[p2p-hackers] Ideas for an opensource Skype lookalike (fwd from
At 12:45 PM 3/13/04 +0100, Eugen Leitl FORWARDED: - Forwarded message from Enzo Michelangeli [EMAIL PROTECTED] - Skype claims to use RSA-based key exchange, which is good for multi-party conferencing but does not preserve forward secrecy. Maybe some variant of ephemeral D-H authenticated by RSA signatures, with transparent renegotiation every time someone joins the conference, could do the job better. RSA (ie persistant keys) may be an option but MUST NOT be required, for secrecy reasons as mentioned. (At worst RSA keys can be used once, then discarded. Lots of primes out there :-) Also, this is *voice*, ie biometric auth, so public-key-web-o-trust verislime scam is unnecessary at best. (Although for ringing up a business it might be a useful redundancy in case you misdial, and if there are introducers more trusted and perhaps liable than verislime) But the thing I particularly would like to discuss here is if, and how, to leverage on existing P2P networks. Get Real Networks or AOL or M$ to bundle a free, open secphone with their regular products. In AOL case you can exploit their buddy (aka traffic analysis) system for your directory services. I bet its suggested monthly. And shot down by managers who have been shown photos of their personal indiscretions taken by spooks. One could always implement a brand new network, using Distributed Hash Table algorithms such as Chord or Kademlia, We don't give a flying fuck as to which shiny new algorithm you use, although were we a graph theory wonk, we might care. but it would be much easier to rely from the very beginning upon a large number of nodes (at least for directory and presence functionality, if not for the reflectors which require specific UDP code). What the NAT world (yawn) needs is free registry services exploitable by any protocol. Those NAT-users with RSA-clue can sign their registry entry. That would somehow repeat the approach initially adopted by Vocaltec when, in 1995, they launched their Iphone making use of IRC servers to publish dynamic IP addresses. Incidentally, the IRC users community didn't particularly appreciate ;-), triggering the Great Iphone War, which quickly led Vocaltec to set up its own dedicated IRC servers. Net was a smaller place in 95. A '95 machine didn't have MIPS to burn. Not so many broadband nodes. Bush was just an airhead redneck governor, not a rabid Caesar.
Return of the homebrew coder
Geodesic software, anyone? :-) Cheers, RAH --- http://www.economist.com/PrinterFriendly.cfm?Story_ID=2476892 The Economist MONITOR Return of the homebrew coder Mar 11th 2004 From The Economist print edition Software: Most modern software is written by huge teams of programmers. But there is still room for homebrew coders, at least in some unusual niches BEFORE Henry Ford unleashed the practice of mass production on the world, every little town had a few dozen artisans who made the lives of citizens easier. A cobbler made the shoes, a tailor sewed suits and a carpenter built furniture. Mass production sounded the death knell for many specialist craft jobs, and the rise of computerised supply chains finished off most of the rest. But now, a century later, the trend is reversing itself. The new craftsmen do not stitch leather, cut cloth or saw wood: instead, they write software. This is because, as digital gizmos proliferate, consumers are running into some niggling problems. How can you synchronise a Sony Ericsson smartphone with a Macintosh computer running Microsoft's Entourage software? How do you send instant messages from your PocketPC or Palm handheld? How do you maintain a weblog quickly and easily? Such difficulties are typically faced by just a few thousand people with specific and unusual requirements-too few to merit the attention of the big computer firms, but enough to provide opportunities for a growing band of homebrew coders who set out to develop niche products. In many cases these programmers are making a decent living in the process, thanks to the availability of high-speed internet connections, cheap web-hosting services and online-payment systems such as PayPal and Kagi-all of which make it quick and easy to distribute software and collect money from customers. The trend is also a response to the sorry state of the technology industry, following the bursting of the dotcom bubble. Where they could once command salaries of $100,000, programmers now worry about their jobs disappearing to India. So instead of waiting