RE: layered deception
there is no requirement for maintaining log files (unless specifically directed otherwise.) log files contain either marketing value or sysadmin value -- in both cases specific ip addr info isn't necessary to maintain that value (except in case of anomalous activity). one could collect info without identifying information.

same principle applies to e-mail. once mail is deleted from a pop or imap or whatever server, there is no requirement to keep the backup tapes of e-mail. in fact the larger isps no longer keep deleted e-mail...they maintain only e-mail headers for up to six months. smaller isps should follow in these steps (though i'd argue you shouldn't even keep header info.) don't save it if you don't really truly need it.

phillip

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Declan McCullagh
Sent: Saturday, April 28, 2001 11:46 PM
To: Anonymous
Cc: [EMAIL PROTECTED]
Subject: Re: layered deception

I rather like the idea of encrypting the logs on the fly and shipping them offshore. Your offshore partner will be instructed to turn over the logs only if you are not asking for them under duress. (A reasonable protocol can probably be worked out. Would a court order instruct you to lie? If so, would it be valid?)

-Declan

On Sat, Apr 28, 2001 at 03:45:38PM -0600, Anonymous wrote:

> In view of the recent gimme-the-logs-or-we-fuck-you activities of armed men (http://www.indymedia.org/front.php3?article_id=36912group=webcast , http://seattle.indymedia.org/display.php3?article_id=3013 ) what would be the legal consequence of the following:
>
> 1. A virus is designed that spreads itself in some standard way and that deletes log files of popular http server implementations.
> 2. Files are deleted when virus receives a packet on a known port.
> 3. Detection of virus requires more than average admin can do.
>
> So when logs are requested an outside 3rd party can maliciously remove logs.
>
> The first several ISPs to contract this virus will probably get fucked, but by then it should become obvious that the ISP cannot effectively control the virus.
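An added example (not from any post in this thread) of the principle phillip describes, keeping the sysadmin and marketing value of http logs without keeping addresses: it parses Apache/nginx combined-format lines and swaps the client address for a keyed token, so repeated hits from one client (the anomalous-activity case) are still countable while the key is in use and become unlinkable once the key is rotated and discarded. The log format, the regex, the token scheme and the sample lines are my assumptions, not anything the thread specifies.

```python
import hashlib
import hmac
import re
import secrets
from collections import Counter

LOG_RE = re.compile(  # Apache/nginx "combined" format; client address is the first field
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def pseudonymize_ip(ip: str, key: bytes) -> str:
    """Keyed HMAC token in place of the address: one IP maps to one token
    while `key` is in use (so a client hammering the server is still visible),
    and rotating/discarding the key daily breaks long-term linkability."""
    return "ip-" + hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:12]

def scrub_line(line: str, key: bytes):
    """Return the line with its address replaced, or None for lines that do
    not parse (dropped rather than stored with raw identifiers)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return line[:m.start("ip")] + pseudonymize_ip(m.group("ip"), key) + line[m.end("ip"):]

def scrub_and_summarize(lines, key: bytes):
    """Scrub every line and count hits per token and per status code: the
    sysadmin and marketing value survives, the addresses do not."""
    scrubbed, per_client, per_status = [], Counter(), Counter()
    for line in lines:
        out = scrub_line(line, key)
        if out is None:
            continue
        scrubbed.append(out)
        m = LOG_RE.match(out)
        per_client[m.group("ip")] += 1
        per_status[m.group("status")] += 1
    return scrubbed, per_client, per_status

SAMPLE_LOG = [  # constructed sample lines (RFC 5737 documentation addresses)
    '203.0.113.7 - - [28/Apr/2001:15:45:38 -0600] "GET /index.html HTTP/1.0" 200 1043',
    '203.0.113.7 - - [28/Apr/2001:15:45:39 -0600] "GET /logo.gif HTTP/1.0" 200 2318',
    '198.51.100.23 - - [28/Apr/2001:15:46:02 -0600] "GET /cgi-bin/x HTTP/1.0" 404 212',
    'garbage line that is not in combined format',
]

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # per-day key; never written to the log store
    print("\n".join(scrub_and_summarize(SAMPLE_LOG, key)[0]))
```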
RE: PGP flaw found by Czech firm allows dig sig to be forged
"...As far as I can tell, *NOBODY* offers security tools that offer real protection in the event your opponent has physical access to the machine... Bear"

I completely agree. Even if they didn't have access to the machine, losing the private key is a huge problem.

I should point out a similar problem exists with microsoft's crypto api (capi). by replacing rsaenh.dll (and one other i could name later...details are on my research laptop and not on this machine) one could dummy down encryption or eliminate encryption control across all crypto api-compliant applications (like ms outlook, explorer, etc.) in fact this 'crack' is similar to the 'upgrade' ms offers users to go from 56 to 128 bit encryption. interestingly, in order to gain export assurance for a crypto product, it's usually enough to state that your product's crypto relies on the MS crypto api. this is because the ms crypto api architecture has already received an "ok" for export (with caveats re: 128 bit encryption.) i've been through this process so I know the 'crack' and the export license information is correct (as of one year ago anyway).

the most significant problem with pki, imho, is the fact one can't verify the publisher of the key. the public key could have been stolen/modified, or the issuer of the key may not have verified the true identity of the requestor. i could, right now, buy for $14.95, a digital cert from verisign claiming I'm napoleon bonaparte. and it would be published in their digital cert. directory as true. ya know, i'm going to do that right now.

anyway, as many have already echoed here, gaining access to an adversary's machine provides more interesting possibilities than simply modifying a user's secret key. i would hope the cnsa would try to be more creative than that.

phillip

In article [EMAIL PROTECTED], Declan McCullagh [EMAIL PROTECTED] wrote:

> > Pretty Good Privacy that permits digital signatures to be forged in some situations.
> >
> > Phil Zimmermann, the PGP inventor who's now the director of the OpenPGP Consortium, said on Wednesday that he and a Network Associates (NETA) engineer verified that the vulnerability exists. ICZ, a Prague company with 450 employees, said that two of its cryptologists unearthed a bug in the OpenPGP format that allows an adversary who breaks into your computer to forge your e-mail signature.
>
> A "vulnerability" that requires the opponent to have write access to your private key in order to exploit? Okay. What was PGP's threat model again? I'd have sworn that this was squarely outside it.
>
> As far as I can tell, *NOBODY* offers security tools that offer real protection in the event your opponent has physical access to the machine.
>
> Bear
RE: Re: As Dot-Coms Go Bust in the U.S., Bermuda Hosts a Little Boomlet
Just to add an interesting experience to this thread, I've flown to Bermuda and to the Cayman Islands (not an attractive place, but great diving). On the flight to Bermuda the in-flight magazine had several articles discussing Bermuda's aggressive moves against being a tax haven. Saw the same kinds of articles in the magazines while on the beach there.

In stark contrast, the in-flight magazine to the Caymans had several large advertisements and one govt.-sponsored article promoting the fact that banking transactions of less than $50,000 (per transaction) are never reported to law enforcement inquiries unless it has been adequately proven that the transaction was the result of a drug deal. Other advertisements stated the cost of starting a bank (as little as $5K if I remember correctly) and of starting a private holding company (a little more than starting your own bank).

Interestingly none of these islands/countries have the SA (societe anonamie (sp?)) laws of French islands. An SA company by definition never reveals the board members, officers, founders, etc.

pz

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Duncan Frissell
Sent: Friday, January 12, 2001 11:04 AM
To: [EMAIL PROTECTED]
Subject: Re: Re: As Dot-Coms Go Bust in the U.S., Bermuda Hosts a Little Boomlet

At 11:29 AM 1/10/01 +, Ken Brown wrote:

> One of the interesting, and to my mind odd, things is that they *aren't* "popping up in tax havens around the world". They are popping up in little islands that are formally or effectively under British colonial rule, if not actually occupied by the British army.

The British colonial possessions discussed in the article are, indeed, tax havens and have been described as such by every writer on the topic from the flakiest up to the Economist Intelligence Unit http://store.eiu.com/description/M727des.asp. Red Tony's attempt to corral his colonies has been going on for a few years now.

The OECD has gotten into the act with its Financial Action Task Force (http://www.oecd.org/fatf/) handling Money Laundering and the OECD, itself, http://www.oecd.org/daf/fa/harm_tax/harmtax.htm handling what it calls "Harmful Tax Practices". By the latter, it means evil countries that set their taxes too low. It does not mean the harm involved in tax collection itself. The Barbados meeting http://www.oecd.org/media/release/nw00-123a.htm was co-sponsored by the Commonwealth (formerly the British Commonwealth). They released a hopeful closing statement of agreement and cooperation but nothing is likely to come of it since the world's largest tax haven (the US) is never the subject of these talks.

After watching these activities since shortly after the US government started to crack down on trusts back in 1962, I have learned to ignore what governments say and watch what they (and the market) actually do. More important than bank secrecy itself is the ability to easily create legal entities. One of the reasons that the US is a popular tax haven (for non-US persons) is because it is so easy to create various business and personal entities here.

The Net has only made things worse. With a dozen P2P payment intermediaries created in the last 18 months or so and hundreds of online securities brokerages, it's rough for the control forces.

DCF

"May the Lord enlighten ... the Swiss banks -- that they might uphold justice and preserve the integrity of their own laws and the laws of confidentiality, trust and basic decency between the banks and their clients." Imelda Marcos' Prayer for the Swiss Banks - Manila - Sunday 25 February 1996.
RE: Nader wants global U.N. Net-regulation body; Nader photos
I respectfully submit to you:

1. Ralph does not represent me or my own views.
2. His 1960's views of the industrial society view of government, a nation and corporations do not, imho, apply to the internet or information society.
3. Number 1 and 2 are worth mentioning again :)

I do agree with you that in general most people are concerned with their own day-to-day lives and cannot or don't care to understand how decisions made in Europe or in Washington, DC regarding the internet do, or could, affect themselves or those they know. I don't know how to solve this problem, but my own observation is the media is quite capable of whipping people into a frenzy (perhaps as a distraction to the daily chore of worrying about whether or not there is enough jelly in the pantry). I certainly don't believe an 'egalitarian elitist' (is there such a thing?) like Ralph can solve our problems.

Observations:

- in the case of standards and practices, corporations will charge through and push standards and practices which enable the growth of their revenues. In their perception they are filling the voids standards bodies and legislative bodies leave open. Shame on standards bodies for taking so long to approve protocols, and creating the kind of research and peer review environment which rivals even mathematics research (which involves years.) Shame on legislative bodies who do not try to fully understand our new society and rush to pass laws which are awkward and unworkable. Corporations innovate and want to move forward; waiting years for peer review is not realistic for many standards (I'm referring especially to layer 4 protocols and above in the case of the ip stack). Imagine if Napster had waited for the RIAA to come around to a new way of music distribution...or waited for the IETF to come up with a peer-reviewed method of peer-to-peer file sharing. In many ways Napster acted like a corporation (albeit with a different motivation).

- corporations and lobbying groups represent not a single entity (the corporation), but a group of people who are employed by the company and the shareholders of the company. Perhaps this is the .1% of the people you are referring to. Few things motivate people as much as money does. Oh, and free music is also apparently a great motivator.

- for the rest of us not necessarily motivated by money the key method of influence is participation. Participation through corporations (change from within is sometimes not difficult to achieve); participation as a significant contributor to a movement or project (linux for example); or participation by creating a new kind of application which drives change.

Anyway i'm frightened that people who are supposed to get it (dyson, nader, etc.) and don't are making the decisions. At least with a corporation you can buy shares, go to a shareholder meeting and speak your mind. How do you reverse poor judgement in an individual?

pz

btw I certainly don't think I get it any more than anyone else...I've just not heard anyone who has presented a world view that makes sense from top to bottom (maybe there is no comprehensive world view).

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom
Sent: Thursday, January 11, 2001 6:44 AM
To: Phillip H. Zakas
Cc: [EMAIL PROTECTED]
Subject: Re: Nader wants global U.N. Net-regulation body; Nader photos

"Phillip H. Zakas" wrote:

> Not to worry. Ralph is only momentarily distracted. Just wait for the new administration to start chopping down thousand-year-old forests (and squishing some photogenic "poster animal" in the process).

as a matter of fact, he DOES have a point. consumers have become the weaker part of the market food chain because they are not organized and because they ARE sheep. they'll cry murder every time you steal something from them, but never actually do something, and the few who do are too isolated to be even noticed.

corporations, on the other hand, have been far more intelligent. from MPAA/RIAA straight to WTO they understood that lobby groups can increase their influence greatly and turn the playing field to their advantage. it's only fair to reply in kind and organize the consumers. or rather: the 0.1% of them who give a damn.
RE: Nader wants global U.N. Net-regulation body; Nader photos
Not to worry. Ralph is only momentarily distracted. Just wait for the new administration to start chopping down thousand-year-old forests (and squishing some photogenic "poster animal" in the process).

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Declan McCullagh
Sent: Wednesday, January 10, 2001 11:38 AM
To: [EMAIL PROTECTED]
Subject: Nader wants global U.N. Net-regulation body; Nader photos

Date: Wed, 10 Jan 2001 11:35:09 -0500
To: [EMAIL PROTECTED]
From: Declan McCullagh [EMAIL PROTECTED]
Subject: Nader wants global U.N. Net-regulation body; Nader photos

* I've put some photos of Ralph Nader, who is probably the least photogenic person in Washington, and that's saying a lot, at: http://www.mccullagh.org/theme/ralph-nader.html

* http://www.wired.com/news/politics/0,1283,41106,00.html

Nader Wants Internet Control
by Declan McCullagh ([EMAIL PROTECTED]) and Nicholas Morehead
8:25 a.m. Jan. 10, 2001 PST

WASHINGTON -- To most people, the Internet is a way to communicate, an untapped business opportunity, or a symbol of dot-com greed run amok. Not so Ralph Nader. The former Green Party presidential candidate sees an opportunity for a new global bureaucracy.

On Tuesday, Nader called for the creation of a "World Consumer Protection Organization," comparable to the United Nations' World Intellectual Property Organization, only "more democratically run."

Nader, at a National Press Club event, said the proposed WCPO would focus on regulation of privacy, e-commerce, intellectual property, antitrust and Internet governance -- areas he said affected consumers directly.

"The technology of the Internet is far ahead of any legal framework, any ethical framework or global framework," Nader said. "Are we going to be left with self-regulatory standards set and implemented by individual companies? Are we going to be left with standards set by the Better Business Bureau as a last resort?"

Another justification: Fraud.

During the panel discussion organized by Forbes magazine, Nader said a recent Harris poll showed that 6 million Americans felt that they were "somehow defrauded" on the Internet during 2000.

The odds of a WCPO being created anytime soon, of course, range between zero and infinitesimal.

[...]