Re: IP: SSL Certificate "Monopoly" Bears Financial Fruit

2002-07-11 Thread Greg Broiles

At 03:48 PM 7/10/2002 -0700, [EMAIL PROTECTED] wrote:
> --
>On 6 Jul 2002 at 9:33, R. A. Hettinga wrote:
> > Thawte has now announced a round of major price increases.  New
> > cert prices appear to have almost doubled, and renewals have
> > increased more than 50%.
>[...]
>Why is not someone else issuing certificates?

See  for 
recent data re SSL certificate market share; Geotrust, at 
, has 11% of the market, and appears (from their 
web pages; I haven't bought one) to be ready to issue SSL server certs 
without the torturous document review process which Verisign invented but 
Thawte managed to make simultaneously more intrusive and less relevant.


--
Greg Broiles -- [EMAIL PROTECTED] -- PGP 0x26E4488c or 0x94245961




RE: IP: SSL Certificate "Monopoly" Bears Financial Fruit

2002-07-11 Thread Lucky Green

Peter Gutmann wrote, quoting Matthias Bruestle:
> Both Netscape 6 and MSIE 5 contain ~100 built-in, 
> automatically-trusted CA certs.
> 
>  * Certs with 512-bit keys.
> 
>  * Certs with 40-year lifetimes.
>  
>  * Certs from organisations you've never heard of before 
> ("Honest Joe's Used
>Cars and Certificates").
>
>  * Certs from CAs with unmaintained/moribund websites 
> ("404.notfound.com").

One thing to keep in mind is that the name of the CA on the
pre-installed root cert in some cases will bean no relation to the
actual issuer of the cert. Just because the business of
some.trusted.ca.nil has gone under does not mean their root keys are out
of circulation.

"Trusted roots" have long been bought and sold on the secondary market
as any other commodity. For surprisingly low amounts, you too can own a
trusted root that comes pre-installed in >95% of all web browsers
deployed.

In fact, it is considerably more expensive for an aspiring public CA
provider to incur the costs of policies and procedures development,
equipment expenditures, auditing cost, etc. required to have a root
added to browsers nowadays than it is to just buy an existing trusted
CA's Chrysalis or nCipher HSM.

--Lucky




Tax consequences of becoming a US citizen

2002-07-11 Thread Nomen Nescio

--
Oh shit.  It really is the empire.

According to http://www.techvisas.com/taxation.htm
Taxation of Aliens who Have Departed - Anti-Expatriation
Rules.

Aliens who live in the U.S. as residents, irrespective of
visa status, face special anti-expatriation rules. Such
rules were formerly applied only to U.S. citizens who
cancelled their U.S. citizenship in order to be free of
U.S. gift and estate taxes. As a result, termination of
lawful permanent resident status after several years will
result in continuing liability of the foreigners gifts
and patrimony (assets) to U.S. probate and estate taxes
for 10 years after such termination




[linux-elitists] Casual Encryption (fwd)

2002-07-11 Thread Eugen Leitl

-- Forwarded message --
Date: Wed, 10 Jul 2002 15:11:59 -0700
From: Aaron T Porter <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: [linux-elitists] Casual Encryption


Just a quick plea for all the elitists to seriously consider
enabling SMTP-TLS on any and all mail servers they control. With the US
government in Ashcroft juggernaut mode for the forseable future, I fear
that the use of encryption will quickly become a red flag for further
observation. If we can reach a point where a sizable portion of SMTP
traffic is encrypted regardless of the content we can reduce any
implications of sending encrypted mail. Probably doesn't make your
standard Carnivore install too happy either.
On most mail systems, enabling TLS is incredibly easy (one line
config change on my Debian Sendmail box). It's a one-time fix that affects
even technologically challenged users. I've tacked some links below for
common MTA's.

Qmail http://www.esat.kuleuven.ac.be/~vermeule/qmail/tls.patch
Postfix http://www.aet.tu-cottbus.de/personen/jaenicke/pfixtls/
Exim http://www.exim.org/exim-html-3.20/doc/html/spec_38.html
Sendmail http://www.sendmail.org/~ca/email/starttls.html
___
linux-elitists 
http://zgp.org/mailman/listinfo/linux-elitists




Re: IP: SSL Certificate "Monopoly" Bears Financial Fruit

2002-07-11 Thread jamesd

--
On 6 Jul 2002 at 9:33, R. A. Hettinga wrote:
> Thawte has now announced a round of major price increases.  New
> cert prices appear to have almost doubled, and renewals have
> increased more than 50%. While Thawte proclaims this is their
> first price increase in five years, this comes at a time when we
> should be seeing *increased* competition and *lower* prices for
> such virtual products, not such price increases.  But of course,
> in an effective monopoly environment, it's your way or the
> highway, so this should have been entirely expected.

IE comes preloaded with about 34 root certificate authorities, and
it is easy for the end user to add more, to add more in batches.
Anyone can coerce open SSL to generate any certificates he
pleases, with some work.

Why is not someone else issuing certificates?

--digsig
 James A. Donald
 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
 FgD9xqiaNt/GIr99+cDvezUuY9K7pVf/sr8sYLtx
 2U+1rnhprPRzvE4aLRCq4ADtyF4DDrnAKjbwHgbFn




Microsoft's Second DRM Patent

2002-07-11 Thread John Young

Cryptome offers Microsoft's second patent on digital rights management, 
invented by the same three persons as the first, Paul England, 
John DeTreville and Butler Lampson:

  http://cryptome.org/ms-drm-os2.htm

This second patent was issued on December 7, 2001, a week before the 
first available here:

  http://cryptome.org/ms-drm-os.htm

John DeTreville wrote on July 8, 2002, that neither he nor Butler
Lampson were Palladium programmers, as distinguished from Paul England
who was cited by Steven Levy in Newsweek as a Palladium programmer.
John referred to another patent underlying Palladium.

Cryptome did a search of the US Patent Office archives for other 
patents by the three inventors and for those assigned to Microsoft from 
1996 to July 9, 2002. Only two patents for digtial rights management 
were listed, out of more than 2,000 Microsoft patents for the period:
the two referenced above on Cryptome.

Ross Anderson reported yesterday that MSNBC has pulled the Palladium 
article by Steven Levy, which is now here:

  http://cryptome.org/palladium-sl.htm

See Ross's updated FAQ on TCPA and Palladium: 

  http://www.cl.cam.ac.uk/users/rja14/tcpa-faq.html




Re: Tax consequences...

2002-07-11 Thread F. Marc de Piolenc

Nomen Nescio wrote:

> So what you are suggesting is that I might as well take out US
> citizenship, since the IRS behaves just as piratically and
> imperially to anyone who gets a job in the US?

