Re: "If you use encryption, you help the terrorists win"
On Monday 27 October 2003 10:53 am, Tyler Durden wrote: > > Hum...can an ISP offer encryption as a service? > > -TD > Ummm, are we forgetting about the Patriot Act and siblings ? YOU want to do the encryption, not the ISP who can be secretly subpoenaed to hand over the plain text. At least if you get a subpoena you know about it. -- Neil Johnson http://www.njohnsn.com PGP key available on request.
Re: NSA Turns To Commercial Software For Encryption
At 10:01 PM 10/26/03 -0600, J.A. Terranson wrote: >On Sun, 26 Oct 2003, Eugen Leitl wrote: > > >>In the case of the NSA deal, the agency >>wanted to use a 512-bit key for the ECC system. This is the >>equivalent of an RSA key of 15,360 bits." > >Am I the only one here who finds this "requirement" excessive? My god: are >we looking to keep these secrets for 50 years, or 5 (or more) years? In meatspace engineering of life-critical systems, you might design for a few times more than you need under worst-case conditions. Eg, on a bridge: high winds, heavy trucks densely spaced, poor maintenance, poor materials. Remember that bridges fall down when you do something new, like use steel. Or nowadays: planes fall out of the sky because you don't know how composites fail. The NSA might be hedging against future algorithmic improvements. If tomorrow you could factor numbers (or the ECC equivalent) with twice the number of bits, will your spies die? Cf. East German Stasi files, and some south-american files being cracked.
Re: NSA Turns To Commercial Software For Encryption
At 11:00 PM 10/26/03 -0800, Morlock Elloi wrote: >Isn't it really simpler to use RSA and DH and ECC in series ? Why choose ONE ? >There is no good reason for that. 1. Silly Elloi, you can only use DH when both parties are online. And of course RSA and DH have similar failure modes -ie factoring. ECC may have similar failure modes with RSA/DH, I'm not sufficiently informed. A chain of different kinds of padlocks might look strong but they all dissolve in aqua regia. >Looks like PSYOP to me. That's an interesting explanation I hadn't considered in my previous post. (Sort of like putting a stone facade on that new iron bridge because some folks don't trust the newfangled iron bridges.) However using such keys are a heavy practical cost for PSYOPs.
"If you DON'T use encryption, you help the terrorists win"
"Basically they say things like "If you think the government can't break all the encryption schemes that we have, you're nuts." This guy was a math major too, so he understands the principles of crypto." Basically, the answer was hinted at by another poster. For anyone who doesn't trust the government, the point to make is that crypto use is currently a red flag. Last year I went through great pains on this list to point out that right now the gubmint probably doesn't even need to break most encrypted messages in order to know something's up. This is only possible because outside of a coporate context few individuals use encryption. If everybody uses encryption, then it matters MUCH less if the government can break any one message. What costs us pennies to encrypt may cost them thousands to break. That's the assymmetry we asyms can exploit. That's where we need to depart from a Tim May lone wolf approach to your friendly, smiling America-loving flag-waving cypherpunks: "If you don't use encryption then you help the terrorists win". This statement has the added irony of being objectively true, according to more international definitions of 'terrorism'. -TD From: Burning Cows with Strauss <[EMAIL PROTECTED]>(by way of Burning Cows with Strauss <[EMAIL PROTECTED]>) To: [EMAIL PROTECTED] Subject: Re: "If you use encryption, you help the terrorists win" Date: Sun, 26 Oct 2003 20:37:47 -0600 -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Saturday 25 October 2003 04:27 pm, Tyler Durden wrote: > Tim May wrote... > > secure (every ask anyone if they believed there was such a thing as > effectively 'unbreakable' encryption? Reglar folks always believe > SOMEBODY'S got the technology to break what scheme you use, so "why > bother"). I have a few friends like thisanyone have suggestions for ways to change their minds? Basically they say things like "If you think the government can't break all the encryption schemes that we have, you're nuts." This guy was a math major too, so he understands the principles of crypto. I feel pretty confident that 2048 bit encryption is reasonably safe for now, but how can I convince others, and how safe should I really feel in that opinion anyway? Steve - -- Steve Wollkind 810 C San Pedro [EMAIL PROTECTED] College Station, TX 77845 http://njord.org/~steve 979.575.2948 - -- All these worlds are belong to us, except Europa. Take off no zigs there. -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.3 (GNU/Linux) iD8DBQE/mwqO0uexoyuzySARApnNAKCUxOrLDh2gk1Ls5piL1zsnXzhHuwCfUW5l AYtOw2wfT0EqlvhWxo5rup4= =12ec -END PGP SIGNATURE- _ Concerned that messages may bounce because your Hotmail account has exceeded its 2MB storage limit? Get Hotmail Extra Storage! http://join.msn.com/?PAGE=features/es
