: <20031029175751.GB10805@leitl.org> Message-ID: <20031029192209.GB24490@cybershamanix.com> On Wed, Oct 29, 2003 at 01:50:37PM -0500, Sunder wrote: > The push to do that should be aimed at the MTA authors and package > organizers. If you can get it turned on by default, you're half way > there. Last time I tried to fuck with this on qmail, I had to patch qmail > to support it. Not something I'd like to do again - hopefully it's > changed a bit. > > >From 1st hand experience - it is indeed a pain in the ass. > > But if you can get the big projects to turn it on by default for all/most > of the MTA's, then you can push the bigger fish to do so as well. I'd It's not setting up tls itself that's the problem, really, it's the cert generation that got me bogged down and so everytime I've tried it, first with sendmail and then with postfix, I've ended up with "okay, when I've got more time I'll finish this". Of course, ipsec is the same way. Setting up ipsec on a cisco router is sure a lot easier. -- Harmon Seaver CyberShamanix http://www.cybershamanix.com From sunder at sunder.net Wed Oct 29 10:50:37 2003 From: sunder at sunder.net (Sunder) Date: Wed, 29 Oct 2003 13:50:37 -0500 (est) Subject: "If you DON'T use encryption, you help the terrorists win" In-Reply-To: <20031029175751.GB10805@leitl.org> Message-ID: The push to do that should be aimed at the MTA authors and package organizers. If you can get it turned on by default, you're half way there. Last time I tried to fuck with this on qmail, I had to patch qmail to support it. Not something I'd like to do again - hopefully it's changed a bit. >From 1st hand experience - it is indeed a pain in the ass. But if you can get the big projects to turn it on by default for all/most of the MTA's, then you can push the bigger fish to do so as well. I'd start with OpenBSD - they're likely to be friendlier to the idea. Then you can push FreeBSD, NetBSD, RedHat Linux, Mandrake, and so on... Then the MTA authors, then Solaris (which seems to be bent on copying whatever Linux does) and so on.... Strangely enough, I recall that of all the entitites, out there MSFT had implemented some sort of secure SMTP in somne version of IIS.. like 4.0... Not sure about Exchange and its ilk... ----------------------Kaos-Keraunos-Kybernetos--------------------------- + ^ + :25Kliters anthrax, 38K liters botulinum toxin, 500 tons of /|\ \|/ :sarin, mustard and VX gas, mobile bio-weapons labs, nukular /\|/\ <--*-->:weapons.. Reasons for war on Iraq - GWB 2003-01-28 speech. \/|\/ /|\ :Found to date: 0. Cost of war: $800,000,000,000 USD. \|/ + v + : The look on Sadam's face - priceless! --------_sunder_ at _sunder_._net_------- http://www.sunder.net ------------ On Wed, 29 Oct 2003, Eugen Leitl wrote: > On Wed, Oct 29, 2003 at 11:28:08AM -0500, Sunder wrote: > > The biggest hurdle and the thing that will have the most effect is to have > > every MTA out there turn on Start TLS. It won't provide a big enhancement > > For the record: it's unreasonably difficult (for a pedestrian > sysadmin such as me) to set up StartTLS. Debian unstable ships > with postfix-tls (albeit not installed as default), but apt-get install > postfix-tls > doesn't take care of the self-signed cert generation, and setting up > /etc/postfix/main.cf for StartTLS support. > > It would be a most cypherpunkly undertaking to get that package to do that. > (I have no idea how Debian packages work, unfortunately). From bill.stewart at pobox.com Wed Oct 29 14:50:00 2003 From: bill.stewart at pobox.com (Bill Stewart) Date: Wed, 29 Oct 2003 14:50:00 -0800 (PST) Subject: Q: Has a change taken place in factoring RSA keys? In-Reply-To: <87ekwwqqp1.fsf@alberti.g10code.de> References: <87ekwwqqp1.fsf@alberti.g10code.de> Message-ID: <4343.216.240.32.1.1067467800.squirrel@smirk.idiom.com> >> In particular a claim was made that recent technology has come to >> light that allows factoring of 1024 bit RSA keys at $1B (US)/day. The >> basic gist was that > > Adi Shamir's TWINKLE, I guess. I think that's the source as well - when the most recent of the TWINKLE and TWIRL papers came out, Lucky Green was talking about whether it was still safe to use 1024-bit keys, and $1B for 1 key/day is similar to Shamir & Tromer's estimate of ( http://www.wisdom.weizmann.ac.il/~tromer/papers/cbtwirl.pdf ) $20M upfront plus $10M for a 1 key/year capacity. (The alternative is that it's people believing the usual FUD sources, whether they're the pro-government serious FUD sources or the fun-yanking-people's-chains clueless FUDsters.) >> There was some discussion about hacking GPG to generate 8k keys. But if 1024-bit keys are too weak, RSA is still near-exponential, and 2048-bit keys are roughly 2**100 times harder to crack than 1024-bit, vs. 