for things to improve, some have decided to strike out on their own. Brent Simmons is one such programmer. With the help of his wife, he runs Ranchero Software from his garage in Seattle. They make a clever piece of software called NetNewsWire, which runs on the Mac OS X operating system and makes it easy to read news and then post comments on to a weblog. I like being able to design and implement software and have the final say, says Mr Simmons. It's a higher level of creativity than working on someone else's software. I get to refine and market my own ideas. At $40 each, Mr Simmons needs to sell 2,000 copies of his program each year to earn what he would be paid as an employee elsewhere. Jonas Salling of Salling Software in Stockholm, meanwhile, has attracted a loyal following for his handy software utilities. One allows data from Microsoft's Entourage personal-information manager for Macintosh computers to be transferred to Sony Ericsson smartphones. The other allows such phones, and certain Palm handhelds, to be used as wireless remote-controls via a Bluetooth link. So you can, for example, advance slides in a presentation by clicking on your phone's keypad. The number of people who actually want to do this is quite small, but they want to do it enough to pay Mr Salling $10 for his software, which has won several awards. Even more successful are Gaurav Banga and Saurabh Aggarwbi, based in Sunnyvale, California. They sell VeriChat, a nifty piece of software that allows people to send and receive instant messages on smartphones, or on PocketPC and Palm handheld computers. VeriChat is sold on a subscription basis, and brings in $20 per user per year, collected via PayPal. The company's sales are expected to reach $1m this year. Another homebrew coder is Nick Bradbury, who lives in Franklin, Tennessee. He wrote one of the first web-publishing tools, called HomeSite, and sold it to Allaire, which is now part of Macromedia. Then he started Bradbury Software, which sells a web-page editor called TopStyle and a news-reading program called FeedDemon. Self-employment, he notes, has more than just financial benefits. I put in more hours, but those hours are very flexible, which in my case means I can spend a great deal of time with my two kids, he says. And he finds it very rewarding to know that his software is making people's lives a little easier-something I rarely, if ever, experienced while working in the corporate world. The phenomenon of the homebrew coder is not new, of course. For two decades, programmers have distributed their wares as shareware, initially through dial-up bulletin boards or via disks given away with computer magazines, and later via the internet. People can try a piece of software free of charge, and then send a cheque to its creator if they want to continue using it. This often entitles them to a registration code that unlocks extra
Career advise on entering the tech field
On Sun, 2004-03-14 at 07:36, Major Variola (ret) wrote: How are you going to land a sweet outsourced job if you ask others to do your homework? If Sarath is, in fact, a student who will soon be looking for work, he may do just fine. Getting a tech job has little to do with how much you know or how well you can do the work. Most of getting a job, at least in the US, has to do with putting together a resume that will get you a call-back, and with impressing the HR guys during the first interview. Neither of these need have any bearing on actual qualifications. Once he has a job in the tech field, someone with people skills sufficient to get others to do his work for him will get farther ahead than the techie who actually does the work. Of course, it's easier for a woman to pull this off in the typical tech-heavy company -- a woman just has to chat with the guys, whereas a man will have to actively brown-nose the bosses or ask favors of his co-workers.
Re: inverse finding
At 5:40 AM -0800 3/14/04, Sarad AV wrote: I can't stop outsourcing.Don't blame me.Blame your own govt. Bzzt. Right answer, wrong reason. Government don't cause markets. Cheers, RAH -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Re: inverse finding
At 09:55 PM 3/12/04 -0800, Sarad AV wrote: if gcd(a,m)=1, for a*a inverse==1 mod m is it better to find a invese=a^(m-2) mod m by binary exponentiation modulo m or is it more time efficient by extended euclids algorithm for large 'm'? I dunno, why don't you think about it some? How are you going to land a sweet outsourced job if you ask others to do your homework?
