Re: Reverse Palladium?
On 7/12/05, Tyler Durden <[EMAIL PROTECTED]> wrote:
> How secure can I make a Java sandbox from the rest of the network I'm on?
> Can I make it so that my network administrator can't see what I'm typing? In
> other words, a secure environment that's sitting on an insecure machine.

Although you asked about "Reverse Palladium" what you really want is Palladium itself. This is precisely the security model which has so many people upset: the system owner (the network admin) is giving up control over his machine, running software which he cannot control, molest or modify. You, a third party, are protected against the computer's owner.

The ability for owners to voluntarily and verifiably give up a degree of control over their computers is anathema to Trusted Computing opponents, the height of evil and a threat to be fought at all costs. The fact that it is voluntary for all concerned means nothing to them. They don't want people even to have the chance to be tempted to utilize this technology, and they will stop at nothing to keep it from coming into existence. So far they have been extremely successful.

See http://invisiblog.com/1c801df4aee49232/article/9d481af00c898ae91748f2f0cd97cf80 for discussion about how to use Palladium to add security to Internet voting applications, even for cases where people are voting on machines owned by others. This is very similar to the threat model in your situation.

CP
Attack on Brands blind signature
eprint.iacr.org/2005/186 is an attack by Xuesheng Zhong on several blind signature schemes, including one widely discussed on the Cypherpunks mailing list back in the 1990s by Stefan Brands. The paper seems to show that it is possible for the bank/mint to recognize blind signatures (i.e. untraceable electronic cash tokens) when they are re-submitted for deposit, which is exactly what the blind signature is supposed to prevent. The math looks right although I haven't tried to look back at Brands' old work to see if it is correctly described in the new paper.

CP
Re: /. [Dissidents Seeking Anonymous Web Solutions?]
> Link: http://slashdot.org/article.pl?sid=05/05/13/0250226
>[1]DocMurphy asks: "I'm working with some dissidents who are looking
>for ways to use the Internet from within repressive regimes. Many have
>in-home Internet access, but think it too risky to participate in
>pro-freedom activities on home PCs. Internet cafés are also available,
>but although fairly anonymous, every machine may be infected with
>keystroke loggers that give governments access to and knowledge of
>'banned' sites. Dissidents not only want to remain anonymous
>themselves, but also wish to not compromise the sites they access. Any
>suggestions for products/procedures/systems out there making anonymous
>access & publishing a reality under repressive regime run Internet
>access?"

There were some good ideas presented, the best of which were probably to first compose an email at home, then PGP encrypt it, then stego-ize it, then put it on a USB token and bring it to the internet cafe, and send it there. For receiving, download a bunch of junk from a mailing list used for this purpose onto the token, go home and de-stego and de-PGP it.

This doesn't work though for web browsing. For that you need a real time channel. You can go to various proxies, and some people run them specifically to help the Chinese, the slashdot replies talked about this. But first, the Chinese block them when they find out, and second, it makes you look suspicious if you're visiting one.

Be nice if there were a high bandwidth stego channel that was widely available. For example, imagine an open source P2P multi player game which intentionally included a reasonably high bandwidth channel of random data. It would be a service to the public to play this game and thereby provide people who need it the ability to communicate undetectably. Dissidents could use a hacked version which would replace some of the random noise bits with their messages. Only the recipients could distinguish the results from noise.

CP
Re: Len Adleman (of R,S, and A): Universities need a little Limbaugh
> Now before you label me as a right-wing ideologue, let me present my
> credentials as a centrist. Limbaugh has well-known positions on the
> following issues: abortion, capital punishment, affirmative action, prayer
> in school, gun control, the Iraq war. I disagree with him on half of these.

Any speculations on which half? My guess is that he agrees on affirmative action and gun control (opposing both) and probably the Iraq war (a conservative is a liberal who's been mugged, and many people took 9/11 personally). He certainly disagrees on prayer in school, probably on capital punishment (opposing both, while Limbaugh supports them), and probably supports abortion rights, which Limbaugh opposes.

CP
Re: [IP] Real ID = National ID (fwd from dave@farber.net)
We already have de facto national ID in the form of our state driver's licenses. They are accepted at face value at all 50 states as well as by the federal government. Real ID would rationalize the issuing procedures and require a certain minimum of verification. Without it we have security that is only as strong as the weakest state's policies.

CP
Re: [Politech] Passport RFID tracking: a between-the-lines read [priv] (fwd from declan@well.com)
A Politech article forwarded email from a liar named <[EMAIL PROTECTED]>:
> From the EE-Times, a between the lines look at the future of RFID tracking:
>
> re: E-passport makers hail U.S. retreat
>
> Junko Yoshida [FAIR USE]
> EE Times
> (04/29/2005 1:38 PM EDT)
>
> PARIS - Global electronic passports suppliers hailed a decision by the U.S.
> State Department to drop a requirement for additional security measures in
> next-generation U.S. passports. The specifications have yet to be finalized.
>
> Neville Pattinson, director of technology development and government
> affairs for smart card provider Axalto Americas, said Friday (April 29)
> that adding security measures such as "Basic Access Control" and a metallic
> shield cover to U.S. passports could "completely make the information
> [stored in the e-passport] undetectable."

http://www.eetimes.com/news/latest/business/showArticle.jhtml?articleID=162100152 is the actual EE times article. The true article reads, as you can see for yourself:

"PARIS — Global electronic passports suppliers hailed a decision by the U.S. State Department to add a requirement for additional security measures in next-generation U.S. passports. The specifications have yet to be finalized."

Can you see the difference? What's wrong with this picture? The true article says that the U.S. will ADD a requirement for additional security measures. The article as quoted by liar Parks had been changed to say that the U.S. will DROP the requirement. Of course that made the article read as confused and inconsistent, which is what led me to track down the original.

I'm pissed at Parks for lying and editing a supposedly forwarded article to make some kind of rhetorical point. He had his own comments interspersed among the article's supposed text so he had plenty of opportunity to make his own arguments. Altering the text of material you are quoting is the lowest of despicable argumentation techniques.

I'm also pissed at McCullagh for forwarding this on without the slightest fact checking. Of course anyone familiar with his work will know better than to expect a correction or even acknowledgement of his error. He is a hack reporter who cares nothing about accuracy or truth, only on stirring things up and pushing the predictable buttons of his readers.

And of course there is Eugen* Leitl, who mindlessly forwards far and wide everything that enters his mailbox. I don't know whether we should be annoyed or relieved that he fails to exercise the slightest editorial effort by adding his own thoughts, if he has any, to the material he passes around.

CP
Re: Zero knowledge( a>b )
On 5/9/05, Sarad AV <[EMAIL PROTECTED]> wrote:
> If user A has the integer a and user B has the integer
> b, can a zero knowledge proof be developed to show
> that a>b,ahttp://www.cs.huji.ac.il/labs/danss/Fairplay/

CP
Re: Pi: Less Random Than We Thought
>[1]Autoversicherung writes "Physicists including Purdue's Ephraim
>Fischbach have completed a study [2]comparing the 'randomness' in pi
>to that produced by 30 software random-number generators and one
>chaos-generating physical machine. After conducting several tests,
>they have found that while sequences of digits from pi are indeed an
>acceptable source of randomness -- often an important factor in data
>encryption and in solving certain physics problems -- pi's digit
>string does not always produce randomness as effectively as
>manufactured generators do."
>1. https://autoversicherung.einsurance.de/
>2. http://news.uns.purdue.edu/UNS/html4ever/2005/050426.Fischbach.pi.html

This doesn't really make sense. Either the digits are random or they are not. You can't be a little bit random. Well, you can be, but the point is that you either pass the test or you don't.

If pi's digits fail a test of randomness in a statistically significant way, that is big news. If they pass it, then there is no meaningful way to compare them with another RNG that also passes. It's just a statistical quirk due to random variation as to which will do better than another on any given test.

The bottom line is still that either an RNG passes the tests acceptably or it does not. From what they say (or don't say), pi does pass. It doesn't make sense to say that other RNGs do better.

CP
Re: [IP] more on Privacy tip: be wary of Google's "personal history" feature [priv] (fwd from dave@farber.net)
The question is, with regard to Google, does turning "personal history" on or off make a difference in what records they keep about your searches? Obviously if it's on they do keep records, but if you disable it or never turn it on, does that mean that they don't keep records?

http://www.google.com/searchhistory/privacy.html says:

"You can delete information from My Search History, and it will be removed from the service and no longer available to you. However, as is common practice in the industry, and as outlined in the Google Privacy Policy, Google maintains a separate logs system for auditing purposes and to help us improve the quality of our services for users."

http://www.google.com/privacy.html says:

"Google collects limited non-personally identifying information your browser makes available whenever you visit a website. This log information includes your Internet Protocol address, browser type, browser language, the date and time of your query and one or more cookies that may uniquely identify your browser. We use this information to operate, develop and improve our services."

The bottom line seems to be that even with MSH turned off, Google will still record your IP address and cookie, presumably along with the search query you made. You can block Google cookies to help with this, and if you use a shared IP address then this will give you some privacy protection. Chances are that other search engines do the same thing.

For real privacy, do as I do: use TOR or some other anonymizer, and either block cookies or use a separate browser altogether for anonymous browsing.

CP
Re: EncFS
A remailer posted about EncFS. Gerow quoted the first paragraph and added the criticism that it doesn't do locking.

Dixon saw the quoted first paragraph, which said that the link to the program was "below". And indeed, it was below, in the first message from the remailer. It included this link, http://arg0.net/users/vgough/encfs.html.

But Dixon apparently didn't understand the notion of quoting partial messages in a mailing list conversation. He just saw the part about the link being "below", and in Gerow's message there was no such link. So he complained: there was nothing "below".

But Gerow misunderstood, he thought Dixon was commenting about EncFS's locking mechanisms. So Gerow responded as below, adding to the confusion.

Honestly, I don't know how you people generate enough brain power to keep yourselves alive.

CP

On 4/28/05, Damian Gerow <[EMAIL PROTECTED]> wrote:
> Thus spake Jim Dixon ([EMAIL PROTECTED]) [28/04/05 09:41]:
> : > It also doesn't do locking.
> :
> : There was nothing "below".
>
> Someone I know just tried it out three days ago. He said it flat-out didn't
> 'lock' the files properly. It's got nothing to do with having something
> "below".
>
Re: [Politech] Thumbprinting visitors at the Statue of Liberty (fwd from declan@well.com)
> Matthew's snapshots: one
> (http://www.boingboing.net/images/Liberty-Locker-Thumbs-2.jpg), two
> (http://www.boingboing.net/images/Liberty-Locker-Thumbs1.jpg).

If this were really as much of a conspiracy as people are making it out to be, wouldn't it make sense to ask for THUMB prints? That's what the subject line says, and that's what the titles of the two jpeg files are. But if you look at the pictures, they plainly ask for the right index finger.

Thumbprints are widely used, drivers' licenses and banks often require them. If they wanted to be able to track average users, they would ask for thumb prints. But they're not.

The really funny thing is how people see what they expect to see. Isn't it strange to have these documents titled Thumbsx.jpg, when they ask for index finger prints? People are so ruled by their preconceptions that they actually blind themselves to what is directly in front of them. I hope no one on this list is so foolish as to put ideology ahead of reality.

CP
Re: Email Certification?
On 4/27/05, Tyler Durden <[EMAIL PROTECTED]> wrote:
> Hum.
>
> Can anyone figure out a way to determine if one's hotmail, etc...has been
> looked at or not?

By whom? Someone at hotmail, or someone who got your password and logged in as you? Hotmail shows mail that has already been viewed in a different color than mail you haven't looked at yet. So it would be obvious if someone else logged in as you and read your email. But of course there is no way to know what insiders are doing. Maybe you could explain your attack concept more clearly.

> The only thing my limited mind can think of sounds superficially like it
> won't work:
>
> Use a gmail account to forward all email to some routine that time-stamps
> and then hashes the message+timestamp and then sends the email on to the
> hotmail account.

What would this accomplish? That is, what attack would it make more difficult? Are you worried that someone is intercepting your email en route to hotmail, reading and delaying it, then passing it on? And you hope to detect the unwarranted delay?

CP
Re: Modifed IRS 1040 form
On 4/12/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Slightly IRS forms that enable filers to legally (according to Sullivan vs.
> U.S. and subsequent Supreme Court rulings), and innocuously, assert their 5th
> Amendment privilege against self-incrimination on a line-item basis have been
> posted to http://rapidshare.de/files/1225731/IRS-1040-mod.pdf.html

AKA, a get INTO jail free card. Thanks a bunch.
Re: CFP: What the Hack '05 and Blind Signature Expiration Party
On 4/8/05, Lucky Green <[EMAIL PROTECTED]> wrote:
> U.S. Patent 4,759,063 "Blind Signature Systems" will expire on July 19,
> 2005. A Tuesday. Since no patent litigator will consider litigating on a
> Monday morning over patent infringement for a patent that expires the next
> day, it appears safe to say that come the preceding Saturday, technologies
> that make use of this patent can be displayed to the public. That Saturday
> is July 16, 2005.
>
> It took us 20 long years to get to this date. For those of us that tried to
> use this technology, it was 20 very, very long years. Fortunately, the 20
> years are over. Which is as much reason for celebration as I can imagine.
> The expiration of the Blind Signature patent surely calls for a party. And
> as I promised so many years ago, I will take it upon myself to throw that
> party. Anybody that knows what blind signatures are is welcome, no, make
> that implored, to come to the expiration party at my house (or other venue
> if there are too many people for my place) to celebrate the expiration of
> the patent on Saturday, July 16. As for me, I am counting the days. Ping me
> for details.

That's very exciting. Perhaps we could aim for the release of some new software packages that use the blind signature patent technology. Are there any applications which have been waiting for this patent to expire?

CP
Re: Rebalanced-RSA-CRT
On Apr 7, 2005 10:13 AM, Sarad AV <[EMAIL PROTECTED]> wrote:
> hi,
>
> I am a little confused after reading this:
>
> http://www.rsasecurity.com/rsalabs/cryptobytes/CryptoBytes_January_2002_final.pdf
>
> RSA-CRT decryption is nearly four times faster than
> using only modular exponentiation for decryption. Is
> Rebalanced-RSA-CRT three times faster in decryption
> than RSA decryption only using modular exponentiation
> or is it three times faster than RSA-CRT in
> decryption?

It has to be the second one. If it were only 3 times faster than vanilla RSA, while RSA-CRT was 4 times faster than vanilla, then rebalanced would not be a speedup over the usual way of doing things. Rebalanced RSA is 3 times faster than RSA-CRT.

What "rebalanced RSA" means is that you choose the private exponent d so that exponentiation with it is fast. This speeds up decryption at the expense of encryption. You can't just choose a small d; this is known to be insecure. Instead they propose to choose a d such that the two exponents in the CRT, d mod p-1 and d mod q-1, are relatively small, about 160 bits. This gives a factor of 3 speedup vs the usual 512 bit exponent in 1024 bit RSA-CRT.

Is this safe? Who knows? I wouldn't recommend using it until Don Coppersmith chewed on it for a while. He's the guy who pushes the state of the art on small-d attacks. I'd wait for his opinion on whether this variant on small-d escapes his attacks.
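The key construction described in the reply above, as an added Python example that is not part of the original post or of the CryptoBytes article: pick 160-bit CRT exponents first, then derive d and the public exponent e from them. The function names, the `secrets`-based prime search and the requirement gcd(p-1, q-1) = 2 (which makes the two congruences on d solvable) are assumptions of this sketch; it is for studying the parameter sizes, not for generating production keys.

```python
import math
import secrets

def is_probable_prime(n, rounds=24):
    """Miller-Rabin primality test with random bases."""
    if n < 2:
        return False
    for s in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # exact size, odd
        if is_probable_prime(c):
            return c

def small_unit(bits, modulus):
    """Random exponent of exactly `bits` bits, coprime to `modulus`."""
    while True:
        x = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if math.gcd(x, modulus) == 1:
            return x

def rebalanced_keygen(prime_bits=512, exp_bits=160):
    while True:
        p, q = random_prime(prime_bits), random_prime(prime_bits)
        # Assumption of this sketch: gcd(p-1, q-1) == 2 so d exists.
        if p != q and math.gcd(p - 1, q - 1) == 2:
            break
    dp, dq = small_unit(exp_bits, p - 1), small_unit(exp_bits, q - 1)
    # Solve d = dp (mod p-1), d = dq (mod q-1); both residues are odd, so halve.
    hp, hq = (p - 1) // 2, (q - 1) // 2
    t = ((dq - dp) // 2) * pow(hp, -1, hq) % hq
    d = dp + (p - 1) * t
    e = pow(d, -1, (p - 1) * (q - 1))  # comes out about as large as n
    return {"n": p * q, "e": e, "p": p, "q": q, "dp": dp, "dq": dq,
            "qinv": pow(q, -1, p)}

def crt_decrypt(c, key):
    """RSA-CRT decryption; cost is dominated by the two exponentiations."""
    m1, m2 = pow(c, key["dp"], key["p"]), pow(c, key["dq"], key["q"])
    h = key["qinv"] * (m1 - m2) % key["p"]  # Garner recombination
    return m2 + h * key["q"]

def standard_crt_exponent_bits(key, e=65537):
    """Size of d mod (p-1) for a conventional small-e key on the same primes."""
    phi = (key["p"] - 1) * (key["q"] - 1)
    while math.gcd(e, phi) != 1:
        e += 2
    return (pow(e, -1, phi) % (key["p"] - 1)).bit_length()
```

Comparing `key["dp"].bit_length()` with `standard_crt_exponent_bits(key)` shows the 160-bit versus roughly 512-bit exponents behind the factor of 3, and `key["e"].bit_length()` shows the encryption-side cost.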
Cryptanalysis of ePassports
An article is up on the eprint archive, http://eprint.iacr.org/2005/095. "Security and Privacy Issues in E-passports" by Ari Juels and David Molnar and David Wagner. It analyzes the new contactless chips which will be in U.S. passports in a few months.

Among the risks it identifies are that terrorists could eavesdrop on chip transactions and recover digital photographs of what people look like - when they are not smiling. The mind boggles at what a creative terrorist could do with such sensitive information.

CP
Re: [silk] Google Targeted ads - gmail (fwd from rishab@dxm.org)
On Apr 1, 2005 10:57 AM, Eugen Leitl <[EMAIL PROTECTED]> wrote:
> Now here's your one stop shop for evil. A position for Google minister for
> propaganda is about to be posted, so I hear.

Let's get this straight. It's not evil if people are voluntarily agreeing to it! Maybe you're being facetious but you undermine the significance of true evil by applying the word to voluntary relationships.

Cypherpunks should support noncoercive information relationships because they give users the option to protect their own privacy. Nobody is forced to use Google, and technology exists to allow it to be used in a privacy protecting way.

True evil would be a system which takes away your options and forces you to interact in a way that prevents you from protecting yourself. Google is 180 degrees removed from such an approach.

CP
Rogue Valley Cypherpunks Physical Meeting Mar 13
Please pass this around..

Mar 13th 2003 Rogue Cypherpunks Physical Meeting Announcement

General Info:

DATE: Thursday 13 Mar 2003
TIME: 5:30 - 7:00 PM (Pacific Time)
PLACE: Stevenson Student Union
       Southern Oregon University (second Floor lounge)
       see http://www.sou.edu/su/Facilities/Layout/sufloor2.htm
       Ashland Oregon

Executive Summary:

The Mar 2003 physical meeting of the Rogue Cypherpunks will be an informal introduction and planning meeting. Let's get to know who the Cypherpunks are around here and maybe plan for regular meetings and maybe a regular place.

What are Cypherpunks?

A group of thinkers, programmers and researchers dedicated to preserve everyone's freedom of speech through action.

* believers in crypto-anarchy,
* leaning towards libertarianism,
* most importantly, cypherpunks write code!

To find out more, you can start here: http://www.csua.berkeley.edu/cypherpunks/Home.html or just come to the meeting..
Re: politicians vs. bill of rights (your legislature on drugs)
maybe Kalifornians should start a referendum to drug test politicians... since most of them are dopes anyway...

At 9:22 AM -0700 6/14/02, Khoder bin Hakkin wrote:
>SACRAMENTO -- Dismayed by new disclosures of the use of steroids in
>Major League Baseball, a state senator wants to force most professional
>sports teams to test athletes for performance enhancing drugs if they play
>games in California.
>
>State Sen. Don Perata (D-Alameda) said the Legislature must do what
>baseball and the National Hockey League have not: Mandate random drug
>testing to ensure players do not compete while juiced.
>
>http://www.latimes.com/news/local/la-41818jun14.story?coll=la%2Dheadlines%2Dcalifornia
>
>If politicians have this little respect for the prohibition on
>unreasonable search, perhaps
>they will have more respect for the noose due traitors...

--
Vinnie Moscaritolo ITCB-IMSH
PGP: 3F903472C3AF622D5D918D9BD8B100090B3EF042
---
Those who hammer their swords into plows, will plow for those who don't."