seeking information for Wired News article
--- begin forwarded text

Status: RO
From: Danit Lidor [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: seeking information for Wired News article
Date: Fri, 6 Sep 2002 13:19:21 -0700

Hi there,

I am a reporter at Wired News. We received notice of the upcoming Cypherpunks 10th anniversary bash. I am thinking of writing a short article about the history and current status of the cypherpunk community. Obviously, things have changed a lot in the last 10 years. I imagine that you and other cypherpunks would have much to say on the topic. Please feel free to rant and rave to me about whatever you feel would be relevant to this kind of article.

When did the Cypherpunks come into existence? Who were the founding members? What was the initial purpose?

What kinds of people are involved? Who (socially, I mean, not names!) exactly are the members of the group? How many at any one time? Is it a rotating membership, with people coming and going?

There has been a substantial amount of press dedicated to the Cypherpunks, what's been the community response? Have there been internal discussions about the repercussions of the media's involvement and the like? WN has had a very familiar relationship with the cypherpunks - has it been viewed as a positive thing?

Have the ideals of the group changed over the years? Are there any manifestos or official statements from the group that I can access? What are the future plans for the cypherpunks?

I attempted to access cypherpunks.com but most of the links are dead, why isn't anyone maintaining it? Or is it unrelated to the current community? With whom else are the cypherpunks allied?

What do you, personally, have to say about the future of the Internet, privacy, legislation, hacking, phreaking, cyber terrorism, the government, etc.?

And finally, who else should I be talking to?

Thanks for your time. I am hoping to get the story done before the end of next week (i.e. before the actual party.) Of course, I would never publish the location of the party or any other information that you don't feel comfortable about.

Danit Lidor

I am also available at 415.276.3925. Please leave me a message if I'm away from my desk. I am more than happy to call you back.

--- end forwarded text

--
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
RE: Prosecutors' Contention That Hotmail E-mail Is Extremely Difficult To Trace
James wrote:
> On 5 Sep 2002 at 16:48, Steve Schear wrote:
> > 3. After September 11, 2001, the FBI learned that Moussaoui had used a computer at Kinko's, in Eagan, Minnesota, to connect to the internet. When the FBI learned that Moussaoui had used a computer at Kinko's, the FBI investigated that Kinko's store and was informed that the Kinko's had since erased the data from its computers, as is Kinko's regular practice. Accordingly, the FBI did not seize the computers from Kinko's, Eagan, Minnesota.
>
> Moral: Always make erasing unneeded data a regular practice, if you want to keep your computers.

Absolutely. Furthermore, encourage your customers to encrypt their data: Some European ISPs, fed up with the costs of complying with interception warrants and subpoenas, have begun to offer discounts to customers that exclusively utilize encrypting protocols. The logic being that it is cheaper to notify law enforcement that the ISP is unable to tap the information due to the link being encrypted than it is to tap a link.

--Lucky Green
Re: Wolfram on randomness and RNGs
It would seem that while the bitstream generated by the center column of rule 30 might be a good random number source, its repeatability is the very thing that detracts from its usefulness in cryptographic application. An obviously poor application would be to have a one time pad where two parties would xor their plaintext with the bitstream produced by rule 30, starting at the top. While the resulting bitstream would appear random, an attacker with knowledge of the algorithm could just run rule 30 themselves and decode the result.

To have cryptographically strong random numbers, one needs to have an *unreproducible* source of randomness -- the very thing that Wolfram seems to sneer at as being purely academic but that the above methodology makes clear. While a slightly modified approach of having both sides start at a secret row of rule 30 could be used, the key is now merely the row number; defeating the purpose.

One interesting possibility might be to seed a wide row of rule 30 with bits gleaned from the environment; this would make it difficult to reproduce the bitstream without the bits representing the initial conditions, but without continuing to add bits to rows, the bit strength of the randomness is only the width of the seeded row (namely, if you're using 8 bits of randomness to seed rule 30, an attacker could brute force the 256 possibilities to find your random bitstream).

The problem is, IMHO, exactly analogous to deriving randomness from irrational numbers, such as the digits of pi, e, or the square root of two; this just might be a slightly more efficient way to generate the bitstream. The point is, they're all very good sources of randomness, but the fact that their sequences are so well-defined keeps them from being a good source of secrecy; picking out which portions of the sequence to use ends up becoming your secret and your sequence is truly only as unpredictable as this secret. In another sense, the sequence you're using is only as strong as its inputs.

Just my $0.02; please bitchslap me if I got this wrong.

David E. Weekly
Founder Executive Director
California Community Colocation Project (an OPG project)
http://CommunityColo.net/ - the world's first non-profit colo!

- Original Message -
From: Steve Schear [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, September 06, 2002 1:57 PM
Subject: Wolfram on randomness and RNGs

Background

Stephen Wolfram's book, A New Kind of Science, is nothing if not interesting. This encyclopedia-sized volume traces how his fascination with cellular automata, beginning in the 1970s, led him to spend decades exploring the significance of complexity created from simple rules. I hope the following will not be too wordy and generate interest in the cryptographic implications of his work.

Intrinsic Generation of Randomness

In the chapter Mechanisms and Programs in Nature, pp 297 - 361, he presents his case that behavioral similarities between certain simple programs and systems in nature are no coincidence but reflect a deep correspondence. In this section he explores three mechanisms for randomness: external input (noise) captured in so-called stochastic models, those related to initial conditions (e.g., chaos theory), and those based on the behavior of simple programs described in the book and which he believes are the most common in nature.

Under the section The Intrinsic Generation of Randomness he presents evidence for his third mechanism in which no random input from the outside is needed, and in which the randomness is instead generated inside the systems themselves.

When one says that something seems random, what one usually means in practice is that one cannot see any regularities in it. So when we say that a particular phenomenon in nature seems random, what we mean is that none of our standard methods of analysis have succeeded in finding regularities in it. To assess the randomness of a sequence produced by something like a cellular automaton, therefore, what we must do is to apply to it the same methods of analysis as we do to natural systems ... some of these methods have been well codified in standard mathematics and statistics, while others are effectively implicit in our processes of visual and other perception. But the remarkable fact is that none of these methods seem to reveal any real regularities whatsoever in the rule 30 cellular automaton sequence. And thus, so far as one can tell, this sequence is at least as random as anything we see in nature.

But is it truly random? Over the past century or so, a variety of definitions of true randomness have been proposed. And according to most of these definitions, the sequence is indeed truly random. But there are a certain class of definitions which do not consider it truly random. For these definitions are based on the notion of classifying as truly random only sequences which can never be generated by any simple
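The 8-bit-seed case raised in David Weekly's message above, carried through as an added example (not code from the thread or from Wolfram's book): a rule 30 center-column keystream whose only secret is an 8-bit seed, and the 256-candidate search that recovers it from a known plaintext prefix. The 64-cell cyclic row, the seed placement, the sample message and the function names are assumptions made for this illustration.

```python
WIDTH = 64                      # cells in the cyclic row (assumed for this example)
MASK = (1 << WIDTH) - 1
CENTER = WIDTH // 2             # bit index of the center column
SEED_BITS = 8                   # the 8-bit seed discussed in the message above


def rule30_step(row):
    """One rule 30 update on a cyclic row: new = left XOR (center OR right)."""
    left = (row >> 1) | ((row & 1) << (WIDTH - 1))       # left neighbours, aligned
    right = ((row << 1) & MASK) | (row >> (WIDTH - 1))   # right neighbours, aligned
    return left ^ (row | right)


def keystream(seed, nbytes):
    """Place the seed in the middle of the row, then emit center-column bits."""
    row = (seed & ((1 << SEED_BITS) - 1)) << (CENTER - SEED_BITS // 2)
    out = bytearray()
    for _ in range(nbytes):
        byte = 0
        for _ in range(8):
            row = rule30_step(row)
            byte = (byte << 1) | ((row >> CENTER) & 1)
        out.append(byte)
    return bytes(out)


def xor_with_stream(seed, data):
    """Encrypt or decrypt: XOR the data with the keystream for this seed."""
    return bytes(d ^ k for d, k in zip(data, keystream(seed, len(data))))


def recover_seeds(ciphertext, known_prefix):
    """Try every possible seed; keep those that reproduce the observed keystream."""
    n = len(known_prefix)
    observed = bytes(c ^ p for c, p in zip(ciphertext, known_prefix))
    return [s for s in range(1 << SEED_BITS) if keystream(s, n) == observed]


if __name__ == "__main__":
    secret_seed = 0xA7                                 # constructed sample value
    message = b"Subject: meeting moved to Tuesday"     # constructed sample plaintext
    ciphertext = xor_with_stream(secret_seed, message)
    # The keystream passes casual inspection, but the key space is only 2**8.
    candidates = recover_seeds(ciphertext, b"Subject: ")
    print("seeds tried:", 1 << SEED_BITS, "matching:", [hex(s) for s in candidates])
    for s in candidates:
        print(hex(s), xor_with_stream(s, ciphertext))
```

Widening the row or discarding early output does not change the result: the work needed to reproduce the stream is bounded by the entropy of the seed, which is why the seed must come from a source with enough unpredictable bits.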
Re: Privacy/anonymity charities
--- begin forwarded text

Status: U
To: R. A. Hettinga [EMAIL PROTECTED]
From: Ragnar [EMAIL PROTECTED]
Date: Sat, 7 Sep 2002 11:08:36 -0700 (PDT)
Subject: Re: Privacy/anonymity charities

Liberty Impact ( http://www.libertyimpact.com ) is a knowledge-based organization and newsletter that promotes privacy and liberty. Donations to Liberty Impact can be made via a 501(c)(3) organization called United Support for Humanity ( http://www.unsh.org ). USH gives to organizations that support teaching, scholarship, etc.

> To: [EMAIL PROTECTED]
> Subject: Privacy/anonymity charities
> Sender: [EMAIL PROTECTED]
>
> The company I work for has a charitable donation matching program. Do you have any suggestions for organizations with 501(c)3 status who would be worthy recipients of a donation? I have EFF and EPIC on my list. Are there others doing things to protect anonymity and privacy rights? I am more interested in actively working on developing ways of securing people's anonymity, rather than lobbying or litigation organizations. I think that the two I have above cover the latter nicely. TIA.

Regards,
Ragnar
CFO - http://www.gold-age.net

Liberty Impact! Check out this free, hard-hitting weekly newsletter about privacy, liberty, offshore banking, tax avoidance digital currencies. http://www.libertyimpact.com

--- end forwarded text

--
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
[labs@foundstone.com: Foundstone Labs Advisory - Remotely Exploitable Buffer Overflow in PGP]
- Forwarded message from Foundstone Labs [EMAIL PROTECTED] -

Date: Fri, 6 Sep 2002 10:54:17 -0700
From: Foundstone Labs [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Foundstone Labs Advisory - Remotely Exploitable Buffer Overflow in PGP

Foundstone Labs Advisory - 090502-PCRO

Advisory Name: Remotely Exploitable Buffer Overflow in PGP
Release Date: September 5, 2002
Application: PGP Corporate Desktop 7.1.1
Platforms: Windows 2000/XP
Severity: Remote code execution and plaintext passphrase disclosure
Vendors: PGP Corporation (http://www.pgp.com)
Authors: Tony Bettini ([EMAIL PROTECTED])
CVE Candidate: CAN-2002-0850
Reference: http://www.foundstone.com/advisories

Overview:

In many locations where PGP handles files, the length of the filename is not properly checked. As a result, PGP Corporate Desktop will crash if a user attempts to encrypt or decrypt a file with a long filename. A remote attacker may create an encrypted document, that when decrypted by a user running PGP, would allow for remote commands to be executed on the client's computer.

Detailed Description:

A malicious attacker could create a filename containing:

<196 bytes><eip><9 bytes><readable address><29 bytes>

The attacker would then encrypt the file using the public key of the target user. In many cases, public keys often contain banners of the utilized PGP client software and its associated version. The encrypted archive could then be sent to the target user; potentially via a Microsoft Outlook attachment. The email attachment could have a filename such as foryoureyesonly.pgp or confidential.pgp. When the unsuspecting user decrypts the archive (either via autodecrypt or manual), the overflow will occur if the file within the archive has a long filename.

In some cases the attacker may also obtain the passphrase of the target user. PGP crashes immediately after the decryption of the malicious file and before the memory containing the passphrase is overwritten.

Vendor Response:

PGP has issued a fix for this vulnerability, it is available at:

http://www.nai.com/naicommon/download/upgrade/patches/patch-pgphotfix.asp

Foundstone would like to thank PGP for their cooperation with the remediation of this vulnerability.

Solution:

We recommend applying the vendor patch.

Disclaimer:

The information contained in this advisory is copyright (c) 2002 Foundstone, Inc. and is believed to be accurate at the time of publishing, but no representation of any warranty is given, express, or implied as to its accuracy or completeness. In no event shall the author or Foundstone be liable for any direct, indirect, incidental, special, exemplary or consequential damages resulting from the use or misuse of this information. This advisory may be redistributed, provided that no fee is assigned and that the advisory is not modified in any way.

- End forwarded message -
Re: seeking information for Wired News article
Why, after reading the questions presented below, think that Danit is the *wrong* person to be writing this article?

On Fri, 6 Sep 2002, R. A. Hettinga wrote:

> --- begin forwarded text
>
> Status: RO
> From: Danit Lidor [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: seeking information for Wired News article
> Date: Fri, 6 Sep 2002 13:19:21 -0700
>
> Hi there,
>
> I am a reporter at Wired News. We received notice of the upcoming Cypherpunks 10th anniversary bash. I am thinking of writing a short article about the history and current status of the cypherpunk community.

Note that the term community here, while probably not accurate in the strictest sense, is certainly a *LOT* more accurate than the implied term organization, which the vast majority of your questions approach. Cypherpunks are organized only in the sense that they manage to get their shopping done when they run out of food. There are CP's who fall all over the 4 corners of the political spectrum, and all over the physical world. Realistically, about the only thing that they all have in common is a strong interest in crypto, and a native suspicion for most forms of authority.

> Obviously, things have changed a lot in the last 10 years. I imagine that you and other cypherpunks would have much to say on the topic. Please feel free to rant and rave to me about whatever you feel would be relevant to this kind of article.

Now you've done it: expect 700 emails per day from MattD :-(

> When did the Cypherpunks come into existence?

When did Humanity come into existence? I'm serious here: CP merely utilized a new communications medium.

> Who were the founding members?

Here we go with the membership thing again - You have it Completely Wrong. There are no members, there is no leadership, there is no Following or Group. CP's are individuals who happen to identify themselves as CP's - period.

> What was the initial purpose?

The purpose? You mean What does The Group want to accomplish? See above.

> What kinds of people are involved?

Doctors, Lawyers, Mathematicians, Felons, Druggies, Anti-druggies, Anarchists, Libertarians, Right-Wing-Fanatics, Left-Wing-Fanatics, Teachers, Housewives, Househusbands, students, cops, criminals...

> Who (socially, I mean, not names!) exactly are the members of the group?

Again, there IS NO GROUP. I'm not trying to be cute here - THERE IS NO GROUP. The whole concept of group is flawed in this context.

> How many at any one time?

Anyone's guess. I personally know a bunch of folks who follow CP who do so only out of curiosity: do I count them in? How about all the federal agents who subscribe to the CP lists? Getting the drift?

> Is it a rotating membership, with people coming and going?

No. There is no Membership.

> There has been a substantial amount of press dedicated to the Cypherpunks, what's been the community response?

Varied. Like the press itself. Like the CP's themselves. It is not possible to place CP into any cubbyhole.

> Have there been internal discussions about the repercussions of the media's involvement and the like?

OooOoOoooh Internal Discussions! I like that: it implies that (radical) Group thing again... :-(

> WN has had a very familiar relationship with the cypherpunks - has it been viewed as a positive thing?

By some, and not others.

> Have the ideals of the group changed over the years?

Sorry Kemosabe: most of the folks who refer to themselves as CP's are less than idealists. And, since there IS NO F*@#$ GROUP, this question is irrelevant.

> Are there any manifestos

Many: Google Is Your Friend.

> or official statements

Official Statements! That's rich!!! Tell you what - take one from Column-A, and one from Column-B, where each column is the source of your choice, and I'll [personally] acknowledge them as the Official Statements of Whomever You Like.

> from the group that I can access? What are the future plans for the cypherpunks?

I guess you should ask each CP individually. Personally, my long term plans are to Get Out Of Dodge (USA), before it turns into Germany in 1941. My short term plans are to try and educate as many persons in authority as possible in How The Real World Works, and as many persons NOT in authority in How The Real World Works.

> I attempted to access cypherpunks.com but most of the links are dead, why isn't anyone maintaining it?

Maybe if someone were to form a CypherPunks GROUP, they would get maintained?

> Or is it unrelated to the current community? With whom else are the cypherpunks allied?

[I actually had to take a moment to wipe the tears of laughter from the question] Nobody. Any such alliance would require a Group Consensus - something which is just patently impossible. If you ever find two CP's who can agree on enough to come to a broad Consensus, you let me know so I can mark it on my calendar.

> What do you, personally, have to say about the future of the Internet, privacy, legislation,