Computerized outdoors idea serves users virtual baloney
http://www.adn.com/outdoors/story/5849296p-5765085c.html Computerized outdoors idea serves users virtual baloney (Published: November 28, 2004) A Texas businessman wants to rig a robotic, high-power rifle to a Webcam in a game park so people can punch buttons and hunt'' from the comfort of their handiest Internet connection. The People for the Ethical Treatment of Animals wants everyone to stop eating fish because the slippery critters are, in their own way, as cute and cuddly as cats and dogs. Has the world gone nuts? The proponents of what has been labeled remote-control hunting'' are, predictably, arguing that a sanitized, virtual slaughter would be a boon for the disabled. The leaders of the Fish Empathy Project are, with equal predictability, trying to convince everyone to spare the fish because they are sensitive, thinking creatures that travel in schools. One group of loonies thinks anyone should be able to kill anything the easiest way possible -- simply because we can. The other group thinks nobody should kill anything because we're all brother fauna. The flora are apparently exempt from the discussion because they're rooted in place. Were they able to move around and wag their leaves, PETA would likely argue we shouldn't eat them either. Whatever happened to the natural order of things? Instead, we have people who think it would be sporting to hunt and kill animals by remote-control with their computer. That sort of thinking is just plain sick. Where exactly is the sport''? More importantly, where is the hunt? Webster's New World Dictionary defines hunt'' this way: 1.) to go out to kill or catch (game) for food or sport; 2. to search eagerly or carefully for; try to find 3. a.) to pursue; chase; drive b) to hound; harry, persecute 4. a) to go through (a woods, fields, etc.) in pursuit of game'' and on and on in that vein. Nowhere is there any mention of sitting in a home or office, watching a computer-display screen and punching buttons. If that qualifies as hunting, no one really need ever hunt again because we've then reduced the killing of animals to the shooting of pictures. After all, a hunter who chose to engage in this sort of computer sport wouldn't really be shooting an animal. He'd be shooting a picture of an animal on his computer screen, thereby telling a piece of machinery in the middle of a field somewhere to do the actual execution. And if all you're really doing is shooting a picture, what differences does it make if the picture represents a real animal or a virtual one? For that matter, how would you even know for certain what you shot? Think how easy it would be to scam this sort of hunting.'' Put up a Web site. Run a film of animals walking around in a field. Let the people who sign onto the Web site and pay their fee shoot the animals. Run some film of an animal dying. Then you ship the hunter 50 pounds of beef from the supermarket and tell her that's the animal she killed. Someone really creative might even be able to convince PETA to endorse an Internet hunting site that kills virtual animals. Look, PETA wants to save real animals from being killed. If shooting a virtual deer spares a real deer while satisfying someone's instinctive urge to hunt, isn't that a good thing? And if we can do this with hunting, why not fishing? Someone could rig a Webcam to a robotic fishing rod along the Russian River. You could sit at home and watch on your computer as the red salmon swarm up that stream, then maneuver a joy stick to make the rod cast a fly in front of them. Let it drift. Maybe even hear the computer going tappa-tappa-tappa to give you the feel of a lead weight bouncing along the river bottom. Feel the joystick jerk against your hand as a fish hits and then battle it across the table as the fight is on. Oh, the thrill, the excitement, the virtual adrenaline rush, until at last you bring that flapping salmon into view of the robotic net that scoops it up. A week later, salmon filets would arrive in the mail. Does it matter if any of this is real? Isn't the experience exactly the same if all you are seeing on your computer is virtual? Does a prerecorded film of salmon coming up the Russian really look any different than a live camera feed of salmon coming up the stream? Of course not. The only problem might come in producing a soy product that really tastes like salmon. But science can certainly solve that. Wouldn't that be perfect for just about everybody, except the poor, dead soybean plants? I hear they're quite sensitive, too. -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Computerized outdoors idea serves users virtual baloney
http://www.adn.com/outdoors/story/5849296p-5765085c.html Computerized outdoors idea serves users virtual baloney (Published: November 28, 2004) A Texas businessman wants to rig a robotic, high-power rifle to a Webcam in a game park so people can punch buttons and hunt'' from the comfort of their handiest Internet connection. The People for the Ethical Treatment of Animals wants everyone to stop eating fish because the slippery critters are, in their own way, as cute and cuddly as cats and dogs. Has the world gone nuts? The proponents of what has been labeled remote-control hunting'' are, predictably, arguing that a sanitized, virtual slaughter would be a boon for the disabled. The leaders of the Fish Empathy Project are, with equal predictability, trying to convince everyone to spare the fish because they are sensitive, thinking creatures that travel in schools. One group of loonies thinks anyone should be able to kill anything the easiest way possible -- simply because we can. The other group thinks nobody should kill anything because we're all brother fauna. The flora are apparently exempt from the discussion because they're rooted in place. Were they able to move around and wag their leaves, PETA would likely argue we shouldn't eat them either. Whatever happened to the natural order of things? Instead, we have people who think it would be sporting to hunt and kill animals by remote-control with their computer. That sort of thinking is just plain sick. Where exactly is the sport''? More importantly, where is the hunt? Webster's New World Dictionary defines hunt'' this way: 1.) to go out to kill or catch (game) for food or sport; 2. to search eagerly or carefully for; try to find 3. a.) to pursue; chase; drive b) to hound; harry, persecute 4. a) to go through (a woods, fields, etc.) in pursuit of game'' and on and on in that vein. Nowhere is there any mention of sitting in a home or office, watching a computer-display screen and punching buttons. If that qualifies as hunting, no one really need ever hunt again because we've then reduced the killing of animals to the shooting of pictures. After all, a hunter who chose to engage in this sort of computer sport wouldn't really be shooting an animal. He'd be shooting a picture of an animal on his computer screen, thereby telling a piece of machinery in the middle of a field somewhere to do the actual execution. And if all you're really doing is shooting a picture, what differences does it make if the picture represents a real animal or a virtual one? For that matter, how would you even know for certain what you shot? Think how easy it would be to scam this sort of hunting.'' Put up a Web site. Run a film of animals walking around in a field. Let the people who sign onto the Web site and pay their fee shoot the animals. Run some film of an animal dying. Then you ship the hunter 50 pounds of beef from the supermarket and tell her that's the animal she killed. Someone really creative might even be able to convince PETA to endorse an Internet hunting site that kills virtual animals. Look, PETA wants to save real animals from being killed. If shooting a virtual deer spares a real deer while satisfying someone's instinctive urge to hunt, isn't that a good thing? And if we can do this with hunting, why not fishing? Someone could rig a Webcam to a robotic fishing rod along the Russian River. You could sit at home and watch on your computer as the red salmon swarm up that stream, then maneuver a joy stick to make the rod cast a fly in front of them. Let it drift. Maybe even hear the computer going tappa-tappa-tappa to give you the feel of a lead weight bouncing along the river bottom. Feel the joystick jerk against your hand as a fish hits and then battle it across the table as the fight is on. Oh, the thrill, the excitement, the virtual adrenaline rush, until at last you bring that flapping salmon into view of the robotic net that scoops it up. A week later, salmon filets would arrive in the mail. Does it matter if any of this is real? Isn't the experience exactly the same if all you are seeing on your computer is virtual? Does a prerecorded film of salmon coming up the Russian really look any different than a live camera feed of salmon coming up the stream? Of course not. The only problem might come in producing a soy product that really tastes like salmon. But science can certainly solve that. Wouldn't that be perfect for just about everybody, except the poor, dead soybean plants? I hear they're quite sensitive, too. -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Blunkett's Bad Idea
http://online.wsj.com/article_print/0,,SB110142750390883913,00.html The Wall Street Journal November 26, 2004 REVIEW OUTLOOK Blunkett's Bad Idea November 26, 2004 Amidst Tuesday's pomp and pageantry that was the State Opening of the British parliament, the biggest smile during the Queen's speech probably belonged to Home Secretary David Blunkett. For, in spite of cabinet opposition, he managed to get his pet project -- a national identification card -- put atop the government's legislative agenda. Aside from extolling the worth of ID cards in the war on terror, Mr. Blunkett has been lauding their usefulness in fighting organized crime, combating welfare abuse, and curbing illegal immigration. In fact, save improving the performance of the nation's sports teams, it almost seems for Mr. Blunkett that there's no problem these magical cards can't solve. If an argument could be made that ID cards would be a valuable aid against terrorism, fine. But they're not. An ID card system, to cite but one case, didn't prevent the Madrid massacre. So Mr. Blunkett touts other benefits, like reducing benefit fraud. But at a projected cost of £3.1 ($5.8) billion, that'll have to be a lot of fraud. The government's real response to civil libertarians is: If you've got nothing to hide, why oppose? That's not the point. A state exists for the people and is accountable to the people. Not vice-versa. At least not in free and democratic countries. Britain is, or was, freer than its Continental neighbors precisely because the government wasn't as intrusive in peoples' lives. To so fundamentally alter the relationship between citizen and state, as Mr. Blunkett proposes, a compelling case needs to be made. He hasn't. -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
DIY fingerprint idea thwarts ID thieves
http://www.theregister.co.uk/2004/11/24/fingerprint_fights_id_theft/print.html The Register Biting the hand that feeds IT Original URL: http://www.theregister.co.uk/2004/11/24/fingerprint_fights_id_theft/ DIY fingerprint idea thwarts ID thieves By John Leyden (john.leyden at theregister.co.uk) Published Wednesday 24th November 2004 07:59 GMT The Home Office is touting ID cards as a solution to ID theft in today's Queen's Speech (http://news.bbc.co.uk/1/hi/uk_politics/4034543.stm) but a Yorkshire man has taken matters into his own hands. Jamie Jameson, a civil servant from Scarborough in North Yorkshire, insists that credit can only be extended in his name on production of a thumbprint. Jameson hit on the idea of writing to the UK's three main credit reference agencies - Equifax, Experian and Call Credit - and requesting that they put a 'Notice of Correction' on his file stating that a print must be offered with applications for loans or credit cards issued in his name. At the same time he submitted his fingerprint. This Notice of Correction of the first thing a prospective lender will see when it calls up his records. Normally this facility provides a way for individuals to explain why they have a county court judgement against their name or other qualifications to their credit history. Jameson is using it to do a cheap security check. Although uncommon in the UK, thumbprints are often used as an audit mechanism for people cashing cheques in US banks. A similar scheme was trialled (http://www.south-wales.police.uk/fe_news_w/news_details.asp?newsid=169) in Wales. Jameson takes a little ink pad similar to that used in US banks around with him all the time just in case he might need it. If an application for credit is accepted without a thumbprint - against Jameson's express instructions - then he will not be liable for losses. If a would-be fraudster gives a false print on an application then it makes it easier for them to be traced by the police. Lenders don't have to match prints. Using prints just establishes an audit trail if anything goes wrong, Jameson explained. It's not so much me proving who I am as preventing someone else being me. Jameson has been using the idea successfully for over a year. He concedes that the scheme isn't foolproof and that it's possible to fake (http://www.theregister.co.uk/2002/05/16/gummi_bears_defeat_fingerprint_sensors/) fingerprints (nothing's perfect, as he puts it). As far as Jameson knows he's the only person who's using the technique in the UK. The scheme delays the issuing of credit, which could be a problem with people who apply for multiple accounts but this is a minor inconvenience for Jameson. This is driven by the individual so there are no data protection issues. It's a real deterrent to ID theft, he told El Reg. ® -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Training in the Judgment Business -a Great new Business idea
High income processing money judgments. Work from your house anywhere in the world. Finally one's own company. You decide how much you work. Many earning 5,000US to 12,000US per mo. Professional customer support and assistance. http://www.attractiveproductmall.com/3/ Here for more information or to stop receiving or to see our address. I shall go by electric propulsion. Good gracious! cried Mr Joslyn, and the mother murmured: My poor boy! my poor boy! As you are my nearest relatives, continued Rob, not noticing these exclamations, I will allow you to come into the back yard and see me start
Your crazy idea can potentially make you a fortune
You are receiving this message as a subscriber to the Just For You Network. To cancel, see the instructions at the end of this mail. Yes! Your crazy idea can potentially make you a fortune! http://zmfnvvwsp.lcky4u.com/xziszer.html Over 100,000 patents are granted in the US each year. But it only takes one great idea, protected by a patent and developed into a commercial product, to earn you a fortune. Patent Trademark Institute of America (tm) will not only help you with your idea while it is still in the idea stages, but more importantly we'll help you discover how to turn your ideas into real money, by locating companies who will want to buy or license your inventions. http://zmfnvvwsp.lcky4u.com/cnlingu.html Working with Patent Trademark Institute of America (tm) will help you to: * Identify ideas with the most potential * Research: We can provide you with a research report (New Product Portfolio), describing the details of your invention. * Patent: Trademark, Copyright Protection: We can assist you with complete protection of your product concept. * Marketing To Industry: We can assist you with state-of-the-art marketing assistance to introduce your invention idea to industry. * Licensing Negotiations : We can negotiate a licensing agreement for you to achieve your goals. http://zmfnvvwsp.lcky4u.com/wdegdcw.html To no longer receive email from this list send a blank email to mailto:[EMAIL PROTECTED] or write to Trifecta Advertising, 7596 W Jewell Ave Suite 103, Lakewood, CO 80232
Re: Idea: Offshore gambling as gateway between real and electronic money
At 11:35 AM 4/17/2004, Thomas Shaddack wrote: Adoption of anonymous e-money is to great degree hindered by the lack of infrastructure to convert this currency to/from meatspace money. However, there is possible a method, using offshore gambling companies. You're trying too hard. Gambling has always been a convenient money-laundering technique, as long as the casinos accept the kinds of money you're trying to launder. That's also why spook agencies get anti-money-laundering laws passed. If the casino will take your ecash and give you chips, and you want to make a pretense of gambling rather than just turning the chips back in for conventional euros, go bet ~half the chips on red, ~half on black, some insurance money on green, and tip the croupier, and the casino collects their 1/37 or 2/38 cut. ... Your winnings, sir.
Idea: Offshore gambling as gateway between real and electronic money
Adoption of anonymous e-money is to great degree hindered by the lack of infrastructure to convert this currency to/from meatspace money. However, there is possible a method, using offshore gambling companies. There may be a special kind of gamble, that looks from the outside like regular betting, but where the participants to certain degree know the betting results, allowing use of their e-money to gain insight into the game - using meatspace money as a bet and e-money to buy the knowledge of cards/numbers/whatever in the value of the e-money that allows a sure win of that amount. In other words: Without use of the e-money, the game is a normal game, with appropriate probability of win. With the e-money, the player can buy the 100%-certain win of a given value. Conversely, a rigged game with 0%-probability of win could be used for depositing the real money and converting them to e-money. Is this approach possible? Is this approach feasible? Where are the hidden problems there?
Re: Idea: Offshore gambling as gateway between real and electronic money
At 11:35 AM 4/17/2004, Thomas Shaddack wrote: Adoption of anonymous e-money is to great degree hindered by the lack of infrastructure to convert this currency to/from meatspace money. However, there is possible a method, using offshore gambling companies. You're trying too hard. Gambling has always been a convenient money-laundering technique, as long as the casinos accept the kinds of money you're trying to launder. That's also why spook agencies get anti-money-laundering laws passed. If the casino will take your ecash and give you chips, and you want to make a pretense of gambling rather than just turning the chips back in for conventional euros, go bet ~half the chips on red, ~half on black, some insurance money on green, and tip the croupier, and the casino collects their 1/37 or 2/38 cut. .. Your winnings, sir.
Idea: Offshore gambling as gateway between real and electronic money
Adoption of anonymous e-money is to great degree hindered by the lack of infrastructure to convert this currency to/from meatspace money. However, there is possible a method, using offshore gambling companies. There may be a special kind of gamble, that looks from the outside like regular betting, but where the participants to certain degree know the betting results, allowing use of their e-money to gain insight into the game - using meatspace money as a bet and e-money to buy the knowledge of cards/numbers/whatever in the value of the e-money that allows a sure win of that amount. In other words: Without use of the e-money, the game is a normal game, with appropriate probability of win. With the e-money, the player can buy the 100%-certain win of a given value. Conversely, a rigged game with 0%-probability of win could be used for depositing the real money and converting them to e-money. Is this approach possible? Is this approach feasible? Where are the hidden problems there?
Idea: opportunistic TCP-level crypto
There is plenty of space available in the form of (normally unused) payload of TCP SYN, SYN/ACK, and ACK packets. Could they be used to announce the intention/capabilities for an encrypted connection, eventually serve for authenticating the connection? This way there would be virtually no overheads in the connection in the case one of the sides doesn't offer opportunistic crypto; the packet payload data would get ignored in that case. For UDP connections, handshake using ICMP packets in a ping-like scenario could be possible; send ICMP_ECHO_REQUEST to the server with the payload containing a handshake request. If the ICMP_ECHO_REPLY returned contains the handshake acknowledge, proceed, otherwise assume the server doesn't speak our dialect of OE. Opinions, comments? Why this wouldn't work?
