Re: Steganography and musical scores?
(resent) At 11:44 AM 6/13/03 -0400, Peter Wayner wrote: At 9:27 AM +0200 6/13/03, Thomas Shaddack wrote: See also something about computer-generated music: http://brainop.media.mit.edu/online/net-music/net-instrument/Thesis.html I'm told someone is trying to encode information by ordering the musical notes played in a chord with a Midi synthesizer. It's possible to hide information in the order of a set using a technique like this: http://www.wayner.org/books/discrypt2/sorted.php That's cute --there's no acoustic difference. There are also methods which produce nearly imperceptible differences --you can adjust the millisecond-scale timings, or the dynamics. Since these will vary with each performer's rendition anyway, they're fairly stealthy.
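An added example, not Wayner's code and not from the linked thesis, of the ordering trick as applied to a chord: the six-note chord and its note names are constructed for the demo, and the value-to-order mapping uses the factorial number system (one of several ways to rank permutations).

```c
#include <string.h>

/* Constructed example: a six-note chord. 6! = 720 orderings, so one
 * chord carries floor(log2 720) = 9 bits with no change to the sound. */
#define NOTES 6
static const char *CHORD[NOTES] = {"C4", "E4", "G4", "B4", "D5", "F5"};

/* Map a value 0 <= k < 720 to a playing order (indices into CHORD), using the
 * factorial number system: the i-th digit picks from the notes still unused. */
void order_from_value(unsigned k, unsigned char order[NOTES]) {
    unsigned char pool[NOTES];
    unsigned left = NOTES, f = 1;
    for (unsigned i = 0; i < NOTES; i++) pool[i] = (unsigned char)i;
    for (unsigned i = 2; i < NOTES; i++) f *= i;              /* f = (NOTES-1)! */
    for (unsigned i = 0; i < NOTES; i++) {
        unsigned idx = k / f;  k %= f;
        order[i] = pool[idx];
        memmove(&pool[idx], &pool[idx + 1], left - idx - 1);  /* drop the used note */
        if (--left) f /= left;
    }
}

/* Inverse: recover the hidden value from the order the notes were played in.
 * A receiver only needs the agreed canonical note list; there is no key, so
 * anyone who knows the scheme can read the channel. */
unsigned value_from_order(const unsigned char order[NOTES]) {
    unsigned char pool[NOTES];
    unsigned left = NOTES, f = 1, k = 0;
    for (unsigned i = 0; i < NOTES; i++) pool[i] = (unsigned char)i;
    for (unsigned i = 2; i < NOTES; i++) f *= i;
    for (unsigned i = 0; i < NOTES; i++) {
        unsigned idx = 0;
        while (pool[idx] != order[i]) idx++;               /* position among unused notes */
        k += idx * f;
        memmove(&pool[idx], &pool[idx + 1], left - idx - 1);
        if (--left) f /= left;
    }
    return k;
}

/* Name of the note at a position, for printing or MIDI scheduling. */
const char *note_name(unsigned char idx) { return CHORD[idx]; }
```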
Re: An attack on paypal
At 03:39 PM 6/10/03 -0700, Bill Frantz wrote: At 5:12 PM -0700 6/8/03, Anne Lynn Wheeler wrote: somebody (else) commented (in the thread) that anybody that currently (still) writes code resulting in buffer overflow exploit maybe should be thrown in jail. Not a very friendly bug-submission mechanism :-) IMHO, the problem is that the C language is just too error prone to be used for most software. In Thirty Years Later: Lessons from the Multics Security Evaluation, Paul A. Karger and Roger R. Schell www.acsac.org/2002/papers/classic-multics.pdf credit the use of PL/I for the lack of buffer overruns in Multics. However, in the Unix/Linux/PC/Mac world, a successor language has not yet appeared. What about Java? Apart from implementation bugs, it's secure by design. --- and then you go to jail is a bad error-handler for a protocol.
[Brinworld] Neighbor's surveillance camera?
Authorities said they were considering the possibility that a second person might have been involved in the abduction, based on video from a neighbor's surveillance camera. http://www.cnn.com/2003/US/West/06/09/california.abduction/index.html
Re: SIGINT planes vs. radioisotope mapping
At 10:23 AM 6/6/03 -0700, Tim May wrote: I certainly never implied in any way that a simple G-M tube would be useful for this. Implicit in my radioisotope mapping comment was that a gamma ray spectrometer would be used. And note that this is just what can be easily bought on the open market...N.E.S.T. (Nuclear Emergency Search Team) and similar LEO people almost certainly have more miniaturized detector setups. Indeed, there is a group of GeigerCounterEnthusiasts on Yahoo whose members have/make this kind of thing. You use scintillation plastic photomultiplier tubes; you can get these on eBay. Sometimes they mount their detectors in cars and find that some sections of roads are hotter than background, or a hot railroad car. For this I used a pair of large sodium iodide crystals which also show up on eBay mode that resulted in a pair of gammas sent out in opposite directions. Also the principle behind PET scans. Mr. positron meets Ms. electron, and bang, two little Gammas carry the momentum away... GM tubes use avalanche to amplify; the scintillators, NaI, semiconductor junctions measure analogue energy, so you get an energy spectrum. Add a few comparators and a logic gate and you get a channel. .. Pierre Curie didn't die from radiation poisoning, he was hit by a horse drawn cart
You bought it, Who controls it? [TR Article]
article by Edward Tenner, Technology Review, June 2003 p61-64 Also an article on deceit detector p67-69 about using IR reflectivity of your frontal lobes to detect deceit. Sort of a polygraph on steroids. (sorry, only cites, not URLs this time)
1st amend applies to video games
A federal appeals court panel has struck down a law that restricted children's access to violent video games, giving the software the same free-speech protection as that for works of art. A panel of the 8th Circuit Court of Appeals ruled Tuesday that a St. Louis County, Mo., ordinance that bans the rentals or sales of graphically violent video games to minors violates free-speech rights. In doing so, the panel reversed a ruling by the U.S. District Court for the Eastern District of Missouri and ordered the lower court to craft an injunction that would prohibit the ordinance from taking effect. In Tuesday's ruling, the panel decided that if the paintings of Jackson Pollock, the music of Arnold Schoenberg and the Jabberwocky verse of Lewis Carroll are protected by the First Amendment, then video games should be, too. http://news.com.com/2100-1043_3-1012882.html?tag=lh
Re: SIGINT planes vs. radioisotope mapping
At 05:28 PM 6/3/03 -0700, Tim May wrote: Possibly for construction of baseline maps of existing radioisotopes in university labs, hospitals, and private facilities. Then deviations from baseline maps could be identified and inspected in more detail with ground-based vans and black bag ops. Good call. I wonder if folks getting PET scans will have to kick back longer in the waiting areas lest they be snatched by delta teams... hopefully the .mils can distinguish Tc99 et al from other 'topes.. similarly with mobile industrial inspection rigs --except that they have the good stuff a RD gadget-maker would want. Maybe GPS + IFF beacons will be added to those. --- SAFETY RULES FOR US STRATEGIC BOMBERS 5.1. Don't use nuclear weapons to troubleshoot faults. http://cryptome.org/afi91-111.htm
Typical PGP user mistakes
I recall reading at least one study of learning PGP and its UI. I have had the chance to observe half a dozen (albeit, smarter than normal) others' (mostly engineers) learning curves. All are using PGP 7.03 and Eudora 3.05. We are not using public key servers. Mistakes include: * neglecting to encrypt to an intended recipient's key * encrypting to self (only) * not encrypting to self, requiring a recipient to send it back to you * accidentally multiply encrypting a message (ie, you encrypt the encrypted ASCII) Problems also include not being able to rename the email address associated with a key, leading to some recipients being recognized and encrypted to, others not. Also errors if there are spaces added to the PGP ASCII block. Yes, there are checkbox-features and PGP Groups and sufficient GUI feedback such that these mistakes are not the tool's fault. And I/we appreciate these features and overall excellent design. Yet there are also people who enjoy studying UI design, cognition, learning, etc. and perhaps these anecdotal observations would be useful. After all, Enigma was broken by exploiting the man-machine interface. No one new to any tool should be using it for life-critical apps before competent. The above mistakes are more self-inflicted denial-of-service problems than tool weaknesses. In fact, one group member accidentally sent email to a random user in the sender's ISP (because of the sender's Eudora-alias not matching the alias he typed in the To: field). This didn't matter because the content was encrypted. You often put locks on things (cars, homes, throwaway email accounts) to protect against benign, accidental intrusions, even if the lock is easily defeated/circumvented. We just happened to be using a strong lock, endorsed by the Red Brigade :-) --- Pierre Curie didn't die from radiation poisoning, he was hit by a horse drawn cart
Re: PGP Encryption Proves Powerful
At 11:18 AM 6/1/03 -0400, Ian Grigg wrote: There is a reason that the AK47 is the weapon of choice: it is an extraordinarily simple weapon. Training is probably about half the requirements of say the M16. That makes a difference, much more so than, say, the increased accuracy of the M16! Got evidence? The benefits of the AK involve the *weapon's* robustness, not its user interface. Also, a 7.62 beats a 5+change mm any day. Psychologically, it makes us unhappy to realise that the 911 attackers were actually quite simple, so we don't. We build up Osama bin Laden to be a mastermind, a sort of James Bond-qualified evil guy who constructs plans of insidious cunning. OBL is at least 2 standard deviations smarter than Bush, and probably one more than Rummy too. Thinking otherwise is buying into the madman propaganda. All this is a long winded way of saying your average terrorist is much more like your grandma when it comes to tech. Highly competent in the kitchen, but can't send an email to save herself. Except that post sat-phone, the Base has plenty of motivation to train well in opsec. Or catch a tomahawk. You working for Fox News these days? Or just wishful thinking?
Re: Brinworld: Streisand sues amateur coastal photographer at californiacoastline.org
At 10:00 PM 5/30/03 -0400, Tyler Durden wrote: You think that's bad? I know someone who was offered $1,000 a night to play lead trumpet for Streisand. When he heard that a major requirement was that he was not to lock eyes onto Streisand (ie, look at her), he declined the offer. Who cares? That's a private transaction. Neurosis is not criminal. You can hire Streisand to sing on the condition that she keeps her nose up your ass, so long as it's a mutually consensual transaction. But you can't use the threat of violence (ie law) to coerce photogs publishing what anyone can see. *That* is the point.
IQ, g, flying
At 02:30 PM 5/30/03 -0700, Tim May wrote: The second irony is that just today I took my first flying lesson, in a Diamond Katana composite/carbon single-prop plane. I took off from the Watsonville Airport, which is, I assume, the home airport of Adelman. Just FYI, if you read up on G (general intelligence factor), you will learn that the *only* cause of death that increases with G is dying in airplanes. (This is evidence that G is real, and general, and intelligence is adaptive.) You might also enjoy http://www.av8n.com/ which I once stumbled upon because Denker now does crypto.
Re: Maybe It's Snake Oil All the Way Down
At 08:32 PM 5/31/03 -0400, Scott Guthery wrote: Hello, Rich ... When I drill down on the many pontifications made by computer security and cryptography experts all I find is given wisdom. Maybe the reason that folks roll their own is because as far as they can see that's what everyone does. Roll your own then whip out your dick and start swinging around just like the experts. Are you trying to confirm that either the WASTE folks are homosexual, or puerile, as one might guess from the names of some of their projects? (Not that either impugns their code.) On the other hand, both AES and 3DES are US gov't approved. Which is sufficient reason to use Blowfish. Some of the other critiques of WASTE methods are substantial, however, in particular the SSL recommendations are useful tidbits to remember.
Re: 8-bit modular exponentiation code?
At 07:30 AM 5/24/03 +0100, Adam Back wrote: Colin Plumb's crypto library bnlib supports multiple word sizes I believe. On Fri, May 23, 2003 at 11:36:58AM -0700, Major Variola (ret.) wrote: Anyone know of any open-source modexp code for 8-bit cpus? Thank you for your response, however (for the record) that code requires at least a 16-bit CPU. From bnlib.doc (an amusing read, BTW): It is written in C, and should compile on any platform with an ANSI C compiler and 16 and 32-bit unsigned data types Small is defined as less than 65536, the minimum 16-bit word size supported by the library.
Re: 8-bit modular exponentiation code?
At 10:34 AM 5/30/03 -0700, Bill Frantz wrote: I think your best bet for an 8 bit CPU will be an assembly language routine. Likely so. For those interested, I found this article, which does in fact use enhanced (it has a multiplier) Z80 assembly, included in the article: http://www.ddj.com/documents/s=1030/ddj9309e/9309e.htm The Z80180 and Big-number Arithmetic Squeezing 512-bit operations out of 8-bit microcontrollers Burton S. Kaliski, Jr. For instance, in one recent project, our challenge was to implement 512-bit RSA private-key operations in less than 10 seconds on Zilog's 8-bit Z80180 microcontroller running at 10 million cycles/second. The folks at cyphercalc.com have a cyphermath8 library, albeit commercial. See http://cyphercalc.com/math/features.htm They give this performance data for the Rabbit CPU (see http://cyphercalc.com/math/performance.htm) 780 milliseconds for a modular exponentiation with a 128-bit base, 40-bit exponent, and 128-bit odd modulus. Exponent ones density: 50%. Target: Rabbit Semiconductor RCM2020, running at 18.4MHz. Compiled under Dynamic C, version 6.03, with assembly optimizations in effect. [no affiliation] Smartcard vendors tend to include a modexp co-processor.
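An added example, not Kaliski's, bnlib's or cyphercalc's code, showing why the 8-bit problem is tractable at all: left-to-right square-and-multiply over a double-and-add modular multiply needs nothing beyond byte adds, subtracts, shifts and compares with a carry, exactly what an 8-bit ALU offers (a hardware multiplier, as on the Z80180, only makes it faster). The 8-limb (64-bit) width and the `modexp_u64` wrapper are demo assumptions; an RSA build would raise `LIMBS`.

```c
#include <stdint.h>
#include <string.h>
#define LIMBS 8  /* demo width of 64 bits; an RSA build would raise this (assumption) */
/* Numbers are little-endian byte limbs; every routine handles one byte plus a carry/borrow. */
static uint8_t add_limbs(uint8_t *r, const uint8_t *a, const uint8_t *b) {
    unsigned c = 0;
    for (int i = 0; i < LIMBS; i++) { c += a[i] + b[i]; r[i] = (uint8_t)c; c >>= 8; }
    return (uint8_t)c;                      /* carry out */
}
static void sub_limbs(uint8_t *r, const uint8_t *a, const uint8_t *b) {
    int borrow = 0;                         /* wraps mod 2^(8*LIMBS) when a < b; used on purpose */
    for (int i = 0; i < LIMBS; i++) { int d = a[i] - b[i] - borrow; r[i] = (uint8_t)d; borrow = d < 0; }
}
static int ge_limbs(const uint8_t *a, const uint8_t *b) {        /* a >= b ? */
    for (int i = LIMBS - 1; i >= 0; i--) if (a[i] != b[i]) return a[i] > b[i];
    return 1;
}
static uint8_t shl1_limbs(uint8_t *a) {                          /* a <<= 1, returns bit shifted out */
    uint8_t c = 0;
    for (int i = 0; i < LIMBS; i++) { uint8_t nc = a[i] >> 7; a[i] = (uint8_t)((a[i] << 1) | c); c = nc; }
    return c;
}
/* Conditional subtraction: caller guarantees the true value (carry:r) is < 2n. */
static void reduce_once(uint8_t *r, uint8_t carry, const uint8_t *n) {
    if (carry || ge_limbs(r, n)) sub_limbs(r, r, n);
}
/* r = a*b mod n by double-and-add over the bits of b; requires a, b < n */
static void mulmod_limbs(uint8_t *r, const uint8_t *a, const uint8_t *b, const uint8_t *n) {
    uint8_t t[LIMBS] = {0};
    for (int i = LIMBS * 8 - 1; i >= 0; i--) {
        reduce_once(t, shl1_limbs(t), n);
        if ((b[i / 8] >> (i % 8)) & 1) reduce_once(t, add_limbs(t, t, a), n);
    }
    memcpy(r, t, LIMBS);
}
/* r = base^exp mod n, left-to-right square-and-multiply; requires base < n, n > 1 */
static void modexp_limbs(uint8_t *r, const uint8_t *base, const uint8_t *exp, const uint8_t *n) {
    uint8_t t[LIMBS] = {1};
    for (int i = LIMBS * 8 - 1; i >= 0; i--) {
        mulmod_limbs(t, t, t, n);
        if ((exp[i / 8] >> (i % 8)) & 1) mulmod_limbs(t, t, base, n);
    }
    memcpy(r, t, LIMBS);
}
/* Wrapper to check the limb code against ordinary integers (demo only). */
static void from_u64(uint8_t *r, uint64_t v) { for (int i = 0; i < LIMBS; i++) { r[i] = (uint8_t)v; v >>= 8; } }
static uint64_t to_u64(const uint8_t *a) { uint64_t v = 0; for (int i = LIMBS; i-- > 0;) v = (v << 8) | a[i]; return v; }
uint64_t modexp_u64(uint64_t base, uint64_t exp, uint64_t n) {
    uint8_t B[LIMBS], E[LIMBS], N[LIMBS], R[LIMBS];
    from_u64(B, base % n); from_u64(E, exp); from_u64(N, n);
    modexp_limbs(R, B, E, N);
    return to_u64(R);
}
```

The double-and-add multiply costs 8*LIMBS shift-and-reduce steps per multiplication, which is where Kaliski's multiplier-assisted routine gains its speed.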
Re: U.S. Drops 'E-Bomb' On Iraqi TV
At 04:56 PM 4/6/03 -0700, Bill Stewart wrote: A lot of these struck me as desperate attempts by the bomb designers to find *something* useful to do with the damned things besides pray that they sit in their silos, rusting, and are never, never used. Yes, that's about right... I think that is grossly unfair. They all-of-a-sudden had a several-order-of-magnitude change in the cost of explosions, and as applied scientists, looked for beneficial applications. Fact is, if the sheeple weren't so ignorant/afraid, peaceful, clean uses of nukes could benefit, e.g., excavating canals at a fraction of the cost/time of conventional work. This is economics physics, with politics smothering the whole affair. --- Of what use is a new-born babe? -Faraday
Maryland legislators decide to fuck the constitution
I realize that this bill basically says you can tap someone's phone for jaywalking, and normally I would say, 'No way,' said Del. Dana Lee Dembrow (D-Montgomery). But after what happened on September 11th, I say screw 'em. http://www.washingtonpost.com/wp-dyn/articles/A12099-2002Mar24.html Just in case you didn't know how a totalitarian police-state coup grows, more excerpts: Given the potential for mass casualties, said Del. Robert A. Zirkin (D-Baltimore County), the occasional intrusion into lives seems worth the risk. I know it's hard to swallow, Zirkin said. But I think we need to take a couple steps in that direction right now. Reminds me of when a sociologist was interviewing a southern farmer: Why do you think the murder rate is higher in the south? I guess more southerners need killin'.
RE: I'm no agent. Sez the cretin agent.
At 08:33 PM 3/22/02 -0600, Aimee Farr wrote: Tim wrote: Don't hire a single lawyer. As soon as even a single lawyer is hired, you're lost. Because it means you're thinking in terms of using the legal system, of striking business deals with those whose products you napster, and with working within the system. Not hiring a single lawyer, not even _consulting_ with a lawyer, means you are fully aware of how much you are relying on the laws of mathematics rather than the laws of men. I find your lack of faith disturbing. -- Darth Vader Read the source, Luke What happens if you break the laws of mathematics? Jah gets *really* pissed. Or, does couching a choice of law between the laws of men, and the laws of mathematics smack of some fallacy? Been fellating a lot of legislative numerical illiterates recently, have we Aimee? Not hiring a single lawyer, not even _consulting_ (emphasis his) a lawyer, more truly means you are a complete moron and disdain even calculated risk. No, it means you're observant and have discounted the lawhores. If you break the law by a significant act in that direction, you set your own hook for co-option, especially in espionage. What if you do no wrong, but the RIAA/MPAA brings heavy artillery upon you? Naah, can't happen here, Suzy Creamcheese. Most of the information you need is open source, Dream on or can be gained by acumen with low-risk. Add in the traitor element and the go to jail consideration, and it looks like a no-go to me. We have some questions about the optimal voltage/flow rate used when electro-spraying CO2 nutrient deprived anthrax cultures...