Re: it's not the crypto

2001-02-06 Thread Dan Geer


   The notion that e-mail should be permitted to contain arbitrary
   programs that are executed automatically by default on being opened
   is so over the top from a security standpoint that it is hard to
   find language strong enough to condemn it.  It goes far beyond the
   ordinary risks of end systems.

And, yet, digital rights folk argue that the only way
data can be self protecting (the pre-requisite for data
being out and about on its own), is to wrap said data
in a program which the recipient must execute.  All the
music royalty or email self-destruction stuffs basically
take this position.  If auto-update of software really 
does take hold, whether by contract (UCITA) or by choice
(whopping convenient, that), receiving an executable with
long-lived aftereffect will be part of every ordinary
person's day.

Not denying your point at all -- merely trying to look
well down range.  I'm a send-by-reference-not-by-value
sort of guy, but as I see the world, e-mail attachments
are doubtless now the poor man's distributed filesystem,
and the momentum is with ever increasing amounts of 
executables being transmitted.  Consider, for an example
actually rather related to this Javascript e-mail issue,
the case of Zaplets (http://www.zaplet.com) which has
$100M+ saying that this is the future, or the stored
procedures in many specialized Oracle applications that
take the form of Java applets you download silently to
execute on your end.  

Contemplating retirement off the grid,

--dan






Re: smartcards, electronic ballots

2001-02-06 Thread Dan Geer


This would seem relevant ...

http://dailynews.yahoo.com/h/nm/20010206/ts/voting_systems_dc_1.html

Tuesday February 6 12:23 PM ET Study: Old Voting Systems May Work Best

By Deborah Zabarenko

WASHINGTON (Reuters) - Looking back at Florida's election mess,
scientists say the old ways of casting a vote may work best: paper
ballots and lever machines give more accurate counts than punch cards
or electronic devices.

Another key message in a study of U.S. voting technology, released late
on Monday, seems to be that the machines are not always the problem.

``We believe that human factors drive much of the 'error' in voting,''
scientists from the California Institute of Technology and the
Massachusetts Institute of Technology said in a Feb. 1 report to a
task force that is studying voting problems in Florida.

Florida was the final battleground state in the hotly contested 2000
presidential race, with the outcome ultimately decided by the U.S.
Supreme Court more than a month after the Nov. 7 Election Day.

There were questions about voting equipment that may have hindered the
accurate counting of thousands of Florida votes, notably Palm Beach
County's controversial ``butterfly ballot,'' a two-column punch card
ballot that confused many voters.

Without mentioning the ``butterfly ballot'' specifically in this
preliminary report, the scientists wrote, ``Some technologies seem to
be particularly prone to over-voting (voting for more than one
candidate for a single office), such as the punch card systems
implemented in Florida in the 2000 election.''

Wide Range Of Equipment

Part of the problem is the wide range of voting equipment used across
the United States, starting with the simple paper ballots that were
common in much of the country in the 19th century and ending with the
direct-recording electronic devices (DREs) that were introduced in some
areas in 2000.

In between are punch card ballots, lever machines -- in which voters
enter a booth and flick switches by their preferred candidates, then
finally record their votes by pulling a large lever -- and optically
scanned ballots, where voters use pencils to fill in circles beside the
candidates they choose.

Examining data on election returns and machines from about two-thirds
of all U.S. counties over four presidential elections starting in 1988,
the scientists found that manually counted paper ballots ``have the
lowest average incidence of spoiled, uncounted and unmarked ballots.''

Lever machines and optically scanned ballots were most accurate after
paper ballots, the report said, while punch card methods and DREs,
which look and operate a bit like automatic teller machines, had
``significantly'' higher error rates.

The difference in reliability between the best and worst systems was
1.5 percent, the report said.

Part of the difficulty may lie in voters' unfamiliarity with new
technology, said the group of social scientists that included experts
on computers, politics and economics.

``We don't want to give the impression that electronic systems are
necessarily inaccurate, but there is much room for improvement,'' the
California institute's Thomas Palfrey said in a statement.




Re: Ashcroft on encryption

2000-12-23 Thread Dan Geer


 "We're not going to outlaw photography because someone takes dirty
  pictures. People use it for good things and bad things - and it's
  the same with encryption."
   -- Missouri Senator John Ashcroft (Rep.)


make that Attorney General Ashcroft.

--dan





Re: Schneier: Why Digital Signatures are not Signatures (was Re: CRYPTO-GRAM, November 15, 2000)

2000-11-19 Thread Dan Geer



 As the US banking system (and especially the bank clearinghouses controlled
 by the Federal Reserve system) has gone electronic, all the banks I know of
 have stopped bothering to verify the signatures on checks, and similarly
 those on credit- and debit-card drafts.  Getting them to start using digital
 signatures would be a big improvement over the current wide-open situation.

As compared to the State of Oregon which has now gone over
to keeping a digitized image of the ink signature of every
registered voter for visual verification, the better to run
its all-absentee election process, or for that matter FedEx,
UPS, and numerous P.O.S. terminals all of which have copies
of my hand signature, like it or not.

--dan





Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-05 Thread Dan Geer


Well put, Greg.  I do think that a small circle of trusted
friends is a tautology -- if it is not small, it cannot be
trusted.  Was it not ever thus?

--dan





Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-05 Thread Dan Geer


   How do they exchange public keys?  Via email I'll bet.

Note that it is trivial(*) to construct a self-decrypting
archive and mail it in the form of an attachment.  The
recipient will merely have to know the passphrase.  If
transit confidentiality is your aim and old versions 
of documents are irrelevant once the ink is dry on the
proverbial bond paper, this is quite workable and involves
no WoT at all, just POTS.

--dan

* trivial: memorizable by clerks in an all Windows world...





Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-05 Thread Dan Geer


I said,

Note that it is trivial(*) to construct a self-decrypting
archive and mail it in the form of an attachment.  The
recipient will merely have to know the passphrase.  If
transit confidentiality is your aim and old versions 
of documents are irrelevant once the ink is dry on the
proverbial bond paper, this is quite workable and involves
no WoT at all, just POTS.

Steve said,

No!  We've discussed this point many times before -- what if the 
attacker sends a Trojan horse executable?

David said,

If you have a secure channel to exchange a passphrase in,
you have no need for PK.

Correct to both critics.  I can, indeed, dictate the 40 page
contract that is to be signed tomorrow afternoon over my STU3
telephone, if indeed both parties have one.  I can rely on 
facsimile which is what J. Random Company's legal counsel
would otherwise likely do.  I can tell people never to accept
an executable mailed to them from anywhere, which will get
laughed at by all the people in the business world who mail
each other so many attachments that it can be truly said
that e-mail attachments are the poor man's distributed file
system.  All true.  There is, indeed, nearly no security if
one is really and truly serious.

What I had hoped to convey was that there was a certain amount
of "good" in getting the kinds of documents real businesses
exchange under time pressure all day every day to be encrypted
at a level of effort that approximates what they would be
doing anyway.  If the recipient needs no local environment
pre-conditions other than the genes to call me up when he
gets an attachment that says I demand a passphrase, I think
it is in fact fair to say that a cost-effective improvement
has been snatched from the jaws of defeat.  Maybe, just maybe,
if I can train them to think that unencrypted = anomalous
we can take a step that matters, like locally installing some
software whose miserable usability is proportional to its
endorsement by the local security guy.

There is nearly nothing I can do to prevent you from stealing
my car if you want it way bad, but I sure as hell can make
stealing my neighbor's car more attractive than stealing mine.
That is risk management.

--dan





Re: Electronic elections.

2000-05-29 Thread Dan Geer



Along the same lines as this discussion, http://www.ivta.org
was recently brought to my attention in/on the "cert-talk"
([EMAIL PROTECTED]) mailing list.

I appreciate that pointer (and others like it such as are appearing
here and elsewhere) a great deal, especially in quotation:

   "Encryption alone is not sufficient for an Internet voting process
because voting is not an e-commerce transaction.  Anonymity and
integrity must be assured, and we must know that the results in an
election have not been tampered with in any step of the process."

as it demonstrates in full that, as in all of engineering, the
heavy lifting is in getting the problem statement right.  The
advocates of Internet voting do not, repeat, do not have the
problem statement right.

There is no doubt whatsoever that the sanctity of a vote once
cast can be absolutely preserved as it is moved from your house
to the counting house.  What cannot be done, now or ever, is to
ensure the sanctity of the voting booth anywhere but in a
physical and, yes, public location attended to by persons both
known to each other and drawn from those strata of society who
care enough to be present.  There are no replacements for the
voting booth as a moment of privacy wrapped in inefficient but
proven isolation by unarguable witness, a place where we are
equal as in no other.  Move the dispatch of a vote to a remote
browser and $100 bills, concurrent sex acts, a pistol to the head,
wife-beating or any other combination of bribes and coercion is
an undiscoverable concomitant of the otherwise "assured"
integrity of the so-called vote.

Internet voting is anti-democracy and those who cannot bestir
themselves to be present upon that day and place which is never
a surprise to do that which is the single most precious gift of
all the blood of all the liberators can, in a word, shut up.

Trust is for sissies,

--dan





NPR on NSA

2000-03-21 Thread Dan Geer


off topic, but

http://search.npr.org/cf/cmn/cmnpd01fm.cfm?PrgDate=03/14/2000&PrgID=3
http://search.npr.org/cf/cmn/cmnpd01fm.cfm?PrgDate=03/15/2000&PrgID=3
http://search.npr.org/cf/cmn/cmnpd01fm.cfm?PrgDate=03/16/2000&PrgID=3

contains a three part series on the NSA and listening posts;
many familiar names heard from; less than 1/2 hour in sum

--dan





Re: US congressman blasts China crypto policy

2000-02-11 Thread Dan Geer


previously sent to WSJ:


|  To the Editor:
|  
|  As reported, the Chinese government has moved to restrict the use
|  of privacy-enhancing technologies and to surveill use of the Internet
|  generally.  Any country that does that ensures that in the global
|  economy the only role they can play is that of coolie labor.  How
|  ironic for China to choose for itself such a role at this late date.


--dan




Re: Interesting point about the declassified Capstone spec

2000-02-11 Thread Dan Geer


I agree with Peter and Arnold; in fact, I am convinced that
as of this date, there are only two areas where national
agencies have a lead over the private/international sector,
namely one-time-pad deployment and traffic analysis.  Of those,
I would place a bet that only traffic analysis will remain an
area of sustainable lead, that traffic analysis is the only
area where commercial interests will not naturally marshal
the resources to threaten the lead of the national agencies.

--dan




Re: financial crypto - like conferences

2000-02-08 Thread Dan Geer


I need to know whether any of you know any other financial-crypto-like
international conferences in the second half of this year. I want to submit
several of my papers, and I can't wait for FC 2001. The conference need not
be very theoretical or very prestigious, preferably a little bit
'applicative', as long as the submission deadline has not passed yet :-)


USENIX Security Symposium
August 14-17 in Denver
submission deadline is Thursday of this week
 http://www.usenix.org/events/sec2000
or, more specifically,
 http://www.usenix.org/events/sec2000/cfp/how_to_submit.html

I am an officer of the organization and board liaison
for this conference.  The audience here is, without doubt,
the most engineeringly intense you are likely to find in
a venue of scientific merit and commercial applicability.
Expect keen competition should you choose to submit.

--dan




Re: The problem with Steganography

2000-01-26 Thread Dan Geer


If the picture was taken by an actual camera, the least significant
bits will be random due to the nature of the way CCDs work in the real
world.  They might be biased, but it's not very hard to bias a
"random" data stream.  You could have the sender look at the bias in
the odd frames, and use that in the following even frames, if the bias
is similar.  The recipient could compute the bias in the odd frames,
and use that to normalize the stego in the even frames before applying
the crypto.  If the scene changes drastically, the bias may change,
the sender wouldn't encode anything in that frame, and the recipient
will need to resync somehow.  

Stego is subtle, but it's not impossible.


After thinking about this a bit, perhaps the point is that any
conversion, light-on-CCD to bits, bits to paper, etc., has a
certain amount of bias-able "random" data and hence it is
likely that any such process has a fingerprint that might even
be unique as, of course, the color copier example shows can be
made intentional.

My knowledge of media reproduction technology in the large is
near zero, but if a color copier can identify itself what is to
keep it from identifying the time of day or serial numbering
the individual copy or silently including a photo of the
operator?  Larger still, what's to prevent adding such a
fingerprint to every copy of National Geographic, to every film
processing lab's printing system, to every copy of every MP3
file, to the transmission of every PCS phone, etc., etc.?

In short, is steganography the ultimate surveillance tool?

--dan




Re: Blue Spike and Digital Watermarking with Giovanni

2000-01-17 Thread Dan Geer


Working for Xerox I can assure you that all of our colour machines together
with all our competitors colour machines leave a "trace".

Pointer to how this trace is applied, recorded, accounted for,
and handled when components are swapped out?  

--dan




PGP on an e-commerce site

2000-01-03 Thread Dan Geer


My daughter was ordering a CD this evening from the site cdnow.com
and I noted that besides the SSL option they also had a PGP option.
Take a look at 

http://www.cdnow.com/cgi-bin/mserver/SID=0/pagename=/RP/HELP/order.html#8q

This is new to me.

--dan




Re: fwd: $100 secure phones from Starium

1999-11-26 Thread Dan Geer


Did this "$100 secure phone" ever come to pass?

I stopped off at http://www.starium.com/ but the page is
unmodified since April last.

Starium-ites, are you out there?

--dan




Re: draft regulations?

1999-11-24 Thread Dan Geer


... For that matter, what is "export"?  Posting something to Usenet?
Putting it up on a Web page or FTP server?  The act of downloading it?

Egad, Steve, a highest and best use for spam.  I'll buy
those 300,000 e-mail addresses and send them all a copy
of the GPG source, each with another of those 300,000
addresses as apparent sender, of course.  Or maybe chain
letters; yeah, chain letters are good.

Melissa, come here. I need you.

--dan




Re: ECHELON Watch

1999-11-17 Thread Dan Geer


  ACLU today launched a new web site www.echelonwatch.org...
 
 I find the phrasing of this site curious...

You're talking about end-product...

It is my strong suspicion that whereas the lead
enjoyed by national agencies in crypto matters
is substantial, such leads as they may still enjoy
are diminishing rapidly with one exception, viz.,
traffic analysis.  In that area -- the intelligence
value of knowing who is talking to whom, by what
channel, and with what pattern -- their lead is
vast and likely sustainable.  I suspect that this
is the highest and best use of the Echelon data.
That cataloging is of immense value, witness the
vigor of the pushing and shoving in the matter
of what it was that J. Pollard disclosed.

--dan




yet another example of a secret signature

1999-11-01 Thread Dan Geer



Always collecting examples of "secret signatures" 
that predate all the stuff we do, I offer this for
your amusement/pleasure.

--dan


==

"Marion Dorset," Progressive Farmer, November 1999, p31.

His solution to hog cholera saved producers millions
...
Besides contributing to the hog cholera vaccine, Dorset also
invented the purple ink stamp that identifies USDA-inspected
meat -- an ink that's used to this day.  USDA won't reveal
what's in Dorset's formula.  It is kept secret to avoid
replication of the stamp.

==




Re: 56 Bits?????

1999-10-29 Thread Dan Geer


[a] A 56-bit key of any algorithm, on any modern production machine
is, as far as I can tell, absolutely unconscionable.

[b] .. It would seem to be a relatively simple
matter for Apple to offer strong crypto domestically & weak
crypto everywhere else; Netscape and Microsoft already do this
with their browsers.

Well, folks, on any other day the more hypergraphic
cross-posters to/on/at these lists would be vigorously
damning the regulatory necessity of American versions
different from non-American versions as proof of the dark
side's impending triumph.  It is so ironic to contemplate
damning a vendor for making you a citizen of the world.

As much as I am myself a devout believer in crypto privacy
verging on crypto anarchy, I suggest that "we" are
seriously in danger of making the best the enemy of the
good when we delude ourselves that first rate crypto can
trivially appear in any mass market consumer gizmo
commoditized to a fare-thee-well.  Speaking with all the
wisdom I can distill from my own security career in the
real world of competing demands and distracted management
chains, keeping honest people honest is a palpably high
goal, perhaps the highest goal for which you can build a
mass market product.  Me, I'll use/buy the bloody best I
can, but I will rest vastly easier when even middling
encryption is a pervasive reality, i.e., when everybody's
mother is using 56 bits my 128 bit super-encryption will
be just as secure but much less likely to garner unwanted
attention from people I can never outspend.

In the meantime, buy-side companies driven by "prudent
man" risk management are not now nor will they ever be as
paranoid as we here are, and per the iron whim of the
market it is their dollars that rule.

--dan

-
Learn to be invisible




Re: Digital Contracts: Lie in X.509, Go to Jail

1999-10-19 Thread Dan Geer


 For details of how to order, see www.xs4all.nl/~brands/order.txt

What is it about wanting to change the instantaneous & electronic world
that generates this sort of time & paper hazing ritual?

Yours in irreverent confusion,

Lightning Rod





Re: graphical authentication

1999-10-09 Thread Dan Geer



Mention was made recently of a graphical keying method out of
stanford (?) for palm-pilots. Does anyone have a reference or url
for the paper/code involved?


Best paper at USENIX 8th Security Symposium
http://www.usenix.org/publications/library/proceedings/sec99/jermyn.html


The Design and Analysis of Graphical Passwords

Ian Jermyn, New York University; Alain Mayer, Fabian
Monrose, Michael K. Reiter, Bell Labs, Lucent
Technologies; and Aviel D. Rubin, ATT Labs--Research

Abstract

In this paper we propose and evaluate new graphical
password schemes that exploit features of graphical input
displays to achieve better security than text-based
passwords. Graphical input devices enable the user to
decouple the position of inputs from the temporal order in
which those inputs occur, and we show that this decoupling
can be used to generate password schemes with
substantially larger (memorable) password spaces. In order
to evaluate the security of one of our schemes, we devise
a novel way to capture a subset of the ``memorable''
passwords that, we believe, is itself a contribution. In
this work we are primarily motivated by devices such as
personal digital assistants (PDAs) that offer graphical
input capabilities via a stylus, and we describe our
prototype implementation of one of our password schemes on
such a PDA, namely the Palm Pilot(TM).

--dan




Re: Is There a Visor Security Model?

1999-09-22 Thread Dan Geer


The Palm's security model is, by most accounts I've seen, non-existent.

The issue is the lack of memory protection, i.e., that there is no
protected space for keying material.  Visor is said to use the PalmOS
as is, so that is not a magic wand.  Of course, if your OS has no memory
protection, you can always rely on yet another external hardware 
device, as has already been mentioned.

--dan




Re: No liberalization for source code, API's

1999-09-21 Thread Dan Geer



I will be on stage at a minor league debating forum with Bill Reinsch
on Thursday of this week.

If you had one question you would want asked, what would it be?

Reply directly, please.  I'll read it all late Wednesday.

--dan




Re: IP: Clinton comes after the Internet by Joseph Farah

1999-08-10 Thread Dan Geer



A working group like this with only two years to go in
an administration worrying about its place in history
must be one of two things, only:

1. we are referring this to committee so that we can say
we did something without having actually to do anything
(what is sometimes rendered in Italian as a "bella figura")

2. we already have our draft conclusions in white paper
form and we need to have the appearance of due process

A betting pool might be in order, but I narrowly favor #2

--dan




Re: US Urges Ban of Internet Crypto

1999-07-28 Thread Dan Geer

[Forwarded because no one has brought up this notion in a while. My
problem with it is that most people don't seem to like the 2nd
amendment any more so this can hardly help to popularize the cause. My
feeling is that the 4th and 5th amendments have more potential
protection in them. --Perry]

John, et al.,

In a moment of logic, as if that mattered,

WHEREAS
   By the declaration of the state, cryptographic capacity is a weapon, and
WHEREAS
   By the facts of use, cryptographic capacity is a personal weapon, and
WHEREAS
   The (US) Second Amendment denies the (US) federal government the
   authority to restrict personal weapons,
THEREFORE
   The right to bear crypto is a (US) constitutional right.

Of course, logic has nothing to do with it because the very
definition of politics is the art of making decisions based
on the manipulation of emotion, but I am, whether by choice
or by genotype, a man of logic and not of emotion, though I
am pissed off...

--dan




Re: Sen. John McCain

1999-06-29 Thread Dan Geer


McCain replied by stating his problem this way: he's sitting across
the table from the Secretary of Defense, the CJCS, and the other
leaders of the national security community, and they tell him
encryption exports will harm national security. What can he say in
response?

Ask, as you say in reverse, whether they have any
idea how to actually get domestic use restrictions
without becoming the enemy of every persuasion.
Point out that without domestic use restrictions, 
the current debate is just so much hogwash.

--dan




Re: Padlock Size was Re: so why is IETF stilling adding DES to protocols? (Re: It's official... DES is History)

1999-06-29 Thread Dan Geer


 The point is that in Netscape, it is very hard to tell if a given link
 is 40 bit or 128 bit. Sure, with enough poking around looking at page
 info you could probably figure it out. Or maybe someone knows if the
 little padlock means something like the little key used to. But I'm a
 crypto-sophisticated person, and I don't know. What about people who
 don't understand the technology at all?

Good point


1. when evaluating, never underestimate the lure of convenience

2. Paul Kocher has found, as I recall, that the percentage of
browsers that are 40bit is *growing* because of the inconvenience
and invasiveness of what extra effort it takes to get your hands
on the 128bit stuff.

3. having inertia & ignorance on your side is strongly advantageous

--dan




Re: Wiretaps tripled last year, and U.K. Parliament criticizes Enfopol

1999-05-21 Thread Dan Geer


 ... About three-quarters of the
 1,329 wiretaps authorized were related to drug cases,

And, FWIW, the score was 1329 approved and 2 rejected,
though the FBI will and does rightly say that if you
want to keep real score you should include the successful
Motions to Suppress (evidence) when evaluating the cost
and return of the wiretap program (from the law enforcement
balance sheet perspective).

They also will and do say that communications intercept
is much less their worry than encrypted data storage
where a search warrant, i.e., after a probable cause
has been developed, is obtained so as to confirm the
grounds for that finding of probable cause only to then
discover that the smoking-gun evidence is encrypted
in bulk and therefore beyond reach.  (Scenario: "You
are right, I encrypted that data and I would give you
the key, really I would, but the trauma of my arrest 
has caused me to forget the password and I never wrote
it down anywhere, honest!")

--dan, who debated Bill Reinsch, Barry Smith & Stewart Baker
only yesterday (though hardly single-handedly)...




Re: [IWAR] CRYPTO An Analysis of Shamir's Factoring Device

1999-05-05 Thread Dan Geer



I think that our history books should have a
small line notation that in the space of four
months, both DES-56 and RSA-512 were shown to
be crackable within the capacity of a single
wealthy individual, much less a national lab.
As these correspond to the limits embodied in
the exportability debate, I believe that said
debate is therefore closed.  Whether effective
and outright domestic use restrictions are now
the game remains the only imponderable.

--dan




Re: IPSEC on a Palm III?

1999-04-08 Thread Dan Geer


OTOH, a Palm isn't quite a 'secure' OS, either..  Sure, you can at
least see what you are signing, but there is no secure key storage
available.  A trojan application could easily steal your credentials
off a PalmPilot.  I don't know if this is the case for an iButton.



Adoption rates for hand-helds hinge on multi-functionality
(something for everyone who'll buy) yet the power of the
hand-held hinges on secure OS (authorization with teeth,
as we here understand the concept).


          | secure OS | multifunction
----------+-----------+--------------
smartcard |    yes    |      no
----------+-----------+--------------
Palm      |    no     |     yes


So, which is easier to fix -- adding a security kernel to
the Palm or adding multi-function-ness to the smartcard?

I'd say the security kernel for the Palm is by far easier
unless and until the physics of the smartcard flex requirement 
are beaten somehow -- but why bother?  Except as a container
object, I'd say that the niche smartcards occupy is going
away and going away fast.  Wallet elimination versus wallet
thinning, as it were.

--dan




Re: Stego for watermarking Perl5 code?

1999-03-23 Thread Dan Geer


Shabbir,

In the 70's and early 80's, I was part of a team distributing
a modestly massive Fortran program that we wanted people to
use but not commercialize.  Our solution then, well before we
all got so smart, was to convert every label, variable, subroutine
name, etc., to a random sequence of M, W and N, all six characters
long (3^^6=729) and that seemed to derail the modifiers.  We did,
for what it is worth, hide a customer identifier in there somewhere.

Low tech, but it seemed to work.

--dan
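A worked version of the renaming scheme described above, added here as an example and not the original team's tool. It assumes a toy Fortran-like snippet constructed inline, a minimal reserved-word list, and, going beyond the post (which only says a customer identifier was hidden "somewhere"), that the identifier is hidden by deriving the whole renaming permutation from the customer ID, so a leaked copy can be traced back by regenerating each customer's mapping.

```python
"""Identifier-renaming watermark: every label, variable and subroutine name
becomes a 6-character string over {M, W, N} (3**6 == 729 candidates).
Added example; the Fortran snippet, reserved-word list and the
customer-derived permutation are all assumptions, not the original tool."""
import hashlib
import itertools
import random
import re

ALPHABET = "MWN"
NAME_LEN = 6
# All 729 possible names, in a fixed order so permutations are reproducible.
POOL = ["".join(p) for p in itertools.product(ALPHABET, repeat=NAME_LEN)]

# Keywords that must survive the rewrite (constructed, minimal Fortran subset).
RESERVED = {"PROGRAM", "SUBROUTINE", "END", "CALL", "INTEGER", "REAL",
            "DO", "IF", "THEN", "ELSE", "RETURN", "PRINT", "CONTINUE"}
# Whole-word identifiers only; numeric labels and literals are left alone.
IDENT = re.compile(r"\b[A-Za-z][A-Za-z0-9_]*\b")

# Constructed sample program (not from the post).
SAMPLE = """      PROGRAM DEMO
      INTEGER COUNT, TOTAL
      REAL RATE
      COUNT = 10
      RATE = 1.5
      CALL ACCUM(COUNT, RATE, TOTAL)
      PRINT *, TOTAL
      END
      SUBROUTINE ACCUM(N, R, T)
      INTEGER N, T
      REAL R
      T = N * R
      RETURN
      END
"""


def collect_identifiers(src):
    """Return renamable identifiers (upper-cased) in first-seen order."""
    seen = []
    for tok in IDENT.findall(src):
        up = tok.upper()
        if up not in RESERVED and up not in seen:
            seen.append(up)
    return seen


def mapping_for(customer_id, identifiers):
    """Derive a customer-specific permutation of the name pool.

    The secret is the permutation itself: no single token carries the
    customer ID, so there is nothing obvious for a modifier to strip."""
    if len(identifiers) > len(POOL):
        raise ValueError("more than 729 identifiers; lengthen the names")
    digest = hashlib.sha256(customer_id.encode()).digest()
    rng = random.Random(int.from_bytes(digest[:8], "big"))
    shuffled = POOL[:]
    rng.shuffle(shuffled)
    return dict(zip(identifiers, shuffled))


def obfuscate(src, customer_id):
    """Rewrite src for one customer; returns (new source, mapping)."""
    table = mapping_for(customer_id, collect_identifiers(src))

    def sub(m):
        return table.get(m.group(0).upper(), m.group(0))

    return IDENT.sub(sub, src), table


def identify_customer(suspect_src, original_src, candidates):
    """Trace a leaked copy: the customer whose regenerated mapping matches
    the most names in the suspect source. Returns (customer_id, hits)."""
    ids = collect_identifiers(original_src)
    suspect_names = set(collect_identifiers(suspect_src))
    best = None
    for cid in candidates:
        hits = sum(1 for n in mapping_for(cid, ids).values() if n in suspect_names)
        if best is None or hits > best[1]:
            best = (cid, hits)
    return best
```

Identifiers inside string literals or comments would also be rewritten by this regex, which a real tool would need to skip.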




Re: fyi Duke/HP CPU average 3.75 hrs to crack 40-bit crypto

1999-01-16 Thread Dan Geer



old rumor brought to mind by:

...
The UNIX password, a more-formidable challenge, allows users to specify up
to 5,132,188,731,375,620 combinations of letters, numbers or symbols.
"The machine we had access to doesn't quite have enough computing power,"
Kedem acknowledged. "I think it would take us almost a year to break a
UNIX password outright.
...

was that our friends at the Fort long ago (like early 80's)
simply computed the entire UNIX password space, sorted it to
tape, and kept the index around for whenever it seemed useful

any confirming/disconfirming comments?

--dan