RE: layered deception

2001-04-29 Thread Phillip H. Zakas


there is no requirement for maintaining log files (unless specifically
directed otherwise.)  log files contain either marketing value or sysadmin
value -- in both cases specific ip addr info isn't necessary to maintain
that value (except in case of anomalous activity). one could collect info
without identifying information.

same principle applies to e-mail. once mail is deleted from a pop or imap or
whatever server, there is no requirement to keep the backup tapes of e-mail.
in fact the larger isps no longer keep deleted e-mail...they maintain only
e-mail headers for up to six months.  smaller isps should follow in these
steps (though i'd argue you shouldn't even keep header info.)

don't save it if you don't really truly need it.

phillip

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]]On Behalf Of Declan McCullagh
 Sent: Saturday, April 28, 2001 11:46 PM
 To: Anonymous
 Cc: [EMAIL PROTECTED]
 Subject: Re: layered deception



 I rather like the idea of encrypting the logs on the fly and shipping them
 offshore. Your offshore partner will be instructed to turn over the
 logs only if you are not asking for them under duress. (A reasonable
 protocol can probably be worked out. Would a court order instruct you
 to lie? If so, would it be valid?)

 -Declan


 On Sat, Apr 28, 2001 at 03:45:38PM -0600, Anonymous wrote:
  In view of the recent gimme-the-logs-or-we-fuck-you activities
  of armed men
  (http://www.indymedia.org/front.php3?article_id=36912&group=webcast ,
  http://seattle.indymedia.org/display.php3?article_id=3013 )
  what would be the legal consequence of the following:
 
  1. A virus is designed that spreads itself in some standard way and that
  deletes log files of popular http server implementations.
 
  2. Files are deleted when virus receives a packet on a known port.
 
  3. Detection of virus requires more than average admin can do.
 
  So when logs are requested an outside 3rd party can maliciously
  remove logs. The first several ISPs to contract this virus will
  probably get fucked, but by then it should become obvious that the
  ISP cannot effectively control the virus.
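The data-minimization point in the reply above (keep the sysadmin value of a web log without the client addresses, while still being able to correlate one client's requests within a day) can be implemented as a keyed pseudonymization pass over access-log lines. This is an added example, not code from the thread; the log lines, the master key and the day-keying scheme are constructed for illustration.

```python
import hmac
import hashlib
import re
from ipaddress import ip_address

# Constructed Apache "combined" style lines (not taken from the original thread).
SAMPLE_LOG = """\
192.0.2.44 - - [28/Apr/2001:15:45:38 -0600] "GET /index.html HTTP/1.0" 200 2326 "-" "Mozilla/4.0"
192.0.2.44 - - [28/Apr/2001:15:45:40 -0600] "GET /images/logo.gif HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
198.51.100.7 - - [28/Apr/2001:15:46:02 -0600] "GET /secret HTTP/1.0" 404 512 "-" "curl/7.0"
"""

# First whitespace-delimited field is the client; everything after it is kept verbatim.
LOG_RE = re.compile(r'^(?P<client>\S+) (?P<rest>.*)$')


def daily_key(master_key: bytes, day: str) -> bytes:
    """Derive a per-day key from a master secret (assumed scheme).

    Requests from one client stay linkable within a day, which is what
    troubleshooting and abuse detection need, but not across days, and
    nothing in the stored log can be reversed to an address without the key.
    """
    return hmac.new(master_key, day.encode(), hashlib.sha256).digest()


def pseudonymize_client(token: str, key: bytes, keep_bytes: int = 6) -> str:
    """Replace an IP (or hostname, if resolver logging is on) with a truncated HMAC."""
    try:
        raw = ip_address(token).packed
    except ValueError:
        raw = token.encode()
    return "h:" + hmac.new(key, raw, hashlib.sha256).hexdigest()[: keep_bytes * 2]


def minimize_line(line: str, key: bytes) -> str:
    """Rewrite one access-log line; lines that do not parse are passed through unchanged."""
    m = LOG_RE.match(line)
    if not m:
        return line
    return pseudonymize_client(m.group("client"), key) + " " + m.group("rest")


def minimize_log(text: str, key: bytes) -> list:
    """Apply minimize_line to every non-empty line of a log."""
    return [minimize_line(l, key) for l in text.splitlines() if l.strip()]


if __name__ == "__main__":
    key = daily_key(b"constructed-master-key", "2001-04-28")
    for out in minimize_log(SAMPLE_LOG, key):
        print(out)
```

Run the pass before the log is written to durable storage, and keep the master key away from the log host; once the day's key is discarded, the stored pseudonyms cannot be turned back into addresses.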






RE: PGP flaw found by Czech firm allows dig sig to be forged

2001-03-22 Thread Phillip H. Zakas


"...As far as I can tell, *NOBODY* offers security tools that offer real
protection in the event your opponent has physical access to the
machine...  Bear"

I completely agree.  Even if they didn't have access to the machine, losing
the private key is a huge problem.

I should point out a similar problem exists with microsoft's crypto api
(capi).  by replacing rsaenh.dll (and one other i could name later...details
are on my research laptop and not on this machine) one could dummy down
encryption or eliminate encryption control across all crypto api-compliant
applications (like ms outlook, explorer, etc.)  in fact this 'crack' is
similar to the 'upgrade' ms offers users to go from 56 to 128 bit encryption.
interestingly, in order to gain export assurance for a crypto product, it's
usually enough to state that your product's crypto relies on the MS crypto
api.  this is because the ms crypto api architecture has already received an
"ok" for export (with caveats re: 128 bit encryption.)  i've been through
this process so I know the 'crack' and the export license information is
correct (as of one year ago anyway).

the most significant problem with pki, imho, is the fact one can't verify
the publisher of the key.  the public key could have been stolen/modified,
or the issuer of the key may not have verified the true identity of the
requestor.  i could, right now, buy for $14.95, a digital cert from verisign
claiming I'm napoleon bonaparte.  and it would be published in their digital
cert. directory as true.  ya know, i'm going to do that right now.

anyway, as many have already echoed here, gaining access to an adversary's
machine provides more interesting possibilities than simply modifying a
user's secret key.  i would hope the cnsa would try to be more creative than
that.

phillip


In article [EMAIL PROTECTED],
Declan McCullagh  [EMAIL PROTECTED] wrote:

   Pretty Good Privacy that permits digital signatures to be forged in
   some situations.

   Phil Zimmermann, the PGP inventor who's now the director of the
   OpenPGP Consortium, said on Wednesday that he and a Network Associates
   (NETA) engineer verified that the vulnerability exists.

   ICZ, a Prague company with 450 employees, said that two of its
   cryptologists unearthed a bug in the OpenPGP format that allows an
   adversary who breaks into your computer to forge your e-mail
   signature.

A "vulnerability" that requires the opponent to have write access
to your private key in order to exploit?

Okay.  What was PGP's threat model again?  I'd have sworn that this
was squarely outside it.

As far as I can tell, *NOBODY* offers security tools that offer real
protection in the event your opponent has physical access to the
machine.

Bear





RE: Re: As Dot-Coms Go Bust in the U.S., Bermuda Hosts a Little Boomlet

2001-01-12 Thread Phillip H. Zakas


Just to add an interesting experience to this thread, I've flown to Bermuda
and to the Cayman Islands (not an attractive place, but great diving).  On
the flight to Bermuda the in-flight magazine had several articles discussing
Bermuda's aggressive moves against being a tax haven.  Saw the same kinds of
articles in the magazines while on the beach there.

In stark contrast, the in-flight magazine to the Caymans had several large
advertisements and one govt.-sponsored article promoting the fact that
banking transactions of less than $50,000 (per transaction) are never
reported to law enforcement inquiries unless it has been adequately proven
that the transaction was the result of a drug deal.  Other advertisements
stated the cost of starting a bank (as little as $5K if I remember
correctly) and of starting a private holding company (a little more than
starting your own bank).

Interestingly none of these islands/countries have the SA (société anonyme
(sp?)) laws of French islands.  An SA company by definition never reveals
the board members, officers, founders, etc.

pz

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Duncan Frissell
Sent: Friday, January 12, 2001 11:04 AM
To: [EMAIL PROTECTED]
Subject: Re: Re: As Dot-Coms Go Bust in the U.S., Bermuda Hosts a Little
Boomlet



At 11:29 AM 1/10/01 +, Ken Brown wrote:
One of the interesting, and to my mind odd, things is that they
*aren't*  "popping up in tax havens around the world". They are popping
up in little islands that are formally or effectively under British
colonial rule, if not actually occupied by the British army.

The British colonial possessions discussed in the article are, indeed, tax
havens and have been described as such by every writer on the topic from
the flakiest up to the Economist Intelligence Unit
http://store.eiu.com/description/M727des.asp.

Red Tony's attempt to corral his colonies has been going on for a few years
now.  The OECD has gotten into the act with its Financial Action Task Force
(http://www.oecd.org/fatf/) handling Money Laundering and the OECD, itself,
http://www.oecd.org/daf/fa/harm_tax/harmtax.htm handling what it calls
"Harmful Tax Practices".  By the latter, it means evil countries that set
their taxes too low.  It does not mean the harm involved in tax collection
itself.

The Barbados meeting http://www.oecd.org/media/release/nw00-123a.htm was
co-sponsored by the Commonwealth (formerly the British Commonwealth).  They
released a hopeful closing statement of agreement and cooperation
but  nothing is likely to come of it since the world's largest tax haven
(the US) is never the subject of these talks.

After watching these activities since shortly after the US government
started to crack down on trusts back in 1962, I have learned to ignore what
governments say and watch what they (and the market) actually do.

More important than bank secrecy itself is the ability to easily create
legal entities.  One of the reasons that the US is a popular tax haven (for
non-US persons) is because it is so easy to create various business and
personal entities here.

The Net has only made things worse.  With a dozen P2P payment
intermediaries created in the last 18 months or so and hundreds of online
securities brokerages, it's rough for the control forces.

DCF


"May the Lord enlighten ... the Swiss banks -- that they might uphold
justice and preserve the integrity of their own laws and the laws of
confidentiality, trust and basic decency between the banks and their
clients."  Imelda Marcos' Prayer for the Swiss Banks - Manila - Sunday 25
February 1996.





RE: Nader wants global U.N. Net-regulation body; Nader photos

2001-01-11 Thread Phillip H. Zakas


I respectfully submit to you:

1.  Ralph does not represent me or my own views.
2.  His 1960s industrial-society view of government, a nation
and corporations does not, imho, apply to the internet or information society.
3.  Number 1 and 2 are worth mentioning again :)

I do agree with you that in general most people are concerned with their own
day-to-day lives and cannot or don't care to understand how decisions made
in Europe or in Washington, DC regarding the internet do, or could, affect
themselves or those they know. I don't know how to solve this problem, but
my own observation is the media is quite capable of whipping people into a
frenzy (perhaps as a distraction to the daily chore of worrying about
whether or not there is enough jelly in the pantry).  I
certainly don't believe an 'egalitarian elitist' (is there such a thing?)
like Ralph can solve our problems.  Observations:

- in the case of standards and practices, corporations will charge through
and push standards and practices which enable the growth of their revenues.
In their perception they are filling the voids standards bodies and
legislative bodies leave open.  Shame on standards bodies for taking so long
to approve protocols, and creating the kind of research and peer review
environment which rivals even mathematics research (which involves years.)
Shame on legislative bodies who do not try to fully understand our new
society and rush to pass laws which are awkward and unworkable.
Corporations innovate and want to move forward; waiting years for peer
review is not realistic for many standards (I'm referring especially to
layer 4 protocols and above in the case of the ip stack).  Imagine if
Napster had waited for the RIAA to come around to a new way of music
distribution...or waited for the IETF to come up with a peer-reviewed method
of peer-to-peer file sharing.  In many ways Napster acted like a corporation
(albeit with a different motivation).
- corporations and lobbying groups represent not a single entity (the
corporation), but a group of people who are employed by the company and the
shareholders of the company.  Perhaps this is the .1% of the people you are
referring to.  Few things motivate people as much as money does.  Oh, and
free music is also apparently a great motivator.
- for the rest of us not necessarily motivated by money the key method of
influence is participation.  Participation through corporations (change from
within is sometimes not difficult to achieve); participation as a
significant contributor to a movement or project (linux for example); or
participation by creating a new kind of application which drives change.

Anyway i'm frightened that people who are supposed to get it (dyson, nader,
etc.) and don't are making the decisions.  At least with a corporation you
can buy shares, go to a shareholder meeting and speak your mind.  How do you
reverse poor judgement in an individual?
pz
btw I certainly don't think I get it any more than anyone else...I've just
not heard anyone who has presented a world view that makes sense from top to
bottom (maybe there is no comprehensive world view).

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Tom
Sent: Thursday, January 11, 2001 6:44 AM
To: Phillip H. Zakas
Cc: [EMAIL PROTECTED]
Subject: Re: Nader wants global U.N. Net-regulation body; Nader photos



"Phillip H. Zakas" wrote:

 Not to worry.  Ralph is only momentarily distracted.  Just wait for the new
 administration to start chopping down thousand-year-old forests (and
 squishing some photogenic "poster animal" in the process).


as a matter of fact, he DOES have a point. consumers have become the
weaker part of the market food chain because they are not organized and
because they ARE sheep. they'll cry murder every time you steal
something from them, but never actually do something, and the few who do
are too isolated to be even noticed.
corporations, on the other hand, have been far more intelligent. from
MPAA/RIAA straight to WTO they understood that lobby groups can increase
their influence greatly and turn the playing field to their advantage.
it's only fair to reply in kind and organize the consumers. or rather:
the 0.1% of them who give a damn.





RE: Nader wants global U.N. Net-regulation body; Nader photos

2001-01-10 Thread Phillip H. Zakas


Not to worry.  Ralph is only momentarily distracted.  Just wait for the new
administration to start chopping down thousand-year-old forests (and
squishing some photogenic "poster animal" in the process).

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Declan McCullagh
Sent: Wednesday, January 10, 2001 11:38 AM
To: [EMAIL PROTECTED]
Subject: Nader wants global U.N. Net-regulation body; Nader photos




Date: Wed, 10 Jan 2001 11:35:09 -0500
To: [EMAIL PROTECTED]
From: Declan McCullagh [EMAIL PROTECTED]
Subject: Nader wants global U.N. Net-regulation body; Nader photos


*

I've put some photos of Ralph Nader, who is probably the least photogenic
person in Washington, and that's saying a lot, at:
   http://www.mccullagh.org/theme/ralph-nader.html

*

http://www.wired.com/news/politics/0,1283,41106,00.html

Nader Wants Internet Control
by Declan McCullagh ([EMAIL PROTECTED]) and Nicholas Morehead

8:25 a.m. Jan. 10, 2001 PST
WASHINGTON -- To most people, the Internet is a way to communicate, an
untapped business opportunity, or a symbol of dot-com greed run amok.

Not so Ralph Nader. The former Green Party presidential candidate sees
an opportunity for a new global bureaucracy.

On Tuesday, Nader called for the creation of a "World Consumer
Protection Organization," comparable to the United Nations' World
Intellectual Property Organization, only "more democratically run."

Nader, at a National Press Club event, said the proposed WCPO would
focus on regulation of privacy, e-commerce, intellectual property,
antitrust and Internet governance -- areas he said affected consumers
directly.

"The technology of the Internet is far ahead of any legal framework,
any ethical framework or global framework," Nader said. "Are we going
to be left with self-regulatory standards set and implemented by
individual companies? Are we going to be left with standards set by
the Better Business Bureau as a last resort?"

Another justification: Fraud. During the panel discussion organized by
Forbes magazine, Nader said a recent Harris poll showed that 6 million
Americans felt that they were "somehow defrauded" on the Internet
during 2000.

The odds of a WCPO being created anytime soon, of course, range
between zero and infinitesimal.

[...]