Cryptography-Digest Digest #561

1999-11-12 Thread Digestifier

Cryptography-Digest Digest #561, Volume #10  Fri, 12 Nov 99 23:13:03 EST

Contents:
  Re: "Risks of Relying on Cryptography," Oct 99 CACM "Inside Risks" column (Terry Ritter)
  Re: Ultimate Crypto Protection?
  Re: Ultimate Crypto Protection?
  Re: Proposal: Inexpensive Method of "True Random Data" Generation (john baez)
  Re: Proposal: Inexpensive Method of "True Random Data" Generation
  Re: Ultimate Crypto Protection?
  Re: Proposal: Inexpensive Method of "True Random Data" Generation ([EMAIL PROTECTED])
  Some basic facts - internet and crypto ("Markku J. Saarelainen")
  Re: Proposal: Inexpensive Method of "True Random Data" Generation ("james d. hunter")



From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: "Risks of Relying on Cryptography," Oct 99 CACM "Inside Risks" column
Date: Sat, 13 Nov 1999 01:30:02 GMT


On Fri, 12 Nov 1999 02:48:38 GMT, in <80fv65$rvt$[EMAIL PROTECTED]>, in
sci.crypt [EMAIL PROTECTED] wrote:

>Terry Ritter wrote:
>> [EMAIL PROTECTED] wrote:


>[...]
>> In my proposals, it has been, and still is, unnecessary to
>> authenticate the cipher choice.  No authentication mistake is possible
>> with respect to cipher choice.  The ciphers themselves must be
>> authentic, but that is not a cipher-change protocol issue.
>
>I'm not sure what you mean.  The adversary may modify the
>messages that influence the choice of cipher.  It is the
>authenticity of these messages that is at issue, and the
>handling of these messages constitutes the cipher selection
>protocol.  I'll show below why authentication is necessary.

There is something seriously wrong with a cipher system which allows
messages to be substituted by anyone who happens to have a non-secret
public key.  This is an issue in public-key cryptography which is not
normally present in secret-key cryptography.  

In secret-key cryptography, if more than two users share a key, it is
quite clear that multiple source options exist for any message which
is sent.  This is clear.  The issue of deception, then, is due to
public-key cryptography, and so must be (and generally will be)
handled in any system which uses that technology.  

Having a system where anyone can masquerade as anyone else is simply
insane.  Or perhaps you are assuming that the issue *cannot* be
handled in public-key cryptography, which would be an interesting
result.  

This is not an issue for the cipher-change protocol.  It *is* an issue
which must be considered in every public-key design.


>[...]
>So you've described the protocol: "In my proposal, one
>end sends a list; the other selects from that list".
>You've been clear that when a side sends the list,
>such communication is and under a cipher.  Now I'll
>describe the attack on a system entirely consistent
>with your description.
>
>Suppose all parties are given an authentic certificate
>for Bob's public key.  Alice sends her list of ciphers
>to Bob, encrypted under Bob's public key.  Fred blocks
>the message from Alice and substitutes his own list
>consisting of one cipher he knows to be on Bob's list.
>Bob, as the description specifies, selects a cipher
>from the list.
>
>So just as you described, the negotiation is protected
>by a cipher.  

While you claim to have assumed that the negotiation is "protected,"
in reality you have not made any such assumption.  Any cipher system
which allows anyone at all to pretend they are the other party to a
particular communication is inherently insecure.  The cipher change
protocol is hardly the issue.   

>Just as you wrote "In my proposal, one
>end sends a list; the other selects from that list".
>Thus Fred has achieved the chosen cipher attack, within
>the protocol you described.  As you noted, we have to
>assume the initial cipher is effective; ciphers provide
>privacy and the example above grants that the cipher
>is effective.

The initial ciphering system was, by your description, remarkably
ineffective.  That seems to be an issue for the cipher system design,
rather than any particular cipher, or any plaintext protocol under the
cipher.  Again, that issue does not come up when we have a single pair
of nodes operating under secret key.  The issue for public-key
cryptography, then, is to provide a protocol which does provide
security.  And when that is provided, the cipher-change protocol I
proposed will be fine, perhaps with some additional protection, which,
as you have previously noted, was suggested by "others."  


>> You seem to have several big problems here, the first being the
>> possibility that I missed something, and so deserve your castigation.
>
>More like: you missed something and so should recognize
>it now and fix it.

No, you found something which is probably well-known in public-key
design, and have attempted to use it to fault a level at which it does
not apply.  


>> Well, I did *not* miss what you think I did, but even if I had, who
>> elected you God?  If yo

Cryptography-Digest Digest #560

1999-11-12 Thread Digestifier

Cryptography-Digest Digest #560, Volume #10  Fri, 12 Nov 99 22:13:03 EST

Contents:
  Re: ENCRYPTOR 4.0 crack DEMO -error ([EMAIL PROTECTED])
  Re: Proposal: Inexpensive Method of "True Random Data" Generation (Nicolas Bray)
  Re: Proposal: Inexpensive Method of "True Random Data" Generation ("james d. hunter")
  Re: Public Key w/o RSA? (DJohn37050)
  Re: smartcard idea? (Mok-Kong Shen)
  Re: Build your own one-on-one compressor (SCOTT19U.ZIP_GUY)
  Re: Build your own one-on-one compressor (SCOTT19U.ZIP_GUY)
  Re: Public Key w/o RSA? (David A Molnar)



From: [EMAIL PROTECTED]
Subject: Re: ENCRYPTOR 4.0 crack DEMO -error
Date: Fri, 12 Nov 1999 21:25:52 GMT


> a.txt.enc (ciphertext) :
>
> B5 88 CA 91 9F B4 E5 74 9F 25 EB AD F0 94 64 8F
> A9 D6 C1 91 A0 B0 82 83 79 C3 D8 A1 64 5A AC 35
> 2C 9D
>
> I XOR this ciphertext with the output of the stream cipher,
> it gives :
>
> This is j test message RYRYRYRY
>

I said I XOR the ciphertext ...
That is wrong: I wanted to say I SUBTRACT the ciphertext with the output
of the stream cipher.

Alexander


Sent via Deja.com http://www.deja.com/
Before you buy.

--

From: Nicolas Bray <[EMAIL PROTECTED]>
Crossposted-To: sci.math,sci.misc,sci.physics
Subject: Re: Proposal: Inexpensive Method of "True Random Data" Generation
Date: Fri, 12 Nov 1999 13:54:56 -0800




On Thu, 11 Nov 1999, james d. hunter wrote:

> > He's some sort of engineer with a scientist complex.
> 
>   No reason to get insulting. If I had "scientist" complex
>   I won't know anything probability theory. But since I'm
>   an engineer, I do something about probability and statistics.

Well, John Baez is a well respected mathematical physicist. You called
him an idiot. I'd say you most definitely have a scientist complex.


--

From: "james d. hunter" <[EMAIL PROTECTED]>
Crossposted-To: sci.math,sci.misc,sci.physics
Subject: Re: Proposal: Inexpensive Method of "True Random Data" Generation
Date: Fri, 12 Nov 1999 17:30:04 -0500
Reply-To: [EMAIL PROTECTED]

Coen Visser wrote:
> 
> "james d. hunter" wrote:
> 
> > > And you have to consider the limits of computers if you want
> > > your model to behave correctly.
> 
> >   What makes you think that computers have limits?
> 
> Does "Halting problem" ring a bell?

  No. Because the "Halting problem" is a mathematical problem,
  it's not a computer problem, it never was.


> >   The fact that "scientists" sometimes misuse the concept
> >   of limit. That's just philosophy that gets plowed under
> >   as technology advances.
> 
> I'd really love to see them plow under the "Year 2000 problem" with
> technological advances. A typical example of non-existing limits;
> just add some memory, that will solve it. After that one is gone they may

  The legal profession plowed that baby about five years ago,
  where've you been?


> plow under the software crisis, with its 25-50% failed software
> projects. Using just faster computers software will finally be
> delivered on time and on budget. Let's tackle long range weather
> forecasting and climate modelling. Even the tiniest difference between
> our model and the real world and the two will diverge before
> you can say: "we need infinite precision so we can calculate
> with *real* real numbers."

  No you don't need infinite precision. Somebody decided
  2000 years ago that it would be convenient if really, really, really,
  real numbers existed, and humans have been imagining that really, really
  really, real and really, really, really imaginary numbers existed ever
  since.


> 
> > > I take it you are not a (theoretical) computer scientist.
> 
> >   Yes, that's correct. Theoretical computer scientists are
> >   mostly philosophers also, since very little of what they
> >   do concerns computers or science.
> 
> I see. Shall we quit this thread?

  Yes.

--

From: [EMAIL PROTECTED] (DJohn37050)
Subject: Re: Public Key w/o RSA?
Date: 12 Nov 1999 23:03:00 GMT

ECC can be used to provide encryption and does so in ANSI X9.63 and is in IEEE
P1363a draft.  The methods there are based on ECIES formatting by Bellare and
Rogaway.

It is true that the "natural" function for ECC is key agreement and the
"natural" function for RSA is encryption, but that does not mean ECC cannot be
used to do encryption or that RSA cannot be used to do key agreement.  In some
sense they both have equal public key magic.

RSA sig ver is only fast if the public exponent is low, there are some
indications that using a low exponent may not be equivalent to factoring.  See
Dan Boneh's web page for a paper on this.
Don Johnson

--

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: smartcard idea?
Date: Fri, 12 Nov 1999 23:24:26 +0100

Craig Inglis wrote:
> 
> I wonder what it would cost to design a credit card sized smartcard
> with a numeric keypad, a little LCD disp

Cryptography-Digest Digest #559

1999-11-12 Thread Digestifier

Cryptography-Digest Digest #559, Volume #10  Fri, 12 Nov 99 18:13:03 EST

Contents:
  Re: ENCRYPTOR 4.0 crack DEMO ([EMAIL PROTECTED])
  Re: Proposal: Inexpensive Method of "True Random Data" Generation ("james d. hunter")
  Re: ENCRYPTOR 4.0 by Comotex USA Inc. CRACKED !! ([EMAIL PROTECTED])
  Re: Your Opinions on Quantum Cryptography (Anton Stiglic)
  Re: Public Key w/o RSA? (DJohn37050)
  Re: Public Key w/o RSA? (John Savard)
  Re: Proposal: Inexpensive Method of "True Random Data" Generation (Coen Visser)
  Re: Proposal: Inexpensive Method of "True Random Data" Generation (Patrick Juola)
  Re: PALM PILOT PGP found here (Keith A Monahan)
  Re: ENCRYPTOR 4.0 crack DEMO (JPeschel)
  Re: RC4 in Kremlin US version 2.21 to tom st denis (Tom St Denis)
  effect of password entropy on public key/ECC? (Bill McGonigle)
  Re: Proposal: Inexpensive Method of "True Random Data" Generation (fungus)
  Re: Proposal: Inexpensive Method of "True Random Data" Generation (Nicolas Bray)



From: [EMAIL PROTECTED]
Subject: Re: ENCRYPTOR 4.0 crack DEMO
Date: Fri, 12 Nov 1999 19:39:38 GMT

Ok let's try a little demo to show that Encryptor 4.0 is cracked.

First a known plaintext attack demo :

I have 3 files encrypted with the same password with Encryptor 4.0

I know that the file : email.txt contains this : ( the header of an
email to me )
but the password used to encrypt the 3 files is unknown.

Delivered-To: [EMAIL PROTECTED]

it gives :

44 65 6C 69 76 65 72 65 64 2D 54 6F 3A 20 61 6C
65 78 61 6E 64 65 72 6D 61 69 6C 40 68 6F 74 6D
61 69 6C 2E 63 6F 6D

the ciphertext in the file email.txt.ecr is :

A5 85 CD 87 F5 B0 E4 B9 A2 32 CB B7 B7 40 A5 8E
A9 DB AF 9E 9D B0 D4 9E 81 DA EB 8F 73 77 C7 95
83 6A BE 35 6E BD DF

I subtract each byte of the ciphertext to the plaintext
and it gives me the initial output of the stream cipher
of that key. ( example 0xa5-0x44 = 0x61,
0x85-0x65=0x20)

it gives ( this is the output of the stream cipher ) :

61 20 61 1E 7F 4B 72 54 35 05 77 48 7D 20 44 22
44 63 4E 30 39 4B 62 31 20 71 7F 4F 0B 08 53 28
22 01 52 07 0B 4E 72

You can see that the output of the stream cipher is only 7 bits
per byte ( not 8 )


Yet I can directly crack the two other files :

a.txt.enc and b.txt.enc

a.txt.enc (ciphertext) :

B5 88 CA 91 9F B4 E5 74 9F 25 EB AD F0 94 64 8F
A9 D6 C1 91 A0 B0 82 83 79 C3 D8 A1 64 5A AC 35
2C 9D

I XOR this ciphertext with the output of the stream cipher,
it gives :

This is j test message RYRYRYRY

An error occurs for letter 'j', it should be 'a'.
I don't know yet why, but the soft seems to be cracked, no ?

I let you try to decode the file :

b.txt.enc (ciphertext) :

AA 40 D5 86 E8 B9 DD 74 B2 6D E0 BB 9D 93 B3 88
B8 83 B7 A3 59 AE D4 92 83 DC E4 B3 2B 29 60 32


Then Encryptor 4.0 cracked or not cracked ?? :))

For a ciphertext attack only, you can do as I described in another post.
Even with only two ciphertexts with the same password, it can be broken.
As Jim Gillogly, he will explain this better than me.
You search in the two ciphertexts, probable words ...

Then Encryptor 4.0 cracked or not cracked ??


Alexander PUKALL
November 12, 1999
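
Added example, not part of the original post and not Encryptor's code: the known-plaintext steps of the post replayed in Python on the byte values it quotes, using byte-wise subtraction mod 256 as in the post's own 0xa5-0x44 example. Recomputing the difference gives 3E at keystream index 8 where the post lists 35, which accounts for the 'j'; the SHAKE-256 keystream with a per-file nonce is a constructed stand-in for a vetted nonce-based cipher, showing that a keystream recovered from one file then no longer opens another.

```python
"""Keystream reuse under one password, replayed on the bytes quoted in the post."""
import hashlib
import os

# Hex dumps copied from the post (email.txt, email.txt.ecr, a.txt.enc, b.txt.enc).
KNOWN_PLAINTEXT = bytes.fromhex(
    "44 65 6C 69 76 65 72 65 64 2D 54 6F 3A 20 61 6C "
    "65 78 61 6E 64 65 72 6D 61 69 6C 40 68 6F 74 6D "
    "61 69 6C 2E 63 6F 6D")
EMAIL_CT = bytes.fromhex(
    "A5 85 CD 87 F5 B0 E4 B9 A2 32 CB B7 B7 40 A5 8E "
    "A9 DB AF 9E 9D B0 D4 9E 81 DA EB 8F 73 77 C7 95 "
    "83 6A BE 35 6E BD DF")
A_CT = bytes.fromhex(
    "B5 88 CA 91 9F B4 E5 74 9F 25 EB AD F0 94 64 8F "
    "A9 D6 C1 91 A0 B0 82 83 79 C3 D8 A1 64 5A AC 35 "
    "2C 9D")
B_CT = bytes.fromhex(
    "AA 40 D5 86 E8 B9 DD 74 B2 6D E0 BB 9D 93 B3 88 "
    "B8 83 B7 A3 59 AE D4 92 83 DC E4 B3 2B 29 60 32")
# Keystream exactly as listed in the post.
POSTED_KEYSTREAM = bytes.fromhex(
    "61 20 61 1E 7F 4B 72 54 35 05 77 48 7D 20 44 22 "
    "44 63 4E 30 39 4B 62 31 20 71 7F 4F 0B 08 53 28 "
    "22 01 52 07 0B 4E 72")


def sub_mod256(a: bytes, b: bytes) -> bytes:
    """Byte-wise (a - b) mod 256 over the shorter of the two inputs."""
    return bytes((x - y) & 0xFF for x, y in zip(a, b))


def add_mod256(a: bytes, b: bytes) -> bytes:
    """Byte-wise (a + b) mod 256 over the shorter of the two inputs."""
    return bytes((x + y) & 0xFF for x, y in zip(a, b))


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Ciphertext minus known plaintext yields the keystream prefix."""
    return sub_mod256(ciphertext, known_plaintext)


def decrypt(ciphertext: bytes, keystream: bytes) -> bytes:
    """Remove an additive keystream from a ciphertext."""
    return sub_mod256(ciphertext, keystream)


def keystream_mismatches(posted: bytes, recomputed: bytes):
    """(index, posted byte, recomputed byte) wherever the two lists differ."""
    return [(i, p, r) for i, (p, r) in enumerate(zip(posted, recomputed))
            if p != r]


def nonce_keystream(password: bytes, nonce: bytes, length: int) -> bytes:
    # Assumption: SHAKE-256 stands in here for a vetted nonce-based stream
    # cipher (ChaCha20, AES-CTR); it only illustrates the per-file nonce.
    return hashlib.shake_256(nonce + password).digest(length)


def encrypt_with_nonce(password: bytes, plaintext: bytes, nonce: bytes = None):
    """Encrypt with a fresh random nonce per file; returns (nonce, ciphertext)."""
    nonce = os.urandom(16) if nonce is None else nonce
    stream = nonce_keystream(password, nonce, len(plaintext))
    return nonce, add_mod256(plaintext, stream)


def reuse_attack_survives_nonces() -> bool:
    """True if a keystream taken from file 1 still decrypts file 2."""
    password = b"constructed-password"        # constructed sample value
    second = b"second file, same password"    # constructed sample value
    _, ct1 = encrypt_with_nonce(password, KNOWN_PLAINTEXT)
    _, ct2 = encrypt_with_nonce(password, second)
    stolen = recover_keystream(ct1, KNOWN_PLAINTEXT)
    return decrypt(ct2, stolen) == second


if __name__ == "__main__":
    ks = recover_keystream(EMAIL_CT, KNOWN_PLAINTEXT)
    print("recomputed keystream:", ks.hex(" ").upper())
    print("all bytes below 0x80:", max(ks) < 0x80)
    for i, posted, recomputed in keystream_mismatches(POSTED_KEYSTREAM, ks):
        print(f"index {i}: post lists {posted:02X}, recomputed {recomputed:02X}")
    print("a.txt with posted keystream:    ", decrypt(A_CT, POSTED_KEYSTREAM))
    print("a.txt with recomputed keystream:", decrypt(A_CT, ks))
    print("b.txt with recomputed keystream:", decrypt(B_CT, ks))
    print("reuse still works with per-file nonces:",
          reuse_attack_survives_nonces())
```
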




--

From: "james d. hunter" <[EMAIL PROTECTED]>
Crossposted-To: sci.math,sci.misc,sci.physics
Subject: Re: Proposal: Inexpensive Method of "True Random Data" Generation
Date: Fri, 12 Nov 1999 14:37:59 -0500
Reply-To: [EMAIL PROTECTED]

Coen Visser wrote:
> 
> "james d. hunter" wrote:
> 
> >   It was never claimed that words are anybody's trademark.
> >   It is suggested that the -same- word is better off -not-
> >   being used in two completely different [contexts] simultaneously.
> 
> Agreed.
> 
> >   [...] But, if you are implementing a dynamic system -digitally- :0), you
> >   have to treat the mathematics as if it were a physical system,
> >   if you want it to behave correctly.
> 
> And you have to consider the limits of computers if you want
> your model to behave correctly.

  What makes you think that computers have limits?
  The fact that "scientists" sometimes misuse the concept
  of limit. That's just philosophy that gets plowed under
  as technology advances.


> 
> >Theoretical Computer Science folks can do whatever they want, since
> >as far as I can tell, almost nothing they do concerns computers.
> 
> I take it you are not a (theoretical) computer scientist.

  Yes, that's correct. Theoretical computer scientists are
  mostly philosophers also, since very little of what they
  do concerns computers or science.

--

From: [EMAIL PROTECTED]
Subject: Re: ENCRYPTOR 4.0 by Comotex USA Inc. CRACKED !!
Date: Fri, 12 Nov 1999 19:38:38 GMT

In article <[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (JPeschel) wrote:
> fungus [EMAIL PROTECTED] writes:
>
> >JPeschel wrote:
> >>
> >> "Alexander PUKALL" [EMAIL PROTECTED] writes:
> >>
> >> >Why not cracke

Cryptography-Digest Digest #558

1999-11-12 Thread Digestifier

Cryptography-Digest Digest #558, Volume #10  Fri, 12 Nov 99 17:13:03 EST

Contents:
  Re: Intelligence System Behavior Newsletters - several additional  newsletters ("Markku J. Saarelainen")



From: "Markku J. Saarelainen" <[EMAIL PROTECTED]>
Crossposted-To: alt.politics.org.cia,soc.culture.russian,soc.culture.ukrainian,soc.culture.europe,alt.security,soc.culture.soviet
Subject: Re: Intelligence System Behavior Newsletters - several additional  newsletters
Date: Fri, 12 Nov 1999 14:23:09 +


Copyright 1995 Markku J. Saarelainen

INTELLIGENCE SYSTEMS BEHAVIOR NEWSLETTER

January, 1996

by

Markku J. Saarelainen

Correct ISO 9000 Interpretations ?  -  Are there any ?

We all know that ISO 9001 requirements are very flexible and general. This
gives us the ability to design and develop any type of intelligence system
we like to design. There is not necessarily TRUE and FALSE as long as you
meet these general ISO 9001 requirements and you are conforming to your own
unique intelligence system documentation. We can also find out very easily
by performing a quick survey of different registrars' interpretations of
ISO 9001 that there are many differences. Even individual auditors within
the registrar's organization may have their unique interpretations on a
case-by-case basis. So is there any correct interpretation of the ISO 9001
requirements? Yes, the most correct interpretation of these requirements is
the interpretation that is most suitable and beneficial for the company's
intelligence control, assurance and continuous improvement purposes. You
develop your intelligence system for your company and customers; not for
your ISO 9000 registrar.

In how many different ways can you document your Intelligence Policy and
Objectives? Or in how many different ways can you document and present your
organizational responsibilities, authorities and interrelations? Probably
in thousands of different ways. You can find different methods and
techniques in handbooks, articles, ready-made intelligence manuals, your
sister company's intelligence manual and in many other sources. None of
these techniques is the ONE and ONLY correct technique. Again, it shall be
up to your company, management and ISO 9000 Project Team to decide what is
the most suitable method for your particular business purposes, which shall
add the most value to your operations and processes.

What about training? You can use many specific training plans to describe
training requirements on a monthly basis, or you can use one master
training plan for one year, or you can do your training planning on an
on-going basis using some specific training logs. In fact, you have so many
options to describe your training activities and planning that you may have
difficulties to choose the most suitable one. There are no specific
requirements how your training process operates, no specific requirements
for how you maintain your training records and there are not specific
requirements regarding your employees' specific educational level. It is
all up to your organization and your management's unique needs.

What about then ISO 9001's internal intelligence audit requirements? There
is no requirement that each lead auditor in your organization has to pass,
for example, a Lead Assessor Training Test or even to complete this
particular training activity that is provided by so many different Lead
Assessor Training providers. However there is a requirement that all
intelligence auditors are trained, and of course, naturally your Lead
Auditor has to meet some additional requirements such as having leadership
and managerial skills. But where does it say in the standard that Lead
Auditors have to pass "Lead Auditor Training" that is provided by a third
party training organization, and why do so many registrar's auditors want
to see some Lead Assessor Training Certificates? The ISO 9000 series
includes both guideline and specification standards, and the guideline
standards are ONLY guidelines, and NOT specifications. (See ISBN February
1995).

So what is the future of the ISO 9001 interpretations? As in so many other
similar situations, the market place shall define and determine the future
of these interpretations. In many cases, companies are willing to adapt to
guideline elements, if these make sense and add value to their
organizations and management processes. In addit

Cryptography-Digest Digest #557

1999-11-12 Thread Digestifier

Cryptography-Digest Digest #557, Volume #10  Fri, 12 Nov 99 17:13:03 EST

Contents:
  Re: Proposal: Inexpensive Method of "True Random Data" Generation (Coen Visser)
  Re: Proposal: Inexpensive Method of "True Random Data" Generation ("james d. hunter")
  Re: Signals From Intelligent Space Aliens?  Forget About It. ("Douglas A. Gwyn")
  Re: ENCRYPTOR 4.0 by Comotex USA Inc. CRACKED !! (JPeschel)
  Re: Proposal: Inexpensive Method of "True Random Data" Generation ("james d. hunter")
  Re: Public Key w/o RSA? (Medical Electronics Lab)
  Re: Public Key w/o RSA? ("Douglas A. Gwyn")
  Info about WorldKey ([EMAIL PROTECTED])
  Re: Proposal: Inexpensive Method of "True Random Data" Generation (Ken Muldrew)
  Re: Build your own one-on-one compressor (SCOTT19U.ZIP_GUY)
  Re: Proposal: Inexpensive Method of "True Random Data" Generation (Coen Visser)



From: Coen Visser <[EMAIL PROTECTED]>
Crossposted-To: sci.math,sci.misc,sci.physics
Subject: Re: Proposal: Inexpensive Method of "True Random Data" Generation
Date: Fri, 12 Nov 1999 18:12:37 +

"Trevor Jackson, III" wrote:
> 
> john baez wrote:
> 
> > In article <[EMAIL PROTECTED]>, Coen Visser  <[EMAIL PROTECTED]> wrote:
> > >I do not believe that one
> > >can compress any single string irrespective of the population
> > >from which it was drawn and never believed so.

Please let this sub-thread die. This is not my quote.
Maybe I or someone else edited too much.

> > Eh?  I bet you can write a program that prints out a trillion 1's
> > which is shorter than a trillion characters long.   In the Kolmogorov-
> > Chaitin theory of algorithmic information, this is what's meant by
> > "compressing a string", and in this case, clearly you can do it
> > without any "population" of strings from which the given string was
> > drawn.
> >
> > But perhaps you're talking about some other definition of compression -
> > there seems to be a lot of talking at cross-purposes in this thread,
> > largely because people aren't defining their terms.
> 
> It appears to me that he means a single string drawn from the set of all finite
> strings.  In that case even the string of a trillion 1's cannot be compressed.
> The compressed form would collide with and thus lengthen the string matching the
> compressed representation.

Regards,

Coen Visser

--

From: "james d. hunter" <[EMAIL PROTECTED]>
Crossposted-To: sci.math,sci.misc,sci.physics
Subject: Re: Proposal: Inexpensive Method of "True Random Data" Generation
Date: Fri, 12 Nov 1999 13:10:30 -0500
Reply-To: [EMAIL PROTECTED]

Coen Visser wrote:
 > 
 > "james d. hunter" wrote:
 > 
 > >   The general guiding principles concerning "sounds" and "looks"
 > >   when connected with "random" are that Quantum Mechanics looks
 > >   and -is- a randomly generated theory of the universe.
 > 
 > That may be the case in physics. This is not the case in
 > algorithmic information/complexity theory. I don't know enough
 > about physics to argue/agree with you on that field. What I do know
 > is that "random" is not a registered trademark of physicists.

  It was never claimed that words are anybody's trademark.
  It is suggested that the -same- word is better off -not-
  being used in two completely different simultaneously.

  If you haven't been around the world for more than a few years or so,
  it is now a generally accepted custom that many dynamic systems
  are in fact implemented -digitally- :O)

  But, if you are implementing a dynamic system -digitally- :0), you
  have to treat the mathematics as if it were a physical system,
  if you want it to behave correctly.
 


 > 
 > >  > A random string has maximum information content: its information
 > >  > can not be described by a smaller string. You can find "randomness" in
 > >  > the fact that you need the complete string to get its information. [...]
 > 
 > >   If you insist on confusing yourself by using "random" for static and
 > >   dynamic properties, be my guest, it's not I like really care.
 > 
 > What I object to is the fact that someone makes the assumption that
 > it is useless to attribute randomness to strings. There is interesting
 > field in theoretical computer science that is build on that definition.
 > Your use of randomness may be as useful/equivalent as the definition I
 > use, am not denying that. And if you don't care, you won't read and reply
 > on this message.

   Theoretical Computer Science folks can do whatever they want, since as
   far as I can tell, almost nothing they do concerns computers.

--

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Signals From Intelligent Space Aliens?  Forget About It.
Date: Fri, 12 Nov 1999 18:00:32 GMT

Patrick Juola wrote:
> In context, it's not inappropriate... Force is still mass times
> acceleration; even at relativistic speeds.

Only in a meaningless sense.  How do

Cryptography-Digest Digest #556

1999-11-12 Thread Digestifier

Cryptography-Digest Digest #556, Volume #10  Fri, 12 Nov 99 15:13:02 EST

Contents:
  Re: Intelligence System Behavior Newsletters - few additional ones ("Markku J. Saarelainen")



From: "Markku J. Saarelainen" <[EMAIL PROTECTED]>
Crossposted-To: alt.politics.org.cia,soc.culture.russian,soc.culture.ukrainian,soc.culture.europe,alt.security,soc.culture.soviet
Subject: Re: Intelligence System Behavior Newsletters - few additional ones
Date: Fri, 12 Nov 1999 12:37:54 +

Copyright 1999 Markku J. Saarelainen

INTELLIGENCE SYSTEMS BEHAVIOR NEWSLETTER
October, 1999
by
Markku J. Saarelainen

Competitive Intelligence (CI), Business Ethics and Economic Espionage
Act (EEA) of 1996
One of the main differences between ethics and law is that ethics vary
from one person to another and the interpretations of laws should remain
exactly same regardless of a person. How facts are presented, when cases
are established and whether these facts are correct or incorrect, these
differ from one lawyer to another.

To understand all legal concepts and frameworks it is essential to read
trade secret and some other intellectual property laws and regulations
in all regions, where you conduct your business. There are also some international
treaties that may be quite relevant for the study - these may also be applicable
in some computer security cases. You may also want to visit some sites
of the professional CI societies and other similar organizations. Just
using a search engine you can actually find many URLs with varying intelligence.
(NOTE: Your query information may be used for some commercial purposes
- be aware of this).

If you like to read any EEA related cases, you may find some on the
Internet, in some law libraries and newspaper articles. Sometimes these
cases may be pure public relations and propaganda activities targeting
certain companies and enterprises by certain interest groups. (In fact,
there have been some interesting cases, where locals in the U.S.A. have
been very deceitful to their international managers and ownerships for
the benefit of local investments ---> actually international management
may use the EEA to fight against these deceitful behaviors.) In addition,
many law schools may have some good information at their sites. To find
any discussions relating to the EEA's regulatory process prior to its becoming
a part of a tangled subject-matter legislation, you may want to search
the Federal Register and/or any other relevant congressional records. You
may also visit the Whitehouse's archives and other .gov sites. However,
often some documents are providing clearly a one-sided view, but if you
can use a simple method: "Turn your YESes to NOs, and your NOs to YESes",
you can learn some other points of views and conclusions hidden between
some lines.

However, the EEA and related issues can be viewed in many different
ways. National law enforcement agencies tend to have their own views for
allocating their resources to specific activities in certain subject matter
areas. Sometimes their counter-intelligence activities may just be offensive
and hostile activities against certain commercial interests. Corporate
security personnel have their own approaches and not necessarily dependent
on any CI professionals and/or law enforcement agencies. Competitive intelligence
professionals have their views and are often confused about their roles,
their codes of ethics, if any, and their legal liabilities, if any. Then
there are those intelligence agencies such as the C.I.A., N.S.A. and certain
unspecified agencies who really do not care about any ethics or any legislations
- they just steal and steal. And finally there are lawyers who have their
views and interpretations. Personally, I have found lawyers' interpretations
and points of views most beneficial and helpful.

There is one good seminar proceeding from the SCIP's (Society for Competitive
Intelligence Professionals) conference: "Trade Secret Law, The EEA and
CI", Chicago, 1998 - CI-803. This session addresses many legal aspects
of the EEA, trade secret laws in general and how they are often misinterpreted.
In general, most CI professionals may have extreme misunderstandings and
may not be qualified to interpret existing legislation and law. The presentation
also addresses many legal and ethics issues. In practice, many EEA threats
and public advices by some SCIP members, law enforcement agencies and other
people may be misleading and often deceiving. Do not b

Cryptography-Digest Digest #554

1999-11-12 Thread Digestifier

Cryptography-Digest Digest #554, Volume #10  Fri, 12 Nov 99 15:13:02 EST

Contents:
  Intelligence System Behavior Newsletters ("Markku J. Saarelainen")



From: "Markku J. Saarelainen" <[EMAIL PROTECTED]>
Crossposted-To: alt.politics.org.cia,soc.culture.russian,soc.culture.ukrainian,soc.culture.europe,alt.security,soc.culture.soviet
Subject: Intelligence System Behavior Newsletters
Date: Fri, 12 Nov 1999 12:22:57 +



If you like to receive all Intelligence Systems Behavior Newsletters,
please, email me to [EMAIL PROTECTED] and write in the subject line:
"Subscription to ISBN".

Thanks,

Markku
Atlanta, GA

P.S. I have attached some samples below - I have added also the listing
of all ISBN since 1994.



Copyright 1994 Markku J. Saarelainen

Intelligence Systems Behavior Newsletter

April, 1994 Issue

by

Markku J. Saarelainen

 ORGANIZATIONAL BEHAVIOR AND THE ISO 9000 INTELLIGENCE SYSTEM


 The ISO 9000 series describe general requirements for the intelligence system 
creating a framework for an organization to define its own unique intelligence system 
including necessary policies, procedures, work instructions and other documentation. 
By designing the system, the organization also defines and establishes its 
requirements for the organizational behavior - a part of the organizational culture. 
The behavioral requirements shall establish specific behavioral patterns and roadmaps 
among its organizational members.

 Organizational behavior is the conduct of structured, coordinated and planned 
acts and actions by an organization and its members in any event or situation either 
internally or externally. The behavior is most often influenced by those whose 
powerbase and activeness of using this powerbase is greatest. In this way the 
organization reflects values, attitudes, perceptions and interests of the 
organizational leadership. Impacts of actions vary depending on the suitability of 
this behavior in any particular situation. 

 The preestablished behavior can be changed by designing new patterns and roadmaps 
within the organization for different functions, departments, events and situations. 
This is often referred to as the Business Process Reengineering or shortly BPR. 
However, any change in existing behavior can be stressful among those who need to 
change their established patterns. This shall increase the stress level within the 
organization, which can have multiple symptoms such as increased internal politics, 
resignations or negative attitudes towards the organization and its members. To 
minimize negative impacts of any effort to change behavior, the change has to be 
managed in a coordinated and predetermined manner to guarantee the most benefits from 
the behavioral change. Several tools can be used for managing the change including the 
following methods: 

1. involving all organizational levels in the change process and its design, 

2. providing adequate training and information, 

3. creating an open, honest and 
constructive organizational environment, 

4. providing necessary counselling and assistance for organizational members, 

5. planning all changes adequately, 

6. initiating only incremental changes, 

7. team building, 

8. defining and sharing common visions, missions, objectives, goals and targets and 

9. obtaining and providing positive and negative feedback in a timely and accurate 
manner - establishing good internal communication mechanisms.

 Do the best organizations have the best organizational policies, procedures and 
other established practices? The only answer - Yes. The intelligence system 
development provides an opportunity for an organization to change its established 
behaviors and redesign some of its systems to meet new business requirements. The ISO 
9000 series itself already establishes some key intelligent requirements for the 
business; however it is the responsibility of the organization to design its own way 
of doing business while meeting the ISO 9000 requirements. During this design process, 
some benchmarking techniques can be used to determine targets for improvement projects 
and an extensive research can be completed to identify future business requirements. 
This design process can be integrated into the organization's strategic planning 
process.

 Because the ISO 9000 process can have long lasting impacts on the organizational 
behavior, the top management responsible for the strategic management should be 
involved closely in the develo

Cryptography-Digest Digest #555

1999-11-12 Thread Digestifier

Cryptography-Digest Digest #555, Volume #10  Fri, 12 Nov 99 15:13:02 EST

Contents:
  Re: S/MIME plug-in for Eudora? Strong Encryption (Adam Kippes)
  Re: Need technique for about 24 bytes (Paul Koning)



From: Adam Kippes <[EMAIL PROTECTED]>
Crossposted-To: 
comp.security.misc,comp.security.pgp.tech,alt.security.pgp,comp.mail.eudora.ms-windows
Subject: Re: S/MIME plug-in for Eudora? Strong Encryption
Date: Fri, 12 Nov 1999 12:55:36 -0500
Reply-To: [EMAIL PROTECTED]

In <[EMAIL PROTECTED]>, Michael Ströder wrote:

> > Perhaps, but there is no expiry on the keys
 
> Well, I would regard this as being a security drawback of PGP.

You would, I wouldn't.

> Just like all the key revocation handling in PGP.

This *can* be a nuisance.
 
> > and I can (and do) use it for 
> > a lot more than encrypting mail.
 
> You can do everything with S/MIME that can be done with PGP (but you
> simply don't understand it).

There's a command line version that lets me quickly and easily encrypt
files for storage? Among other things.

-- AK

-- 
[EMAIL PROTECTED]
PGP keys available from servers

--

From: Paul Koning <[EMAIL PROTECTED]>
Subject: Re: Need technique for about 24 bytes
Date: Fri, 12 Nov 1999 12:19:37 -0500

Caesar Valenti wrote:
> 
> I am in need of finding source code that will encode (and decode, of
> course) a string of about 24 characters.  Out of necessity, the string
> will only consist of the 36 alpha numeric characters (case insensitive)
> The encrypted string is also limited to the same 36 characters.  The
> encrypted string should  be about the same size as the original.
> 
> The code should relatively short and easy to implement. Security is a
> moderate concern; however I can accept 99.99% security  for the general
> population (in this group, probably more like 20%!).
> 
> I know this is a newbie question. I am extremely new to this, so be
> gentle.  I will be getting a copy of Applied Cryptology this weekend,
> and will review it.   Any ideas?  Possibly RC4?  XOR? or???

Off the top of my head...

1. Map each plaintext character to an integer 0..35.
2. Take bytes from the RC4 bytestream.
3. Add the two MOD 36.
4. Map the result back to an alphanumeric character.

Decrypt: ditto but subtract rather than add in step 3.

Clearly step 3 doesn't produce a uniform distribution since
256 isn't a multiple of 36, but I don't see how that property
creates a weakness.  (If anyone disagrees, I'd welcome an
explanation!)

paul

--
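The four steps in the post above, written out as an added example (not code from the post or from any project). RC4 is implemented inline; the symbol order 0-9 then A-Z, the function names and the `unbiased` option that discards keystream bytes of 252 and above are assumptions of this example, and `residue_counts` shows the non-uniformity the post mentions.

```python
import string

# Assumed symbol order for this example: 0-9 then A-Z (indices 0..35).
ALPHABET = string.digits + string.ascii_uppercase


def rc4_keystream(key: bytes):
    """Yield RC4 keystream bytes: key scheduling, then the output loop."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) % 256]


def offsets(key: bytes, unbiased: bool = False):
    """Step 2: turn keystream bytes into offsets 0..35."""
    for b in rc4_keystream(key):
        if unbiased and b >= 252:  # 252 = 7 * 36, so the kept bytes map evenly
            continue
        yield b % 36


def transform(text: str, key: bytes, decrypt: bool = False,
              unbiased: bool = False) -> str:
    """Steps 1, 3 and 4: add (or subtract, to decrypt) the offsets mod 36."""
    sign = -1 if decrypt else 1
    stream = offsets(key, unbiased)
    out = []
    for ch in text.upper():  # case-insensitive input
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"not alphanumeric: {ch!r}")
        out.append(ALPHABET[(idx + sign * next(stream)) % 36])
    return "".join(out)


def residue_counts(unbiased: bool = False):
    """How many of the 256 byte values land on each offset 0..35."""
    counts = [0] * 36
    for b in range(252 if unbiased else 256):
        counts[b % 36] += 1
    return counts


if __name__ == "__main__":
    key = b"constructed demo key"          # constructed sample key
    msg = "ORDER1999NOV12SERIAL0042"       # constructed 24-character input
    ct = transform(msg, key)
    print(ct, transform(ct, key, decrypt=True))
    print(residue_counts(), residue_counts(unbiased=True))
```

As with any stream cipher, the same key must not be reused for a second message, because both messages would then be combined with the same offsets.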


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
**



Cryptography-Digest Digest #553

1999-11-12 Thread Digestifier

Cryptography-Digest Digest #553, Volume #10  Fri, 12 Nov 99 15:13:02 EST

Contents:
  Re: Proposal: Inexpensive Method of "True Random Data" Generation (Coen Visser)
  slides from ECC '99 talks (Alfred John Menezes)



From: Coen Visser <[EMAIL PROTECTED]>
Crossposted-To: sci.math,sci.misc,sci.physics
Subject: Re: Proposal: Inexpensive Method of "True Random Data" Generation
Date: Fri, 12 Nov 1999 17:42:21 +

"james d. hunter" wrote:

>   The general guiding principles concerning "sounds" and "looks"
>   when connected with "random" are that Quantum Mechanics looks
>   and -is- a randomly generated theory of the universe.

That may be the case in physics. This is not the case in
algorithmic information/complexity theory. I don't know enough
about physics to argue/agree with you on that field. What I do know
is that "random" is not a registered trademark of physicists.

>  > A random string has maximum information content: its information
>  > can not be described by a smaller string. You can find "randomness" in
>  > the fact that you need the complete string to get its information. [...]

>   If you insist on confusing yourself by using "random" for static and
>   dynamic properties, be my guest, it's not I like really care.

What I object to is the fact that someone makes the assumption that
it is useless to attribute randomness to strings. There is an interesting
field in theoretical computer science that is built on that definition.
Your use of randomness may be as useful/equivalent as the definition I
use, am not denying that. And if you don't care, you won't read and
reply on this message.

Regards,

Coen Visser

--

From: [EMAIL PROTECTED] (Alfred John Menezes)
Subject: slides from ECC '99 talks
Date: 12 Nov 1999 17:22:00 GMT


The 3rd annual workshop on elliptic curve cryptography, ECC '99,
took place from Nov 1-3 at the University of Waterloo. For those
of you who may be interested, the slides from the 15 lectures are 
available for download from our web site (www.cacr.math.uwaterloo.ca
under "Conferences").

- Alfred

===========================================================================
| Alfred Menezes         | Email: [EMAIL PROTECTED]                       |
| Department of C&O      | Phone: (519) 888-4567 x6934                    |
| University of Waterloo | Web page: www.cacr.math.uwaterloo.ca/~ajmeneze |
| Waterloo, Ontario      | Web page for Handbook of Applied Cryptography: |
| Canada N2L 3G1         | www.cacr.math.uwaterloo.ca/hac/                |
| Centre for Applied Cryptographic Research: www.cacr.math.uwaterloo.ca   |
===========================================================================


--





Cryptography-Digest Digest #552

1999-11-12 Thread Digestifier

Cryptography-Digest Digest #552, Volume #10  Fri, 12 Nov 99 14:13:03 EST

Contents:
  Re: Ultimate Crypto Protection? ("Trevor Jackson, III")
  Re: RC4 in Kremlin US version 2.21 can be cracked !! ([EMAIL PROTECTED])
  Group English 1-1 all file compressor (SCOTT19U.ZIP_GUY)
  Re: Signals From Intelligent Space Aliens?  Forget About It. ("Douglas A. Gwyn")
  Re: ENCRYPTOR 4.0 by Comotex USA Inc. CRACKED !! ([EMAIL PROTECTED])
  Re: ENCRYPTOR 4.0 by Comotex USA Inc. CRACKED !! (JPeschel)
  Re: What sort of noise should encrypted stuff look like? ("Douglas A. Gwyn")
  Re: Proposal: Inexpensive Method of "True Random Data" Generation ("Douglas A. Gwyn")
  Re: Build your own one-on-one compressor ("Douglas A. Gwyn")
  Re: Signals From Intelligent Space Aliens?  Forget About It. (Patrick Juola)
  Re: Signals From Intelligent Space Aliens?  Forget About It. (Patrick Juola)
  Re: Research suggestion? (Anton Stiglic)
  Re: Build your own one-on-one compressor (Tim Tyler)
  Re: PALM PILOT PGP found here (John Savard)
  Re: Proposal: Inexpensive Method of "True Random Data" Generation (John Savard)
  Public Key w/o RSA? ("Brian Greskamp")



Date: Fri, 12 Nov 1999 10:28:32 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Ultimate Crypto Protection?

Jeremy Nysen wrote:

> "Trevor Jackson, III" wrote:
> >
> > Sundial Services wrote:
> >
> > > Adam Durana wrote:
> > >
> > > > > I have a friend who tells me that the Russian military used double
> > > > > enciphered OTP all through the cold war and that NSA, with all its
> > > > > expertise and computer hardware never had much success breaking it.
> > > > >
> > > > > Is double encipherment really all that effective?
> > > >
> > > > No one has ever broken an OTP.  Double OTP just seems like an overkill.  A
> > > > single OTP provides perfect security.
> > >
> > > Not if one of their spies is at the bottom of the Danube and the enemy
> > > stole a copy of his pad before shooting him.  A system involving two OTP
> > > streams would be resistant to either one of them being stolen, and would
> > > further introduce the question of how the streams were combined; the
> > > random nature of OTP streams offering no clues.
> > >
> > > Spy organizations think like that.
> >
> > Hardly.  The spy at the bottom of the river had to have both pads.  A system
> > involving two pads has security equal to that of a single pad, but is four times
> > as hard to use.
>
> Not if it required two spies meeting to be able to send an important
> long distance message.

Two pads AND two people?  16 times as hard to use and 2^16 times weaker.  No serious
organization would interdict communications in this manner.  The field problem is to
create redundant comm channels so control gets some idea of what's going on.

Further, you don't want to create the kind of correlation between spies meeting and
messages going out.  That kind of behavior is a glaring hint.

>
>
> This might be the case where there are a number of local operatives who
> can communicate with each other covertly. And when any of them has to
> send a message across a 'locked down' border, a multi-pad system
> improves the chances of the secret remaining undisclosed.

Nope.

> An enemy agent
> might be able to track down one of the message senders (eg. the bottom
> of the Danube), but chances are the other guy has now been tipped off
> and is burning his pad.

Absolutely not.  Each spy has a pad.  Each can send messages encrypted independently.
The dead spy will not be sending any messages.  The live spy's pad has not been
compromised.

The only issue is whether the opponent can masquerade as the dead spy, sending
messages encrypted with his pad.  Requiring a second encipherment does not address that
issue, because if the spies meet for every message they will both be on the bottom of
the river and control will get doubly enciphered messages from the opponent.

>
>
> A second scenario might be if I store my two pads in unrelated places,
> so if one is found hopefully the other remains hidden. I could sign the
> message with the first and hide it, then later apply the second pad to
> my signed message and hide the second pad elsewhere.
>
> Even more devious: if when signing with my second (hidden separately)
> pad, I spend some extra time creating a third pad that when applied to
> the message decrypts to some unrelated 'safe' message. I could cave
> under torture and divulge this fake pad to the enemy who use it to
> verify my message is relatively harmless. For example, if I have
> encrypted:
>
>  'ENEMY SCUM ATTACK AT MIDNIGHT FIRST JAN 2000X'
>
> and create a third pad that used alone causes the ciphertext decrypt to
>
>  'PLEASE SEND ADDITIONAL MONEY FOR HOUSING LOAN'
>
> then I could plausibly deny any evil intent. :-> To prove otherwise,
> they would need both the first and the second pad.

No, to prove evil intent they 

Cryptography-Digest Digest #551

1999-11-12 Thread Digestifier

Cryptography-Digest Digest #551, Volume #10  Fri, 12 Nov 99 12:13:03 EST

Contents:
  Re: What's gpg?  ("Douglas A. Gwyn")
  Re: Proposal: Inexpensive Method of "True Random Data" Generation (Randy Poe)
  Re: ENCRYPTOR 4.0 by Comotex USA Inc. CRACKED !! ("ME")
  Need technique for about 24 bytes (Caesar Valenti)
  Re: Can the SETI@home client be protected? (Guy Macon)
  Re: Lenstra on key sizes (fungus)
  Re: Ultimate Crypto Protection? ("Tim Wood")
  Re: Ultimate Crypto Protection? ("Gary")
  Re: Build your own one-on-one compressor (Tim Tyler)
  Re: Signals From Intelligent Space Aliens?  Forget About It. (SCOTT19U.ZIP_GUY)
  Re: What sort of noise should encrypted stuff look like?
  Re: What sort of noise should encrypted stuff look like?
  Re: smartcard idea? (Jean-Jacques Quisquater)
  Re: Can the SETI@home client be protected? (fungus)
  Re: Proposal: Inexpensive Method of "True Random Data" Generation ("Trevor Jackson, III")
  Re: Proposal: Inexpensive Method of "True Random Data" Generation ("james d. hunter")
  Re: Proposal: Inexpensive Method of "True Random Data" Generation ("Trevor Jackson, III")
  Re: Build your own one-on-one compressor (Mok-Kong Shen)
  Re: real random number generator idea -- any criticisms? (Boaz Lopez)
  Re: Proposal: Inexpensive Method of "True Random Data" Generation ("Trevor Jackson, III")



From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: What's gpg? 
Date: Fri, 12 Nov 1999 05:25:40 GMT

[EMAIL PROTECTED] wrote:
> Each cracking attempt indeed is based on the experience gained from the
> previous failures; I think there is a shaky kind of validity for saying
> that "this cipher hasn't been cracked after five years of study, so, on
> the average, it should have another five years before it is cracked".

Again, you're assuming a statistical model that simply doesn't fit.
For example, a master cryptanalyst upon reading the above might decide
to immediately demonstrate a crack of that system.  Or, if the system
is truly uncrackable, the 5-year span measures nothing that is
characteristic of the system itself.

> Not every statistician accepts the validity of Bayesian statistics
> precisely because it attempts to deal with the case when things
> _aren't_ neatly drawn from a population.

So-called Bayesian methods clearly are valid, if properly applied
(there's the catch).  They have been used since around 1940 in real
cryptanalysis, and they work.  The most reasonable objections some
statisticians have had were based on the apparent need to estimate
priors; but applying Bayes' rule is a stable process, resulting in
less uncertainty than one starts with.  Also, quite often all that
is needed is a likelihood ratio (in order to make a rational choice
among alternatives), and that can often be computed without priors.

--

From: [EMAIL PROTECTED] (Randy Poe)
Crossposted-To: sci.math,sci.misc,sci.physics
Subject: Re: Proposal: Inexpensive Method of "True Random Data" Generation
Date: Fri, 12 Nov 1999 06:46:44 GMT

On 11 Nov 1999 19:44:48 GMT, [EMAIL PROTECTED]
(Mike McCarty) wrote:

>In article <[EMAIL PROTECTED]>, Coen Visser  <[EMAIL PROTECTED]> wrote:
>)
>)I agree that the bickering about randomness of strings of size 1
>)is a waste of time or at best purely academic. But there is a *lot*
>)of (statistical) information in a random string of size ~ 2E1024 whether
>)you look at it as a single string or as 2E512 strings of size 2E512.
>
>The length of the string is irrelevant. If you had 2e512 strings, then
>you could draw conclusions. But from one string, of whatever length, one
>cannot draw a conclusion.
>

Limiting to binary strings:
I can calculate whether 1's and 0's occur with equal frequency.
In fact I can calculate the distribution of strings of any size up to
2E1024.
I can calculate to what extent the n-th bit/substring is correlated
with the (n+m)-th bit/substring.
I can decide whether those properties of the string are suitable or
not for the application of this particular pseudo-random string to my
application.

Those seem to me like plenty of conclusions to draw from a single
string.

   - Randy


--
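The measurements listed in the post above (bit frequency, substring distribution, correlation of bit n with bit n+m, and a suitability decision), as an added example that is not part of the thread. The function names, the tolerance `tol` and both sample strings are assumptions constructed for this example; the alternating string shows a case that passes the frequency check and fails the other two.

```python
import hashlib
from collections import Counter


def ones_fraction(bits: str) -> float:
    """Share of 1 bits; 0.5 means 1's and 0's are equally frequent."""
    return bits.count("1") / len(bits)


def substring_counts(bits: str, k: int) -> Counter:
    """Distribution of overlapping k-bit substrings."""
    return Counter(bits[i:i + k] for i in range(len(bits) - k + 1))


def lag_agreement(bits: str, m: int) -> float:
    """Score in [-1, 1] relating bit n to bit n+m: +1 if they always match,
    -1 if they always differ, near 0 if they look unrelated."""
    n = len(bits) - m
    same = sum(bits[i] == bits[i + m] for i in range(n))
    return (2 * same - n) / n


def assess(bits: str, k: int = 2, max_lag: int = 4, tol: float = 0.1) -> dict:
    """Collect the three measurements and flag values outside `tol`."""
    counts = substring_counts(bits, k)
    expected = (len(bits) - k + 1) / 2 ** k
    worst_block = max(abs(counts.get(format(v, f"0{k}b"), 0) - expected) / expected
                      for v in range(2 ** k))
    lags = {m: lag_agreement(bits, m) for m in range(1, max_lag + 1)}
    return {
        "ones_fraction": ones_fraction(bits),
        "worst_block_deviation": worst_block,
        "lags": lags,
        "suitable": (abs(ones_fraction(bits) - 0.5) <= tol / 2
                     and worst_block <= tol
                     and all(abs(v) <= tol for v in lags.values())),
    }


def sha256_bits(nbits: int) -> str:
    """Constructed test input: SHA-256 in counter mode, as a bit string."""
    out = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                   for i in range(-(-nbits // 256)))
    return "".join(f"{b:08b}" for b in out)[:nbits]


ALTERNATING = "01" * 32768     # constructed: balanced but fully predictable
HASHED = sha256_bits(65536)    # constructed: deterministic, statistically flat

if __name__ == "__main__":
    for name, s in (("alternating", ALTERNATING), ("hashed", HASHED)):
        print(name, assess(s))
```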

From: "ME" <[EMAIL PROTECTED]>
Subject: Re: ENCRYPTOR 4.0 by Comotex USA Inc. CRACKED !!
Date: Fri, 12 Nov 1999 18:44:55 +1100

>Word 6.0, I think you'll find, uses a weaker encryption algorithm.


Word 2 and 6 basically used a password XOR'ed with a constant string and a
length value to form a 16 byte string, which is then repeatedly  XOR'ed with
the plain text.

I found encrypting a long string of 000... then 1... in several files
showed the 16 byte XOR pattern.

Obviously this product and Word 6 both fall to simple frequency analysis.
Lyal




--

From: Caesar Valenti <[EMAIL PROTECTED]>
Subject: Need technique for about 24 bytes
Date: Fri, 12 Nov 1999 00:06:33 -0800

I am in