Re: "If you use encryption, you help the terrorists win"
Nice! "You don't need to - just convince them that it is safe against casual snoopers (and to be honest, most "sensitive" email the government couldn't give a damn about, but your neighbours would find very interesting indeed :) As long as you get the desired end result (them using crypto) do you really care what they think?" Hum...can an ISP offer encryption as a service? -TD From: "Dave Howe" <[EMAIL PROTECTED]> To: "Email List: Cypherpunks" <[EMAIL PROTECTED]> Subject: Re: "If you use encryption, you help the terrorists win" Date: Mon, 27 Oct 2003 12:27:00 - [EMAIL PROTECTED] wrote: > On Saturday 25 October 2003 04:27 pm, Tyler Durden wrote: >> secure (every ask anyone if they believed there was such a thing as >> effectively 'unbreakable' encryption? Reglar folks always believe >> SOMEBODY'S got the technology to break what scheme you use, so "why >> bother"). > I have a few friends like thisanyone have suggestions for ways to > change their minds? > Basically they say things like "If you think the government can't > break all the encryption schemes that we have, you're nuts." This > guy was a math major too, so he understands the principles of crypto. Simpler solution there then is to say "well, good - that means that the Government can still monitor terrorists, but that the minimum-wage employees answering the helpdesk at AOL can't read though your mail while they are bored." > I feel pretty confident that 2048 bit encryption is reasonably safe > for now, but how can I convince others, and how safe should I really > feel in that opinion anyway? You don't need to - just convince them that it is safe against casual snoopers (and to be honest, most "sensitive" email the government couldn't give a damn about, but your neighbours would find very interesting indeed :) As long as you get the desired end result (them using crypto) do you really care what they think? _ Send instant messages to anyone on your contact list with MSN Messenger 6.0. Try it now FREE! http://msnmessenger-download.com
Re: NSA Turns To Commercial Software For Encryption (fwd from brian-slashdotnews@hyperreal.org)
Eric Cordian wrote: > Nonetheless, it's an indication that they don't think RSA has much of > a future. Not really - they could simply be covering all bases (supporting RSA, DH and EC, knowing if DH is broken then almost certainly so is RSA (and vice versa) leaving only EC to fill the gap) The smaller keysizes can't hurt either.
Re: "If you use encryption, you help the terrorists win"
[EMAIL PROTECTED] wrote: > On Saturday 25 October 2003 04:27 pm, Tyler Durden wrote: >> secure (every ask anyone if they believed there was such a thing as >> effectively 'unbreakable' encryption? Reglar folks always believe >> SOMEBODY'S got the technology to break what scheme you use, so "why >> bother"). > I have a few friends like thisanyone have suggestions for ways to > change their minds? > Basically they say things like "If you think the government can't > break all the encryption schemes that we have, you're nuts." This > guy was a math major too, so he understands the principles of crypto. Simpler solution there then is to say "well, good - that means that the Government can still monitor terrorists, but that the minimum-wage employees answering the helpdesk at AOL can't read though your mail while they are bored." > I feel pretty confident that 2048 bit encryption is reasonably safe > for now, but how can I convince others, and how safe should I really > feel in that opinion anyway? You don't need to - just convince them that it is safe against casual snoopers (and to be honest, most "sensitive" email the government couldn't give a damn about, but your neighbours would find very interesting indeed :) As long as you get the desired end result (them using crypto) do you really care what they think?
