[K.Ellis guavaberry@earthlink.net] Boston Folks - public hearing Bill 2743
Date: Tue, 01 Apr 2003 13:41:29 -0500
From: K.Ellis [EMAIL PROTECTED]
Subject: Boston Folks - public hearing Bill 2743
To: [EMAIL PROTECTED]

Please pass this along if appropriate.

House, No. 2743 Bill was introduced in Mass by a Rep Stephen Tobin of Boston
http://www.state.ma.us/legis/member/ast1.htm

Petition of A. Stephen Tobin for legislation to establish a crime of illegal internet and broadband access and establishing penalties therefor.

Hearing is scheduled Mass State House in Boston. Public Hearing date Apr 2 am at 10:00 in Room 222
http://www.state.ma.us/legis/history/h02743.htm

REF: New Bills Would Make Firewalls Illegal
March 31, 2003 -- (WEB HOST INDUSTRY REVIEW) -- According to reports released on Monday, the US states of Massachusetts and Texas are each preparing to consider bills that would extend the national Digital Millennium Copyright Act (DMCA) by making firewalls, among other things, illegal.
snip

On Fri, Mar 28, 2003 at 01:10:56PM -0500, Perry E. Metzger wrote:
> http://www.freedom-to-tinker.com/archives/000336.html
> Quoting: "Here is one example of the far-reaching harmful effects of these bills. Both bills would flatly ban the possession, sale, or use of technologies that conceal from a communication service provider ... the existence or place of origin or destination of any communication."
> -- Perry E. Metzger [EMAIL PROTECTED]

Karen Ellis

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Run a remailer, go to jail?
http://www.freedom-to-tinker.com/archives/000336.html

Quoting: "Here is one example of the far-reaching harmful effects of these bills. Both bills would flatly ban the possession, sale, or use of technologies that conceal from a communication service provider ... the existence or place of origin or destination of any communication."

-- Perry E. Metzger [EMAIL PROTECTED]
meet in the middle attacks
I have to say I've watched this with a bit of puzzlement. Meet in the middle attacks are perfectly real. I've seen them myself, and toolkits to perform them are readily available out there. Ian's vague comments about a lack of evidence of the economic impact notwithstanding, it is unreasonable to leave one's protocols and systems open to such attacks.

You do not need an elaborate CA infrastructure to prevent them, of course. SSH manages to prevent them simply by having both sides sign exchanges using naked (i.e. uncertified) keys that are pre-shared, for example. Even use of MACs over exchanged values and pre-shared conventional keys can prevent many such attacks. However, not attempting to prevent such attacks -- especially given that they are very effective -- seems foolish at best.

-- Perry E. Metzger [EMAIL PROTECTED]
yes, I know...
I meant Man in the Middle, not Meet in the Middle. Sigh.

-- Perry E. Metzger [EMAIL PROTECTED]
Supreme Court Refuses to Review Wiretaps Ruling
From the New York Times:

Supreme Court Refuses to Review Wiretaps Ruling
March 24, 2003
By DAVID STOUT

WASHINGTON, March 24 - In a case balancing national security with civil liberties, the Supreme Court refused to interfere today with a lower court ruling giving the Justice Department broad new powers to use wiretaps to prosecute terrorists.

The justices declined without comment to review a decision last Nov. 18 in which a special federal appeals court found that, under a law passed after the terror attacks of Sept. 11, 2001, the Justice Department can use wiretaps installed for intelligence operations to go after terrorists.

That November decision was crucial, because for some two decades there was presumed to be a wall between wiretap operations for intelligence-gathering and wiretapping in the course of criminal investigations. Obtaining permission for a wiretap to gather intelligence has generally been easier than getting authorization for a wiretap in a straightforward criminal investigation. Thus, prosecutors were admonished not to try to skirt the tougher standards for a wiretap in a criminal investigation by claiming it was actually to gather intelligence.

The landscape changed with the passage of legislation, shortly after the Sept. 11 attacks, broadening government surveillance powers. Justice Department investigators applied last May for permission to wiretap an individual who was identified in court papers only as a resident of the United States. The department met resistance from the three-member Foreign Intelligence Surveillance Act Court, which exists solely to administer a 1978 law allowing the government to conduct intelligence wiretaps inside the United States. That court ordered the Justice Department to show that its primary purpose in applying for the wiretap was intelligence gathering and not for a criminal case.

Moreover, the three-member court decreed that prosecutors in the Justice Department's criminal division could not take an active role in directing activities of the department's intelligence division.

Attorney General John Ashcroft appealed to the United States Foreign Intelligence Surveillance Court of Review, which had never met before and which exists, like the lower court, only to oversee the 1978 law. The court of review ruled in November that the lower court had erred when it tried to impose restrictions on the Justice Department. Furthermore, the court of review said, there never was supposed to be a wall between intelligence gathering and criminal investigations.

"Effective counterintelligence, as we have learned, requires the wholehearted cooperation of all the government's personnel who can be brought to the task," the review panel wrote. "A standard which punishes such cooperation could well be thought dangerous to national security."

The review panel criticized the lower court, declaring that it had improperly tried to tell the Justice Department how to do its business, in violation of the Constitution's separation of powers between equal branches of government.

The Court of Review is made up of Judges Ralph B. Guy of the United States Court of Appeals for the Sixth Circuit; Edward Leavy of the Court of Appeals for the Ninth Circuit; and Laurence H. Silberman of the Court of Appeals for the District of Columbia Circuit. All were appointed to the panel by Chief Justice William H. Rehnquist of the Supreme Court.

Mr. Ashcroft praised the November decision as one that "revolutionizes our ability to investigate terrorists and prosecute terrorist acts." But the American Civil Liberties Union, the National Association of Criminal Defense Lawyers, the American-Arab Anti-Discrimination Committee and the Arab Community Center for Economic and Social Services, a Michigan-based organization, assailed the November decision.

"These fundamental issues should not be finally adjudicated by courts that sit in secret, do not ordinarily publish their decisions, and allow only the government to appear before them," the groups said in asking the Supreme Court to review it.

The A.C.L.U. and its allies had only friend-of-the-court status in the case, since technically the Justice Department was the only party. Thus, it was not surprising that the Supreme Court declined today to review the lower courts' decision.

http://www.nytimes.com/2003/03/24/politics/24CND-SCOT.html?ex=1049536949ei=1en=6cbee835b0f1acbe

-- Perry E. Metzger [EMAIL PROTECTED]
Khalid Sheikh Mohammed caught partially by Echelon?
The Guardian reports (unsurprisingly) that Echelon was used in tracking Khalid Sheikh Mohammed's mobile phones:
http://www.guardian.co.uk/alqaida/story/0,12469,911860,00.html

-- Perry E. Metzger [EMAIL PROTECTED]
ADMIN: acm.org subscribers in danger
Hi there. A large fraction of the messages being sent to acm.org are being tagged as spam, by some sort of highly over-aggressive anti-spam filter acm.org has put in. I've attempted to contact the postmaster there, but so far I've failed as my attempt to get in touch gets tagged as spam, too. If I keep getting torrents of bounces, all the folks using acm.org mail redirectors (and there are dozens of you) will get removed from the list in a few days. Very sorry, but I just don't know what else to do.

-- Perry E. Metzger [EMAIL PROTECTED]
ADMIN: voting, etc...
I'm going to be ending the voting discussion now, at least for the moment, unless anyone has anything really interesting/new to say.

-- Perry E. Metzger [EMAIL PROTECTED]
[Robert Moskowitz rgm-sec@htt-consult.com] Of potential interest -- Citibank tries to gag crypto bug disclosure
Forwarded from the SAAG list, where it was posted by Bob Moskowitz.

To: [EMAIL PROTECTED]
Subject: Citibank tries to gag crypto bug disclosure
Date: Thu, 20 Feb 2003 09:57:34 +
From: Ross Anderson [EMAIL PROTECTED]

Citibank is trying to get an order in the High Court today gagging public disclosure of crypto vulnerabilities:
http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_gag.pdf

I have written to the judge opposing the order:
http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_response.pdf

The background is that my student Mike Bond has discovered some really horrendous vulnerabilities in the cryptographic equipment commonly used to protect the PINs used to identify customers to cash machines:
http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-560.pdf

These vulnerabilities mean that bank insiders can almost trivially find out the PINs of any or all customers. The discoveries happened while Mike and I were working as expert witnesses on a `phantom withdrawal' case. The vulnerabilities are also scientifically interesting:
http://cryptome.org/pacc.htm

For the last couple of years or so there has been a rising tide of phantoms. I get emails with increasing frequency from people all over the world whose banks have debited them for ATM withdrawals that they deny making. Banks in many countries simply claim that their systems are secure and so the customers must be responsible. It now looks like some of these vulnerabilities have also been discovered by the bad guys. Our courts and regulators should make the banks fix their systems, rather than just lying about security and dumping the costs on the customers.

Curiously enough, Citi was also the bank in the case that set US law on phantom withdrawals from ATMs (Judd v Citibank). They lost. I hope that's an omen, if not a precedent ...

Ross Anderson
Wireless network key management
(The topic has drifted to the management of keys in a wireless network. Adam responds to Steve's notes about WEP...)

Adam Fields [EMAIL PROTECTED] writes:
> Practically, what's the right way to do this? You could do it with a centralized server key that has the ability to broadcast a new shared key to all clients, but then if the server gets compromised you lose control of the entire network (possibly true anyway, for different reasons). From my personal (limited) experience, key management is really hard. I'm curious about potential solutions to this.

Key management is hard, but there is good versus not so good versus horrible. Unchanging fixed WEP keys for everything on a network are bad. If, on the other hand, you use public key techniques or Needham-Schroeder KDC based techniques, you can do much better.

For example, the average wireless base station only has dozens to at most hundreds of clients. (In practice, they average far fewer, but never mind.) Also, 802.11 enforces that all communication goes through the wireless base station -- there are no mobile-mobile communications in the usual setup. It is thus perfectly reasonable to use different on-air conventional keys with each client, authenticated with a variety of techniques (shared key between base and client, public keys on both sides, Needham-Schroeder, etc.), and negotiated by any one of a number of similar variety of techniques (Diffie-Hellman, randomly generated nonce keys replaced at intervals encrypted in a known key, etc.)

More to the point, almost all 802.11 traffic carries IP. Therefore, using IPSec to protect traffic between the wireless node and the base station or a router, or even end to end, would not be unreasonable. In that case, key negotiation probably proceeds using IKE or perhaps a successor protocol.

In any case, although none of these techniques are perfect, they all eliminate the problem of one key to rule them all, with theft of one mobile handing over the entire net, both from a privacy and an authentication viewpoint. Of course, since WEP is crap anyway, you can break keys even if you don't steal a mobile, but even in principle the mechanism was not particularly good.

It isn't any easier to configure than good methods, either. Sure, you need to pre-configure some authentication information to use any of the good methods, but you also need to pre-configure your super-secret WEP key if you use WEP so there is no improvement in ease of configuration by using WEP.

-- Perry E. Metzger [EMAIL PROTECTED]
Matt Blaze on locks at U Penn
Forwarded from Dave Farber's list:
--
Dept. of Computer Information Science Colloquia Series 2003 is honored to present ...

Matt Blaze
AT&T Labs

Thursday, February 6, 2003
3:00 p.m. - 4:30 p.m.
Room 216 Moore School

Title: Cryptology and Physical Security: Rights Amplification in Mechanical Locks

Computer security and cryptology takes much of its basic philosophy and language from the world of mechanical locks, and yet we often ignore the possibility that physical security systems might suffer from the same kinds of attacks that plague computers and networks. This talk examines mechanical locks from a computer scientist's viewpoint. We describe attacks for amplifying rights in mechanical pin tumbler locks. Given access to a single master-keyed lock and its associated change key, a procedure is given that allows discovery and creation of a working master key for the system. No special skill or equipment, beyond a small number of blank keys and a metal file, is required, and the attacker need engage in no suspicious behavior at the lock's location. We end with future directions for research in this area and the suggestion that mechanical locks are worthy objects of our attention and scrutiny.
--
Shamir factoring machine uninteresting?
I find it odd that there has been so little comment on TWIRL. One would think that the crushing of 512 bit RSA keys and a strong demonstration of the weakness of 1024 bit RSA keys would have provoked some comment on the list. Any comments on why no one commented?

-- Perry E. Metzger [EMAIL PROTECTED]
Open Source TCPA driver and white papers
From Dave Farber's list:

From: David Safford [EMAIL PROTECTED]
Subject: Open Source TCPA driver and white papers
Date: Tue, 21 Jan 2003 12:05:39 -0500
Reply-To: David Safford [EMAIL PROTECTED]

IBM has released a Linux device driver under GPL for its TCPA chip (TPM). The driver is available at http://www.research.ibm.com/gsal/tcpa/

This page also has links to two papers, one presenting positive uses of the chip, and the second rebutting misinformation about the chip. These papers, combined with the Linux driver and the TCPA specification at http://www.trustedcomputing.org, give everyone the ability to test an actual chip (such as in the Thinkpad T30), to see for themselves what it can, and cannot do.

Note: the papers and driver do not discuss Palladium. Palladium and TCPA are two separate topics.

dave safford [EMAIL PROTECTED]
--
Fast factoring hardware
I got the following forwarded along yesterday from someone who'd had it forwarded along, apparently with reasonable permission along the chain. The message indicated the paper could be distributed, so I don't think I'm violating any trusts. Unfortunately the attached paper (which I'm still reading) is far too long to email to the whole list, but I'm trying to get a URL for it so people can download it at will.
--
[...]
From: Adi Shamir
[...]

I am attaching to this email a new paper coauthored with Eran Tromer. It describes a new hardware device called TWIRL (The Weizmann Institute Relation Locator) which is 3-4 orders of magnitude more efficient than previous designs (including TWINKLE) in implementing the sieving part of the NFS factoring algorithm. Based on a detailed design and simulation (but without an actual implementation), we believe that the NFS sieving step for 1024-bit RSA keys can be completed in less than a year on a $10M TWIRL machine, and that the NFS sieving step for 512-bit RSA keys can be completed in less than 10 minutes on a $10K TWIRL machine. Please feel free to send copies of the paper to anyone you wish.

Best regards, Adi Shamir.
[...]
--
ADMIN: Okay, no more DVD pricing and Pharma for now.
The discussion has been interesting but has gotten WAY out of the area of crypto politics per se. I'll be blocking that stuff unless it makes interesting new crypto or crypto politics points.

-- Perry E. Metzger [EMAIL PROTECTED]
Re: DeCSS, crypto, law, and economics
Matt Blaze [EMAIL PROTECTED] writes:
> By the way, import region-free DVD players *are* available, quite legally, within the US, as are non-region 1 disks. Kim's video in NYC is one source. They are all unfamiliar off brands, however - you won't find Sony or Matsushita (deliberately) producing one.

Actually, that's not true. Kim's sells grey market units typically made without licenses to the DVD patent portfolio in places like China, and units that are more legal but that have been cracked. The latter are supplied with instruction sheets describing how to disable region coding. Some of these sheets actually say things like "we can't be responsible for the effects, but if you were to push the following buttons in the following sequence..."

I am unaware of legal region-free players being generally available in the US, although I may be wrong on this.

-- Perry E. Metzger [EMAIL PROTECTED]
Re: DeCSS, crypto, law, and economics
Nomen Nescio [EMAIL PROTECTED] writes:
> I don't see much evidence for this. As you go on to admit, multi-region players are easily available overseas.

Sure, but they're generally illegal. I can buy grey market non-regioned players in the U.S. but the manufacturers are violating the intellectual property agreements that prevent such behavior.

> You seem to be claiming that the industry's main goal was to protect zone locking when that is already being widely defeated. Isn't it about a million times more probable that the industry's main concern was PEOPLE RIPPING DVDS AND TRADING THE FILES?

Without DeCSS, the piracy problem would have in no way been improved. Even if you didn't want to use physical DVDs, it wouldn't have been an issue. Ripping the raw encrypted bits from a DVD drive is easy. From there, you just would have had to have built a driver that pretended to be a DVD drive but actually read a chunk of disk, and presto -- Windows DVD player software would be perfectly happy aiding and abetting your piracy. For those that want physical DVDs, the encryption of course prevented nothing at all -- bits are bits.

No, what region coding did largely was allow the industry to try to prevent grey market sales.

I don't know anyone who trades video files -- they're pretty big and bulky. A song takes moments to download, but a movie takes many many hours even on a high speed link. I have yet to meet someone who pirates films -- but I know lots of hardened criminals who watch DVDs on Linux and BSD.

I'm one of these criminals. Many nights, I close the blinds and illegally use the computer I lawfully paid for to view the DVDs I lawfully paid for. To do that, I make use of DeCSS. My nice Unix based DVD player, ogle, needs it to read the drive. A little later this evening I'll be watching an episode of I, Claudius I bought and paid for, using this criminal software combination. Hopefully no one will learn of my shamefully immoral act. Please don't tell anyone.
-- Perry E. Metzger [EMAIL PROTECTED]
[IP] Control freaks are winning the financial-privacy battle
From Dave Farber's Interesting People list.

Dan Gillmor: Control freaks are winning the financial-privacy battle
By Dan Gillmor
Mercury News Technology Columnist

News and views, culled and edited from my online eJournal (www.dangillmor.com):

PRIVACY WRONGS

The drive to kill all privacy in financial dealings and communications is nearing a conclusion. The control freaks are winning, and your privacy is just about gone.

The imminent signing of the Homeland Security bill, a governmental reorganization with many anti-privacy provisions, is just one more blow. It follows last year's ill-named USA Patriot Act, which shredded civil liberties in its zeal to give law enforcement and security people every tool they needed to investigate terrorism threats. As usual, key provisions have had no debate or scrutiny.

Meanwhile, a secretive court has sided with the Bush administration -- easily the most hostile to liberty in our lifetime -- in greatly expanding law enforcement's surveillance capabilities. The decision blows new holes in what was left of the Fourth Amendment, even as it pretends to support constitutional rights.

More alarming yet, and also with the full support of the administration, former National Security Adviser John Poindexter is pushing ahead with a plan to scoop all of our electronic communications, financial transactions and more into a huge, linked collection of databases. This is police-state stuff. (Poindexter, you'll recall, was convicted of several felonies in the Iran-Contra scandal. He got off on what conservative critics of the legal system like to call a technicality and what civil libertarians like to call basic constitutional rights that protect us all.)

There will be gross abuse of these new powers. There is no recorded case in history where governments got more powers and didn't abuse them. But it seems there's too little organized constituency for privacy or liberty these days.

Corporate interests don't really believe in privacy, anyway. As these databases grow, business will be given access to the information, or much of it, to feed its marketing hunger. Increasingly, government exists to please corporate and police interests, and as those converge, everyone -- everyone except people who care about liberty -- will be happy.

The word ironic is insufficient to describe the renewed assault on privacy. No government in recent history has been more secretive in its own dealings than this one -- and the administration is pushing for new rules to hide what the government is doing with your money and on your behalf. The Homeland Security bill includes many new limitations on public access to government records. Simultaneously, but not coincidentally, the administration has tried to water down rules to make public companies more transparent in their financial dealings. Privacy rights are for the rich and powerful, not the rest of us.

The government reorganization almost failed in the Senate when those pesky Democrats tried to remove some slippery provisions, inserted without debate in the House, that did special favors for Republican campaign contributors. The most egregious of these could stop efforts to deter American companies from setting up offshore mail drops and call them headquarters to duck U.S. taxes. The majority party apparently believes it is patriotic to be a tax cheat -- and this in a professed time of war when security spending is rising through the roof, tax revenues are plummeting and huge budget deficits have returned. This isn't patriotism. It's economic treason, but it's the way things work these days.

HACKERS AND LIBERTY

Liberty is on the decline in America but may be on the rise elsewhere. A collection of activist hackers is about to release software designed to thwart governmental censors of the Internet.

The pro-democracy Six/Four project from Hacktivismo (http://hacktivismo.com/) is a potentially valuable step to protect political dissidents and other people who have the quaint idea that their access to information shouldn't be thwarted by government-run firewalls in places like China and Saudi Arabia.

The technical details provided by the Toronto-based project are too complicated to discuss here. But the basic idea is to use the Internet's decentralized nature in a way that lets people create anonymous, secure data tunnels from here to there and everywhere. If this works, governments will be harder-pressed to prevent their people from communicating freely and seeing online material that, for whatever reason, is considered objectionable.

In a novel but possibly futile gesture, the activists and their legal advisers have written a license for the software that, in theory, could make governments liable for damages if they tamper with the code or otherwise use it to harm human rights. The language in the draft I've seen is stern, but I'm not clear on how anyone expects to enforce it. Oxblood Ruffin, the project leader, says he
the volatile keyword
Don Davis writes:
> * the c99 standard and its predecessors don't at all intend volatile to mean what we naively think it means. specifically, in the hands of a high-end compiler developer, the spec's statement: "any expression referring to [a volatile] object shall be evaluated strictly according to the rules of the abstract machine" is really talking about what the compiler can infer about the program's intended semantics. a c99-compliant compiler _can_ legitimately remove a volatile access, as long as the compiler can deduce that the removal won't affect the program's result.

Sorry, but that is really not correct at all.

volatile exists because there are times when you absolutely need to know that the compiler will not alter your intent. A typical example is in touching a device register in a device driver. You may very well need to write a certain set of values out to a particular memory location in a particular order and not have them optimized away or reorganized. It may be vitally important to access register 2 and then register 1, or to write multiple values out to register 4 before touching register 3, or what have you. In a driver or in a situation like this you really do mean "write a one there and then write a ten there and never mind that you think you can optimize away writing the one there."

volatile means that the memory location has side effects and that you CANNOT deduce the result of the operations and thus are required to not touch the sequence at all. The spec specifically states that you may NOT remove or reorder sequence points if volatile is in use. That is why volatile exists. It means "do NOT reorder or eliminate access to these memory locations on pain of death." The intent of the spec is precisely what I've said, and I'll happily quote chapter and verse to prove it.

There are several similar misconceptions about the volatile keyword that have been propagated in recent messages.

Claims that volatile does not guarantee a safeguard against such optimizations are specious. That is exactly why volatile was introduced, and if, for example, gcc did not honor it, the machine I am typing at right now would not work because the device drivers would not work. Any optimizing compiler that people write device drivers in practically *has* to support volatile or it won't work for that purpose. (In the days before volatile you needed vile tricks to assure your intent was followed, or you needed to not optimize driver code, or both.)

Some have claimed volatile is not a mandatory part of C. Well, it is certainly mandatory in the C standards I have at hand. C99 makes it abundantly clear that you have to do it and do it correctly.

Some have claimed you can't know that the compiler writer implemented volatile correctly so you need a #pragma. Well, that doesn't actually help you. If they haven't implemented volatile right, why should they implement the pragma correctly? We already have a way of indicating "do not reorder or eliminate this code" which is in existing standards -- if it doesn't work, that's a bug in your compiler, and it is better to get the bug fixed than to ask for another feature to be added that might also be buggy and which is not part of the standard.

So in short, yes, volatile might be implemented in a buggy way by your compiler (which you should certainly test for if it is important to you!) but if your compiler is in fact properly implemented and standards compliant, volatile is the way to accomplish what you are trying to accomplish here.

-- Perry E. Metzger [EMAIL PROTECTED]
Re: Did you *really* zeroize that key?
Someone wrote to me:
> According to K&R 2nd Ed. p. 211, compilers may ignore volatile; volatile objects have no implementation-independent semantics.

K&R is not the C standard. Quoting the C99 standard, section 6.7.3.6:

    An object that has volatile-qualified type may be modified in ways unknown to the implementation or have other unknown side effects. Therefore any expression referring to such an object shall be evaluated strictly according to the rules of the abstract machine, as described in 5.1.2.3. Furthermore, at every sequence point the value last stored in the object shall agree with that prescribed by the abstract machine, except as modified by the unknown factors mentioned previously.

In other words: no, volatile is mandatory and in fact will be guaranteed to be implemented as expected. This is very important -- virtually every operating system requires volatile for purposes like writing device drivers.

-- Perry E. Metzger [EMAIL PROTECTED]
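The two volatile threads above ("the volatile keyword" and "Did you *really* zeroize that key?") are about the same practical problem: a key buffer wiped with a plain memset() just before it goes out of scope is a dead store, and an optimizer is entitled to delete it, whereas stores through a volatile-qualified object must be performed as the abstract machine prescribes (C99 6.7.3). The C below is an added example, not code from either post; the helper names secure_zero, secure_zero_fp, count_nonzero and wipe_and_check are assumed for the illustration, and the key bytes are constructed sample data, not a real key. It shows the two standard wiping idioms (a volatile byte pointer, and memset called through a volatile function pointer) and checks that no key bytes survive.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Wipe a buffer through a volatile-qualified pointer. C99 6.7.3 requires
 * every access to a volatile object to happen as the abstract machine
 * prescribes, so the compiler may not discard these stores as "dead"
 * even though the caller never reads the buffer again. A plain memset()
 * immediately before the buffer goes out of scope is exactly the store
 * that dead-store elimination is allowed to remove. */
void secure_zero(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--) {
        *p++ = 0;
    }
}

/* Second idiom: call memset through a volatile function pointer. The
 * compiler cannot know at compile time which function will be called,
 * so it cannot reason about the call's effect and delete it. */
static void *(*volatile memset_volatile_fp)(void *, int, size_t) = memset;

void secure_zero_fp(void *buf, size_t len)
{
    memset_volatile_fp(buf, 0, len);
}

/* Count the bytes that are still non-zero, so the wipe can be checked. */
size_t count_nonzero(const unsigned char *buf, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] != 0) {
            n++;
        }
    }
    return n;
}

/* Constructed sample key material for the demonstration (not a real key). */
static const unsigned char SAMPLE_KEY[16] = {
    0x1f, 0x2e, 0x3d, 0x4c, 0x5b, 0x6a, 0x79, 0x88,
    0x97, 0xa6, 0xb5, 0xc4, 0xd3, 0xe2, 0xf1, 0x0f
};

/* Stand-in for a cryptographic operation that consumes the key: fold the
 * bytes together with XOR. Its only purpose is that the key is really
 * used before it is wiped, as it would be in a driver or crypto library. */
static unsigned char consume_key(const unsigned char *key, size_t len)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) {
        acc ^= key[i];
    }
    return acc;
}

/* Copy the sample key onto the stack, use it, wipe it with the supplied
 * wiper, and report how many non-zero bytes remain. Production code would
 * never read the buffer back after the wipe (that is precisely the case
 * where a plain memset can be dropped); the read-back here exists only so
 * the result can be checked. */
size_t wipe_and_check(void (*wiper)(void *, size_t))
{
    unsigned char key[sizeof SAMPLE_KEY];
    memcpy(key, SAMPLE_KEY, sizeof key);
    (void)consume_key(key, sizeof key);
    wiper(key, sizeof key);
    return count_nonzero(key, sizeof key);
}

int main(void)
{
    printf("non-zero bytes before wipe: %zu\n",
           count_nonzero(SAMPLE_KEY, sizeof SAMPLE_KEY));
    printf("left after secure_zero:     %zu\n", wipe_and_check(secure_zero));
    printf("left after secure_zero_fp:  %zu\n", wipe_and_check(secure_zero_fp));
    return 0;
}
```

Neither idiom is a substitute for testing the compiler you actually ship with, as the post above says: the check here only confirms that the wipe ran in a function that reads the buffer afterwards, and the case that matters in practice is the one where nothing reads it. Inspecting the generated code (or using a platform wipe routine such as memset_s or explicit_bzero where available) is how you confirm the stores survive optimization in that case.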
German authorities bungle wiretaps.
German police have been forced to admit that dozens of criminal suspects had learned their phones were being tapped when the evidence showed up on their monthly phone bill. [...] Telecommunications authorities said that nearly 20,000 lines were currently being tapped.
http://news.bbc.co.uk/1/hi/world/europe/2387269.stm

-- Perry E. Metzger [EMAIL PROTECTED]
New Protection for 802.11
From Dave Farber's Interesting People list. Does anyone know details of the new proposed protocols?

---BeginMessage---
From: Dewayne Hendricks [EMAIL PROTECTED]
Subject: [Dewayne-Net] New Protection for 802.11
To: Dewayne-Net Technology List [EMAIL PROTECTED]
Date: Tue, 05 Nov 2002 13:17:54 -0800
Reply-To: [EMAIL PROTECTED]

New Protection for 802.11

While WLAN admins continue to wait for IEEE 802.11i, the non-profit Wi-Fi Alliance has approved a replacement for the much derided Wired Equivalent Privacy (WEP) encryption.

by Eric Griffith, 80211-Planet Managing Editor [November 5, 2002]
http://isp-planet.com/fixed_wireless/business/2002/wpa.html

The non-profit Wi-Fi Alliance, the consortium behind interoperability standards and testing for 802.11-based networks, has announced an official replacement for the much derided Wired Equivalent Privacy (WEP) encryption. The new solution, called Wi-Fi Protected Access (WPA), is a subset of the still unfinished IEEE 802.11i security specification and will be usable by both home and enterprise wireless networks.

Why not wait for 802.11i? According to Dennis Eaton, the chairman of the Wi-Fi Alliance, "the [IEEE] Task Group I doing 802.11i is still on a path to be complete about this time next year with a fully ratified standard, but that's a little too long. We had to do something sooner."

That something sooner is WPA, which, according to Eaton, will work with the majority of 802.11-based products out today once they've gone through a firmware/software upgrade. WPA is forward compatible with 802.11i. By the time 11i is ratified around September of next year, expect to see a WPA version 2.0 with full 802.11i support. Eventually, the Alliance expects to require Wi-Fi products to ship with WPA turned on as a default.

The way WPA will work in the enterprise is similar to the setup of any 802.1X authentication system. The clients and access points must have WPA enabled for encryption to and from an 802.1X with Extensible Authentication Protocol (EAP) authentication server of some sort, such as a RADIUS server, with centralized access management. The server provides the scalability for the design, user credentials, authorization as users request access, and generates the keys for Temporal Key Integrity Protocol (TKIP) encryption. "TKIP is part of WPA," says Eaton. Once the server authenticates the user, the access point will let that user on to the wired network; up to that point, the client only talked to the server.

Home network users usually won't have an authentication server, but the WPA solution still uses 802.1X. They won't get the upper layer authentication, but can take advantage of Pre-shared Key mode. "Pre-shared Key is used much like WEP: you key in a pass phrase [called the master key] in both the client and access point," says Eaton. "In the association process, if the password matches, then the access point allows access to the Internet or wired network. You still get the advantage of 802.1X, so my key is different from my wife's key on the same access point, but our keys are refreshed every time we connect. The pass phrase is the same, but the key is generated."

WEP, on the other hand, uses a static key that is seldom changed by users. This cryptographic weakness is responsible for many of the known security issues in WLANs today; any patient criminal hacker can eventually figure out the encryption key and get on the network.

WPA takes advantage of the 802.11i specification's requirements for things like 802.1X and TKIP, but leaves out things that require a hardware upgrade or aren't ready, such as secure fast handoff, secure de-authentication and disassociation, and AES-CCMP enhanced encryption.

The Wi-Fi Alliance is only requiring products going forward to have WPA built in if they expect to get the Wi-Fi Certification stamp; older and current WLAN products don't have to get a WPA upgrade. However, Eaton expects that upgrades to WPA will start appearing from vendors in the next several months. Whether vendors provide the upgrade for individual products or not depends upon their stance and whether they get support for it from the core technology providers such as the chipset makers.

Already announcing support for WPA with future upgrades are major 802.11 vendors (and Wi-Fi Alliance members) such as Agere, Atheros, Atmel, Funk Software, Intersil, Proxim, Resonext, and Texas Instruments. "We're fully behind it," says Bill Carney, Director of Marketing and Business Development at Texas Instruments. "It's important security. Security is the biggest roadblock to adoption."

Companies are free to resubmit older products with WPA implemented to the Alliance for testing. Interoperability testing of such products will begin in February 2003.

Archives at: http://web.wireless.com/index.php?name=Mailing_Listfn=viewmlmid=4
--
---End Message---
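The Pre-shared Key mode that Eaton describes, as an added example (not code from the article or the Wi-Fi Alliance): the pass phrase is turned into a 256-bit Pairwise Master Key with PBKDF2-HMAC-SHA1 over the SSID, and a fresh Pairwise Transient Key is derived per association from the PMK, both MAC addresses and two nonces, which is why the keys differ on every connect even though the pass phrase never changes. The PBKDF2 and PRF details are the 802.11i definitions, which the article does not spell out; the MAC addresses and nonces in the demo are constructed.

```python
import hashlib
import hmac
import os

# Added example, not from the article. Models WPA Pre-shared Key mode:
# pass phrase -> PMK (PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt,
# the 802.11i PSK definition) and PMK -> per-session PTK (802.11i PRF-512
# over both MAC addresses and both nonces from the 4-way handshake).
# MAC addresses and nonces used below are constructed sample values.

PTK_LABEL = b"Pairwise key expansion"


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """The 'master key' the article mentions: 32 bytes derived from the pass phrase."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA pass phrases are 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    blocks = []
    for counter in range((nbytes + 19) // 20):      # 20-byte SHA-1 outputs
        blocks.append(hmac.new(key, label + b"\x00" + data + bytes([counter]),
                               hashlib.sha1).digest())
    return b"".join(blocks)[:nbytes]


def wpa_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Per-association keys. Min/max ordering makes the result independent of
    which side is the AP and which the station."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, PTK_LABEL, data, 64)             # 512 bits for TKIP
    return {
        "KCK": ptk[0:16],       # EAPOL-Key MIC key (handshake integrity)
        "KEK": ptk[16:32],      # EAPOL-Key encryption key (wraps the group key)
        "TK": ptk[32:48],       # TKIP temporal encryption key
        "MIC_AP": ptk[48:56],   # Michael MIC key, AP -> station
        "MIC_STA": ptk[56:64],  # Michael MIC key, station -> AP
    }


def fresh_session_keys(pmk: bytes, aa: bytes, spa: bytes) -> dict:
    """One association: each side contributes a random nonce, so the PTK is new
    every time even though the PMK (and the pass phrase behind it) is fixed."""
    anonce, snonce = os.urandom(32), os.urandom(32)
    return wpa_ptk(pmk, aa, spa, anonce, snonce)


def keys_are_per_session(passphrase: str, ssid: str) -> bool:
    """Two connections by the same station to the same AP yield different TKs.

    Caveat for defenders: the PMK is the same for every client that knows the
    pass phrase, so PSK mode gives key freshness, not per-user secrecy. The
    per-user keys of the enterprise setup come from 802.1X/EAP, where the
    authentication server hands each client its own PMK."""
    pmk = wpa_pmk(passphrase, ssid)
    aa = bytes.fromhex("001122334455")     # constructed AP MAC address
    spa = bytes.fromhex("66778899aabb")    # constructed station MAC address
    first = fresh_session_keys(pmk, aa, spa)
    second = fresh_session_keys(pmk, aa, spa)
    return first["TK"] != second["TK"]


if __name__ == "__main__":
    print("PMK:", wpa_pmk("password", "IEEE").hex())
    print("fresh TK per association:", keys_are_per_session("password", "IEEE"))
```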
NSA CELEBRATES ITS FIFTIETH ANNIVERSARY
From Dave Farber's Interesting People list.

---BeginMessage---
-- Forwarded Message
From: Aftergood, Steven [EMAIL PROTECTED]
Date: Mon, 04 Nov 2002 15:43:19 -0500
To: [EMAIL PROTECTED]
Subject: Secrecy News -- 11/04/02

NSA CELEBRATES ITS FIFTIETH ANNIVERSARY

The National Security Agency observed its fiftieth anniversary last weekend in a characteristically low key manner. (How can you tell an extrovert from an introvert at NSA? In the elevators, the extroverts look at the OTHER guy's shoes. Or rather, the NSA extroverts are the ones that were telling that joke last weekend.)

NSA, the nation's codemaking, codebreaking and signals intelligence organization, was established on October 24, 1952 by President Harry S. Truman in a top secret, 8-page presidential memorandum. Formal announcement of the new agency was delayed until November 4, 1952 -- Election Day -- in order to keep the creation of the Agency out of the news, according to NSA.

Speaking at a November 1 anniversary ceremony at NSA headquarters at Fort Meade, Maryland, historian David Kahn offered his thoughts on "the death of cryptanalysis." Kahn, author of The Codebreakers and other pioneering histories of cryptography, noted the technological challenges confronting NSA and observed that it is far from the omniscient, omnipotent entity that outsiders sometimes imagine. "NSA doesn't know or control everything, as shown by public-key cryptography and the beating NSA took on key escrow and the fact that U.S. Navy submarines use Microsoft Windows," he said.

See David Kahn's invited remarks here: http://www.fas.org/irp/eprint/kahn.html

President Truman's 1952 memorandum establishing the NSA is available on the website of the National Security Archive here: http://www.gwu.edu/~nsarchiv/NSAEBB/NSAEBB23/02-01.htm

A January 2001 Congressional Research Service report entitled "The National Security Agency: Issues for Congress" by Richard A. Best Jr. may be found here: http://www.fas.org/irp/crs/RL30740.pdf

snip

___
Secrecy News is written by Steven Aftergood and published by the Federation of American Scientists.
---End Message---
[IP] Former FBI chief takes on encryption
From Dave Farber's Interesting People list.

---BeginMessage---
Former FBI chief takes on encryption
By Declan McCullagh
Staff Writer, CNET News.com
October 14, 2002, 12:39 PM PT

When Louis Freeh ran the FBI, he loved nothing more than launching into a heartfelt rant against the dangers of encryption technology. In dozens of hearings and public speeches, the FBI director would urge Congress to limit encryption products, such as Web browsers and e-mail scrambling utilities, that did not include backdoors for government surveillance.

Freeh didn't succeed. In fact, the Clinton administration veered in the opposite direction and eventually permitted, with few restrictions, the overseas shipments of data-scrambling products.

But Freeh, who left the FBI in June 2001, hasn't given up. During an appearance before the Senate Intelligence committee last week, he warned that the political reality after the Sept. 11 terrorist attacks means that it's time to reconsider what to do with encryption.

...

http://news.com.com/2100-1023-961969.html

-- End of Forwarded Message
---End Message---

-- Perry E. Metzger[EMAIL PROTECTED]
[Bruce Schneier schneier@counterpane.com] CRYPTO-GRAM, October 15, 2002
on the list. Perhaps you should feel honored by your inclusion.

From: Douglas Davidson [EMAIL PROTECTED]
Subject: Your name on Reveal's list

I just wanted to point out that this might not necessarily be illegitimate. If this organization is using some form of statistical filtering (something along the lines of that described for spam filtering in http://www.paulgraham.com/spam.html), then it is quite possible that their word list is derived entirely automatically from the analysis of some corpus. In that case, there may not be any way for a human to explain the presence of a particular word; it is there simply because it occurs in the corpus -- not necessarily frequently, either. In Graham's case, for example, the resulting word lists were a surprise even to Graham.

Unfortunately, if AntiChildPorn is using some technique of this sort, it becomes difficult to validate their filters. In the case of spam filtering, every user naturally has a sufficiently large corpus of spam and non-spam e-mail available to construct their own filters. However, not everyone has a large corpus of pornographic, racist, or similar material available. Unless AntiChildPorn makes their corpus available for examination -- which they probably are not willing to do -- it would be difficult to evaluate their techniques without assembling a large corpus yourself and seeing what their software says about it.

If AntiChildPorn is doing what they say they are doing, then one might make a guess that anti-Semitic writings occasionally include the names of rabbis. If they are not doing what they say they are doing, then perhaps they have fed Phrack or something similar into the mix. Without further evidence there is no way to tell.

From: Don Coppersmith [EMAIL PROTECTED]
Subject: XLS Against Rijndael

Your recent Crypto-gram leads people to believe that Courtois and Pieprzyk's XLS work breaks Rijndael. I believe that the Courtois-Pieprzyk work is flawed. They overcount the number of linearly independent equations. The result is that they do not in fact have enough linear equations to solve the system, and the method does not break Rijndael.

The details: The problem is evident in the T' method of section 6.3 of their IACR reprint #2002/044. They generate $T' = t'\, t^{P-1} \binom{S-1}{P-1}$ terms that can be multiplied by $x_1$ and still remain in their set of $T$ monomials, and then seem to claim to have that many new equations. But in fact, any of the $t' \left[ t^{P-1} - (t-r)^{P-1} \right] \binom{S-1}{P-1}$ equations that come from multiplication of a basic equation by a monomial have already been counted among their $R$ equations, and so they can't count them again.

The method has some merit, and is worth investigating, but it does not break Rijndael as it stands.

** *** * *** *** *

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses, insights, and commentaries on computer security and cryptography. Back issues are available on http://www.counterpane.com/crypto-gram.html.

To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a blank message to [EMAIL PROTECTED] To unsubscribe, visit http://www.counterpane.com/unsubform.html.

Please feel free to forward CRYPTO-GRAM to colleagues and friends who will find it valuable. Permission is granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is founder and CTO of Counterpane Internet Security Inc., the author of Secrets and Lies and Applied Cryptography, and an inventor of the Blowfish, Twofish, and Yarrow algorithms. He is a member of the Advisory Board of the Electronic Privacy Information Center (EPIC). He is a frequent writer and lecturer on computer security and cryptography.

Counterpane Internet Security, Inc. is the world leader in Managed Security Monitoring. Counterpane's expert security analysts protect networks for Fortune 1000 companies world-wide. http://www.counterpane.com/

Copyright (c) 2002 by Counterpane Internet Security, Inc.
---End Message---

-- Perry E. Metzger[EMAIL PROTECTED]
open source CAs?
Beyond the openssl tools (which are quite primitive), are there any open source certificate authority tools out there at the moment that people can recommend?

-- Perry E. Metzger[EMAIL PROTECTED]
new copyright bill...
From NewsScan Daily:

NEW COPYRIGHT BILL WOULD GIVE POWER TO THE PEOPLE

Rep. Rick Boucher (D-Va.) and Rep. John Doolittle (R-Calif.) have introduced legislation aimed at restoring specific fair use rights to copy digital works that were lost under the 1998 Digital Millennium Copyright Act, as well as bestowing circumvention rights to bypass copy protections when done solely in furtherance of scientific research. The Digital Media Consumers Rights Act has drawn support from a broad coalition of electronics and computer interests, consumer groups and academics. "It's just time," said Consumer Electronics Association president Gary Shapiro. "Consumers have been pushed up against the ropes. This is the first time in 20 years in which consumers are going on the offense rather than on the defense." Meanwhile, entertainment groups bemoaned this latest development in the battle over digital media rights. "If this bill were to be enacted, content owners would be left with two unhappy choices: Protect their valuable works by not making them available in digital formats such as DVD, or lose all control over unauthorized reproduction and distribution," said Jack Valenti, president of the Motion Picture Association of America. The bill has no chance of passage this year, but will set the stage for debate in the next session of Congress. (Wired.com 4 Oct 2002)

http://www.wired.com/news/politics/0,1283,55569,00.html
Don Coppersmith questions Courtois and Pieprzyk AES results
Don Coppersmith questions Courtois and Pieprzyk AES results -- see: http://makeashorterlink.com/?K27C515E1

-- Perry E. Metzger[EMAIL PROTECTED]
[Werner Koch wk@gnupg.org] GnuPG 1.2 released
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: GnuPG 1.2 released
From: Werner Koch [EMAIL PROTECTED]
Mail-Followup-To: [EMAIL PROTECTED]

Hello!

We are pleased to announce the availability of a new stable release of GnuPG: Version 1.2.0

The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication and data storage. It is a complete and free replacement of PGP and can be used to encrypt data and to create digital signatures. It includes an advanced key management facility and is compliant with the proposed OpenPGP Internet standard as described in RFC2440.

This new release implements most of OpenPGP's optional features, has somewhat better interoperability with non-conforming OpenPGP implementations and improved keyserver support.

Getting the Software
====================

GnuPG 1.2.0 can be downloaded from one of the *GnuPG mirror sites*. The list of mirrors can be found at http://www.gnupg.org/mirrors.html. See below for a list of mirrors already carrying this new release.

On the mirrors you should find the following files in the *gnupg* directory:

gnupg-1.2.0.tar.bz2 (1.8 MB)
gnupg-1.2.0.tar.bz2.sig
    GnuPG 1.2 source compressed using BZIP2 and OpenPGP signature.

gnupg-1.2.0.tar.gz (2.5 MB)
gnupg-1.2.0.tar.gz.sig
    GnuPG source compressed using GZIP and OpenPGP signature.

gnupg-1.0.7-1.2.0.diff.gz (1.0 MB)
    A patch file to upgrade a 1.0.7 GnuPG source. This file is signed; you have to use GnuPG 0.9.5 to verify the signature. GnuPG has a feature to allow clear signed patch files which can still be processed by the patch utility.

Select one of them. To shorten the download time, you probably want to get the BZIP2 compressed file. Please try another mirror if, exceptionally, your mirror is not yet up to date.

In the *binary* directory, you should find these files:

gnupg-w32cli-1.2.0.zip (1.0 MB)
gnupg-w32cli-1.2.0.zip.sig
    GnuPG compiled for Microsoft Windows and OpenPGP signature. Note that this is a command line version and comes without a graphical installer tool. You have to use an UNZIP utility to extract the files and install them manually. The included file README.W32 has further instructions.

Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you can do it in one of the following ways:

* If you already have a trusted version of GnuPG installed, you can simply check the supplied signature. For example to check the signature of the file gnupg-1.2.0.tar.bz2 you would use this command:

      gpg --verify gnupg-1.2.0.tar.bz2.sig

  This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by that signing key. Make sure that you have the right key, either by checking the fingerprint of that key with other sources or by checking that the key has been signed by a trustworthy other key. Never use a GnuPG version you just downloaded to check the integrity of the source - use an existing GnuPG installation.

* If you are not able to use an old version of GnuPG, you have to verify the MD5 checksum. Assuming you downloaded the file gnupg-1.2.0.tar.bz2, you would run the md5sum command like this:

      md5sum gnupg-1.2.0.tar.bz2

  and check that the output matches the first line from the following list:

      b22b10dacfeb5c2b0bc4ce9def2d1120  gnupg-1.2.0.tar.bz2
      e93ceafc4395d1713d20044d523d18a7  gnupg-1.2.0.tar.gz
      c735a9a4400e3e3b0b78f88aadedfd3d  gnupg-1.0.7-1.2.0.diff.gz
      af439e3ba82c8648041e8e9d902c3c01  gnupg-w32cli-1.2.0.zip

Upgrade Information
===================

The name of the default configuration file has changed from "options" to "gpg.conf". The old name will still be used as long as no gpg.conf exists. We recommend to rename your file after the installation.

If you are upgrading from a version prior to 1.0.7, you may want to run the command

      gpg --rebuild-keydb-caches

once to speed up the keyring access.

Please note also that due to a bug in versions prior to 1.0.6 it won't be possible to downgrade to such versions unless you use the GnuPG version which comes with Debian's Woody release or you apply the patch http://www.gnupg.org/developer/gpg-woody-fix.txt .

If you have any problems, please see the FAQ and the mailing list archive at http://lists.gnupg.org. Please direct questions to the [EMAIL PROTECTED] mailing list.

What's New
==========

Here is a list of major user visible changes since 1.0.7:

Configuration:

* The default configuration file is now ~/.gnupg/gpg.conf. If an old ~/.gnupg/options is found it will still be used. This change is required to have a more consistent naming scheme with forthcoming tools.

* The configure option --with-static-rnd=auto allows to build gpg with all available
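The two-step check the announcement describes, in its order of preference (a signature check with an already trusted GnuPG, the MD5 list only as a fallback), as an added example that is not part of the GnuPG release or its tooling. The MD5 list is the announcement's own; the `sample-1.2.0.tar.bz2` file used in the demo and its listing are constructed.

```python
import hashlib
import hmac
import os
import shutil
import subprocess
import tempfile
from typing import Optional

# Added example, not part of the GnuPG announcement. Automates the checks it
# describes: prefer `gpg --verify <file>.sig` with an installed, trusted
# GnuPG; otherwise compare an MD5 digest against the published list.
# MD5 is no longer collision resistant; in 2002 it was the announced
# fallback, and it still catches truncated or corrupted downloads.

# The checksum lines exactly as published in the announcement (md5sum format).
PUBLISHED_MD5 = """\
b22b10dacfeb5c2b0bc4ce9def2d1120  gnupg-1.2.0.tar.bz2
e93ceafc4395d1713d20044d523d18a7  gnupg-1.2.0.tar.gz
c735a9a4400e3e3b0b78f88aadedfd3d  gnupg-1.0.7-1.2.0.diff.gz
af439e3ba82c8648041e8e9d902c3c01  gnupg-w32cli-1.2.0.zip
"""


def parse_checksum_list(text: str) -> dict:
    """'digest filename' lines -> {filename: digest}; malformed lines are skipped."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[0]) == 32:
            table[parts[1].lstrip("*")] = parts[0].lower()
    return table


def md5_hex(path: str) -> str:
    """Hash the file in chunks; the tarballs are megabytes, so don't slurp them."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def md5_matches(path: str, table: dict) -> bool:
    """Compare with the published digest for this file name; unknown names fail closed."""
    name = os.path.basename(path)
    if name not in table:
        return False
    return hmac.compare_digest(md5_hex(path), table[name])


def gpg_signature_ok(path: str, gpg: str = "gpg") -> Optional[bool]:
    """The announcement's first choice: verify the detached .sig with the gpg
    already installed (never the freshly downloaded one). Returns None only
    when no gpg is installed, so the caller may fall back to the MD5 list;
    a missing .sig next to an installed gpg is a failure, not a fallback."""
    if shutil.which(gpg) is None:
        return None
    if not os.path.exists(path + ".sig"):
        return False
    result = subprocess.run([gpg, "--verify", path + ".sig", path],
                            capture_output=True)
    return result.returncode == 0


def verify_download(path: str, checksum_text: str = PUBLISHED_MD5) -> tuple:
    """(method, ok): signature check when a gpg exists, the MD5 list otherwise."""
    sig = gpg_signature_ok(path)
    if sig is not None:
        return ("signature", sig)
    return ("md5", md5_matches(path, parse_checksum_list(checksum_text)))


def demo() -> tuple:
    """Constructed sample: a 'download' whose digest is in the list passes,
    and the same file with one appended byte fails."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "sample-1.2.0.tar.bz2")
        with open(good, "wb") as f:
            f.write(b"abc")                 # md5("abc") = 900150983cd24fb0d6963f7d28e17f72
        listing = "900150983cd24fb0d6963f7d28e17f72  sample-1.2.0.tar.bz2\n"
        table = parse_checksum_list(listing)
        ok_before = md5_matches(good, table)
        with open(good, "ab") as f:
            f.write(b"\n")                  # simulate a corrupted/altered download
        ok_after = md5_matches(good, table)
        return (ok_before, ok_after)


if __name__ == "__main__":
    print("published list parsed:", parse_checksum_list(PUBLISHED_MD5))
    print("demo (intact, tampered):", demo())
```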
unforgeable optical tokens?
A couple of places have reported on this: http://www.nature.com/nsu/020916/020916-15.html

An idea from some folks at MIT apparently where a physical token consisting of a bunch of spheres embedded in epoxy is used as an access device by shining a laser through it. On the surface, this seems as silly as biometric authentication -- you can simply forge what the sensor is expecting even if you can't forge the token. Does anyone know any details about it?

-- Perry E. Metzger[EMAIL PROTECTED]
Re: Cryptogram: Palladium Only for DRM
It takes a lot for me to get cranky around here, but I'm afraid Aarg! has done it.

AARG!Anonymous [EMAIL PROTECTED] writes:
> Perry Metzger writes:
>> Why not simply design the OS so it is not a likely victim for viruses? This is a general security problem, not one special to banking operations.
>
> That's a great idea. I don't know why nobody thought of that before.

You conveniently cut what I said selectively, sarcastically replying to only pieces of it. You completely ignored much of the substance, such as the fact that in a correctly operating OS, MMUs+file permissions do more or less stop processes from seeing each others data if the OS functions correctly.

So, to summarize, you ignored most of what I said, but managed to be incredibly rude. I've noticed you doing the same to lots of others.

Here's a strong suggestion for the future, Anonymous. Never anger the moderator of a moderated mailing list. You can be the agent provocateur all day long, but you can't be snide and unresponsive.

I'm going to ask that you go back and respond to my message without being insulting and without being selective about what sections you quote. If you want another copy, well, I don't know how to send it to you -- I can only hope you saved it. Until then, I'm not forwarding your mail. If you want to play your game here, you're going to have to do it politely and reasonably.

Sorry for doing this in public but I have no other way of communicating with you.

Perry
bluetooth cryptosystems
Does anyone have good pointers to papers on the security of E0 and the rest of the stuff used in bluetooth? It all looks very fragile.

-- Perry E. Metzger[EMAIL PROTECTED] -- Ask not what your country can force other people to do for you...
Quantum computers inch closer?
[I don't know what to make of this story. Anyone have information? --Perry]

Quantum computer called possible with today's tech
http://www.eet.com/story/OEG20020806S0030

MADISON, Wis. Researchers at the University of Wisconsin in Madison claim to have created the world's first successful simulation of a quantum-computer architecture that uses existing silicon fabrication techniques. By harnessing both vertical and horizontal tunneling through dual top and bottom gates, the architecture lays out interacting, 50-nanometer-square, single-electron quantum dots across a chip.

"Our precise modeling elucidates the specific requirements for scalable quantum computing; for the first time we have translated the requirements for fault-tolerant quantum computing into the specific requirements for gate voltage control electronics in quantum dots," said professor Mark Eriksson of the university's Department of Physics.

The group of researchers has concluded that existing silicon fabrication equipment can be used to create quantum computers, albeit at only megahertz speeds today due to the stringent requirements of its pulse generators. To achieve gigahertz operation, the group has pinpointed the device features that need to be enhanced to prevent leakage errors, and has already begun work on fabricating a prototype.

"We believe that quantum computers are possible today with the component technologies we already have in place for silicon," Eriksson said.

The team composed their quantum bits out of electron spin: up for 1, down for 0. Encoding bits in spins allows a single electron to represent either binary value, and because of the indeterminacy of quantum spins, they can represent both values during calculations to effectively create a parallel process.

"Our technique may enable quantum computers to actually begin performing calculations that can't be performed any other way," Eriksson said.

Others have demonstrated a few quantum dots interacting to perform calculations but Eriksson estimates that a million quantum bits (qubits) will be needed to create quantum computers that perform useful real-world applications. For that, silicon fabrication equipment offers the best solution, according to Eriksson.

Eriksson's team matched silicon germanium fabrication capabilities to quantum-dot requirements. The result is an array of quantum dots, each of which houses a single electron, with electrostatic gates controlling qubit interactions. The team then optimized and exhaustively simulated the model, which it declared to be a successful design.

The design constraints included reducing the population of electrons in quantum dots to one, while permitting tunable coupling between neighboring dots. The team met those conditions by employing both vertical and horizontal tunneling to first confine and then slightly alter the location of individual electrons.

A back gate serving as the chip substrate acts as an electron reservoir from which quantum dots can draw their single electrons using vertical tunneling into the quantum-well layer. That layer acts as the vertical confinement barrier, with an insulator above and below it, enabling the vertical size of the quantum dots to be just big enough for one. A grid of top gates then provides the horizontal separation between dots by supplying electrostatic repulsion from above.

The semiconductor layers were formed from strain-relaxed SiGe, except for the quantum-well layer, which was pure, strained silicon. The bottom gate was formed from a thick n-doped layer with a 10-nm, undoped tunneling barrier separating it from the 6-nm-thick quantum-well layer. Another 20-nm-thick tunnel barrier above the quantum-well layer separated it from the metallic top gates, the team reported.

Researchers load the electrons into the quantum dots from below by adjusting the potentials on the top gates to induce an electron from the bottom gate to tunnel vertically up into the quantum-well layer. Once loaded, the electron stays in place because of the electrostatic force from the top gates. When the team weakens the force between selected quantum dots by adjusting the top gates between them, the adjacent dots are permitted to interact, thus enabling calculations to be made.

The normal errors encountered during quantum calculations could mostly be corrected, according to Eriksson's simulations. Careful consideration of the simulations led the researchers to predict that leakage could be tuned out sufficiently by low temperatures combined with a modified heterostructure that allowed larger electrical fields.

With existing fabrication techniques, the team estimates that a million-quantum-dot computer (1,024 x 1,024 array) could be built today and operated in the megahertz range.
Re: employment market for applied cryptographers?
Adam Back [EMAIL PROTECTED] writes:
> Are there any more definitive security industry stats? Are applied crypto people suffering higher rates of unemployment than general application programmers? (From my statistically too small sample of acquaintances it might appear so.)

Hard to say. I've seen very high rates of unemployment among people of all walks of life in New York of late -- I know a lot of lawyers, systems administrators, secretaries, advertising types, etc. who are out of work or have been underemployed for a year or longer. I'm not sure that it is just cryptographers.

Always keep in mind when you hear the latest economic statistics that measuring the size of the US economy, or the number of unemployed people, is partially voodoo. When was the last time you saw any estimate of the margin of error on the supposedly scientific measurement of quarterly economic growth? How many illegal immigrants are being polled in the employment stats? How much of the revenue of underground businesses gets counted in the GDP figures?

[I myself am not working at the moment, but voluntarily so I suppose I wouldn't count in the statistics as unemployed -- starting a company during a recession turns out to be a great way to burn yourself completely out, and I decided to take some time off of working. Haven't given much thought to what I'll do to find a job when I decide I want one again...]

Perry
[aleph1@securityfocus.com] Implementation of Chosen-Ciphertext Attacks against PGP and GnuPG
---BeginMessage---
Implementation of Chosen-Ciphertext Attacks against PGP and GnuPG
K. Jallad, J. Katz, and B. Schneier

We recently noted that PGP and other e-mail encryption protocols are, in theory, highly vulnerable to chosen-ciphertext attacks in which the recipient of the e-mail acts as an unwitting decryption oracle. We argued further that such attacks are quite feasible and therefore represent a serious concern. Here, we investigate these claims in more detail by attempting to implement the suggested attacks. On one hand, we are able to successfully implement the described attacks against PGP and GnuPG (two widely-used software packages) in a number of different settings. On the other hand, we show that the attacks largely fail when data is compressed before encryption. Interestingly, the attacks are unsuccessful for largely fortuitous reasons; resistance to these attacks does not seem due to any conscious effort made to prevent them. Based on our work, we discuss those instances in which chosen-ciphertext attacks do indeed represent an important threat and hence must be taken into account in order to maintain confidentiality. We also recommend changes in the OpenPGP standard to reduce the effectiveness of our attacks in these settings.

http://www.counterpane.com/pgp-attack.pdf
http://www.counterpane.com/pgp-attack.ps.zip

--
Elias Levy
Symantec
Alea jacta est
---End Message---

-- Perry E. Metzger[EMAIL PROTECTED] -- Ask not what your country can force other people to do for you...
ADMIN: No, I'm not dead...
I was away at a couple of trade shows and forgot to send a "there will be some delays" message before I left. The moderation backlog should start clearing later today.

-- Perry E. Metzger[EMAIL PROTECTED] -- NetBSD: The right OS for your embedded design. http://www.wasabisystems.com/
Re: CFP: PKI research workshop
Phillip Hallam-Baker [EMAIL PROTECTED] writes:
> Methinks you complain too much. PKI is in widespread use, it is just not that noticeable when you use it. This is how it should be.
>
> SSL is widely used to secure internet payment transactions.

HTTPS SSL does not use PKI. SSL at best has this weird system in which Verisign has somehow managed to charge web sites a toll for the use of SSL even though for the most part the certificates assure the users of nothing whatsoever. (If you don't believe me about the assurance levels, read a Verisign cert practice statement sometime.) Of course, client side certificates barely even exist, although people made substantial preparation for them early on in the history of all of this. Were it not for historical accident no one would care about PKI in this context.

> S/MIME use is significant and growing.

I get PGP encrypted mail a few times a week. I've never received a request from any counterparty to set myself up to receive S/MIME. Your mileage may vary.

> The financial industry is not looking at offline PKI models in general.

When I was still doing security consulting, nearly every firm I worked for had installed Entrust or something similar -- and none of them used the systems for anything. PKI and the Emperor's New Clothes have a bunch in common.

> As for what PKI vendors have been up to, the successful ones have been supporting private label certification hierarchies from the start.

The PKI vendors are, I think, largely surprised by what has happened. They were expecting things like lots of mutual authentication using PKI to be in place, and in fact, there's almost none in use at all. I think many of the PKI vendors haven't been doing too well -- some of them that I used to have dealings with barely exist any longer. The one business that seems to make money is charging a toll for running an e-commerce site. I wonder who they might be.

Of course, none of this should be surprising in the least. Commerce and the PKI model have nearly nothing to do with each other. Some of us were writing about this years ago.

-- Perry E. Metzger[EMAIL PROTECTED] -- NetBSD Development, Support CDs. http://www.wasabisystems.com/
Re: private-sector keystroke logger...
Derek Atkins [EMAIL PROTECTED] writes:
> Hrm, how about a worm with a built-in HTTP server that installs itself on some non-standard port, say TCP/28462 (to pick one at random)?

Too easy to detect. Encrypt the key in some key known only to the attacker, and start leaking little bits of it in things like tweaks to tcp timings or selections of tcp client port numbers or initial sequence numbers and such. Very hard to detect something like that with network sniffing.

-- Perry E. Metzger[EMAIL PROTECTED] -- NetBSD Development, Support CDs. http://www.wasabisystems.com/
passport hacked
http://www.wired.com/news/technology/0,1282,48105,00.html

Stealing MS Passport's Wallet
By Brian McWilliams
12:25 p.m. Nov. 2, 2001 PST

To correct serious security flaws, Microsoft on Friday disabled the virtual wallet function of its Passport service and has begun notifying partners about the vulnerabilities, the company has confirmed.

The bugs in Passport, a sign-on service used by more than 165 million people, were discovered this week by Marc Slemko, a software developer who lives near Microsoft's Redmond, Washington, headquarters. Slemko is a founding member of the Apache Software Foundation.

[...]

-- Perry E. Metzger[EMAIL PROTECTED] -- NetBSD Development, Support CDs. http://www.wasabisystems.com/
IP: Eisner privacy quote a hoax
From Interesting People:

Date: Wed, 10 Oct 2001 12:06:07 -0700
Subject: Eisner privacy quote a hoax
From: Fred von Lohmann (EFF) [EMAIL PROTECTED]

The report regarding a secret meeting in DC where Eisner purportedly said "Privacy laws are our biggest impediment to us obtaining our objectives" was a hoax. The Register has published a retraction and apology: http://www.theregister.co.uk/content/31/22138.html

Fred

-- Fred von Lohmann, Senior Intellectual Property Attorney, Electronic Frontier Foundation (www.eff.org) [EMAIL PROTECTED] +1 (415) 436-9333 x123
CDT Calls on Internet Activists to Urge Support for Feingold Amendments to Anti-Terrorism Bills
If you ever wish to remove yourself from the list, unsubscribe at: http://www.cdt.org/action/unsubscribe.shtml If you just want to change your address, you should unsubscribe yourself and then sign up again or contact: [EMAIL PROTECTED]

--- CDT Update Subscription Information: E-mail questions, comments, or requests to subscribe or unsubscribe to [EMAIL PROTECTED] or call (202) 637-9800. Detailed information about online civil liberties issues may be found at http://www.cdt.org/ ---

Ari Schwartz, Center for Democracy and Technology, 1634 Eye Street NW, Suite 1100, Washington, DC 20006; 202 637 9800; fax 202 637 0968; [EMAIL PROTECTED]; http://www.cdt.org

-- Perry E. Metzger [EMAIL PROTECTED] -- Ask not what your country can force other people to do for you...
Correction sought (`Secrets concealed by software' London Times)
From Dave Farber's list:

From: Ross Anderson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Date: Mon, 08 Oct 2001 14:23:58 +0100
Subject: Correction sought

The Editor, The Times,

Dear Sir:

In Friday's article, `Secrets concealed by software' [1], you quoted me as saying that rather than using steganography, it was `likely that they [al-Qaida] sent thousands of innocent messages along with their live orders, so that the secret information was missed.' Your claim is untrue. I did not say that.

Your reporter called me and told me he had had a briefing from the security services that al-Qaida were using steganography, that is, hiding messages inside other objects such as MP3 files or images. He asked me whether I thought this was plausible. I replied that although it was technically possible, it was unlikely; and that, according to the FBI, the hijackers had sent ordinary emails in English or Arabic.

I explained that the main problem facing police communications intelligence is traffic selection - knowing which of the billions of emails to look at - rather than the possibility that the emails might be encrypted or otherwise camouflaged. A competent opponent is unlikely to draw attention to himself by being one of the few users of encryption or anonymity services. For just the same reason, he is unlikely to draw attention to himself by sending unreasonably large numbers of messages as cover traffic. Instead, he will hide his messages among the huge numbers of quite innocuous messages that are sent anyway. Throwaway email accounts with service providers such as hotmail are the natural way to do this.

Unfortunately, the story that bin Laden hides his secret messages in pornographic images on the net appears to be too good for the tabloids to pass up. It appears to have arisen from work done by Niels Provos at the University of Michigan. In November last year, he wrote in a technical report that he could find no evidence that messages were being hidden in online images. By February this year, this had been conflated by USA Today, an American popular paper, with an earlier FBI briefing on cryptography into a tale that terrorists could be using steganography to hide messages [2]. Similar material has surfaced in a number of the racier areas of the net [3], despite being criticised a number of times by more technically informed writers [4].

It is unclear what national interest is served by security agencies propagating this lurid urban myth. Perhaps the goal is to manufacture an excuse for the failure to anticipate the events of November 11th. Perhaps it is preparing the ground for an attempt at bureaucratic empire-building via Internet regulation, as a diversionary activity from the much harder and less pleasant task of going after al-Qaida. Perhaps the vision of bin Laden as cryptic pornographer is being spun to create a subconscious link, in the public mind, with the scare stories about child pornography that were used before September 11th to justify government plans for greater Internet regulation.

Whatever the security services' motive, it is quite unclear to me why a `quality newspaper' should have run this story, even after its technical and operational implausibility were explained to you in detail (see also `Al-Qaeda hid coded messages on porn websites' [5]). Could you kindly publish this letter as a correction.

Yours Faithfully

Ross Anderson
Reader in Security Engineering
University of Cambridge

[1] http://www.thetimes.co.uk/article/0,,2001340010-2001345085,00.html
[2] http://www.usatoday.com/life/cyber/tech/2001-02-05-binladen.htm
[3] http://www.feedmag.com/templates/printer.php3?a_id=1624
[4] http://www.wired.com/news/politics/0,1283,41658,00.html
[5] http://www.thetimes.co.uk/article/0,,2001340010-2001345211,00.html
Re: Which internet services were used?
Eric [EMAIL PROTECTED] writes:

[Moderator: I've listened to virtually all the news conferences made so far. The FBI has yet to make any such statement. In any case, however, why should we find this any more shocking or unfortunate than terrorism being plotted using telephones, or paper letters, or conversations? Why are there no hysterics noting the plotters travelled using AUTOMOBILES!

The claim is that automobiles or telephones do not eviscerate the ability of law enforcement to effectively do their job, while the use of strong encryption and other electronic sundry do. Therefore, it is argued that cars and certain phones are ok, while strong encryption is not. This claim is, however, wrong.

First, let's look at the question of automobiles. Automobiles certainly reduce the ability of law enforcement to do its job. The accomplices of the hijackers almost certainly fled their locations in automobiles. They would have been unable to go far without automobiles. It has also been noted in some of the media that Ossama bin Ladin left his location shortly after the attacks -- presumably in an automobile. Not having automobiles would have made it easier to bomb Mr. bin Ladin and to catch accomplices. However, no one would suggest this for fear of looking foolish. The arguments about encryption are virtually identical -- only people are unfortunately not so afraid of looking like fools in public.

It can be argued that not requiring recordings of all phone conversations impedes law enforcement. Indeed, one would expect such recordings to be necessary, given that even if made in the clear, it would be impossible to go back in time to listen in on the conversations of the hijackers. Would you like that done?

It can be argued that strong encryption made the deaths of these 4000 people possible. How it made it possible is never explained. Let us try exploring that question, however. If there were no strong encryption, what could have been done differently? Perhaps without it law enforcement could systematically listen in on every conversation everywhere and every email message flowing worldwide and record them and listen for threats. They would have had to. After all, had they known who these people were in advance, they could have simply targeted them for intense surveillance including bugging their homes and computers. By definition they DID NOT know who they were, so they would have needed to search EVERYTHING.

Let's say such universal surveillance -- a horror I cannot imagine -- were both possible and practical. Would it have stopped anything? No. In response, the hijackers would simply have visited each other in person to coordinate their plot, and we have already established that had the government known who they were so they could have bugged such conversations, universal surveillance would not have been required in the first place. Would it have been so difficult for them to, say, go and visit each other to pick a date to fly planes into the World Trade Center?

It is trivial to blame encryption here, but I can't see that it is reasonable to blame it. There is no evidence at all -- NONE -- that in the absence of encryption it would not be equally possible to carry out such attacks. I repeat: There is no evidence at all that in the absence of encryption it would not be equally possible to carry out such attacks. At the very best, the internet could have provided a convenience to the plotters -- no more. The killing of Israeli athletes at Munich involved no encryption -- nor did a thousand other attacks. Why would you need encryption to be a terrorist? The people who claim such an attack could only be made possible via coordination over the internet obviously don't remember that people managed to communicate dates to meet even before there were phones or even post offices, let alone the internet.

These same people ignore the fact that the US economy, and indeed the world economy, could no longer function without encryption. Encryption is vital to PREVENTING crime, you see. It provides enormous and powerful security to ordinary people conducting their ordinary affairs. Most are unaware that they're using encryption, but they are. Would you like it easier for people to break into computer networks? Would you like your electrical power system or your local hospital to be more vulnerable to remote attack? Just ban encryption. Your wishes will be made manifest.

Ultimately, what is unsaid is that if widespread encryption is used, the NSA will be unable to vacuum-cleaner listen in on billions of conversations and transactions and spot such things before they happen. Ignoring the vast and horrific intrusion that such systematic surveillance of all members of society implies, there is no evidence that terrorists couldn't simply modify their methods in response to this, just as communist terrorists in Germany did when they systematically studied law enforcement techniques to evade
The tragedy in NYC
[I sent this originally yesterday, but the, er, problems our mail server in downtown New York suffered for a while caused some delay. Another copy was published on Dave Farber's interesting people. Several people wrote me afterwards vilifying me. Ah well. The list is now running on a new machine in Virginia, which should be safe even as more buildings collapse and burn. --Perry]

In the wake of the tragedy in NYC today, I was asked by someone if I didn't now agree that crypto was a munition. At the time, I thought that a friend of mine was likely dead. (I've since learned he escaped in time.) My answer then, when I thought I'd lost a friend, was the same as my answer now and the answer I've always had. Cryptography must remain freely available to all.

In coming months, politicians will flail about looking for freedoms to eliminate to curb the terrorist threat. They will see an opportunity to grandstand and enhance their careers, an opportunity to show they are tough on terrorists. We must remember throughout that you cannot preserve freedom by eliminating it. The problem is not a lack of laws banning things.

I know the pressure on everyone in Washington will be to do something. Speaking as a New Yorker who dearly loves this city, who has felt deep shock throughout most of the day, watching the smoke still rising from the fires to the south of me, listening to the ambulances and police cars continuing to wail about me, let me say this: I do not want more laws passed in the name of defending my home. I do not want more freedoms eliminated to preserve freedom. I do not want to trade my freedom for safety. Franklin has said far more eloquently than me why that is worthless.

If you must do something, send out more investigators to find those responsible for this and bring them to justice. Pass no new laws. Take away no freedoms. Do not destroy the reason I live here to give me safety. I'd rather die in a terrorist attack.

-- Perry E. Metzger [EMAIL PROTECTED] -- Ask not what your country can force other people to do for you...
www.boycottadobe.com
It appears an Adobe boycott is in progress. See: http://www.boycottadobe.com/

-- Perry E. Metzger [EMAIL PROTECTED] -- NetBSD Development, Support CDs. http://www.wasabisystems.com/
Programmer arrested for Defcon talk?
According to slashdot (http://www.slashdot.org/) a programmer was arrested for (apparently -- details on the cited web sites are sketchy) giving a talk at Defcon in Las Vegas describing how to break the encryption in certain Adobe PDF files. It is (apparently) claimed by Adobe that this was a violation of the DMCA. See: http://slashdot.org/article.pl?sid=01/07/17/130226&mode=thread

I'm not a big fan of /. -- they aren't particularly good at the whole fact checking thing -- but the story sounds intriguing. The real details may very well be quite different from what is portrayed. If anyone knows real details, I'd appreciate them.

-- Perry E. Metzger [EMAIL PROTECTED] -- NetBSD Development, Support CDs. http://www.wasabisystems.com/
Programmer arrested
Several people forwarded this: http://www.wired.com/news/politics/0,1283,45298,00.html

-- Forwarded message --
Date: Tue, 17 Jul 2001 10:57:48 -0400
From: Declan McCullagh [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: FC: FBI arrests Russian hacker visiting U.S. for alleged DMCA breach

Russian Adobe Hacker Busted
By Declan McCullagh ([EMAIL PROTECTED])
7:04 a.m. July 17, 2001 PDT

LAS VEGAS -- FBI agents have arrested a Russian programmer for giving away software that removes the restrictions on encrypted Adobe Acrobat files.

Dmitry Sklyarov, a lead programmer for Russian software company ElcomSoft, was visiting the United States for the annual Defcon hacker convention, where he gave a talk on the often-flawed security of e-books.

This would be the second known prosecution under the criminal sections of the controversial Digital Millennium Copyright Act (DMCA), which took effect last year and makes it a crime to manufacture products that circumvent copy protection safeguards.

[...]

--- End of forwarded message ---

-- Perry E. Metzger [EMAIL PROTECTED] -- NetBSD Development, Support CDs. http://www.wasabisystems.com/