Re: DOS attack on WPA 802.11?

2002-12-24 Thread Michael Disabato
Monday, December 9, 2002, 5:36:08 PM, David scribbled:

>> DW> The question is: "Why bother working on a `fix' to WPA that
>> DW> will likely never be deployed and that will be obsoleted
>> DW> in a few years by the spread of AES-CCMP?".
>> 
>> You make the assumption that, having gone through the WEP to WPA
>> conversion, businesses will be willing to move to AES. My clients tell
>> me they are not, absent a major fault in WPA.

DW> Thanks.  That's an interesting point.
DW> But, won't the same argument apply with the same force
DW> to any patch to WPA?  I don't see the denial-of-service
DW> issue that the original poster is worried about as a major
DW> fault, and any patch to WPA would hence only be a minor tweak
DW> to deal with a minor weakness -- which doesn't sound to me
DW> like the sort of thing those businesses are going to want
DW> to spend a lot on deploying.  Would you agree?

David,

There is a large difference between upgrading from WEP to WPA and
upgrading WPA code. In the first case, the operational characteristics
of the network will change. This falls under the "non-trivial task"
definition. In the second case, you've already done the hard work of
conversion, and are simply applying patches. There are several systems
on the market that can automate this kind of work.

Regards,

Michael


-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]



RE: Micropayments, redux

2002-12-24 Thread Zully Ramzan
It appears that while probabilistic polling (combined with Payword) and the Peppercoin 
schema have some structural similarities, the underlying purpose of using 
probabilities is different.  In particular, Peppercoin/Lottery utilizes probabilities 
to determine whether or not a user will be charged (which indirectly sets the value of 
a given coin).  In the probabilistic polling schemes, on the other hand, it seems that 
the vendor always "charges" the user (but often without knowing whether or not the 
user has exceeded his or her spending limit); that is, the goal, in this case, appears 
to be to thwart overspending of a given digital coin.  

One might try to argue that at a more fundamental level these two uses of 
probabilities are, in some sense, equivalent -- but even if that's the case, I still 
don't think that the connection here is obvious.  The lottery scheme is a paradigm 
shift in electronic payments since the end user doesn't always get charged, which is 
initially somewhat counterintuitive.   

I believe that the lottery ticket scheme was originally presented in the rump session 
of the same conference (Financial Cryptography '97) as the probabilistic polling 
scheme (and both are published in the same conference proceedings).  

Regards,

Zulfikar Ramzan
 


-Original Message-
From: Andrew Odlyzko [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 16, 2002 8:13 PM
To: [EMAIL PROTECTED]
Subject: Re: Micropayments, redux


The Micali-Rivest Peppercoin scheme 
seems awfully hard to distinguish from an instance of the
probabilistic polling scheme invented by S. Jarecki and myself,
which was presented at the first Financial Cryptography conference
in 1997, published in "Financial Cryptography," R. Hirschfeld, ed., 
Lecture Notes in Computer Science #1318, Springer, 1997, pp. 173-191, 
and is available online at

   

and

   .

(This scheme is also covered by US patent #5,999,919.)

Andrew




Re: DOS attack on WPA 802.11?

2002-12-24 Thread Donald Eastlake 3rd
On Fri, 13 Dec 2002, Arnold G. Reinhold wrote:

> Date: Fri, 13 Dec 2002 15:52:01 -0500
> From: Arnold G. Reinhold <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Cc: David Wagner <[EMAIL PROTECTED]>,
>  Donald Eastlake 3rd <[EMAIL PROTECTED]>,
>  William Arbaugh <[EMAIL PROTECTED]>
> Subject: Re: DOS attack on WPA 802.11?
> 
> >...
> 
> The differential attack on Michael, which prompted the addition of 
> the DoS-enabling time-out, involves sending half a billion forged 
> packets for every one packet that gets through.  Why isn't that 
> considered [by the 802.11i Task Group] a "minor and even 
> currently-impractical-to-exploit weakness"?

You can answer this question just as easily as I can. All you have to do 
is read the mind of all the voting members of 802.11.

> >...
> 
> There are 15 million or more 802.11b units out there. The rate at 
> which people are replacing computer hardware has dropped 
> substantially.  It will be a long time before system administrators 
> can simply stop supporting them.  And system administrators are busy 
> folk. Once they install WPA, they will be in no rush to upgrade it.

All predictions I've seen show exponential growth in 802.11 equipment
through 2007. There is tremendous growth in new 802.11 installations and
upgrades to existing implementations. There are corporations that really
care about security and are today forcing everyone using their corporate
net to get wireless cards (and use them even for PCs with built in
wireless) that use proprietary stuff now and are guaranteed upgradable
to the 802.11i standard when it comes out.

> >...
> 
> Why wait a few years when it can be fixed now? 802.11a is a new 
> system. Why introduce a weak MIC on 802.11a when it is completely 
> unnecessary? Replacing Michael with an accepted cryptographic 
> algorithm on 802.11a is a zero risk solution. As for 802.11b, I am 
> simply proposing that the time-out be configurable.  How big a deal 
> is that?

802.11a hardware has been shipping for some time. No one has to build
802.11a systems supporting TKIP if they don't want to. But it would have
been silly to try to somehow restrict TKIP to 802.11b given what a
massive improvement it is over WEP, even though it is not as strong as
CCMP. For 802.11i to spend cycles on a TKIPa for 802.11a would just slow
down getting CCMP out.

> Exactly. The WPA time-out creates a DoS opportunity that is very 
> attacker friendly, only two packets per minute are needed to bring a 
> network down. Triangulating on such an attacker is very difficult.

OK, if you think it is so trivial, please outline the exact steps needed 
to execute this Denial of Service attack. I don't think you begin to 
understand how hard it would be.

> 802.11 is exploding in popularity and is being used for applications 
> of increasing economic importance.  Network availability is as much a 
> part of security as authentication.  The military systems that 802.11 
> derives from were designed to operate in hostile environments.  There 
> is technology that could be transferred to the commercial world.

Network availability goes to zero with many cordless phone systems or 
any microwave oven operating at the right frequency range if you remove 
the shielding from the microwave (it is not recommended that you be too 
close to the microwave when it is operating in that mode unless you 
cause its output to be directed away from you).

> Has the IEEE committee discussed its decision to ignore DoS with 
> other WiFi constituencies? Have those constituencies agreed that DoS 
> is not something to worry about? Has this been disclosed to the 
> public? The WiFi home page http://www.wi-fi.org has a tab on security 
> with a long discussion touting WPA. I saw nothing mentioned about 
> DoS, not even the FCC Part 15.19 notice.

The WiFi Alliance is a marketing and interoperability organization, not 
a standards or technical organization.

The IEEE process is documented at exhaustive length in IEEE documents and
has been followed. Any person interested can participate. Anyone can
propose to 802.11 that a liaison be set up with any other organization.
At this time, over 2/3rds of all IEEE 802 members are in 802.11 making
it the most widely representative of all 802 working groups with
attendance commonly over 300 persons.

Your idea that the "public", whatever you mean by that, should be
consulted is pretty hilarious. The idea that the average man on the 
street is a great source of wisdom for secure communications protocol 
design is not widely held.

Perhaps they would support you. Enough scare stories in the press
exaggerating the significance of denial of service due to TKIP
countermeasures could easily stampede the public.

> >...
> 
> I don't know how long it would take for a network to recover from a 
> bogus disassociate message, but I presume well less than a minute. It 
> is also not clear to me why future standards could not include 
> protection against a disassociate 
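
Added example (not part of the thread, and not code from any poster or from the 802.11 drafts): a small Python model of the time-out argued over above, showing what a configurable value trades off. It assumes the rule "two MIC failures within 60 seconds shut the link down for 60 seconds", in line with the "two packets per minute" figure quoted in the thread, and takes the half-billion figure from the thread. The class and function names, the constructed event logs, and the bound of at most two forgery attempts per time-out are assumptions of this sketch.

```python
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple

SECONDS_PER_DAY = 86_400


@dataclass
class MicCountermeasure:
    """Model of the MIC-failure time-out (assumed rule, see lead-in)."""
    window: float = 60.0    # a second failure inside this window trips the rule
    holdoff: float = 60.0   # how long the link stays down (the "time-out")
    last_failure: Optional[float] = None
    blocked_until: float = 0.0
    shutdowns: List[Tuple[float, float]] = field(default_factory=list)

    def on_mic_failure(self, t: float) -> bool:
        """Record a MIC failure at time t; return True if it trips a shutdown."""
        if t < self.blocked_until:
            return False        # link is already down, frame is never evaluated
        if self.last_failure is not None and t - self.last_failure <= self.window:
            self.blocked_until = t + self.holdoff
            self.shutdowns.append((t, self.blocked_until))
            self.last_failure = None    # counting starts afresh afterwards
            return True
        self.last_failure = t
        return False


def simulate(events: Iterable[float], window: float, holdoff: float,
             horizon: float) -> Tuple[int, float, float]:
    """Replay MIC-failure timestamps; return (shutdowns, downtime_s, availability)."""
    cm = MicCountermeasure(window=window, holdoff=holdoff)
    for t in sorted(events):
        if t < horizon:
            cm.on_mic_failure(t)
    downtime = sum(min(end, horizon) - start for start, end in cm.shutdowns)
    return len(cm.shutdowns), downtime, 1 - downtime / horizon


def days_per_expected_forgery(holdoff: float,
                              attempts_needed: int = 500_000_000) -> float:
    """Lower bound on days until one forged packet is expected to get through.

    Assumption of this sketch: every failed forgery is a MIC failure, and the
    rule lets at most two of them through per time-out period.
    attempts_needed is the "half a billion" figure quoted in the thread.
    """
    attempts_per_day = 2 * SECONDS_PER_DAY / holdoff
    return attempts_needed / attempts_per_day


# Constructed MIC-failure logs (seconds since start), one hour each.
HORIZON = 3600
# Sustained: a pair of failures as soon as each time-out expires.
SUSTAINED = [61 * k + d for k in range(60) for d in (0, 1) if 61 * k + d < HORIZON]
# Isolated: single failures five minutes apart, e.g. from occasional corruption.
ISOLATED = list(range(0, HORIZON, 300))


if __name__ == "__main__":
    for holdoff in (60, 5):
        n, down, avail = simulate(SUSTAINED, 60, holdoff, HORIZON)
        print(f"time-out {holdoff:>2}s: {n} shutdowns, {down}s down, "
              f"availability {avail:.1%}, forgery bound "
              f"{days_per_expected_forgery(holdoff) / 365.25:.0f} years")
    print("isolated failures:", simulate(ISOLATED, 60, 60, HORIZON))
```

On the sustained log the 60-second time-out leaves the link up for 60 of 3600 seconds; a 5-second time-out leaves it up about 92% of the time while lowering the forgery bound from roughly 475 years to roughly 40.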

Security, Cryptography and Privacy Track in PODC 2003: Tutorials and (updated) CFP

2002-12-24 Thread Amir Herzberg


Dear Colleagues,

Please note that the deadline for submitting to PODC 2003, and in 
particular to the special track on Security in Distributed Computing, is 
rapidly approaching - Jan 31, 2003. This event is an excellent opportunity 
for interaction between the security, cryptography and distributed 
computing communities, and I hope many of you will send excellent 
submissions and of course participate. PODC will be held on Sunday July 
13th - Wednesday July 16th, 2003, in
Boston, Massachusetts.

The registration fee includes two interesting pre-conference tutorials on 
Sunday, July 13. Both are on very active areas in security in distributed 
computing: Incentives and Internet Computation by Joan Feigenbaum and Scott 
Shenker, and
Content Protection Technologies by Jeffrey B. Lotspiech, Tushar Chandra, 
and Donald E. Leake Jr.
Abstracts are included below, and can also be found, with bios of the 
speakers, from the webpage: http://www.podc.org/podc2003

Expect lively discussion on these and other issues related to security and 
privacy in distributed systems, following these tutorials, as well as our 
very special invited speakers on security: Ross Anderson (U. of Cambridge), 
Butler Lampson (Microsoft), and Silvio Micali (MIT), all of whom are known 
for their sometimes conflicting but always interesting views.

This year, PODC will also feature a series of lectures illustrating and 
celebrating the impact of the work of Michael Fischer, in honor of his 
sixtieth birthday, by: Leslie Lamport, Microsoft, Nancy Lynch, MIT, Albert 
Meyer, MIT, and Rebecca Wright, Stevens Inst. of Tech. Topics are not 
announced yet but considering the speakers, I am sure these presentations 
will also be of interest to crypto/security folks.

So, please participate and submit and encourage others to do so; e.g. 
please post the CFP in relevant forums. PODC especially encourages student 
participation, and a prize will be given to the best student paper; we may 
be able also to partially sponsor some of the students participating and 
presenting, depending on budget.

PODC'03 received generous support from Microsoft and Sun Microsystems. If 
you are interested in making additional contributions, possibly for 
sponsoring a specific purpose, please contact the general chair, Elizabeth 
Borowsky, [EMAIL PROTECTED] (Boston College).

Looking forward to your submissions and to seeing you at PODC 2003!

Amir Herzberg
http://amir.herzberg.name


Content Protection Technologies
Jeffrey B. Lotspiech, Tushar Chandra, Donald E. Leake Jr.

Abstract

The entertainment industry is in the midst of a digital revolution,
the growth of which seems only limited by concerns about the
unauthorized redistribution of perfect copies that digital technology
enables.  Several content protection technologies have been deployed
already in consumer electronic devices, and more are in the works.  In
the near future, the average person's encounter with cryptography
will not be restricted to access to ATM machines, but will include his
TV, his stereo, and his home entertainment network.  We trace the
history of digital content protection technologies, starting with Copy
Generation Management System found on Digital Audio Tape, to the
Content Scrambling System used on DVD video, and moving on to more
cryptographically sound technologies like Digital Transmission Content
Protection used on the IEEE digital 1394 bus, and Content Protection
for Recordable Media used on DVD Audio, DVD video recorders, and the
Secure Digital Memory Card.  It turns out that the relatively new area
of cryptography called broadcast encryption has found an enthusiastic
acceptance in content protection applications.  In fact, the content
protection application has inspired recent theoretical advances in
this area.

One newly-defined problem in content protection is called "authorized
domains".  The idea is that the consumer's extended home becomes a
domain in which content can be copied and moved without restriction.
The consumer only encounters technical obstacles when he/she tries to
widely redistribute the copyrighted content.  This requires that the
entertainment devices in the home, which may be only intermittently
connected, act as a distributed system to agree upon common
cryptographic keys.  Although public-key systems can provide this
function, it turns out that broadcast encryption can also work in this
application, and has some intriguing advantages.

However, not all content protection is based on cryptography.  We
discuss signal-processing based technologies like MacroVision and
digital watermarking.  Our view is that cryptography and signal-based
technologies are not competitors, but instead complement each
other.  Cryptographic solutions should dominate while the content
remains in the digital domain.  Once the content is rendered in
analogue form for viewing or listening, signal processing takes over,
to provide the last line of defense.

As technologists we would

[picoIPO] Re: Micropayments, redux

2002-12-24 Thread R. A. Hettinga

--- begin forwarded text


Status: RO
To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED],
   [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
From: [EMAIL PROTECTED] (Andrew Odlyzko)
Subject: [picoIPO] Re: Micropayments, redux
Sender: [EMAIL PROTECTED]
Date: Wed, 18 Dec 2002 07:01:42 -0600 (CST)

Dear Colleagues,

Just a few general comments on the flurry of messages from
yesterday.  I certainly do see micropayments playing some
role in the economy in the future.  I agree that we do have
the technology to implement them easily.  However, I still
think that they will play only a marginal role, as predicted
explicitly in the paper "Fixed fee versus unit pricing for
information goods: competition, equilibria, and price wars,"
(with Fishburn and Siders, the result of work during the
same summer of 1996 when Jarecki and I invented our probabilistic
polling micropayment scheme).  This paper appeared first in
First Monday,

  .

The basic reason for this prediction is that even in the absence
of the many behavioral economics factors, producers benefit
from bundling (as in selling an entire newspaper instead of
individual articles) by taking advantage of uneven preferences
among consumers for the individual items.  That is why Microsoft
(not known for its charitable impulses, after all) sells its
Office bundle for less than half the sum total of prices of
individual components.

In addition to the basic power of bundling, we also have the
behavioral economics factors, already discussed slightly in
the paper with Fishburn and Siders, and treated more fully
in "Internet pricing and the history of communications,"

 

and even more fully in "The history of communications and its
implications for the Internet,"

 

which (i) cause people to be willing to pay more for simple,
preferably flat-rate, pricing, and (ii) make people drastically
cut down their usage when faced with metered pricing.

Not everything can be shoehorned into the flat-rate subscription
model, so I do expect that micropayments will eventually play
a role in the economy, but I don't expect that role to be large.

Best regards,
Andrew



___
picoIPO mailing list
[EMAIL PROTECTED]
http://lists.picoipo.com/mailman/listinfo/picoipo

--- end forwarded text


-- 
-
R. A. Hettinga 
The Internet Bearer Underwriting Corporation 
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'




ANNOUNCE: Self-Learning OpenPGP and S/MIME Gateway

2002-12-24 Thread R. A. Hettinga

--- begin forwarded text


Status: RO
Subject: ANNOUNCE: Self-Learning OpenPGP and S/MIME Gateway
Thread-Topic: ANNOUNCE: Self-Learning OpenPGP and S/MIME Gateway
thread-index: AcKmrS9BwmoQTLlhRXemf+RRqzjcxw==
From: "GnuPG Users" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: "Christian Kirsch" <[EMAIL PROTECTED]>
Sender: [EMAIL PROTECTED]
Date: Wed, 18 Dec 2002 16:50:27 +0100


Glueck & Kanja is very pleased to announce a completely new technology
based on the OpenPGP and S/MIME standards. To make a long story short: We
are introducing a virtual keyserver concept and key generation based on
e-mail traffic analysis.

We are posting this news to the GnuPG Users List because we would like to
start a discussion about this approach and because we are looking for
corporations wanting to take part in an early bird program. We view the new
technology as an addition, not a full replacement, of end-to-end security,
allowing organizations to implement cost-effective e-mail security for
everyone. Here are the first few paragraphs of the press release:


Self-Learning CryptoEx Gateway Introduced

Offenbach, December 18th, 2002 - Glueck & Kanja Technology AG, one of
Germany's leading manufacturers of security solutions, today announced a
new product range that will revolutionize the security market for PKI
solutions. By using a self-learning gateway, all employees of an enterprise
can immediately take part in PKI-based encryption and signature of e-mails.
The solution takes information from the enterprise's standard communication
to automatically generate and certify personalized keys for each employee.
Each user can send and receive OpenPGP and S/MIME encrypted messages
straight after the installation of the new technology on a single server,
without increasing the effort for content scanning and virus protection.

Conventional decentralized e-mail encryption is mostly just deployed in
highly sensitive departments that require end-to-end security. CryptoEx
Gateway provides a cost-effective alternative that makes encryption usable
for entire corporations.

The big difference of the CryptoEx Gateway compared to a conventional
gateway solution is that it does not require a manual administration of
keys using a certificate authority. Instead, it works by automatically
processing all operations, especially the key generation and certification.
In other words: The key pairs are generated on demand rather than having to
be maintained manually and in advance by an administrator.

For more information, read the full press release at:
http://www.glueckkanja.com/cexgateway-en

Thanks!

Christian Kirsch
Product Manager
[EMAIL PROTECTED]
Glück & Kanja Technology AG

___
Gnupg-users mailing list
[EMAIL PROTECTED]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

--- end forwarded text





Re: [picoIPO] Re: Micropayments, redux

2002-12-24 Thread R. A. Hettinga

--- begin forwarded text


Status: RO
Subject: Re: [picoIPO] Re: Micropayments, redux
Cc: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
To: [EMAIL PROTECTED] (Andrew Odlyzko)
From: Charles Evans <[EMAIL PROTECTED]>
Sender: [EMAIL PROTECTED]
Date: Wed, 18 Dec 2002 12:56:27 -0500

This message is coming by way of the picoIPO list.  Apologies for any
confusion caused by intercommunication among para-debates.

On Wednesday, Dec 18, 2002, at 08:01 US/Eastern, Andrew Odlyzko wrote:

> Dear Colleagues,
>
> Just a few general comments on the flurry of messages from
> yesterday.  I certainly do see micropayments playing some
> role in the economy in the future.  I agree that we do have
> the technology to implement them easily.  However, I still
> think that they will play only a marginal role...

The second sentence of the abstract reads, "The main concern of this
paper is with pricing of goods that are likely to be consumed in large
quantities by individuals."  The current debate, with regard to
micropayments and microfinance, is like comparing apples and orangutans.

For mass-market goods, the argument in favor of subscription is
compelling, especially in the West/North.  I would not rent time on MS
Word or OS X, even if it were less expensive than buying licenses.
However, in the Third World, where money is very scarce, a la carte is
still very common.

In Ukraine, where typical incomes are USD 200-300 per MONTH, computers
are too expensive for most.  Internet cafés are quite common, and
charge about USD 1 per hour.  A flat USD 20 per month dial-up
subscription is prohibitively expensive, when you add in the per-minute
telephone charges and the cost of the computer, monitor, and modem.



> The basic reason for this prediction is that even in the absence
> of the many behavioral economics factors, producers benefit
> from bundling (as in selling an entire newspaper instead of
> individual articles) by taking advantage of uneven preferences
> among consumers for the individual items...

For large Western/Northern software and entertainment producers, yes.
However, in the Third World -- the other 5.5 billion -- the economies
of scale are different.  For the price of a full license of MS Office,
a family can live for a month or two.

Building a viable business model out of this observation, and
implementing it are separate matters.  This is a theoretical discussion
of subscription versus a la carte.

There are markets where a la carte is preferable over subscription.



> Not everything can be shoehorned into the flat-rate subscription
> model, so I do expect that micropayments will eventually play
> a role in the economy, but I don't expect that role to be large.

There is large and there is large.  But your point is correct.  We
economists do not like corner solutions, and one-size-fits-all
solutions generally neither fit nor solve.

CE


--- end forwarded text





DEA data thief sentenced to 27 months

2002-12-24 Thread R. A. Hettinga
http://theregister.co.uk/content/55/28621.html

DEA data thief sentenced to 27 months
By Kevin Poulsen, SecurityFocus Online
Posted: 18/12/2002 at 10:38 GMT

A 14-year veteran of the U.S. Drug Enforcement Administration (DEA) who
fled to Mexico to avoid federal computer crime charges was sentenced in a
federal court in Los Angeles on Monday to 27 months in prison for selling
information on private citizens he plundered from sensitive law enforcement
databases.

Emilio Calatayud, 36, admitted in a plea agreement last August to raiding a
variety of systems to investigate claimants in over 100 workers
compensation cases being handled by Triple Check Investigative Services for
unnamed insurance carriers. Triple Check paid the former agent at least
$22,500 for the data over a six year period ending in 1999, according to
court records.

The purloined data came from three law enforcement computers to which
Calatayud had otherwise lawful access: the FBI's National Crime Information
Center (NCIC), which maintains nationwide records on arrest histories,
convictions and warrants; the California Law Enforcement Telecommunications
System (CLETS), a state network that gives agents access to California
motor vehicle records, rap sheets and fingerprints; and a DEA system called
the Narcotics and Dangerous Drug Information System (NADDIS), described by
a Justice Department Web page as a database of "over 3,500,000 individuals,
businesses, vessels and selected airfields."

Some privacy advocates have cited the Calatayud case to highlight the risks
posed by the growing number of law enforcement databases housing
information on individuals, and made widely accessible with minimal
security.

The prosecution was briefly derailed last February, when Calatayud skipped
out on a $100,000 property bond on what was to have been his first day of
trial. He fled to Mexico, where four months later he was picked up in
Guadalajara by Mexican federal police acting on information developed by
the United States Marshal's Service.

Officials haven't revealed how Calatayud was tracked down, but as part of
the plea deal they agreed not to prosecute the former fed for kiting checks
through his Bank of America account while a fugitive.

Prosecutors also dropped wire fraud and computer fraud charges in the
agreement. Calatayud pleaded guilty to bribery, tax evasion and failing to
appear in court.

In addition to the jail time, federal judge William J. Rea ordered
Calatayud to pay a $5,000 fine.

©SecurityFocus.com





Obituary - Gary Howland - 197? - 2002

2002-12-24 Thread R. A. Hettinga

--- begin forwarded text


Status: RO
Sender: <[EMAIL PROTECTED]>
Date: Tue, 17 Dec 2002 12:34:47 -0500
From: Ian Grigg <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: Digital Bearer Settlement List <[EMAIL PROTECTED]>
Subject: Obituary - Gary Howland - 197? - 2002

Obituary - Gary Howland - 197? - 2002



I first met Gary in 1990.  I was the team leader for a
big telecoms project and he was one of the 1000 CVs that
crossed my desk that summer.

Of those 1000, I interviewed about 50, and we ended up
with a technical team of 20.  Most were contractors from
the huge pool of British labour, but from my jaundiced
view, only 4 on our team rated as contractors.

Gary was one of those 4.  He was only just out of college,
the polytechnic at Brighton.  But his CV included all that
splattering of Unix acronyms that made you feel that here
was a kindred spirit, one who learnt in spite of the academic
environment.

We shared that time together, the vast tense year at ICL
where we all made too much money and lived like there was
no impending recession.  Hard coding, hard driving;  Gary
in his girlfriend's 924 was as fast as I was, at track day
with the Porsche club, in my 928.

He was fast with the code, too, when a fire could be lighted
under him.  He once replaced a 3 month project in 3 days.
For the most part he was slow and careful, thoughtful,
complete and perennially late.  But when a deadline hit,
he could fly.  He was the only person I could trust the
sys admin role to, and he was the lowest paid contractor
in the building.



Fast forward to 1995.  I'd had my Spanish adventure, Gary
had done his contracting stint in Germany, where he met
his long term girlfriend, Inka.  He'd hooked up with a
new outfit in Amsterdam, some crazy guys doing money on
the net, called DigiCash.

Gary fed me the papers and fed me the story.  Using
cryptography, David Chaum had invented a way to solve
the privacy problem so that coins could be simulated on
the net.  As I sat in finance classes in London, I
realised that bonds were just a more broad definition
of money.  We agreed that there was more to this than
the guys at DigiCash had thought about, so we agreed to
try out our hand at the finance area.

Gary was one of the first true financial cryptographers.
He intuitively knew that DigiCash would fail.  Not because
of their software, which was good, but because their business
was misdirected.  He also knew that the bearer idea wouldn't
survive.  Not because it wasn't beautiful - it was the most
extraordinary discovery in the last decade - but because it
didn't solve the bank robbery problem.  He was a superlative
cryptoplumber, but he understood intimately how the real
action was in determining the business requirements without
being blinded by the science.

Our early plans, hatched over email, assumed we could
license DigiCash's software, but that was scotched pretty
quickly.  So, Gary took on the task of designing a payment
system for our venture.

It wasn't easy.  We had to address the bank robbery problem,
and we had to retain the privacy.  Those goals were eventually
to coalesce as contradictions, and the way he walked the line
became known as SOX.

I believe SOX is Gary's legacy to the world.  It is capabilities
for the Internet.  It is strong crypto, and it is private.  It
is extensible, it is flexible, and reliable.  I mean, reliable
in a deterministic way:  we can guarantee correct results over
SOX transactions that can only be imagined in other protocols.

It technically dominated the bearer model, in a way that only
a few could grasp.  It was also a computer science solution,
a value that only came to be fully appreciated when we found
how trivial it was to add David Chaum's bearer tokens to SOX.

Gary, Mike and I, built the SOX protocol into Ricardo, a
complete payment system that operated as the settlement
and transfer layers for financial trading.  We ran bonds,
trading them at night so that all our bond holders around
the world had a chance to access the market.  At 9.15 pm
every night, Gary's 100MHz desktop blared out the theme
song for the James Bond movies, to announce the start of
trading;  his workstation was also our one and only
Issuance server, as well as the Exchange.



While they were at it, they wrote Cryptix.  Gary did the
Perl code for all our needs, and supervised Mike on the
first version of the Java native interfaces, all to Gary's
design and core library in C.  When we published Cryptix as
complete open source crypto for Java and Perl, it was the
first and only crypto available for Java, then, an emerging
language.

Our decision to put out the Java cryptography libraries,
later rewritten by Gary to be pure Java, set the scene for
all Java crypto.  It was critical in forcing Sun to write
a crypto API that was relatively open, even though they
were under tremendous pressure from the US government.
In a silent, secret and private war, Gary fought against
the behemoth known to us all as "the TLAs"