Re: Email tapping by ISPs, forwarder addresses, and crypto proxies
Thomas Shaddack writes: Reading some news about the email wiretapping by ISPs, and getting an idea. There are various email forwarding services, which are nothing more than a SMTP server with pairs of [EMAIL PROTECTED] -- [EMAIL PROTECTED] Right, mostly for use as disposable email addresses. I've used spamgourmet to good effect, myself. Messages in storage have much lower judicial protection than messages in transit. (This does not have much technical merit, in the current atmosphere of damn the laws - there are terrorists around the corner, but can be seen as a nice little potential benefit.) One thing I haven't understood in all the commentary is whether law enforcment still needs a warrant to access emails stored in this way. Apparently the ISP can read them without any notice or liability, but what about the police? Also, what if you run your own mail spool, so the email is never stored at the ISP, it just passes through the routers controlled by the ISP (just like it passed through a dozen other routers on the internet). Does this give the ISP (and all the other router owners) the right to read your email? I don't think so, it seems like that would definitely cross over the line from mail in storage to mail in transit. There can be an easy enhancement for such forwarder service; GnuPG proxy. Every email that arrives to the forwarder address, before it is forwarded to the real recipient, is piped through a GnuPG script; the recipient has then to upload his public key during the registration of the target address, otherwise the function is the same. That's a great idea. You'd want to be sure and encrypt the whole message including headers, and make the whole thing an encrypted attachment. Has the added side benefits of compressing the email, and you could even have the server do some spam filtering. For added benefit, the forwarder should support SMTP/TLS (STARTTLS) extension, so the connections from security-minded owners of their own mailservers would be protected. STARTTLS support at the proxy should pretty much go without saying these days, so you might as well do it, but if you're already PGP encrypting then it's not adding that much security. Well, maybe it does, but you're talking about a different threat. For the problem that ISPs can read your email in storage, STARTLS doesn't help much because it will only protect the email until it gets to your local ISP, who will store your email for you and can read it then (which is where the PGP comes in). Where STARTTLS would help is with power users who run their own mail servers. But those people don't suffer from the problem we are talking about here, legal access to the email by the ISP (I think, see above). Nevertheless a mail-receiving proxy that uses STARTTLS connections to power users would be kind of cool because it would keep anyone local from knowing anything about the incoming mail. Hopefully, STARTTLS will eventually become so widespread that this functionality will be redundant, but we are not there yet. The recipient himself then can either run his own mailserver and download mails through fetchmail, or receive mails using SMTP/ETRN (both methods allow automated decryption of such wrapped mail during its receiving), or use a POP/IMAP decryption proxy, or have a plugin in mail client. (I know, auto-decryption is dangerous, but we now talk about the system for one's grandma, transparent to use.) Absolutely, look at the threat model. You're not worried about someone breaking into your computer, you're worried about your ISP legally reading your email. To address this threat, auto-decryption is a perfect solution. Recently there was a proposal for a nym receiving service, http://www.freehaven.net/doc/pynchon-gate/, by Bran Cohen and Len Sassaman. They have a complicated protocol for downloading email anonymously. To hide the complexity, they propose to set up a POP compatible mail server agent on the user's computer running as a daemon process (Windows service). He would configure his mailer to connect to localhost:4949 or whatever, just like any other POP server. The service would periodically go out and poll for email using the fancy protocol, but then it would make it available to the local mail agent in perfectly vanilla form. The point is that this architecture hides the complexity and makes it transparent for end users to use arbitrarily complex crypto for mail receiving. Something similar would be perfect for your idea. The only vulnerable parts of the mail route then will be the sender's computer, the pathway between the sender and the forwarder server (if SMTP/TLS is not used correctly or at all), the forwarder server (if compromised), and the recipient's computer. The way between the forwarder and the recipient's ISP, including the recipient's mailbox, is secured. What do you think about this scheme? I think it's a great idea. Of course as you say
Re: Email tapping by ISPs, forwarder addresses, and crypto proxies
On Tue, Jul 06, 2004 at 11:36:11PM -0700, Major Variola (ret) wrote: At 06:58 AM 7/7/04 +0200, Eugen Leitl wrote: I can't imagine any intelligence professional wasting her time reading the crap at times coming over this list. Frankly sir, that's because you have no idea of their budget, or their fascistic urges.Its not paranoia to think you're tapped, its rationality. Of course we're tapped, despite funky headers like Received: from positron.jfet.org (positron.jfet.org [66.136.223.122]) (using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)) (Client CN positron.mit.edu, Issuer positron.mit.edu (not verified)) by leitl.org (Postfix) with ESMTP id BDD9D3A8326 for [EMAIL PROTECTED]; Wed, 7 Jul 2004 08:39:41 +0200 (CEST) Received: from positron.jfet.org (localhost [127.0.0.1]) by positron.jfet.org (8.12.11/8.12.11/Debian-3) with ESMTP id i676giK6021720 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for [EMAIL PROTECTED]; Wed, 7 Jul 2004 01:42:44 -0500 just don't fool yourself about all your fans at Mt. Spook central ejecting coffee through their nose at our jokes and witticisms. Databases, despite much improved, don't have a good sense of humor. -- Eugen* Leitl a href=http://leitl.org;leitl/a __ ICBM: 48.07078, 11.61144http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE http://moleculardevices.org http://nanomachines.net pgpBX7H8lAFAM.pgp Description: PGP signature
Re: UBL is George Washington
At 09:32 PM 7/5/04 +0200, Anonymous wrote: Major Variola (ret) writes: The yanks did not wear regular uniforms and did not march in rows in open fields like Gentlemen. Asymmetric warfare means not playing by *their* rules. But asymm warfare has to accomplish its goal. It's not being very successful. Worked for Gen W. The only people who are siding with al-qaeda are those whose brains are already mush -statist socialists, to be precise. Of course their brains are mush, they are *religious*. Much like the xian loonies in DC God, we pray that our actions here give some glory back to you. We live in grace even here, and we are not afraid of death. ... None of us wants to die here, but death is the blink of an eye, and you wake up in paradise. US Navy Chaplain Wayne Hall http://msnbc.msn.com/id/4717595/ But you get better post-mortem sex if you're Muslim. If al qaeda bombed government buildings or targetted the private residences or offices of government officials, they might get more sympathy, from me at least. Destroying an pair of buildings and killing thousands of citizens -most of whom couldn't give an accurate account of U.S. forces distribution in the MidEast- is not a step forward. They are not after sympathy, they are after your attention. As in, don't tread on me. As in, get your filthy hands off my desert. As in, death to the Romans. The pentagon hit was apropos, but the pilot hit the wrong side. Still, nice taking it home like that. Not even UBL, who knows civil engineering, expected a pair of implosions. The pigs, fireman, civilians, etc were collateral damage --the point was the video. But architects have to show off, so down they went. Live and learn. But the replacement will be taller, a tower of Babel. More targets: soft targets with videocameras. Disneyland, Olympics, and of course kindergartens on days when parents would be there with cameras. Synchronized of course, so you have zero doubt who it was. Although they're religious, they know engineering and psyops as well as the xian loony hegemonists in DC. Basically its like this: even neighborhood bullies have to sleep. A wimp with a gallon of gasoline can make a point. David Goliath, remember? All's fair in love and war, baby.