Re: openssl/gpg and IDEA
On Mon, Jan 19, 2004 at 11:58:56PM -0600, J.A. Terranson wrote: IDEA seems to be completely missing from everything everywhere :-( Does nybody know how to enable openssl for IDEA (no, I don't require the commercial license for this)? You may be using a pre-built version of OpenSSL from which IDEA support has been removed. If you build it yourself, IDEA support is on by default. http://www.openssl.org/support/faq.html#LEGAL1 http://www.gnupg.org/(en)/documentation/faqs.html#q3.3 -Brian -- [EMAIL PROTECTED]1024/8C7C4DE9
Re: openssl/gpg and IDEA
On Tue, 20 Jan 2004, Brian Minder wrote: On Mon, Jan 19, 2004 at 11:58:56PM -0600, J.A. Terranson wrote: IDEA seems to be completely missing from everything everywhere :-( Does nybody know how to enable openssl for IDEA (no, I don't require the commercial license for this)? You may be using a pre-built version of OpenSSL from which IDEA support has been removed. If you build it yourself, IDEA support is on by default. Built it myself, from the most recent tarball, did not use the no-idea option: no joy. I was familiar with the legal issue, which resulted in default off on binaries. Do I need to explicitly enable on a build (I see only an off option, not an on option)? Thanks! -- Yours, J.A. Terranson [EMAIL PROTECTED] Unbridled nationalism, as distinguished from a sane and legitimate patriotism, must give way to a wider loyalty, to the love of humanity as a whole. Bah'u'llh's statement is: The earth is but one country, and mankind its citizens. The Promise of World Peace http://www.us.bahai.org/interactive/pdaFiles/pwp.htm
openssl/gpg and IDEA
IDEA seems to be completely missing from everything everywhere :-( Does nybody know how to enable openssl for IDEA (no, I don't require the commercial license for this)? Thanks! -- Yours, J.A. Terranson [EMAIL PROTECTED] Unbridled nationalism, as distinguished from a sane and legitimate patriotism, must give way to a wider loyalty, to the love of humanity as a whole. Bah'u'llh's statement is: The earth is but one country, and mankind its citizens. The Promise of World Peace http://www.us.bahai.org/interactive/pdaFiles/pwp.htm
openssl/gpg and IDEA
IDEA seems to be completely missing from everything everywhere :-( Does nybody know how to enable openssl for IDEA (no, I don't require the commercial license for this)? Thanks! -- Yours, J.A. Terranson [EMAIL PROTECTED] Unbridled nationalism, as distinguished from a sane and legitimate patriotism, must give way to a wider loyalty, to the love of humanity as a whole. Bah'u'llh's statement is: The earth is but one country, and mankind its citizens. The Promise of World Peace http://www.us.bahai.org/interactive/pdaFiles/pwp.htm
Re: Idea: Simplified TEMPEST-shielded unit (speculative proposal)
There's a good possibility that Saddam was traced by Tempest sensing, airborne or mundane. The technology is far more sensitive than a decade ago. And with a lot of snooping technology kept obscure by tales of HUMINT, finks, lost laptops and black bag jobs. For less sensitive compromising emanations, BETA, among others, makes portable Tempest units, desktop and room-sized, the devices export-restricted as if munitions. There's a patent on a booth-like Tempest device into which the user climbs, with protection provided for connections, but whether it was ever built is unknown. A slew of firms make Tempest products which can be examined for what shielding works sufficiently well to be placed on NSA's more or less trustworthy Tempest products list: Beyond commercial-grade, NSA is reportedly able to read faint emanations from all known Tempest protection, thanks in part to reviewing products and international sharing among spooks. Those leaked from fiber are now a piece of cake, and not by tapping the glass a la the RU submarine cable escapade and the derring-do of USS Jimmy Carter custom-rigged to hack transoceanic fiber. Tempest snooping at the atomic level is feasible, thanks to physicists who walk among the electrons with supercomputers. As ever, what you don't know is what kills you, and if you are not currently doing research or working on NDA stuff, you're toast. Protecting against the known is what keeps the orchestrated leak industry thriving. Be sure to submit bright inventions to the authorities to get contracts for funding dark ones that work against the grain, then you'll get really swell contracts or offed. Ex-NSA staff are rolling in clover selling commercialized versions of security technology that NSA freely accesses. Reminds of the Brits selling to gullible govs impregnable Enigma machines after WW2.
Re: Idea: Simplified TEMPEST-shielded unit (speculative proposal)
While I agree with much of what you say I don't think it's likely that any kind of advanced SIGINT operation was what brought him down. The most important thing to have is intelligence from humans. From insiders. This is partly the problem with the intelligence agencies today. They think too much of the technology and it's possible uses. Good old fashion spies will always be the most powerfull way to get information if you can get someone to cooperate. This is also why it is a bit harder in countries with a lot of people willing to kill or be killed for the sake of ideas. Even so it seems that someone sold him for the money in this case. It was bound to happen sooner or later since it's not possible to be on the run without trusting at least one or a few individuals from time to time.
Re: Idea: Simplified TEMPEST-shielded unit (speculative proposal)
On Dec 14, 2003, at 8:33 PM, Thomas Shaddack wrote: TEMPEST shielding is fairly esoteric (at least for non-EM-specialists) field. But potentially could be made easier by simplifying the problem. If we won't want to shield the user interface (eg. we want just a cryptographic processor), we may put the device into a solid metal case without holes, battery-powered, with the seams in the case covered with eg. adhesive copper tape. The input and output can be mediated by fibers, whose ports can be the only holes, fraction of millimeter in diameter, carefully shielded, in the otherwise seamless well-grounded box. There are potential cooling problems, as there are no ventilation holes in the enclosure; this can be alleviated by using one side of the box as a large passive cooler, eventually with an externally mounted fan with separate power supply. If magnetic shielding is required as well, the box could be made of permalloy or other material with similar magnetic properties. I am not sure how to shield a display. Maybe taking an LCD, bolting it on the shielded box, and cover it with a fine wire mesh and possibly metalized glass? Using LCD with high response time of the individual pixels also dramatically reduces the value of eventual optical emissions. I worked inside a Faraday cage in a physic lab for several months. And, later, I did experiments in and around Faraday cages. Shielding is fairly easy to measure. (Using portable radios and televisions, or even using the Software-Defined Radio as a low-cost spectrum analyzer.) My advice? Skip all of the nonsense about building special laptops or computers and special displays with mesh grids over the displays. Those who are _casually_ interested will not replace their existing Mac Powerbooks or Dell laptops with this metal box monster. Instead, devise a metal mesh bag that one climbs into to use whichever laptop is of interest. To reduce costs, most of the bag can be metallized fabric that is not mesh, with only part of it being mesh, for breathability. (Perhaps the head region, to minimize claustrophobia and to allow audio and visual communication with others nearby.) I would imagine a durable-enough metallized fabric bag could be constructed for under a few hundred dollars, which is surely cheaper for most to use than designing a custom laptop or desktop. Or consider heads-up LCD glasses. These have been available for PCs and gamers for a few years (longer in more experimental forms, of course, dating back to the VR days of the late 80s). Sony has had a couple of models, and so have others. Some have video resolutions (PAL, NTSC), some have VGA resolutions. Perfectly adequate for displaying crypto results and requesting input. These very probably radiate little. But of course a lightweight hood, a la the above mesh bag, would drop the emissions by some other goodly amount of dB. Experiments necessary, of course. Interface to a laptop or PC could be as you described it, with shielded cables. Or just use a small PC (Poqet, etc.) and move the keyboard and CPU under the draped hood. Leakage out the bottom, hence the earlier proposal for a full bag, like a sleeping bag. --Tim May
Idea: Simplified TEMPEST-shielded unit (speculative proposal)
TEMPEST shielding is fairly esoteric (at least for non-EM-specialists) field. But potentially could be made easier by simplifying the problem. If we won't want to shield the user interface (eg. we want just a cryptographic processor), we may put the device into a solid metal case without holes, battery-powered, with the seams in the case covered with eg. adhesive copper tape. The input and output can be mediated by fibers, whose ports can be the only holes, fraction of millimeter in diameter, carefully shielded, in the otherwise seamless well-grounded box. There are potential cooling problems, as there are no ventilation holes in the enclosure; this can be alleviated by using one side of the box as a large passive cooler, eventually with an externally mounted fan with separate power supply. If magnetic shielding is required as well, the box could be made of permalloy or other material with similar magnetic properties. I am not sure how to shield a display. Maybe taking an LCD, bolting it on the shielded box, and cover it with a fine wire mesh and possibly metalized glass? Using LCD with high response time of the individual pixels also dramatically reduces the value of eventual optical emissions. I also have doubts about the keyboard. Several ideas that could help: We may use optical scanning of the key matrix, with the light fed into and read from the matrix by optical fibers, coming out from a well-shielded enclosure, similar to the I/O lines of the first example. We may use a normal keyboard, but modified to use reliably random scanning pattern; that won't reduce the EM emissions of the keyboard, but effectively encrypts them, dramatically reducing their intelligence value. It's then necessary to take precautions about the data cable between the keyboard itself and the computer, where the data go through in plaintext; it's possible to encrypt it, or to use a fiber. As really good shielding of complicated cases is difficult to achieve, the primary objective of this approach is to put everything into simple metallic boxes with as few and as small ports as possible, which should be comparatively easy to manufacture, replacing the special contacting of removable panels with disposable adhesive copper tape (the only reason to go inside is replacing batteries, and the tape together with other measures may serve as tamperproofing), and replacement of all potentially radiating external data connections with fiber optic. I should disclaim I have nothing that could vaguely resemble any deeper knowledge of high frequencies; therefore I lay out the idea here and wonder if anyone can see holes in it (and where they are).
Re: Idea: Simplified TEMPEST-shielded unit (speculative proposal)
There's a good possibility that Saddam was traced by Tempest sensing, airborne or mundane. The technology is far more sensitive than a decade ago. And with a lot of snooping technology kept obscure by tales of HUMINT, finks, lost laptops and black bag jobs. For less sensitive compromising emanations, BETA, among others, makes portable Tempest units, desktop and room-sized, the devices export-restricted as if munitions. There's a patent on a booth-like Tempest device into which the user climbs, with protection provided for connections, but whether it was ever built is unknown. A slew of firms make Tempest products which can be examined for what shielding works sufficiently well to be placed on NSA's more or less trustworthy Tempest products list: Beyond commercial-grade, NSA is reportedly able to read faint emanations from all known Tempest protection, thanks in part to reviewing products and international sharing among spooks. Those leaked from fiber are now a piece of cake, and not by tapping the glass a la the RU submarine cable escapade and the derring-do of USS Jimmy Carter custom-rigged to hack transoceanic fiber. Tempest snooping at the atomic level is feasible, thanks to physicists who walk among the electrons with supercomputers. As ever, what you don't know is what kills you, and if you are not currently doing research or working on NDA stuff, you're toast. Protecting against the known is what keeps the orchestrated leak industry thriving. Be sure to submit bright inventions to the authorities to get contracts for funding dark ones that work against the grain, then you'll get really swell contracts or offed. Ex-NSA staff are rolling in clover selling commercialized versions of security technology that NSA freely accesses. Reminds of the Brits selling to gullible govs impregnable Enigma machines after WW2.
Re: Idea: Simplified TEMPEST-shielded unit (speculative proposal)
While I agree with much of what you say I don't think it's likely that any kind of advanced SIGINT operation was what brought him down. The most important thing to have is intelligence from humans. From insiders. This is partly the problem with the intelligence agencies today. They think too much of the technology and it's possible uses. Good old fashion spies will always be the most powerfull way to get information if you can get someone to cooperate. This is also why it is a bit harder in countries with a lot of people willing to kill or be killed for the sake of ideas. Even so it seems that someone sold him for the money in this case. It was bound to happen sooner or later since it's not possible to be on the run without trusting at least one or a few individuals from time to time.
Idea: Simplified TEMPEST-shielded unit (speculative proposal)
TEMPEST shielding is fairly esoteric (at least for non-EM-specialists) field. But potentially could be made easier by simplifying the problem. If we won't want to shield the user interface (eg. we want just a cryptographic processor), we may put the device into a solid metal case without holes, battery-powered, with the seams in the case covered with eg. adhesive copper tape. The input and output can be mediated by fibers, whose ports can be the only holes, fraction of millimeter in diameter, carefully shielded, in the otherwise seamless well-grounded box. There are potential cooling problems, as there are no ventilation holes in the enclosure; this can be alleviated by using one side of the box as a large passive cooler, eventually with an externally mounted fan with separate power supply. If magnetic shielding is required as well, the box could be made of permalloy or other material with similar magnetic properties. I am not sure how to shield a display. Maybe taking an LCD, bolting it on the shielded box, and cover it with a fine wire mesh and possibly metalized glass? Using LCD with high response time of the individual pixels also dramatically reduces the value of eventual optical emissions. I also have doubts about the keyboard. Several ideas that could help: We may use optical scanning of the key matrix, with the light fed into and read from the matrix by optical fibers, coming out from a well-shielded enclosure, similar to the I/O lines of the first example. We may use a normal keyboard, but modified to use reliably random scanning pattern; that won't reduce the EM emissions of the keyboard, but effectively encrypts them, dramatically reducing their intelligence value. It's then necessary to take precautions about the data cable between the keyboard itself and the computer, where the data go through in plaintext; it's possible to encrypt it, or to use a fiber. As really good shielding of complicated cases is difficult to achieve, the primary objective of this approach is to put everything into simple metallic boxes with as few and as small ports as possible, which should be comparatively easy to manufacture, replacing the special contacting of removable panels with disposable adhesive copper tape (the only reason to go inside is replacing batteries, and the tape together with other measures may serve as tamperproofing), and replacement of all potentially radiating external data connections with fiber optic. I should disclaim I have nothing that could vaguely resemble any deeper knowledge of high frequencies; therefore I lay out the idea here and wonder if anyone can see holes in it (and where they are).
Re: Idea: Simplified TEMPEST-shielded unit (speculative proposal)
On Dec 14, 2003, at 8:33 PM, Thomas Shaddack wrote: TEMPEST shielding is fairly esoteric (at least for non-EM-specialists) field. But potentially could be made easier by simplifying the problem. If we won't want to shield the user interface (eg. we want just a cryptographic processor), we may put the device into a solid metal case without holes, battery-powered, with the seams in the case covered with eg. adhesive copper tape. The input and output can be mediated by fibers, whose ports can be the only holes, fraction of millimeter in diameter, carefully shielded, in the otherwise seamless well-grounded box. There are potential cooling problems, as there are no ventilation holes in the enclosure; this can be alleviated by using one side of the box as a large passive cooler, eventually with an externally mounted fan with separate power supply. If magnetic shielding is required as well, the box could be made of permalloy or other material with similar magnetic properties. I am not sure how to shield a display. Maybe taking an LCD, bolting it on the shielded box, and cover it with a fine wire mesh and possibly metalized glass? Using LCD with high response time of the individual pixels also dramatically reduces the value of eventual optical emissions. I worked inside a Faraday cage in a physic lab for several months. And, later, I did experiments in and around Faraday cages. Shielding is fairly easy to measure. (Using portable radios and televisions, or even using the Software-Defined Radio as a low-cost spectrum analyzer.) My advice? Skip all of the nonsense about building special laptops or computers and special displays with mesh grids over the displays. Those who are _casually_ interested will not replace their existing Mac Powerbooks or Dell laptops with this metal box monster. Instead, devise a metal mesh bag that one climbs into to use whichever laptop is of interest. To reduce costs, most of the bag can be metallized fabric that is not mesh, with only part of it being mesh, for breathability. (Perhaps the head region, to minimize claustrophobia and to allow audio and visual communication with others nearby.) I would imagine a durable-enough metallized fabric bag could be constructed for under a few hundred dollars, which is surely cheaper for most to use than designing a custom laptop or desktop. Or consider heads-up LCD glasses. These have been available for PCs and gamers for a few years (longer in more experimental forms, of course, dating back to the VR days of the late 80s). Sony has had a couple of models, and so have others. Some have video resolutions (PAL, NTSC), some have VGA resolutions. Perfectly adequate for displaying crypto results and requesting input. These very probably radiate little. But of course a lightweight hood, a la the above mesh bag, would drop the emissions by some other goodly amount of dB. Experiments necessary, of course. Interface to a laptop or PC could be as you described it, with shielded cables. Or just use a small PC (Poqet, etc.) and move the keyboard and CPU under the draped hood. Leakage out the bottom, hence the earlier proposal for a full bag, like a sleeping bag. --Tim May
Re: Idea: Using GPG signatures for SSL certificates
Thomas Shadduck writes: The problem that makes me feel uneasy about SSL is the vulnerability of the certification authorities when they get compromised, everything they signed gets compromised too. Technically this is true, but the only thing that the CA signs is other keys. So it merely means that the CA can create certificates on behalf of anyone the compromisers choose. It doesnt compromise any existing key or previously issued certificate or even any newly created key. In any case, you dont need a CA to use SSL. (Or more accurately, you dont need anyone elses CA to use SSL just create your own CA and issue yourself a certificate. This can be done without a lot of effort using openssl, for example.) However, the system could be for some applications potentially get hardened to certain degree, using the web-of-trust approach. What exactly does this buy you? The SSL certification authority system has as its only (but useful) redeeming value that one can connect to www.somecompany.com and have some level of confidence that the SSL certificate presented by that site was actually issued to www.somecompany.com and was issued by a reputable certification authority -- one that presumably will not hand out a certificate stamped www.somecompany.com to [EMAIL PROTECTED] If the certificate presented is not from one of the recognized reputable CAs built into your web browser, SSL itself will still work but your web browser will pop up a box saying that the CA is not in its list of reputable CAs (and BTW would you like to connect anyway? yesno). I dont understand the mindless worship of the web of trust. PGP (/GPG) is a useful tool, but the web of trust is simply a way of certifying a key in a non-centralized, non-hierarchical way. -- Frondeur
Re: Idea: Using GPG signatures for SSL certificates
Thomas Shadduck writes: - cute :) Though I am more often called Shaddup. The problem that makes me feel uneasy about SSL is the vulnerability of the certification authorities when they get compromised, everything they signed gets compromised too. Technically this is true, but the only thing that the CA signs is other keys. So it merely means that the CA can create certificates on behalf of anyone the compromisers choose. It doesnt compromise any existing key or previously issued certificate or even any newly created key. By compromised I meant the signature confirming the authenticity of the certificate can't be trusted anymore. Sorry if it wasn't obvious. In any case, you dont need a CA to use SSL. (Or more accurately, you dont need anyone elses CA to use SSL just create your own CA and issue yourself a certificate. This can be done without a lot of effort using openssl, for example.) I am aware of this. Using the GPG/SSL approach, you can have your own in-house CA for SSL purposes, and at the same time be able to prove to external users that the certificate is really yours. One more factor for establishing trust, one more obstacle for the Adversary to pass. However, the system could be for some applications potentially get hardened to certain degree, using the web-of-trust approach. What exactly does this buy you? The SSL certification authority system has as its only (but useful) redeeming value that one can connect to www.somecompany.com and have some level of confidence that the SSL certificate presented by that site was actually issued to www.somecompany.com and was issued by a reputable certification authority -- one that presumably will not hand out a certificate stamped www.somecompany.com to [EMAIL PROTECTED] It won't buy me anything new. It only strengthens the confidence level by providing a CA-independent, alternative method of verifying the certificate. If the certificate presented is not from one of the recognized reputable CAs built into your web browser, SSL itself will still work but your web browser will pop up a box saying that the CA is not in its list of reputable CAs (and BTW would you like to connect anyway? yesno). What I'd like is one more button, Attempt to verify by GPG. Though that can be easily done by an external application; browser integration is nothing more than mere comfort. I dont understand the mindless worship of the web of trust. PGP (/GPG) is a useful tool, but the web of trust is simply a way of certifying a key in a non-centralized, non-hierarchical way. YES! Which is what I want to achieve.
