Re: What happened to the Cryptography list...?
At 07:05 PM 08/06/2003 +0100, Adam Back wrote:
> The problems with closed lists relying on a single human for forwarding and filtering... Couldn't he just let people post in his absence?
> It kind of detracts from a list if it disappears for weeks at a time on a regular basis. Also there are delays, and then there's Perry's decisions that a discussion is no longer worth pursuing when contributors are still interested to discuss.

If it's too quiet on Perry's list, you can always overflow discussions back to the Cypherpunks list or sci.crypt.
Re: What happened to the Cryptography list...?
Bob -

Perry's cryptography list moved from wasabisystems to [EMAIL PROTECTED] a few months ago. [EMAIL PROTECTED] says:

lists
[EMAIL PROTECTED] serves the following lists:

  bsd-api-announce  The BSD APIs Announcement Mailing List
  bsd-api-discuss   The BSD APIs Discussion Mailing List
  cryptography      The Cryptography and Cryptography Policy Mailing List
  spki              The Simple PKI Mailing List

Use the 'info ' command to get more information about a specific list.

info cryptography
"Cryptography" is a low-noise moderated mailing list devoted to cryptographic technology and its political impact. Occasionally, the moderator allows the topic to veer more generally into security and privacy technology and its impact, but this is rare.

WHAT TOPICS ARE APPROPRIATE:
"On topic" discussion includes technical aspects of cryptosystems, social repercussions of cryptosystems, and the politics of cryptography such as export controls or laws restricting cryptography. Discussions unrelated to cryptography are considered off topic. Please try to keep your postings on topic.

MODERATION POLICY:
In order to keep the signal to noise ratio high, the mailing list is moderated. The moderator does not forward off topic messages, messages that have substantially the same content as earlier messages, etc. Please note that the moderator does not always have the time to send an explanation of why a message was not forwarded.

TO POST: send mail with your message to [EMAIL PROTECTED]

TO UNSUBSCRIBE: send mail to [EMAIL PROTECTED] with the line
    unsubscribe cryptography
in the body of your mail.

info spki
No info available for spki.

end
END OF COMMANDS
--
Re: They never learn: "Omniva Policy Systems"
At 06:52 PM 08/05/2003 -0700, Tim May wrote:
> On Tuesday, August 5, 2003, at 01:00 PM, Bill Stewart wrote:
>> It's nice to see that they're still around, unlike so many dot.bombs.
>
> Why is it "nice"?

They had what looked like a legitimate security / privacy product, and were upfront about the threat models being regulators and anti-trust cops.

>> He started off by being very clear about what problems they were and weren't trying to solve. They were trying to solve the problem of making messages expire when all the parties involved are cooperating. He viewed the problem of preventing non-cooperating parties from saving copies to be unsolvable snake oil and he wasn't trying to solve it.
>
> This may or may not have been what Jeff believed, or wanted to believe, or told you was the case, but I don't buy that this is their business model. Their Web site is filled with stuff about how "Save" menus are subverted, so as to, they claim, make it impossible for copies to be saved, blah blah. This hardly fits with your view of a bunch of benign little bears all sitting around cooperating.

While it's hard to tell from the web site, it looks like they've still got the same basic technical model - instead of sending raw text, you're sending text encrypted using a key that you fetch from a key server, and when the recipient wants to view it, the recipient runs a viewer that fetches a decryption key. The policy enforcement runs on the key server, which deletes keys when the policy says the document should expire, and apparently places some controls on who it's willing to hand keys to.

People save stuff all the time, and forget it, and backup systems often save it even if they didn't explicitly try to save it themselves. By shipping the sensitive messages as encrypted files, the Save functions are only saving the encrypted version, not the cleartext. On the other hand, I don't know how much their integration with Outlook breaks it.

> Further, the site natters about how Omnivora will support government requirements about unauthorized persons seeing mail (how? how will even their crude expiry approach stop unauthorized viewings of mail?).

You can set up your policy servers to set who's allowed to fetch keys. There's no indication on the web site about how much granularity this has, or how much protection or authentication they really do.

> This is again inconsistent with the picture of friendly little bears all cooperating. Friendly little bears don't need to have their "Save As" buttons elided (not that this will stop screen grabs and photos, as I mentioned). Nor would friendly little cooperating bears show their messages to "unauthorized viewers," now would they?
>
> (Speculatively, I would not be even slightly surprised if Omnivora is doing more than just nominally erasing some messages. To wit, storing copies for later examination by Authorities with Ministerial Warrants. As Jeff Ubois no longer seems to be attached to Omnivora, perhaps his vision was rejected.)

Policy servers are run by the company using the system, not by Omniva, so you're still dependent on their competence as well as their honesty, and if they want to ship a broken system, it's not hard to hide it (e.g. use a compromised random number generator for the keys.)

>> In your other message, you mentioned that several Extropians were doing really squishy stuff, and mentioned that Jeff Ubois's resume also appeared to be.
>
> Something called "Ryze" and something else called "Minciu Sodas."

I didn't see Ryze. Looks like some kind of job-hunting thing. Minciu Sodas does look like a weird site - I'm not sure how much it's just a self-hyping conference board and how many people agree with each other like bloggers, but I didn't see anything on there that was actual content by Jeff, but it was too cluttery to spend much time hunting through. But not as bad as the squishiness poor Max has gotten himself into, granted.

> There's a whole subculture of bottom feeders who think high tech needs some new version of Werner Erhard (originally born Nathan Goldfarb, or somesuch...there was a Jew with major self-doubt).

Jack Rosenberg, actually. Car salesman, with no self-doubt at all.

While I thought Andrew Orlowski's Register article was pretty shoddy reporting, the Extropians Secret Handshake bit was funny.
Re: They never learn: "Omniva Policy Systems"
At 11:30 AM 08/05/2003 -0700, Tim May wrote:
> I ran across a reference to this company, which says it has raised $20 M in VC financing and which claims it has a system which implements the digital equivalent of "disappearing ink." (Perhaps distilled from snake oil?) The URL is still called disappearing.com, but the company is now called Omniva Policy Systems. A URL is:
> http://www.disappearing.com/
>
> I guarantee that anything a human eye can read can be captured for later use, whether by bypassing the probably-weak program, by using other tools to read the mail spool, by capturing the screen buffer, or, if worst comes to worst, simply photographing the screen with an inexpensive digital camera and then either using the captured image as is or by running it through an OCR.

It's nice to see that they're still around, unlike so many dot.bombs. The founder came and talked to Cypherpunks just after their PR launch (IIRC, Bill Scannell was involved in getting them into US today.) He started off by being very clear about what problems they were and weren't trying to solve. They were trying to solve the problem of making messages expire when all the parties involved are cooperating. He viewed the problem of preventing non-cooperating parties from saving copies to be unsolvable snake oil and he wasn't trying to solve it.

They're more concerned with data retention problems, aka the "Ollie North Email Backups" problem or "Embarrassing Bill Gates Memo" problem - making sure that when things are supposed to be deleted that they stay deleted, and that if you don't explicitly make sure you keep sensitive material that it'll disappear.

In your other message, you mentioned that several Extropians were doing really squishy stuff, and mentioned that Jeff Ubois's resume also appeared to be.

Maybe you found a resume that I didn't, but http://www.ubois.com/id24.htm mostly lists working with technology companies plus writing articles for various technical magazines and less-technical newspapers. There was some marketing in there, but I didn't see any "motivational" or "coaching" stuff except other people's material on a website he's got stuff on. Googling for "Ubois" picks up a lot of "Dubois" references, though :-)

I may rant separately about Orlowski's hit piece on Robin Hanson...
RE: Secure IDE? (fwd)
Sarath or maybe Mike Rosing wrote:
> If the IV is not a secret how are we going to prevent block replay attacks on cipher text?

If you look at the usage models and threat models, it's simply not a problem. This is a disk drive. Anybody who has access to disk drive transactions sufficient to try replay attacks already has deep-level access to your hardware, so you're toast anyway because they can see the unencrypted data before it's written. What this kind of system is normally good for is making sure that anybody who steals your hardware when it's not running can't read your disk's data. (Steals includes thieves with and without warrants or subpoenas...) There's not really a risk of replay attacks there.

However, there's an emerging application for which disk drives are more vulnerable, which is remote storage. Some of the new disk interface standards, like Fibre Channel, and probably some of the flavors of iSCSI, can operate over distances of 20km and longer over fiber, leading to businesses like colocation centers in New Jersey providing big disk drive farms for New York City financial businesses which have their mainframes in Manhattan. For applications like that, it is important to do good IVs, because control of the disk drive doesn't imply control of the machine.
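An added illustration of the IV point in this post (example code written for this archive, not from Secure IDE or any product in the thread): a sector-level encryptor in which the IV is public but bound to the sector number. Assumptions: HMAC-SHA256 in counter mode stands in for the block cipher because the Python standard library has no AES, and the key, sector numbers and sector contents are constructed.

```python
import hashlib
import hmac

SECTOR_SIZE = 512
# Constructed demo key; a real drive keeps this in the controller, never on the platters.
KEY = hashlib.sha256(b"constructed demo disk key, not a real one").digest()


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Counter-mode keystream: PRF(key, iv || counter), 32 bytes per step.
    HMAC-SHA256 stands in for the block cipher (no AES in the stdlib)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out.extend(hmac.new(key, iv + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def constant_iv(sector: int) -> bytes:
    """Weak choice: every sector is encrypted under the same IV."""
    return bytes(16)


def sector_iv(sector: int) -> bytes:
    """The thread's point: the IV need not be secret, only unique per sector,
    so the sector number (visible to anyone on the cable) serves as the IV."""
    return sector.to_bytes(16, "big")


def encrypt_sector(plaintext: bytes, sector: int, iv_fn) -> bytes:
    assert len(plaintext) == SECTOR_SIZE
    return xor_bytes(plaintext, keystream(KEY, iv_fn(sector), SECTOR_SIZE))


def decrypt_sector(ciphertext: bytes, sector: int, iv_fn) -> bytes:
    # Counter mode is symmetric: the same keystream undoes the encryption.
    return encrypt_sector(ciphertext, sector, iv_fn)


def round_trip(iv_fn, sector: int = 42) -> bool:
    plain = bytes(range(256)) * 2
    return decrypt_sector(encrypt_sector(plain, sector, iv_fn), sector, iv_fn) == plain


def equal_sectors_visible(iv_fn) -> bool:
    """Can an observer of the encrypted drive (or of the fibre to the colo)
    tell that two sectors hold the same data? With a constant IV, identical
    plaintext gives identical ciphertext, leaking zero-filled regions and
    duplicated blocks; a per-sector IV hides the equality."""
    plain = b"\x00" * SECTOR_SIZE  # e.g. an unused, zero-filled sector
    return encrypt_sector(plain, 7, iv_fn) == encrypt_sector(plain, 9, iv_fn)


def relocated_sector_decrypts(iv_fn) -> bool:
    """Someone with write access to the remote drive copies sector 7's
    ciphertext into sector 9's slot. Does the host read sector 7's plaintext
    back from sector 9? A sector-bound IV turns the moved block into noise.
    Caveat: no IV scheme stops rolling a sector back to an OLDER ciphertext of
    the SAME sector; that needs per-sector authentication or version counters,
    which the thread does not get into."""
    plain7 = b"constructed record living in sector 7".ljust(SECTOR_SIZE, b".")
    cipher7 = encrypt_sector(plain7, 7, iv_fn)
    return decrypt_sector(cipher7, 9, iv_fn) == plain7
```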
Re: Digicash Patents
At 10:19 PM 07/31/2003 -0500, Mac Norton wrote:
> I'm not sure that Paypal has met the needs of any enduser yet, so I'd question whether it "succeeded."

Huh? Paypal was wildly successful at meeting the perceived needs of end users. Whether it met the needs of stockholders before EBay bought it is a separate question. It wasn't pretending to be a perfect cypherpunks solution.

Paypal gave people who wanted to occasionally sell things on the net a way to receive payments online, quasi-immediately, without going to the major hassle of becoming a registered credit-card-accepting business, and let people who wanted to buy things online send money immediately without sending their credit cards directly to random individuals, and let both sides avoid the delay and bounceability of checks-by-snail, and reduced the likelihood of fraud in the payment process.
Re: CA Gov calls Shrub Shrub
At 06:40 PM 08/01/2003 -0400, Sunder wrote:
> http://theglobeandmail.com/servlet/story/RTGAM.20030731.ushrub0730/BNStory/National/

I'd interpreted "CA Gov" as "The Governor of California" rather than "The Government of Canada" (or a province thereof), and was hoping for some good flames about our recallable incompetent :-)
Re: Poindexter to Resign
At 08:41 AM 08/01/2003 -0700, Steve Schear wrote:
> Report: Poindexter to Resign
> Wired News
> 2:43 PM Jul. 31, 2003 PT
>
> WASHINGTON -- John Poindexter, the Iran-Contra scandal figure who headed two criticized Pentagon projects, including one that would have enabled investors to profit by predicting terrorist attacks, will quit his post within weeks, U.S. defense officials said Thursday.
>
> http://www.wired.com/news/politics/0,1283,59853,00.html
> http://reuters.com/newsArticle.jhtml?type=topNews&storyID=3198102

It's nice that some of the news media have changed from their previous policy of toadying up to "Admiral Poindexter" and are now starting out their article by referring to his known dishonesty and unfitness for public service before getting down to explaining what they're talking about. It may not be Fair, but it's a bit more Balanced :-)

Of course, much of this may be a play by the "Senior US Defense Officials" to make sure he gets the point and does resign, rather than commentary by the news media, and/or an attempt to distance themselves from a couple of unpopular programs by sticking it on the designated fall guy, but it still couldn't happen to a nicer guy.

Wired is a lot more enthusiastic in its comments than Reuters, which was terser. WaPo toadies up to him by starting out "John M. Poindexter, the retired rear admiral involved in the Pentagon's ill-fated plan", while Fox News says "The admiral who developed two controversial Pentagon database programs quickly killed by Congress" and goes on to make it clear that it's that nasty Congress's fault for refusing to fund Poindexter's cool programs.

The real question is whether the administration and officials that rehired Poindexter and hired Ashcroft and Homeland Security will continue the same kinds of attacks on US civil liberties now that he's gone, and unfortunately, the answer is presumably yes.
RE: Digicash Patents
Tim replied to Bob -
>> On the other other hand, :-), it's entirely clear that people could be developing code right now in anticipation of the patent expiration and go live with some kind of land rush when it's possible to do so.
>
> Some people expected a "land rush" when the main RSA patents expired several years ago. Parties were even thrown. The land rush never happened.

Hey, the parties were pretty good, and RSA gave out T-shirts :-)

In practice, everybody who really needed to use RSA had either licensed the technology for a reasonable (or too high) price, or else was a free software developer violating the patents, or else was a free or low-key software developer living within RSAREF.

At 01:18 PM 07/31/2003 -0600, Patrick lucrative.thirdhost.com wrote:
> The beauty of a marketplace is that many different parties get to try every which way of satisfying a need. Most will fail. Even the first several attempts can fail, disguising a real opportunity as a guaranteed failure.

The Mark Twain Bank people had licensed Chaum's patents, and their failure had a lot less to do with the cost of licensing the patent than with their inability to figure out how to get customers and merchants, and their ability to make it too difficult to get an account. Mondex wasn't Chaumian, and it failed, along with a number of other vaguely cash-like payment systems during the boom. (I'm referring to the payment systems that handled actual money, not just the silly Green-stamp emulators like Beenz and Flooz.) By contrast, the Austin Cypherpunks Credit Union project figured out that making money would be hard before starting a business, as well as discovering that dealing with Chaum was also hard, so they didn't get far enough to fail. Eric Hughes had some good insights into why "it's really hard to start a new payment system".

I suppose I'd categorize the efforts into two basic groups
- projects run by banks or bank-like companies that wanted to actually run a service and hoped to make a profit
- startups funded by VC money that wanted to make startup money, which depends on VCs and IPOs and Other People's Money, and is only marginally related to actually making a profit, though most of them also hoped they'd wildly succeed like other dotcoms.
There may have been a few other types of projects, but this was most of them.
Japan making RFID-trackable cash
http://theregister.com/content/55/32061.html Japan's starting to add RFIDs to their 1-yen (~$100) bills. Notes will come with Hitachi's 0.3mm "mew-chip" which responds to radio signals by sending out a 128-bit number. Each chip costs about 50 yen. The article says that each number _could_ be a serial number, but doesn't say that they know it is; the alternative would be something that indicated the production batch or whatever. The Reg's report sounds like it's based on what someone saw on a TV show, but also indicates they're starting production.
Re: Pentagon discovers Assassination Politics, deadpools
At 11:23 AM 07/29/2003 -0700, Bill Frantz wrote:
> Note that properly run, this "Ideas Futures" market would be a money maker, not a cost center. For only a modest percentage of the winnings, it could be self sustaining. Perhaps someone with a profit motive will pick up the idea.

Assuming it can be legally structured as a "Futures Market", rather than as "Illegal Gambling", it could make money. (There are obviously some bets it's unlikely to handle, such as the bet that Idea Futures markets would be successfully prosecuted as illegal gambling :-) If they don't want the label of "Assassination Politics", they can forbid bets on individual deaths, and still have nearly the full field, including wars, revolutions, "nonstandard" attacks, and elections available for play. (c.f. the way eBay and Yahoo limit themselves.)

This provides a number of Doubleplus-Good Things.
- Government agencies can be funded by private ideas futures speculation rather than by taxes, freeing them from the tiresome needs of Congressional budget requests and oversight. No more Ollie North trials!
- Private organizations can fund government agencies to do specific things and launder the money through the market, rather than needing to lobby Congresscritters to fund them. There's a bit less leverage this way, but surely there are some Congresscritters who'd appreciate that private organizations were betting they'd live to 100 like Strom Thurmond.
- All those boring old Neutrality Act laws that keep companies like ITT and Halliburton from overthrowing foreign governments and forbid patriotic Americans to be foreign mercenaries can be avoided, because they won't need to do that any more - they can just bet sufficient sums that governments will be overthrown and they'll go overthrow themselves, and those patriotic Americans can be working as, ummm, investment logistics expediters instead of mercs.
- The system will be completely Anonymous, and Anonymity is Strength!
- Of course Oceania has always had an Idea Futures position about the downfall of WestAsia. Why do you ask?
Re: Someone at the Pentagon read Shockwave Rider over the weekend
Also, NYT Article was http://www.nytimes.com/2003/07/29/politics/29TERR.html?th

But it sounds like they've chickened out, because various people freaked about the implications. (And they only got as far as it being "an incentive to commit terrorism", without getting to "a funding method for terrorism" or to "Assassination Politics".)

> July 29, 2003
> Pentagon Said to Abandon Plan for Futures Market on Terror
> By THE ASSOCIATED PRESS
>
> WASHINGTON -- The Pentagon will abandon a plan to establish a futures market to help predict terrorist strikes, the chairman of the Senate Armed Services Committee said Tuesday.
>
> Sen. John Warner, R-Va., said he spoke by phone with the program's director, "and we mutually agreed that this thing should be stopped."
>
> Warner announced the decision not long after Senate Democratic Leader Thomas Daschle took to the floor to denounce the program as "an incentive actually to commit acts of terrorism."
>
> Warner made the announcement during a confirmation hearing for retired Gen. Peter J. Schoomaker, nominated to be Army chief of staff.
Re: Dead Body Theatre
At 06:33 PM 07/25/2003 -0700, Steve Schear wrote:
> At 16:33 2003-07-25 -0700, you wrote:
>> On 24 Jul 2003 at 9:16, Eric Cordian wrote:
>>> Now that the new standard for pre-emptive war is to murder the legitimate leader of another sovereign nation and his entire family, an "artist's rendering" of Shrub reaping what he sows would surely be an excellent political statement.
>>
>> You are a moron. If today warfare means wiping out the family of the enemy ruler man woman and child and showing their horribly mangled bodies on TV, this is a big improvement on the old deal where the rulers had a gentlemen's agreement that only the common folk would get hurt, and the defeated ruler would get a luxurious retirement on some faraway island.
>
> Here, here!

Steve, did you mean "Hear, hear!"? Or were you calling for it to happen "here"? :-) Back when we had a First Amendment, that was probably legal, but since Bush inherited the presidency, it might not be...

> Perhaps we may even become as smart as some Pacific Islanders whose wars were fought by surrogates, the logic being that the death of one man can serve as well as the death of many in determining the outcome of a disagreement between heads of tribes, states, etc.

European feudalism did that also, though Europeans were less likely to eat the bodies of the losers. Trial by Combat was tossed out of British law in ~1850, but hadn't been used for a long time before that, though dueling was still around in the early 1800s.
Re: kinko spying: criminal caught Scarfing keydata
The real question is whether the FBI's keyloggers caught Jiang's passwords, or whether it was the NSA or Mossad caught the FBI's keyloggers catching Jiang's keylogger catching other passwords.

At 01:13 PM 07/23/2003 -0700, Major Variola (ret.) wrote:
> Kinko's spy case: Risks of renting PCs
>
> NEW YORK (AP) -- For more than a year, unbeknownst to people who used Internet terminals at Kinko's stores in New York, Juju Jiang was recording what they typed, paying particular attention to their passwords.
>
> Jiang had secretly installed, in at least 14 Kinko's copy shops, software that logs individual keystrokes. He captured more than 450 user names and passwords, and used them to access and open bank accounts online.
>
> http://www.cnn.com/2003/TECH/internet/07/23/cybercafe.security.ap/index.html
Jude Milhon has passed away
Forwarded from another list

Date: Sun, 20 Jul 2003 16:35:28 -0700 (PDT)
From: Linda Hull
Subject: Jude Milhon has passed away

To those who knew her...I thought I would mention that Jude has passed away. To those who did not know her, she was the woman who coined the phrase cypherpunk. Jude was also an editor at Mondo 2000, among many other things.

http://abcnews.go.com/sections/tech/WiredWomen/wiredwomen000223.html

She had been fighting cancer and was losing her battle; last night she embraced the inevitable by taking her own life. In all honesty, I never met her, though I had often heard of her. It strikes me that she finished her life the way she had always seemed to live it - an empowered woman.

Condolences to her friends and family.
Re: Attacking networks using DHCP, DNS - probably kills DNSSEC
At 11:15 PM 06/28/2003 -0400, Steven M. Bellovin wrote:
> In message <[EMAIL PROTECTED]>, Bill Stewart writes:
>> This looks like it has the ability to work around DNSSEC. Somebody trying to verify that they'd correctly reached yahoo.com would instead verify that they'd correctly reached yahoo.com.attackersdomain.com, which can provide all the signatures it needs to make this convincing.
>>
>> So if you're depending on DNSSEC to secure your IPSEC connection, do make sure your DNS server doesn't have a suffix of echelon.nsa.gov...
>
> No, that's just not true of DNSsec. DNSsec doesn't depend on the integrity of the connection to your DNS server; rather, the RRsets are digitally signed. In other words, it works a lot like certificates, with a trust chain going back to a magic root key.

I thought about that, and I think this is an exception, because this attack tricks your machine into using the trust chain yahoo.com.attackersdomain.com., which it controls, instead of the trust chain yahoo.com., which DNSSEC protects adequately. So you're getting a trustable answer to the wrong query.

I'm less sure of the implementation issues of the "Connection-specific DNS suffix", and I've seen conflicting documentation. If the resolver looks up "domain.suffix" before "domain", then the attacker's DNS doesn't need to control the DNS access, and only needs to provide the attacker's certificates, but if the resolver looks up "domain" before "domain.suffix", then the attacker also needs to make sure that the lookup of "domain" fails, which is most easily done by telling the DHCP client to use the attacker's DNS server along with telling it the suffix. (That doesn't add any extra work to the attack, but does make it a bit easier to trace the attacker after the fact; if you're not replacing the attacker's DNS server entry, then all you need is a legitimate-looking server for "*.attackersdomain.com". In either case, somebody who can pull off this kind of an attack probably uses a compromised machine to run the DNS server on anyway.)

> I'm not saying that there can't be problems with that model, but compromised DNS servers (and poisoned DNS caches) are among the major threat models it was designed to deal with. If nothing else, the existence of caching DNS servers, which are not authoritative for the information they hand out, makes a transmission-based solution pretty useless.

DNSSEC seems to do a pretty thorough job of making sure that if you look up the correct domain name, you'll get the correct answer, in spite of attackers trying to prevent it. But this attack tricks you into looking up the wrong domain name, and DNSSEC makes sure that you get the correct answer for the wrong name, which isn't the result you want.
Re: Attacking networks using DHCP, DNS - probably kills DNSSEC
At 11:49 PM 06/29/2003 +0200, Simon Josefsson wrote:
> No, I believe only one of the following situations can occur:
>
> * Your laptop sees and uses the name "yahoo.com", and the DNS server translates it into yahoo.com.attackersdomain.com. If your laptop knows the DNSSEC root key, the attacker cannot spoof yahoo.com since it doesn't know the yahoo.com key. This attack is essentially a man-in-the-middle attack between you and your recursive DNS server.

That doesn't happen. (Well, it could, but as you point out, it's not a successful attack methodology, because DNSSEC was designed to correctly take care of this.)

> * Your laptop sees and uses the name "yahoo.com.attackersdomain.com". You may be able to verify this using your DNSSEC root key, if the attackersdomain.com people have set up DNSSEC for their spoofed entries, but unless you are using bad software or judgment, you will not confuse this for the real "yahoo.com".

The DNS suffix business is designed so that your laptop tries to use "yahoo.com.attackersdomain.com", either before "yahoo.com" or after unsuccessfully trying "yahoo.com", depending on implementation. It may be bad judgement, but it's designed to support intranet sites for domains that want their web browsers and email to let you refer to "marketing" as opposed to "marketing.webservers.example.com", and Netscape-derived browsers support it as well as IE.

> Of course, everything fails if you ALSO get your DNSSEC root key from the DHCP server, but in this case you shouldn't expect to be secure. I wouldn't be surprised if some people suggest pushing the DNSSEC root key via DHCP though, because alas, getting the right key into the laptop in the first place is a difficult problem.

I agree with you and Steve that this would be a Really Bad Idea. The only way to make it secure is to use an authenticated DHCP, which means you have to put authentication keys in somehow, plus you need a reasonable response for handling authentication failures, which means you need a user interface as well. It's also the wrong scope, since the DNSSEC is global information, not connection-oriented information, so it's not really DHCP's job.
Attacking networks using DHCP, DNS - probably kills DNSSEC
Somebody did an interesting attack on a cable network's customers. They cracked the cable company's DHCP server, got it to provide a "Connection-specific DNS suffix" pointing to a machine they owned, and also told it to use their DNS server. This meant that when your machine wanted to look up yahoo.com, it would look up yahoo.com.attackersdomain.com instead.

This looks like it has the ability to work around DNSSEC. Somebody trying to verify that they'd correctly reached yahoo.com would instead verify that they'd correctly reached yahoo.com.attackersdomain.com, which can provide all the signatures it needs to make this convincing.

So if you're depending on DNSSEC to secure your IPSEC connection, do make sure your DNS server doesn't have a suffix of echelon.nsa.gov...

--
RISKS-LIST: Risks-Forum Digest  Saturday 17 June 2003  Volume 22 : Issue 78
http://catless.ncl.ac.uk/Risks/22.78.html
--
Date: Fri, 20 Jun 2003 15:33:15 -0400
From: Tom Van Vleck <[EMAIL PROTECTED]>
Subject: ISP's DHCP servers infiltrated

http://ask.slashdot.org/article.pl?sid=03/06/19/2325235&mode=thread&tid=126&tid=172&tid=95

"... It turns out, Charter Communications' DHCP servers were infiltrated and were providing p5115.tdko.com as the 'Connection-specific DNS suffix', causing all non-hardened Windows (whatever that means in a Windows context) machines to get lookups from a hijacked subdomain DNS server which simply responded to every query with a set of 3 addresses (66.220.17.45, 66.220.17.46, 66.220.17.47). On these IPs were some phantom services. There were proxying Web servers (presumably collecting cookies and username/password combos), as well as an ssh server where the perpetrators were most likely hoping people would simply say 'yes' to the key differences and enter in their username/password..."

Hmm, my cable ISP was down this morning. Maybe coincidence.
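A Python model of the suffix problem described in this post and argued over in the replies to Bellovin and Josefsson above; this is an added example for the archive, not code from the thread or from any DNS implementation. Assumptions: zone keys, the TEST-NET addresses and the signing scheme are constructed, with HMAC-SHA256 playing the role of RRSIG and DS records so that a validator can walk a trust chain from a root key and show why a valid answer for "yahoo.com.attackersdomain.com." is the correct answer to the wrong question.

```python
import hashlib
import hmac


def mac(key: bytes, *parts: str) -> bytes:
    return hmac.new(key, "|".join(parts).encode(), hashlib.sha256).digest()


def zone_key(apex: str) -> bytes:
    """Constructed per-zone signing key; stands in for the zone's DNSKEY."""
    return hashlib.sha256(b"constructed zone key for " + apex.encode()).digest()


ROOT_KEY = zone_key(".")  # trust anchor installed on the laptop out of band

PARENT = {"com.": ".", "yahoo.com.": "com.", "attackersdomain.com.": "com."}

# A records each zone serves. Addresses are constructed TEST-NET values; the
# attacker's zone legitimately owns everything under attackersdomain.com.
RECORDS = {
    "yahoo.com.": {"yahoo.com.": "192.0.2.10"},
    "attackersdomain.com.": {"yahoo.com.attackersdomain.com.": "203.0.113.45"},
}


def ds(apex: str, dnskey: bytes) -> bytes:
    """DS record: the parent zone vouches for the child's key (HMAC stand-in)."""
    return mac(zone_key(PARENT[apex]), apex, dnskey.hex())


def signed_answer(apex: str, name: str, signing_key: bytes) -> dict:
    """A record for `name` with an RRSIG under `signing_key`, plus the DS chain
    from the answering zone up to the TLD. The DS links always carry the keys
    the parents really vouched for; only the RRSIG key is under the answering
    party's control, which is exactly the attacker's situation."""
    addr = RECORDS[apex][name]
    chain, z = [], apex
    while z != ".":
        chain.append((z, zone_key(z), ds(z, zone_key(z))))
        z = PARENT[z]
    return {"name": name, "A": addr, "zone": apex,
            "rrsig": mac(signing_key, name, "A", addr), "chain": chain}


def validate(answer: dict, trust_anchor: bytes) -> bool:
    """DNSSEC-style validation: walk the DS chain down from the trust anchor,
    then check the RRSIG under the key the chain vouched for. Success means
    the answer is authentic FOR THE OWNER NAME IN THE RECORD, nothing more."""
    parent_key, zone_keys = trust_anchor, {}
    for apex, dnskey, ds_rr in reversed(answer["chain"]):
        if not hmac.compare_digest(ds_rr, mac(parent_key, apex, dnskey.hex())):
            return False
        zone_keys[apex] = dnskey
        parent_key = dnskey
    key = zone_keys.get(answer["zone"])
    if key is None:
        return False
    return hmac.compare_digest(answer["rrsig"],
                               mac(key, answer["name"], "A", answer["A"]))


def honest_server(qname: str):
    """Recursive resolver a legitimate DHCP server would hand out."""
    for apex, names in RECORDS.items():
        if qname in names:
            return signed_answer(apex, qname, zone_key(apex))
    return None  # NXDOMAIN


def hijacked_server(qname: str):
    """Resolver pushed by the cracked DHCP server in the incident above: it
    fails the unsuffixed lookup and answers, with perfectly valid signatures,
    only for names under the zone the attacker really controls."""
    apex = "attackersdomain.com."
    if qname in RECORDS[apex]:
        return signed_answer(apex, qname, zone_key(apex))
    return None


def stub_lookup(name: str, suffix, server):
    """Laptop stub resolver: the name as typed, then the name with the
    connection-specific suffix appended (the order varies by implementation,
    as the thread notes; it does not change the outcome here).
    Returns (validated owner name, address) or None."""
    candidates = [name + "."]
    if suffix:
        candidates.append(name + "." + suffix + ".")
    for qname in candidates:
        answer = server(qname)
        if answer is not None and validate(answer, ROOT_KEY):
            return answer["name"], answer["A"]
    return None


def answer_is_for_requested_name(requested: str, validated_owner: str) -> bool:
    """The check that closes the gap: the application must confirm that the
    validated owner name is the name it meant, not a suffixed variant of it."""
    return validated_owner == requested.rstrip(".") + "."
```

Validation succeeds in both lookups; only the owner-name comparison tells the two apart, which is the "correct answer for the wrong name" point of the thread.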
Re: Is Hatch a Mormon or a crypto Satanist?
At 10:24 AM 06/21/2003 -0700, Major Variola (ret) wrote:
>> Is Hatch a Mormon?
>
> Surely you jest. Anyone in any office in Utah is a Mormon. And most of the profs at the universities there. Good luck trying to buy a beer, BTW.

I was pleasantly surprised when I went to Salt Lake City ten years ago that not only was it no trouble to get a drink, it was also no trouble to get espresso, which is my usual vice - the Nordstrom's in the mall had their little stand out front. It's apparently more trouble to get liquor up in ski country. I've also found it was less trouble to get a beer and _dinner_ late at night than in much of California, though perhaps they have rules requiring bars to also be restaurants. (~midnight, about 6 blocks from the temple.) The catch was that they were also less fascist about smoking in bars, so I had to sit off at the less-crowded end of the bar rather than near the TV with most of the other gentiles.
Re: Destroying computers
>>> Methinks Mr Hatch is not a very bright man.
>>
>> A Southern senator. Need I say more?

Utah is Southern? I do not want directions from you. :-)

I think people have been mixing up Orrin Hatch with Jesse Helms. Both are right-wingers who didn't really like the 20th century, much less the 21st, both have right-wing religious constituencies (though radically different religions), but they're really quite different.
Re: weird logic
At 06:15 PM 06/17/2003 -0500, Harmon Seaver wrote:
> http://news.bbc.co.uk/2/hi/middle_east/2998870.stm
>
> "With Iraq's judicial system in disarray after the end of the war, Paul Bremer said a special criminal court would be set up. He said the court would try people, "in particular senior Baathists... may have committed crimes against the coalition, who are trying to destabilise the situation"."
>
> So you invade a country, and the patriots who resist you are no longer soldiers, even guerillas, but "criminals" to be tried in the US's weird new courts, probably secretly with no representation.

Yup. And USA Today was referring to the US military reserve soldiers who were sent there as "Citizen Soldiers", but of course *Iraqis* who fought the invaders weren't "citizen soldiers", they were "terrorists" or "illegal combatants" or "evil" or "failing to act sufficiently French by surrendering".

And since the US Constitution doesn't apply to US forces operating outside the US, there's no prohibition against "ex post facto" laws about "crimes against the coalition", and of course the Bush Administration bullied Brussels into exempting their armed forces from war crimes laws.
Re: MS Format Flames Re: An attack on paypal --> secure UI for browsers
> Oh get over it. There are other formats. You ever heard of XML? HTML? RTF?

There are output formats and input formats. It's easy to output data in formats other people can read - if you want something prettier than ASCII, HTML is usually fine, though there's not much support for embedded pictures as opposed to separate files. XML is a meta-format - you can't really guarantee that anybody else's XML tool can read your XML tool's documents, because they may not have all the same objects. If you want to give them something quasi-immutable, there's always PDF. That lets you be rude _and_ proprietary :-) Postscript is more flexible, but too many people don't have tools to read it with.

Input formats are harder, because Microsoft keeps adding backwards-incompatibility every time they upgrade Office, just to force everybody else to upgrade. OpenOffice can often help, but not always. Microsoft does make free readers for Word and PowerPoint. They're only intended for running on Windows, but perhaps they work on WINE?
RE: layered deception
At 07:45 AM 05/02/2001 -0700, David Honig wrote:
> Yeah but is there a (contract etc.) *law* being broken or is this a legally-null claim? After all, if click-through EULAs are legally binding...

Maybe a real lawyer could tell you. The answer may depend on whether there's valuable consideration exchanged, and viewing banner ads probably doesn't count (especially since the banner ads typically come from banner ad companies who aren't giving you any promises of keeping your information private.) While occasionally there may be a web site deliberately lying about whether they're keeping logs "No, we won't sell your information to spammers!", a more likely scenario is
- web site content provider isn't keeping logs of content access but they're using a shared hosting service.
- web hosting provider is keeping logs for technical support, debugging, problem resolution, etc.
- banner ad vendor keeps everything they can get
- web site's ISP keeps logs of connections (e.g. IP addresses and TCP port numbers, but not content of communications.)

> Actually, many corps have explicitly decided to shred their email after a while.
> You can thank Ollie North & the MS judges for cluing in the public. So the corp counsels are actively blowing off the suggestion you're claiming.

A long time ago, in a phone company far, far away, we had incredibly detailed sets of requirements for record-keeping because of the regulatory environment. My wife had a summer job in college translating one database from a hand-rolled mostly-undocumented format into a (then-)current commercial database system so they could get the data just in case they got sued about it - something along the lines of promptness or pricing of wholesale telecom services in PacBellLand. Of course, the commercially available database also rotted into technical obsolescence after a few years, but by then nobody'd sued them about it in enough years that there was no need to preserve it longer.
Re: layered deception
At 11:00 PM 05/01/2001 -0500, Harmon Seaver wrote:
> Has anyone given any thought to how log files could be accepted as evidence in the first place? They're just text files, and exceedingly trivial to alter, forge, erase, whatever. They get edited all the time by hackers -- how can anyone, even the sysadmin, swear that they are "true"?

Certainly that's a reason that doing anything with your logs that doesn't begin with encrypting them and sending them to a secure offsite location violates due diligence :-) Wouldn't want the records you're keeping around for lawsuit-insurance to get damaged by equipment problems or Haqkerz, would you? No, judge, the records we're showing you are kept at vaults-r-us.com, where they store them on this gunnery platform with a big moat to prevent any tampering from occurring. I'm sorry the security's a bit extreme and they can't be retrieved without public notice...
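The question above (how does anyone swear a plain text log is "true"?) is what tamper-evident logging answers. The following is an added example, not code from this thread: each entry is chained to its predecessor and sealed with HMAC-SHA256 under a key the log-writing host does not keep, so that editing, deleting or reordering any entry is detectable and the verifier can name the first bad record. The key and the log lines are constructed for the demo.

```python
import hmac
import hashlib
import json

# Constructed sample: the kind of access-log lines the post is talking about.
SAMPLE_LINES = [
    "10.0.0.5 - - [01/May/2001:23:00:01] GET /index.html 200",
    "10.0.0.7 - - [01/May/2001:23:00:04] GET /login 200",
    "10.0.0.7 - - [01/May/2001:23:00:09] POST /login 302",
    "10.0.0.9 - - [01/May/2001:23:00:15] GET /admin 403",
]
GENESIS = b"\x00" * 32  # tag of the (non-existent) entry before the first one


def _body(n: int, line: str) -> bytes:
    # Canonical encoding of (sequence number, text); sort_keys keeps it deterministic.
    return json.dumps({"n": n, "line": line}, sort_keys=True).encode()


def seal_log(key: bytes, lines) -> list:
    """Seal each line as tag_n = HMAC(key, tag_{n-1} || body_n).

    Because tag_n covers tag_{n-1}, changing any earlier entry changes every later tag,
    so an attacker who can edit the text file but lacks the key cannot re-seal the chain."""
    sealed, prev = [], GENESIS
    for n, line in enumerate(lines):
        tag = hmac.new(key, prev + _body(n, line), hashlib.sha256).digest()
        sealed.append({"n": n, "line": line, "tag": tag.hex()})
        prev = tag
    return sealed


def verify_log(key: bytes, sealed) -> int:
    """Return -1 if the whole chain verifies, else the index of the first entry that
    was altered, dropped or moved (a deletion shows up as a sequence-number gap).

    Note: silent truncation of the tail is not caught by the chain alone; the latest
    tag must also be anchored somewhere the log host cannot rewrite (the offsite copy)."""
    prev = GENESIS
    for i, entry in enumerate(sealed):
        if entry["n"] != i:
            return i
        tag = hmac.new(key, prev + _body(i, entry["line"]), hashlib.sha256).digest()
        if not hmac.compare_digest(tag, bytes.fromhex(entry["tag"])):
            return i
        prev = tag
    return -1
```

Verifying only needs the key holder; the host that writes the log can append entries but cannot forge tags.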
Re: The Well-Read Cypherpunk [ Samuelson-bashing ]
At 09:08 AM 04/22/2001 -0700, Tim May wrote:
> I haven't found Samuelson's textbook useful for any of the interesting discussions of markets, black markets, offshore havens, ...

I used Samuelson's textbooks to study micro and macro in college. *Terrible*! Badly written, verbose, not structured well at all, especially for the mathematically literate student, and heavily tied up in the Keynesian government-knows-what's-best command economy view of the world. OK, the dude *did* have a Nobel prize in economics, but as near as I could tell, what he *really* specialized in was the economics of textbook sales, updating this heavy tome every year or two so students had to buy new ones instead of getting them used and selling them back to the campus bookstore at the end of the year. Most of the chapters had an appendix at the end which said most of the same material half as verbosely, but even that was still wading through molasses. I don't mind a certain amount of excess material if the author can write well and enjoyably, but this wasn't it.

Some of the micro classes switched to a different textbook a year or two later - I think the author may have been Peterson? - which was much thinner and more readable. My micro class was taught by a University of Chicago guy who was a good speaker, clear without oversimplifying, and who did a good job of balancing depth for his audience. Micro being what it is, this involved a certain amount of "Ok, engineers, this is an integral, go back to sleep while I show the liberal arts majors areas under curves". That's easier to do well with micro than macro, but it still ain't that hard. I'd also taken economics in high school, and once Mrs. Borish was sick and the old retired guy who used to teach the course came in and subbed - he covered more in two days than we did the rest of the semester and a good third or half of the Micro 102 college course, though not in as much depth as the college material.
It's worth reading Samuelson if you discuss economics much with people who learned it using Samuelson, just so you can balance the jargon and understand the themes they work with, but it's really dreck. Get the Cliff Notes if there are any :-)
Re: chaffing and winnowing
At 07:40 PM 04/15/2001 -0400, Faustine wrote:
> Does anyone know of any serious work being done on developing the concepts of winnowing and chaffing, as outlined in Ronald L. Rivest's 1998 paper 'Confidentiality without Encryption'?

Other than the initial flurry of activity around the announcement, there isn't much in chaffing and winnowing that's really useful in most real-world environments that would encourage development of new variations. The fundamental point was that if *any* kind of digital signature system is permitted, it can be used to implement encryption, so bans on encryption technology are inherently bogus. That doesn't mean that various governments won't try it, or won't make laws requiring users of digital signature systems to give up their signature keys when ordered by a court or sometimes by police, but it doesn't really affect the forced disclosure of encryption keys problem.
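The "authentication alone gives you confidentiality" point is easy to see in code. Below is an added example written for this thread, not Rivest's own construction: the only keyed primitive is an HMAC, one packet per plaintext bit carries the real bit with a valid tag (wheat) and a second packet carries the opposite bit with a random tag (chaff). The receiver winnows by verifying tags; an eavesdropper without the key sees a 0 and a 1 for every position and has nothing to decrypt. The key and message are constructed; Rivest's paper uses larger packets and an all-or-nothing transform, which this bit-level toy omits.

```python
import hmac
import hashlib
import secrets

MAC_LEN = 16  # bytes of truncated HMAC-SHA256 kept as the packet tag


def mac(key: bytes, seq: int, bit: int) -> bytes:
    """Authenticate (sequence number, bit). This is the only secret-keyed operation."""
    msg = seq.to_bytes(4, "big") + bytes([bit])
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


def chaff(key: bytes, plaintext: bytes) -> list:
    """Return the wire stream: for every plaintext bit, one wheat packet
    (seq, bit, valid tag) and one chaff packet (seq, other bit, random tag),
    in random order so position reveals nothing."""
    packets, seq = [], 0
    for byte in plaintext:
        for i in range(7, -1, -1):
            bit = (byte >> i) & 1
            wheat = (seq, bit, mac(key, seq, bit))
            decoy = (seq, bit ^ 1, secrets.token_bytes(MAC_LEN))
            packets += [wheat, decoy] if secrets.randbelow(2) else [decoy, wheat]
            seq += 1
    return packets


def winnow(key: bytes, packets) -> bytes:
    """Keep only packets whose tag verifies, then reassemble the bits into bytes.
    With the wrong key nothing verifies, so the result is empty."""
    bits = {}
    for seq, bit, tag in packets:
        if hmac.compare_digest(tag, mac(key, seq, bit)):
            bits[seq] = bit
    out = bytearray()
    for i in range(0, len(bits), 8):
        byte = 0
        for j in range(8):
            byte = (byte << 1) | bits[i + j]
        out.append(byte)
    return bytes(out)


def eavesdropper_view(packets) -> dict:
    """What someone without the key can learn: the set of bit values seen per position."""
    view = {}
    for seq, bit, _ in packets:
        view.setdefault(seq, set()).add(bit)
    return view
```

The stream contains no ciphertext, only authenticated and unauthenticated plaintext fragments, which is exactly why an export rule that permits signatures but forbids encryption cannot be enforced.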
RE: Mr. Choate, an important message from Justice Scalia....
Discussion by Jim Choate, Declan, and Aimee -

> > But wasn't Scalia -- who made a reasonable point -- talking about the nomination of judges, not executive branch political appointees?
>
> Yes. Indeed, it is the province of the Courts to interpret the Constitution (according to some, not including Mr. Choate), not executive branch political appointees. The very fact that we ask the executive branch these questions is pause for thought. I was trying to uncover any pragmatic distinction between a "political view" versus an opinion on the mechanics of constitutional interpretation. I raised more questions than I answered.

Marbury vs. Madison was an entertaining power grab by the Supremes, but while it may not have been explicitly planned by the bunch of politicians who wrote the messy compromise that's the Constitution, the Constitutional requirement that there be a hierarchy of courts with one Supreme Court means that something like it should happen. If you don't like the idea that the Supreme's job is interpreting the constitutionality of laws made by the legislature, their job at minimum involves deciding appeals in specific cases, and it's possible under Constitutionally implied-but-unspecified conditions to appeal cases up the hierarchy. Some of those cases will involve questions where a law made by Congress or by a state (at least after the 14th amendment) conflicts with the majority of Supreme Court judges' opinions about what the Constitution (and amendments) directly states or with what they believe are fundamental civil rights which the 9th and 10th amendments confirm may exist even though they are not specifically enumerated.
So even if, in a Choatian World, they couldn't say "We're the Supreme Arbiters Of The Meaning Of The Constitution", they can still say "We're the top of the judicial hierarchy, and we say that X is a bad law, and will rule in any case that is appealed to us that the accused is not guilty and award legal costs to the accused." Under common law, throwing out cases of unjust laws is not only the job of the jury, it's also the job of the judge (though the judge also works for the King, and it may also be his job to enforce unjust laws.) Lower courts don't like getting overturned, so they'd generally stay in line given a ruling like that, and if not, the accused can spend the costs of the appeal and win. And since most courts generally follow precedents, once the Supremes have announced that X is a bad law, they'll generally stick to it for quite a while, or at least until the political climate changes and they decide some case doesn't quite fit the conditions that the precedent was set under, or weasel-word around it, or decide to do a rare break with tradition and issue a contradictory opinion.
Re: semi-anon test from a throwaway account part deux
It's been 30 years since I read The Time Machine, but didn't the Eloi only have 1 L in their name?

> Received: from [204.156.156.63] by web13205.mail.yahoo.com; Wed, 21 Mar 2001 18:37:14 PST

How fast they trace Yahoo is an open question - If you care, find an anonymizer to read your webmail through. I'm reading off-line, but the IP address is probably that of the machine at the internet cafe you're using - depending on how organized the cafe and someone tracing you are, they may be able to find you quickly, or not. For instance, if you're at joesinternetcafe.com, Joe's Internet Cafe, 1234 5th street, San Francisco, and Joe's system administrator can tell that .63 is the table in the corner, you may be toast. On the other hand, if your IP address is a NAT box on a DSL line connected to Pac Bell Internet, at a chain of coffeeshops staffed by non-technical baristas, "I don't know how the router thing works. Want donuts?" and you're a 17-year-old kid in a room full of 15-20-year-old kids playing Quake, you'll have plenty of time to boogie out of there before the cops show up, or certainly before they figure out it was you - unless you've threatened to nuke Washington now, any investigation will be after the fact, so the real issue is whether you paid by credit card or cash and whether any name you used is traceable to you.

At 06:37 PM 03/21/2001 -0800, you wrote:
> OK, the first one didn't work.
>
> Any idea how long it takes for LEA to request yahoo logs, get the IP, go to ISP and figure out who I am ?
>
> Or is it fully automated by now, so if I mention AP my name (as ISP knows it) flashes on some screen ?
>
> Or someone is sent to the internet cafe I am posting from ?
>
> Questions, questions.
>
> Get email at your own domain with Yahoo! Mail.
> http://personal.mail.yahoo.com/