Re: UBL is George Washington
On 2004-07-05T21:32:16+0200, Anonymous wrote: Major Variola (ret) writes: The yanks did not wear regular uniforms and did not march in rows in open fields like Gentlemen. Asymmetric warfare means not playing by *their* rules. But asymm warfare has to accomplish its goal. It's not being very successful. The only people who are siding with al-qaeda are those whose brains are already mush -statist socialists, to be precise. If al qaeda Who cares who sides with Al Qaeda? They're not keeping track of their sympathizers. It's foreign policy change, social change (reform perhaps?), and volunteers for martyrdom they want, not rhetorical support. bombed government buildings or targetted the private residences or offices of government officials, they might get more sympathy, from me at least. The WTC and the pentagon were specific, well-thought-out targets. The plane that crashed in PA was headed to the Capitol. If you're so eager to see Al Qaeda blow up better targets, why not suggest a few? Destroying an pair of buildings and killing thousands of citizens -most of whom couldn't give an accurate account of U.S. forces distribution in the MidEast- is not a step forward. As everyone else pointed out, Even though the 9/11 attacks may not have garnered your support, it accomplished other objectives.
Re: Email tapping by ISPs, forwarder addresses, and crypto proxies
At 02:47 PM 7/6/04 -0700, Hal Finney wrote: Messages in storage have much lower judicial protection than messages in transit. (This does not have much technical merit, in the current atmosphere of damn the laws - there are terrorists around the corner, but can be seen as a nice little potential benefit.) Ie zero. One thing I haven't understood in all the commentary is whether law enforcment still needs a warrant to access emails stored in this way. Apparently the ISP can read them without any notice or liability, but what about the police? You are state meat, whether 5150'd or not. Also, what if you run your own mail spool, so the email is never stored at the ISP, it just passes through the routers controlled by the ISP (just like it passed through a dozen other routers on the internet). Does this give the ISP (and all the other router owners) the right to read your email? I don't think so, it seems like that would definitely cross over the line from mail in storage to mail in transit. If you think the cable landings in Va/Md are coincidental, you are smoking something I've run out of. Its all recorded. I'm sure the archiving and database groups in Ft. Meade will get a chuckle out of your the right to idioms.
Re: UBL is George Washington
At 08:44 PM 7/6/04 +, Justin wrote: It may be that the only way out is through, and that the only way to be free from Western Imperialism is to cause it to strangle itself. You don't get it. The way to be free from Colonialists is to remind the folks *behind the Colonialism* that they are not immune just because they are bordered by oceans and 0wn3d northern and southern placid colonies. UBL understands democracy better than most. Strangling has nothing to do with it; Tim May used to encourage such self-suffication, but that's not the Jihad plan. The plan is to provide negative reinforcement. How do you say that in Spanish?
Re: Email tapping by ISPs, forwarder addresses, and crypto proxies
If you think the cable landings in Va/Md are coincidental, you are smoking something I've run out of. Its all recorded. I'm sure the archiving and database groups in Ft. Meade will get a chuckle out of your the right to idioms. Well, I don't actually believe it's all recorded. As I've attempted to explain previously, they almost certainly have risk models in place. When several variables twinkle enough (eg, origination area, IP address, presence of crypto...) some rule fires and then diverts a copy into the WASP'S Nest. There's probably some kind of key word search that either diverts the copy into storage or into the short list for an analyst to peek it. -TD From: Major Variola (ret) [EMAIL PROTECTED] To: [EMAIL PROTECTED] [EMAIL PROTECTED] Subject: Re: Email tapping by ISPs, forwarder addresses, and crypto proxies Date: Tue, 06 Jul 2004 21:40:29 -0700 At 02:47 PM 7/6/04 -0700, Hal Finney wrote: Messages in storage have much lower judicial protection than messages in transit. (This does not have much technical merit, in the current atmosphere of damn the laws - there are terrorists around the corner, but can be seen as a nice little potential benefit.) Ie zero. One thing I haven't understood in all the commentary is whether law enforcment still needs a warrant to access emails stored in this way. Apparently the ISP can read them without any notice or liability, but what about the police? You are state meat, whether 5150'd or not. Also, what if you run your own mail spool, so the email is never stored at the ISP, it just passes through the routers controlled by the ISP (just like it passed through a dozen other routers on the internet). Does this give the ISP (and all the other router owners) the right to read your email? I don't think so, it seems like that would definitely cross over the line from mail in storage to mail in transit. If you think the cable landings in Va/Md are coincidental, you are smoking something I've run out of. Its all recorded. I'm sure the archiving and database groups in Ft. Meade will get a chuckle out of your the right to idioms. _ MSN 9 Dial-up Internet Access helps fight spam and pop-ups now 2 months FREE! http://join.msn.click-url.com/go/onm00200361ave/direct/01/
Re: Privacy laws and social engineering
On Tue, 6 Jul 2004, Major Variola (ret) wrote: So, which is better, Schneier's books or Mitnick's? I suspect the former, but am curious what the community opinion is? You may like one side of the coin more than the other one, but they still belong to the same flat, dirty, formerly shiny and now dull and mildly corroded disc of an alloy of not so noble metals. Sometimes you get access by telnet. Sometimes by a voice call. Hack the mainframe. Hack the secretary. What's better? (Okay, I agree, you can't sleep with the mainframe.) There are many ways to the hilltop. Some travelers argue what one is better. Others quarrel if the hilltop is more important than the pathway or the other way. Some don't care and march forward. I feel zen today.
