Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems
On Thu, 20 Oct 2005, cyphrpunk wrote: system without excessive complications. Only the fifth point, the ability for outsiders to monitor the amount of cash in circulation, is not satisfied. But even then, the ecash mint software, and procedures and controls followed by the issuer, could be designed to allow third party audits similarly to how paper money cash issuers might be audited today. One approach, investigated by Hal Finney, is to run the mint on a platform that allows remote attestation. Check out rpow.net - he has a working implementation of a proof of work payment system hosted on an IBM 4758. -David Molnar
Re: MD5 collisions?
At 09:04 PM 8/17/04 -0400, R. A. Hettinga wrote: >At 7:33 PM -0500 8/17/04, Declan McCullagh wrote: >>One is enough. Less is more. Let's eliminate redundancy, thus eliminating >>redundancy. LMAO RAH :-) = 36 Laurelwood Dr Irvine CA 92620-1299 VOX: (714) 544-9727 (home) mnemonic: P1G JIG WRAP VOX: (949) 462-6726 (work -don't leave msgs, I can't pick them up) mnemonic: WIZ GOB MRAM ICBM: -117.7621, 33.7275 HTTP: http://68.5.216.23:81 (back up, but not 99.999% reliable) PGP PUBLIC KEY: by arrangement Send plain ASCII text not HTML lest ye be misquoted -- "Don't 'sir' me, young man, you have no idea who you're dealing with" Tommy Lee Jones, MIB No, you're not 'tripping', that is an emu ---Hank R. Hill
Re: no anon conversations?
An Metet wrote: What technologies currently exist for receiving a/psuedononymous message? With Mixmaster, sending mail, posting news, and even blog posting are possible, However, receiving replies securely or, better, holding a private conversation is difficult or impossible. Best bet seems is to encrypt and spam somewhere very public? Ugly, ugly. No technological method, just a few "trust me" remailers. Other options? Mixminion offers a basic building block called SURBs, Single User Reply Blocks. http://mixminion.net/ http://mixminion.net/minion-spec.txt There is a draft spec. for a nymserver which uses this building block but I've seen no news of an ongoing implementation: http://mixminion.net/nym-spec.txt Mixminion installation still indicates that anonymity is still not available, due to traffic levels still being too low. The mailing list discussed current traffic levels recently: http://archives.seul.org/mixminion/dev/Apr-2004/msg1.html
Re: Is there a Brands certificate reference implementation?
Steve Furlong wrote: Does anyone know of a reference implementation for Stefan Brands's digital certificate scheme? Alternatively, does anyone have an email address for Brands so I can ask him myself? (I haven't gotten anything back from ZKS's "contact us" address. But I don't know if Brands is still at ZKS.) He started a new company called Credentica. http://archives.abditum.com/cypherpunks/C-punks20020603/0053.html http://www.credentica.com/
Re: voting
>David Jablon wrote: >> [...] Where is the "privacy problem" with >> Chaum receipts when Ed and others still have the freedom to refuse >> theirs or throw them away? At 11:43 AM 4/16/04 -0700, Ed Gerck wrote: >The privacy, coercion, intimidation, vote selling and election integrity >problems begin with giving away a receipt that is linkable to a ballot. These problems begin elsewhere. Whether a receipt would add any new problem depends on further analysis. >It is not relevant to the security problem whether a voter may destroy >his receipt, so that some receipts may disappear. What is relevant is >that voters may HAVE to keep their receipt or... suffer retaliation... >not get paid... lose their jobs... not get a promotion... etc. Also >relevant is that voters may WANT to keep their receipts, for the same >reasons. These are all relevant issues, and the system needs to be considered as a whole. The threat of coercion is present regardless of whether there's a system-provided receipt, linkable, anonymous, or none. For example, I might be told that after I vote I'll come face-to-face with a thug around the corner, who will ask who I voted for, and who has a knack for spotting liars. Or I may be told there's a secret camera in the booth. Or I may think I'm at risk in simply showing up to vote, due to my public party affiliation records, physical appearance, etc. These issues must be addressed, and these concerns show that the integrity of receipt validation must be ensured to at least the same degree as the integrity of vote casting. But *absolute* voter privacy seems like an unobtainable goal, and it should not be used to trump other important goals, like accountability. -- David
Re: voting
I think Ed's criticism is off-target. Where is the "privacy problem" with Chaum receipts when Ed and others still have the freedom to refuse theirs or throw them away? It seems a legitimate priority for a voting system to be designed to assure voters that the system is working. What I see in serious voting system research efforts are attempts to build systems that provide both accountability and privacy, with minimal tradeoffs. If some kind of tradeoff between accountability and privacy is inevitable, in an extreme scenario, I'd still prefer the option to make the tradeoff for myself, rather than have the system automatically choose for me. -- David >> At 11:05 AM 4/9/04 -0400, Trei, Peter wrote: >> >> >1. The use of receipts which a voter takes from the voting place to 'verify' >> >that their vote was correctly included in the total opens the way for voter >> >coercion. >John Kelsey wrote: >> I think the VoteHere scheme and David Chaum's scheme both claim to solve >> this problem. The voting machine gives you a receipt that convinces you >> (based on other information you get) that your vote was counted as cast, >> but which doesn't leak any information at all about who you voted for to >> anyone else. Anyone can take that receipt, and prove to themselves that >> your vote was counted (if it was) or was not counted (if it wasn't). At 06:58 PM 4/15/04 -0700, Ed Gerck wrote: >The flaw in *both* cases is that it reduces the level of privacy protection >currently provided by paper ballots. > >Currently, voter privacy is absolute in the US and does not depend >even on the will of the courts. For example, there is no way for a >judge to assure that a voter under oath is telling the truth about how >they voted, or not. This effectively protects the secrecy of the ballot >and prevents coercion and intimidation in all cases.
Re: Fwd: Re: The Neocon Case for Imprisoning War Opponents
On Wednesday 03 March 2004 02:54, R. A. Hettinga wrote: > NNTP-Posting-Date: Fri, 23 Jan 2004 15:17:31 -0600 > Subject: Re: The Neocon Case for Imprisoning War Opponents > Date: Fri, 23 Jan 2004 13:17:27 -0800 > From: Tim May <[EMAIL PROTECTED]> Heh. Missing Tim are we?
Re: [camram-spam] Re: Microsoft publicly announces Penny Black PoW postage project
Eric S. Johansson writes: > Ben Laurie wrote: > > >Richard Clayton wrote: > > > >>and in these schemes, where does our esteemed moderator get _his_ stamps > >>from ? remember that not all bulk email is spam by any means... or do > >>we end up with whitelists all over the place and the focus of attacks > >>moves to the ingress to the mailing lists :( > > > > > >He uses the stamp that you generated. Each subscruber adds > >[EMAIL PROTECTED] as an address they receive mail at. Done. > >Trivial. > > take a look at my headers and you'll see a real example. > > ---eric (No. 1 generator of stamps on the Internet) It seems like one risk for hashcash is that, when mailing lists are whitelisted, a spammer can then use the lists to amplify spam (which I think is what Richard Clayton was suggesting above). For instance, you generated a single hashcash stamp for [EMAIL PROTECTED] of the same value as the stamp you generated for [EMAIL PROTECTED] That stamp would hypothetically induce metzdowd.com to send your message to _all_ of the cryptography subscribers, all of whom have hypothetically whitelisted the list. That means that, if your message were spam, you delivered it to the whole subscriber base at very low cost. Or does hashcash only help moderated mailing lists (where it "pays" the moderator for her time)? My current impression is that it will benefit individual e-mail recipients but not help subscribers to large unmoderated mailing lists. -- Seth David Schoen <[EMAIL PROTECTED]> | Very frankly, I am opposed to people http://www.loyalty.org/~schoen/ | being programmed by others. http://vitanuova.loyalty.org/ | -- Fred Rogers (1928-2003), |464 U.S. 417, 445 (1984)
Re: I am anti war. You stupid evil scum are pro Saddam.
On Monday 22 December 2003 13:49, Michael Kalus wrote: > > Well, in america instead of being the slave to "the man" (just yet) > you're the slave to your credit card bills By choice. > your employers By choice, through a range that is "barely enough to eat and drink" to unimaginable heights in historical terms. and all the > other robber barons you have in the industry, while under Castro you > are Well what? You can't travel to the US? You are not necessarily > always able to state your political opinions (which sound vaguely > familiar in the US right now) etc. Not even close to the US situation. Get a clue. A simple example, read Tim May's continued expressions on the state of the US. Now read this about Cuba: http://www.indymedia.org.uk/en/2003/05/67973.html Now, tell me that you still think the US is less free. > Repeat after me: Freedom is something that is defined differently by > every human being. > So Cuban's choose oppression and no free speech, in exchange for freedom of slavery to credit-card spending on luxury items, employment and robber barons? Have you been to Cuba?
Re: Sunny Guantanamo (Re: Speaking of the Geneva convention)
On Friday 19 December 2003 20:35, James A. Donald wrote: > > In fact Glaspie told Saddam that if he invaded Kuwait, the shit > would hit the fan. > > (That was not her words. Her words were "subject of concern", > Cite? The google groups article you linked to has two links to possible transcripts. Neither back up your claim.
Re: Drunken US Troops Kill Rare Tiger
On Monday 22 September 2003 12:37 pm, Sarad AV wrote: > > Vote for some one who promises freedom,democracy These two don't co-exist too well if you're idle.
Re: Logging of Web Usage
Bill Frantz writes: > The http://cryptome.org/usage-logs.htm URL says: > > >Low resolution data in most cases is intended to be sufficient for > >marketing analyses. It may take the form of IP addresses that have been > >subjected to a one way hash, to refer URLs that exclude information other > >than the high level domain, or temporary cookies. > > Note that since IPv4 addresses are 32 bits, anyone willing to dedicate a > computer for a few hours can reverse a one way hash by exhaustive search. > Truncating IPs seems a much more privacy friendly approach. > > This problem would be less acute with IPv6 addresses. I'm skeptical that it will even take "a few hours"; on a 1.5 GHz desktop machine, using "openssl speed", I see about a million hash operations per second. (It depends slightly on which hash you choose.) This is without compiling OpenSSL with processor-specific optimizations. That would imply a mean time to reverse the hash of about 2100 seconds, which we could probably improve with processor-specific optimizations or by buying a more recent machine. What's more, we can exclude from our search parts of the IP address space which haven't been allocated, and optimize the search by beginning with IP networks which are more likely to be the source of hits based on prior statistical evidence. Even without _any_ of these improvements, it's just about 35 minutes on average. I used to advocate one-way hashing for logs, but a 35-minute search on an ordinary desktop PC is not much obstacle. It might still be helpful if you used a keyed hash and then threw away the key after a short time period (perhaps every 6 hours). Then you can't identify or link visitors across 6-hour periods. If the key is very long, reversing the hash could become very hard. The logging problem will depend on what server operators are trying to accomplish. Some people just want to try to count unique visitors; strangely enough, they might get more privacy-protective (and comparably precise) results by issuing short-lived cookies. -- Seth David Schoen <[EMAIL PROTECTED]> | Very frankly, I am opposed to people http://www.loyalty.org/~schoen/ | being programmed by others. http://vitanuova.loyalty.org/ | -- Fred Rogers (1928-2003), |464 U.S. 417, 445 (1984)
Re: U.S. Drops 'E-Bomb' On Iraqi TV
at Tuesday, April 01, 2003 11:53 PM, Kevin S. Van Horn <[EMAIL PROTECTED]> was seen to say: > What's a legitimate government? One with enough firepower to make its > rule stick? One with real (not imagined) WMD to frighten off american presidents. NK being a good example...