Re: Certicom? [...] [Fwd: NSA Turns To Commercial Software For Encryption] (fwd from harley@argote.ch)
- Forwarded message from "Dr. Robert J. Harley" <[EMAIL PROTECTED]> - From: [EMAIL PROTECTED] (Dr. Robert J. Harley) Date: Sun, 26 Oct 2003 23:18:11 +0100 (CET) To: [EMAIL PROTECTED] Subject: Re: Certicom? [...] [Fwd: NSA Turns To Commercial Software For Encryption] >Besides 4K-RSA + AES-256 + SHA-256 are all way way way stronger [...] Amusing that you choose 4K-bit RSA. Wasn't 2K supposedly to be total overkill recently? Actually wasn't 1K supposed to be overkill not long ago? Heck 768 seemed extravagant when everyone was on 512. A mere 15 years ago, 320 bits was thought to be enough. According to my logs, here are the > 320-bit factorisations that I ran today: 572972811505140538587970948254484718069 * 229535232834749685352787191218483748328512852024528924422553 31051130972407042496629431420168004379 * 22580614860205576513432855281188300547296895576002618168141213 1651123615682793488297475146389977666821 * 431607931720940152250713570720678507192603271368450344325511 876748124621739787801748776119951008903 * 625940962036087307316308134093495176626898913441644936896711 A mere 15 years ago, 160-ish bits was thought to be enough for ECC. Strangely, that's about 50 million times harder than the biggest cases of ECC broken to date. R PS: Oops, another one while I was typing: 4177340769425990287179093985822571 * 40278974418865128339952649479779348554858008977767026467354360871 .-. .-. / \ .-. .-. / \ / \ / \ .-. _ .-. / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / `-' `-' \ / \ / \ \ / `-' `-' \ / `-' `-' ___ FoRK mailing list http://xent.com/mailman/listinfo/fork - End forwarded message - -- Eugen* Leitl http://leitl.org";>leitl __ ICBM: 48.07078, 11.61144 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE [demime 0.97c removed an attachment of type application/pgp-signature]
Re: "If you use encryption, you help the terrorists win"
At 12:57 PM 10/26/03 -0800, Jurgen Botz wrote: >Wasn't there a Mafioso who got busted and convicted based on >evidence that had been PGP encrypted and where they stole the >key with a keyboard dongle? Nicodemo Scarfo. He used his Dad's federal-prison ID number, but the Feds couldn't guess that, so they blackbagged his computer with a dongle. I don't know who was lamer. It *is* a parable for our community; they could also have used videobugs. There was also, later, some dude who keyboard-bugged Kinkos and got caught. Another sermon from the mount. What *is* your threat model?
