[Clips] Great Computer Skills Are a Must For Anyone Emulating Deep Throat
--- begin forwarded text Date: Sun, 5 Jun 2005 23:00:05 -0400 To: Philodox Clips List [EMAIL PROTECTED] From: R.A. Hettinga [EMAIL PROTECTED] Subject: [Clips] Great Computer Skills Are a Must For Anyone Emulating Deep Throat Reply-To: [EMAIL PROTECTED] Sender: [EMAIL PROTECTED] ...meanwhile on that Internet thing, progress in modern snitchery apparently proceeds apace... Cheers, RAH Who damns Bill Gates to Hell for capitalizing the I in the Word spell checker way back when... --- http://online.wsj.com/article_print/0,,SB111800810686151189,00.html The Wall Street Journal June 6, 2005 PORTALS By LEE GOMES Great Computer Skills Are a Must For Anyone Emulating Deep Throat June 6, 2005 A generation ago, the original Deep Throat had to rely on 2 a.m. meetings at the bottom level of an underground garage to offer guidance to reporters investigating Watergate. Today, he would probably use the Internet. But whether he would be able to remain anonymous for three more decades would depend on his computer skills. That's because the Web today remains a confusing mixture of absolute privacy and shocking exposure, and most laypeople -- including those with no aspirations to emulate Deep Throat -- don't know which is happening when. Pieces of the Internet experience are secure from eavesdropping to an extreme degree of certainty -- such as when you are communicating with your bank. Those interactions are encrypted, or scrambled, and centuries of mathematicians have worked to guarantee, as much as is humanly possible, that some interloper won't be able to read them. When you fill in your credit-card number on a Web commerce page and press send, the contents of that page are turned into a jumble of random characters that can be turned back into your card number only at their destination. And the guarantee is nearly absolute: No one, be they hackers or police investigators, will be able to read what you are doing. This veil of secrecy protects everyone, be they Web shoppers, whistle-blowers or al Qaeda members. In fact, one of the great conundrums of the Internet is that the same technology that makes it safe for Amazon also makes it safe for child pornographers. Then again, the same thing is true for other technologies, like electricity, which can be used by all. But how do you know it is really your bank you are talking with, and not a server in a former Soviet republic that has been set up as part of the latest phishing scam to snatch credit-card numbers and passwords? Or how do you know that the tape file with your credit-card number won't be left lying on some shelf somewhere, for anyone to filch? A decade ago, in the early days of the Internet, the patrons and boosters of the Web pointed to the mature science of encryption as the answer to all questions about the safety and security of doing business online. They assumed that the main threat on the Internet would be the same threat over which cryptographers for centuries had fretted -- someone trying to break your code and read your messages. But the real Web security problems have turned out to be far more prosaic: overseas teenage criminal hackers or knuckleheaded practices by data-storage companies. The industry is only now beginning to grapple with them, and while bad things happen far less frequently than headlines might suggest, vigilance is still required from all concerned. With a little bit of effort, you shouldn't have to think twice about an eavesdropper ever reading your emails. But you do need to be on guard against some phony email claiming to be from Meg Whitman that is attempting to persuade you to type in your eBay password. While today's Deep Throat could sleep secure in the knowledge that no one else could read his emails, he would still have to worry that someone would know he was sending them. Whenever you are doing anything at all on the Web, you are telling some other computer to send data to yours. You can't go online without revealing the IP number of your machine any more than you can buy something by mail order and not list an address or P.O. box. If the machine you are communicating with keeps a log of what it is doing -- and many of them do -- then it becomes a pretty simple matter to trace the connection back to you. That's one way the record industry has been able to go after music downloaders. They know the IP address to which a bootleg MP3 was downloaded; they can then get a court order forcing your Internet service provider to reveal your real-world name and address. Potential Deep Throats should thus realize that determined investigators equipped with subpoena powers can be as much of a formidable adversary online as they are in the real world. Still, if you are willing to inconvenience yourself a bit, you can greatly increase the odds of preserving both your privacy and your anonymity online. You might, for instance, find a wireless Internet connection somewhere, and then log on to it with your
Re: Opinion on Israeli espionage plot
While I completely agree that the TH case in Israel must represent the tip of the iceberg and for sure there will be similar cases in Europe and the US (have already been). But it is pretty useless to blow this particular horn.I am sure many Israeli firms are scanning their machines to look for the presence of Trojans, but apparently the impact in the US has been close to zero.Not until security incidents actually occur do most companies respond. So just wait -Stiennon www.threatchaos.com At 03:58 AM 6/4/2005, Hagai Bar-El wrote: List, In the following link is an opinion about the espionage act discovered in Israel a week ago. In short: This case is probably one of dozens, but the only one that was discovered probably due to three non-typical mistakes that were done. http://www.hbarel.com/Blog/entry0004.html Hagai. --- Hagai Bar-El - Information Security Analyst T/F: 972-8-9354152 Web: www.hbarel.com - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED] Richard Stiennon The blog: http://www.threatchaos.com - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Papers about Algorithm hiding ?
