Re: IP: FBI To Require ISPs To Reconfigure E-mail Systems (fwd)
I believe this report refers to FBI guidelines whose implementaion is being worked out by direct consultation with telecommunication carriers: http://cryptome.org/fbi-flexguide2.htm The original date of compliance with these guidelines was September 24, 2001, but after widespread complaint to the FCC from the telecomm industry about infeasibility of compliance by the deadline, the FCC granted an extension in time to be set for each service provider in consultation with the FBI. That FCC order is with the file above. What other distinctive arrangments are being made with telecomm providers may be difficult to determine since each can cut a deal to fit its unique position without having to submit to a general standard. It is not yet clear if these private arrangements will be made fully public or if the FCC will allow concealment under rubric of privileged business information -- or, to fit the times of peril, for national security reasons. It will be interesting which ISPs join the big time ranks of legacy telecomm providers by offering services to fit the urgency for all uniting in patriotic fervor to kill the ISP dissidents unwilling to betray their customers. Lots of stellar Internet leaders changing sides as reported in National Journal's Technology Daily and other media, not to say media itself. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
IP: FBI To Require ISPs To Reconfigure E-mail Systems (fwd)
[From Dave Farber's "Interesting People" mailing list. Anyone have any confirmation of the story?] > National Journal's Technology Daily > > PM Edition > > October 16, 2001 > > HEADLINE: PRIVACY: FBI To Require ISPs To Reconfigure E-mail Systems > > PHOENIX -- The FBI is in the process of finalizing technical > guidelines that would require all Internet service providers (ISPS) to > reconfigure their e-mail systems so they could be more easily > accessible to law enforcers. The move, to be completed over the next > two months, would cause ISPs to act as phone companies do to comply > with a 1994 digital-wiretapping law. "They are in the process of > developing a very detailed set of standards for how to make packet > data" available to the FBI, said Stewart Baker, an attorney at Steptoe > & Johnson who was formerly the chief counsel to the National Security > Agency (NSA). > > The proposal is not a part of the anti-terrorism legislation currently > before Congress because the agency is expected to argue that the > Communications Assistance for Law Enforcement Act (CALEA) already > grants it the authority to impose the requirement, Baker said. He > added that some ISPs already meet the requirements. > > Baker, who frequently represents Internet companies being asked to > conduct electronic surveillance for the FBI, made the revelation > Tuesday in a panel discussion at the Agenda 2002 conference here on > how the Sept. 11 terrorist attacks are likely to affect the technology > industry and civil liberties. He elaborated on the plan in an > interview. > > Such a stance could result in considerable cost to many ISPs, and it > would constitute a reversal of previous government policy, which held > that ISPs are not subject to CALEA's requirements. But Baker also said > "it has been a long-term goal of the FBI and is not just a reaction to > Sept. 11." > > Mitchell Kapor, chairman of the Open Source Application Foundation and > a founder of Lotus Development, also spoke on the panel. Kapor also > started the Electronic Frontier Foundation (EFF) and has been a vocal > advocate of Internet privacy. EFF played a significant role in the > CALEA debate, and divisions over whether to support that law led to a > split of the organization. > > "Under the cover of people's outrage [over the terrorist attacks] and > desire for revenge, lots of things that have been defeated before have > been brought back in [to the anti-terrorism legislation] without a > demonstration that the lack of appropriate law is a problem," Kapor > said in an interview. But on the whole, Kapor and Baker shared more > common ground on the acceptability of new electronic surveillance than > they had in the past, with both expressing the view that now is a time > for calm reconsideration of positions rather than butting horns over > the details of how civil liberties would be curtailed by an > anti-terrorism bill. > > "I find myself more in the middle than I used to because my identity > in life is not as a civil liberties advocate," Kapor said. "Part is > being an American and a world citizen." Baker said it was entirely > appropriate for the FBI to conduct far more surveillance. > > "What has changed [since Sept. 11] is the view of the technology > community," Baker said. "I used to get calls like, 'How can I beat the > NSA?'" said Baker. "Now, people call and say, 'I have this great idea > that would help NSA,' or, 'I want to go volunteer and do outreach on > behalf of the FBI or NSA.' There is a real change of people's view > about who the bad guys are." -- Perry E. Metzger[EMAIL PROTECTED] -- "Ask not what your country can force other people to do for you..." - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