4-8 times as slow to use. 4096 is a lot harder than that; even if you allow for Moore's law and medium mathematical breakthroughs, you're still not going to fit a 4096-bit cracker on the planet. Basically, by the time you're interesting enough for them to spend $10M and a year to crack your machine, you'd better be using 2048-bit keys for tactical applications and maybe 4096-bit for long-term military secrets, and since they're targeting YOU, it's a lot cheaper for them to black-bag your PC or plant cameras in your ceiling or bribe your janitor. > That won't help unless you find a way to get random number as good as > the keysize. Large random numbers aren't that hard if you're using them for long-term signature keys, as opposed to DH or symmetric session keys; it just takes a bit longer to generate the bits. Also, once you're up above the 1024-bit range, incremental quality is less important, because attacks on the keyspace are hard to combine with factoring attacks on the keys, especially if you're whitening them. But as you say, taking GPG from 4kbit to 8kbit keys doesn't matter, because it's no longer close to the weakest link by then. From eugen at leitl.org Wed Oct 29 09:57:51 2003 From: eugen at leitl.org (Eugen Leitl) Date: Wed, 29 Oct 2003 18:57:51 +0100 Subject: "If you DON'T use encryption, you help the terrorists win" In-Reply-To: References: <20031029065954.88466.qmail@web21204.mail.yahoo.com> Message-ID: <20031029175751.GB10805@leitl.org> On Wed, Oct 29, 2003 at 11:28:08AM -0500, Sunder wrote: > The biggest hurdle and the thing that will have the most effect is to have > every MTA out there turn on Start TLS. It won't provide a big enhancement For the record: it's unreasonably difficult (for a pedestrian sysadmin such as me) to set up StartTLS. Debian unstable ships with postfix-tls (albeit not installed as default), but apt-get install postfix-tls doesn't take care of the self-signed cert generation, and setting up /etc/postfix/main.cf for StartTLS support. It would be a most cypherpunkly undertaking to get that package to do that. (I have no idea how Debian packages work, unfortunately). > in terms of security at the ISP level, but it will blind the global > content search engines everywhere. Except, of course, at those ISP's > already infected by carnivore boxes - which at least aren't allowed by law > to capture all traffic, but I wouldn't put money that they'd follow it. > > So the first course of action is to convince MTA authors everywhere to > enable and turn this on. Later, they could drop support for non-TLS > traffic. It could also help against spamming somehow, as it will cost the > spammer a few more CPU cycles. (But this will be a very weak deterrent > against spam.) -- Eugen* Leitl leitl ______________________________________________________________ ICBM: 48.07078, 11.61144 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE [demime 0.97c removed an attachment of type application/pgp-signature] From pgut001 at cs.auckland.ac.nz Tue Oct 28 21:59:54 2003 From: pgut001 at cs.auckland.ac.nz (Peter Gutmann) Date: Wed, 29 Oct 2003 18:59:54 +1300 Subject: NSA Turns To Commercial Software For Encryption (fwd from brian-slashdotnews@hyperreal.org) Message-ID: <200310290559.h9T5xst09783@cs.auckland.ac.nz> "Dave Howe" writes: >I was under the impression they had just licenced their *patent* Yup, and that's all they did. I've seen some downright bizarre interpretations of this particular portent on the web ( slashdot), but the simple fact is that the NSA, in its role as the agency responsible for overseeing crypto use by the USG, got a blanket Certicom patent license for cases where ECC (of the Certicom-patented variety) is used, just as they got a blanket DSA license for DSA, and would have had to get a blanket RSA license before that if it hadn't been USG-funded work and a blanket DES license if IBM hadn't made the patent freely usable. Certicom's PR folks, seeing an opportunity, put out a press release saying that the NSA had licensed their patent(s). This does not mean that the NSA is about the drop their own crypto for ECC (definitely the silliest interpretation of Certicom's press release I've seen), nor is it a sign that they believe RSA is dead or that the end of the world is nigh, etc etc etc. Peter. From eugen at leitl.org Wed Oct 29 14:44:05 2003 From: eugen at leitl.org (Eugen Leitl) Date: Wed, 29 Oct 2003 23:44:05 +0100 Subject: Certicom? [...] [Fwd: NSA Turns To Commercial Software For Encryption] (fwd from harley@argote.ch) Message-ID: <20031029224405.GN10805@leitl.org> ----- Forwarded message from "Dr. Robert J. Harley" ----- From ravage at einstein.ssz.com Thu Oct 30 06:24:12 2003 From: ravage at einstein.ssz.com (Jim Choate) Date: Thu, 