Re: UBL is George Washington
Somebody wrote WTC doesn't make sense as a target Everybody I knew was _much_ more upset about the WTC than the Pentagon. As one friend put it I don't care about the Pentagon. Now, partly that's because of the shock of the buildings collapsing, which seemed much more dramatic than the Pentagon getting an edge dented. And it's partly because 3000 people died, and 30,000 _could_ have died, but a lot of it's because attacking New York City is attacking American society, which was tremendously damaging to morale, while attacking the Pentagon is attacking the military, who spend their time attacking other people so all's fair. And the Feds planting anthrax in the Senate building and other places to keep us even more scared about terrorism so we'd be obedient really did make things worse. Tyler Durden [EMAIL PROTECTED] writes: If they took out a few key COs downtown one morning the effect on the economy would be significant. The effects on American business were dramatic, but for the telecommunications industry the big problems weren't the COs, they were the year-long disappearance of the travel industry (which uses huge amounts of high-value call center calls) and the general decline in the economy, and trashing business in Wall Street, plus it was kicking us while were were down because the dot-com crash and the related crash in the telecom industry were already going on. The loss of the CO capacity was somewhat balanced by the fact that nobody was allowed anywhere near that area to work. The Verizon CO was much more of a problem than the ATT one, partly because it had lots of access lines, while we mostly had a smaller number of larger trunks that are easier to reroute, plus fiber access rings which were mostly diverse, plus all the now-dead access lines from the Verizon POP. Industry did respond with a huge amount of diversification - taking out a CO today would cause much less damage, plus the huge increase in telecommuting means that offices are usually a less critical resource. At 07:42 PM 7/6/2004, Peter Gutmann wrote: If OBL took out (say) that huge ATT CO in the center of Manhattan (the skyscraper that looks like something out of a SF film), Do you mean the building that looks like antique furniture? That's just office space, and I think we'd sold it by then. Or does one of the actual POPs have old microwave dishes on the roof? every cellphone user in the country who's had any dealings with ATT would help him pack the explosives. Sigh. We've sold off ATT Wireless as a business and still nobody realizes it... I think they were still relatively popular back then, though they had real problems around New York City keeping up with rapidly-growing demand. But yeah, the best thing about them these days is that Cingular's buying them, so my stock has zoomed up to almost half what I paid for it instead of 10-20%. Bill Stewart [EMAIL PROTECTED]
Switzerland forcing registration of PrePay customers
- Forwarded message from NEXTEL-1 - -- Switzerland forcing registration of PrePay customers The Swiss parliament decided last year to make registration mandatory for prepaid cards. By law, all mobile providers will have be able to provide information about customers buying their prepaid products for at least two years after the purchase. As of 1 July 2004, customers will have to register when buying a prepaid card from Swisscom Mobile (NATEL easy). Those who started using their NATEL easy cards on or after 1 November 2002 will have to register retrospectively. The authorities are aiming to limit the misuse of prepaid cards by these measures. Customers will be registered when they buy a NATEL easy SIM card. For verification, proof of identity will be required in the form of a valid passport, identity card or other travel document accepted for entry into Switzerland. In addition to the customer's personal details, Swisscom Mobile must also record the type of and number of the form of identification presented. The NATEL easy card will only be activated for use when all the necessary customer details have been recorded. Customers attempting to make calls with an unregistered prepaid card will hear a greeting prompting them to register their NATEL easy card. Retrospective registration until end of October 2004 On 23 June 2004, the Federal Council decided that prepaid customers who started using SIM cards on or after 1 November 2002 would have until 31 October 2004 to register. Swisscom Mobile will seek to ensure that the registration of these customers takes place in line with the statutory requirements and in as customer-friendly a manner as possible. The customers affected will be prompted via SMS to register their SIM cards. Registration can be made wherever Swisscom Mobile NATEL subscriptions can be purchased. In addition to the customers' personal details, Swisscom Mobile will also have to record their SIM card and mobile phone numbers. In accordance with the regulation, Swisscom Mobile will be obliged to block the access of customers who have not registered by 31 October 2004. Retrospective registration also applies to those prepaid customers who have already registered voluntarily with Swisscom Mobile in the past. The only exceptions are NATEL® easy customers who have registered formally (i.e. on presentation of a valid passport or identity card) in a Swisscom Shop since the middle of April 2004. On the basis of current information, Swisscom Mobile believes that several hundred thousand NATEL easy customers will have to register retrospectively. Posted to the site on 05-Jul-04 http://www.cellular-news.com/story/11407.shtml -- Dave Emery N1PRE, [EMAIL PROTECTED] DIE Consulting, Weston, Mass 02493
Privacy laws and social engineering
A friend of mine botched a suicide attempt and in order to get any info I (we) pretended we were stepbrothers. It occurred to me a half hour later that we had the same first names. So it must have been confusing to our fictious stepmom :-) But if you play up a story about dysfunctional separated families, and adopting middle names as True Names, you can quickly get the questioner to feel uncomfortable enough to accept your ploy. Despite HIPAA. Welcome to the world of social engineering, Major. So, which is better, Schneier's books or Mitnick's? I suspect the former, but am curious what the community opinion is? Note that I am generally a guile-less person who does not weave arbitrarily complex webs of lies. In fact, brutally honest at times. But sometimes circumstances (like a brain damaged virtual brother) demand it. And I was bemused at my ability to maintain it. And multiple nurses/MDs to accept it. --- While interviewing for a security job, I overheard the building-guards shout passwords for the building as I waited in the lobby. I thought it a test at first, but realized later it was reality, in all its glory. The passwords were regexps based on the company's name, of course. I mentioned this to my future quasiboss, who dug it. Which made me feel better about him. PS: Major kiratsu do not appreciate extreme programming (or keeping the building open past 8PM). Dinosaurs whose eggs were eaten by warm furry little mutants did not do so well. Though aligators eat a few kids a year in FLA, and an ostrich can kick your ass, I ask you: who rules, mammals or reptiles and birds? Still, its a job, and a job these days is a pearl, even if the tech is succeptible to reverse engineering, which you try to point out but are told its ok to be lame. Maybe they'll hire me after the contract and we can do some PK/cert work for real. Or maybe they'll move strong passphrases around with PGP email. One can hope, if only to keep one's upper lip stiff, one's faith in mankind nominally intact. Hard sometimes. PS: what is Michael Jackson's medical report worth in the free market?