Public hearing in Boston on Mass DMCA bill
For those on this list from the Boston area there is a public hearing on the Mass version of the Super-DMCA bill on Wed April 2nd at 10 AM in Room 222 of the Mass State house in downtown Boston. This might be a chance to find out who is sponsoring this legislation and raise some objections to its overbroad nature. The actual sponsor of this legislation is a Rep Stephen Tobin from Boston He advertises the bill as "legislation to establish a crime of illegal internet and broadband access". I hope some Mass list members show up... (And for some strange reason my [EMAIL PROTECTED] address has suddenly become blocked by lne.com as a spam site. This has never happened before and is rather scary. It suggests a targetted counterattack by someone). Dave Emery - [EMAIL PROTECTED]
Re: U.S. Drops 'E-Bomb' On Iraqi TV
at Thursday, March 27, 2003 6:36 AM, Sarad AV <[EMAIL PROTECTED]> was seen to say: > there is a lot of self imposed sensor ship in US on > the war.The Us pows's shown on al-jazeera were not > broadcasted over Us and those sites which had pictures > of POW's were removed as unethical graphics on web > pages. > May be the US itself might be stopping access to > al-jazeera networks. It certainly sounds probable. All the US and UK coverage is being very carefully stage-managed - all reporters are "embedded" into units for a reason - they are permitted to film what they are told, when they are told, and striking out on your own (or using a uplink to upload "raw" news to the newsroom carries the death penalty - as the ITN crew found out. Having a "raw" source of news - particularly one that carries pictures of young children being pulled from the rubble minus their legs - cannot possibly be tolerated. That isn't to say *that* source isn't biassed as well - try finding pro-COW coverage, and there must be at least some of the pro-COW coverage that our major media puts out that isn't faked.
Re: terror alert black
at Thursday, March 20, 2003 3:23 PM, Tyler Durden <[EMAIL PROTECTED]> was seen to say: > I've heard that for terror alert black we're all supposed to down a > few 100 milligrams of valium, and stay in our beds, butts-up. > For hidden weapons inspections, of course. *lol* might be close to the truth at that - At a recent incident in england, the police opened up the protester's *sandwiches* to check for concealed weapons in there. still, eggs can be lethal if not properly cooked :)
Re: I for one am glad that...
at Wednesday, March 19, 2003 3:39 AM, Keith Ray <[EMAIL PROTECTED]> was seen to say: > Which resolution took away any Member State's authority to "all > necessary means" to uphold resolution 690? I think the problem here is who gets to define what is "necessary" - the UN Security council thinks it is them, Bush thinks it is him personally.
Re: Journalists, Diplomats, Others Urged to Evacuate City
> About the threat to Washington: I think it's relatively high. A > nerve gas attack on buildings or the Metro seems likely. (The > Japanese AUM cult had Sarin, but was inept. A more capable, > military-trained operative has had many months to get into D.C. and > wait for the obvious time to attack. And he need not even be a > suicide bomber. A cannister of VX with a reliable timer is child's > play. Chemical weapons are legally dodgy - but under the Bush Doctorine, saddam could blow huge civilian areas of Washington away with missles, and just call it a "shock and awe" demonstration against a country that might attack it and that is known to have all three forms of WMD. I mean, that's reasonable isn't it? bush said it was
Re: Fw: Drunk driver detector that radios police
On Sunday 09 March 2003 18:16, A.Melon wrote: > On Sunday 09 March 2003 10:31 am, david wrote: > > Neither you nor anyone else has the right to force me or any > > other individual to subsidize your welfare. > > > > This device, if forced on individuals by a government entity, > > would violate fourth amendment protections against > > self-incrimination. DUI laws requiring breath or blood tests do > > the same thing. > > But you wouldn't mind if insurance companies required the device > in order for you to get a policy (whether or not it called the > police or just the insurance company) ? > > Right ? Not as long as it was truly a free market transaction involving no government regulation of the insurance company or laws requiring you to buy the insurance. Any transaction freely entered into by both parties is acceptable. David Neilson
Re: Fw: Drunk driver detector that radios police
On Sunday 09 March 2003 18:16, you wrote: > On Sunday 09 March 2003 10:31 am, david wrote: > > Neither you nor anyone else has the right to force me or any > > other individual to subsidize your welfare. > > > > This device, if forced on individuals by a government entity, > > would violate fourth amendment protections against > > self-incrimination. DUI laws requiring breath or blood tests do > > the same thing. > > But you wouldn't mind if insurance companies required the device > in order for you to get a policy (whether or not it called the > police or just the insurance company) ? > > Right ?
Re: Fw: Drunk driver detector that radios police
On Friday 07 March 2003 00:52, gann wrote: > A tiny fuel cell that detects the alcoholic breath of a > drink-driver and calls the police has been developed > I'm in favor of it Neither you nor anyone else has the right to force me or any other individual to subsidize your welfare. This device, if forced on individuals by a government entity, would violate fourth amendment protections against self-incrimination. DUI laws requiring breath or blood tests do the same thing. DUI laws define a political crime (as opposed to a crime with an actual victim) based on an arbitrary biological baseline (blood alcohol content). Reckless endangerment of another person is a real crime with a real victim regardless of the amount of alcohol or other drugs in the person's system. Laws against reckless endangerment can be enforced without violating constitutionally protected rights. DUI laws need to be abolished. This would all be academic if this were not a socialist country where the roads are built on stolen property with stolen money. If the roads were private property owned by private individuals then you would be free to travel on roads that required onboard breath testers, submission to random searches of your vehicle and body cavities, along with background checks of your criminal history, credit, and bank records if that made you feel safe and secure. If the terms of use of that road company were not to your liking you would be free to travel on a competing company's roads. Live free or die, David Neilson
Re: Scientists question electronic voting
> > at Thursday, March 06, 2003 5:02 PM, Ed Gerck <[EMAIL PROTECTED]> was seen > > to say: > > > On the other hand, photographing a paper receipt behind a glass, which > > > receipt is printed after your vote choices are final, is not readily > > > deniable because that receipt is printed only after you confirm your > > > choices. > > as has been pointed out repeatedly - either you have some way to "bin" > > the receipt and start over, or it is worthless (and merely confirms you > > made a bad vote without giving you any opportunity to correct it) > > That given, you could vote once for each party, take your photograph, > > void the vote (and receipt) for each one, and then vote the way you > > originally intended to :) > No, as I commented before, voiding the vote in that proposal after the paper > receipt is printed is a serious matter -- it means that either the machine made > an error in recording the e-vote or (as it is oftentimes neglected) the machine > made an error in printing the vote. Or more probably, as seen in the american case - the user didn't understand the interface and voted wrongly. of course, you could avoid this by stating that the voting software displays the vote and gives a yes/no choice before printing the slip, but there is no reason to actually display the slip if there is no hope of voiding it short of storming out of the booth and demanding someone "fix" it.
thirty year plan
Here's a link to an interesting article about the US plan to control the world's oil supply. It points put the hazard of inviting the wolves to watch your henhouse for you. http://www.motherjones.com/news/feature/2003/10/ma_273_01.html David Neilson
Re: Press Coverage, Snarky Media Personalities, and War
On Sat, 1 Mar 2003 16:14:58 -0600, Shawn K. Quinn <[EMAIL PROTECTED]> wrote: At least two of my prior e-mail addresses made "never ever spam these addresses" lists (unlike "remove" lists, these are actually heeded by a lot of spamming vermin), so I know that this can work. Where can one sign up to these "never ever spam" lists? Dave Hodgins
Re: Trivial OPT generation method?
> There is no weakness in it that I could come up with (presuming the audio > input is sufficiently random, which in case of badly tuned station it > seems to be; white noise generator would be better, though). Sounds good to me. you should certainly get 16 good bytes from 128, and while assuming a higher entropy would be faster, it is better to be conservative if you can afford it.
Re: The burn-off of twenty million useless eaters and "minoritie s"
at Friday, February 21, 2003 4:44 PM, James A. Donald <[EMAIL PROTECTED]> was seen to say: > Highly capitalist nations do not murder millions. but their highly capitalist companies sometimes do. is this a meaningful distinction?
Re: Blood for Oil (was The Pig Boy was really squealing today
at Thursday, February 20, 2003 1:28 AM, Harmon Seaver <[EMAIL PROTECTED]> was seen to say: > No oil but lots of dope, especially lots of high grade opium and > the CIA and the US scum military has been just desperate to get > control of the world heroin trade again like they did in Vietnam days. They don't need to build a pipeline though Afganistan any more then? I know they were pretty annoyed when the taleban refused to let them, prior to 9/11
Re: School of the future
at Thursday, February 20, 2003 2:04 AM, Harmon Seaver <[EMAIL PROTECTED]> was seen to say: > The real school of the future won't have classrooms at all, and no > "teachers" as we now know them. Instead there will be workstations > with VR helmets and a number of software "gurus" in the machine > tailoring themselves to the individual students needs and > personality. The machine will never be tired or grumpy or just having > a bad day or serious personality problems like human teachers. They would if I wrote them :) Some days you need a kind, understanding, sympathetic teacher; others, you need the Scary kind :)
Re: The burn-off of twenty million useless eaters and "minorities"
On Tuesday 18 February 2003 20:16, Bill wrote: > At 5:53 PM -0800 2/17/03, Tyler Durden wrote: > >Any kid coming to school > >with a knife or gun gets thrown out, period. > > Gee, when I was in high school, I was on the high school rifle > team. I still have the varsity letter with the crossed rifles on > it. Our ammo was paid for by the US military, who wanted > recruits who could shoot. I brought my gun to school at the > beginning of the season, and took it home at the end. > Teenager have the same right to self defense that adults do. Why would any sane kid want to go into one of those war zones unarmed? Why would any sane parent allow them to do so? David Neilson
Re: The burn-off of twenty million useless eaters and "minorities"
On Tuesday 18 February 2003 20:44, Tyler Durden wrote: (snip) > More than this, they couldn't even > really conceive of a life without the ubiquitous violence and > filth around them. There was no real reason to do well or get a > good job. In the end, it not only felt futile to work there, it > was depressing. > > Was this "black people's" fault? Nah. It's all of our fault. > That is utter bullshit. I didn't do anything to any of these people and I am in no position to change their circumstances. Abolishing the public school/juvenile delinquent factories and making schools compete for their students on based on the quality of the education offered would result in a tremendous improvement the quality of life of these kids. But that's just one of the things I can't change for them. The money I put into these systems is stolen from me. All I can do is homeschool my own kids. All this distributing collective blame and laying blanket guilt trips on all Americans for the sins of previous generations or the screw-ups of our betters gives me gas. David Neilson
Re: The burn-off of twenty million useless eaters and "minorities"
On Sunday 16 February 2003 21:16, you wrote: > (It's true that the military > consumes much, much more money than it should, but at least the > Army and Navy are constitutionally legitimate.) > Article 1, Section 8 of the Constitution says: The Congress shall have the Power To raise and support Armies, but no Appropriation of Money to that Use shall be for a longer Term than two Years; To provide and maintain a Navy; A permanent Navy is certainly authorized by the Constitution. A standing army is something the founders feared and clearly meant to circumvent by preventing any army from being funded for more than two years. Maintaining a permanent standing army by renewing its funding every two years is simply more treasonous bullshit from the fecal matter infesting Washington D.C. David Neilson
reasonable pledge
Initial draft of a reasonable pledge of allegiance: I Pledge Allegiance to the cause of Individual Liberty and I neither recognize nor subject Myself to any Ruler or Higher Authority. I swear to resist Tyranny on all fronts and to protect and advance freedom for Myself and other Sovereign Individuals. David Neilson, Gun-toting Anarchist
Re: Forced Oaths to Pieces of Cloth
On Tuesday 11 February 2003 09:52, Dr. mike wrote: > No reason we can't start a movement to plege alegiance to the > constitution The main body of the constitution does not apply to the individuals, it is the law the politicians and bureaucrats of the federal government are supposed to obey (and instead completely ignore). The fourteenth amendment prohibits the state governments from violately individual rights. What is needed is the death penalty or life imprisonment for politicians and bureaucrats who violate their oaths to uphold the constitution. The proper recipient of a pledge of allegiance is individual liberty. As Ben Franklin said, "Where liberty dwells, there is my country." David Neilson "This will be the best security for maintaining our liberties. A nation of well-informed men who have been taught to know and prize the rights which God has given them cannot be enslaved. It is in the religion of ignorance that tyranny begins." (also by Ben)
Re: Putting the "NSA Data Overwrite Standard" Legend to Death... (fwd)
at Monday, February 10, 2003 3:20 AM, Jim Choate <[EMAIL PROTECTED]> was seen to say: > On Sun, 9 Feb 2003, Sunder wrote: >> The OS doesn't boot until you type in your passphrase, plug in your >> USB fob, etc. and allow it to read the key. Like, Duh! You know, >> you really ought to stop smoking crack. > Spin doctor bullshit, you're not addressing the issue which is the > mounting of an encrypted partition -before- the OS loads (eg lilo, > which by the way doesn't really 'mount' a partition, encrypted or > otherwise - it just follows a vector to a boot image that gets dumped > into ram and the cpu gets a vector to execute it - one would hope it > was the -intended- OS or fs de-encryption algorithm). What does that > do? Nothing (unless you're the attacker). indeed. it usually boots a kernel image with whatever modules are required to get the main system up and running; > There are two and only two general applications for such an approach. > A standard workstation which isn't used unless there is a warm body > handy. The other being a server which one doesn't want to -reboot- > without human intervention. Both imply that the physical site is > -secure-, that is the weakness to all the current software solutions > along this line. The solution is only applicable to cold or moderately tamper-proofed systems, to prevent analysis of such systems if confiscated. It can only become a serious component in an overall scheme, but this is universally true - there is no magic shield you can fit to *anything* to solve all ills; this will add protection against the specified attacks and in fact already exists for windows (drivecrypt pluspack) - it is just non-windoze platforms that lack a product in this area.
