Re: Whitehat hacker made FBI patsy
At 03:38 PM 05/09/2001 -0400, Faustine forwarded Kevin Poulsen's 9 May 01 article: ... BIND hole In May, 1998, the Internet was reeling from a devastating vulnerability discovered in a ubiquitous piece of software called the BIND named domain server. Formally known as the iquery BIND Buffer Overflow vulnerability the hole been publicly announced by Carnegie Mellon's Computer Emergency Response Team (CERT) a month earlier, and a software patch to fix it was available for download. But according to an FBI affidavit, the hole was still in place on Air Force systems, nuclear laboratories, the U.S. Departments of Commerce, Transportation and the Interior, as well as the National Institute of Health. Near the end of May, the hacker group ADM raised the stakes by publishing a computer program capable of spreading through vulnerable systems automatically. It was concern over the damage the worm could wreak on an unprepared Internet that spurred Butler to his fateful course. Mr. Butler modified the worm program to download and install the official software patch that repaired the BIND/named vulnerability from the software vendors' web site, Granick's motion reads. Mr. Butler used his modified worm to automatically get root access on machines through the named vulnerability and fix the named hole. It could have been an unsullied act of mass guerilla patching -- a relatively harmless hack that would have left the Internet a little more secure, while dappling only a few spots of gray on Butler's white hat. But Butler's worm also installed back doors on every system it patched, and reported their location back to Butler, giving him a way into the machines even as he locked out other hackers. That feature simultaneously made the crime harder to defend, and easier to solve. The Air Force was the first to realize what was going on; a lot of bases were being hit, a lot of flags were going up, says Eric Smith in an interview. All your base are belong to me. Not only are viruses a bad mechanism for getting people to install software you want them to install (after all, sometimes you really *do* know what's best for them better than they do), and prone to breaking things when the systems they infect don't quite match the assumptions the virus writer wrote, but here's yet another reminder that you shouldn't let people install them on your machines even if they don't realize that the viruses they're installing may have extra features added. Ratting on DEFCON attendees Butler's new mission: Attend the DEFCON hacker convention at the Plaza Hotel and Casino in Las Vegas -- the largest annual gathering of security experts, hackers and cybercops in the world. There, he was to collect PGP encryption keys from conference attendees and try to match people's real names with their hacker identities and with the keys, reads the motion. Also a reminder that if you're using multiple identities and don't want them leaked, be real careful about not mixing your digital signature keys, and don't leave PGP secret keyrings in unencrypted partitions on your disk (the keys themselves are encrypted in the keyfiles, but the user names aren't.) Out of curiousity, do most Defcon attendees pay for their rooms using credit cards with True Names on them? Or cash? Hotels generally don't like cash, though a number of the attendees are young enough that they may not have credit cards. Any guesses whether the Feds subpoena or otherwise obtain the hotel reservation records? It'd be a real interesting place to match up videotapes of guests registering with videotapes of other activities. On the other hand, the Alexis Park isn't a casino (I don't even remember slot machines there), so it may be much less rabidly camerafied than most of Vegas.
RE: No*Trace Computer Security Software
formerly available only to high level government agencies which is code for either marketing dept. says it would sound cool or it no longer offers acceptable levels of security so it's free for public consumption (remember skipjack?) or we don't need it now that we've upgraded our computers from the old IBM PC-XTs to the newer and more powerful 286 A few other explanations, though marketing dept. says it would sound cool probably wins. - they developed it for the government market, now they want to make money - ditto, but the original customers weren't buying :-) - their government customers require it to be commercial off-the-shelf software, to satisfy Federal Purchasing Buzzword Mantras, so they're satisfying that requirement by offering it to the public. Back when I was a tool of the military-industrial complex, we ran into the latter scenario fairly often. Federal cost-control rules, designed to reduce the extent to which the military pays millions of dollars in custom development costs for their 600-dollar hammers, tend to require COTS. They're totally independent of the requirements that the end users may have for highly customized features that nobody in the commercial world actually wants to buy, or features that may be individually available but not simultaneously available, like B1-rated operating system security, compliance with all POSIX standards including the Real-Time ones that weren't fully defined at the time and required cooking the kernel (which instantly breaks the Orange Book security certification), Ada (of course!) interfaces to all the cool kernel features, GOSIP Networking (that was the Government's OSI protocol stack, which of course also breaks the Orange Book Certs), TCP/IP over X.25 (both of which also broke the Orange Book Certs), and X.25 with the particular combination of options that the NSA consultant thought would be a good idea to help the security of the system (X.25 has zillions of options, nobody implements all of them to start with, much less in the combinations that the consultant thought would be cool.)