Re: Email tapping by ISPs, forwarder addresses, and crypto proxies
At 02:47 PM 7/6/2004, Hal Finney wrote: Thomas Shaddack writes: There are various email forwarding services, which are nothing more than a SMTP server with pairs of [EMAIL PROTECTED] -- [EMAIL PROTECTED] Right, mostly for use as disposable email addresses. I've used spamgourmet to good effect, myself. They're also marketed as permanent addresses you can keep when you change ISPs, for example pobox.com was one of the first ones. Unfortunately, as far as I know, none of the forwarders let you forward mail from [EMAIL PROTECTED] to [EMAIL PROTECTED], which means that they don't support tag-based spam protection. When I want disposable addresses, I either use free providers, or I use tagged addresses at free / cheap providers like fastmail.fm. One thing I haven't understood in all the commentary is whether law enforcment still needs a warrant to access emails stored in this way. Apparently the ISP can read them without any notice or liability, but what about the police? Councilman currently only affects the First Circuit (the Northeast), and it was only the three-judge-panel version of the Appeals Court, so he could appeal it to the full court before going to the Supremes. My reading of the opinions is that the two majority judges totally failed to grasp the technology, while the dissenting judge got it, so even if the opinion stands, it's very narrow in scope - but it's a strong reminder that the current laws don't protect stored email very well, and that if judges aren't technical enough to understand it when it's laid out in front of their faces, they're certainly not going to be sufficiently uncooperative when police try to get warrants or subpoenas (or at least it probably won't be hard for police to find a cooperative judge.) Also, in the Steve Jackson Games case, the courts and Feds got away with declaring that the ECPA didn't apply to mail that had arrived in mailboxes, only to mail that was in transit. It's not clear that ISPs in general can read mail without any notice or liability - just that the obvious readings of the law that Councilman sued them under don't currently work in the 1st Circuit. He might have tried various business-related torts successfully, but the wiretapping laws looked like a slam-dunk. But that doesn't usually work against police, just businesses. Police reading mail like this really is a different case - they either need some kind of court papers to hand the ISP (though these days the Patriot Act seems to be used to justify almost anything and place a gag order on the activity, and a subpoena is easier to get than a warrant), or they need some bogus justification that the ISP has to obey administrative requests that aren't court-issued, or they need to wiretap the bits legally. Also, what if you run your own mail spool, so the email is never stored at the ISP, it just passes through the routers controlled by the ISP (just like it passed through a dozen other routers on the internet). Does this give the ISP (and all the other router owners) the right to read your email? I don't think so, it seems like that would definitely cross over the line from mail in storage to mail in transit. One scary thing about Councilman was that it happened in a case where the government was vaguely neutral and responsible for protecting the citizen's privacy - when the prosecutors are _trying_ to get outrageously twisted anti-privacy rulings they're more likely to win. In particular, does a message count as in transit if you're only hauling IP packets around with parts of the message rather than the whole message, or does each part count as in storage when it's gotten to a router that has to queue it before forwarding it on to the next hop? Or if the whole message is queued in your ISP's sendmail queue because you've got an MX there? What about _outgoing_ mail queued at your ISP, who's being a good anti-spammer and forcing you to use their mail transfer agent instead of sending directly to the destination? There can be an easy enhancement for such forwarder service; GnuPG proxy. There are several different threat models to think about - - Greedy ISP reading your mail for their own purposes - ISP responding to court-ordered wiretapping - ISP collaborating enthusiastically with police - Police wiretapping without court orders - All of the above, but for stored mailboxes, not in-transit - All of the above, but for traffic analysis / headers, not content Mail-handling services don't prevent any of the in-transit threats, but they can eliminate most of the threats to stored mailboxes, and they do let you move your vulnerability to a different jurisdiction, which can potentially reduce the likelihood that they'll wiretap you there. For instance, if you're using your local cable modem company for mailbox services, and you annoy your local police, they may try to tap you, but police in Anguilla will probably only try to tap you if you've gotten the US Feds or MI5/MI6 annoyed. Police in Sealand
Re: UBL is George Washington
Destroying an pair of buildings and killing thousands of citizens -most of whom couldn't give an accurate account of U.S. forces distribution in the MidEast- is not a step forward. Well, I think that was the point. At least, Al-Qaeda was saying (amongst other things) that the US public could no longer remain ignorant of US force activities. Or at least not without significant reprecussions. It's debateable wether they acheived this, however. The Spanish got the message, however. -TD From: Justin [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Re: UBL is George Washington Date: Tue, 6 Jul 2004 16:31:16 + On 2004-07-05T21:32:16+0200, Anonymous wrote: Major Variola (ret) writes: The yanks did not wear regular uniforms and did not march in rows in open fields like Gentlemen. Asymmetric warfare means not playing by *their* rules. But asymm warfare has to accomplish its goal. It's not being very successful. The only people who are siding with al-qaeda are those whose brains are already mush -statist socialists, to be precise. If al qaeda Who cares who sides with Al Qaeda? They're not keeping track of their sympathizers. It's foreign policy change, social change (reform perhaps?), and volunteers for martyrdom they want, not rhetorical support. bombed government buildings or targetted the private residences or offices of government officials, they might get more sympathy, from me at least. The WTC and the pentagon were specific, well-thought-out targets. The plane that crashed in PA was headed to the Capitol. If you're so eager to see Al Qaeda blow up better targets, why not suggest a few? Destroying an pair of buildings and killing thousands of citizens -most of whom couldn't give an accurate account of U.S. forces distribution in the MidEast- is not a step forward. As everyone else pointed out, Even though the 9/11 attacks may not have garnered your support, it accomplished other objectives. _ Check out the latest news, polls and tools in the MSN 2004 Election Guide! http://special.msn.com/msn/election2004.armx
Re: Email tapping by ISPs, forwarder addresses, and crypto proxies
At 06:58 AM 7/7/04 +0200, Eugen Leitl wrote: I can't imagine any intelligence professional wasting her time reading the crap at times coming over this list. Frankly sir, that's because you have no idea of their budget, or their fascistic urges.Its not paranoia to think you're tapped, its rationality. --- Stop shedding our blood to save your own and the solution to this simple but complex equation is in your hands. You know matters will escalate the more you delay and then do not blame us but blame yourselves. Rational people do not risk their security, money and sons to appease the White House liar.