Re: Putting the "NSA Data Overwrite Standard" Legend to Death... (fwd)
at Monday, February 10, 2003 3:09 AM, Jim Choate <[EMAIL PROTECTED]> was seen to say: > On Mon, 10 Feb 2003, Dave Howe wrote: >> no, lilo is. if you you can mount a pgpdisk (say) without software, >> then you are obviously much more talented than I am :) > Bullshit. lilo isn't doing -anything- at that point without somebody > or something (eg dongle) being present that has the -plaintext- key. > Without the key the disk isn't doing anything. So no, lilo isn't > mounting the partition. It -is- a tool to do the mount. I don't understand why this concept is so difficult for you - software *must* perform the mount; there is absolutely no way you could personally inspect every byte from the disk and pass decrypted data to the os at line speed yourself. lilo is the actor here. If you gave a program spec to a programmer and said "write this" you wouldn't be able to claim you wrote the code yourself, no matter how good or essential the program spec was. > As to mounting the disk without software, not a problem it could be > done all in hardware. Though you'd still need the passphrase/dongle. you couldn't *mount* a disk in hardware; you *could* decrypt on-the-fly and make the physical disk look like a unencrypted one, but you would still need non-crypto software to mount it. >> for virtual drives, the real question is at what point in the boot >> process you can mount a drive - if it is not until the os is fully >> functional, then you are unable to protect the os itself. if the >> bootstrap process can mount the drive before the os is functional, >> then you *can* protect the os. > No you can't. If the drive is mounted before the OS is loaded you can > put the system into a DMA state and read the disk (screw the OS) > since it's contents are now in plaintext. no, you can't. data from the hardware is *still* encrypted; only the output of the driver is decrypted, and a machine no longer running bootstrap or os is also incapable of decryption. you *could*, if good enough, place the processor in a halt state and use DMA to modify the code to reveal the plaintext, but it would be a major pain to do so and would require both physical access to the machine *while powered up and without triggering any anti-tamper switches* after the password has been supplied. This is actually a weakness in firmware cryptodrives (as I have seen advertised recently) - once the drive is "unlocked" it can usually be swapped over to another machine and the plaintext read. > You can also prevent the > default OS from being loaded as well. Indeed so, yes. however, usually that decision has to be made before the password would be entered - so making more awkward. you *could* finangle the bootstrap though; there must *always* be part of the code outside the crypto envelope (but of course this can be removable media such as the usb drive mentioned, and stored securely when not in use) > Clue: If you own the hardware, you own the software. indeed so. however, if that applied to machines not already running, the police wouldn't be so upset when they find encrypted files on seized hardware.
Re: A secure government
at Thursday, February 06, 2003 4:48 PM, Chris Ball <[EMAIL PROTECTED]> was seen to say: > Another point is that ``normal'' constables aren't able to action the > request; they have to be approved by the Chief Constable of a police > force, or the head of a relevant Government department. The full text > of the Act is available at: at least in theory. It was only a massive public "FaxYourMP" campaign that aborted the attempt to extend the "people able to authorise" list for interception to the head of any local government department (and a few other groups). I have no reason to believe that a similar paper would not have extended authority to demand keys right down to the dogcatcher general too :)
Re: A secure government
at Thursday, February 06, 2003 3:44 PM, Peter Fairbrother <[EMAIL PROTECTED]> was seen to say: > David Howe wrote: > a) it's not law yet, and may never become law. It's an Act of > Parliament, but it's two-and-a-bit years old and still isn't in > force. No signs of that happening either, except a few platitudes > about "later". Indeed - and the more FaxYourMP can do to keep that ever coming into force the better :) > b) Plod would have to prove you have the key, and refused to give it, > before you got convicted. Kinda hard to do. Not true - they have to prove you *had* the key at some point in the past. having lost the key isn't a defense > c) you already know this!!! probably - it was an oversimplification of a complex legal situation. the law *is* on the books, and as far as I can see, all that is stopping the first part of it coming into force is the desire of the HO to add a shopping list of new people to the list already defined in the act. I am assuming that the part we are discussing here is "held up in the queue" until the bits before it come into effect.
Re: Putting the "NSA Data Overwrite Standard" Legend to Death... (fwd)
at Thursday, February 06, 2003 2:34 PM, Tyler Durden <[EMAIL PROTECTED]> was seen to say: > I've got a question... > >> If you actually care about the NSA or KGB doing a low-level >> magnetic scan to recover data from your disk drives, >> you need to be using an encrypted file system, period, no questions. > > OK...so I don't know a LOT about how PCs work, so here's a dumb > question. > > Will this work for -everything- that could go on a drive? (In other > words, if I set up an encrypted disk, will web caches, cookies, and > all of the other 'trivial' junk be encrypted without really slowing > down the PC?) Provided the drive is mounted, yes. and there is no "without slowing down the pc" - obviously it *will* cost CPU time (you are doing crypto on each virtual disk sector on the fly), but it shouldn't impact on bandwidth unless you have a really slow pc. Virtual drives occupy a drive letter like a normal drive. most (including pgpdisk) have to be "mounted" while windows is already running - ie, there is nothing at that disk letter until you run a program and type a password. Some (like DriveCrypt Pluspack) allow the boot volume to be a virtual volume and be mounted *before* windows starts running. Easiest way to find out what you can and can't do is download Scramdisk or E4M, and play :)
Re: A secure government
at Thursday, February 06, 2003 11:21 AM, Pete Capelli > Then which one of these groups does the federal government fall > under, when they use crypto? In the feds opinion, of course. Or do > they believe that their use of crypto is the only wholesome one? Terrorism of course, using their own definition - they use force or the threat of force to achieve their political aims :)
Re: A secure government
> No, the various provisions of the Constitution, flawed though it is, > make it clear that there is no "prove that you are not guilty" > provision (unless you're a Jap, or the government wants your land, or > someone says that you are disrespectful of colored people). Unfortuately, this is not true in the UK - the penalty for non-decryption of encrypted files on request by an LEA (even if you don't have the key!) is a jail term.
Re: "Touching shuttle debris may cause bad spirits to invade your body!"
at Monday, February 03, 2003 3:48 AM, Sunder <[EMAIL PROTECTED]> was seen to say: > Think upgrading of circuit boards. Remove old board, insert new > board for example. Leaving the old board circling around may not be > a good thing. Just for example. Yeah, makes sense. ok, I withdraw my objections to the conspiracy theory :)
Re: Sovereignty issues and Palladium/TCPA
at Friday, January 31, 2003 2:18 AM, Peter Gutmann <[EMAIL PROTECTED]> was seen to say: > More particularly, governments are likely to want to explore the > issues related to potential foreign control/influence over domestic > governmental use/access to domestic government held data. > In other words, what are the practical and policy implications for a > government if a party external to the government may have the > potential power to turn off our access to its own information and > that of its citizens. And indeed - download patches silently to change the "disable" functionality to "email anything interesting directly to the CIA" functionality.
Re: the news from bush's speech...H-power
at Wednesday, January 29, 2003 11:18 PM, Bill Frantz <[EMAIL PROTECTED]> was seen to say: > Back a few years ago, probably back during the great gas crisis (i.e. > OPEC) years, there were a lot of small companies working on solar > power. As far as I know, they were all bought up by oil companies. > Of course, only a paranoid would think that they were bought to > suppress a competing technology. Actually, Oil companies are all in favour of competing technologies - provided they get to control them. Solar may be an exception though; wind is ok as the massive installations, land usage permissions and nature of the output fluctuations mean you really can't start off small (they are fine to feed into a large system where the overall average would be fairly level, though) but solar is just too easy to reduce down to individual installations in individual homes or businesses; only technologies that permit a service based business model (delivery of electricity and/or production of fuels that can't be done without massive plant) are encouraged :(
Re: [IP] Open Source TCPA driver and white papers (fwd)
at Friday, January 24, 2003 4:53 PM, Mike Rosing <[EMAIL PROTECTED]> was seen to say: > Thanks Eugen, It looks like the IBM TPM chip is only a key > store read/write device. It has no code space for the kind of > security discussed in the TCPA. The user still controls the machine > and can still monitor who reads/writes the chip (using a pci bus > logger for example). There is a lot of emphasis on TPM != Palladium, > and TPM != DRM. TPM can not control the machine, and for DRM to work > the way RIAA wants, TPM won't meet their needs. TPM looks pretty > useful as it sits for real practical security tho, so I can see why > IBM wants those !='s to be loud and clear. Bearing in mind though that DRM/Paladium won't work at all if it can't trust its hardware - so TPM != Paladium, but TPM (or an improved TPM) is a prerequisite.
