Re: feds try to argue touch tone content needs no wiretap order
On Fri, 09 Jan 2009 20:12:16 -0500 Perry E. Metzger pe...@piermont.com wrote:

Just about everyone knows that the FBI must obtain a formal wiretap order from a judge to listen in on your phone calls legally. But the U.S. Department of Justice believes that police don't need one if they want to eavesdrop on what touch tones you press during the call.

Those touch tones can be innocuous (press 0 for an operator). Or they can include personal information including bank account numbers, passwords, prescription identification numbers, Social Security numbers, credit card numbers, and so on--all of which most of us would reasonably view as private and confidential.

That brings us to New York state, where federal prosecutors have been arguing that no wiretap order is necessary. They insist that touch tones cannot be content, a term of art that triggers legal protections under the Fourth Amendment.

http://news.cnet.com/8301-13578_3-10138074-38.html?part=rsstag=feedsubj=News-PoliticsandLaw

It's very much worth reading the whole article; the author, Declan McCullagh, does a good job with the historical background. I'll add one more historical tidbit: in the late 1980s, New York courts outlawed pen register taps, because the same equipment was used to detect touch tones as was used to record full content, and thus there was no protection against law enforcement agents exceeding the court's authority.

If I may wax US-legal for a moment...

According to a (U.S.) Supreme Court decision (Katz v U.S. 389 US 347 (1967)), phone call content is private, which therefore brings into play the full protection of the Fourth Amendment -- judges, warrants, probable cause, etc. However, under a later ruling (Smith v Maryland 442 US 735 (1979)), the numbers you call are information that is given to the phone company, and hence is no longer private. Accordingly, the Fourth Amendment does not apply, and a much easier-to-get court order is all that's needed, according to statute. (I personally regard the reasoning in Smith as convoluted and tortuous, but there have been several other, similar rulings: data you voluntarily give to another party is no longer considered private, so the Fourth Amendment doesn't apply.)

The legitimate (under current law) problem that law enforcement would like to solve involves things like prepaid calling cards. Suppose I use one to call a terrorist friend, via some telco. The number of the calling card provider is available to law enforcement, under a pen register order, per Smith and 18 USC 3121, the relevant legislation. The telco will help law enforcement get that number. I next dial my account number; this is in effect a conversation between me and the calling card provider. Getting that number requires yet a different kind of court order, I believe, but I'll skip that one for now. I next dial the number of my terrorist friend. That's the number they now want -- and per Smith, they're entitled to it, since it's a dialed number via a telecommunications provider. There is no doubt they could go to that provider and ask for such a number. However, they want to ask the telco for it -- but the telco doesn't know what is a phone number, what is an account number, what is a password for an online bank account, and what is a password for an adult conference bridge.

--Steve Bellovin, http://www.cs.columbia.edu/~smb

- The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com
RE: MD5 considered harmful today, SHA-1 considered harmful tomorrow
Hi Victor,

Bottom line, anyone fielding a SHA-2 cert today is not going to be happy with their costly pile of bits.

Will this situation have changed by the end of 2010 (that's next year, by the way), when everybody who takes NIST seriously will have to switch to SHA-2? The first weakness shown in MD5 was not in 2004 but in 1995. Apparently it takes a very long time before the awareness about the implications of using weakened or broken crypto has reached a sufficient level. Though I understand the practical issues you're talking about, Victor, my bottom line is different.

In my view, the main lesson that the information security community, and in particular its intersection with the application building community, has to learn from the recent MD5 and SHA-1 history, is that strategies for dealing with broken crypto need rethinking.

[[Maybe in the previous sentence the word intersection should be replaced by union.]]

Grtz,
Benne de Weger

PS: I find it ironic that the sites (such as ftp.ccc.de/congress/25c3/) offering the video and audio files of the 25c3 presentation MD5 considered harmful today, provide for integrity checking of those files their, uhm, MD5 hashes.
Re: Bitcoin v0.1 released
Satoshi Nakamoto writes:

Announcing the first release of Bitcoin, a new electronic cash system that uses a peer-to-peer network to prevent double-spending. It's completely decentralized with no server or central authority.

See bitcoin.org for screenshots.

Download link: http://downloads.sourceforge.net/bitcoin/bitcoin-0.1.0.rar

Congratulations to Satoshi on this first alpha release. I am looking forward to trying it out.

Total circulation will be 21,000,000 coins. It'll be distributed to network nodes when they make blocks, with the amount cut in half every 4 years.

first 4 years: 10,500,000 coins
next 4 years: 5,250,000 coins
next 4 years: 2,625,000 coins
next 4 years: 1,312,500 coins
etc...

It's interesting that the system can be configured to only allow a certain maximum number of coins ever to be generated. I guess the idea is that the amount of work needed to generate a new coin will become more difficult as time goes on.