Re: Privacy laws and social engineering
At 08:10 AM 7/7/04 +0200, Thomas Shaddack wrote: On Tue, 6 Jul 2004, Major Variola (ret) wrote: So, which is better, Schneier's books or Mitnick's? I suspect the former, but am curious what the community opinion is? You may like one side of the coin more than the other one, but they still belong to the same flat, dirty, formerly shiny and now dull and mildly corroded disc of an alloy of not so noble metals. ... I feel zen today. You have no idea how Zen I have felt recently. No idea. As BS says, you go after people, not tech, these days. I was merely asking where I should spend my $, whether Mitnick was worth it, as Schneier by default is. Or what the hell, maybe my contract will become a job, and I'll buy 'em all. Meanwhile, watch your ass, the marketroids are full of detritus. And if you take cyanide salts, you dont' tell anyone about it.
Re: Email tapping by ISPs, forwarder addresses, and crypto proxies
On Tue, Jul 06, 2004 at 09:40:29PM -0700, Major Variola (ret) wrote: smoking something I've run out of. Its all recorded. I'm sure the archiving and database groups in Ft. Meade will get a chuckle out of your the right to idioms. All this stuff goes into some database slot. It will only get reviewed by a human analyst if the ranking function trips over threshold (or reviewed forensically after the fact). I can't imagine any intelligence professional wasting her time reading the crap at times coming over this list. -- Eugen* Leitl a href=http://leitl.org;leitl/a __ ICBM: 48.07078, 11.61144http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE http://moleculardevices.org http://nanomachines.net pgpsbjR4gltul.pgp Description: PGP signature
Re: Email tapping by ISPs, forwarder addresses, and crypto proxies
Absolutely, look at the threat model. You're not worried about someone breaking into your computer, you're worried about your ISP legally reading your email. Guaranteed, and encryption is bait. Use stego. That's very true, however there can be operators you trust more than your ISP, eg. a group of friends running such forwarder offshore. Until they're busted and open up... As Zappa sang, the hot iron sausage... and the sinister midget...
Re: UBL is George Washington
On Mon, 5 Jul 2004, Anonymous wrote: But asymm warfare has to accomplish its goal. It's not being very successful. The only people who are siding with al-qaeda are those whose brains are already mush -statist socialists, to be precise. If al qaeda bombed government buildings or targetted the private residences or offices of government officials, they might get more sympathy, from me at least. Destroying an pair of buildings and killing thousands of citizens -most of whom couldn't give an accurate account of U.S. forces distribution in the MidEast- is not a step forward. Right, WTC as a target doesn't make any strategic sense. Either they were very stupid at picking their targets, or their goals are not quite so obvious - Unless the strategy was to short-sell the stock market the day before. Did the FTC/FBI/NSA/CIA/etc find anything along these lines (yet)? I've not been paying much attention to the news as of late.
Email tapping by ISPs, forwarder addresses, and crypto proxies
Reading some news about the email wiretapping by ISPs, and getting an idea. There are various email forwarding services, which are nothing more than a SMTP server with pairs of [EMAIL PROTECTED] -- [EMAIL PROTECTED] Messages in storage have much lower judicial protection than messages in transit. (This does not have much technical merit, in the current atmosphere of damn the laws - there are terrorists around the corner, but can be seen as a nice little potential benefit.) There can be an easy enhancement for such forwarder service; GnuPG proxy. Every email that arrives to the forwarder address, before it is forwarded to the real recipient, is piped through a GnuPG script; the recipient has then to upload his public key during the registration of the target address, otherwise the function is the same. For added benefit, the forwarder should support SMTP/TLS (STARTTLS) extension, so the connections from security-minded owners of their own mailservers would be protected. The recipient himself then can either run his own mailserver and download mails through fetchmail, or receive mails using SMTP/ETRN (both methods allow automated decryption of such wrapped mail during its receiving), or use a POP/IMAP decryption proxy, or have a plugin in mail client. (I know, auto-decryption is dangerous, but we now talk about the system for one's grandma, transparent to use.) The only vulnerable parts of the mail route then will be the sender's computer, the pathway between the sender and the forwarder server (if SMTP/TLS is not used correctly or at all), the forwarder server (if compromised), and the recipient's computer. The way between the forwarder and the recipient's ISP, including the recipient's mailbox, is secured. What do you think about this scheme?