Re: Singularity ( was Re: Policing Bioterror Research )
at Tuesday, January 07, 2003 1:14 AM, Michael Motyka <[EMAIL PROTECTED]> was seen to say: > financial resources, > other than those that pass through verified identity > gatekeepers; That's an odd way to spell "Campaign Fund Contributing Corporations"
Re: Correction of AP-CIA Disinfo.
at Monday, December 23, 2002 7:29 PM, Mike Rosing <[EMAIL PROTECTED]> was seen to say: > On Tue, 24 Dec 2002, Matthew X wrote: > >> The containment vessel may survive a jet impact but the control room >> and/or temporary pools of spent fuel lying outside the containment >> vessel might not survive. A nuclear core without monitored control >> because everything outside the containment vessel is incinerated can >> cause a modern day China Syndrome or Chernobyl disaster. > > Bwah haha ha ha heee "China syndrome" huh? go watch jane in > barberella, you'll learn more physics. This is what i get for > bypassing the kill file :-) but it is mighty funny! It isn't that wildly inaccurate - losing both control rooms would be (and has been on at least one occasion) an absolute nightmare. on that occasion, technicians had to get a five-year batch of radiation in ten minutes by going in, operating *one* valve by hand, then getting the hell out before they reached a lethal dose. >From *that* one they learnt that having two control rooms doesn't do jack if you run both sets of wire along the same trays - and have flamable insulation on the wires.
Re: Libel lunacy -all laws apply fnord everywhere
at Monday, December 16, 2002 8:34 AM, Major Variola (ret) <[EMAIL PROTECTED]> was seen to say: > "The network?" Sorry, its one wire from here to there. Even a router > with multiple NICs only copies a given packet to a single interface. That is unfortunately too much of a generalisation - although I would accept "normally" in that sentence. there are plenty of setups (broadcast domains, egmp etc) where a single packet is echoed out of multiple interfaces, and in fact some amplification attacks rely on that.
Re: Libel lunacy -all laws apply fnord everywhere
at Tuesday, December 17, 2002 5:33 AM, the following Choatisms were heard: > Nobody (but perhaps you by inference) is claiming it is identical, > however, it -is- a broadcast (just consider how a packet gets routed, > consider the TTL for example or how a ping works). ping packets aren't routed any differently from non-ping packets - they bounce up though your ISPs idea of best route to the recipient's ISP, who then use their idea of best route to the target (leaving aside the via IP flag). The reply bounces up their ISP's idea of best route to your ISP, and down though your ISP's best route to you. There isn't a sudden wave of "ping packet" travelling out across the internet like a radar pulse, and reflecting back to you - it is a directed transfer of a single discrete packet. The best analogy (made by someone else here earlier) is a telephone call; each call follows a routing path defined by the phone company's best idea of pushing comms one step closer to the destination at that time; it may be that a longer route (bouncing via a third country to get to a second, rather than using the direct line) has a lower "cost" due to the usage at that time, so that route is used.
Re: Photographer Arrested For Taking Pictures Of Vice President'S Hotel
Declan McCullagh wrote: >Also epic.org (not a cypherpunk-friendly organization, >but it does try to limit law enforcement surveillance) [...] Is the cypherpunks movement truly so radicalized that it is not willing to count even EPIC among its friends?
Re: CNN.com - WiFi activists on free Web crusade - Nov. 29, 2002 (fwd)
at Monday, December 02, 2002 8:42 AM, Eugen Leitl <[EMAIL PROTECTED]> was seen to say: > No, an orthogonal identifier is sufficient. In fact, DNS loc would be > a good start. I think what I am trying to say is - given a "normal" internet user using IPv4 software that wants to connect to someone "in the cloud", how does he identify *to his software* the machine in the cloud if that machine is not given a unique IP address? few if any IPv4 packages can address anything more complex than a IPv4 dotted quad (or if given a DNS name, will resolve same to a dotted quad) > The system can negotiate whatever routing method it uses. If the node > doesn't understand geographic routing, it falls back to legacy > methods. odds are good that "cloud" nodes will be fully aware of geographic routing (there are obviously issues there though; given a node that is geographically "closer" to the required destination, but does not have a valid path to it, purely geographic routing will fail and fail badly; it may also be that the optimum route is a longer but less congested (and therefore higher bandwidth) path than the direct one. For a mental image, imagine a circular "cloud" with a H shaped hole in it; think about routing between the "pockets" at top and bottom of the H, now imagine a narrow (low bandwidth) bridge across the crossbar (which is a "high cost" path for traffic). How do you handle these two cases?
Re: New Wi-Fi Security Scheme Allows DoS (fwd)
at Thursday, November 21, 2002 1:52 PM, Jim Choate <[EMAIL PROTECTED]> was seen to say: > http://www.extremetech.com/article2/0,3973,717170,00.asp LOL! which references - the archive of this list for bibliography :)
Re: Psuedo-Private Key -Methodology
at Thursday, November 21, 2002 2:26 PM, Sarad AV <[EMAIL PROTECTED]> was seen to say: > 'A' uses a very strong crytographic algorithm which > would be forced out by rubber horse cryptanalysis > Now if Aice could give another key k` such that the > cipher text (c) decrypts to another dummy plain > text(D) > the secret police gets to read > the dummy plain text(D) using the surrendered key k` > without compramising the real plain text(P). Depends on what (c) looks like and how it is obtained. if it is a random jumble of characters (like a scramdisk) then you might get away with claiming a key 'k is the otp key for it (and of course given (c) and the required plaintext, 'k is trivial to construct) if (c) is self-evidently in the format of a known encryption package (pgp, smime, lots of others) then your attackers are not going to believe they are really OTP encrypted if the message is intercepted, not sniffed (ie, you never receive a copy yourself) then you cannot construct 'k
Re: Transparent drive encryption now in FreeBSD
Tyler Durden wrote: >Sorry, I'm new, but does this refer to the notion of splitting up a document >"holographically", and placing the various pieces of numerous servers >throughout the 'Net? No. It is referring to conventional encryption of your local hard disk.
Re: Did you *really* zeroize that key?
at Thursday, November 07, 2002 6:13 PM, David Honig <[EMAIL PROTECTED]>
was seen to say:
> Wouldn't a crypto coder be using paranoid-programming
> skills, like *checking* that the memory is actually zeroed?
That is one of the workarounds yes - but of course a (theoretical)
clever compiler could realise that
int myflag;
myflag=0;
if (myflag!=0) { do stuff } ;
can be optimised away entirely as the result is constant.
the problem isn't so much a question of what would work now, but "is it
possible that your zeros could be optimised away by a theoretical future
compiler, and how do we make portable code that nevertheless can't be
optimised away?"
Re: Did you *really* zeroize that key?
At 03:55 PM 11/7/02 +0100, Steven M. Bellovin wrote: >Regardless of whether one uses "volatile" or a pragma, the basic point >remains: cryptographic application writers have to be aware of what a >clever compiler can do, so that they know to take countermeasures. Wouldn't a crypto coder be using paranoid-programming skills, like *checking* that the memory is actually zeroed? (Ie, read it back..) I suppose that caching could still deceive you though? I've read about some Olde Time programmers who, given flaky hardware (or maybe software), would do this in non-crypto but very important apps.
Re: What email encryption is actually in use?
On Sun, Nov 03, 2002 at 11:23:36AM -0800, Tim May wrote: > - -- treat text as text, to be sent via whichever mail program one > uses, or whichever chatroom software (not that encrypted chat rooms > are likely...but who knows?), or whichever news reader software Hmm. I know of at least one irc server (and nntp server, as it happens, on the same box) that only allows access by ssh tunnel...
Re: What email encryption is actually in use?
at Monday, November 04, 2002 3:13 PM, Tyler Durden > This is an interesting issue...how much information can be gleaned > from encrypted "payloads"? Usually, the VPN is an encrypted tunnel from a specified IP (individual pc or lan) to another specified IP (the outer marker of the lan, usually the firewall/vpn combo box but of course that function can be split if needs be) sniffers can usually catch at least some of the initial login - normally a host name or user name is passed unencrypted as part of the setup - but any actual mail traffic will be indistinguishable from any other traffic; it is encapsulation of IP packets in an outer encrypted wrapper. similar statements can usually be made for Zeb, SSH and other similar tunnels - each encapsulates a low level (almost raw in the case of strict tunnels like zeb or ssh) packet passing tunnel in a crypto skin.
Re: What email encryption is actually in use?
at Monday, November 04, 2002 2:28 AM, Tim May <[EMAIL PROTECTED]> was seen to say: > Those who need to know, know. Which of course is a viable model, provided you are only using your key for private email to "those who need to know" if you are using it for signatures posted to a mailing list though, it just looks silly. > You, I've never seen before. Even if you found my key at the Liberal > Institution of Technology, what would it mean? it would at least give us a chance to check the integrity of your post (what a sig is for after all) and anyone faking your key on the servers would have to prevent you ever seeing one of your own posts (so that you can't check the signature yourself) > Parts of the PGP model are ideologically brain-dead. I attribute this > to left-wing peacenik politics of some of the early folks. The Web-of-Trust model is mildly broken - all you can really say about it is that it is better than the alternatives (X509 is not only badly broken, but badly broken for the purpose of hierachical control and/or profit) In the current case, one reason to sign important posts is to establish a pattern of ownership for posts, independent of real-world identity. If I know that posts a,b & c sent from nym x are all signed, I will be reasonably confident that key y is owned by the normal poster of nym x. that I don't know who that is in meatspace is pretty irrelevant. Where both systems break down is when trying to assert that key y is tied to anything but an email address (or possibly a static IP). There is little to bind a key to anything or anyone in the real world, unless you meet in person, know each other reasonably well (if only via third parties that can identify you both) and exchange fingerprints. in fact, WoT is simply an attempt to automate this process offline, so that you can be "introduced" to someone by a third party without all three of you having to meet; you still have to make a value judgement based on how sure you are about the third party's reliability and how confident they seem about the identity of x - however in the real world, both of those are vague, hard-to-define values and in the WoT they are rigid (you have a choice of two levels of trust for an introducer, and no way to encode how much third parties should rely on your identification)
Re: What email encryption is actually in use?
-BEGIN PGP SIGNED MESSAGE-
If you signed your messages on a regular basis, it would let me know
whether or not you're the same Tim May, I've been reading since back
when toad.com was the only server for the list.
If you're key was signed by anyone I've dealt with, who I know will
actually check your id, it would increase my confidence that you
really are Tim May, and not just a net persona.
It doen't make one iota of difference, whether you choose to
distribute your key or not. Your ideas are usually thought
provoking,
and consistent enough to form a persona in the minds of the list
readers. Or at least, in mine.
I know you know (whether or not you agree) with the above. It just
struck me as humourous that you'd sign the post, with the comment
to the effect that there isn't much point in doing so, with a key
that isn't on the servers.
Do you see the PGP web of trust as completly useless?
As to who I am, well...
I'm a programmer, living in London, Ont. Canada.
I've been lurking, off and on, since 94 or so. I don't think I've
actually posted anything to the list since back in 96, when I
wrote a freeware program to simplify using PGP with dos based
offline mail readers (MPI.ZIP).
While I normally promote privacy issues, only with those I meet
face to face, I still consider myself a cypherpunk. I normally
only post to the list, when my point of view isn't being
expressed by any of the regular posters.
Regards, Dave Hodgins.
Tim May wrote:
>
> On Sunday, November 3, 2002, at 06:14 PM, David W. Hodgins wrote:
>
> >
> > -BEGIN PGP SIGNED MESSAGE-
> >
> > The advantages really disappear, when the key used to sign the
> > message
> > isn't sent to the key servers {:.
> >
>
> Those who need to know, know.
>
> You, I've never seen before. Even if you found my key at the
> Liberal Institution of Technology, what would it mean?
>
> Parts of the PGP model are ideologically brain-dead. I attribute
> this to left-wing peacenik politics of some of the early folks.