Re: Return of the homebrew coder
At 10:11 AM 3/14/04 -0500, R. A. Hettinga wrote: Return of the homebrew coder BEFORE Henry Ford unleashed the practice of mass production on the world, every little town had a few dozen artisans who made the lives of citizens easier. Software is also still in the craft stage where the designers actually do the building, in some cases. Know any architects that can handle an automatic nailer? The article doesn't address the real reason that lone software artisans (and small software businesses) can still exist: there are niches too small for Microsoft, not sexy enough for a squad of Open Source Gooncoders to replicate your work for free. Life in the 21st century feels like being a proto-mammal 65Mya, do not get squashed by the monster lizards nor noticed by the hungry others. Small, quick, furry, that's us. Sometimes it gets cold, the lizards can't move fast enough, so we eat them. Last two sentences sound like something Al Q could say :-)
Re: inverse finding
I can't stop outsourcing.Don't blame me.Blame your own govt. Sarath. --- Major Variola (ret) [EMAIL PROTECTED] wrote: At 09:55 PM 3/12/04 -0800, Sarad AV wrote: if gcd(a,m)=1, for a*a inverse==1 mod m is it better to find a invese=a^(m-2) mod m by binary exponentiation modulo m or is it more time efficient by extended euclids algorithm for large 'm'? I dunno, why don't you think about it some? How are you going to land a sweet outsourced job if you ask others to do your homework? __ Do you Yahoo!? Yahoo! Mail - More reliable, more storage, less spam http://mail.yahoo.com
Re: inverse finding
I can't stop outsourcing.Don't blame me.Blame your own govt. Holy Shit, Sarath...what's that got to do with Variola's little quip? And are you trying to suggest (On Cypherpunks, of all places) that the US government should somehow regulate outsourcing? (Me, I work with outsourced experts all the time and for the most part it works out just fine. However, if the US government should do anything, it should be to level the playing field so that outsourced jobs don't go to countries which have no child labor laws, no pollution control or etc..., and even on this I'll probably get hammered on THIS list, which in general doesn't really trust ANY government to do much at all besides shore up its own power) -TD From: Sarad AV [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Re: inverse finding Date: Sun, 14 Mar 2004 05:40:43 -0800 (PST) I can't stop outsourcing.Don't blame me.Blame your own govt. Sarath. --- Major Variola (ret) [EMAIL PROTECTED] wrote: At 09:55 PM 3/12/04 -0800, Sarad AV wrote: if gcd(a,m)=1, for a*a inverse==1 mod m is it better to find a invese=a^(m-2) mod m by binary exponentiation modulo m or is it more time efficient by extended euclids algorithm for large 'm'? I dunno, why don't you think about it some? How are you going to land a sweet outsourced job if you ask others to do your homework? __ Do you Yahoo!? Yahoo! Mail - More reliable, more storage, less spam http://mail.yahoo.com _ Get a FREE online computer virus scan from McAfee when you click here. http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963
Re: [p2p-hackers] Ideas for an opensource Skype lookalike (fwd from em@em.no-ip.com)
On Sat, 13 Mar 2004, Eugen Leitl wrote: - Forwarded message from Enzo Michelangeli [EMAIL PROTECTED] - - Directories for location and presence. Nothing fancy here, already done before for P2P chat systems. I think I suggested it already somewhere. Use Jabber. Use Jabber ID instead of the phone number. This, if properly standardized, may open a way for small-scale third-party services, PSTN-to-VOIP gateways. Pay a small sum, get a phone number mapped to your Jabber ID, eg. in the scheme [+country-prefix][local-number-with-PABX][extension], where [extension] is mapped to the VoIP ID. That way, one person with one (or more) Jabber ID could be reachable on multiple phone numbers in multiple countries, local call in each of them. Maybe could be done as an extension for Jabber protocol, or maybe as in-band (so if you won't have a compatible Jabber client, you'd get the connection request in plaintext on your screen, kind of like what you'd get with nc -l -p 80 instead of running a webserver); this would have the advantage of being able to run as a proxy between a client of your choice and the Jabber server. snip What Speakfreely sorely lacks is a sensible session initiation protocol, and access to non-NATted reflectors to help NATted peers to find each other and exchange UDP traffic. That's where a P2P network (especially one supporting the concept of non-NATted ultrapeers) can save the day. I thought about a Jabber proxy that could launch SpeakFreely with specified parameters if being asked to. Do the connection negotiations over Jabber: request connection, be offered the capabilities (protocol to use, codecs, encryption algorithms...), pick your choices, then the proxies on both sides launch SpeakFreely (or other program of your choice) with the required parameters (eg, direct connection, if to use a reflector (and what one) when both are behind NAT, who initiates the connection when only one is behind NAT, ...). Other possibility is to not act as a proxy at all, but be just another Jabber resource (as I think you can be connected from multiple places at once with the same JID but different resource, but I don't really know enough about it to be sure it's viable and how well it will play with the clients already in the wild), and run as a separate client.
Re: Return of the homebrew coder
Major Variola (ret) [EMAIL PROTECTED] writes: Life in the 21st century feels like being a proto-mammal 65Mya, do not get squashed by the monster lizards nor noticed by the hungry others. Small, quick, furry, that's us. Sometimes it gets cold, the lizards can't move fast enough, so we eat them. Last two sentences sound like something Al Q could say :-) May you start to sound like John Young.
