Re: Social democrats on our list
It's actually Onizuka Air Force Station. It is contiguous to Moffet. And if one realizes the difference between collection, control, and interpretation, Some of the vile despicable actions become more clear. PHM - Original Message - From: "Tim May" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Sunday, March 09, 2003 19:27 Subject: Re: Social democrats on our list > On Sunday, March 9, 2003, at 06:46 PM, John Young wrote: > >>SNIP<< > > NRO is a robin's egg blue collection of spanking new buildings, and > > nowhere in the neighborhood are any antennas and aerials and the usual > > detritus of high tech snooping like the NRO has at Buckley and Moffett > > AFBs in California > > NAS, not AFB. > >>SNip>> > > > --Tim May > "Extremism in the pursuit of liberty is no vice."--Barry Goldwater
Re: Fresh Hell
Foolish Person. Thinking that the prevailing religious doctrine has anything to do with the Bible. PHM Paul H Merrill, MCSE, CISSP [EMAIL PROTECTED] - Original Message - From: "Kevin S. Van Horn" <[EMAIL PROTECTED]> To: "cypherpunks" <[EMAIL PROTECTED]> Sent: Friday, January 17, 2003 19:23 Subject: Re: Fresh Hell > Morlock Elloi wrote: > > >>What would be the valid reason for the government to claim power > >>to regulate her egg, her skin DNA, and her uterus? > >> > >1) Fucks up the prevailing religion doctrine. > > > Funny, but I can't seem to find the passage in the Bible where it talks > about cloning. In fact, I can't find any passage that even remotely > impinges on the subject.
Re: encrypted data means Feds steal your computer forever?
As several have pointed out, a single system these days is replaceable readily. OTOH if anyone were to decide that I were Disloyal they would get 4 or 5 depending on the day in question. Additionally, in my freelance days they would have gotten data from a client or two. If we assume that only encrypted data is the "problem" (grounds for extended seizure), then only Bad Data should be encrypted and it should be stored separately from other data stores. A Usually Off Snap server on the network and secreted in a wall, or some such, would work, especially with wireless. Off site, over-the-wire would also work, but, in either case, there would need to be no Residual Indicators when not in use. Let us remember that the Committee for State Security so recently and its little brethren are not reluctant to use extra-legal means when they have determined your guilt and need to build a winnable case. Which leads me to the real point of my initial post: When the case looks unWinnable (or insufficiently winnable) there is no reluctance to go to early penalty phase - arrest at 5:01 Friday for a holiday weekend, gather up all the hardware and leave you with no means of support, along with other methods as applicable to the situation. PHM Steve Schear wrote: > > At 01:46 PM 2/4/2002 -0800, you wrote: > >There is a significant difference between smart and > >honest. This method allows for blackmail to release > >the encryption keys -- "We can't allow this to be > >released until you prove that it is not Bad data, so > >cough up the Keys to the Kingdom or we keep the > >hardware." -- this method is especially helpful when > >you don't have a good enough case for the punishment > >to be "sufficient" and you need the extra fine of > >harware and loss of income. > > As hardware has gotten pretty cheap, unless you've got a substantial system > (probably not a home variety), seizure should be inconvenient and angering > but not devastating to many. Loss of data or availability is something > else. Anyone who has a significant investment in their data or is using > their gear to earn their living, especially to deliver a service, needs to > treat their system as any business should treat a mission critical > asset. Off-site data backups (especially offshore) and off-site or > emergency hardware support contracts are a plus. I wonder if thin PCs > (those without disks) combined with encrypted off site data have a role to > play in protection against prosecutions and seizure interruptions? > > steve -- Paul H. Merrill, MCNE, MCSE+I, CISSP [EMAIL PROTECTED] [demime 0.97c removed an attachment of type application/x-pkcs7-signature which had a name of smime.p7s]
Re: American Schools Need Flattening Too