From: Ian G [EMAIL PROTECTED] Sent: Jun 4, 2005 6:43 AM To: Steve Furlong [EMAIL PROTECTED] Cc: cryptography@metzdowd.com Subject: Re: Papers about Algorithm hiding ? GPG is an application that could be delivered by default in all free OSs. BSD is more or less installed automatically with SSH installed. Linux machines that are set up are also generally set up with SSH. I think you need one more step here to get the protective coloration effect you'd like, where encrypted files aren't automatic evidence of wrongdoing: During installation, generate 50 or so random passwords with too much entropy to feasibly guess (easy to do when no user need ever remember them), and encrypt some reasonable-length files full of binary zeros with them. The number of randomly-generated files needs to be randomized, naturally, and probably should follow some kind of distribution with a big tail to the right, so that it's not that uncommon for a random install to put several hundred encrypted files on the drive. The value of this is that an attacker now sees encrypted files on every machine, most of which nobody on Earth can decrypt. If this is normal, then it's not evidence. (There are probably a bunch of issues here with putting plausible tracks in the logs, datestamps on the files, etc. But it seems like something like this could work) ... Certainly using another app is fine. What would be more relevant to the direct issue is that it becomes routine to encrypt and to have encryption installed. See the recent threads on where all the data is being lost - user data is being lost simply because the companies don't protect it. Why aren't they protecting it? Because there are no easy tools that are built in to automatically and easily protect it. Huh? There have been effective tools for protecting data from disclosure for a long time, though it's not clear what good they'd do for a company whose whole business was just selling access to that data for a fee. I'll bet the Choicepoints of the world are pretty careful protecting, say, their payroll and HR records from disclosure. It's just *your* data they don't mind giving out to random criminals. No amount of crypto could have helped this. iang --John Kelsey - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: [Clips] Paying Extra for Faster Airport Security
The [express-line security] program will be operated by New York-based Verified Identity Pass Inc., a private company run by Steven Brill, whose former ventures included Court TV and The American Lawyer magazine. The program marks the first time a private company has teamed up with the government to speed up airport security lines. Yesterday, the Greater Orlando Aviation Authority board awarded the contract for its new system to Verified Identity Pass's system, opting for its prospectus over a proposal from Unisys Corp. I wonder what testing is planned and what penalties are specified in the contract for false negatives. My guess: little and none. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Papers about Algorithm hiding ?