Idea: Using GPG signatures for SSL certificates
The problem that makes me feel uneasy about SSL is the vulnerability of the certification authorities; when they get compromised, everything they signed gets compromised too. However, the system could be for some applications potentially get hardened to certain degree, using the web-of-trust approach. The server presents its certificate to the client. The client then can optionally request the GPG signature of the certificate from the server either by always trying if it is there or only if its presence is indicated in the certificate data fields, and verify it by the specified GPG public key (which then can be firmly embedded in the web of trust). The server's key may be stored on the server itself together with the certificate signature file, or the signature file may indicate the keyserver it should be fetched from. Being signed by several trusted keys is crucial for this purpose, as otherwise it would be trivial to compromise the GPG pubkey together with the signature and the SSL certificate, if the adversary gets access to the server and manages to compromise the CA (risk especially with in-house CAs, or when Agencies get involved). The clients should cache the server's authentication information, and report any changes, like SSH does. The location of the signature may vary; it can be stored in a default place on the server (https://secure.server.com/cert-gpgsignature.asc), or the location can be specified in a X509 field. Is it a good idea? Could it fly? If not, why?
Re: Idea: Using GPG signatures for SSL certificates
Thomas Shadduck writes: The problem that makes me feel uneasy about SSL is the vulnerability of the certification authorities when they get compromised, everything they signed gets compromised too. Technically this is true, but the only thing that the CA signs is other keys. So it merely means that the CA can create certificates on behalf of anyone the compromisers choose. It doesnt compromise any existing key or previously issued certificate or even any newly created key. In any case, you dont need a CA to use SSL. (Or more accurately, you dont need anyone elses CA to use SSL just create your own CA and issue yourself a certificate. This can be done without a lot of effort using openssl, for example.) However, the system could be for some applications potentially get hardened to certain degree, using the web-of-trust approach. What exactly does this buy you? The SSL certification authority system has as its only (but useful) redeeming value that one can connect to www.somecompany.com and have some level of confidence that the SSL certificate presented by that site was actually issued to www.somecompany.com and was issued by a reputable certification authority -- one that presumably will not hand out a certificate stamped www.somecompany.com to [EMAIL PROTECTED] If the certificate presented is not from one of the recognized reputable CAs built into your web browser, SSL itself will still work but your web browser will pop up a box saying that the CA is not in its list of reputable CAs (and BTW would you like to connect anyway? yesno). I dont understand the mindless worship of the web of trust. PGP (/GPG) is a useful tool, but the web of trust is simply a way of certifying a key in a non-centralized, non-hierarchical way. -- Frondeur
Re: Idea: Using GPG signatures for SSL certificates
Thomas Shadduck writes: - cute :) Though I am more often called Shaddup. The problem that makes me feel uneasy about SSL is the vulnerability of the certification authorities when they get compromised, everything they signed gets compromised too. Technically this is true, but the only thing that the CA signs is other keys. So it merely means that the CA can create certificates on behalf of anyone the compromisers choose. It doesnt compromise any existing key or previously issued certificate or even any newly created key. By compromised I meant the signature confirming the authenticity of the certificate can't be trusted anymore. Sorry if it wasn't obvious. In any case, you dont need a CA to use SSL. (Or more accurately, you dont need anyone elses CA to use SSL just create your own CA and issue yourself a certificate. This can be done without a lot of effort using openssl, for example.) I am aware of this. Using the GPG/SSL approach, you can have your own in-house CA for SSL purposes, and at the same time be able to prove to external users that the certificate is really yours. One more factor for establishing trust, one more obstacle for the Adversary to pass. However, the system could be for some applications potentially get hardened to certain degree, using the web-of-trust approach. What exactly does this buy you? The SSL certification authority system has as its only (but useful) redeeming value that one can connect to www.somecompany.com and have some level of confidence that the SSL certificate presented by that site was actually issued to www.somecompany.com and was issued by a reputable certification authority -- one that presumably will not hand out a certificate stamped www.somecompany.com to [EMAIL PROTECTED] It won't buy me anything new. It only strengthens the confidence level by providing a CA-independent, alternative method of verifying the certificate. If the certificate presented is not from one of the recognized reputable CAs built into your web browser, SSL itself will still work but your web browser will pop up a box saying that the CA is not in its list of reputable CAs (and BTW would you like to connect anyway? yesno). What I'd like is one more button, Attempt to verify by GPG. Though that can be easily done by an external application; browser integration is nothing more than mere comfort. I dont understand the mindless worship of the web of trust. PGP (/GPG) is a useful tool, but the web of trust is simply a way of certifying a key in a non-centralized, non-hierarchical way. YES! Which is what I want to achieve.
Idea: Using GPG signatures for SSL certificates
The problem that makes me feel uneasy about SSL is the vulnerability of the certification authorities; when they get compromised, everything they signed gets compromised too. However, the system could be for some applications potentially get hardened to certain degree, using the web-of-trust approach. The server presents its certificate to the client. The client then can optionally request the GPG signature of the certificate from the server either by always trying if it is there or only if its presence is indicated in the certificate data fields, and verify it by the specified GPG public key (which then can be firmly embedded in the web of trust). The server's key may be stored on the server itself together with the certificate signature file, or the signature file may indicate the keyserver it should be fetched from. Being signed by several trusted keys is crucial for this purpose, as otherwise it would be trivial to compromise the GPG pubkey together with the signature and the SSL certificate, if the adversary gets access to the server and manages to compromise the CA (risk especially with in-house CAs, or when Agencies get involved). The clients should cache the server's authentication information, and report any changes, like SSH does. The location of the signature may vary; it can be stored in a default place on the server (https://secure.server.com/cert-gpgsignature.asc), or the location can be specified in a X509 field. Is it a good idea? Could it fly? If not, why?
Remote Control Helicopter- Great gift idea
Ready to fly? The Remote Control Humblebee Helicopter is up for this year's Hottest Christmas toy! http://lc.myquickdeals.com/newlc/go/2252 MAKES FOR A WONDERFUL GIFT!! This helicopter is an awesome backyard toy! Similar helicopters sold elsewhere for $100 - $130.00 ON SALE HERE - ONLY $49.95 - Act now! Not in available in stores...get yours now! http://lc.myquickdeals.com/newlc/go/2252 Use this link to be dropped from our mailing list. http://lc.myquickdeals.com/unsub/central/[EMAIL PROTECTED]
Idea: GPG signatures within HTML
Sometimes a problem appears with publishing information on the Web, when the authenticity of document, especially a widely-distributed one, has to be checked. I am not aware about any mechanism available presently. A trick with HTML (or SGML in general) tag and a comment, a browser plugin (or manual operation over saved source), and a GPG signature over part of the HTML file should do the job, with maintaining full backward compatibility and no problems for the users not using this scheme. It should be possible to make this HTML construction: HTML BODY blah blah blah blah blah unsigned irrelevant part of the document, eg. headers and sidebars which change with the site design SIGNED SCHEME=GPG!-- -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 --! This is the PGP-signed part of the HTML document. !-- -BEGIN PGP SIGNATURE- Version: GnuPG v1.1.91 (MingW32) - GPGrelay v0.893 ihas7Ds9fXLR9ksWRdwNZXNA8SdshwAJ9zwXFDgvdg5G2mqXp5BD4Sx2ZmjwCfSs70 Kj8sQor6i+MUZBmp5pdM1vU= =hIsR -END PGP SIGNATURE- --!/SIGNED the unsigned rest of the HTML document /BODY/HTML The SIGNED.../SIGNED tags are ignored by browsers that don't know them, and provide leads for eventual browser plugins. The !-- -- comments are used to hide the signature from the user in standard browsers. The scheme is designed to allow signing only parts of documents, so they could be published in fast-changing environments like blogs or on dynamically generated pages, and to have many different signed parts on one page. It should also allow manual checking of the signature, eg. by curl http://url | gpg --verify Feel free to use the idea if it is good. Opinions, comments?
Re: Idea: GPG signatures within HTML - problem with inline objects
There is a problem with images and other inline objects. There is a solution, too. The objects included into the document can get their hash calculated and included in their tag; eg, IMG SRC=image.jpg HASH=SHA1:4e1243bd22c66e76c2ba9eddc1f91394e57f9f83 The tag has to be in the signed part of the document, so the hash can't be tampered with. Full digital signatures should be possible as well, eg. IMG SRC=image.jpg SIGNATURE=http://where.is.the/signature.asc; or IMG SRC=image.jpg SIGNATURE=identifier some HTML code here SIGNATURE TYPE=gpg NAME=identifier!-- -BEGIN PGP SIGNATURE- Version: GnuPG v0.9.11 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQA31UOQaLeriVdUjc0RAjhBAJ4u1k5ex8+ZAtYi737GFXPOiBc51gCfU5+8 is2rD6L/6fIOWttfh5CYUW0= =WOv2 -END PGP SIGNATURE- --/SIGNATURE This way doesn't depend on the part of the document being signed, as the signature can't be effectively tampered with undetected anyway. Same scheme could be used in A HREF tags, allowing automated checking of signatures or hashes of downloaded binary files.
Re: Idea: GPG signatures within HTML
Moin, Am Sat, 22 Nov 2003 14:54:39 +0100 (CET) schrieb Thomas Shaddack: A trick with HTML (or SGML in general) tag and a comment, a browser plugin(or manual operation over saved source), and a GPG signature over part of the HTML file should do the job, with maintaining full backward compatibility and no problems for the users not using this scheme. Opinions, comments? This is already done, although I'm not aware of any browser supporting an automated verification. For an example look at the HTML source of http://www.bundesverfassungsgericht.de/entscheidungen/frames/rk20030827_2bvr091103 -- Henryk Plvtz Gr|_e aus Berlin ~~~ Un-CDs, nein danke! http://www.heise.de/ct/cd-register/ ~~~ ~ Help Microsoft fight software piracy: Give Linux to a friend today! ~
Re: Idea: GPG signatures within HTML - problem with inline objects
There is a problem with images and other inline objects. There is a solution, too. The objects included into the document can get their hash calculated and included in their tag; eg, IMG SRC=image.jpg HASH=SHA1:4e1243bd22c66e76c2ba9eddc1f91394e57f9f83 The tag has to be in the signed part of the document, so the hash can't be tampered with. Full digital signatures should be possible as well, eg. IMG SRC=image.jpg SIGNATURE=http://where.is.the/signature.asc; or IMG SRC=image.jpg SIGNATURE=identifier some HTML code here SIGNATURE TYPE=gpg NAME=identifier!-- -BEGIN PGP SIGNATURE- Version: GnuPG v0.9.11 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQA31UOQaLeriVdUjc0RAjhBAJ4u1k5ex8+ZAtYi737GFXPOiBc51gCfU5+8 is2rD6L/6fIOWttfh5CYUW0= =WOv2 -END PGP SIGNATURE- --/SIGNATURE This way doesn't depend on the part of the document being signed, as the signature can't be effectively tampered with undetected anyway. Same scheme could be used in A HREF tags, allowing automated checking of signatures or hashes of downloaded binary files.
Re: Idea: GPG signatures within HTML
Moin, Am Sat, 22 Nov 2003 14:54:39 +0100 (CET) schrieb Thomas Shaddack: A trick with HTML (or SGML in general) tag and a comment, a browser plugin(or manual operation over saved source), and a GPG signature over part of the HTML file should do the job, with maintaining full backward compatibility and no problems for the users not using this scheme. Opinions, comments? This is already done, although I'm not aware of any browser supporting an automated verification. For an example look at the HTML source of http://www.bundesverfassungsgericht.de/entscheidungen/frames/rk20030827_2bvr091103 -- Henryk Plvtz Gr|_e aus Berlin Un-CDs, nein danke! http://www.heise.de/ct/cd-register/ ~~~ ~~ Help Microsoft fight software piracy: Give Linux to a friend today! ~
Idea: GPG signatures within HTML
Sometimes a problem appears with publishing information on the Web, when the authenticity of document, especially a widely-distributed one, has to be checked. I am not aware about any mechanism available presently. A trick with HTML (or SGML in general) tag and a comment, a browser plugin (or manual operation over saved source), and a GPG signature over part of the HTML file should do the job, with maintaining full backward compatibility and no problems for the users not using this scheme. It should be possible to make this HTML construction: HTML BODY blah blah blah blah blah unsigned irrelevant part of the document, eg. headers and sidebars which change with the site design SIGNED SCHEME=GPG!-- -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 --! This is the PGP-signed part of the HTML document. !-- -BEGIN PGP SIGNATURE- Version: GnuPG v1.1.91 (MingW32) - GPGrelay v0.893 ihas7Ds9fXLR9ksWRdwNZXNA8SdshwAJ9zwXFDgvdg5G2mqXp5BD4Sx2ZmjwCfSs70 Kj8sQor6i+MUZBmp5pdM1vU= =hIsR -END PGP SIGNATURE- --!/SIGNED the unsigned rest of the HTML document /BODY/HTML The SIGNED.../SIGNED tags are ignored by browsers that don't know them, and provide leads for eventual browser plugins. The !-- -- comments are used to hide the signature from the user in standard browsers. The scheme is designed to allow signing only parts of documents, so they could be published in fast-changing environments like blogs or on dynamically generated pages, and to have many different signed parts on one page. It should also allow manual checking of the signature, eg. by curl http://url | gpg --verify Feel free to use the idea if it is good. Opinions, comments?