One must always be careful to blame the right entities. The schools made a rule and the judge made it law. CONGRESS wasn't involved - this time. PHM Eric Cordian wrote: > > SNIP> > Circuit Court Judge James Stucky agreed that free speech is "sacred" but > he found that such rights are "tempered by the limitations that they ... > not disrupt the educational process." > > [Congress shall make NO LAW abridging the freedom of NON-DISRUPTIVE > speech (Guffaw)] > SNIP> Eric Michael Cordian 0+ > O:.T:.O:. Mathematical Munitions Division > "Do What Thou Wilt Shall Be The Whole Of The Law" -- Paul H. Merrill, MCNE, MCSE+I, CISSP [EMAIL PROTECTED] [demime 0.97c removed an attachment of type application/x-pkcs7-signature which had a name of smime.p7s]
Re: Clubbing in Fortress Amerika (fwd)
Well, you could try comparing the reality involved with multiple cards and see where the patterns fit. I know that that is how I find the meanings of strange databases for which I don't have access to the data dictionary. And it really is the same thing. PHM Yeoh Yiu wrote: > > Meyer Wolfsheim <[EMAIL PROTECTED]> writes: > > > A friend of mine recently informed me that he has access to a mag-strip > > reader, and scanned several drivers' licenses (as well as Safeway cards > > and other random credit-card like items.) > > > > Most contained the information displayed on the front of the card, and/or > > some seemingly random numbers (most likely, the ID numbers.) > > > > California DL's have nothing interesting stored in that magstrip that > > isn't on the front of the card. And no, the signature isn't reflected in > > the magstrip. > > They might store a long number and without a dictionary you > don't know what it means. It's unlikely that older cards > would use and XMLish annoted data. > > eg does > > 197202281800602 > mean it belongs to a 180# 6'2" person born on Feb 28, 1972 ? > > How could you tell ? > > YY -- Paul H. Merrill, MCNE, MCSE+I, CISSP [EMAIL PROTECTED]
Re: Code-I Moronics
Being the whore that I am (actually, high priced call girl) I don't "not tolerate" anything. "Update" is an ambiguous word. One can download, from the Microsoft site, patches for damn near every piece of software that they sell or have sold in the recent past. Security patches (actually replacement files, not patches, for the most part) are a big favorite, though improved functionality is also popular. There are also third party products that can be bought. For instance, SecureIIS fixes known flaws and "fixes" buffer overflow exploits that haven't been found yet. (Yeah, it does what responsible programmers would have done in the first place.) Code-Red has not been successful against SecureIIS enhanced IIS. If there is some aspect not answered by this answer, feel free to ask a less ambiguous question. PHM -- Paul H. Merrill, MCNE, MCSE+I, CISSP [EMAIL PROTECTED] "Wilfred L. Guerin" wrote: > > [ Re: Code-255RandomCharacters. ] > > Ok, Time to fix this correctly. > > Someone already upgraded the old one, at least 2 others have been released > recently... > > I personally do NOT tolerate M$ products to do anything relevant in my > environment, so if anyone can help us out by answering a few questions, we > will have to fix M$ the hard way... > > First, does the IIS server have any auto-update mechanism, if so, is this > dictated by a moronic registry value, variable setting, etc? > > If not, what is the quickest and most effective method to update (by hand > and manual access) an IIS server installation? > > Are there any alternate methods than [this] to update the IIS server software? > > Other Suggestions? > > [ Yes, creation of exe on disk or in process, get of file from m$, and > running of it with /autobullshit would work too. ] > > ... > > Now, for any competant individual on this planet, you would already realize > that the intent now, if i feel like wasting time fixing the rest of the > world's incompetance, is to generate a forceful update and force all of > these foolish IIS servers to reinstall the newer version (with only a few > less problems)... > > At the rate of ideal propogation, this security breach and hastle can be > remedied in full in less than a week. I would strongly suggest an open > petition of inquiry as to why msoft is so incapable of basic software design. > > In this regard, I see at least 8 totally independant