Re: powerline

2000-11-27 Thread Bill Stewart

At 02:16 AM 11/23/00 -, Ahmad Saufi wrote:
> hi, can u inform me about accessing internet via power line technology,
> if u have any news or info about it, please send/inform it to me.

Any Cypherpunks discussion on the topic would be in the archives,
at http://www.inet-one.com/ in Singapore.  You're probably better off
looking on a general-purpose web search engine,
or looking at specialized sites such as nwfusion.com or eetimes.com.
I think Nortel developed some of that technology,
but I don't know if they're the latest and hottest stuff.



Thanks! 
Bill
Bill Stewart, [EMAIL PROTECTED]
PGP Fingerprint D454 E202 CBC8 40BF  3C85 B884 0ABE 4639




Re: Jim Bell arrested, documents online

2000-11-27 Thread Tom Vogt

Greg Newby wrote:
 
 Do people on this list really believe that the solution to
 problems is to kill people?
 
 Or are we just getting sarcastic and frustrated?

we've run this planet for a couple thousand years by way of killing
people. never touch a running system, you know?




RE: On 60 tonight

2000-11-27 Thread Trei, Peter

60" Sixty seconds? Is that a real quickie version of 60' (Sixty
minutes)?

Notation counts (watch This Is Spinal Tap for another amusing
example of this type of goof-up).

Peter Trei


 --
 From: [EMAIL PROTECTED][SMTP:[EMAIL PROTECTED]]
 Reply To: [EMAIL PROTECTED]
 Sent: Sunday, November 26, 2000 6:32 PM
 To:   [EMAIL PROTECTED]
 Subject:  On 60" tonight
 
 My on-screen guide said "FISA", tvguide.com says,
 "Mike Wallace looks at one couple's claim that
 they were set up by the FBI and wrongly convicted of espionage."
 




Re: Jim Bell

2000-11-27 Thread A. Melon

Newby puzzles:

> > Right, I agree.
>
> But what I'd like to consider is a recipe for "plain ordinary"
> folk to conspire anonymously to commit murder.
>
> Not just any murder: murder for some of the people who (some
> people on this list have said), are needing killin'.
>
> If a bunch of crypto anarchists or whoever decide to knock off
> Bill Gates or Al Gore (who really didn't invent the Internet
> well enough...), you can bet someone will come looking pretty hard!
>
> Again, I see this as a serious problem in applied cryptography.


Did you even bother to read AP? RTFM, dude!




Re: On 60 tonight

2000-11-27 Thread Declan McCullagh

Yep. Tim's post is closer to what a cypherpunk would do if elected. :)
I suspect that as soon as the election is over, probably in two weeks,
we'll hear plenty of calls for "healing" and enough GOP leaders will
go along with such a move.

-Declan

On Sun, Nov 26, 2000 at 07:59:59PM -0600, Mac Norton wrote:
 Use your head. One of the first things Bush does is pardon Bill
 Clinton.  After all, given who's in charge of the prosecution,
 if Gore gets elected Clinton gets prosecuted so the Repubs can keep
 that circus going; if Bush gets elected, it's not only no longer
 important, it looks vindictive, which is inconsistent with the 
 compassionate conservatism we've been hearing less and less about 
 lately and with "turning this country around", whatever that meant.
 
 So Bush pardons Clinton, which has the added plus of forcing Clinton
 to the choice of taking it or not.  That's *real* revenge.  Not that
 W. is that smart/mean, but his daddy is. 
 MacN
 
 
 On Sun, 26 Nov 2000, Tim May wrote:
 
  At 6:32 PM -0500 11/26/00, [EMAIL PROTECTED] wrote:
  My on-screen guide said "FISA", tvguide.com says,
  "Mike Wallace looks at one couple's claim that
  they were set up by the FBI and wrongly convicted of espionage."
  
  I notice you're babbling about what's on "60 Minutes" but not saying 
  a peep about the certification of the election in Bush's favor.
  
  Now that an incoming Republican Administration will be able to 
  prosecute Bill for his various crimes, Hillary for her tax evasion 
  and insider trading and Algore on treason charges, I can hear Air 
  Force One warming up its engines for its flight to Cuba.
  
  Fidel has offered asylum to Bill and Al,but not to Hillary. She's too 
  far left even for him.
  
  Hillary may have to take refuge with either the Palestinians, where 
  she can hug Yassir's wife all she wants, or ZOG. Maybe she can set up 
  a double-wide in "No Man's Land." A lesbian sistah like her would no 
  doubt like the sound of that.
  
  Regarding the Demonrats who tried to steal this election, I say it's 
  time to take out the trash.
  
  
  --Tim May
  -- 
  (This .sig file has not been significantly changed since 1992. As the
  election debacle unfolds, it is time to prepare a new one. Stay tuned.)
  
  
 




No Subject

2000-11-27 Thread zakyiria
I WANT TO KNOW ABOUT YOUR STUFFING LETTERS BUSINESS I CAN USE THE EXTRA MONEY.

Re: Public Key Infrastructure: An Artifact...

2000-11-27 Thread Lynn . Wheeler




problem is that consumers don't normally know that they want to check on a
particular merchant's CRL entry until they realize that they want to go to that
merchant site. in general, the consumers aren't going to want to keep a local
(usenet) database of all CRL entries (however they are distributed) ... so it is
more likely the ISP would have to keep all the entries ... pushed into a
database ... and let the consumer do an online database lookup of the CRL
entries (effectively the local ISP is keeping a cached copy of all entries ... and
uses usenet as the distribution infrastructure).

sometimes, usenet can take several hrs to a day to propagate ... so the person
may still want to do an online transaction against the agency that issued a
certificate

In which case, the local ISP would be considered a "stand-in" ... maintaining a
negative file ... and returning positive answers if there isn't a match in the
negative file for the online transaction ... in which case the consumer may
still want to do another online transaction against the master file (located
somewhere in the internet).

Given that online transactions are being performed ... then it may even be more
straightforward to use domain name infrastructure to manage distribution and
management of cached entries. It has somewhat better online transaction
semantics than usenet (already). However, since this is turning into an online
transaction infrastructure ... it is then possible to eliminate both the
certificates and CRLs totally and just use the straight-forward domain name
infrastructure.

back again to certificates typically being superfluous and redundant in an
online infrastructure.






"Arnold G. Reinhold" [EMAIL PROTECTED] on 11/27/2000 07:53:35 AM

Please respond to "Arnold G. Reinhold" [EMAIL PROTECTED]

To:   Lynn Wheeler/CA/FDMS/FDC@FDC
cc:   [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject:  Re: Public Key Infrastructure: An Artifact...



At 11:17 AM -0800 11/23/2000, [EMAIL PROTECTED] wrote:
> Basically certificates are an implementation of R/O partial replicated
> distributed data that were intended to address availability of information in a
> predominately offline environment.
>
> In the SSL server certificates, distribution of CRLs tend to create a problem
> for consumers because they aren't likely to want to see 99.%
> of the CRLs distributed and/or they aren't online at the time the CRLs are
> distributed (and/or if done via email would create a horrible spam issue ...
> every possible consumer in the world receiving email CRLs from every possible SSL
> server certificate issuing CA).

Sounds like a job for Usenet.

Arnold Reinhold











Re: Public Key Infrastructure: An Artifact...

2000-11-27 Thread Eric Murray

On Mon, Nov 27, 2000 at 10:58:23AM -0800, [EMAIL PROTECTED] wrote:


Hi Lynn!
 
> problem is that consumers don't normally know that they want to check on a
> particular merchant's CRL entry until they realize that they want to go to that
> merchant site. in general, the consumers aren't going to want to keep a local
> (usenet) database of all CRL entries (however they are distributed) ... so it is
> more likely the ISP would have to keep all the entries ... pushed into a
> database ... and let the consumer do an online database lookup of the CRL
> entries (effectively the local ISP is keeping a cached copy of all entries ... and
> uses usenet as the distribution infrastructure).
>
> sometimes, usenet can take several hrs to a day to propagate ... so the person
> may still want to do an online transaction against the agency that issued a
> certificate
>
> In which case, the local ISP would be considered a "stand-in" ... maintaining a
> negative file ... and returning positive answers if there isn't a match in the
> negative file for the online transaction ... in which case the consumer may
> still want to do another online transaction against the master file (located
> somewhere in the internet).
>
> Given that online transactions are being performed ... then it may even be more
> straightforward to use domain name infrastructure to manage distribution and
> management of cached entries. It has somewhat better online transaction
> semantics than usenet (already). However, since this is turning into an online
> transaction infrastructure ... it is then possible to eliminate both the
> certificates and CRLs totally and just use the straight-forward domain name
> infrastructure.


However, caching the revocation data (which DNS would do nicely) means
that there needs to be some way for the relying parties to authenticate
the cached revocation data.  They could authenticate the DNS cache, but
that means trusting all those DNS servers.  More practically
the DNS cache servers could authenticate the data as coming from a trusted
DNS server (which is how DNSSEC works now I believe).  But that forces
the relying parties to trust that the DNS server that they're getting
the revocation data from has done the authentication.  And it
still doesn't address the issue of Mallet operating an evil DNS-CRL
cache which sends out bogus revocation data.  It also requires
the DNS caches to do the public-key crypto.

But, there's a solution- if the DNS servers and caches are sending out
revocation data which is signed by the real authority for revocation data
(whoever that may be for the application), and the relying parties
do the verification, then there's no security problem with the intermediate
DNS servers/caches.

So, IMHO, signed CRLs serve a purpose.

I agree that a cache system like DNS would be nice for CRL distribution
but I think that a usenet-type system would be good enough in practice.

I don't think that propagation delays are that big a problem in practical
use for TLS sites.  A CRL would only be issued if a merchant has shown
some amount of bad behaviour, or if there's been a key compromise.
For bad behaviour, there would likely be some sort of process
involved in issuing the CRL- one single report of merchant fraud would
not cause an issuer to revoke a cert instantly.  So if a merchant
goes "bad", there's likely to be quite a delay before they're revoked-
notices, appeals, etc.  A few hours taken in the distribution of the CRL
once the issuer's completed the process isn't going to make the problem
noticeably worse.

It'd be nice to have instant CRL distribution for key compromise, but
most sites will have been running with the compromised key for some time
before it's detected.  If a site really cares about security after
a key compromise, it could just go get a new cert and use that (after
fixing the problem that caused the compromise of course).





-- 
  Eric Murray   Consulting Security Architect SecureDesign LLC
  http://www.securedesignllc.com   PGP keyid:E03F65E5
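
Added example, not part of the thread or any poster's code: a Go sketch of the arrangement discussed in the two messages above, where revocation data passes through intermediaries (usenet, an ISP stand-in, DNS caches) and the relying party itself verifies the issuer's signature and the list's age. The list format, serial numbers, all-zero key seed and function names are constructed for illustration, and Ed25519 is an assumed stand-in for whatever signature scheme the issuer would use.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// SignedCRL is a constructed, simplified revocation list (not the X.509 CRL encoding).
type SignedCRL struct {
	ThisUpdate, NextUpdate int64    // validity window, Unix seconds
	Revoked                []uint64 // revoked certificate serial numbers
	Sig                    []byte   // issuer's signature over tbs()
}

// tbs returns the bytes the signature covers: both timestamps, then every serial.
func (c SignedCRL) tbs() []byte {
	vals := append([]uint64{uint64(c.ThisUpdate), uint64(c.NextUpdate)}, c.Revoked...)
	b := make([]byte, 8*len(vals))
	for i, v := range vals {
		binary.BigEndian.PutUint64(b[8*i:], v)
	}
	return b
}

// Issue is run only by the revocation authority, which holds the private key.
func Issue(priv ed25519.PrivateKey, now time.Time, ttl time.Duration, revoked ...uint64) SignedCRL {
	c := SignedCRL{ThisUpdate: now.Unix(), NextUpdate: now.Add(ttl).Unix(), Revoked: revoked}
	c.Sig = ed25519.Sign(priv, c.tbs())
	return c
}

var (
	ErrBadSig = errors.New("not signed by the revocation authority")
	ErrStale  = errors.New("list is past its NextUpdate")
)

// CheckSerial is run by the relying party on a list obtained from any cache.
// An error means "no answer": fall back to asking the issuer online.
func CheckSerial(issuer ed25519.PublicKey, c SignedCRL, serial uint64, now time.Time) (bool, error) {
	if !ed25519.Verify(issuer, c.tbs(), c.Sig) {
		return false, ErrBadSig
	}
	if now.Unix() > c.NextUpdate {
		return false, ErrStale
	}
	for _, s := range c.Revoked {
		if s == serial {
			return true, nil
		}
	}
	return false, nil
}

func verdict(revoked bool, err error) string {
	if err != nil {
		return "reject: " + err.Error()
	}
	return map[bool]string{true: "revoked", false: "not revoked"}[revoked]
}

// Demo runs four constructed cache responses through the relying party's check.
func Demo() map[string]string {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // constructed all-zero seed, demo only
	pub := priv.Public().(ed25519.PublicKey)
	t0 := time.Date(2000, 11, 27, 12, 0, 0, 0, time.UTC)
	now := t0.Add(3 * time.Hour) // the list reached the cache a few hours after issue
	current := Issue(priv, t0, 24*time.Hour, 1001, 2002)
	// A cache that silently drops serial 2002 but keeps the original signature.
	tampered := SignedCRL{current.ThisUpdate, current.NextUpdate, []uint64{1001}, current.Sig}
	// An older, validly signed list issued before serial 2002 was revoked.
	replayed := Issue(priv, t0.Add(-48*time.Hour), 24*time.Hour, 1001)
	return map[string]string{
		"honest/2002":   verdict(CheckSerial(pub, current, 2002, now)),
		"honest/3003":   verdict(CheckSerial(pub, current, 3003, now)),
		"tampered/2002": verdict(CheckSerial(pub, tampered, 2002, now)),
		"replayed/2002": verdict(CheckSerial(pub, replayed, 2002, now)),
	}
}

func main() {
	fmt.Println(Demo())
}
```

The signature check covers a cache that alters the list; the NextUpdate check covers a cache that serves an older, validly signed list from before a revocation.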




ip: TechNews: NSA Builds Security Access Into Windows

2000-11-27 Thread R. A. Hettinga


--- begin forwarded text


Date: Mon, 27 Nov 2000 19:29:40 -0600
To: [EMAIL PROTECTED]
From: Robert Huddleston [EMAIL PROTECTED] (by way of
[EMAIL PROTECTED])
Subject: ip: TechNews: NSA Builds Security Access Into Windows
Cc: [EMAIL PROTECTED]

http://www.guncontrolvictories.com/enemies_ms.html

Gun Control Victories

ECHELON (NSA) in Windows

Technology News NSA Builds Security Access Into Windows

A careless mistake (what a crock my comment) by Microsoft programmers has
shown that special access codes for use by the U.S. National Security
Agency (NSA) have been secretly built into all versions of the Windows
operating system. Computer-security specialists have been aware for two
years that unusual features are contained inside a standard Windows driver
used for security and encryption functions. The driver, called ADVAPI.DLL,
enables and controls a range of security functions including the Microsoft
Cryptographic API (MS-CAPI). In particular, it authenticates modules signed
by Microsoft, letting them run without user intervention.


At last year's Crypto 98 conference, British cryptography specialist Nicko
van Someren said he had disassembled the driver and found it contained two
different keys. One was used by Microsoft to control the cryptographic
functions enabled in Windows, in compliance with U.S. export regulations.
But the reason for building in a second key, or who owned it, remained a
mystery. Now, a North Carolina security company has come up with conclusive
evidence the second key belongs to the NSA. Like van Someren, Andrew
Fernandes, chief scientist with Cryptonym of Morrisville, North Carolina,
had been probing the presence and significance of the two keys. Then he
checked the latest Service Pack release for Windows NT4, Service Pack 5. He
found Microsoft's developers had failed to remove or "strip" the debugging
symbols used to test this software before they released it. Inside the code
were the labels for the two keys. One was called "KEY." The other was
called "NSAKEY."

Fernandes reported his re-discovery of the two CAPI keys, and their secret
meaning, to the "Advances in Cryptology, Crypto'99" conference held in
Santa Barbara. According to those present at the conference, Windows
developers attending the conference did not deny the "NSA" key was built
into their software. But they refused to talk about what the key did, or
why it had been put there without users' knowledge. But according to two
witnesses attending the conference, even Microsoft's top crypto programmers
were stunned to learn that the version of ADVAPI.DLL shipping with Windows
2000 contains not two, but three keys. Brian LaMachia, head of CAPI
development at Microsoft was "stunned" to learn of these discoveries, by
outsiders.

This discovery, by van Someren, was based on advance search methods which
test and report on the "entropy" of programming code. Within Microsoft,
access to Windows source code is said to be highly compartmentalized,
making it easy for modifications to be inserted without the knowledge of
even the respective product managers. No researchers have yet discovered a
programming module which signs itself with the NSA key. Researchers are
divided about whether it might be intended to let U.S. government users of
Windows run classified cryptosystems on their machines or whether it is
intended to open up anyone's and everyone's Windows computer to
intelligence gathering techniques deployed by the NSA's burgeoning corps of
"information warriors."


According to Fernandes of Cryptonym, the result of having the secret key
inside your Windows operating system "is that it is tremendously easier for
the NSA to load unauthorized security services on all copies of Microsoft
Windows, and once these security services are loaded, they can effectively
compromise your entire operating system". The NSA key is contained inside
all versions of Windows from Windows 95 OSR2 onward. "For non-American IT
managers relying on WinNT to operate highly secure data centers, this find
is worrying," he added. "The U.S government is currently making it as
difficult as possible for 'strong' crypto to be used outside of the U.S.
That they have also installed a cryptographic back-door in the world's most
abundant operating system should send a strong message to foreign IT
managers. "How is an IT manager to feel when they learn that in every copy
of Windows sold, Microsoft has installed a 'back door' for the NSA --
making it orders of magnitude easier for the U.S. government to access your
computer?" he said. Van Someren said he felt the primary purpose of the NSA
key might be for legitimate U.S. government use. But he said there cannot
be a legitimate explanation for the third key in Windows 2000 CAPI. "It
looks more fishy," he said on Friday. Fernandes said he believed the NSA's
built-in loophole could be turned round against the snoopers.

The NSA key inside CAPI could be replaced by your own key, and used to sign
cryptographic 

Imagine

2000-11-27 Thread No User



A history professor from Uppsala Universitet in Sweden, called to tell me about
this article she had read in which a
Zimbabwe politician was quoted as saying that children should study this event
closely for it shows that election
fraud is not only a Third World phenomena. 

1. Imagine that we read of an election occurring anywhere in the third world in
which the self declared winner was
the son of the former prime minister and that former prime minister was himself
the former head of that nation's
secret police (CIA). 

2. Imagine that the self declared winner lost the popular vote but won based on
some old colonial holdover (electoral
college) from the nation's pre-democracy past. 

3. Imagine that the self-declared winner's 'victory' turned on disputed votes
cast in a province governed by his
brother! 

4. Imagine that the poorly drafted ballots of one district, a district heavily
favoring the self-declared winner's
opponent, led thousands of voters to vote for the wrong candidate. 

5. Imagine that that members of that nation's most despised caste, fearing for
their lives/livelihoods, turned out in
record numbers to vote in near-universal opposition to the self-declared
winner's candidacy. 

6. Imagine that hundreds of members of that most-despised caste were
intercepted on their way to the polls by state
police operating under the authority of the self-declared winner's brother. 

7. Imagine that six million people voted in the disputed province and that the
self-declared winner's 'lead' was only
327 votes. Fewer, certainly, than the vote counting machines' margin of error. 

8. Imagine that the self-declared winner and his political party opposed a more
careful by-hand inspection and
re-counting of the ballots in the disputed province or in its most hotly
disputed district. 

9. Imagine that the self-declared winner, himself a governor of a major
province, had the worst human rights record
of any province in his nation and actually led the nation in executions. 

10. Imagine that a major campaign promise of the self-declared winner was to
appoint like-minded human rights
violators to lifetime positions on the high court of that nation. 

None of us would deem such an election to be representative of anything other
than the self-declared winner's
will-to-power. All of us, I imagine, would wearily turn the page thinking that
it was another sad tale of pitiful pre- or
anti-democracy peoples in some strange elsewhere." 




Re: ZKS -- the path to world domination

2000-11-27 Thread Adam Back


Greg wrote earlier about ZKS' Managed Privacy services:

 what I wonder about with this is where ZKS' loyalties will appear to
 be. Consumers probably want to see their privacy software vendor as
 "on their side"; but commercial interests working on data collection
 are probably going to want to work with people who will help them
 advance their own goals, sometimes at the price of others'
 privacy. 

Well ZKS should have an interest maintaining a good reputation for
acting in the interests of users privacy.  Companies who use such
services should also have an interest in using services of companies
with good privacy reputations -- as this would tend to give better
consumer confidence in the resulting systems.

 The closest parallel I can see is to environmental groups, who have
 in some cases endorsed certain corporations or certain practices as
 "green" or "environmentally friendly", and who have subsequently
 lost stature among some of their members and peers as having "sold
 out". I don't know if it will work well to be perceived as serving
 two masters - even if the corporate interests pay lip service to
 "protecting our customers' privacy".

I guess the only answers are maintaining professionalism, and
integrity and to maintain a strong stance on users privacy, with clear
long term objectives (avoiding short-sighted small incremental
improvements which may stay for a long time just because of the fact
that built working systems don't get replaced as long as they continue
to function).  Openness would be a guiding principle too I would think
-- so that users and technology critics can analyse and criticize the
systems.  Transparent functioning is a huge win for privacy.

Adam




Re: Jim Bell

2000-11-27 Thread R. A. Hettinga

At 7:45 PM -0800 on 11/27/00, Tim May wrote:


 (I think any of
 us could be called as witnesses to refute a state claim that he was
 deploying a real system!)

Which, unfortunately, and IIRC, he actually *pled* to, nonetheless.

Sheesh.

Cheers,
RAH
-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'




Re: Jim Bell

2000-11-27 Thread Declan McCullagh

The affidavit/complaint we link to at cluebot.com contains an
allegation from the Feds that Bell only 'fessed up to (in previous
interviews with l.e.)  authoring the AP essays.

I do not recall reading about, or writing about, Bell being charged
with deploying a working AP system. No, they've been prosecuting him
using far more mundane allegations of SSN misuse, stinkbombs, and
stalking. AP just gives it all spice, I suppose.

-Declan


On Mon, Nov 27, 2000 at 11:46:14PM -0500, R. A. Hettinga wrote:
 At 7:45 PM -0800 on 11/27/00, Tim May wrote:
 
 
  (I think any of
  us could be called as witnesses to refute a state claim that he was
  deploying a real system!)
 
 Which, unfortunately, and IIRC, he actually *pled* to, nonetheless.
 
 Sheesh.
 
 Cheers,
 RAH
 -- 
 -
 R. A. Hettinga mailto: [EMAIL PROTECTED]
 The Internet Bearer Underwriting Corporation http://www.ibuc.com/
 44 Farquhar Street, Boston, MA 02131 USA
 "... however it may deserve respect for its usefulness and antiquity,
 [predicting the end of the world] has not been found agreeable to
 experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
 




Re: Imagine

2000-11-27 Thread Anonymous

No User [EMAIL PROTECTED] wrote:

 A history professor from Uppsala Universitet in Sweden, called to
 tell me about this article she had read

Uppsala Universitet has no female history professors. Sorry.




Re: Jim Bell

2000-11-27 Thread R. A. Hettinga

At 1:19 AM -0500 on 11/28/00, Declan McCullagh wrote:


 I do not recall reading about, or writing about, Bell being charged
 with deploying a working AP system.

Hmmm...

Maybe it was Toto's ersatz-AP web page I was remembering, now that I think
about it, which, of course, Toto *didn't* plead to...

Cheers,
RAH
-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'




Excerpts from The Design and Verification of a Cryptographic Security Architecture available

2000-11-27 Thread Peter Gutmann

In August I finally submitted my PhD thesis, coming close to wrapping up my
long career as a tenured graduate student.  Although the work hasn't been
accepted yet, there has been some interest expressed in portions of it so I've
put a few chapters online.  Note that these chapters represent a draft only and
are not the completed work.

The main part of the thesis, Chapters 1-5, is available from
http://www.cs.auckland.ac.nz/~pgut001/pubs/thesis.html.  These chapters look at
an alternative way of building what people have been trying to do with Orange
Book B3/A1-type systems, but in a way which is feasible and practical for an
open source system where you don't have tens of millions of dollars and 5-10
years available to produce a product.

The chapters are (from the web page, where they're links to the docs):

  The software architecture, wherein the cryptlib software architecture is
  presented

  The security architecture, wherein the cryptlib security architecture is
  presented

  The kernel implementation, wherein the implementation details of the cryptlib
  security kernel are examined

  Verification techniques, wherein existing methods for building secure systems
  are examined and found wanting

  Verification of the cryptlib kernel, wherein a new method for building a
  secure system is presented.

Peter.





Re: Jim Bell

2000-11-27 Thread Tim May

At 1:19 AM -0500 11/28/00, Declan McCullagh wrote:
> The affidavit/complaint we link to at cluebot.com contains an
> allegation from the Feds that Bell only 'fessed up to (in previous
> interviews with l.e.)  authoring the AP essays.
>
> I do not recall reading about, or writing about, Bell being charged
> with deploying a working AP system. No, they've been prosecuting him
> using far more mundane allegations of SSN misuse, stinkbombs, and
> stalking. AP just gives it all spice, I suppose.

More than spice, I think. I think _this_ time they plan to make AP 
part of their case.

As your own article said,

"When the feds searched Bell's home earlier this month, according to 
a one-page attachment to the search warrant, agents were looking for 
"items which refer to Assassination Politics.""

I won't engage in the kind of speculation about how they might build 
their case, but I think this is where they are going.

Granted, they will not try to claim that Bell was running a real AP 
lottery. But they may make claims that he was planning an 
assassination. Some jurors might be swayed by the language in AP and 
by the (alleged) utterance:

"Say goodnight, Joshua."

(Wasn't Joshua the computer in "War Games"?)


> On Mon, Nov 27, 2000 at 11:46:14PM -0500, R. A. Hettinga wrote:
> > At 7:45 PM -0800 on 11/27/00, Tim May wrote:
> >
> > > (I think any of
> > > us could be called as witnesses to refute a state claim that he was
> > > deploying a real system!)
> >
> > Which, unfortunately, and IIRC, he actually *pled* to, nonetheless.
> >
> > Sheesh.


No, I don't recall any such plea. Inasmuch as AP is some years off 
into the future, as even Bell would probably acknowledge (and may 
have acknowledged, if one dredges up all of his posts and looks at 
them carefully), I doubt he'd make a plea agreement that he had 
deployed a working AP system.

I think AP was just hovering on the periphery in the first two rounds.

This time they may try to make it a more central part of some case. 
Hence my comment that some of us may be called by the defense to 
explain why AP could not possibly be an operational system at this 
time.


--Tim May

-- 
(This .sig file has not been significantly changed since 1992. As the
election debacle unfolds, it is time to prepare a new one. Stay tuned.)




Re: Public Key Infrastructure: An Artifact...

2000-11-27 Thread Arnold G. Reinhold

At 11:17 AM -0800 11/23/2000, [EMAIL PROTECTED] wrote:
> Basically certificates are an implementation of R/O partial replicated
> distributed data that were intended to address availability of information in a
> predominately offline environment.
>
> In the SSL server certificates, distribution of CRLs tend to create a problem
> for consumers because they aren't likely to want to see 99.%
> of the CRLs distributed and/or they aren't online at the time the CRLs are
> distributed (and/or if done via email would create a horrible spam issue ...
> every possible consumer in the world receiving email CRLs from every possible SSL
> server certificate issuing CA).

Sounds like a job for Usenet.

Arnold Reinhold