EDRI-gram: RFID-blocker wins German idea-contest
-- Forwarded message -- Date: Wed, 19 Nov 2003 16:26:40 +0100 (CET) Subject: EDRI-gram newsletter - Number 22, 19 November 2003 From: EDRI-gram newsletter [EMAIL PROTECTED] To: [EMAIL PROTECTED] snip == 6. RFID-DETECTOR WINS GERMAN IDEA-CONTEST == The German civil rights and privacy-organisation FoeBuD is the winner of an idea-contest for a national awareness campaign about the infringement of civil liberties through new technologies. With the price of 15.000 Euro, FoeBuD wants to develop a 'Dataprivatizer', a tool to detect RFID's, minuscule spy-chips that are increasingly built into consumer goods. RFID (Radio Frequency Identification) are tiny computer chips with an antenna that can be read without touching or even seeing it. These transponders can be built into every yoghurt cup or piece of clothing. The chips can secretly divulge information about the buyer. With these data firms can set up profiles about the shopping behaviour and leisure activities of their customers. This is not a remote future. The German chain of supermarkets and DIY-stores Metro AG already won a Big Brother Award last month for implementing this technology. Idea contest (winner announced 06.11.2003) http://www.bridge-ideas.de snip
EDRI-gram: RFID-blocker wins German idea-contest
-- Forwarded message -- Date: Wed, 19 Nov 2003 16:26:40 +0100 (CET) Subject: EDRI-gram newsletter - Number 22, 19 November 2003 From: EDRI-gram newsletter [EMAIL PROTECTED] To: [EMAIL PROTECTED] snip == 6. RFID-DETECTOR WINS GERMAN IDEA-CONTEST == The German civil rights and privacy-organisation FoeBuD is the winner of an idea-contest for a national awareness campaign about the infringement of civil liberties through new technologies. With the price of 15.000 Euro, FoeBuD wants to develop a 'Dataprivatizer', a tool to detect RFID's, minuscule spy-chips that are increasingly built into consumer goods. RFID (Radio Frequency Identification) are tiny computer chips with an antenna that can be read without touching or even seeing it. These transponders can be built into every yoghurt cup or piece of clothing. The chips can secretly divulge information about the buyer. With these data firms can set up profiles about the shopping behaviour and leisure activities of their customers. This is not a remote future. The German chain of supermarkets and DIY-stores Metro AG already won a Big Brother Award last month for implementing this technology. Idea contest (winner announced 06.11.2003) http://www.bridge-ideas.de snip
Re: Idea: Small-volume concealed data storage
And what is the purpose of connecting the key and data storage in the first place ? Data storage is data storage, concealed or not. You feed encrypted data to/from it. Key is required at human interface and has absolutely nothing to do with the storage. If you want better security than passphrase, then you need a mechanical key carrier. Indeed, that is where the word key comes from. You can store any number on bits on it and you'll hand it over before they beat the shit out of you - or you may want to be brave and destroy it instead (trivial with flash-on-chip and small battery cell), but, again, it has nothing to do with storage of data. = end (of original message) Y-a*h*o-o (yes, they scan for this) spam follows: __ Do you Yahoo!? The New Yahoo! Shopping - with improved product search http://shopping.yahoo.com
Idea: Small-volume concealed data storage
I mentioned here the AT24RF08 chip here for couple times already. I got an idea about another application for this nice toy. For an encrypted data storage, the storage of the key is crucial. If the key is recovered, everything is lost. Remembering 256 (or even 128) bits is a hassle, a storage medium is subject to potential seizure. The key has to be protected by a passphrase, which is subject to bruteforcing. The key has to be destroyed in the event of a dangerous situation detected by the environmental sensors, or if the passphrase is tried one time too much (which opens the possibility of a DoS attack, rendering the data protection scheme unusable by regular intentional destruction of the key). However, the higher security we want, the lower alarm thresholds we have to set and the higher is the probability of misfire. For convenience reasons, for most common scenarios where absolute security is not necessary and some risk is affordable, we need a backup key storage. The mentioned chip can operate passively, powered from the coil used for data transfer, principially the same as an RFID tag. The independence on any kind of power supply makes it suitable for being built into some object, including the building itself; the chip and coil may be located inside a wall, serving as a potential storage for up to 8 kilobits of data as necessary. It may be put in place at the moment when the building is built, or during some construction work. Routine kinds of police raids are quite unlikely to discover this kind of data storage (though the eventual discovery of a reader device may be a giveaway). XORing the key with a MD5 hash of a memorized keyphrase can further increase security. This method may be also used for covert exchange of short messages. The device may be hidden under the carpet or inside poured concrete floor, and reader/writed in the shoes of the conspirators. The simplicity and robustness of the storage part of the technology could permit long-time installations just for case. Or maybe I am too tired to think in coherent way. Maybe it's a good idea. Maybe not (if, then why?). May be handy at least for a spy novel writer.
Re: Idea: Small-volume concealed data storage
And what is the purpose of connecting the key and data storage in the first place ? Data storage is data storage, concealed or not. You feed encrypted data to/from it. Key is required at human interface and has absolutely nothing to do with the storage. If you want better security than passphrase, then you need a mechanical key carrier. Indeed, that is where the word key comes from. You can store any number on bits on it and you'll hand it over before they beat the shit out of you - or you may want to be brave and destroy it instead (trivial with flash-on-chip and small battery cell), but, again, it has nothing to do with storage of data. = end (of original message) Y-a*h*o-o (yes, they scan for this) spam follows: __ Do you Yahoo!? The New Yahoo! Shopping - with improved product search http://shopping.yahoo.com
Idea: Small-volume concealed data storage
I mentioned here the AT24RF08 chip here for couple times already. I got an idea about another application for this nice toy. For an encrypted data storage, the storage of the key is crucial. If the key is recovered, everything is lost. Remembering 256 (or even 128) bits is a hassle, a storage medium is subject to potential seizure. The key has to be protected by a passphrase, which is subject to bruteforcing. The key has to be destroyed in the event of a dangerous situation detected by the environmental sensors, or if the passphrase is tried one time too much (which opens the possibility of a DoS attack, rendering the data protection scheme unusable by regular intentional destruction of the key). However, the higher security we want, the lower alarm thresholds we have to set and the higher is the probability of misfire. For convenience reasons, for most common scenarios where absolute security is not necessary and some risk is affordable, we need a backup key storage. The mentioned chip can operate passively, powered from the coil used for data transfer, principially the same as an RFID tag. The independence on any kind of power supply makes it suitable for being built into some object, including the building itself; the chip and coil may be located inside a wall, serving as a potential storage for up to 8 kilobits of data as necessary. It may be put in place at the moment when the building is built, or during some construction work. Routine kinds of police raids are quite unlikely to discover this kind of data storage (though the eventual discovery of a reader device may be a giveaway). XORing the key with a MD5 hash of a memorized keyphrase can further increase security. This method may be also used for covert exchange of short messages. The device may be hidden under the carpet or inside poured concrete floor, and reader/writed in the shoes of the conspirators. The simplicity and robustness of the storage part of the technology could permit long-time installations just for case. Or maybe I am too tired to think in coherent way. Maybe it's a good idea. Maybe not (if, then why?). May be handy at least for a spy novel writer.
This is a great idea... zf u hdwd a
gjuxrvesd rvpbttlvsllzzdf nea twe ytd
Re: Viral DNS Attack, DDos Idea
At 10:11 AM 8/17/03 -0700, Tim May wrote: Many evolved diseases _DO_ kill their hosts. Look around. It is true that there are tradeoffs in lethality, time to death, and virulence, and that a disease which kills too quickly and too many won't spread adequately, but quite clearly all of the diseases of the past were evolved (until recently, none were created) and yet they often killed their hosts. This objection jammed in my memegrinder so I had to examine it. I'll argue that the nastiness of many human diseases are *temporary* exceptions to the evolved pathogens don't kill observation. Because humans are not in equilibrium: * Human population is growing. This means you can kill your host, two new ones are born every minute (except in a few places, eg W. Europe). If your host population is growing like that, you can be extra lethal, temporarily. If the host numbers are stable, you could wipe them all out if you're too lethal. * Humans are expanding their range. This means new diseases are introduced from existing resivoirs so they have not adapted to humans --especially the conditions of modern humans-- yet. Ebola, HIV, etc. * Humans only *recently* live in dense (and stationary) groups. This means that pathogens have not adapted yet. Cities are incubators. Bubonic plague, TB are good examples here. * Rapid travel is even more recent an invention. Populations who have never seen a pathogen (West nile, etc.) are getting exposed for the first time. No equilibrium there. The Cortez effect, amplified by Whittle's jet engine. Globalization means everyone gets exposed to everyone else's pathogens. A sick chinese chicken can ruin your day in America. Guns, germs, and steel. BTW Globalization also means that everyone gets exposed to everyone's plants, insects, etc. A lot of isolated species (e.g., Hawaii) that can't deal with competition will be toast just as much as the Amerinds who met Mr. Cortez. Guns, germs, and steel. Meet Mr. Kudzu. Obviously, the scale of temporary should be taken in the larger context, not that of one's own lifespan. Of course a coadapted pathogen (eg flu) can spontaneously become newly virulent simply because of mutation or recombination. If the hosts aren't all connected, then merely one particular host-group dies, along with the newly virulent strain. Losing some village is not a big deal (until someone gets on a plane). ... Interesting to extend the analogy to say virii that zap cellphones or PCs permenantly vs. merely being annoyances. A PC-zapping virus would give Macs the kind of ripe open field not seen since the days of the Bering Strait. Also interesting to view the RIAA vs. Networked-Computer struggle in a biological (evo/eco) light. Ms. Dodo, meet Mr. Kudzu. And of course fascinating to watch how the new dense mobile humans (or their lawyers :-) adapt behaviorally.
Re: Viral DNS Attack, DDos Idea
At 05:46 PM 8/15/03 -0700, Bill Stewart wrote: At 01:19 PM 08/15/2003 -0700, Major Variola (ret.) wrote: Suppose malware appends a bogus entry to an infected machine's /etc/hosts (or more likely, MSwindows' \windows\blahblah\hosts file). (This constitutes a DNS attack on the appended domain name, exploiting the local hosts' name-resolution prioritization.) If the appended IP address points to the same victim (66.66.66.66) on all the virus-infected machines, and the appended (redirected) domain name is popular (google.com Cute, but sounds like a lot of work compared to other obvious attacks you could do if you're spreading a virus anyway. Yes if you have virally owned a machine you can do much nastier. But this attack has the advantage that its effects would not be immediately recognized, nor could they be fixed in one spot once detected. Evolved diseases don't kill their hosts. Google is too useful to redirect. On the other hand, you can redirect an entire TLD (eg .mil), albeit on one machine at a time. Try doing that to one of The DNS Roots (pbut). The more popular version of this attack is to try to hack DNS servers, or poison DNS requests, so that DNS requests for google report the wrong thing. Yes I've followed discussions about SecDNS etc before. The cute part of the local hostsfile attack is that local machines are *not* administered competently, whereas DNS servers (and even ISP caches) are more likely tended better. One problem with hacking the hosts files is that different versions of Windows tend to put them in different places, though perhaps if you target XP and 2000 and ME and 98 it's consistent enough to work. OS detection is trivial once in.. as is file/path detection. I bet a javascript program could do it, if the client security settings (ACLs) were poor. The real question is whether the bad guys would redirect to a victim, or to a fake web server run by them, so they could hand out bogus responses, such as redirects to various places around the web, potentially along with some advertising banners. That's the virus author's choice, of course. In fact, I first thought of the attack as a DNS-redirect on domain names ---intending on random (or even localhost) misdirection. Upon thinking about it, the utility of all those 9AM Monday clicks became apparent. Diagnosing the situation would be a bushel of fun in the first hours either way. If it's a virtual server machine, though, you can't do that without disrupting all the clients on it, which is too bad; Hadn't thought of virtual servers... all your eggs in one basket :-) If it's a router, that's a more interesting problem, You're right, routers merely drop port 80 incoming, any router DoS depends on sheer bandwidth --say routing the NYTimes.com clicks to Podunk-BackwaterTimes.com because many routers have wimpy CPUs and do the routine work in ASICs - ASICs are great except for exception handling, which is a vulnerability. I was working on Intel's network processors earlier this year. Amazing chips--they have hardware support for everything you do in an IP stack, buttloads of memory controllers, I/O up the kazoo, and a dozen hardware-supported thread contexts (hyperthreading) on each of a dozen high-clockrate RISC engines. But they all defer exception packet processing to the onboard ARM, which might alert the host system or at least log the exception by incrementing a counter. But the ARM is not as fast as the threads and could perhaps be overwhelmed. Perhaps the subject of a future Gedanken Design Idea. - When the rotary telephone first came out, people said, 'You mean I have to dial seven numbers?'
Re: Viral DNS Attack, DDos Idea
On Sunday, August 17, 2003, at 08:19 AM, Major Variola (ret) wrote: Evolved diseases don't kill their hosts. Google is too useful to redirect. On the other hand, you can redirect an entire TLD (eg .mil), albeit on one machine at a time. Try doing that to one of The DNS Roots (pbut). Many evolved diseases _DO_ kill their hosts. Look around. It is true that there are tradeoffs in lethality, time to death, and virulence, and that a disease which kills too quickly and too many won't spread adequately, but quite clearly all of the diseases of the past were evolved (until recently, none were created) and yet they often killed their hosts. --Tim May In the beginning of a change the patriot is a scarce man, and brave, and hated and scorned. When his cause succeeds, the timid join him, for then it costs nothing to be a patriot. -- Mark Twain
Re: Viral DNS Attack, DDos Idea
At 01:19 PM 08/15/2003 -0700, Major Variola (ret.) wrote: Suppose malware appends a bogus entry to an infected machine's /etc/hosts (or more likely, MSwindows' \windows\blahblah\hosts file). (This constitutes a DNS attack on the appended domain name, exploiting the local hosts' name-resolution prioritization.) If the appended IP address points to the same victim (66.66.66.66) on all the virus-infected machines, and the appended (redirected) domain name is popular (google.com Cute, but sounds like a lot of work compared to other obvious attacks you could do if you're spreading a virus anyway. The more popular version of this attack is to try to hack DNS servers, or poison DNS requests, so that DNS requests for google report the wrong thing. One problem with hacking the hosts files is that different versions of Windows tend to put them in different places, though perhaps if you target XP and 2000 and ME and 98 it's consistent enough to work. The real question is whether the bad guys would redirect to a victim, or to a fake web server run by them, so they could hand out bogus responses, such as redirects to various places around the web, potentially along with some advertising banners. Besides making google.com harder to reach, another effect is that lots of people send TCP SYN requests to 66.66.66.66 port 80 instead of google.com port 80, and if there's a web server on that port, they send it HTTP requests for URLs on google.com, which it presumably will reject. If 66.66.66.66 is an arbitrary victim computer with no web server, the main impact is a bunch of extra SYN requests, so the obvious defense is to filter them out from the router. If it's got a single web server, moving the server to a new IP address and using DNS to update it can help, at the cost of disrupting clients until its DNS update propagates, and getting its router to drop requests for port 80 (passing other ports is fine.) If it's a virtual server machine, though, you can't do that without disrupting all the clients on it, which is too bad; either hope you've got enough horsepower to handle rejecting the google.com requests, or front-end it with a squid proxy and kill it off there, which cuts down the CPU impact, though it doesn't cut down the bandwidth much. You could get fancy and have the squid redirect all the real requests to another IP or DNS name, e.g. example1.net/stuff to example2.net/stuff, where the new address is on a different machine and if necessary on a different access line. If it's a router, that's a more interesting problem, because many routers have wimpy CPUs and do the routine work in ASICs - so if the router has an HTTP interface for admin use, and it's not protected by ACLs for some reason, you might blow it away with the work required to reject google hits. But if you don't need the web interface, it's much easier to protect. Also, if the router is in an ISP, rather than at the customer premises, access to it may be blocked anyway, as a general security mechanism, and even if it's not, it's usually easy to add that kind of blocking, by null-routing the traffic rather than by ACLs. If the victim IP address were a router just upstream of the victim domain name, its extra fun for the victim domain --not only are they unavailable on infected machines, but clients pound their upstream when they try to connect. That's actually much less of a risk, except for CPU consumption, because if the router has enough capacity to handle google.com's traffic, it can handle the bunch of unsuccessful SYN packets that it gets instead. Thoughts? Has this ever been suggested or implemented? Never seen it. Another variation on this attack is to use random redirect addresses instead of a single target victim - that loses the focus for detection and correction that having a single victim can provide. If you scatter it around, people will still have trouble reaching Google, but almost no web servers will get enough rejected hits to swamp them, so admins are less likely to notice.