Considering only taxes, I think that's correct. You do need to consider
other things, such as what happens to your citizenship in your native
country if you are naturalized in a foreign country. Some governments
don't care, while others will treat you as an alien when you return.

As for the IRS: Your green card status means you have put yourself
squarely in their sights. Giving up the green card apparently doesn't
get you immediately off the hook, as they will still try to tax you like
a citizen. I recommend getting advice from a good US tax ATTORNEY (not a
tax preparer, who is basically an IRS employee paid by you), without
disclosing your SSN or any other identifying numbers even to him. You
also need to find out about tax treaties between your native country and
the US.

So much for legalities (which the IRS tends to ignore anyway, when they
don't suit them). Tactically, you have probably already disclosed
certain things to the IRS, and have immovable and illiquid assets within
their reach that are identifiable with you. You have to weigh the
advantages of simply moving offshore and telling them to pound salt
against what they can grab when/if you do so. You may find you need a
period of preparation during which you make your assets less vulnerable
and/or less easy to trace to you.

Marc de Piolenc

-- 
Remember September 11, 2001 but don't forget July 4, 1776

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. - Benjamin Franklin





Re: Ross's TCPA paper

2002-07-11 Thread Jay Sulzberger

On Fri, 5 Jul 2002, AARG!Anonymous wrote:

< ... />

> Right, and you can boot untrusted OS's as well.  Recently there was
> discussion here of HP making a trusted form of Linux that would work with
> the TCPA hardware.  So you will have options in both the closed source and
> open source worlds to boot trusted OS's, or you can boot untrusted ones,
> like old versions of Windows.  The user will have more choice, not less.

< ... />

Nonsense.  Let us remember what Palladium is:

Palladium is a system designed to enable a few large corporations and
governments to run source secret, indeed, well-encrypted, code on home
user's machines in such a way that the home user cannot see, modify, or
control the running code.

The Orwellian, strictly Animal Farmish, claim runs: "Why it is all just
perfectly OK, because anyone can run source secret, well encrypted, code in
an uncontrolled manner on anyone's machine at will!  We are all equal, it
is just that some, that is, We the Englobulators, will in practice get to
run source secret, well-encrypted, code on hundreds of millions of users'
machines while you, you will never run such code on anybody else's machine
except at a hobbyists' fair, precisely to demonstrate we are all equal.".

There are other advantages to Palladium:

No free kernel will ever freely boot on a Palladium machine.

And there is more.   If Palladium is instituted:

Microsoft will support the most vicious interpretation of the DMCA and
press for passage of the SSSCA, in order that the first crack does not
prove to the world that Palladium cannot prevent all copyright
infringement.  Microsoft will be able to say "See, it is these
GNU/BSD/XFree/Sendmail/Apache/CLISP folk who are causing all this dreadful
copyright infringement.  Why owning a non-Palladium machine should be
declared, no, not illegal, we are not monsters after all, but probative
evidence that the owner is an infringer, and more, a general infringer and
a member of the Copyright Infringement Conspiracy.  Why some of them even
write such code as the well known, and in CIC circles, widely used, tool of
infringement called 'cp'.  Senator, I know you will be as shocked as I was
when I learned what 'cp' stands for.  It stands for 'copy'.  And I do not
mean safe Englobulator-Certified Fair Use Copying, such as is provided by
the Triple X Box, which, for a reasonable license fee, allows up to six
copy-protected copies to be made before settling of accounts and
re-certification of the Box over the net.  No, I mean, raw, completely
promiscuous copying of any file on the machine, as many times as the
infringer wishes.  Without record, without payment to the artist, without
restraint.  Senator, I prefer to call cp 'The Boston Strangler', because
that is exactly what it is.  And every single non-Palladium operating
system in the world comes with cp already loaded, loaded and running.".

oo--JS.




Re: IP: SSL Certificate "Monopoly" Bears Financial Fruit

2002-07-11 Thread Jay Sulzberger

On Wed, 10 Jul 2002 [EMAIL PROTECTED] wrote:

> --
> On 6 Jul 2002 at 9:33, R. A. Hettinga wrote:
> > Thawte has now announced a round of major price increases.  New
> > cert prices appear to have almost doubled, and renewals have
> > increased more than 50%. While Thawte proclaims this is their
> > first price increase in five years, this comes at a time when we
> > should be seeing *increased* competition and *lower* prices for
> > such virtual products, not such price increases.  But of course,
> > in an effective monopoly environment, it's your way or the
> > highway, so this should have been entirely expected.
>
> IE comes preloaded with about 34 root certificate authorities, and
> it is easy for the end user to add more, to add more in batches.
> Anyone can coerce open SSL to generate any certificates he
> pleases, with some work.
>
> Why is not someone else issuing certificates?
>
> --digsig
>  James A. Donald

Because the buyers of certificates have a different model of what they are
buying.  They neither know, nor can they care, because they do not know,
about the subtle "protocols" published over the last twenty-five years that
supposedly, if executed carefully, provide certain "guarantees".  No.  The
customers know that to get stuff they want, such as permission to put the
label "Your credit card information is secure.  We use Thawte Certificates,
Thawte, the Guarantor, your Rock of Assurance." on their PAY HERE NOW web
page, they must buy a certificate from Thawte, and not from Captain Gull
Enterprises, Division of Certificates.  The customer knows that crypto is
subtle, and only a well known large corporation can be trusted.  After all,
they have the resources, and the name, and if you do not use them, and
something goes wrong, well perhaps a canny lawyer might be able to show
that you were not using the industry standard, which might lose you the
case.

oo--JS.




vulnerability in Outlook PGP plugin

2002-07-11 Thread John S. Denker

http://www.eeye.com/html/Research/Advisories/AD20020710.html

This vulnerability can be exploited by the Outlook user simply
selecting a "malicious" email, the opening of an attachment is 
not required. 
...
[NAI] have released a patch for the latest versions of the PGP
Outlook plug-in to protect systems from this flaw. Users can 
download the patch from:

http://www.nai.com/naicommon/download/upgrade/patches/patch-pgphotfix.asp


=
By TED BRIDIS, Associated Press Writer

 WASHINGTON (AP) - The world's most popular software for scrambling
 sensitive e-mails suffers from a programming flaw that could allow
 hackers to attack a user's computer and, in some circumstances,
 unscramble messages.

 The software, called Pretty Good Privacy, or PGP, is the de facto
 standard for encrypting e-mails and is widely used by corporate and
 government offices, including some FBI ( news - web sites) agents and
 U.S. intelligence agencies. The scrambling technology is so powerful
 that until 1999 the federal government sought to restrict its sale
 out of fears that criminals, terrorists and foreign nations might use
 it.