Re: NSA Turns To Commercial Software For Encryption
On Sunday, October 26, 2003, at 07:37 PM, Neil Johnson wrote: I dunno know. It comes down to which of the following slogans you believe. ECC: "Our algorithm is so good it has been licensed by the NSA". or RSA: "Our algorithm is so good that the NSA tried to prevent it's publication, had it classified as a munition and export controlled, tried to get the government to ban it in favor of a key escrow system, arrested and harassed a programmer for implementing an program using it, etc." Depending on the orientation of your tin foil hat, either one can mean the algorithm is good or has a backdoor. Oh, the fodder for conspiracy theorists. Other theories: It's always in NSA's interest to make sure that the current "in vogue" crypto system require licensing even if it is a commercial license. At least it limits it's use in Open Source and Free Software. Or my theory: Part of outsourcing. I hear yawning. But there's more to outsourcing than simplistic notions that outsourcing lets the Pentagon (and NSA, CIA, etc.) save money: -- outsourcing puts the Beltway Bandits into the loop -- outside suppliers are a place for senior NSA cryptographers and managers to go when they have maxed out their GS-17 benefits ("sheep-dipping" agents is another avenue for them to work in private industry) -- outside suppliers are less accountable to Congress, are insulated in various well-known ways This is not just something out of a Grisham thriller, with a Crystal City corporation funneling NSA money into a Cayman account...this is the Brave New World of hollowing out the official agencies and moving their functions to Halliburton, Wackenhut, TRW, TIS/NAI, and the legion of Beltway Bandit subcontractors all around D.C. (When I left the D.C. area in 1970 the practice was in full swing, and even my father went to a Bandit in Rockville when he left the U.S. Navy, doing the same job but both better paid and less accountable. And he wasn't even a spook.) Put it this way, if Dick Cheney had worked for the NSA before going into private practice for his 8 years out of government, he'd want to go to a place like Certicom. And then return to government and help mandate that his former company's products be the Official Standard. Follow the money. --Tim May
Re: "If you use encryption, you help the terrorists win"
Tyler Durden wrote: Tim May wrote... "I predict we'll soon be seeing a new thought control campaign with this theme, that "if you use encryption, you help the terrorists win."" Well, I'm dubious. Right now I'm thinking their strategy has been to pull encryption down off of the social radar, and that's worked better I agree with this... and add the following... For the last decade or so many of the "bad guys" (by whoever's definition you want) have actually been using crypto, even if the general public has not. I think that by now the TLAs have learned that this works in their favor on both counts... 1) The general public doesn't really use crypto... partly because it's "off the social radar", partly because it's just too difficult, etc., etc. As a result the TLAs can employ the kind of Orwellian mass surveilance they would like and get useful information out of it. 2) The bad guys use crypto they know to be strong enough to stop brute force attacks even by "major governments". This does two things... it makes them stick out in mass surveilance, and it makes them put all their eggs in one basket (the encrypted one). The TLAs of course have many options other than brute force attack on the crypto itself... key theft, tempest, rubber hose, everyone here knows all the methods. The TLAs may have to make a little more effort, but the payoff is more likley to be very good. Wasn't there a Mafioso who got busted and convicted based on evidence that had been PGP encrypted and where they stole the key with a keyboard dongle? I'm sure that wasn't an exception; the TLAs have adapted to the technology and found that it doesn't /really/ make things harder for them... maybe it makes it easier because the bad guys feel more secure. So I think that they've learned that they really get the best of both worlds with the status quo, and I don't see any indication that they are about to rock this particular boat. This may change if the public infrastructure starts using more crypto by default and people use better key management (smart cards?) but I don't think that's really all that likely... at least at the moment there doesn't seem to be any good momentum in that direction. :j
Re: "If you didn't pay for it, you've stolen it!"
Sunder wrote: > To add to this: > > There is no law stating that I cannot take my books and read them > backwards, skip every other word, read the odd chapters in reverse and the > even chapters forward, or try to "decode" the book by translating it to > another language, ask someone with better eyes than mine to read it to me, > or chose to wear green tinted lenses while reading it, read it to kids or > the elderly, lend it - or rent it to friends, use it as a paperweight, ^^^ this, I believe, there are laws about. At least here. > drop it on the floor, et cetera. I can take it with me to other countries > and read it there, as well etc. Once I bought it, it's mine. Again, only within the permitted uses. For example, copying it and selling copies is clearly not permitted. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
Re: "If you didn't pay for it, you've stolen it!"
