Re: e voting
At 9:19 AM -0800 11/21/03, Tim May wrote:

On Nov 21, 2003, at 8:16 AM, Major Variola (ret.) wrote:

Secretary of State Kevin Shelley is expected to announce today that as of 2006, all electronic voting machines in California must be able to produce a paper printout that voters can check to make sure their votes are properly recorded.

http://www.latimes.com/news/local/la-me-shelley21nov21,1,847438.story?coll=la-headlines-california

Without the ability to (untraceably, unlinkably, of course) verify that this vote is in the vote total, and that no votes other than those who actually voted, are in the vote total, this is all meaningless.

David Chaum has described a system where each voter gets a piece of paper which includes their vote, encrypted so they can't prove how they voted. The images of these pieces of paper are also posted on a web page, so the voters can look up their encrypted ballots to verify that their votes are being counted. These votes are passed through a number of mixes, which may be run by different organizations before they are completely decrypted and counted. (The mixes prevent a decrypted ballot from being associated with an input, encrypted ballot.) The encryption of the ballots is performed by over-printing the plain-text ballots, so the voter can verify the ballot's correctness before it is encrypted. The mixes are verified by random inspection. This system seems to meet the above requirements.

Now, I can think of some ways to cheat with this system, but they are all a lot more likely to be found than cheats with the current systems.

The big knock on all-electronic voting machines is that they are a step backwards in independent verification and audit from paper ballots, or even punch cards. (Yes, you can argue about hanging chad, pregnant chad, dimpled chad etc., but at least you have something tangible that represents each ballot.)

The saving grace of the old mechanical voting machines is that they are mechanical, and hard to modify for cheating. Most anyone on this list can imagine the program in an electronic voting machine being different from the one that was audited and approved. That's hard to do with a mechanical system. We have seen failures where the mechanical systems lost all the votes made on them however, a failure that seems possible with the electronic systems as well.

IMHO, the problem with Chaum's systems is that it is complex. I think that saving a printed paper ballot, along with the electronic totals, gives much the same level of security and assurance, with a system that the average voter can understand.

Cheers - Bill

Bill Frantz        | There's nothing so clear as a  | Periwinkle
(408)356-8506      | vague idea you haven't written | 16345 Englewood Ave
www.pwpconsult.com | down yet. -- Dean Tribble      | Los Gatos, CA 95032
Re: Vivendi to Destroy MP3.com archive
Somebody please tell me that this is a nightmare, and I am about to wake up. Let's see ... was there a contract to keep things up ad infinitum ? This is a good step, part of waking up from the dream that there are free things on Internet. If there is no eyeball-catching value to be derived from offering free service the service will cease to exist. This may well happen with free e-mail accounts as well - I wonder who will be the first to eliminate the free service in face of diminishing advertizing revenue - Yahoo ? Hotmail ? = end (of original message) Y-a*h*o-o (yes, they scan for this) spam follows:
Re: e voting
I agree. The paper printout may be unconnected to fraudulent tally numbers produced later for publication. This is better than the literal nothing produced at present. There is a small chance many voters could use their receipts to counter fraudulent tally in low-vote ward.

-----Original Message-----
From: Roy M. Silvernail [mailto:[EMAIL PROTECTED]
Sent: Friday, November 21, 2003 12:12 PM
To: [EMAIL PROTECTED]
Subject: Re: e voting

On Friday 21 November 2003 12:19, Tim May wrote:

On Nov 21, 2003, at 8:16 AM, Major Variola (ret.) wrote:

Secretary of State Kevin Shelley is expected to announce today that as of 2006, all electronic voting machines in California must be able to produce a paper printout that voters can check to make sure their votes are properly recorded.

http://www.latimes.com/news/local/la-me-shelley21nov21,1,847438.story?coll=la-headlines-california

Without the ability to (untraceably, unlinkably, of course) verify that this vote is in the vote total, and that no votes other than those who actually voted, are in the vote total, this is all meaningless.

Quite true. But given the fact that we don't have that ability *now*, what exactly is the difference? Other than streamlining and centralizing the present distributed corruption?
RE: [Asrg] Re: [Politech] Congress finally poised to vote on anti -spam bill [sp]
Yeah, Yeah dictionary attacks... The key is that the search space is actually thinly populated enough to make dictionary attack hard. Most usernames are 6 characters or more, many include numbers, that is about 26^6 worth of search space per domain. Of course this is not evenly populated, but the odd thing is that the usernames turn out to be more random than the average password. This is because random is not unguessable. Many usernames are surnames, many are compounds of initial plus surname, only a relative handful are commonly used names and those tend to get grabbed fast. So you have a pretty big search space, millions of possibilities and that for each one of fifty million domains.

The same does not hold for do-not-call lists. The problem there is that something like 80% of the numbers available at active exchanges are already allocated. Most of the stock of unused numbers are on exchanges that have not yet been allocated. Since something like 30% of subscribers sign up for do not call the result is that dictionary attacks are easy.

Also we add out of service addresses that get spammed anyway to the list. So the list is not an accurate way to find out if an address is in service or not. Alan knows quite a few addresses that get spammed that are invalid.

-----Original Message-----
From: Hallam-Baker, Phillip [mailto:[EMAIL PROTECTED]
Sent: Friday, November 21, 2003 7:21 PM
To: 'Steve Schear'
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [Asrg] Re: [Politech] Congress finally poised to vote on anti -spam bill [sp]

We need to consider the technical workings of the do-not-spam list and the requirements that we would like the FTC to meet. I propose as a minimum:

1) Allow individual subscribers to list their email addresses with the service.
2) Permit mail sender to quickly determine whether a given email is on the list
3) Be distributable in a form that does not permit use as a mailing list.
4) Permit the storage of attributes in association with each listing, minimally the date of subscription.

In addition we might add:

5) Allow domain name owners to list their domains.
6) Provide for authentication of listing requests

These requirements can be met using completely generic and to my knowledge unencumbered technology. For the purposes of avoiding patent encumbrances I disclose the following - I published a note on the basic idea of using a one way hash to conceal an email address on a do not spam list in 1995, I also implemented the scheme at that time. The idea is not entirely novel, hash databases have been used for at least twenty years, there may also be similar ideas in the cryptography literature.

My proposal would be to use a message authentication function such as HMAC-SHA1 with a key such as SHA1 (FTC Do Not Spam List) to create a unique digest function for the purpose. There is a security consideration here, use of a digest such as SHA1(email) might lead to chosen protocol attacks.

To add an individual email address [EMAIL PROTECTED] to the list we calculate HMAC ([EMAIL PROTECTED]) to create the key. A domain may be represented by the string example.com. To determine whether the address [EMAIL PROTECTED] is on the list it is necessary to test for both the specific email address and the domain. [This can be made to meet arbitrarily complex requirements]

The list is distributed as a set of key/value pairs. Sorting the list according to the key values allows rapid lookups by means of binary search, or since the hash function is guaranteed homogenous using ranged search using the hash value as an estimator for the index position. It is not necessary to distribute the list sorted.

There are also a few tricks that can be used to reduce the usefulness of such a list for address validation. This same concept can be used to conceal the filter terms used in censorware.

Phill
Vivendi to Destroy MP3.com archive
Vivendi et al. about to demonstrate how they value artists and their work. http://www.kuro5hin.org/story/2003/11/21/14616/561 Somebody please tell me that this is a nightmare, and I am about to wake up. Regards, proclus http://www.gnu-darwin.org/ -- Visit proclus realm! http://proclus.tripod.com/ -BEGIN GEEK CODE BLOCK- Version: 3.1 GMU/S d+@ s: a+ C UBULI$ P+ L+++() E--- W++ N- !o K- w--- !O M++@ V-- PS+++ PE Y+ PGP-- t+++(+) 5+++ X+ R tv-(--)@ b !DI D- G e h--- r+++ y --END GEEK CODE BLOCK--
Re: Idea: GPG signatures within HTML - problem with inline objects
There is a problem with images and other inline objects. There is a solution, too.

The objects included into the document can get their hash calculated and included in their tag; eg,

    <IMG SRC=image.jpg HASH=SHA1:4e1243bd22c66e76c2ba9eddc1f91394e57f9f83>

The tag has to be in the signed part of the document, so the hash can't be tampered with.

Full digital signatures should be possible as well, eg.

    <IMG SRC=image.jpg SIGNATURE=http://where.is.the/signature.asc>

or

    <IMG SRC=image.jpg SIGNATURE=identifier>
    some HTML code here
    <SIGNATURE TYPE=gpg NAME=identifier><!--
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v0.9.11 (GNU/Linux)
    Comment: For info see http://www.gnupg.org

    iD8DBQA31UOQaLeriVdUjc0RAjhBAJ4u1k5ex8+ZAtYi737GFXPOiBc51gCfU5+8
    is2rD6L/6fIOWttfh5CYUW0=
    =WOv2
    -----END PGP SIGNATURE-----
    --></SIGNATURE>

This way doesn't depend on the part of the document being signed, as the signature can't be effectively tampered with undetected anyway.

Same scheme could be used in <A HREF> tags, allowing automated checking of signatures or hashes of downloaded binary files.
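Added example (not part of the message above and not code from any browser or plugin): a Python sketch of the check a plugin could run over the signed part once its GPG signature has verified, comparing each HASH attribute on IMG and A tags with the digest of the fetched object. The fetch callback, the verdict names, acceptance of SHA256 and all sample objects are assumptions constructed for illustration.

```python
import hashlib
import hmac
from html.parser import HTMLParser

# SHA1 is the algorithm named in the post; accepting SHA256 as well is an assumption.
DIGESTS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256}


class InlineHashChecker(HTMLParser):
    """Checks HASH=ALGO:hexdigest on <IMG SRC> and <A HREF> tags.

    The input must be the part of the page whose signature already verified;
    a HASH attribute outside the signed part proves nothing.
    """

    def __init__(self, fetch):
        super().__init__()
        self.fetch = fetch      # hypothetical callback: reference -> bytes, or None
        self.results = []       # (reference, verdict) in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)     # HTMLParser lower-cases tag and attribute names
        ref = {"img": attrs.get("src"), "a": attrs.get("href")}.get(tag)
        if ref:
            self.results.append((ref, self.verdict(ref, attrs.get("hash"))))

    def verdict(self, ref, declared):
        if not declared:
            return "no-hash"            # object is not covered by the signature
        algo, sep, expected = declared.partition(":")
        digest = DIGESTS.get(algo.upper())
        if not sep or digest is None:
            return "unsupported"        # fail closed on unknown algorithms
        data = self.fetch(ref)
        if data is None:
            return "unavailable"
        actual = digest(data).hexdigest().encode("ascii")
        wanted = expected.strip().lower().encode("utf-8")
        return "ok" if hmac.compare_digest(actual, wanted) else "mismatch"


def check_signed_part(signed_html, fetch):
    """Return [(reference, verdict), ...] for every IMG/A object in signed_html."""
    checker = InlineHashChecker(fetch)
    checker.feed(signed_html)
    checker.close()
    return checker.results


# Constructed sample data: object store and a signed fragment referring to it.
IMAGE = b"constructed sample image bytes"
BINARY = b"constructed sample download"
OBJECTS = {
    "image.jpg": IMAGE,
    "swapped.jpg": b"bytes replaced after signing",
    "plain.jpg": IMAGE,
    "tool.bin": BINARY,
    "odd.jpg": IMAGE,
}
IMAGE_SHA1 = hashlib.sha1(IMAGE).hexdigest()
SIGNED_PART = (
    f"<IMG SRC=image.jpg HASH=SHA1:{IMAGE_SHA1}>"
    f"<IMG SRC=swapped.jpg HASH=SHA1:{IMAGE_SHA1}>"
    "<IMG SRC=plain.jpg>"
    f"<A HREF=tool.bin HASH=SHA1:{hashlib.sha1(BINARY).hexdigest().upper()}>download</A>"
    "<IMG SRC=odd.jpg HASH=MD4:00>"
    f"<IMG SRC=gone.jpg HASH=SHA1:{IMAGE_SHA1}>"
)

if __name__ == "__main__":
    for ref, verdict in check_signed_part(SIGNED_PART, OBJECTS.get):
        print(f"{verdict:12} {ref}")
```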
Re: Idea: GPG signatures within HTML
Hi,

On Sat, 22 Nov 2003 14:54:39 +0100 (CET), Thomas Shaddack wrote:

A trick with HTML (or SGML in general) tag and a comment, a browser plugin (or manual operation over saved source), and a GPG signature over part of the HTML file should do the job, with maintaining full backward compatibility and no problems for the users not using this scheme. Opinions, comments?

This is already done, although I'm not aware of any browser supporting an automated verification. For an example look at the HTML source of http://www.bundesverfassungsgericht.de/entscheidungen/frames/rk20030827_2bvr091103

--
Henryk Plötz
Greetings from Berlin
Un-CDs, no thanks! http://www.heise.de/ct/cd-register/
Help Microsoft fight software piracy: Give Linux to a friend today!
Re: [Politech] Congress finally poised to vote on anti-spam bill [sp]
At 04:13 PM 11/21/2003 -0600, Declan McCullagh [EMAIL PROTECTED] wrote: A copy of the bill is here: http://news.com.com/pdf/ne/2003/FINALSPAM.pdf I interpret paragraph 1037(a)1 - 5 as possibly prohibiting the use of anonymous remailers, or proxies and nyms in registering email accounts, for the purpose of commercial speech. steve
RE: [Asrg] Re: [Politech] Congress finally poised to vote on anti -spam bill [sp]
We need to consider the technical workings of the do-not-spam list and the requirements that we would like the FTC to meet. I propose as a minimum:

1) Allow individual subscribers to list their email addresses with the service.
2) Permit mail sender to quickly determine whether a given email is on the list
3) Be distributable in a form that does not permit use as a mailing list.
4) Permit the storage of attributes in association with each listing, minimally the date of subscription.

In addition we might add:

5) Allow domain name owners to list their domains.
6) Provide for authentication of listing requests

These requirements can be met using completely generic and to my knowledge unencumbered technology. For the purposes of avoiding patent encumbrances I disclose the following - I published a note on the basic idea of using a one way hash to conceal an email address on a do not spam list in 1995, I also implemented the scheme at that time. The idea is not entirely novel, hash databases have been used for at least twenty years, there may also be similar ideas in the cryptography literature.

My proposal would be to use a message authentication function such as HMAC-SHA1 with a key such as SHA1 (FTC Do Not Spam List) to create a unique digest function for the purpose. There is a security consideration here, use of a digest such as SHA1(email) might lead to chosen protocol attacks.

To add an individual email address [EMAIL PROTECTED] to the list we calculate HMAC ([EMAIL PROTECTED]) to create the key. A domain may be represented by the string example.com. To determine whether the address [EMAIL PROTECTED] is on the list it is necessary to test for both the specific email address and the domain. [This can be made to meet arbitrarily complex requirements]

The list is distributed as a set of key/value pairs. Sorting the list according to the key values allows rapid lookups by means of binary search, or since the hash function is guaranteed homogenous using ranged search using the hash value as an estimator for the index position. It is not necessary to distribute the list sorted.

There are also a few tricks that can be used to reduce the usefulness of such a list for address validation. This same concept can be used to conceal the filter terms used in censorware.

Phill
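Added example (not part of Phill's message or of the reply to it, and not code from any FTC system): a Python sketch of the list as proposed, with entries keyed by HMAC-SHA1 under SHA1("FTC Do Not Spam List"), a lookup that tests the address and then its domain, and both the binary and the "ranged" (interpolation) search. The lower-casing rule, the date format and the sample addresses are assumptions; because the key is public, the digests hide only addresses that are hard to guess, which is the dictionary-attack point raised in the reply.

```python
import bisect
import hashlib
import hmac

# Key from the post: SHA1 of a fixed public label (exact label bytes are an assumption).
LIST_KEY = hashlib.sha1(b"FTC Do Not Spam List").digest()


def entry_key(identifier):
    """HMAC-SHA1 digest that stands in for an address or a bare domain."""
    normalized = identifier.strip().lower()   # normalization rule is an assumption
    return hmac.new(LIST_KEY, normalized.encode("utf-8"), hashlib.sha1).digest()


class DoNotSpamList:
    """Sorted (digest, attribute) pairs; no plaintext address is stored."""

    def __init__(self, listings):
        # listings: iterable of (address-or-domain, subscription date)
        pairs = sorted((entry_key(name), date) for name, date in listings)
        self.keys = [k for k, _ in pairs]
        self.dates = [d for _, d in pairs]

    def find_binary(self, key):
        i = bisect.bisect_left(self.keys, key)
        return i if i < len(self.keys) and self.keys[i] == key else -1

    def find_ranged(self, key):
        """Interpolation search: digests are uniform, so the digest value
        itself estimates the index position within the sorted list."""
        lo, hi = 0, len(self.keys) - 1
        target = int.from_bytes(key, "big")
        while lo <= hi:
            lo_v = int.from_bytes(self.keys[lo], "big")
            hi_v = int.from_bytes(self.keys[hi], "big")
            if target < lo_v or target > hi_v:
                return -1
            if hi_v == lo_v:
                mid = lo
            else:
                mid = lo + (target - lo_v) * (hi - lo) // (hi_v - lo_v)
            mid_v = int.from_bytes(self.keys[mid], "big")
            if mid_v == target:
                return mid
            if mid_v < target:
                lo = mid + 1
            else:
                hi = mid - 1
        return -1

    def lookup(self, address, find=None):
        """Return ('address' | 'domain', date) if listed, else None."""
        find = find or self.find_binary
        address = address.strip().lower()
        domain = address.rpartition("@")[2]
        for kind, identifier in (("address", address), ("domain", domain)):
            i = find(entry_key(identifier))
            if i >= 0:
                return kind, self.dates[i]
        return None

    def export(self):
        """The distributable form: hex digests and attributes only."""
        return [(k.hex(), d) for k, d in zip(self.keys, self.dates)]


# Constructed sample listings: two individual addresses and one whole domain.
SAMPLE = [
    ("alice@example.org", "2003-11-22"),
    ("example.com", "2003-11-21"),
    ("carol@example.net", "2003-11-20"),
]

if __name__ == "__main__":
    dns_list = DoNotSpamList(SAMPLE)
    for addr in ("alice@example.org", "anyone@example.com", "bob@example.net"):
        print(addr, "->", dns_list.lookup(addr, dns_list.find_ranged))
```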
Toronto man charged with wardriving, possession of child pornography
http://www.torontopolice.on.ca/newsreleases/release.php?id=4732 November 21, 2003 - 01:20 pm CHILD PORNOGRAPHY ARREST USING STOLEN INTERNET SIGNAL Corporate Communications 416-808-7100 On Wednesday November 19th, 2003 at approximately 5:03am, Sgt. Don Woods (7167) of 11 Division observed the accused driving his car the wrong way on a one way street in a residential subdivision in Toronto. The accused was investigated and observed to be naked from the waist down. He had a laptop computer on the passenger seat and on the screen was a young girl performing a sex act on an older man. The laptop had a wireless adapter card (known as a WI-FI card) allowing the accused to access the Internet through any insecure wireless Internet signal. (known as War Driving) The accused was taken to 11 Division and members of the Child Exploitation Section of the Sex Crimes Unit were called in. A lengthy investigation revealed that the accused also had been downloading child pornography using KaZaa, a peer to peer file sharing program and had been posing as a younger man in chatrooms to meet young girls. With the assistance of the O.P.P.s Project P, a search warrant was executed at the residence of the accused in Delhi, Ontario. 10 Computers and hundreds of compact discs containing hundreds of thousands of images and movies of child pornography were recovered. Accused : Walter NOWAKOWSKI 36 years Delhi, Ontario Charged : Possession of Child Pornography (2 Counts) Accessing Child Pornography Distribute Child Pornography Theft of Telecommunications Make Child Pornography The accused is in custody and will appear in courtroom #101 at Old City Hall, on Monday November 24th, 2003, at 10:00 a.m. for a bail hearing.. The public is reminded that if they are operating a wireless network at their home or business, their system needs to be secured against such actions. Sgt. Jim Muscat for Detective Sergeant Paul Gillespie and Staff Inspector Bruce Smollet
Idea: GPG signatures within HTML
Sometimes a problem appears with publishing information on the Web, when the authenticity of document, especially a widely-distributed one, has to be checked. I am not aware about any mechanism available presently.

A trick with HTML (or SGML in general) tag and a comment, a browser plugin (or manual operation over saved source), and a GPG signature over part of the HTML file should do the job, with maintaining full backward compatibility and no problems for the users not using this scheme.

It should be possible to make this HTML construction:

    <HTML><BODY>
    blah blah blah blah blah
    unsigned irrelevant part of the document, eg. headers and sidebars which change with the site design
    <SIGNED SCHEME=GPG><!--
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    --!>
    This is the PGP-signed part of the HTML document.
    <!--
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.1.91 (MingW32) - GPGrelay v0.893

    ihas7Ds9fXLR9ksWRdwNZXNA8SdshwAJ9zwXFDgvdg5G2mqXp5BD4Sx2ZmjwCfSs70
    Kj8sQor6i+MUZBmp5pdM1vU=
    =hIsR
    -----END PGP SIGNATURE-----
    --!></SIGNED>
    the unsigned rest of the HTML document
    </BODY></HTML>

The <SIGNED>...</SIGNED> tags are ignored by browsers that don't know them, and provide leads for eventual browser plugins. The <!-- --> comments are used to hide the signature from the user in standard browsers.

The scheme is designed to allow signing only parts of documents, so they could be published in fast-changing environments like blogs or on dynamically generated pages, and to have many different signed parts on one page. It should also allow manual checking of the signature, eg. by

    curl http://url | gpg --verify

Feel free to use the idea if it is good. Opinions, comments?
Drug policy activist *searched and detained* by notorious South Carolina principal after being invited onto school grounds
Report by Dan Goldman ([EMAIL PROTECTED]) of Students for Sensible Drug Policy (http://www.ssdp.org)

Forwarded from Loretta Nall ([EMAIL PROTECTED]) of the US Marijuana Party (http://www.usmjparty.com)

Loretta said: This just in from my buddy Dan Goldman who is still on the ground in South Carolina

---

Now I promised you a good story and here it is...

On Thursday when I went back to Stratford High School, I had a rather unexpected encounter. I started the day out as usual, passing out DPA's information, SSDP's stickers and a few of the SSDP t-shirts that I had left. At one point, a pair of teachers walked past and I offered both of them the pamphlet and booklet. One of them asked What is it? and one of the students around him answered, It has to do with keeping our school drug-free. A heavy-set man whose name I later learned was Mr. Green, took both the pamphlet and the booklet. The man next to him, a younger, smaller teacher whose name I later learned was Mr. McCombs refused my offer. In my youthful exuberance, I said some snide remark to the effect of, Way to set an example for your students by remaining ignorant. I know I shouldn't have said something like that and I didn't even think he heard me, but I was mistaken. Read on...

Now, after most of the students dispersed, I did what I did the day before and walked through a muddy foot path, about 30 feet over to the school grounds to pass out a few more flyers. As I was walking back through the foot path to my car, I saw both of the teachers again and I kindly offered my last pamphlet to Mr. McCombs, who had neglected to take it before. This time he was very upset. He wanted to know why I would say what I said to him about staying ignorant. He said, I've been to college and I've been teaching for 4 years, don't you think I may know a little something about keeping kids drug-free? I said, You may know a little something, but you probably haven't been exposed to what's in this pamphlet, so why don't you take one and find out? He told me he didn't have time to read one and I suggested he do what most people do and put it in his pocket to read when he does have time. Mr. McCombs continued to wonder aloud why I thought it was necessary to undermine him in front of students and I continued to wonder to myself how one snide comment can undermine the authority of a teacher who has their attention every day for an hour?

Now at this point, the two teachers began threatening me with this whole issue of trespassing on school grounds. Since I was in fact on school grounds momentarily without permission, I really didn't want to get into it with them. I was about to leave with the excuse of another appointment (which was true, Ian Mance was arriving around 4:30pm and I wanted to see him as I've been staying at his parents' house for the last week) but then they made me an offer I couldn't refuse. They offered to take me to see Principal McCrackin.

Now, last week Mr. McCrackin had sent home a letter to parents offering to meet with any of them that still had concerns about the drug raid. However, according to the parents I've spoken with who've tried to meet with him, he's always busy. So I didn't think I would have the chance to meet the man behind the myth, and when the chance just presented itself like that, I thought it was too good to be true. Well, like everything too good to be true... It was!

As I walked through the school, continuing my witty banter with the two teachers, we entered the principal's office and to my surprise, there were two officers of the law instead of one Principal. Immediately, one of them, a very big man named Cpl. Aucoin demanded my identification. Now having just seen BUSTED, I wasn't immediately inclined to give it to him. However I did tell him my name and I showed him the materials I was distributing. I asked Cpl. Aucoin if I was free to go and he said, No, that he was detaining me. The two teachers insisted they caught me trespassing and I corrected them and explained they encountered me in between the back of strip mall and the school grounds on that muddy foot path. Then, in came McCrackin...

I'm not sure how many of you have seen a picture of George McCrackin, but he's in his mid to late 50's, I would guess, dark hair that's greying but looks like he colors it. He's about 5 ft. 7in tall and maybe 170 lbs. He's a short, stout man, the kind with a Napoleon complex of sorts. He looks tired beyond his years, like a man who has been at his job for too long. He's been principal of Stratford High School since it opened 20 years ago and before that he was assistant Superintendent of Schools in North Charleston and a principal and teacher for years before that, so the man has been in education for quite some time -- his entire adult life, in fact. That he cares for children was evident from speaking to many people in the community, but that he pre-judges
RE: DigiCash Saves PayPal?
Not to mention the pneumatic tube systems in department stores that sent your charge plate upstairs for approval. Those who do not learn from ... Oh, never mind.

Cheers, Scott

-----Original Message-----
From: R. A. Hettinga [mailto:[EMAIL PROTECTED]
Sent: Friday, November 21, 2003 3:20 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; Digital Bearer Settlement List; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; InfoSec News; [EMAIL PROTECTED]
Subject: DigiCash Saves PayPal?

And Greg Aharonian, San Francisco-based patent expert, said eBay could get the case dismissed if it finds a company or institution that developed its own trusted intermediary or similar electronic payment system even before AT&T researchers filed for their patent.

Bingo. Somebody at First Data should haul out the old DigiCash pitch-ware they probably have laying around, and beat AT&T over the head with it...

Cheers, RAH

--

http://finance.lycos.com/qc/news/story.aspx?story=36570023

Lycos

AT&T: EBay, PayPal Infringe on Patents

20 November 2003, 6:03pm ET
By RACHEL KONRAD AP Business Writer

SAN JOSE, Calif. (AP) -- AT&T Corp. reached out and smacked eBay Inc. with a patent infringement lawsuit Thursday, claiming the online auction company has been using a payment system that the telecommunications giant developed more than a decade ago.

The case, filed in federal court in Delaware, comes on the heels of an August verdict in which a Virginia judge ordered eBay to pay $29.5 million to an inventor who accused the company of stealing his ideas for fixed price sales formats.

AT&T's suit demands that eBay pay an undisclosed amount in licensing fees because its lucrative PayPal division functions as a trusted intermediary between buyers and sellers who may not know each other.

The system _ widely regarded as critical to eBay's gangbuster growth and a boon to e-commerce in general _ lets buyers provide credit card or bank account information to a reliable third party instead of individual sellers around the world. Buyers merely have to trust PayPal, and they don't have to worry about disreputable sellers using sensitive financial data for fraudulent purposes.

AT&T says three senior engineers working for the phone company filed for a patent in 1991 for exactly such a process, which they called Mediation of Transactions by a Communication System. The patent was granted in 1994, AT&T said.

EBay spokesman Chris Donlay dismissed the lawsuit as meritless, and he said customers should count on continuing to use PayPal.

EBay acquired PayPal in October 2002, and the division immediately became an engine of profits for San Jose-based eBay, one of the few Silicon Valley companies to emerge unscathed from the dot-com collapse.

PayPal produced $106.4 million in revenue in the third quarter of 2003, nearly twice what it generated in the same period last year. More than 11 million people used PayPal to conduct transactions from July to September, according to eBay's most recent earnings statement.

Before PayPal, eBay relied on a similar system called Billpoint, which is also named in the lawsuit.

AT&T spokesman Gary Morgenstern said the lawsuit is the result of more than a year of negotiations between the two companies. EBay refused to pay any licensing fees, he said.

AT&T invests hundreds of millions of dollars every year in our research and development efforts, which have yielded a sizable portfolio of patents _ that's what we're vigorously protecting here, Morgenstern said. EBay and PayPal have refused to compensate us for patented technology, and so we're forced to take this to the courts.

Numerous inventors and small companies have sued or threatened to sue eBay, and legal experts have been skeptical of many such claims. But some said the newest plaintiff's heft gives the AT&T lawsuit the credibility that cases brought by obscure inventors and operators of now-defunct dot-coms lacked.

To be sure, AT&T's involvement makes this case different from others, said Neil A. Smith of the San Francisco-based law firm Howard, Rice, Nemerovski, Canady, Falk & Rabkin. AT&T's a well respected company that doesn't just wave around patent lawsuits unless there's some merit.

Others, however, said that AT&T is unlikely to even force a settlement _ which is the way Amazon.com and Barnesandnoble.com resolved what might have been the last such high-profile legal skirmish over Internet sales strategies. That case, involving Amazon's one-click checkout method, was filed in 1999 and settled last year. The companies have refused to disclose the terms.

David Pressman, a San Francisco patent lawyer and author of Patent It Yourself, said at least half of all patent infringement lawsuits are won by the defense or eventually dropped before reaching the courtroom.

And Greg Aharonian,
DigiCash Saves PayPal?
And Greg Aharonian, San Francisco-based patent expert, said eBay could get the case dismissed if it finds a company or institution that developed its own trusted intermediary or similar electronic payment system even before AT&T researchers filed for their patent.

Bingo. Somebody at First Data should haul out the old DigiCash pitch-ware they probably have laying around, and beat AT&T over the head with it...

Cheers, RAH

--

http://finance.lycos.com/qc/news/story.aspx?story=36570023

Lycos

AT&T: EBay, PayPal Infringe on Patents

20 November 2003, 6:03pm ET
By RACHEL KONRAD AP Business Writer

SAN JOSE, Calif. (AP) -- AT&T Corp. reached out and smacked eBay Inc. with a patent infringement lawsuit Thursday, claiming the online auction company has been using a payment system that the telecommunications giant developed more than a decade ago.

The case, filed in federal court in Delaware, comes on the heels of an August verdict in which a Virginia judge ordered eBay to pay $29.5 million to an inventor who accused the company of stealing his ideas for fixed price sales formats.

AT&T's suit demands that eBay pay an undisclosed amount in licensing fees because its lucrative PayPal division functions as a trusted intermediary between buyers and sellers who may not know each other.

The system _ widely regarded as critical to eBay's gangbuster growth and a boon to e-commerce in general _ lets buyers provide credit card or bank account information to a reliable third party instead of individual sellers around the world. Buyers merely have to trust PayPal, and they don't have to worry about disreputable sellers using sensitive financial data for fraudulent purposes.

AT&T says three senior engineers working for the phone company filed for a patent in 1991 for exactly such a process, which they called Mediation of Transactions by a Communication System. The patent was granted in 1994, AT&T said.

EBay spokesman Chris Donlay dismissed the lawsuit as meritless, and he said customers should count on continuing to use PayPal.

EBay acquired PayPal in October 2002, and the division immediately became an engine of profits for San Jose-based eBay, one of the few Silicon Valley companies to emerge unscathed from the dot-com collapse.

PayPal produced $106.4 million in revenue in the third quarter of 2003, nearly twice what it generated in the same period last year. More than 11 million people used PayPal to conduct transactions from July to September, according to eBay's most recent earnings statement.

Before PayPal, eBay relied on a similar system called Billpoint, which is also named in the lawsuit.

AT&T spokesman Gary Morgenstern said the lawsuit is the result of more than a year of negotiations between the two companies. EBay refused to pay any licensing fees, he said.

AT&T invests hundreds of millions of dollars every year in our research and development efforts, which have yielded a sizable portfolio of patents _ that's what we're vigorously protecting here, Morgenstern said. EBay and PayPal have refused to compensate us for patented technology, and so we're forced to take this to the courts.

Numerous inventors and small companies have sued or threatened to sue eBay, and legal experts have been skeptical of many such claims. But some said the newest plaintiff's heft gives the AT&T lawsuit the credibility that cases brought by obscure inventors and operators of now-defunct dot-coms lacked.

To be sure, AT&T's involvement makes this case different from others, said Neil A. Smith of the San Francisco-based law firm Howard, Rice, Nemerovski, Canady, Falk & Rabkin. AT&T's a well respected company that doesn't just wave around patent lawsuits unless there's some merit.

Others, however, said that AT&T is unlikely to even force a settlement _ which is the way Amazon.com and Barnesandnoble.com resolved what might have been the last such high-profile legal skirmish over Internet sales strategies. That case, involving Amazon's one-click checkout method, was filed in 1999 and settled last year. The companies have refused to disclose the terms.

David Pressman, a San Francisco patent lawyer and author of Patent It Yourself, said at least half of all patent infringement lawsuits are won by the defense or eventually dropped before reaching the courtroom.

And Greg Aharonian, San Francisco-based patent expert, said eBay could get the case dismissed if it finds a company or institution that developed its own trusted intermediary or similar electronic payment system even before AT&T researchers filed for their patent.

The question is, did anyone else have trusted third parties in the 1980s? My gut reaction is that they existed, said Aharonian, publisher of the daily Internet Patent News Service newsletter. Some university professor could have written an article on this, but no one paid attention and no banks