Re: IBM to built crypto-on-a-chip into all its PCs

1999-09-29 Thread Damien Miller


On Tue, 28 Sep 1999, William H. Geiger III wrote:

> In , on 09/27/99 
>at 03:41 PM, Robert Hettinga <[EMAIL PROTECTED]> said:
> 
> >Probably IBM will first want to see how attractive the technology is  to
> >punters. At least the approach of using an ancillary encryption  chip
> >should keep IBM safe from the nightmare Intel faced when it  attempted to
> >railroad CPU ID numbers on users.
> 
> No Code == No Trust!
> 
> This has all the security/trust problems that Intel's RNG does and more. I
> wouldn't touch this thing with a ten foot pole.

I don't see what this paranoia gains you. 

If you do not trust the crypto processor then you should throw the 
whole machine out - there are *so* many other ways that IBM could have
compromised the system. 

This is doubly interesting given your choice of operating system 
(as mentioned in your .sig).

Regards,
Damien Miller

- --
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.ilogic.com.au/~dmiller
| Email: [EMAIL PROTECTED] (home) -or- [EMAIL PROTECTED] (work)







Radicchio PKI standards group for mobile phones

1999-09-29 Thread Bill Stewart

Radicchio.org is the standards group (radicchio.com sells lettuce:-)
Their web page is mostly under construction, but it's got a decent
article on public-key infrastructures, and announces a conference
"Wireless e-commerce: Clearing the Road for Global Expansion", 
13-14 January 2000, Kensington Olympia Conference Centre, London, England.
The main contact person is [EMAIL PROTECTED]
It's interesting to note that the EDS person has a non-US address.

Depending on the objectives of the group, this could end up as
an open standard with good input from the cryptographic community,
or as yet another broken proprietary system waiting for Ian Goldberg 
or Bruce Schneier to crack over lunch :-)  The web page looks positive, at
least.
http://www.psd-design.co.uk/radicchio/pages/pki.html

Bill Stewart


Here's a short article from Total Telecom.

EDS (US), computer services group, Gemplus (France), smart card maker,
Ericsson (Sweden) and Sonera, formerly Telecom Finland, 
have formed Radicchio, a new forum which will promote common PKI standards for
mobile phone security. 

The new encryption technology can be built into silicon chips used in GSM
mobile phones. The partners are looking to recruit forum members from industry
and govts. 

According to Joseph Krull, UK vice-president of security at Sonera, 
the forum will be on its way to establishing a global standard if it 
can attract 50 members by January 2000. 

The mobile commerce market is expected by analysts to be worth USDlr66 bil
by 2003. 
==

Here's their press release
===
SONERA, GEMPLUS AND EDS LAUNCH GLOBAL INITIATIVE TO
PROMOTE SECURE MOBILE COMMERCE

…Radicchio initiative will open the floodgates for mobile commerce
worldwide...

London, 27 September 1999. Sonera SmartTrust, a business unit of Sonera
Ltd., international forerunner in mobile, data and media communications,
Gemplus and EDS (Electronic Data Systems), today announced that they are
founding members of a global initiative to define a standard security platform
for mobile e-commerce. Called Radicchio, the initiative will promote the use of
an environment based on a Public Key Infrastructure (PKI), allowing secure
electronic transactions to take place over mobile networks. There are now
more mobile phones in use worldwide than PCs, and analysts predict that the
market for mobile commerce will be worth $66bn by 2003.

Mobile commerce is being made possible by new technologies that allow
mobile phones and other handheld devices to access the Internet. This creates
a vast new potential channel for e-commerce. By 2003, there will be over 800
million Web-enabled mobile phones in use worldwide, by 2004 there will be
more handsets than televisions. To allay companies’ fears about the security
of mobile commerce, Sonera SmartTrust has developed a PKI-based
framework that provides a highly secure environment for financial transactions
and information exchange.

The Radicchio initiative seeks to promote the use of this framework among
certification authorities, mobile operators, systems integrators, device
manufacturers and financial institutions. This will ensure that as mobile
commerce grows, there will be a standard security platform upon which all
mobile commerce software, services and devices can be based. Another key
aim is to persuade governments, government bodies and regulators to take the
framework into account when drawing up new e-commerce legislation or
guidelines.

"E-services like Internet banking and online share dealing are already possible
on mobile phones, but one of the main things holding organisations back from
offering them is concern about the security of their data and their customers’
data," said Harri Vatanen, Senior Vice President, Head of Sonera SmartTrust.
"Through the Radicchio initiative we aim to help companies and customers
understand that the technology exists to make mobile commerce transactions
just as secure as any that happen in the physical world."


Radicchio is now looking to recruit further members from industry and
government to increase its global reach and promote the use of PKI-based
mobile commerce among financial institutions and other industry sectors
leading the way into this new commercial medium. Amongst others, Ericsson
is lending its support to the Radicchio initiative.


About Radicchio
Radicchio is a global initiative formed in September 1999 with Sonera
SmartTrust, EDS, and Gemplus as its first members. Its aim is to define and
promote a standard security platform for mobile commerce based on a public
key infrastructure.

About Sonera
Sonera Ltd. is an international forerunner in mobile, data and media
communications. Sonera is Finland's leading telecommunications company
with subsidiaries and associated companies in 14 countries. In 1998, Sonera's
revenues

Re: Globalstar close to pact with FBI over wiretaps

1999-09-29 Thread Phil Karn

Yet another illustration of how true security can only be provided by
the users themselves on an end-to-end basis. Saltzer, Reed & Clark
(authors of "End-to-End Arguments in Systems Design") have been proven
right yet again. So has Machiavelli, author of "The Prince".

The necessary hook for CDMA PCS users to provide their own end-to-end
encryption -- a generic IP packet data service -- has finally been
rolled out by Sprint PCS, over six years after I first prototyped it
in the lab. You may have seen their ads last weekend for their
"Wireless Web" service. I haven't used it for VoIP yet, but SSH works
just fine. A Palm Pilot (or pdQ) also works just fine.

Plugging a secure VoIP phone into a PCS handset certainly won't be as
convenient as a cell phone with built-in encryption, but at least
it'll make true end-to-end security possible. And I'm pushing hard for
the same packet data service to be provided in Globalstar; we're
already testing it in-house on an ad-hoc basis.

Phil




IBM Micro Payments Version 1.3 to be released October 99

1999-09-29 Thread Robert Hettinga


--- begin forwarded text


From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: Wed, 29 Sep 1999 18:22:33 +0300
Subject: IBM Micro Payments Version 1.3 to be released October 99
Sender: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]



Apologies for any multiple-posting of this note...

Release 1.3 of IBM Micro Payments will be available next month, October 1999
(manuals etc. as well as software will be at http://www.hrl.il.ibm.com/mpay).
This is a dramatic improvement over previous releases and some of the main new
features are listed below. We are looking for payment system providers (billing
systems) to deploy this release, which will allow all of them to easily
interoperate (with multiple currencies). Please forward this notice to potential
providers as well as web-integrators and OEM software providers, since the
maximization of providers will make it easier to reach global availability.
We'll be happy to help. Typical providers include banks, telcos, ISPs, financial
processors, credit cards, and portals.

New features in version 1.3 include:

Substantial re-write for improved reliability, efficiency and scalability
Wallet download of about 300KB (see notice below)
Time-based payments (for selling videos, chat rooms etc.)
Wallet can receive money (or `miles`) from site (for reading ads, visiting site,
  buying, gambling)
Implements the W3C Micro Payment Markup spec
Improved multicurrency support (incl. Euro)
Improved server APIs (as DLLs, any development environment OK)
Improved server management (e.g. user groups)
Open client APIs:
  1. Can replace wallet UI (e.g. integrate with SET wallet)
  2. Allow other applications to charge micropayments (office appl., games,
     fax, phone, ...)
Flexible per-fee-link appearance (font, background etc)
Non-obtrusive per-fee-link - a per-fee-link becomes a regular link (to
  download area) for a browser without the wallet (plug-in) - can add
  per-fee-links to `regular` web pages
Account opening using SSL authentication (optional)
Pre-certified payment option
Important notice: IBM Micro Payments version 1.3 requires a client wallet (which
is fully functional although only 300KB). We are aware, that many people are
attracted to solutions without client wallet (i.e. with server wallets). Server
wallets are not as client wallets, as they are more expensive to operate
(defeating the `low overhead` goal), less secure and less convenient. However,
they are better when `on the road` and necessary for non-supported client
platforms; and anyway, even if we disagree, clearly many like them. So, we have
designed support for server wallets as well, which will be available as of next
release (year end or early 2000). We will provide a toolkit to allow existing
wallet servers to interoperate, i.e. allow their buyers to buy at any IBM Micro
Payments merchant.

We are also soliciting requirements for next release (1.4 - or maybe we'll make
it 2, actually, we think IBM Micro Payments 2 or in short MP/2 sound very IBMish
:-). Some of the requirements we are considering are:

Integration with e-check for business to business payments (not micro...)
Server-based wallet support (see above)
Interfaces to allow payment service providers to offer completely anonymous
  accounts
Advanced (built-in) gambling support
Merchant mall (allowing operation of multiple merchants from one server; notice
  this can already be built as an application over our existing APIs, so we may
  just do it for you in next version...)
Consumer to consumer payments

We appreciate your feedback, suggestions and comments. Please be considerate to
fellow list members and respond directly or on the appropriate list only.

Best Regards,
Amir Herzberg
Manager, E-Business and Security Technologies
IBM Research Lab in Haifa (Tel Aviv Office)
http://www.hrl.il.ibm.com
New e-mail: [EMAIL PROTECTED]
New Lotus notes mail: amir herzberg/haifa/ibm@IBMIL

--- end forwarded text


-
Robert A. Hettinga 
The Internet Bearer Underwriting Corporation 
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



Re: Internet voting protocols

1999-09-29 Thread Greg Broiles

On Tue, Sep 28, 1999 at 09:52:41AM -0700, Andrew Neff wrote:
> We acknowledge that our web site does not accurately reflect the protocols 
> on which we have built our products, and we will make the 
> appropriate changes.  However, in creating the site, our intent was
> only to provide marketing literature to the general public.

Why would you build a marketing site which did not accurately reflect
the technical underpinnings of your products? Misrepresentation of your
products seems likely to place you afoul of laws against common-law
fraud, unfair or misleading business practices, and securities law if
you've also been soliciting or accepting investment.

Given that you've already started doing business in a dishonest fashion
(e.g., creating marketing literature which is known to be incorrect),
why in the world would voters, candidates, or registrars of voters ever
choose to trust you in the future? 

When will the inaccurate marketing materials be removed from your
website?

> Regarding our voting and encryption protocols, the techniques used in our
> products are based on the established literature in secure voting
> protocols.  For competitive reasons, we have chosen not to publish the
> algorithms or even release specific references to the literature at this
> time.

If your work is based on established literature, what's to be lost in
making the details public? 

> We want to assure the cryptographic community that we will publish
> all technical details relevant to the security of our system at the
> appropriate time.

How will you determine what the appropriate time is? How could an
outsider determine that independently of your judgement, so that we can
check to see if your assurance proves to be reliable? 

> In the
> mean time, we ask that judgment about whether or not our products
> are "snake oil" be deferred until our technical specifications are
> published.

"Snake oil" is an apt description of a product which is marketed as
having certain characteristics (e.g., security) but whose ingredients or
properties are hidden from potential purchasers.

If you don't want your product to be called snake oil, don't offer sales
literature without technical literature to go with it.

--
Greg Broiles
[EMAIL PROTECTED]



Re: Selective DoS Attacks: Remailer Vulnerabilities

1999-09-29 Thread Bill Frantz

At 6:06 PM -0700 9/27/99, John Gilmore wrote:
>I wonder if the source of remailer unreliability could be further
>tracked down by providing a "publish" bit under the encryption at each
>layer.  If the bit is set, the remailer publishes, on its own web site
>the incoming message, the decrypted message, and the outgoing message.
>If the bit is not set, the message is relayed privately as usual.  The
>publishing could be delayed for a period of time if desired.

This seems to me to be an excellent suggestion for running test messages
thru the remailer system at the same time as real messages.  The test
messages will also act as cover traffic.

>Note that merely flipping any data bit in a packet containing an email
>message in transit will suffice to cause it to be discarded, since PGP
>will report that it has been corrupted.  (This would require hacking
>the TCP checksum to avoid TCP error correction.)

Since the TCP checksum algorithm is notoriously poor, a small number of
errors may creep thru the TCP check.  Since the underlying transmission
media used in the Internet today are quite reliable, errors due to this
cause should be rare, but don't be surprised to find an occasional one.


-
Bill Frantz | The availability and use of secure encryption may |
Periwinkle  | offer an opportunity to reclaim some portion of   |
Consulting  | the privacy we have lost. - B. FLETCHER, Circuit Judge|
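The weakness of the TCP checksum mentioned in this message, as an added example that is not code from the thread. It computes the RFC 1071 sum over a constructed payload only (real TCP also covers the header and pseudo-header), and uses a SHA-256 digest as an assumed stand-in for an end-to-end integrity check such as the one PGP is said to perform above.

```python
import hashlib
import struct

# Constructed sample payload (not a real remailer message).
SAMPLE = b"constructed remailer payload, not a real PGP message\n"


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"                      # odd length is zero-padded
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _words(data: bytes):
    """Split into complete 16-bit words plus any odd trailing byte."""
    even = len(data) - len(data) % 2
    return [w for (w,) in struct.iter_unpack("!H", data[:even])], data[even:]


def _join(words, tail: bytes) -> bytes:
    return struct.pack(f"!{len(words)}H", *words) + tail


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Single-bit error: always changes the sum, so the checksum catches it."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


def swap_words(data: bytes, i: int, j: int) -> bytes:
    """Reordering error: addition is commutative, so the sum is unchanged."""
    words, tail = _words(data)
    words[i], words[j] = words[j], words[i]
    return _join(words, tail)


def compensating_flips(data: bytes, bit: int) -> bytes:
    """Two-bit error: set `bit` in one word and clear it in another.
    One word gains 2**bit, the other loses it, and the sum is unchanged."""
    words, tail = _words(data)
    up = next(i for i, w in enumerate(words) if not ((w >> bit) & 1))
    down = next(i for i, w in enumerate(words) if (w >> bit) & 1)
    words[up] |= 1 << bit
    words[down] &= ~(1 << bit)
    return _join(words, tail)


def verdict(sent: bytes, received: bytes) -> str:
    """Which layer notices the difference between sent and received?"""
    if hashlib.sha256(sent).digest() == hashlib.sha256(received).digest():
        return "intact"
    if internet_checksum(sent) == internet_checksum(received):
        return "missed by checksum, caught by digest"
    return "caught by checksum"


if __name__ == "__main__":
    cases = {
        "single bit flip": flip_bit(SAMPLE, 5),
        "two words swapped": swap_words(SAMPLE, 0, 1),
        "compensating bit flips": compensating_flips(SAMPLE, 0),
    }
    for name, received in cases.items():
        print(f"{name:24} {verdict(SAMPLE, received)}")
```

Any error pattern that leaves the 16-bit sum unchanged passes TCP, which is why message integrity has to be checked end to end rather than inferred from a clean transport.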





Re: Ecash without a mint, or - making anonymous payments practical

1999-09-29 Thread Bill Stewart

>On Mon, 27 Sep 1999 [EMAIL PROTECTED] wrote:
>> One small final comment:  physical cash is not really anonymous (bills have
>> serial numbers, and certainly coins may contain secret marks. Why?

At 02:47 PM 09/27/1999 -0700, bram wrote:
>I believe at least part of the reason is to make heists difficult 

It also makes basic counterfeiting more difficult - 
the counterfeiter not only needs to make good-looking banknotes,
but needs to put unique serial numbers, rather than taking
a single banknote and copying it many times.

One effect of changing technology is that serial numbers on cash
did not provide much traceability in the past, but they do in the future.
There have been various proposals to put bar-coded numbers on cash
to make scanning faster and easier, but that's becoming less necessary.
OCR technology for reading numbers has become much more affordable,
and (either now or in the near future) it would not be difficult to 
make ATMs which record serial numbers of cash when dispensing it.

Recording serial numbers used to be a slow manual process used
mainly for kidnap ransom and similar transactions - now it's
almost practical for drug payments and soon for everyday transactions.
Thanks! 
Bill
Bill Stewart, [EMAIL PROTECTED]
PGP Fingerprint D454 E202 CBC8 40BF  3C85 B884 0ABE 4639



Ft. Meade civilian airfield to open soon?

1999-09-29 Thread John Gilmore

FINAL CLEARANCE SOUGHT TO OPEN TIPTON AIRFIELD

JEFFERSON MORLEY 
WASHINGTON POST STAFF WRITER 
Thursday, June 10, 1999 ; Page M01 
Section: Weekly - MD - Anne Arundel 

Anne Arundel County officials plan to open Tipton Airfield at Fort
Meade as a general aviation airport this summer, once they receive
final operating approvals from the state and federal governments,
officials said.

Other interesting URLs related to this:

http://w2.hnd.usace.army.mil/oew/factshts/factshts/ftmeade.html

"Flight operations around the airfield will have to be
interrupted for up to two hours daily as OE items located
that day are blown in place or on site."

http://www.dtic.mil/envirodod/derpreport95/vol_2/nara073.html

"In December 1988, the BRAC Commission recommended that range
and training areas, including the airfield at Fort Meade, be
closed to realign Fort Meade from an active Army post to an
administrative center. The National Security Agency is the
primary tenant of the new administrative center at Fort Meade."




Re: LA wiretaps -- full details available

1999-09-29 Thread David Wagner

Right.  The scope of this violation of wiretap laws is breathtaking.
There's no need for conspiracy theories anymore; we've got conspiracy
theorems, complete with proof and everything.

There's one amazing paragraph that deserves quotation here:
   [...] The [LAPD] engage in two totally different types of
   court-authorized wiretap operations. One appears to comply with
   the requirements of exhaustion, specificity, lawful execution, and
   notice. The other, however, is broad-based, widespread, clandestine
   and illegal. Notice, inventory, and production of these wiretaps are
   never provided.  Defendants intercepted by the latter type of wiretap,
   who are not immediately arrested, subsequently become the target
   of what appears to be a lawful wiretap. While the [LAPD] readily
   disclose the apparently lawful wiretap, they intentionally fail to
   provide notice, inventory, and production in the other.
The LAPD brazenly call this their "hand-off procedure".

What a scam.  The LAPD avoids any oversight by "laundering" the results
of their wiretaps -- they've been taking lessons from the crooks.

See also .

It is worth noting that the actual number of telephones illegally
wiretapped exceeded the number reported by _more than an order of
magnitude_, according to the LA public defenders.  One of those unreported
LA wiretaps ended up intercepting the calls of 130,000 LA residents
(with no attempt at minimization and no arrests made), which beats the
reported _nation-wide total_ of 75,000.  (For reference, that's about 1%
of LA's metro-area population.)  Another unreported wiretap was for an
_entire cellphone service provider_.  Holy shit!

This brings a new perspective on law enforcement's initial requests for
CALEA capacity to tap 1% of the population's phones.  Maybe they weren't
joking after all...

Note also that California has one of the strictest wiretap oversight laws
in the nation.  If this type of everyday, streamlined illegal wiretapping
was routine practice for the LAPD since 1989 (as the LA public defenders
demonstrate), in a state with unusually restrictive wiretap laws, what
will happen if the CESA bill---which essentially removes all courtroom
oversight on electronic wiretaps---passes?




IP: Elliptic Curve 97-bit Challenge Broken

1999-09-29 Thread Robert Hettinga


--- begin forwarded text


Date: Tue, 28 Sep 1999 16:17:07 -0400
To: [EMAIL PROTECTED]
From: David Farber <[EMAIL PROTECTED]>
Subject: IP: Elliptic Curve 97-bit Challenge Broken
Sender: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]

Date: Tue, 28 Sep 1999 15:44:17 -0400
From: [EMAIL PROTECTED] (Dorothy Denning)
Subject: Elliptic Curve 97-bit Challenge Broken
To: [EMAIL PROTECTED]

http://www.inria.fr/Actualites/pre55-eng.html

INRIA leads nearly 200 international scientists in cracking code
following challenge by Canadian company Certicom

Paris, September 28, 1999 - A new code-cracking challenge set by
Certicom has been successfully overcome using 740 computers in 20
countries over a period of 40 days.  The code, ECC2-97, is based on a
technique known as elliptic curves.

Led by Robert Harley, a member of the Cristal project at INRIA, France's
National Institute for Research in Computer Science and Control, the 195
researchers involved showed that a 97-bit encryption system based on
elliptic curves is more difficult to crack than a 512-bit system based
on integers such as RSA-155.

Encryption systems based on elliptic curves have been known since the
mid-1980s, but have only recently been adopted by leading encryption
companies such as RSA Security Inc.  Certicom issued its "ECC Challenge"
in November 1997, specifying a series of challenges of increasing
difficulty.  The company offers prizes up to US$100,000.  The aim of the
challenge is to encourage research in the field of elliptic curves and
their applications in encryption, and to strengthen arguments in favor
of using elliptic curve cryptography instead of systems based on integer
factorization.

The challenge dubbed "ECC2-97" took place in a set of about 10^29 points
on an elliptic curve chosen by Certicom.  To solve the problem,
participants first computed 119,248,522,782,547 (more than 10^14) points using
open-source software developed by Harley.  Among these points, they
screened 127,492 "distinctive" points and collected them on an Alpha
Linux workstation at INRIA where further processing revealed two twin
points.  Finally Harley computed the solution using information
associated with these two points, thus nailing the problem.

The solution was found after less than one third of the predicted
computation.  The probability of finding the answer so quickly was less
than one in ten.  Two other twins were detected a few hours after the
first - a less than one in 100 probability!  Nevertheless the computing
power used, around 16,000 MIPS/years, was twice as much as that used for
the factorization of RSA-155 announced by Herman Te Riele of CWI
(Amsterdam) and his colleagues on 26 August 1999.

"These results strengthen our confidence in codes based on
properly-chosen elliptic curves," said Harley.  "This needs to be taken
into account in standards for security and confidentiality on the
Internet."

According to Andrew Odlyzko, Head of Mathematics and Cryptography
Research, at AT&T Labs, the code-cracking operation was "a great
achievement that demonstrates the value of fruitfully harnessing some of
the huge computational power of the Internet that is idle most of the
time".  He added:  "It validates theoretical security predictions, and
demonstrates the need to keep increasing cryptographic key sizes to
protect against growing threats."

Arjen K. Lenstra, Vice President at Citibank's Corporate Technology
Office in New York and one of the main contributors to the recent
successful attack on the RSA-155 challenge, compared the two
computational efforts and noted that the present result makes 160-bit
ECC keys look even better compared to 1024-bit RSA keys, from a security
point of view.  "Ideally we would like new theoretical advances to
further reinforce these practical results, although such advances appear
out of reach for the moment."

Out of the $5000 prize money, the team members will give $4,000 to the
Free Software Foundation to encourage the creation of new free software.
The remaining $1,000 go to the team members who identified the twin
points.  Both were in fact found by Paul Bourke using a network of Alpha
workstations, mainly used for studying pulsars at the Centre of
Astrophysics at Swinburne University in Australia.

The most active teams in the project were:

Astrophysics & Supercomputing
   Australia
INRIA
   France
University of New South Wales
   Australia
"Friends of Rohit Khare"
   USA and France
Ecole Polytechnique
   France
Compaq
   USA and Italy
Technischen Universität Wien
   Austria
University of Vermont
   USA
"WinTeam"
   International
British Telecom Labs
   UK
Internet Security Systems
   UK
Rupture Dot Net
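The computation the press release outlines (many trails of points, only the "distinctive" ones reported to a central machine, and a pair of twins giving the answer), as an added sketch that is not Harley's software. It assumes a toy 14-bit prime-field curve found by search, a hypothetical secret of 4242 and a one-in-eight distinguished-point rule; the work it reports grows with the square root of the group order, which is the basis for the key-size comparisons quoted above.

```python
import random

P = 10007   # toy prime field (assumption); the challenge curve was 97 bits
A = 1       # curve y^2 = x^3 + A*x + b; b is chosen by find_curve()


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def find_curve():
    """Search b until the curve has prime order n, so every affine point
    generates the whole group. Returns (b, n, G)."""
    roots = {}
    for y in range(P):
        roots.setdefault(y * y % P, []).append(y)
    for b in range(1, P):
        if (4 * A ** 3 + 27 * b * b) % P == 0:
            continue                                  # singular curve
        pts = [(x, y) for x in range(P)
               for y in roots.get((x ** 3 + A * x + b) % P, [])]
        n = len(pts) + 1                              # + point at infinity
        if all(n % d for d in range(2, int(n ** 0.5) + 1)):
            return b, n, pts[0]
    raise RuntimeError("no prime-order curve found")


def collision_search(G, Q, n, rng, mask=0x7, branches=16):
    """Solve Q = k*G. Each trail starts at a random a*G + b*Q and walks until
    it reaches a distinguished point (x & mask == 0), which it reports to a
    shared table. Two trails reporting the same point with different (a, b)
    are the twins that reveal k, since a + b*k = a2 + b2*k (mod n).
    Returns (k, steps walked, distinguished points stored)."""
    coeffs = [(rng.randrange(n), rng.randrange(n)) for _ in range(branches)]
    jumps = [ec_add(ec_mul(u, G), ec_mul(v, Q)) for u, v in coeffs]
    table, steps = {}, 0
    while True:
        a, b = rng.randrange(n), rng.randrange(n)
        R = ec_add(ec_mul(a, G), ec_mul(b, Q))
        for _ in range(40 * (mask + 1)):          # give up on looping trails
            if R is None:
                break
            if (R[0] & mask) == 0:
                a2, b2 = table.get(R, (a, b))
                if (b2 - b) % n:                   # twin with usable coefficients
                    k = (a - a2) * pow((b2 - b) % n, -1, n) % n
                    return k, steps, len(table)
                table[R] = (a, b)
                break
            j = R[1] % branches                    # next jump depends only on R
            R = ec_add(R, jumps[j])
            a, b = (a + coeffs[j][0]) % n, (b + coeffs[j][1]) % n
            steps += 1


def demo(secret=4242, seed=1999):
    """Build the toy instance (constructed values) and recover the secret."""
    b, n, G = find_curve()
    Q = ec_mul(secret, G)
    k, steps, stored = collision_search(G, Q, n, random.Random(seed))
    return {"b": b, "order": n, "k": k, "steps": steps, "stored": stored}


if __name__ == "__main__":
    print(demo())
```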
 

Re: grabbed video as a source of entropy

1999-09-29 Thread Eugene Leitl

David Honig writes:

 > Even if I had the same hardware, perhaps the tolerances on my ADCs are
 > different from yours.  
 > 
 > And illumination levels will affect certain kinds of noise.

Sure, but the entropy generation rate will be in any case higher than
stuff coming from /dev/dsp
 
 > The point: Measure it.
 > 
 > Use Shannon's entropy formula, for instance.  
 
I'm not very well versed in such matters, and pressed for time in my
day/night job.

 > >I wouldn't mind any pointers to sources extracting, say, LSB from
 > >grabbed frames.
 > 
 > Distill (irreversibly compress, e.g., by xor'ing several words together)
 > your data.  Measure again; distill again until 1 bit/baud.  Hash before use.
 
I was looking for sources performing such steps. And I wouldn't want
to crypto-hash lest the raw entropy gets debased by hidden algorithmic 
order.

 > Any OTP tool should facilitate or automate these steps.



Re: grabbed video as a source of entropy

1999-09-29 Thread David Honig

At 06:53 PM 9/24/99 -0700, Eugene Leitl wrote:
>
>I've recently acquired a video camera (bttv-based 3Com Bigpicture, can
>do 30 fps true color 640x480). I've noticed that under certain
>conditions images can become quite noisy. Does anyone have data on the
>amount and quality of the entropy produced?

Even if I had the same hardware, perhaps the tolerances on my ADCs are
different from yours.  

And illumination levels will affect certain kinds of noise.

The point: Measure it.

Use Shannon's entropy formula, for instance.  

>I wouldn't mind any pointers to sources extracting, say, LSB from
>grabbed frames.

Distill (irreversibly compress, e.g., by xor'ing several words together)
your data.  Measure again; distill again until 1 bit/baud.  Hash before use.

Any OTP tool should facilitate or automate these steps.
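The measure, distill, measure again, hash sequence from this message, as an added sketch that is not code from the thread. The biased and paired bit sources are constructed stand-ins for camera LSBs, SHA-256 is an assumed choice of hash, and the `block` argument goes beyond the message to show that a single-bit estimate sees bias but not correlation.

```python
import hashlib
import math
import random
from collections import Counter


def shannon_entropy(symbols) -> float:
    """Shannon's formula H = -sum(p * log2 p), in bits per symbol."""
    counts = Counter(symbols)
    n = sum(counts.values())
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def entropy_per_bit(bits, block: int = 1) -> float:
    """Estimate entropy per raw bit from the distribution of `block`-bit
    groups. block=1 sees only bias; larger blocks also see correlation
    between neighbouring bits."""
    usable = len(bits) - len(bits) % block
    groups = [tuple(bits[i:i + block]) for i in range(0, usable, block)]
    return shannon_entropy(groups) / block


def xor_fold(bits, k: int = 2):
    """Distill: XOR every k consecutive bits into one (irreversible)."""
    usable = len(bits) - len(bits) % k
    return [sum(bits[i:i + k]) & 1 for i in range(0, usable, k)]


def distill(bits, target: float = 0.999, min_bits: int = 4096):
    """Measure, fold, measure again, until the estimate reaches `target`."""
    rounds = 0
    while entropy_per_bit(bits) < target:
        if len(bits) // 2 < min_bits:
            raise ValueError("ran out of samples before reaching target")
        bits = xor_fold(bits)
        rounds += 1
    return bits, rounds


def condition(bits) -> bytes:
    """Hash before use: pack the distilled bits and return a 256-bit value.
    The input should hold well over 256 bits of measured entropy."""
    packed = bytes(
        sum(b << j for j, b in enumerate(bits[i:i + 8]))
        for i in range(0, len(bits) - len(bits) % 8, 8)
    )
    return hashlib.sha256(packed).digest()


def simulated_lsbs(n: int, p_one: float, seed: int):
    """Constructed stand-in for pixel LSBs: independent bits, biased to 1."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


def paired_bits(n: int, seed: int):
    """Constructed correlated source: every fair bit is emitted twice."""
    rng = random.Random(seed)
    fair = (rng.getrandbits(1) for _ in range(n // 2))
    return [b for b in fair for _ in (0, 1)]


if __name__ == "__main__":
    raw = simulated_lsbs(1 << 18, 0.8, seed=1999)
    out, rounds = distill(raw)
    print(f"raw {entropy_per_bit(raw):.3f} bit/bit, {rounds} folds, "
          f"{len(out)} bits at {entropy_per_bit(out):.4f}")
    dup = paired_bits(1 << 18, seed=1999)
    print(f"paired source: {entropy_per_bit(dup):.3f} per single bit, "
          f"{entropy_per_bit(dup, block=8):.3f} per bit in 8-bit blocks")
    print(condition(out).hex())
```

The paired source scores close to 1 bit per bit on single bits and about 0.5 in 8-bit blocks, so measurements on real frames should use blocks wide enough to expose correlation between neighbouring samples.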







Re: IBM to built crypto-on-a-chip into all its PCs

1999-09-29 Thread William H. Geiger III

In , on 09/27/99 
   at 03:41 PM, Robert Hettinga <[EMAIL PROTECTED]> said:

>Probably IBM will first want to see how attractive the technology is  to
>punters. At least the approach of using an ancillary encryption  chip
>should keep IBM safe from the nightmare Intel faced when it  attempted to
>railroad CPU ID numbers on users.


No Code == No Trust!

This has all the security/trust problems that Intel's RNG does and more. I
wouldn't touch this thing with a ten foot pole.


 
---
William H. Geiger III  http://www.openpgp.net
Geiger Consulting      Cooking With Warp 4.0

Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 5.0 at: http://www.openpgp.net/pgp.html
Talk About PGP on IRC EFNet Channel: #pgp Nick: whgiii

Hi Jeff!! :)
---




Globalstar close to pact with FBI over wiretaps

1999-09-29 Thread John Gilmore

Forwarded-by: David Wade <[EMAIL PROTECTED]>

Globalstar close to pact with FBI over wiretaps
By John Borland
September 13, 1999, 4:15 p.m. PT
http://home.cnet.com/category/0-1004-200-117671.html

 A satellite phone firm is close to an agreement with federal law
enforcement officials who had threatened to delay its service if the FBI
couldn't wiretap phone conversations, company officials say.   

  Officials at the Federal Bureau of Investigation have been concerned that
Globalstar and other satellite phone companies could undermine their
ability to listen in on suspected criminals' telephone calls by sending the
transmissions across national borders--and outside U.S. jurisdiction.

  The issue had threatened to hold up Globalstar's long-awaited launch
date, scheduled for later this month. FBI officials had even raised the
possibility that the company would have to move several of its expensive
land-based transmission stations from Canada into the United States--an
option that would have dramatically raised costs and delayed service for
the fledgling firm.  

 The FBI's scrutiny of the satellite phone business has proved rocky
for the struggling industry. Few providers can afford to restructure their
network to satisfy law enforcement concerns, and many in the industry are
watching Globalstar to see if a cheap technical solution to federal demands
can be found.   

After several months of negotiations with U.S. and Canadian officials,
the company may have found a way to deal with the law as well as stay
financially afloat. In a recent meeting, FBI officials and Globalstar
executives agreed to pursue a technological fix that appears likely to
satisfy the FBI's needs to tap into the satellite calls, company officials
now say.  

 "We have tentatively agreed on a technical solution," said Andy
Radlow, a spokesman for Vodafone AirTouch, the company that is managing
Globalstar's North American operations. "We don't get any indication that
they intend to hold us up."  

  An FBI spokesman confirmed that the agency is in discussions with
satellite phone providers, but declined to comment specifically on
negotiations with Globalstar.   

  Aside from federal concerns, Globalstar is just the latest player to
enter an industry that has seen two of its early pioneers fall by the
wayside. The firm's largest competitor, Iridium, has already filed for
bankruptcy protection and is undergoing a company reorganization.  Another
smaller competitor has also filed for bankruptcy protection.  

Not quite a borderless world
  Globalstar is run by a coalition of companies including Loral Space and
Communications, Vodafone AirTouch, and Qualcomm, among others. With
satellites already in orbit around earth, the company has said it plans to
begin offering telephone service by the end of September. By the time its
$3.9 billion satellite system is complete, the company will be able to
serve customers almost anywhere on Earth.  

  But before it can begin serving customers in the United States, it needs
to win approval from the Federal Communications Commission--and that's
where the trouble starts.  

  The FCC has already held up a license for at least one smaller Canadian
satellite phone company based on concerns that the FBI would not be able to
tap and trace telephone calls made over the system. FCC officials say they
have wanted to allow negotiations between the phone companies and the FBI
to proceed before acting on the license requests.   

  In Globalstar's case, two of the four ground stations--places where
equipment sends calls to and from the satellite network--serving the United
States will be located across the border in Canada.   

  This has worried FBI officials, who don't want to have to seek approval
from foreign governments when tapping telephones. Seeking permission from
Canadian officials to conduct surveillance of U.S. suspects--a likely
outcome if the FBI had to physically put taps in Globalstar's Canadian
stations--would be a serious breach of national security, officials say.   

  The fix that Globalstar and the FBI are reportedly discussing would allow
law enforcement officials a way to tap into the satellite system without
having to cross the U.S. border. The technical details are still being
finalized, but Qualcomm--the company that provides the land station and
handset equipment to Globalstar--has assured the Justice Department that
the fix will satisfy their concerns, Radlow said.  

  "We feel we're going to continue to have a good relationship on the
federal and local level with law-enforcement," Radlow said. Once the FBI
has officially signed off, Globalstar can go to the FCC for its license
without much fear of delay.   

  The company is running up against its own stated deadline to begin
rolling out service this month, however. But the North American version of
the service still plans a "soft launch" this November and appears likely to
make this deadline despite the wiretap co

Internet voting protocols

1999-09-29 Thread Andrew Neff

[Allowed through because we were discussing this, but I must say this
is pretty content free... --Perry]

We are happy to see the recent discussion about the VoteHere Election
System, and the interest in secure Internet voting that it represents.

We acknowledge that our web site does not accurately reflect the protocols 
on which we have built our products, and we will make the 
appropriate changes.  However, in creating the site, our intent was
only to provide marketing literature to the general public.

Regarding registration, our current authentication protocols for public
elections are based on a live ink signature or in-person appearance,
which is typical of mail-in balloting and poll-site voting, respectively.
We have worked out the details of the current protocols, including
security, feasibility and logistics, in consultation with election
officials from around the country.

Regarding our voting and encryption protocols, the techniques used in our
products are based on the established literature in secure voting
protocols.  For competitive reasons, we have chosen not to publish the
algorithms or even release specific references to the literature at this
time.  This is a painful decision because we are committed to the well-
established tradition of peer review in the cryptographic community.
It has long been our position that public scrutiny of any protocol
proposed for government elections is essential to protecting the
democratic process.  A key component of our threat model is that
no election official, nor any provider of election services (including
ourselves) is a trusted player.

We want to assure the cryptographic community that we will publish
all technical details relevant to the security of our system at the
appropriate time. In addition, we have urged the Secretaries of
State with whom we are working to retain independent cryptography
experts to review our products during the certification process. In the
meantime, we ask that judgment about whether or not our products
are "snake oil" be deferred until our technical specifications are
published.


C. Andrew Neff
Chief Scientist, VoteHere.net








Re: LA wiretaps -- full details available

1999-09-29 Thread John Gilmore

The LA County Public Defender's Office has full information about their
case against the LAPD and LA Sheriff's Office up on the web at:

http://pd.co.la.ca.us/

It's particularly gruesome how the LAPD reported these wiretaps to the
Federal wiretap report, which cypherpunks and policy-makers examine
closely every year (e.g. http://jya.com/wiretap98.htm).  What the LAPD
reported as a single wiretap order turns out to have tapped 250
telephones over a period of years.  Few or none of the thousands of
people tapped were ever notified of the wiretap.  This calls the
validity of all the wiretap statistics into question.

Even now, after a direct order by the judge to the District Attorney
in open court, two-thirds of the logs from this single wiretap have
been withheld.  (The one-third that have been disclosed required a
forklift to move the tapes, and produced 65,000 pages of logs.)  See
http://pd.co.la.ca.us/contempt.htm.  The logs show that the LAPD made
no attempt to "minimize", recording only the portions of conversations
related to the investigation for which they obtained a warrant; they
recorded everything, and then used the miscellaneous information to
instigate new wiretaps, investigations, and prosecutions.

One overheard conversation that helped to blow the lid off was that of
a Mexican man who used his cellphone to discuss receiving a wire
transfer from the sale of some inherited land in Mexico.  (He intended
to use it to buy a house in the US.)  When the cops overheard this,
they rushed to a judge and to the bank, lied to the judge, and
obtained a warrant to seize the $265,000 as "drug money" under the
civil forfeiture laws.  It only came out a year and a half later, when
Mr. Rodriguez's lawyers questioned the officers involved, that the
"reliable confidential informant" they had used to establish probable
cause to seize the money was in fact an illegal wiretap, and that
there was no cause at all to believe the money was related to drugs.
See the federal judge's final order giving Mr. Rodriguez back his
money, at:

http://pd.co.la.ca.us/alvara2.htm

When sworn officers of the law and the courts violate the law with
impunity, concealing their activities by making fraudulent statements
under oath, and filing all incriminating information under seal, the
law-abiding public cannot trust the justice system.  None of us would
enjoy a society without credible means to redress injustices.  We
already see the beginnings of the results in drive-by shootings and
other manifestations of a subculture (drug users) in which people have
no recourse but to take justice into their own hands.  If the public
cannot rely on the courts for justice against illegal wiretaps,
particularly when our adversaries are large, secretive, and publicly
funded organizations such as the LAPD and the NSA, we will end up with
"frontier justice" before this whole controversy is settled.  Note
well the NSA's recent refusal to provide documents about their
monitoring of US citizens' communications to their oversight committee
in the House of Representatives (http://jya.com/nsa-clash.txt).  I
implore the misguided individuals who have been violating the law
behind the screen of official secrecy to reveal their crimes and take
their punishments, before they destroy a vital part of the fabric of
society that they are supposedly paid to defend.

John Gilmore





Re: Selective DoS Attacks: Remailer Vulnerabilities

1999-09-29 Thread John Gilmore

I wonder if the source of remailer unreliability could be further
tracked down by providing a "publish" bit under the encryption at each
layer.  If the bit is set, the remailer publishes, on its own web site,
the incoming message, the decrypted message, and the outgoing message.
If the bit is not set, the message is relayed privately as usual.  The
publishing could be delayed for a period of time if desired.

Examining the web sites of the remailers will show where a published
message was lost or corrupted in transit.  It will exit one remailer and
never enter the next - or enter it corrupted.

If identical messages sent with the publish bit on and off have different
long-term reliability statistics, it means the adversary has broken the
encryption, and can read the publish bit (and only corrupt messages that
are not publicly visible).

Note that merely flipping any data bit in a packet containing an email
message in transit will suffice to cause it to be discarded, since PGP
will report that it has been corrupted.  (This would require hacking
the TCP checksum to avoid TCP error correction.)  SMTP mailer logs on
such systems should also be scrutinized for indications that e.g. a
TCP connection was "reset" in the middle of receiving a message.  It
would be worth recording full packet traces to and from some remailers
and looking for interesting activities such as TCP attacks or altered
data packets.

John
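
The tracing and the on/off comparison described in the message above, as an added example that is not part of the original post. The record format (a digest of each incoming message mapped to a digest of the outgoing one), the remailer names, the use of SHA-256 for matching, and the two-proportion z-test with its 0.01 threshold are all assumptions made for illustration.

```python
import hashlib
from math import erf, sqrt

def digest(msg: bytes) -> str:
    """Fingerprint used to match one remailer's output to the next one's input."""
    return hashlib.sha256(msg).hexdigest()

def locate_loss(chain, published, first_digest):
    """Follow one publish-bit message hop by hop through the published logs.

    published[name] maps digest(incoming) -> digest(outgoing), or None when
    the remailer logged the arrival but never published a forwarded copy.
    """
    expected, prev = first_digest, "sender"
    for name in chain:
        log = published.get(name, {})
        if expected not in log:
            # Left `prev` but never arrived intact at `name`.
            return "lost_or_corrupted_in_transit", (prev, name)
        if log[expected] is None:
            return "dropped_inside_remailer", (name, name)
        expected, prev = log[expected], name
    return "left_last_remailer", (prev, "recipient")

def reliability_differs(ok_pub, n_pub, ok_priv, n_priv, alpha=0.01):
    """Two-sided two-proportion z-test on delivery counts (assumed test)."""
    pooled = (ok_pub + ok_priv) / (n_pub + n_priv)
    se = sqrt(pooled * (1 - pooled) * (1 / n_pub + 1 / n_priv))
    if se == 0:
        return False, 1.0          # identical, all-or-nothing delivery
    z = (ok_pub / n_pub - ok_priv / n_priv) / se
    p_value = 1 - erf(abs(z) / sqrt(2))
    return p_value < alpha, p_value

if __name__ == "__main__":
    # Constructed sample: layers m0..m3 of one message through three remailers.
    m = [digest(b"constructed layer %d" % i) for i in range(4)]
    chain = ["alpha", "beta", "gamma"]            # hypothetical remailer names
    published = {"alpha": {m[0]: m[1]}, "beta": {}, "gamma": {}}
    print(locate_loss(chain, published, m[0]))
    print(reliability_differs(980, 1000, 900, 1000))
```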