>
- --Tim May
-BEGIN PGP SIGNATURE-
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
iQEVAwUBPcXu94s+asmeZwNpAQFQuAf+LbwrdQV8CPAc/lw2AF5HPvKLGopHCj3i
tFR+drfFAYDDA6UHMPJOFxzDdhFYrRbhQ3c3cSkExSSoI7Mce389KPdGimWQZTJZ
rCYyvnXtG+S//ya8yCELXC3SSwwra0+laPpoSz6lseIU6YJUYFyMLnnXaH5gpxHi
O7TtK8kfPFQVVdbBuJC4mp9SjNO3DqIM29UbPSrf9KZ1w2zPXA4eov9GL9jjU808
CzT+wncCYaE1EU8cT3C+TFJyd8r8B1S6CLbjX9hC71kIt5bVUt1EHMHUx8u2YaXZ
i4o2kKQGePbJvIIiOuwngIUOuwnbgLlGO7+zhsL4y2UuXeJ1/W5NVQ==
=8BJt
-END PGP SIGNATURE-
Re: What email encryption is actually in use?
-BEGIN PGP SIGNED MESSAGE-
The advantages really disappear, when the key used to sign the
message
isn't sent to the key servers {:.
Regards, Dave Hodgins.
Tim May wrote:
>
> -BEGIN PGP SIGNED MESSAGE-
>
> (P.S. I'm going to do something I don't often do: sign a post.
> Reasons for not signing posts are manyfold. Advantages are few. But
> this is to
-BEGIN PGP SIGNATURE-
Version: PGPfreeware 7.0.3 for non-commercial use
iQEVAwUBPcXX8Is+asmeZwNpAQE9dQf/YKjY4AZRXEEdYmYDrDt+IAYmag8EhC31
tMpORG0FlZMzbIbwTCk0f4tAlvJHQXSDHSWLbJznmImMb2uRmYOkAOUdnYvTweCU
k65fBFC5ZM988/enSP5y4uJ0HW6iLvPTrUffojHh/gMJZlJ/DGh7BdIUpHKIzE7f
zqZB+Z5uyVGpDvYh+pRe1Js9k9XBo/HyYqO862sV8zPs4uVRtRCLwJlOnAsrAPcS
7cTlk2zF1LTr9LOBobNPSiWVq92vJY17kI/Xodasjhzk2/o7SlGCVjCtLlmiEey8
KOuiJfkPsUKNfm6Tn9Nw2hVR51qpBnVIc5KgBgebr/SR9xDjVBSMjQ==
=sWNd
-END PGP SIGNATURE-
ISP Utilty To Cypherpunks?
Cypherpunks, I run a 501(c)(3) non-profit focuses on providing free, donation-based colocation to individuals and other non-profits (i.e., no companies are hosted. Additionally, we try to do things that are useful to the not-for-profit Internet community as a whole; for instance, we run a freenode.info IRC server (freenode is used by a lot of Open Source development groups to coordinate developer teams). I'd like to understand how we could be useful to the cypherpunk community. I've got some wild guesses (run a public keyserver, run a mixmaster node, etc), but I don't really know what is most badly needed, or how we could provide the most bang for the bandwidth buck. (We do pay for bandwidth, so "serving up Debian ISOs" is not a viable way we can help the community at this time.) Ideally, we'd like to find applications that don't use a lot of bandwidth (<500kbps aggregate), but require a server that's got a fixed IP, is up all the time, and has very low latency to most of the Net. How can we help? David E. Weekly Founder & Director California Community Colocation Project http://CommunityColo.net/ PS: We are entirely volunteer-based. Nobody gets paid.
Re: Is password guessing legal?
at Monday, October 28, 2002 9:34 PM, Major Variola (ret) <[EMAIL PROTECTED]> was seen to say: > Did that Wired reporter just admit to a crime? Does it matter that > the site is overseas? That they're "Evil(tm)"?? nope, hacking into overseas servers is officially not a crime in the US - after that fbi-russia thing. well, you have a precident anyhow :)
Re: What is the truth of the anti war rallys?
James, I was in San Francisco and saw the tail end of the demonstrations. My best friend Nathan saw the brunt of it. 42,000 seems like a very just and reasonable estimate for the size of the total march. Then all of the reasonable people went home (when the permit was up) and there were left some ~300-odd total idiotic wackos (one proclaiming "technology is destroying us! culture is destroying us! we must smash civilization!" to much cheering and being immediately followed by a speaker emphasising the need for "increased research and development of solar cars" to cheering from the same people). The photos may have been of this group. I, for one, took a few photos of this group and the assorted police. There were, at no point in time that I could see, a mere group of forty people participating. There were well over 40 police officers alone, some horseback mounted, many in cars, many on motorcycles, some in paddywagons, and a HUGE number on foot, marching about like soldiers. The media is not pulling the wool over your eyes on this one. Think about it -- you really can't get away with misrepresentations of that magnitude. They may be fooling us in other regards, but this is not one of those. -david
Re: Office of Hollywood Security, HollSec
at Saturday, October 26, 2002 1:18 AM, Tim May <[EMAIL PROTECTED]> was seen to say: > Yes, but check very carefully whether one is in violation of the > "anti-hacking" laws (viz. DMCA). By some readings of the laws, merely > trying to break a cipher is ipso fact a violation. IIRC, you can't be arrested for cracking a cypher unless that cypher is in use to protect a copyrighted work
Re: more snake oil? [WAS: New uncrackable(?) encryption technique]
at Friday, October 25, 2002 6:22 PM, bear <[EMAIL PROTECTED]> was seen to say: > The implication is that they have a "hard problem" in their > bioscience application, which they have recast as a cipher. The temptation is to break it, *tell* them you have broken it (and offer to break any messages they encrypt in it just to demonstrate) but dont' tell them how you did it. That would probably be even more fustrating for them than the problem was :)
Re: The Register - UK firm touts alternative to digital certs (fwd)
at Monday, October 21, 2002 4:20 PM, Eric Murray <[EMAIL PROTECTED]> was seen to say: > Looking at their web site, they seem pretty generic about > what it's for, but I did not see any mention of using it for payments. > So I assume it's for logins. well, I was working from: "The Quizid registry The Quizid registry is a database that translates the customer profile information required to facilitate secure online payment. Once a customer has been authenticated by the Quizid vault, the payment transaction is completed between the registry and the acquiring bank using the appropriate payment protocols. The bank then performs the necessary clearing between acquirers and issuers. As well as storing credit and debit card details the registry can be used to securely hold any personal information you would rather not enter over the Internet. So you can pre-load your delivery address, details of loyalty cards or even your seating preference for airline tickets. As well as being more secure this makes shopping online faster and simpler as you don't have to enter in the same information time after time." plus the two of their demo sites I checked offer it only as a checkout payment option. > They do say that their servers are "benchmarked at 300 > transactions/sec". That's pretty darn slow for single des. Not sure that 1Des is the bottleneck. From my (perhaps incorrect) idea of the process: 1. user "checks out" with QuizID code 2. Website opens link to QuizID and presents *its* credentials 3. QuizID checks database, confirms valid login for the website 4. Website presents user ID and Quizid code 5. QuizID checks database, verifies that QuizID code was recently generated, the sequence number is in a reasonable range, and that the user hasn't closed his account or something 6. QuizID returns to Website any site-specific data held in its registry for that Website+Customer pair, plus any data that the user has marked of general accessability (such as delivery address) 7. Website requests payment of $amount 8. QuizID retrieves bank details from database for user, signs onto merchant services, and gets a authorization for the amount; signs on again and commits the payment; gets the account details for the Website owner from the database; signs on to the merchant services *again* and makes a payment of equal amount (presumably minus their fees) into the Website owner's account 9. QuizID sends a success (or fail) message to the Website there are probably enough individual comms and database lookup tasks there to slow things down quite a bit, even leaving aside the crypto aspects.
Re: The Register - UK firm touts alternative to digital certs (fwd)
at Monday, October 21, 2002 3:14 PM, Trei, Peter <[EMAIL PROTECTED]> was seen to say: > I'd be nervous about a availability with centralized servers, > even if they are "triple redundant with two sites". DDOS > attacks, infrastructure (backhoe) attacks, etc, could all > wreck havoc. Indeed so, yes. I suspect (if it ever takes off) that they will have to scale their server setup in pace with the demand, but to be honest I think 600/sec is probably quite a high load for actual payments - we aren't talking logins or web queries, but actual real-money-payment requests. I suspect that, if it became the dominant payment method for amazon or ebay, they would need a much more hefty server, but at this stage I suspect a heavy load would be two auths per second :)
Re: One time pads
at Wednesday, October 16, 2002 7:17 PM, David E. Weekly <[EMAIL PROTECTED]> was seen to say: > As for PKI being secure for 20,000 years, it sure as hell won't be if > those million-qubit prototypes turn out to be worth their salt. I wasn't aware they even had a dozen-qbit prototypes functional yet - but even so - assuming that each qbit is actually a independent complete machine (it isn't - you need to build a machine bigger than one bit) and you had a million-unit module built - this would be equivilent to building one million (2^20, I'll be generous and give you the extra few thousand) machines each able to cross-check their results instantly (so identify if one of the million has a correct answer) This will mean you can brute force a key as though it were 20 bits shorter in keylength. even assuming you can use the usual comparison (3Kbit RSA=128 bit symmetric) this leaves you the equivilient of a 108 bit key to break - and even assuming a quantum virtual machine ran as fast as a real world one, that would take a while. Of course, if you have a machine that will break a 108 bit key in under a hundred years, I am sure the NSA would like to make you an offer.. I can't remember the last time I used an asymmetric key as small as 3Kbits. my current key is 4K and has been for some years, and my next will probably be 6K just to be sure.