 The new vulnerability, discovered weeks ago by researchers at eEye
 Digital Security Inc., does not exploit any weakness in the complex
 encrypting formulas used to scramble messages into
 gibberish. Instead, hackers are able to attack a programming flaw in
 an important piece of companion software, called a plug-in, that
 helps users of Microsoft Corp.'s Outlook e-mail program encrypt
 messages with a few mouse clicks.

 Outlook itself has emerged as the world's standard for e-mail
 software, with tens of millions of users inside many of the world's
 largest corporations and government offices. Smaller numbers use the
 Outlook plug-in to scramble their most sensitive messages so that
 only the recipient can read them.

 "It's not the number of people using PGP but the fact that they're
 using it because they're trying to safeguard their data," said Marc
 Maiffret, the eEye executive and researcher who discovered the
 problem. "Whatever the percentage is, it's very important data."

 Maiffret said there was no evidence anyone had successfully attacked
 users of the encryption software with this technique. He said the
 programming flaw was "not totally obvious," even to trained
 researchers examining the software blueprints.

 Network Associates Inc. of Santa Clara, Calif., which until February
 distributed both commercial and free versions of PGP, made available
 on its Web site a free download to fix the software. The company
 announced earlier it was suspending new sales of the software, which
 hasn't been profitable, but moved within weeks to repair the problem
 in existing versions. The company's shares fell 50 cents to $17.70 in
 Tuesday trading on the New York Stock Exchange ( news - web sites).

 Free versions of PGP are widely available on the World Wide Web.

 The flaw allows a hacker to send a specially coded e-mail - which
would appear as a blank message followed by an error warning - and
effectively seize control of the victim's computer. The hacker could
then install spy software to record keystrokes, steal financial
records or copy a person's secret unlocking keys to unscramble their
sensitive e-mails. Other protective technology, such as corporate
firewalls, could make this more difficult.

 "You can do whatever you want - execute code, read e-mails, install a
 backdoor, steal their keys. You could intercept all that stuff,"
 Maiffret said.

 Experts said the convenience of the plug-ins for popular e-mail
 programs broadened the risk from this latest threat, since encryption
 software is famously cumbersome to use without them. Even the creator
 of PGP, Philip Zimmermann, relies on such a plug-in, although
 Zimmermann uses one that works with Eudora e-mail software and does
 not suffer the same vulnerability as Outlook's.

 A plug-in for Microsoft's Outlook Express - a scaled-down version of
 Outlook - is not affected by the flaw.

 Maiffret said his company immediately deactivated the vulnerable
 software on all its computers, which can be done with nine
 mouse-clicks using Outlook, until it could apply the repairs from
 Network Associates. The decision improved security but "makes it kind
 of a pain" to send encrypted e-mails, he said.

 Zimmermann, in an interview, said PGP software is used "quite
 extensively" by U.S. agencies, based on sales when he formerly worked
 at Network Associates. He also said use of the vulnerable companion
 plug-in was widespread. Zimmermann declined to specify which
 U.S. agencies might be at risk, but other experts have described
 trading scrambled e-mails using PGP and Outlook with employees at the
 FBI, the Energy Department and even the super-secret National
 Security Agency.

 In theory, only nonclassified U.S. information would be at risk from
 this flaw. Agencies impose strict rules against transmitting any
 class

Re: Tax consequences of becoming a US citizen.

2002-07-11 Thread Steve Furlong

On Wednesday 10 July 2002 09:55, Trei, Peter wrote:

> So, to the subject of the original question: I don't think taking up
> US citizenship, then retiring abroad, makes a hell of a lot of
> sense from a tax point of view, unless the Social Security payments
> are important...

I wouldn't figure SS payments into my calculations unless I were to 
retire in the next few years. As the SS crunch looms nearer, watch for 
payments to people outside the US to go on the chopping block.

Not that I expect to get anything from SS myself regardless of whether I 
stay in the US. 29 years until retirement, even if the age isn't pushed 
back again.

SRF

-- 
Steve FurlongComputer Condottiere   Have GNU, Will Travel

Vote Idiotarian --- it's easier than thinking




Re: IP: SSL Certificate "Monopoly" Bears Financial Fruit

2002-07-11 Thread Sean Smith

>IE comes preloaded with about 34 root certificate authorities, and
>it is easy for the end user to add more, to add more in batches.

A colleague of mine just loaded a new root into IE, and pointed
out that when one does this, the new root is apparently BY DEFAULT
enabled for all purposes, including some interesting ones
like "Digital Rights" and "Windows System Component Verification."

I just tried this, and it appears to be the case.  (But I haven't 
yet tried to see whether Windows will happily use my root for these 
OS-specific purposes)

--Sean











-- 
Sean W. Smith, Ph.D. [EMAIL PROTECTED]   
http://www.cs.dartmouth.edu/~sws/   (has ssl link to pgp key)
Department of Computer Science, Dartmouth College, Hanover NH USA




RE: IP: SSL Certificate "Monopoly" Bears Financial Fruit

2002-07-11 Thread Peter Gutmann

"Lucky Green" <[EMAIL PROTECTED]> writes:

>"Trusted roots" have long been bought and sold on the secondary market as any
>other commodity. For surprisingly low amounts, you too can own a trusted root
>that comes pre-installed in >95% of all web browsers deployed.

I'd heard stories of collapsed dot-coms' keys being auctioned off, that being
the only thing of value the company had left.  It makes the title of Matthias'
paper even more appropriate.

(However, I do think that anyone wanting to compromise your security will use
 this morning's MSIE hole to do it rather than buying a CA key.  OTOH it'd be a
 great universal skeleton key for government agencies charged with protecting
 the world from equestrians).

Peter.




Re: IP: SSL Certificate "Monopoly" Bears Financial Fruit

2002-07-11 Thread Peter Gutmann

[EMAIL PROTECTED] writes:
>On 6 Jul 2002 at 9:33, R. A. Hettinga wrote:
>>Thawte has now announced a round of major price increases.  New
>>cert prices appear to have almost doubled, and renewals have
>>increased more than 50%. While Thawte proclaims this is their
>>first price increase in five years, this comes at a time when we
>>should be seeing *increased* competition and *lower* prices for
>>such virtual products, not such price increases.  But of course,
>>in an effective monopoly environment, it's your way or the
>>highway, so this should have been entirely expected.
>
>IE comes preloaded with about 34 root certificate authorities, and it is easy
>for the end user to add more, to add more in batches. Anyone can coerce open
>SSL to generate any certificates he pleases, with some work.

Both Netscape 6 and MSIE 5 contain ~100 built-in, automatically-trusted CA
certs.

 * Certs with 512-bit keys.

 * Certs with 40-year lifetimes.
 