Re: Email tapping by ISPs, forwarder addresses, and crypto proxies
On Tue, 6 Jul 2004, Hal Finney wrote: There are various email forwarding services, which are nothing more than a SMTP server with pairs of [EMAIL PROTECTED] -- [EMAIL PROTECTED] Right, mostly for use as disposable email addresses. I've used spamgourmet to good effect, myself. I wrote the patch for qmail's fastforward for similar purposes. Everything in the name that is beyond the specified wildcard is ignored when resolving the mail alias (but stays there for procmail processing). As added benefit, the addresses that receive spam can be used for teaching bogofilter. Messages in storage have much lower judicial protection than messages in transit. (This does not have much technical merit, in the current atmosphere of damn the laws - there are terrorists around the corner, but can be seen as a nice little potential benefit.) One thing I haven't understood in all the commentary is whether law enforcment still needs a warrant to access emails stored in this way. Apparently the ISP can read them without any notice or liability, but what about the police? Let's expect them so as well. The ISP can hand them over to the police anyway, like a nosy neighbour fink finding your grass stash. Also, what if you run your own mail spool, so the email is never stored at the ISP, it just passes through the routers controlled by the ISP (just like it passed through a dozen other routers on the internet). Does this give the ISP (and all the other router owners) the right to read your email? I don't think so, it seems like that would definitely cross over the line from mail in storage to mail in transit. If it passes through their SMTP servers, I am not sure. If it goes only through their routers, I'd think it's definitely in transit. There can be an easy enhancement for such forwarder service; GnuPG proxy. Every email that arrives to the forwarder address, before it is forwarded to the real recipient, is piped through a GnuPG script; the recipient has then to upload his public key during the registration of the target address, otherwise the function is the same. That's a great idea. You'd want to be sure and encrypt the whole message including headers, and make the whole thing an encrypted attachment. Has the added side benefits of compressing the email, and you could even have the server do some spam filtering. The original idea I based it on was encrypting everything including the headers on the sender, then decrypting it on the receiver relay, and adding the data about the decryption of the message into the headers in some unspoofable way (eg. if the headers were there already when the message arrived to the decrypting script, prepend X- to them - not really bulletproof but rather decent). For added benefit, the forwarder should support SMTP/TLS (STARTTLS) extension, so the connections from security-minded owners of their own mailservers would be protected. STARTTLS support at the proxy should pretty much go without saying these days, so you might as well do it, but if you're already PGP encrypting then it's not adding that much security. Well, maybe it does, but you're talking about a different threat. It hides the fact encrypted comm is in use. Which may be handy on its own. For the problem that ISPs can read your email in storage, STARTLS doesn't help much because it will only protect the email until it gets to your local ISP, who will store your email for you and can read it then (which is where the PGP comes in). That's true. But it protects the data in transit nearly for free. Where STARTTLS would help is with power users who run their own mail servers. But those people don't suffer from the problem we are talking about here, legal access to the email by the ISP (I think, see above). Nevertheless a mail-receiving proxy that uses STARTTLS connections to power users would be kind of cool because it would keep anyone local from knowing anything about the incoming mail. Hopefully, STARTTLS will eventually become so widespread that this functionality will be redundant, but we are not there yet. STARTTLS is by far not widespread. Few people use it, including the knowledgeable ones. :((( (I know, auto-decryption is dangerous, but we now talk about the system for one's grandma, transparent to use.) Absolutely, look at the threat model. You're not worried about someone breaking into your computer, you're worried about your ISP legally reading your email. To address this threat, auto-decryption is a perfect solution. It's always better to select overly restrictive threat model and then loose it when necessary, than the other way. An omission then results in more work instead of a security hole. He would configure his mailer to connect to localhost:4949 or whatever, just like any other POP server. With a local SMTP server, you can run such service as a daemon (or from cron) with function
Re: UBL is George Washington
Sunder wrote: Right, WTC as a target doesn't make any strategic sense. Doesn't hitting a world financial center impede the funding of imperialism? If you apply the same standards the US uses to classify dual use infrastructure, and organizations linked to the enemy, I think the WTC is pretty high on the target list. The US bombed water treatment plants, electrical facilities, and bridges in Iraq. Certainly not military targets either. -- Eric Michael Cordian 0+ O:.T:.O:. Mathematical Munitions Division Do What Thou Wilt Shall Be The Whole Of The Law
Re: UBL is George Washington
On Tue, 6 Jul 2004, Justin wrote: On 2004-07-06T11:28:41-0700, Eric Cordian wrote: Sunder wrote: Right, WTC as a target doesn't make any strategic sense. Doesn't hitting a world financial center impede the funding of imperialism? Empirically, I don't think so. Since September 11th, funding to the military and security industries have increased substantially through DHS and military contracts. It may be that the only way out is through, and that the only way to be free from Western Imperialism is to cause it to strangle itself. Precisely. They are doing to us what we did to the soviets: they making us spend ourselves right out of existence. In the short term, however, terrorists have not succeeded in getting our imperialist policies changed. 9/11 with Dubya at the helm can have only one result. Dubya at the helm can have only 1 result. 9/11 was just his cover. If you apply the same standards the US uses to classify dual use infrastructure, and organizations linked to the enemy, I think the WTC is pretty high on the target list. Yep. Even ignoring specific entities that officed in the WTC, it was an effective target. When a government is in debt 70%+ of the GDP (2002 - $10.4T), there's little distinction between private financial targets and government targets. And this was a prime target. Financial disruption from *just* the tower collapses was significant across the economy as a whole: lost records, insurance claims, lawsuits, etc., exacted a very substantial loss against their enemy. The US bombed water treatment plants, electrical facilities, and bridges in Iraq. Certainly not military targets either. Each democratic government likes to flood the logos with the notion that it only attacks military targets; it convinces citizens that their government is humane, and helps to pacify the non-interventionists. In practice, intelligence is never accurate. Hitting only military targets, even if that were the goal which is clearly not the case -- is not possible. Nonetheless, the military *does* consider places like WTC to be legitimate *military* targets. -- Yours, J.A. Terranson [EMAIL PROTECTED] ...justice is a duty towards those whom you love and those whom you do not. And people's rights will not be harmed if the opponent speaks out about them. Osama Bin Laden
Re: UBL is George Washington
Tyler Durden [EMAIL PROTECTED] writes: If they took out a few key COs downtown one morning the effect on the economy would be significant. It depends on what your goal is. As someone else on this list pointed out, terrorism is just another form of PR. If OBL took out (say) that huge ATT CO in the center of Manhattan (the skyscraper that looks like something out of a SF film), every cellphone user in the country who's had any dealings with ATT would help him pack the explosives. Sure, there'd be some economic damage, but Joe Sixpack would barely notice, and certainly wouldn't care. OTOH the WTC had enough significance and enough lives involved that everyone had to sit up and take notice. He knew exactly what target to hit to create the biggest mess (I offer the results in the last two years as proof). Peter.