Re: Kirkland SSN document, comments and snapshot of what we're talking about
At 08:39 AM 05/20/2001 -0700, Tim May wrote: At 10:59 AM -0400 5/20/01, Declan McCullagh wrote: Neither, actually. They claim that I'm acting in concert with justicefiles.org by quoting three lines from the site. And, Kirkland claims, that means I'm bound by the court's injunction against justicefiles.org. So, is the Google site acting in concert with justicefiles? No, because there's no intention or even scienter involved in Google's caching of the justicefiles.org documents. The judge could try to order them to delete their archives of the files, but can't bust them for their robots creating them in the first place. By contrast, Declan, as a journalist and news editor, was explicitly picking out the controversial bits, and knew about the court order. So there's a question about whether the court order would apply to Declan in the same way that it would apply to a friend of the gag-order-ees saying sure, I'll post them for you, since you can't any more, or whether he's acting independently (so the judge could also order him not to publish the information, but the original order doesn't apply to him), or whether he's a public-serving journalist reporting on the cops' attempts to cover up their activities and evade the public scrutiny and potential for lawsuits, or whether he's a member of the Vast Left-Wing Conspiracy* of Liberal Media who are nonetheless protected by the technicalities of the First Amendment, except when court orders can convince their editors to fold, or whether he's a Witness that the miscreants in Kirkland are trying to intimidate. I suspect a letter from the DA would easily enough get Google to roll over - most ISPs tend to do that, though a few are willing to pay the legal expenses for resisting, and it's worth a first attempt on the miscreants' part to send a threatening letter to see which category Declan and his ISPs are in. They've got their initial response :-), and since Declan is implicitly a customer of Blacknet, it's tough to effectively stamp out the data. * After all, it's now the Bush Administration...
Re: NYC Police PDA deployment
Yow! $3500 ? Not $350? Palm VIIx sale price is $199 at Fry's, or you can spend probably about $350 for a $99 Visor/Palm3/Palm100 plus an OmniSky modem. NYC may not have Fry's, but they've got 47th Street Computer, which will do just as well. You'd have to teach cops how to write Graffiti instead of just busting people for it... Alternatively, the RIM Blackberry and one of Motorola's 2-way text pagers are all under $500, and there are several products from the cell phone makers that also let you input text, albeit a bit more clumsily. What a scam. And with the Palm-like devices, adding encryption is just a Simple Matter of Programming, rather than something that required new PROMs or replacment of the operating system. But hey, it's another opportunity for police scanners or HERF. At 02:42 AM 05/24/2001 -0400, [EMAIL PROTECTED] wrote: Note on NSA fiber optic snarfing: they undoubtably had one of our national laboratories figure it out. I remember a long time ago an URL to Los Alamos National Labs, where it was a project for getting past locks. Will cops be more likely to ask people to identify themselves? (Identification wanderlust.) http://www.nytimes.com/2001/05/24/technology/24COP.html # #May 24, 2001 # #Patrol Officers Soon to Carry #Minicomputers on Gun Belts # #By THOMAS J. LUECK # #Weighing five ounces and closely resembling the ubiquitous black #pocket pager, it might be overlooked on the overstuffed gun belts #of police officers on foot patrol. But the device, a $3,500 #minicomputer, will let the officers check whether a car has been #stolen or someone they stop on the street is trying to conceal #an arrest record. # #After putting 15 of the gadgets through their paces in housing #projects, stolen vehicle chop shops and crime scenes in the #last year, senior police officials said yesterday that they #planned to buy 200 more this year in the first phase of a plan #to equip a larger segment of the patrol force with the devices. #The decision to give officers the new computers was first reported #yesterday in The Daily News. # #It works discreetly, without creating a fuss, said Rafael #Pineiro, the assistant chief in charge of the department's #Management and Information Systems Division. He added that the #New York Police Department would be the first in the nation to #use the minicomputers on routine street patrol. [snip] (yes, 'minicomputer' is the wrong terminology)