30 Oct 2003 08:24:12 -0600 (CST) Subject: ScienceDaily News Release: Physicists Stop Polarized Light, Create Bit Of Quantum Memory Rubidium (fwd) Message-ID: http://www.sciencedaily.com/releases/2003/10/031030063719.htm -- -- Open Forge, LLC 24/365 Onsite Support for PCs, Networks, & Game Consoles 512-695-4126 (Austin, Tx.) help at open-forge.com irc.open-forge.com Hangar 18 Open Source Distributed Computing Using Plan 9 & Linux 512-451-7087 http://open-forge.org/hangar18 irc.open-forge.org James Choate 512-451-7087 ravage at ssz.com jchoate at open-forge.com From jamesd at echeque.com Thu Oct 30 09:06:10 2003 From: jamesd at echeque.com (James A. Donald) Date: Thu, 30 Oct 2003 09:06:10 -0800 Subject: ECC and blinding. In-Reply-To: <20031028214949.GA14966@dual.cypherspace.org> References: <200310271741.11741.njohnsn@njohnsn.com> Message-ID: <3FA0D482.1221.F53862C@localhost> -- On 28 Oct 2003 at 13:49, Adam Back wrote: > So for that reason I think Chaum's scheme practically would > not be viable over EC. (Or you could do it but you'd be > better off performance, security and key/messag size doing > Chaum over normal RSA). Simple Chaumian blinding works fine on EC. Some more complex schemes, such as some of Brand's, do not. But I do not see any demand for the more complex schemes. The simplest scheme is already complicated enough, that some of the complexities afflict the end user. --digsig James A. Donald 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG aKHDMdj+9gnBr65YtX0qhoydEhjayKgfhkQHEAzr 4mclgavEBK5DyZ0aLB/l/EnYG2RizakxZ8mZUlz+E From declan at well.com Thu Oct 30 19:00:22 2003 From: declan at well.com (Declan McCullagh) Date: Thu, 30 Oct 2003 21:00:22 -0600 Subject: LOC DMCA Exemptions Posted In-Reply-To: <20031028214530.GA2950@mail.dadadada.net>; from billy@dadadada.net on Tue, Oct 28, 2003 at 04:45:30PM -0500 References: <20031028214530.GA2950@mail.dadadada.net> Message-ID: <20031030210022.A31206@baltwash.com> I believe the previous LoC rulemaking exemption already permitted the decryption of blocking sw blacklists. No change here. -Declan On Tue, Oct 28, 2003 at 04:45:30PM -0500, BillyGOTO wrote: > White smoke from the chimney of the L of C... > > As of now, it is now explicitly legal to decrypt the blacklists of > NetNanny - style applications. > > As of now, it is now explicitly legal to RevEng abandonware dongles. > Also legal to break copy-restriction schemes on abandonware. > > The most surprising exemption is for eBook decription. It is only > allowed if you can't otherwise render the text into a 'specialized > format'. > > ----- Forwarded message from Phil Gengler ----- > > Within the last 5 minutes, the LOC website > (http://www.copyright.gov/1201) posted the determinations for DMCA > exemptions from the May hearings. > > Interesting read, if nothing else. 4 classes of works were exempted, > and for several that weren't, there's an explanation of why. From madduck at madduck.net Thu Oct 30 14:35:55 2003 From: madduck at madduck.net (martin f krafft) Date: Thu, 30 Oct 2003 23:35:55 +0100 Subject: "If you DON'T use encryption, you help the terrorists win" In-Reply-To: <20031029175751.GB10805@leitl.org> References: <20031029065954.88466.qmail@web21204.mail.yahoo.com> <20031029175751.GB10805@leitl.org> Message-ID: <20031030223555.GA10482@piper.madduck.net> also sprach Eugen Leitl [2003.10.29.1857 +0100]: > For the record: it's unreasonably difficult (for a pedestrian > sysadmin such as me) to set up StartTLS. Debian unstable ships > with postfix-tls (albeit not installed as default), but apt-get > install postfix-tls doesn't take care of the self-signed cert > generation, and setting up /etc/postfix/main.cf for StartTLS > support. > > It would be a most cypherpunkly undertaking to get that package to > do that. (I have no idea how Debian packages work, unfortunately). I will forward this to the appropriate people. -- martin; (greetings from the heart of the sun.) \____ echo mailto: !#^."<*>"|tr "<*> mailto:" net at madduck invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver! "i must get out of these wet clothes and into a dry martini." -- alexander woolcott [demime 0.97c removed an attachment of type application/pgp-signature] From ravage at einstein.ssz.com Thu Oct 30 21:48:50 2003 From: ravage at einstein.ssz.com (Jim Choate) Date: Thu, 30 Oct 2003 23:48:50 -0600 (CST) Subject: [discuss] Call for Papers - PISTA 2004 (fwd) Message-ID: ---------- Forwarded message ---------- Date: Thu, 30 Oct 2003 16:25:10 -0600 From: Jon Lebkowsky To: discuss at effaustin.org, discuss at actlab.utexas.edu Subject: [discuss] Call for Papers - PISTA 2004 Call for Papers 2nd International Conference on Politics and Information Systems: Technologies and Applications (PISTA 