 * Certs from organisations you've never heard of before ("Honest Joe's Used
   Cars and Certificates").
   
 * Certs from CAs with unmaintained/moribund websites ("404.notfound.com").

These certs are what controls access to your machine (ActiveX, Java, install-
on-demand, etc etc).

  * It takes 600-700 mouse clicks to disable these certs to leave only CAs you
really trust.

(The above information was taken from "A rant about SSL, oder: die grosse
 Sicherheitsillusion" by Matthias Bruestle, presented at the KNF-Kongress
 2002).

>Why is not someone else issuing certificates?

How many more do you need?

Peter.




Re: IP: SSL Certificate "Monopoly" Bears Financial Fruit

2002-07-11 Thread David Howe

[EMAIL PROTECTED] <[EMAIL PROTECTED]> was seen to declaim:
> IE comes preloaded with about 34 root certificate authorities, and
> it is easy for the end user to add more, to add more in batches.
> Anyone can coerce open SSL to generate any certificates he
> pleases, with some work.
> Why is not someone else issuing certificates?
Mostly because of the alarming things IE/NS/Whatever says if you haven't
already got the root cert in your browser when you visit a site relying
on a "homebrewed" cert. Certainly some time ago, the OpenCA project were
giving away ssl certs for free to all comers; the software they produced
is open source (and at sourceforge) so anyone could open their own CA
with whatever authentication criteria they wish (and indeed, the owner
of news.securecomp.org (nntp) is in the early stages of a X509-based CA
on a hierachical but distributed model (ie, regional CAs you can apply
personally to with proof of ID)
Doesn't help much when the sheeple won't trust anything that doesn't
come pre-installed by microsoft though.




RE: IP: SSL Certificate "Monopoly" Bears Financial Fruit

2002-07-11 Thread anonimo arancio

On 12 July 2002, Peter Gutmann <[EMAIL PROTECTED]> wrote:
> (However, I do think that anyone wanting to compromise your security will use
>  this morning's MSIE hole to do it rather than buying a CA key.  OTOH it'd be a
>  great universal skeleton key for government agencies charged with protecting
>  the world from equestrians).



Damn those equestrians and their great horse sense!




Re: Tax

2002-07-11 Thread Michael Motyka

>Nomen Nescio wrote:
>> > Are you saying that if someone is legally resident in the US
>> > for a while, the US IRS will attempt to get his assets all
>> > over the world forever?  I find this hard to believe.
>
>On 10 Jul 2002 at 15:40, F. Marc de Piolenc wrote:
>> Not necessarily "get" them, but tax them. Believe!
>
More like tax any income derived from those assets.




Rant: The U.S. facing the largest financial collapse ever

2002-07-11 Thread Tim May

On Thursday, July 11, 2002, at 08:09  AM, Steve Furlong wrote:

> On Wednesday 10 July 2002 09:55, Trei, Peter wrote:
>
>> So, to the subject of the original question: I don't think taking up
>> US citizenship, then retiring abroad, makes a hell of a lot of
>> sense from a tax point of view, unless the Social Security payments
>> are important...
>
> I wouldn't figure SS payments into my calculations unless I were to
> retire in the next few years. As the SS crunch looms nearer, watch for
> payments to people outside the US to go on the chopping block.
>
> Not that I expect to get anything from SS myself regardless of whether I
> stay in the US. 29 years until retirement, even if the age isn't pushed
> back again.

As everyone should know by now, and probably does, the Social Security 
scheme in the U.S. is nothing more than a large Ponzi scheme. Payroll 
taxes, amounting to about 15% of income up to some level (ratcheted 
upwards every few years), go straight into the General Fund, where the 
34%-39% top tax rate funds and all of the other taxes go into.

The General Fund (not its official name...it may not have one) issues 
the SS Geheimstatssecuritatwelfarefund an "IOU" for the trillions owed 
by the General Fund to the SS G.

Those IOUs are not even computed as part of the national debt. (!!) Talk 
about using Enron accounting!

The national debt is now estimated to be around $5 trillion, or about 
$67,000 per family. But this figure fails to account for two very 
important additional indebtednesses: first, the SS IOUs, and second, the 
"unsecured liabilities" that the U.S.G. has taken on due to 50 years of 
legislation. These unsecured liabilities include the rising pensions 
costs of our enormous military forces (no separate fund established), 
the loan guarantees to hundreds of unions and private retirement funds, 
and vast amounts of indebtedness for "guarantees" made to other nations, 
other organizations.

A friend of mine was an insurance industry expert. Some years ago he 
showed me the calculations of what the _actual_ indebtedness of the U.S. 
government is, based on accepted, standard accounting practices (as 
opposed to the Ponzi scheme accounting practices most governments use).

Based on legal, contractual agreements, the national debt at the time he 
showed me the figures (circa 1990) was $20 trillion ($20 x 10^12). 
Dividing by about 100 million households in the U.S., this is $200,000 
per household.

This of course exceeds by a wide margin the entire asset value of most 
households.

We owe more than we have. Which is typical of situations where people 
pay, as but one example, to have young black girls living in their own 
places with no job and no husband, just watching "Oprah" and having more 
babies and with the costs of this destructive nonproductiveness paid for 
the Ponzi way: "Just put it on my credit card!"

Or when $9 billion a year is given to Israel/Egypt (we give Israel $5 
billion a year to keep their economy and their stalags running, so we 
cut a deal with Sadat to give almost as much to Egypt to keep their 
Swiss bank accounts filling up), we pay for it by just saying "Charge 
it!"

Charge it...some future generation will pay. Our political system is set 
up to avoid hard decisions and simply to push tough decisions further 
out into the future. This is why more than $20 trillion is now part of 
our legal obligation.

(BTW, the old chestnut that "we just owe it to ourselves, so what's the 
big deal" doesn't fly. For lots of reasons I'm sure intelligent folks 
can figure out.)

Things get much, much worse when we look at the retirement of the Baby 
Boomers, the leading edge of which is set to start collecting SS and 
other benefits in about 6-7 years (not counting folks who retired 
early). The full impact of this wave will hit around 2020, when things 
get really squirrelly.

(Things could get squirrelly even earlier, should high interest rates 
come back. The offiicial national debt of $5-6 trillion is quite a bit 
higher than the ND was in the early 80s, when 14% interest rates were a 
real problem. If we see 10-15% rates again, with a national debt of $6 
trillion, it'll be "Katie, bar the door!")

Much of the income of the high earners, the productive engineers and 
others who make up for the Doritos-eating welfare breeders, is already 
taxed doubly or even triply. (No time for a rant, but corporate earnings 
are taxed at 40-50%, when corporate income taxes and payroll and other 
taxes are added up, then the dividends and capital gains paid out are 
taxed _again_ at 30-40%. And then there are the property taxes, the 
school taxes, the energy taxes, the sales taxes, and all the rest.