Re: XORing bits to eliminate skew
at Thursday, October 17, 2002 4:38 PM, Sarad AV <[EMAIL PROTECTED]> was seen to say: > He wanted to know how I was able to do XOR on P(0) and > P(1) when xor is defined only on binary digits. you don't. P(x) is a probability of digit x in the output. ideally, P(0)=P(1)=0.5 (obviously in binary, only 0 and 1 are defined, so they are the only two possible outcomes. Now assume that one output (1 say) is more probable than the other. If this is true, you can define some value of probability (e) that is the amount a given outcome is more or less probable than the ideal. Now add a second bit. assume that the bits are (i) and (ii) so we know that the probability of (i) being 1 is 0.5-e and and being 0 is 0.5+e (there isn't a bias btw in that notation - e could be negative) so all the possible combinations are P(i=1, ii=1) =(0.5-e)(0.5-e) P(i=1, ii=0) =(0.5-e)(0.5+e) P(i=0, ii=1) =(0.5+e)(0.5-e) P(i=0, ii=0) =(0.5+e)(0.5+e) but of course if you XOR (i) and (ii) together, then (i=1, ii=1) = 0 (i=1, ii=0) = 1 (i=0, ii=1) = 1 (i=0, ii=0) = 0 collecting identical outputs allows you to say P(0)=P(i=1, ii=1)+P(i=0, ii=0) = (0.5-e)(0.5-e)+(0.5+e)(0.5+e) P(1) P(i=1, ii=0) + P(i=0, ii=1) = (0.5-e)(0.5+e)+(0.5+e)(0.5-e) reducing P(0) as in the example you gave gives you the probability of P(0) being 0.5+(2*(e^2)) so the answer is - you don't ever apply XOR to anything but binary - you do straight algebraic math on the *probabilities* of a given output (0 or 1)
Re: One time pads
at Wednesday, October 16, 2002 6:13 PM, Bill Frantz <[EMAIL PROTECTED]> was seen to say: > OTP is also good when: > (1) You can solve the key distribution problem. Its certainly usable provided key distribution isn't an issue - if it is also worth the trouble and expense is another matter. > (2) You need a system with a minimum of technology (e.g. no computers) it certainly does shine in this context - few decent encryption methods can be done with pencil and paper, and certainly by protecting the key with extra (discarded) characters, you can make the key document look innoculous indeed. Of course, indicating those characters then becomes a problem (unless you use some simplistic scheme like the second and second from last characters of each word in a specified book, but the odds of a random distribution from such is low)
Re: commericial software defined radio (to 30 Mhz, RX only)
at Thursday, October 17, 2002 4:54 AM, Morlock Elloi > Also, if regular cheapo PC sounboards can digitize 30 MHz (and > Nyquist says this requires 60 MHz sampling rate) then some product > managers need ... flogging. If I am reading this correctly, they don't need to - a fixed-frequency first mixer "bandshifts" a frequency block down to khz (with presumably a bandpass filter for selectivity), and the soundcard samples down in the ranges it is designed for. I could be reading it wrong though, DSP is nowhere near being my field :)
Re: One time pads
at Wednesday, October 16, 2002 7:17 PM, David E. Weekly <[EMAIL PROTECTED]> was seen to say: > Naive question here, but what if you made multiple one time pads > (XORing them all together to get your "true key") and then sent the > different pads via different mechanisms (one via FedEx, one via > secure courier, one via your best friend)? Unless *all* were > compromised, the combined key would still be secure. Pretty much, yes. at least one "real world" OTP system assumes you will be using three CDRW disks; the three are xored (as you say) together, the message sent, and after the keyfiles are exhaused (or the panic button hit) all three disks are automatically wiped and overwritten (several times) with random data. this isn't a new key (although it could be used as such I suppose) but cleanup before the disks are disposed of (the docs say to incinerate the disks, or in case of an emergency, microwave them on high. There is usually a good excuse for a microwave next to the machine, which is handy for the duty guy to heat his lunch without leaving his desk :)
Re: One time pads
at Thursday, October 17, 2002 2:20 AM, Sam Ritchie <[EMAIL PROTECTED]> was seen to say: > ACTUALLY, quantum computing does more than just halve the > effective key length. With classical computing, the resources > required to attack a given key grow exponentially with key length. (a > 128-bit key has 2^128 possibilities, 129 has 2^129, etc. etc. you all > know this...) With quantum computing, however, the complexity of > an attack grows only polynomially. Is this actually true or is it that it can scale proportionally in time and in number of qbits required? if you assume that a classic machine takes x^2 operations to break a key, but a quantum machine will take x operations with x qbits, that would have the same effect, provided you can create that many qbits. I haven't seen any papers that say that it is polynomial at all though - can you provide a reference or two?
Re: One time pads and Quantum Computers
> > David E. Weekly[SMTP:[EMAIL PROTECTED]] > > > Which means that you should start thinking about > > > using OTP *now* if you have secrets you'd like to keep past when an > > > adversary of yours might have access to a quantum computer. ... > > OTPs won't help a bit for that problem. > They're fine for transmitting new data if you've already sent a pad, > but they're useless for storing secrets, because you can only decrypt > something if you've got the pad around, and you have to burn the pad after > use. Yes, sorry -- I should have clarified as "you should start thinking about encrypting data transmissions using OTP *now* if you'd like to send secrets you'd like to keep..." -- destroying both pads after transmission should be obvious. I wasn't attempting to address secure data storage. -d
Re: One time pads
Naive question here, but what if you made multiple one time pads (XORing them all together to get your "true key") and then sent the different pads via different mechanisms (one via FedEx, one via secure courier, one via your best friend)? Unless *all* were compromised, the combined key would still be secure. As for PKI being secure for 20,000 years, it sure as hell won't be if those million-qubit prototypes turn out to be worth their salt. Think more like 5-10 years. In fact, just about everything except for OTP solutions will be totally, totally fucked. Which means that you should start thinking about using OTP *now* if you have secrets you'd like to keep past when an adversary of yours might have access to a quantum computer. I'd put 50 years as an upper bound on that, 5 years as a lower. -d - Original Message - From: "David Howe" <[EMAIL PROTECTED]> To: "Email List: Cypherpunks" <[EMAIL PROTECTED]> Sent: Wednesday, October 16, 2002 7:52 AM Subject: Re: One time pads > at Wednesday, October 16, 2002 2:01 PM, Sarad AV > <[EMAIL PROTECTED]> was seen to say: > > Though it has a large key length greater than or equal > > to the plain text,why would it be insecure if we can > > use a good pseudo random number generators,store the > > bits produced on a taper proof medium. > because you have replaced a OTP (provably secure) with a PRNG stream > cypher (only as secure as the PRNG). he isn't saying that stream cyphers > can't be secure - just that they aren't OTP. > There is also no point in distributing the output of a PRNG as a > tamperproof tape - you just run the PRNG at both sides, in sync. > if you use a *real* RNG, then you can do the tape disribution thing and > it *will* be a OTP - but its the tape distribution that is the difficult > bit (as he points out in the article) > > > why do we always have to rely on the internet for > > sending the pad?If it is physically carried to the > > receiver we can say for sure if P or R is intercepted. > two obvious points are > 1. it isn't aways possible to ensure secure delivery - if a courier is > compromised or "falls asleep" and the tape is substituted with another, > a mitm attack can be made transparently. > 2. if the parties are physically remote, they may not have time to > exchange tapes securely; unless there is a airplane link directly or > indirectly between the sites, it may be days or weeks in transit. > > > can some one answer the issues involved that one time > > pads is not a good choice. > OTP is the best choice for something that must be secret for all time, > no matter what the expense. > anything that "secure for 20,000 years" will be sufficient for, go for > PKI instead :)
Re: One time pads
at Wednesday, October 16, 2002 2:01 PM, Sarad AV <[EMAIL PROTECTED]> was seen to say: > Though it has a large key length greater than or equal > to the plain text,why would it be insecure if we can > use a good pseudo random number generators,store the > bits produced on a taper proof medium. because you have replaced a OTP (provably secure) with a PRNG stream cypher (only as secure as the PRNG). he isn't saying that stream cyphers can't be secure - just that they aren't OTP. There is also no point in distributing the output of a PRNG as a tamperproof tape - you just run the PRNG at both sides, in sync. if you use a *real* RNG, then you can do the tape disribution thing and it *will* be a OTP - but its the tape distribution that is the difficult bit (as he points out in the article) > why do we always have to rely on the internet for > sending the pad?If it is physically carried to the > receiver we can say for sure if P or R is intercepted. two obvious points are 1. it isn't aways possible to ensure secure delivery - if a courier is compromised or "falls asleep" and the tape is substituted with another, a mitm attack can be made transparently. 2. if the parties are physically remote, they may not have time to exchange tapes securely; unless there is a airplane link directly or indirectly between the sites, it may be days or weeks in transit. > can some one answer the issues involved that one time > pads is not a good choice. OTP is the best choice for something that must be secret for all time, no matter what the expense. anything that "secure for 20,000 years" will be sufficient for, go for PKI instead :)
Re: UK Censors, Shayler, Bin Laden
at Saturday, October 12, 2002 2:01 AM, Steve Furlong <[EMAIL PROTECTED]> was seen to say: > On Thursday 10 October 2002 13:13, Tim May wrote: > There are two advantages of web-based discussion fora over usenet: > propagation time and firewalls. Not sure about that - propagation time is a issue of course, but a web interface to nntp isn't that hard (dejanews offered it for years) and the propagation issue is "fixed" only by limiting the web forum to a single server or local cluster of servers - if you were setting up a web-based interface anyhow, you could get all the benefits of a single server node while not preventing users not using the web interface from participating. yes, NNTP submissions from other usenet servers might take a while to propagate to the "Master" server (or vice versa) but that wouldnt' affect the web interface users amongst themselves or indeed, anyone using nntp directly to that server. > On the other hand, few discussions are > so urgent that they need near-real-time reparte, and participants > shouldn't be cruising usenet from work. depends on the forum. there are groups I *only* read at work - technical ones of course, related to my job. Usenet is a resource, and at times a good one (provided you can live with the low signal-to-noise ratio). >> More generally, I've been watching the migration of many discussion >> groups over to "Web-based forums" (or fora). Usually the migration >> does not improve the discussion...it just puts dancing ads and cruft >> all over the pages. probably more to the point - *profit-making* dancing ads. > Something like...Google? You can't count on their sweep schedule, but > it does most of what you're looking for. deja-google is ok, but a lot of the more interesting threads include x-no-archive headers (which google respects, and rightly so) somewhere in them, so you have gaps...
Re: Echelon-like...
"Trei, Peter" <[EMAIL PROTECTED]> wrote: > It was Sweden. They didn't really have an excuse - over a year earlier, > Lotus announced their "International" version with details of the "Work > Factor Reduction Field" at the RSA Conference. I immediately invented > the term 'espionage enabled' to describe this feature, a term which has > entered the crypto lexicon. Indeed so, yes - If my memory isn't failing me though, their "excuse" was that the lotus salesdroid they had awarded the contract to hadn't disclosed it to them in his bid and in fact, the original tender had specified *secure* encryption, not *secure, except for the american spy industry*. I don't know enough sweedish to even attempt a google on it though :)
Re: Echelon-like...
On Wednesday, October 9, 2002, at 07:28 PM, anonimo arancio wrote: > The basic argument is that, if good encryption is available overseas > or easily downloadable, it doesn't make sense to make export of it > illegal. Nope. The biggest name in software right now is Microsoft, who wasn't willing to face down the government on this. no export version of a Microsoft product had decent crypto while the export regulations were in force - and the situation is pretty poor even now. If microsoft were free to compete in this area (and lotus, of notes fame) then decent security *built into* the operating system, the desktop document suite or the email package - and life would get a lot, lot worse for the spooks. I assume everyone knows the little arrangement that lotus reached with the NSA over its encrypted secure email?
Re: Echelon-like...
>> "I assume everyone knows the little arrangement that lotus >> reached with the NSA over its encrypted secure email?" > I'm new here, so do tell if I am wrong. Are you referring to the two levels > of Encryption available in Bogus Notes? More or less, yes. Lotus knew nobody would buy a 40 bit version of their crypto, so there is a two-level encryption all right, but not along those lines - in the export version, some of the session key is encrypted using a PKI "work reduction factor" key in the message header; this section of header is important, as lotus gateways won't accept messages that have had it disturbed. by decoding this block, the NSA have the actual keysize they need to block reduced to the legal export level of 40 bits; one government found this out *after* rolling it out to all their billing and contract negotiation departments... belgum or sweden by memory . Lotus thought it would be ok if only the NSA (and other US government orgs) could break the key, rather than letting everyone have an equal chance (and indeed, letting their customers know their crypto was still only 40 bit vs USA intel agencies) Still, even the domestic version was only 64 bits, which is painfully small even by the standards of the day. certainly, even "strong" lotus could have been crackable by the NSA, who after all own their own fab plant to make custom VLSI cracking chips.