Re: Entire ISP Forced to Close
At 11:50 AM 05/16/2001 -0700, Eric Cordian wrote: Jim Dixon wrote: Still, the Internet is for the most part a Star Network, with only the very largest providers multi-homed. This is not true, unless your definition of 'the very largest' is very loose indeed. There are many thousands of multi-homed ISPs. People periodically attempt to draw graphs of the relationships between ISPs. If you look at these you see nothing similar to a star network. This hasn't been my experience here in the US. I am familiar with about 10 ISPs, from small mom and pop operations, to mid-size regional providers. The smallest ones have a single line. Even a pretty big ISP can run on a single OC3, with a backup DS3. Most of my experience is with big backbone providers, big enterprises, web hosting services, and very small ISPs. Early on, there were three main backbone providers - MCI, UUNET, Sprint - and a small ISP would buy their first T1 feed from MCI (cheapest), and as soon as they could justify a second T1, they'd buy it from one of the other providers so that hopefully there wouldn't be bad routing instabilities on both at the same time. Things have gotten much more reliable, but also much bigger, and most ISPs still buy diverse connections when they need more than one. Almost every web hosting ad talks about having multiple connections, whether that's 2 T3s or 2 OC12s to different backbones, because you still need it for reliability. If you're out of service for a day, you lose customers, fast, while if your performance is doggy for a day, they'll usually stick around. Having N thousand small ISPs, and hundreds of small web hosting businesses, plus dozens of big ISPs and hosting services means there's lots of competition - if you provide undependable service, people will leave, unless they're somewhere geographically special or have other special issues. There are a few with a handful of OC12 and OC3 circuits, but these were generally obtained for specific customers. I can't imagine an ISP with 50+ distinct peers, with separate circuits to each. Most non-huge US ISPs don't have large numbers of physical peering circuits, but ISPs that use the public exchange points or carrier hotels often peer with a number of other ISPs, because that either requires just administrative agreements (on a routed exchange point) or additional PVCs (on an ATM exchange point.) Some exchange points work by everybody peering with the exchange rather than with each other, but it's a similar effect.
RE: Automatics
At 12:46 AM 06/11/2001 -0700, Tim May replied: Well said, but: In _The Irish War_ there's a description of IRA improvised recoilless 'rifles' which, like their .mil-industrial analogues, toss an equal mass out the back end. The reacting countermass is a bunch of flakes which dissipate the KE against the atmosphere. How this Irish makeshift recoilless rifle actually works is unknown to me, but the dissipation of KE by the chaff is not germane. The expulsions of some mass (M) at some velocity (V) is germane, as above, but not the way the mass behaves once it has been propelled backward. The military recoilless rifles are more or less bazookas - their objective is to fire a relatively large and usually explosive shell to blow up tanks, trucks, and other big hard targets, while still being conveniently portable. I'm also puzzled by the flakes comments - rapidly expanding gasses are plenty of reaction mass, though perhaps there's some sort of wadding to provide increased gas pressure that gets flaked in the explosion.
