SF Bay area to begin massive tracking of FasTrak commuters [ or if it is available , we will use or abuse it djf]
The Fastrak system used for toll collections in San Francisco and other areas has found another use - monitoring traffic flow on freeways by tracking suckers\customers' cars when they're *not* in tollbooths. The system managers purport that they'll protect privacy by destroying any individually identifiable data after a day, and also keeping personal identification information separate from encrypted transponder IDs, but fundamentally, if the information's there, it's accessible and usable.

-Original Message-
From: Dave Farber [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 08, 2002 5:33 PM
To: ip
Subject: IP: SF Bay area to begin massive tracking of FasTrak commuters [ or if it is available , we will use or abuse it djf]

http://www.newsday.com/news/nationworld/wire/sns-ap-tracking-drivers0808aug08.story?coll=sns%2Dap%2Dnationworld%2Dheadlines
http://www.newsday.com/news/nationworld/wire/sns-ap-tracking-drivers0808aug08.story

Traffic System Causes Privacy Outcry
By KAREN GAUDETTE
Associated Press Writer
August 8, 2002, 6:36 PM EDT

OAKLAND, Calif. -- In about a month, traffic sensors being installed along San Francisco Bay area highways will be able to track a quarter million drivers along their commutes.

Proponents say the $37 million enhancement to the region's electronic toll system will be a boon to commuters, providing motorists real-time information about some of the nation's worst road congestion via cell phone, radio or Internet. Traffic planners will be able to gather crucial data on problem areas.

But despite government assurances, the new program is also raising fears that drivers' privacy will be invaded.

Similar to systems in Houston and the New York region, the Bay area's FasTrak program already eases waits at toll plazas by enabling motorists to pay with electronic devices velcroed to the windshields of vehicles. Now, radio-based sensors mounted on highway signs every few miles will augment the devices' usefulness.
To the dismay of some FasTrak users, monitoring is not optional. The only way to avoid triggering the sensors throughout nine Bay Area counties is to stash the transponder in its accompanying Mylar bag. Project leaders at the Metropolitan Transportation Commission say they're not interested in the movements of individual drivers, and have gone to great lengths to protect privacy, including encrypting the serial number of each transponder as its location is transmitted. Authorities promise to keep this data separate from the identities of FasTrak users and other information needed to make automatic monthly deductions from their bank or credit card accounts. We're not tracking or trying to follow any individual car, just the overall traffic flow, TravInfo project manager Michael Berman said. But some drivers say having a more detailed traffic report isn't worth the sense that someone's watching. I personally am a little creeped out by it, said interior designer Heidi Hirvonen-White, who crosses the Golden Gate Bridge commuting between Tiburon and San Francisco. In today's society it seems like any sort of code or whatnot can be broken. Those in the automotive telematics industry say the Bay Area's TravInfo project is only the latest example of the growing phenomenon of remote monitoring. Many rental fleets and trucking companies already use satellite positioning systems to track cars and cargo. Companies promote similar products for keeping tabs on kids, Alzheimer's patients or cheating spouses. Washington is also promoting locator technology. By October, the Federal Communications Commission wants cell phones equipped with locator technology to help emergency responders find callers. That requirement will also enable authorities to track users, even calculating road speeds, said Ray Grefe, vice president of business development for telematics software company Televoke. 
I think there are going to be some nasty court battles that come out of all of this stuff, Grefe said. Transponder data has already been used in court. In 1997, E-ZPass records helped show what kidnappers did to New Jersey restaurant millionaire Nelson Gross, whose BMW crossed the George Washington Bridge into Manhattan, where his beaten corpse was found. Another case involved a Connecticut rental car company that charged customers $150 each time a GPS receiver showed they were speeding. The company has since stopped the practice. Berman emphasized that the Bay Area system won't be used to track kidnappers or car thieves who happen to have FasTrak in their cars, let alone adulterers. The MTC -- along with its partners, the California Highway Patrol and the state transportation department -- has received no requests from law enforcement to tweak the system so drivers could be pursued, Berman said, adding, I think if they were to request it, we would say no. That's not our job. But privacy advocates say that once the sensors are in place, there's nothing to prevent such a change. New laws
Utilizing Palladium against software piracy
I would like to again thank the Palladium team, in particular Peter Biddle, for participating in yesterday's panel at the USENIX Security conference on Palladium and TCPA. Unfortunately I do not have the time at the moment to write up the many valuable and informative points made during the panel discussion. I will, however, highlight one such issue: As Peter pointed out, while the Palladium effort was started to meet the content protection requirements of digital video content providers, he also pointed out that Microsoft and its Palladium group have so far been unable to determine a method in which Palladium could be utilized to assist in the efforts against application software piracy. As Peter mentioned, the Palladium team on several occasions had to tell Microsoft's anti-piracy group that Palladium is unsuitable to assist in software (as distinct from content) licensing and anti-piracy efforts. Since Microsoft is not aware of a method to utilize the Palladium environment in the enforcement of software licenses, Peter argued, Microsoft does not intend to and will not utilize Palladium to assist in the enforcement of software licensing. I, on the other hand, am able to think of several methods in which Palladium or operating systems built on top of TCPA can be used to assist in the enforcement of software licenses and the fight against software piracy. I therefore, over the course of the night, wrote - and my patent agent filed with the USPTO earlier today - an application for a US Patent covering numerous methods by which software applications can be protected against software piracy on a platform offering the features that are slated to be provided by Palladium. --Lucky Green
RE: Challenge to TCPA/Palladium detractors
Anonymous wrote: Matt Crawford replied: Unless the application author can predict the exact output of the compilers, he can't issue a signature on the object code. The compilers then have to be inside the trusted base, checking a signature on the source code and reflecting it somehow through a signature they create for the object code. It's likely that only a limited number of compiler configurations would be in common use, and signatures on the executables produced by each of those could be provided. Then all the app writer has to do is to tell people, get compiler version so-and-so and compile with that, and your object will match the hash my app looks for. DEI The above view may be overly optimistic. IIRC, nobody outside PGP was ever able to compile a PGP binary from source that matched the hash of the binaries built by PGP. --Lucky Green
Re: Challenge to TCPA/Palladium detractors
On Wed, 7 Aug 2002, Matt Crawford wrote: Unless the application author can predict the exact output of the compilers, he can't issue a signature on the object code. The same version of compiler on the same source using the same build produces identical binaries. The compilers then have to be inside the trusted base, checking a signature on the source code and reflecting it somehow through a signature they create for the object code. You have the source, compile it using the official compiler and the official build options, and record the blob. Entity X claims it runs the same system that it gave you the source for. You can't sign it, but you can verify the signed blob is the same. The blob can still be trojaned, but you can disassemble and debug it.
Re: Challenge to TCPA/Palladium detractors
On Fri, 9 Aug 2002, David Howe wrote: It doesn't though - that is the point. I am not sure if it is simply that there are timestamps in the final executable, but Visual C (to give a common example, as that is what the windows PGP builds compile with) will not give an identical binary, even if you hit rebuild all twice in close succession and compare the two outputs, nothing having changed. I've just verified this also occurs on OpenSSL under RH 7.3 (gcc --version 2.96). I haven't done a binary diff, but I'm also suspecting a time stamp. Can anyone shed some light on this?
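The build-to-build mismatch the two posts above describe has a concrete location in a Windows executable: the Visual C linker writes the link time into the TimeDateStamp field of the COFF file header, so two otherwise identical builds differ in those four bytes. The following is an added example, not code from anyone in this thread and not what PGP or OpenSSL ship. It constructs a minimal PE-shaped image by hand (DOS stub, "PE\0\0" signature, COFF header, a stand-in code section), shows that the raw hashes of two builds differ, locates the differing bytes, and then compares the builds with that one field masked, which is the check the earlier post sketches: the author publishes the digest of the official build, and anyone rebuilding with the official toolchain and options compares against it. The code bytes, timestamps and digests are constructed for the example.

```python
"""Reproducible-build check over a hand-built PE-shaped image.

Added example, not code from any poster in the thread. The image layout
follows the real PE format far enough to place the linker's TimeDateStamp
where it lives in a real Win32 executable: eight bytes after the "PE\\0\\0"
signature (Machine and NumberOfSections precede it in the COFF header).
"""
import hashlib
import struct

E_LFANEW_OFFSET = 0x3C          # DOS header field holding the offset of "PE\0\0"
TIMESTAMP_OFFSET_FROM_SIG = 8   # Machine(2) + NumberOfSections(2) precede TimeDateStamp(4)


def build_image(code: bytes, link_time: int) -> bytes:
    """Construct a minimal PE-like image; only `link_time` varies between two
    builds of the same source, mirroring a linker that stamps the current time."""
    dos_header = bytearray(0x40)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, E_LFANEW_OFFSET, 0x40)     # "PE\0\0" sits at 0x40
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 1, link_time, 0, 0, 0, 0x0102)
    return bytes(dos_header) + b"PE\0\0" + coff + code


def timestamp_span(image: bytes) -> tuple[int, int]:
    """Locate the TimeDateStamp field by following e_lfanew, as a real tool would."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image")
    e_lfanew = struct.unpack_from("<I", image, E_LFANEW_OFFSET)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    start = e_lfanew + TIMESTAMP_OFFSET_FROM_SIG
    return start, start + 4


def raw_digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def normalized_digest(image: bytes) -> str:
    """Digest with TimeDateStamp zeroed: what two honest builds from the same
    source, compiler and options should agree on."""
    start, end = timestamp_span(image)
    return hashlib.sha256(image[:start] + b"\0\0\0\0" + image[end:]).hexdigest()


def differing_ranges(a: bytes, b: bytes) -> list[tuple[int, int]]:
    """Byte ranges where two equal-length images differ. Run this first: you
    want to know *what* is non-deterministic before deciding it is benign."""
    if len(a) != len(b):
        raise ValueError("images differ in length; more than a stamp changed")
    ranges, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(a)))
    return ranges


def verify_against_published(image: bytes, published_normalized_sha256: str) -> bool:
    """The check from the thread: compare a local rebuild with the digest the
    application author published for the official build."""
    return normalized_digest(image) == published_normalized_sha256


# Constructed inputs: a stand-in text section and three "builds".
CODE = b"\x55\x8b\xec\x33\xc0\x5d\xc3"
BUILD_1 = build_image(CODE, link_time=1028860800)            # the "official" build
BUILD_2 = build_image(CODE, link_time=1028860860)            # same source, relinked a minute later
ROGUE = build_image(CODE + b"\x90", link_time=1028860800)    # one byte more: a different program

if __name__ == "__main__":
    print("raw digests equal:       ", raw_digest(BUILD_1) == raw_digest(BUILD_2))
    print("differing byte ranges:   ", differing_ranges(BUILD_1, BUILD_2))
    print("normalized digests equal:", verify_against_published(BUILD_2, normalized_digest(BUILD_1)))
    print("rogue passes:            ", verify_against_published(ROGUE, normalized_digest(BUILD_1)))
```

Masking a field is diagnosis, not a fix: the real remedy is to make the toolchain stop emitting the stamp, and to hunt down every other source of variation before trusting a hash. On Linux/ELF there is no header timestamp at all, so a gcc rebuild that differs (as in the OpenSSL observation above) usually points at `__DATE__`/`__TIME__` in the source, a build date compiled into the library (OpenSSL historically did this; `openssl version -b` prints it), or absolute build paths in debug info. The reproducible-builds convention of setting `SOURCE_DATE_EPOCH` exists precisely to pin such values.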
NOT SPAM PLEASE READ!!!!
Hi, For the past week, just like yourself, I have been receiving emails about long distance low cost calls. I have asked them to stop spamming, but they just won't stop. If anybody has any ideas, please help. I have reported this abuse to spamcop and netscape. Any further info would help. Dean Stewart INfinite INcome INterested? Visit www.eurexcelir.com/biz Or call Dean Stewart on 01233 503368 to discover what our business can do for you.
Homeland security's new agency: Ministerium für Staatssicherheit.
Including informants, the Stasi at one point would number one operative for every 66 East German citizens; so ruthless and efficient were they in their efforts to squelch dissent that even the KGB found itself occasionally appalled by the Stasi's methods. http://www.amazon.com/exec/obidos/ASIN/0813337445/ref=pd_sim_books/104-0188761-0538340 Both IBM and Texas Instruments unknowingly employed Stasi spies who gathered information about computers and communications apparatus. Another group had developed a unique particle spray, similar to a chemical weapon, to spread over enemy communication stations and disrupt correspondence in case of war. Mmm. Can you imagine a police informer for every 6.5 persons in the country? All phones tapped. All packages/letters from the outside world opened and usually kept (stolen). Can you imagine spending your life in a 6x6 cell in total isolation. One young man (38 y/o) lived for 9 yrs, till his death, like that. Six medical students spent 3 to 11 yrs in prison just for applying for a VISA! It's getting easier.
The Lazy 'C' brand.
'C' stands for Crawford, Shrub's school grades and Castor seed poison needed to take out the Cunt. If the White House is empty, it must be August. With presidents like this, who needs enemies? The World This Week: Pretty Vacant If the White House is empty, it must be August. http://www.newmassmedia.com/nac.phtml?code=hardb=nac_fearef=21531 By Alan Bisbort Published 08/08/02 After bringing America to the brink of economic collapse and hammering out the framework of his permanent police state, George W. Bush is taking August off for vacation. The rest of us who have to work for a living can expect absurd photo ops to abound (e.g., Bush is the only person in Texas who chops wood in the middle of August). While Bush putters about on his ranch in his golf cart, dressed in silly cowboy duds, the nation should take a collective sigh of relief. With presidents like this, who needs enemies? While there's a break in the inaction, let's flash back to last August. That is the month W. chose to be -- paraphrasing his Poppy -- out of the loop. Too bad for us, because that's the month when intelligence reports were coming in as fast and furious as Scud missiles about al Qaeda's plans to hijack planes and use them as missiles. Indeed, Osama all but Fed-Ex'ed a hand-delivered, gilt-edged notice to Bush's ranch about his plans. And yet, Condi Rice assured us that they could not connect the dots. Even if hindsight is 20/20, it's as clear as a summer day last August in Crawford, Texas that George W. Bush was driving completely blind in the month before the terror attacks. Bush insists that he took all necessary measures to prevent an attack from occurring, but I went back and examined every issue of Time and Newsweek from Aug. 6 through Sept. 10, 2001 -- and I would warrant that the same pattern would be seen were one to pore over daily editions of, say, the New York Times and the Washington Post.
I examined these magazines, in part, out of native curiosity. I did it also, in part, because I was given this challenge by one of my readers: To my knowledge, no one has yet asked or answered the question: 'What were Bush and Cheney doing during that month that they regarded as more important than dealing with and passing along a terrorist threat that wound up costing more than 3,000 lives in the first attack upon the soil of our sovereign nation? Were they gerrymandering environmental laws to help their cronies make money? Were they meeting with Enron execs so that these soiled crooks could set energy policy? What were these two fellows, still so highly regarded by the American public for their strength of character, doing during that crucial month while the al-Qaeda suicide hijackers were making their final plans? It seems the press did not connect the dots, either. During the five weeks prior to Sept. 11, America's two widest-circulating news magazines did not carry a single story on domestic terrorism, bioterrorism, vigilance at America's airports or even the slightest hint that anyone on Bush's staff, from Colin Powell to John Ashcroft to Rove, Card, Rice and Cheney gave even a nod, wave or shoulder-shrug to the possibility of a domestic terrorist attack. They may insist that all of their preparedness was being done behind the scenes (don't want to tip the old hand to wily evildoers like Osama and Saddam, now, do we?), but a complete lack of forewarning has been remarked upon by the pilots' association, air traffic controllers, business travelers, and even Rudi Giuliani (who, instead of trying to prop up Bush, should stand alongside the people of his wounded city, rightfully demanding answers). My point: Even if they were working behind the scenes, they did not share the information with the very people who would have been in the best position to save American lives. 
It is now impossible to draw any other conclusions than this overridingly obvious one: This five-week period of what will, in hindsight, be regarded as one of the most important in U.S. history, offers real time, crystal clear documentation of appalling laziness and abject failure, from the White House all the way down to the White House press corps. What will Bush miss during his August nap this year?
AdCouncil PSAs. ChuckO agrees.
Holy fuck, I can't believe these new TV PSAs from the AdCouncil: http://www.adcouncil.org/campaigns/campaign_for_freedom These PSAs are really whacked out. They are supposed to be fictional depictions of life in a country other than the U.S., but they are incredibly hypocritical! For example, the Library PSA shows a young guy asking for a book from a librarian, who informs him that it is no longer available and then asks him why he wants to read it. They pan the library and all these government agents pop out of hiding. Of course, as many of you know, the U.S. government would like to see this become a reality, with some kind of TIPS program for libraries. The FBI is already requesting information from libraries, and libraries have this annoying habit of monitoring and controlling the surfing habits of patrons at library terminals. I looked at another PSA, Arrest, which shows some guy being pulled over by the police and then being arrested for having the wrong reading material. Face it, activists and other people have routinely been detained at airports for having the wrong reading material. Having radical books in your car has frequently been a pretext for arrest and, at the least, harassment. ChuckO. ChuckO runs an excellent anarchist site at www.infoshop.org I recommend the interactive news highly.
X-box crack
http://www.politechbot.com/p-03864.html If anyone asks (or subpoenas, yikes!), I am simply RESEARCHING present web vulnerabilities in relation to 'trust' in cyberspace. APster; who do you want to kill today?
Eat your greenes.
http://www.theregister.co.uk/content/6/26598.html Web pornographer hacks bin Laden By Thomas C Greene in Washington Posted: 09/08/2002 at 08:49 GMT The Western intelligence establishment must be dancing for joy knowing that Internet pornographer Jon Messner has managed to infiltrate the shadowy world of al-Qaeda cyberterror involving a Web site called Al Neda. This amazing story, broken by senior CNN drone Mike Boettcher, details the cheap publicity stunt of a pathetic little man who pimps his own wife on line via naughty, nudie Web-cams through his 'housewives' porno Web site. Following Boettcher's expert investigative reporting, we learn that Messner hijacked a high-level viper's nest of hideous terrorists. Or maybe he just copied their posts. Boettcher seems not to know the difference, or care. Messner, using the aggressive tactics he's employed to run his adult site, said he 'hijacked' Al Neda for five days and recorded a 'virtual who's-who of every hostile message board and site on the Internet,' Boettcher says. Traffic to the site increased under his control, most of it coming from Saudi Arabia, [Messner] said. The majority of the September 11 hijackers were from Saudi Arabia. Surely that's all the evidence we need. Traffic from Saudi Arabia. Case closed. Of the patriotic Messner, Boettcher writes, His Porsche and its 'WIVES' vanity plates memorializing his success in adult entertainment are, he believes, a testament that he and his family are living the American Dream. Well, if the American Dream involves pimping your wife on the Web, then I reckon he's right about that. Thank God thousands of brave young men are sleeping rough and eating crummy MREs in Afghanistan as we speak, exposing themselves to considerable hardship and risk in order to preserve it. ® You may get lucky.
Jamesd; the ex-trotskyists 'enemies list.'
It's interesting to note a peculiar pattern that seems to be emerging: many of the biggest warmongers, in the post 9/11 era, are ex-nutballs of one sort or another who went straight and veered off into a more lucrative variety of extremism. Murawiec is merely the latest case. Think of David Horowitz, the ex-leftist cheerleader for the Black Panthers who now goes around lecturing blacks on their alleged racism and demanding all-out war on the Arab world. Think of Stephen Schwartz, the Weekly Standard's expert on Wahabism, who gave up the fringe politics of left-anarcho-Trotskyism to become a major theoretician of the Riyadh-as-kernel-of-evil school. How long were you a Trot, jamesd? 4 years? 5? Not that there's anything wrong with that.
Arbusto news.
Genetically modified crops may pass helpful traits to weeds, study finds 'For the first time, researchers have shown that a gene artificially inserted into crop plants to fend off pests can migrate to weeds in a natural environment and make the weeds stronger. Scientists studied genetically engineered sunflowers - those modified with a gene that produces a chemical toxic to certain insects - to see what happened when these foreign genes, called transgenes, were inadvertently passed along to weedy relatives' ( Ohio State ) See also this abstract, and this blog entry from last month.LINKS http://www.hullocentral.demon.co.uk/site/anfin.htm
Bad Gorilla! Dont do that again!
Another Day, Another No-Penalty Microsoft Settlement ZDNet: Microsoft, FTC, Settle over Passport. We believe that Microsoft made a number of misrepresentations, dealing with, one, the overall security of the Passport system and personal information stored on it; two, the security of online purchases made with Passport Wallet; three, the kinds of personal information Microsoft collects of users of the Passport service; and four, how much control parents have over the information collected by Web sites participating in the Kids Passport program, Muris said during the conference call. Remember Microsoft's squeals of angst when privacy advocates complained about Passport? Once again, Microsoft is found not to be telling the truth about serious issues. And, once again, the governmental agency with the power to do something realistic fades away on contact. The FTC hasn't even issued a slap on the wrist here. It merely got Microsoft to agree not to do it again. http://www.siliconvalley.com/mld/siliconvalley/business/columnists/dan_gillmor/ejournal/ Scroll down for encrypted mac option. Was CJ way ahead of the curve in threatening to kill Bill? Answers on the back of a stamp to sam adams... Neither the wisest constitution nor the wisest laws will secure the liberty and happiness of a people whose manners are universally corrupt. Samuel Adams
Pool full of Sharks.
Today, GMA booking wars have gotten insane, says TV veteran While one source says the situation is insane, Verne Gay describes the morning show feud as nutty. Producers at the ABC and NBC morning shows have accused the other of lying, cheating and breaking -- or at least twisting -- established rules. Gay writes: In case you're wondering, 'Today' despises 'GMA,' and the feeling is mutual. (Newsday) SLEAZY OR MERELY COMPETITIVE?: One producer [involved in trying to book the kidnap victims] was said to have swerved into another on the highway; one was said to have sobbed to the girls that she would be fired if the interview didn't take place. Another was alleged to have called the police to complain that the competition was stalking the girls, in order to keep them away. (Los Angeles Times) TV show bookers tell victims they'll feel better after telling their tales http://www.poynter.org/medianews/
Faith based education, shrub approved madrassas coming soon.
'Terrorist School' Head Acquitted Associated Press 8:55 a.m. Aug. 9, 2002 PDT LONDON -- A chef who promoted The Ultimate Jihad Challenge on an Internet site, inviting people to take weapons training in the United States, was found innocent of terrorist charges Friday. A jury at London's Old Bailey criminal court found Sulayman Balal Zainulabidin, 44, innocent of violating the Terrorism Act. http://www.wired.com/news/politics/0,1283,54440,00.html Faith-Based and Community Initiatives: Rallying the Armies of ... ... US Department of Labor Center for Faith-Based and Community Initiatives; Center for Faith-Based and Community Initiatives at the US Department of Education; ... Description: Promoting the President's vision to enlist, equip, enable, empower and expand the heroic works of... Category: Regional North America ... Domestic Policy Council www.whitehouse.gov/infocus/faith-based/ How can one president be so fucking stupid?
Rush in democRATS and blipverts.GREAT DANEger.
Russia: Subliminal media manipulation? Russia's Deputy Media Minister Valerii Sirozhenko has announced that his agency has set up special devices capable of detecting the illegal use of the so-called 25th frame to send subliminal messages to television viewers, Russian agencies reported. Sirozhenko claimed that many channels use the 25th frame, and if such usage is proven by the new equipment, they will be subject to stiff fines or the revocation of their broadcasting licenses. He also mentioned that the practice was used in the Soviet era for unclear reasons. On June 27 Sirazhenko warned some TV stations that his office knows are using subliminal advertising. Sirazhenko says there has only been one case of a television station being caught. Two years ago, reported the Moscow Times, the Press Ministry said Yekaterinburg broadcaster ATN was trying to mesmerize its viewers with an undetectable 'watch only ATN' command. According to popular legend, in the 1950s, tests in cinemas in the United States using an undetectable 25th frame with an advertising slogan, such as 'eat popcorn, drink Coke', resulted in significant increases in consumption of both. Movies recorded on film are normally shown at 24 frames per second, the speed with which the human eye recognizes fluent motion. The concept of so-called 'subliminal advertising' has been widely derided in recent years, though the practice, effective or otherwise, is still illegal in Russia and the US. RFE Radio Liberty report. Snopes.com 'urban legends' pages on subliminal advertising. The row over subliminal advertising during the 2000 US presidential elections. FROM http://www.indexonline.org/indexindex/20020809_russia.shtml
ZIMMERMAN DEAD SHOCK!
http://www.sportsshooter.com/news_story.html?id=745 My what big ears you have. Last weekend in Monterey, Calif. Zimmerman, who is known as one of the true pioneers of sports photography and recognized by everyone as one of the greatest sports photographers of all time, grew up in Los Angeles. He got his start in the business after leaving the Navy in the late 1940's. Zimmerman then took odd jobs working for International News and the LIFE Los Angeles bureau. When a job opened up as a LIFE darkroom technician in Washington D.C., Zimmerman headed east. Before finally heading South. I hear Declan is available to serve if called upon, in the interests of national security.
Thanks, Lucky, for helping to kill gnutella
An article on Salon this morning (also being discussed on slashdot), http://www.salon.com/tech/feature/2002/08/08/gnutella_developers/print.html, discusses how the file-trading network Gnutella is being threatened by misbehaving clients. In response, the developers are looking at limiting the network to only authorized clients: On Gnutella discussion sites, programmers are discussing a number of technical proposals that would make access to the network contingent on good behavior: If you write code that hurts Gnutella, in other words, you don't get to play. One idea would allow only clients that you can authenticate to speak on the network, Fisk says. This would include the five-or-so most popular Gnutella applications, including Limewire, BearShare, Toadnode, Xolox, Gtk-Gnutella, and Gnucleus. If new clients want to join the group, they would need to abide by a certain communication specification. They intend to do this using digital signatures, and there is precedent for this in past situations where there have been problems: Alan Cox, a veteran Linux developer, says that he's seen this sort of debate before, and he's not against a system that keeps out malicious users using technology. Years and years ago this came up with a game called Xtrek, Cox says. People were building clients with unfair capabilities to play the space game -- and the solution, says Cox, was to introduce digital signatures. Unless a client has been signed, it can't play. You could build any client you wanted, but what you can't do is build an Xtrek client that let you play better. Not discussed in the article is the technical question of how this can possibly work. If you issue a digital certificate on some Gnutella client, what stops a different client, an unauthorized client, from pretending to be the legitimate one? This is especially acute if the authorized client is open source, as then anyone can see the cert, see exactly what the client does with it, and merely copy that behavior. 
If only there were a technology in which clients could verify and yes, even trust, each other remotely. Some way in which a digital certificate on a program could actually be verified, perhaps by some kind of remote, trusted hardware device. This way you could know that a remote system was actually running a well-behaved client before admitting it to the net. This would protect Gnutella from not only the kind of opportunistic misbehavior seen today, but the future floods, attacks and DOSing which will be launched in earnest once the content companies get serious about taking this network down. If only... Luckily the cypherpunks are doing all they can to make sure that no such technology ever exists. They will protect us from being able to extend trust across the network. They will make sure that any open network like Gnutella must forever face the challenge of rogue clients. They will make sure that open source systems are especially vulnerable to rogues, helping to drive these projects into closed source form. Be sure and send a note to the Gnutella people reminding them of all you're doing for them, okay, Lucky?
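The two halves of the post above can be put side by side in code: a credential that ships inside an (open-source) client, which any rogue client can copy, versus a platform that measures the code it actually runs and vouches for that measurement with a key the client code cannot read. This is an added example, not code from the Gnutella projects or from anyone in the thread. Client "programs" are modelled as Python functions measured by a hash of their bytecode and constants; the attestation key is an HMAC key held by a `Platform` object standing in for an asymmetric key sealed in TPM-like hardware (a real verifier would hold only the public half and a certificate chain for it, not the signing key). Every name and value below is constructed for the example.

```python
"""Client certificate embedded in the client vs. platform attestation.

Added example, not code from the Gnutella projects or any poster. Scheme 1
shows why a credential inside the client cannot distinguish an approved
client from a rogue that copied it. Scheme 2 shows what changes when a
platform the client cannot tamper with measures the code before running it
and signs (measurement, nonce) with a key the client never sees.
"""
import hashlib
import hmac
import secrets

# --- Scheme 1: the credential ships inside the client --------------------------
# The network hands every approved client a secret and checks it in a
# challenge-response handshake. Open source or not, the secret is in the binary.
APPROVED_CLIENT_SECRET = b"constructed-gnutella-client-credential"


def challenge_response(secret: bytes, nonce: bytes) -> bytes:
    return hmac.new(secret, b"gnutella-client-auth|" + nonce, hashlib.sha256).digest()


def verify_challenge_response(response: bytes, nonce: bytes) -> bool:
    expected = challenge_response(APPROVED_CLIENT_SECRET, nonce)
    return hmac.compare_digest(response, expected)


def approved_client_handshake(nonce: bytes) -> bytes:
    """The audited, well-behaved client."""
    return challenge_response(APPROVED_CLIENT_SECRET, nonce)


def rogue_client_handshake(nonce: bytes) -> bytes:
    """A rogue that read the approved client's source and copied its secret,
    then misbehaves (modelled as a flag; a real rogue floods or spoofs hits)."""
    rogue_client_handshake.floods = True
    return challenge_response(APPROVED_CLIENT_SECRET, nonce)


# --- Scheme 2: the platform measures the code and vouches for it ----------------
def measure(fn) -> str:
    """Measurement of a client: hash of the code that will actually run
    (bytecode plus constants and names, so two functions with the same
    instruction stream but different data still measure differently)."""
    c = fn.__code__
    return hashlib.sha256(c.co_code + repr(c.co_consts).encode() + repr(c.co_names).encode()).hexdigest()


class Platform:
    """Stand-in for attestation hardware. The client code receives the nonce
    and produces its handshake; the measurement and the quote are produced
    around it by the platform, and the key never leaves this object."""

    def __init__(self):
        self._attestation_key = secrets.token_bytes(32)

    def _quote(self, measurement: str, nonce: bytes) -> bytes:
        return hmac.new(self._attestation_key, measurement.encode() + b"|" + nonce, hashlib.sha256).digest()

    def launch(self, client_fn, nonce: bytes) -> tuple[bytes, str, bytes]:
        measurement = measure(client_fn)      # taken before the code runs; the code cannot choose it
        response = client_fn(nonce)           # the client's own handshake
        return response, measurement, self._quote(measurement, nonce)

    def verify_quote(self, measurement: str, nonce: bytes, quote: bytes) -> bool:
        return hmac.compare_digest(quote, self._quote(measurement, nonce))


def admit_attested(platform: Platform, allowed: set[str], measurement: str, nonce: bytes, quote: bytes) -> bool:
    """Network-side admission: the quote must be genuine *and* name an approved build."""
    return platform.verify_quote(measurement, nonce, quote) and measurement in allowed


def demo() -> dict:
    """Run both schemes against the approved and the rogue client."""
    nonce = secrets.token_bytes(16)
    results = {}
    # Scheme 1: both clients pass; the network cannot tell them apart.
    results["sw_approved"] = verify_challenge_response(approved_client_handshake(nonce), nonce)
    results["sw_rogue"] = verify_challenge_response(rogue_client_handshake(nonce), nonce)
    # Scheme 2: the network publishes the measurement of the build it audited.
    platform = Platform()
    allowed = {measure(approved_client_handshake)}
    for name, fn in (("attested_approved", approved_client_handshake), ("attested_rogue", rogue_client_handshake)):
        _, m, q = platform.launch(fn, nonce)
        results[name] = admit_attested(platform, allowed, m, nonce, q)
    # A rogue that claims the approved measurement but forges the quote fails: it lacks the key.
    forged = hmac.new(b"guess", b"", hashlib.sha256).digest()
    results["forged_quote"] = admit_attested(platform, allowed, measure(approved_client_handshake), nonce, forged)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:18s} admitted={v}")
```

The allowlist is where the trade-off the rest of the thread argues about lives: whoever publishes the approved measurements decides which builds may speak, and any local change to the client, a bug fix included, produces a new measurement that must be approved before it is admitted.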
Keywords trump Links shock.
http://www.anarchy-online.com/ Play trumps politics every time. Wed, 07 Aug, 2002 Clan Leader Missing! MONGO! 1st Amendment dead drop. http://www.bristolnews.com/front/MGBUSN1MK4D.html There are some very important reasons behind the secrecy of this court's grand jury process, I would like to tell you more but... I am NOT your source for this story, you did not see me or know who I am.
CAMPAIGN FOR TOUR ORGANIZATIONS..
Title: Birfidan2002 INCREDIBLE CAMPAIGN!.. IMPORTANT NOTICE TO OUR INSTITUTIONS AND ORGANIZATIONS... YOUR CONCERT, FESTIVAL, FAIR AND SIMILAR EVENT ORGANIZATIONS ARE CARRIED OUT AT A DISCOUNT OF 1/3 OFF MARKET STANDARD PRICES THANKS TO OUR CAMPAIGN TOUR. ARTISTS TAKING PART IN OUR 2002 CAMPAIGN TOUR. The order in which the artists are listed has nothing to do with their careers. ALSO, FOR YOUR WEDDING, ENGAGEMENT, BALL AND SIMILAR ORGANIZATIONS, WE ARE AT YOUR SERVICE WITH OUR RICH ARTIST ROSTERS AND MUSIC GROUPS. FOR MORE DETAILED INFORMATION Tel: 0 212 352 0976 (PBX) E-Mail : [EMAIL PROTECTED] NOTE: WE APOLOGIZE FOR ANY INCONVENIENCE CAUSED TO THE OWNERS OF MAIL ADDRESSES REACHED BY MISTAKE DUE TO A POSSIBLE MAIL TRANSFER ERROR.
Re: Thanks, Lucky, for helping to kill gnutella
On Fri, Aug 09, 2002 at 10:05:15AM -0700, AARG! Anonymous wrote:
> On Gnutella discussion sites, programmers are discussing a number of technical proposals that would make access to the network contingent on good behavior: If you write code that hurts Gnutella, in other words, you don't get to play. One idea would allow only clients that you can authenticate to speak on the network, Fisk says. This would include the five-or-so most popular Gnutella applications, including Limewire, BearShare, Toadnode, Xolox, Gtk-Gnutella, and Gnucleus. If new clients want to join the group, they would need to abide by a certain communication specification.
>
> They intend to do this using digital signatures, and there is precedent for this in past situations where there have been problems:

Depending on the clients to do the right thing is fundamentally stupid.

[..]

> Be sure and send a note to the Gnutella people reminding them of all you're doing for them, okay, Lucky?

This sort of attack doesn't do your position any good.

Eric
Re: Challenge to TCPA/Palladium detractors
James A. Donald wrote:
> --
> On Wed, 7 Aug 2002, Matt Crawford wrote:
> > Unless the application author can predict the exact output of the compilers, he can't issue a signature on the object code. The
>
> On 9 Aug 2002 at 10:48, Eugen Leitl wrote:
> > Same version of compiler on same source using same build produces identical binaries.
>
> This has not been my experience.

Nor anyone else's. If only because the exact image you get depends on a hell of a lot of programs and libraries.

Does anyone expect /Microsoft/ of all software suppliers to provide consistent versioning and reproducible or predictable software environments? These are the people who brought us DLL Hell. These are the people who fell into the MDAC versioning fiasco.

Ken
RE: Challenge to TCPA/Palladium detractors
I'm not surprised that most people couldn't produce a matching PGP executable - most compilers (irrespective of compiler optimisation options etc) include a timestamp in the executable.

Regards,

Sam Simpson
[EMAIL PROTECTED]
http://www.samsimpson.com/
Mob: +44 (0) 7866 726060
Home Office: +44 (0) 1438 229390
Fax: +44 (0) 1438 726069

On Fri, 9 Aug 2002, Lucky Green wrote:
> Anonymous wrote:
> > Matt Crawford replied:
> > > Unless the application author can predict the exact output of the compilers, he can't issue a signature on the object code. The compilers then have to be inside the trusted base, checking a signature on the source code and reflecting it somehow through a signature they create for the object code.
> >
> > It's likely that only a limited number of compiler configurations would be in common use, and signatures on the executables produced by each of those could be provided. Then all the app writer has to do is to tell people, get compiler version so-and-so and compile with that, and your object will match the hash my app looks for. DEI
>
> The above view may be overly optimistic. IIRC, nobody outside PGP was ever able to compile a PGP binary from source that matched the hash of the binaries built by PGP.
>
> --Lucky Green
>
> -
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
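One way to see Sam's point in practice is to diff the two builds and locate where they differ. The following is an added example, not a tool from the thread. It compares two build outputs, reports the differing byte ranges, and flags a range whose bytes decode to a plausible Unix time inside a window the caller supplies, which is how an embedded build timestamp shows up (a single small range in an otherwise identical file). The "executables" it compares are constructed byte strings with an embedded build time, not real binaries; `fake_build` is this example's own stand-in for a compiler, and the build date (Aug 9, 2002, the day of the thread) is constructed.

```python
"""Locate the non-determinism between two builds of the same source.

Added example, not a tool from the thread. It reports whether two build
outputs match byte for byte and, when they do not, each differing byte range,
flagging ranges whose bytes decode to a plausible Unix time (an embedded
build timestamp). Inputs are constructed byte strings standing in for
executables; fake_build is this example's stand-in for a compiler.
"""
import hashlib
import struct


def sha256_hex(blob):
    return hashlib.sha256(blob).hexdigest()


def diff_ranges(a, b):
    """Contiguous [start, end) byte ranges where a and b differ.
    A length difference counts as differing bytes past the shorter input."""
    ranges, start = [], None
    for i in range(max(len(a), len(b))):
        same = i < len(a) and i < len(b) and a[i] == b[i]
        if not same and start is None:
            start = i
        if same and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, max(len(a), len(b))))
    return ranges


def timestamp_at(blob, off, ts_window):
    """The 4 bytes at off read as a Unix time (little- or big-endian) if it falls
    inside ts_window=(lo, hi); None otherwise. Heuristic: keep the window narrow,
    e.g. the year the build was made, or random bytes will match."""
    window = blob[off:off + 4]
    if len(window) < 4:
        return None
    lo, hi = ts_window
    for fmt in ("<I", ">I"):
        value = struct.unpack(fmt, window)[0]
        if lo <= value <= hi:
            return value
    return None


def compare_builds(a, b, ts_window):
    """Report identity, both digests, and each differing range with a
    timestamp_like flag set when both builds carry a plausible time there."""
    report = {"identical": a == b, "sha256": (sha256_hex(a), sha256_hex(b)), "ranges": []}
    for start, end in diff_ranges(a, b):
        # Any 4-byte window overlapping the range that decodes to a time in both builds.
        first, last = max(0, start - 3), min(end, len(a), len(b))
        ts = any(timestamp_at(a, o, ts_window) is not None and timestamp_at(b, o, ts_window) is not None
                 for o in range(first, last))
        report["ranges"].append({"start": start, "end": end, "timestamp_like": ts})
    return report


def fake_build(build_time):
    """Constructed 'executable': fixed code bytes with a little-endian build time
    at offset 20, standing in for a header field such as PE's TimeDateStamp."""
    return b"\x7fELF" + b"CODE" * 4 + struct.pack("<I", build_time) + b"\x00" * 8 + b"MORECODE"


# Constructed window: calendar year 2002 (2002-01-01 .. 2003-01-01 UTC).
YEAR_2002 = (1009843200, 1041379200)

if __name__ == "__main__":
    # Constructed: the same source built a minute apart on 2002-08-09.
    first, second = fake_build(1028900000), fake_build(1028900060)
    for label, r in (("timestamped", compare_builds(first, second, YEAR_2002)),
                     ("time pinned", compare_builds(first, fake_build(1028900000), YEAR_2002))):
        print(label, "identical" if r["identical"] else r["ranges"],
              r["sha256"][0][:16], r["sha256"][1][:16])
```

The "time pinned" case is what an app author has to arrange before a hash comparison can mean anything: both builds must be fed the same build time (or none), otherwise the single timestamp range alone changes the whole digest.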
Hollywood-Mafia Links slammed.
Bollywood, sorry... Mumbai police chief slams film stars

PTI [ FRIDAY, AUGUST 09, 2002 11:38:25 PM ]

MUMBAI: The Mumbai police today rapped a section of the film industry for their nexus with the underworld, saying the threat to the stars was due to their own involvement and hobnobbing with underworld dons. "They go to Dubai on chartered flights, entertain the dons. All these threats are because of this," city Police Commissioner M N Singh told newsmen here. "Masala toh filmi hai" (the plot is real fit enough for making films), he said, adding that the very idea to do films on dons like Chhota Shakeel or the now-famous J J Hospital shootout was unfortunate and not in good taste. "On one side, we are fighting and police are sacrificing lives, on the other hand some people want to do films on dons and encounters and make money," he said.

Meantime... Sikhs concerned about mistaken identities have been told the FBI's on it... As the American Sikh leaders stressed on increased cultural sensitivity towards the Sikhs among law enforcers, Rick Thornton, a senior member from the Civil Rights Unit of the Federal Bureau of Investigation (FBI), appreciated that their concerns were important and legitimate. We all know how important and legit the civil rights of indigenous and African-Americans have been to the FBI in the past. No reason to think the Sikhs won't receive the same care and attention. Right?

The other premier US law enforcement crew, the SS, have been busy... Beginning Friday morning, eight blocks of downtown Washington's 17th Street - between H Street and Constitution - will be closed to trucks, said Secret Service spokesman John Gill. Also, on the four blocks closest to the White House, Gill said, "No parking, no stopping, no standing." And especially no e-mailing death threats like "KILL the PRESIDENT!" "It's a real pain in the ass," said agent Rick Walkinshore. "We have to check each one out every time, drives us ratty, I swear. It's better if they're anonymous."
Re: Thanks, Lucky, for helping to kill gnutella
AARG!Anonymous wrote:
> If only there were a technology in which clients could verify and yes, even trust, each other remotely. Some way in which a digital certificate on a program could actually be verified, perhaps by some kind of remote, trusted hardware device. This way you could know that a remote system was actually running a well-behaved client before admitting it to the net. This would protect Gnutella from not only the kind of opportunistic misbehavior seen today, but the future floods, attacks and DOSing which will be launched in earnest once the content companies get serious about taking this network down.

Before claiming that the TCPA, which is from a deployment standpoint vaporware, could help with gnutella's scaling problems, you should probably learn something about what gnutella's problems are first. The truth is that gnutella's problems are mostly that it's a screamer protocol, and limiting which clients could connect would do nothing to fix that. Limiting which clients could connect to the gnutella network would, however, do a decent job of forcing people to pay for one of the commercial clients. In this way it's very typical of how TCPA works - a non-solution to a problem, but one which could potentially make money, and has the support of gullible dupes who know nothing about the technical issues involved.

> Be sure and send a note to the Gnutella people reminding them of all you're doing for them, okay, Lucky?

Your personal vendetta against Lucky is very childish.

-Bram Cohen

"Markets can remain irrational longer than you can remain solvent" -- John Maynard Keynes
Utah Blahs
BOOK REVIEW

'JOE HILL' By Gibbs M. Smith, Peregrine Smith Books, Salt Lake City 1984, Originally Published 1969 HD8073 H55563 1984

'Joe Hill' was published in 1969 to mark the 54th anniversary of the execution by firing squad in Utah in 1915 of Joe Hill, I.W.W. songwriter and activist. Joe Hill (Hillstrom), a Norwegian immigrant, entered the United States in 1902 and joined the I.W.W. in 1910. While working in Utah in 1913 he was arrested, tried and executed in 1915 for the murder of a Salt Lake City grocer in what was little more than a show trial. Tens of thousands of people, both in the United States and overseas, including the President of the United States Woodrow Wilson, appealed to the Utah authorities for clemency with no success. Hill's execution was a direct consequence of the anti-I.W.W. hysteria in Utah. He was convicted primarily on inconclusive circumstantial evidence.

Interestingly, two members of the I.W.W. in Goulburn in New South Wales, Australia were executed in 1917 for the murder of a policeman as a consequence of the anti-I.W.W. hysteria that was whipped up in Australia because the I.W.W. spearheaded the struggle against conscription in Australia. While their deaths were virtually ignored, the execution of Joe Hill in Utah made Hill into a working class legend. The legend of Joe Hill has survived as a consequence of the legacy of his songs, songs that in some cases have been incorporated into popular working class culture. Although other songwriters had written songs for the I.W.W., Joe Hill's songs encapsulated the mood of the times. His first song, 'The Preacher and the Slave', was a parody of the Salvation Army hymn 'In the Sweet Bye and Bye'. Hill's fading memory has been kept alive by the song 'I Dreamed I Saw Joe Hill Last Night', a song set to music by Earl Robinson from a poem written in 1925 by Alfred Hayes. Paul Robeson's rendition of 'I Dreamed I Saw Joe Hill Last Night' assured Hill of immortality.

Gibbs M. Smith's 'Joe Hill' is a well researched 280 page analysis of the man and the legend. The book has over 70 pages of references and notes for any reader who is interested in doing further research on Joe Hill (Hillstrom). Gibbs M. Smith's book on Joe Hill could be available from the remainder bin of one or two radical bookshops. The difference between Gibbs' book on Joe Hill and other books on Hill is Joyce Kornbluh's introduction to Gibbs' book. In her introduction Kornbluh gives an excellent summary of the history of the Industrial Workers of the World (I.W.W.).

http://www.freedomforum.org/templates/document.asp?documentID=16707

DENVER - A federal appeals court this week revived a lawsuit brought by animal activists who claimed they were protected by the First Amendment when handing out pro-vegetarian leaflets near a Utah school. People for the Ethical Treatment of Animals, or PETA, appealed a ruling by a federal judge that animal-rights activists cannot picket on a sidewalk next to a school because it interferes with school activities. The 10th U.S. Circuit Court of Appeals on Aug. 5 reversed a lower court's decision granting summary judgment to school officials.

Maybe if they were preaching creationism they'd be getting fucking PAID.
Where's Mongo?
http://www.simonforgovernor.com/speeches.php

No. Too much competition for that big headed pissant, speaking of which...

THE BIG HEADED ANT

Charles Darwin is a name that's synonymous with evolution and the theory that evolution is based on the principle of survival of the fittest. Peter Kropotkin's fame is much more limited; he's known in anarchist circles as a significant 19th century anarchist thinker and author. Few people even in the anarchist movement realize that he made a contribution to the theory of evolution that's on a par with Darwin's. He believed that Darwin's central evolutionary tenet was wrong and that evolution was based not on competition, but on co-operation.

In enters the big headed ant. The big headed ant was introduced to Australia from Africa over a hundred years ago. Since its introduction it has slowly displaced indigenous ant species and has had a major impact on other insect species and animals in the Australian bush. The big headed ant has turned out to be a major threat to indigenous ant species. Green, bull and other Australian ant species are normally wiped out when the big headed ant colonises a new area. Currently Darwin, the capital of the Northern Territory, has become the new front line in the battle to stop the spread of the big headed ant.

The big headed ant's evolutionary advantage is based on its social behavior. Indigenous ant groups display competitive behavior within their subspecies. If two colonies share the same resources they compete against each other for these resources. The big headed ant's behavior is diametrically opposed to the behavior of indigenous ants. If two colonies are forced to share the same resources they merge and co-operate and don't waste time and effort battling each other over who shall use these resources. The big headed ant's co-operative behavior gives it the edge it needs to survive and prosper in a world that's dominated by competitive behavior.

The story of the big headed ant's evolutionary success mirrors the story of human society. Although competitive capitalism is currently in the ascendant across the world, the destructive tendencies of competition hold the seeds of its demise. Co-operative forces will always win out against competitive forces. Anarchism's underlying message is one that promotes co-operation and opposes competition. Anarchism is based on the principles of voluntary co-operation, the very principle that has given the big headed ant the evolutionary advantage it needs to displace its competitive neighbors.
Penguins in Big Blue.
Tinkerbell Factor

I know I am not alone in this. If you read Slashdot regularly, you'll see a recurring theme in the arguments made by Linux proponents: While Linux is more complex than some other operating systems, it provides a great deal of power and customizability. Many Linux users, including me, actually take pride in the ability to use the system. While I have had some good experiences with operating systems that are more conventionally intuitive, the operating systems that present the greatest challenge intrigue me the most. And the payoff is a great deal of satisfaction in the ability to fine tune and customize the interface and the work environment.

Microsoft's (Nasdaq: MSFT) operating systems are a different story altogether. While I typically detest the company's innovation strategies, I have actually, in some deranged way, found a certain measure of fulfillment in being able to accomplish difficult tasks on Windows.

http://www.newsfactor.com/perl/story/18878.html

Each new crash or system glitch presents new challenges, new routes to explore, new techniques to learn. Because I have a tendency to fetishize the tool -- whether it be a new development tool, an operating system or even a new graphics card -- my means to the computing end is often just as pleasurable for me as the end itself.
Re: Thanks, Lucky, for helping to kill gnutella
On Fri, 9 Aug 2002, AARG!Anonymous wrote:
> [...]
>
> Not discussed in the article is the technical question of how this can possibly work. If you issue a digital certificate on some Gnutella client, what stops a different client, an unauthorized client, from pretending to be the legitimate one? This is especially acute if the authorized client is open source, as then anyone can see the cert, see exactly what the client does with it, and merely copy that behavior.
>
> If only there were a technology in which clients could verify and yes, even trust, each other remotely. Some way in which a digital certificate on a program could actually be verified, perhaps by some kind of remote, trusted hardware device. This way you could know that a remote system was actually running a well-behaved client before admitting it to the net. This would protect Gnutella from not only the kind of opportunistic misbehavior seen today, but the future floods, attacks and DOSing which will be launched in earnest once the content companies get serious about taking this network down.

There are many solutions at the level of technical protocols that solve the projection of these problems down to the low dimensional subspace of technical problems. Some of these technical protocols will be part of a full system which accomplishes the desired ends. Please contact me off-list if you are willing to spend some money for an implementation.

Your claim, if true, would also demonstrate that no credit card payments over the Net, no apt-get style updating, no Paypal-like system, no crypto time-stamp system, etc., can exist today.

> If only...
>
> Luckily the cypherpunks are doing all they can to make sure that no such technology ever exists. They will protect us from being able to extend trust across the network. They will make sure that any open network like Gnutella must forever face the challenge of rogue clients. They will make sure that open source systems are especially vulnerable to rogues, helping to drive these projects into closed source form.
>
> Be sure and send a note to the Gnutella people reminding them of all you're doing for them, okay, Lucky?

AARG!, this is again unworthy of you. You are capable of attempting to confuse and misdirect at a higher level.

You might wish to emphasize that the real difficulties are at the levels where the reasons for the small usage of GNUPG lie. That really the technical details of the TCPA/Palladium system hardly matter. What TCPA/Palladium will allow is the provision to the masses of even more powerful brews of fantasy, game playing, advertising, etc.. And that there will be a small number of hobbyists who use the unprotected ports of TCPA/Palladium for their own limited experiments/amusements/etc..

The real point of TCPA/Palladium is that a locus of trust, seemingly guaranteed by the Powers That Be, will be created, and that the existence of this same locus, under the facies of locus of dealmaking/lawyering, will so reassure the Infotainment Arm of the Englobulators that the Arm will unleash its extraordinary forces to build and sell ever more entrancing Palaces of Dreams. The unprotected ports will allow a mostly self-supporting farm team system which will function without much direct oversight and little outlay of money by Englobulator Central or any of the Arms. The limited freedom of the Farm System, with its convenient pull strings, for the cases where something large and not controlled by Those Who Know Best takes off, will be a powerful lure to up and coming future Talent, who, when the time comes, may be Signed, without today's confusing and annoying possibility of continued independence. Indeed, the EULA of every system might have a section which binds users who display Marketable Things to an automatic Arbitration of Contract.

oo--JS.
Re: Signing as one member of a set of keys
Very nice. Nice plausible set of candidate authors also:

pub 1022/5AC7B865 1992/12/01 [EMAIL PROTECTED]
pub 1024/2B48F6F5 1996/04/10 Ian Goldberg [EMAIL PROTECTED]
pub 1024/97558A1D 1994/01/10 Pr0duct Cypher alt.security.pgp
pub 1024/2719AF35 1995/05/13 Ben Laurie [EMAIL PROTECTED]
pub 1024/58214C37 1992/09/08 Hal Finney [EMAIL PROTECTED]
pub 1024/C8002BD1 1997/03/04 Eric Young [EMAIL PROTECTED]
pub 1024/FBBB8AB1 1994/05/07 Colin Plumb [EMAIL PROTECTED]

Wonder if we can figure out who is the most likely author based on coding style from such a small set. It has (8 char) TABs but otherwise BSD indentation style (BSD normally 4 spaces). Also someone who likes triply indirected pointers ***blah in there. Has local variables inside even *if code blocks* eg, inside main() (most people avoid that, preferring to declare variables at the top of a function, and historically I think some older gcc / gdb couldn't debug those variables if I recall). Very funky use of goto in getpgppkt, hmmm. Somewhat concise coding and variable names.

Off the cuff guess based on coding without looking at samples of code to remind, probably Colin or Ian. Of course (Lance Cottrell/Ian Goldberg/Pr0duct Cypher/Ben Laurie/Hal Finney/Eric Young/Colin Plumb) possibly deviated or mimicked one of their coding styles. Kind of interesting to see a true nym in there also.

Also the Cc -- Coderpunks lives? I think the Cc coderpunks might be a clue also, I think some of these people would know it died. I think that points more at Colin.

Other potential avenue might be an implementation mistake leading to failure of the scheme to robustly make undecidable which of the set is the true author, given alpha code.

Adam

On Fri, Aug 09, 2002 at 03:52:56AM +, Anonymous User wrote:
> This program can be used by anonymous contributors to release partial information about their identity - they can show that they are someone from a list of PGP key holders, without revealing which member of the list they are.
>
> Maybe it can help in the recent controversy over the identity of anonymous posters.
>
> It's a fairly low-level program that should be wrapped in a nicer UI. I'll send a couple of perl scripts later that make it easier to use.
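The property the anonymous author describes (proving membership in a list of PGP key holders without saying which one) is what a ring signature provides. The following is an added example and not the posted program, whose construction the post does not describe. It implements a Rivest-Shamir-Tauman style ring signature over toy RSA keys built from Mersenne primes (constructed and not secure), with a SHA-256 Feistel network standing in for the block cipher; the three "key holders" and the message are assumptions of this example.

```python
"""Ring signature in the Rivest-Shamir-Tauman style, over toy RSA keys.

Added example; not the anonymous author's program, whose construction the
post does not describe. A signer holding one private key from a list of
public keys produces a signature that verifies against the whole list
without revealing which member signed. Keys are textbook RSA over Mersenne
primes (constructed, insecure toys); the keyed permutation is a SHA-256
Feistel network standing in for a block cipher.
"""
import hashlib
import secrets

B = 256                        # common domain: every modulus must be below 2**B
MASK128 = (1 << 128) - 1
E = 65537
M61, M89, M107, M127 = (1 << 61) - 1, (1 << 89) - 1, (1 << 107) - 1, (1 << 127) - 1


def toy_keypair(p, q):
    n = p * q
    return n, pow(E, -1, (p - 1) * (q - 1))


def _round(key, r, half):
    data = key + bytes([r]) + half.to_bytes(16, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")


def enc(key, x):
    """4-round Feistel permutation on a 256-bit value (block cipher stand-in)."""
    left, right = x >> 128, x & MASK128
    for r in range(4):
        left, right = right, left ^ _round(key, r, right)
    return (left << 128) | right


def dec(key, y):
    left, right = y >> 128, y & MASK128
    for r in reversed(range(4)):
        left, right = right ^ _round(key, r, left), left
    return (left << 128) | right


def g(n, exp, m):
    """RST extended trapdoor permutation on {0,1}^B: apply RSA inside each
    full block of size n, leave the short tail above the last block untouched."""
    q, r = divmod(m, n)
    if (q + 1) * n <= 1 << B:
        return q * n + pow(r, exp, n)
    return m


def ring_sign(msg, pub_ns, s, d_s):
    """Sign msg as an unnamed member of pub_ns; d_s is the private exponent of index s."""
    key = hashlib.sha256(msg).digest()              # symmetric key bound to the message
    r = len(pub_ns)
    v = secrets.randbits(B)                         # glue value
    xs = [secrets.randbits(B) for _ in range(r)]    # random preimages for the others
    ys = [g(n, E, x) for n, x in zip(pub_ns, xs)]
    t = v
    for i in range(s):                              # walk the ring forward up to s
        t = enc(key, ys[i] ^ t)
    u = v
    for i in range(r - 1, s, -1):                   # walk the ring backward down to s
        u = dec(key, u) ^ ys[i]
    y_s = dec(key, u) ^ t                           # the value that closes the ring
    xs[s] = g(pub_ns[s], d_s, y_s)                  # only the trapdoor holder can invert
    return v, xs


def ring_verify(msg, pub_ns, sig):
    """Public check: one pass around the ring must return to the glue value."""
    key = hashlib.sha256(msg).digest()
    v, xs = sig
    t = v
    for n, x in zip(pub_ns, xs):
        t = enc(key, g(n, E, x) ^ t)
    return t == v


def demo():
    """Constructed ring of three toy keys; returns (valid, tampered_valid)."""
    keys = [toy_keypair(M61, M89), toy_keypair(M61, M107), toy_keypair(M89, M127)]
    pub_ns = [n for n, _ in keys]
    msg = b"I am one of these three key holders."
    sig = ring_sign(msg, pub_ns, 1, keys[1][1])
    return ring_verify(msg, pub_ns, sig), ring_verify(msg + b"!", pub_ns, sig)


if __name__ == "__main__":
    print(demo())
```

`ring_verify` uses only the public operations and walks the ring once; nothing in `(v, xs)` depends on which index held the trapdoor, so the list of candidates is all a reader learns. Adam's last point, an implementation mistake breaking that undecidability, would appear here if, for instance, the signer's slot were filled from a different distribution than the fresh random values used for the others.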
Re: Thanks, Lucky, for helping to kill gnutella
On Fri, 9 Aug 2002, Jay Sulzberger wrote:
> There are many solutions at the level of technical protocols that solve the projection of these problems down to the low dimensional subspace of technical problems. Some of these technical protocols will be part of a full system which accomplishes the desired ends. Please contact me off-list if you are willing to spend some money for an implementation.

Hey! Tell the Gnutella folks I'll be happy to bid on that too! I'm pretty sure I can get them a solid solution, especially since it's just a technical problem.

Patience, persistence, truth,
Dr. mike
Make $50,000 or more in 90 days just sending e-mails
Dear Friend, You can earn a lot of money in the next 90 days sending e-mail. Seem impossible? Is there a catch? NO, there is no catch; just send your e-mails and be on your way to financial freedom. Basically, I send out as many of these e-mails as I can, then people send me cash in the mail for information that I just e-mail back to them. Everyday, I make a three minute drive to my P.O. Box knowing that there are at least a few hundred dollars waiting for me. And the best part, IT IS COMPLETELY LEGAL. Just read the next few paragraphs and see what you think. If you like what you read, great! If you don't, read it again because you must have missed something. AS SEEN ON NATIONAL TELEVISION Making over a half million dollars every 6 months from your home for an investment of only $25 US dollars expense ONE TIME. THANKS TO THE COMPUTER AGE AND THE INTERNET, BE A MILLIONAIRE LIKE OTHERS WITHIN A YEAR!!! Before you say, No Way! read the following. This is the letter you've been reading about in the news lately. Due to the popularity of this letter on the Internet, a major nightly news program recently devoted an entire show to the investigation of the program described below to see if it really can make people money. The show also investigated whether or not the program was legal. Their findings proved once and for all that there are absolutely no laws prohibiting the participation in this program. This has helped to show people that this is a simple, harmless, and fun way to make some extra money at home. And, besides even if you never got involved in the program, the reports themselves are well worth the money. They can help you start and advertise ANY business on the internet. That is, these reports stand alone and are beneficial to anyone wishing to do business on the internet. The results of this show have been truly remarkable. So many people are participating that those involved are doing much better than ever before. 
Since everyone makes more as more people try it out, it's been very exciting to be a part of it lately. You will understand once you experience it. HERE IT IS BELOW *** Print This Now For Future Reference *** The following income opportunity is one you may be interested in taking a look at. It can be started with VERY LITTLE investment ($25) and the income return is TREMENDOUS!!! THIS IS A LEGITIMATE, LEGAL, MONEY MAKING OPPORTUNITY. It does not require you to come into contact with people, do any hard work, and best of all, you never have to leave your house except to get the mail. Simply follow the instructions, and you really can make this happen. This e-mail order marketing program works every time if you put in the effort to make it work. E-mail is the sales tool of the future. Take advantage of this non-commercialized method of advertising NOW! The longer you wait, the more savvy people will be taking your business using e-mail. Get what is rightfully yours. Program yourself for success and dare to think BIG. It sounds corny, but it's true. You'll never make it big if you don't have this belief system in place. MULTI-LEVEL MARKETING (MLM) has finally gained respectability. It is being taught in the Harvard Business School, and both Stanford Research and the Wall Street Journal have stated that between 50% and 65% of all goods and services will be sold through multi-level methods. This is a Multi-Billion Dollar industry and of the 500,000 millionaires in the U.S., 20% (100,000) made their fortune in the last several years in MLM. Moreover, statistics show 45 people become millionaires everyday through Multi-Level Marketing. You may have heard this story before, but Donald Trump made an appearance on the David Letterman show. Dave asked him what he would do if he lost everything and had to start over from scratch. Without hesitating Trump said he would find a good network marketing company and get to work. The audience started to hoot and boo him.
He looked out at the audience and dead-panned his response. That's why I'm sitting up here and you are all sitting out there! With network marketing you have two sources of income. Direct commissions from sales you make yourself and commissions from sales made by people you introduce to the business. Residual income is the secret of the wealthy. It means investing time and money once, and getting paid again and again and again. In network marketing, it also means getting paid for the work of others. The enclosed information is something I almost let slip through my fingers. Fortunately, sometime later I reread everything and gave some thought and study to it. My name is Jonathan Rourke. Two years ago, the corporation I worked at for the past twelve years downsized and my position was eliminated. After unproductive job interviews, I decided to open my own business. Over the past year, I incurred many unforeseen financial problems. I owed my family, friends and creditors over $35,000. The economy
Positive crap.
Positive SchNEWS

'Land and Future' is the world's first guide for tribal people, with information on how tribes around the world can secure their lands and way of life. It advises tribes on how to conduct a campaign when faced with the invasion of their lands by nasty oil companies, loggers and colonists, and offers tips on their rights under international law, and how to secure them. The book is going to be printed in many languages and there are plans for it be sent out to the remotest parts of the world. www.survival-international.org

Crap Arrest of the Week

For travelling in the same car! In Iran the Basiji (the Islamic police force) routinely stop cars playing forbidden Western music, and if unmarried women are found in the company of men, they are arrested and charged with moral corruption! Single women can be subjected to humiliating virginity tests, and if they fail they are given the option of marrying their companion or being flogged for having extramarital sex. www.hambastegi.org
Re: Thanks, Lucky, for helping to kill gnutella
Anonymous wrote:
> ... the file-trading network Gnutella is being threatened by misbehaving clients. In response, the developers are looking at limiting the network to only authorized clients:

This is the wrong solution. One of the important factors in the Internet's growth was that the IETF exercised enough control, but not too much. So HTTP is standardised, which allows (theoretically) any browser to talk to any web server. At the same time the higher levels are not standardised, so someone who has an idea for a better browser or web server is free to implement it.

If you build a protocol which allows selfish behaviour, you have done your job badly. Preventing selfish behaviour in distributed systems is not easy, but that is the problem we need to solve. It would be a good discussion for this list.

> Not discussed in the article is the technical question of how this can possibly work. If you issue a digital certificate on some Gnutella client, what stops a different client, an unauthorized client, from pretending to be the legitimate one?

Exactly. This has already happened with unauthorised AIM clients. My freedom to lie allows me to use GAIM rather than AOL's client. In this case, IMO, the ethics are the other way round. AOL seeks to use its (partial) monopoly to keep a grip on the IM market. The freedom to lie mitigates this monopoly to an extent.

-- Pete
How To Make Love Till You Drop! rya
Newly Released Book SEX: Truths, Myths and Lies Discover The Secrets Behind Great Sex... and turn your bed into more than just a place to sleep! Click Here For Details
Tommy loses his toys (laptop stolen from MacDill SCIF)
Guess who wasn't using encrypted disks?

MacDILL AIR FORCE BASE - Two laptop computers missing from Gen. Tommy Franks' headquarters were kept in an ultrasensitive locked and alarmed security room intended to safeguard some of the military's deepest secrets in the U.S. war on terrorism, officials said Wednesday. At least one of the laptops contained highly classified information, they said.

The room is known in military shorthand as a SCIF, or Secure Compartmented Information Facility. The government uses them at installations worldwide and regulates their security features so closely that voluminous rules have been written on how they are to be built and protected. It sits deep inside the building that houses U.S. Central Command headquarters, which is running the war in Afghanistan and which is tightly guarded by troops armed with M-16s. The building stands inside the MacDill Air Force Base perimeter, which is well guarded, too.

[snip]

http://www.tampatrib.com/MGA4YPZ4M4D.html

... Maybe Wen Ho Lee sold them to a pawn shop..
TCPA/Palladium -- likely future implications (Re: dangers of TCPA/palladium)
On Thu, Aug 08, 2002 at 09:15:33PM -0700, Seth David Schoen wrote:

> Back in the Clipper days [...] how do we know that this tamper-resistant chip produced by Mykotronix even implements the Clipper spec correctly?

The picture is related but has some extra wrinkles with the TCPA/Palladium attestable donglization of CPUs.

- It is always the case that targeted people can have hardware attacks perpetrated against them. (Keyboard sniffers placed during a court-authorised break-in, as the FBI has used in the mob case of the PGP-using Mafioso [1]).

- In the Clipper case people didn't need to worry much if the Clipper chip had malicious deviations from spec, because Clipper had an openly stated explicit purpose to implement a government backdoor -- there's no need for NSA to backdoor the explicit backdoor.

But in the TCPA/Palladium case however the hardware tampering risk you identify is, as you say, relevant:

- It's difficult for the user to verify hardware.

- Also: it wouldn't be that hard to manufacture plausibly deniable implementation mistakes that could equate to a backdoor -- eg the random number generators used to generate the TPM/SCP private device keys.

However, beyond that there is an even softer target for would-be backdoorers:

- the TCPA/Palladium hardware manufacturers' endorsement CA keys. These are the keys to the virtual kingdom -- the virtual kingdom formed by the closed space within which attested applications and software agents run.

So specifically let's look at the questions arising:

1. What could a hostile entity(*) do with a copy of a selection of hardware manufacturer endorsement CA private keys?

((*) where the hostile entity candidates would for example be secret service agencies, law enforcement or homeland security agencies in western countries, RIAA/MPAA in pursuit of their quest to exercise their desire to jam and DoS peer-to-peer file sharing networks, the Chinese government, the Taiwanese government (they make lots of equipment, right) and so on).

a. Who needs to worry -- who will be targeted?

Who needs to worry about this depends on how overt third-party ownership of these keys is, and hence the pool of people who would likely be targeted. If it's very covert, it would only be used plausibly deniably and only for Nat Sec / Homeland Security purposes. If it becomes overt over time -- a publicly acknowledged, but supposedly court-controlled affair like Clipper, or even more widely desired by a wide range of entities, for example: keys made available to RIAA / MPAA so they can do the hacking they have been pushing for -- well then we all need to worry.

To analyse the answer to question 1, we first need to think about question 2:

2. What kinds of TCPA/Palladium integrity-depending trusted applications are likely to be built?

Given the powerful (though balance-of-control changing) new remotely attestable security features provided by TCPA/Palladium, all kinds of remote services become possible, for example (though all to the extent of hardware tamper-resistance and belief that your attacker doesn't have access to a hardware endorsement CA private key):

- general Application Service Providers (ASPs) that you don't have to trust to read your data
- less traceable peer-to-peer applications
- DRM applications that make a general purpose computer secure against BORA (Break Once Run Anywhere), though of course not secure against ROCA (Rip Once Copy Everywhere) -- which will surely continue to happen with ripping shifting to hardware hackers.
- general purpose unreadable sandboxes to run general purpose CPU-for-rent computing farms for hire, where the sender knows you can't read his code, you can't read his input data, or his output data, or tamper with the computation.
- file-sharing while robustly hiding knowledge and traceability of content even to the node serving it -- previously a research question, now an easy coding problem with efficient
- anonymous remailers where you have more assurance that a given node is not logging and analysing the traffic being mixed by it

But of course all of these distributed applications, positive and negative (depending on your view point), are limited in their assurance of their non-cryptographically assured aspects:

- to the tamper resistance of the device
- to the extent of the user's confidence that an entity hostile to them doesn't have the endorsement CA's private key for the respective remote servers implementing the network application they are relying on

and a follow-on question to question 2:

3. Will any software companies still aim for cryptographic assurance?

(cryptographic assurance means you don't need to trust someone not to reverse engineer the application -- ie you can't read the data because it is encrypted with a key derived from a password that is only stored in the user's head).

The extended platform allows you to build new classes of applications which aren't currently buildable to cryptographic levels of
Re: Thanks, Lucky, for helping to kill gnutella
Antonomasia wrote:

> My copy of Peer to Peer (Oram, O'Reilly) is out on loan but I think Freenet and Mojo use protocols that require new users to be contributors before they become consumers. (Leaving aside that Gnutella seems doomed on scalability grounds.)

Freenet and Mojo Nation have had serious issues in the wild, but my project, BitTorrent, is currently being used in serious deployment, and its leech resistance algorithms are proving quite robust - http://bitconjurer.org/BitTorrent/

This is a very narrow form of leech resistance, but it may be all that is needed.

-Bram Cohen

"Markets can remain irrational longer than you can remain solvent" -- John Maynard Keynes
FI.AP.
Freedom Insurance
by Warren Tilson

Recently in the almost hallowed pages of the not yet venerable web site Anti-State.com, two articles have appeared that may point the way to gain a free society now. Robert Vroman's Assassination Politics and Andy Stow's defense agency articles are both influences for what I am about to describe. I should point out that I am unalterably opposed, on moral grounds, to Assassination Politics. This opposition is beyond the scope of this article so I will not go into it here. There is however an aspect of AP that appeals to me and that is the naming of a freedom offending individual and asking other individuals to act in a certain way towards that individual. Stow's article describes a decentralized defense agency/society that will get you out of statist caused trouble provided you are a member. Even to the point of using combat troops to enable your escape from a prison if it should come to that. This is a great idea and I think it holds some promise even if there are some technical issues that have to be worked out.

What I am proposing is a system of insurance that if you are arrested on some political crime (gun law, drug law, sex law, tax law, immigration law, or commercial law etc. violation) lawyers will be dispatched as well as activists and propagandists. The lawyers are there to use whatever legal tactics they can to keep your life from getting worse, i.e. they would get you out of jail and act as a shield between you and the state's employees. This is no different than what lawyers are supposed to do now, however our lawyers will have an ideological bond with the person they are defending so there will be more agreement on tactics and a vision of the ultimate goal which many lawyer-client relationships lack now. Civil Rights lawyers will also be sent to make sure it becomes a Civil Rights issue by suing the arresting agency, its employees and all sundry agencies, and their employees that are involved.

The activists and propagandists are there simply to stir up non-violent trouble. Their purpose is to organize protests, run ads in the local media, appear on local talk shows, hand out fliers, discuss jury nullification, hold workshops and engage in civil disobedience. These things sometimes happen in a controversial case but it is usually an ad hoc arrangement that may lack focus, strong leadership and the resources to stay committed. If you own Freedom Insurance and you are arrested for something your policy covers you are guaranteed that allies and sympathizers will be on the scene, coming to your aid within 24 hours. It does not matter how small the issue, you call, they come.

One of the first things that the activists will do is find out all they can about the arresting officer(s) and the prosecutor. They will then organize peaceful protests at the residences of these people, the ads will mention these people by name and ask if they know anything about freedom or the Constitution or their oaths to the Constitution. In addition their families will be sought out and asked questions such as: Do you support your husband when he violates the rights of others? Did you know your daughter was acting illegally and in violation of the Constitution she has sworn to uphold? The idea here is to get it into the heads of the people who enforce these laws that it just is too much trouble to bother with. Arrest someone with an FI card and he is looking at months of living hell for him and his family and friends. After a while, if this idea is successful, the mere presence of an FI bumper sticker will get the driver of that vehicle a pass or the owner of that store a pass or that prostitute a pass and so on. The more that cops lay off FI policy holders, the more people will join, and in this way the state will be undercut. As people realize that the police have no will to enforce evil laws those laws will be disobeyed by millions.

If what usually happens when a people are free to go about their business happens here, we will see a massive increase in the standard of living with all the usual happiness that follows from that. After a while this might very well evolve into Stow's Defense Agency and from there the state will be halfway into the grave. Of course (another nod to AP) it should be pointed out that all the main offices and computer servers will be located outside of the USA and all communication will take place with the aid of encryption.

Let's give it a push: become a Freedom Insurance owner today. Call the home office for a representative near you.

August 9, 2002
Re: AARG and eugene are net.loons-why signatures of binaries always change.
You're being quite creative with alternative spelling and punctuation. However, if you think that provides sustainable stealth cover against a competent attacker (TLA agencies must by now be really good with linguistic forensics) you're fooling yourself.

For executable binary verification it is obviously necessary to use compilers/linkers which don't write crap into the binary. Speaking of which, given the size of the code blob one could as well use handcrafted assembly. Also, using a standardized build environment is not exactly rocket science, since one can checksum ISO images, too. Platinum Group Linux would be a good name for the distro.

On Fri, 9 Aug 2002, cyphrpnk wrote:

> Hi all, It's obvious that some of us here are developers and still others have never typed make or gcc in their lives. -v and -V options given to various forms of ld caused the embedment of version information in the binary (Sunpro does this also, AND early versions of MSC allowed embedment of version information also.) The fact that most environments don't link -Bstatic and instead link -Bdynamic means that every time you attempt to produce a binary from 2 different systems the dynamic link information will be different; check out link.h, link_elf.h, link_aout.h in /usr/include. In addition MOST modern development environments include a date field when compiled and linked in the binary. Sheesh, a cypherpunk. BTW, AARG and eugene are idiots nyah nyah nyah!!
APster will save your Gnuts.
If only... Luckily the cypherpunks are doing all they can to make sure that no such technology ever exists. You're new here, aren't you? Check out the archives a little circa 1996. By their fruits ye shall know them. And by their Gnuts as well.
Fox a lame duck.
The Mexican government saw the future in these cornfields spread across the dry Texcoco lake bed about 18 miles east of Mexico City. Here it envisioned spending $2.3 billion for a state-of-the-art, six-runway airport that would be Mexico's shiny new face to the world for the 21st century. It was to replace the choked-up, jury-rigged airfield that has served the capital since the dawn of the 20th. Read more http://www.infoshop.org/inews/stories.php?story=02/08/09/5495094
Leechnet.
As a former beta tester for Leechnet, all this P to P chat reminded me to revisit Nordic Research. They may be onto something with "...the concept of cybercash one step closer to reality." Maybe, youse would probably know better than me. Extra skin? Caveat Lecter.

http://www.leechnet.com/product.html

Featured product: Opticart

Web page developers using the OptiCart system are praising that the website no longer has to be built around the shopping cart unlike other shopping cart software and e-commerce software, but is instead added as an extra skin after the design and implementation has already been made. The OptiCart system uses Java technology to provide real-time updates of the contents of the shopping basket and brings the concept of cybercash one step closer to reality.
[no subject]
Adam Back writes a very thorough analysis of possible consequences of the amazing power of the TCPA/Palladium model. He is clearly beginning to get it as far as what this is capable of. There is far more to this technology than simple DRM applications. In fact Adam has a great idea for how this could finally enable selling idle CPU cycles while protecting crucial and sensitive business data. By itself this could be a killer app for TCPA/Palladium. And once more people start thinking about how to exploit the potential, there will be no end to the possible applications. Of course his analysis is spoiled by an underlying paranoia. So let me ask just one question. How exactly is subversion of the TPM a greater threat than subversion of your PC hardware today? How do you know that Intel or AMD don't already have back doors in their processors that the NSA and other parties can exploit? Or that Microsoft doesn't have similar backdoors in its OS? And similarly for all the other software and hardware components that make up a PC today? In other words, is this really a new threat? Or are you unfairly blaming TCPA for a problem which has always existed and always will exist?
fRAT insurrection in BC.
http://www.infoshop.org/inews/stories.php?story=02/08/09/3418651

Fireworks in Vancouver. Someone died at one of these potlatch events once. A long time ago in a galaxy far, far away... The context of the current class war in British Columbia includes -

- An attempt by B.C. Government Employees Union (B.C.G.E.U.) members to charge into a hotel on January 23rd, 2002, where Premier Gordon Campbell was set to speak.
- Illegal wildcat strikes in late January by the B.C. Teachers Federation (B.C.T.F.) and the B.C.G.E.U.
- A tent-city occupation by street youth and students on the front lawn of the provincial legislature building in Victoria in February which ended with its dismantling by riot police
- The fire-bombing of Premier Gordon Campbell's office on the night of February 21st.
- A B.C. Federation of Labour rally at the legislature in Victoria by more than 20,000 people, at which a group of about 10 anarchists intervened by attacking a security barrier and throwing rocks at the legislature building.
- An anti-poverty Snake March in Victoria on March 25th that went through a mall and several corporate stores, leaving splatters from paint-bombs and graffiti behind.
- An anti-poverty march to one of Premier Gordon Campbell's homes in Vancouver on April 1st.
- An all-womyn anti-poverty brigade's occupation of a Member of the Legislative Assembly office in Victoria on April 25th that was broken up by riot police who pepper-sprayed several demonstrators.
- A May Day demonstration in Vancouver against the 6-dollar training wage that included a half-hour blockade of a McDonalds restaurant (one of the businesses using the training wage, and a major contributor to the Liberals' election campaign). After the end of the demonstration a masked group charged through a downtown mall and carried out small acts of vandalism and sabotage.
- A July 14th demonstration at the opening of a gallery show at the Vancouver Art Gallery at which the Premier was scheduled to speak, but failed to show his face in public - because of security concerns caused by hundreds of angry demonstrators who attempted to dismantle a security fence, spat on police officers, and were then pepper-sprayed.
Re: TCPA/Palladium -- likely future implications
I want to follow up on Adam's message because, to be honest, I missed his point before. I thought he was bringing up the old claim that these systems would give the TCPA root on your computer. Instead, Adam is making a new point, which is a good one, but to understand it you need a true picture of TCPA rather than the false one which so many cypherpunks have been promoting.

Earlier Adam offered a proposed definition of TCPA/Palladium's function and purpose:

> Palladium provides an extensible, general purpose programmable dongle-like functionality implemented by an ensemble of hardware and software which provides functionality which can, and likely will be used to expand centralised control points by OS vendors, Content Distributers and Governments.

IMO this is total bullshit, political rhetoric that is content-free compared to the one I offered:

: Allow computers separated on the internet to cooperate and share data
: and computations such that no one can get access to the data outside
: the limitations and rules imposed by the applications.

It seems to me that my definition is far more useful and appropriate in really understanding what TCPA/Palladium are all about. Adam, what do you think?

If we stick to my definition, you will come to understand that the purpose of TCPA is to allow application writers to create closed spheres of trust, where the application sets the rules for how the data is handled. It's not just DRM, it's Napster and banking and a myriad other applications, each of which can control its own sensitive data such that no one can break the rules. At least, that's the theory.

But Adam points out a weak spot. Ultimately applications trust each other because they know that the remote systems can't be virtualized. The apps are running on real hardware which has real protections. But applications know this because the hardware has a built-in key which carries a certificate from the manufacturer, who is called the TPME in TCPA. As the applications all join hands across the net, each one shows his cert (in effect) and all know that they are running on legitimate hardware.

So the weak spot is that anyone who has the TPME key can run a virtualized TCPA, and no one will be the wiser. With the TPME key they can create their own certificate that shows that they have legitimate hardware, when they actually don't. Ultimately this lets them run a rogue client that totally cheats, disobeys all the restrictions, shows the user all of the data which is supposed to be secret, and no one can tell. Furthermore, if people did somehow become suspicious about one particular machine, with access to the TPME key the eavesdroppers can just create a new virtual TPM and start the fraud all over again.

It's analogous to how someone with Verisign's key could masquerade as any secure web site they wanted. But it's worse because TCPA is almost infinitely more powerful than PKI, so there is going to be much more temptation to use it and to rely on it.

Of course, this will be inherently somewhat self-limiting as people learn more about it, and realize that the security provided by TCPA/Palladium, no matter how good the hardware becomes, will always be limited to the political factors that guard control of the TPME keys. (I say keys because likely more than one company will manufacture TPMs. Also in TCPA there are two other certifiers: one who certifies the motherboard and computer design, and the other who certifies that the board was constructed according to the certified design. The NSA would probably have to get all 3 keys, but this wouldn't be that much harder than getting just one. And if there are multiple manufacturers then only 1 key from each of the 3 categories is needed.)

To protect against this, Adam offers various solutions. One is to do crypto inside the TCPA boundary. But that's pointless, because if the crypto worked, you probably wouldn't need TCPA. Realistically most of the TCPA applications can't be cryptographically protected. Computing with encrypted instances is a fantasy. That's why we don't have all those secure applications already.

Another is to use a web of trust to replace or add to the TPME certs. Here's a hint. Webs of trust don't work. Either they require strong connections, in which case they are too sparse, or they allow weak connections, in which case they are meaningless and anyone can get in.

I have a couple of suggestions. One early application for TCPA is in closed corporate networks. In that case the company usually buys all the computers and prepares them before giving them to the employees. At that time, the company could read out the TPM public key and sign it with the corporate key. Then they could use that cert rather than the TPME cert. This would protect the company's sensitive data against eavesdroppers who manage to virtualize their hardware.

For the larger public network, the first thing I would suggest is that the TPME key ought
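The corporate enrolment idea in the post above, modelled as an added example (not code from the thread, nor from any TCPA or Palladium implementation). Ed25519 stands in for the device and issuer keys, and the certificate and quote formats are toy structures constructed for illustration; real endorsement certificates are X.509 and TPM quotes carry much more. Two verifier policies are compared: one that trusts the manufacturer (TPME) root, and one that trusts only the corporate key the company used to sign the TPM public keys it read out of hardware it prepared itself. A TPME-rooted verifier accepts every key that root has certified and has no way to learn whether the key sits in silicon or in a software TPM; the corporate-pinned verifier shrinks the accepted set to the enrolled fleet. The nonce check is what keeps a recorded quote from being replayed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Cert is a toy endorsement certificate: the issuer's signature over a device
// public key. Constructed for this example; real TPM endorsement certificates
// are X.509 and carry far more than this.
type Cert struct {
	DevicePub ed25519.PublicKey
	Sig       []byte
}

// Quote is the device's signed statement: a signature over nonce || measurement.
type Quote struct {
	Nonce, Measurement, Sig []byte
}

func issueCert(issuer ed25519.PrivateKey, devPub ed25519.PublicKey) Cert {
	return Cert{DevicePub: devPub, Sig: ed25519.Sign(issuer, devPub)}
}

func makeQuote(dev ed25519.PrivateKey, nonce, measurement []byte) Quote {
	msg := append(append([]byte{}, nonce...), measurement...)
	return Quote{Nonce: nonce, Measurement: measurement, Sig: ed25519.Sign(dev, msg)}
}

// verifyAttestation accepts a quote only if (1) the device key carries a valid
// certificate from one of the roots this verifier chose to trust, (2) the quote
// answers the challenger's own fresh nonce, (3) the measurement is the expected
// one, and (4) the quote signature verifies under the certified device key.
func verifyAttestation(roots []ed25519.PublicKey, c Cert, q Quote, nonce, expected []byte) error {
	trusted := false
	for _, r := range roots {
		if ed25519.Verify(r, c.DevicePub, c.Sig) {
			trusted = true
			break
		}
	}
	if !trusted {
		return errors.New("device key is not certified by a trusted root")
	}
	if !bytes.Equal(q.Nonce, nonce) {
		return errors.New("nonce mismatch: stale or replayed quote")
	}
	if !bytes.Equal(q.Measurement, expected) {
		return errors.New("unexpected measurement")
	}
	msg := append(append([]byte{}, q.Nonce...), q.Measurement...)
	if !ed25519.Verify(c.DevicePub, msg, q.Sig) {
		return errors.New("quote signature does not verify")
	}
	return nil
}

func genKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// scenario compares the two verifier policies from the thread. It reports whether
// a TPME-rooted verifier accepts a device the company never enrolled, whether the
// corporate-pinned verifier accepts the enrolled device, whether it accepts the
// unenrolled one, and whether a quote answered to a different nonce is rejected.
func scenario() (tpmeAcceptsUnenrolled, corpAcceptsEnrolled, corpAcceptsUnenrolled, replayRejected bool) {
	tpmePub, tpmePriv := genKey()         // manufacturer endorsement CA (TPME)
	corpPub, corpPriv := genKey()         // the company's own signing key
	enrolledPub, enrolledPriv := genKey() // TPM in hardware the company prepared
	otherPub, otherPriv := genKey()       // any other key the TPME key holder certifies

	// Enrolment step from the post: read out the TPM public key and sign it with
	// the corporate key; that cert is used instead of the TPME cert.
	corpCert := issueCert(corpPriv, enrolledPub)
	// A TPME-signed cert says nothing about where the key lives: the verifier
	// cannot tell real silicon from a software TPM certified with the same key.
	otherTPMECert := issueCert(tpmePriv, otherPub)

	nonce := []byte("challenger-nonce-0001")  // constructed challenge
	expected := bytes.Repeat([]byte{0xab}, 32) // constructed expected measurement
	qEnrolled := makeQuote(enrolledPriv, nonce, expected)
	qOther := makeQuote(otherPriv, nonce, expected)

	tpmeRoots := []ed25519.PublicKey{tpmePub}
	corpRoots := []ed25519.PublicKey{corpPub}
	tpmeAcceptsUnenrolled = verifyAttestation(tpmeRoots, otherTPMECert, qOther, nonce, expected) == nil
	corpAcceptsEnrolled = verifyAttestation(corpRoots, corpCert, qEnrolled, nonce, expected) == nil
	corpAcceptsUnenrolled = verifyAttestation(corpRoots, otherTPMECert, qOther, nonce, expected) == nil
	replayRejected = verifyAttestation(corpRoots, corpCert, qEnrolled, []byte("challenger-nonce-0002"), expected) != nil
	return
}

func main() {
	a, b, c, d := scenario()
	fmt.Println("TPME-rooted verifier accepts unenrolled device:", a)
	fmt.Println("corporate-pinned verifier accepts enrolled device:", b)
	fmt.Println("corporate-pinned verifier accepts unenrolled device:", c)
	fmt.Println("quote for a different nonce rejected:", d)
}
```

The model deliberately gives the verifier no way to inspect the device beyond its certificate chain, which is the situation the thread is arguing about: whatever policy the verifier adopts, the strength of the attestation is bounded by who holds the keys at the root of that chain.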
Re: Thanks, Lucky, for helping to kill gnutella
From: AARG!Anonymous [EMAIL PROTECTED]

> An article on Salon this morning (also being discussed on slashdot), http://www.salon.com/tech/feature/2002/08/08/gnutella_developers/print.html, discusses how the file-trading network Gnutella is being threatened by misbehaving clients. In response, the developers are looking at limiting the network to only authorized clients:
>
> They intend to do this using digital signatures, and there is precedent for this in past situations where there have been problems:
>
> Alan Cox, Years and years ago this came up with a game
>
> If only there were a technology in which clients could verify and yes,
>
> Be sure and send a note to the Gnutella people reminding them of all you're doing for them, okay, Lucky?

Now that is resorting to silly accusation.

My copy of Peer to Peer (Oram, O'Reilly) is out on loan but I think Freenet and Mojo use protocols that require new users to be contributors before they become consumers. (Leaving aside that Gnutella seems doomed on scalability grounds.)

Likewise the WAN shooter games have (partially) defended against cheats by making the client hold no authoritative data and by disqualifying those that send impossible traffic. (Excluding wireframe graphics cards is another matter.) If I were a serious gamer I'd want 2 communities - one for plain clients to match gaming skills and another for cheat all you like contests to match both gaming and programming skills.

If the Gnuts need to rework the protocol they should do so.

My objection to this TCPA/palladium thing is that it looks aimed at ending ordinary computing. If the legal scene were radically different this wouldn't be causing nearly so much fuss. Imagine:

- a DoJ that can enforce monopoly law
- copyright that expires in reasonable time (5 years for s/w? 15 years for books, films, music...?)
- fair use and first sale are retained
- no concept of indirect infringement (e.g. selling marker pens)
- criminal and civil liability for incorrectly barring access in DRM
- hacking is equally illegal for everybody
- no restriction on making and distributing/selling any h/w, s/w

If Anonymous presents Gnutella for serious comparison with the above issues I say he's looking in the wrong end of his telescope.

--
Antonomasia   ant notatla.demon.co.uk
See http://www.notatla.demon.co.uk/
Re: Thanks, Lucky, for helping to kill gnutella (fwd)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 1:03 AM +0200 on 8/10/02, Some anonymous, and now apparently innumerate, idiot in my killfile got himself forwarded to Mr. Leitl's cream of cypherpunks list:

> They will protect us from being able to extend trust across the network.

As Dan Geer and Carl Ellison have reminded us on these lists and elsewhere, there is no such thing as trust, on the net, or anywhere else. There is only risk.

Go learn some finance before you attempt to abstract emotion into the quantifiable. Actual numerate, thinking, people gave up on that nonsense in the 1970's, and the guys who proved the idiocy of trust, showing, like Lagrange said to Napoleon about god, that the capital markets had "no need of that hypothesis, Sire", ended up winning a Nobel for that proof in the 1990's*.

Cheers,
RAH

*The fact that Scholes and Merton eventually ended up betting on equity volatility like it was actually predictable and got their asses handed to them for their efforts is beside the point, of course. :-).

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.5

iQA/AwUBPVRgRsPxH8jf3ohaEQIu3gCg0V9JIHnMRJ2GW+aJ1xSEHi5ETcYAn1Db
BgR2WiAxNt/zGx5Iy+uRG+Ws
=JEmi
-----END PGP SIGNATURE-----

--
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Re: TCPA/Palladium -- likely future implications
--
On 9 Aug 2002 at 17:15, AARG! Anonymous wrote:

> to understand it you need a true picture of TCPA rather than the false one which so many cypherpunks have been promoting.

As TCPA is currently vaporware, projections of what it will be, and how it will be used are judgments, and are not capable of being true or false, though they can be plausible or implausible.

Even with the best will in the world, and I do not think the people behind this have the best will in the world, there is an inherent conflict between tamper resistance and general purpose programmability. To prevent me from getting at the bits as they are sent to my sound card or my video card, the entire computer, not just the dongle, has to be somewhat tamper resistant, which is going to make the entire computer somewhat less general purpose and programmable, thus less useful.

The people behind TCPA might want to do something more evil than you say they want to do, if they want to do what you say they want to do they might be prevented by law enforcement which wants something considerably more far reaching and evil, and if they want to do it, and law enforcement refrains from reaching out and taking hold of their work, they still may be unable to do it for technical reasons.

--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
D7ZUyyAS+7CybaH0GT3tHg1AkzcF/LVYQwXbtqgP
2HBjGwLqIOW1MEoFDnzCH6heRfW1MNGv1jXMIvtwb
Re: TCPA/Palladium -- likely future implications
On Fri, 9 Aug 2002, AARG! Anonymous wrote:

> : Allow computers separated on the internet to cooperate and share data
> : and computations such that no one can get access to the data outside
> : the limitations and rules imposed by the applications.
>
> It seems to me that my definition is far more useful and appropriate in really understanding what TCPA/Palladium are all about. Adam, what do you think?

Just because you can string words together and form a definition doesn't make it realizable. Once data is in the clear it can be copied, and no rules can change that. Either the data is available to the user, and they can copy it - or the data is not available to the user, and there's nothing they can do when their machine does somebody else's calculations.

> I have a couple of suggestions. One early application for TCPA is in closed corporate networks. In that case the company usually buys all the computers and prepares them before giving them to the employees. At that time, the company could read out the TPM public key and sign it with the corporate key. Then they could use that cert rather than the TPME cert. This would protect the company's sensitive data against eavesdroppers who manage to virtualize their hardware.

And guess what? I can buy that today! I don't need either TCPA or Palladium. So why do we need TCPA?

> Think about it: this one innocuous little box holding the TPME key could ultimately be the root of trust for the entire world. IMO we should spare no expense in guarding it and making sure it is used properly. With enough different interest groups keeping watch, we should be able to keep it from being used for anything other than its defined purpose.

Man, I want the stuff you are smoking! One attack point is the root of trust for the whole world!!???!!! Take another hit dude, and make sure you see lots of colors too.

Patience, persistence, truth,
Dr. mike
TCPA ad nauseum
On Fri, 9 Aug 2002, AARG! Anonymous wrote:

> Of course his analysis is spoiled by an underlying paranoia. So let me ask just one question. How exactly is subversion of the TPM a greater threat than subversion of your PC hardware today? How do you know that Intel or AMD don't already have back doors in their processors that the NSA and other parties can exploit? Or that Microsoft doesn't have similar backdoors in its OS? And similarly for all the other software and hardware components that make up a PC today? In other words, is this really a new threat? Or are you unfairly blaming TCPA for a problem which has always existed and always will exist?

The difference is that *anyone* can see what goes on inside an Intel or AMD processor. Only the key holder of the TPM can see inside the protected code space. You can't put back doors into the code now because the code is visible to all users. The purpose of crypto is to hide information even tho the attacker can see all the machinery work. If you don't want to have the machinery visible, then use a sealed system (like smart card).

Patience, persistence, truth,
Dr. mike
Re: Challenge to TCPA/Palladium detractors
Re the debate over whether compilers reliably produce identical object (executable) files: The measurement and hashing in TCPA/Palladium will probably not be done on the file itself, but on the executable content that is loaded into memory. For Palladium it is just the part of the program called the trusted agent. So file headers with dates, compiler version numbers, etc., will not be part of the data which is hashed. The only thing that would really break the hash would be changes to the compiler code generator that cause it to create different executable output for the same input. This might happen between versions, but probably most widely used compilers are relatively stable in that respect these days. Specifying the compiler version and build flags should provide good reliability for having the executable content hash the same way for everyone.
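Both halves of this sub-thread can be shown concretely: the objection that compilers and linkers embed version strings and dates (so the file hash differs from build to build), and the reply that the measurement covers what is loaded into memory rather than the file. The following is an added example, not code from the thread or from any TCPA/Palladium measurement implementation. It builds two synthetic ELF64 images (constructed test data, not real compiler output) whose single PT_LOAD segment is identical but whose trailing, unmapped bytes differ in the way a .comment string or build timestamp would, then compares a whole-file SHA-256 with a measurement taken over the PT_LOAD segments only. The parser decides purely from the program headers, which is the boundary a loader uses.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// ELF64 header sizes and the one program-header type that is measured.
const (
	ehdrSize = 64
	phdrSize = 56
	ptLoad   = 1
)

// loadedContent returns the file-backed bytes of every PT_LOAD segment, in
// program-header order: the content a loader would actually map into memory.
// Only little-endian ELF64 is handled; anything else is rejected.
func loadedContent(img []byte) ([]byte, error) {
	if len(img) < ehdrSize || string(img[:4]) != "\x7fELF" {
		return nil, errors.New("not an ELF image")
	}
	if img[4] != 2 || img[5] != 1 {
		return nil, errors.New("only ELF64 little-endian is handled")
	}
	phoff := binary.LittleEndian.Uint64(img[32:40])
	phentsize := binary.LittleEndian.Uint16(img[54:56])
	phnum := binary.LittleEndian.Uint16(img[56:58])
	if phentsize != phdrSize {
		return nil, errors.New("unexpected program header size")
	}
	var out []byte
	for i := uint64(0); i < uint64(phnum); i++ {
		off := phoff + i*phdrSize
		if off+phdrSize > uint64(len(img)) {
			return nil, errors.New("program header table out of range")
		}
		ph := img[off : off+phdrSize]
		if binary.LittleEndian.Uint32(ph[0:4]) != ptLoad {
			continue // only PT_LOAD segments reach memory, so only they are measured
		}
		pOff := binary.LittleEndian.Uint64(ph[8:16])
		pFilesz := binary.LittleEndian.Uint64(ph[32:40])
		end := pOff + pFilesz
		if end < pOff || end > uint64(len(img)) {
			return nil, errors.New("PT_LOAD segment out of range")
		}
		out = append(out, img[pOff:end]...)
	}
	return out, nil
}

// buildELF constructs a synthetic ELF64 image (test data, not a real binary):
// one PT_LOAD segment holding text, followed by trailer bytes that no segment
// maps, standing in for compiler/linker metadata that never reaches memory.
func buildELF(text, trailer []byte) []byte {
	img := make([]byte, ehdrSize+phdrSize)
	copy(img, "\x7fELF")
	img[4], img[5], img[6] = 2, 1, 1                 // ELFCLASS64, ELFDATA2LSB, EV_CURRENT
	binary.LittleEndian.PutUint16(img[16:], 2)       // e_type = ET_EXEC
	binary.LittleEndian.PutUint16(img[18:], 62)      // e_machine = EM_X86_64
	binary.LittleEndian.PutUint32(img[20:], 1)       // e_version
	textOff := uint64(len(img))                      // text follows the headers
	binary.LittleEndian.PutUint64(img[24:], 0x400000+textOff) // e_entry
	binary.LittleEndian.PutUint64(img[32:], ehdrSize)         // e_phoff
	binary.LittleEndian.PutUint16(img[52:], ehdrSize)         // e_ehsize
	binary.LittleEndian.PutUint16(img[54:], phdrSize)         // e_phentsize
	binary.LittleEndian.PutUint16(img[56:], 1)                // e_phnum (no section headers)
	ph := img[ehdrSize:]
	binary.LittleEndian.PutUint32(ph[0:], ptLoad)             // p_type
	binary.LittleEndian.PutUint32(ph[4:], 5)                  // p_flags = PF_R|PF_X
	binary.LittleEndian.PutUint64(ph[8:], textOff)            // p_offset
	binary.LittleEndian.PutUint64(ph[16:], 0x400000+textOff)  // p_vaddr
	binary.LittleEndian.PutUint64(ph[24:], 0x400000+textOff)  // p_paddr
	binary.LittleEndian.PutUint64(ph[32:], uint64(len(text))) // p_filesz
	binary.LittleEndian.PutUint64(ph[40:], uint64(len(text))) // p_memsz
	binary.LittleEndian.PutUint64(ph[48:], 0x1000)            // p_align
	img = append(img, text...)
	return append(img, trailer...)
}

// fileHash is the naive approach: hash the whole file, metadata included.
func fileHash(img []byte) string {
	sum := sha256.Sum256(img)
	return hex.EncodeToString(sum[:])
}

// measurementHash hashes only the loaded segments, as the reply describes.
func measurementHash(img []byte) (string, error) {
	content, err := loadedContent(img)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:]), nil
}

func main() {
	text := []byte{0xb8, 0x3c, 0x00, 0x00, 0x00, 0x0f, 0x05} // constructed: mov eax,60 ; syscall
	buildA := buildELF(text, []byte("GCC: (constructed) 3.1 built 2002-08-09"))
	buildB := buildELF(text, []byte("GCC: (constructed) 3.1.1 built 2002-08-10"))
	mA, _ := measurementHash(buildA)
	mB, _ := measurementHash(buildB)
	fmt.Println("file hashes equal:       ", fileHash(buildA) == fileHash(buildB))
	fmt.Println("measurement hashes equal:", mA == mB)
}
```

One caveat a practitioner should keep in mind: in real toolchain output some metadata, a build-id note for instance, is placed inside a loaded segment and therefore does affect the measurement, so "what the loader maps" is the right boundary to reason about but does not by itself guarantee that two builds measure identically.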
Long distance
LOW COST LONG DISTANCE
Six Plans To Choose From
$9.95 Plan * Unlimited Plan * Travel Plan
Canadian Plans * International * Intra/Inter State
Stop paying the high cost of long distance. Simple to understand all-inclusive pricing so you save big! Email us now with your phone number to hear how crystal clear your connection will be.
Re: Thanks, Lucky, for helping to kill gnutella
Several people have objected to my point about the anti-TCPA efforts of Lucky and others causing harm to P2P applications like Gnutella.

Eric Murray wrote:

Depending on the clients to do the right thing is fundamentally stupid.

Bram Cohen agrees:

Before claiming that the TCPA, which is from a deployment standpoint vaporware, could help with gnutella's scaling problems, you should probably learn something about what gnutella's problems are first. The truth is that gnutella's problems are mostly that it's a screamer protocol, and limiting which clients could connect would do nothing to fix that.

I will just point out that it was not my idea, but rather that Salon said that the Gnutella developers were considering moving to authorized clients. According to Eric, those developers are fundamentally stupid. According to Bram, the Gnutella developers don't understand their own protocol, and they are supporting an idea which will not help. Apparently their belief that clients like Qtrax are hurting the system is totally wrong, and keeping such clients off the system won't help.

I can't help believing the Gnutella developers know more about their own system than Bram and Eric do. If they disagree, their argument is not with me, but with the Gnutella people. Please take it there.

Ant chimes in:

My copy of Peer to Peer (Oram, O'Reilly) is out on loan but I think Freenet and Mojo use protocols that require new users to be contributors before they become consumers.

Pete Chown echoes:

If you build a protocol which allows selfish behaviour, you have done your job badly. Preventing selfish behaviour in distributed systems is not easy, but that is the problem we need to solve.

It would be a good discussion for this list. As far as Freenet and MojoNation, we all know that the latter shut down, probably in part because the attempted traffic-control mechanisms made the whole network so unwieldy that it never worked. At least in part this was also due to malicious clients, according to the analysis at http://www.cs.rice.edu/Conferences/IPTPS02/188.pdf. And Freenet has been rendered inoperative in recent months by floods. No one knows whether they are fundamental protocol failings, or the result of selfish client strategies, or calculated attacks by the RIAA and company. Both of these are object lessons in the difficulties of successful P2P networking in the face of arbitrary client attacks.

Some people took issue with the personal nature of my criticism:

Your personal vendetta against Lucky is very childish. This sort of attack doesn't do your position any good.

Right, as if my normal style has been so effective. Not one person has given me the least support in my efforts to explain the truth about TCPA and Palladium.

Anyway, maybe I was too personal in singling out Lucky. He is far from the only person who has opposed TCPA. But Lucky, in his slides at http://www.cypherpunks.to, claims that TCPA's designers had as one of their objectives To meet the operational needs of law enforcement and intelligence services (slide 2); and to give privileged access to user's computers to TCPA members only (slide 3); that TCPA has an OS downloading a serial number revocation list (SNRL) which he has provided no evidence for whatsoever (slide 14); that it loads an initial list of undesirable applications which is apparently another of his fabrications (slide 15); that TCPA applications on startup load both a serial number revocation list but also a document revocation list, again a completely unsubstantiated claim (slide 19); that apps then further verify that spyware is running, another fabrication (slide 20).

He then implies that the DMCA applies to reverse engineering when it has an explicit exemption for that (slide 23); that the maximum possible sentence of 5 years is always applied (slide 24); that TCPA is intended to: defeat the GPL, enable information invalidation, facilitate intelligence collection, meet law enforcement needs, and more (slide 27); that only signed code will boot in TCPA, contrary to the facts (slide 28). He provides more made-up details about the mythical DRL (slide 31); more imaginary details about document IDs, information monitoring and invalidation to support law enforcement and intelligence needs, none of which has anything to do with TCPA (slide 32-33). As apparent support for these he provides an out-of-context quote[1] from a Palladium manager, who if you read the whole article was describing their determination to keep the system open (slide 34). He repeats the unfounded charge that the Hollings bill would mandate TCPA, when there's nothing in the bill that says such a thing (slide 35); and he exaggerates the penalties in that bill by quoting the maximum limits as if they are the default (slide 36).

Lucky can provide all this misinformation, all under the pretence, mind you, that this *is* TCPA. He was educating the audience, mostly people who were completely
Re: Signing as one member of a set of keys
On Fri, 9 Aug 2002, Anonymous User wrote:

This program can be used by anonymous contributors to release partial information about their identity - they can show that they are someone from a list of PGP key holders, without revealing which member of the list they are. Maybe it can help in the recent controversy over the identity of anonymous posters. It's a fairly low-level program that should be wrapped in a nicer UI. I'll send a couple of perl scripts later that make it easier to use.

===

Most delightful. Thank you for reminding us that Cypherpunks do indeed write code. More comments in a bit.

[MW SNIP]

++multisig v1.0
pEsBwalpBRxWyJR8tkYm6qR27UW9IT6Vg8SlOHIsEkk04RJvoSy0cy4ISFCq6vDX
5ub6c+MYi/UoyR6tI7oqpMu1abcXWm2DkfDiCsD6jQddVkiiYdG7Bih8JWdWmp5l
AgzqUoz14671/ezmWSrPNsTNKV96+ZLEanZsqfkpQcnZpLkWVpJzQFe0VgDQ64b2
+e2efrbknLFq0FTdX7Sh3qzAfzNYYgADmeOxDoTm9sb6T0fULf1P7mjiN2LZXuEW
m/8QvksaQi9KGa/0xN2m0heNtS1cfsTa+NJz8XYyG/tnMy7+mvI3c3lrnz+6Dpyp
pbNwaX+12VcqtfNec9faoq8RJgFxmSO/ZfMOGM8cFBQ75ZOaoBJP5ObHZ/63FFh5
Wh5GzwJjQs0vLwpM3iF6G+IixEqAQYisUdCopP1wXCLgltDM6l7jRlXxNDj0AXQ1
eQJolo32vemcy8Z8GAn5tpQHmJwpdzZpboWRQY53pD4mVnEMN4GBC1mhbbI2z+Oh
lPglqmmy3p4D+psNU1rlNv6yH/L0PgcuW7taVpbopjl4HLuJdWcKHJlXish3D/jb
eoQ856fYFZ/omGiO9x1D0BsnGFLZVWob4OIZRzO/Pc49VIhFy5NsV2zuozStId89
[...]

*/

That [...] you see is an artifact of the anonymous remailer you were using. Mixmaster, I believe, gives the option to truncate messages which appear to include binary encoded data. PGP messages are explicitly allowed to be sent.

Immediate problem: we can't verify your signature.
Short term solution: find a remailer that allows binary posting.
Long term solution: perhaps contact the Mixmaster authors and ask them to explicitly allow multisig data?

-MW-
p2p DoS resistance and network stability (Re: Thanks, Lucky, for helping to kill gnutella)
On Fri, Aug 09, 2002 at 08:25:40PM -0700, AARG!Anonymous wrote:

Several people have objected to my point about the anti-TCPA efforts of Lucky and others causing harm to P2P applications like Gnutella.

The point that a number of people made is that what is said in the article is not workable: clearly you can't ultimately exclude chosen clients on open computers due to reverse-engineering. (With TCPA/Palladium remote attestation you probably could so exclude competing clients, but this wasn't what was being talked about).

The client exclusion plan is also particularly unworkable for gnutella because some of the clients are open-source, and the protocol is (now since original reverse engineering from nullsoft client) also open.

With closed-source implementations there is some obfuscation barrier that can be made: Kazaa/Morpheus did succeed in frustrating competing clients due to its closed protocols and unpublished encryption algorithm. At one point an open source group reverse-engineered the encryption algorithm, and from there the contained kazaa protocols, and built an interoperable open-source client giFT http://gift.sourceforge.net, but then FastTrack promptly changed the unpublished encryption algorithm to another one and then used remote code upgrade ability to upgrade all of the clients.

Now the open-source group could counter-strike if they had particularly felt motivated to. For example they could (1) reverse-engineer the new unpublished encryption algorithm, and (2) the remote code upgrade, and then (3) do their own forced upgrade to an open encryption algorithm and (4) disable further forced upgrades.

(giFT instead after the upgrade attack from FastTrack decided to implement their own open protocol openFT instead and compete. It also includes a general bridge between different file-sharing networks, in a somewhat gaim like way, if you are familiar with gaim.)

[Freenet and Mojo melt-downs/failures...]

Both of these are object lessons in the difficulties of successful P2P networking in the face of arbitrary client attacks.

I grant you that making simultaneously DoS resistant, scalable and anonymous peer-to-peer networks is a Hard Problem. Even removing the anonymous part it's still a Hard Problem.

Note both Freenet and Mojo try to tackle the harder of those two problems and have aspects of publisher and reader anonymity, so that they are doing less well than Kazaa, gnutella and others is partly because they are more ambitious and tackling a harder problem.

Also the anonymity aspect possibly makes abuse more likely -- ie the attacker is provided as part of the system tools to obscure his own identity in attacking the system. DoSers of Kazaa or gnutella would likely be more easily identified which is some deterrence.

I also agree that the TCPA/Palladium attested closed world computing model could likely more simply address some of these problems. (Lucky slide critique in another post).

Adam
--
http://www.cypherspace.org/adam/
Re: Challenge to TCPA/Palladium detractors
On Wed, 7 Aug 2002, Matt Crawford wrote:

Unless the application author can predict the exact output of the compilers, he can't issue a signature on the object code. The compilers then have to be inside the trusted base, checking a signature on the source code and reflecting it somehow through a signature they create for the object code.

Same version of compiler on same source using same build produces identical binaries.

You have the source, compile it using the official compiler and the official build options, and record the blob. Entity X claims it runs the same system that it gave you the source for. You can't sign it, but you can verify the signed blob is the same. The blob can still be trojaned, but you can disassemble and debug it.
Utilizing Palladium against software piracy
I would like to again thank the Palladium team, in particular Peter Biddle, for participating in yesterday's panel at the USENIX Security conference on Palladium and TCPA. Unfortunately I do not have the time at the moment to write up the many valuable and informative points made during the panel discussion. I will, however, highlight one such issue:

As Peter pointed out, while the Palladium effort was started to meet the content protection requirements of digital video content providers, he also pointed out that Microsoft and its Palladium group have so far been unable to determine a method in which Palladium could be utilized to assist in the efforts against application software piracy. As Peter mentioned, the Palladium team on several occasions had to tell Microsoft's anti-piracy group that Palladium is unsuitable to assist in software (as distinct from content) licensing and anti-piracy efforts. Since Microsoft is not aware of a method to utilize the Palladium environment in the enforcement of software licenses, Peter argued, Microsoft does not intend to and will not utilize Palladium to assist in the enforcement of software licensing.

I, on the other hand, am able to think of several methods in which Palladium or operating systems built on top of TCPA can be used to assist in the enforcement of software licenses and the fight against software piracy. I therefore, over the course of the night, wrote - and my patent agent filed with the USPTO earlier today - an application for a US patent covering numerous methods by which software applications can be protected against software piracy on a platform offering the features that are slated to be provided by Palladium.

--Lucky Green
Re: Challenge to TCPA/Palladium detractors
On Fri, 9 Aug 2002, David Howe wrote:

It doesn't though - that is the point. I am not sure if it is simply that there are timestamps in the final executable, but Visual C (to give a common example, as that is what the windows PGP builds compile with) will not give an identical binary, even if you hit rebuild all twice in close succession and compare the two outputs, nothing having changed.

I've just verified this also occurs on OpenSSL under RH 7.3 (gcc --version 2.96). I haven't done a binary diff, but I'm also suspecting a time stamp. Can anyone shed some light on this?
AARG and eugene are net.loons-why signatures of binaries always change.
Hi all,

It's obvious that some of us here are developers and still others have never typed make or gcc in their lives.

-v and -V options given to various forms of ld caused the embedding of version information in the binary (Sunpro does this also, AND early versions of MSC allowed embedding of version information also.)

The fact that most environments don't link -Bstatic and instead link -Bdynamic means that every time you attempt to produce a binary from 2 different systems the dynamic link information will be different; check out link.h link_elf.h link_aout.h in /usr/include.

In addition MOST modern development environments include a date field when compiled and linked in the binary.

sheesh a cypherpunk BTW. AARG and eugene are idiots nyah nyah nyah!!
Signing as one member of a set of keys
This program can be used by anonymous contributors to release partial information about their identity - they can show that they are someone from a list of PGP key holders, without revealing which member of the list they are. Maybe it can help in the recent controversy over the identity of anonymous posters.

It's a fairly low-level program that should be wrapped in a nicer UI. I'll send a couple of perl scripts later that make it easier to use.

===

/* Implementation of ring signatures from
 * http://theory.lcs.mit.edu/~rivest/RivestShamirTauman-HowToLeakASecret.pdf
 * by Rivest, Shamir and Tauman
 *
 * This creates and verifies a signature such that it was produced from
 * one of a fixed set of RSA keys.
 *
 * It requires the openssl library to build, which is available from
 * www.openssl.org.
 *
 * This program takes a PGP public key ring file which holds a set of
 * old-style RSA public keys.  It creates and verifies signatures which
 * are such that they were issued by one of the keys in that file, but
 * there is no way to tell which one did it.  In this way the signer can
 * leak partial information about his identity - that he is one member
 * of a selected set of signers.
 *
 * To sign, the signer must also give a PGP secret key file which holds
 * one key (actually the program ignores any keys past the first).
 * That key should be the secret part of one of the keys in the public
 * key file.  Also, it should be set to have no passphrase - it is too
 * complicated for a simple program like this to try to untangle PGP
 * passphrases.  So set your key to have no passphrase, then run this
 * program, then set it back.
 *
 * The program outputs the signature in the form of a list of big numbers,
 * base64 encoded.  There will be as many numbers as there were keys in
 * the public key file.  So signatures are quite large in this scheme,
 * proportional to the number of keys in the group that the signature
 * comes from.  They are also proportional to the largest key in the
 * group, so all else being equal try not to include really big keys if
 * you care about size.
 *
 * The signature is not appended to the text being signed, it is just
 * output separately.  The signer can combine them manually with some kind
 * of cut marks so that the recipient can separate out the signature from
 * the file being signed.  Some perl scripts that do this are supposed
 * to be distributed with the program.  (That is what is used to verify
 * the signature in this file itself.)
 *
 * The recipient must use the same PGP public key file that the signer
 * used.  So that may have to be sent along as well.  He runs the program
 * with the PGP file and the file to be verified, and sends the signature
 * data into stdin (using the < character).  The program will print
 * whether the signature is good or not.
 *
 * This program was written in just a couple of evenings so it is
 * a little rough.  This is version 0.9 or so - at least it works.
 * It has only been tested on my Linux system.
 *
 * The program is released into the public domain.  See the end for
 * authorship information.
 */

#include <stdio.h>
#include <stdlib.h>
#include <openssl/bn.h>
#include <openssl/rsa.h>
#include <openssl/sha.h>
#include <openssl/evp.h>

/* Cipher block size; we use Blowfish */
#define CIPHERBLOCK	8

typedef unsigned char uchar;

enum {
	ERR_OK = 0,
	ERR_BADPKT=-100,
	ERR_EOF,
	ERR_SECNOTFOUND,
	ERR_BADSIG,
};

/** PGP FILE PARSING ***/

/* Read the N and E values from a PGP public key packet */
int
rdpgppub( BIGNUM *n, BIGNUM *e, unsigned *bytesused, uchar *buf, unsigned len )
{
	int nbits, nlen, ebits, elen;
	unsigned o=2;

	if (len < 10)
		return ERR_BADPKT;
	if (buf[0] == 4)				/* Check version 4, 3, or 2 */
		o = 0;
	else if (buf[0] != 2 && buf[0] != 3)		/* V23 have 2 extra bytes */
		return ERR_BADPKT;
	if (buf[5+o] != 1)				/* Check alg - 1 is RSA */
		return ERR_BADPKT;
	nbits = (buf[6+o] << 8) | buf[7+o];		/* Read modulus */
	nlen = (nbits + 7)/8;
	if (len < 10+o+nlen)
		return ERR_BADPKT;
	BN_bin2bn(buf+o+8, nlen, n);
	ebits = (buf[8+o+nlen] << 8) | buf[9+o+nlen];	/* Read exponent */
	elen = (ebits + 7)/8;
	if (len < 10+o+nlen+elen)
		return ERR_BADPKT;
	BN_bin2bn(buf+10+o+nlen, elen, e);
	if (bytesused)
		*bytesused = 10+o+nlen+elen;
	return ERR_OK;
}

/* Read the N, E, D values from a PGP secret key packet with no passphrase */
int
rdpgpsec( BIGNUM *n, BIGNUM *e, BIGNUM *d, uchar *buf, unsigned len )
{
	int err;
	int nbits, nlen, ebits, elen, dbits, dlen;
	unsigned o;

	if ((err = rdpgppub(n, e, &o, buf, len)) < 0)
		return err;
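The scheme the program above implements, Rivest-Shamir-Tauman ring signatures, shown end to end as an added Python example; this is not the poster's code. It keeps the same structure (a set of RSA keys, a symmetric cipher keyed by the hash of the message, a glue value v, and one x per ring member) but makes its own assumptions so that it runs stand-alone: RSA keys are generated here at demo size rather than read from a PGP keyring, a four-round SHA-256 Feistel network stands in for the Blowfish the program uses as E_k, and the common domain is 160 bits wider than the largest modulus, the margin the paper suggests.

```python
import hashlib
import secrets

# Added example of Rivest-Shamir-Tauman ring signatures over RSA; not the
# poster's program. Assumptions: demo-sized RSA keys generated here, a 4-round
# SHA-256 Feistel network standing in for Blowfish as E_k, and a common domain
# 160 bits wider than the largest modulus.
ROUNDS = 4

def _is_probable_prime(n, rounds=32):
    """Miller-Rabin with random bases; adequate for demo keys only."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(p):
            return p

def rsa_keygen(bits=256, e=65537):
    """Return ((n, e), (n, d)). 256-bit moduli keep the demo fast; they are not secure."""
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:              # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def _round_fn(k, rnd, half, hbits):
    """SHA-256 keyed by k and the round number, expanded and masked to hbits bits."""
    out, ctr = b"", 0
    while len(out) * 8 < hbits:
        out += hashlib.sha256(k + bytes([rnd, ctr]) + half.to_bytes((hbits + 7) // 8, "big")).digest()
        ctr += 1
    return int.from_bytes(out, "big") & ((1 << hbits) - 1)

def feistel(k, x, b, inverse=False):
    """E_k: keyed permutation of the b-bit integer x (b even); inverse=True computes E_k^-1."""
    h = b // 2
    L, R = x >> h, x & ((1 << h) - 1)
    for rnd in (reversed(range(ROUNDS)) if inverse else range(ROUNDS)):
        if inverse:
            L, R = R ^ _round_fn(k, rnd, L, h), L
        else:
            L, R = R, L ^ _round_fn(k, rnd, R, h)
    return (L << h) | R

def ring_bits(pubs):
    """Common domain size: 160 bits above the largest modulus, rounded up to even."""
    b = max(n for n, _ in pubs).bit_length() + 160
    return b + b % 2

def trapdoor(key, x, b):
    """Extended RSA permutation on [0, 2^b): key=(n, e) is g_i, key=(n, d) is g_i^-1."""
    n, exp = key
    q, r = divmod(x, n)
    if (q + 1) * n <= (1 << b):
        return q * n + pow(r, exp, n)
    return x                                # sliver above the last full block of n maps to itself

def ring_sign(msg, pubs, s, priv):
    """Sign msg as an unnamed member of pubs; s is the signer's index, priv its (n, d)."""
    b = ring_bits(pubs)
    k = hashlib.sha256(msg).digest()                # symmetric key for this message
    v = secrets.randbits(b)                         # glue value
    xs = [secrets.randbits(b) for _ in pubs]        # random x_i; x_s is replaced below
    ys = [trapdoor(p, x, b) for p, x in zip(pubs, xs)]
    z = v
    for i in range(s):                              # walk the ring forward up to the gap
        z = feistel(k, z ^ ys[i], b)
    z_before = z
    z = v
    for i in range(len(pubs) - 1, s, -1):           # and backward from the end to the gap
        z = feistel(k, z, b, inverse=True) ^ ys[i]
    ys[s] = feistel(k, z, b, inverse=True) ^ z_before   # the y_s that closes the ring
    xs[s] = trapdoor(priv, ys[s], b)                # only the trapdoor holder can find x_s
    return v, xs

def ring_verify(msg, pubs, sig):
    """True iff E_k(y_n ^ E_k(... E_k(y_1 ^ v))) == v; reveals nothing about which key signed."""
    v, xs = sig
    b = ring_bits(pubs)
    if len(xs) != len(pubs) or any(x >> b for x in xs):
        return False
    k = hashlib.sha256(msg).digest()
    z = v
    for p, x in zip(pubs, xs):
        z = feistel(k, z ^ trapdoor(p, x, b), b)
    return z == v
```

Usage: build `pubs = [pk for pk, _ in keys]` from a few `rsa_keygen()` results, sign with `ring_sign(msg, pubs, i, keys[i][1])`, and hand the verifier the same `pubs` list, the message and the `(v, xs)` pair. As the program's comment says, the signature carries one domain-sized x per key, so its size grows with both the number of members and the largest modulus; the verifier must also use exactly the same key list in the same order, since a different set makes the ring equation fail.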
Thanks, Lucky, for helping to kill gnutella
An article on Salon this morning (also being discussed on slashdot), http://www.salon.com/tech/feature/2002/08/08/gnutella_developers/print.html, discusses how the file-trading network Gnutella is being threatened by misbehaving clients. In response, the developers are looking at limiting the network to only authorized clients:

On Gnutella discussion sites, programmers are discussing a number of technical proposals that would make access to the network contingent on good behavior: If you write code that hurts Gnutella, in other words, you don't get to play. One idea would allow only clients that you can authenticate to speak on the network, Fisk says. This would include the five-or-so most popular Gnutella applications, including Limewire, BearShare, Toadnode, Xolox, Gtk-Gnutella, and Gnucleus. If new clients want to join the group, they would need to abide by a certain communication specification.

They intend to do this using digital signatures, and there is precedent for this in past situations where there have been problems:

Alan Cox, a veteran Linux developer, says that he's seen this sort of debate before, and he's not against a system that keeps out malicious users using technology. Years and years ago this came up with a game called Xtrek, Cox says. People were building clients with unfair capabilities to play the space game -- and the solution, says Cox, was to introduce digital signatures. Unless a client has been signed, it can't play. You could build any client you wanted, but what you can't do is build an Xtrek client that let you play better.

Not discussed in the article is the technical question of how this can possibly work. If you issue a digital certificate on some Gnutella client, what stops a different client, an unauthorized client, from pretending to be the legitimate one? This is especially acute if the authorized client is open source, as then anyone can see the cert, see exactly what the client does with it, and merely copy that behavior.

If only there were a technology in which clients could verify and yes, even trust, each other remotely. Some way in which a digital certificate on a program could actually be verified, perhaps by some kind of remote, trusted hardware device. This way you could know that a remote system was actually running a well-behaved client before admitting it to the net. This would protect Gnutella from not only the kind of opportunistic misbehavior seen today, but the future floods, attacks and DOSing which will be launched in earnest once the content companies get serious about taking this network down.

If only...

Luckily the cypherpunks are doing all they can to make sure that no such technology ever exists. They will protect us from being able to extend trust across the network. They will make sure that any open network like Gnutella must forever face the challenge of rogue clients. They will make sure that open source systems are especially vulnerable to rogues, helping to drive these projects into closed source form.

Be sure and send a note to the Gnutella people reminding them of all you're doing for them, okay, Lucky?
Re: Challenge to TCPA/Palladium detractors
James A. Donald wrote:

On Wed, 7 Aug 2002, Matt Crawford wrote:

Unless the application author can predict the exact output of the compilers, he can't issue a signature on the object code. The

On 9 Aug 2002 at 10:48, Eugen Leitl wrote:

Same version of compiler on same source using same build produces identical binaries.

This has not been my experience.

Nor anyone else's. If only because the exact image you get depends on a hell of a lot of programs libraries.

Does anyone expect /Microsoft/ of all software suppliers to provide consistent versioning and reproducible or predictable software environments? These are the people who brought us DLL Hell. These are the people who fell into the MDAC versioning fiasco.

Ken
RE: Challenge to TCPA/Palladium detractors
I'm not surprised that most people couldn't produce matching PGP executables - most compilers (irrespective of compiler optimisation options etc) include a timestamp in the executable.

Regards,

Sam Simpson
[EMAIL PROTECTED]
http://www.samsimpson.com/
Mob: +44 (0) 7866 726060
Home Office: +44 (0) 1438 229390
Fax: +44 (0) 1438 726069

On Fri, 9 Aug 2002, Lucky Green wrote:

Anonymous wrote:

Matt Crawford replied:

Unless the application author can predict the exact output of the compilers, he can't issue a signature on the object code. The compilers then have to be inside the trusted base, checking a signature on the source code and reflecting it somehow through a signature they create for the object code.

It's likely that only a limited number of compiler configurations would be in common use, and signatures on the executables produced by each of those could be provided. Then all the app writer has to do is to tell people, get compiler version so-and-so and compile with that, and your object will match the hash my app looks for. DEI

The above view may be overly optimistic. IIRC, nobody outside PGP was ever able to compile a PGP binary from source that matched the hash of the binaries built by PGP.

--Lucky Green

- The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Thanks, Lucky, for helping to kill gnutella
On Fri, Aug 09, 2002 at 10:05:15AM -0700, AARG! Anonymous wrote:

On Gnutella discussion sites, programmers are discussing a number of technical proposals that would make access to the network contingent on good behavior: If you write code that hurts Gnutella, in other words, you don't get to play. One idea would allow only clients that you can authenticate to speak on the network, Fisk says. This would include the five-or-so most popular Gnutella applications, including Limewire, BearShare, Toadnode, Xolox, Gtk-Gnutella, and Gnucleus. If new clients want to join the group, they would need to abide by a certain communication specification.

They intend to do this using digital signatures, and there is precedent for this in past situations where there have been problems:

Depending on the clients to do the right thing is fundamentally stupid.

[..]

Be sure and send a note to the Gnutella people reminding them of all you're doing for them, okay, Lucky?

This sort of attack doesn't do your position any good.

Eric
Re: Signing as one member of a set of keys
Very nice. Nice plausible set of candidate authors also:

pub 1022/5AC7B865 1992/12/01 [EMAIL PROTECTED]
pub 1024/2B48F6F5 1996/04/10 Ian Goldberg [EMAIL PROTECTED]
pub 1024/97558A1D 1994/01/10 Pr0duct Cypher alt.security.pgp
pub 1024/2719AF35 1995/05/13 Ben Laurie [EMAIL PROTECTED]
pub 1024/58214C37 1992/09/08 Hal Finney [EMAIL PROTECTED]
pub 1024/C8002BD1 1997/03/04 Eric Young [EMAIL PROTECTED]
pub 1024/FBBB8AB1 1994/05/07 Colin Plumb [EMAIL PROTECTED]

Wonder if we can figure out who is most likely author based on coding style from such a small set.

It has (8 char) TABs but otherwise BSD indentation style (BSD normally 4 spaces). Also someone who likes triply indirected pointers ***blah in there. Has local variables inside even *if code blocks* eg, inside main() (most people avoid that, preferring to declare variables at the top of a function, and historically I think some older gcc / gdb couldn't debug those variables if I recall). Very funky use of goto in getpgppkt, hmmm. Somewhat concise coding and variable names.

Off the cuff guess based on coding without looking at samples of code to remind, probably Colin or Ian. Of course (Lance Cottrell/Ian Goldberg/Pr0duct Cypher/Ben Laurie/Hal Finney/Eric Young/Colin Plumb) possibly deviated or mimicked one of their coding styles.

Kind of interesting to see a true nym in there also.

Also the Cc -- Coderpunks lives? I think the Cc coderpunks might be a clue also, I think some of these people would know it died. I think that points more at Colin.

Other potential avenue might be implementation mistake leading to failure of the scheme to robustly make undecidable which of the set is the true author, given alpha code.

Adam

On Fri, Aug 09, 2002 at 03:52:56AM +, Anonymous User wrote:

This program can be used by anonymous contributors to release partial information about their identity - they can show that they are someone from a list of PGP key holders, without revealing which member of the list they are. Maybe it can help in the recent controversy over the identity of anonymous posters. It's a fairly low-level program that should be wrapped in a nicer UI. I'll send a couple of perl scripts later that make it easier to use.
Re: Thanks, Lucky, for helping to kill gnutella
AARG!Anonymous wrote:

If only there were a technology in which clients could verify and yes, even trust, each other remotely. Some way in which a digital certificate on a program could actually be verified, perhaps by some kind of remote, trusted hardware device. This way you could know that a remote system was actually running a well-behaved client before admitting it to the net. This would protect Gnutella from not only the kind of opportunistic misbehavior seen today, but the future floods, attacks and DOSing which will be launched in earnest once the content companies get serious about taking this network down.

Before claiming that the TCPA, which is from a deployment standpoint vaporware, could help with gnutella's scaling problems, you should probably learn something about what gnutella's problems are first. The truth is that gnutella's problems are mostly that it's a screamer protocol, and limiting which clients could connect would do nothing to fix that.

Limiting which clients could connect to the gnutella network would, however, do a decent job of forcing people to pay for one of the commercial clients. In this way it's very typical of how TCPA works - a non-solution to a problem, but one which could potentially make money, and has the support of gullible dupes who know nothing about the technical issues involved.

Be sure and send a note to the Gnutella people reminding them of all you're doing for them, okay, Lucky?

Your personal vendetta against Lucky is very childish.

-Bram Cohen

Markets can remain irrational longer than you can remain solvent -- John Maynard Keynes
Re: Thanks, Lucky, for helping to kill gnutella
On Fri, 9 Aug 2002, Jay Sulzberger wrote:
> There are many solutions at the level of technical protocols that solve the projection of these problems down to the low dimensional subspace of technical problems. Some of these technical protocols will be part of a full system which accomplishes the desired ends. Please contact me off-list if you are willing to spend some money for an implementation.

Hey! Tell the Gnutella folks I'll be happy to bid on that too! I'm pretty sure I can get them a solid solution, especially since it's just a technical problem.

Patience, persistence, truth,
Dr. mike
Re: Thanks, Lucky, for helping to kill gnutella
On Fri, 9 Aug 2002, AARG!Anonymous wrote:
> ...
> Not discussed in the article is the technical question of how this can possibly work. If you issue a digital certificate on some Gnutella client, what stops a different client, an unauthorized client, from pretending to be the legitimate one? This is especially acute if the authorized client is open source, as then anyone can see the cert, see exactly what the client does with it, and merely copy that behavior.
>
> If only there were a technology in which clients could verify and yes, even trust, each other remotely. Some way in which a digital certificate on a program could actually be verified, perhaps by some kind of remote, trusted hardware device. This way you could know that a remote system was actually running a well-behaved client before admitting it to the net. This would protect Gnutella from not only the kind of opportunistic misbehavior seen today, but the future floods, attacks and DOSing which will be launched in earnest once the content companies get serious about taking this network down.

There are many solutions at the level of technical protocols that solve the projection of these problems down to the low dimensional subspace of technical problems. Some of these technical protocols will be part of a full system which accomplishes the desired ends. Please contact me off-list if you are willing to spend some money for an implementation.

Your claim, if true, would also demonstrate that no credit card payments over the Net, no apt-get style updating, no Paypal-like system, no crypto time-stamp system, etc., can exist today.

> If only... Luckily the cypherpunks are doing all they can to make sure that no such technology ever exists. They will protect us from being able to extend trust across the network. They will make sure that any open network like Gnutella must forever face the challenge of rogue clients. They will make sure that open source systems are especially vulnerable to rogues, helping to drive these projects into closed source form.
>
> Be sure and send a note to the Gnutella people reminding them of all you're doing for them, okay, Lucky?

AARG!, this is again unworthy of you. You are capable of attempting to confuse and misdirect at a higher level.

You might wish to emphasize that the real difficulties are at the levels where the reasons for the small usage of GNUPG lie. That really the technical details of the TCPA/Palladium system hardly matter. What TCPA/Palladium will allow is the provision to the masses of even more powerful brews of fantasy, game playing, advertising, etc.. And that there will be a small number of hobbyists who use the unprotected ports of TCPA/Palladium for their own limited experiments/amusements/etc..

The real point of TCPA/Palladium is that a locus of trust, seemingly guaranteed by the Powers That Be, will be created, and that the existence of this same locus, under the facies of locus of dealmaking/lawyering, will so reassure the Infotainment Arm of the Englobulators that the Arm will unleash its extraordinary forces to build and sell ever more entrancing Palaces of Dreams. The unprotected ports will allow a mostly self-supporting farm team system which will function without much direct oversight and little outlay of money by Englobulator Central or any of the Arms. The limited freedom of the Farm System, with its convenient pull strings, for the cases where something large and not controlled by Those Who Know Best takes off, will be a powerful lure to up and coming future Talent, who, when the time comes, may be Signed, without today's confusing and annoying possibility of continued independence. Indeed, the EULA of every system might have a section which binds users who display Marketable Things to an automatic Arbitration of Contract.

oo--JS.
Re: Thanks, Lucky, for helping to kill gnutella
Anonymous wrote:
> ... the file-trading network Gnutella is being threatened by misbehaving clients. In response, the developers are looking at limiting the network to only authorized clients:

This is the wrong solution. One of the important factors in the Internet's growth was that the IETF exercised enough control, but not too much. So HTTP is standardised, which allows (theoretically) any browser to talk to any web server. At the same time the higher levels are not standardised, so someone who has an idea for a better browser or web server is free to implement it.

If you build a protocol which allows selfish behaviour, you have done your job badly. Preventing selfish behaviour in distributed systems is not easy, but that is the problem we need to solve. It would be a good discussion for this list.

> Not discussed in the article is the technical question of how this can possibly work. If you issue a digital certificate on some Gnutella client, what stops a different client, an unauthorized client, from pretending to be the legitimate one?

Exactly. This has already happened with unauthorised AIM clients. My freedom to lie allows me to use GAIM rather than AOL's client. In this case, IMO, the ethics are the other way round. AOL seeks to use its (partial) monopoly to keep a grip on the IM market. The freedom to lie mitigates this monopoly to an extent.

--
Pete
Re: Thanks, Lucky, for helping to kill gnutella
Antonomasia wrote:
> My copy of Peer to Peer (Oram, O'Reilly) is out on loan but I think Freenet and Mojo use protocols that require new users to be contributors before they become consumers. (Leaving aside that Gnutella seems doomed on scalability grounds.)

Freenet and Mojo Nation have had serious issues in the wild, but my project, BitTorrent, is currently being used in serious deployment, and its leech resistance algorithms are proving quite robust - http://bitconjurer.org/BitTorrent/

This is a very narrow form of leech resistance, but it may be all that is needed.

-Bram Cohen

"Markets can remain irrational longer than you can remain solvent" -- John Maynard Keynes
TCPA/Palladium -- likely future implications (Re: dangers of TCPA/palladium)
On Thu, Aug 08, 2002 at 09:15:33PM -0700, Seth David Schoen wrote:
> Back in the Clipper days [...] how do we know that this tamper-resistant chip produced by Mykotronix even implements the Clipper spec correctly?

The picture is related but has some extra wrinkles with the TCPA/Palladium attestable donglization of CPUs.

- It is always the case that targeted people can have hardware attacks perpetrated against them. (Keyboard sniffers placed during court authorised break-in as FBI has used in mob case of PGP using Mafioso [1]).

- In the clipper case people didn't need to worry much if the clipper chip had malicious deviations from spec, because Clipper had an openly stated explicit purpose to implement a government backdoor -- there's no need for NSA to backdoor the explicit backdoor.

But in the TCPA/Palladium case however the hardware tampering risk you identify is as you say relevant:

- It's difficult for the user to verify hardware.

- Also: it wouldn't be that hard to manufacture plausibly deniable implementation mistakes that could equate to a backdoor -- eg the random number generators used to generate the TPM/SCP private device keys.

However, beyond that there is an even softer target for would-be backdoorers:

- the TCPA/Palladium hardware manufacturers' endorsement CA keys. These are the keys to the virtual kingdom formed -- the virtual kingdom by the closed space within which attested applications and software agents run.

So specifically let's look at the questions arising:

1. What could a hostile entity(*) do with a copy of a selection of hardware manufacturer endorsement CA private keys?

((*) where the hostile entity candidates would for example be secret service agencies, law enforcement or homeland security agencies in western countries, RIAA/MPAA in pursuit of their quest to exercise their desire to jam and DoS peer-to-peer file sharing networks, the Chinese government, Taiwanese government (they make lots of equipment right) and so on).

a. Who needs to worry -- who will be targeted?

Who needs to worry about this depends on how overt third-party ownership of these keys is, and hence the pool of people who would likely be targeted. If it's very covert, it would only be used plausibly deniably and only for Nat Sec / Homeland Security purposes. If it becomes overt over time -- a publicly acknowledged, but supposedly court controlled affair like Clipper, or even more widely desired by a wide range of entities for example: keys made available to RIAA / MPAA so they can do the hacking they have been pushing for -- well then we all need to worry.

To analyse the answer to question 1, we first need to think about question 2:

2. What kinds of TCPA/Palladium integrity depending trusted applications are likely to be built?

Given the powerful (though balance of control changing) new remotely attestable security features provided by TCPA/Palladium, all kinds of remote services become possible, for example (though all to the extent of hardware tamper-resistance and belief that your attacker doesn't have access to a hardware endorsement CA private key):

- general Application Service Providers (ASPs) that you don't have to trust to read your data
- less traceable peer-to-peer applications
- DRM applications that make a general purpose computer secure against BORA (Break Once Run Anywhere), though of course not secure against ROCA (Rip Once Copy Everywhere) -- which will surely continue to happen with ripping shifting to hardware hackers.
- general purpose unreadable sandboxes to run general purpose CPU-for-rent computing farms for hire, where the sender knows you can't read his code, you can't read his input data, or his output data, or tamper with the computation.
- file-sharing while robustly hiding knowledge and traceability of content even to the node serving it -- previously research question, now easy coding problem with efficient
- anonymous remailers where you have more assurance that a given node is not logging and analysing the traffic being mixed by it

But of course all of these distributed applications, positive and negative (depending on your view point), are limited in their assurance of their non-cryptographically assured aspects:

- to the tamper resistance of the device
- to the extent of the users' confidence that an entity hostile to them doesn't have the endorsement CA's private key for the respective remote servers implementing the network application they are relying on

and a follow-on question to question 2:

3. Will any software companies still aim for cryptographic assurance?

(cryptographic assurance means you don't need to trust someone not to reverse engineer the application -- ie you can't read the data because it is encrypted with a key derived from a password that is only stored in the user's head).

The extended platform allows you to build new classes of applications which aren't currently buildable to cryptographic levels of
Re: AARG and eugene are net.loons-why signatures of binaries always change.
You're being quite creative with alternative spelling and punctuation. However, if you think that provides sustainable stealth cover against a competent attacker (TLA agencies must by now be really good with linguistic forensics) you're fooling yourself.

For executable binary verification it is obviously necessary to use compilers/linkers which don't write crap into the binary. Speaking of which, given the size of the code blob one could as well use handcrafted assembly. Also, using a standardized build environment is not exactly rocket science, since one can checksum ISO images, too. Platinum Group Linux would be a good name for the distro.

On Fri, 9 Aug 2002, cyphrpnk wrote:
> Hi all, It's obvious that some of us here are developers and still others have never typed make or gcc in their lives. -v and -V options given to various forms of ld caused the embedment of version information in the binary (Sunpro does this also, AND early versions of MSC allowed embedment of version information also.) The fact that most environments don't link -Bstatic and instead link -Bdynamic means that every time you attempt to produce a binary from 2 different systems the dynamic link information will be different. Check out link.h link_elf.h link_aout.h in /usr/include. In addition MOST modern development environments include a date field when compiled and linked in the binary. Sheesh, a cypherpunk BTW. AARG and eugene are idiots nyah nyah nyah!!
Re: Thanks, Lucky, for helping to kill gnutella (fwd)
At 1:03 AM +0200 on 8/10/02, Some anonymous, and now apparently innumerate, idiot in my killfile got himself forwarded to Mr. Leitl's cream of cypherpunks list:
> They will protect us from being able to extend trust across the network.

As Dan Geer and Carl Ellison have reminded us on these lists and elsewhere, there is no such thing as trust, on the net, or anywhere else. There is only risk.

Go learn some finance before you attempt to abstract emotion into the quantifiable. Actual numerate, thinking, people gave up on that nonsense in the 1970's, and the guys who proved the idiocy of trust, showing, like LaGrange said to Napoleon about god, that the capital markets had "no need that hypothesis, Sire" ended up winning a Nobel for that proof in the 1990's*.

Cheers,
RAH

*The fact that Scholes and Merton eventually ended up betting on equity volatility like it was actually predictable and got their asses handed to them for their efforts is beside the point, of course. :-).

--
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Re: Thanks, Lucky, for helping to kill gnutella
From: AARG!Anonymous [EMAIL PROTECTED]
> An article on Salon this morning (also being discussed on slashdot), http://www.salon.com/tech/feature/2002/08/08/gnutella_developers/print.html, discusses how the file-trading network Gnutella is being threatened by misbehaving clients. In response, the developers are looking at limiting the network to only authorized clients:
>
> They intend to do this using digital signatures, and there is precedent for this in past situations where there have been problems:
>
> Alan Cox, Years and years ago this came up with a game
>
> If only there were a technology in which clients could verify and yes,
>
> Be sure and send a note to the Gnutella people reminding them of all you're doing for them, okay, Lucky?

Now that is resorting to silly accusation.

My copy of Peer to Peer (Oram, O'Reilly) is out on loan but I think Freenet and Mojo use protocols that require new users to be contributors before they become consumers. (Leaving aside that Gnutella seems doomed on scalability grounds.)

Likewise the WAN shooter games have (partially) defended against cheats by making the client hold no authoritative data and by disqualifying those that send impossible traffic. (Excluding wireframe graphics cards is another matter.) If I were a serious gamer I'd want 2 communities - one for plain clients to match gaming skills and another for cheat all you like contests to match both gaming and programming skills.

If the Gnuts need to rework the protocol they should do so.

My objection to this TCPA/palladium thing is that it looks aimed at ending ordinary computing. If the legal scene were radically different this wouldn't be causing nearly so much fuss. Imagine:

- a DoJ that can enforce monopoly law
- copyright that expires in reasonable time (5 years for s/w ? 15 years for books,films,music... ?)
- fair use and first sale are retained
- no concept of indirect infringement (e.g. selling marker pens)
- criminal and civil liability for incorrectly barring access in DRM
- hacking is equally illegal for everybody
- no restriction on making and distributing/selling any h/w,s/w

If Anonymous presents Gnutella for serious comparison with the above issues I say he's looking in the wrong end of his telescope.

--
Antonomasia ant notatla.demon.co.uk
See http://www.notatla.demon.co.uk/
Re: TCPA/Palladium -- likely future implications
On 9 Aug 2002 at 17:15, AARG! Anonymous wrote:
> to understand it you need a true picture of TCPA rather than the false one which so many cypherpunks have been promoting.

As TCPA is currently vaporware, projections of what it will be, and how it will be used are judgments, and are not capable of being true or false, though they can be plausible or implausible.

Even with the best will in the world, and I do not think the people behind this have the best will in the world, there is an inherent conflict between tamper resistance and general purpose programmability. To prevent me from getting at the bits as they are sent to my sound card or my video card, the entire computer, not just the dongle, has to be somewhat tamper resistant, which is going to make the entire computer somewhat less general purpose and programmable, thus less useful.

The people behind TCPA might want to do something more evil than you say they want to do; if they want to do what you say they want to do they might be prevented by law enforcement which wants something considerably more far reaching and evil; and if they want to do it, and law enforcement refrains from reaching out and taking hold of their work, they still may be unable to do it for technical reasons.

--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
D7ZUyyAS+7CybaH0GT3tHg1AkzcF/LVYQwXbtqgP
2HBjGwLqIOW1MEoFDnzCH6heRfW1MNGv1jXMIvtwb
Re: Thanks, Lucky, for helping to kill gnutella
Several people have objected to my point about the anti-TCPA efforts of Lucky and others causing harm to P2P applications like Gnutella.

Eric Murray wrote:
> Depending on the clients to do the right thing is fundamentally stupid.

Bram Cohen agrees:
> Before claiming that the TCPA, which is from a deployment standpoint vaporware, could help with gnutella's scaling problems, you should probably learn something about what gnutella's problems are first. The truth is that gnutella's problems are mostly that it's a screamer protocol, and limiting which clients could connect would do nothing to fix that.

I will just point out that it was not my idea, but rather that Salon said that the Gnutella developers were considering moving to authorized clients. According to Eric, those developers are fundamentally stupid. According to Bram, the Gnutella developers don't understand their own protocol, and they are supporting an idea which will not help. Apparently their belief that clients like Qtrax are hurting the system is totally wrong, and keeping such clients off the system won't help.

I can't help believing the Gnutella developers know more about their own system than Bram and Eric do. If they disagree, their argument is not with me, but with the Gnutella people. Please take it there.

Ant chimes in:
> My copy of Peer to Peer (Oram, O'Reilly) is out on loan but I think Freenet and Mojo use protocols that require new users to be contributors before they become consumers.

Pete Chown echoes:
> If you build a protocol which allows selfish behaviour, you have done your job badly. Preventing selfish behaviour in distributed systems is not easy, but that is the problem we need to solve. It would be a good discussion for this list.

As far as Freenet and MojoNation, we all know that the latter shut down, probably in part because the attempted traffic-control mechanisms made the whole network so unwieldy that it never worked. At least in part this was also due to malicious clients, according to the analysis at http://www.cs.rice.edu/Conferences/IPTPS02/188.pdf. And Freenet has been rendered inoperative in recent months by floods. No one knows whether they are fundamental protocol failings, or the result of selfish client strategies, or calculated attacks by the RIAA and company. Both of these are object lessons in the difficulties of successful P2P networking in the face of arbitrary client attacks.

Some people took issue with the personal nature of my criticism:
> Your personal vendetta against Lucky is very childish.
> This sort of attack doesn't do your position any good.

Right, as if my normal style has been so effective. Not one person has given me the least support in my efforts to explain the truth about TCPA and Palladium.

Anyway, maybe I was too personal in singling out Lucky. He is far from the only person who has opposed TCPA. But Lucky, in his slides at http://www.cypherpunks.to, claims that TCPA's designers had as one of their objectives To meet the operational needs of law enforcement and intelligence services (slide 2); and to give privileged access to user's computers to TCPA members only (slide 3); that TCPA has an OS downloading a serial number revocation list (SNRL) which he has provided no evidence for whatsoever (slide 14); that it loads an initial list of undesirable applications which is apparently another of his fabrications (slide 15); that TCPA applications on startup load both a serial number revocation list but also a document revocation list, again a completely unsubstantiated claim (slide 19); that apps then further verify that spyware is running, another fabrication (slide 20).

He then implies that the DMCA applies to reverse engineering when it has an explicit exemption for that (slide 23); that the maximum possible sentence of 5 years is always applied (slide 24); that TCPA is intended to: defeat the GPL, enable information invalidation, facilitate intelligence collection, meet law enforcement needs, and more (slide 27); that only signed code will boot in TCPA, contrary to the facts (slide 28). He provides more made-up details about the mythical DRL (slide 31); more imaginary details about document IDs, information monitoring and invalidation to support law enforcement and intelligence needs, none of which has anything to do with TCPA (slides 32-33). As apparent support for these he provides an out-of-context quote[1] from a Palladium manager, who if you read the whole article was describing their determination to keep the system open (slide 34). He repeats the unfounded charge that the Hollings bill would mandate TCPA, when there's nothing in the bill that says such a thing (slide 35); and he exaggerates the penalties in that bill by quoting the maximum limits as if they are the default (slide 36).

Lucky can provide all this misinformation, all under the pretence, mind you, that this *is* TCPA. He was educating the audience, mostly people who were completely
Re: TCPA/Palladium -- likely future implications
On Fri, 9 Aug 2002, AARG! Anonymous wrote:
> : Allow computers separated on the internet to cooperate and share data
> : and computations such that no one can get access to the data outside
> : the limitations and rules imposed by the applications.
>
> It seems to me that my definition is far more useful and appropriate in really understanding what TCPA/Palladium are all about. Adam, what do you think?

Just because you can string words together and form a definition doesn't make it realizable. Once data is in the clear it can be copied, and no rules can change that. Either the data is available to the user, and they can copy it - or the data is not available to the user, and there's nothing they can do when their machine does somebody else's calculations.

> I have a couple of suggestions. One early application for TCPA is in closed corporate networks. In that case the company usually buys all the computers and prepares them before giving them to the employees. At that time, the company could read out the TPM public key and sign it with the corporate key. Then they could use that cert rather than the TPME cert. This would protect the company's sensitive data against eavesdroppers who manage to virtualize their hardware.

And guess what? I can buy that today! I don't need either TCPA or Palladium. So why do we need TCPA?

> Think about it: this one innocuous little box holding the TPME key could ultimately be the root of trust for the entire world. IMO we should spare no expense in guarding it and making sure it is used properly. With enough different interest groups keeping watch, we should be able to keep it from being used for anything other than its defined purpose.

Man, I want the stuff you are smoking! One attack point is the root of trust for the whole world!!???!!! Take another hit dude, and make sure you see lots of colors too.

Patience, persistence, truth,
Dr. mike
TCPA ad nauseum
On Fri, 9 Aug 2002, AARG! Anonymous wrote:
> Of course his analysis is spoiled by an underlying paranoia. So let me ask just one question. How exactly is subversion of the TPM a greater threat than subversion of your PC hardware today? How do you know that Intel or AMD don't already have back doors in their processors that the NSA and other parties can exploit? Or that Microsoft doesn't have similar backdoors in its OS? And similarly for all the other software and hardware components that make up a PC today?
>
> In other words, is this really a new threat? Or are you unfairly blaming TCPA for a problem which has always existed and always will exist?

The difference is that *anyone* can see what goes on inside an Intel or AMD processor. Only the key holder of the TPM can see inside the protected code space. You can't put back doors into the code now because the code is visible to all users. The purpose of crypto is to hide information even tho the attacker can see all the machinery work. If you don't want to have the machinery visible, then use a sealed system (like smart card).

Patience, persistence, truth,
Dr. mike