Re: MS on NSA_KEY in Windows
Sergio Tabanelli wrote: [About OffloadModExpo] [...] 4. In any case in my opinion it is completely unacceptable that a system administrator can access userss private keys without the user knowledge and assent. I don't see a way to prevent an admin from gaining access to a user's keys under the NT security model. [Sergio] I think that encrypting the key can help. But all this aside, there is a sound reason why a software crypto implementation would want to offer OffloadModExpo: hardware acceleration. Modular exponentiation is a painfully CPU-intensive task. The market for modexp accelerators is pretty sizable and growing. Most sites that make heavy use of SSL that I am aware of are either employing hardware crypto accelerators or are planning to do so in the very near future. It makes perfect sense for a crypto library to be able to call out to a modular exponentiation accelerator if such an accelerator happens to be installed. [Sergio] Agreed (maybe the right way to do this is writing a new CSP). But I think that the strange things here are: 1) A security bulletin and a patch for a non functionality. 2) The coincidence between the OffloadModExpo functionality and the no use of the _NSAKEY: the W2K = beta 3 still has the _NSAKEY but DOES NOT USE IT the W2K = beta 3 CSPs use the OffloadModExpo functionality the NT4-NT5-W2K = beta 2 still has the _NSAKEY and USES IT the NT4-NT5-W2K = beta 2 CSPs DO NOT HAVE the OffloadModExpo functionality Maybe this does not mean nothing, but it looks a little bit strange. Sergio Tabanelli
Planned Net-treaty limits privacy, may compel key disclosure
The document: http://www.politechbot.com/docs/treaty.html http://www.wired.com/news/politics/0,1283,36047,00.html Cyber-treaty Goes Too Far? by Declan McCullagh ([EMAIL PROTECTED]) 3:00 a.m. May. 3, 2000 PDT WASHINGTON -- U.S. and European police agencies will receive new powers to investigate and prosecute computer crimes, according to a preliminary draft of a treaty being circulated among over 40 nations. The Council of Europe's 65KB proposal is designed to aid police in investigations of online miscreants in cases where attacks or intrusions cross national borders. But the details of the "Draft Convention on Cybercrime" worry U.S. civil libertarians. They warn that the plan would violate longstanding privacy rights and grant the government far too much power. The proposal, which is expected to be finalized by December 2000 and appears to be the first computer crime treaty, would: * Make it a crime to create, download, or post on a website any computer program that is "designed or adapted" primarily to gain access to a computer system without permission. Also banned is software designed to interfere with the "functioning of a computer system" by deleting or altering data. * Allow authorities to order someone to reveal his or her passphrase for an encryption key. According to a recent survey, only Singapore and Malaysia have enacted such a requirement into law, and experts say that in the United States it could run afoul of constitutional protections against self-incrimination. * Internationalize a U.S. law that makes it a crime to possess even digital images that "appear" to represent children's genitals or children engaged in sexual conduct. Linking to such a site also would be a crime. * Require websites and Internet providers to collect information about their users, a rule that would potentially limit anonymous remailers. [...] -- POLITECH -- the moderated mailing list of politics and technology To subscribe, visit http://www.politechbot.com/info/subscribe.html This message is archived at http://www.politechbot.com/ --
Council of Europe April 27 press release re: Cybercrime treaty
The treaty proposal: http://conventions.coe.int/treaty/en/projets/cybercrime.htm Subject: Press release n° 300(a)00 - Crime in Cyberspace Crime in Cyberspace First Draft of International Convention Released for Public Discussion STRASBOURG, 27.04.2000 - The COUNCIL OF EUROPE today released a draft version of a Convention on crime in cyberspace for public discussion in order to enhance the consultation process with interested parties, whether public or private. Businesses and associations are particularly encouraged to share their comments with the experts involved in the negotiations before the final adoption of the text. Provisionally entitled "Draft Convention on Cyber-Crime", this Council of Europe text will be the first international treaty to address criminal law and procedural aspects of various types of offending behaviour directed against computer systems, networks or data as well as other similar abuses. This legally-binding text aims to harmonise national legislation in this field, facilitate investigations and allow efficient levels of co-operation between the authorities of different States. The text should be finalised by a group of experts by December 2000 and the Committee of Ministers could adopt the text and open it for signature as early as Autumn 2001. The text of the draft Convention can be found on the following website: http://conventions.coe.int/treaty/en/projets/cybercrime.htm * * * More information for editors : Recent attacks against commercial web-sites, such as Amazon.com, drew international attention to the dangers that the Internet and other computer networks need to face: cyber-criminals and cyber-terrorists threaten business and government interests and may cause colossal damages. Time has come for the Council of Europe to take action, which today released a draft Convention to deal with crime in cyberspace. This document, provisionally entitled "Draft Convention on Cyber-crime", will be the first ever international treaty to address criminal law and procedural aspects of various types of criminal behaviour directed against computer systems, networks or data and other types of similar misuse. The draft provides, among others, for the co-ordinated criminalisation of computer hacking and hacking devices, illegal interception of data and interference with computer systems, computer-related fraud and forgery. It also prohibits on-line child pornography, including the possession of such material after downloading, as