404) July 21 - 25, 2004 - Orlando, Florida, USA http://www.confinf.org/pista04 PISTA '04 Organizing Committee invites authors to submit their original and unpublished works, innovations, ideas based on analogical thinking, problems that require solutions, position papers, case studies, etc., in the fields of Information and Communication Technologies (ICT). ICT researchers are invited to present their research results. Practitioners and consultants are invited to present case study papers and innovative solutions. Corporations are invited to present political information systems and software based solutions. Public servers are invited to present case studies, information systems developed for specific purpose, and innovative ideas and designs. Political and social scientists are invited to present research or position papers on the impact and the future possibilities of ICT in Societal systems and political processes. Politician and political consultants are invited to present problems that might be solved by means of ICT, or solutions that might be improved by different approaches and design in ICT. All are invited to organize panel or invited sessions. Panel sessions with panelists coming from both: ICT researcher/practitioners and political consultants or politicians are highly encouraged. Submitted papers must describe work not previously published. They must not be submitted concurrently to another conference with refereed proceedings. You can find complete information about the conference in our web page http://www.confinf.org/pista04 PISTA '04 Organization General Chair: Prof. Jose Vicente Carrasquero Organizing Committee Chair: Prof. Angel Oropeza Organized by the IIIS: The International Institute of Informatics and Systemics Conference Areas 7 Informatics And Society 7 Informatics, Voting and Political Parties 7 Informatics And Government 7 Ethical and Legal Issues related to Informatics Abstracts and Paper Drafts Submission Form Papers might be submitted via web page http://www.confinf.org/pista04/website/submission.asp, as extended abstracts (500-1500 words) or as full papers drafts (2000-5000 words). Reviews will be done for both kinds of submissions. Invited Sessions proposals can be done filling the form given in the web page http://www.confinf.org/pista04/invitedsession/organizer.asp More information about Invited Sessions Organization could be found at the web http://www.confinf.org/pista04/website/ISOrganization.asp Important Dates December 22nd, 2003: Submission of extended abstracts (500-1500) words or paper Drafts (2000-5000) words. December 22nd, 2003: Invited session proposals. February 13th, 2004: Notifications of Acceptance. April 13th, 2004: Submission of final versions: hard copies and electronic versions. Some invited sessions might have a different timetable according to its organizer and chair Papers Reviewing And Publication Submitted papers will be reviewed. Accepted papers, which should not exceed six single-spaced typed pages, will be published by means of paper and electronic proceedings. Authors of accepted papers must sign a copyright release form. The Journal of Systemics, Cybernetics and Informatics will publish, at least, the best 10% of the papers presented at the conference. --------------------------------------------------------------------- To unsubscribe, e-mail: discuss-unsubscribe at effaustin.org For additional commands, e-mail: discuss-help at effaustin.org From ravage at einstein.ssz.com Fri Oct 31 05:39:05 2003 From: ravage at einstein.ssz.com (Jim Choate) Date: Fri, 31 Oct 2003 07:39:05 -0600 (CST) Subject: The Register - Crack codes and win prizes (fwd) Message-ID: http://www.theregister.co.uk/content/28/33683.html -- -- Open Forge, LLC 24/365 Onsite Support for PCs, Networks, & Game Consoles 512-695-4126 (Austin, Tx.) help at open-forge.com irc.open-forge.com Hangar 18 Open Source Distributed Computing Using Plan 9 & Linux 512-451-7087 http://open-forge.org/hangar18 irc.open-forge.org James Choate 512-451-7087 ravage at ssz.com jchoate at open-forge.com From mv at cdc.gov Fri Oct 31 10:10:19 2003 From: mv at cdc.gov (Major Variola (ret)) Date: Fri, 31 Oct 2003 10:10:19 -0800 Subject: Chaumian blinding & public voting? Message-ID: <3FA2A58B.67C48379@cdc.gov> Is is possible to use blinding (or other protocols) so that all votes are published, you can check that your vote is in there, and you (or anyone) can run the maths and verify the vote? Without being able to link people to votes without their consent. Currently voting is trusted because political adversaries supervise the process. Previously the mechanics were, well, mechanical, ie, open for inspection. The current genre of voting machines.. well, you know the scam. And