Re: UBL is George Washington
And this was a prime target. Financial disruption from *just* the tower collapses was significant across the economy as a whole: lost records, insurance claims, lawsuits, etc., exacted a very substantial loss against their enemy. That was nothing compared to the real damage, which I've heard few people point out. There was a telecom CO in (I think) #4 World Trade Center, and falling debris took the giant Verizon CO across the street on West Street offline for almost a week. The result was that Wall Street was basically cut off for several days...the effect of that dwarfs all the other stuff. (Although I wonder...Pipar Jaffrey was pretty much wiped out. Even if the records survived, they lost so much manpower that might have actually had a small but worldwide impact.) Of course, I truly doubt OBL his posse realized this when they targeted the WTC (and the fact that they continue to pretty much ignore relatively ungarded COs shows they still don't realize this). If they took out a few key COs downtown one morning the effect on the economy would be significant. From: J.A. Terranson [EMAIL PROTECTED] To: Justin [EMAIL PROTECTED] CC: [EMAIL PROTECTED] Subject: Re: UBL is George Washington Date: Tue, 6 Jul 2004 18:59:22 -0500 (CDT) On Tue, 6 Jul 2004, Justin wrote: On 2004-07-06T11:28:41-0700, Eric Cordian wrote: Sunder wrote: Right, WTC as a target doesn't make any strategic sense. Doesn't hitting a world financial center impede the funding of imperialism? Empirically, I don't think so. Since September 11th, funding to the military and security industries have increased substantially through DHS and military contracts. It may be that the only way out is through, and that the only way to be free from Western Imperialism is to cause it to strangle itself. Precisely. They are doing to us what we did to the soviets: they making us spend ourselves right out of existence. In the short term, however, terrorists have not succeeded in getting our imperialist policies changed. 9/11 with Dubya at the helm can have only one result. Dubya at the helm can have only 1 result. 9/11 was just his cover. If you apply the same standards the US uses to classify dual use infrastructure, and organizations linked to the enemy, I think the WTC is pretty high on the target list. Yep. Even ignoring specific entities that officed in the WTC, it was an effective target. When a government is in debt 70%+ of the GDP (2002 - $10.4T), there's little distinction between private financial targets and government targets. And this was a prime target. Financial disruption from *just* the tower collapses was significant across the economy as a whole: lost records, insurance claims, lawsuits, etc., exacted a very substantial loss against their enemy. The US bombed water treatment plants, electrical facilities, and bridges in Iraq. Certainly not military targets either. Each democratic government likes to flood the logos with the notion that it only attacks military targets; it convinces citizens that their government is humane, and helps to pacify the non-interventionists. In practice, intelligence is never accurate. Hitting only military targets, even if that were the goal which is clearly not the case -- is not possible. Nonetheless, the military *does* consider places like WTC to be legitimate *military* targets. -- Yours, J.A. Terranson [EMAIL PROTECTED] ...justice is a duty towards those whom you love and those whom you do not. And people's rights will not be harmed if the opponent speaks out about them. Osama Bin Laden _ Is your PC infected? Get a FREE online computer virus scan from McAfee® Security. http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963
Re: Email tapping by ISPs, forwarder addresses, and crypto proxies
On Wed, Jul 07, 2004 at 10:28:01AM -0400, Tyler Durden wrote: Well, I don't actually believe it's all recorded. As I've attempted to explain previously, they almost certainly have risk models in place. When several variables twinkle enough (eg, origination area, IP address, presence of crypto...) some rule fires and then diverts a copy into the WASP'S Nest. There's probably some kind of key word search that either diverts the copy into storage or into the short list for an analyst to peek it. How much plain text can ~10^9 online monkeys daily enter into their keyboard? A ~10^3 average ballpark gives you a TByte/day (minus the redundancy), which is currently a 1U worth of SATA RAID/day, or 3 years worth of world's entire traffic in a 10^3 node cluster, which is on the low side these days. Hard drive storage density goes up exponentially, and probably faster than people can go online (the old world has saturated) -- it isn't a problem, given that population increase doesn't occur at these growth rates. You don't have to delete anything, ever. Given what Google manages with some 10^4..10^5 nodes, this problem set looks puny in comparison. Keeping the data on a cluster gives you the local crunch to do some very nontrivial data mining, especially if you narrow the scope down sufficiently to be able to lock the data in memory and crunch it there. Fax OCR/telex is just as easy, speech recognition doable, given the budget. We don't know whether they are actually doing it (I *think* these people are too conservative to be doing clusters right now, so they're probably doing storage hierarchies with tape libraries -- but then they as well could be MIB types years ahead of the mainstream), the point it is that they could, given the documented amount of hired talent and official budget. -- Eugen* Leitl a href=http://leitl.org;leitl/a __ ICBM: 48.07078, 11.61144http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE http://moleculardevices.org http://nanomachines.net pgpge4v738Vwi.pgp Description: PGP signature
Re: Email tapping by ISPs, forwarder addresses, and crypto proxies
At 07:28 AM 7/7/2004, Tyler Durden wrote: If you think the cable landings in Va/Md are coincidental, you are smoking something I've run out of. Its all recorded. I'm sure the archiving and database groups in Ft. Meade will get a chuckle out of your the right to idioms. Well, I don't actually believe it's all recorded. As I've attempted to explain previously, they almost certainly have risk models in place. When several variables twinkle enough (eg, origination area, IP address, presence of crypto...) some rule fires and then diverts a copy into the WASP'S Nest. There's probably some kind of key word search that either diverts the copy into storage or into the short list for an analyst to peek it. Perhaps, but at a Bay Area meeting a few years back held to discuss NSA/SIGINT, I think it was held on the Stanford campus, a developer disclosed that an American contractor manufacturer had won a contract to install 250,000 high-capacity disk drives at one of these agenicies. stveve
Re: Email tapping by ISPs, forwarder addresses, and crypto proxies