Re: 40 teraflops (fwd)
Unfortunately, the article that Bob Hettinga excerpted from the South China Morning Post is a pay-only article. http://www.es.jamstec.go.jp/ - Japanese government site. http://www.es.jamstec.go.jp/esc/eng/ - Good page http://www.es.jamstec.go.jp/esrdc/eng/menu.html - The ES center http://www.es.jamstec.go.jp/esc/gallary/index_e.html - Pictures. (This sucker appears to be *big*. Some pictures want Flash.) Here are a couple of articles from 2000 about how cool the machine will be: http://www.nec.co.jp/press/en/0005/3001.html - NEC press release http://www.ess.nec.de/hpc/HPCwire/17830.htm - Some technical detail Cool lecture by Jack Dongarra (a name you should know) overview of high-performance computing. Spring 2002 CS594 UTenn. http://www.cs.utk.edu/~dongarra/WEB-PAGES/SPRING-2002/lect01.pdf Most Important Slide is the pointer to http://www.netlib.org The other reference site for this stuff: http://www.top500.org Article about Google doing work on parallel projects http://www.cosmiverse.com/tech03250202.html
Re: DoJ Summons Offshore Credit Cards
At 11:28 PM 03/25/2002 -0800, John Young wrote: Full press release: http://cryptome.org/doj-doe-cards.htm [Expletive deleted]! That's outrageous! It's one thing to issue a John Doe summons for evidence about a specific crime known to have occurred. But this is a Go Fish summons - they're looking for anybody who *might* be evading taxes, at least if their press release is to be believed. One way individuals divert income and evade their U.S. tax obligations is by maintaining bank accounts in foreign tax havens and using credit or debit cards issued by the offshore bank. It is not illegal to have an offshore credit card. However, people use these cards to tap into foreign bank accounts to get easy access to cash while evading paying taxes. They can use the cards to pay for everyday expenses like groceries and gas or even purchase luxury items such as boats and cars. Well, duh! That's one of the big reasons people get cards on foreign banks... If it's not illegal, they shouldn't be asking for them.
Re: 1024-bit RSA keys in danger of compromise
At 05:38 PM 03/23/2002 -0800, Lucky Green wrote: While the latter doesn't warrant comment, one question to ask spokespersons pitching the former is what key size is the majority of your customers using with your security product? Having worked in this industry for over a decade, I can state without qualification that anybody other than perhaps some of the HSM vendors would be misinformed if they claimed that the majority - or even a sizable minority - of their customers have deployed key sizes larger than 1024-bits through their organization. Which is not surprising, since many vendor offerings fail to support larger keys. While SSL implementations are mostly 1024 bits these days, aren't PGP Diffie-Hellman keys usually 1536 bits?
Re: The Streisand imagecriminal lives 2-3 parcels away from me
At 11:00 AM 06/03/2003 -0400, Sunder wrote: That's all nice and good, but why should it be on cypherpunks? Where's the relevance to this list? Why is Ken, or his addres or helipad an interest to the cypherpunks? Why is PGE's monopolistic's actions against him relevant to the topics of this list? What's next? The Cypherpunk Equirer? Well sure - because not all the Black Helicopters flying over Tim's house have belonged to Feds/UN/etc. - one of them's probably been Ken's :-) I've also found Tim's comments on Pynchon living nearby interesting. IMHO, neither he, nor the Streisand creature have any relevance here - there perhaps was some relevance in terms of that lawsuit the bitch started, but, who gives a shit who your neighbors are? I'd say issues of putting aerial photography on the internet and how that changes the status of previously secret information are pretty close to our core issues - they're not directly cryptography, but neither are the guns, lots of guns discussions. I don't know if Hugh ever pulled off the export RSA by standing in a bar-code when the Russian 1-meter-resolution spy satellites fly over...
Re: Chomsky: Iraq is a trial run
At 07:00 PM 04/04/2003 -0600, Kevin S. Van Horn wrote: Tyler Durden wrote: This should be seen as a trial run. Iraq is seen as an extremely easy and totally defenceless target. I beg to differ. Haiti and Yugoslavia were the trial runs; but since they happened under a Democratic president, the left didn't make a fuss. Grenada and Panama. After the Vietnam war PR fiasco (oh, and also the defeat...), it was a while before the US was willing to get into an officially recognized war, as opposed to quieter Nicaragua things. Grenada was a quick and easy invasion, and the public accepted it, (especially because they'd invaded and won in a day or so, about as fast as it took the press to take notice at all,) which gave the Pentagon the confidence to try invading Panama, which the public also accepted just fine, and after that they did Desert Scam, which did get lots of protest but primarily got good support from CNN and the other media, especially with the quick and effective bombing raid killing a couple hundred thousand people (about half soldiers and half civilians) and getting the Iraqi army out of Kuwait. Bush