still reliant on a few adversarial human monitors. Something like this: The day after elections a list of hex codes -votes- are published. You can find in that list the code that you received (on paper) when you voted, to verify that your vote counted. You can run an algorithm on any subset of codes, including just your own, and learn which candidate that code corresponds to. Everyone can run on the entire dataset, verifying the tally. You don't have to divulge which code is yours if you want it to remain secret. Perhaps the code could contain not only the intended vote, but a unique voter ID so that hexcodes could not be added to the dataset (cf dead people not allowed to vote except in Chicago) without setting off alarms. Perhaps anyone could verify that someone voted, or not, but could not figure who they voted for without their cooperation. Apologies if I should know this, I haven't gotten my head around all the M of N, blinding, database translucency, etc protocols. From ravage at einstein.ssz.com Fri Oct 31 13:13:53 2003 From: ravage at einstein.ssz.com (Jim Choate) Date: Fri, 31 Oct 2003 15:13:53 -0600 (CST) Subject: Prediction about spam laws... Message-ID: Hi, I'd like to share my crystal ball. The jurisdictions which pass spam control laws that require 'permission' will actually foster spam. The new format for spam will be: May I send you correspondences? Blahblahblahblah To stop future correspondence please send an unsubscription request to: f00 at bar.dingbat -- -- What these laws will actually do is require more effort on the part of consumers. Further, the 'valid address' requirements would be fulfilled by a simple -single- subscription to a free mail service. This mailbox of course would never actually be read. What this will do is increase the load on the 'free' services, causing many of them to cease to exist. It in effect increases the lower bounds on resources needed to participate in this great democratic-technocratic experiment we call the Internet. These laws are 'bad' things. -- -- Open Forge, LLC 24/365 Onsite Support for PCs, Networks, & Game Consoles 512-695-4126 (Austin, Tx.) help at open-forge.com irc.open-forge.com Hangar 18 Open Source Distributed Computing Using Plan 9 & Linux 512-451-7087 http://open-forge.org/hangar18 irc.open-forge.org James Choate 512-451-7087 ravage at ssz.com jchoate at open-forge.com From adam at cypherspace.org Fri Oct 31 15:26:05 2003 From: adam at cypherspace.org (Adam Back) Date: Fri, 31 Oct 2003 15:26:05 -0800 Subject: ECC and blinding. In-Reply-To: <3FA0D482.1221.F53862C@localhost> References: <200310271741.11741.njohnsn@njohnsn.com> <3FA0D482.1221.F53862C@localhost> Message-ID: <20031031232605.GA31764@dual.cypherspace.org> On Thu, Oct 30, 2003 at 09:06:10AM -0800, James A. Donald wrote: > On 28 Oct 2003 at 13:49, Adam Back wrote: > > So for that reason I think Chaum's scheme practically would > > not be viable over EC. (Or you could do it but you'd be > > better off performance, security and key/messag size doing > > Chaum over normal RSA). > > Simple Chaumian blinding works fine on EC. So Chaumian blinding with public exponent e, private exponent d, and modulus n is this and blinding factor b chosen by the client: blind: b^e.m mod n -> sign: <- (b^e.m)^d mod n = b.m^d mod n (simplifying) and divide by b to unblind: m^d mod n how are you going to do this over EC? You need an RSA like e and d to cancel. > Some more complex schemes, such as some of Brand's, do not. Brands DH based blinding scheme works in EC. ECDH is directly analogous, the usual conversion from discrete log (g^x mod p) to the EC analog (x.G over curve E) works. Adam From nobody at dizum.com Fri Oct 31 08:30:02 2003 From: nobody at dizum.com (Nomen Nescio) Date: Fri, 31 Oct 2003 17:30:02 +0100 (CET) Subject: radiusnet archives? Message-ID: <826536e34aa5aa547d2f434c795b417a@dizum.com> Anyone knows what happened to the radiusnet crypto archives? I bookmarked them at once. Now the whole domain seem dead. From shaddack at ns.arachne.cz Fri Oct 31 08:41:54 2003 From: shaddack at ns.arachne.cz (Thomas Shaddack) Date: Fri, 31 Oct 2003 17:41:54 +0100 (CET) Subject: TLS/qmail and DH cipher suites - patch to patch Message-ID: <0310311732540.