Re: Optimal solution
> In the case of algorithms is the best algorithm always > the best solution to the problem,be the algorithm with > a constant run time or randomised algorithm. > i.e is the best solution always the optimal solution > for a problem. > how can we argue -either way? There is a field of mathematics (Algorithmics) dedicated to this question. I would try and answer, but I don't understand it well enough, and in any case it is a year-long course :)
Re: why bother signing? (was Re: What email encryption is actually in use?)
at Friday, October 04, 2002 9:07 PM, Major Variola (ret) <[EMAIL PROTECTED]> was seen to say: > In an environment where spoofing was common, folks would > sign (which is not incompatible with retaining anonymity, of course). It *is* possible to sign in the name of a nym; there is no reason why a nym can't build an independent reputation without having a known "handler"
Re: What email encryption is actually in use?
at Wednesday, October 02, 2002 3:13 AM, Peter Gutmann <[EMAIL PROTECTED]> was seen to say: > As opposed to more conventional encryption, where you're protecting > nothing at any point along the chain, because 99.99% of the user base > can't/won't use it. That is a different problem. if you assume that relying on every hop between you and your correspondent to be protected by TLS *and* the owner of that server to be trustworthy (not only in the normal sense, but resistant to legal pressure, warrants from LEAs and financial "incentives" from your competitors) then you are in for a rude awakening at some point. S/Mime isn't wonderful, but it is built-in to the M$oft email packages and you can trivially generate a key *for* your correspondents to be delivered to them out-of-band. installing is double-clicking a file, and decryption automatic. More security aware users will obviously want their own, a key from a recognised CA or prefer pgp, but that is upgrades to the basic security you can provide by five minutes work with a copy of OpenSSL. > In any case most email is point-to-point, which > means you are protecting the entire chain (that is, if I send you > mail it may go through a few internal machines here or there, but > once it hits the WAN it's straight from my gateway to yours). Depends on the setup. Few home users can afford always-up connections, and most dialup ranges are blocked from direct delivery anyhow. the typical chain goes Sender-->Sender's ISP-->Recipient's ISP-->Mailspool-->Recipient for a corporate user, a typical chain might go Sender-->sender's internal email system-->sender's outbound gateway-->recipient's firewall-->recipients inbound gateway-->recipient's email system-->recipient assuming *everyone* at both companies is trustworthy (or IT is on the ball and preventing sniffers from running on their lans; I will pause while everyone laughs and then drafts replies pointing out that is impossible) then you can get away with TLS-protecting just the link gateway-->firewall. Yes, crypto should be transparent and enabled *by default* in those M$ corporate products; no, the US government wasn't (and still isn't even under the more relaxed regime) willing to wear on-by-default unbreakable, easy crypto in mass-market products.
Re: What email encryption is actually in use?
-BEGIN PGP SIGNED MESSAGE- at Tuesday, October 01, 2002 9:04 PM, Petro <[EMAIL PROTECTED]> was seen to say: > Well, it's a start. Every mail server (except mx1 and > mx2.prserv.net) should use TLS. Its nice in theory, but in practice look how long it takes the bulk of the internet to install urgent patches - how long is it going to take to get people to install an upgrade to privacy that actually causes more problems for them? Besides the core here is that 1) everyone with a server enroute can read the mail 2) you are relying on every other link in the chain to protect your privacy clientside crypto fixes both these problems, reduces the total crypto load on the chain (encryption/decryption is only ever done once) and allows use of digital signatures. > Once you start using it, it becomes part of hte pattern by wich > other people identify you. Exactly the intention, yes :) Just for the sake of it (anyone who cares will have seen my signature enough times by now) I will sign this one :) -BEGIN PGP SIGNATURE- Version: PGP - Cyber-Knights Templar iQIVAwUBPZqzpWDKt9Hjj5SVAQFlwA//cQYGFRb3sJEM695lWJ+rUhymcS5lTSEV vG3eRUvxpbhLcAS+QsdMXX3pDlu60UzOhxubpQch9E59yE/+uaeU+5AzkfDQjc2q jQ8SppCqf56+uevoZlH1RiKkBT6Hx7ctPimEIlq3FXWsaqA3ocPVghZwFhMaxA1G twCtBxR7Q3y6VePzCzeealx7TDgcoS7hoBKNTsueAIWd/9xB9JYjFvS8OecOMdZG B+yvSLHZn1YJG62JfZ8EWXr1xKh5BZxdRVxLVzhaumtyAFr2hCDQffDiz5UtyGSa JdMoJAzmZZZ5EvcHc0rMDVs5BiDr5/EaSU+xecPz/YxY4BWxGFprqsRi7IapTkb1 26zgJQ4miGylFlmZM30cxKYudi5PdSJ4VUWpuoHRg9clZlH9KzC7f0suYAnACDXC bzr5Fgp3+bvRnziMD65NT4G1hxA5pYPl+4IudVSKcaMsHLWSTE8Lnf0US283MdeR VXKbINvyEr0p0zrl7lVmHZbmuLjdUHrgAoyQEKcaMelE+Q8suXynDYtSV7LCfdAE CjKBz2RxAiNhi1vAq6NuFOMx+R9c23Sxg2uUUbpYeRbl5fPbjamDzIhK2ccNNmpU euuWj3O9e6YMtW0KPezYbJ/9fMMkOAv3KnfdeAgcjSnipMqVvqgJ4sWil3gfUADY X0TKznTghWs= =3uOF -END PGP SIGNATURE-
Re: What email encryption is actually in use?
at Tuesday, October 01, 2002 6:10 PM, James A. Donald <[EMAIL PROTECTED]> was seen to say: > Not so. It turns out the command line is now different in PGP > 6.5.8. It is now pgp -sta to clearsign, instead of pgp -sa. > (Needless to say the t option does not appear in pgp -h *nods* its in the 6.5 Command Line Guide, but as "identifies the input file as a text file" The CLG is the best reference for this though - as it explictly lists sta as the correct option in section Ch2>Common PGP Functions>Signing Messages>Sign a plaintext ASCII file. I could email you a copy of the PDF of that (its about 500K) if you wish. > The clearsigning now seems to work a lot better than I recall > the clearsigning working in pgp 2.6.2. They now do some > canonicalization, or perhaps they guess lots of variants until > one checks out. its canonicalization - again according to the CLG (CH3>Sending ASCII text files to different machine environments) > Perhaps they hid the clear signing because it used not to work, > but having fixed it they failed to unhide it? its just an evolution. IIRC the command line tool was based at least partially on the unix version of pgp, which always had different command line switches. It would be nice if behaviour was more backwards compatable, but they *did* document it in the official M that you should RTF :)
Re: What email encryption is actually in use?
-BEGIN PGP SIGNED MESSAGE- at Tuesday, October 01, 2002 9:04 PM, Petro <[EMAIL PROTECTED]> was seen to say: > Well, it's a start. Every mail server (except mx1 and > mx2.prserv.net) should use TLS. Its nice in theory, but in practice look how long it takes the bulk of the internet to install urgent patches - how long is it going to take to get people to install an upgrade to privacy that actually causes more problems for them? Besides the core here is that 1) everyone with a server enroute can read the mail 2) you are relying on every other link in the chain to protect your privacy clientside crypto fixes both these problems, reduces the total crypto load on the chain (encryption/decryption is only ever done once) and allows use of digital signatures. > Once you start using it, it becomes part of hte pattern by wich > other people identify you. Exactly the intention, yes :) Just for the sake of it (anyone who cares will have seen my signature enough times by now) I will sign this one :) -BEGIN PGP SIGNATURE- Version: PGP - Cyber-Knights Templar iQIVAwUBPZrB22DKt9Hjj5SVAQF3eBAAh8RK5LgLIPv8JhBwX6kdj2x0c6NsrtdA xiH45Zb+bCNO07ac07n+qyKRZ5UiTGjekjQXjnSOczDFUgCyUymexqif7SnDZ04P S/55rQ31wfUWNRVrO/ULjdq4TVYHMsAUFKhrYgwvYyqJNOg2C+sBwgNsLM3gedm2 R0KRY6pO/wqpVsvki3c27h7wszfvCkmsRrqtuKTwktm23XdbmAs+21YWbThbqc3Y r1gtmH8QrJuUzhPXfE/L104reFo5yi2BMuY/ac1G7uXNc+6yAhy61q4z0v17OMcS glEASE0AO+XrtYFfq/3VXk1SN5S3x44GazHvKo9NgqpJn8pvoNq9TsXhXIa9c1/u hchVahwsuZ6rooMxur8ekLP86zTn8mfI+lFKd1n+LuFzcVbzezzKRH3PM+TjDMTF p0TzHsrDOeUkrYJ2ImznpJ1019oDPBVvDCwRyCqOeLZ9MvARTXLtO9gwjt1NAh2E h7WBYhQyMdlKeUMh6mUwIG7DOoitOnf/mQkmQWybPK7NT2tOhx9uHEWE92iWUxc+ AQF4UywdSvFpTskVBkQIQESsYWGs92A350zEapogB2+cDJxytqtRDN2mLGG6tPPt u+60lj65OQUdc0D91e2W3yif9mF7ul3aztt2Ca5qziyMRVwnoceSwbejDyr1fZLO 8MgGBffIDis= =jz44 -END PGP SIGNATURE- resent - with broken line wrap fixed. damned lousy MS email client :) Next time I *check* first before sending and don't look so clueless in a worldwide list :)
Re: What email encryption is actually in use?
at Tuesday, October 01, 2002 3:08 AM, Peter Gutmann <[EMAIL PROTECTED]> was seen to say: > For encryption, STARTTLS, which protects more mail than all other > email encryption technology combined. See > http://www.cs.auckland.ac.nz/~pgut001/pubs/usenix02_slides.pdf > (towards the back). I would dispute that - not that it isn't used and useful, but unless you are handing off directly to the "home" machine of the end user (or his direct spool) odds are good that the packet will be sent unencrypted somewhere along its journey. with TLS you are basically protecting a single link of a transmission chain, with no control over the rest of the chain. > For signing, nothing. The S/MIME list debated having posts to the > list signed, and decided against it: If I know you, I can recognise a > message from you whether it's signed or not. Signing has a limited application - I wouldn't use it routinely other than to establish an association (key-->poster) early in a conversation, and then omit it except for things whose source *I* would want verified if I was receiving it. It is unusual for me to use a sig outside of encrypt+sign. > If I don't know you, > whether it's signed or not is irrelevant. Depends on the definition of "know". If a poster had a regular habit of posting at least one signed message every week, and had never protested that the sigs were faked, then you could assume that the poster whose sig just cleared is the same as the poster who has been posting for that time period - mapping that to any real-world individual is more problematic, but mostly you don't need to. There are plenty of people I only know online from email exchanges, and in some cases am not even sure what sex they are :)
Re: What email encryption is actually in use?
at Monday, September 30, 2002 7:52 PM, James A. Donald <[EMAIL PROTECTED]> was seen to say: > Is it practical for a particular group, for > example a corporation or a conspiracy, to whip up its own > damned root certificate, without buggering around with > verisign? (Of course fixing Microsoft's design errors is > never useful, since they will rebreak their products in new > ways that are more ingenious and harder to fix.) Yup. In fact, some IPSec firewalls rely on the corporate having a local CA root to issue keys for VPN access. from there it is only a small step to using the same (or parallel issued) keys for email security. The problem there really is that the keys will be flagged as faulty by anyone outside the group (and therefore without the root key already imported), and that will usually only work in a semi-rigid hierachical structure. There *is* an attempt to set up something resembling a Web of trust using x509 certificiates, currently in the early stages at nntp://news.securecomp.org/WebOfTrust > I intended to sign this using Network Associates command line > pgp, only to discover that pgp -sa file produced unintellible > gibberish, that could only be made sense of by pgp, so that no > one would be able to read it without first checking my > signature. you made a minor config error - you need to make sure clearsign is enabled. > I suggest that network associates should have hired me as UI > design manager, or failing, that, hired the dog from down the > street as UI design manager. It's command line. Most cyphergeeks like command line tools powerful and cryptic :)
Re: thinkofthechildren.co.uk censored
at Thursday, September 26, 2002 7:14 PM, Major Variola (ret) <[EMAIL PROTECTED]> was seen to say: The original fax from the Met is now online http://www.thinkofthechildren.co.uk/metfaxbig.shtml
Re: Best Windows XP drive encryption program?
at Monday, September 23, 2002 10:35 PM, Curt Smith <[EMAIL PROTECTED]> was seen to say: > http://www.drivecrypt.com/dcplus.html > DriveCrypt Plus does everything you want. I believe it may > have descended from ScramDisk (Dave Barton's disk encryption > program). It has. Basically, the author of Scramdisk took the NT version, added some XP support, a couple of new algos and launched it as a commercial, closed source product. The boot-time protection was requested repeatedly on the SD usenet forum (with several good discussions of different approaches) and it wasn't much of a surprise that it turned up in the commercial product. Personally, I think it is excellent and completely trustworthy - I just won't use it on principle as I don't run closed-source crypto. I am sticking with my (purchased) copy of SD4NT for now on W2K, and waiting on the SD4Linux project to produce something usable for that boot partition.