I handed Clinton a Presidency that had soldiers actively fighting or getting into Iraq, Bosnia, and Somalia, and the Iraq War had reminded the world that the Military-Industrial-Complex was still in charge and that nobody had better mess with them just because they no longer had the mission of Fighting Communism. As far as the Left not making a fuss because Clinton was a Democrat, I disagree with that - the Left never thought that Clinton was a liberal, just the best of the three Republicans running for president that year (Bush, Perot, and Clinton) who promised to spend money on Liberal causes. Besides, the Republicans were running a Reverse Wag The Dog, using the sex scandal to cover the War in Albania and Foobaristan, and the left was busy bashing the Republicans for being so amazingly tacky about their attacks on Clinton's sex life, not that Clinton didn't keep pitching them softballs like Whitewater and Travelgate even before they found out about Monica. And at least some of the Haiti things were reinstating a popular Leftist president and kicking out some of the nastiest people around, and the nobody remembers who's who in Yugoslavia anyway
Re: Looting of museums, banks, shops, factories--South Central LA writ large
At 11:19 PM 04/11/2003 -0700, Tim May wrote: As Anne Coulter and her fellow republidykes have suggested, invade their country, take their oil, give their children blue eyes, convert them all to Christianity, and kill those who don't convert. The Brits did a nice PR spin on some of this - BBC reports that in some town in Southern Iraq, where the secular Baath Party hasn't let the Shiitte muezzin do the public call to prayer for 15 years, the British army has set up a PA system, and made sure they have the religious freedom for the call to prayer again. In Basra, it's a similar story, though in that case the mosque building was destroyed in the 1991 bombing, but Shiite prayers have been banned for more like 30 years, according to the IHT.
Re: People converting to the winning side...
At 12:06 AM 04/12/2003 -0700, Tim May wrote: I'm not surprised to see some of my friends and associates (not necessarily on this list...I actually do interact with people off-list) switching sides from being anti-war to the other side. They natter about how Saddam was a tyrant (true enough, and there are a hundred other such tyrants), to how he must have had the magical word WMD (no evidence so far, and he certainly didn't use them when he should have), and how this will prove to the A-rabs that America stands tall (debatable). My neighbor has been flying a flag on our shared balcony for a couple of years (aargh...) He's a retired pilot, who when he was young was in the Navy; his job was to fly bombers off aircraft carriers and drop nukes on targets, which he said he wouldn't do now. When the war started, I asked him to take it down. He agreed to take it down in a week, unless there were WMDs used in the US, but that it was expressing his concern for the soldiers over there, and also told me that his wife was strongly against the war, and what he'd done in the Navy. A couple days later the flag was down, and he'd said that he'd decided that Bush was lying about all this WMD stuff. .. As Chomsky notes, the Big Lie has been hinted at in such a way that more than half the sheeple in the U.S. are now convinced that Saddam Hussein was behind 9/11. (This whole episode ought to be a major new chapter in Manufacturing Consent.) Yup. On the other hand, at least from what's in the news, the number of Iraqis killed in this war has been pretty low (www.iraqbodycount.org estimates 1100-1400), which is probably pretty close to the number of people killed by dictatorships and other evil governments that the US is supporting, and it's only 4-5 times the number of people Bush had killed as governor of Texas. More to the point, it's less than the average death rate that the UN estimates has been caused by the destruction of the water supplies in the last war and subsequent embargo (about 100K/year.) So if getting rid of Saddam leads the US to rebuilding Iraq for PR reasons, or at least gets rid of the embargo and lets the Iraqis rebuild, things may get better. (On the other hand, after the war's over, we'll probably find that there were a lot more deaths, mainly in bombed buildings.)
Re: unregistered shell
At 09:48 AM 06/09/2003 -0700, Major Variola (ret.) wrote: Capitol Police spokeswoman Jessica Gissubel said police stopped the car as it was traveling on Constitution Avenue on the north side of the Capitol because it had a gasoline container strapped to its roof. The man, who was not identified, voluntarily handed over the ammunition, described as a shotgun shell. It is illegal to carry unregistered ammunition in the District of Columbia. Normally I would make some cynical remark about the appropriateness of Constitution Avenue as a venue for violating the second amendment, but this sounds like a case of Darwin catching up with the guy in a way that only eliminates *him* from the gene pool rather than taking out innocent bystanders when the gas can falls off his car roof He's clearly from the clue-deprived side of the street about a variety of issues.