In about 15-18 years things are going to get real ugly in this country. 
Each high worth taxpayer (a subset of those estimated 100 million 
taxpaying households, most of whom pay much less in taxes than high 
worth taxpayers do) will have as his share of the national debt 
something 

Re: Microsoft censors Newsweek - and new version of TCPA FAQ

2002-07-11 Thread John Young

We failed to save a copy of Steven Levy's Palladium article in Newsweek 
and online at MSNBC, now withdrawn by MSNBC. We can find no copy 
online. Whoever save a copy: we would like to receive it for publication to 
assure its continued availability.

A Microsoft programmer, John DeTreville, named in the alleged 
"Palladium" patent published on Cryptome, has written us 
(copy below) to deny the ms-drm-os patent is Palladium -- which 
he claims is based on another patent or several of them. We would 
appreciate leads on which patent or patents he is referring to.

Thanks.

-

Subject: Correction to cryptome.org
Date: Mon, 8 Jul 2002 17:07:45 -0700
From: "John DeTreville" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>

Are you a good contact person for the information on the Microsoft 
DRM patent (6,330,670) on cryptome.org?

The pages linked from http://cryptome.org/ms-drm-os.htm say that 
the authors of this patent (England, DeTreville, and Lampson) were 
identified by Newsweek as Palladium programmers.

I can reliably state that I (DeTreville) am not a Palladium programmer, 
and neither is Butler Lampson.

I believe that the Newsweek article was referring to a different patent. 
I'm sure that the Palladium participants jointly hold a significant number 
of important patents in the field of computer security.

Cheers,

John

-

John's message has been added to the file at:

  http://cryptome.org/ms-drm-os.htm




Re: Finding encrytion algorithm

2002-07-11 Thread Mike Rosing

On Thu, 11 Jul 2002, gfgs pedo wrote:

> suppose a cryptanalysis only has encrypted data-how is
> going 2 know which is the encrytion algorithm used 2
> encrypt the data ,so that he can effeciently
> cryptanalyse if
>
> 1:>he has large amount of cipher text only
> 2:>has large amount of plain text and corresponding
> cipher text.
>
> There r so many encryption algorithms,how does he know
> which algorithm was used?

Depends on how they got the source.  They may know it's one of 5
possible choices because of the person who sent (or received) it.
If it's just found on a disk in a garbage dump with no connections
to anyone, it's a bit tougher.  But every algorithm has some statistical
signature and if you've got enough cipher text you can compare that
signature with known algorithms to home in on fewer choices.

I'm not sure having the plaintext helps much more, but you could
use random keys to create several ciphertexts with known algorithms and
compare the statistics just to see if they compare better.

It's definitly challenging :-)

Patience, persistence, truth,
Dr. mike





Finding encrytion algorithm

2002-07-11 Thread gfgs pedo

i meant cryptanalyst-hope i spelled that rite :-)

Data.


__
Do You Yahoo!?
Sign up for SBC Yahoo! Dial - First Month Free
http://sbc.yahoo.com




Finding encrytion algorithm

2002-07-11 Thread gfgs pedo

hi,



suppose a cryptanalysis only has encrypted data-how is
going 2 know which is the encrytion algorithm used 2
encrypt the data ,so that he can effeciently
cryptanalyse if

1:>he has large amount of cipher text only
2:>has large amount of plain text and corresponding
cipher text.

There r so many encryption algorithms,how does he know
which algorithm was used?

Regards Data.

__
Do You Yahoo!?
Sign up for SBC Yahoo! Dial - First Month Free
http://sbc.yahoo.com




DNA databases to be classified

2002-07-11 Thread keyser-soze

Scientists build polio virus from scratch

Scientists have built the virus that causes polio from scratch in 
the lab, using nothing more than genetic sequence information from 
public databases and readily available technology. 

The feat proves that even if all the polio virus in the world were 
destroyed, it would be easily possible to resurrect the crippling 
disease. It also raises the worrying possibility that bioterrorists 
could use a similar approach to create devastating diseases such as 
ebola and smallpox without having to gain access to protected viral 
stocks.


To read the full story go to:
http://www.prq0.com/apps/redir.asp?link=XbdfjjdiDI,ZbccecfhcaCF&oid=UcjjbCB&iclitemid=XbdijfjaDF&tid=WbbcaffBE

Communicate in total privacy.
Get your free encrypted email at https://www.hushmail.com/?l=2

Looking for a good deal on a domain name? 
http://www.hush.com/partners/offers.cgi?id=domainpeople




RE: IP: SSL Certificate "Monopoly" Bears Financial Fruit

2002-07-11 Thread jamesd

--
On 11 Jul 2002 at 1:22, Lucky Green wrote:
> "Trusted roots" have long been bought and sold on the secondary
> market as any other commodity. For surprisingly low amounts, you
> too can own a trusted root that comes pre-installed in >95% of
> all web browsers deployed.

 How much, typically?

And who actually owns these numerous trusted roots? 

--digsig
 James A. Donald
 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
 y1gI63PXnGNK7Iznu3+gY+/0JLBPRaEEV/OWwPub
 20YHSnGmtg7lQW0NdXU4WMeKWfIQmlq3u3F/wjkOo




Re: Rant: The U.S. facing the largest financial collapse ever

2002-07-11 Thread keyser-soze

On Thursday 11 July 2002 13:32, Tim May wrote:


(Regarding SS and other USG liabilities)


> Charge it...some future generation will pay.

At 02:25 PM 7/11/2002 -0400, Steve Furlong wrote:
>I hope not. Addressing only the SS issue and not other USG debt, I'm 
attempting to organize a nation-wide grassroots movement. On a 
to-be-announced "F-day", every member of the movement will kill a 
designated old fart, one who has long since taken back out of SS 
anything s/he put into the system and is now subsisting solely on SS 
checks and other welfare. Bonus points for killing an old fart who has 
taken much more out of the system than he put in and yet was loudly 
agitating for an increase in benefits to help "the greatest generation, 
who gave so much for their country". Old farts who are still working or 
who are living on saved assets are exempt.

Wrong target.  Suggest you rename it "L-day" for federal Legislator Day.

Members should consider themselves patriots in the true sense.  Since not many 
citizens are so ideological, I suggest a voluntary redistribution of wealth from the 
ideological to the families of those patriots who take up the challenge.  Likely 
participants may be those who have been diagnosed with a terminal illness and have not 
been economically fortunate (or wasteful enough) to leave their families a meaningful 
inheretance.

The sooner the redistribution stops the sooner the economic health of the nation will 
improve.