On Friday, October 24, 2003, at 09:00 AM, Steve Wollkind (by way of Steve Wollkind <[EMAIL PROTECTED]>) wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Friday 24 October 2003 10:14, Harmon Seaver wrote: On Thu, Oct 23, 2003 at 10:43:22PM -0700, Tim May wrote: TM: the last two paragraphs were of course added by me. But the point is still valid, that much of Hollywood's claims about "illegal listening" are not really any different from "reading without buying" books and magazines in libraries. The more urgent issue is this crap Not to mention all the CDs and movies available in libraries. What's the difference in borrowing CDs from a library and taking them home and taping or mp3ing them and getting them from the net? There's no differenceboth are illegal. It's just much easier to catch people who leave a trail by downloading files than people who legally check a disc out of a library and then illegally copy it in the privacy of their own home. You are incorrect. "Both are illegal" is not correct. The Home Recording Act of 1992 explicitly made home use for noncommercial (no renting, no selling, no commercial use in bars or radio stations) fully legal. The text can be Googled and the topic has been covered here many times. In shyster terms, it created a "safe harbor" for home taping. The HRA even established a "blank tape and media tax," which is why many CD-Rs sold say "Music" on them (ostensibly these are the media for which the blank media tax was paid by someone, with revenues ostensibly given to Hollywood). The DMCA threw a spanner in the works in various ways, partly rewriting the HRA, partly adding new stuff. But the existence of the HRA and the money sent to Hollywood and Nashville through the HRA music taxes make successful prosecution of any home taper nearly impossible. --Tim May
Re: NSA Turns To Commercial Software For Encryption (fwd from brian-slashdotnews@hyperreal.org)
David Howe writes: > I doubt the NSA need, trust or want anyone else's actual software for EC Nonetheless, it's an indication that they don't think RSA has much of a future. So now they have a public key cryptosystem with smaller key lengths, and a more obtuse one-way function that can't be understood by Joe Schmo. We shall see what this portends. -- Eric Michael Cordian 0+ O:.T:.O:. Mathematical Munitions Division "Do What Thou Wilt Shall Be The Whole Of The Law"
Re: NSA Turns To Commercial Software For Encryption
I dunno know. It comes down to which of the following slogans you believe. ECC: "Our algorithm is so good it has been licensed by the NSA". or RSA: "Our algorithm is so good that the NSA tried to prevent it's publication, had it classified as a munition and export controlled, tried to get the government to ban it in favor of a key escrow system, arrested and harassed a programmer for implementing an program using it, etc." Depending on the orientation of your tin foil hat, either one can mean the algorithm is good or has a backdoor. Oh, the fodder for conspiracy theorists. Other theories: It's always in NSA's interest to make sure that the current "in vogue" crypto system require licensing even if it is a commercial license. At least it limits it's use in Open Source and Free Software. Or they now have fast enough computers and fancy enough algorithms to factor most current sizes of RSA keys, and that in order to be secure that they have to start using such large RSA key sizes it's to inefficient to use in some systems anymore (micro transmitters for phone taps) or they figure someone will notice they are using 16K keys and wonder why. So they decide to switch to a more efficient (or just different) algorithm. -- Neil Johnson http://www.njohnsn.com PGP key available on request.