-1158882652@somehost.domainz.com> Speaking about not letting the terrorists win... My favorite MTA is qmail, for couple reasons. The TLS support is available as a thrid-party patch. However, the support for Diffie-Hellman cipher suites was missing, the initialization code was not there. I borrowed code from stunnel, and implemented it into the qmail patch. >From now on, the ephemeral keying should work there. See http://213.246.91.154/patches/qmail/ Peer review more than welcomed. I am a very beginner in cryptography-related programming. From measl at mfn.org Fri Oct 31 17:23:28 2003 From: measl at mfn.org (J.A. Terranson) Date: Fri, 31 Oct 2003 19:23:28 -0600 (CST) Subject: Cisco LEAP (fwd) Message-ID: I thought this forum would be able to provide the good gentleman with more accurate data that the typical that is to be found on the below mentioned mailing list. -- Yours, J.A. Terranson sysadmin at mfn.org "Every living thing dies alone." Donnie Darko ---------- Forwarded message ---------- Date: Fri, 31 Oct 2003 08:11:59 -0800 (PST) From: No Man To: pen-test at securityfocus.com Subject: Cisco LEAP I'm sure everyone is aware of the recent discussion regarding LEAP and it's suceptiblity to dictionary attacks. As I understand it, it is basically the MS-CHAP problem: the 16 byte RC4 hash is padded with 5 nulls, split into three 7 byte chunks, then each chunk is encrypted with DES. The last chunk, since you know it has 5 nulls, is pretty easy to get That gives you the last two bytes of the hash, which you then compare for matches with the last two bytes in a precompiled dictionary of hashes. What about using a very large dictionary of all possible combinations for a given password length to, in effect, "brute force" it? Take for example a 6 character password made of lowercase letters and numbers. 36^6 works out to about 2.2 billion possibilities. Your dictionary or 2.2B rc4 hashes would take up roughly 40GB. I guess the plain text that the hash was calculated from would be in there too, so it would be a little larger, but suffice it to say that it would fit on a fairly typical hard drive. So, I'm wondering several things. Consider typical newer Intel hardware. 1) what would it take time-wise to create the dictionary? 2) how long would it take to cycle through 40 gigs of hashes to find the matches? 3) how many matches on the last two bytes of the hash are there likely to be? Thanks in advance for any help in deciding how big of an issue this really is! Michael __________________________________ Do you Yahoo!? Exclusive Video Premiere - Britney Spears http://launch.yahoo.com/promos/britneyspears/ --------------------------------------------------------------------------- Network with over 10,000 of the brightest minds in information security at the largest, most highly-anticipated industry event of the year. Don't miss RSA Conference 2004! Choose from over 200 class sessions and see demos from more than 250 industry vendors. If your job touches security, you need to be here. Learn more or register at http://www.securityfocus.com/sponsor/RSA_pen-test_031023 and use priority code SF4. ---------------------------------------------------------------------------- From mixmaster at remailer.privacy.at Fri Oct 31 11:21:08 2003 From: mixmaster at remailer.privacy.at (privacy.at Anonymous Remailer) Date: Fri, 31 Oct 2003 20:21:08 +0100 (CET) Subject: radiusnet archives Message-ID: <2c4a5739e7e72e3ca414bc5de0662dd0@remailer.privacy.at> > Anyone knows what happened to the radiusnet crypto archives? > I bookmarked them at once. > Now the whole domain seem dead. Maybe not "dead" Registrant: Ultimate Search GPO Box 7862 Central, HK na HK Registrar: NAMESDIRECT Domain Name: RADIUSNET.NET Created on: 12-AUG-03 Expires on: 12-AUG-04 Last Updated on: 30-AUG-03 Administrative, Technical Contact: Support, DNS dns at ultsearch.com Ultimate Search GPO Box 7862 Central, HK na HK 852 2537 9677 Domain servers in listed order: NS1.ULTSEARCH.COM NS2.ULTSEARCH.COM But it looks like the domain was first registered in 2003 (recently!) so the hacker/crypo guys must have dumped it a few years ago thus making it available again. Someone doesn't want us to be able to view the old contents either.(?) On this is displayed: > Robots.txt Query Exclusion. > > We're sorry, access to http://radiusnet.net has been blocked by the > site owner via robots.txt. Read more about robots.txt See the > site's robots.txt file. Try another request or click here to search > for all pages on radiusnet.net/ See the FAQs for more info and > help, or > contact us. In this is placed: > > User-agent: * > Disallow: /s > Disallow: /c > > User-agent: ia_archiver > Disallow: / > > User-agent: Scooter > Disallow: / > By explicitly excluding the ia_archiver bot from the contents they are making the contents excluded from the archiv.org archives for both "versions", regardless of whether the old owners wants that or not. Maybe the archive.org people should implement a feature not making it possible to exclude old contents by taking over the domain and simply putting in the robots.txt on the root?! Maybe the Wayback Machine should only honor robots.txt for old contents if the ownership of the domain in question has been inchanged during the period in question. Every time