mechanisms of > completing this process, however, because I personally do not tolerate > moronics, I will not personally create additional code until someone gives > me a good reason to do so. > > Unless, of course, everyone continues to fail, I may waste the time, in > which case i will need an individual in a politicly and logisticly neutral > environment who has a simple modem, to instantiate the fix. > > Inversely, if everything fails, we eliminate the servers from operation. A > far better solution. > > All I shall do is provide operational code, if so desired. Im not up for > the bullshit that will result from other antics. > > So, anyone care to fix the world, or shall we all play incompetant sheep as > always and give no heed to the potential benefits of doing something > relevant or competant for once in our lives? > > I leave you with this... > > -Wilfred L. Guerin > [EMAIL PROTECTED] > > ... -- Paul H. Merrill, MCNE, MCSE+I, CISSP [EMAIL PROTECTED]
Re: SirCam contribution
No, MS Word just takes the first line as the default Title. Changeable if you want. It also uses it for the default filename. PHM Anonymous wrote: > > This is a strings-processed portion of a recent SirCam post on cypherpunks. > > Note that SS number seems to be embedded in microshit document - is this a standard >practice ? > > ## > > Social Security Number: 326-70-5214 > Prompt Number 1 > <> > 8$45STR > 48d`$da$d8 1h/ =!"#$%i8@8NormalCJ_HaJmH sH tH Font8$45STR 4:8 88:DE:35SQTY >37:Valued Sony CustomerMC:\WINDOWS\Application >Data\Microsoft\Word\AutoRecovery save of Document1.asdValued Sony >Customer8C:\WINDOWS\Desktop\DeVry\English 110\Compentency >III.doc@$$d$$8@UnknownG:Times New Roman5Symbol3&:Arial"hT2T+@!20d\2#Social >Security Number: 326-70-5214Valued Sony CustomerValued Sony CustomerOh+'0 8D`l > x$Social Security Number: 326-70-5214ociValued Sony Customerr: alualuNormalSValued >Sony Customerr: 1luMicrosoft Word 9.0r@@ > @@ .+,0hp > SonyS\ $Social Security Number: 326-70-5214Title!"#$'Root Entry >Fs0)1Table > WordDocument"SummaryInformation(DocumentSummaryInformation8CompObjjObjectPools0s0 > FMicrosoft Word DocumentMSWordDocWord.Document -- Paul H. Merrill, MCNE, MCSE+I, CISSP [EMAIL PROTECTED]
Re: U.S. military poised to respond to attack on GOP convention
In all likelihood the data was actually FOUO, which actually means exactly that. The caveats listed (as random markings) are only a few of the very many there actually are. These come in many flavors from those that limit you by birth (NOFORN), choice of employer (NOCONTRACTOR), or membership in the "fraternity" (COMSEC). PHM Bill Stewart wrote: > > Declan didn't say it was "CONFIDENTIAL", as in classified information, > he said it was "confidential", as in "asked to keep this in confidence." > I'd be very surprised if anyone was giving him classified information. > > Also, you left out various random classification markings like > NOFORN (not for furriners), COMSEC (communications security stuff), > RESTRICTED DATA (nuke stuff), FORMERLY RESTRICTED DATA (obsolete nuke stuff), > WNINTEL (Warning - intelligence sources), etc. > > And FOUO isn't the same kind of thing as classification; > it's mainly just a rubber stamp to make your stuff look important, > though some government agencies like to give it more clout than that. > > >Declan McCullagh wrote: > >> Nope, I wrote "confidential" since it was, um, confidential. > >> Put another way: They weren't handing it out to reporters who asked. > > At 05:15 PM 8/5/00 -0400, Steven Furlong wrote: > >Ok, I didn't say anything before, but I now have to jump in. > > > >There are several levels of restricted information in the US: > >For Official Use Only (FOUO) is the lowest level. > >Confidential is the lowest level of classified information. > >Secret is the next step up. Secret information can cause serious harm > >Top secret is officially the highest classification level. > >TS info is often compartmentalized, meaning that to see it you need > >not only a TS clearance but authorization to that compartment. > >All of these definitions are from memory from my military intelligence > >classes some years ago, and so don't take them as gospel. Furthermore, > >information is sometimes classified not because it represents a threat > >to the US but because it might embarrass someone. > > Thanks! > Bill > Bill Stewart, [EMAIL PROTECTED] > PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639 -- Paul H. Merrill, MCNE, MCSE+I, CCNA, CCDA [EMAIL PROTECTED]