Viral DNS Attack, DDos Idea
Suppose malware appends a bogus entry to an infected machine's /etc/hosts (or more likely, MSwindows' \windows\blahblah\hosts file). (This constitutes a DNS attack on the appended domain name, exploiting the local hosts' name-resolution prioritization.) If the appended IP address points to the same victim (66.66.66.66) on all the virus-infected machines, and the appended (redirected) domain name is popular (google.com for instance) then you get a DDoS attack on the appended IP host 66.66.66.66 that grows as the viral infection spreads in the population. You also get a DDoS on the popular domain name (google.com) you've redirected. If the victim IP address were a router just upstream of the victim domain name, its extra fun for the victim domain --not only are they unavailable on infected machines, but clients pound their upstream when they try to connect. Thoughts? Has this ever been suggested or implemented? --- In The Wild One bikers mount a DoS attack on a router: her name is Dorothy and she works at a plugboard. ca 1954
Re: Idea: Homemade Passive Radar System (GNU/Radar)
As an active twist, we can also use a separate unit, Illuminating Transceiver (IT), periodically broadcasting a pulse of known characteristics, easy to recognize by the LPs when it bounces from an aerial target. This unit has to be cheap and expendable - it's easy to locate and to destroy by a HARM missile. As a bonus, forcing the adversary to waste a $250,000+ AGM-88 missile on a sub-$100 transmitter may be quite demoralizing. There can be a whole hierarchy of ITs; when one of them Microwave oven. This has been done in recent years in various theatres. Even other sources can serve as involuntary ITs. The landscape is littered with cellular base stations and civilian TV and radio transmitters. Just pick the suitable frequency and listen on. There is enough wideband power in the ether above inhabited areas to make passive detection from reflected EM possible in theory (without any EM emanating from the target.) The space is illuminated, but the eyes are not good enough, yet. Signal levels are extremely low, but it's likely that a flying jet reflects back enough from hundreds of cellphone/celltower transmissions to be few dB above the background noise. However, without knowing where to look the receiver cannot use typical narrow beam high-gain antennas. What is needed is an array, like an insect's eye, and that will be a sizeable contraption - passive, but not small. In other words, the size of a passive eye is proportional to the wavelength. To get human eye resolution in 10cm band the size gets to 2km across. Big eye. = end (of original message) Y-a*h*o-o (yes, they scan for this) spam follows: __ Do you Yahoo!? Yahoo! SiteBuilder - Free, easy-to-use web site design software http://sitebuilder.yahoo.com
Idea: Homemade Passive Radar System (GNU/Radar)
The current developments in international politics, mainly the advent of rogue states attacking sovereign countries from air, causes a necessity of proliferation of cheap air defense solutions. Key part of air defense is the awareness, usually maintained by a network of ground radar stations. In the end of 50's, Czech Republic developed a passive radar system called PRP-1/Kopac (Korelacni Patrac, Correlation Seeker), which was later replaced by more advanced system Ramona and even more advanced Tamara. Then the Revolution came, bringing the inevitable international pressures that led to the bankrupcy of the Tamara developer company, following false indictments of its top managements which lead to revocation of the company's arms sale licence. Shortly after this, articles in the world press appeared about groundbreaking passive radar system being developed by - guess who? Lockheed. (After 15 years of research, good part of which consisted from reverse-engineering of seized shipment of I am not sure if Ramonas or Tamaras.) See also http://www.techtydenik.cz/tt1998/tt10/panoram5.htm The system allows locating and identification of aerial, ground, and (when installed on the shore) sea-based EM sources. The passive radar system consists from four main parts. Three are wideband receivers, listening for any characteristical transmitting activity. They talk to the fourth one, where a correlator is located - an electronic system calculating the position of the signal sources from the differences of times when the listening posts received their signals. The civilian sector electronics is developing fast; component prices fall down, computing power goes up, anybody can buy a machine that just few decades ago would make everyone in Pentagon salivating. Naturally, this opens interesting possibilities. The threat rogue states with overwhelming air force pose to other countries makes it a necessity to develop a cheap, open passive radar system, effectively bringing a key part of air defense down to easy affordability on a municipiality level. Let's call it GNU/Radar. We need the four stations: three listening ones, and the correlating one. The correlating station (CS) may be built as a MOSIX or Beowulf cluster. Its job is to handle signals from LPs, identifying the targets, and tracking their position. The listening posts (LPs) need a receiver - a suitably wideband one, a digitizer (a fast ADC card), optionally a DSP board to take some calculations off the shoulders of the CPU, a source of precise timebase for synchronizations (may be a GPS, which also provides information about the location of the listening post which is what the CS needs to know, or may be a receiver of a time synchronization signal broadcasted from somewhere if we want a backup for case of GPS being shut down. The receiver may be possibly adapted from the GNU/Radio project. The timing pulses can be also delivered optically, eg. by a modification in the Ronja unit mentioned later. The LPs crunch the received signals, isolate the interesting-looking ones, mark the precise moments of their reception, and send their arrival times and key characteristics to CS. The transmission channel may be anything with sufficient bandwidth - from an Internet leased line to Ronja-based 10Mbps optical links in case of direct visibility between LPs and CS. As an active twist, we can also use a separate unit, Illuminating Transceiver (IT), periodically broadcasting a pulse of known characteristics, easy to recognize by the LPs when it bounces from an aerial target. This unit has to be cheap and expendable - it's easy to locate and to destroy by a HARM missile. As a bonus, forcing the adversary to waste a $250,000+ AGM-88 missile on a sub-$100 transmitter may be quite demoralizing. There can be a whole hierarchy of ITs; when one of them transmits, the other ones sleep - when the transmitting one is destroyed, one of the sleeping units wakes up and continues in illuminating the airspace. This is within reach of capabilities of a simple microcontroller. Even other sources can serve as involuntary ITs. The landscape is littered with cellular base stations and civilian TV and radio transmitters. Just pick the suitable frequency and listen on. Remember that Kopac was built about 50 years ago, on vacuum tubes. It should be far from impossible to replicate it with contemporary COTS electronics. Using lower frequencies than the gigahertz band usual for modern military radars reduces accuracy, but also dramatically reduces the effectivity of aircraft stealth features. There are already prototype results in this field: http://www.wired.com/news/print/0,1294,16762,00.html Some other sources: http://ronja.twibright.com/ http://slashdot.org/articles/01/06/11/1617239.shtml Opinions, comments, ideas?
Re: Idea: Homemade Passive Radar System (GNU/Radar)
At 05:04 PM 8/11/03 +0200, Thomas Shaddack wrote: This unit has to be cheap and expendable - it's easy to locate and to destroy by a HARM missile. As a bonus, forcing the adversary to waste a $250,000+ AGM-88 missile on a sub-$100 transmitter may be quite demoralizing. Microwave ovens were used in the Yugo war for this. The invading air power can't ignore the ISM band because then you could use it for real missile trackers. Someone who can do vacuum and welding work could change the output freq of an oven magnetron, by changing the shorting-strap connections.
Re: Idea: Homemade Passive Radar System (GNU/Radar)
At 05:04 PM 8/11/03 +0200, Thomas Shaddack wrote: This unit has to be cheap and expendable - it's easy to locate and to destroy by a HARM missile. As a bonus, forcing the adversary to waste a $250,000+ AGM-88 missile on a sub-$100 transmitter may be quite demoralizing. Microwave ovens were used in the Yugo war for this. The invading air power can't ignore the ISM band because then you could use it for real missile trackers. Someone who can do vacuum and welding work could change the output freq of an oven magnetron, by changing the shorting-strap connections.
Re: idea: brinworld meets the credit card
You might find facecerts interesting. http://www.computer.org/proceedings/dcc/1896/18960435.pdf This is more for face-to-face checking, however. For your remote scenario some sort of one-way hash to verify the image might be intersting. It would have to allow for fuzzy matching after hashing (for obvious reasons). I think this just raises the bar a tiny bit though, as an attacker could stalk their victim before stealing their card to get an idea about what appearance to forge. (or capture webcam traffic before lifting the card / identity info) Cheers, Adam Lydick On Tue, 2003-07-08 at 12:16, Major Variola (ret) wrote: Authentication is Something you have / know / are. A simple plastic credit card + PIN provides the first two, including a photo provides the third something you are. A face is more often checked than the readily forgable signature, in live authentication. But as cameras become ubiquitous (e.g., in cell phones) some extra security could be obtained for *remote* authentication by sending a trusted photo of the account holder plus a live picture of the card user. A picture glued into the card could be forged, but a smartcard (with more data area than a magstripe) could include a picture of the account holder, so a thief has no idea what to look like. But the vendor can check the encrypted smartcard face to the face on the phone or webcam. For high-value remote transactions, where you pay someone to check faces, this might be viable in a few years. In a few years after that, machines might be able to check faces more cheaply, as reliably. The live face-check with embedded digital photos is already standard practice on high-security building-entry cards (and passports?), with the guard comparing the card-embedded face to the one before him. Ubiquitous cameras will bring that face-check to remote transactions, reducing cost due to lower fraud. Thoughts?
Re: Idea: The ultimate CD/DVD auditing tool (meow)
Then your ears are not golden, period. Harumph! But you misunderstand what the phase button does. If the speakers are wired out of phase anybody can hear that. Actually, it's a quite interesting thing to hear...nothing is really localizable. But the phase button inverts the absolute phase of the signal coming out of both speakers. In other words, with a bass drum hit do the speaker cones move outward at the initial strike or inward (as they are not supposed to). Supposedly this difference can be heard, but my speakers start rolling off below 100Hz, so I suspect that's why I have a very hard time discerning the absolute phase difference when I hit the button. -TD From: Jim Choate [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Re: Idea: The ultimate CD/DVD auditing tool (meow) Date: Wed, 9 Jul 2003 23:51:47 -0500 (CDT) On Wed, 9 Jul 2003, Tyler Durden wrote: Somebody wrote... Yes this is for localization ---clicks are broadband, you need to identify which freq components are used. I still think humans can't discriminate the phase of a tone. An interesting thing to try is to play with the phase button on many high-end gear. This supposedly matters for low frequencies, but despite my unarguably golden ears, I'm still not convinced I can hear the difference. Then your ears are not golden, period. A standard test of audio systems in PA's for example is related to 'speaker phase' (ie all the cones move out or in together at the same time). This is tested by putting a click on the line and then standing between pairs of speakers. It is quite easy to tell when the speakers are in phase. The same can be said for music (and no you don't need expensive high end equipment), garble the phase and things like echo become very(!!!) wierd. You just have to have the experience to know what to 'look' for. A very(!) simple test to demonstrate/test your phase sensitivity (using even very low quality equipment) is to connect a speaker between the R and L channels (in essence it is driven by diff between the two channels). This tends to highlight the phase disparity between the two channels significantly enhancing the 'depth' of the music. Put a switch in there and then have a friend enable/disable the speaker without your knowledge. Then indicate what you think is the 'third speaker' setting. If you can't tell nearly 100% of the time then any money on high end equipment is a waste of your budget. This trick (was very popular in the 70's, especially for us Quadraphonic fans) was what eventually led to the sub-woofer we all know and love today (I do wish somebody would do something about those damn rattling cars though). -- We are all interested in the future for that is where you and I are going to spend the rest of our lives. Criswell, Plan 9 from Outer Space [EMAIL PROTECTED][EMAIL PROTECTED] www.ssz.com www.open-forge.org _ Help STOP SPAM with the new MSN 8 and get 2 months FREE* http://join.msn.com/?page=features/junkmail
Re: Idea: The ultimate CD/DVD auditing tool
On 2003-07-08, Major Variola (ret) uttered to [EMAIL PROTECTED]: I haven't, but it does ring true. You'd get 2 Khz as well as other intermodulation products. Provided there's a nonlinearity, effective in the ultrasonic range, somewhere. Mere interference (which is what we usually refer to as beats) doesn't give rise to intermodulation. The beat, it isn't an audible frequency per se, but double the frequency you'd need to amplitude modulate a sinusoid halfway between the original sinusoids to get an equivalent result. You've read about the company trying to sell highly localized speakers? They modulate two intense ultrasound beams, and the air does the nonlinear mixing where they meet. You can do it with a single beam, too. MIT's Sonic Spotlight is one example, but there are better developed applications on the market. However, you need huge amplitudes to get the air to distort. (I've heard numbers in the 130-150dB range.) In the audiophile, lower-intensity case, the ears' nonlinearity would do it. I don't think it would. Before the nonlinearity gets to do its job, the sound needs to be conducted to the inner ear. But it probably won't be -- our ossicles and the tympanic membrane are too massive to operate in that frequency range. So I agree if the amplitudes are extreme, but otherwise I doubt it. -- Sampo Syreeni, aka decoy - mailto:[EMAIL PROTECTED], tel:+358-50-5756111 student/math+cs/helsinki university, http://www.iki.fi/~decoy/front openpgp: 050985C2/025E D175 ABE5 027C 9494 EEB0 E090 8BA9 0509 85C2
Re: Idea: The ultimate CD/DVD auditing tool
Tim May wrote... Most so-called high end tube amps do in fact sound different, perhaps better, perhaps not. This is of course because tubes are usually rich in odd-order harmonics. That $4000 Krell tube amp is actually _coloring_ the sound. So much for 20-bit DACs in the signal source: the amp is altering the sound at about the 6th or 8th or whatever most significant bit. A couple of corrections, then the comment. First is that tubes boost the even order harmonics, making the sound much richer and fuller sounding. Also, the Krell is digital, not tube. But your point is correct, but also well-known within audiophile circles. In fact, single-end triode style tube amps (which hit the market about 10 years ago) have really rotten measureables, but they have continued to grow in popularity because of the the allegedly live/lush sound. (Another odd thing about them is that they have extremely low output powers--12W, 8W and 6W are common!) Everyone knows they are basically nearly random tone-control gizmos, but no one cares at this point. As for 24/96 (or 24/192), like I said there are real engineering reasons for doing this, but in the end there's not much reason to argue if you haven't heard. Go listen to a standard CD played on an upsampling machine and you will know in no uncertain terms that the sound is considerably better/fuller/realler. (A hint as to why can be seen when you look a square wave reproduced in 16/22 vs 24/96.) As for audiophile voodoo there's a lot out there, but there's a pretty easy way to differentiate voodoo from real (though 'inexplicable') high-end stuff. The voodoo dissappears within a year or two, but the real stuff keeps going. -TD A PS about double-blind: There's been lots of them done, some confirming audiophile expectations some contradicting. Some of the disparity is due to who the blindees are: high-end listening is a skill that is basically self-taught. Some of the high-end tweeks have differences that are not discernable to nonGolden ears (and some tweaks are obviously pure snakeoil). _ Add photos to your messages with MSN 8. Get 2 months FREE*. http://join.msn.com/?page=features/featuredemail
Re: Idea: The ultimate CD/DVD auditing tool
Actually I thought humans are insensitive to phase relations, modulo inter-aural timing at low frequencies for spatial location. Perhaps that is what you meant? But spatial location isn't the same as the frequency-fetishing audiophiles go for. Au contrare...frequency accuracy vs spatial resolution is the classic Uncertainty principal in high end. A real high-end system present the ear with a truly 3-D soundscape...some instruments are clearly in the foreground, some are clearly in the background, and some are even higher than others. With a good recording, the hall ambience is also there. Put a great live recording on a great high-end sound system and you are there. -TD From: Major Variola (ret) [EMAIL PROTECTED] To: [EMAIL PROTECTED] [EMAIL PROTECTED] Subject: Re: Idea: The ultimate CD/DVD auditing tool Date: Wed, 09 Jul 2003 10:59:39 -0700 At 07:15 PM 7/8/03 -0700, Mike Rosing wrote: To produce 65kHz (for cats) my present boss prefers a 1 MHz sample rate. Do cats buy a lot of audiophile equiptment :8=|| The human hearing system is capable of noticing phase relations at 100kHz rates. Actually I thought humans are insensitive to phase relations, modulo inter-aural timing at low frequencies for spatial location. Perhaps that is what you meant? But spatial location isn't the same as the frequency-fetishing audiophiles go for. To do that well you need casts of the outer ear too. You doing owl-type studies on auditory localization? Audio-visual mapping and plasticity? Making the cats wear funky glasses? _ STOP MORE SPAM with the new MSN 8 and get 2 months FREE* http://join.msn.com/?page=features/junkmail
Re: Idea: The ultimate CD/DVD auditing tool
At 07:15 PM 7/8/03 -0700, Mike Rosing wrote: To produce 65kHz (for cats) my present boss prefers a 1 MHz sample rate. Do cats buy a lot of audiophile equiptment :8=|| The human hearing system is capable of noticing phase relations at 100kHz rates. Actually I thought humans are insensitive to phase relations, modulo inter-aural timing at low frequencies for spatial location. Perhaps that is what you meant? But spatial location isn't the same as the frequency-fetishing audiophiles go for. To do that well you need casts of the outer ear too. You doing owl-type studies on auditory localization? Audio-visual mapping and plasticity? Making the cats wear funky glasses?
Re: Idea: The ultimate CD/DVD auditing tool
On Wed, 9 Jul 2003, Major Variola (ret) wrote: Do cats buy a lot of audiophile equiptment :8=|| Nope. That's why I have a job (for another couple of months anyway, till the grant runs out.) Actually I thought humans are insensitive to phase relations, modulo inter-aural timing at low frequencies for spatial location. Perhaps that is what you meant? But spatial location isn't the same as the frequency-fetishing audiophiles go for. To do that well you need casts of the outer ear too. No, if you put 2 clicks out that are 10 usec's apart on right and left, most people can pick out which side came first. 90% of the time anyway. You doing owl-type studies on auditory localization? Audio-visual mapping and plasticity? Making the cats wear funky glasses? Yup. they sew coils into their eyes. For humans they use contacts :-) PETA is definitly a problem :-) Patience, persistence, truth, Dr. mike
Re: Idea: The ultimate CD/DVD auditing tool (meow)
At 11:45 AM 7/9/03 -0700, Mike Rosing wrote: On Wed, 9 Jul 2003, Major Variola (ret) wrote: Actually I thought humans are insensitive to phase relations, modulo inter-aural timing at low frequencies for spatial location. Perhaps that is what you meant? But spatial location isn't the same as the frequency-fetishing audiophiles go for. To do that well you need casts of the outer ear too. No, if you put 2 clicks out that are 10 usec's apart on right and left, most people can pick out which side came first. 90% of the time anyway. Yes this is for localization ---clicks are broadband, you need to identify which freq components are used. I still think humans can't discriminate the phase of a tone. In fact, MP3s use this to cut bits. You doing owl-type studies on auditory localization? Audio-visual mapping and plasticity? Making the cats wear funky glasses? Yup. they sew coils into their eyes. For humans they use contacts :-) PETA is definitly a problem :-) Gaak. I was thinking prism-glasses maybe bolted on that translate the vis field. Its ok for undergrads so its ok for cats. After the experiments, the cats will be ok, as I assume they're sufficiently plastic, unless you do brain staining on them. :-(Or your policy is the Tim McVeigh treatment. Cool stuff, though my domestic feline wants to know where you live. PS: have you identified the can opener sound brain-center yet? Cats manage biometrics and reputation better than most human systems..