ACM Forum on Legal Regulation of Technology
>Date: Wed, 17 Oct 2001 06:55:24 -0700 >From: "Edward W. Felten" <[EMAIL PROTECTED]> >To: [EMAIL PROTECTED] > >[Feel free to forward this to anyone who might be interested.] > >=== >ACM Forum on Legal Regulation of Technology >(http://www.cs.princeton.edu/lawtech) > >Laws and legal regulations are increasingly affecting what technologists >can do. The ACM Forum on Legal Regulation of Technology is a new venue for >technologists to discuss how the law is changing their work. > >There are many examples of the law's impact on technology. The growth of >intellectual property claims, including software and business-model >patents, has affected many technologists. Prohibitions on specific >technologies, such as those in the U.S. Digital Millennium Copyright Act, >have affected both researchers and practitioners. Applications of >antitrust law have shaped the landscape for companies both large and small. > >Legal scholars have been discussing these issues for some time, but >computer scientists have not been nearly as active in the debate. The >forum seeks to bring technologists into the debate. Although we welcome >the contributions of legal scholars, the forum belongs to technologists >and has a technology-centric view. > >Many discussions will necessarily focus on the laws of a particular >country, often the United States, but the forum is international in scope. >Discussion of any country's laws will be welcome. In light of economic >globalization, international treaties, and countries' efforts to harmonize >their laws with each other, we expect technologists throughout the world >to face many of the same issues. > >The forum will follow the model of ACM's successful RISKS Forum, issuing a >periodic digest of contributions. Contributions will be chosen by a >moderator, and generally will be short but may point to lengthier >discussions elsewhere. > >The forum is sponsored by ACM. It is hosted by the Department of Computer >Science at Princeton University. The moderator is Edward W. Felten. > >=== >How To Subscribe > >To subscribe, send an email message to [EMAIL PROTECTED] The >body of the message should contain the single line "subscribe lawtech". If >all goes well, you will receive a reply message saying that you have been >subscribed to the forum. James S. Tyre mailto:[EMAIL PROTECTED] Law Offices of James S. Tyre 310-839-4114/310-839-4602(fax) 10736 Jefferson Blvd., #512 Culver City, CA 90230-4969 Co-founder, The Censorware Project http://censorware.net - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: limits of watermarking (Re: First Steganographic Image in theWild)
At 2:23 AM -0700 10/17/01, Ben Laurie wrote: >The thing that gets me about all this is that exactly the same argument >can be made for all existing media - and, although piracy is rife, >no-one is attempting to mark videotapes or CDs, AFAIK. So why all the >fuss about more modern digital media? Has no-one noticed all the ripped >videotapes, CDs and DVDs? Are we really expected to believe the whole >media reproduction industry is ever going to switch over to producing >each disc individually, expensively watermarked? So what's the real >agenda? Probably to maximize profit. Look at the DVD encryption. Encode the media differently for different markets, thereby allowing you to sell at higher prices in rich countries while still being able to make a modest profit at lower prices in poorer countries. I don't see much use for individually watermarked media. It is too easy to collect several copies and find the watermark with a diff operation. Cheers - Bill - Bill Frantz | The principal effect of| Periwinkle -- Consulting (408)356-8506 | DMCA/SDMI is to prevent| 16345 Englewood Ave. [EMAIL PROTECTED] | fair use. | Los Gatos, CA 95032, USA - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: limits of watermarking (Re: First Steganographic Image in the Wild)
In article <[EMAIL PROTECTED]>, Ben Laurie <[EMAIL PROTECTED]> wrote: > b) Even if physical media goes away, individual watermarking blows away > multicast - and broadband will just never work without that. It is true that broadband isn't viable if it requires a high-bandwidth from one source to every end user; the stream has to be exploded at some replication points near the viewers. But that replication doesn't have to be done by the routers; it can also happen at a distributed network of servers, which can be intelligent enough to add watermarking at a cost on the same order of the cost to provide SSL. This sort of server-based multicasting is widely deployed today by Akamai and others, and has been far more successful than router-based multicasting. -- Shields. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: limits of watermarking (Re: First Steganographic Image in the Wild)
