Cryptography-Digest Digest #751, Volume #10      Thu, 16 Dec 99 21:13:01 EST

Contents:
  Re: Keystrokes monitored/encryption useless (Keith A Monahan)
  Re: Deciphering without knowing the algorithm? ("Trevor Jackson, III")
  Re: Deciphering without knowing the algorithm? ("Trevor Jackson, III")
  I was just thinking about a potential Cipher system... ("Pipian")
  Re: Better encryption? PGP or Blowfish? (Derek Bell)
  8192bit Encrypt - Easy ! ("Glen Bridgland")
  Re: More idiot "security problems" (Xcott Craver)
  Re: Simple newbie crypto algorithmn ("Douglas A. Gwyn")
  Re: Deciphering without knowing the algorithm? ("Douglas A. Gwyn")
  Re: Q: BBS ("Baruch Even")
  Re: More idiot "security problems" ("Trevor Jackson, III")
  Re: Keystrokes monitored/encryption useless (Bauerda)
  Re: More idiot "security problems" (David Wagner)
  Re: 8192bit Encrypt - Easy ! (Eli Akronym)
  Enigma - theoretical question (Neil Bell)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (Keith A Monahan)
Subject: Re: Keystrokes monitored/encryption useless
Date: 16 Dec 1999 22:13:17 GMT

Yeah, 

DIRT has been around for quite some time.  I remember reading about
it awhile back.  I went to the manufacturer's web page (I forget who)
and they had phrases like, "only available to law enforcement" and
"please fax proof of being a LEA prior to asking for additional
information" and blah blah blah.

First off, if they think they can prevent some pirate from distributing
DIRT around to everyone and their brother, they are crazy.  I can't
believe I haven't seen a pirated copy yet.  Perhaps I'll take a look :)
I'm sure they are charging an arm and a leg for this software which
was pretty easy to write.

I protect myself using AtGuard which is really an awesome firewall
software for windows.  It allows you to log all connections, approve/deny
each connection and so forth.  I review the logs on a (somewhat) periodic
basis looking for any funny sitenames/ip's, etc.

Well. http://www.atguard.com just shows me something that may not benefit
end users, but....

                          WRQ, Inc. has licensed AtGuard to Symantec
                          Corporation and ASCII Network Technology. 

                               WRQ discontinued sales of AtGuard to individual users
                               on November 22, 1999. 

                               WRQ will stop supporting the AtGuard product on
                               December 22, 1999. 

                               On December 22, the AtGuard web site and the
                               AtGuard Forum will close. 

                               Symantec will offer the AtGuard technology as part of
                               Norton Internet Security 2000. 

Keith

molypoly ([EMAIL PROTECTED]) wrote:
:   Take a look at the latest article from Privacytimes.com at
: http://www.privacytimes.com/dirt_8_17.htm
:   The program is called DIRT and it records all your keystrokes. When
: you're online, it sends them to the recipient.
:   This means that your keystrokes made while making your encryption
: keys are now worthless! How would one get around this if this software
: got into the wrong hands?


: Sent via Deja.com http://www.deja.com/
: Before you buy.

------------------------------

Date: Thu, 16 Dec 1999 17:54:45 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Deciphering without knowing the algorithm?

Paul Schlyter wrote:

> In article <[EMAIL PROTECTED]>, CLSV  <[EMAIL PROTECTED]> wrote:
>
> > "SCOTT19U.ZIP_GUY" wrote:
> >
> >> I know enough to know that you don't understand C "very"
> >> well if you can't follow a simple C program.
> >
> > Have you ever seen the winners of the obfuscated C
> > programming contest? Those are small and simple programs.
> > Yet they are really hard to read.
>
> These programs are far from typical small and simple C
> programs.  The authors have deliberately abused C as much as
> they can, in order to make the code as unreadable as possible
> (that's what the contest is about).

Last time I looked the limit on entries to the contest was 2048
characters.  That's pretty small by most standards.  Now as for simple,
one of the figures of merit for an obfuscated program is the ratio of the
complexity of code over the complexity of the job it does.  The simpler
the job the better.

N.B. Scott's code exhibits the classic wholistic doctrine that one cannot
infer the operation of the assembly from inspection of the parts.  No
amount of reading the code he generated will allow you to deduce his
intentions at the time he wrote the code.  This is why his referrals to
"read the code" and attacks upon others' programming skill fall on deaf
ears.  His position is not defensible.


------------------------------

Date: Thu, 16 Dec 1999 17:57:05 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Deciphering without knowing the algorithm?

Steve Feldman wrote:

> Newbie here.   Go easy on me.
>
> Is it fact that NSA reads emails regularly?
>
> I thought that something like triple DES was not feasibly crackable.
> Besides, if I sent some mail or other transmission of multiple files,
> binary, say, how would they have any idea that a given binary was encrypted
> information as opposed to some binary data?
>
> Another question - if something non-exportable like triple DES was used to
> encrypt a file I send, should I expect NSA to come knocking on my door the
> next day?

There is no (U.S.) restriction on using encryption or sending encrypted data
across the border.  There is a restriction on sending encryption tools (software
& hardware) across the border permanently (see BXA definition of "export").

Use it all you want.  Don't travel and "lose" it.

>
>
> Increasingly curious about this fascinating subject,
>
> Steve
>
> >   Yes it is possible and it happens all the time. If one can receive large
> >amounts of traffic that appears to have a pattern one can run tests to see
> >what method was done. Fortunately for the NSA most methods in popular
> >use broadcast what is being used. If one used PGP the message would
> >have PGP headers. Very few methods in popular use. Actually even bother
> >with encrypting files that are not multiples of various lengths so even the
> >file lengths give clues as to what system is being used.




------------------------------

From: "Pipian" <[EMAIL PROTECTED]>
Subject: I was just thinking about a potential Cipher system...
Date: Thu, 16 Dec 1999 17:22:51 -0600

I was thinking that a polymorphic cipher would be fairly secure (well it's
the same as a one-time pad, I guess) when I came upon an idea...

How secure would a cipher like this be?

There would be 26 Enigma-like mechanisms, theoretically labeled A-Z...
According to a certain keyword/words, you would switch between the machines
containing the letters of the keyword...  (Sounds similar to a Vigenere
cipher on top of Enigma) This, I would think, would be fairly secure, but
which of these methods for rotation of the scramblers would be most secure?
Rotation of scramblers in all machines when one letter is encoded?  Or
rotation only on the machine the letter is encoded on?

Don't flame me on this...  I'm not really experienced at Cryptography or
this newsgroup...

Pipian



------------------------------

From: Derek Bell <[EMAIL PROTECTED]>
Subject: Re: Better encryption? PGP or Blowfish?
Date: 16 Dec 1999 23:45:50 -0000

James Felling <[EMAIL PROTECTED]> wrote:
: Alright I am really confused now.  I do not understand your terms, much less
: the point being driven at.  I had thought I did, but it seems that based on
: this posting I did not.

        David Scott isn't really much of a source for crypto information: he
uses well-defined terms for his own meanings. Try reading the FAQ and asking
other people.

        Derek
-- 
Derek Bell  [EMAIL PROTECTED]                |   Socrates would have loved
WWW: http://www.maths.tcd.ie/~dbell/index.html|            usenet.
PGP: http://www.maths.tcd.ie/~dbell/key.asc   |    - [EMAIL PROTECTED]

------------------------------

From: "Glen Bridgland" <[EMAIL PROTECTED]>
Subject: 8192bit Encrypt - Easy !
Date: Fri, 17 Dec 1999 00:18:52 -0000

Hi, I'm new to the group; however, I hope to be sharing a lot with the Users
here over the next few months as I finalise my Project. I am currently
developing an encryption program that will offer 8192bit Encryption along
with a host of features.

It Can be Reviewed at http://www.glen-bridgland.co.uk/Project/Crypt.htm

Please read the document and express your thoughts.

Thanks - Glen.



------------------------------

From: [EMAIL PROTECTED] (Xcott Craver)
Subject: Re: More idiot "security problems"
Date: 17 Dec 1999 00:13:14 GMT

Eric Lee Green  <[EMAIL PROTECTED]> wrote:
>
>http://www.cnn.com/1999/TECH/computing/12/16/netscape.crack.idg/index.html
>
>Let's get this straight. Those passwords are sent across the network IN PLAIN
>TEXT every time that the user logs into an IMAP or POP3 EMAIL server, and you
>can  but this "security expert" at "Reliable Software Technologies Corp."
>(hmm, is this a one-man outfit?) doesn't ever mention that, instead focusing
>on how the keys are stored in the registry? 

        Firstly, the way the keys are stored in the registry allows the
        passwords to be stolen even if you never use your IMAP or POP3 
        account.  Secondly, the real newsmaker for us is not the fact 
        that it is insecure, or the least secure link in the chain, but 
        that the encryption scheme used is unbelievably, hilariously bad.

        There's got to be a name for this, it happens so often in computer
        science:  someone gets a job as a coder, and cooks up the absolute 
        unbelievably worst algorithm to solve a problem, a feat possible
        only via supreme, willful ignorance.  Not ever even looking to see
        if there are sort algorithms other than bubble sort to manage this
        database of 1 million book titles.  Not stopping to think that, 
        maybe, trying 32 different possible encryption keys is really no
        big deal for a human being, much less a computer.

        A while ago some kid cross-posted from alt.2600 saying that he
        was fed up with the NSA, and decided to save us all with his 
        hacker hero genius by writing and giving away the ultimate 
        unbreakable cipher.  He posted some ciphertext, not describing 
        the algorithm, and it was trivially cracked by a regular---
        Turned out to be something like Caesar cipher, with a varying offset.

>So exploiting this requires physical access to the machine. 

        It does not necessarily require physical access to the machine,
        just a computer program that can read the registry and pass the
        data back.

>-- Eric Lee Green  http://members.tripod.com/e_l_green

                                                        -S

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Simple newbie crypto algorithmn
Date: Thu, 16 Dec 1999 23:14:41 GMT

Terry Ritter wrote:
> Certainly individuals can play it any way they want, but to imply that
> Science is just too busy to address improvements in a cipher seems to
> me to be an arrogant bridge too far.

I said no such thing!  Remember, we're talking about an arrogant newbie,
not about professional cryptology.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Deciphering without knowing the algorithm?
Date: Thu, 16 Dec 1999 23:27:55 GMT

Steve Feldman wrote:
> Is it fact that NSA reads emails regularly?

A lot of Internet traffic, like other forms of communication,
is intercepted and automatically scanned for a match to certain
criteria.  (Think "keyword search".)  Anything that seems
particularly relevant to an identified intelligence target is
liable to be examined by an analyst/interpreter/reporter in
order to include relevant information in reports sent to
intelligence customers.

Purely domestic communications caught in the net are discarded.

> I thought that something like triple DES was not feasibly crackable.

Since that isn't used for most e-mail traffic, it seems irrelevant.

> Besides, if I sent some mail or other transmission of multiple files,
> binary, say, how would they have any idea that a given binary was encrypted
> information as opposed to some binary data?

It's pretty easy to identify the category for most unencrypted
binary files.  On UNIX, there is a "file" utility that does that.
Anyway, unless you're communicating with a special target, your
e-mail isn't going to be cryptanalyzed etc. anyway.  Not even NSA
has the resources to waste that way.

> Another question - if something non-exportable like triple DES was used to
> encrypt a file I send, should I expect NSA to come knocking on my door the
> next day?

NSA is not a law enforcement agency.  It would be the FBI, if you
broke a federal law.

Anyway, there is no prohibition against using encryption, just in
exporting the "technology" (software/hardware, not message data)
without a license.
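
Added example, not written by any poster in this thread: a small triage routine in the spirit of the "file" utility mentioned above, combined with the earlier quoted remarks that PGP output announces itself with headers and that file lengths give clues. The magic-number table, the 7.5 bits/byte threshold, the function names and all sample inputs are assumptions constructed for this illustration.

```python
import gzip
import hashlib
import math
from collections import Counter

# Leading bytes that identify a format, in the spirit of file(1).
MAGIC = [
    (b"-----BEGIN PGP MESSAGE-----", "PGP ASCII-armored message"),
    (b"\x1f\x8b", "gzip compressed data"),
    (b"PK\x03\x04", "ZIP archive"),
    (b"\x7fELF", "ELF executable"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
]

def entropy_bits_per_byte(data):
    """Shannon entropy of the byte histogram; 8.0 means uniformly random."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())

def classify(data):
    """Return (label, clues) for one blob of bytes."""
    # Self-identifying formats are recognised first: compressed files are
    # also high-entropy, so entropy alone cannot tell them from ciphertext.
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label, ["self-identifying header"]
    clues = []
    entropy = entropy_bits_per_byte(data)
    # Only meaningful on a few KB or more; short blobs cannot reach 8 bits/byte.
    if entropy > 7.5:
        clues.append(f"entropy {entropy:.2f} bits/byte")
        if len(data) % 8 == 0:
            # Consistent with a 64-bit block cipher such as triple DES.
            clues.append("length is a multiple of 8 bytes")
        return "headerless high-entropy data (encrypted or compressed)", clues
    if all(32 <= b < 127 or b in b"\r\n\t" for b in data):
        return "plain text", clues
    return "unrecognized binary", clues

def keystream(nbytes):
    """Constructed stand-in for raw ciphertext: SHA-256 in counter mode."""
    blocks = (hashlib.sha256(i.to_bytes(4, "big")).digest()
              for i in range((nbytes + 31) // 32))
    return b"".join(blocks)[:nbytes]

# Constructed sample inputs, not captured traffic.
SAMPLES = {
    "armored": b"-----BEGIN PGP MESSAGE-----\n\n(constructed body)\n"
               b"-----END PGP MESSAGE-----\n",
    "gzip": gzip.compress(b"quarterly report " * 50),
    "text": b"Meet me at the usual place on Friday.\n",
    "raw": keystream(4096),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, classify(blob))
```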

------------------------------

From: "Baruch Even" <[EMAIL PROTECTED]>
Date: Fri, 17 Dec 99 03:11:09 +0200
Reply-To: "Baruch Even" <[EMAIL PROTECTED]>
Subject: Re: Q: BBS

On Thu, 16 Dec 1999 22:48:58 +0100, Mok-Kong Shen wrote:

>> 
>> Thus we get that BBS is a permutation on QR(n) and that the size of QR(n) is
>> exactly phi(n) which is pretty large for a large n, so to answer the question
>> the period is large enough not to pose a danger. Even then from knowing the
>> period it is hard to find the next bit, that is unless you have s_i.
>
>But the period of the least significant bit could be much less than
>the period of the congruence relation. Or can that never happen
>with the Blum integers as n?

For that I don't really have any answer, as all the info I've got comes from
Stinson's book and nothing about that is mentioned there. 

Baruch


---
  [EMAIL PROTECTED]

place a dot between the ch and ev
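
Added example, not from either poster: the question about the period of the least significant bit can be measured by brute force on a toy modulus. The code below enumerates every cycle of x -> x^2 mod n on QR(n) for n = 7 * 11 and compares the period of the state with the period of its low bit; the function names and the modulus are choices made for this illustration, and the result says nothing about cryptographic-size moduli.

```python
from math import gcd

def quadratic_residues(n):
    """All squares of units modulo n, i.e. the set QR(n)."""
    return sorted({x * x % n for x in range(1, n) if gcd(x, n) == 1})

def bbs_cycle(n, x0):
    """States x0, x0^2, x0^4, ... (mod n) until the sequence returns to x0.

    For a Blum integer n and x0 in QR(n), squaring permutes QR(n), so the
    sequence is purely periodic and always comes back to x0.
    """
    cycle, x = [x0], x0 * x0 % n
    while x != x0:
        cycle.append(x)
        x = x * x % n
    return cycle

def minimal_period(seq):
    """Smallest d such that the cyclic sequence seq repeats every d steps."""
    length = len(seq)
    for d in range(1, length + 1):
        if length % d == 0 and all(
            seq[i] == seq[(i + d) % length] for i in range(length)
        ):
            return d

def survey(p, q):
    """For each cycle of squaring on QR(p*q): (cycle, state period, LSB period).

    The caller must pass distinct primes; only the 3 mod 4 condition is checked.
    """
    if p == q or p % 4 != 3 or q % 4 != 3:
        raise ValueError("need distinct primes congruent to 3 mod 4")
    n, seen, rows = p * q, set(), []
    for x0 in quadratic_residues(n):
        if x0 in seen:
            continue
        cycle = bbs_cycle(n, x0)
        seen.update(cycle)
        lsb = [x & 1 for x in cycle]  # the bit BBS would output per state
        rows.append((cycle, len(cycle), minimal_period(lsb)))
    return rows

if __name__ == "__main__":
    for cycle, state_period, bit_period in survey(7, 11):
        print(f"{cycle}  state period {state_period}  LSB period {bit_period}")
```

For n = 77 the two-state cycle 23 -> 67 -> 23 emits the constant bit 1, so its bit period is 1 while its state period is 2; the three four-state cycles keep a bit period of 4.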



------------------------------

Date: Thu, 16 Dec 1999 20:12:38 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: More idiot "security problems"

Xcott Craver wrote:

> Eric Lee Green  <[EMAIL PROTECTED]> wrote:
> >
> >http://www.cnn.com/1999/TECH/computing/12/16/netscape.crack.idg/index.html
> >
> >Let's get this straight. Those passwords are sent across the network IN PLAIN
> >TEXT every time that the user logs into an IMAP or POP3 EMAIL server, and you
> >can  but this "security expert" at "Reliable Software Technologies Corp."
> >(hmm, is this a one-man outfit?) doesn't ever mention that, instead focusing
> >on how the keys are stored in the registry?
>
>         Firstly, the way the keys are stored in the registry allows the
>         passwords to be stolen even if you never use your IMAP or POP3
>         account.  Secondly, the real newsmaker for us is not the fact
>         that it is insecure, or the least secure link in the chain, but
>         that the encryption scheme used is unbelievably, hilariously bad.
>
>         There's got to be a name for this, it happens so often in computer
>         science:  someone gets a job as a coder, and cooks up the absolute
>         unbelievably worst algorithm to solve a problem, a feat possible
>         only via supreme, willful ignorance.  Not ever even looking to see
>         if there are sort algorithms other than bubble sort to manage this
>         database of 1 million book titles.  Not stopping to think that,
>         maybe, trying 32 different possible encryption keys is really no
>         big deal for a human being, much less a computer.

This problem is rampant, esp with sort().  About a dozen years ago someone, a
magazine I think, ran a contest for the worst fielded sort routine.  Last I heard
the winner was an O(N^6) algorithm.

There is no reason to expect crypto to be better than average in algorithm
research.  There are lots of reasons to expect crypto to be worse than average.
Chief among these is the fact that the author is unable to tell, without great
effort, when he has failed.  After all, one can inspect the output of a sort() and
tell when it failed.  But encryption is almost the exact opposite of sort().  The
removal of order rather than the imposition thereof.  So the average coder can't
tell a good output from a bad one.  Even an expert cryptologist requires an effort
to distinguish the really bad from the merely fatally flawed.

The effect of these conditions is so predictable it ought to have a name like
"<Someone>'s Law of Cryptology"

>
>
>         A while ago some kid cross-posted from alt.2600 saying that he
>         was fed up with the NSA, and decided to save us all with his
>         hacker hero genius by writing and giving away the ultimate
>         unbreakable cipher.  He posted some ciphertext, not describing
>         the algorithm, and it was trivially cracked by a regular---
>         Turned out to be something like Caesar cipher, with a varying offset.
>
> >So exploiting this requires physical access to the machine.
>
>         It does not necessarily require physical access to the machine,
>         just a computer program that can read the registry and pass the
>         data back.
>
> >-- Eric Lee Green  http://members.tripod.com/e_l_green
>
>                                                         -S




------------------------------

From: [EMAIL PROTECTED] (Bauerda)
Subject: Re: Keystrokes monitored/encryption useless
Date: 17 Dec 1999 01:18:43 GMT

>  Take a look at the latest article from Privacytimes.com at
>http://www.privacytimes.com/dirt_8_17.htm
>  The program is called DIRT and it records all your keystrokes. When
>you're online, it sends them to the recipient.
>  This means that your keystrokes made while making your encryption
>keys are now worthless! How would one get around this if this software
>got into the wrong hands?

 Before I upgraded to Windows, I had my startup files set so that they traced a
few interrupts (DOS, disk access, and keyboard) and checked most of the
interrupt table against stored results.  While this is harder under Windows, it
is still relatively easy to get a program which looks at the devices and
threads running (hidden or not).

David Bauer

------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: More idiot "security problems"
Date: 16 Dec 1999 17:39:23 -0800

In article <83bv6q$sn6$[EMAIL PROTECTED]>,
Xcott Craver <[EMAIL PROTECTED]> wrote:
>       [...] The real newsmaker for us is not the fact 
>       that it is insecure, or the least secure link in the chain, but 
>       that the encryption scheme used is unbelievably, hilariously bad.
> 
>       There's got to be a name for this, it happens so often in computer
>       science:  someone gets a job as a coder, and cooks up the absolute 
>       unbelievably worst algorithm to solve a problem, a feat possible
>       only via supreme, willful ignorance.

I like Bruce Schneier's sound byte: "Kindergarten Crypto".
I think that conveys the essence especially nicely...

------------------------------

From: [EMAIL PROTECTED] (Eli Akronym)
Subject: Re: 8192bit Encrypt - Easy !
Date: Fri, 17 Dec 1999 02:03:45 GMT

"Glen Bridgland" <[EMAIL PROTECTED]> wrote:

>Hi, I'm new to the group; however, I hope to be sharing a lot with the Users
>here over the next few months as I finalise my Project. I am currently
>developing an encryption program that will offer 8192bit Encryption along
>with a host of features.

>It Can be Reviewed at http://www.glen-bridgland.co.uk/Project/Crypt.htm

>Please read the document and express your thoughts.

I have a feeling this is going to be a very ugly thread.


------------------------------

From: Neil Bell <[EMAIL PROTECTED]>
Subject: Enigma - theoretical question
Date: Thu, 16 Dec 1999 17:59:37 -0800

First, I know I am a dumb newbie asking a dumb question - so please,
no flames...

If two individuals had a good 4-rotor Enigma simulator and wanted to
exchange messages once every two weeks and had previously personally
handed each other a list of rotor settings, ring settings and stecker
settings.  AND...

settings never repeated from message to message,  AND...

messages were all short, say less than 250 characters.

Would this be a reasonably secure way to exchange very private
financial and investment tips using e-mail??

Any thoughtful responses sincerely appreciated.  Change .com to .net
for e-mail replies.

Neil in california

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
