Banned Citibank PIN Cracking Documents
We offer some 27 documents on Citibank PIN cracking banned by the British High Court on 20 February 2003: http://cryptome.org/citi-ban.htm Included are the gagging order, affidavits of defendant cryptographers and affidavits of Citibank officials and security personnel. See related message by Ross Anderson, a defendant: http://cryptome.org/pacc.htm - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Logging of Web Usage
Ben, Would you care to comment for publication on web logging described in these two files: http://cryptome.org/no-logs.htm http://cryptome.org/usage-logs.htm Cryptome invites comments from others who know the capabilities of servers to log or not, and other means for protecting user privacy by users themselves rather than by reliance upon privacy policies of site operators and government regulation. This relates to the data retention debate and current initiatives of law enforcement to subpoena, surveil, steal and manipulate log data. Thanks, John - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Verizon must comply with RIAA's DMCA subpoena
At 09:54 PM 1/25/2003 +1300, Peter Gutmann wrote: William Allen Simpson [EMAIL PROTECTED] writes: But there is a strong economic rationale. We save untold operational expense, support costs, and legal fees. (The legal cost of complying with that single interstate subpoena cost us an entire month of revenue.) Lucky Green a while back reported that some European ISPs charge customers less if they use IPsec because then there's less cost involved in complying with surveillance requirements. It will be more expensive to obey an ISP's lawyer and somewhat less expensive to sell tappable service. That's the way of economic intimidation. Cheapest is to ignore the subpoena and never seek legal advice. The ISP world won't collapse despite chicken little warning. And ISPs look like cowardly shits for caving. Ponder the lessons of defiant, dissident publishers, and plan to increase your sales by putting your customers before your firm. ISPs are using lawyerly advice to cloak betrayal and cowardice. Fire the ISP lawyer, especially if in house. Pay the difference to sysadmins willing to fight. There's a stampede to comply with obnoxious law, better to throw a TIA party as D advises. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Microsoft's Second DRM Patent
Cryptome offers Microsoft's second patent on digital rights management, invented by the same three persons as the first, Paul England, John DeTreville and Butler Lampson: http://cryptome.org/ms-drm-os2.htm This second patent was issued on December 7, 2001, a week before the first available here: http://cryptome.org/ms-drm-os.htm John DeTreville wrote on July 8, 2002, that neither he nor Butler Lampson were Palladium programmers, as distinguished from Paul England who was cited by Steven Levy in Newsweek as a Palladium programmer. John referred to another patent underlying Palladium. Cryptome did a search of the US Patent Office archives for other patents by the three inventors and for those assigned to Microsoft from 1996 to July 9, 2002. Only two patents for digtial rights management were listed, out of more than 2,000 Microsoft patents for the period: the two referenced above on Cryptome. Ross Anderson reported yesterday that MSNBC has pulled the Palladium article by Steven Levy, which is now here: http://cryptome.org/palladium-sl.htm See Ross's updated FAQ on TCPA and Palladium: http://www.cl.cam.ac.uk/users/rja14/tcpa-faq.html - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Pointers to Palladium Patent...
A correction on the inventors of the alleged Palladium patent from a Microsoft programmer: - Subject: Correction to cryptome.org Date: Mon, 8 Jul 2002 17:07:45 -0700 From: John DeTreville [EMAIL PROTECTED] To: [EMAIL PROTECTED] Are you a good contact person for the information on the Microsoft DRM patent (6,330,670) on cryptome.org? The pages linked from http://cryptome.org/ms-drm-os.htm say that the authors of this patent (England, DeTreville, and Lampson) were identified by Newsweek as Palladium programmers. I can reliably state that I (DeTreville) am not a Palladium programmer, and neither is Butler Lampson. I believe that the Newsweek article was referring to a different patent. I'm sure that the Palladium participants jointly hold a significant number of important patents in the field of computer security. Cheers, John - This message has been added to the file at: http://cryptome.org/ms-drm-os.htm We would appreciate information on the alternative Palladium patent John DeTreville is referring to, or patents if the program is based on several. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: DOJ proposes US data-rentention law.