Loading up the nation with debt and leaving it for the following generations to pay is 
morally irresponsible. Excessive debt is a means by which governments oppress the 
people and waste their substance. No nation has a right to contract debt for periods 
longer than the majority contracting it can expect to live.

"I sincerely believe... that the principle of spending money to be paid by posterity 
under the name of funding is but swindling futurity on a large scale." --Thomas 
Jefferson to John Taylor, 1816. ME 15:23 

Communicate in total privacy.
Get your free encrypted email at https://www.hushmail.com/?l=2

Looking for a good deal on a domain name? 
http://www.hush.com/partners/offers.cgi?id=domainpeople




Re: Rant: The U.S. facing the largest financial collapse ever

2002-07-11 Thread Steve Furlong

On Thursday 11 July 2002 13:32, Tim May wrote:

(Regarding SS and other USG liabilities)

> Charge it...some future generation will pay.

I hope not. Addressing only the SS issue and not other USG debt, I'm 
attempting to organize a nation-wide grassroots movement. On a 
to-be-announced "F-day", every member of the movement will kill a 
designated old fart, one who has long since taken back out of SS 
anything s/he put into the system and is now subsisting solely on SS 
checks and other welfare. Bonus points for killing an old fart who has 
taken much more out of the system than he put in and yet was loudly 
agitating for an increase in benefits to help "the greatest generation, 
who gave so much for their country". Old farts who are still working or 
who are living on saved assets are exempt.

I'd prefer a system which simply cut off benefits once a person's own 
"contributions" had been exhausted (sort of like, you know, a personal 
retirement account) but that seems to be a non-option. (I'd _really_ 
prefer a system where each person was responsible for his own late-life 
well-being, but that kind of talk just gets you thrown in the loony bin 
these days.)

Anyone interested in the F-day movement might also be interested in 
L-day (for lawyers) and CP-day (for career politicians). Web sites 
forthcoming.

SRF

-- 
Steve FurlongComputer Condottiere   Have GNU, Will Travel

Vote Idiotarian --- it's easier than thinking




Re: Finding encrytion algorithm

2002-07-11 Thread Ryan Sorensen

* Mike Rosing <[EMAIL PROTECTED]> [020711]:
> Depends on how they got the source.  They may know it's one of 5
> possible choices because of the person who sent (or received) it.
> If it's just found on a disk in a garbage dump with no connections
> to anyone, it's a bit tougher.  But every algorithm has some statistical
> signature and if you've got enough cipher text you can compare that
> signature with known algorithms to home in on fewer choices.
> 
Do you have any references for this? A quick google search was less than
revealing.

Thanks in advance.

> Patience, persistence, truth,
> Dr. mike

-- 
All that is not strictly forbidden is now mandatory.




Re: Rant: The U.S. facing the largest financial collapse ever

2002-07-11 Thread Anonymous

Tim May writes:
> As everyone should know by now, and probably does, the Social Security 
> scheme in the U.S. is nothing more than a large Ponzi scheme. Payroll 
> taxes, amounting to about 15% of income up to some level (ratcheted 
> upwards every few years), go straight into the General Fund, where the 
> 34%-39% top tax rate funds and all of the other taxes go into.
>
> The General Fund (not its official name...it may not have one) issues 
> the SS Geheimstatssecuritatwelfarefund an "IOU" for the trillions owed 
> by the General Fund to the SS G.
>
> Those IOUs are not even computed as part of the national debt. (!!) Talk 
> about using Enron accounting!

Standard accounting rules are completely inappropriate when looking at
the situation for an entire country over a period of decades.  By this
reasoning, a young family borrowing money to buy a house is making a huge
mistake because it will be in debt to the tune of several years' salary.

What is overlooked in this analysis is that the family, just starting
out in the world, can expect increased income over years to come.  In the
long run, that house will be very affordable based on the expected growth
in income.  But standard accounting principles do not take into account
expected future income.

This shows up most drastically in the case of Social Security, where we
are supposedly $20 trillion in debt.  What about the income which will
be used to pay off that debt?  Those figures are not included.

The fact is, like a young family starting out in the world, we have
every reason to expect our income levels to rise steadily over future
decades, just as they have done in the past.  The world is not a static
place.  Technology and science are improving at an ever-increasing rate.
These translate into productivity improvements, greater national income,
and a higher standard of living.

In fact, with biotech, nanotech, and all the other -techs that are
expected to become feasible within the next few decades, there is every
reason to expect that our income will begin growing at unprecedented
rates.  See some of the predictions at www.kurzweilai.net for examples
of what the future is likely to bring.  (For a good laugh, get Tim May
to repeat his prediction about how nanotech will never go anywhere!
This at a time when you can hardly pick up a business magazine without
finding another article about this new investment opportunity.  Take it as
further evidence of his prognosticative abilities, which are demonstrated
in this thread as well.)

Against this background, it's pointless to worry about a Social Security
debt amounting to $200,000 per household over many decades.  By the
time today's young people are old enough to begin collecting retirement,
two major changes will have occured:

First, the world will be a much wealthier place; standards of living will
likely have more than doubled; technology will have created commonplace
devices that would be literally priceless today.  For such a world,
providing the retirement benefits at the levels specified by today's
laws will be easy and cheap.

But second, and more importantly, health and longevity will likely have
increased substantially as well.  By 2040 it's highly unlikely that a 65
year old man will be facing the kinds of health limitations that a man of
that age has to deal with today.  Four decades of medical research will
allow people who are elderly by today's standards to retain considerable
health and vigor.  There will be no need to retire by 65 if people don't
want to; they can work productively for many more years.

Of course these changes will have almost infinite ramifications as they
affect other parts of society.  The world is likely to be a very different
place in the next decades, as the pace of progress continues to quicken.
It's impossible to predict how it will all work out.  But it seems safe
to say that the world will give people far more choices and opportunities
than we see today.

Those people who do choose to retire at a youthful 65 can be easily
supported by the incredible productivity increases which the working
population enjoys.  In fact, retirement benefits may well be increased
far beyond what seems practical today, as by the standards of our future
wealth, today's comfortable living is seen as the squalor of poverty.
We have seen this trend going on for many decades, and it is only going
to increase in the future.

There are great things ahead, and it's sad to see someone who claims to
have a clear vision of the future get caught up in such petty concerns
as Social Security obligations.  There are serious problems ahead, some
of which were brought up by Bill Joy in his famous article.  But paying
for Social Security isn't one of them.




SSZ Downtime - This weekend

2002-07-11 Thread Jim Choate


There will be a scheduled system upgrade beginning tomorrow evening
through Sunday evening. Reliability will suffer.

Use my Open Forge address for contacts in the interim.


 --


  When I die, I would like to be born again as me.

