>Is making an SSL connection creating a VPN? It's really not much
>different in an abstract sense. Most applications are using browsers
I've been saying for some time that we need a IP-over-SSL tunneling
protocol standard. ISPs would *never* dare block TCP port 443, since
as we all know the onl
>Sounds like some interested parties should take some GPS gear and some
>radio receiving and test gear to one of the spots where the millatree
>is warning airmen that "for the next two weeks, GPS doesn't work
>here", and see just what sort of jamming they are using...
A good idea, but I note that
>To decrease the jamming power required (this -is- spread spectrum,
>after all), it's helpful to have your jammer hop the same way your
>receiver will be hopping. This is pretty easy to do, since your
>jammer can trivially figure out the hops by observing the satellites
>you can see. Note also t
>As for RAIM, my Garmin GNS430 (spiffy aviation GPS) has RAIM. Luckily
>I've never actually seen the RAIM warning flag. My understanding of
>RAIM matches what's been said before, position information is
>heuristically computed and when an anomalous position/speed occurs,
>the flag is raised. Su
>There is a CRC or something similar on the C/A code, and this is all
>publicly documented. I'm quite sure there is nothing that would
>qualify as 'authentication' in any strong sense. One of the
It's actually a Hamming code. But yes, it it used only for error detection, and
does not qualify as
>If I were worried about integrity of timing signals, I'd use a
>GPS-disciplined rubidium oscillator. I think most of the available
>devices like this are not quite as concerned with integrity as phase
>noise reduction in the normal case, so some tweaking of the
These are actually quite common i
As you say, there are two coded GPS signal streams: C/A (Clear/Access
or Coarse/Acquision, depending on the reference) and P
(Precision). These are in turn placed on two L-band RF frequencies, L1
and L2.
The C/A and P signal structures are fully documented in the open
literature. See:
http://www
>Judge Kaplan aims at settling the code as expression
>dispute, citing Bernstein, Karn and Junger cases, and
>the First Amendment loses to Copyright and DMCA Acts.
This is one of the sloppiest and misinformed judicial opinions I've
read in a long time. E.g., he states that copyright infringement
>There have been over 26,000 downloads and they are now going out at
>600 per hour.
I hope you're keeping only the total counts, not the detailed access logs.
Phil
>NEC's system creates a intermediate key of several thousand bits in
>length from the master key, and that serves as the base for the
>encryption process. [...]
Can anybody say "key schedule generation"?
Phil
So it appears that there is now a significant difference in the
treatment of source code and object code, even object code compiled
from open source already on the net. Am I correct?
If so, this could complicate the wholesale incorporation of crypto
libraries and applications as packages (e.g., .
>>"a.4. Specially designed or modified to reduce the compromising
>>emanations of information-bearing signals beyond what is necessary
>>for the health, safety or electromagnetic interference standards;"
>So, who gets to say what's a standard?
>Some people's standards are higher than the gover
Pursuant to 15 CFR Part 734, as revised on January 14, 2000, notice is
hereby given that files including freely-available (open source)
source code for cryptographic functions is being published on the
World Wide Web at URL
http://people.qualcomm.com/karn/code/des/index.html
Phil Karn
>Apache 2.0 has general programming hooks that are sufficient for adding
>crypto.
And so does the UNIX shell:
tar cf - . | ssh -C foo 'tar xvf -'
Dunno how far they tried to control this even under the old regs.
Phil
Okay, I've read the latest version of the regs. As usual, they're long and
confusing, with exceptions to the exceptions to the exceptions. But
several things seem to stand out.
1. You can export pretty much anything to anyone but a foreign
government or to the seven pariah countries (Libya, Iraq,
>No, October 28, 2000 is when the act of circumventing an effective
>technological measure becomes a violation (with exceptions for fair
But if it was an "effective technological measure", it couldn't have
been circumvented. And by circumventing CSS, wasn't it shown to not be
an effective technol
Yet another illustration of how true security can only be provided by
the users themselves on an end-to-end basis. Saltzer, Reed & Clark
(authors of "End-to-End Arguments in Systems Design") have been proven
right yet again. So has Machiavelli, author of "The Prince".
The necessary hook for CDMA
>http://www.zixmail.com/ZixFAQ/index.html#4
>claims that a 3DES email security procuct has been approved for export.
>Is there something about the security of this system that is compromised?
That's because it implements key recovery. They don't stress that fact,
but it's there if you dig.
Phil
>I recognize that this issue is controversial, unless we address
>this situation, use of the Internet to distribute encryption products
>will render Wassenaar's controls immaterial."
Gee, I thought Reinsch said it didn't matter that encryption software
was distributed on the Internet because no
I worked on cryptanalyzing A5-1 several years ago. I built a
tree-based search routine that could retire many keys in each test
cycle. The exact number per cycle varied enormously depending on how
far into the tree I was when I found a conflict with the keystream
that would let me prune the branch
>I agree. There -is- a little nit in that they seem to conflate
>"low-level", "assembly language", and "machine code" as all being
>exactly the same thing, with the implicit presumption that humans
>never read or write assembly language and that only a "high-level"
>language like C or Lisp might
I just read the opinion. These judges actually *got* it! Or at least
two of them did, judges Bright and Fletcher. There's some marvelous
stuff in their opinion, such as the observation that Bernstein's code
had more than a little political expression to it since by showing how
to turn a hash funct
>sniffible, none of my passwords were. I happen to be one of the lucky
>few who has made it through the politics of large companies to "open
>up the firewall". Yes, corporate IT people see something even as
>secure as SSH as 'opening the firewall'.
>Clearly we need to teach the MIS/IT personnel
>...And of course nobody has compromised any of the ssh binaries on the
>workstations...
Workstations? What workstations? Anybody serious about security brings
their own laptops. And then they worry about them being tampered with
by the hotel custodial staff.
Laptops are also easier to lug into
Actually, things are getting much better in the IETF terminal rooms.
SSH is now *very* widely used, with encrypted Telnet and IPSEC
trailing well behind.
Phil
I don't specfically know about MAE-West, but there are any number of
attacks on ISPs that involved setting up password sniffers on major
transit Ethernets.
Phil
Judge Oberdorfer has granted our request for discovery and a hearing
in my long-running court case challenging the crypto export
controls. Read the judge's ruling:
http://people.qualcomm.com/karn/export/lbo_ruling.html
Other material on my case is available under
http://people.qualcomm.com/karn
>I f I recall correctly, the US Patent and Trademark Office has said that it
>would not consider information placed on the Internet to be published for
>patent purposes. Preparoing papers for journals or conferences is a pain,
Is this really true? I thought I had heard the opposite, but I'm not s
>I've always wanted to set up some secret-sharing filesystem where
>you have to download multiple "shares" to reconstruct the data.
>But other combinations of those exact same shares give other data.
I've also been toying with this idea for a few years. Throw in
Reed-Solomon code, and you can mak
>Take disk files as an example. Hashing files (ignoring the name)
>would be a saner way to discover whether you have duplicate files on your
>disk than to compare every file with every other.
I actually played with this many years ago when I wrote a utility
to traverse a UNIX file system looking
30 matches
Mail list logo