Re: Jim Und Dave?Thanks Mr anon
David Marshall wrote: > > [EMAIL PROTECTED] writes: > > > Mr Anon did a good job. If Jm and dave don't like the heat get out of the > > kitchen.Get a job thats more dangerous like a taxi driver or clerk at 7-11 > > Or an AOL tech support representative. I hear that they're subjected > to idiocy in quantities far in excess of what is generally considered > the maximum safe daily dose. Don't worry about the poor AOL support folk, they are at least as stupid as even their users. PHM -- Paul H. Merrill, MCNE, MCSE+I, CCNA [EMAIL PROTECTED]
Re: John Young, the PSIA, and Aum
Tim May wrote: << Massive Snip >> > There ought to be an I.Q. test before people are allowed to join the > Cypherpunks list. > > --Tim May > As some of us are proof positive, IQ does not prevent stupid actions and statements. PHM -- Paul H. Merrill, MCNE, MCSE+I, CCNA [EMAIL PROTECTED]
Re: JOB OPPORTUNITY
Ann, I have attached my resume. If you see as good a fit as I do (based on a very sketchy description of the position) let me know. EMail is the best for of unarranged contact. I look forward to hearing from you soon. PHM Ann Pohlers wrote: > > Hi there, > I am an IT recruiter in the San Diego area and have several openings. This > will involve development in intrusion detection software and computer > security. This is a great company that is publicly traded, offering great > benefits, VERY competitive salary & willing to pay relocation costs. This is > an awesome opportunity please contact me today. > > Ann Pohlers > IT Recruiter > Comforce Technical Services > [EMAIL PROTECTED] > > Ann Pohlers > IT Recruiter > Comforce Technical Services > 877-565-4992 > 877-292-8561 FAX > [EMAIL PROTECTED] -- Paul H. Merrill, MCNE, MCSE+I, CCNA [EMAIL PROTECTED] PHM_Resume.doc
Re: Hacking Microsoft Networks
Okay, just a few pointers. 1. On Win95 - If one does not have access to a user "account" on the local machine one can either cancel the login or just login with a new username and password. Win9x was made for the home environment and has separate accounts only to give prefs and desktops for separate people as they would each like it. 2. On a peer to peer network with Win9x involved one can access "shared" resources freely at this point if they have no additional controls enabled - typical in a closed computing environment (not good, but typical.) 3. On a peer to peer with NT4 WS involved the NTFS drives have more security options available, though not necessarily actuated. 4. On a peer to peer with NT4 Server involved as an available stand-alone server the server protects only its own resources. 5. If NT4 server network is setup as a Domain there is a Primary Domain Controller (PDC) and zero or more Backup Domain Controllers (BDCs). These handle authentication to the Domain and security within the Domain is controlled however it is setup - well or poorly. 6. With Win2K there are 1 or more Domain Controllers involved with no PDC/BDC differentiation involved. 7. IF (Big IF) security is setup with any thought to security, there with be a Domain involved, with NTFS in use on the servers and all data residing on the servers (thus the designed-for-home-user Win9x will not be "protecting" anything) and well formed passwords will be enforced (thus minimizing the abilities of such toys as lophtcrack). I hope that this helps with the theoretical musings. And, of course, this was purely educational and only a top level view at that. Paul H. Merrill, Master CNE, MCSE+I [EMAIL PROTECTED] wrote: > > Okay... > > Remember, this is THEORY only... The forthcoming messages from my email > address ([EMAIL PROTECTED]) constitute educational comments only. > Everything discussed in the forthcoming emails is for educational and > theoretical purposes only. No information I present may be used against > me. No information I present may be used in an illegal fashion. > - > > First off, is this Microsoft Network run by an NT server.. in other words, > is there a master NT server on the network? > If not, there is a well known bug in windows 9x. If a user does not have > an account on a windows 9x machine, they can usually hit CANCEL at the > login prompt, and they will be presented with a desktop. On purely > Windows 9x networks, the user will still have network access. This > doesn't work if there is an NT machine acting as a network server. > Theoretically, one could have access on the network, provided one knew the > passwords to the shared drives, if one were to press CANCEL at the login > prompt. > > -Me > > On Thu, 15 Jun 2000, Angela wrote: > > > My experience of hacking at the moment is limited to simple brute force, > > password guessing (with which I had a lot of sucsess). > > But I want to hack a Microsoft Windows 95 Network. > > And I really need your help. > > > > P.S. Do I have to get past the PWL file? How? > > And what will happen if I just delete the file? > > > > Iceangel. > >
Re: losing laptops, opsec
David Honig wrote: > > At 07:34 PM 6/19/00 -0400, Paul H. Merrill wrote: > >It isn't not invented here that is the problem -- it is the Not > >Developed Here. COTS is developed in a not verifiably secure > > Excellent point. But open source is a good place to start. > They can train a batch of recruits by having them attack/reinforce > the public domain code. In the worst case, they can reverse > engineer the code. Don't tell me they don't know how to do that. > While CypherPunks tend to be a paranoid lot, they do not hold a candle to the level of paranoia that is considered Line of Duty by the Inte/CounterIntel Community. NSA has demonstrated a compiler that introduces backdoors and Trojan aspects while compiling clean source. (Purely for demonstration purposes, of course.) The Yellow Books deal with this in the Closed Development aspects of evaluation. (For a quickie see http://jya.com/ntob.htm then search for "Development Environment".) Of course, I am quite certain that Open Source code is stolen on a regular basis when it suits their purposes. But Attack and Reinforce is about as In Favor as a Code and Fix Development Cycle. PHM -- Paul H. Merrill, MCNE, MCSE [EMAIL PROTECTED]
Re: losing laptops, opsec
David Honig wrote: > > At 01:56 AM 6/18/00 -0700, Bill Stewart wrote: > >At 12:12 PM 6/13/00 -0400, David Honig wrote: > >>When you read about losing laptops in Los Alamos (and London), you have > >>to wonder: why don't those folks encrypt their drives? They > >>are somehow thinking physical security is sufficient, and slacking > >>off otherwise. > > > >Probably because the standard PC software doesn't come with > >military-quality encryption. > > But there's good stuff out there free, with source code (e.g, > Scramdisk). The NSA's budget was too tight to check this out? > They didn't have anyone qualified to write their own? Please. > > >To some extent it may be because publicly available crypto algorithms > >aren't NSA-approved for military use, so there's no COTS code, > >though there may be NSA-built similar products. > > Not-invented-here is no excuse. > > It isn't not invented here that is the problem -- it is the Not Developed Here. COTS is developed in a not verifiably secure environment. With source rarely available for perusal and the compounding possibility of malicious compilers ever present the determination was made that COTS could not be guaranteed to be backdoor-, trapdoor-, and Trojan Horse-free. This is all on top of the probability of errors in COTS. OTOH NSA is not error-free and is noted for slipping in its own bag of tricks -- but they are the ones with the authority to determine appropriately safe software systems. PHM -- Paul H. Merrill, MCNE, MCSE [EMAIL PROTECTED]
Re:
One obvious point that is consistently missed or evaded is that people do not publish results until they have repaired flaws with a negative impact on themselves. David Honig wrote: > > At 03:33 PM 4/3/00 -0400, Secret Squirrel wrote: > > > >Are we supposed to believe that you have found new attacks on ALL the AES > >candidates except your own? > > Were we to believe he found weaknesses in his own cipher, > we would have to believe he learned something between > when he proposed it and now. Therefore, given his > experience (ie the flatness of a master's learning curve), > its not surprising he found no fault with > his own work. > > All we know is that the public analysts, a small fraction > of total analysts :-), haven't found anything more significant. > > -- Paul H. Merrill [EMAIL PROTECTED]