Re: Best Windows XP drive encryption program?
at Monday, September 23, 2002 10:35 PM, Curt Smith <[EMAIL PROTECTED]> was seen to say: > http://www.drivecrypt.com/dcplus.html > DriveCrypt Plus does everything you want. I believe it may > have descended from ScramDisk (Dave Barton's disk encryption > program). As an aside - Dave Barton? Shaun Hollingworth was the author of SD as far as I know. I can't remember exactly, but seem to recall Dave Barton did a delphi wrapper around some of the SD function calls...
Re: Cryptogram: Palladium Only for DRM
AARG! Anonymous wrote: >Lucky Green wrote: >> In the interest of clarity, it probably should be mentioned that any >> claims Microsoft may make stating that Microsoft will not encrypt their >> software or software components when used with Palladium of course only >> applies to Microsoft [...] > >First, it is understood that Palladium hashes the secure portions of >the applications that run. [...] > >With that architecture, it would not work to do as some have proposed: >the program loads data into secure memory, decrypts it and jumps to it. >The hash would change depending on the data and the program would no >longer be running what it was supposed to. I think Lucky is right: Palladium does support encrypted programs. Imagine an interpreter interpreting data, where the data lives in the secure encrypted "vault" area. This has all the properties of encrypted code. In particular, the owner of the machine might not be able to inspect the code the machine is running. If you want a more concrete example, think of a JVM executing encrypted bytecodes, or a Perl interpreter running encrypted Perl scripts. For all practical purposes, this is encrypted software. Whether this scenario will become common is something we can only speculate on, but Palladium does support this scenario.
Re: Wolfram on randomness and RNGs
It would seem that while the bitstream generated by the center column of rule 30 might be a good random number source, its repeatability is the very thing that detracts from its usefulness in cryptographic application. An obviously poor application would be to have a "one time pad" where two parties would xor their plaintext with the bitstream produced by rule 30, starting at the top. While the resulting bitstream would appear random, an attacker with knowledge of the algorithm could just run rule 30 themselves and decode the result. To have cryptographically strong random numbers, one needs to have an *unreproducable* source of randomness -- the very thing that Wolfram seems to sneer at as being purely academic but that the above methodology makes clear. While a slightly modified approach of having both sides start at a secret row of rule 30 could be used, the key is now merely the row number; defeating the purpose. One interesting possibility might be to "seed" a wide row of rule 30 with bits gleamed from the environment; this would make it difficult to reproduce the bitstream without the bits representing the initial conditions, but without continuing to add bits to rows, the "bit strength" of the randomness is only the width of the seeded row (namely, if you're using 8 bits of randomness to seed rule 30, an attacker could brute force the 256 possibilities to find your random bitstream). The problem is, IMHO, exactly analogous to deriving randomness from irrational numbers, such as the digits of pi, e, or the square root of two; this just might be a slightly more efficient way to generate the bitstream. The point is, they're all very good sources of randomness, but the fact that their sequences are so well-defined keeps them from being a good source of secrecy; picking out which portions of the sequence to use end up becoming your secret and your sequence is truly only as unpredictable as this secret. In another sense, the sequence you're using is only as strong as its inputs. Just my $0.02; please bitchslap me if I got this wrong. David E. Weekly Founder & Executive Director California Community Colocation Project (an OPG project) http://CommunityColo.net/ - the world's first non-profit colo! - Original Message - From: "Steve Schear" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Friday, September 06, 2002 1:57 PM Subject: Wolfram on randomness and RNGs > Background > Stephen Wolfram's book, "A New Kind of Science," is nothing if not > interesting. This encyclopedia-sized volume traces how his fascination > with cellular automata, beginning in the 1970s, led him to spend decades > exploring the significance of complexity created from simple rules. > > I hope the following will not be too wordy and generate interest in the > cryptographic implications of his work. > > Intrinsic Generation of Randomness > In the chapter "Mechanisms and Programs in Nature," pp 297 - 361, he > presents his case that behavioral similarities between certain simple > programs and systems in nature are no coincidence but reflect a deep > correspondence. In this section he explores three mechanisms for > randomness: external input (noise) captured in so-called stochastic models, > those related to initial conditions (e.g., chaos theory), and those based > on the behavior of simple programs described in the book and which believes > are the most common in nature. > > Under the section "The Intrinsic Generation of Randomness" he presents > evidence for his third mechanism in which no random input from the outside > is needed, and in which the randomness is instead generated inside the > systems themselves. > > "When one says that something seems random, what one usually means in > practice is that one cannot see any regularities in it. So when we say that > a particular phenomenon in nature seems random, what we mean is that none > of our standard methods of analysis have succeeded in finding regularities > in it. To assess the randomness of a sequence produced by something like a > cellular automaton, therefore, what we must do is to apply to it the same > methods of analysis as we do to natural systems" > > ... some of these methods have been well codified in standard mathematics > and statistics, while others are effectively implicit in our processes of > visual and other perception. But the remarkable fact is that none of these > methods seem to reveal any real regularities whatsoever in the rule 30 > cellular automaton sequence. And thus, so far as one can tell, this > sequence is at least as random as anything we see in nature. > > But is it truly random? > > Over the past century or so, a variety of definitions of true randomness > have been pr
Re: Cryptographic privacy protection in TCPA
Nomen Nescio wrote: >Carl Ellison suggested an alternate way that TCPA could work to allow >for revoking virtualized TPMs without the privacy problems associated >with the present systems, and the technical problems of the elaborate >cryptographic methods. [...] >Instead of burning only one key into the TPM, burn several. Maybe even >a hundred. And let these keys be shared with other TPMs. Each TPM has >many keys, and each key has copies in many TPMs. > >Now let the TPMs use their various keys to identify themselves in >transactions on the net. Because each key belongs to many different >TPMs, and the set of TPMs varies for each key, this protects privacy. >Any given usage of a key can be narrowed down only to a large set of >TPMs that possess that key. One challenge is that, if I can interact with the same TPM many times and convince it to use a different signing key each time, I can learn its entire set of signing keys and thereby have a reliable identity marker. One way to convince a TPM to use a different key each time might be to present a different revocation list each time. It's not clear to me exactly how to defend against this sort of attack.
Re: responding to claims about TCPA
AARG! Anonymous wrote: >In fact, you are perfectly correct that Microsoft architectures would >make it easy at any time to implement DRL's or SNRL's. They could do >that tomorrow! They don't need TCPA. So why blame TCPA for this feature? The relevance should be obvious. Without TCPA/Palladium, application developers can try to build a Document Revocation List, but it will be easily circumvented by anyone with a clue. With TCPA/Palladium, application developers could build a Document Revocation List that could not be easily circumvented. Whether or not you think any application developer would ever create such a feature, I hope you can see how TCPA/Palladium increases the risks here. It enables Document Revocation Lists that can't be bypassed. That's a new development not feasible in today's world. To respond to your remark about bias: No, bringing up Document Revocation Lists has nothing to do with bias. It is only right to seek to understand the risks in advance. I don't understand why you seem to insinuate that bringing up the topic of Document Revocation Lists is an indication of bias. I sincerely hope that I misunderstood you.
Re: Thanks, Lucky, for helping to kill gnutella (fwd)
R. A. Hettinga wrote: >[Ob Cypherpunks: Seriously, folks. How clueful can someone be who >clearly doesn't know how to use more than one remailer hop, as proven >by the fact that he's always coming out of the *same* remailer all >the time? I hope I don't need to point out that always using the same exit remailer does *not* prove that he is using just one hop. One can hold the exit remailer fixed while varying other hops in the path. Your question seems to be based on a mistaken assumption about how remailers work.
Re: dangers of TCPA/palladium
Ben Laurie wrote: >Mike Rosing wrote: >> The purpose of TCPA as spec'ed is to remove my control and >> make the platform "trusted" to one entity. That entity has the master >> key to the TPM. >> >> Now, if the spec says I can install my own key into the TPM, then yes, >> it is a very useful tool. > >Although the outcome _may_ be like this, your understanding of the TPM >is seriously flawed - it doesn't prevent your from running whatever you >want, but what it does do is allow a remote machine to confirm what you >have chosen to run. > >It helps to argue from a correct starting point. I don't understand your objection. It doesn't look to me like Rosing said anything incorrect. Did I miss something? It doesn't look like he ever claimed that TCPA directly prevents one from running what you want to; rather, he claimed that its purpose (or effect) is to reduce his control, to the benefit of others. His claims appear to be accurate, according to the best information I've seen.
Re: Seth on TCPA at Defcon/Usenix
AARG! Anonymous wrote: >His description of how the Document Revocation List could work is >interesting as well. Basically you would have to connect to a server >every time you wanted to read a document, in order to download a key >to unlock it. Then if "someone" decided that the document needed >to un-exist, they would arrange for the server no longer to download >that key, and the document would effectively be deleted, everywhere. Well, sure. It's certainly how I had always envisioned one might build a secure Document Revocation List using TCPA or Palladium. I didn't realize this sort of thing would need explaining; I assumed it would be obvious to cypherpunk types. But I'm glad this risk is now clear. Note also that Document Revocation List functionality could arise without any intent to create it. Application developers might implement this "connect to a server" feature to enforce some seemingly innocuous function, like enforcing software licenses and preventing piracy. Then, after the application has been deployed with this innocuous feature, someone else might eventually notice that it could also be used for document revocation. Thus, Document Revocation List functionality could easily become widespread without anyone realizing it or intending it. This is a risk we should make think about now, rather than after it is too late.
Re: Challenge to TCPA/Palladium detractors
> Same version of compiler on same source using same build produces > identical binaries. It doesn't though - that is the point. I am not sure if it is simply that there are timestamps in the final executable, but Visual C (to give a common example, as that is what the windows PGP builds compile with) will not give an identical binary, even if you hit "rebuild all" twice in close succession and compare the two outputs, nothing having changed.
Re: Challenge to David Wagner on TCPA
Jon Callas wrote: > On 8/1/02 1:14 PM, "Trei, Peter" <[EMAIL PROTECTED]> wrote: > > >>So my question is: What is your reason for shielding your identity? >>You do so at the cost of people assuming the worst about your >>motives. > > > Is this a tacit way to suggest that the only people who need anonymity or > pseudonymity are those with something to hide? >
