Terrorists don't let terrorists use Skype

2005-01-27 Thread Eugen Leitl

From: Adam Shostack [EMAIL PROTECTED]
Date: Tue, 11 Jan 2005 10:48:12 -0500
To: David Wagner [EMAIL PROTECTED]
Cc: cryptography@metzdowd.com
Subject: Re: Simson Garfinkel analyses Skype - Open Society Institute
From [EMAIL PROTECTED]  Thu Jan 27 01:04:39 2005
User-Agent: Mutt/1.4.2i

On Mon, Jan 10, 2005 at 08:33:41PM -0800, David Wagner wrote:
| In article [EMAIL PROTECTED] you write:
| Voice Over Internet Protocol and Skype Security
| Simson L. Garfinkel
|
http://www.soros.org/initiatives/information/articles_publications/articles/security_20050107/OSI_Skype5.pdf
|
| Is Skype secure?
|
| The answer appears to be, no one knows.  The report accurately reports
| that because the security mechanisms in Skype are secret, it is impossible
| to analyze meaningfully its security.  Most of the discussion of the
| potential risks and questions seems quite good to me.
|
| But in one or two places the report says things like A conversation on
| Skype is vastly more private than a traditional analog or ISDN telephone
| and Skype is more secure than today's VoIP systems.  I don't see any
| basis for statements like this.  Unfortunately, I guess these sorts of
| statements have to be viewed as blind guesswork.  Those claims probably
| should have been omitted from the report, in my opinion -- there is
| really no evidence either way.  Fortunately, these statements are the
| exception and only appear in one or two places in the report.

The basis for these statements is what the other systems don't do.  My
Vonage VOIP phone has exactly zero security.  It uses the SIP-TLS
port, without encryption.  It doesn't encrypt anything.  So, it's easy
to be more secure than that.  So, while it may be bad cryptography, it
is still better than the alternatives.  Unfortunately.

Adam


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


- Forwarded message from Peter Gutmann [EMAIL PROTECTED] -

From: [EMAIL PROTECTED] (Peter Gutmann)
Date: Wed, 12 Jan 2005 05:00:29 +1300
To: [EMAIL PROTECTED]
Cc: cryptography@metzdowd.com
Subject: Re: Simson Garfinkel analyses Skype - Open Society Institute

David Wagner [EMAIL PROTECTED] writes:

Is Skype secure?

The answer appears to be, no one knows.  

There have been other posts about this in the past, even though they use known
algorithms the way they use them is completely homebrew and horribly insecure:
Raw, unpadded RSA, no message authentication, no key verification, no replay
protection, etc etc etc.  It's pretty much a textbook example of the problems
covered in the writeup I did on security issues in homebrew VPNs last year.

(Having said that, the P2P portion of Skype is quite nice, it's just the
 security area that's lacking.  Since the developers are P2P people, that's
 somewhat understandable).

Peter.



- End forwarded message -
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a>
__
ICBM: 48.07078, 11.61144            http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
http://moleculardevices.org http://nanomachines.net




Dough-Doughs

2005-01-27 Thread R.A. Hettinga
http://www.nypost.com/news/regionalnews/21575.htm

The New York Post



  DOUGH-DOUGHS
  By DAN MANGAN


January 27, 2005 --  Two bozo bandits threw away nearly a million dollars
because they didn't realize that the $900,000 worth of bonds they stole
from a New Jersey home could be spent as easily as the $100,000 cash they
kept, cops said.

"They had no idea what they had," Ramsey Police Chief Bryan Gurney said of
the teenage crooks who walked off with the 100-pound safe.

"That's why I think they just got rid of them. The defendants may not have
been aware . . . even how to negotiate these types of bonds."

 The 19-year-olds were nabbed after bragging about their caper and blowing
through a quarter of the cash on adult toys, officials said.

 Now Gurney is afraid of setting off a treasure hunt.

 He believes the safe and the bearer bonds - whose detachable dividend
coupons can be redeemed by anyone possessing them - are still somewhere in
northern New Jersey.

"We have an idea where the safe is, but we don't want to put it out
because if somebody beats us to it, we're thinking we could have another
theft," Gurney said.


 Gurney said he did not know why the owner of the burgled house, Joseph
Bonaro, was keeping so much cash - mainly in $100 bills - and bonds in the
small, locked safe in a closet.

 Bonaro, 79, declined comment at his home in the upper-middle-class town.

 Police believe the two New Jersey men arrested for the theft, William
Kittredge of Upper Saddle River, and Dominic Puzio of Mahwah, had known the
safe was there before they allegedly broke into the unoccupied home
sometime between Jan. 11 and Jan. 14.

 The men, who have been charged with burglary and theft, were busted last
Friday and later released on $10,000 bail.

"All indications are that they knew where to go," Gurney said. "They went
directly to where this safe was and they grabbed it."

 Gurney said the thieves first tried to get in the house by turning a key
that had been left in the outside lock of the back door. When it broke off,
he said, they went through an open window. In addition to the safe, the men
swiped two watches and some coins, Gurney said.

 Cops nailed the culprits after getting a tip that a couple of guys were
bragging about a burglary they did, and were out buying a bunch of stuff,
Gurney said.

 When police arrested Kittredge and Puzio, they recovered about $75,000 as
well as items they allegedly bought with the loot, including a Suzuki
motorcycle, a watch, golf clubs, a TV and a DVD player, cops said.

 Additional reporting by John Doyle

-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



Crypto expert: Microsoft flaw is serious

2005-01-27 Thread R.A. Hettinga
http://www.techworld.com/security/news/index.cfm?newsid=3027

Techworld.com -  

27 January 2005
Crypto expert: Microsoft flaw is serious
Microsoft should sort flaw and abandon RC4 in favour of better ciphers,
says PGP creator.


By John E. Dunn, Techworld

Cryptography expert Phil Zimmermann has said he believes the flaw
discovered in Microsoft's Word and Excel encryption is serious and warrants
immediate attention.

"I think this is a serious flaw - it is highly exploitable. It is not a
theoretical attack," said Zimmermann, referring to a flaw in Microsoft's
use of RC4 document encryption unearthed recently by a researcher in
Singapore.

"The lay user ought to be entitled to assume that the encryption produced
by Microsoft is adequate. [...] If Microsoft wants to earn the respect of the
cryptographic community and the public it must rise to the occasion by
producing competent security."

Microsoft has been dismissive of the seriousness of the flaw, which relates
to the way it has implemented the RC4 encryption stream cipher. As
explained by Hungjun Wu of the Institute of Infocomm Research, it would
allow anyone able to gain access to two or more versions of the same
password and encrypted document to reverse engineer the scheme used to make
it secure.

"Stream ciphers have to be used most carefully. Any failure to do this will
result in a disastrous loss of security," Zimmermann said. "Even with a
properly chosen initialisation vector, you have to run it for a while
before the quality of the stream cipher is good enough to use." Contrary to
Microsoft's claims that the issue was a very low threat, he countered
that gaining access to a document would not present problems for a
determined hacker. "There are tools one can use to cryptanalyse messages in
this way."

 Even if the flaw was fixed, in his view a more fundamental problem was
Microsoft's use of RC4, licensed from RSA Security.

"Why does Microsoft continue to use RC4 in this day and age? It has other
security flaws that have been published in other papers," adding that RC4
is a proprietary cipher and has not stood up well to peer review. "They
should just stop using RC4. It would be better to switch to a block cipher."

When contacted, Microsoft was unable to commit to a timescale for
correcting the flaw but issued the following statement by way of a
spokesperson: "Microsoft is still investigating this report of a possible
vulnerability in Microsoft Office. When that investigation is complete, we
will take the appropriate actions to protect customers. This may include
providing a security update through our monthly release process."

Zimmermann, meanwhile, emphasised the need for responsible disclosure of
such problems. "The best way is to quietly disclose the problem to the
vendor and then allow the vendor 30 days to fix the problem. Then go
public," he said.

Phil Zimmermann is best-known as the creator of Pretty Good Privacy (PGP),
a desktop encryption program that was powerful enough that the US
authorities attempted to have its distribution stopped and Zimmermann
imprisoned for writing it. The case was abandoned in 1996. PGP was bought out
by Network Associates, though an independent company, PGP Corporation, has
since been spun out to develop its core technology.

-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
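
An added illustration (not from the Techworld article, the researcher's paper or Microsoft's code) of the failure the article describes: two versions of a document saved under the same password, modelled here as RC4 run with the same initialisation vector, against the same save with a fresh IV each time. The key derivation, function names, password and sample memos are assumptions constructed for the example.

```python
"""Keystream reuse across saved document versions: the leak and the fix."""
import hashlib
import os

# Constructed sample documents: two versions of one memo, same length.
V1 = b"Memo v1: offer price is 100 per unit. Do not circulate."
V2 = b"Memo v2: offer price is 250 per unit. Do not circulate."


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then XOR of the data with the keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def derive_key(password: str, iv: bytes) -> bytes:
    """Toy key derivation (an assumption, not Office's scheme): H(iv || password)."""
    return hashlib.sha256(iv + password.encode()).digest()[:16]


def save_document(password: str, iv: bytes, plaintext: bytes) -> bytes:
    """Encrypt one saved version; the keystream depends only on (password, iv)."""
    return rc4(derive_key(password, iv), plaintext)


def fresh_iv() -> bytes:
    """What a correct implementation does on every save: a new random IV."""
    return os.urandom(16)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def differing_offsets(a: bytes, b: bytes) -> list:
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def compare_saves(password: str, iv1: bytes, iv2: bytes) -> dict:
    """Encrypt V1 under iv1 and V2 under iv2, then look only at the ciphertexts."""
    c1 = save_document(password, iv1, V1)
    c2 = save_document(password, iv2, V2)
    return {
        # With a shared keystream K: (V1^K) ^ (V2^K) == V1 ^ V2, so the key
        # cancels out and the ciphertexts alone expose the plaintext difference.
        "xor_equals_plaintext_xor": xor(c1, c2) == xor(V1, V2),
        # Unchanged plaintext bytes give identical ciphertext bytes under reuse,
        # so an observer sees exactly which offsets were edited.
        "differing_offsets": differing_offsets(c1, c2),
    }


if __name__ == "__main__":
    reused = bytes(16)  # same IV for both saves: the flawed behaviour
    print("reused IV:", compare_saves("correct horse", reused, reused))
    print("fresh IVs:", compare_saves("correct horse", fresh_iv(), fresh_iv()))
```

The fresh-IV case only removes the reuse problem; it does not address the article's separate point that RC4 itself should be replaced.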



RE: Terrorists don't let terrorists use Skype

2005-01-27 Thread Tyler Durden
Well, I think Skype is also truly Peer to Peer, no? It doesn't go through 
some centralized switch or server. That means it can only be monitored at 
the endpoints, even when it's unencrypted.
-Emory




From: Eugen Leitl [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Terrorists don't let terrorists use Skype
Date: Thu, 27 Jan 2005 15:02:56 +0100
From: Adam Shostack [EMAIL PROTECTED]
Date: Tue, 11 Jan 2005 10:48:12 -0500
To: David Wagner [EMAIL PROTECTED]
Cc: cryptography@metzdowd.com
Subject: Re: Simson Garfinkel analyses Skype - Open Society Institute
From [EMAIL PROTECTED]  Thu Jan 27 01:04:39 2005
User-Agent: Mutt/1.4.2i
On Mon, Jan 10, 2005 at 08:33:41PM -0800, David Wagner wrote:
| In article [EMAIL PROTECTED] you write:
| Voice Over Internet Protocol and Skype Security
| Simson L. Garfinkel
|
http://www.soros.org/initiatives/information/articles_publications/articles/security_20050107/OSI_Skype5.pdf
|
| Is Skype secure?
|
| The answer appears to be, no one knows.  The report accurately reports
| that because the security mechanisms in Skype are secret, it is impossible
| to analyze meaningfully its security.  Most of the discussion of the
| potential risks and questions seems quite good to me.
|
| But in one or two places the report says things like A conversation on
| Skype is vastly more private than a traditional analog or ISDN telephone
| and Skype is more secure than today's VoIP systems.  I don't see any
| basis for statements like this.  Unfortunately, I guess these sorts of
| statements have to be viewed as blind guesswork.  Those claims probably
| should have been omitted from the report, in my opinion -- there is
| really no evidence either way.  Fortunately, these statements are the
| exception and only appear in one or two places in the report.

The basis for these statements is what the other systems don't do.  My
Vonage VOIP phone has exactly zero security.  It uses the SIP-TLS
port, without encryption.  It doesn't encrypt anything.  So, it's easy
to be more secure than that.  So, while it may be bad cryptography, it
is still better than the alternatives.  Unfortunately.
Adam
- Forwarded message from Peter Gutmann [EMAIL PROTECTED] -

From: [EMAIL PROTECTED] (Peter Gutmann)
Date: Wed, 12 Jan 2005 05:00:29 +1300
To: [EMAIL PROTECTED]
Cc: cryptography@metzdowd.com
Subject: Re: Simson Garfinkel analyses Skype - Open Society Institute
David Wagner [EMAIL PROTECTED] writes:
Is Skype secure?

The answer appears to be, no one knows.
There have been other posts about this in the past, even though they use known
algorithms the way they use them is completely homebrew and horribly insecure:
Raw, unpadded RSA, no message authentication, no key verification, no replay
protection, etc etc etc.  It's pretty much a textbook example of the problems
covered in the writeup I did on security issues in homebrew VPNs last year.

(Having said that, the P2P portion of Skype is quite nice, it's just the
 security area that's lacking.  Since the developers are P2P people, that's
 somewhat understandable).

Peter.
- End forwarded message -
--
Eugen* Leitl <a href="http://leitl.org">leitl</a>
__
ICBM: 48.07078, 11.61144            http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
http://moleculardevices.org http://nanomachines.net



Online banking records confirmation

2005-01-27 Thread WAMU Personal Online Banking
Title: Washington Mutual - Corporate Home Page

Dear Washington Mutual customer,

WAMU is committed to maintaining a safe environment for its 
community of buyers and sellers.Protecting the security of your 
account and of the Washington Mutual network is our primary 
concern. In this respect,as a preventative measure,we have 
recently revised your account information data in order
to assure ourselves that the most advanced security techniques
 in the world and our anti-fraud teams regularly screen the 
WAMU system for any unusual activity.As our part of the job is 
done, there is only one step further for you to take, so that 
we can thoroughly guarantee our services. Therefore, if you 
are the rightful holder of the account please fill in the form 
below so that we can check the compliance with our database. 





https://login.personal.wamu.com/registration/CreateLogonEntry.asp

 If you believe you have provided personal or account information in response to a fraudulent 
e-mail or Web site, please contact Washington Mutual at 800.788.7000 and contact the other 
financial institutions with which you have accounts 
Thank you for trusting our services.
   Sincerely,
The WAMU Security Department Team.
Please do not reply to this mail.Mail sent to this address cannot be answered.
For assistance, log in to your WAMU account and chose the "Help" link in the header of any page.
Thank you for your prompt attention to this matter. 
 WAMU Bank - Fraud Center 
 eCare® customer service at 1.800.788.7000 

 Your Privacy | Security Standards
 © Copyright 2004, Washington Mutual, Inc. All Rights Reserved 



MPAA files new film-swapping suits

2005-01-27 Thread R.A. Hettinga
 The MPAA's new software, Parent File Scan, is aimed at identifying
file-swapping software applications and multimedia files on a computer, so
that--in theory--parents can evaluate whether the files on their computer
have been legally acquired and talk with children about the legalities of
peer-to-peer activity.

Cheers,
RAH


http://news.com.com/2102-1030_3-5551903.html?tag=st.util.print

CNET News

 MPAA files new film-swapping suits

 By John Borland

 Story last modified Wed Jan 26 13:43:00 PST 2005



Hollywood studios filed a second round of lawsuits against online
movie-swappers on Wednesday, stepping up legal pressure on the file-trading
community.

The Motion Picture Association of America (MPAA) also made available a new
free software tool so parents can scan their computers for file-swapping
programs and for movie or music files which may be copyrighted.

 The group said its lawsuits were targeting people across the United
States, but did not say how many people were being sued.

"We cannot allow people to steal our motion pictures and other products
online, and we will use all the options we have available to encourage
people to obey the law," MPAA Chief Executive Officer Dan Glickman said in
a statement. "We had to resort to lawsuits as one option to help make that
happen."

 After initially letting record labels take the lead, movie studios have
launched their own aggressive legal campaigns against online film-trading
in recent months, targeting individual computer users as well as Web site
and server operators that serve as hubs of file-trading networks.

 The group filed its first set of lawsuits against individual computer
users in November, and followed up with a worldwide campaign against the
operators of BitTorrent, eDonkey and DirectConnect networks.

 As a result, some of the most popular Web sites that served as
file-trading hubs, such as Suprnova.org and Yourceff.com have gone offline.
At least one, LokiTorrent.com, has remained online and is soliciting
donations from its visitors to pay for legal fees.

 The MPAA's new software, Parent File Scan, is aimed at identifying
file-swapping software applications and multimedia files on a computer, so
that--in theory--parents can evaluate whether the files on their computer
have been legally acquired and talk with children about the legalities of
peer-to-peer activity. Unlike the network-monitoring software often
installed in businesses or corporate networks, the MPAA-backed software
does not monitor or block downloads.


In practice, the software, developed by the DtecNet Software company in
Denmark, casts an extremely wide net.

 It searches for and identifies virtually any audio or video file,
including popular formats like MP3, Microsoft's Windows Media, the AAC
files that Apple Computer's iTunes software often uses, or MPEG video. The
software makes no distinction between legally acquired or illegally
downloaded files, however--which can total in the thousands.

 Parent File Scan also uses a very liberal definition of file-swapping
software. In a test on a CNET News.com computer, the software identified
Mirc--a client for the Internet Relay Chat network, where files can be
swapped, but where tens of thousands of wholly legal conversations happen
every day--and Mercora, a streaming Web radio service that uses
peer-to-peer technology but does not allow file swapping.

 The software is primarily aimed at use by parents, and does not report any
information back to the MPAA or any other group, the trade association said.

-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



Offline ID crimes still more severe

2005-01-27 Thread R.A. Hettinga
http://news.com.com/2102-1029_3-5552000.html?tag=st.util.print

CNET News


 Offline ID crimes still more severe


 Story last modified Wed Jan 26 14:45:00 PST 2005



Though identity theft using the Internet seems to get all the attention,
most of the financial loss linked to fraud is still from offline crime, a
new study shows.

Losses related to an average case of Internet-initiated fraud were $551,
compared to $4,543 lost from fraud tracked back to paper statements,
according to the 2005 Identity Fraud Survey conducted by the Better
Business Bureau and Javelin Strategy & Research.

The survey, which follows an earlier study carried out by the Federal Trade
Commission in 2003, indicated that Internet-related crimes are actually
less severe, less costly and not as widespread as previously thought.

 The amount of money lost to identity fraud in 2004 was $52.6
billion--about the same as in 2003. And the number of victims dropped to
9.3 million in 2004 from 10.1 million the year before.

"This new research contradicts some common assumptions about identity-theft
fraud and points to new paths of prevention. There are several steps
consumers can take to improve their identity safety and protect themselves
against this type of fraud," Ken Hunter, CEO of the Council of Better
Business Bureaus, said in a statement.

 The survey said computer crimes accounted for only 11.6 percent of
identity fraud in 2004 in which the cause was known. Half of those crimes
stemmed from spyware, software that surreptitiously tracks users online or
causes ads to pop up when the consumer is online.


"Our numbers show that fears about online identity fraud may be out of
proportion to the relative risk, causing consumers to ignore the most
glaring issues," James Van Dyke, Javelin's founder, said in a statement.
"Indeed, most instances of identity fraud occur through traditional
channels and are paper-based, not Internet-based."

Users can protect their financial data by using updated software that
protects against spyware and viruses and by not responding to
suspicious e-mail ploys that request personal data. By managing their
financial accounts through a password-authenticated Web site, the report
added, consumers can reduce access to personal information on paper bills
and statements that may be used to commit identity theft and fraud.

Also revealing was the finding that half of those who committed the online
crimes are closely related to the victim as a friend, family member or
neighbor.

-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



US to slap tourists with RFID

2005-01-27 Thread R.A. Hettinga
http://management.silicon.com/government/print.htm?TYPE=storyAT=39127374-39024677t-4033c



US to slap tourists with RFID
Jo Best
silicon.com
January 26, 2005

The US Department of Homeland Security has decided to trial RFID tags in an
effort to make sure only the right sort of people get across US borders.

 The controversial US-VISIT scheme for those visiting the US from abroad
already fingerprints holidaymakers on their way into the country and is now
adding RFID to the mix in order to improve border management, the
department said.

 The trials will start at a simulated port in the spring and will then be
extended to Nogales East and Nogales West in Arizona; Alexandria Bay in New
York; and Pacific Highway and Peace Arch in Washington by the end of July.

 The testing phase will continue until the spring of next year. The exact
way RFID will be used with the travellers is not yet known.

 RFID chips will be used to track both pedestrians and vehicles entering
the US to automatically record when the visitors arrive and leave in the
country.

 So far, over 400 people have been turned away from the country or arrested
as a result of US-VISIT checks.

US Under Secretary for Border & Transportation Security, Asa Hutchinson,
said in a statement: "Through the use of radio frequency technology, we see
the potential to not only improve the security of our country, but also to
make the most important infrastructure enhancements to the US land borders
in more than 50 years."

 The US government has already shown a marked fondness for the tagging
technology. The US Department of Defense mandated its suppliers to use the
technology, while the Food and Drug Administration is encouraging the
pharmaceutical industry to use the chips in an attempt to beat
counterfeiters.


-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



Re: MPAA files new film-swapping suits

2005-01-27 Thread Justin
 http://news.com.com/2102-1030_3-5551903.html?tag=st.util.print
 
 Hollywood studios filed a second round of lawsuits against online
 movie-swappers on Wednesday, stepping up legal pressure on the file-trading
 community.

As much as I'd like to be upset, they are driving innovation of p2p
software.

-- 
War is the father and king of all, and some he shows as gods, others as
men; some he makes slaves, others free.  --Heraclitus (Kahn.83/D-K.53) 



RE: Gripes About Airport Security Grow Louder

2005-01-27 Thread Steve Thompson
 --- Trei, Peter [EMAIL PROTECTED] wrote: 
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] Behalf Of Steve Thompson
  Sent: Tuesday, January 25, 2005 12:13 PM
  To: [EMAIL PROTECTED]
  Subject: RE: Gripes About Airport Security Grow Louder
  
  
   --- Tyler Durden [EMAIL PROTECTED] wrote: 
  [airport security]
   More indications of an emerging 'Brazil' scenario, as opposed to a 
   hyper-intelligent super-fascist state.
  
  As if.
  
  There already is a kind of intelligent super-fascist state in place
  throughout much of society.  My bugbears of the moment are the 
  police and
  courts, so you get my take on how they are organised so as to be
  'intelligent' without seeming so -- which further enables a 
  whole lot of
  fraud to masquerade as process and incompetence.  The 
  super-fascist part
  comes about because the system avoids public accountability while also
  somehow evading any sort of reasonable standard of performance.
  
  What's the error rate, that is the false arrest, prosecution, and/or
  conviction rate of a Western countries' judiciary and police 
  divisions? 
  If it's even ten percent, and it's probably much higher, then 
  there is no
  reason to respect the operation and perpetuation of the system.  
 
 One chilling data point. Remember a few years ago the (pro death
 penalty) governor of Illinois suspended all the death sentences in 
 his state? The reason being was that with the introduction of DNA
 testing, 1/3 of the people on death row were found to be innocent.
 
 I don't know how many other innocents the state planned to murder, 
 but presumably there were some cases where DNA evidence was not
 available.
 
 If, in a capital case, where the money to pay public defenders
 is usually maximally available, and the appeals process, checks,
 and cross-checks are the more thorough than in any non-capital
 prosecution, you STILL get at least a 33% error rate, then what
 is the wrongful conviction rate in non-capital cases, where there
 are far fewer appeals, and public defenders are paid a pittance?
 
 Peter Trei
  

__ 
Post your free ad now! http://personals.yahoo.ca



RE: Gripes About Airport Security Grow Louder

2005-01-27 Thread Steve Thompson
 --- Tyler Durden [EMAIL PROTECTED] wrote: 
[mistake rate]
 And of course there's the fairly obvious point that lots of those in
 prison 
 correctly are there for drug-related crimes. Said crimes would
 almost 
 completely disappear and drug usage would drop if many of those drugs
 were 
 legalized and taxed. But God forbid that happen because what would all
 those 
 policemen do for a living? Prison workers? Judges?

Well, pot is bad.  Duh.  


Regards,

Steve


__ 
Post your free ad now! http://personals.yahoo.ca



Considered UNSOLICITED BULK EMAIL from you

2005-01-27 Thread filter . alert
Your message to:
- [EMAIL PROTECTED]

was considered unsolicited bulk e-mail (UBE).
Subject:  12:25:26

Delivery of the email was stopped!

Reporting-MTA: dns; ms.maes.tpc.edu.tw
Received-From-MTA: smtp; ms.maes.tpc.edu.tw ([127.0.0.1])
Arrival-Date: Fri, 28 Jan 2005 12:25:38 +0800 (CST)

Final-Recipient: rfc822; d82988@ms.maes.tpc.edu.tw
Action: failed
Status: 5.7.1
Diagnostic-Code: smtp; 550 5.7.1 Message content rejected, UBE, id=40303-10
Last-Attempt-Date: Fri, 28 Jan 2005 12:25:43 +0800 (CST)
Received: from PC01 (unknown [221.216.106.206])
	by ms.maes.tpc.edu.tw (Postfix) with SMTP id 1289680C
	for [EMAIL PROTECTED]; Fri, 28 Jan 2005 12:24:53 +0800 (CST)
From: ÍøÕ¾×¢Ò⣡ [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED] [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: ¸ø¹ºÎïÍøÕ¾´øÀ´×î¶àÉúÒ⣡ 12:25:26
X-Mailer:Foxmail 4.1 [cn]
Mime-Version: 1.0
Content-Type: text/html; charset=GB2312
Date: Fri, 28 Jan 2005 12:25:52
Message-Id: [EMAIL PROTECTED]


Web Design

2005-01-27 Thread icteksolutions

Hello,

Are you looking to have a web site designed?  Do you have a web site already, 
would you like a more professional look?  iC Tek Solutions is your answer!

Our designers have experience in the areas of web, graphic, software and print 
design.  They have worked on projects in the past with well-known companies 
such as Boeing, IBM, Medtronic and UAT.  We can create a unique solution that 
will keep your customers coming back for more!

Feel free to visit our site at www.icteksolutions.com.  Mention this email and 
receive 15% off any project work (excluding print).

Hope to start working with you soon!

iC Tek Solutions
Creating Unique Solutions
www.icteksolutions.com



Re: Driver's license scandals raise national security worries

2005-01-27 Thread Russell Nelson
R.A. Hettinga writes:
  Similar scams have occurred around the country:
  
  _ In New Jersey, nine state motor vehicle employees pleaded guilty to a
  scheme that involved payoffs for bogus licenses.
  
  _ In Illinois, a federal investigation into the trading of bribes for
  driver's licenses led to dozens of convictions and the indictment of former
  Gov. George Ryan on racketeering and other charges.
  
  _ In Virginia, more than 200 people are losing their licenses because of
  suspected fraud by a former Department of Motor Vehicles worker who
  allegedly sold licenses for as much as $2,500 each.

This is why we need a national identification card.

It's also why we don't need a national identification card.

The same evidence leads to two different conclusions depending on what
you had already concluded was true.  Reminds me of listening to Alan
Greenspan.  :-)

-- 
--My blog is at angry-economist.russnelson.com  | Freedom means allowing
Crynwr sells support for free software  | PGPok | people to do things the
521 Pleasant Valley Rd. | +1 315-323-1241 cell  | majority thinks are
Potsdam, NY 13676-3213  | +1 212-202-2318 VOIP  | stupid, e.g. take drugs.



Terrorists don't let terrorists use Skype

2005-01-27 Thread Eugen Leitl

From: Adam Shostack [EMAIL PROTECTED]
Date: Tue, 11 Jan 2005 10:48:12 -0500
To: David Wagner [EMAIL PROTECTED]
Cc: cryptography@metzdowd.com
Subject: Re: Simson Garfinkel analyses Skype - Open Society Institute
From [EMAIL PROTECTED]  Thu Jan 27 01:04:39
2005
User-Agent: Mutt/1.4.2i

On Mon, Jan 10, 2005 at 08:33:41PM -0800, David Wagner wrote:
| In article [EMAIL PROTECTED] you write:
| Voice Over Internet Protocol and Skype Security
| Simson L. Garfinkel
|
http://www.soros.org/initiatives/information/articles_publications/articles/security_20050107/OSI_Skype5.pdf
|
| Is Skype secure?
|
| The answer appears to be, no one knows.  The report accurately reports
| that because the security mechanisms in Skype are secret, it is impossible
| to analyze meaningfully its security.  Most of the discussion of the
| potential risks and questions seems quite good to me.
|
| But in one or two places the report says things like "A conversation on
| Skype is vastly more private than a traditional analog or ISDN telephone"
| and "Skype is more secure than today's VoIP systems."  I don't see any
| basis for statements like this.  Unfortunately, I guess these sorts of
| statements have to be viewed as blind guesswork.  Those claims probably
| should have been omitted from the report, in my opinion -- there is
| really no evidence either way.  Fortunately, these statements are the
| exception and only appear in one or two places in the report.

The basis for these statements is what the other systems don't do.  My
Vonage VOIP phone has exactly zero security.  It uses the SIP-TLS
port, without encryption.  It doesn't encrypt anything.  So, it's easy
to be more secure than that.  So, while it may be bad cryptography, it
is still better than the alternatives.  Unfortunately.

Adam




- Forwarded message from Peter Gutmann [EMAIL PROTECTED] -

From: [EMAIL PROTECTED] (Peter Gutmann)
Date: Wed, 12 Jan 2005 05:00:29 +1300
To: [EMAIL PROTECTED]
Cc: cryptography@metzdowd.com
Subject: Re: Simson Garfinkel analyses Skype - Open Society Institute

David Wagner [EMAIL PROTECTED] writes:

> Is Skype secure?
>
> The answer appears to be, no one knows.

There have been other posts about this in the past, even though they use known
algorithms the way they use them is completely homebrew and horribly insecure:
Raw, unpadded RSA, no message authentication, no key verification, no replay
protection, etc etc etc.  It's pretty much a textbook example of the problems
covered in the writeup I did on security issues in homebrew VPNs last year.

(Having said that, the P2P portion of Skype is quite nice, it's just the
 security area that's lacking.  Since the developers are P2P people, that's
 somewhat understandable).

Peter.



- End forwarded message -
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a>
__
ICBM: 48.07078, 11.61144            http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
http://moleculardevices.org http://nanomachines.net
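
An added illustration, not part of the thread and not Skype's code, of why three of the items in Peter Gutmann's list matter: raw RSA is deterministic and can be altered in transit without detection, and only a MAC plus a sequence check lets the receiver reject a modified or replayed message. The toy key, the MAC key handling and every function name are constructed for this example; padding (e.g. OAEP) and key verification are not shown.

```python
import hashlib
import hmac

# Constructed toy key: P and Q are the Mersenne primes 2^31-1 and 2^61-1.
# Far too small for real use; chosen so the example runs instantly.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)


def raw_encrypt(m: int) -> int:
    """Textbook RSA: no padding, so the same m always gives the same c."""
    return pow(m, E, N)


def raw_decrypt(c: int) -> int:
    return pow(c, D, N)


def modify_in_transit(c: int) -> int:
    """Multiply by 2^e: a valid-looking ciphertext that decrypts to 2*m."""
    return (c * pow(2, E, N)) % N


def tag_for(mac_key: bytes, seq: int, c: int) -> bytes:
    """HMAC over sequence number and ciphertext, binding them together."""
    data = seq.to_bytes(8, "big") + c.to_bytes(16, "big")
    return hmac.new(mac_key, data, hashlib.sha256).digest()


class CheckedReceiver:
    """Adds two of the missing checks: message authentication and replay."""

    def __init__(self, mac_key: bytes):
        self.mac_key = mac_key
        self.last_seq = -1

    def accept(self, seq: int, c: int, tag: bytes):
        # Verify the MAC first so unauthenticated input never reaches RSA.
        if not hmac.compare_digest(tag, tag_for(self.mac_key, seq, c)):
            return ("bad MAC", None)
        if seq <= self.last_seq:
            return ("replay", None)
        self.last_seq = seq
        return ("ok", raw_decrypt(c))
```

Without `CheckedReceiver`, `raw_decrypt(modify_in_transit(c))` returns twice the original value and nothing in the ciphertext reveals the change.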




RE: Terrorists don't let terrorists use Skype

2005-01-27 Thread Tyler Durden

Well, I think Skype is also truly Peer to Peer, no? It doesn't go through
some centralized switch or server. That means it can only be monitored at 
the endpoints, even when it's unencrypted.
-Emory