I appreciate what an honorable ISP admin will do to abide customer rights over intrusive snoopers and perhaps cooperative administrators above the pay grade of a sysadmin. Know that a decent sysadmin is on for about 1/3 of a weekday for 24x7 systems is a small comfort but leaves unanswered what can happen: 1. During that time when a hero is elsewhere. 2. Upstream of the ISP, the router of the ISP and the nodes serving routers, as well as at a variety of cache systems serving there various levels. 3. At major providers serving a slew of smaller ISPs. In this case I reported a while back of a sysadmin telling what my ISP, NTT/Verio, is doing at its major node in Dallas: allowing the FBI to freely scan everything that passes through the Verio system under an agreement reached with NTT when it bought Verio. No matter what a local sysadmin does with data, it remains very possible that data is scanned, stored and fucked with in nasty ways coming and going such that no single sysadmin can catch it. End to end crypt certainly could help but there is still a fair abount of TA that can be done unless packets are truly disintegrated and/or camouflaged at the source before data leaves the originating box. Pumping through anonymizers, inserting within onions, subdermal pigging back on innocuous wireless packets of the financial advisor door, multiple partial sends, stego-ing, data static and traffic salting, bouncing off the moon or windowpane, what else can you do when an eager beaver industry is racing to do whatever it takes to build markets among the data controllers breathing hot about threats to national security and handing out life-saving contracts to hard-up peddlers shocked out of their skivvies with digital downturn. No patriotic act is too sleazy these days that cannot be justified by terror of red ink and looming layoffs. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Ross's TCPA paper
Ross has shifted his TCPA paper to: http://www.ftp.cl.cam.ac.uk/ftp/users/rja14/toulouse.pdf At 07:03 PM 6/22/2002 -0700, Lucky wrote: I recently had a chance to read Ross Anderson's paper on the activities of the TCPA at http://www.cl.cam.ac.uk/ftp/users/rja14/.temp/toulouse.pdf - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Analysis of Neural Cryptography
Analysis of Neural Cryptography Alexander Klimov, Anton Mityaguine, and Adi Shamir Computer Science Department The Weizmann Institute, Rehovot 76100, Israel {ask,mityagin,shamir}@wisdom.weizmann.ac.il Abstract. In this paper we analyse the security of a new key exchange protocol proposed in [3], which is based on mutually learning neural networks. This is a new potential source for public key cryptographic schemes which are not based on number theoretic functions, and have small time and memory complexities. In the first part of the paper we analyse the scheme, explain why the two parties converge to a common key, and why an attacker using a similar neural network is unlikely to converge to the same key. However, in the second part of the paper we show that this key exchange protocol can be broken in three different ways, and thus it is completely insecure. 3. Ido Kanter, Wolfgang Kinzel, Eran Kanter, Secure exchange of information by synchronization of neural networks'', Europhys., Lett. 57, 141, 2002. http://cryptome.org/neuralsub.ps (11 pages. 366KB) - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Optical Time-Domain Eavesdropping Risks of CRT Displays
Markus Kuhn has released this after learning of Joe Loughry's announcement. - Announced 5 March 2002. To be presented at IEEE Oakland conference, May 2002 http://www.cl.cam.ac.uk/~mgk25/ieee02-optical.pdf Optical Time-Domain Eavesdropping Risks of CRT Displays Markus G. Kuhn University of Cambridge, Computer Laboratory JJ Thomson Avenue, Cambridge CB3 0FD, UK [EMAIL PROTECTED] Abstract A new eavesdropping technique can be used to read cathode-ray tube (CRT) displays at a distance. The intensity of the light emitted by a raster-scan screen as a function of time corresponds to the video signal convolved with the impulse response of the phosphors. Experiments with a typical personal computer color monitor show that enough high-frequency content remains in the emitted light to permit the reconstruction of readable text by deconvolving the signal received with a fast photosensor. These optical compromising emanations can be received even after diffuse reflection from a wall. Shot noise from background light is the critical performance factor. In a sufficiently dark environment and with a large enough sensor aperture, practically significant reception distances are possible. This information security risk should be considered in applications with high confidentiality requirements, especially in those that already require TEMPEST-shielded equipment designed to minimize radio-frequency emission-security concerns. - - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
More Elcomsoft/Sklyarov Motions
Thanks to Kurt Foss we offer two additional dismissal motions by Elcom/Elcomsoft and Dmitry Sklyarov: Notice of Motion and Motion to Dismiss Indictment for Lack of Jurisdiction Notice of Motion and Motion to Dismiss Count One: Conspiracy http://cryptome.org/usa-v-esds-nmd.htm - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Sklyarov's Motion to Dismiss Indictment
We offer Dmitry Sklyarov's Motion to Dismiss Indictment for Violation of Due Process filed yesterday: http://cryptome.org/usa-v-ds-mtd.htm - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: password-cracking by journalists...