Matt Crawford wrote: > > > a) I believe physical media will always have higher bandwidth than > > broadband - why? Because you have to feed the broadband from somewhere, > > and archive it somewhere. > > You can use an expensive physical medium to drive your transmission. > If you sell atoms, you have to use a cheap medium. I'll admit that my argument doesn't stand up to severe testing - but I think it is important that in general the receivers of the stream will also want to store it (certainly my almost complete transition to TiVo-ized TV viewing [what little I do] would support that theory :-). Which is what I meant by "archive it somewhere", but I see now was far from clear. Cheers, Ben. -- http://www.apache-ssl.org/ben.html "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Security Research (Was: Scarfo "keylogger", PGP )
David Jablon writes: > > Not until vendors are held legally accountable for negligent design. > > Maybe someday, somehow, there will be a class action law suit. > (I saw a recent infosec conference flyer that had some silly quote > about the annual cost of viruses or something being in the > $100,000,000,000 range. :-) This is probably a silly question, but why isn't such a class action lawsuit launched? The stock answer I always here is the EULA. However, it is my understanding that if a manufacturer (say a car company) tried to disclaim or limit liability in the manner in which the software industry does, any court would throw out the disclaimer and impose its own standard. Can you imagine buying a Ford Explorer with the statement like: "not liable for any damages Under no circumstances will our liability exceed the original cost of the product." ? Now, can the lawyers please correct my ignorance. Paul - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: limits of watermarking (Re: First Steganographic Image in the Wild)
> a) I believe physical media will always have higher bandwidth than > broadband - why? Because you have to feed the broadband from somewhere, > and archive it somewhere. You can use an expensive physical medium to drive your transmission. If you sell atoms, you have to use a cheap medium. > It seems to me that putting the details of the purchaser in plaintext on > the beginning of the file and making it illegal to remove it is as good > a protection as you are ever going to get - but that would ruin a whole > bunch of business plans, so I guess no "expert" is going to admit that. On this, I agree. Just like some more mundane security issues, you can heap endless layers of mummery and confusion on top, but at the bottom you often find a "secret" in long-term storage in the clear. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Scarfo "keylogger", PGP
At 09:59 AM 10/16/2001, Peter Fairbrother wrote: >The affidavit is extremely complex and hard to unravel, whether to try to >preserve secrecy, in the hope that it will confuse the defence/Court, or >perhaps it's just legalese, I don't know. I spoke to someone a couple of years ago who had tried to establish a set of technical standards for handling host security logs so that they could be used as legal evidence, and ran into a stone wall at the Justice Department. Evidently they feared that defendants could manipulate any such standards to ensure that *no* electronic evidence could ever stand up in court. I suspect the affidavit is badly written so that it meets the minimum standard for the court while providing as little useful information as possible. Rick. [EMAIL PROTECTED]roseville, minnesota "Authentication" in bookstores http://www.visi.com/crypto/ - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Scarfo "keylogger", PGP
At 05:21 AM 10/16/2001, Ben Laurie wrote: >Rick Smith at Secure Computing wrote: > > >Is this a serious security failure in PGP? > > > > No, it's a problem with any programmable computer. If you can install new > > programs, you can install changes to existing programs. > >That is not true - its a function of the OS and the type of access you >have. I can install new programs on my Unix box but without root I >cannot change existing programs, for example. If you have physical access to a commercial computing device, be it Unix or Microsoft or anything else, and you have the right tools, you can reprogram the OS, the applications or both, to do whatever you want. The tools aren't that expensive or that hard to acquire, especially for an intelligence/law enforcement organization. Physical access always trumps the software access controls which we must rely on to protect the plaintext and passphrases handled by PGP. Rick. [EMAIL PROTECTED]roseville, minnesota "Authentication" in bookstores http://www.visi.com/crypto/ - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Sen. Gregg changes his mind, won't introduce anti-encryption bill
http://www.wired.com/news/conflict/0,2100,47635,00.html Senator Backs Off Backdoors By Declan McCullagh ([EMAIL PROTECTED]) 2:00 a.m. Oct. 17, 2001 PDT WASHINGTON -- Sen. Judd Gregg has abruptly changed his mind and will no longer seek to insert backdoors into encryption products. A spokesman for the New Hampshire Republican said Tuesday that Gregg has "no intention" of introducing a bill to require government access to scrambled electronic or voice communications. "We are not working on an encryption bill and have no intention to," spokesman Brian Hart said in an interview. Two days after the Sept. 11 attacks, Gregg strode onto the Senate floor and called for a global prohibition on data-scrambling products without backdoors for government surveillance. Gregg said that quick action was necessary "to get the information that allows us to anticipate and prevent what occurred in New York and in Washington." A few days later, Gregg told the Associated Press that he was preparing legislation "to give our law enforcement community more tools" to unscramble messages in hopes of fighting terrorists. [...] - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: limits of watermarking (Re: First Steganographic Image in the Wild)