Hugh Hefner
 [EMAIL PROTECTED] www.ssz.com
 [EMAIL PROTECTED]  www.open-forge.org






Re: Rant: The U.S. facing the largest financial collapse ever

2002-07-11 Thread Jim Choate


The problem with your analysis is that it completely misses the impact of
the extended lifetimes (~150 years for anyone alive in or after 2020 that
doesn't die from accident or intent) that are going to accrue. And it's
only going to go up from there. Within 200 years the effective lifetimes
will be irrelevant. The current insurance and investment industry is
toast in about 20 years.

The current economics is based (unknowningly) on 'fast cycle' times
regarding resources and how quickly resources get returned to the pool as
individuals and such die out (it's that 'property right' thing). That is
about to change, so rapidly it will be a eyeblink (something 2-3 years)
compared to anything before.

Coupled with this is the DECREASED interaction between groups that these
technologies foster. They will create a force to fractionalize the
'market' into smaller more goal focused groups.

An additional stressor, and one which all current estimates ignore, is the
3rd World. One day in the very near future we will all, across the globe,
get up one morning and be confronted with a virus based solution for aging
(at least as we currently understand it). If a small group of people (ala
Beggars in Spain) are allowed and the rest are denied then a 'social
divide' (aka All hell breaking out all over at one time) is going to
occur. It will be violent, and it will have a negative effect on the
technology curve. This saving technology might kill us via side effects.

People came together because the technology wasn't there to allow them to
live alone. One day soon technology will reverse this as the level of
technology that is possible, compared to the level of technology in
general, to that available to the individual will become unity.

Why unity? Because technology will not, can not, extend forever. It will
not go on and on. The universe is too filled with 'exclusion rules' to
allow this. Yes the technology is rising exponentialy, because it's
a function of tanh. Thermodynamics will not be denied. [1]

Couple this with the fact that irrespective of the technology level the
Earth doesn't have the resources to support life indefinitely. The Earth
is not indefinite. This has some serious implication of its own.

The most important is that we must get off the planet as a race. Living on
planets that support life should, and will, become gardens where people
visit on vacations. Too precious to waste on individual ego. This implies
that mankinds future is to the stars.

But this very boundary condition limits the time that a planet has to get
off the planet, or drown in its own waste. My estimate is that it's about
200-250 years and we're about 50 years into it. We're not doing very well.

This also raises another potential explanation of why we don't see Roger.
The vast majority (as in asymptotic to 1) don't make it within the 200
year window. The result is a slow slide to eternity with the planet
getting more fucked up on a daily basis.

If you really understood what was going on, you wouldn't give a shit about
Social Security.

Tim's understanding of human psychology is about as swift as his
understanding of the Uncertainty Principle and running time 'backward'. As
usual he confuses ego and individual perspective as some universal. He
just can't seem to grasp the concept of 'observer dependency'. I guess
that's another example of 'May Pole Physics'.

ps I'm back, as I slowly dig out from a two month blizzard of work...

[1] As a complete aside, the realy interesting question here is will when
it is all said and done, will the maximum technology allow the
creation of other cosmoses? It would certainly explain why we don't
see Roger Ramjet scooting around on a daily basis.


On Fri, 12 Jul 2002, Anonymous wrote:

> Tim May writes:
> > As everyone should know by now, and probably does, the Social Security 
> > scheme in the U.S. is nothing more than a large Ponzi scheme. Payroll 
> > taxes, amounting to about 15% of income up to some level (ratcheted 
> > upwards every few years), go straight into the General Fund, where the 
> > 34%-39% top tax rate funds and all of the other taxes go into.
> >
> > The General Fund (not its official name...it may not have one) issues 
> > the SS Geheimstatssecuritatwelfarefund an "IOU" for the trillions owed 
> > by the General Fund to the SS G.
> >
> > Those IOUs are not even computed as part of the national debt. (!!) Talk 
> > about using Enron accounting!
> 
> Standard accounting rules are completely inappropriate when looking at
> the situation for an entire country over a period of decades.  By this
> reasoning, a young family borrowing money to buy a house is making a huge
> mistake because it will be in debt to the tune of several years' salary.
> 
> What is overlooked in this analysis is that the family, just starting
> out in the world, can expect increased income over years to come.  In the
> long run, that house will be very affordable based on the expected growth
> i

Re: Rant: The U.S. facing the largest financial collapse ever

2002-07-11 Thread Jim Choate


The problem with your analysis is that it completely misses the impact of
the extended lifetimes (~150 years for anyone alive in or after 2020 that
doesn't die from accident or intent) that are going to accrue. And it's
only going to go up from there. Within 200 years the effective lifetimes
will be irrelevant. The current insurance and investment industry is
toast in about 20 years.

The current economics is based (unknowningly) on 'fast cycle' times
regarding resources and how quickly resources get returned to the pool as
individuals and such die out (it's that 'property right' thing). That is
about to change, so rapidly it will be a eyeblink (something 2-3 years)
compared to anything before.

Coupled with this is the DECREASED interaction between groups that these
technologies foster. They will create a force to fractionalize the
'market' into smaller more goal focused groups.

An additional stressor, and one which all current estimates ignore, is the
3rd World. One day in the very near future we will all, across the globe,
get up one morning and be confronted with a virus based solution for aging
(at least as we currently understand it). If a small group of people (ala
Beggars in Spain) are allowed and the rest are denied then a 'social
divide' (aka All hell breaking out all over at one time) is going to
occur. It will be violent, and it will have a negative effect on the
technology curve. This saving technology might kill us via side effects.

People came together because the technology wasn't there to allow them to
live alone. One day soon technology will reverse this as the level of
technology that is possible, compared to the level of technology in
general, to that available to the individual will become unity.

Why unity? Because technology will not, can not, extend forever. It will
not go on and on. The universe is too filled with 'exclusion rules' to
allow this. Yes the technology is rising exponentialy, because it's
a function of tanh. Thermodynamics will not be denied. [1]

Couple this with the fact that irrespective of the technology level the
Earth doesn't have the resources to support life indefinitely. The Earth
is not indefinite. This has some serious implication of its own.

The most important is that we must get off the planet as a race. Living on
planets that support life should, and will, become gardens where people
visit on vacations. Too precious to waste on individual ego. This implies
that mankinds future is to the stars.

But this very boundary condition limits the time that a planet has to get
off the planet, or drown in its own waste. My estimate is that it's about
200-250 years and we're about 50 years into it. We're not doing very well.

This also raises another potential explanation of why we don't see Roger.
The vast majority (as in asymptotic to 1) don't make it within the 200
year window. The result is a slow slide to eternity with the planet
getting more fucked up on a daily basis.

If you really understood what was going on, you wouldn't give a shit about
Social Security.