One immediate problem with any new currency is how to value it. Even ignoring the practical problem that virtually no one will accept it at first, there is still a difficulty in coming up with a reasonable argument in favor of a particular non-zero value for the coins.

As an amusing thought experiment, imagine that Bitcoin is successful and becomes the dominant payment system in use throughout the world. Then the total value of the currency should be equal to the total value of all the wealth in the world. Current estimates of total worldwide household wealth that I have found range from $100 trillion to $300 trillion. With 20 million coins, that gives each coin a value of about $10 million.

So the possibility of generating coins today with a few cents of compute time may be quite a good bet, with a payoff of something like 100 million to 1! Even if the odds of Bitcoin succeeding to this degree are slim, are they really 100 million to one against? Something to think about...

Hal
Re: MD5 considered harmful today, SHA-1 considered harmful tomorrow
On Sat, Jan 10, 2009 at 11:32:44PM +0100, Weger, B.M.M. de wrote:

Hi Victor,

Bottom line, anyone fielding a SHA-2 cert today is not going to be happy with their costly pile of bits.

Will this situation have changed by the end of 2010 (that's next year, by the way), when everybody who takes NIST seriously will have to switch to SHA-2?

Extremely unlikely in the case of SSL/TLS and X.509 certs. There is a huge install-base of systems on which SHA-2 certs will fail SSL handshakes. When Windows XP systems are 1% of the install-base, when OpenSSL 0.9.8 is 1% of the install-base and 0.9.9 too (if the support is not added before it goes official), and all the browsers, Java libraries, ... support SHA-2, then you can deploy SHA-2 certs.

I would estimate 5-8 years, if developers of all relevant mainstream implementations start to address the issue now. SHA-1 will be with us well after 2010.

New applications written in 2010 will ideally support SHA-2, but SHA-1 will probably still be the default digest in many applications through 2013 or 2015.

--
Victor Duchovni
IT Security, Morgan Stanley
What risk is being defended against here?
Not cryptography, but the members of this list think in these terms, so...

Just recently, my 8th-grade daughter took a school placement test. This test (the ISEE) is administered internationally.

When we arrived, we learned that she would not be allowed into the test room without *one* of the following:

- A photo ID
- A copy of the verification letter sent to her

The verification letter is actually available - even now, after the test is complete - on a web site.

So ... just what risk is being defended against here? You could imagine that the verification letter is essentially a ticket - the letter itself says that's what it is - but in fact the testing locations have a complete list of who is supposed to take the test - and of course you aren't *required* to have it with you.

Many such high value tests now require photo id's. Some go further - the LSAT's, required with law school applications, fingerprint all test-takers. (I think other, similar exams - like the MCAT's for medical school and the GMAT's for MBA programs do the same.) There's an obvious risk here: I can hire someone to take the test for me. A photo ID makes that harder and a fingerprint provides strong evidence in case any questions arise. But if I hired someone to take the ISEE in my daughter's place, presumably I could easily give them a copy of the verification letter.

I suppose the *combination* of the two does work as a ticket: Either you have the actual verification letter, or your name is on the list and the photo ID proves that that's your name. Seems a bit elaborate, especially since taking over someone else's test spot can't gain you anything - the results will be sent to schools in *their* name, not yours. Besides, there's really nothing preventing you from *registering* in someone else's name to begin with.

Any speculations (beyond bureaucracy at its finest)?

(The actual administration of this requirement was a mess. How many kids this age - the exam actually has three levels, so the age range would be from perhaps 9 to 17 - carry, or even have, photo id's? The verification letter itself mentions, with no emphasis, that you should bring it with you on the test date - a fact not mentioned on the ISEE web site, where they tell you to bring pencils and pens and not bring calculators or cell phones. Moreover, the verification letter can arrive way before test day - 3.5 months before, in our case. Luckily, we live close to the test center, arrived early ... and were able to rush back home for my daughter's recently-acquired passport, the only photo ID she actually has. Many others were caught in the same mess; some had to leave and reschedule for another day.)

-- Jerry
Re: What risk is being defended against here?
Jerry Leichter leich...@lrw.com writes:

When we arrived, we learned that she would not be allowed into the test room without *one* of the following:

- A photo ID
- A copy of the verification letter sent to her

The verification letter is actually available - even now, after the test is complete - on a web site.

So ... just what risk is being defended against here?

The risk being defended against is a reprimand against some bureaucrat for not doing enough to maintain test integrity. By demonstrating that they have tight procedures etc., they can deflect blame if any sort of cheating scandal occurs.

In general, most such rules are designed for JobSec, not for ActualSec. In that light, a wide variety of stupid bureaucratic behavior becomes not merely explicable but obvious.

Perry