At 01:14 PM 6/3/2005, [EMAIL PROTECTED] wrote: I think we are already in a state where practically everybody that has a computer has crypto available, and it's not difficult to use it! Of course they have it - the problem is having crypto in a way that's not suspicious, and suspicious is highly dependent on your threat model. For instance, Microsoft Word has crypto - it's lousy crypto, which isn't directly relevant here, but it's a utility that people view as normal, while PGP is inherently suspicious-looking. No reason that OpenOffice couldn't have crypto that's actually reasonable quality. The rename the binaries strategy is probably more reliable than cyphersaber etc. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Using Corporate Logos to Beat ID Theft
former chair of x9a10 working group did quite a bit of work on this approach ... although it was more oriented towards being able to validate websites as opposed to email ... and none of it shows up in the x9.59 standard http://www.garlic.com/~lynn/index.html#x959 for some topic drift ... recently i had opportunity to repeat the story about ISO/OSI directive prohibiting work on standards that violated OSI model http://www.garlic.com/~lynn/2005j.html#33 and happen to remember during the 90s work on x9.59, somebody trying to claim that (some?) ISO organization couldn't do work on standards involving digital signatures unless they were certificate-based infrastructures; collection of certificate-less based postings http://www.garlic.com/~lynn/subpubkey.html#certless Using Corporate Logos to Beat ID Theft http://www.eweek.com/article2/0,1759,1822978,00.asp The Mountain View, Calif., company's technology uses corporate logos to distinguish legitimate e-mail messages from those that fake, or spoof, their origin. Iconix is preparing to announce its first product next quarter, said company officials. ... snip ... - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Digital signatures have a big problem with meaning
Peter Gutmann wrote: Yup, see Why XML Security is Broken, http://www.cs.auckland.ac.nz/~pgut001/pubs/xmlsec.txt, for more on this. Mind you ASN.1 is little better, there are rules for deterministic encoding, but so many things get them wrong that experience has shown the only safe way to handle it is to do an exact bit-for-bit copy from A to B, rather than trying to re-code at any point. I've frequently commented that there is only one workable rule for encoding objects like X.500 DNs, and that's memcpy(). there was another issue with digital signatures supposedly acquiring attributes of human signatures aka implication that human had actually read, understood, approves, agrees, and/or authorizes the content ... as well as intent. so at least some financial institutions in the mid-90s were realizing that x.509 identity certificate ... potentially overloaded with enormous amounts of personal information, represented significant liability and privacy concerns ... were looked at switching to relying party only certificates ... basically containing some sort of database record locator (where all the real information was located) and a public key. however, it was trivial to demonstrate that such certificates were redundant and superfluous. http://www.garlic.com/~lynn/subpubkey.html#rpo there was another issue involving the typical 4k-12k byte size of such certificates ... when appended to a typical payment transaction of 60-80 bytes ... besides being redundant and superfluous ... also would represent horrendous payload bloat. now the certificate crazed periods of the 90s also had something called the certificate non-repudiation bit ... which large segments of the market was interpreting as meaning that digital signatures with appended certificates containing the non-repudiation bit ... couldn't be repudiated by the person making the digital signature. in the retail payments scenario ... the task was to convince consumers to pay $100/annum for redundant and superfluous, payload bloating relying party only certificates with the non-repudiation bit set. supposedly the scenario being sold retail merchant industry was that while the current retail payment environment had the burden of proof (in any consumer dispute) placed on the merchant ... if the consumer would be so kind to append an redundant and superfluous, enormous payload bloating certificate with the non-repudiation bit set ... the burden of proof in a dispute would be shifted from the merchant to the consumer. there was some hypothetical investigation that even if the consumer did digitally sign a retail payment transaction and appended a redundant and supefluous, payload bloating relying party only certificate ... w/o the non-repudiation bit set that merchants could possibly substitute a similar certificate which did have the non-repudiation bit turned on ... possibly harvested from some convenient, cooperating LDAP trusted certificate repository. besides all the other practical and legal issues about digital signatures being interpreted as simply something you have authentication ... from 3-factor authentication