Ben Laurie wrote: > The other obvious weakness in such a scheme is that the player can > be modified to ignore the result of the check - rather like > defeating dongles, which have yet to exhibit any noticable > resistance to crackers. I think though that that weakness is more workablee -- for example playstations can be "chipped" to work from copies of CDs, however probably the proportion of the market willing to make hardware modifications is sufficiently low that the copying rate is not a significant financial loss to the distributor (especially after adjusting for people who wouldn't have bought the work anyway, which is the group most likely to make the modification (students with low budgets etc)). Things which can be defeated in software or firmware upgrades only are for more fragile, and subject to changing user demographics, more internet aware and connected users, increasing scale of file-sharing networks; whereas devices needing hardware modifications have non-zero reproduction costs, and risk of damaging expensive equipment in the operation. On Wed, Oct 17, 2001 at 10:23:03AM +0100, Ben Laurie wrote: > Adam Back wrote: > > [...why copymarks don't work...] > > [...] > It seems to me that putting the details of the purchaser in plaintext on > the beginning of the file and making it illegal to remove it is as good > a protection as you are ever going to get - but that would ruin a whole > bunch of business plans, so I guess no "expert" is going to admit that. It may be more to do with attempts to qualify under legal provisions of DMCA to construct something which is (legally) arguable qualifying as a system intended to prevent copying, so they can sue people who by-pass it. Another argument I've heard for making dumb proprietary schemes is that they ened them to be proprietary so they can make onerous conditions part of the licensing agreement, and sue anyone who makes devices or software without licensing their broken technology from them. In effect that it's utterly broken doesn't matter -- that it's claimable as an "original" work under patent law matters. > In short, the agenda, it seems to me, is the business plans of > companies in the watermarking business. That too is doubtless part of the problem. IBM's cryptolopes lending credibility by brand recognition to related technologically broken efforts such as InterTrust and other watermark related business plan startups "digi-boxes" and the like. SDMI was another broken attempt. > No more, no less. I'm amazed the media moguls are willing to waste > so much of their time and money on it. It could be that the only thing keeping the InterTrust types in business is the patentability and DMCA qualifying legal arguments above. Technologically they are all systemically broken. There may be an element of technological naivete on the part of MPAA RIAA too though, perhaps decision makers were genuinely confused to start with, and crypto-box outfits will have incentives to exaggerage the technological properties of their systems to their customers, the RIAA, DMCA etc. Adam - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Security Research (Was: Scarfo "keylogger", PGP )
At 08:52 PM 10/16/2001 -0400, Steven M. Bellovin wrote: >In message <[EMAIL PROTECTED]>, Ben Laurie writes: >>"Trei, Peter" wrote: >>> Windows XP at least checks for drivers not signed by MS, but >>> whose security this promotes is an open question. >> >>Errr ... surely this promotes MS's bottom line and no-one's >>security? It is also a major pain if you happen to want to write a >>device driver, of course. >> > >Microsoft? See their view of how to deal with security at >http://www.newsbytes.com/news/01/171173.html -- I wonder if they >think it should apply to crypto research, too? >From that link: "It's high time the security community stopped providing blueprints for building these weapons," he said. === Remember after the OK City bombing, there were calls to remove instructions on bomb making from the Internet? That failed when people pointed out the USDA and public library sources, although some went on to claim they should be removed from there, too. Free speech, anyone? With bug reports, there are none coming from USDA or to be found in public libraries, so it looks like we're a lot more vulnerable. When will the Internet be so ingrained in American life that it's no longer vulnerable like this? +--+ |Carl M. Ellison [EMAIL PROTECTED] http://world.std.com/~cme | |PGP: 08FF BA05 599B 49D2 23C6 6FFD 36BA D342 | +--Officer, officer, arrest that man. He's whistling a dirty song.-+ - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: limits of watermarking (Re: First Steganographic Image in the Wild)