Re: Idea: The ultimate CD/DVD auditing tool (meow)
On Wed, 9 Jul 2003, Major Variola (ret) wrote: Yes this is for localization ---clicks are broadband, you need to identify which freq components are used. I still think humans can't discriminate the phase of a tone. In fact, MP3s use this to cut bits. They can tell relative phase, but it takes a lot of training. After the experiments, the cats will be ok, as I assume they're sufficiently plastic, unless you do brain staining on them. :-(Or your policy is the Tim McVeigh treatment. both. They spend a year training the cats, then a year or 2 collecting data, then brain stain, then vaporize. Each cat is worth about $1M when it's all done, and it's got a lot of skull missing while it's alive. But it's well protected with a lot of aluminum and epoxy :-) Cool stuff, though my domestic feline wants to know where you live. PS: have you identified the can opener sound brain-center yet? I think you better keep it far away! And no, they don't play with higher order systems. The low level stuff is hard enough!! Cats manage biometrics and reputation better than most human systems.. :-) Patience, persistence, truth, Dr. mike
Re: Idea: The ultimate CD/DVD auditing tool (meow)
Somebody wrote... Yes this is for localization ---clicks are broadband, you need to identify which freq components are used. I still think humans can't discriminate the phase of a tone. An interesting thing to try is to play with the phase button on many high-end gear. This supposedly matters for low frequencies, but despite my unarguably golden ears, I'm still not convinced I can hear the difference. My Thiel speakers, however, claim to be phase coherent, and that seems to be an entirely different matter. In other words, the different frequency components of a sound are transmitted in correct phase relationships (ie, true to the original sound), and the result is a (sometimes) astonishing level of spacial detail. Of course, non-audiophiles will poo-poo that claim, but even they will hear that the Thiels are far more accurate than the crap that's sold in Circuit City or whatever. So I figure I may as well believe Jim Thiel's claim that phase coherence is important in a speaker. -TD From: Mike Rosing [EMAIL PROTECTED] To: [EMAIL PROTECTED] [EMAIL PROTECTED] Subject: Re: Idea: The ultimate CD/DVD auditing tool (meow) Date: Wed, 9 Jul 2003 14:32:53 -0700 (PDT) On Wed, 9 Jul 2003, Major Variola (ret) wrote: Yes this is for localization ---clicks are broadband, you need to identify which freq components are used. I still think humans can't discriminate the phase of a tone. In fact, MP3s use this to cut bits. They can tell relative phase, but it takes a lot of training. After the experiments, the cats will be ok, as I assume they're sufficiently plastic, unless you do brain staining on them. :-(Or your policy is the Tim McVeigh treatment. both. They spend a year training the cats, then a year or 2 collecting data, then brain stain, then vaporize. Each cat is worth about $1M when it's all done, and it's got a lot of skull missing while it's alive. But it's well protected with a lot of aluminum and epoxy :-) Cool stuff, though my domestic feline wants to know where you live. PS: have you identified the can opener sound brain-center yet? I think you better keep it far away! And no, they don't play with higher order systems. The low level stuff is hard enough!! Cats manage biometrics and reputation better than most human systems.. :-) Patience, persistence, truth, Dr. mike _ Help STOP SPAM with the new MSN 8 and get 2 months FREE* http://join.msn.com/?page=features/junkmail
Re: Idea: The ultimate CD/DVD auditing tool
At 08:45 AM 7/7/03 -0700, alan wrote: But the real issue is that all of these DRM methods rely on security by obscurity. Such methods eventually fail. Either the actual method is discovered and published or the DRM method fails in the marketplace and is never heard from again. Hilary R and Jack V are *far* more fucked than mere security-by-obscurity. Any human-consumable (analogue) input is readily recordable with a single, one-time ADC, and thereafter is toast. DRM is a fraud perpetrated by engineers on Hollywood suits. Good for employment though.
Re: Idea: The ultimate CD/DVD auditing tool
Nobody wrote... There is a loss of quality if you go through an analog stage. Real and wannabe audiophiles will prefer the real thing, pure and undiluted by a reconversion phase. These are the people who are already swallowing the marketing line that the CD bandwidth limit of 22KHz is too low for good fidelity, despite being higher than they can hear. I'm in that category. And as someone who basically grew up in Carnegie Hall and the Metropolitan Opera, I trust my ears (I saw the opera Wozzeck twice by the time I was 17). There are engineering reasons for this that I'm willing to discuss, though the discussion will be tedious for engineers, and impossible to understand for non-engineers. Far easier will be for you to go and listen to a CD player that can upsample standard CD to 24bits/196kHz. The difference is not by any means subtle. As an audiophile (Krell+Levinson+Thiel gear at home), I definitely don't want to grab an analog signal. Doing that the signal is sure to retain characteristics of the extracting gear. But the vast majority of P2P kids won't care one iota that their file was analog for half a second. -TD From: Nomen Nescio [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Re: Idea: The ultimate CD/DVD auditing tool Date: Tue, 8 Jul 2003 08:40:01 +0200 (CEST) Major Variola writes: Any human-consumable (analogue) input is readily recordable with a single, one-time ADC, and thereafter is toast. DRM is a fraud perpetrated by engineers on Hollywood suits. Good for employment though. There is a loss of quality if you go through an analog stage. Real and wannabe audiophiles will prefer the real thing, pure and undiluted by a reconversion phase. These are the people who are already swallowing the marketing line that the CD bandwidth limit of 22KHz is too low for good fidelity, despite being higher than they can hear. Consider how much more wine from Champagne is worth than that from a village just outside of the appelation limits. People want to feel that they are getting the authentic goods, and they'll pay for them. That's what the RIAA is counting on. _ Add photos to your e-mail with MSN 8. Get 2 months FREE*. http://join.msn.com/?page=features/featuredemail
RE: Idea: The ultimate CD/DVD auditing tool
Tyler Durden[SMTP:[EMAIL PROTECTED] wrote: Nobody wrote... There is a loss of quality if you go through an analog stage. Real and wannabe audiophiles will prefer the real thing, pure and undiluted by a reconversion phase. These are the people who are already swallowing the marketing line that the CD bandwidth limit of 22KHz is too low for good fidelity, despite being higher than they can hear. I'm in that category. And as someone who basically grew up in Carnegie Hall and the Metropolitan Opera, I trust my ears (I saw the opera Wozzeck twice by the time I was 17). There are engineering reasons for this that I'm willing to discuss, though the discussion will be tedious for engineers, and impossible to understand for non-engineers. Far easier will be for you to go and listen to a CD player that can upsample standard CD to 24bits/196kHz. The difference is not by any means subtle. As an audiophile (Krell+Levinson+Thiel gear at home), I definitely don't want to grab an analog signal. Doing that the signal is sure to retain characteristics of the extracting gear. But the vast majority of P2P kids won't care one iota that their file was analog for half a second. -TD I'll ditto that - my brother is an extremist audiophile - he writes reviews for the high-end stuff (google Mike Trei). Many (by no means all) top end audophiles prefer all-analog equipment, and direct-cut vinyl records (ie, the master disk was cut directly at the performance, without a magtape master). I've listened to some of this stuff, and it just blows digital away. The general attitude is that while low-end digital beats low-end analog, high-end analog beats high-end digital. Digital places a distinct floor on how bad the quality can be, but it also puts a ceiling on it. The data capacity of a vinyl groove is a lot higher than a CD pit-track, but you need very good equipment to use it. While the ear can't hear above 22KHz, signal above that *can* effect the perceived sound, by heterodyne effects. For example, if you play a single tone of 28KHz, or a single tone of 30 KHz, you can't hear them. Play them together, however, and you *can* hear a beat frequency of 2KHz. Peter Trei
RE: Idea: The ultimate CD/DVD auditing tool
As an audiophile (Krell+Levinson+Thiel gear at home), I definitely don't want to grab an analog signal. Doing that the signal is sure to retain characteristics of the extracting gear. But the vast majority of P2P kids won't care one iota that their file was analog for half a second. -TD I'll ditto that - my brother is an extremist audiophile - he writes reviews for the high-end stuff (google Mike Trei). Many (by no means all) top end audophiles prefer all-analog equipment, and direct-cut vinyl records (ie, the master disk was cut directly at the performance, without a magtape master). I've listened to some of this stuff, and it just blows digital away. What else do you expect, when any audiophile who denies that inaudible frequencies make the music warmer proves himself to be a philistine with ears of tin? Remember, it was the fashion and clothing EXPERTS who were the most insistent that the emperor's new clothes were absolutely marvelous.
Re: Idea: The ultimate CD/DVD auditing tool
On Tue, 8 Jul 2003, stuart wrote: Now, when DRM gets into windows, I'm sure Virtual Audio Cable will stop working, RealAudio will stop making linux clients (why bother?), RIAA will (try to) make CDs that can only be played with windows clients, etc. Then someone will crack the formats of the audio streams and the CDs, and round and round she goes, where she stops, nobody knows. As things are now, it's easy to get the digital signal before it reaches the DAC, you don't need to go to DAC - ADC, you don't need to plug your line-out to your line-in and degrade your signal. If the RIAA get their content to only work on Windows-type boxes, and if MS gets DRM to work in their Windows, things will become much more difficult. But these are big ifs that can quite possibly be circumvented even if they do come to fruition. There's always high-end sound cards that don't even use analog. DRM is not going to stop file sharing. They're trying to catch smoke with nets. Yup, check out this dvd unit: http://www.220-electronics.com/dvd/daewoo5800.htm where it says: Custom modification with code free automatic and manual selection of regions and macrovision disabled. Excellent quality dvd player with all the features. and Price just reduced by over $100. Was 249.00 Now only $129.00 The Daewoo 5800 custom modification has been designed to make life a lot less complicated. It has superb Audio and video components outperforming major brands such as Sony, Panasonic and Pioneer. So it won't be long before bypass systems will be commercially available. At least in some parts of the _free_ world. Patience, persistence, truth, Dr. mike
Re: Idea: The ultimate CD/DVD auditing tool
On Tuesday, July 8, 2003, at 10:40 AM, Peter Fairbrother wrote: A curiosity, only tenuously related - I just came across a Feb 1994 copy of Elector magazine, with plans for a S/PDIF copybit eliminator (for SCMS). Seems people have been defeating copy protection for a while.. I've owned an Audio Alchemy SCMS-stripper since 1991, when I bought my first DAT machine. It cost about $99, was about the size of a deck of cards, and stripped the SCMS bits out of the digital bitstream. A later DAT machine I bought, a Tascam portable pro deck, has the SCMS stripped by default. (It takes in digital signals and writes to the DAT with the SCMS code set to unlimited number of digital copies allowed.) Likewise, a professional CD writer I own (HHB) bypasses SCMS. (Not just allowing a digital copy to be made, but making the resulting CD-R copyable freely.) A friend of mine bought his DVD player on EBay: it bypasses all region coding (i.e., it makes all DVDs region-free). Region coding is a different issue, but part of the DRM universe. Until George W. Bush and the Carlyle Group start putting money into these things and thus discover that SCMS strippers are terrorist tools, such tools will likely continue to be available. Use a logic analyzer, go to jail. --Tim May He who fights with monsters might take care lest he thereby become a monster. And if you gaze for long into an abyss, the abyss gazes also into you. -- Nietzsche
Re: idea: brinworld meets the credit card
On Tue, Jul 08, 2003 at 12:16:36PM -0700, Major Variola (ret) wrote: Authentication is Something you have / know / are. [..] A picture glued into the card could be forged, but a smartcard (with more data area than a magstripe) could include a picture of the account holder, so a thief has no idea what to look like. But the vendor can check the encrypted smartcard face to the face on the phone or webcam. For high-value remote transactions, where you pay someone to check faces, this might be viable in a few years. In a few years after that, machines might be able to check faces more cheaply, as reliably. The live face-check with embedded digital photos is already standard practice on high-security building-entry cards (and passports?), with the guard comparing the card-embedded face to the one before him. Ubiquitous cameras will bring that face-check to remote transactions, reducing cost due to lower fraud. Thoughts? How does it allow the merchant to view the picture while preventing the thief from doing so? Saying it's encrypted is, at best, sweeping a very large problem under a small rug. Who holds the key? How does the card or the user authenticate a real merchant vs. a thief posing as a merchant? Those are the hard problems. No one in biometrics has yet been able to solve them in a general way. Eric
Re: Idea: The ultimate CD/DVD auditing tool
Tyler Durden leaves the fight club and writes: Do you have a reference? I don't remember reading that SACD was encrypted. What I DO remember is that the reason there's no standard SACD or DVD-A digital interface is because the Industry wants that digital interface to be encrypted. The detailed technical specs are apparently secret, but an overview of the multi-layered SACD copy protection is at http://www.sacd.philips.com/b2b/downloads/content_protection.pdf. If you don't like PDFs, most of the same information is at http://www.disctronics.co.uk/technology/dvdaudio/dvdaud_sacd.htm. Alan Clueless writes: Furthermore, people have come to expect that they should be able to play whatever disc shaped media in their computer. At some point there will need to be a software based player. Both of the documents above specifically deny that software based players will be allowed. I get the impression that the decryption will always be done in hardware, and if a PC is ever able to play one of these gadgets, it will be a Palladium system or something similar that can be locked down. Steve Shear writes: If you believe the article Myths and Misconceptions about Hardware Hacking, http://www.cptwg.org/Assets/Presentations/ARDG/ARDGHardware_hack05-28-03.pdf , recently posted to the Content Protection Technical Working Group, access to affordable commercial technology for reverse engineering has given hardware hackers the upper hand. That's mostly about how hardware hackers can use modern chips and custom PC boards without spending more than a few hundred dollars. Fine, but it's a long way from that to being able to pull an algorithm and/or device key out of a chip which has been designed to make that difficult.
Re: idea: brinworld meets the credit card
Those are the hard problems. No one in biometrics has yet been able to solve them in a general way. And the merchant example is the wrong application. The merchant doesn't care WHO you are - that's a false premise. Merchant cares if you can pay. Now, that's a completely solvable issue. Of course, we know who and why is trying to misrepresent this. All other applications of biometrics boil down to threatening with punishment (we know who you are, behave or else ...) - and then the biometrics ceases to be in the interest of the eyeball holder. Even granting door access to employees fits this category. You don't let any qualified mathematician willing to work to enter the lab - you let in only those that you know where they live, have signed contracts with them, etc. = end (of original message) Y-a*h*o-o (yes, they scan for this) spam follows: __ Do you Yahoo!? SBC Yahoo! DSL - Now only $29.95 per month! http://sbc.yahoo.com
Re: Idea: The ultimate CD/DVD auditing tool
On Tuesday, July 8, 2003, at 01:39 PM, Anonymous via the Cypherpunks Tonga Remailer wrote: As an audiophile (Krell+Levinson+Thiel gear at home), I definitely don't want to grab an analog signal. Doing that the signal is sure to retain characteristics of the extracting gear. But the vast majority of P2P kids won't care one iota that their file was analog for half a second. -TD I'll ditto that - my brother is an extremist audiophile - he writes reviews for the high-end stuff (google Mike Trei). Many (by no means all) top end audophiles prefer all-analog equipment, and direct-cut vinyl records (ie, the master disk was cut directly at the performance, without a magtape master). I've listened to some of this stuff, and it just blows digital away. What else do you expect, when any audiophile who denies that inaudible frequencies make the music warmer proves himself to be a philistine with ears of tin? Remember, it was the fashion and clothing EXPERTS who were the most insistent that the emperor's new clothes were absolutely marvelous. The harshness of a digital bitstream can be softened by operating LED clocks in the same room as the bitstream. The Tice Clock, for example, works by plugging in to any electrical socket in the room where the listener is located...of course, all that matters is that he _sees_ the Tice Clock plugged-in, and remembers that he paid $399 for this piece of wondrous technology, for the effect to work. That the bitstream as measured with a logic analyzer is unchanged with any of these digital enhancers is beside the point. Monster Cable, by the way, is doing a nice business selling Extra Special, Oxygen-Free Copper Shielded, Insulated with Rubber Hand-Rolled on the Thighs of Taiwanese Virgins cables for _USB_. Yep, for USB. Never mind that the bitstream either is there or it isn't...some people think they get superior data with special $80 cables. As for hearing heterodyning in 28 KHz and 30 KHz signals, maybe. CD players have brickwall filters to of course block such frequencies. Some analog groove-based systems can have some kind of signal up there at those frequencies, but not much. Very, very few microphones are rated at 22-25 KHz, so I have to wonder just where this signal is coming from. If not coming from actual musical instruments, and detected by the microphones, why bother? Sure, we may as well push the CD spec up to 24 KHz or so. That will probably even satisfy Neil Young. --Tim May
Re: Idea: The ultimate CD/DVD auditing tool
At 03:14 PM 7/8/03 -0700, Tim May wrote: As for hearing heterodyning in 28 KHz and 30 KHz signals, maybe. CD players have brickwall filters to of course block such frequencies. Some analog groove-based systems can have some kind of signal up there at those frequencies, but not much. Regular vinyl is (was) also recorded with all kinds of filters, too, including the lowpass ones. If you cut vinyl (or metal) through a signal chain that didn't impose the filtering, perhaps the ultrasonics would remain, which is perhaps the analogophiles claim. You would need a special vinyl cutter though. Some of the filtering imposed on vinyl was to not fry the cutter, or otherwise deal with its inertia. (BTW, I thought your Monster USB cable was a prank.. its not.. some folks just don't get digital..)