At 9:15 AM -0500 1/16/02, Steve Bellovin wrote: Does anyone have any technical details on this? This is from the UK Independent today: http://www.independent.co.uk/story.jsp?story=114885 - [Excerpt] How they cracked the terrorists' code Getting to the heart of the documents contained in the al-Qa'ida computer bought by chance by the Wall Street Journal's reporter in Kabul meant cracking the encryption of Microsoft's Windows 2000 operating system installed on the machine, which had been used to protect the data. That is not a trivial task. Microsoft will only say that if you lose the password that controls entry to a Windows 2000 system, your best option is to remember it or simply to wipe the machine and start again. And its Encrypting File System (EFS), which had been used to encode the files, is just as strong. But the files were too valuable for that. Instead, the team embarked on the task of breaking through the encryption, which jumbles the contents of the files so that even someone reading the individual bytes of data stored on the actual hard disk (rather than trying to access them through the operating system, which had locked them out) would simply find rubbish. Cracking the encryption meant finding the digital key that had previously been used to unlock it. That was not stored in any readable file on the machine, for it was itself encrypted. The only way to reproduce it was to generate the key from first principles: by trying various combinations of random bits and trying to decrypt the file with them, and seeing if it produced sense or gibberish. Luckily, the PC had a version of Windows 2000 with an export-quality key only 40-bits long, rather than the US quality, which being 128-bits long would have been billions of times harder to crack. Even so, it took the equivalent of a set of supercomputers running for five days, 24 hours a day, to find the key. But find it they did. The irony that the terrorists used a product made by one of the US's biggest corporations to protect plans it was making against it may not be lost on an administration that recently relaxed rules on the export of strong encryption. Tighter controls may follow. By Charles Arthur [End excerpt] - - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Scarfo Phase 2
John Schwartz writes in the December 31 New York Times: A controversial system installed on a criminal suspect's computer by the government to capture the encryption passwords of a criminal suspect is nearing its second phase. Anybody have info or leads on the second phase of what appears to be the keylogging technology used by the FBI in the Scarfo case? - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: FW: U.S. Police and Intelligence Hit by ISRAELI Spy Network ???????????
The Fox News reports were yanked by Fox without explanation. We've collected them from private archives and reposted: http://cryptome.org/fox-il-spy.htm When the series first appeared it seemed to be another case of Israel bashing, in particular the parts that rehashed years-old allegations (we've linked to a 1996 GAO report cited by Fox, and other alleged participants' Web sites). And the series may well be calculated disinformation, if not by Fox then by its sources. However, Fox's unexplained yanking the series is worth noting. Except for a few comments on the Net, I do not know of mainline media follow-up on the reason for the yank. If Fox found that the reports are in error, that is the sort of thing that usually brings heat from competitors. If the yank was due to government intervention that would indeed be news, but hardly unprecedented these days. If the yank was due to private intervention that too would be worth learning about -- who, when, why. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: IP: FBI To Require ISPs To Reconfigure E-mail Systems (fwd)
I believe this report refers to FBI guidelines whose implementaion is being worked out by direct consultation with telecommunication carriers: http://cryptome.org/fbi-flexguide2.htm The original date of compliance with these guidelines was September 24, 2001, but after widespread complaint to the FCC from the telecomm industry about infeasibility of compliance by the deadline, the FCC granted an extension in time to be set for each service provider in consultation with the FBI. That FCC order is with the file above. What other distinctive arrangments are being made with telecomm providers may be difficult to determine since each can cut a deal to fit its unique position without having to submit to a general standard. It is not yet clear if these private arrangements will be made fully public or if the FCC will allow concealment under rubric of privileged business information -- or, to fit the times of peril, for national security reasons. It will be interesting which ISPs join the big time ranks of legacy telecomm providers by offering services to fit the urgency for all uniting in patriotic fervor to kill the ISP dissidents unwilling to betray their customers. Lots of stellar Internet leaders changing sides as reported in National Journal's Technology Daily and other media, not to say media itself. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