Re: 'Special skills draft' on drawing board
R. A. Hettinga (2004-03-14 23:42Z) wrote: http://sfgate.com/cgi-bin/article.cgi?file=/c/a/2004/03/13/MNG905K1BC1.DTLtype=printable Richard Flahavan, a spokesman for the Selective Service System, said planning for a possible draft of linguists and computer experts had begun last fall after Pentagon personnel officials said the military needed more people with skills in those areas. A targeted registration and draft is is strictly in the planning stage, said Flahavan, adding that the whole thing is driven by what appears to be the more pressing and relevant need today -- the deficit in language and computer experts. Computer experts? In-crip-shin? Dig-a-tail? I don't KNO3 nothin'. Donald Fauntleroy Duckfeld ought to be planning a draft of philosopher-ayatollahs. -- That woman deserves her revenge... and... we deserve to die. -- Budd, Kill Bill
'Special skills draft' on drawing board
http://sfgate.com/cgi-bin/article.cgi?file=/c/a/2004/03/13/MNG905K1BC1.DTLtype=printable www.sfgate.com 'Special skills draft' on drawing board Computer experts, foreign language specialists lead list of military's needs Eric Rosenberg, Hearst Newspapers Saturday, March 13, 2004 ©2004 San Francisco Chronicle | Feedback | FAQ URL: sfgate.com/cgi-bin/article.cgi?file=/c/a/2004/03/13/MNG905K1BC1.DTL Washington -- The government is taking the first steps toward a targeted military draft of Americans with special skills in computers and foreign languages. The Selective Service System has begun the process of creating the procedures and policies to conduct such a targeted draft in case military officials ask Congress to authorize it and the lawmakers agree to such a request. Richard Flahavan, a spokesman for the Selective Service System, said planning for a possible draft of linguists and computer experts had begun last fall after Pentagon personnel officials said the military needed more people with skills in those areas. Talking to the manpower folks at the Department of Defense and others, what came up was that nobody foresees a need for a large conventional draft such as we had in Vietnam, Flahavan said. But they thought that if we have any kind of a draft, it will probably be a special skills draft. Defense Secretary Donald Rumsfeld has said he would not ask Congress to authorize a draft, and officials at the Selective Service System, the independent federal agency that would organize any conscription, stress that the possibility of a so-called special skills draft is likely far off. A targeted registration and draft is is strictly in the planning stage, said Flahavan, adding that the whole thing is driven by what appears to be the more pressing and relevant need today -- the deficit in language and computer experts. We want to gear up and make sure we are capable of providing (those types of draftees) since that's the more likely need, the spokesman said, adding that it could take about two years to to have all the kinks worked out. The agency already has in place a special system to register and draft health care personnel ages 20 to 44 in more than 60 specialties if necessary in a crisis. According to Flahavan, the agency will expand this system to be able to rapidly register and draft computer specialists and linguists, should the need ever arise. But he stressed that the agency had received no request from the Pentagon to do so. The issue of a renewed draft has gained attention because of concerns that U.S. military forces are over-extended. Since the Sept. 11, 2001, terrorist strikes, U.S. forces have fought two wars, established a major military presence in Afghanistan and Iraq and are now taking on peacekeeping duties in Haiti. But Congress, which would have to authorize a draft, has so far shown no interest in renewing the draft. Legislation to reinstitute the draft, introduced by Rep. Charles Rangel, D-N.Y., has minimal support with only 13 House lawmakers signing on as co- sponsors. A corresponding bill in the Senate introduced by Sen. Fritz Hollings, D-S.C., has no co-sponsors. The military draft ended in 1973 as the American commitment in Vietnam waned, beginning the era of the all-volunteer force. Mandatory registration for the draft was suspended in 1975 but resumed in 1980 by President Jimmy Carter after the Soviets invaded Afghanistan. About 13.5 million men, ages 18 to 25, are registered with the Selective Service. But the military has had particular difficulty attracting and retaining language experts, especially people knowledgeable about Arabic and various Afghan dialects. To address this need, the Army has a new pilot program underway to recruit Arabic speakers into the service's Ready Reserves. The service has signed up about 150 people into the training program. A Pentagon official familiar with personnel issues stressed that the armed forces were against any form of conscription but acknowledged the groundwork already underway at the Selective Service System. We understand that Selective Service has been reviewing existing organizational mission statements to confirm their relevance for the future, the official said. Some form of 'special skills' registration, not draft, has been a part of its review. -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Re: inverse finding
--- Tyler Durden [EMAIL PROTECTED] wrote: And are you trying to suggest (On Cypherpunks, of all places) that the US government should somehow regulate outsourcing? It doesnot matter what i think.Neither can I help it It already is http://news.bbc.co.uk/1/hi/business/3535893.stm Any way,I am enlightened. :) Sarath. __ Do you Yahoo!? Yahoo! Mail - More reliable, more storage, less spam http://mail.yahoo.com