Re: Idea: The ultimate CD/DVD auditing tool
On Tuesday, July 8, 2003, at 04:09 PM, Major Variola (ret) wrote: At 03:14 PM 7/8/03 -0700, Tim May wrote: As for hearing heterodyning in 28 KHz and 30 KHz signals, maybe. CD players have brickwall filters to of course block such frequencies. Some analog groove-based systems can have some kind of signal up there at those frequencies, but not much. Regular vinyl is (was) also recorded with all kinds of filters, too, including the lowpass ones. If you cut vinyl (or metal) through a signal chain that didn't impose the filtering, perhaps the ultrasonics would remain, which is perhaps the analogophiles claim. You would need a special vinyl cutter though. Some of the filtering imposed on vinyl was to not fry the cutter, or otherwise deal with its inertia. (BTW, I thought your Monster USB cable was a prank.. its not.. some folks just don't get digital..) Yes, they are real. I perhaps should have inserted a this is not a joke, but I didn't think to. When I was the judge in the First Internet Witch Trial, one of the examples I used was how believing something doesn't make it so, despite what the believers think (though the psychological effects may be real). An example being some audiophile nonsense, such as the Tice Clock (which is/was also real...some people bought the snake oil about how an LED clock plugged in could soften the harshness of digital. With the Tice Clock, with the Monster USB cables, one can examine the effects on bit error rates, and even look at timing jitter (a claim some manufacturers of snake oil make). For any of us with a remotely scientific bent, seeing that the bitstream is unchanged, that the bit error rate is unchanged, is pretty convincing evidence that no matter what we _think_ we hear, especially in non-double blind listening tests, there simply _is_ no difference. And yet there are people who claim to hear differences between 5 dollar digital cables and thousand dollar digital cables, even when the bitstreams are identical. (And even if they are not, they are within the capture window of the next digital gadget, and hence are for all intents and purposes absolutely identical.) One might as well sell Monster Cable Power Cords for PCs, claiming they make the Pentium 4 perform more accurately. Actually, I'll bet the tweaks are already buying special power cords for their Athlon 2200+ homebrews. Most so-called high end tube amps do in fact sound different, perhaps better, perhaps not. This is of course because tubes are usually rich in odd-order harmonics. That $4000 Krell tube amp is actually _coloring_ the sound. So much for 20-bit DACs in the signal source: the amp is altering the sound at about the 6th or 8th or whatever most significant bit. Bob Carver and a few others have emulated the tube sound so well with DSPs that double-blind tests using audiophiles cannot tell the difference, and where the waveforms look identical.
Re: Idea: The ultimate CD/DVD auditing tool
okay I'm a bit pissed now. actually i'm raging pissed! Wh!!! the nyquist/lindquist/someone-else-who-was-pissed sampling theorems are based on the possibility of mathematically extracting frequencies from digital information in a STEADY_STATE situation. That doesn't mean that a speaker will properly reproduce those frequencies. Consider the dynamics of energy transfer. A digital signal at near-1/2-sampling frequency will have two datum points. The transitiion between them will be dramatic! the possibilities of energy transfer will not be comparable to an analogue sinusoidal waveform. And that's why good analogue is better then good digital. Doug Self etc. did some work on ultra-fast analogue systems in the mid 90's, and designed some amps that were and are regarded as pretty good - but afaik he didn't get the theory right. YHHH!-- Peter Fairbrother
Re: Idea: The ultimate CD/DVD auditing tool
I wrote: the nyquist/lindquist/someone-else-who-was-pissed sampling theorems are based on the possibility of mathematically extracting frequencies from digital information in a STEADY_STATE situation. That doesn't mean that a speaker will properly reproduce those frequencies. Consider the dynamics of energy transfer. A digital signal at near-1/2-sampling frequency will have two datum points. The transitiion between them will be dramatic! the possibilities of energy transfer will not be comparable to an analogue sinusoidal waveform. and i missed a bit or two. Consider the entropic uncertainty of a signal that has two-and-a-bit datums, against a sine wave. Start from zero, and go to such a waveform. Is it a constant-amplitude sine wave at frequency z? or a decaying sine at a frequency (z-at)? There's more, and it's to do with the limits of fourier and sampling theory. Say you have a wave at a frequency of z that's sampled according to nyquist theory. can you distinguish it from a wave of a frequency z - delta z? It can be done, but it takes a while, and a good few samples to do it. And a good analogue system will do it quicker. someone (hopefully not me, i haven't the time just now) can probably apply wavelet theory and get all this from steady-state theory, and tie it up in a nice package. -- Peter Fairbrother
Re: Idea: The ultimate CD/DVD auditing tool
On Wed, 9 Jul 2003, Peter Fairbrother wrote: the nyquist/lindquist/someone-else-who-was-pissed sampling theorems are based on the possibility of mathematically extracting frequencies from digital information in a STEADY_STATE situation. That doesn't mean that a speaker will properly reproduce those frequencies. Nor does it mean the op amp driving the speakers will follow them either. High speed and power are a hard combination to build. Consider the dynamics of energy transfer. A digital signal at near-1/2-sampling frequency will have two datum points. The transitiion between them will be dramatic! the possibilities of energy transfer will not be comparable to an analogue sinusoidal waveform. And that's why good analogue is better then good digital. It's definitly why you need fast digital. To reproduce 20+ kHz you should use a 200kHz sample rate and have a nice filter stage before the power amp. good digital can do more things than good analog because the final output is good analog in both cases. The speaker driver is pure analog by definition. To produce 65kHz (for cats) my present boss prefers a 1 MHz sample rate. The guys who do bats think it's good enough for 200kHz, but my boss won't do bats - much too complex. We've got a 25 bit dac which updates at 1 MHz, but we still need a nice filter and analog output stage for 120 dB clean signals. (I'm only getting 100 dB because it costs too much to really do the best possible.) Clearly a digital system can be built that can create any wave form a speaker can follow, and it's easier to control than an analog system. The human hearing system is capable of noticing phase relations at 100kHz rates. So any sample rate faster than 200kHz is outside the range of human detection. Cats can notice phase shifts in the 200kHz range, and bats are out in the 400kHz range. Biological systems *are* impressive. But digital vs analog is a silly argument, the final stage is analog. Patience, persistence, truth, Dr. mike
Re: Idea: The ultimate CD/DVD auditing tool
At 02:33 AM 7/7/03 +0300, Sampo Syreeni wrote: On 2003-07-06, Major Variola (ret) uttered to [EMAIL PROTECTED]: There's a good reason why, viz: it would cost the drive developer to allow or export this flexibility. I'd guess either because of a) terminal stupidity or b) benefits to scale in making it sure people go with compatibility. As there probably have to be some limits to how stupid engineers capable of making things like writable CD's can be, I'd have to go with the second alternative. Frankly its obvious you haven't worked (or thought about the constraints) on a commercial product with a deadline / resource constraints or worked on something extremely cost sensitive like commodity drives/chipsets. Here, ponder this: why are there no oxygen sensor or manifold temperature or ignition-phase (etc) displays in ordinary cars? (Although there probably are in custom race cars) You know (much like the analog CD signal) they're being measured and used by the ECU. So, why not? Chew on that one for a while, grasshopper. Economics is applied physics.
Re: Idea: The ultimate CD/DVD auditing tool
Do you have a reference? I don't remember reading that SACD was encrypted. What I DO remember is that the reason there's no standard SACD or DVD-A digital interface is because the Industry wants that digital interface to be encrypted. -TD From: Nomen Nescio [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Re: Idea: The ultimate CD/DVD auditing tool Date: Mon, 7 Jul 2003 07:30:05 +0200 (CEST) Thomas Shaddup writes: As a welcomed side effect, not only we'd get a device for circumvention of just about any contemporary (and possibly a good deal of the future ones) optical media protections This is only for the minimal forms of protection which are designed to work with existing CD/DVD players. If you look at the new audio formats like SACD, they use encrypted data. All your lasers won't do you any good unless you can pry a key (and the algorithm!) out of a consumer player, which won't be easy assuming it is in a tamper-resistant unit. And you can bet the industry won't make the mistake again of allowing software-based players, as they did with the DeCSS affair. In short, you're fighting yesterday's war. Try looking ahead a bit to see where the battlegrounds of the future will be contested. _ Help STOP SPAM with the new MSN 8 and get 2 months FREE* http://join.msn.com/?page=features/junkmail
Re: Idea: The ultimate CD/DVD auditing tool
At 07:30 2003-07-07 +0200, Nomen Nescio wrote: This is only for the minimal forms of protection which are designed to work with existing CD/DVD players. If you look at the new audio formats like SACD, they use encrypted data. All your lasers won't do you any good unless you can pry a key (and the algorithm!) out of a consumer player, which won't be easy assuming it is in a tamper-resistant unit. If you believe the article Myths and Misconceptions about Hardware Hacking, http://www.cptwg.org/Assets/Presentations/ARDG/ARDGHardware_hack05-28-03.pdf , recently posted to the Content Protection Technical Working Group, access to affordable commercial technology for reverse engineering has given hardware hackers the upper hand. steve There is no protection or safety in anticipatory servility. Craig Spencer
Re: Idea: The ultimate CD/DVD auditing tool
At 03:08 PM 7/6/03 +0300, Sampo Syreeni wrote: . A writing drive capable of working at such a low level could be used to experiment with new encodings beyond what standard CD's can do -- say, substituting CIRC with RSBC and gaining some extra room on the disc, getting rid of the subchannels, a more intelligent coding of disc addresses... Breaking compatibility wouldn't be too useful, but it sure would be fun. And think of the ulcers you would cause the TLAs! Assuming they got your disks and not your custom drive... Now you simply can't do it. There's a good reason why, viz: it would cost the drive developer to allow or export this flexibility. Since very few customers are sick enough :-) to want to invent their own incompatible formats it simply isn't worth their development-engineering time or end-product resources (eg gates) in such a commodity product.
Re: Idea: The ultimate CD/DVD auditing tool
As a basic idea it seems relatively workable. However, there's one detail that perhaps you might want to know about: We can push the idea a step further, making a stripped-down CD/DVD drive that would be able basically just to follow the spiral track with its head in constant linear velocity Unlike a vinyl record, the CD grooves don't form a spiral...they are concentric circles. Also, the beginning of the CD is towards the center, the end towards the edge. -TD From: Thomas Shaddack [EMAIL PROTECTED] To: cypherpunks [EMAIL PROTECTED] Subject: Idea: The ultimate CD/DVD auditing tool Date: Sun, 6 Jul 2003 04:13:32 +0200 (CEST) Pondering. Vast majority of the CD/DVD protection methods is based on various deviations from the standards, or more accurately, how such deviations are (or aren't) handled by the drive firmware. However, we can sidestep the firmware. The drive contains the moving part with the head assembly. There is an important output signal there: the raw analog signal bounced from the disk and amplified. We can tap it and connect it to a highspeed digital oscilloscope card. And sample obscene amount of data from it. In comparison with fast-enough ADCs, disk space is cheap. The problem can be in bandwidth, but for the drive speed set up to possible minimum (or for normal players) the contemporary machines should be sufficient. Real-time operating system (maybe RTOS-Linux) may be necessary. We get the record of the signal captured from the drive's head - raw, with everything - dirt, drop-outs, sector headers, ECC bits. The low-level format is fairly well documented; now we have to postprocess the signal. Conversion from analog to digital data and then from the CD representation to 8-bit-per-byte should be fairly straightforward (at least for someone skilled with digital signal processing). Now we can identify the individual sectors on the disc and extract them to a disc image file that we can handle later by normal means. We can push the idea a step further, making a stripped-down CD/DVD drive that would be able basically just to follow the spiral track with its head in constant linear velocity (easier to analyze than CAV) mode, with the ability to control the speed in accordance with how fast (and expensive) ADC, bus, and disks we have, and the possibility to interrupt/resume scanning anytimes in accordance with how much disk space we have (or to scan just a small area of the disc). As a welcomed side effect, not only we'd get a device for circumvention of just about any contemporary (and possibly a good deal of the future ones) optical media protections, but we would also get a powerful tool for retrieving data from even very grossly damaged discs, for audit of behavior of CD/DVD writers and CD vendors (eg, if they don't attempt to sneak in something like a hidden serial number of the writer), and for access to all areas of the discs - including the eventual ones unreachable through the drive's own firmware. If we'd fill this idea with water, would it leak? Where? Why? _ Help STOP SPAM with the new MSN 8 and get 2 months FREE* http://join.msn.com/?page=features/junkmail
Re: Idea: The ultimate CD/DVD auditing tool
There's a good reason why, viz: it would cost the drive developer to allow or export this flexibility. Since very few customers are sick enough This will go the same way as radio. First, you have hundreds of separate boxes, each doing some custom modulation/frequency gig (am, fm, shortwave, TV, cell, spread spectrum, whatever) and you had to have a separate apparatus for each instance. With software radio, you just have one box that can do it all (and it made all protection-by-custom-modulation obsolete ... I've seen it playing protected HDTV signals.) So it's easy to imagine universal software disc player/recorder that let's one do any modulation technique. Not that it would provide protection, because the same tools will be available to attackers, but at least the crypto may become more fun, going back to physical domain. = end (of original message) Y-a*h*o-o (yes, they scan for this) spam follows: __ Do you Yahoo!? SBC Yahoo! DSL - Now only $29.95 per month! http://sbc.yahoo.com
Idea: The ultimate CD/DVD auditing tool
Pondering. Vast majority of the CD/DVD protection methods is based on various deviations from the standards, or more accurately, how such deviations are (or aren't) handled by the drive firmware. However, we can sidestep the firmware. The drive contains the moving part with the head assembly. There is an important output signal there: the raw analog signal bounced from the disk and amplified. We can tap it and connect it to a highspeed digital oscilloscope card. And sample obscene amount of data from it. In comparison with fast-enough ADCs, disk space is cheap. The problem can be in bandwidth, but for the drive speed set up to possible minimum (or for normal players) the contemporary machines should be sufficient. Real-time operating system (maybe RTOS-Linux) may be necessary. We get the record of the signal captured from the drive's head - raw, with everything - dirt, drop-outs, sector headers, ECC bits. The low-level format is fairly well documented; now we have to postprocess the signal. Conversion from analog to digital data and then from the CD representation to 8-bit-per-byte should be fairly straightforward (at least for someone skilled with digital signal processing). Now we can identify the individual sectors on the disc and extract them to a disc image file that we can handle later by normal means. We can push the idea a step further, making a stripped-down CD/DVD drive that would be able basically just to follow the spiral track with its head in constant linear velocity (easier to analyze than CAV) mode, with the ability to control the speed in accordance with how fast (and expensive) ADC, bus, and disks we have, and the possibility to interrupt/resume scanning anytimes in accordance with how much disk space we have (or to scan just a small area of the disc). As a welcomed side effect, not only we'd get a device for circumvention of just about any contemporary (and possibly a good deal of the future ones) optical media protections, but we would also get a powerful tool for retrieving data from even very grossly damaged discs, for audit of behavior of CD/DVD writers and CD vendors (eg, if they don't attempt to sneak in something like a hidden serial number of the writer), and for access to all areas of the discs - including the eventual ones unreachable through the drive's own firmware. If we'd fill this idea with water, would it leak? Where? Why?
