Re: The future of security

2004-06-02 Thread Ben Laurie
Peter Gutmann wrote:
> No they won't.  All the ones I've seen are some variant on the "build a big
> wall around the Internet and only let the good guys in", which will never work
> because the Internet doesn't contain any definable inside and outside, only
> 800 million Manchurian candidates waiting to activate.  For example
> MessageLabs recently reported that *two thirds* of all the spam it blocks is
> from infected PCs, with much of it coming from ADSL/cable modem IP pools.
> Given that these spammers are legitimate users, no amount of crypto will
> solve the problem.  I did a talk on this recently where I claimed that various
> protocols designed to enforce this (Designated Mailers Protocol, Reverse Mail
> Exchanger, Sender Permitted From, etc etc) will buy at most 6-12 months, and
> the only dissent was from an anti-virus researcher who said it'd buy weeks and
> not months.

SPF will buy me one thing forever: I won't get email telling me I sent
people spam and viruses.

> The alternative proof-of-resource-consumption is little better,
> since it's not the spammers' resources that are being consumed.

Nevertheless these resources are limited, and better security would make
them more limited.

> There is one technological solution which would help things a bit, which is
> Microsoft implementing virus throttling in the Windows TCP stack.  Like a
> firebreak, you can never prevent fires, but you can at least limit the damage
> when they do occur.  Unfortunately I don't see this happening too soon, both
> because MS aren't exactly at the forefront of implementing security features
> (it took them how many years to add the most basic popup-blocking?), and
> because of liability issues - adding virus throttling would be an admission
> that Windows is a petri dish.

Duh. So viruses would fix the stack.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html   http://www.thebunker.net/
There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit. - Robert Woodruff
-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
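The "virus throttling" Gutmann wants in the Windows stack is the host-based rate limiter Matthew Williamson described at HP Labs in 2002 ("Throttling Viruses: Restricting propagation to defeat malicious mobile code"): a host keeps a small working set of recently contacted destinations; connections to a destination in the set pass at once, connections to a new destination are queued and released at a fixed slow rate. A browsing user touches a few hosts repeatedly and never notices; a worm scanning hundreds of addresses a second stalls, and the length of its delay queue is itself the alarm. The simulation below is an added example (mine, not code from the thread, from HP or from any operating system). The working-set size of 5 and release rate of one new host per second follow the paper's defaults; the traffic patterns are constructed.

```python
import collections


class ConnectionThrottle:
    """Williamson-style virus throttle, simulated in whole-second ticks.

    - working_set: the last `working_set_size` distinct destinations, LRU order
    - delay_queue: connection attempts to destinations not in the working set
    - each tick releases `release_per_tick` queued attempts into the working set
    - a delay queue longer than `alarm_threshold` counts as an alarm
    Parameters are the paper's defaults (assumption: they are tunable).
    """

    def __init__(self, working_set_size=5, release_per_tick=1, alarm_threshold=100):
        self.working_set_size = working_set_size
        self.release_per_tick = release_per_tick
        self.alarm_threshold = alarm_threshold
        self.working_set = collections.OrderedDict()   # dst -> None, oldest first
        self.delay_queue = collections.deque()
        self.passed = []                               # every attempt that got through
        self.alarms = 0

    def _admit(self, dst):
        """Put dst in the working set, evicting the least recently used entry."""
        if dst in self.working_set:
            self.working_set.move_to_end(dst)
            return
        if len(self.working_set) >= self.working_set_size:
            self.working_set.popitem(last=False)
        self.working_set[dst] = None

    def connect(self, dst):
        """Outbound connection attempt. True if passed now, False if queued."""
        if dst in self.working_set:
            self.working_set.move_to_end(dst)
            self.passed.append(dst)
            return True
        self.delay_queue.append(dst)
        return False

    def tick(self):
        """One second elapses: release queued attempts at the fixed rate.
        Returns the queue length left over, which is the worm indicator."""
        for _ in range(self.release_per_tick):
            if not self.delay_queue:
                break
            dst = self.delay_queue.popleft()
            self._admit(dst)
            self.passed.append(dst)
        if len(self.delay_queue) > self.alarm_threshold:
            self.alarms += 1
        return len(self.delay_queue)


def simulate(traffic, seconds, **throttle_args):
    """Run `traffic(second) -> [destinations]` through a throttle.
    Returns (connections passed, longest leftover queue, alarm count)."""
    throttle = ConnectionThrottle(**throttle_args)
    longest_queue = 0
    for second in range(seconds):
        for dst in traffic(second):
            throttle.connect(dst)
        longest_queue = max(longest_queue, throttle.tick())
    return len(throttle.passed), longest_queue, throttle.alarms


def normal_user(second):
    """Constructed: a person cycling between three sites, one fetch a second."""
    sites = ["www.example.com", "cdn.example.com", "mail.example.net"]
    return [sites[second % 3]]


def scanning_worm(second):
    """Constructed: a worm probing 200 fresh addresses every second."""
    return [f"10.{second}.0.{i}" for i in range(200)]


if __name__ == "__main__":
    print("user :", simulate(normal_user, 10))     # all 10 fetches pass, empty queue, no alarms
    print("worm :", simulate(scanning_worm, 10))   # 10 probes out of 2000 get through
```

After the first second the user's three hosts all sit in the working set and every later fetch passes immediately; the worm is held to one new destination per second regardless of how fast it scans, and its queue of 1990 pending probes after ten seconds is the signal a stack could act on, which is the "firebreak" Gutmann describes.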


SMTP over TLS

2004-06-02 Thread Perry E. Metzger

I view link encryption for SMTP -- i.e. SMTP over TLS -- as having two
functions.

1) It frustrates vacuum cleaner mail tapping efforts to some degree.
2) It can be used effectively for authenticating the posting of a
   mail message from an MUA to the first hop MTA.

I don't see it as being useful for making sure your mail is actually
secure, but I think it is a valuable thing to turn on as much as one
can, if only to reduce casual eavesdropping. It certainly can't stop
(for the most part) concerted attacks, but I don't think most people
view it as being useful for that.

-- 
Perry E. Metzger		[EMAIL PROTECTED]

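Perry's two functions correspond to two decisions a client makes after the EHLO exchange, shown here in an added example (my code, not from the thread or from any mail software). STARTTLS (RFC 3207) is used only if the server lists it in its EHLO reply, so an opportunistic client that sees no STARTTLS line simply continues in the clear; an on-path attacker who deletes that one line from the reply forces plaintext, which is why this stops casual eavesdropping rather than a concerted attack. For the MUA-to-first-hop case, the rule that makes TLS useful for authentication is that SMTP AUTH credentials never leave the client until TLS is up. The two EHLO replies, host names and credentials are constructed.

```python
import base64

# Constructed EHLO replies. The second is what the client sees when an on-path
# attacker has removed the STARTTLS capability from an otherwise honest reply.
EHLO_HONEST = """250-mail.example.com Hello client.example.org
250-SIZE 35882577
250-STARTTLS
250-AUTH PLAIN LOGIN
250 HELP"""

EHLO_STRIPPED = """250-mail.example.com Hello client.example.org
250-SIZE 35882577
250-AUTH PLAIN LOGIN
250 HELP"""


def parse_ehlo(reply):
    """Parse a multi-line 250 EHLO reply into {EXTENSION: [parameters]}.
    Continuation lines are '250-...', the last line '250 ...'."""
    lines = reply.strip().splitlines()
    if not lines or not lines[0].startswith("250"):
        raise ValueError(f"EHLO rejected: {lines[:1]!r}")
    extensions = {}
    for line in lines[1:]:                    # lines[0] is the greeting
        if not line.startswith("250"):
            raise ValueError(f"malformed EHLO line: {line!r}")
        fields = line[4:].split()             # drop '250-' or '250 '
        if fields:
            extensions[fields[0].upper()] = fields[1:]
    return extensions


def negotiate_tls(extensions, require_tls):
    """Return 'starttls', 'cleartext' or 'abort'.
    Opportunistic mode (require_tls=False) is Perry's 'turn it on as much as
    one can': it encrypts when offered and degrades silently when not."""
    if "STARTTLS" in extensions:
        return "starttls"
    return "abort" if require_tls else "cleartext"


def auth_command(extensions, tls_active, username, password):
    """Build 'AUTH PLAIN <base64(\\0user\\0pass)>', or None if the client must
    not authenticate: no TLS on the hop, or PLAIN not offered."""
    if not tls_active:
        return None                           # never send a password in the clear
    if "PLAIN" not in extensions.get("AUTH", []):
        return None
    token = base64.b64encode(b"\0" + username.encode() + b"\0" + password.encode())
    return "AUTH PLAIN " + token.decode("ascii")


def run_client(ehlo_reply, require_tls, username=None, password=None):
    """Decide one session's next commands from the EHLO reply.
    A real client re-issues EHLO after the TLS handshake and uses that second
    capability list for AUTH; here the pre-TLS list stands in for it."""
    extensions = parse_ehlo(ehlo_reply)
    decision = negotiate_tls(extensions, require_tls)
    if decision == "abort":
        return ["QUIT"]
    tls_active = decision == "starttls"
    commands = ["STARTTLS"] if tls_active else []
    if username is not None:
        auth = auth_command(extensions, tls_active, username, password)
        if auth is None:
            return commands + ["QUIT"]        # submission needs AUTH; refuse the cleartext hop
        commands.append(auth)
    commands.append("MAIL FROM")
    return commands


if __name__ == "__main__":
    print(run_client(EHLO_HONEST, False, "alice", "s3cret"))    # STARTTLS, AUTH PLAIN ..., MAIL FROM
    print(run_client(EHLO_STRIPPED, False))                     # MAIL FROM: relay hop downgraded silently
    print(run_client(EHLO_STRIPPED, False, "alice", "s3cret"))  # QUIT: no password over cleartext
    print(run_client(EHLO_STRIPPED, True))                      # QUIT: TLS was required
```

The second case is the one to notice: an MTA relaying opportunistically has no way to tell a server that never supported STARTTLS from one whose reply was tampered with, so the downgrade is invisible. The third shows why the MUA hop is different: the submission client knows it has a password to protect and can refuse.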


Chalabi Reportedly Told Iran That U.S. Had Code

2004-06-02 Thread R. A. Hettinga
http://www.nytimes.com/2004/06/02/politics/02CHAL.html?th=pagewanted=printposition=

The New York Times

June 2, 2004

Chalabi Reportedly Told Iran That U.S. Had Code
By JAMES RISEN and DAVID JOHNSTON

WASHINGTON, June 1 - Ahmad Chalabi, the Iraqi leader and former ally of the
Bush administration, disclosed to an Iranian official that the United
States had broken the secret communications code of Iran's intelligence
service, betraying one of Washington's most valuable sources of information
about Iran, according to United States intelligence officials.

The general charge that Mr. Chalabi provided Iran with critical American
intelligence secrets was widely reported last month after the Bush
administration cut off financial aid to Mr. Chalabi's organization, the
Iraqi National Congress, and American and Iraqi security forces raided his
Baghdad headquarters.

The Bush administration, citing national security concerns, asked The New
York Times and other news organizations not to publish details of the case.
The Times agreed to hold off publication of some specific information that
top intelligence officials said would compromise a vital, continuing
intelligence operation. The administration withdrew its request on Tuesday,
saying information about the code-breaking was starting to appear in news
accounts.

Mr. Chalabi and his aides have said he knew of no secret information
related to Iran and therefore could not have communicated any intelligence
to Tehran.

American officials said that about six weeks ago, Mr. Chalabi told the
Baghdad station chief of Iran's Ministry of Intelligence and Security that
the United States was reading the communications traffic of the Iranian spy
service, one of the most sophisticated in the Middle East.

According to American officials, the Iranian official in Baghdad, possibly
not believing Mr. Chalabi's account, sent a cable to Tehran detailing his
conversation with Mr. Chalabi, using the broken code. That encrypted cable,
intercepted and read by the United States, tipped off American officials to
the fact that Mr. Chalabi had betrayed the code-breaking operation, the
American officials said.

American officials reported that in the cable to Tehran, the Iranian
official recounted how Mr. Chalabi had said that "one of them" - a
reference to an American - had revealed the code-breaking operation, the
officials said. The Iranian reported that Mr. Chalabi said the American was
"drunk."

The Iranians sent what American intelligence regarded as a test message,
which mentioned a cache of weapons inside Iraq, believing that if the code
had been broken, United States military forces would be quickly dispatched
to the specified site. But there was no such action.

The account of Mr. Chalabi's actions has been confirmed by several senior
American officials, who said the leak contributed to the White House
decision to break with him.

It could not be learned exactly how the United States broke the code. But
intelligence sources said that in the past, the United States has broken
into the embassies of foreign governments, including those of Iran, to
steal information, including codes.

The F.B.I. has opened an espionage investigation seeking to determine
exactly what information Mr. Chalabi turned over to the Iranians as well as
who told Mr. Chalabi that the Iranian code had been broken, government
officials said. The inquiry, still in an early phase, is focused on a very
small number of people who were close to Mr. Chalabi and also had access to
the highly restricted information about the Iran code.

Some of the people the F.B.I. expects to interview are civilians at the
Pentagon who were among Mr. Chalabi's strongest supporters and served as
his main point of contact with the government, the officials said. So far,
no one has been accused of any wrongdoing.

In a television interview on May 23, Mr. Chalabi said on CNN's "Late
Edition" that he met in Tehran in December with the Iranian supreme leader,
Ayatollah Ali Khamenei, and the Iranian president, Mohammad Khatami. He
also said he had met with Iran's minister of information.

Mr. Chalabi attacked the C.I.A. and the director of central intelligence,
George J. Tenet, saying the agency was behind what Mr. Chalabi asserted was
an effort to smear him.

"I have never passed any classified information to Iran or have done
anything - participated in any scheme of intelligence against the United
States," Mr. Chalabi said on "Fox News Sunday." "This charge is false. I
have never seen a U.S. classified document, and I have never seen - had a
U.S. classified briefing."

Mr. Chalabi, a member of the Iraqi Governing Council, said, "We meet
people from the Iranian Embassy in Baghdad regularly," but said that was to
be expected of Iraqi officials like himself.

Some defenders of Mr. Chalabi in the United States say American officials
had encouraged him in his dealings with Iran, urging him to open an office
in Tehran in hopes of improving relations 

Article on passwords in Wired News

2004-06-02 Thread Perry E. Metzger

An article on passwords and password safety, including this neat bit:

   For additional security, she then pulls out a card that has 50
   scratch-off codes. Jubran uses the codes, one by one, each time she
   logs on or performs a transaction. Her bank, Nordea PLC, automatically
   sends a new card when she's about to run out.

http://www.wired.com/news/infostructure/0,1377,63670,00.html

-- 
Perry E. Metzger		[EMAIL PROTECTED]

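The Nordea card in the quoted passage is a one-time-code list: a printed sheet of codes used up in order, each valid once, replaced automatically when the customer is nearly out. The article says nothing about Nordea's implementation beyond that, so what follows is an added example of my own, not the bank's system: an issuer that generates a 50-code card, and a verifier that stores only HMAC-SHA256 tags under a server-side key (a copied database is worthless without the key, and a 40-bit code space is too small for a plain hash to resist offline guessing), consumes codes in order with a small look-ahead for codes the customer scratched but lost, rejects replay, and flags the card for reissue when five codes remain. Code length, alphabet, look-ahead window and reissue threshold are all assumptions.

```python
import hashlib
import hmac
import secrets

# Assumed card format: 50 codes, 8 characters from a 32-symbol alphabet with
# the easily confused 0/O and 1/I removed (about 40 bits per code).
CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
CODE_LENGTH = 8
CARD_SIZE = 50
LOOKAHEAD = 3            # accept any of the next 3 unused codes; skipped ones are burned
REISSUE_THRESHOLD = 5    # order a new card when this many codes are left


def issue_card(size=CARD_SIZE):
    """Generate the codes printed on one card (distinct, CSPRNG-generated).
    These go to the printer and the customer; the server keeps only tags."""
    codes, seen = [], set()
    while len(codes) < size:
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        if code not in seen:
            seen.add(code)
            codes.append(code)
    return codes


class CardVerifier:
    """Server-side state for one customer's card: keyed tags, next expected index."""

    def __init__(self, card_id, codes, server_key):
        self.card_id = card_id
        self.server_key = server_key
        self.tags = [self._tag(i, code) for i, code in enumerate(codes)]
        self.next_index = 0
        self.used = 0

    def _tag(self, index, code):
        # Bind the tag to card and position so tags cannot be moved between
        # cards or slots; the server key is what defeats offline guessing.
        message = f"{self.card_id}:{index}:{code}".encode()
        return hmac.new(self.server_key, message, hashlib.sha256).digest()

    def verify(self, code):
        """True if `code` is one of the next LOOKAHEAD unused codes. Accepting
        code i burns every code before it, so a replay of an earlier code or a
        code beyond the window is refused."""
        window_end = min(self.next_index + LOOKAHEAD, len(self.tags))
        for i in range(self.next_index, window_end):
            if hmac.compare_digest(self._tag(i, code), self.tags[i]):
                self.next_index = i + 1
                self.used += 1
                return True
        return False

    def remaining(self):
        return len(self.tags) - self.next_index

    def needs_reissue(self):
        return self.remaining() <= REISSUE_THRESHOLD


def demo():
    """Walk one card through the cases that matter; returns the outcomes."""
    server_key = secrets.token_bytes(32)          # kept in the bank's HSM or config, never with the tags
    codes = issue_card()                          # what is printed and mailed
    verifier = CardVerifier("card-0001", codes, server_key)
    results = {
        "first": verifier.verify(codes[0]),       # normal use
        "replay": verifier.verify(codes[0]),      # same code again: refused
        "skip_one": verifier.verify(codes[2]),    # customer lost code 1, used code 2: accepted
        "burned": verifier.verify(codes[1]),      # code 1 is now dead
        "too_far": verifier.verify(codes[10]),    # outside the look-ahead window
        "remaining": verifier.remaining(),
    }
    for code in codes[3:45]:                      # spend the card down to five codes
        verifier.verify(code)
    results["used"] = verifier.used
    results["needs_reissue"] = verifier.needs_reissue()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:14} {value}")
```

The look-ahead is the design choice worth arguing about: a window of 1 means one smudged code locks the customer out until a new card arrives, a large window gives an attacker who has seen a dump of the printed card more usable codes per attempt. Three is an assumption, not a recommendation.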


Re: The future of security

2004-06-02 Thread Bill Stewart
At 05:15 AM 6/2/2004, Ben Laurie wrote:
> SPF will buy me one thing forever: I won't get email telling me I sent
> people spam and viruses.
Unfortunately, that won't work for me.
My email address is at pobox.com, the mail forwarding service
where the main proponent of SPF works,
but my SMTP service is whichever ISP I'm currently connected through
(DSL, dial, work, whatever) - which isn't under pobox's control.
So my incoming mail can recognize SPFs and block forgeries,
but my outgoing mail can't use them,
unless pobox changes their business model to provide outgoing SMTP relay
for their customers, doubling their bandwidth needs.
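Bill's problem and Ben's benefit come from the same mechanism: a domain publishes in DNS which IP addresses may send mail claiming to be from it, and a receiver compares the connecting address against that list. With a "-all" record, forged mail from an infected PC fails (Ben never hears about it), but so does Bill's legitimate mail submitted through whichever ISP relay he happens to be behind. The evaluator below is an added example (mine, not pobox.com's record, not any SPF library, and written against the 2004 "Sender Permitted From" semantics later published as RFC 4408); it supports the all, ip4/ip6, a and include mechanisms with qualifiers, resolves against a constructed DNS table using RFC 5737 documentation addresses, and shows the three policies a domain in pobox's position can choose between.

```python
import ipaddress

# Constructed DNS data standing in for the TXT and A lookups a real checker
# makes. 192.0.2.0/24 plays the role of the domain's own relays, 203.0.113.0/24
# an ISP's DSL/cable pool. None of this is pobox.com's or any ISP's real record.
DNS = {
    "pobox.com":        {"txt": "v=spf1 ip4:192.0.2.0/24 -all"},
    "softfail.example": {"txt": "v=spf1 ip4:192.0.2.0/24 ~all"},
    "relay.example":    {"txt": "v=spf1 ip4:192.0.2.0/24 include:isp.example -all"},
    "isp.example":      {"txt": "v=spf1 ip4:203.0.113.0/24 a:smtp.isp.example -all"},
    "smtp.isp.example": {"a": ["198.51.100.25"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, depth=0):
    """Minimal SPF check_host(): pass / fail / softfail / neutral / none / permerror.
    Mechanisms: all, ip4, ip6, a, include. Left out: mx, ptr, exists, redirect, macros."""
    if depth > 10:                                   # recursion limit on include
        return "permerror"
    record = DNS.get(domain, {}).get("txt")
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"                                # domain publishes no policy
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:                  # skip the 'v=spf1' version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(addr) in DNS.get(arg or domain, {}).get("a", [])
        elif mech == "include":
            sub = check_host(ip, arg, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"                   # including a policy that isn't there is an error
            matched = sub == "pass"                  # only a pass inside the include counts
        else:
            return "permerror"                       # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                                 # no mechanism matched, no 'all'


def bill_scenario():
    """Bill sends from an ISP pool address; a forger sends from elsewhere."""
    return {
        "bill_via_isp_pool": check_host("203.0.113.77", "pobox.com"),       # his own mail is rejected
        "forger": check_host("198.51.100.9", "pobox.com"),                   # so is the forgery (Ben's point)
        "pobox_own_relay": check_host("192.0.2.10", "pobox.com"),            # mail via the published relay
        "softfail_policy": check_host("203.0.113.77", "softfail.example"),   # '~all': marked, not rejected
        "isp_authorised": check_host("203.0.113.77", "relay.example"),       # include: the ISP pool
        "isp_mx_host": check_host("198.51.100.25", "relay.example"),         # 'a:' inside the include
        "no_record": check_host("203.0.113.77", "nospf.example"),
    }


if __name__ == "__main__":
    for case, result in bill_scenario().items():
        print(f"{case:18} {result}")
```

The "softfail_policy" and "isp_authorised" rows are the two ways out short of pobox running an outbound relay: publish "~all" so receivers flag rather than reject (giving up most of Ben's benefit), or enumerate every ISP customers might send through, which does not scale to "whichever ISP I'm currently connected through".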