This is somewhat related to what ZKS did in their version 1 [1,2] mail system. They made a transparent local pop proxy (transparent in that it happened at firewall level, did not have to change your mail client config). In this case they would talk to your real pop server, decrypt the parts (they were reply-block like onions), remove duplicates (as with mixmaster etc you can send duplicates via separate remailers to improve reliability). So the transparent proxy would leave alone your normal mail that you received in the pop box and remove duplicates only from the reply-block delivered pseudonymous mail. Actually they implemented the reply-block from scratch, it always seemed to me it would have been less development work to use mixmaster (it was implemented before I started). The ZKS reply block did not even use chunking (ala mixmaster) so traffic analysis would have been trivial as the message size would show through. At least that's what I recall, no chunking. However I am finding the security issues paper [1] says otherwise. The 1.0 architecture document [2] is ambiguous, there is no mention of chunking. (I've sent mail to one of the original developers to check I have it right). It was also unreliable because it did not use SMTP, it used its own transport AMTP and its own retry-semantics on nodes called MAIPs. (Mail AIPs, an AIP is an Anonymous Internet Proxy). Then we implemented a replacement version 2 mail system that I designed. The design is much simpler. With freedom anonymous networking you had anyway a anonymous interactive TCP feature. So we just ran a standard pop box for your nym. Mail would be delivered to it directly (no reply block) for internet senders. Freedom senders would send via anonymous IP again to get sender anonymity. Used qmail as the mail system. Unfortunately they closed down the freedom network pretty soon after psuedonymous mail 2.0 [3] was implemented. There is an interesting trade-off here. The interactive communications are perhaps more vulnerable to real-time powerful adversary traffic analysis than mixmaster style mixed chunked delivery. However they are less vunerable to subpoena because they are forward-secret on a relativey short time-frame. (1/2 hr if I recall; however more recent designs such as chainsaw internal prototype, and cebolla [4] by ex-ZKSer Zach Brown change keys down to second level by using a mix of backward-security based on symmetric key hashing (and deleting previous key) and forward security using DH.) It would be nice to get both types of anonymity, but I suspect for most typical users the discovery / subpeona route is the major danger, and if that is thwarted it is unlikely that their activities would warrant the effort of real time analysis. Well we have carnivore now, so they could potentially do real-time traffic analysis more routinely if they were to distribute enough collaborating analysis carnivore plugins. Adam [1] http://www.homeport.org/~adam/zeroknowledgewhitepapers/security-issues.pdf [2] http://www.homeport.org/~adam/zeroknowledgewhitepapers/arch-notech.pdf [3] http://www.cypherspace.org/adam/pubs/freedom2-mail.pdf [4] http://www.cypherspace.org/cebolla/ On Tue, Jul 06, 2004 at 02:47:43PM -0700, Hal Finney wrote: Recently there was a proposal for a nym receiving service, http://www.freehaven.net/doc/pynchon-gate/, by Bran Cohen and Len Sassaman. They have a complicated protocol for downloading email anonymously. To hide the complexity, they propose to set up a POP compatible mail server agent on the user's computer running as a daemon process (Windows service). He would configure his mailer to connect to localhost:4949 or whatever, just like any other POP server. The service would periodically go out and poll for email using the fancy protocol, but then it would make it available to the local mail agent in perfectly vanilla form. The point is that this architecture hides the complexity and makes it transparent for end users to use arbitrarily complex crypto for mail receiving. Something similar would be perfect for your idea.
Re: Final stage
On Wed, 7 Jul 2004, J.A. Terranson wrote: On Wed, 7 Jul 2004, Anonymous via the Cypherpunks Tonga Remailer wrote: Praise Allah! The spires of the West will soon come crashing down! SCREED Deleted Laying it on just a little thick, no? Here we go again. Get ready for more FUD from the LEO's, I can see Fox news now. Cypherpunks a hotbed of crypto-anarchist scum is now being used by Al Qaeda to setup new terrorist attacks... Expect to see a sidebar about rogue or evil anonymous remailers and how they're un-patriotic, etc. Bah, some feeb had too one too many Crappachino's with lunch today and pulled a Cornholio :( A few years ago it was requests on how to make bombs, now it's this shit.
Final stage
Praise Allah! The spires of the West will soon come crashing down! Our Brother wishes for us to meet at the previously discussed southeastern roadhouse on August 1st, in preparation for the operations scheduled for August 6th and 9th. Alternative targets have been chosen. Contact Jibril if you have not heard of the changes since the last meeting. The infidels have machines that detect the biologicals, so make sure the containers are sealed and scrubbed as discussed. Leave excess semtex behind. The more we transport, the more likely the infidels are to detect us. We have received more funding and supplies from our brothers in Saudi Arabia and Syria. Be prepared for another operation before January. Praise Allah! May the blood of the infidels turn the oceans red!
Re: Final stage
J.A. Terranson [EMAIL PROTECTED] wrote: Laying it on just a little thick, no? Either it's a slow day in law enforcement or someone forgot to take their meds again. :-P -- Riad S. Wahby [EMAIL PROTECTED]
Re: Privacy laws and social engineering
On Wed, 7 Jul 2004, Thomas Shaddack wrote: Sometimes you get access by telnet. Sometimes by a voice call. Hack the mainframe. Hack the secretary. What's better? (Okay, I agree, you can't sleep with the mainframe.) I feel zen today. Me too: http://www.openbsd.org/lyrics.html#31 ftp://ftp.openbsd.org/pub/OpenBSD/songs/song31.ogg ftp://ftp.openbsd.org/pub/OpenBSD/songs/song31.mp3 BSD fight buffer reign Flowing blood in circuit vein Quagmire, Hellfire, RAMhead Count Puffy rip attacker out Crackin' ze bathroom, Crackin' ze vault Tale of the script, HEY! Secure by default Can't fight the Systemagic Uber tragic Can't fight the Systemagic Sexty second, black cat struck Breeding worm of crypto-suck Hot rod box unt hunting wake Vampire omellete, kitten cake Crackin' ze boardroom, Crackin' ze vault Rippin' ze bat, HEY! Secure by default Chorus Cybersluts vit undead guts Transyl-viral coffin muck Penguin lurking under bed Puffy hoompa on your head Crackin' ze bedroom, Crackin' ze vault Crackin' ze whip, HEY! Secure by default Crackin' ze bedroom, Crackin' ze vault Crackin' ze whip, HEY! Secure by default Chorus