well the reproduction and distribution of copyright protected material. The draft Convention will not only define offences but will also address questions related to the liability of individual and corporate offenders and determine minimum standards for the applicable penalties. The draft text also deals with law enforcement issues: future Parties will be obliged to empower their national authorities to carry out computer searches and seize computer data, require data-subjects to produce data under their control, preserve or obtain the expeditious preservation of vulnerable data by data-subjects. The interception of data transmitted through networks, including telecommunication networks, is also under discussion. These computer-specific investigative measures will also imply co-operation by telecom operators and Internet Service Providers, whose assistance is vital to identify computer criminals and secure evidence of their misdeeds. As computer-crimes are often international in their nature, national measures need to be supplemented by international co-operation. The draft treaty therefore requires future Parties to provide each other various forms of assistance, for example by preserving evidence and locating on-line suspects. The text also deals with certain aspects of trans-border computer searches. Traditional forms of mutual assistance and extradition would also be available under the draft Convention and a network of 24 hours/ day, 7 days/week available national contact points would be set up to speed up international investigations. The 41-nation Council of Europe has previously produced two recommendations on the question, in 1989 and in 1995, to encourage governments to adapt laws to the challenge of computer-related crime, but later a binding legal instrument was considered necessary to harmonise computer-crime provisions, step up investigations and ensure effective international co-operation among authorities. The draft Convention is expected to be finalised by an expert group by December 2000 and the Committee of Ministers could adopt the text and open it for signature as early as September 2001. Given the importance of the subject, non-member States, such as Canada, Japan, South-Africa and the United States, also actively participate in the negotiations. By releasing the latest draft of the treaty, the Council of Europe seeks to enhance the consultation process with
Re: GPS no longer encrypted
Do you mean 13 feet radius or 13 feet diameter? I was seeing a vertical error of approximately +/-10 feet (although I'd believe 13 ;) Horizontally I was seeing approx +/- .0015 minutes in both lattitude and longitude (which equates out to approximately +/-9 feet). Considering the inacuracy of my measurements, I would mostly concur with your observations, except that I'd extend it to a sphere (instead of a circle) of radius 10'. I can't wait to get up flying again :) -derek "Trei, Peter" [EMAIL PROTECTED] writes: Yes, my little Garmin GPS III+ now reports error circles as low as 13 feet (as opposed to about 200 before the change). This is *very* nice for people who need that level of precision. Of course, minor errors in the map database become glaringly obvious when you can tell which lane you're driving in, as opposed to merely which road you are on. Over on sci.geo.satellite-nav they're wetting their pants in joy. Peter Trei -- From: Rich Salz[SMTP:[EMAIL PROTECTED]] Sent: Tuesday, May 02, 2000 10:12 AM To: [EMAIL PROTECTED] Subject:GPS no longer encrypted A handful of press releases, including http://www.whitehouse.gov/library/ThisWeek.cgi?type=pdate=1briefing=0 Which starts... Today, I am pleased to announce that the United States will stop the intentional degradation of the Global Positioning System (GPS) signals available to the public beginning at midnight tonight. We call this degradation feature Selective Availability (SA). This will mean that civilian users of GPS will be able to pinpoint locations up to ten times more accurately than they do now. GPS is a dual-use, satellite-based system that provides accurate location and timing data to users worldwide. -- Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory Member, MIT Student Information Processing Board (SIPB) URL: http://web.mit.edu/warlord/PP-ASEL-IA N1NWH [EMAIL PROTECTED]PGP key available
Re: Planned Net-treaty limits privacy, may compel key disclosure
At 11:18 AM 05/03/2000 -0400, Richard D. Murad wrote: Does obligations through treaty circumvent US law and US constitutionality? In other words, if the US signs and ratifies a treaty, does it take precedence over other US law? If so, it's a way to do an end-run around US law and US constitutionality. This is really a better question for cypherpunks that cryptography, and I'm planning to write a rant there. The US government doesn't have the authority to make unconstitutional laws. Doesn't mean they don't try on occasion (:-), but they don't have the authority to do it, whether they're regular laws or treaties or the laws implementing treaties. Also, the Senate has to approve treaties, though they often rubber-stamp them, just as they often give blanket regulation-making powers to various bureaucratic agencies. On the other hand, "US law" just means "the laws the politicians have made so far", which is a moving target - they can change them any time they want, though some laws are sufficiently entangled with other laws or political agendas that it's sometimes hard. Thanks! Bill Bill Stewart, [EMAIL PROTECTED] PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639
v-go by passlogix?
Does anyone here have knowledge about a product called V-Go by a company called Passlogix? It is supposed to ask as a "passport" program to web sites. It claims to use 128 bit blowfish as the encryption algorithm and use graphically based passphrase. The graphically based passphrase seems to lack enough entropy, but I have not examined it in detail yet. It is claimed to be used by a number of big-name e-commerce sites, including US Bank and others. Something makes me think that there is some form of snake-oil involved, but I cannot prove it. Any comments? Information? Rabid speculation? (No wait, that is Cypherpunks...)