Adam Back wrote: > In my opinion copymarks are evil and doomed to fail technically. > There always need to be playble non-certified content, and current > generation watermarks seem easy to remove; and even if some really > good job of spread spectrum encoding were done, someone would reverse > engineer the players to extract the location parameters and then they > too would be removable -- and in the end even if someone did manage to > design a robust watermarking scheme respecting Kerchoff's principle, > the identity information is weakly authenticated, and subject to > identity theft or the content itself could be stolen or plausibly > deniably claimed to have been stolen and this only has to happen once > for each work. The thing that gets me about all this is that exactly the same argument can be made for all existing media - and, although piracy is rife, no-one is attempting to mark videotapes or CDs, AFAIK. So why all the fuss about more modern digital media? Has no-one noticed all the ripped videotapes, CDs and DVDs? Are we really expected to believe the whole media reproduction industry is ever going to switch over to producing each disc individually, expensively watermarked? So what's the real agenda? And don't tell me its because broadband will eliminate physical media: a) I believe physical media will always have higher bandwidth than broadband - why? Because you have to feed the broadband from somewhere, and archive it somewhere. b) Even if physical media goes away, individual watermarking blows away multicast - and broadband will just never work without that. It seems to me that putting the details of the purchaser in plaintext on the beginning of the file and making it illegal to remove it is as good a protection as you are ever going to get - but that would ruin a whole bunch of business plans, so I guess no "expert" is going to admit that. In short, the agenda, it seems to me, is the business plans of companies in the watermarking business. No more, no less. I'm amazed the media moguls are willing to waste so much of their time and money on it. Cheers, Ben. -- http://www.apache-ssl.org/ben.html "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: limits of watermarking (Re: First Steganographic Image in the Wild)
Adam Back wrote: > Another framework is to have players which will only play content with > certified copy marks (no need for them to be visible -- they could be > encoded in a logo in the corner of the screen). The copymark is a > signed hash of the content and the identity of the purchaser. > > This could be relatively robust, except that usually there is also a > provision for non-certified content -- home movies etc -- and then the > copy mark can be removed while still playing by converting the content > into the home movie format, which won't and can't be certified. The other obvious weakness in such a scheme is that the player can be modified to ignore the result of the check - rather like defeating dongles, which have yet to exhibit any noticable resistance to crackers. Cheers, Ben. -- http://www.apache-ssl.org/ben.html "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Security Research (Was: Scarfo "keylogger", PGP )
About that MS security response initiative ... I think, if you view their security response team as a completely separate independent entity from the MS development team, you'll find that they're making a valiant attempt at doing an impossible job. Scott Culp is just trying to rally the security community to be self-policing with regard to publishing detailed exploit instructions. Not a bad idea at all. And in this regard, this seems to be handled in a light handed manner ... so far. When I take off my conspiracy theory glasses, I don't even see any particularly offensive ideas in his manifesto: http://www.microsoft.com/technet/columns/security/noarch.asp Surely we can all agree that Scott has got the toughest job in the world. :-) Maybe we can give him a break and offer some constructive feedback. But personally, I don't think there's much hope of changing the way that particular company behaves, or for that matter, much of the rest of the industry too. Not until vendors are held legally accountable for negligent design. Maybe someday, somehow, there will be a class action law suit. (I saw a recent infosec conference flyer that had some silly quote about the annual cost of viruses or something being in the $100,000,000,000 range. :-) Or maybe one of our new draconian laws will be turned around to make vendors criminally responsible for promoting cyber terrorism! Surely that'll make 'em think twice before opening that new back door, or creating yet-another "auto-launch a hidden executable" feature. -- David At 08:52 PM 10/16/01 -0400, Steven M. Bellovin wrote: >Microsoft? See their view of how to deal with security at >http://www.newsbytes.com/news/01/171173.html -- I wonder if they >think it should apply to crypto research, too? > >Of course, why should I be surprised at this? Some crypto research is >already banned by the DMCA; why not ban even more? - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]