an ownership change is done all old contents would be blocked/protected from deletion. From timcmay at got.net Fri Oct 31 20:55:04 2003 From: timcmay at got.net (Tim May) Date: Fri, 31 Oct 2003 20:55:04 -0800 Subject: Chaumian blinding & public voting? In-Reply-To: <200310312117.38773.njohnsn@njohnsn.com> Message-ID: <8ECF8DB8-0C27-11D8-B14E-000A956B4C74@got.net> On Friday, October 31, 2003, at 07:17 PM, Neil Johnson wrote: > On Friday 31 October 2003 12:10 pm, Major Variola (ret) wrote: >> Is is possible to use blinding (or other protocols) so that all votes >> are published, you can check that your vote is in there, and you >> (or anyone) can run the maths and verify the vote? Without being >> able to link people to votes without their consent. >> > > Doing this would allow vote buyers to verify a voter voted the way > they > wanted. > > That is one of the main reasons you can't take a copy of your paper > ballot > home with you now. > > One option might be to give the voter a MAC of their ballot and then > print the > MAC's in the paper. The voter could check to see if their vote had been > altered. > > I still think far better methods for improving voter turn out other > than > Internet voting are: > > 1. A National Election Holiday (but in the middle of the work week so > people > can't use it to extend a vacation). > > 2. Couple the Election with a National Lottery with local, state, and > national > prizes. With appropriate delink of voter's identity from the way they > voted > of course. > > (I'm not claiming that this would actually improve things overall, just > increase voter turnout). Increasing voter turnout is, of course, a Bad Thing. For the reasons we discuss so often. Mandating a National Election Holiday is, of course, statist and unconstitutional. If Employer Alice negotiates with Employee Bob that he work on a particular day, he works on that particular day. Government cannot interfere. (Or if they try to, those involved have earned a loaded 747 flown into their building.) And, practically, elections come at various times during the year in different states, with sometimes several elections in a year. Can't have a "mandated holiday" for each, right? Further, even on mandated holidays, _some_ people must work just to keep the machinery going. Examples are legion, from cops to oil refinery workers to election place employees. What, are these people especially disenfranchised by having to work while employees of Intel and Apple are told the State has decreed they get to skip work? (Won't even work for Intel, as the wafer fabs run 24/7 and _cannot_ be shut down....don't know about Apple's situation.) When the fuck will people stop proposing statist solutions? Or should we just add 20 of the remaining 30 list subscribers here to the list of 25 million in these united states who need to be sent up the chimneys? Works for me. --Tim May From njohnsn at njohnsn.com Fri Oct 31 19:17:38 2003 From: njohnsn at njohnsn.com (Neil Johnson) Date: Fri, 31 Oct 2003 21:17:38 -0600 Subject: Chaumian blinding & public voting? In-Reply-To: <3FA2A58B.67C48379@cdc.gov> References: <3FA2A58B.67C48379@cdc.gov> Message-ID: <200310312117.38773.njohnsn@njohnsn.com> On Friday 31 October 2003 12:10 pm, Major Variola (ret) wrote: > Is is possible to use blinding (or other protocols) so that all votes > are published, you can check that your vote is in there, and you > (or anyone) can run the maths and verify the vote? Without being > able to link people to votes without their consent. > Doing this would allow vote buyers to verify a voter voted the way they wanted. That is one of the main reasons you can't take a copy of your paper ballot home with you now. One option might be to give the voter a MAC of their ballot and then print the MAC's in the paper. The voter could check to see if their vote had been altered. I still think far better methods for improving voter turn out other than Internet voting are: 1. A National Election Holiday (but in the middle of the work week so people can't use it to extend a vacation). 