Re: Ridding IP of logic, reason, and law
On Sat, 29 Jul 2000, Rich Salz wrote:

> > If the US federal government owns this algorithm, then it can't be
> > patented.
>
> I'm not sure if you are referring to SHA1 in particular, or in general.
> While I don't know about SHA-1, the US Government *can* own patents.
> For example, here's one that's actually kinda relevant. :)

Yeah, you're right. I remember the patent discussion came up a while back with the NSA's Semantic Forest thing. I think it's the heat, global warming is ruining my memory.

As I recall, though, there was at one time a provision of law in the US that the federal government couldn't copyright their documents. Maybe that is changed now. It still seems like US federal 'inventions' should belong to the people. Who the hell are they representing anyway?

[The U.S. government can't copyright things but it can patent them. Copyright is not the same as patents. --Perry]
MI6 Ciphers and Comsec
Stephen Dorril's 1999 book on MI6 (just out in the US) alludes to several ciphers and communications security methods whose names he has disguised on legal advice, presumably to avoid violation of Britain's Official Secrets Act. We would appreciate receiving information on these ciphers and methods for publication on Cryptome. Below are the excerpts from Chapter 36 of the book with disguises such as "B***."

Full chapter and publication data: http://216.167.120.49/mi6-sd36.htm

[Begin excerpts]

As part of MI6's obsession with security, a great deal of time is spent on being indoctrinated in cipher and communications work. Trainee officers are instructed on how to encrypt messages for transmission and how to use the manual B*** cipher which is regarded as particularly secure. Used at stations abroad to transmit details of operations, potential sources and defectors, B*** is sent either via the diplomatic bag or by special SIS courier. Officers learn about 'off-line' systems for the encryption of messages such as N* - used prior to transmission by cipher machines - and 'on-line' systems for the protection of telegrams during transmission, code-named H*** and T. They are indoctrinated into the use of certain cryptonyms for forwarding telegrams to particular organisations and offices such as SIS headquarters, which is designated A.

They also learn about code words with which sensitive messages are headlined, indicating to whom they may be shown. UK EYES ALPHA warns that the contents are not to be shown to any foreigners and are intended only for the home intelligence and security services, armed forces and Whitehall recipients. UK EYES B includes the above categories, the Northern Ireland Office, LIST X firms engaged in the manufacture of sensitive equipment, and certain US, Australian, New Zealand and Canadian intelligence personnel liaising with the Joint Intelligence Committee (JIC) in London. Additional code words mark specific exclusions and inclusions. E** material cannot be shown to the Americans, while L* deprives local intelligence officials and agencies of its content. Material for named individual officers, sometimes at specified times, is headed D or D, while particularly sensitive material about a fellow officer or operation is known as D**.

An MI6 station is usually sited in a part of the embassy regularly swept by technical staff for bugs and other electronic attack. It is entered using special door codes with an inner strongroom-type door for greater security. Following all the procedures learned during training, officers handling material up to the 'Secret' level work on secure overseas Unix terminals (S) and use a messaging system known as ARRAMIS. Conversations by secure telephone masked by white noise are undertaken via a special SIS version of the BRAHMS system. A special chip developed by GCHQ apparently makes it impossible even for the US NSA to decipher such conversations. Secure Speech System (H***) handset units are used by SIS officers within a telephone speech enclosure.

The most important room is electronically shielded and lined with up to a foot of lead for secure cipher and communications transmissions. From the comms room, an officer can send and receive secure faxes up to SECRET level via the C** fax system and S* encrypted communications with the Ministry of Defence (MoD), Cabinet Office, MI5 (codename SNUFFBOX), GCHQ and 22 SAS. An encrypted electronic messaging system working through fibre optics, known as the UK Intelligence Messaging Network, was installed in early 1997 and enables MI6 to flash intelligence scoops to special terminals in the MoD, the Foreign Office and the Department of Trade and Industry. Manned twenty-four hours a day, 365 days a year, and secured behind a heavy thick door, the cipher machines have secure 'integral protection', known as TEMPEST. MI6 officers abroad also work alongside GCHQ personnel, monitoring foreign missions and organisations."

[End excerpts]
Edupage: Warrants for Online Data Soar
From Edupage 28 Jul:

WARRANTS FOR ONLINE DATA SOAR

The federal government has rapidly escalated its seizure of U.S. citizens' online data in recent years, according to a new study conducted by USA Today. The results of the study, which show that the number of search warrants issued for online data is up 800 percent over the past few years, caught Capitol Hill lawmakers and civil libertarians off guard. The sought-after data includes cases regarding child pornography, fraud, violent crime, and harassment. USA Today confined its study to warrants served on America Online's networks, but Andrew Grosso, a lawyer specializing in computer law, says there has been an across-the-board increase in the number of warrants and subpoenas issued to all ISPs and e-mail providers. The study's findings were jarring to some federal lawmakers. House Majority Leader Dick Armey (R-Texas) is calling for law enforcement agents to explain why they are issuing such a high number of search warrants to service providers. (USA Today, 28 July 2000)
Re: A proposal for secure videoconferencing and video messaging over the Internet
we've had some of this discussion related to X9.59, namely that SSL verifies that the URL used and the certificate DNS info somewhat correspond. one problem is that many people don't necessarily arrive at a web site by actually typing the URL ... so provided URLs are one method of attack.

The other is that certificate DNS information is typically verified by the certification authority contacting the DNS authority. Issues with DNS hijacking (i do dns hijack of xyz.com and then apply for certificate for xyz.com) and other exploits can be addressed with DNS public-key (aka reliable DNS infrastructure) which could make SSL certificates superfluous and redundant (i.e. one explanation is that SSL certificates exist because DNS is unreliable ... but since the certification is dependent on reliable DNS ... and a reliable DNS can be achieved with addition of public keys to the DNS information ... then it becomes possible to obtain public keys directly from the reliable DNS authority at the same time the other DNS information is obtained).

the other part, is X9.59 requires that electronic payments transactions are electronically signed so only a specific payment might be subverted (supplying the wrong "pay-to" value) ... but additional payments could not be done with the information. Note however, the wrong "pay-to" value still needs to be a valid merchant identifier in the payment infrastructure.

The issue then becomes that the URL was supplied to the browser by a trusted method & a reliable DNS is available with some sort of public key authentication (whether with public key directly from reliable DNS or circuitous route via a certificate which came from a certification authority which verified with a reliable DNS).

misc. URLs:
http://www.garlic.com/~lynn/aepay4.htm
http://www.garlic.com/~lynn/

there are still some misc. issues where the wrong "pay-to" field is supplied for a signed payment transaction (say a hacked web site). pieces for this opportunity include are at the international/iso level for a global merchant identifier (effectively a "pay-to" value). A trade-group could be setup that provided a merchant-id/publickey binding. Even simpler yet, since a reliable DNS is already a requirement, it would be possible to register both a public key (to address issues like DNS hijacking) and a merchant-id. The DNS information, merchant public key, and optional merchant-id (i.e. "pay-to" in a payment transaction) could then be provided as part of a standard DNS operation (further illustrating certificates as being superfluous and redundant in AADS-like public key environments).

There are still some open issues regarding trusted path for supplying URL information and trusted browsers. Obviously trusted browser can include things like does the transaction the user "sees" being the same as the transaction the user authorizes/signs but then even simple aspects of existing SSL are also dependent on trusted browser (i.e. the browser actually checks for valid binding, sets up a private SSL session, etc).

To be fair, the sort of attack I described could work against SSL too. Certificates can confirm that www.example.com is who you are contacting, but certificates can't stop them from making their web site look just like www.example.net's and duping people into giving payment information to the wrong people. I think it would work especially well against a videoconferencing system though, because there is a certain trust inherent in face-to-face communications.
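
Added example, not part of the original message and not X9.59 or AADS code: a sketch of the two layers the message above distinguishes, a signature that binds "pay-to" and amount in one payment, and a pre-signing check of "pay-to" against a merchant-id published in DNS next to the merchant key. The record layout, function names and all values are constructed, the DNS answer is assumed to be already authenticated, and HMAC stands in for the consumer's public-key signature.

```python
import hashlib
import hmac
import json

# Constructed record: the post assumes a "reliable DNS" that returns a public
# key and a merchant-id with the address. This layout is hypothetical.
DNS = {"www.example.com": {
    "key_sha256": hashlib.sha256(b"constructed-merchant-key").hexdigest(),
    "merchant_id": "MERCHANT-0001",
}}
CONSUMER_KEY = b"constructed-consumer-key"  # HMAC stands in for the signature


def canonical(payment):
    """Serialise the payment deterministically so both sides sign the same bytes."""
    return json.dumps(payment, sort_keys=True, separators=(",", ":")).encode()


def sign(payment, key=CONSUMER_KEY):
    return hmac.new(key, canonical(payment), hashlib.sha256).hexdigest()


def bank_accepts(payment, signature, key=CONSUMER_KEY):
    """Bank side: the signature covers pay-to and amount, so edits invalidate it."""
    return hmac.compare_digest(sign(payment, key), signature)


def check_before_signing(host, presented_key, payment, dns=DNS):
    """Browser side: return problems found against the DNS-published binding."""
    record = dns.get(host)
    if record is None:
        return ["no DNS record with key and merchant-id for host"]
    problems = []
    digest = hashlib.sha256(presented_key).hexdigest()
    if not hmac.compare_digest(digest, record["key_sha256"]):
        problems.append("server key differs from key published in DNS")
    if payment.get("pay_to") != record["merchant_id"]:
        problems.append("pay-to differs from merchant-id published in DNS")
    return problems


if __name__ == "__main__":
    good = {"pay_to": "MERCHANT-0001", "amount": "10.00"}
    swapped = dict(good, pay_to="MERCHANT-0002")  # value supplied by a hacked page
    sig = sign(good)
    print(bank_accepts(good, sig))                         # signed payment verifies
    print(bank_accepts(dict(good, amount="99.00"), sig))   # reuse with edits fails
    print(bank_accepts(swapped, sign(swapped)))            # signature alone misses it
    print(check_before_signing("www.example.com", b"constructed-merchant-key", swapped))
```

The third call shows why the signature by itself does not cover the hacked-site case: a wrong but validly signed "pay-to" verifies, and only the comparison with the DNS-published merchant-id flags it.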
Re: Ridding IP of logic, reason, and law
> If the US federal government owns this algorithm, then it can't be
> patented.

I'm not sure if you are referring to SHA1 in particular, or in general. While I don't know about SHA-1, the US Government *can* own patents. For example, here's one that's actually kinda relevant. :)

Workflow management employing role-based access control
Inventors: Barkley; John (Darnestown, MD).
Assignee: The United States of America as represented by the Secretary of Commerce (Washington, DC).
Appl. No.: 980,908
Filed: Dec. 1, 1997

A workflow sequence specified by a process definition is managed by a workflow management system which enacts each segment in the order specified by that process definition. Role-based access control (RBAC) is used to define membership of individuals in groups, i.e., to assign individuals to roles, and to then activate the roles with respect to the process at appropriate points in the sequence. Any individual belonging to the active role can perform the next step in the business process. Changes in the duties and responsibilities of individuals as they change job assignments are greatly simplified, as their role memberships are simply reassigned; the workflow process is unaffected.
Ridding IP of logic, reason, and law
In that thread about calling RSA by another name, William Allen Simpson <[EMAIL PROTECTED]>, wrote:

>| Note that somebody is claiming patents on RIPEMD and SHA1, among many
>| other problems.

I suppose that I shouldn't be surprised. (heavy sigh)

FIPS 180-1 states:

| Patents: Implementations of the SHA-1 in this standard may be covered by
| U.S. and foreign patents.

I would think 'implementations' in that context means software systems that incorporated SHA-1, where the overall system includes the SHA-1 algorithm. (The citation for SHA-1 may have changed recently and it may be 180-2; but I doubt anything changed in the standard related to intellectual property. There was something in the Federal Register, but I don't recall the change being significant - maybe it passed its 5 year review?)

If the US federal government owns this algorithm, then it can't be patented. Of course this doesn't alter the fact that filing bogus patent claims has become an industry in itself, and damnably profitable, perhaps, like sin often is.