Re: Idea: The ultimate CD/DVD auditing tool
On Saturday, July 5, 2003, at 07:13 PM, Thomas Shaddack wrote: Pondering. Vast majority of the CD/DVD protection methods is based on various deviations from the standards, or more accurately, how such deviations are (or aren't) handled by the drive firmware. However, we can sidestep the firmware. The drive contains the moving part with the head assembly. There is an important output signal there: the raw analog signal bounced from the disk and amplified. We can tap it and connect it to a highspeed digital oscilloscope card. And sample obscene amount of data from it. In comparison with fast-enough ADCs, disk space is cheap. The problem can be in bandwidth, but for the drive speed set up to possible minimum (or for normal players) the contemporary machines should be sufficient. Real-time operating system (maybe RTOS-Linux) may be necessary. No RTOS/Linux is needed for fast sampling, which has been happening for several decades now. Nor is a digital oscilloscope needed. (FWIW, I used a Nicolet digital oscilloscope, and also a LeCroy CAMAC digitizer, for some high-speed single-shot event capture--the strike of an alpha particle--nearly 25 years ago. The OS for our data collection computers were, variously, RSX-11M and VMS.) Video ADC cards are already vastly capable at sampling video streams. We get the record of the signal captured from the drive's head - raw, with everything - dirt, drop-outs, sector headers, ECC bits. The low-level format is fairly well documented; now we have to postprocess the signal. Conversion from analog to digital data and then from the CD representation to 8-bit-per-byte should be fairly straightforward (at least for someone skilled with digital signal processing). Now we can identify the individual sectors on the disc and extract them to a disc image file that we can handle later by normal means. So? Yes, this is all possible. Any moderately well-equipped lab can do this. So? If we'd fill this idea with water, would it leak? Where? Why? I have no idea what you mean by fill this idea with water, but by all means go ahead and rig up such a machine. Personally, I already make about 1-2 recordable DVDs per day, on average, without any hint of copy protection or Macrovision. I usually use the 3-hour speed on my DVD recorder, and can put one high-quality movie on the first part and then, by using a slightly slower speed, another movie on the remaining part. If DVD quality is needed, I record at the 2-hour setting. If better than DVD quality is needed, as from a DV camcorder source, I record at the 1-hour speed. If you build a machine which has even higher digitization rates, taken ahead of any DVD spec circuitry, you will get about what I am getting at the 1-hour setting. A very limited market for consumers to buy such machines. Video pirate labs very probably already have such rigs set up. --Tim May Extremism in the pursuit of liberty is no vice.--Barry Goldwater
Re: Idea: The ultimate CD/DVD auditing tool
At 04:13 AM 7/6/03 +0200, Thomas Shaddack wrote: Pondering. Vast majority of the CD/DVD protection methods is based on various deviations from the standards, or more accurately, how such deviations are (or aren't) handled by the drive firmware. However, we can sidestep the firmware. The drive contains the moving part with the head assembly. There is an important output signal there: the raw analog signal bounced from the disk and amplified. We can tap it and connect it to a highspeed digital oscilloscope card. This is a valid idea. You do have to get in there with delicate probes to read the amplified analog signal, its not available past the drive. The people who already do this are called test engineers for CD drive companies. Or the data-recovery techs for the NSA et al. I doubt that hardcore pirates bother, they may as well just do a single high quality ADC. That, as has been mentioned here before, is always the fatal flaw, even if you put the DAC in your DRM chip (and solve the resulting noise issues..) Yes, we know they have logic analyzers in Hong Kong --a Sony engineer when confronted with weaknesses in the design of a DRM box
Re: IDEA
* Peter Palfrader [EMAIL PROTECTED] [2003-03-22 16:08]: On Sat, 22 Mar 2003, Eric Murray wrote: I think that line means that mixmaster's install script isn't properly identifying the version of Openssl. If it were me, I'd fix the Mixmaster install script. The install script needs to die. I think nobody argues that point. Now that I've worked with this install script for a bit, I have to agree. This script is driving me nuts. There are all these little loops, and then an all encompasing loop that I can't find. I'm about done with it. Someone mentioned a beta version 3.0 that doesn't use the install script. Where can I obtain this version?
Idea: Snort/Tripwire for RF spectrum?
Messing around TSCM.com, musing over detection of bugs. Getting an immediate idea I'd like to get peer-reviewed. There is a problem with bug sweeps in some countries. The legal TCSM providers can be legally required to not inform the client about a police-authorized bug, and/or legally forbidden to tamper with it. So a customer-operated solution should exist. GNU-Radio project seems to me to be flexible enough to be suitable as a bug detector. With proper tuner (or a selectable set of tuners to be wideband enough), the device could act as a 24/7-running frequency analyzer, checking the electromagnetic spectrum, alerting the operators about suspicious changes - suddenly appearing signals, suspicious pulses, something that looks like a spread-spectrum transmission. (Because of the equipment limitations, we can't see all the spectrum at once; this approach is more similar to a guardian walking around the facility, listening and looking wherever he is at the moment, eventually returning a bit and looking closer if he hears a suspicious sound. Will have some probability of missing pulse-nature signals, if they will be off during the scan in their part of the spectrum, but will have chance proportional to their duty cycle to see them too, and with proper software it could be instructed to check the frequencies where a signal once is and once isn't for pulsed signals (listening on the suspected frequencies for longer time).) With proper software, the system could write alert reports including characteristics of the suspicious signals, or even recorded samples of the signals for further evaluation. Could serve as a 24/7 TCSM spectrum sweep, limited by the positions of the antennas. (Though there could be several antennas, switched periodically, in order to detect even more directional signals.) The advantage of 24/7 approach is easy time correlation of a suspicious signal with eventual suspicious physical events (a visitor, a facility without anyone present...). Usage of several antennas could allow triangulation of the signal source within (or outside of) the supervised facility. Correlation of signals that should be the same from several antennas could reveal even transmitters trying to hide in stronger nearby transmitters (so called snuggling). The interesting part will of course be the software, either automatically correlating present signals with past ones and sending reports of suspicions, or some advanced visualisation system showing the 3D (4D) data (time, frequency, intensity(, source antenna)). Could cover the cases of bugs implanted into protected objects during black-bag jobs or by the insiders, wireless microphones carried by hostile visitors, and even increased rate of communication on the related frequencies when a raid or a blackbag job is being prepared, if the adversary doesn't keep radio silence. Could deny the adversaries undetected usage of RF transmitters, at least in sane frequency ranges, significantly limiting their technological options. Could it work? Why not? If I would fill this idea with water, where it would leak? Do I watch way too many spy movies? Feel free to comment, feel free to forward anywhere where it could spur some interest or further comments. Shaddack, the Mad Scientist
do you have an idea?
Title: Untitled Document You have received this email because you have signed up at http://www.jackpot101.com or one of our affiliate sites. To unsubscribe please click here http://www.jackpot101.com and we will be glad to take you off of our mailing list. Remember to check the site daily to see if you have won !
Re: IDEA
On Sat, 22 Mar 2003, [EMAIL PROTECTED] wrote: IDEA is listed on the fourth line, so it seems IDEA was installed with OpenSSL, but MixMaster's install may be improperly detecting that IDEA is absent. It's when I run the Mixmaster install that I get the error: ... Looking for libz.a... Found at /usr/lib/libz.so. Found source directory zlib-1.1.4. Use the source if the pre-installed library causes compilation problems. Use source? [n] Looking for libpcre.a... Found source directory pcre-2.08. Looking for libcrypto.a... Found at /usr/local/ssl/lib/libcrypto.a. ./Install: [: 90701f: integer expression expected ./Install: [: 90701f: integer expression expected ./Install: [: 90701f: integer expression expected Looking for libncurses.a... Found at /lib/libncurses.so. ./Install: tmptst.c: Permission denied ^^^ gcc: tmptst.c: No such file or directory Do you have write permissions do the directory? Peter -- PGP signed and encrypted | .''`. ** Debian GNU/Linux ** messages preferred.| : :' : The universal | `. `' Operating System http://www.palfrader.org/ | `-http://www.debian.org/ pgp0.pgp Description: PGP signature
Re: IDEA
On Sat, Mar 22, 2003 at 09:40:50AM +, [EMAIL PROTECTED] wrote: IDEA is listed on the fourth line, so it seems IDEA was installed with OpenSSL, but MixMaster's install may be improperly detecting that IDEA is absent. It's when I run the Mixmaster install that I get the error: ... Looking for libz.a... Found at /usr/lib/libz.so. Found source directory zlib-1.1.4. Use the source if the pre-installed library causes compilation problems. Use source? [n] Looking for libpcre.a... Found source directory pcre-2.08. Looking for libcrypto.a... Found at /usr/local/ssl/lib/libcrypto.a. ./Install: [: 90701f: integer expression expected I think that line means that mixmaster's install script isn't properly identifying the version of Openssl. If it were me, I'd fix the Mixmaster install script. ./Install: tmptst.c: Permission denied gcc: tmptst.c: No such file or directory Yep, the install script needs help. BTW, if you will be posting Mixmaster messages to the cpunks list, could you fix it so it uses an informative Subject: line instead of Mixmaster Type III Message? Eric
Re: IDEA
On Sat, 22 Mar 2003, Eric Murray wrote: I think that line means that mixmaster's install script isn't properly identifying the version of Openssl. If it were me, I'd fix the Mixmaster install script. The install script needs to die. I think nobody argues that point. BTW, if you will be posting Mixmaster messages to the cpunks list, could you fix it so it uses an informative Subject: line instead of Mixmaster Type III Message? That's mixminion, not mixmaster. And mixminion is not operational at the moment - this will take at least a few more months. Whoever relies on it for anonymity cannot be serious. Peter -- PGP signed and encrypted | .''`. ** Debian GNU/Linux ** messages preferred.| : :' : The universal | `. `' Operating System http://www.palfrader.org/ | `-http://www.debian.org/ pgp0.pgp Description: PGP signature
Re: IDEA
On Sat, 22 Mar 2003, Eric Murray wrote: Looking for libcrypto.a... Found at /usr/local/ssl/lib/libcrypto.a. ./Install: [: 90701f: integer expression expected I think that line means that mixmaster's install script isn't properly identifying the version of Openssl. If it were me, I'd fix the Mixmaster install script. It's been a while since I really worked on the Install script -- Mixmaster 3.0 doesn't use it -- but this looks to be to be a bug that existed and was fixed sometime around a year ago. What version of Mixmaster are you using? Please use the release version -- 2.9.0. BTW, if you will be posting Mixmaster messages to the cpunks list, could you fix it so it uses an informative Subject: line instead of Mixmaster Type III Message? Those messages are from people testing the Mixminion software. Mixminion isn't ready for actual use yet. It is my understanding that the user has no control over the subject line in the current Mixminion system though -- the servers remove it. I think this will be changed before the final release. Mixmaster 4.0 (which will interoperate with Mixminion) will place no restrictions on user's Subject lines. --Len.
Re: IDEA
* Len Sassaman [EMAIL PROTECTED] [2003-03-22 18:52]: On Sat, 22 Mar 2003, Eric Murray wrote: It's been a while since I really worked on the Install script -- Mixmaster 3.0 doesn't use it -- but this looks to be to be a bug that existed and was fixed sometime around a year ago. What version of Mixmaster are you using? Please use the release version -- 2.9.0. I'm using version 2.9.0. I intentionally dodged the betas to get something stable going, but it seems there is still some bleeding edgeness to it. Maybe I'll troubleshoot the problem more, now that we've narrowed it down a bit. I certainly was to a point where I was going to give up, because I had no idea (get it? No IDEA) whether the problem was in OpenSSL or MixMaster. It seems people are sure this is the MixMaster Install script. Maybe I'll grab the absolute latest Install script, and compare it.
IDEA
I compiling the Mixmaster remailer, I get an error the OpenSSL was not compiled with IDEA support. However, OpenSSL was supposed to have compiled with IDEA out of the box, with only an option to disable it. What am I missing?
RE: IDEA
Mindfuq wrote: I compiling the Mixmaster remailer, I get an error the OpenSSL was not compiled with IDEA support. However, OpenSSL was supposed to have compiled with IDEA out of the box, with only an option to disable it. What am I missing? You in all likelihood fell victim to some misguided nonsense that seems to spread through the Open Source community at present. Some distributions have disabled IDEA and other patented algorithms to cleanse the code from non-free math to maintain the patent-purity of the software. Cypherpunks of course reject such nonsense, just as they rejected RSA DSI's and David Sternlight's claims that PGP must not be used because it supposedly infringed on some patents. Do a Google search for IDEA and the name of your OS or distribution to find out how to recompile with IDEA support enabled. --Lucky
Re: IDEA
* Lucky Green [EMAIL PROTECTED] [2003-03-22 09:13]: Do a Google search for IDEA and the name of your OS or distribution to find out how to recompile with IDEA support enabled. I might need my hand held on this one. I did an exhausting search before posting. Part if the problem is that 'idea' is an english word, which makes it difficult to search. It's a shame there aren't any good web search engines that allow Lexis/Nexis type of expressions. Anyway- I'm using a 3-year-old version of Mandrake. The OpenSSL documentation claims IDEA is enabled by default, and there are only switches for disabling it. To verify that IDEA is enabled in OpenSSL, I ran 'openssl ciphers': DHE-RSA-AES256-SHA: DHE-DSS-AES256-SHA: AES256-SHA: EDH-RSA-DES-CBC3-SHA: EDH-DSS-DES-CBC3-SHA: DES-CBC3-SHA: DES-CBC3-MD5: DHE-RSA-AES128-SHA: DHE-DSS-AES128-SHA: AES128-SHA: IDEA-CBC-SHA: IDEA-CBC-MD5: RC2-CBC-MD5: DHE-DSS-RC4-SHA: RC4-SHA: RC4-MD5: RC4-MD5: RC4-64-MD5: EXP1024-DHE-DSS-DES-CBC-SHA: EXP1024-DES-CBC-SHA: EXP1024-RC2-CBC-MD5: EDH-RSA-DES-CBC-SHA: EDH-DSS-DES-CBC-SHA: DES-CBC-SHA: DES-CBC-MD5: EXP1024-DHE-DSS-RC4-SHA: EXP1024-RC4-SHA: EXP1024-RC4-MD5: EXP-EDH-RSA-DES-CBC-SHA: EXP-EDH-DSS-DES-CBC-SHA: EXP-DES-CBC-SHA: EXP-RC2-CBC-MD5: EXP-RC2-CBC-MD5: EXP-RC4-MD5: EXP-RC4-MD5 IDEA is listed on the fourth line, so it seems IDEA was installed with OpenSSL, but MixMaster's install may be improperly detecting that IDEA is absent. It's when I run the Mixmaster install that I get the error: ... Looking for libz.a... Found at /usr/lib/libz.so. Found source directory zlib-1.1.4. Use the source if the pre-installed library causes compilation problems. Use source? [n] Looking for libpcre.a... Found source directory pcre-2.08. Looking for libcrypto.a... Found at /usr/local/ssl/lib/libcrypto.a. ./Install: [: 90701f: integer expression expected ./Install: [: 90701f: integer expression expected ./Install: [: 90701f: integer expression expected Looking for libncurses.a... Found at /lib/libncurses.so. ./Install: tmptst.c: Permission denied gcc: tmptst.c: No such file or directory WARNING: Your version of OpenSSL has been configured without IDEA support. If you continue, Mixmaster will be installed with reduced functionality. This means (among other things) that Mixmaster will not creade an RSA OpenPGP key (to avoid mail loss in the Type I system). You may want to re-install OpenSSL before proceeding. This will not concern you if you only plan to run a type II remailer or simply want a type II client. If anyone has any clues for me, please post them. Thanks!
Re: IDEA
On Sat, Mar 22, 2003 at 09:40:50AM +, [EMAIL PROTECTED] wrote: IDEA is listed on the fourth line, so it seems IDEA was installed with OpenSSL, but MixMaster's install may be improperly detecting that IDEA is absent. It's when I run the Mixmaster install that I get the error: ... Looking for libz.a... Found at /usr/lib/libz.so. Found source directory zlib-1.1.4. Use the source if the pre-installed library causes compilation problems. Use source? [n] Looking for libpcre.a... Found source directory pcre-2.08. Looking for libcrypto.a... Found at /usr/local/ssl/lib/libcrypto.a. ./Install: [: 90701f: integer expression expected I think that line means that mixmaster's install script isn't properly identifying the version of Openssl. If it were me, I'd fix the Mixmaster install script. ./Install: tmptst.c: Permission denied gcc: tmptst.c: No such file or directory Yep, the install script needs help. BTW, if you will be posting Mixmaster messages to the cpunks list, could you fix it so it uses an informative Subject: line instead of Mixmaster Type III Message? Eric
Re: IDEA
On Sat, 22 Mar 2003, Eric Murray wrote: I think that line means that mixmaster's install script isn't properly identifying the version of Openssl. If it were me, I'd fix the Mixmaster install script. The install script needs to die. I think nobody argues that point. BTW, if you will be posting Mixmaster messages to the cpunks list, could you fix it so it uses an informative Subject: line instead of Mixmaster Type III Message? That's mixminion, not mixmaster. And mixminion is not operational at the moment - this will take at least a few more months. Whoever relies on it for anonymity cannot be serious. Peter -- PGP signed and encrypted | .''`. ** Debian GNU/Linux ** messages preferred.| : :' : The universal | `. `' Operating System http://www.palfrader.org/ | `-http://www.debian.org/ pgp0.pgp Description: PGP signature
Re: IDEA
* Len Sassaman [EMAIL PROTECTED] [2003-03-22 18:52]: On Sat, 22 Mar 2003, Eric Murray wrote: It's been a while since I really worked on the Install script -- Mixmaster 3.0 doesn't use it -- but this looks to be to be a bug that existed and was fixed sometime around a year ago. What version of Mixmaster are you using? Please use the release version -- 2.9.0. I'm using version 2.9.0. I intentionally dodged the betas to get something stable going, but it seems there is still some bleeding edgeness to it. Maybe I'll troubleshoot the problem more, now that we've narrowed it down a bit. I certainly was to a point where I was going to give up, because I had no idea (get it? No IDEA) whether the problem was in OpenSSL or MixMaster. It seems people are sure this is the MixMaster Install script. Maybe I'll grab the absolute latest Install script, and compare it.
