Re: ID theft (offtipicish)
On Mon, 5 Feb 2007, Shachar Shemesh wrote:

> Peter wrote:
>> On Sun, 4 Feb 2007, Shachar Shemesh wrote:
>>>> YTfFYyyfDDk676 (different from time to time of course).
>>> And this will help how?
>> If there is a harnivore system somewhere triggering on nontext codes it will start wasting serious time and producing huger reports for its masters if 5% of email has such nonstandard text.
> I meant, how will this help against the fact that, if you sign your emails, they are legally binding?

It would not. But then nothing else would. You see, I ranted in the past on this list about 'redefinitions' of various kinds. The redefinition of a digital signature as 'legally binding' is such a redefinition. It may be useful but imho people are not clear about this (I wasn't for sure until someone pointed out the relatively recent law).

Consider the following: Many companies and individuals have a standard signature that contains a disclaimer that says that 'the opinions herein .. do not represent anything in particular ... are not yada yada ... no legal advice ...' etc etc. Now consider that such a message is digitally signed, as are all others going out of a server. On a bad day, someone who is a known joker who is known to have a crush on Ann sends a coworker an email with the content 'I'll kill you if you look at Ann like that one more time'. The recipient is run over by a car the next day. During the investigation that follows this email is discovered. What will happen then ? Who knows.

Anyway this is exaggerated (as usual), but the facts remain:

- any communication can contain semantically conflicting information
- redefining some part of it as 'legally binding' raises the part's value above others in the communication
- if such a 'raised value' item is present then it recursively covers the semantic content of the communication, whatever that is, and itself!
- if the content of the communication is semantically ambiguous or contradictory or null then this is made 'legally binding' by signing it
- adding a disclaimer induces such nullification automatically
- therefore any digitally signed communication that contains a disclaimer is semantically null, same as any unsigned communication that contains such a disclaimer. Sort of like Tom Cruise's first born's first piece of c**p, gold plated and preserved, mounted on a mahogany pedestal, but different.
- the legal value of an unsigned and un-disclaimed email is also null, defined by hiatus when it is defined that a signed email is legally binding.
- therefore the values of a signed and disclaimed and an unsigned and undisclaimed messages are both null.
- yet most people expect their outgoing emails not to be legally binding even if digitally signed and will hold this position if taken to court. It is taken for granted that a 'disclaimer' is there even if it is not.
- knowing that courts have fun interpreting obvious things 'in the spirit of the law' one cannot know what the outcome will be, even if such a case ends up in court.

So much trouble for a hash sum. Tsk tsk.

Anyway the short answer seems to be: A digitally signed (with a certificate) .AND. explicitly undisclaimed [1] email message .MAY. be legally binding .IF. tested in court under .SOME. jurisdictions.

Peter (or John)

[1]: phew, what a word. 'undisclaimed' ?! Maybe 'not disclaimed' or 'not covered by any implicit or explicit disclaimer' would work better

PS: I am not a lawyer, and VERY glad about that.

= To unsubscribe, send mail to [EMAIL PROTECTED] with the word unsubscribe in the message body, e.g., run the command echo unsubscribe | mail [EMAIL PROTECTED]
Re: ID theft (offtipicish)
On Mon, 5 Feb 2007, Peter wrote:

> Anyway the short answer seems to be: A digitally signed (with a certificate) .AND. explicitly undisclaimed [1] email message .MAY. be legally binding .IF. tested in court under .SOME. jurisdictions.
>
> Peter (or John)
>
> [1]: phew, what a word. 'undisclaimed' ?! Maybe 'not disclaimed' or 'not covered by any implicit or explicit disclaimer' would work better

More exactly, containing an explicit claim along the lines of 'This is not an exercise. I really mean what it says, and I send it digitally signed according to the law /200x, which I know to be valid under the jurisdiction of ... and '. Because if it does not contain such a statement I don't think it will hold water.

> PS: I am not a lawyer, and VERY glad about that.

Still true.

Peter
Re: ID theft (offtipicish)
Peter wrote:

>> I meant, how will this help against the fact that, if you sign your emails, they are legally binding?
> It would not.

Then why did you say it would? /me is confused.

> But then nothing else would.

Not true. Not signing trivial emails would. A recommendation, I might add, that you mocked. I am not holding my breath for an apology, but feel free to surprise me.

> The redefinition of a digital signature as 'legally binding' is such a redefinition.

There is no redefinition here. Digital signatures were always a verified way of establishing that you said something. Automatic signing of all outgoing mail was always of questionable wisdom. The only thing that changed is that it is even less smart to do so today.

> It may be useful but imho people are not clear about this (I wasn't for sure until someone pointed out the relatively recent law).

That's why I gave the advice I did.

> Consider the following: Many companies and individuals have a standard signature that contains a disclaimer that says that 'the opinions herein ... do not represent anything in particular ... are not yada yada ... no legal advice ...' etc etc.

IANAL, but I doubt that digital signatures change anything in that regard. Signed or not, there is a limit on how much you can limit your liability. Signing your outgoing mail makes you liable for what you say, but the fact that you digitally signed your email does not change my rights. That's exactly the reason it's so important not to automatically sign everything.

Shachar

--
Shachar Shemesh
Lingnu Open Source Consulting ltd.
Have you backed up today's work? http://www.lingnu.com/backup.html
Re: ID theft (offtipicish)
On Mon, 5 Feb 2007, Shachar Shemesh wrote:

> Peter wrote:
>>> I meant, how will this help against the fact that, if you sign your emails, they are legally binding?
>> It would not.
> Then why did you say it would? /me is confused.

Ahh, now you have reached the opinion of the public ;-) As I pointed out, the problem is the confusion and that is not 'helped' by the redefinition of the value of something many users would not consider legally binding, namely a digital signature of a certain kind, only in association with a digital certificate of a certain kind, and only when tested in court.

>> But then nothing else would.
> Not true. Not signing trivial emails would. A recommendation, I might add, that you mocked. I am not holding my breath for an apology, but feel free to surprise me.

You can consider yourself partially virtually surprised, however this email is not digitally signed using an approved method and recognized certificate, and does not contain a claim of intent. I am not mocking you, the problem is the system. Once it is up to the courts, it is the depth of the pockets of one of the participants that decides the outcome. It is irrelevant if this is decided by the ability to sustain the burden of legal fees or the loss of time and business caused by direct and indirect effects of an eventual lawsuit, or by direct financial impact.

>> The redefinition of a digital signature as 'legally binding' is such a redefinition.
> There is no redefinition here. Digital signatures were always a verified way of establishing that you said something. Automatic signing of all outgoing mail was always of questionable wisdom. The only thing that changed is that it is even less smart to do so today.

Let me expand on this: Not all (more exactly: most) digital signatures are digital signatures in this context. In particular, f.ex., signing an email with a *private* public key that is shown only to qualified individuals on demand (and a court would certainly not qualify) is explicitly, by design, not 'digital signing' in the sense implied by you and by the new law, and should it at any time become binding, then new ways will be found to circumvent the new redefinition.

In this case, the digital signature is meant to serve the role of sealing wax on a paper envelope, NOT to make the email legally binding. Not for the courts, but for the *intended* recipient. And in fact, the act of such an email or a subpoena for the *private* public key that was used to sign it appearing in court is irrefutable proof of eavesdropping and possibly illegal 'electronic surveillance', followed by explicit malicious use of the information thus gained.

Therefore one could be explicit and say that 'an email digitally signed with an approved method and a recognized electronic security certificate is legally binding in certain countries'. And this implies that all other emails, signed or not, are *not*.

>> It may be useful but imho people are not clear about this (I wasn't for sure until someone pointed out the relatively recent law).
> That's why I gave the advice I did.

Yes, that was welcome. But you have to be very explicit.

>> Consider the following: Many companies and individuals have a standard signature that contains a disclaimer that says that 'the opinions herein ... do not represent anything in particular ... are not yada yada ... no legal advice ...' etc etc.
> IANAL, but I doubt that digital signatures change anything in that regard. Signed or not, there is a limit on how much you can limit your liability. Signing your outgoing mail makes you liable for what you say, but the fact that you digitally signed your email does not change my rights. That's exactly the reason it's so important not to automatically sign everything.

In general, making new 'definitions' of the value of signatures is void of value when one considers precisely the fact that you state so obviously in this answer: That in fact 'it depends' and there are 'limits' which actually redefine the meaning of 'not legally binding'. These 'limits' are not stipulated by the law and are 'open for interpretation', which, due to information collection on an unprecedented scale, is likely to be used out of context and with malice, often by people who had nothing to do with the collection and organization of the information (such as stored emails at an ISP).

*This* is why freedom of speech is important. F.ex. censoring some answers to emails in a thread on a public list that is archived is equivalent with quoting out of context for malicious purposes (by leaving certain questions raised in a thread unanswered, or improperly answered in the opinion of a thread participant). And signing one's emails with non-legally-binding and deniable methods is a part of ensuring that freedom of speech is maintained, and if not, then to what extent. F.ex. searching for unique message ids on public search engines yields interesting results, wrt
Re: ID theft (offtipicish)
Peter wrote:

> Let me expand on this: Not all (more exactly: most) digital signatures are digital signatures in this context. In particular, f.ex., signing an email with a *private* public key that is shown only to qualified individuals on demand (and a court would certainly not qualify) is explicitly, by design, not 'digital signing' in the sense implied by you and by the new law,

Well, it is not a digital signature by any original definition either. Unless I know the certificate used for signing, the fact that the RSA/DSA/ElGamal/Whatever algorithm was applied to it neither adds nor subtracts. I have to know who the key belongs to in order for the actual signature to mean anything.

We will now break for a quick disclaimer:

*DISCLAIMER* Not only am I not a lawyer, but the following analysis is based not on actually reading the text of the law, but on it being explained to me. As such, it may be even less accurate than the usual half assed analysis of legal matters you (plural) have come to expect of me:

We now return you to our usual program:

However, if I have done any reasonable measures to ascertain that key X belongs to you, then the law says I can depend on anything signed using said key as coming from you, unless, of course, you follow the exceptions provided by the law to notify me in a timely manner that your key is no longer valid.

As far as I understand the law (again, not from reading it), it does not list specific algorithms that should be used or specific procedures for authenticating that the keys belong to the specific person. All it does do is to define what a CA is, and say that such a CA is authorized to authenticate keys. There is nothing there (again, hearsay that had better be verified) that suggests that merely because PGP uses a different kind of authentication, it is not as binding as the usual PKI method.

This means, to me, you have but two options. Signing your emails with a key that you did not prove to me belongs to you, which is useless with or without the law, and signing your emails with a key you did prove to me in the past, which makes your emails legally binding.

> In general, making new 'definitions' of the value of signatures is void of value when one considers precisely the fact that you state so obviously in this answer: That in fact 'it depends' and there are 'limits' which actually redefine the meaning of 'not legally binding'.

Those limits apply to any contract, electronic or not, and therefore have no bearing on the question at hand. You cannot limit my rights by signing a piece of paper I did not sign, just as you cannot limit my rights by sending me an electronically signed email.

> And signing one's emails with non-legally-binding and deniable methods is a part of ensuring that freedom of speech is maintained,

If you sign your emails in a deniable way you, indeed, avoid the problems of the digital signature law. What I fail to see is what you gain by it. Deniability and signature are, as far as I can see, mutually exclusive.

> Peter

Shachar

--
Shachar Shemesh
Lingnu Open Source Consulting ltd.
Have you backed up today's work? http://www.lingnu.com/backup.html
Re: ID theft (offtipicish)
Michael Vasiliev [EMAIL PROTECTED] writes:

>> 1. Change your online id to single-letter strings of just one letter, Like: zzz zzz [EMAIL PROTECTED]
> I suggest you take a look at advanced search syntax of google for a start. Google Hacks and book and j0hnny's website may be an interesting reading for you.

What makes you think I am not aware of that ? ;-)

>> This makes searching by your name futile. Or do what I do and sign all your messages with 'Peter' or 'John'. There are about 100 million Johns out there and in case of identity theft they will likely take another John's identity.
> After wiping off my tears, I did this naive query: http://www.google.com/search?q=peter+plp+actcom&ie=UTF-8&oe=UTF-8 hitting paydirt at the very first obvious link: http://www.actcom.co.il/~plp Stealthy online presence indeed. The rest of the results look relevant as well. Having your not very common name, should I continue on what would an identity thief do next?

You just proved that what I preach works. That page is ten years old and has not been actualized since Y2K or so with small exceptions. The information therein is about as 'fresh', with exception of the code, which works, and gives it some credibility. My email address in plain on that page has helped train my spam filter to unbelievable perfection, scoring a solid 0.1% false negatives over the years. The lack of another homepage forces you to believe that that *is* in fact my homepage. That might even be true. Or not. But that could change now that you opened the subject.

About name search: If many people use ids like [EMAIL PROTECTED] then searching by that will not yield results. At least not in the beginning.

>> 2. Encode your birthday and snail mail address using a riddle that only a patient human can solve. Example: http://www.cogsci.indiana.edu/farg/harry/address.htm (I solved that but it took a while)
> How's that going to protect your identity?

If by 'identity' you mean the information available to anyone on the internet then me and you mean different things with 'identity'. I am not playing this game for a variety of reasons. I am not a 'hacker' and usually do not wear any hat, nor do I pretend to.

>> 3. Digitally sign your email. Not like the peasants do by adding four lines of gpg crud, put it in a custom header instead.
> Yum! Give me another tracking vector, your web of trust. I will be able to pinpoint your location, interests, friends, business contacts...and measure the pet paranoia level in bits, while I'm at it.

Are you talking about my real web of trust or about one of the ones I am faking, if so, which one of them, and how do you know that what you found was not put there so you can find it. I'm not saying that it was, but suppose. Also how do you know if the web of trust you just hooked so easily is waxing or waning (never mind its initial role, standalone or aggregated with other issues, or whether it had such a role in the first place). Or whether it is a trap of some sort (see above about spam).

> Do yourself a favor and next time you are going to distribute security advice, don't insult the blackhats' intelligence while you're doing it. They have a swollen ego, the very least, you'll be laughed at. They are smart enough to do what they do and not get caught, what makes you think they are stupid enough to not master the art of Google search?

Thanks for playing, although this is not a game. The 'advice' was not security advice, which I am not qualified to give. Someone asked something and I answered. Basically what I advocated should prevent most script kiddies from having a fun day. It does not bring 'security'.

John
Re: ID theft (offtipicish)
Alon Altman wrote:

> What if I sign my messages with a public key, but include a statement in the message that the signature is only for authentication purposes only and does not serve as a commitment to anything written in the message?

I don't know. It may work. It may not. I am not a lawyer.

It MAY be that the authentication is all it really takes to create binding commitment. After all, if you promise me, orally, to do something, that's a binding agreement too (for anything but buying real-estate). The reason all contracts are not made orally is because of deniability, which does not exist in this case. If that's the case, then the above disclaimer can be said to be irrelevant.

Or, in short, I am not a lawyer, I am not familiar with contract laws, and I highly doubt that there are any precedences that apply with such a new law. I wouldn't risk it if I were you.

> Alon

Shachar

--
Shachar Shemesh
Lingnu Open Source Consulting ltd.
Have you backed up today's work? http://www.lingnu.com/backup.html
Re: ID theft (offtipicish)
On Mon, 5 Feb 2007, Shachar Shemesh wrote:

> Alon Altman wrote:
>> What if I sign my messages with a public key, but include a statement in the message that the signature is only for authentication purposes only and does not serve as a commitment to anything written in the message?
> I don't know. It may work. It may not. I am not a lawyer.
>
> It MAY be that the authentication is all it really takes to create binding commitment. After all, if you promise me, orally, to do something, that's a binding agreement too (for anything but buying real-estate). The reason all contracts are not made orally is because of deniability, which does not exist in this case. If that's the case, then the above disclaimer can be said to be irrelevant.

Or, in short. 'it depends' and the 'legally binding' signature is as useful as a bandage on a wooden foot. At most, it makes things more complicated than they already are. That could mean increased legal fees ;-) It also means that using it exposes one MORE than not using to legal action by an unhappy (or sick) recipient.

Therefore using 'chaff' signatures with an unpublished (and changed often, like once per message) key or cert all the time can be said to reduce problems. When the time comes for litigy, you will be asked and if it's an undesirable request the answer will be 'it is not mine', but if it is your broker checking that you gave him a sell order, then it will be 'it's mine' (you can tell this because you will have saved the key used for signing the message to the broker, as opposed to the others, which will have been deleted ... - just as an example). Unauthorized persons will only be able to suspect that the message is probably signed (as are all others that you will have sent).

The goal of the 'legally binding' signature seems to be to allow legal transactions via email to proceed. Unintentionally, it has opened the way for unexpected litigy and for illegal eavesdropping and information collection (it is very easy to collect all emails with a valid signature - in the sense of valid gpg etc - as they are a small percentage of the traffic. Or were, until now, and then use them or sell them to someone who will use them).

Peter
Re: ID theft (offtipicish)
On Mon, 2007-02-05 at 12:15 +0200, Shachar Shemesh wrote:

> Deniability and signature are, as far as I can see, mutually exclusive.

I wonder how Off-the-record ( http://www.cypherpunks.ca/otr/ ) works then. I'm not a cryptology expert, but I can tell you that it allows people to IM each other, has some sort of method where you authenticate that you know that a certain key belongs to a certain someone and then it assures you that it's the same someone for all additional conversations, and their web site claims as thus:

Encryption
    No one else can read your instant messages.
Authentication
    You are assured the correspondent is who you think it is.
Deniability
    The messages you send do not have digital signatures that are checkable by a third party. Anyone can forge messages after a conversation to make them look like they came from you. However, during a conversation, your correspondent is assured the messages he sees are authentic and unmodified.
Perfect forward secrecy
    If you lose control of your private keys, no previous conversation is compromised.

It seems like they claim both deniability and assurance (which is what you get from signing, except w/o the signing part) at the same time.

--
Oded
::..
If a train station is where the train stops, what is a work station?
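
The distinction raised in this message (a correspondent can be sure a message is authentic, yet holds nothing a third party can check) can be shown by putting a shared-key MAC next to a publicly verifiable signature. This is an added example, not part of the original thread and not OTR's actual protocol: a Lamport one-time signature stands in for any public-key signature because it needs only the standard library, the shared key is assumed to come from an authenticated key exchange, and all names and sample messages are constructed.

```python
import hashlib
import hmac
import secrets


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _bits(message: bytes):
    """The 256 bits of SHA-256(message), most significant bit first."""
    d = H(message)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


# --- Publicly verifiable signature (Lamport one-time scheme) ---------------
def lamport_keygen():
    """Private key: 256 pairs of random secrets. Public key: their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def lamport_sign(sk, message: bytes):
    """Reveal one secret per digest bit. A key pair must sign only once."""
    return [sk[i][bit] for i, bit in enumerate(_bits(message))]


def lamport_verify(pk, message: bytes, sig) -> bool:
    """Needs only the public key, so any third party can run it."""
    if len(sig) != 256:
        return False
    return all(hmac.compare_digest(H(s), pk[i][bit])
               for i, (s, bit) in enumerate(zip(sig, _bits(message))))


# --- Shared-key authentication (HMAC) --------------------------------------
def mac_tag(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def mac_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(key, message), tag)


def compare_schemes():
    genuine = b"sell 100 shares"      # constructed: what Alice really sent
    altered = b"sell 10000 shares"    # constructed: what Bob later claims

    # Signature: Bob holds only Alice's public key.
    sk, pk = lamport_keygen()
    sig = lamport_sign(sk, genuine)
    result = {
        # Bob, or a court, can check the genuine message with pk alone.
        "sig_third_party_verifies": lamport_verify(pk, genuine, sig),
        # Bob cannot make the signature fit a message Alice never signed.
        "sig_recipient_can_forge": lamport_verify(pk, altered, sig),
    }

    # MAC: Alice and Bob share one key (assumed to come from an
    # authenticated key exchange, which is not modelled here).
    key = secrets.token_bytes(32)
    alice_tag = mac_tag(key, genuine)
    bob_tag = mac_tag(key, altered)   # Bob computes this alone
    result.update({
        # During the conversation Bob knows he did not write it, so Alice did.
        "mac_recipient_verifies": mac_verify(key, genuine, alice_tag),
        # Bob's fabricated message passes exactly the same check.
        "mac_recipient_can_forge": mac_verify(key, altered, bob_tag),
        # A tag computed by Bob is byte-identical to Alice's, so a transcript
        # plus the key shows nothing about which of the two produced it.
        "mac_tags_indistinguishable": mac_tag(key, genuine) == alice_tag,
    })
    return result


if __name__ == "__main__":
    for name, value in compare_schemes().items():
        print(f"{name}: {value}")
```

With the signature, "it's mine" can be checked by anyone holding the public key; with the MAC, the recipient is convinced during the conversation but could have produced every tag himself.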
Re: ID theft (offtipicish)
Shachar Shemesh [EMAIL PROTECTED] writes:

> As far as I understand the law (again, not from reading it), it does not list specific algorithms that should be used or specific procedures for

Mistake #1, and counting. I did point out before, that certain MUAs implicitly sign the message by calculating a hash sum over the message and certain key parameters in it and making it unique to the sending machine and to the time and network it was sent at/on. By your definition then, ALL email sent by anybody using such MUAs is legally binding. The MUAs in cause are the default MUAs used by everyone on the Internet, in this country and elsewhere, moreover the UID is mandated by RFCs and not using them breaks email systems (don't ask how I know this).

> authenticating that the keys belong to the specific person. All it does do is to define what a CA is, and say that such a CA is authorized to authenticate keys. There is nothing there (again, hearsay that had better be verified) that suggests that merely because PGP uses a different kind of authentication, it is not as binding as the usual PKI method.

And there is nothing that suggests that other signing mechanisms, such as UIDs assigned by operating systems to messages and checksums required as per RFCs for the transmission of messages over the Internet, and implicitly archived by packet sniffers, are *not* signatures by your definition.

> This means, to me, you have but two options. Signing your emails with a key that you did not prove to me belongs to you, which is useless with or without the law, and signing your emails with a key you did prove to me in the past, which makes your emails legally binding.

No, you have but two options: Pretending that the messages are not signed while in fact the OS and the transport mechanisms both archive and sign them, or signing them in semi-mockery in a way that reduces the potential value of any collected information for malicious use, and increases it for oneself (maintaining a complete log of what one has sent can be 'interpreted' as much or as little as any log collected by an ISP - including any quotes out of context - positively or negatively - again 'it depends').

>> In general, making new 'definitions' of the value of signatures is void of value when one considers precisely the fact that you state so obviously in this answer: That in fact 'it depends' and there are 'limits' which actually redefine the meaning of 'not legally binding'.
> Those limits apply to any contract, electronic or not, and therefore have no bearing on the question at hand. You cannot limit my rights by signing a piece of paper I did not sign, just as you cannot limit my rights by sending me an electronically signed email.

If those limits apply to 'any contract' then why is it necessary to make new limits when you said yourself that something sent to you by someone else 'cannot bind you to do anything'. It is also somewhat ironic that you write this using media and machines (and using software and licenses) which have implicitly limited your rights in many ways right now, most of them without having you sign anything. Again 'it depends'. Just like some clickthrough licenses have paragraphs like 'void where invalid' and such. Signatures are just another mirror in the maze and this particular instance (the law, if it is as you said), is a particularly bad implementation of a mirror imho. It leaves a LOT open for 'interpretation' in court, should it come to that.

>> And signing one's emails with non-legally-binding and deniable methods is a part of ensuring that freedom of speech is maintained,
> If you sign your emails in a deniable way you, indeed, avoid the problems of the digital signature law. What I fail to see is what you gain by it. Deniability and signature are, as far as I can see, mutually exclusive.

Let's analyze this: A signature is a device that identifies the signed object in a context (or network or system) of trust for at least one peer (who can be yourself). A chaff signature is a device that may appear as a signature to someone who is not a member of the network of trust. Deniability constitutes the credible ability of the signer to deny that he has signed an object in front of a peer who is not a member of the network of trust, and who is potentially attempting intrusion therein or control thereof.

For any such peer who is not a member of the network, the provable existence of chaff signatures and their regular use by the signer may mean that he has no case when he thinks that he has one, and the widespread use of signatures (of the non-open, non-binding kind) is a way for signers to put themselves in such a position of deniability, while sometimes maintaining the possibility to prove the opposite (i.e. a real signature of the non-binding kind). When the signatures are not in fact chaff, but have some other obscure role, such as UIDs or message IDs, then even the fact that the signer is practicing deniability
Re: ID theft (offtipicish)
On Sun, 4 Feb 2007, Ira Abramov wrote:

> Quoting Michael Vasiliev, from the post of Thu, 01 Feb:
>> What reason do you have to believe that your identity is worth stealing?

If you are truly paranoid I suggest two things:

1. Change your online id to single-letter strings of just one letter, Like: zzz zzz [EMAIL PROTECTED] This makes searching by your name futile. Or do what I do and sign all your messages with 'Peter' or 'John'. There are about 100 million Johns out there and in case of identity theft they will likely take another John's identity.

2. Encode your birthday and snail mail address using a riddle that only a patient human can solve. Example: http://www.cogsci.indiana.edu/farg/harry/address.htm (I solved that but it took a while)

3. Digitally sign your email. Not like the peasants do by adding four lines of gpg crud, put it in a custom header instead.

Peter
Re: ID theft (offtipicish)
On Sunday 04 February 2007 08:07, Ira Abramov wrote:

> Quoting Michael Vasiliev, from the post of Thu, 01 Feb:
>> What reason do you have to believe that your identity is worth stealing?

Ira, some people are paranoid, don't look for logic, it is a mental thing.

--Ariel

--
Ariel Biener
e-mail: [EMAIL PROTECTED]
PGP: http://www.tau.ac.il/~ariel/pgp.html
Re: ID theft (offtipicish)
Peter wrote:

> 3. Digitally sign your email. Not like the peasants do by adding four lines of gpg crud, put it in a custom header instead.

Do NOT, under any circumstances, adopt a policy involving digitally signing each and every outgoing email. According to the law in Israel (and in other countries too), digitally signing an email is identical to snail mailing the recipient a letter saying I hereby commit to doing everything said in this email, bearing your signature.

Really, really bad idea.

> Peter

Shachar

--
Shachar Shemesh
Lingnu Open Source Consulting ltd.
Have you backed up today's work? http://www.lingnu.com/backup.html
Re: ID theft (offtipicish)
Hi Ariel,

That quote should be attributed to *me* not Ira. Ira was quoting and replying to me.

More to the point - I know that some people are paranoid. I do not think that Random Penguin is paranoid, just silly.

- yba

On Sun, 4 Feb 2007, Ariel Biener wrote:

> Date: Sun, 4 Feb 2007 11:41:56 +0200
> From: Ariel Biener [EMAIL PROTECTED]
> To: Ira Abramov [EMAIL PROTECTED]
> Cc: ILUG linux-il@linux.org.il
> Subject: Re: ID theft (offtipicish)
>
> On Sunday 04 February 2007 08:07, Ira Abramov wrote:
>> Quoting Michael Vasiliev, from the post of Thu, 01 Feb:
>>> What reason do you have to believe that your identity is worth stealing?
>
> Ira, some people are paranoid, don't look for logic, it is a mental thing.
>
> --Ariel
>
> --
> Ariel Biener
> e-mail: [EMAIL PROTECTED]
> PGP: http://www.tau.ac.il/~ariel/pgp.html

--
EE 77 7F 30 4A 64 2E C5 83 5F E7 49 A6 82 29 BA ~. .~ Tk Open Systems
=}ooO--U--Ooo{=
- [EMAIL PROTECTED] - tel: +972.2.679.5364, http://www.tkos.co.il -
Re: ID theft (offtipicish)
On Sun, 4 Feb 2007, Shachar Shemesh wrote: Peter wrote: 3. Digitally sign your email. Not like the peasants do by adding four lines of gpg crud, put it in a custom header instead. Do NOT, under any circumstances, adopt a policy involving digitally signing each and every outgoing email. You mean *gasp* m$ mail agents which produce a message id that uniquely identifies the sender, the machine, the time, and the message are ok, but not a signature ? According to the law in Israel (and in other countries too), digitally signing an email is identical to snail mailing the recipient a letter saying I hereby commit to doing everything said in this email, bearing your signature. Can you quote this law please ? Here and 'elsewhere'. Really, really bad idea. Yeah, really bad. Everyone and their sisters already know you sent the message, it is in your logs, it is in the recipient's logs, it is in the ISP's logs, and then you deny that you meant to say what you said when they come after you because it is not signed ? Really ? Elbonian laws probably. Digital signatures simply ensure that the sender can confirm that he has sent the email as it is (referenced to his - the user's - logs, which are not public, and which he can delete at will). The method need not be transparent to the recipient (and it should NOT be transparent in fact, unless the sender specifically wants to let the recipient be able to check it - under normal circumstances if there is a problem then the recipient will check the message with the sender for authenticity), it is for use by the sender only in case an email turns up which he did not send and is claimed to be by him (or mail that was 'edited'). Like spam often does f.ex., and like phishing tries to do. Also digitally signing a document doesn't imply anything legal excepting the fact that the envelope and the content is more tamper-proof than usually. 
You are probably confusing a registered digital signature that serves as authentication with a digital signature (hash, mark and log entry) that ensures deniability for the sender while securing the content against tampering. Also to keep spooks and s**t like that on their toes it is every man's duty to add a random hash to his outgoing messages. Like X-007: YTfFYyyfDDk676 (different from time to time of course). I even added some random noise to the https updates to dyndns for my $HOME server ;-) Ever since ISPs are obliged to keep and transfer logs to law enforcement and some search engines cooperate with the law 'preventively' I have 'preventively' engaged in deliberate chaffing and I will automate it soon (in fact I already did that in part). This implies surfing nonkosher sites, actively searching for explosives and poison and smut on the Internet from time to time and following links found about that and more. Sometimes I find fun stuff. Peter
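The "hash, mark and log entry" scheme described in the message above, sketched as an added example that is not part of the thread: a keyed tag (HMAC) carried in a custom header, which only the holder of the key can check, in contrast to a certificate-backed signature that any recipient can verify. The header name `X-Sender-Tag`, the set of covered headers, the tag format and the sample message are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
from email import message_from_string, policy
from email.message import EmailMessage

TAG_HEADER = "X-Sender-Tag"           # hypothetical header name (assumption)
COVERED = ("From", "To", "Subject")   # headers bound into the tag (assumption)


def canonical_bytes(msg):
    """Reduce a single-part message to the bytes the tag covers."""
    lines = []
    for name in COVERED:
        # Collapse whitespace so header re-folding in transit does not matter.
        value = " ".join(str(msg.get(name, "")).split())
        lines.append(f"{name.lower()}:{value}")
    body = msg.get_payload(decode=True) or b""   # None for multipart: not handled
    body = body.replace(b"\r\n", b"\n").strip(b"\n")
    return "\n".join(lines).encode("utf-8") + b"\n\n" + body


def compute_tag(key, nonce, msg):
    """HMAC-SHA256 over nonce + canonical message, keyed with the sender's secret."""
    data = nonce.encode("utf-8") + b"\n" + canonical_bytes(msg)
    # Truncated to 128 bits so the header stays on one unfolded line.
    return hmac.new(key, data, hashlib.sha256).hexdigest()[:32]


def tag_message(msg, key, log):
    """Mark an outgoing message and record the mark in the sender's private log."""
    nonce = secrets.token_hex(6)      # makes the tag differ from message to message
    tag = compute_tag(key, nonce, msg)
    del msg[TAG_HEADER]               # no-op if the header is absent
    msg[TAG_HEADER] = f"{nonce}.{tag}"
    log[nonce] = tag
    return msg


def check_message(raw, key, log):
    """Sender-side check of a message that 'turns up' claiming to be from the sender."""
    msg = message_from_string(raw, policy=policy.default)
    value = "".join(str(msg.get(TAG_HEADER, "")).split())
    nonce, sep, tag = value.partition(".")
    if not sep:
        return "no-tag"
    expected = compute_tag(key, nonce, msg)
    if not hmac.compare_digest(expected.encode("utf-8"), tag.encode("utf-8")):
        return "altered-or-forged"
    # A valid tag proves only that a key holder produced it; the log is the
    # sender's own record and can be deleted, so it binds nobody.
    return "mine" if nonce in log else "valid-but-unlogged"


def build_sample():
    # Constructed sample message, not taken from the thread.
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "recipient@example.org"
    msg["Subject"] = "chores"
    msg.set_content("I will take out the garbage.\n")
    return msg


if __name__ == "__main__":
    key, log = secrets.token_bytes(32), {}
    raw = tag_message(build_sample(), key, log).as_string()
    print(check_message(raw, key, log))                                 # sender's view
    print(check_message(raw.replace("garbage", "rubbish"), key, log))   # edited copy
    print(check_message(raw, secrets.token_bytes(32), log))             # party without the key
```

A party without the key sees only an opaque string and gets "altered-or-forged" for a genuine message, which is why such a tag gives tamper evidence to the sender but no proof to anyone else.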
Re: ID theft (offtipicish)
Hi Peter, Read the law: Electronic Signature Law, 5761-2001 (חוק חתימה אלקטרונית, התשס"א - 2001) Shachar's claims are mostly correct. On Sun, 4 Feb 2007, Peter wrote: Date: Sun, 4 Feb 2007 15:38:09 +0200 (IST) From: Peter [EMAIL PROTECTED] To: Shachar Shemesh [EMAIL PROTECTED] Cc: Ira Abramov [EMAIL PROTECTED], ILUG linux-il@linux.org.il Subject: Re: ID theft (offtipicish) On Sun, 4 Feb 2007, Shachar Shemesh wrote: Peter wrote: 3. Digitally sign your email. Not like the peasants do by adding four lines of gpg crud, put it in a custom header instead. Do NOT, under any circumstances, adopt a policy involving digitally signing each and every outgoing email. You mean *gasp* m$ mail agents which produce a message id that uniquely identifies the sender, the machine, the time, and the message are ok, but not a signature ? You can still repudiate these messages by claiming that someone else sent them from your computer. According to the law in Israel (and in other countries too), digitally signing an email is identical to snail mailing the recipient a letter saying I hereby commit to doing everything said in this email, bearing your signature. No, digital signatures are even stronger, they are non-repudiable by law. Once you sign, that's it. When you sign with a pen you can claim forgery, not so with a digital signature - that's the law now. Can you quote this law please ? Here and 'elsewhere'. Electronic Signature Law, 5761-2001 (חוק חתימה אלקטרונית, התשס"א - 2001) Really, really bad idea. Yeah, really bad. Everyone and their sisters already know you sent the message, it is in your logs, it is in the recipient's logs, it is in the ISP's logs, and then you deny that you meant to say what you said when they come after you because it is not signed ? Really ? Yes. You can deny it and you have a chance that the judges will accept your argument. 
You argue that you left your PC open and your wife with whom you are initiating divorce proceedings sent the email in order to take revenge. Elbonian laws probably. Digital signatures simply ensure that the sender can confirm that he has sent the email as it is (referenced to his - the user's - logs, which are not public, and which he can delete at will). The method need not be transparent to the recipient (and it should NOT be transparent in fact, unless the sender specifically wants to let the recipient be able to check it - under normal circumstances if there is a problem then the recipient will check the message with the sender for authenticity), it is for use by the sender only in case an email turns up which he did not send and is claimed to be by him (or mail that was 'edited'). Like spam often does f.ex., and like phishing tries to do. Also digitally signing a document doesn't imply anything legal excepting the fact that the envelope and the content is more tamper-proof than usually. You are probably confusing a registered digital signature that serves as authentication with a digital signature (hash, mark and log entry) that ensures deniability for the sender while securing the content against tampering. Digital signing as used by the general public usually means a digital signature backed by a cert - this is also the sense used in the text of the law. In this sense, digital signatures have all of the serious implications that Shachar mentions and more. Also to keep spooks and s**t like that on their toes it is every man's duty to add a random hash to his outgoing messages. Like X-007: YTfFYyyfDDk676 (different from time to time of course). Doesn't fool anyone. 
I even added some random noise to the https updates to dyndns for my $HOME server ;-) Ever since ISPs are obliged to keep and transfer logs to law enforcement and some search engines cooperate with the law 'preventively' I have 'preventively' engaged in deliberate chaffing and I will automate it soon (in fact I already did that in part). This implies surfing nonkosher sites, actively searching for explosives and poison and smut on the Internet from time to time and following links found about that and more. Sometimes I find fun stuff. You underestimate them. You are just wasting bandwidth. - yba -- EE 77 7F 30 4A 64 2E C5 83 5F E7 49 A6 82 29 BA~. .~ Tk Open Systems =}ooO--U--Ooo{= - [EMAIL PROTECTED] - tel: +972.2.679.5364, http://www.tkos.co.il -
Re: ID theft (offtipicish)
Peter wrote: You mean *gasp* m$ mail agents which produce a message id that uniquely identifies the sender, the machine, the time, and the message are ok, but not a signature ? Yes. That's what I mean. According to the law in Israel (and in other countries too), digitally signing an email is identical to snail mailing the recipient a letter saying I hereby commit to doing everything said in this email, bearing your signature. Can you quote this law please ? Here and 'elsewhere'. I'm not sure about elsewhere. Maybe http://www.ynet.co.il/articles/1,7340,L-24852,00.html will help. For Israel, I can not find the final version, but here's a digest of an advanced draft (http://www.law.co.il/showarticles.php?d=harticle=56), and you have my word that the law was, indeed, passed. If you need more, do your own search. Really, really bad idea. Yeah, really bad. Everyone and their sisters already know you sent the message, it is in your logs, it is in the recipient's logs, it is in the ISP's logs, and then you deny that you meant to say what you said when they come after you because it is not signed ? Really ? If they sue you in court, you can say that "I will take out the garbage" was a by-saying. If you digitally signed it, it's a binding contract. That's ok, so long as that's what you meant to do. Somehow, I doubt that it is the case for each and every email you write. Also digitally signing a document doesn't imply anything legal It does in Israel. It does in the USA. I'm not sure about other countries. Also to keep spooks and s**t like that on their toes it is every man's duty to add a random hash to his outgoing messages. Like X-007: YTfFYyyfDDk676 (different from time to time of course). And this will help how? Shachar -- Shachar Shemesh Lingnu Open Source Consulting ltd. Have you backed up today's work? 
http://www.lingnu.com/backup.html
Re: ID theft (offtipicish)
On Sunday February 4 2007, Peter wrote: On Sun, 4 Feb 2007, Ira Abramov wrote: Quoting Michael Vasiliev, from the post of Thu, 01 Feb: What reason do you have to believe that your identity is worth stealing? If you are truly paranoid I suggest two things: Ok, I am, after all, only human. So I will take the glove and play the dusty blackhat card today. 1. Change your online id to single-letter strings of just one letter, Like: zzz zzz [EMAIL PROTECTED] I suggest you take a look at advanced search syntax of google for a start. Google Hacks and book and j0hnny's website may be an interesting reading for you. This makes searching by your name futile. Or do what I do and sign all your messages with 'Peter' or 'John'. There are about 100 million Johns out there and in case of identity theft they will likely take another John's identity. After wiping off my tears, I did this naive query: http://www.google.com/search?q=peter+plp+actcomie=UTF-8oe=UTF-8 hitting paydirt at the very first obvious link: http://www.actcom.co.il/~plp Stealthy online presence indeed. The rest of the results look relevant as well. Having your not very common name, should I continue on what would an identity thief do next? 2. Encode your birthday and snail mail address using a riddle that only a patient human can solve. Example: http://www.cogsci.indiana.edu/farg/harry/address.htm (I solved that but it took a while) How's that going to protect your identity? 3. Digitally sign your email. Not like the peasants do by adding four lines of gpg crud, put it in a custom header instead. Yum! Give me another tracking vector, your web of trust. I will be able to pinpoint your location, interests, friends, business contacts...and measure the pet paranoia level in bits, while I'm at it. Do yourself a favor and next time you are going to distribute security advice, don't insult the blackhats' intelligence while you're doing it. They have a swollen ego, the very least, you'll be laughed at. 
They are smart enough to do what they do and not get caught, what makes you think they are stupid enough to not master the art of Google search? -- Sincerely Yours, Michael Vasiliev Let me have men about me that are fat Sleek-headed men and such as sleep o' nights Yond Cassius has a lean and hungry look He thinks too much: such men are dangerous. -- William Shakespeare: Julius Caesar
Re: ID theft (offtipicish)
On Sun, 4 Feb 2007, Jonathan Ben Avraham wrote: find fun stuff. You underestimate them. You are just wasting bandwidth. Actually I hope 'they' will bother to break the 'code'. Because the plaintext tag says 'fuzz=...' (and it used to say 'pigbait'). Sorry I have fun memories from other countries so I'm biased. Peter
Re: ID theft (offtipicish)
On Sun, 4 Feb 2007, Shachar Shemesh wrote: YTfFYyyfDDk676 (different from time to time of course). And this will help how? If there is a harnivore system somewhere triggering on nontext codes it will start wasting serious time and producing huger reports for its masters if 5% of email has such nonstandard text. I am not underestimating anybody but the current rules seem to indicate that all mail is read and sifted through for 'clues'. This is technically feasible. Pumping large amounts of random numbers and nondeterministic behavior into these channels is a good countermeasure imho. Peter
Re: ID theft (offtipicish)
On 05/02/07, Peter [EMAIL PROTECTED] wrote: I am not underestimating anybody but the current rules seem to indicate that all mail is read and sifted through for 'clues'. This is technically feasible. Pumping large amounts of random numbers and nondeterministic behavior into these channels is a good countermeasure imho. Do whatever you like, but from following this thread it seems to me like you are just pumping your signature on their radar. Back in the 90's people used to append trigger words in their Usenet .sigs in attempts to overwhelm the (back then still just a rumour) Echelon network. You don't see these any more. As someone who has been on their cross hairs for doing something completely legal (I partly blame their broken English for even bothering with me), I'd recommend you to reconsider. --Amos
RE: ID theft (offtipicish)
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Sent: Sunday, February 04, 2007 9:10 PM To: Shachar Shemesh Cc: ILUG Subject: Re: ID theft (offtipicish) On Sun, 4 Feb 2007, Shachar Shemesh wrote: YTfFYyyfDDk676 (different from time to time of course). And this will help how? If there is a harnivore system somewhere triggering on nontext codes it will start wasting serious time and producing huger reports for its masters if 5% of email has such nonstandard text. If you think that this is going to bother any semi intelligent system then you are not only paranoid, you are a very naïve paranoid. It won't spend an extra millisecond or produce an extra line in the report for whatever master it has. I can build a smarter filter in five minutes using Perl. You really have a very naïve view of how intelligence work is conducted. I am not underestimating anybody but the current rules seem to indicate that all mail is read and sifted through for 'clues'. This is technically feasible. Pumping large amounts of random numbers and nondeterministic behavior into these channels is a good countermeasure imho. It's a very useless countermeasure Peter
Re: ID theft (offtipicish)
Peter wrote: On Sun, 4 Feb 2007, Shachar Shemesh wrote: YTfFYyyfDDk676 (different from time to time of course). And this will help how? If there is a harnivore system somewhere triggering on nontext codes it will start wasting serious time and producing huger reports for its masters if 5% of email has such nonstandard text. I meant, how will this help against the fact that, if you sign your emails, they are legally binding? Shachar -- Shachar Shemesh Lingnu Open Source Consulting ltd. Have you backed up today's work? http://www.lingnu.com/backup.html
Re: ID theft (offtipicish)
On Mon, 5 Feb 2007, Amos Shapira wrote: On 05/02/07, Peter [EMAIL PROTECTED] wrote: I am not underestimating anybody but the current rules seem to indicate that all mail is read and sifted through for 'clues'. This is technically feasible. Pumping large amounts of random numbers and nondeterministic behavior into these channels is a good countermeasure imho. Do whatever you like, but from following this thread it seems to me like you are just pumping your signature on their radar. I am not making any effort in this direction. If I appear on someone's 'radar' then it means that they must have turned it on, against civilians (worse, against civilians of their own persuasion), in peacetime. If the internet is the biggest security dragnet in the world (or someone mistakes it for that, perhaps because he is holding the user's manual upside down in his chain mail gloves) then it's good to know, I think. Also if it is used to 'redefine' 'civilians' as something else, as needed. As someone who has been on their cross hairs for doing something completely legal (I partly blame their broken English for even bothering with me), I'd recommend you to reconsider. I am not looking for trouble, what I do is a part of what is technically permitted according to the valid RFCs that govern the operation of the internet (and of email specifically, relevant to this discussion). What I do serves to test ideas and helps to develop new things. This is part of what I do, it is not random or hostile. Some of it has a certain humorous slant, but then that is something that cannot be helped. The environment is very boring and I have to run my own flea circus for amusement and RR. As to who can be in 'their' 'crosshairs', I have had a few personal occurrences (more than three) which can be explained in very few ways without applying the 'crosshairs' theorem (and not applying it would require application of a different theorem, that of 'arbitrary discrimination' - I don't know which is worse). 
My 'attitude problem' has appeared after that. I am not saying that it is a reaction to it. As to 'reconsidering': I have nothing to reconsider myself. What I do is technically correct and not hostile. Other than that: I come from a country that has had a fair share of trouble for about 65 years wrt. my ethnicities (this includes the Holocaust but goes beyond that in many ways). There were human and material losses and serious discrimination and attempts at brainwashing and psychological and political 'reeducation', as well as copious FUD and intimidation (and some of that is not over, and not sufficiently explained yet). I consider the current IT/IP/Linux/m$/lawsuit/whatever wars a kosher Purim kindergarten play compared to that, and my humorous attitude about it is a consequence of that. You would be surprised at my 'attitude' in case of conflict regarding freedom of speech (within reason) and of communication (also within reason). Let's not go there. Peter
RE: ID theft (offtipicish)
On Mon, 5 Feb 2007, Micha Feigin wrote: If you think that this is going to bother any semi intelligent system then you are not only paranoid, you are a very naïve paranoid. It won't spend an extra millisecond or produce an extra line in the report for whatever master it has. I can build a smarter filter in five minutes using Perl. You really have a very naïve view of how intelligence work is conducted. Maybe not. I am not interested in 'intelligence work', I am interested in the redefinition of 'giant worldwide dragnet' as 'intelligence work'. And in the adjacent redefinition of civilians as something else using information collected as above. FYI a HMM/Bayesian qualifier like bogofilter could be trained after 10 messages to select on messages containing such headers. However when all the messages contained them the filter was unable to tell the difference between messages with and without information content. Peter
RE: ID theft (offtipicish)
On Mon, 5 Feb 2007, Micha Feigin wrote: It's a very useless countermeasure I love it when several list members chip in to say how 'useless' a measure is. Thanks for the feedback. Peter
Re: ID theft (offtipicish)
Quoting Michael Vasiliev, from the post of Thu, 01 Feb: What reason do you have to believe that your identity is worth stealing? actually I have something to add to that: how does a name on a list help an identity thief? there's not enough information here about you to abuse it. one of these topics is none of my business. I like to see who is who in this trade, but that's my point of view and I am not to project it on others. Not to mention that we all agree that withholding one's identity online is a right worth exercising. The question of how to do it efficiently is left as an exercise to the reader. well, according to Google, my name draws a few results, so I'm already out there and it's too late. My address and phone number are also online on my site and in the whois DB. I don't publish my state ID and of course not my credit card, because that would be bloody stupid of me of course... I'm less likely to have my identity stolen from the archives of this list than by the waiter at the pub I went to on thursday when he takes my card. -- The eighth deadly sin Ira Abramov http://ira.abramov.org/email/
Re: ID theft (offtipicish)
On Thu, 2007-02-01 at 02:03 +0200, Michael Vasiliev wrote: Quoting Jonathan Ben Avraham, from the post of Tue, 30 Jan: Hi RP, What reason do you have to believe that your identity is worth stealing? So, a man decides to call himself Random Penguin, rather than, say, Daniel Johnson [...] Call me whatever you want, but I believe that sometimes these virtuals allow a person to express her/him-self better than under the real name. There are topics some people would like to discuss while staying incognito. Now, his decision that Linux in Israel is one of these topics is none of my business. I agree completely and I don't think that Daniel Johnson (or whatever) must identify himself legally to us when discussing Linux in Israel or any other topic. But I also think that when one conducts political activity - such as organizing a petition - it looks very suspicious if one does not identify oneself using a real name. I personally am very loath to subscribe to political activities organized by anonymous people. -- Oded ::.. NOTE! currently system is at most 8*65536 bytes long. This 512 kB kernel size should be enough -- Linus Torvalds
Re: ID theft (offtipicish)
Quoting Jonathan Ben Avraham, from the post of Tue, 30 Jan: Hi RP, What reason do you have to believe that your identity is worth stealing? identity thieves give as much care to whose identity they abuse as much as an attack script cares if it's carpet-scanning machines that are Linux or windows. every day snort reports 14k-20K attack packets on my server, even though there is nothing interesting in it other than potential abuse of bandwidth if they DO break in. same with ID theft, they will use it to forge bank activity or something, or buy stolen cars on his name or who cares what. the question is, why does he think that calling himself Random Penguin is any protection :-) -- Buy one, get one free! Ira Abramov http://ira.abramov.org/email/
Re: ID theft (offtipicish)
On 1/31/07, Ira Abramov [EMAIL PROTECTED] wrote: the question is, why does he think that calling himself Random Penguin is any protection :-) Because given the right tools - all is possible. See mixmaster, http://www.debian-administration.org/articles/483 -- Buy one, get one free! Ira Abramov http://ira.abramov.org/email/ -- Cheers, Maxim Veksler Free as in Freedom - Do u GNU ?
Re: ID theft (offtipicish)
On Wednesday January 31 2007, Ira Abramov wrote: Quoting Jonathan Ben Avraham, from the post of Tue, 30 Jan: Hi RP, What reason do you have to believe that your identity is worth stealing? identity thieves give as much care to whose identity they abuse as much as an attack script cares if it's carpet-scanning machines that are Linux or windows. every day snort reports 14k-20K attack packets on my server, even though there is nothing interesting in it other than potential abuse of bandwidth if they DO break in. same with ID theft, they will use it to forge bank activity or something, or buy stolen cars on his name or who cares what. the question is, why does he think that calling himself Random Penguin is any protection :-) So, a man decides to call himself Random Penguin, rather than, say, Daniel Johnson or the less original John Smith, while posting to Linux-IL. Whatever his intention was, I don't have a problem with that. There are groups that don't allow nicknames, this is not one of them. This has nothing to do with law and order in this forum. There was no rule to post under your real name last time I checked, and even if it were, how would you enforce that? I don't see any nice way to do that other than asking people to sign their mail, and that would be a not very popular idea. Besides, I enjoy seeing a cleverly crafted bulletproof virtual identity. Call me whatever you want, but I believe that sometimes these virtuals allow a person to express her/him-self better than under the real name. There are topics some people would like to discuss while staying incognito. Now, his decision that Linux in Israel is one of these topics is none of my business. I like to see who is who in this trade, but that's my point of view and I am not to project it on others. Not to mention that we all agree that withholding one's identity online is a right worth exercising. The question of how to do it efficiently is left as an exercise to the reader. 
-- Sincerely Yours, Michael Vasiliev .. Any resemblance between the above views and those of my employer, my terminal, or the view out my window are purely coincidental. Any resemblance between the above and my own views is non-deterministic. The question of the existence of views in the absence of anyone to hold them is left as an exercise for the reader. The question of the existence of the reader is left as an exercise for the second god coefficient. (A discussion of non-orthogonal, non-integral polytheism is beyond the scope of this article.)