If You Want to Protect A Security Secret, Make Sure It's Public
http://online.wsj.com/article_print/0,,SB107930573476054980,00.html The Wall Street Journal March 15, 2004 PORTALS By LEE GOMES If You Want to Protect A Security Secret, Make Sure It's Public Here is some news that is shocking but true: The most sensitive, most highly classified secrets of the U.S. government will soon be in the hands of two foreigners, both of them self-described Linux hackers. It's nothing to be alarmed about, though. Joan Daemen and Vincent Rijmen, two Belgian mathematicians, won a U.S.-sponsored global competition in 2000 to design the encryption system that will henceforth encode the secret communications of the U.S. government. The contest was an entirely open affair, and the winners selected after a lengthy public process. You can go online yourself and test the Daemen-Rijmen Advanced Encryption Standard, assuming you're handy with the likes of matrix multiplication. It seems that the world's cryptographers, while dealing with keeping secrets, do most of their work in public. That's worth remembering as the country moves to electronic voting. The connection between cryptography and voting may not be immediately apparent. But in both fields, the integrity of something secret must be maintained, often in very hostile circumstances. After the Florida recount debacle, there is now a big push in the U.S. toward electronic-voting systems; 50 million people are expected to be using them this November. The problem is that most of the systems being purchased by local election officials are proprietary, black box solutions sold by companies who, citing trade secret issues, won't let others look inside them. It's not just conspiracy theorists who are worried about this, but leading computer scientists. Proprietary balloting software leaked by corporate insiders has been discovered by outside evaluators to be full of security holes. Thus, the good folks working to guarantee secret ballots should learn something from the people who work to guarantee secret messages. They never trust anyone who says trust us. The basic approach in modern cryptography is to keep the pattern of your specific key a secret, but not to worry if the overall design of your lock gets out. It's called Kerckhoffs' Principle, after Auguste Kerckhoffs, a 19th-century cryptographer who, like Messrs. Daemen and Rijmen, was Flemish. He listed six guidelines for a reliable encryption system. No. 2 was, It must not be required to be secret, and it must be able to fall into the hands of the enemy without inconvenience. The idea is counterintuitive, and for most of the long history of secret codes, it was ignored. But with the rise of computer-assisted cryptography in the past 50 years or so, there has been a sea change in the working assumptions of cryptographers. Now, you can't get good cryptography by designing in secret, says Whitfield Diffie, co-inventor of the public key encryption system that revolutionized the field, and currently chief security officer at Sun Microsystems. If you use the Internet, you are using an alphabet soup of different encoding methods, all available for public inspection: RSA, SSL and more. Many security problems exist on the Internet, but none involve these algorithms. Why make this stuff public? Because even the smartest people make mistakes. David Kahn, author of The Codebreakers, says that hubris is something of an occupational hazard among code makers. One of the patterns in cryptographic history is how people always believe the system they just created is unbreakable, he says. Someone very clever will create a cipher, but then someone even cleverer will come along and find a flaw in it. Mr. Kahn notes that the German businessmen who began selling the famed Enigma machine in the 1920s thought they had an unbreakable system. They marketed the device by boasting that even if someone else had an Enigma, he couldn't read your messages. Lucky for us, they were wrong. Polish, and later British, cryptographers were able to defeat Enigma, in part because at least in the early years, it gave away a clue by repeating the first three characters of a transmission twice in a row. These days, tens of thousands of cryptographers use the Internet as a kind of global Bletchley Park, the famed World War II site where the British cracked Enigma. Indeed, cryptographer Paul Kocher notes a pattern: Cryptographic systems developed in public tend to stand up; those developed in secret, like those for DVD systems or European-style GMS phones, often get broken. But if the entire world can see your encryption method, couldn't some smart bad guy find a flaw in it and quietly use the information against you? In theory, yes. But the real world doesn't work that way. Think of all the graduate students eager to make a name for themselves by pointing out someone else's mistake. Mr. Kocher, for instance, is a cryptocelebrity because as a student, he found a subtle but serious theoretical flaw in the
Re: If You Want to Protect A Security Secret, Make Sure It's Public
R. A. Hettinga (2004-03-15 02:07Z) wrote: http://online.wsj.com/article_print/0,,SB107930573476054980,00.html If You Want to Protect A Security Secret, Make Sure It's Public What is terrible article titles for $500, Alex? -- That woman deserves her revenge... and... we deserve to die. -- Budd, Kill Bill
