SF Bay area to begin massive tracking of FasTrak commuters [ or if it is available , we will use or abuse it djf]

2002-08-09 Thread Bill Stewart

The Fastrak system used for toll collections in San Francisco
and other areas has found another use - monitoring traffic flow on freeways
by tracking suckers\\\customers' cars when they're *not* in tollbooths.
The system managers purport that they'll protect privacy by
destroying any individually identifiable data after a day,
and also keeping personal identification information separate from
encrypted transponder IDs, but fundamentally, if the information's there,
it's accessible and usable.


-Original Message-
From: Dave Farber [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 08, 2002 5:33 PM
To: ip
Subject: IP: SF Bay area to begin massive tracking of FasTrak commuters [
or if it is available , we will use or abuse it djf]


http://www.newsday.com/news/nationworld/wire/sns-ap-tracking-drivers0808aug08.story?coll=sns%2Dap%2Dnationworld%2Dheadlines

http://www.newsday.com/news/nationworld/wire/sns-ap-tracking-drivers0808aug08.story 


Traffic System Causes Privacy Outcry
By KAREN GAUDETTE
Associated Press Writer

August 8, 2002, 6:36 PM EDT

OAKLAND, Calif. -- In about a month, traffic sensors being installed along
San Francisco Bay area highways will be able to track a quarter million
drivers along their commutes.
Proponents say the $37 million enhancement to the region's electronic toll
system will be a boon to commuters, providing motorists real-time
information about some of the nation's worst road congestion via cell phone,
radio or Internet.
Traffic planners will be able to gather crucial data on problem areas.
But despite government assurances, the new program is also raising fears
that drivers' privacy will be invaded.
Similar to systems in Houston and the New York region, the Bay area's
FasTrak program already eases waits at toll plazas by enabling motorists to
pay with electronic devices velcroed to the windshields of vehicles.
Now, radio-based sensors mounted on highway signs every few miles will
augment the devices' usefulness.
To the dismay of some FasTrak users, monitoring is not optional. The only
way to avoid triggering the sensors throughout nine Bay Area counties is to
stash the transponder in its accompanying Mylar bag.
Project leaders at the Metropolitan Transportation Commission say they're
not interested in the movements of individual drivers, and have gone to
great lengths to protect privacy, including encrypting the serial number of
each transponder as its location is transmitted.
Authorities promise to keep this data separate from the identities of
FasTrak users and other information needed to make automatic monthly
deductions from their bank or credit card accounts.
We're not tracking or trying to follow any individual car, just the overall
traffic flow, TravInfo project manager Michael Berman said.
But some drivers say having a more detailed traffic report isn't worth the
sense that someone's watching.
I personally am a little creeped out by it, said interior designer Heidi
Hirvonen-White, who crosses the Golden Gate Bridge commuting between Tiburon
and San Francisco. In today's society it seems like any sort of code or
whatnot can be broken.
Those in the automotive telematics industry say the Bay Area's TravInfo
project is only the latest example of the growing phenomenon of remote
monitoring.
Many rental fleets and trucking companies already use satellite positioning
systems to track cars and cargo. Companies promote similar products for
keeping tabs on kids, Alzheimer's patients or cheating spouses.
Washington is also promoting locator technology. By October, the Federal
Communications Commission wants cell phones equipped with locator technology
to help emergency responders find callers.
That requirement will also enable authorities to track users, even
calculating road speeds, said Ray Grefe, vice president of business
development for telematics software company Televoke.
I think there are going to be some nasty court battles that come out of all
of this stuff, Grefe said.
Transponder data has already been used in court.
In 1997, E-ZPass records helped show what kidnappers did to New Jersey
restaurant millionaire Nelson Gross, whose BMW crossed the George Washington
Bridge into Manhattan, where his beaten corpse was found.
Another case involved a Connecticut rental car company that charged
customers $150 each time a GPS receiver showed they were speeding. The
company has since stopped the practice.
Berman emphasized that the Bay Area system won't be used to track kidnappers
or car thieves who happen to have FasTrak in their cars, let alone
adulterers.
The MTC -- along with its partners, the California Highway Patrol and the
state transportation department -- has received no requests from law
enforcement to tweak the system so drivers could be pursued, Berman said,
adding, I think if they were to request it, we would say no. That's not our
job.
But privacy advocates say that once the sensors are in place, there's
nothing to prevent such a change. New laws 

Utilizing Palladium against software piracy

2002-08-09 Thread Lucky Green

I would like to again thank the Palladium team, in particular Peter
Biddle, for participating in yesterday's panel at the USENIX Security
conference on Palladium and TCPA.

Unfortunately I do not have the time at the moment to write up the many
valuable and informative points made during the panel discussion. I
will, however, highlight one such issue:

As Peter pointed out, while the Palladium effort was started to meet the
content protection requirements of digital video content providers, he
also pointed out that Microsoft and its Palladium group have so far been
unable to determine a method in which Palladium could be utilized to
assist in the efforts against application software piracy. As Peter
mentioned, the Palladium team on several occasions had to tell
Microsoft's anti-piracy group that Palladium is unsuitable to assist in
software (as distinct from content) licensing and anti-piracy efforts.
Since Microsoft is not aware of a method to utilize the Palladium
environment in the enforcement of software licenses, Peter argued,
Microsoft does not intend to and will not utilize Palladium to assist in
the enforcement of software licensing.

I, on the other hand, am able to think of several methods in which
Palladium or operating systems built on top of TCPA can be used to
assist in the enforcement of software licenses and the fight against
software piracy. I therefore, over the course of the night, wrote - and
my patent agent filed with the USPTO earlier today - an application for
a US Patent covering numerous methods by which software applications
can be protected against software piracy on a platform offering the
features that are slated to be provided by Palladium.

--Lucky Green




RE: Challenge to TCPA/Palladium detractors

2002-08-09 Thread Lucky Green

Anonymous wrote:
> Matt Crawford replied:
> > Unless the application author can predict the exact output of the
> > compilers, he can't issue a signature on the object code.  The
> > compilers then have to be inside the trusted base, checking a
> > signature on the source code and reflecting it somehow through a
> > signature they create for the object code.
>
> It's likely that only a limited number of compiler
> configurations would be in common use, and signatures on the
> executables produced by each of those could be provided.
> Then all the app writer has to do is to tell people, get
> compiler version so-and-so and compile with that, and your
> object will match the hash my app looks for. DEI

The above view may be overly optimistic. IIRC, nobody outside PGP was
ever able to compile a PGP binary from source that matched the hash of
the binaries built by PGP. 

--Lucky Green




Re: Challenge to TCPA/Palladium detractors

2002-08-09 Thread Eugen Leitl

On Wed, 7 Aug 2002, Matt Crawford wrote:

> Unless the application author can predict the exact output of the
> compilers, he can't issue a signature on the object code.  The

Same version of compiler on same source using same build produces 
identical binaries.

> compilers then have to be inside the trusted base, checking a
> signature on the source code and reflecting it somehow through a
> signature they create for the object code.

You have the source, compile it using the official compiler and the
official build options, and record the blob. Entity X claims it runs the
same system that it gave you the source for. You can't sign it, but you
can verify the signed blob is the same.

The blob can still be trojaned, but you can disassemble and debug it.




Re: Challenge to TCPA/Palladium detractors

2002-08-09 Thread Eugen Leitl

On Fri, 9 Aug 2002, David Howe wrote:

> It doesn't though - that is the point. I am not sure if it is simply
> that there are timestamps in the final executable, but Visual C (to give
> a common example, as that is what the windows PGP builds compile with)
> will not give an identical binary, even if you hit rebuild all twice
> in close succession and compare the two outputs, nothing having changed.

I've just verified this also occurs on OpenSSL under RH 7.3 (gcc --version
2.96). I haven't done a binary diff, but I'm also suspecting a time stamp.  
Can anyone shed some light on this?
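
The binary diff asked about above, as an added example that is not part of the original post: for the Visual C case David Howe describes, it compares two builds byte for byte, checks whether every difference falls inside the PE/COFF header's TimeDateStamp field, and hashes the image with that field masked so the hashes can be compared. The sample images are constructed inline (not loadable executables) and all function names are hypothetical; a real image may carry further build-dependent fields, which would be reported as "unexplained".

```python
import hashlib
import struct

COFF_TIMESTAMP_OFFSET = 8  # bytes from the "PE\0\0" signature to TimeDateStamp
COFF_TIMESTAMP_SIZE = 4


def make_sample_pe(timestamp, code=b"\x55\x8b\xec\x33\xc0\x5d\xc3"):
    """Constructed sample: DOS header, PE signature, 20-byte COFF header, code."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)  # pointer to the PE signature
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 1, timestamp, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff + code


def diff_ranges(a, b):
    """Return half-open (start, end) ranges where two equal-length blobs differ."""
    if len(a) != len(b):
        raise ValueError("blobs differ in length; a byte-wise diff does not apply")
    ranges, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(a)))
    return ranges


def coff_timestamp_span(blob):
    """Return the (start, end) byte span of the COFF TimeDateStamp field."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    start = e_lfanew + COFF_TIMESTAMP_OFFSET
    return start, start + COFF_TIMESTAMP_SIZE


def explain_diff(a, b):
    """Label each differing range 'timestamp' or 'unexplained'."""
    ts_start, ts_end = coff_timestamp_span(a)
    report = []
    for start, end in diff_ranges(a, b):
        inside = ts_start <= start and end <= ts_end
        report.append((start, end, "timestamp" if inside else "unexplained"))
    return report


def normalized_sha256(blob):
    """SHA-256 of the image with the TimeDateStamp field zeroed."""
    ts_start, ts_end = coff_timestamp_span(blob)
    masked = blob[:ts_start] + b"\0" * (ts_end - ts_start) + blob[ts_end:]
    return hashlib.sha256(masked).hexdigest()


# Constructed inputs: two rebuilds 12 seconds apart, and one altered code byte.
BUILD_1 = make_sample_pe(0x3D53F1A0)
BUILD_2 = make_sample_pe(0x3D53F1AC)
TAMPERED = make_sample_pe(0x3D53F1A0, code=b"\x55\x8b\xec\x31\xc0\x5d\xc3")

if __name__ == "__main__":
    for name, other in (("rebuild", BUILD_2), ("tampered", TAMPERED)):
        same = normalized_sha256(BUILD_1) == normalized_sha256(other)
        print(name, explain_diff(BUILD_1, other), "normalized hashes equal:", same)
```
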




NOT SPAM PLEASE READ!!!!

2002-08-09 Thread dean stewart



Hi,

For the past week, just like yourself I have 
been receiving emails about long distance low cost calls. have asked 
them to stop spamming but they just won't stop

If anybody has any ideas please help I have 
reported this abuse to spamcop and netscape. any further info would 
help.

Dean Stewart


INfinite INcome INterested? Visit www.eurexcelir.com/biz Or call Dean 
Stewart on 01233 503368 to discover what our business can do for 
you.


Homeland securities new agency;Ministerium für Statessicherheit.

2002-08-09 Thread Matthew X

Including informants, the Stasi at one point would number one operative 
for every 66 East German citizens; so ruthless and efficient were they in 
their efforts to squelch dissent that even the KGB found itself 
occasionally appalled by the Stasi's methods.
http://www.amazon.com/exec/obidos/ASIN/0813337445/ref=pd_sim_books/104-0188761-0538340
Both IBM and Texas Instruments unknowingly employed Stasi spies who 
gathered information about computers and communications apparatus. Another 
group had developed a unique particle spray, similar to a chemical weapon, 
to spread over enemy communication stations and disrupt correspondence in 
case of war.
Mmm.
Can you imagine a police informer for every 6.5 persons in the country? All 
phones tapped. All packages/letters
from the outside world opened and usually kept (stolen). Can you imagine 
spending your life in a 6x6 cell in total
isolation. One young man (38y/o) lived for 9yrs, till his death, like that. 
Six medical students spent 3 to 11yrs in
prison just for applying for a VISA! 
Its getting easier.







The Lazy 'C' brand.

2002-08-09 Thread Matthew X

'C' stands for Crawford,Shrubs school grades and Castor seed poison needed 
to take out the Cunt.
If the White House is empty, it must be August.
With presidents like this, who needs enemies?
Download attached file: prettyvacant. (mimetype: image/pjpeg )The World 
This Week: Pretty Vacant
If the White House is empty, it must be August.
http://www.newmassmedia.com/nac.phtml?code=hardb=nac_fearef=21531
By Alan Bisbort
Published 08/08/02

After bringing America to the brink of economic collapse and hammering out 
the framework of his permanent police state, George W. Bush is taking 
August off for vacation. The rest of us who have to work for a living can 
expect absurd photo ops to abound (e.g., Bush is the only person in Texas 
who chops wood in the middle of August). While Bush putters about on his 
ranch in his golf cart, dressed in silly cowboy duds, the nation should 
take a collective sigh of relief. With presidents like this, who needs 
enemies?

While there's a break in the inaction, let's flash back to last August. 
That is the month W. chose to be -- paraphrasing his Poppy -- out of the 
loop. Too bad for us, because that's the month when intelligence reports 
were coming in as fast and furious as Scud missiles about al Qaeda's plans 
to hijack planes and use them as missiles. Indeed, Osama all but Fed-Ex'ed 
a hand-delivered, gilt-edged notice to Bush's ranch about his plans. And 
yet, Condi Rice assured us that they could not connect the dots.

Even if hindsight is 20/20, it's as clear as a summer day last August in 
Crawford, Texas that George W. Bush was driving completely blind in the 
month before the terror attacks. Bush insists that he took all necessary 
measures to prevent an attack from occurring, but I went back and examined 
every issue of Time and Newsweek from Aug. 6 through Sept. 10, 2001 -- and 
I would warrant that the same pattern would be seen were one to pore over 
daily editions of, say, the New York Times and the Washington Post.

I examined these magazines, in part, out of native curiosity. I did it 
also, in part, because I was given this challenge by one of my readers:

To my knowledge, no one has yet asked or answered the question: 'What were 
Bush and Cheney doing during that month that they regarded as more 
important than dealing with and passing along a terrorist threat that wound 
up costing more than 3,000 lives in the first attack upon the soil of our 
sovereign nation? Were they gerrymandering environmental laws to help their 
cronies make money? Were they meeting with Enron execs so that these soiled 
crooks could set energy policy? What were these two fellows, still so 
highly regarded by the American public for their strength of character, 
doing during that crucial month while the al-Qaeda suicide hijackers were 
making their final plans?

It seems the press did not connect the dots, either. During the five weeks 
prior to Sept. 11, America's two widest-circulating news magazines did not 
carry a single story on domestic terrorism, bioterrorism, vigilance at 
America's airports or even the slightest hint that anyone on Bush's staff, 
from Colin Powell to John Ashcroft to Rove, Card, Rice and Cheney gave even 
a nod, wave or shoulder-shrug to the possibility of a domestic terrorist 
attack.

They may insist that all of their preparedness was being done behind the 
scenes (don't want to tip the old hand to wily evildoers like Osama and 
Saddam, now, do we?), but a complete lack of forewarning has been remarked 
upon by the pilots' association, air traffic controllers, business 
travelers, and even Rudi Giuliani (who, instead of trying to prop up Bush, 
should stand alongside the people of his wounded city, rightfully demanding 
answers). My point: Even if they were working behind the scenes, they did 
not share the information with the very people who would have been in the 
best position to save American lives.

It is now impossible to draw any other conclusions than this overridingly 
obvious one: This five-week period of what will, in hindsight, be regarded 
as one of the most important in U.S. history, offers real time, crystal 
clear documentation of appalling laziness and abject failure, from the 
White House all the way down to the White House press corps. What will Bush 
miss during his August nap this year?





AdCouncil PSAs.ChuckO agree's.

2002-08-09 Thread Matthew X

Holy fuck, I can't believe these new TV PSAs from the AdCouncil:
http://www.adcouncil.org/campaigns/campaign_for_freedom


These PSAs are really wacked out. They are supposed to be fictional depictions of life in a country other than the U.S., but they are incredibly hypocritical! For example, the Library PSA shows a young guy asking for a book from a librarian, who informs him that it is no longer available and then asks him why he wants to read it. They pan the library and all these government agents pop out of hiding. Of course, as many of you know, the U.S. government would like to see this become a reality, with some kind of TIPS programs for libraries. The FBI is already requesting information from libraries and libraries have this annoying habit of monitoring and controlling the surfing habits of patrons at library terminals. I looked at another PSA, Arrest, which shows some guy being pulled over by the police and then being arrested for having the wrong reading material. Fact is, activists and other people have routinely been detained at airports for having the wrong reading material. Having radical books in your car has frequently been a pretext for arrest and, at the least, harassment. ChuckO.
ChuckO runs an excellent anarchist site at www.infoshop.org 
I recommend the interactive news highly.



X-box crack

2002-08-09 Thread Matthew X

http://www.politechbot.com/p-03864.html

If anyone asks,(or subpoena's,yikes!) I am simply RESEARCHING present web 
vulnerabilities in relation to 'trust' in cyberspace.

APster; who do you want to kill today?




Eat your greenes.

2002-08-09 Thread Matthew X

http://www.theregister.co.uk/content/6/26598.html
Web pornographer hacks bin Laden 
By Thomas C Greene in Washington

Posted: 09/08/2002 at 08:49 GMT
The Western intelligence establishment must be dancing for joy knowing
that Internet pornographer Jon Messner has managed to infiltrate the
shadowy world of al-Qaeda cyberterror involving a Web site called Al
Neda. 
This amazing story, broken by senior
CNN drone Mike Boettcher, details the cheap publicity stunt of a pathetic
little man who pimps his own wife on line via naughty, nudie Web-cams
through his 'housewives' porno Web site. 
Following Boettcher's expert investigative reporting, we learn that
Messner hijacked a high-level viper's nest of hideous terrorists. Or
maybe he just copied their posts. Boettcher seems not to know the
difference, or care. 
Messner, using the aggressive tactics he's employed to run his
adult site, said he 'hijacked' Al Neda for five days and recorded a
'virtual who's-who of every hostile message board and site on the
Internet,' Boettcher says. 
Traffic to the site increased under his control, most of it coming
from Saudi Arabia, [Messner] said. The majority of the September 11
hijackers were from Saudi Arabia. 
Surely that's all the evidence we need. Traffic from Saudi Arabia. Case
closed. 
Of the patriotic Messner, Boettcher writes, His Porsche and its
'WIVES' vanity plates memorializing his success in adult entertainment
are, he believes, a testament that he and his family are living the
American Dream. 
Well, if the American Dream involves pimping your wife on the Web, then I
reckon he's right about that. Thank God thousands of brave young men are
sleeping rough and eating crummy MREs in Afghanistan as we speak,
exposing themselves to considerable hardship and risk in order to
preserve it. ® You may get lucky.



Jamesd; the ex-trotskyists 'enemies list.'

2002-08-09 Thread Matthew X

It's interesting to note a peculiar pattern that seems to be emerging: many 
of the biggest warmongers, in the post 9/11 era, are ex-nutballs of one 
sort or another who went straight – and veered off into a more lucrative 
variety of extremism. Murawiec is merely the latest case. Think of David 
Horowitz, the ex-leftist cheerleader for the Black Panthers who now goes 
around lecturing blacks on their alleged racism and demanding all-out war 
on the Arab world. Think of Stephen Schwartz, the Weekly Standard's 
expert on Wahabism, who gave up the fringe politics of 
left-anarcho-Trotksyism to become a major theoretician of the 
Riyadh-as-kernel of evil school.
How long were you a trot jamesd? 4 years?,5?
Not that theres anything wrong with that.




Arbusto news.

2002-08-09 Thread Matthew X

Genetically modified crops may pass helpful
traits to weeds, study finds
'For the first time, researchers have shown that a gene
artificially inserted into crop plants to fend off pests can migrate to
weeds in a natural environment and make the weeds stronger. Scientists
studied genetically engineered sunflowers - those modified with a gene
that produces a chemical toxic to certain insects - to see what happened
when these foreign genes, called transgenes, were inadvertently passed
along to weedy relatives' ( Ohio
State )
See also this abstract, and this
blog entry from last 
month.LINKS
http://www.hullocentral.demon.co.uk/site/anfin.htm



Bad Gorilla! Dont do that again!

2002-08-09 Thread Matthew X

Another Day, Another No-Penalty Microsoft
Settlement
ZDNet: Microsoft, FTC, Settle over
Passport. We believe that Microsoft made a number of
misrepresentations, dealing with, one, the overall security of the
Passport system and personal information stored on it; two, the security
of online purchases made with Passport Wallet; three, the kinds of
personal information Microsoft collects of users of the Passport service;
and four, how much control parents have over the information collected by
Web sites participating in the Kids Passport program, Muris said
during the conference call. 
Remember Microsoft's squeals of angst when privacy advocates complained
about Passport? 
Once again, Microsoft is found not to be telling the truth about serious
issues. And, once again, the governmental agency with the power to do
something realistic fades away on contact. 
The FTC hasn't even issued a slap on the wrist here. It merely got
Microsoft to agree not to do it again.
http://www.siliconvalley.com/mld/siliconvalley/business/columnists/dan_gillmor/ejournal/
Scroll down for encrypted mac option.
Was CJ way ahead of the curve in threatening to kill Bill? Answers on the
back of a stamp to sam adams...
Neither the wisest constitution nor the wisest laws
will secure the liberty and happiness of a people whose manners are
universally corrupt.
— Samuel Adams 



Pool full of Sharks.

2002-08-09 Thread Matthew X

Today, GMA booking wars
have gotten insane, says TV veteran
While one source says the situation is insane,
Verne Gay describes the morning show feud as nutty.
Producers at the ABC and NBC morning shows have accused the other of
lying, cheating and breaking -- or at least twisting -- established
rules. Gay writes: In case you're wondering, 'Today' despises
'GMA,' and the feeling is mutual. (Newsday)
 SLEAZY OR MERELY
COMPETITIVE?: One producer [involved in trying to book
the kidnap victims] was said to have swerved into another on the highway;
one was said to have sobbed to the girls that she would be fired
if the interview didn't take place. Another was alleged to have called
the police to complain that the competition was stalking the
girls, in order to keep them away. (Los Angeles Times)
 TV show bookers tell victims they'll
feel better after telling their tales
http://www.poynter.org/medianews/


Faith based education,shrub approved madrasses coming soon.

2002-08-09 Thread Matthew X

'Terrorist School' Head Acquitted 
Associated Press


Print this 
8:55 a.m. Aug. 9, 2002
PDT 
LONDON -- A chef who promoted The Ultimate Jihad Challenge on
an Internet site, inviting people to take weapons training in the United
States, was found innocent of terrorist charges Friday. 
A jury at London's Old Bailey criminal court found Sulayman Balal
Zainulabidin, 44, innocent of violating the Terrorism Act. 
http://www.wired.com/news/politics/0,1283,54440,00.html
Faith-Based and Community
Initiatives: Rallying the Armies of ... 
... US Department of Labor Center for
Faith-Based and Community Initiatives; Center
for Faith-Based and Community Initiatives at the US
Department of Education; ... 
Description: Promoting the President's vision to enlist, equip, enable,
empower and expand the heroic works of...
Category: Regional  North America  ...
 Domestic Policy Council
www.whitehouse.gov/infocus/faith-based/
- 42k - 8 Aug 2002 - Cached -
Similar pages 
How can one president be so fucking
stupid?


Rush in democRATS and blipverts.GREAT DANEger.

2002-08-09 Thread Matthew X

Russia: Subliminal media manipulation? Russia's Deputy Media Minister
Valerii Sirozhenko has announced that his agency has set up special
devices capable of detecting the illegal use of the so-called 25th
frame to send subliminal messages to television viewers, Russian
agencies reported. 
Sirozhenko claimed that many channels use the 25th frame, and if such
usage is proven by the new equipment, they will be subject to stiff fines
or the revocation of their broadcasting licenses. He also mentioned that
the practice was used in the Soviet era for unclear reasons.

On June 27 Sirazhenko warned some TV stations who his office
know are using subliminal advertising. Sirazhenko says there has
only been one case of a television station being caught. Two years ago,
reported the Moscow Times, the Press Ministry said Yekaterinburg
broadcaster ATN was trying to mesmerise its viewers with an undetectable
watch only ATN command.
According to popular legend, in the 1950s, tests in cinemas in the United
States using an undetectable 25th frame with an advertising slogan, such
as eat popcorn, drink Coke resulted in significant increases
in consumption of both. Movies recorded on film are normally shown at 24
frames per second, the speed with which the human eye recognizes fluent
motion
The concept of so-called 'subliminal advertising' has been widely derided
in recent years, though the practice, effective or otherwise, is still
illegal in Russia and the US.
RFE Radio Liberty report.
Snopes.com 'urban legends' pages on
subliminal advertising.
The row over subliminal advertising during the
2000 US presidential elections.
FROM
http://www.indexonline.org/indexindex/20020809_russia.shtml



ZIMMERMAN DEAD SHOCK!

2002-08-09 Thread Matthew X

http://www.sportsshooter.com/news_story.html?id=745
My what big ears you have.
Last weekend in Monterey, Calif.
Zimmerman, who is known as one of the true pioneers of sports photography 
and recognized by everyone as one of the greatest sports photographers of 
all time grew up in Los Angeles. He got his start in the business after 
leaving the Navy in the late 1940's. Zimmerman then took odd jobs working 
for International News and the LIFE Los Angeles bureau. When a job opened 
up as a LIFE darkroom technician in Washington D.C. Zimmerman headed 
east. Before finally heading South.
I hear Declan is available to serve if called upon, in the interests of 
national security.




Thanks, Lucky, for helping to kill gnutella

2002-08-09 Thread AARG! Anonymous

An article on Salon this morning (also being discussed on slashdot),
http://www.salon.com/tech/feature/2002/08/08/gnutella_developers/print.html,
discusses how the file-trading network Gnutella is being threatened by
misbehaving clients.  In response, the developers are looking at limiting
the network to only authorized clients:

> On Gnutella discussion sites, programmers are discussing a number of
> technical proposals that would make access to the network contingent
> on good behavior: If you write code that hurts Gnutella, in other
> words, you don't get to play. One idea would allow only clients that
> you can authenticate to speak on the network, Fisk says. This would
> include the five-or-so most popular Gnutella applications, including
> Limewire, BearShare, Toadnode, Xolox, Gtk-Gnutella, and Gnucleus. If
> new clients want to join the group, they would need to abide by a certain
> communication specification.

They intend to do this using digital signatures, and there is precedent
for this in past situations where there have been problems:

> Alan Cox, a veteran Linux developer, says that he's seen this sort of
> debate before, and he's not against a system that keeps out malicious
> users using technology. Years and years ago this came up with a game
> called Xtrek, Cox says. People were building clients with unfair
> capabilities to play the space game -- and the solution, says Cox,
> was to introduce digital signatures. Unless a client has been signed,
> it can't play. You could build any client you wanted, but what you can't
> do is build an Xtrek client that let you play better.

Not discussed in the article is the technical question of how this can
possibly work.  If you issue a digital certificate on some Gnutella
client, what stops a different client, an unauthorized client, from
pretending to be the legitimate one?  This is especially acute if the
authorized client is open source, as then anyone can see the cert,
see exactly what the client does with it, and merely copy that behavior.

If only there were a technology in which clients could verify and yes,
even trust, each other remotely.  Some way in which a digital certificate
on a program could actually be verified, perhaps by some kind of remote,
trusted hardware device.  This way you could know that a remote system was
actually running a well-behaved client before admitting it to the net.
This would protect Gnutella from not only the kind of opportunistic
misbehavior seen today, but the future floods, attacks and DOSing which
will be launched in earnest once the content companies get serious about
taking this network down.

If only...  Luckily the cypherpunks are doing all they can to make sure
that no such technology ever exists.  They will protect us from being able
to extend trust across the network.  They will make sure that any open
network like Gnutella must forever face the challenge of rogue clients.
They will make sure that open source systems are especially vulnerable
to rogues, helping to drive these projects into closed source form.

Be sure and send a note to the Gnutella people reminding them of all
you're doing for them, okay, Lucky?




Keywords trump Links shock.

2002-08-09 Thread Matthew X

http://www.anarchy-online.com/
Play trumps politics every time.
Wed, 07 Aug, 2002
Clan Leader Missing!
MONGO!
1st Amendment dead drop.
http://www.bristolnews.com/front/MGBUSN1MK4D.html
There are some very important reasons behind the secrecy of this
court's grand jury process, 
I would like to tell you more but...
I am NOT your source for this story, you did not see me or know who I
am.



CAMPAIGN FOR TOUR ORGANIZATIONS..

2002-08-09 Thread cpunks
Title: Birfidan2002

INCREDIBLE CAMPAIGN!..

AN IMPORTANT ANNOUNCEMENT TO OUR INSTITUTIONS AND ORGANIZATIONS...

THANKS TO OUR CAMPAIGN TOUR, YOUR CONCERT, FESTIVAL, FAIR AND SIMILAR
EVENT ORGANIZATIONS ARE CARRIED OUT AT A DISCOUNT OF 1/3 OFF MARKET
STANDARDS.

ARTISTS TAKING PART IN OUR 2002 CAMPAIGN TOUR

The layout of the artist ordering has nothing to do with career standing.

IN ADDITION, FOR YOUR WEDDING, ENGAGEMENT, BALL AND SIMILAR
ORGANIZATIONS, WE ARE AT YOUR SERVICE WITH OUR RICH ROSTER OF ARTISTS
AND MUSIC GROUPS.

FOR MORE DETAILED INFORMATION

Tel: 0 212 352 0976 (PBX)
E-Mail : [EMAIL PROTECTED]

NOTE: WE APOLOGIZE FOR ANY INCONVENIENCE CAUSED TO THE OWNERS OF E-MAIL
ADDRESSES REACHED IN ERROR DUE TO A POSSIBLE MAIL TRANSFER ERROR.






Re: Thanks, Lucky, for helping to kill gnutella

2002-08-09 Thread Eric Murray

On Fri, Aug 09, 2002 at 10:05:15AM -0700, AARG! Anonymous wrote:
 
  On Gnutella discussion sites, programmers are discussing a number of
  technical proposals that would make access to the network contingent
  on good behavior: If you write code that hurts Gnutella, in other
  words, you don't get to play. One idea would allow only clients that
  you can authenticate to speak on the network, Fisk says. This would
  include the five-or-so most popular Gnutella applications, including
  Limewire, BearShare, Toadnode, Xolox, Gtk-Gnutella, and Gnucleus. If
  new clients want to join the group, they would need to abide by a certain
  communication specification.
 
 They intend to do this using digital signatures, and there is precedent
 for this in past situations where there have been problems:


Depending on the clients to do the right thing is fundamentally stupid.


[..]

 
 Be sure and send a note to the Gnutella people reminding them of all
 you're doing for them, okay, Lucky?

This sort of attack doesn't do your position any good.


Eric




Re: Challenge to TCPA/Palladium detractors

2002-08-09 Thread Ken Brown

James A. Donald wrote:
 
 --
 On Wed, 7 Aug 2002, Matt Crawford wrote:
   Unless the application author can predict the exact output of
   the compilers, he can't issue a signature on the object code.
   The
 
 On 9 Aug 2002 at 10:48, Eugen Leitl wrote:
  Same version of compiler on same source using same build
  produces identical binaries.
 
 This has not been my experience.

Nor anyone else's

If only because the exact image you depends on a hell of a lot of
programs   libraries. Does anyone expect /Microsoft/ of all software
suppliers to provide consistent versioning and reproducible or
predictable software environments? These are the people who brought us
DLL Hell. These are the people who fell into the MDAC versioning
fiasco. 

Ken




RE: Challenge to TCPA/Palladium detractors

2002-08-09 Thread Sam Simpson

I'm not surprised that most people couldn't produce matching PGP
executables - most compilers (irrespective of compiler optimisation
options etc) include a timestamp in the executable.

Regards,

Sam Simpson
[EMAIL PROTECTED]
http://www.samsimpson.com/
Mob:  +44 (0) 7866 726060
Home Office:  +44 (0) 1438 229390
Fax:  +44 (0) 1438 726069

On Fri, 9 Aug 2002, Lucky Green wrote:

 Anonymous wrote:
  Matt Crawford replied:
   Unless the application author can predict the exact output of the
   compilers, he can't issue a signature on the object code.  The
   compilers then have to be inside the trusted base, checking a
   signature on the source code and reflecting it somehow through a
   signature they create for the object code.
 
  It's likely that only a limited number of compiler
  configurations would be in common use, and signatures on the
  executables produced by each of those could be provided.
  Then all the app writer has to do is to tell people, get
  compiler version so-and-so and compile with that, and your
  object will match the hash my app looks for. DEI

 The above view may be overly optimistic. IIRC, nobody outside PGP was
 ever able to compile a PGP binary from source that matched the hash of
 the binaries built by PGP.

 --Lucky Green


 -
 The Cryptography Mailing List
 Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
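
Added example, not part of any post in this thread: a check for the timestamp effect described in the message above, for the case where the artifact is a PE executable whose COFF header carries a linker-written TimeDateStamp. The images, timestamps and function names are constructed for illustration; real executables can embed build times in other places too (debug and export directories, for instance), which this sketch does not touch.

```python
import hashlib
import struct

PE_SIGNATURE = b"PE\0\0"


def build_image(timestamp: int, code: bytes) -> bytes:
    """Constructed minimal PE-style image (not a loadable executable):
    64-byte DOS header, PE signature, 20-byte COFF header, then code bytes."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))   # e_lfanew -> PE signature
    coff = struct.pack(
        "<HHIIIHH",
        0x014C,     # Machine: i386
        1,          # NumberOfSections
        timestamp,  # TimeDateStamp, written at link time
        0, 0,       # PointerToSymbolTable, NumberOfSymbols
        0,          # SizeOfOptionalHeader
        0x0102,     # Characteristics: executable, 32-bit
    )
    return bytes(dos) + PE_SIGNATURE + coff + code


def timestamp_offset(image: bytes) -> int:
    """Locate the COFF TimeDateStamp field, validating the headers on the way."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)
    if image[pe_off:pe_off + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature")
    if len(image) < pe_off + 12:
        raise ValueError("truncated COFF header")
    return pe_off + 8   # signature (4) + Machine (2) + NumberOfSections (2)


def read_timestamp(image: bytes) -> int:
    return struct.unpack_from("<I", image, timestamp_offset(image))[0]


def digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def normalized_digest(image: bytes) -> str:
    """Hash the image with the TimeDateStamp field zeroed."""
    off = timestamp_offset(image)
    buf = bytearray(image)
    buf[off:off + 4] = b"\0" * 4
    return hashlib.sha256(buf).hexdigest()


def diff_offsets(a: bytes, b: bytes) -> list:
    """Byte offsets at which two equal-length images differ."""
    if len(a) != len(b):
        raise ValueError("images differ in length")
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def explain_mismatch(official: bytes, rebuilt: bytes) -> str:
    """Classify why a rebuilt binary does or does not match the published one."""
    if official == rebuilt:
        return "identical"
    if normalized_digest(official) == normalized_digest(rebuilt):
        return "timestamp-only"
    return "content differs"


# Constructed samples: same code linked at two different times, plus one
# image whose code bytes were changed.
CODE = b"\x55\x8b\xec\xc3"
OFFICIAL = build_image(0x3D53F8A0, CODE)
REBUILT = build_image(0x3D540000, CODE)
PATCHED = build_image(0x3D53F8A0, b"\x55\x8b\xec\x90")

if __name__ == "__main__":
    print(explain_mismatch(OFFICIAL, REBUILT), diff_offsets(OFFICIAL, REBUILT))
    print(explain_mismatch(OFFICIAL, PATCHED))
```

A plain hash comparison rejects the honest rebuild and the altered image alike; only comparing with the known-volatile field masked separates the two cases.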




Hollywood-Mafia Links slammed.

2002-08-09 Thread Matthew X

Bollywood, sorry... Mumbai police chief slams film stars

PTI [ FRIDAY, AUGUST 09, 2002 11:38:25 PM ]

MUMBAI: The Mumbai police today rapped a section of
film industry for their nexus with the underworld, saying
threat to the stars was due to their own involvement and hobnobbing with
underworld dons. They go to Dubai on chartered flights, entertain
the dons. All these threats are because of this, city Police
Commissioner M N Singh told newsmen here. Masala toh filmi
hai (the plot is real fit enough for making films), he said
adding that the very idea to do films on dons like Chhota Shakeel or the
now-famous J J Hospital shootout was unfortunate and not in good
taste. On one side, we are fighting and police are sacrificing
lives, on the other hand some people want to do films on dons and
encounters and make money, he said. Meantime...
Sikhs concerned about mistaken identities have been told the FBI's on
it... As the American Sikh leaders stressed on increased cultural
sensitivity towards the Sikhs among law enforcers, Rick Thornton, a
senior member from the Civil Rights Unit of the Federal Bureau of
Investigation (FBI) appreciated that their concerns were important
and legitimate. We all know how important and legit the civil rights
of indigenous and African-Americans have been to the FBI in the past. No
reason to think the Sikhs won't receive the same care and
attention. Right?
The other premier US law enforcement crew the SS have been
busy... Beginning at Friday morning, eight blocks of downtown Washington's
17th Street - between H Street and Constitution - will be closed to
trucks, said Secret Service spokesman John Gill. Also, on the four blocks
closest to the White House, Gill said, No parking, no stopping, no
standing.
and especially no e-mailing death threats like KILL the
PRESIDENT! It's a real pain in the ass, said agent Rick
Walkinshore, We have to check each one out every time, drives us
ratty, I swear. It's better if they're anonymous





Re: Thanks, Lucky, for helping to kill gnutella

2002-08-09 Thread Bram Cohen

AARG!Anonymous wrote:

 If only there were a technology in which clients could verify and yes,
 even trust, each other remotely.  Some way in which a digital certificate
 on a program could actually be verified, perhaps by some kind of remote,
 trusted hardware device.  This way you could know that a remote system was
 actually running a well-behaved client before admitting it to the net.
 This would protect Gnutella from not only the kind of opportunistic
 misbehavior seen today, but the future floods, attacks and DOSing which
 will be launched in earnest once the content companies get serious about
 taking this network down.

Before claiming that the TCPA, which is from a deployment standpoint
vaporware, could help with gnutella's scaling problems, you should
probably learn something about what gnutella's problems are first. The
truth is that gnutella's problems are mostly that it's a screamer
protocol, and limiting which clients could connect would do nothing to fix
that.

Limiting which clients could connect to the gnutella network would,
however, do a decent job of forcing people to pay for one of the
commercial clients. In this way it's very typical of how TCPA works - a
non-solution to a problem, but one which could potentially make money, and
has the support of gullible dupes who know nothing about the technical
issues involved.

 Be sure and send a note to the Gnutella people reminding them of all
 you're doing for them, okay, Lucky?

Your personal vendetta against Lucky is very childish.

-Bram Cohen

Markets can remain irrational longer than you can remain solvent
-- John Maynard Keynes




Utah Blahs

2002-08-09 Thread Matthew X

BOOK REVIEW 'JOE HILL' By Gibbs M. Smith, Peregrine Smith Books, Salt Lake
City 1984, Originally Published 1969 HD8073 H55563 1984 'Joe Hill' was
published in 1969 to mark the 54th anniversary of the execution by firing
squad in Utah in 1915 of Joe Hill I.W.W. songwriter and activist. Joe Hill
(Hillstrom) a Norwegian immigrant entered the United States in 1902 and
joined the I.W.W. in 1910. While working in Utah in 1913 he was arrested,
tried and executed in 1915 for the murder of a Salt Lake City grocer in
what was little more than a show trial. Tens of thousands of people, both
in the United States and overseas including the President of the United
States Woodrow Wilson, appealed to the Utah authorities for clemency with
no success. Hill's execution was a direct consequence of the anti I.W.W.
hysteria in Utah. He was convicted primarily on inconclusive circumstantial
evidence. Interestingly two members of the I.W.W. in Golburn in New South
Wales, Australia were executed in 1917 for the murder of a policeman as a
consequence of the anti I.W.W. hysteria that was whipped up in Australia
because the I.W.W. spearheaded the struggle against conscript in Australia.
While their deaths were virtually ignored, the execution of Joe Hill in
Utah made Hill into a working class legend. The legend of Joe Hill has
survived as a consequence of the legacy of his songs, songs that in some
cases have been incorporated into popular working class culture. Although
other songwriters had written songs for the I.W.W., Joe Hill's songs
encapsulated the mood of the times. His first song 'The Preacher and the
Slave' was a parody of the Salvation Army Hymn 'In the Sweet Bye and Bye'.
Hill's fading memory has been kept alive by the song 'I Dreamed I Saw Joe
Hill Last Night', a song set to music by Earl Robinson from a poem written
in 1925 by Alfred Hayes. Paul Roberson's rendition of 'I Dreamed I Saw Joe
Hill Last Night' assured Hill of immortality. Gibbs M. Smith's 'Joe Hill'
is a well researched 280 page analysis of the man and the legend. The book
has over 70 pages of references and notes for any reader who is interested
in doing further research on Joe Hill (Hillstrom). Gibbs M. Smith's book on
Joe Hill could be available from the remainder bin of one or two radical
bookshops. The difference between Gibbs' book on Joe Hill and other books
on Hill is Joyce Kornbluh's introduction to Gibbs' book. In her
introduction Kornbluh gives an excellent summary of the history of the
Industrial Workers of the World (I.W.W.).
http://www.freedomforum.org/templates/document.asp?documentID=16707
DENVER — A federal appeals court this week revived a lawsuit brought by 
animal activists who claimed they were protected by the First Amendment 
when handing out pro-vegetarian leaflets near a Utah school.
People for the Ethical Treatment of Animals, or PETA, appealed a ruling by 
a federal judge that animal-rights activists cannot picket on a sidewalk 
next to a school because it interferes with school activities.
The 10th U.S. Circuit Court of Appeals on Aug. 5 reversed a lower court's 
decision granting summary judgment to school officials.
Maybe if they were preaching creationism they'd be getting fucking PAID.




Wheres Mongo?

2002-08-09 Thread Matthew X

http://www.simonforgovernor.com/speeches.php
No. Too much competition for that big headed pissant, speaking of which... THE
BIG HEADED ANT Charles Darwin is a name that's synonymous with evolution
and the theory that evolution is based on the principle of survival of the
fittest. Peter Kropotkin's fame is much more limited, he's known in
anarchist circles as a significant 19th century anarchist thinker and
author. Few people even in the anarchist movement realize that he made a
contribution to the theory of evolution that's on a par with Darwin's. He
believed that Darwin's central evolutionary tenet was wrong and that
evolution was based not on competition, but on Co-operation. In enters the
big headed ant. The big headed ant was introduced to Australia from Africa
over a hundred years ago. Since its introduction it has slowly displaced
indigenous ant species and has had a major impact on other insect species
and animals in the Australia bush. The big headed ant has turned out to be
a major threat to indigenous ant species. Green, bull and other Australian
ant species are normally wiped out when the big headed ant colonises a new
area. Currently Darwin the capital of the Northern Territory has become the
new front line in the battle to stop the speed of the big headed ant. The
big headed ant's evolutionary advantage is based on its social behavior.
Indigenous ant groups display competitive behavior within their subspecies.
If two colonies share the same resources they compete against each other
for these resources. The big headed ant's behavior is diametrically opposed
to the behavior of indigenous ants. If two colonies are forced to share the
same resources they merge and Co-operate and don't waste time and effort
battling each other over who shall use these resources. The big headed ant's
Co-operative behavior gives it the edge it needs to survive and prosper in
a world that's dominated by competitive behavior. The story of the big
headed ant's evolutionary success mirrors the story of human society.
Although competitive capitalism is currently on the ascending across the
world, the destructive tendencies of competition hold the seeds of its
demise. Co-operative forces will always win out against competitive forces.
Anarchism's underlying message is one that promotes Co-operation and
opposes competition. Anarchism is based on the principles of voluntary
Co-operation, the very principle that has given the big headed ant the
evolutionary advantage it needs to displace its competitive neighbors.




Penguins in Big Blue.

2002-08-09 Thread Matthew X

Tinkerbell Factor 
I know I am not alone in this. If you read
Slashdot regularly, you'll see a
recurring theme in the arguments made by Linux proponents: While Linux is
more complex than some other operating systems, it provides a great deal
of power and customizability. Many Linux users, including me, actually
take pride in the ability to use the system. 
While I have had some good experiences with operating systems that are
more conventionally intuitive, the operating systems that present the
greatest challenge intrigue me the most. And the payoff is a great deal
of satisfaction in the ability to fine tune and customize the interface
and the work environment. 
Microsoft's (Nasdaq: MSFT) operating
systems are a different story altogether. While I typically detest the
company's innovation strategies, I
have actually, in some deranged way, found a certain measure of
fulfillment in being able to accomplish difficult tasks on Windows. 

http://www.newsfactor.com/perl/story/18878.html
Each new crash or system glitch presents new challenges, new routes to
explore, new techniques to learn. Because I have a tendency to fetishize
the tool -- whether it be a new development tool, an operating system or
even a new graphics card -- my means to the computing end is often just
as pleasurable for me as the end itself. 



Re: Thanks, Lucky, for helping to kill gnutella

2002-08-09 Thread Jay Sulzberger

On Fri, 9 Aug 2002, AARG!Anonymous wrote:

 ... /

 Not discussed in the article is the technical question of how this can
 possibly work.  If you issue a digital certificate on some Gnutella
 client, what stops a different client, an unauthorized client, from
 pretending to be the legitimate one?  This is especially acute if the
 authorized client is open source, as then anyone can see the cert,
 see exactly what the client does with it, and merely copy that behavior.

 If only there were a technology in which clients could verify and yes,
 even trust, each other remotely.  Some way in which a digital certificate
 on a program could actually be verified, perhaps by some kind of remote,
 trusted hardware device.  This way you could know that a remote system was
 actually running a well-behaved client before admitting it to the net.
 This would protect Gnutella from not only the kind of opportunistic
 misbehavior seen today, but the future floods, attacks and DOSing which
 will be launched in earnest once the content companies get serious about
 taking this network down.

There are many solutions at the level of technical protocols that solve
the projection of these problems down to the low dimensional subspace of
technical problems.  Some of these technical protocols will be part of
a full system which accomplishes the desired ends.  Please contact me
off-list if you are willing to spend some money for an implementation.

Your claim, if true, would also demonstrate that no credit card payments
over the Net, no apt-get style updating, no Paypal-like system, no crypto
time-stamp system, etc., can exist today.


 If only...  Luckily the cypherpunks are doing all they can to make sure
 that no such technology ever exists.  They will protect us from being able
 to extend trust across the network.  They will make sure that any open
 network like Gnutella must forever face the challenge of rogue clients.
 They will make sure that open source systems are especially vulnerable
 to rogues, helping to drive these projects into closed source form.

 Be sure and send a note to the Gnutella people reminding them of all
 you're doing for them, okay, Lucky?

AARG!, this is again unworthy of you.  You are capable of attempting to
confuse and misdirect at a higher level.

You might wish to emphasize that the real difficulties are at the levels
where the reasons for the small usage of GNUPG lie.  That really the
technical details of the TCPA/Palladium system hardly matter.  What
TCPA/Palladium will allow is the provision to the masses of even more
powerful brews of fantasy, game playing, advertising, etc..  And that there
will be a small number of hobbyists who use the unprotected ports of
TCPA/Palladium for their own limited experiments/amusements/etc..  The
real point of TCPA/Palladium is that a locus of trust, seemingly
guaranteed by the Powers That Be, will be created, and that the existence
of this same locus, under the facies of locus of dealmaking/lawyering,
will so reassure the Infotainment Arm of the Englobulators that the Arm
will unleash its extraordinary forces to build and sell ever more
entrancing Palaces of Dreams.  The unprotected ports will allow a mostly
self-supporting farm team system which will function without much direct
oversight and little outlay of money by Englobulator Central or any of the
Arms.  The limited freedom of the Farm System, with its convenient pull
strings, for the cases where something large and not controlled by Those
Who Know Best takes off, will be a powerful lure to up and coming future
Talent, who, when the time comes, may be Signed, without today's confusing
and annoying possibility of continued independence.  Indeed, the EULA of
every system might have a section which binds users who display Marketable
Things to an automatic Arbitration of Contract.

oo--JS.




Re: Signing as one member of a set of keys

2002-08-09 Thread Adam Back

Very nice.  

Nice plausible set of candidate authors also:

pub  1022/5AC7B865 1992/12/01  [EMAIL PROTECTED]
pub  1024/2B48F6F5 1996/04/10  Ian Goldberg [EMAIL PROTECTED]
pub  1024/97558A1D 1994/01/10  Pr0duct Cypher alt.security.pgp
pub  1024/2719AF35 1995/05/13  Ben Laurie [EMAIL PROTECTED]
pub  1024/58214C37 1992/09/08  Hal Finney [EMAIL PROTECTED]
pub  1024/C8002BD1 1997/03/04  Eric Young [EMAIL PROTECTED]
pub  1024/FBBB8AB1 1994/05/07  Colin Plumb [EMAIL PROTECTED]

Wonder if we can figure out who is most likely author based on coding
style from such a small set.

It has (8 char) TABs but otherwise BSD indentation style (BSD
normally 4 spaces).  Also someone who likes triply indirected pointers
***blah in there.  Has local variables inside even *if code blocks*
eg, inside main() (most people avoid that, preferring to declare
variables at the top of a function, and historically I think some
older gcc / gdb couldn't debug those variables if I recall).  Very
funky use of goto in getpgppkt, hmmm.  Somewhat concise coding and
variable names.

Off the cuff guess based on coding without looking at samples of code
to remind, probably Colin or Ian.

Of course (Lance Cottrell/Ian Goldberg/Pr0duct Cypher/Ben Laurie/Hal
Finney/Eric Young/Colin Plumb) possibly deviated or mimicked one of
their coding styles.  Kind of interesting to see a true nym in there
also.

Also the Cc -- Coderpunks lives?  I think the Cc coderpunks might be a
clue also, I think some of these people would know it died.  I think
that points more at Colin.

Other potential avenue might be implementation mistake leading to
failure of the scheme to robustly make undecidable which of the set is
the true author, given alpha code.

Adam

On Fri, Aug 09, 2002 at 03:52:56AM +, Anonymous User wrote:
 This program can be used by anonymous contributors to release partial
 information about their identity - they can show that they are someone
 from a list of PGP key holders, without revealing which member of the
 list they are.  Maybe it can help in the recent controversy over the
 identity of anonymous posters.  It's a fairly low-level program that
 should be wrapped in a nicer UI.  I'll send a couple of perl scripts
 later that make it easier to use.




Re: Thanks, Lucky, for helping to kill gnutella

2002-08-09 Thread Mike Rosing

On Fri, 9 Aug 2002, Jay Sulzberger wrote:

 There are many solutions at the level of technical protocols that solve
 the projection of these problems down to the low dimensional subspace of
 technical problems.  Some of these technical protocols will be part of
 a full system which accomplishes the desired ends.  Please contact me
 off-list if you are willing to spend some money for an implementation.

Hey!  Tell the Gnutella folks I'll be happy to bid on that too!
I'm pretty sure I can get them a solid solution, especially since it's
just a technical problem.

Patience, persistence, truth,
Dr. mike




Make $50,000 or more in 90 days just sending e-mails

2002-08-09 Thread Alex

Dear Friend,

You can earn a lot of money in the next 90 days sending e-mail.
Seem impossible? Is there a catch?  NO, there is no catch; just
send your e-mails and be on your way to financial freedom. 

Basically, I send out as many of these e-mails as I can, then
people send me cash in the mail for information that I just e-mail
back to them. Everyday, I make a three minute drive to my P.O. Box
knowing that there are at least a few hundred dollars waiting for
me.  And the best part, IT IS COMPLETELY LEGAL.

Just read the next few paragraphs and see what you think. If you
like what you read, great! If you don't, read it again because you
must have missed something.

AS SEEN ON NATIONAL TELEVISION 

Making over a half million dollars every 6 months from your home
for an investment of only $25 US dollars expense ONE TIME.  THANKS
TO THE COMPUTER AGE AND THE INTERNET, BE A MILLIONAIRE LIKE OTHERS
WITHIN A YEAR!!!  Before you say, No Way! read the following.
This is the letter you've been reading about in the news lately.
Due to the popularity of this letter on the Internet, a major
nightly news program recently devoted an entire show to the
investigation of the program described below to see if it really
can make people money. 

The show also investigated whether or not the program was legal.
Their findings proved once and for all that there are absolutely
no laws prohibiting the participation in this program. This has
helped to show people that this is a simple, harmless, and fun way
to make some extra money at home. And, besides even if you never
got involved in the program, the reports themselves are well worth
the money.  They can help you start and advertise ANY business on
the internet.  That is, these reports stand alone and are
beneficial to anyone wishing to do business on the internet.

The results of this show have been truly remarkable. So many
people are participating that those involved are doing much better
than ever before. Since everyone makes more as more people try it
out, its been very exciting to be a part of it lately. You will
understand once you experience it. 

HERE IT IS BELOW 

*** Print This Now For Future Reference *** 

The following income opportunity is one you may be interested in
taking a look at. It can be started with VERY LITTLE investment
($25) and the income return is TREMENDOUS!!! 

THIS IS A LEGITIMATE, LEGAL, MONEY MAKING OPPORTUNITY. 

It does not require you to come into contact with people, do any
hard work, and best of all, you never have to leave your house
except to get the mail. 

Simply follow the instructions, and you really can make this
happen. This e-mail order marketing program works every time if
you put in the effort to make it work. E-mail is the sales tool of
the future. Take advantage of this non-commercialized method of
advertising NOW! 

The longer you wait, the more savvy people will be taking your
business using e-mail. Get what is rightfully yours. Program
yourself for success and dare to think BIG. It sounds corny, but
it's true. You'll never make it big if you don't have this belief
system in place. 

MULTI-LEVEL MARKETING (MLM) has finally gained respectability.  It
is being taught in the Harvard Business School, and both Stanford
Research and the Wall Street Journal have stated that between 50%
and 65% of all goods and services will be sold through multi-level
methods. 
This is a Multi-Billion Dollar industry and of the 500,000
millionaires in the U.S., 20% (100,000) made their fortune in the
last several years in MLM. Moreover, statistics show 45people
become millionaires everyday through Multi-Level Marketing. 

You may have heard this story before, but Donald Trump made an
appearance on the David Letterman show. Dave asked him what he
would do if he lost everything and had to start over from scratch.
Without hesitating Trump said he would find a good network
marketing company and get to work. 
The audience, started to hoot and boo him. He looked out at the
audience and dead-panned his response. That's why I'm sitting up
here and you are all sitting out there! 

With network marketing you have two sources of income. Direct
commissions from sales you make yourself and commissions from
sales made by people you introduce to the business. 

Residual income is the secret of the wealthy. It means investing
time and money once, and getting paid again and again and again.
In network marketing, it also means getting paid for the work of
others. 

The enclosed information is something I almost let slip through my
fingers. Fortunately, sometime later I reread everything and gave
some thought and study to it.

My name is Jonathan Rourke. Two years ago, the corporation I
worked at for the past twelve years downsized and my position
was eliminated. After unproductive job interviews, I decided to
open my own business. Over the past year, I incurred many
unforeseen financial problems. I owed my family, friends and
creditors over $35,000. The economy 

Positive crap.

2002-08-09 Thread Matthew X

Positive SchNEWS 'Land and Future' is the world's first guide for tribal 
people, with information on how tribes around the world can secure their 
lands and way of life. It advises tribes on how to conduct a campaign when 
faced with the invasion of their lands by nasty oil companies, loggers and 
colonists, and offers tips on their rights under international law, and how 
to secure them. The book is going to be printed in many languages and there 
are plans for it be sent out to the remotest parts of the world. 
www.survival-international.org
Crap Arrest of the Week For travelling in the same car! In Iran the Basiji 
(the Islamic police force) routinely stop cars playing forbidden Western 
music, and if unmarried women are found in the company of men, they are 
arrested and charged with moral corruption! Single women can be subjected 
to humiliating virginity tests, and if they fail they are given the option 
of marrying their companion or being flogged for having extramarital sex. 
www.hambastegi.org 




Re: Thanks, Lucky, for helping to kill gnutella

2002-08-09 Thread Pete Chown

Anonymous wrote:

 ... the file-trading network Gnutella is being threatened by
 misbehaving clients.  In response, the developers are looking at limiting
 the network to only authorized clients:

This is the wrong solution.  One of the important factors in the
Internet's growth was that the IETF exercised enough control, but not
too much.  So HTTP is standardised, which allows (theoretically) any
browser to talk to any web server.  At the same time the higher levels
are not standardised, so someone who has an idea for a better browser or
web server is free to implement it.

If you build a protocol which allows selfish behaviour, you have done
your job badly.  Preventing selfish behaviour in distributed systems is
not easy, but that is the problem we need to solve.  It would be a good
discussion for this list.

 Not discussed in the article is the technical question of how this can
 possibly work.  If you issue a digital certificate on some Gnutella
 client, what stops a different client, an unauthorized client, from
 pretending to be the legitimate one?

Exactly.  This has already happened with unauthorised AIM clients.  My
freedom to lie allows me to use GAIM rather than AOL's client.  In this
case, IMO, the ethics are the other way round.  AOL seeks to use its
(partial) monopoly to keep a grip on the IM market.  The freedom to lie
mitigates this monopoly to an extent.

-- 
Pete




How To Make Love Till You Drop! rya

2002-08-09 Thread Victor Borges



Newly Released Book
SEX: Truths, Myths and Lies
Discover The Secrets Behind Great Sex...
and turn your bed into more than just a place to sleep!



Tommy loses his toys (laptop stolen from MacDill SCIF)

2002-08-09 Thread Major Variola (ret)

Guess who wasn't using encrypted disks?

MacDILL AIR FORCE BASE - Two laptop computers missing from Gen. Tommy
Franks' headquarters were kept in an ultrasensitive locked and alarmed
security room intended to safeguard some of the military's deepest
secrets in the U.S. war on terrorism, officials said Wednesday.

At least one of the laptops contained highly classified information,
they said.

The room is known in military shorthand as a SCIF, or Secure
Compartmented Information Facility. The government uses them at
installations worldwide and regulates their security features so closely
that voluminous rules have been written on how they are to be built and
protected.

It sits deep inside the building that houses U.S. Central Command
headquarters, which is running the war in Afghanistan and which is
tightly guarded by troops armed with M-16s. The building stands inside
the MacDill Air Force Base perimeter, which is well guarded, too.
snip
http://www.tampatrib.com/MGA4YPZ4M4D.html
...

Maybe Wen Ho Lee sold them to a pawn shop..




TCPA/Palladium -- likely future implications (Re: dangers of TCPA/palladium)

2002-08-09 Thread Adam Back

On Thu, Aug 08, 2002 at 09:15:33PM -0700, Seth David Schoen wrote:
 Back in the Clipper days [...] how do we know that this
 tamper-resistant chip produced by Mykotronix even implements the
 Clipper spec correctly?.

The picture is related but has some extra wrinkles with the
TCPA/Palladium attestable donglization of CPUs.

- It is always the case that targetted people can have hardware
attacks perpetrated against them.  (Keyboard sniffers placed during
court authorised break-in as FBI has used in mob case of PGP using
Mafiosa [1]).

- In the clipper case people didn't need to worry much if the clipper
chip had malicious deviations from spec, because Clipper had an openly
stated explicit purpose to implement a government backdoor -- there's
no need for NSA to backdoor the explicit backdoor.

But in the TCPA/Palladium case however the hardware tampering risk you
identify is as you say relevant:

- It's difficult for the user to verify hardware.  

- Also: it wouldn't be that hard to manufacture plausibly deniable
implementation mistakes that could equate to a backdoor -- eg the
random number generators used to generate the TPM/SCP private device
keys.

However, beyond that there is an even softer target for would-be
backdoorers:

- the TCPA/Palladium's hardware manufacturers endorsement CA keys.

these are the keys to the virtual kingdom formed -- the virtual
kingdom by the closed space within which attested applications and
software agents run.


So specifically let's look at the questions arising:

1. What could a hostile entity(*) do with a copy of a selection of
hardware manufacturer endorsement CA private keys?

( (*) where the hostile entity candidates would be for example be
secret service agencies, law enforcement or homeland security
agencies in western countries, RIAA/MPAA in pursuit of their quest to
exercise their desire to jam and DoS peer-to-peer file sharing
networks, the Chinese government, Taiwanese government (they may lots
of equipment right) and so on).

a. Who needs to worry -- who will be targetted?

Who needs to worry about this depends on how overt third-party
ownership of these keys is, and hence the pool of people who would
likely be targetted.  

If it's very covert, it would only be used plausibly deniably and only
for Nat Sec / Homeland Security purposes.  If it becomes overt over
time -- a publicly acknowledged, but supposedly court controlled
affair like Clipper, or even more widely desired by a wide-range of
entities for example: keys made available to RIAA / MPAA so they can
do the hacking they have been pushing for -- well then we all need to
worry.


To analyse the answer to question 1, we first need to think about
question 2:

2. What kinds of TCPA/Palladium integrity depending trusted
applications are likely to be built?

Given the powerful (though balance of control changing) new remotely
attestable security features provided by TCPA/Palladium, all kinds of
remote services become possible, for example (though all to the extent
of hardware tamper-resistance and belief that your attacker doesn't
have access to a hardware endorsement CA private key):

- general Application Service Providers (ASPs) that you don't have to
trust to read your data

- less traceable peer-to-peer applications

- DRM applications that make a general purpose computer secure against
BORA (Break Once Run Anywhere), though of course not secure against
ROCA (Rip Once Copy Everywhere) -- which will surely continue to
happen with ripping shifting to hardware hackers.

- general purpose unreadable sandboxes to run general purpose
CPU-for-rent computing farms for hire, where the sender knows you
can't read his code, you can't read his input data, or his output
data, or tamper with the computation.

- file-sharing while robustly hiding knowledge and traceability of
content even to the node serving it -- previously research question,
now easy coding problem with efficient

- anonymous remailers where you have more assurance that a given node
is not logging and analysing the traffic being mixed by it


But of course all of these distributed applications, positive and
negative (depending on your view point), are limited in their
assurance of their non-cryptographically assured aspects:

- to the tamper resistance of the device

- to the extent of the users confidence that an entity hostile to them
doesn't have the endorsement CA's private key for the respective
remote servers implementing the network application they are relying
on


and a follow-on question to question 2:

3. Will any software companies still aim for cryptographic assurance?

(cryptographic assurance means you don't need to trust someone not to
reverse engineer the application -- ie you can't read the data because
it is encrypted with a key derived from a password that is only stored
in the users head).

The extended platform allows you to build new classes of applications
which aren't currently buildable to cryptographic levels of 

Re: Thanks, Lucky, for helping to kill gnutella

2002-08-09 Thread Bram Cohen

Antonomasia wrote:

 My copy of Peer to Peer (Oram, O'Reilly) is out on loan but I think
 Freenet and Mojo use protocols that require new users to be
 contributors before they become consumers.  (Leaving aside that
 Gnutella seems doomed on scalability grounds.)

Freenet and Mojo Nation have had serious issues in the wild, but my
project, BitTorrent, is currently being used in serious deployment, and
its leech resistance algorithms are proving quite robust - 

http://bitconjurer.org/BitTorrent/

This is a very narrow form of leech resistance, but it may be all that is
needed.

-Bram Cohen

Markets can remain irrational longer than you can remain solvent
-- John Maynard Keynes




FI.AP.

2002-08-09 Thread Matthew X

Freedom Insurance 
by
Warren Tilson

Recently in the almost hallowed pages of the not yet
venerable web site Anti-State.com, two articles have appeared that may
point the way to gain a free society now. 
Robert Vroman's Assassination Politics and Andy Stow's defense agency
articles are both influences for
what I am about to describe. I should point out that I am unalterably
opposed, on moral grounds, to Assassination Politics. This opposition is
beyond the scope of this article so I will not go into it here. There is
however an aspect of AP that appeals to me and that is the naming of a
freedom offending individual and asking other individuals to act in a
certain way towards that individual.
Stow's article describes a decentralized defense agency/society that will
get you out of statist caused trouble provided you are a member. Even to
the point of using combat troops to enable your escape from a prison if
it should come to that. This is a great idea and I think it holds some
promise even if there are some technical issues that have to be worked
out.
What I am proposing is a system of insurance that if you are arrested on
some political crime (gun law, drug law, sex law, tax law, immigration
law, or commercial law etc. violation) lawyers will be dispatched as well
as activists and propagandists. 
The lawyers are there to use whatever legal tactics they can to keep your
life from getting worse, i.e. they would get you out of jail and act as a
shield between you and the state's employees. This is no different than
what lawyers are supposed to do now, however our lawyers will have an
ideological bond with the person they are defending so there will be more
agreement on tactics and a vision of the ultimate goal which many
lawyer-client relationships lack now.
Civil Rights lawyers will also be sent to make sure it becomes a Civil
Rights issue by suing the arresting agency, its employees and all sundry
agencies, and their employees that are involved. 
The activists and propagandists are there simply to stir up non-violent
trouble. Their purpose is to organize protests, run ads in the local
media, appear on local talk shows, hand out fliers, discuss jury
nullification, hold workshops and engage in civil disobedience. These
things sometimes happen in a controversial case but it is usually an ad
hoc arrangement that may lack focus, strong leadership and the resources
to stay committed.
If you own Freedom Insurance and you are arrested for something your
policy covers you are guaranteed that allies and sympathizers will be on
the scene, coming to your aid within 24 hours. It does not matter how
small the issue, you call – they come. 
One of the first things that the activist will do is find out all they
can about the arresting officer(s) and the prosecutor. They will then
organize peaceful protests at the residences of these people, the ads
will mention these people by name and ask if they know anything about
freedom or the Constitution or their oaths to the Constitution. In
addition their families will be sought out and asked questions such as:
Do you support your husband when he violates the rights of
others? Did you know your daughter was acting illegally and
in violation of the Constitution she has sworn to uphold? 
The idea here is to get it in to the heads of the people who enforce
these laws that it just is too much trouble to bother with. Arrest
someone with an FI card and he is looking at months of living hell for
him and his family and friends. After awhile, if this idea is successful
the mere presence of a FI bumper sticker will get the driver of that
vehicle a pass or the owner of that store a pass or that prostitute a
pass and so on. The more that cops lay off FI policy holders will ensure
that more and more people will join and in this way the state will be
undercut. 
As people realize that the police have no will to enforce evil laws those
laws will be disobeyed by millions. If what usually happens when a people
are free to go about their business we will see a massive increase in the
standard of living with all the usual happiness that follows from that.

After awhile this might very well evolve into Stow's Defense Agency and
from there the state will be halfway into the grave. 
Of course (another nod to AP) it should be pointed out that all the main
offices and computer servers will be located outside of the USA and all
communication will take place with the aid of encryption. 
Let's give it a push: become a Freedom Insurance owner today. Call the
home office for a representative near you.
August 9, 2002




Re: AARG and eugene are net.loons-why signatures of binaries always change.

2002-08-09 Thread Eugen Leitl

You're being quite creative with alternative spelling and punctuation.
However, if you think that provides sustainable stealth cover against a
competent attacker (TLA agencies must by now be really good with
linguistic forensics) you're fooling yourself.

For executable binary verification it is obviously necessary to use
compilers/linkers which don't write crap into the binary. Speaking of
which, given the size of the code blob one could as well use handcrafted
assembly. Also, using a standardized build environment is not exactly
rocket science, since one can checksum ISO images, too. Platinum Group 
Linux would be a good name for the distro.

On Fri, 9 Aug 2002, cyphrpnk wrote:

 Hi all,
  It's obvious that some of us here are developers and still others
 have never typed make or gcc in their lives.
 
 
 -v and -V options given to various forms of ld caused the embeddment of 
 version information in the binary(Sunpro does this also, AND early versions
 of MSC allowed embeddment of version information also.)
 The fact that most environments don't link -Bstatic and instead link
 -Bdynamic means that every time you attempt to produce a binary from
 2 different systems that the dynamic link information will
 be different; check out link.h link_elf.h link_aout.h in /usr/include
 
 
 in addition MOST modern development environments include a date field
 when compiled and linked in the binary
 
 
 
  sheesh
  a cypherpunk
 BTW.   AARG and eugene are idiots nyah nyah nyah!!
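
The point in the exchange above, that a date field written at link time makes two otherwise identical builds hash differently, can be checked mechanically. The following Python is an added example, not code from either poster: the toy image layout (a 64-byte MZ header followed by a COFF header), every function name, and the sample builds are assumptions constructed for illustration.

```python
import hashlib
import struct

PE_OFFSET_FIELD = 0x3C  # e_lfanew: file offset of the "PE\0\0" signature


def make_toy_image(timestamp: int, body: bytes) -> bytes:
    """Constructed sample: the smallest layout that carries a COFF date field."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)  # 64-byte DOS header
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes).
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0x0102)
    return dos + b"PE\x00\x00" + coff + body


def timestamp_span(blob: bytes) -> range:
    """Byte offsets of the COFF TimeDateStamp field inside the image."""
    if len(blob) < 64 or blob[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (pe_off,) = struct.unpack_from("<I", blob, PE_OFFSET_FIELD)
    if len(blob) < pe_off + 24 or blob[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    return range(pe_off + 8, pe_off + 12)


def diff_ranges(a: bytes, b: bytes) -> list:
    """Half-open (start, end) ranges where two equal-length blobs differ."""
    if len(a) != len(b):
        raise ValueError("length mismatch: not a field-level difference")
    ranges, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(a)))
    return ranges


def raw_digest(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def normalized_digest(blob: bytes) -> str:
    """SHA-256 of the image with the date field zeroed before hashing."""
    span = timestamp_span(blob)
    buf = bytearray(blob)
    buf[span.start:span.stop] = b"\x00" * len(span)
    return hashlib.sha256(buf).hexdigest()


def differs_only_in_timestamp(a: bytes, b: bytes) -> bool:
    """True when every differing byte lies inside the date field."""
    if len(a) != len(b) or timestamp_span(a) != timestamp_span(b):
        return False
    span = timestamp_span(a)
    return all(s >= span.start and e <= span.stop for s, e in diff_ranges(a, b))


# Constructed builds: same code built an hour apart, then one with a changed byte.
CODE = b"\x55\x89\xe5\x5d\xc3"
BUILD_A = make_toy_image(1028851200, CODE)
BUILD_B = make_toy_image(1028854800, CODE)
BUILD_C = make_toy_image(1028851200, b"\x55\x89\xe5\x90\xc3")

if __name__ == "__main__":
    print("A vs B raw digests equal:       ", raw_digest(BUILD_A) == raw_digest(BUILD_B))
    print("A vs B normalized digests equal:", normalized_digest(BUILD_A) == normalized_digest(BUILD_B))
    print("A vs B differing ranges:        ", diff_ranges(BUILD_A, BUILD_B))
    print("A vs C differing ranges:        ", diff_ranges(BUILD_A, BUILD_C))
```

A real linker may write dates and version strings in more places than this one header field, so a verifier should report every range `diff_ranges` finds rather than assume the header stamp is the only difference.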




APster will save your Gnuts.

2002-08-09 Thread Matthew X

If only... Luckily the cypherpunks are doing all they can to make
sure that no such technology ever exists.
You're new here aren't you? Check out the archives a little circa
1996. By their fruits ye shall know them. And by
their Gnuts as well.



Fox a lame duck.

2002-08-09 Thread Matthew X

The Mexican government saw the future in these cornfields spread across
the dry Texcoco lake bed about 18 miles east of Mexico City. Here it
envisioned spending $2.3 billion for a state-of-the-art, six-runway
airport that would be Mexico's shiny new face to the world for the 21st
century. It was to replace the choked-up, jury-rigged airfield that has
served the capital since the dawn of the 20th. 
Read more 
http://www.infoshop.org/inews/stories.php?story=02/08/09/5495094


Leechnet.

2002-08-09 Thread Matthew X

As a former beta tester for Leechnet, all this P to P chat reminded me to
revisit Nordic Research. They may be onto something with, ... the
concept of cybercash one step closer to reality.
Maybe, youse would probably know better than me. extra skin?
Caveat Lecter.
http://www.leechnet.com/product.html
Featured product: Opticart 
Web page developers using the OptiCart system are praising that the
website no longer has to be built around the shopping cart unlike other
shopping cart software and e-commerce software, but is instead added as
an extra skin after the design and implementation has already been
made.
The OptiCart system uses Java technology to provide real-time updates of
the contents of the shopping basket and brings the concept of cybercash
one step closer to reality.




[no subject]

2002-08-09 Thread AARG! Anonymous

Adam Back writes a very thorough analysis of possible consequences of the
amazing power of the TCPA/Palladium model.  He is clearly beginning to
get it as far as what this is capable of.  There is far more to this
technology than simple DRM applications.  In fact Adam has a great idea
for how this could finally enable selling idle CPU cycles while protecting
crucial and sensitive business data.  By itself this could be a killer
app for TCPA/Palladium.  And once more people start thinking about how to
exploit the potential, there will be no end to the possible applications.

Of course his analysis is spoiled by an underlying paranoia.  So let me
ask just one question.  How exactly is subversion of the TPM a greater
threat than subversion of your PC hardware today?  How do you know that
Intel or AMD don't already have back doors in their processors that
the NSA and other parties can exploit?  Or that Microsoft doesn't have
similar backdoors in its OS?  And similarly for all the other software
and hardware components that make up a PC today?

In other words, is this really a new threat?  Or are you unfairly blaming
TCPA for a problem which has always existed and always will exist?




fRAT insurrection in BC.

2002-08-09 Thread Matthew X

http://www.infoshop.org/inews/stories.php?story=02/08/09/3418651

Fireworks in Vancouver. Someone died at one of these potlatch events once. A 
long time ago in a galaxy far, far away... The context of the current class 
war in British Columbia includes -
- An attempt by B.C. Government Employees Union (B.C.G.E.U.) members to 
charge into a hotel on January 23rd, 2002, where Premier Gordon Campbell 
was set to speak.
- Illegal wildcat strikes in late January by the B.C. Teachers Federation 
(B.C.T.F.) and the B.C.G.E.U.
- A tent-city occupation by street youth and students on the front lawn of 
the provincial legislature building in Victoria in February which ended 
with its dismantling by riot police
- The fire-bombing of Premier Gordon Campbell's office on the night of 
February 21st.
- A B.C Federation of Labour rally at the legislature in Victoria by more 
than 20,000 people, at which a group of about 10 anarchists intervened by 
attacking a security barrier and throwing rocks at the legislature building.
- An anti-poverty Snake March in Victoria on March 25th that went through a 
mall and several corporate stores, leaving splatters from paint-bombs and 
graffiti behind.
- An anti-poverty march to one of Premier Gordon Campbell's homes in 
Vancouver on April 1st.
- An all-womyn anti-poverty brigade's occupation of a Member of the 
Legislative Assembly office in Victoria on April 25th that was broken up 
by riot police who pepper-sprayed several demonstrators.
- A May Day demonstration in Vancouver against the 6-dollar training wage 
that included a half-hour blockade of a McDonalds restaurant (one of the 
businesses using the training wage, and a major contributor to the 
Liberal's election campaign.). After the end of the demonstration a masked 
group charged through a downtown mall and carried out small acts of 
vandalism and sabotage.
- A July 14th demonstration at the opening of a gallery show at the 
Vancouver Art Gallery at which the Premier was scheduled to speak at, but 
failed to show his face in public - because of security concerns caused 
by hundreds of angry demonstrators who attempted to dismantle a security 
fence, spat on police officers, and were then pepper-sprayed. 




Re: TCPA/Palladium -- likely future implications

2002-08-09 Thread AARG! Anonymous

I want to follow up on Adam's message because, to be honest, I missed
his point before.  I thought he was bringing up the old claim that these
systems would give the TCPA root on your computer.

Instead, Adam is making a new point, which is a good one, but to
understand it you need a true picture of TCPA rather than the false one
which so many cypherpunks have been promoting.  Earlier Adam offered a
proposed definition of TCPA/Palladium's function and purpose:

 Palladium provides an extensible, general purpose programmable
 dongle-like functionality implemented by an ensemble of hardware and
 software which provides functionality which can, and likely will be
 used to expand centralised control points by OS vendors, Content
 Distributors and Governments.

IMO this is total bullshit, political rhetoric that is content-free
compared to the one I offered:

: Allow computers separated on the internet to cooperate and share data
: and computations such that no one can get access to the data outside
: the limitations and rules imposed by the applications.

It seems to me that my definition is far more useful and appropriate in
really understanding what TCPA/Palladium are all about.  Adam, what do
you think?

If we stick to my definition, you will come to understand that the purpose
of TCPA is to allow application writers to create closed spheres of trust,
where the application sets the rules for how the data is handled.  It's
not just DRM, it's Napster and banking and a myriad other applications,
each of which can control its own sensitive data such that no one can
break the rules.

At least, that's the theory.  But Adam points out a weak spot.  Ultimately
applications trust each other because they know that the remote systems
can't be virtualized.  The apps are running on real hardware which has
real protections.  But applications know this because the hardware has
a built-in key which carries a certificate from the manufacturer, who
is called the TPME in TCPA.  As the applications all join hands across
the net, each one shows his cert (in effect) and all know that they are
running on legitimate hardware.

So the weak spot is that anyone who has the TPME key can run a virtualized
TCPA, and no one will be the wiser.  With the TPME key they can create
their own certificate that shows that they have legitimate hardware,
when they actually don't.  Ultimately this lets them run a rogue client
that totally cheats, disobeys all the restrictions, shows the user all
of the data which is supposed to be secret, and no one can tell.

Furthermore, if people did somehow become suspicious about one particular
machine, with access to the TPME key the eavesdroppers can just create
a new virtual TPM and start the fraud all over again.

It's analogous to how someone with Verisign's key could masquerade as
any secure web site they wanted.  But it's worse because TCPA is almost
infinitely more powerful than PKI, so there is going to be much more
temptation to use it and to rely on it.

Of course, this will be inherently somewhat self-limiting as people learn
more about it, and realize that the security provided by TCPA/Palladium,
no matter how good the hardware becomes, will always be limited to
the political factors that guard control of the TPME keys.  (I say
keys because likely more than one company will manufacture TPM's.
Also in TCPA there are two other certifiers: one who certifies the
motherboard and computer design, and the other who certifies that the
board was constructed according to the certified design.  The NSA would
probably have to get all 3 keys, but this wouldn't be that much harder
than getting just one.  And if there are multiple manufacturers then
only 1 key from each of the 3 categories is needed.)

To protect against this, Adam offers various solutions.  One is to do
crypto inside the TCPA boundary.  But that's pointless, because if the
crypto worked, you probably wouldn't need TCPA.  Realistically most of the
TCPA applications can't be cryptographically protected.  Computing with
encrypted instances is a fantasy.  That's why we don't have all those
secure applications already.

Another is to use a web of trust to replace or add to the TPME certs.
Here's a hint.  Webs of trust don't work.  Either they require strong
connections, in which case they are too sparse, or they allow weak
connections, in which case they are meaningless and anyone can get in.

I have a couple of suggestions.  One early application for TCPA is in
closed corporate networks.  In that case the company usually buys all
the computers and prepares them before giving them to the employees.
At that time, the company could read out the TPM public key and sign
it with the corporate key.  Then they could use that cert rather than
the TPME cert.  This would protect the company's sensitive data against
eavesdroppers who manage to virtualize their hardware.

For the larger public network, the first thing I would suggest is that
the TPME key ought 
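
The weak spot described in the message above (whoever holds the TPME key can certify a key that never lived in hardware) and the corporate re-signing it suggests can be modelled in a few lines. This is an added example, not TCPA code or anything from the posters: the toy Schnorr signature, the single device key standing in for the TPM key with a one-link certificate chain, and every name in it are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy Schnorr signatures over the Mersenne prime 2**127 - 1.
# Assumption for illustration only: far too small for real use.
P = 2**127 - 1
G = 3


def _h(*parts: bytes) -> int:
    d = hashlib.sha256()
    for part in parts:
        d.update(len(part).to_bytes(4, "big"))
        d.update(part)
    return int.from_bytes(d.digest(), "big")


def keygen():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def sign(priv: int, msg: bytes):
    k = secrets.randbelow(P - 3) + 2
    r = pow(G, k, P)
    e = _h(r.to_bytes(16, "big"), msg)
    return r, (k + e * priv) % (P - 1)


def verify(pub: int, msg: bytes, sig) -> bool:
    r, s = sig
    e = _h(r.to_bytes(16, "big"), msg)
    return pow(G, s, P) == (r * pow(pub, e, P)) % P


def certify(ca_priv: int, subject_pub: int):
    """A certificate here is just the CA's signature over the device public key."""
    return sign(ca_priv, subject_pub.to_bytes(16, "big"))


def quote(device_priv: int, nonce: bytes, measurement: bytes):
    """The device signs the verifier's nonce and the software measurement."""
    return sign(device_priv, nonce + measurement)


def verify_attestation(trusted_ca_pub, device_pub, cert, nonce, measurement, sig):
    """Accept only if the device key chains to the trusted CA and signed the quote."""
    chained = verify(trusted_ca_pub, device_pub.to_bytes(16, "big"), cert)
    return chained and verify(device_pub, nonce + measurement, sig)


def run_scenarios() -> dict:
    tpme_priv, tpme_pub = keygen()   # manufacturer's endorsement CA
    corp_priv, corp_pub = keygen()   # company's own provisioning CA
    approved = b"constructed-measurement-of-approved-app"
    nonce = secrets.token_bytes(16)

    # Genuine hardware: key certified by the TPME at manufacture and
    # re-signed by the company when the machine was prepared.
    hw_priv, hw_pub = keygen()
    hw_tpme_cert = certify(tpme_priv, hw_pub)
    hw_corp_cert = certify(corp_priv, hw_pub)
    hw_quote = quote(hw_priv, nonce, approved)

    # Virtualized TPM: key generated in software, certified with a copy of
    # the TPME private key, reporting the approved measurement regardless.
    sw_priv, sw_pub = keygen()
    sw_tpme_cert = certify(tpme_priv, sw_pub)
    sw_quote = quote(sw_priv, nonce, approved)

    return {
        "tpme_root_accepts_genuine": verify_attestation(
            tpme_pub, hw_pub, hw_tpme_cert, nonce, approved, hw_quote),
        "tpme_root_accepts_virtual": verify_attestation(
            tpme_pub, sw_pub, sw_tpme_cert, nonce, approved, sw_quote),
        "corp_root_accepts_genuine": verify_attestation(
            corp_pub, hw_pub, hw_corp_cert, nonce, approved, hw_quote),
        "corp_root_accepts_virtual": verify_attestation(
            corp_pub, sw_pub, sw_tpme_cert, nonce, approved, sw_quote),
    }


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name}: {accepted}")
```

A verifier that trusts the TPME root cannot tell the two devices apart, while one that pins the corporate root rejects the virtual device because nobody re-signed its key at provisioning.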

Re: Thanks, Lucky, for helping to kill gnutella

2002-08-09 Thread Antonomasia

From: AARG!Anonymous [EMAIL PROTECTED]

 An article on Salon this morning (also being discussed on slashdot),
 http://www.salon.com/tech/feature/2002/08/08/gnutella_developers/print.html,
 discusses how the file-trading network Gnutella is being threatened by
 misbehaving clients.  In response, the developers are looking at limiting
 the network to only authorized clients:

 They intend to do this using digital signatures, and there is precedent
 for this in past situations where there have been problems:

  Alan Cox,  Years and years ago this came up with a game

 If only there were a technology in which clients could verify and yes,

 Be sure and send a note to the Gnutella people reminding them of all
 you're doing for them, okay, Lucky?

Now that is resorting to silly accusation.

My copy of Peer to Peer (Oram, O'Reilly) is out on loan but I think Freenet
and Mojo use protocols that require new users to be contributors before they
become consumers.  (Leaving aside that Gnutella seems doomed on scalability
grounds.)

Likewise the WAN shooter games have (partially) defended against cheats by
making the client hold no authoritative data and by disqualifying those
that send impossible traffic.  (Excluding wireframe graphics cards is another
matter.)  If I were a serious gamer I'd want 2 communities - one for plain
clients to match gaming skills and another for cheat all you like contests
to match both gaming and programming skills.

If the Gnuts need to rework the protocol they should do so.

My objection to this TCPA/palladium thing is that it looks aimed at ending
ordinary computing.  If the legal scene were radically different this wouldn't
be causing nearly so much fuss.  Imagine:
- a DoJ that can enforce monopoly law
- copyright that expires in reasonable time
 (5 years for s/w ? 15 years for books,films,music... ?)
- fair use and first sale are retained
- no concept of indirect infringement (e.g. selling marker pens)
- criminal and civil liability for incorrectly barring access in DRM
- hacking is equally illegal for everybody
- no restriction on making and distributing/selling any h/w,s/w

If Anonymous presents Gnutella for serious comparison with the above issues
I say he's looking in the wrong end of his telescope.

--
##
# Antonomasia   ant notatla.demon.co.uk  #
# See http://www.notatla.demon.co.uk/#
##




Re: Thanks, Lucky, for helping to kill gnutella (fwd)

2002-08-09 Thread R. A. Hettinga

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

At 1:03 AM +0200 on 8/10/02, Some anonymous, and now apparently
innumerate, idiot in my killfile got himself forwarded to Mr. Leitl's
cream of cypherpunks list:


 They will protect us from being able
 to extend trust across the network.

As Dan Geer and Carl Ellison have reminded us on these lists and
elsewhere, there is no such thing as trust, on the net, or anywhere
else.

There is only risk.


Go learn some finance before you attempt to abstract emotion into the
quantifiable.

Actual numerate, thinking, people gave up on that nonsense in the
1970's, and the guys who proved the idiocy of trust, showing, like
LaGrange said to Napoleon about god, that the capital markets had no
need that hypothesis, Sire ended up winning a Nobel for that proof
the 1990's*.

Cheers,
RAH
*The fact that Scholes and Merton eventually ended up betting on
equity volatility like it was actually predictable and got their
asses handed to them for their efforts is beside the point, of
course. :-).

-BEGIN PGP SIGNATURE-
Version: PGP 7.5

iQA/AwUBPVRgRsPxH8jf3ohaEQIu3gCg0V9JIHnMRJ2GW+aJ1xSEHi5ETcYAn1Db
BgR2WiAxNt/zGx5Iy+uRG+Ws
=JEmi
-END PGP SIGNATURE-

-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'




Re: TCPA/Palladium -- likely future implications

2002-08-09 Thread James A. Donald

--
On 9 Aug 2002 at 17:15, AARG! Anonymous wrote:
 to understand it you need a true picture of TCPA rather than the 
 false one which so many cypherpunks have been promoting.

As TCPA is currently vaporware, projections of what it will be, 
and how it will be used are judgments, and are not capable of 
being true or false, though they can be plausible or implausible.

Even with the best will in the world, and I do not think the 
people behind this have the best will in the world, there is an 
inherent conflict between tamper resistance and general purpose 
programmability.  To prevent me from getting at the bits as they 
are sent to my sound card or my video card, the entire computer, 
not just the dongle, has to be somewhat tamper resistant, which is 
going to make the entire computer somewhat less general purpose 
and programmable, thus less useful.

The people behind TCPA might want to do something more evil than 
you say they want to do, if they want to do what you say they want 
to do they might be prevented by law enforcement which wants 
something considerably more far reaching and evil, and if they
want to do it, and law enforcement refrains from reaching out and 
taking hold of their work, they still may be unable to do it for 
technical reasons. 

--digsig
 James A. Donald
 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
 D7ZUyyAS+7CybaH0GT3tHg1AkzcF/LVYQwXbtqgP
 2HBjGwLqIOW1MEoFDnzCH6heRfW1MNGv1jXMIvtwb




Re: TCPA/Palladium -- likely future implications

2002-08-09 Thread Mike Rosing

On Fri, 9 Aug 2002, AARG! Anonymous wrote:

 : Allow computers separated on the internet to cooperate and share data
 : and computations such that no one can get access to the data outside
 : the limitations and rules imposed by the applications.

 It seems to me that my definition is far more useful and appropriate in
 really understanding what TCPA/Palladium are all about.  Adam, what do
 you think?

Just because you can string words together and form a definition doesn't
make it realizable.  Once data is in the clear it can be copied, and no
rules can change that.  Either the data is available to the user, and
they can copy it - or the data is not available to the user, and there's
nothing they can do when their machine does somebody else's calculations.

 I have a couple of suggestions.  One early application for TCPA is in
 closed corporate networks.  In that case the company usually buys all
 the computers and prepares them before giving them to the employees.
 At that time, the company could read out the TPM public key and sign
 it with the corporate key.  Then they could use that cert rather than
 the TPME cert.  This would protect the company's sensitive data against
 eavesdroppers who manage to virtualize their hardware.

And guess what?  I can buy that today!  I don't need either TCPA or
Palladium.  So why do we need TCPA?

 Think about it: this one innocuous little box holding the TPME key could
 ultimately be the root of trust for the entire world.  IMO we should
 spare no expense in guarding it and making sure it is used properly.
 With enough different interest groups keeping watch, we should be able
 to keep it from being used for anything other than its defined purpose.

Man, I want the stuff you are smoking!  One attack point is the root of
trust for the whole world!!???!!!  Take another hit dude, and make sure
you see lots of colors too.

Patience, persistence, truth,
Dr. mike




TCPA ad nauseum

2002-08-09 Thread Mike Rosing

On Fri, 9 Aug 2002, AARG! Anonymous wrote:

 Of course his analysis is spoiled by an underlying paranoia.  So let me
 ask just one question.  How exactly is subversion of the TPM a greater
 threat than subversion of your PC hardware today?  How do you know that
 Intel or AMD don't already have back doors in their processors that
 the NSA and other parties can exploit?  Or that Microsoft doesn't have
 similar backdoors in its OS?  And similarly for all the other software
 and hardware components that make up a PC today?

 In other words, is this really a new threat?  Or are you unfairly blaming
 TCPA for a problem which has always existed and always will exist?

The difference is that *anyone* can see what goes on inside an Intel or
AMD processor.  Only the key holder of the TPM can see inside the
protected code space.  You can't put back doors into the code now
because the code is visible to all users.  The purpose of crypto is to
hide information even tho the attacker can see all the machinery work.
If you don't want to have the machinery visible, then use a sealed
system (like smart card).

Patience, persistence, truth,
Dr. mike




Re: Challenge to TCPA/Palladium detractors

2002-08-09 Thread AARG! Anonymous

Re the debate over whether compilers reliably produce identical object
(executable) files:

The measurement and hashing in TCPA/Palladium will probably not be done
on the file itself, but on the executable content that is loaded into
memory.  For Palladium it is just the part of the program called the
trusted agent.  So file headers with dates, compiler version numbers,
etc., will not be part of the data which is hashed.

The only thing that would really break the hash would be changes to the
compiler code generator that cause it to create different executable
output for the same input.  This might happen between versions, but
probably most widely used compilers are relatively stable in that
respect these days.  Specifying the compiler version and build flags
should provide good reliability for having the executable content hash
the same way for everyone.
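
The distinction drawn in the post above, between hashing a file and hashing only its executable content, can be shown with a COFF object file, whose header carries a TimeDateStamp that changes on every build. This is an added example, not part of the original post; the two "builds" are constructed byte strings, SHA-256 is an assumption, and all function names are this example's own.

```python
import hashlib
import struct

# COFF file header: Machine, NumberOfSections, TimeDateStamp,
# PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
COFF_HDR = struct.Struct("<HHIIIHH")
# Section header: Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECT_HDR = struct.Struct("<8sIIIIIIHHI")

def build_object(timestamp, sections):
    """Construct a minimal COFF object (sample input, not a real compiler's output)."""
    data_off = COFF_HDR.size + SECT_HDR.size * len(sections)
    table, blobs = b"", b""
    for name, flags, raw in sections:
        table += SECT_HDR.pack(name, 0, 0, len(raw), data_off + len(blobs),
                               0, 0, 0, 0, flags)
        blobs += raw
    header = COFF_HDR.pack(0x14C, len(sections), timestamp, 0, 0, 0, 0)
    return header + table + blobs

def parse_sections(obj):
    """Return (timestamp, [(name, raw_bytes), ...]), rejecting truncated input."""
    if len(obj) < COFF_HDR.size:
        raise ValueError("truncated COFF header")
    _, nsect, stamp, _, _, opt_size, _ = COFF_HDR.unpack_from(obj, 0)
    off = COFF_HDR.size + opt_size
    sections = []
    for _ in range(nsect):
        if off + SECT_HDR.size > len(obj):
            raise ValueError("truncated section table")
        name, _, _, raw_size, raw_ptr, *_ = SECT_HDR.unpack_from(obj, off)
        if raw_ptr + raw_size > len(obj):
            raise ValueError("section data lies outside the file")
        sections.append((name.rstrip(b"\0"), obj[raw_ptr:raw_ptr + raw_size]))
        off += SECT_HDR.size
    return stamp, sections

def file_hash(obj):
    """Hash of the whole file, header timestamp included."""
    return hashlib.sha256(obj).hexdigest()

def content_hash(obj):
    """Hash of section names, lengths and contents only; headers are skipped."""
    _, sections = parse_sections(obj)
    h = hashlib.sha256()
    for name, raw in sections:
        h.update(name.ljust(8, b"\0") + struct.pack("<I", len(raw)) + raw)
    return h.hexdigest()

# Constructed sample data: the same code "built" twice, seven seconds apart,
# plus a third build whose code section really differs.
TEXT = bytes.fromhex("558bec33c05dc3")
TEXT_CHANGED = bytes.fromhex("558bec33c0405dc3")
RDATA = b"constructed sample\0"
CODE_FLAGS, RDATA_FLAGS = 0x60000020, 0x40000040

def sample(timestamp, text):
    return build_object(timestamp, [(b".text", CODE_FLAGS, text),
                                    (b".rdata", RDATA_FLAGS, RDATA)])

BUILD_A = sample(1028937600, TEXT)
BUILD_B = sample(1028937607, TEXT)
BUILD_C = sample(1028937607, TEXT_CHANGED)

def compare(x, y):
    """Report whether two builds match as files and as executable content."""
    return {"same_file": file_hash(x) == file_hash(y),
            "same_content": content_hash(x) == content_hash(y)}

if __name__ == "__main__":
    print("A vs B:", compare(BUILD_A, BUILD_B))
    print("B vs C:", compare(BUILD_B, BUILD_C))
```

Only the header timestamp is neutralised here; version strings or link information stored inside a section would still change the content hash.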




Re: Thanks, Lucky, for helping to kill gnutella

2002-08-09 Thread AARG! Anonymous

Several people have objected to my point about the anti-TCPA efforts of
Lucky and others causing harm to P2P applications like Gnutella.

Eric Murray wrote:
 Depending on the clients to do the right thing is fundamentally
 stupid.

Bram Cohen agrees:
 Before claiming that the TCPA, which is from a deployment standpoint
 vaporware, could help with gnutella's scaling problems, you should
 probably learn something about what gnutella's problems are first. The
 truth is that gnutella's problems are mostly that it's a screamer
 protocol, and limiting which clients could connect would do nothing to fix
 that.

I will just point out that it was not my idea, but rather that Salon
said that the Gnutella developers were considering moving to authorized
clients.  According to Eric, those developers are fundamentally stupid.
According to Bram, the Gnutella developers don't understand their
own protocol, and they are supporting an idea which will not help.
Apparently their belief that clients like Qtrax are hurting the system
is totally wrong, and keeping such clients off the system won't help.

I can't help believing the Gnutella developers know more about their
own system than Bram and Eric do.  If they disagree, their argument is
not with me, but with the Gnutella people.  Please take it there.

Ant chimes in:
 My copy of Peer to Peer (Oram, O'Reilly) is out on loan but I think Freenet
 and Mojo use protocols that require new users to be contributors before they
 become consumers.

Pete Chown echoes:
 If you build a protocol which allows selfish behaviour, you have done
 your job badly.  Preventing selfish behaviour in distributed systems is
 not easy, but that is the problem we need to solve.  It would be a good
 discussion for this list.

As far as Freenet and MojoNation, we all know that the latter shut down,
probably in part because the attempted traffic-control mechanisms made
the whole network so unwieldy that it never worked.  At least in part
this was also due to malicious clients, according to the analysis at
http://www.cs.rice.edu/Conferences/IPTPS02/188.pdf.  And Freenet has been
rendered inoperative in recent months by floods.  No one knows whether
they are fundamental protocol failings, or the result of selfish client
strategies, or calculated attacks by the RIAA and company.  Both of these
are object lessons in the difficulties of successful P2P networking in
the face of arbitrary client attacks.

Some people took issue with the personal nature of my criticism:

 Your personal vendetta against Lucky is very childish.

 This sort of attack doesn't do your position any good.

Right, as if my normal style has been so effective.  Not one person has
given me the least support in my efforts to explain the truth about TCPA
and Palladium.

Anyway, maybe I was too personal in singling out Lucky.  He is far from
the only person who has opposed TCPA.

But Lucky, in his slides at http://www.cypherpunks.to, claims that TCPA's
designers had as one of their objectives To meet the operational needs
of law enforcement and intelligence services (slide 2); and to give
privileged access to user's computers to TCPA members only (slide 3);
that TCPA has an OS downloading a serial number revocation list (SNRL)
which he has provided no evidence for whatsoever (slide 14); that it
loads an initial list of undesirable applications which is apparently
another of his fabrications (slide 15); that TCPA applications on startup
load both a serial number revocation list but also a document revocation
list, again a completely unsubstantiated claim (slide 19); that apps then
further verify that spyware is running, another fabrication (slide 20).

He then implies that the DMCA applies to reverse engineering when
it has an explicit exemption for that (slide 23); that the maximum
possible sentence of 5 years is always applied (slide 24); that TCPA is
intended to: defeat the GPL, enable information invalidation, facilitate
intelligence collection, meet law enforcement needs, and more (slide 27);
that only signed code will boot in TCPA, contrary to the facts (slide 28).

He provides more made-up details about the mythical DRL (slide 31);
more imaginary details about document IDs, information monitoring and
invalidation to support law enforcement and intelligence needs, none of
which has anything to do with TCPA (slide 32-33).  As apparent support for
these he provides an out-of-context quote[1] from a Palladium manager,
who if you read the whole article was describing their determination to
keep the system open (slide 34).

He repeats the unfounded charge that the Hollings bill would mandate TCPA,
when there's nothing in the bill that says such a thing (slide 35);
and he exaggerates the penalties in that bill by quoting the maximum
limits as if they are the default (slide 36).

Lucky can provide all this misinformation, all under the pretence,
mind you, that this *is* TCPA.  He was educating the audience, mostly
people who were completely 




Re: Signing as one member of a set of keys

2002-08-09 Thread Meyer Wolfsheim

On Fri, 9 Aug 2002, Anonymous User wrote:

 This program can be used by anonymous contributors to release partial
 information about their identity - they can show that they are someone
 from a list of PGP key holders, without revealing which member of the
 list they are.  Maybe it can help in the recent controversy over the
 identity of anonymous posters.  It's a fairly low-level program that
 should be wrapped in a nicer UI.  I'll send a couple of perl scripts
 later that make it easier to use.

 ===

Most delightful. Thank you for reminding us that Cypherpunks do indeed
write code. More comments in a bit.

[MW SNIP]

   ++multisig v1.0
 [...]
  */

That [...] you see is an artifact of the anonymous remailer you were
using. Mixmaster, I believe, gives the option to truncate messages which
appear to include binary encoded data. PGP messages are explicitly allowed
to be sent.

Immediate problem: we can't verify your signature.

Short term solution: find a remailer that allows binary posting.

Long term solution: perhaps contact the Mixmaster authors and ask them to
explicitly allow multisig data?


-MW-




p2p DoS resistance and network stability (Re: Thanks, Lucky, for helping to kill gnutella)

2002-08-09 Thread Adam Back

On Fri, Aug 09, 2002 at 08:25:40PM -0700, AARG!Anonymous wrote:
 Several people have objected to my point about the anti-TCPA efforts of
 Lucky and others causing harm to P2P applications like Gnutella.

The point that a number of people made is that what is said in the
article is not workable: clearly you can't ultimately exclude chosen
clients on open computers due to reverse-engineering.

(With TCPA/Palladium remote attestation you probably could so exclude
competing clients, but this wasn't what was being talked about).

The client exclusion plan is also particularly unworkable for gnutella
because some of the clients are open-source, and the protocol is (now
since original reverse engineering from nullsoft client) also open.

With closed-source implementations there is some obfuscation barrier
that can be made: Kazaa/Morpheus did succeed in frustrating competing
clients due to its closed protocols and unpublished encryption
algorithm.  At one point an open source group reverse-engineered the
encryption algorithm, and from there the contained kazaa protocols,
and built an interoperable open-source client giFT
http://gift.sourceforge.net, but then FastTrack promptly changed the
unpublished encryption algorithm to another one and then used remote
code upgrade ability to upgrade all of the clients.

Now the open-source group could counter-strike if they had
particularly felt motivated to.  For example they could (1)
reverse-engineer the new unpublished encryption algorithm, and (2) the
remote code upgrade, and then (3) do their own forced upgrade to an
open encryption algorithm and (4) disable further forced upgrades.

(giFT instead after the upgrade attack from FastTrack decided to
implement their own open protocol openFT instead and compete.  It
also includes a general bridge between different file-sharing
networks, in a somewhat gaim like way, if you are familiar with
gaim.)

 [Freenet and Mojo melt-downs/failures...] Both of these are object
 lessons in the difficulties of successful P2P networking in the face
 of arbitrary client attacks.

I grant you that making simultaneously DoS resistant, scalable and
anonymous peer-to-peer networks is a Hard Problem.  Even removing the
anonymous part it's still a Hard Problem.

Note both Freenet and Mojo try to tackle the harder of those two
problems and have aspects of publisher and reader anonymity, so that
they are doing less well than Kazaa, gnutella and others is partly
because they are more ambitious and tackling a harder problem.  Also
the anonymity aspect possibly makes abuse more likely -- ie the
attacker is provided as part of the system tools to obscure his own
identity in attacking the system.  DoSers of Kazaa or gnutella would
likely be more easily identified which is some deterrence.

I also agree that the TCPA/Palladium attested closed world computing
model could likely more simply address some of these problems.

(Lucky slide critique in another post).

Adam
--
http://www.cypherspace.org/adam/




Re: Challenge to TCPA/Palladium detractors

2002-08-09 Thread Eugen Leitl

On Wed, 7 Aug 2002, Matt Crawford wrote:

 Unless the application author can predict the exact output of the
 compilers, he can't issue a signature on the object code.  The

Same version of compiler on same source using same build produces 
identical binaries.

 compilers then have to be inside the trusted base, checking a
 signature on the source code and reflecting it somehow through a
 signature they create for the object code.

You have the source, compile it using the official compiler and the
official build options, and record the blob. Entity X claims it runs the
same system that it gave you the source for. You can't sign it, but you
can verify the signed blob is the same.

The blob can still be trojaned, but you can disassemble and debug it.




Utilizing Palladium against software piracy

2002-08-09 Thread Lucky Green

I would like to again thank the Palladium team, in particular Peter
Biddle, for participating in yesterday's panel at the USENIX Security
conference on Palladium and TCPA.

Unfortunately I do not have the time at the moment to write up the many
valuable and informative points made during the panel discussion. I
will, however, highlight one such issue:

As Peter pointed out, while the Palladium effort was started to meet the
content protection requirements of digital video content providers, he
also pointed out that Microsoft and its Palladium group have so far been
unable to determine a method in which Palladium could be utilized to
assist in the efforts against application software piracy. As Peter
mentioned, the Palladium team on several occasions had to tell
Microsoft's anti-piracy group that Palladium is unsuitable to assist in
software (as distinct from content) licensing and anti-piracy efforts.
Since Microsoft is not aware of a method to utilize the Palladium
environment in the enforcement of software licenses, Peter argued,
Microsoft does not intend to and will not utilize Palladium to assist in
the enforcement of software licensing.

I, on the other hand, am able to think of several methods in which
Palladium or operating systems built on top of TCPA can be used to
assist in the enforcement of software licenses and the fight against
software piracy. I therefore, over the course of the night, wrote - and
my patent agent filed with the USPTO earlier today - an application for
a US Patent covering numerous methods by which software applications
can be protected against software piracy on a platform offering the
features that are slated to be provided by Palladium.

--Lucky Green




Re: Challenge to TCPA/Palladium detractors

2002-08-09 Thread Eugen Leitl

On Fri, 9 Aug 2002, David Howe wrote:

 It doesn't though - that is the point. I am not sure if it is simply
 that there are timestamps in the final executable, but Visual C (to give
 a common example, as that is what the windows PGP builds compile with)
 will not give an identical binary, even if you hit rebuild all twice
 in close succession and compare the two outputs, nothing having changed.

I've just verified this also occurs on OpenSSL under RH 7.3 (gcc --version
2.96). I haven't done a binary diff, but I'm also suspecting a time stamp.  
Can anyone shed some light on this?




AARG and eugene are net.loons-why signatures of binaries always change.

2002-08-09 Thread cyphrpnk

Hi all,
 It's obvious that some of us here are developers and still others
have never typed make or gcc in their lives.


-v and -V options given to various forms of ld caused the embedding of
version information in the binary (Sunpro does this also, AND early versions
of MSC allowed embedding of version information also.)
The fact that most environments don't link -Bstatic and instead link
-Bdynamic means that every time you attempt to produce a binary from
2 different systems that the dynamic link information will
be different; check out link.h, link_elf.h and link_aout.h in /usr/include.


In addition, MOST modern development environments include a date field
when compiled and linked in the binary.



 sheesh
 a cypherpunk
BTW.   AARG and eugene are idiots nyah nyah nyah!!




Signing as one member of a set of keys

2002-08-09 Thread Anonymous User

This program can be used by anonymous contributors to release partial
information about their identity - they can show that they are someone
from a list of PGP key holders, without revealing which member of the
list they are.  Maybe it can help in the recent controversy over the
identity of anonymous posters.  It's a fairly low-level program that
should be wrapped in a nicer UI.  I'll send a couple of perl scripts
later that make it easier to use.

===

/* Implementation of ring signatures from
 * http://theory.lcs.mit.edu/~rivest/RivestShamirTauman-HowToLeakASecret.pdf
 * by Rivest, Shamir and Tauman
 *
 * This creates and verifies a signature such that it was produced from
 * one of a fixed set of RSA keys.
 *
 * It requires the openssl library to build, which is available from
 * www.openssl.org.
 *
 * This program takes a PGP public key ring file which holds a set of
 * old-style RSA public keys.  It creates and verifies signatures which
 * are such that they were issued by one of the keys in that file, but
 * there is no way to tell which one did it.  In this way the signer can
 * leak partial information about his identity - that he is one member
 * of a selected set of signers.
 *
 * To sign, the signer must also give a PGP secret key file which holds
 * one key (actually the program ignores any keys past the first).
 * That key should be the secret part of one of the keys in the public
 * key file.  Also, it should be set to have no passphrase - it is too
 * complicated for a simple program like this to try to untangle PGP
 * passphrases.  So set your key to have no passphrase, then run this
 * program, then set it back.
 *
 * The program outputs the signature in the form of a list of big numbers,
 * base64 encoded.  There will be as many numbers as there were keys in
 * the public key file.  So signatures are quite large in this scheme,
 * proportional to the number of keys in the group that the signature
 * comes from.  They are also proportional to the largest key in the
 * group, so all else being equal try not to include really big keys if
 * you care about size.
 *
 * The signature is not appended to the text being signed, it is just
 * output separately.  The signer can combine them manually with some kind
 * of cut marks so that the recipient can separate out the signature from
 * the file being signed.  Some perl scripts that do this are supposed
 * to be distributed with the program.  (That is what is used to verify
 * the signature in this file itself.)
 *
 * The recipient must use the same PGP public key file that the signer
 * used.  So that may have to be sent along as well.  He runs the program
 * with the PGP file and the file to be verified, and sends the signature
 * data into stdin (using the < character).  The program will print
 * whether the signature is good or not.
 *
 * This program was written in just a couple of evenings so it is
 * a little rough.  This is version 0.9 or so - at least it works.
 * It has only been tested on my Linux system.
 *
 * The program is released into the public domain.  See the end for
 * authorship information.
 */


#include <stdio.h>
#include <stdlib.h>
#include <openssl/bn.h>
#include <openssl/rsa.h>
#include <openssl/sha.h>
#include <openssl/evp.h>

/* Cipher block size; we use Blowfish */
#define CIPHERBLOCK 8

typedef unsigned char uchar;

enum {
    ERR_OK = 0,
    ERR_BADPKT=-100,
    ERR_EOF,
    ERR_SECNOTFOUND,
    ERR_BADSIG,
};


/** PGP FILE PARSING ***/

/* Read the N and E values from a PGP public key packet */
int
rdpgppub( BIGNUM *n, BIGNUM *e, unsigned *bytesused, uchar *buf, unsigned len )
{
    int nbits, nlen, ebits, elen;
    unsigned o=2;

    if (len < 10)
        return ERR_BADPKT;
    if (buf[0] == 4)                        /* Check version 4, 3, or 2 */
        o = 0;
    else if (buf[0] != 2 && buf[0] != 3)    /* V2 and V3 have 2 extra bytes */
        return ERR_BADPKT;
    if (buf[5+o] != 1)                      /* Check alg - 1 is RSA */
        return ERR_BADPKT;
    nbits = (buf[6+o] << 8) | buf[7+o];     /* Read modulus */
    nlen = (nbits + 7)/8;
    if (len < 10+o+nlen)
        return ERR_BADPKT;
    BN_bin2bn(buf+o+8, nlen, n);
    ebits = (buf[8+o+nlen] << 8) | buf[9+o+nlen];   /* Read exponent */
    elen = (ebits + 7)/8;
    if (len < 10+o+nlen+elen)
        return ERR_BADPKT;
    BN_bin2bn(buf+10+o+nlen, elen, e);
    if (bytesused)
        *bytesused = 10+o+nlen+elen;
    return ERR_OK;
}

/* Read the N, E, D values from a PGP secret key packet with no passphrase */
int
rdpgpsec( BIGNUM *n, BIGNUM *e, BIGNUM *d, uchar *buf, unsigned len )
{
    int err;
    int nbits, nlen, ebits, elen, dbits, dlen;
    unsigned o;

    if ((err = rdpgppub(n, e, &o, buf, len)) < 0)
        return err;

    /* The archived copy of this listing ends at the line above.  The rest
     * of this function is a reconstruction from the OpenPGP secret key
     * packet layout, not the poster's original code: one string-to-key
     * usage byte (0 means no passphrase), then the exponent D. */
    if (len < o+3 || buf[o] != 0)
        return ERR_BADPKT;
    dbits = (buf[o+1] << 8) | buf[o+2];     /* Read secret exponent */
    dlen = (dbits + 7)/8;
    if (len < o+3+dlen)
        return ERR_BADPKT;
    BN_bin2bn(buf+o+3, dlen, d);
    return ERR_OK;
}
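
The ring equation from the Rivest, Shamir and Tauman paper that the header comment above describes, as a compact added example (not the poster's program). Assumptions: the three RSA keys are constructed from Mersenne primes and are insecure, SHA-256 derives the cipher key, and a SHAKE-256 Feistel network stands in for the Blowfish-based cipher the program names; all function names are this example's own.

```python
import hashlib
import secrets

def toy_keypair(a, b, e=65537):
    """Constructed, insecure RSA key from the Mersenne primes 2^a-1 and 2^b-1."""
    p, q = 2**a - 1, 2**b - 1
    return (p * q, e), pow(e, -1, (p - 1) * (q - 1))   # ((n, e), d)

def domain_bits(ring):
    """Common width b: 160 bits above the largest modulus, rounded up to 16."""
    widest = max(n.bit_length() for n, _ in ring)
    return (widest + 160 + 15) // 16 * 16

def g(n, exp, x, b):
    """RSA extended to a permutation of all b-bit values, one block of n at a time."""
    q, r = divmod(x, n)
    if (q + 1) * n > (1 << b):        # the incomplete top block is left unchanged
        return x
    return q * n + pow(r, exp, n)

def _f(k, i, half, nbytes):
    """Feistel round function: SHAKE-256 of key, round number and one half."""
    data = k + bytes([i]) + half.to_bytes(nbytes, "big")
    return int.from_bytes(hashlib.shake_256(data).digest(nbytes), "big")

def E(k, x, b, inverse=False):
    """Keyed permutation of b-bit values: 4-round Feistel (stand-in cipher)."""
    h, nbytes = b // 2, b // 16
    left, right = x >> h, x & ((1 << h) - 1)
    if inverse:
        for i in (3, 2, 1, 0):
            left, right = right ^ _f(k, i, left, nbytes), left
    else:
        for i in range(4):
            left, right = right, left ^ _f(k, i, right, nbytes)
    return (left << h) | right

def ring_sign(msg, ring, s, d):
    """Sign msg as member s of ring, a list of (n, e); d is member s's secret."""
    b = domain_bits(ring)
    k = hashlib.sha256(msg).digest()
    v = secrets.randbits(b)                       # the "glue" value
    xs = [secrets.randbits(b) for _ in ring]      # random x_i for the others
    ys = [g(n, e, x, b) for (n, e), x in zip(ring, xs)]
    z = v
    for i in range(s):                            # walk forward from v to slot s
        z = E(k, ys[i] ^ z, b)
    w = v
    for i in range(len(ring) - 1, s, -1):         # walk backward from v to slot s
        w = E(k, w, b, inverse=True) ^ ys[i]
    y_s = E(k, w, b, inverse=True) ^ z            # the one y that closes the ring
    xs[s] = g(ring[s][0], d, y_s, b)              # only the secret key inverts g_s
    return v, xs

def ring_verify(msg, ring, sig):
    """Recompute the chain from v through every key; it must come back to v."""
    v, xs = sig
    b = domain_bits(ring)
    if len(xs) != len(ring) or any(not 0 <= t < (1 << b) for t in [v, *xs]):
        return False
    k = hashlib.sha256(msg).digest()
    z = v
    for (n, e), x in zip(ring, xs):
        z = E(k, g(n, e, x, b) ^ z, b)
    return z == v

# Constructed three-member ring with moduli of very different sizes.
KEYS = [toy_keypair(61, 89), toy_keypair(107, 127), toy_keypair(521, 607)]
RING = [pub for pub, _ in KEYS]

def demo():
    """Sign one constructed message once as each member of the ring."""
    msg = b"constructed test message"
    return msg, [ring_sign(msg, RING, s, KEYS[s][1]) for s in range(len(RING))]

if __name__ == "__main__":
    message, signatures = demo()
    print([ring_verify(message, RING, sig) for sig in signatures])
```

A signature carries one number per ring member plus the glue value, each as wide as the common domain, which is why the header comment warns that size grows with both the number of keys and the largest key.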

Thanks, Lucky, for helping to kill gnutella

2002-08-09 Thread AARG! Anonymous

An article on Salon this morning (also being discussed on slashdot),
http://www.salon.com/tech/feature/2002/08/08/gnutella_developers/print.html,
discusses how the file-trading network Gnutella is being threatened by
misbehaving clients.  In response, the developers are looking at limiting
the network to only authorized clients:

 On Gnutella discussion sites, programmers are discussing a number of
 technical proposals that would make access to the network contingent
 on good behavior: If you write code that hurts Gnutella, in other
 words, you don't get to play. One idea would allow only clients that
 you can authenticate to speak on the network, Fisk says. This would
 include the five-or-so most popular Gnutella applications, including
 Limewire, BearShare, Toadnode, Xolox, Gtk-Gnutella, and Gnucleus. If
 new clients want to join the group, they would need to abide by a certain
 communication specification.

They intend to do this using digital signatures, and there is precedent
for this in past situations where there have been problems:

 Alan Cox, a veteran Linux developer, says that he's seen this sort of
 debate before, and he's not against a system that keeps out malicious
 users using technology. Years and years ago this came up with a game
 called Xtrek, Cox says. People were building clients with unfair
 capabilities to play the space game -- and the solution, says Cox,
 was to introduce digital signatures. Unless a client has been signed,
 it can't play. You could build any client you wanted, but what you can't
 do is build an Xtrek client that let you play better.

Not discussed in the article is the technical question of how this can
possibly work.  If you issue a digital certificate on some Gnutella
client, what stops a different client, an unauthorized client, from
pretending to be the legitimate one?  This is especially acute if the
authorized client is open source, as then anyone can see the cert,
see exactly what the client does with it, and merely copy that behavior.

If only there were a technology in which clients could verify and yes,
even trust, each other remotely.  Some way in which a digital certificate
on a program could actually be verified, perhaps by some kind of remote,
trusted hardware device.  This way you could know that a remote system was
actually running a well-behaved client before admitting it to the net.
This would protect Gnutella from not only the kind of opportunistic
misbehavior seen today, but the future floods, attacks and DOSing which
will be launched in earnest once the content companies get serious about
taking this network down.

If only...  Luckily the cypherpunks are doing all they can to make sure
that no such technology ever exists.  They will protect us from being able
to extend trust across the network.  They will make sure that any open
network like Gnutella must forever face the challenge of rogue clients.
They will make sure that open source systems are especially vulnerable
to rogues, helping to drive these projects into closed source form.

Be sure and send a note to the Gnutella people reminding them of all
you're doing for them, okay, Lucky?




Re: Challenge to TCPA/Palladium detractors

2002-08-09 Thread Ken Brown

James A. Donald wrote:
 
 --
 On Wed, 7 Aug 2002, Matt Crawford wrote:
   Unless the application author can predict the exact output of
   the compilers, he can't issue a signature on the object code.
   The
 
 On 9 Aug 2002 at 10:48, Eugen Leitl wrote:
  Same version of compiler on same source using same build
  produces identical binaries.
 
 This has not been my experience.

Nor anyone else's

If only because the exact image you get depends on a hell of a lot of
programs & libraries. Does anyone expect /Microsoft/ of all software
suppliers to provide consistent versioning and reproducible or
predictable software environments? These are the people who brought us
DLL Hell. These are the people who fell into the MDAC versioning
fiasco. 

Ken




RE: Challenge to TCPA/Palladium detractors

2002-08-09 Thread Sam Simpson

I'm not surprised that most people couldn't produce matching PGP
executables - most compilers (irrespective of compiler optimisation
options etc) include a timestamp in the executable.

Regards,

Sam Simpson
[EMAIL PROTECTED]
http://www.samsimpson.com/
Mob:  +44 (0) 7866 726060
Home Office:  +44 (0) 1438 229390
Fax:  +44 (0) 1438 726069

On Fri, 9 Aug 2002, Lucky Green wrote:

 Anonymous wrote:
  Matt Crawford replied:
   Unless the application author can predict the exact output of the
   compilers, he can't issue a signature on the object code.  The
   compilers then have to be inside the trusted base, checking a
   signature on the source code and reflecting it somehow through a
   signature they create for the object code.
 
  It's likely that only a limited number of compiler
  configurations would be in common use, and signatures on the
  executables produced by each of those could be provided.
  Then all the app writer has to do is to tell people, get
  compiler version so-and-so and compile with that, and your
  object will match the hash my app looks for. DEI

 The above view may be overly optimistic. IIRC, nobody outside PGP was
 ever able to compile a PGP binary from source that matched the hash of
 the binaries built by PGP.

 --Lucky Green






Re: Thanks, Lucky, for helping to kill gnutella

2002-08-09 Thread Eric Murray

On Fri, Aug 09, 2002 at 10:05:15AM -0700, AARG! Anonymous wrote:
 
  On Gnutella discussion sites, programmers are discussing a number of
  technical proposals that would make access to the network contingent
  on good behavior: If you write code that hurts Gnutella, in other
  words, you don't get to play. One idea would allow only clients that
  you can authenticate to speak on the network, Fisk says. This would
  include the five-or-so most popular Gnutella applications, including
  Limewire, BearShare, Toadnode, Xolox, Gtk-Gnutella, and Gnucleus. If
  new clients want to join the group, they would need to abide by a certain
  communication specification.
 
 They intend to do this using digital signatures, and there is precedent
 for this in past situations where there have been problems:


Depending on the clients to do the right thing is fundamentally stupid.


[..]

 
 Be sure and send a note to the Gnutella people reminding them of all
 you're doing for them, okay, Lucky?

This sort of attack doesn't do your position any good.


Eric




Re: Signing as one member of a set of keys

2002-08-09 Thread Adam Back

Very nice.  

Nice plausible set of candidate authors also:

pub  1022/5AC7B865 1992/12/01  [EMAIL PROTECTED]
pub  1024/2B48F6F5 1996/04/10  Ian Goldberg [EMAIL PROTECTED]
pub  1024/97558A1D 1994/01/10  Pr0duct Cypher alt.security.pgp
pub  1024/2719AF35 1995/05/13  Ben Laurie [EMAIL PROTECTED]
pub  1024/58214C37 1992/09/08  Hal Finney [EMAIL PROTECTED]
pub  1024/C8002BD1 1997/03/04  Eric Young [EMAIL PROTECTED]
pub  1024/FBBB8AB1 1994/05/07  Colin Plumb [EMAIL PROTECTED]

Wonder if we can figure out who is most likely author based on coding
style from such a small set.

It has (8 char) TABs but otherwise BSD indentation style (BSD
normally 4 spaces).  Also someone who likes triply indirected pointers
***blah in there.  Has local variables inside even *if code blocks*
eg, inside main() (most people avoid that, preferring to declare
variables at the top of a function, and historically I think some
older gcc / gdb couldn't debug those variables if I recall).  Very
funky use of goto in getpgppkt, hmmm.  Somewhat concise coding and
variable names.

Off the cuff guess based on coding without looking at samples of code
to remind, probably Colin or Ian.

Of course (Lance Cottrell/Ian Goldberg/Pr0duct Cypher/Ben Laurie/Hal
Finney/Eric Young/Colin Plumb) possibly deviated or mimicked one of
their coding styles.  Kind of interesting to see a true nym in there
also.

Also the Cc -- Coderpunks lives?  I think the Cc coderpunks might be a
clue also, I think some of these people would know it died.  I think
that points more at Colin.

Other potential avenue might be implementation mistake leading to
failure of the scheme to robustly make undecidable which of the set is
the true author, given alpha code.

Adam

On Fri, Aug 09, 2002 at 03:52:56AM +, Anonymous User wrote:
 This program can be used by anonymous contributors to release partial
 information about their identity - they can show that they are someone
 from a list of PGP key holders, without revealing which member of the
 list they are.  Maybe it can help in the recent controversy over the
 identity of anonymous posters.  It's a fairly low-level program that
 should be wrapped in a nicer UI.  I'll send a couple of perl scripts
 later that make it easier to use.




Re: Thanks, Lucky, for helping to kill gnutella

2002-08-09 Thread Bram Cohen

AARG!Anonymous wrote:

 If only there were a technology in which clients could verify and yes,
 even trust, each other remotely.  Some way in which a digital certificate
 on a program could actually be verified, perhaps by some kind of remote,
 trusted hardware device.  This way you could know that a remote system was
 actually running a well-behaved client before admitting it to the net.
 This would protect Gnutella from not only the kind of opportunistic
 misbehavior seen today, but the future floods, attacks and DOSing which
 will be launched in earnest once the content companies get serious about
 taking this network down.

Before claiming that the TCPA, which is from a deployment standpoint
vaporware, could help with gnutella's scaling problems, you should
probably learn something about what gnutella's problems are first. The
truth is that gnutella's problems are mostly that it's a screamer
protocol, and limiting which clients could connect would do nothing to fix
that.

Limiting which clients could connect to the gnutella network would,
however, do a decent job of forcing people to pay for one of the
commercial clients. In this way it's very typical of how TCPA works - a
non-solution to a problem, but one which could potentially make money, and
has the support of gullible dupes who know nothing about the technical
issues involved.

 Be sure and send a note to the Gnutella people reminding them of all
 you're doing for them, okay, Lucky?

Your personal vendetta against Lucky is very childish.

-Bram Cohen

Markets can remain irrational longer than you can remain solvent
-- John Maynard Keynes




Re: Thanks, Lucky, for helping to kill gnutella

2002-08-09 Thread Mike Rosing

On Fri, 9 Aug 2002, Jay Sulzberger wrote:

 There are many solutions at the level of technical protocols that solve
 the projection of these problems down to the low dimensional subspace of
 technical problems.  Some of these technical protocols will be part of
 a full system which accomplishes the desired ends.  Please contact me
 off-list if you are willing to spend some money for an implementation.

Hey!  Tell the Gnutella folks I'll be happy to bid on that too!
I'm pretty sure I can get them a solid solution, especially since it's
just a technical problem.

Patience, persistence, truth,
Dr. mike




Re: Thanks, Lucky, for helping to kill gnutella

2002-08-09 Thread Jay Sulzberger

On Fri, 9 Aug 2002, AARG!Anonymous wrote:

 ... /

 Not discussed in the article is the technical question of how this can
 possibly work.  If you issue a digital certificate on some Gnutella
 client, what stops a different client, an unauthorized client, from
 pretending to be the legitimate one?  This is especially acute if the
 authorized client is open source, as then anyone can see the cert,
 see exactly what the client does with it, and merely copy that behavior.

 If only there were a technology in which clients could verify and yes,
 even trust, each other remotely.  Some way in which a digital certificate
 on a program could actually be verified, perhaps by some kind of remote,
 trusted hardware device.  This way you could know that a remote system was
 actually running a well-behaved client before admitting it to the net.
 This would protect Gnutella from not only the kind of opportunistic
 misbehavior seen today, but the future floods, attacks and DOSing which
 will be launched in earnest once the content companies get serious about
 taking this network down.

There are many solutions at the level of technical protocols that solve
the projection of these problems down to the low dimensional subspace of
technical problems.  Some of these technical protocols will be part of
a full system which accomplishes the desired ends.  Please contact me
off-list if you are willing to spend some money for an implementation.

Your claim, if true, would also demonstrate that no credit card payments
over the Net, no apt-get style updating, no Paypal-like system, no crypto
time-stamp system, etc., can exist today.


 If only...  Luckily the cypherpunks are doing all they can to make sure
 that no such technology ever exists.  They will protect us from being able
 to extend trust across the network.  They will make sure that any open
 network like Gnutella must forever face the challenge of rogue clients.
 They will make sure that open source systems are especially vulnerable
 to rogues, helping to drive these projects into closed source form.

 Be sure and send a note to the Gnutella people reminding them of all
 you're doing for them, okay, Lucky?

AARG!, this is again unworthy of you.  You are capable of attempting to
confuse and misdirect at a higher level.

You might wish to emphasize that the real difficulties are at the levels
where the reasons for the small usage of GNUPG lie.  That really the
technical details of the TCPA/Palladium system hardly matter.  What
TCPA/Palladium will allow is the provision to the masses of even more
powerful brews of fantasy, game playing, advertising, etc..  And that there
will be a small number of hobbyists who use the unprotected ports of
TCPA/Palladium for their own limited experiments/amusements/etc..  The
real point of TCPA/Palladium is that a locus of trust, seemingly
guaranteed by the Powers That Be, will be created, and that the existence
of this same locus, under the facies of locus of dealmaking/lawyering,
will so reassure the Infotainment Arm of the Englobulators that the Arm
will unleash its extraordinary forces to build and sell ever more
entrancing Palaces of Dreams.  The unprotected ports will allow a mostly
self-supporting farm team system which will function without much direct
oversight and little outlay of money by Englobulator Central or any of the
Arms.  The limited freedom of the Farm System, with its convenient pull
strings, for the cases where something large and not controlled by Those
Who Know Best takes off, will be a powerful lure to up and coming future
Talent, who, when the time comes, may be Signed, without today's confusing
and annoying possibility of continued independence.  Indeed, the EULA of
every system might have a section which binds users who display Marketable
Things to an automatic Arbitration of Contract.

oo--JS.




Re: Thanks, Lucky, for helping to kill gnutella

2002-08-09 Thread Pete Chown

Anonymous wrote:

 ... the file-trading network Gnutella is being threatened by
 misbehaving clients.  In response, the developers are looking at limiting
 the network to only authorized clients:

This is the wrong solution.  One of the important factors in the
Internet's growth was that the IETF exercised enough control, but not
too much.  So HTTP is standardised, which allows (theoretically) any
browser to talk to any web server.  At the same time the higher levels
are not standardised, so someone who has an idea for a better browser or
web server is free to implement it.

If you build a protocol which allows selfish behaviour, you have done
your job badly.  Preventing selfish behaviour in distributed systems is
not easy, but that is the problem we need to solve.  It would be a good
discussion for this list.

 Not discussed in the article is the technical question of how this can
 possibly work.  If you issue a digital certificate on some Gnutella
 client, what stops a different client, an unauthorized client, from
 pretending to be the legitimate one?

Exactly.  This has already happened with unauthorised AIM clients.  My
freedom to lie allows me to use GAIM rather than AOL's client.  In this
case, IMO, the ethics are the other way round.  AOL seeks to use its
(partial) monopoly to keep a grip on the IM market.  The freedom to lie
mitigates this monopoly to an extent.

-- 
Pete




Re: Thanks, Lucky, for helping to kill gnutella

2002-08-09 Thread Bram Cohen

Antonomasia wrote:

 My copy of Peer to Peer (Oram, O'Reilly) is out on loan but I think
 Freenet and Mojo use protocols that require new users to be
 contributors before they become consumers.  (Leaving aside that
 Gnutella seems doomed on scalability grounds.)

Freenet and Mojo Nation have had serious issues in the wild, but my
project, BitTorrent, is currently being used in serious deployment, and
its leech resistance algorithms are proving quite robust - 

http://bitconjurer.org/BitTorrent/

This is a very narrow form of leech resistance, but it may be all that is
needed.

-Bram Cohen

Markets can remain irrational longer than you can remain solvent
-- John Maynard Keynes




TCPA/Palladium -- likely future implications (Re: dangers of TCPA/palladium)

2002-08-09 Thread Adam Back

On Thu, Aug 08, 2002 at 09:15:33PM -0700, Seth David Schoen wrote:
 Back in the Clipper days [...] how do we know that this
 tamper-resistant chip produced by Mykotronix even implements the
 Clipper spec correctly?.

The picture is related but has some extra wrinkles with the
TCPA/Palladium attestable donglization of CPUs.

- It is always the case that targeted people can have hardware
attacks perpetrated against them.  (Keyboard sniffers placed during
court authorised break-in as FBI has used in mob case of PGP using
Mafiosa [1]).

- In the clipper case people didn't need to worry much if the clipper
chip had malicious deviations from spec, because Clipper had an openly
stated explicit purpose to implement a government backdoor -- there's
no need for NSA to backdoor the explicit backdoor.

But in the TCPA/Palladium case however the hardware tampering risk you
identify is as you say relevant:

- It's difficult for the user to verify hardware.  

- Also: it wouldn't be that hard to manufacture plausibly deniable
implementation mistakes that could equate to a backdoor -- eg the
random number generators used to generate the TPM/SCP private device
keys.

However, beyond that there is an even softer target for would-be
backdoorers:

- the TCPA/Palladium's hardware manufacturers endorsement CA keys.

these are the keys to the virtual kingdom formed -- the virtual
kingdom by the closed space within which attested applications and
software agents run.


So specifically let's look at the questions arising:

1. What could a hostile entity(*) do with a copy of a selection of
hardware manufacturer endorsement CA private keys?

( (*) where the hostile entity candidates would for example be
secret service agencies, law enforcement or homeland security
agencies in western countries, RIAA/MPAA in pursuit of their quest to
exercise their desire to jam and DoS peer-to-peer file sharing
networks, the Chinese government, Taiwanese government (they make lots
of equipment right) and so on).

a. Who needs to worry -- who will be targeted?

Who needs to worry about this depends on how overt third-party
ownership of these keys is, and hence the pool of people who would
likely be targeted.  

If it's very covert, it would only be used plausibly deniably and only
for Nat Sec / Homeland Security purposes.  If it becomes overt over
time -- a publicly acknowledged, but supposedly court controlled
affair like Clipper, or even more widely desired by a wide-range of
entities for example: keys made available to RIAA / MPAA so they can
do the hacking they have been pushing for -- well then we all need to
worry.


To analyse the answer to question 1, we first need to think about
question 2:

2. What kinds of TCPA/Palladium integrity depending trusted
applications are likely to be built?

Given the powerful (though balance of control changing) new remotely
attestable security features provided by TCPA/Palladium, all kinds of
remote services become possible, for example (though all to the extent
of hardware tamper-resistance and belief that your attacker doesn't
have access to a hardware endorsement CA private key):

- general Application Service Providers (ASPs) that you don't have to
trust to read your data

- less traceable peer-to-peer applications

- DRM applications that make a general purpose computer secure against
BORA (Break Once Run Anywhere), though of course not secure against
ROCA (Rip Once Copy Everywhere) -- which will surely continue to
happen with ripping shifting to hardware hackers.

- general purpose unreadable sandboxes to run general purpose
CPU-for-rent computing farms for hire, where the sender knows you
can't read his code, you can't read his input data, or his output
data, or tamper with the computation.

- file-sharing while robustly hiding knowledge and traceability of
content even to the node serving it -- previously research question,
now easy coding problem with efficient

- anonymous remailers where you have more assurance that a given node
is not logging and analysing the traffic being mixed by it


But of course all of these distributed applications, positive and
negative (depending on your view point), are limited in their
assurance of their non-cryptographically assured aspects:

- to the tamper resistance of the device

- to the extent of the users confidence that an entity hostile to them
doesn't have the endorsement CA's private key for the respective
remote servers implementing the network application they are relying
on


and a follow-on question to question 2:

3. Will any software companies still aim for cryptographic assurance?

(cryptographic assurance means you don't need to trust someone not to
reverse engineer the application -- ie you can't read the data because
it is encrypted with a key derived from a password that is only stored
in the users head).

The extended platform allows you to build new classes of applications
which aren't currently buildable to cryptographic levels of 

Re: AARG and eugene are net.loons-why signatures of binaries always change.

2002-08-09 Thread Eugen Leitl

You're being quite creative with alternative spelling and punctuation.
However, if you think that provides sustainable stealth cover against a
competent attacker (TLA agencies must by now be really good with
linguistic forensics) you're fooling yourself.

For executable binary verification it is obviously necessary to use
compilers/linkers which don't write crap into the binary. Speaking of
which, given the size of the code blob one could as well use handcrafted
assembly. Also, using a standardized build environment is not exactly
rocket science, since one can checksum ISO images, too. Platinum Group 
Linux would be a good name for the distro.

On Fri, 9 Aug 2002, cyphrpnk wrote:

 Hi all,
  Its obvious that some of us here are developers and still others
 have never typed make or gcc in their lives.
 
 
 -v and -V options given to various forms of ld caused the embeddment of 
 version information in the binary(Sunpro does this also, AND early versions
 of MSC allowed embeddment of version information also.)
 The fact that most environments dont link -Bstatic and instead link
 -Bdynamic means that every time you attempt to produce a binary from
 2 different systems that the dynamic link information will
 be different checkout link.h link_elf.h link_aout.h in /usr/include
 
 
 in addition MOST modern developement environments include a date field
 when compiled and linked in the binary
 
 
 
  sheesh
  a cypherpunk
 BTW.   AARG and eugene are idiots nyah nyah nyah!!
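
The point Sam Simpson and cyphrpnk make in this thread, that a build date written into the binary is enough to make two compiles of the same source hash differently, as an added example (not code from any poster). It assumes Windows PE output, where the COFF header's TimeDateStamp field holds the build time; the three images below are constructed stand-ins, not real PGP binaries.

```python
from __future__ import annotations

import hashlib
import struct

E_LFANEW_OFFSET = 0x3C   # DOS header field holding the offset of "PE\0\0"
TIMESTAMP_REL = 8        # signature(4) + Machine(2) + NumberOfSections(2)


def timestamp_span(image: bytes) -> tuple[int, int]:
    """Return [start, end) of the COFF TimeDateStamp field, with bounds checks."""
    if len(image) < E_LFANEW_OFFSET + 4 or image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (pe_off,) = struct.unpack_from("<I", image, E_LFANEW_OFFSET)
    if pe_off + 24 > len(image) or image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found where e_lfanew points")
    start = pe_off + TIMESTAMP_REL
    return start, start + 4


def normalized_digest(image: bytes) -> str:
    """SHA-256 of the image with the build timestamp zeroed out."""
    start, end = timestamp_span(image)
    return hashlib.sha256(image[:start] + b"\0" * 4 + image[end:]).hexdigest()


def diff_ranges(a: bytes, b: bytes) -> list[tuple[int, int]]:
    """Return [start, end) byte ranges where the two images differ."""
    ranges, start = [], None
    common = min(len(a), len(b))
    for i in range(common):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, common))
    if len(a) != len(b):                      # trailing bytes only one build has
        ranges.append((common, max(len(a), len(b))))
    return ranges


def compare_builds(a: bytes, b: bytes) -> dict:
    """Say whether two builds match, and which differences the timestamp does
    not explain. Anything in 'unexplained' needs a human to look at it."""
    span_a, span_b = timestamp_span(a), timestamp_span(b)
    unexplained = [
        r for r in diff_ranges(a, b)
        if span_a != span_b or not (span_a[0] <= r[0] and r[1] <= span_a[1])
    ]
    return {
        "raw_match": hashlib.sha256(a).digest() == hashlib.sha256(b).digest(),
        "normalized_match": normalized_digest(a) == normalized_digest(b),
        "unexplained": unexplained,
    }


def make_image(build_time: int, payload: bytes) -> bytes:
    """Constructed sample: DOS stub + COFF file header + payload (not loadable)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x014C, 1, build_time, 0, 0, 0, 0x0102)
    return dos + coff + payload


# Constructed inputs: A and B are the same code built at different times,
# C carries a one-byte change in the code itself.
BUILD_A = make_image(0x3D53F1A0, b"code bytes")
BUILD_B = make_image(0x3D540000, b"code bytes")
BUILD_C = make_image(0x3D540000, b"code bytEs")

if __name__ == "__main__":
    for name, other in (("B", BUILD_B), ("C", BUILD_C)):
        print("A vs", name, compare_builds(BUILD_A, other))
```

A signer who publishes only the raw hash gets a mismatch for A against B even though nothing but the date changed; the normalized digest matches, and the real code change in C still shows up as an unexplained range.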




Re: Thanks, Lucky, for helping to kill gnutella (fwd)

2002-08-09 Thread R. A. Hettinga

At 1:03 AM +0200 on 8/10/02, Some anonymous, and now apparently
innumerate, idiot in my killfile got himself forwarded to Mr. Leitl's
cream of cypherpunks list:


 They will protect us from being able
 to extend trust across the network.

As Dan Geer and Carl Ellison have reminded us on these lists and
elsewhere, there is no such thing as trust, on the net, or anywhere
else.

There is only risk.


Go learn some finance before you attempt to abstract emotion into the
quantifiable.

Actual numerate, thinking, people gave up on that nonsense in the
1970's, and the guys who proved the idiocy of trust, showing, like
LaGrange said to Napoleon about god, that the capital markets had no
need that hypothesis, Sire ended up winning a Nobel for that proof
in the 1990's*.

Cheers,
RAH
*The fact that Scholes and Merton eventually ended up betting on
equity volatility like it was actually predictable and got their
asses handed to them for their efforts is beside the point, of
course. :-).


-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'




Re: Thanks, Lucky, for helping to kill gnutella

2002-08-09 Thread Antonomasia

From: AARG!Anonymous [EMAIL PROTECTED]

 An article on Salon this morning (also being discussed on slashdot),
 http://www.salon.com/tech/feature/2002/08/08/gnutella_developers/print.html,
 discusses how the file-trading network Gnutella is being threatened by
 misbehaving clients.  In response, the developers are looking at limiting
 the network to only authorized clients:

 They intend to do this using digital signatures, and there is precedent
 for this in past situations where there have been problems:

  Alan Cox,  Years and years ago this came up with a game

 If only there were a technology in which clients could verify and yes,

 Be sure and send a note to the Gnutella people reminding them of all
 you're doing for them, okay, Lucky?

Now that is resorting to silly accusation.

My copy of Peer to Peer (Oram, O'Reilly) is out on loan but I think Freenet
and Mojo use protocols that require new users to be contributors before they
become consumers.  (Leaving aside that Gnutella seems doomed on scalability
grounds.)

Likewise the WAN shooter games have (partially) defended against cheats by
making the client hold no authoritative data and by disqualifying those
that send impossible traffic.  (Excluding wireframe graphics cards is another
matter.)  If I were a serious gamer I'd want 2 communities - one for plain
clients to match gaming skills and another for cheat all you like contests
to match both gaming and programming skills.

If the Gnuts need to rework the protocol they should do so.

My objection to this TCPA/palladium thing is that it looks aimed at ending
ordinary computing.  If the legal scene were radically different this wouldn't
be causing nearly so much fuss.  Imagine:
- a DoJ that can enforce monopoly law
- copyright that expires in reasonable time
 (5 years for s/w ? 15 years for books,films,music... ?)
- fair use and first sale are retained
- no concept of indirect infringement (e.g. selling marker pens)
- criminal and civil liability for incorrectly barring access in DRM
- hacking is equally illegal for everybody
- no restriction on making and distributing/selling any h/w,s/w

If Anonymous presents Gnutella for serious comparison with the above issues
I say he's looking in the wrong end of his telescope.

--
##
# Antonomasia   ant notatla.demon.co.uk  #
# See http://www.notatla.demon.co.uk/#
##




Re: TCPA/Palladium -- likely future implications

2002-08-09 Thread James A. Donald

--
On 9 Aug 2002 at 17:15, AARG! Anonymous wrote:
 to understand it you need a true picture of TCPA rather than the 
 false one which so many cypherpunks have been promoting.

As TCPA is currently vaporware, projections of what it will be, 
and how it will be used are judgments, and are not capable of 
being true or false, though they can be plausible or implausible.

Even with the best will in the world, and I do not think the 
people behind this have the best will in the world, there is an 
inherent conflict between tamper resistance and general purpose 
programmability.  To prevent me from getting at the bits as they 
are sent to my sound card or my video card, the entire computer, 
not just the dongle, has to be somewhat tamper resistant, which is 
going to make the entire computer somewhat less general purpose 
and programmable, thus less useful.

The people behind TCPA might want to do something more evil than 
you say they want to do, if they want to do what you say they want 
to do they might be prevented by law enforcement which wants 
something considerably more far reaching and evil, and if they
want to do it, and law enforcement refrains from reaching out and 
taking hold of their work, they still may be unable to do it for 
technical reasons. 

--digsig
 James A. Donald
 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
 D7ZUyyAS+7CybaH0GT3tHg1AkzcF/LVYQwXbtqgP
 2HBjGwLqIOW1MEoFDnzCH6heRfW1MNGv1jXMIvtwb




Re: Thanks, Lucky, for helping to kill gnutella

2002-08-09 Thread AARG! Anonymous

Several people have objected to my point about the anti-TCPA efforts of
Lucky and others causing harm to P2P applications like Gnutella.

Eric Murray wrote:
 Depending on the clients to do the right thing is fundamentally
 stupid.

Bram Cohen agrees:
 Before claiming that the TCPA, which is from a deployment standpoint
 vaporware, could help with gnutella's scaling problems, you should
 probably learn something about what gnutella's problems are first. The
 truth is that gnutella's problems are mostly that it's a screamer
 protocol, and limiting which clients could connect would do nothing to fix
 that.

I will just point out that it was not my idea, but rather that Salon
said that the Gnutella developers were considering moving to authorized
clients.  According to Eric, those developers are fundamentally stupid.
According to Bram, the Gnutella developers don't understand their
own protocol, and they are supporting an idea which will not help.
Apparently their belief that clients like Qtrax are hurting the system
is totally wrong, and keeping such clients off the system won't help.

I can't help believing the Gnutella developers know more about their
own system than Bram and Eric do.  If they disagree, their argument is
not with me, but with the Gnutella people.  Please take it there.

Ant chimes in:
 My copy of Peer to Peer (Oram, O'Reilly) is out on loan but I think Freenet
 and Mojo use protocols that require new users to be contributors before they
 become consumers.

Pete Chown echoes:
 If you build a protocol which allows selfish behaviour, you have done
 your job badly.  Preventing selfish behaviour in distributed systems is
 not easy, but that is the problem we need to solve.  It would be a good
 discussion for this list.

As far as Freenet and MojoNation, we all know that the latter shut down,
probably in part because the attempted traffic-control mechanisms made
the whole network so unwieldy that it never worked.  At least in part
this was also due to malicious clients, according to the analysis at
http://www.cs.rice.edu/Conferences/IPTPS02/188.pdf.  And Freenet has been
rendered inoperative in recent months by floods.  No one knows whether
they are fundamental protocol failings, or the result of selfish client
strategies, or calculated attacks by the RIAA and company.  Both of these
are object lessons in the difficulties of successful P2P networking in
the face of arbitrary client attacks.

Some people took issue with the personal nature of my criticism:

 Your personal vendetta against Lucky is very childish.

 This sort of attack doesn't do your position any good.

Right, as if my normal style has been so effective.  Not one person has
given me the least support in my efforts to explain the truth about TCPA
and Palladium.

Anyway, maybe I was too personal in singling out Lucky.  He is far from
the only person who has opposed TCPA.

But Lucky, in his slides at http://www.cypherpunks.to, claims that TCPA's
designers had as one of their objectives To meet the operational needs
of law enforcement and intelligence services (slide 2); and to give
privileged access to user's computers to TCPA members only (slide 3);
that TCPA has an OS downloading a serial number revocation list (SNRL)
which he has provided no evidence for whatsoever (slide 14); that it
loads an initial list of undesirable applications which is apparently
another of his fabrications (slide 15); that TCPA applications on startup
load both a serial number revocation list but also a document revocation
list, again a completely unsubstantiated claim (slide 19); that apps then
further verify that spyware is running, another fabrication (slide 20).

He then implies that the DMCA applies to reverse engineering when
it has an explicit exemption for that (slide 23); that the maximum
possible sentence of 5 years is always applied (slide 24); that TCPA is
intended to: defeat the GPL, enable information invalidation, facilitate
intelligence collection, meet law enforcement needs, and more (slide 27);
that only signed code will boot in TCPA, contrary to the facts (slide 28).

He provides more made-up details about the mythical DRL (slide 31);
more imaginary details about document IDs, information monitoring and
invalidation to support law enforcement and intelligence needs, none of
which has anything to do with TCPA (slide 32-33).  As apparent support for
these he provides an out-of-context quote[1] from a Palladium manager,
who if you read the whole article was describing their determination to
keep the system open (slide 34).

He repeats the unfounded charge that the Hollings bill would mandate TCPA,
when there's nothing in the bill that says such a thing (slide 35);
and he exaggerates the penalties in that bill by quoting the maximum
limits as if they are the default (slide 36).

Lucky can provide all this misinformation, all under the pretence,
mind you, that this *is* TCPA.  He was educating the audience, mostly
people who were completely 

Re: TCPA/Palladium -- likely future implications

2002-08-09 Thread Mike Rosing

On Fri, 9 Aug 2002, AARG! Anonymous wrote:

 : Allow computers separated on the internet to cooperate and share data
 : and computations such that no one can get access to the data outside
 : the limitations and rules imposed by the applications.

 It seems to me that my definition is far more useful and appropriate in
 really understanding what TCPA/Palladium are all about.  Adam, what do
 you think?

Just because you can string words together and form a definition doesn't
make it realizable.  Once data is in the clear it can be copied, and no
rules can change that.  Either the data is available to the user, and
they can copy it - or the data is not available to the user, and there's
nothing they can do when their machine does somebody else's calculations.

 I have a couple of suggestions.  One early application for TCPA is in
 closed corporate networks.  In that case the company usually buys all
 the computers and prepares them before giving them to the employees.
 At that time, the company could read out the TPM public key and sign
 it with the corporate key.  Then they could use that cert rather than
 the TPME cert.  This would protect the company's sensitive data against
 eavesdroppers who manage to virtualize their hardware.

And guess what?  I can buy that today!  I don't need either TCPA or
Palladium.  So why do we need TCPA?

 Think about it: this one innocuous little box holding the TPME key could
 ultimately be the root of trust for the entire world.  IMO we should
 spare no expense in guarding it and making sure it is used properly.
 With enough different interest groups keeping watch, we should be able
 to keep it from being used for anything other than its defined purpose.

Man, I want the stuff you are smoking!  One attack point is the root of
trust for the whole world!!???!!!  Take another hit dude, and make sure
you see lots of colors too.

Patience, persistence, truth,
Dr. mike
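
The corporate enrollment scheme quoted in the message above (read out the device public key, sign it with the corporate key, then trust only keys carrying that signature), as an added example that is not part of the original thread. Ed25519 stands in for the TPM key pair, and the `EnrollmentCert` format, function names and sample values are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// EnrollmentCert (hypothetical format): the corporate key's signature over a device public key.
type EnrollmentCert struct {
	DevicePub ed25519.PublicKey
	Sig       []byte
}

// Enroll runs once, while IT still holds the machine.
func Enroll(corpPriv ed25519.PrivateKey, devicePub ed25519.PublicKey) EnrollmentCert {
	return EnrollmentCert{DevicePub: devicePub, Sig: ed25519.Sign(corpPriv, devicePub)}
}

// VerifyQuote accepts a statement only if the device key was enrolled by the
// corporate key and that device key signed nonce||statement (fixed-length nonce).
func VerifyQuote(corpPub ed25519.PublicKey, c EnrollmentCert, nonce, stmt, sig []byte) bool {
	if len(c.DevicePub) != ed25519.PublicKeySize { // ed25519.Verify panics on bad key length
		return false
	}
	if !ed25519.Verify(corpPub, c.DevicePub, c.Sig) {
		return false
	}
	return ed25519.Verify(c.DevicePub, append(append([]byte{}, nonce...), stmt...), sig)
}

// Demo returns whether (enrolled key, unenrolled key, replayed quote) were accepted.
func Demo() (bool, bool, bool) {
	corpPub, corpPriv, _ := ed25519.GenerateKey(rand.Reader)
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)   // stands in for the TPM key
	softPub, softPriv, _ := ed25519.GenerateKey(rand.Reader) // key never seen by IT
	cert := Enroll(corpPriv, devPub)
	nonce, stmt := []byte("constructed-nonce-01"), []byte("constructed measurement digest")
	msg := append(append([]byte{}, nonce...), stmt...)
	quote := ed25519.Sign(devPriv, msg)

	enrolled := VerifyQuote(corpPub, cert, nonce, stmt, quote)
	swapped := EnrollmentCert{DevicePub: softPub, Sig: cert.Sig} // cert signature does not cover softPub
	unenrolled := VerifyQuote(corpPub, swapped, nonce, stmt, ed25519.Sign(softPriv, msg))
	replayed := VerifyQuote(corpPub, cert, []byte("constructed-nonce-02"), stmt, quote)
	return enrolled, unenrolled, replayed
}

func main() {
	fmt.Println(Demo())
}
```

The check only establishes that the signing key was enrolled; it says nothing about whether the enrolled private key is actually confined to hardware, which is the property the thread is arguing over.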




TCPA ad nauseum

2002-08-09 Thread Mike Rosing

On Fri, 9 Aug 2002, AARG! Anonymous wrote:

 Of course his analysis is spoiled by an underlying paranoia.  So let me
 ask just one question.  How exactly is subversion of the TPM a greater
 threat than subversion of your PC hardware today?  How do you know that
 Intel or AMD don't already have back doors in their processors that
 the NSA and other parties can exploit?  Or that Microsoft doesn't have
 similar backdoors in its OS?  And similarly for all the other software
 and hardware components that make up a PC today?

 In other words, is this really a new threat?  Or are you unfairly blaming
 TCPA for a problem which has always existed and always will exist?

The difference is that *anyone* can see what goes on inside an Intel or
AMD processor.  Only the key holder of the TPM can see inside the
protected code space.  You can't put back doors into the code now
because the code is visible to all users.  The purpose of crypto is to
hide information even tho the attacker can see all the machinery work.
If you don't want to have the machinery visible, then use a sealed
system (like smart card).

Patience, persistence, truth,
Dr. mike