RIAA Secret Meeting
Anonymous reports on a secret meeting of RIAA: http://cryptome.org/riaa-secret.htm Excerpt: On Thursday October 4 there was a closed-door RIAA meeting at the Ritz-Carlton, which was 'a direction setting' meeting. The individuals of note attending were: Hillary Rosen - RIAA Chief Steve Heckler - Sony Music Strauss Zelnick - BMG Edgar Bronfman - Universal Gerald Levin - AOL Time-Warner Ken Berry - EMI Leonardo Chiariaglione - SDMI Chair (Leaving Soon) Francis Jones - Codex Data Systems Fritz Hollings - Senator Ted Stevens - Senator Michael Eisner - Disney CEO Jack Valenti - President, MPAA Andy Grove - Intel CEO Lou Gerstner - IBM Yoishi Morishita - CEO Matsushita Tsutomo Kawata - CEO Toshiba Jay Berman - IFPI Chair Paul England - Microsoft Advanced Cryptography research group One particularly disturbing fact is that Codex Data System's DIRT software is supposed to be restricted to law enforcement agencies, yet the RIAA, MPAA, and IFPI have all purchased it, and use it routinely to monitor servers which are suspected of infringing content, yet are password protected such as servers which require one to sign up for a password account like hotline servers that have no guest download. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
USA v. Dmitry Sklyarov
Here's the US Attorney press release and FBI criminal complaint against Dmitry Sklyarov, the Russian cryptologist arrested after Defcon and accused of violating the DMCA for selling a circumvention of Adobe's eBook protection: http://cryptome.org/usa-v-sklyarov.htm - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Crypto Specialist Sought
Perry, if appropriate to post, this person has asked that his request for crypto specialist be sent to Cryptography. John - From: Jeff Hilles [EMAIL PROTECTED] Date: Fri, 25 May 2001 11:53:06 -0400 : : : : : : I am a telecom/satellite recruiter and have the following opening outside Boston. I confess that Cryptography is not something I know much about. However the last 12+ hours of research has been fascinating but I am getting frustrated. I think my opening is perhaps the result of the new export regulations. I know I am way out of my league but could please help me, or direct me to someone who could? The difficulty is that I need someone with secret clearance and project management skills with a cryptography and hopefully a satellite background. Bottom line is, do you know anyone that might be even a close fit? Most of the folks I have been in contact with consider the phrase NSA cryptography review with secret clearance an oxymoron. Someone has to be willing to be the go between on these certifications. Please tell me where to go to find that needle. Thank you for any help you can provide. Jeffrey Hilles, VP Networks Wireless Williams Delmore, Inc. 919-217-4600 www.wdinc.net Cryptography Specialist Lead NSA certification for embedded cryptography in modern Satellite Communication Terminals. Analyze and allocate INFOSEC requirements at System, HW and SW levels. Review systems architecture, HW and SW and provide guidelines for INFOSEC features. Interact with NSA and other Government reps, including preparation and presentation of INFOSEC PDR and CDR material. Generate and/or review certification documents including Theory of Equipment Operation, Theory of Compliance, Security Fault Analysis, INFOSEC SW documentation, and INFOSEC test plans, procedures and reports. Support mechanical and TEMPTEST design and related documentation. Required ability to analyze requirements and implementation across a broad spectrum ranging from high level requirements to requirements flow down to detailed HW and SW implementation and mechanical design. Understanding of state-of-the-art computer architectures, robust design methods, and HW/SW tradeoffs. Secret/COMSEC clearance essential. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]