model http://www.garlic.com/~lynn/subpubkey.html#3factor * something you have * something you know * something you are and NOT as human signature implying intent, read, understood, agree, approve, and/or authorize ... there was the issue that the non-repudiation bit within a certificate was supposedly creating liability on behalf of the digital signer ... however the PKI protocols contained no provision for proving what specific certificate the person applying a digital signature had actually appended to any specific transaction ... aka the digital signature was only on the transaction itself ... and there was no digital signature armoring/binding which digital certificate might actually have been originally appended to any specific digitally signed transaction (possibly allowing merchants to substitute non-repudiation certificates when none had been intended). - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
[Clips] Citigroup Says Data Lost On 3.9 Million Customers
--- begin forwarded text Date: Mon, 6 Jun 2005 17:44:44 -0400 To: Philodox Clips List [EMAIL PROTECTED] From: R.A. Hettinga [EMAIL PROTECTED] Subject: [Clips] Citigroup Says Data Lost On 3.9 Million Customers Reply-To: [EMAIL PROTECTED] Sender: [EMAIL PROTECTED] http://online.wsj.com/article_print/0,,SB111807147451351811,00.html The Wall Street Journal June 6, 2005 3:52 p.m. EDT MARKETS Citigroup Says Data Lost On 3.9 Million Customers A WALL STREET JOURNAL ONLINE NEWS ROUNDUP June 6, 2005 3:52 p.m. Citigroup Inc. said that computer tapes containing personal information on about 3.9 million customers were lost by United Parcel Service Inc. while in transit to a credit-reporting bureau. The tapes contained names, Social Security numbers, account numbers and payment history of CitiFinancial customers in the U.S., as well as clients with closed accounts from its CitiFinancial retail-services unit. The tapes didn't include any customer information from the New York financial-service giant's auto, mortgage or any other Citigroup business, or its CitiFinancial customers in Canada or Puerto Rico, the company said. There is little risk of the accounts being compromised because customers have already received their loans, and no additional credit may be obtained from CitiFinancial without prior approval of our customers, either by initiating a new application or by providing positive proof of identification, said Kevin Kessinger, executive vice president of Citigroup's global consumer group, in a statement. Beginning in July, this data will be transmitted electronically in encrypted form, he said. The likelihood of having the information compromised is very remote given the type of equipment that is required to read it, Debby Hopkins, Citigroup's chief operations and technology officer, said in an interview. Additionally, the information is not in a format that an untrained eye would even know what to look for. The tapes were lost during a routine shipment from a data center in Weehawken, N.J., to a credit-reporting bureau in Texas. UPS confirmed that it had misplaced one box containing the tapes. We sincerely regret that we've been unable to find this missing package, says Norman Black, a spokesman for UPS in Atlanta. We have conducted an exhaustive search and there is no evidence or indication that it was stolen. Citigroup began a companywide effort last year to eliminate the need to physically ship data tapes. The bank similarly lost a batch of tapes last summer in Singapore when a vendor didn't follow their prescribed policy. Citigroup isn't alone. Time Warner Inc. and Ameritrade Holding Corp. both recently had to notify customers that their personal information had been lost in transit. Meanwhile, Bank of America Corp. and Wachovia Corp., along with other major banks, recently notified more than 100,000 customers that their accounts and personal information may be at risk after former bank employees' allegedly stole customers' private information. Separately, Bank of America also lost computer backup tapes containing names and Social Security numbers on about 1.2 million federal-government charge cards. In all, millions of individuals have been affected. Most organizations have been encouraging individuals to call credit-reporting agencies and put fraud alerts on their files, though some companies have offered free credit-report monitoring services for a limited time. Citigroup is offering affected customers free credit monitoring for 90 days. The latest breach highlights the vulnerability of corporate data-handling procedures. While some of the recent data losses have been the result of break-ins by computer hackers, the loss of computer tapes, as was the case with Bank of America and Time Warner, reveals gaps in trucking, air transport and other traditional logistical systems. -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire' ___ Clips mailing list [EMAIL PROTECTED] http://www.philodox.com/mailman/listinfo/clips --- end forwarded text -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire' - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]