2. Couple the Election with a National Lottery with local, state, and national prizes. With appropriate delink of voter's identity from the way they voted of course. (I'm not claiming that this would actually improve things overall, just increase voter turnout). -- Neil Johnson http://www.njohnsn.com PGP key available on request. From howiegoodell at comcast.net Fri Oct 31 14:07:02 2003 From: howiegoodell at comcast.net (howiegoodell at comcast.net) Date: Fri, 31 Oct 2003 22:07:02 +0000 Subject: Chaumian blinding & public voting? Message-ID: <103120032207.1731.3054@comcast.net> Hello -- David Chaum has a new system that is an optical one-time pad. It requires a printer that prints squares on both sides of a transparent 2-layer ballot. To the voter it looks like ordinary printing with a solid black border. Then s/he separates the layers, hands one in for counting and either tosses or takes home the other. Each layer by itself appears random (both border and text become a random hash), but several organizations successively applying their keys can reveal the totals while scrambling the individual identities. No individual organization, or even the polling place computers, can tamper with the result without a high probability of being caught; the voter can't prove how they voted, and the voter and each of the organizations can verify that their vote or handling was preserved. This is based on my recollection of his talk last Spring; see if he's posted something online. Howie Goodell -- Howie Goodell Controls, Embedded, and UI Software CompSci Doctoral Cand. UMass Lowell Howie at GoodL.org http://GoodL.org > > Is is possible to use blinding (or other protocols) so that all votes > are published, you can check that your vote is in there, and you > (or anyone) can run the maths and verify the vote? Without being > able to link people to votes without their consent. > > Currently voting is trusted because political adversaries supervise the > process. > Previously the mechanics were, well, mechanical, ie, open for > inspection. > The current genre of voting machines.. well, you know the scam. > And still reliant on a few adversarial human monitors. > > Something like this: > The day after elections a list of hex codes -votes- are published. You > can find > in that list the code that you received (on paper) when you voted, to > verify > that your vote counted. > You can run an algorithm on any subset of codes, including just > your own, and learn which candidate that code corresponds to. > Everyone can run on the entire dataset, verifying the tally. > You don't have to divulge which code is yours if you want it > to remain secret. Perhaps the code could contain not only > the intended vote, but a unique voter ID so that hexcodes could > not be added to the dataset (cf dead people not allowed to vote except > in Chicago) without setting off alarms. > Perhaps anyone could verify that someone voted, or not, but could > not figure who they voted for without their cooperation. > > Apologies if I should know this, I haven't gotten my head around > all the M of N, blinding, database translucency, etc protocols. > > > > E3-I: This message has been scanned for viruses and dangerous content by UML's > antivirus scanning services. From timcmay at got.net Fri Oct 31 22:35:32 2003 From: timcmay at got.net (Tim May) Date: Fri, 31 Oct 2003 22:35:32 -0800 Subject: Chaumian blinding & public voting? In-Reply-To: Message-ID: <978CB54C-0C35-11D8-B14E-000A956B4C74@got.net> On Friday, October 31, 2003, at 09:17 PM, J.A. Terranson wrote: > On Fri, 31 Oct 2003, Tim May wrote: > >> Or should we just add 20 of the remaining 30 list subscribers here to >> the list of 25 million in these united states who need to be sent up >> the chimneys? Works for me. > > Do we actually have 30 subscribers left? Well, we have 13 slightly active posters, plus 10 cluesless lurkers, and 7 HomeSec and CIA and B'Nai Brith Anti-Hate League spies. So, yeah, it adds up to about 30. Between the incipient statism so many of them express and the laughable subscriber base, it just confirms to me that the cause is lost. I hope Al Qaida at least manages to destroy Washington and New York and their statists and animalistic welfare breeders. Thirty million "people of color," as they prefer to be called these days, need to be sent up the chimneys. (For their crimes, their collection of welfare and other benefits, not for their skin color, per se. That so many of the "niggaz" and "Aztlanos" are criminal is not something I concern myself about...our only concern should be to exterminate those who have stolen from us. --Tim May ""Guard with jealous attention the public liberty. Suspect everyone who approaches that jewel. Unfortunately, nothing will preserve it but downright force. Whenever you give up that force, you are ruined." --Patrick Henry From measl at mfn.org Fri Oct 31 21:17:25 2003 From: measl at mfn.org (J.A. Terranson) Date: Fri, 31 Oct 2003 23:17:25 -0600 (CST) Subject: Chaumian blinding & public voting? In-Reply-To: <8ECF8DB8-0C27-11D8-B14E-000A956B4C74@got.net> Message-ID: On Fri, 31 Oct 2003, Tim May wrote: > Or should we just add 20 of the remaining 30 list subscribers here to > the list of 25 million in these united states who need to be sent up > the chimneys? Works for me. Do we actually have 30 subscribers left? -- Yours, J.A. Terranson sysadmin at mfn.org "Every living thing dies alone." Donnie Darko