Re: "If you use encryption, you help the terrorists win"
> I have a few friends like thisanyone have suggestions for ways to change > their minds? > > Basically they say things like "If you think the government can't break all > the encryption schemes that we have, you're nuts." This guy was a math major > too, so he understands the principles of crypto. It is impossible to rationalise long term consequences of data harvesting into immediate threat for most people. The only way to change behaviour in absence of the perceived threat is propaganda ... and those who have means for that have different agendas. What's left is a personal-level propaganda but the effects are negligible. You can't really save anyone. You can, however, make crypto tools that make things easier. Or surveillance tools that make things obvious. The latter, I think, is more effective. Time to open source Echelon ? = end (of original message) Y-a*h*o-o (yes, they scan for this) spam follows: __ Do you Yahoo!? Exclusive Video Premiere - Britney Spears http://launch.yahoo.com/promos/britneyspears/
Re: NSA Turns To Commercial Software For Encryption (fwd from brian-slashdotnews@hyperreal.org)
On Sun, 26 Oct 2003, Eugen Leitl wrote: >In the case of the NSA deal, the agency >wanted to use a 512-bit key for the ECC system. This is the >equivalent of an RSA key of 15,360 bits." Am I the only one here who finds this "requirement" excessive? My god: are we looking to keep these secrets for 50 years, or 5 (or more) years? Or am I missing something? -- Yours, J.A. Terranson [EMAIL PROTECTED] "Every living thing dies alone." Donnie Darko
Re: NSA Turns To Commercial Software For Encryption (fwd from brian-slashdotnews@hyperreal.org)
Eugen Leitl wrote: >[1]Roland Piquepaille writes "According to eWEEK, the National >Security Agency (NSA) has [2]picked a commercial solution for its >encryption technology needs, instead on relying on its own >proprietary code. I was under the impression they had just licenced their *patent* - I would assume that the NSA were fully aware of EC, but were unwilling to admit to any prior art (and licencing the patent avoids the potential embarrassment if an NSA system were discovered to be already using this patented technology - remembering that other than prior art invalidating a patent which is a fairly drawn out legal process, there is no other defense against patent infringement) I doubt the NSA need, trust or want anyone else's actual software for EC :)
Re: "If you use encryption, you help the terrorists win"
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Saturday 25 October 2003 04:27 pm, Tyler Durden wrote: > Tim May wrote... > > secure (every ask anyone if they believed there was such a thing as > effectively 'unbreakable' encryption? Reglar folks always believe > SOMEBODY'S got the technology to break what scheme you use, so "why > bother"). I have a few friends like thisanyone have suggestions for ways to change their minds? Basically they say things like "If you think the government can't break all the encryption schemes that we have, you're nuts." This guy was a math major too, so he understands the principles of crypto. I feel pretty confident that 2048 bit encryption is reasonably safe for now, but how can I convince others, and how safe should I really feel in that opinion anyway? Steve - -- Steve Wollkind 810 C San Pedro [EMAIL PROTECTED] College Station, TX 77845 http://njord.org/~steve 979.575.2948 - -- All these worlds are belong to us, except Europa. Take off no zigs there. -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.3 (GNU/Linux) iD8DBQE/mwqO0uexoyuzySARApnNAKCUxOrLDh2gk1Ls5piL1zsnXzhHuwCfUW5l AYtOw2wfT0EqlvhWxo5rup4= =12ec -END PGP SIGNATURE-
Re: NSA Turns To Commercial Software For Encryption
Isn't it really simpler to use RSA and DH and ECC in series ? Why choose ONE ? There is no good reason for that. Looks like PSYOP to me. = end (of original message) Y-a*h*o-o (yes, they scan for this) spam follows: __ Do you Yahoo!? Exclusive Video Premiere - Britney Spears http://launch.yahoo.com/promos/britneyspears/
Re: "If you didn't pay for it, you've stolen it!"
On Sun, 2003-10-26 at 14:29, Ben Laurie wrote: > Sunder wrote: > > the elderly, lend it - or rent it to friends, use it as a paperweight, > ^^^ this, I believe, there are laws > about. At least here. Aside from tax laws, I don't know of any US Federal or New York State laws applying to renting books. A quick search didn't turn up anything in the US, either. (Though there's so much law out there that 'quick search of the law' is oxymoronic.) I don't have any resources other than Google for checking English law.
What Really Happened to Whatreallyhappened.com
Everyone's favorite link farm of news stories which annoy Neocons, http://www.whatreallyhappened.com/ disappeared suddenly and has been unavailable for 2 days now. Anyone know What Really Happened to it? Hopefully just a minor hardware problem. -- Eric Michael Cordian 0+ O:.T:.O:. Mathematical Munitions Division "Do What Thou Wilt Shall Be The Whole Of The Law"