Tim's understanding of human psychology is about as swift as his
understanding of the Uncertainty Principle and running time 'backward'. As
usual he confuses ego and individual perspective as some universal. He
just can't seem to grasp the concept of 'observer dependency'. I guess
that's another example of 'May Pole Physics'.

ps I'm back, as I slowly dig out from a two month blizzard of work...

[1] As a complete aside, the realy interesting question here is will when
it is all said and done, will the maximum technology allow the
creation of other cosmoses? It would certainly explain why we don't
see Roger Ramjet scooting around on a daily basis.


On Fri, 12 Jul 2002, Anonymous wrote:

> Tim May writes:
> > As everyone should know by now, and probably does, the Social Security 
> > scheme in the U.S. is nothing more than a large Ponzi scheme. Payroll 
> > taxes, amounting to about 15% of income up to some level (ratcheted 
> > upwards every few years), go straight into the General Fund, where the 
> > 34%-39% top tax rate funds and all of the other taxes go into.
> >
> > The General Fund (not its official name...it may not have one) issues 
> > the SS Geheimstatssecuritatwelfarefund an "IOU" for the trillions owed 
> > by the General Fund to the SS G.
> >
> > Those IOUs are not even computed as part of the national debt. (!!) Talk 
> > about using Enron accounting!
> 
> Standard accounting rules are completely inappropriate when looking at
> the situation for an entire country over a period of decades.  By this
> reasoning, a young family borrowing money to buy a house is making a huge
> mistake because it will be in debt to the tune of several years' salary.
> 
> What is overlooked in this analysis is that the family, just starting
> out in the world, can expect increased income over years to come.  In the
> long run, that house will be very affordable based on the expected growth
> i

Re: CDR: Re: Tax

2002-07-11 Thread F. Marc de Piolenc

Right. 

Marc

Michael Motyka wrote:

> >On 10 Jul 2002 at 15:40, F. Marc de Piolenc wrote:
> >> Not necessarily "get" them, but tax them. Believe!
> >
> More like tax any income derived from those assets.




Virtuallizing Palladium

2002-07-11 Thread Albion Zeglin



Similar to DeCSS, only one Palladium chip needs to be reverse engineered and
it's key(s) broken to virtualize the machine.  Simulate a Pentium VI in Java and
all extant code could be accessed.  Similarly, is Microsoft's signing keys were
cracked  then any code could be signed.

If the software needs a real-time connection to the internet though, then
protection could be built into it.  Laptop applications would be vulnerable
until we have pervasive wireless connection.

How many bits do you think MS will use for the keys?

Albion.




Re: Finding encrytion algorithm

2002-07-11 Thread Mike Rosing

On Thu, 11 Jul 2002, Ryan Sorensen wrote:

> Do you have any references for this? A quick google search was less than
> revealing.

There was a discussion (probably several) a few years ago on sci.crypt.
If you point at usenet and try lots of different combinations of keywords
I'm sure you'll find something.  Since I've never done it, I don't have
any direct references, I just remember some of the discussion.  A question
on sci.crypt might get you a lot too.

Patience, persistence, truth,
Dr. mike





Re: Finding encrytion algorithm

2002-07-11 Thread Sandy Harris

Mike Rosing wrote:
> 
> On Thu, 11 Jul 2002, gfgs pedo wrote:
> 
> > suppose a cryptanalysis only has encrypted data-how is
> > going 2 know which is the encrytion algorithm used 2
> > encrypt the data ,so that he can effeciently
> > cryptanalyse if
> >
> > 1:>he has large amount of cipher text only
> > 2:>has large amount of plain text and corresponding
> > cipher text.
> >
> > There r so many encryption algorithms,how does he know
> > which algorithm was used?
> 
> Depends on how they got the source.  They may know it's one of 5
> possible choices because of the person who sent (or received) it.

It may not matter much. Suppose it could be one of a hundred
algorithms, a dozen of which you know how to break. If it is
important and you have the resources, you just try all twelve
breaks. If one works, then you know the algorithm. If not, you
don't care; you know it's one you cannot break, so details are
not important.

Doing this is only at worst 12 times harder than breaking a
single known cipher. If some of your 12 breaks are easy, then
total effort is much less than 12 times the hardest cipher.
When we're talking about 2^40 steps to break a laughably weak
cipher and > 2^100 for a good one, making it 12, or 1000,
times harder is not a very interesting difference.

> If it's just found on a disk in a garbage dump with no connections
> to anyone, it's a bit tougher.

Then you've no reason to think it is important enough to be
worth breaking. You can still try.  

> But every algorithm has some statistical signature

No. Any good algorithm should produce output that looks /exactly/
like random noise, hence they should all look like each other.

This may not be precisely true, but all decent algorithms will
look random enough to make distinguishing quite difficult.

> and if you've got enough cipher text you can compare that
> signature with known algorithms to home in on fewer choices.
> 
> I'm not sure having the plaintext helps much more, but you could
> use random keys to create several ciphertexts with known algorithms and
> compare the statistics just to see if they compare better.
> 
> It's definitly challenging :-)




RE: IP: SSL Certificate "Monopoly" Bears Financial Fruit

2002-07-11 Thread Lucky Green

James wrote:
> On 11 Jul 2002 at 1:22, Lucky Green wrote:
> > "Trusted roots" have long been bought and sold on the 
> secondary market 
> > as any other commodity. For surprisingly low amounts, you 
> too can own 
> > a trusted root that comes pre-installed in >95% of all web browsers 
> > deployed.
> 
>  How much, typically?

I'd rather not state the exact figures. A search of SEC filings may or
may not turn up further details.

> And who actually owns these numerous trusted roots? 

I am not sure I understand the question.

--Lucky




Re: Finding encrytion algorithm

2002-07-11 Thread Jim Choate


On Thu, 11 Jul 2002, Sandy Harris wrote:

> No. Any good algorithm should produce output that looks /exactly/
> like random noise, hence they should all look like each other.

Wrong, not all RNG's have the same statistical output. There is -nothing-
in the requirement for a RNG that requires it (radiation sources are not
equiprobable for example, they're much more 'zero' than 'one'). There may
be boundary conditions on crypto applications that require equiprobable
distributions with respect to characters or strings (that 'k' thing
again, see Knuth). But that doesn't apply to -all- RNG's or their
applications by a long shot.

Also, 'random noise' is redundent. 'Noise' is by -definition- random,
otherwise it wouldn't be noise, it would have a correlation factor, once
you found it you could remove the noise (assuming of course its
computationaly tractible).


 --


  When I die, I would like to be born again as me.

Hugh Hefner
 [EMAIL PROTECTED] www.ssz.com
 [EMAIL PROTECTED]  www.open-forge.org