Denmark, update on Echelon

2000-12-08 Thread Bo Elkjaer

Hi
Just a short notice on the Echelon-discussion in Denmark

The Danish parliament, Folketinget, has declined to aid the EU committee
which is investigating Echelon. The EU committee formally contacted the
head of the parliament's permanent select committee for controlling the
intelligence services -- in Danish: kontroludvalget for
efterretningstjenesterne -- asking for information regarding parliamentary
control of the Danish intelligence services.

No confidential information was asked for. Just the basic info on how the
select committee works.

The head of the committee, Thor Pedersen from the liberal party Venstre,
declined to aid the EU committee. He did this without informing the select
committee or the parliament. This caused some uproar when we disclosed his
doings in Ekstra Bladet, but the decision has since been upheld at a
meeting of the select committee. Complaints have now been filed against
Thor Pedersen.

This means that Denmark is one of only two EU countries whose parliaments
have declined to help the EU committee; the other is the British
parliament. No other EU countries have stepped aside. Indeed, they have
been rather helpful to the EU committee.

Thor Pedersen's decision has infuriated the members of the EU Parliament Lone
Dybkjaer (party: Det Radikale Venstre, married to our prime minister) and
Torben Lund (party: Socialdemokratiet, which is the governing party in
Denmark). Both are members of the EU committee, and both have declared they
have no doubt Echelon exists.

Meanwhile, the Danish signals intelligence service Forsvarets
Efterretningstjeneste is continuing to upgrade its equipment. The
SIGINT site at Skibsbylejren has been equipped with three satellite
dishes, all 18 meters across. There are plans to erect three further
dishes of the same size. The dishes are planned solely for interception.
According to the building plans, a radius around the area must be cleared of
all electronic emissions, including cell phone towers and welding
equipment. Tall buildings will also be prohibited in the area around the
30-meter-tall radomes containing the dishes.

Yours
Bo Elkjaer, Denmark

EOT




Re: Knowing your customer

2000-12-08 Thread Tom Vogt

Nomen Nescio wrote:
  I guess an equivalent ID will do. in germany, you need your ID card to
  open a bank account (um, for those not in the know: we have state-issued
  ID cards in addition to passports. the passport is a travel document,
  used to visit non-EU countries. the ID card is used inside the EU and
  for national purposes (identification, mostly). you are NOT required to
  have it with you all the time or somesuch, but some activities, such as
  opening a bank account, require an ID card. driving license or other
  documents will do in many cases, but I think not for bank accounts).
 
 How often must your ID card be renewed?  What information does it (or the
 ID database) contain that a German passport does not?

it must be renewed every 10 or 5 years (there are two periods, I'm not
sure which one applies in what cases).

it contains:

name, birthday and birth town, nationality, your signature (as you made
it on the form), some string of numbers that contains your birth date and
some other information I'm not sure about but which has most likely been
published on the web somewhere.
on the backside it contains address, height, colour of eyes and the
issuing authority. there is also a field where you can have a pseudonym
or religious name printed if you want to use it for any "official"
activities (say, you're a rock star, actor or author and many more
people know you under your pseudonym than under your real name).
height and eye-colour are whatever you put in the form. I doubt it's
ever checked. I know mine have been different on all ID cards I've had
so far.
the frontside also contains a picture of you, almost forgot that.

I have no idea what kind of information is linked to this, i.e. what
exactly a cop can pull out of his database by entering your ID number.




Re: IBM Uses Keystroke-monitoring in NJ Mob Case (was Re:

2000-12-08 Thread Ken Brown

Petro wrote:

  R. A. Hettinga wrote:
[...]
 As I've written, the FBI should run quality house cleaning services
 in large cities.
 
 How do you know they don't?

In every office or factory I've ever been in, including government ones
where we kept paper copies of tax returns (yes folks, I have worked for
the Inland Revenue) there are cleaners. They seem to come in 3 kinds -
middle-aged black women, African students working their way through
college, and people with vaguely Asiatic features who sound as if they
are speaking Portuguese. (Sometimes you get a few white students working
their way through college but they are more likely to get jobs in bars)

If I wanted to hire spies or assassins, I'd go for the middle-aged black
women. Preferably short and dumpy and shabbily dressed.  Someone who
looks like a granny. They can go anywhere, no-one ever stops them or
asks them who they are. An invisible woman to match Chesterton's
Invisible Man.

Ken




Gates to Privacy Rescue? Riiight! (was Re: BNA's Internet LawNews (ILN) - 12/8/00)

2000-12-08 Thread R. A. Hettinga

At 8:30 AM -0500 on 12/8/00, BNA Highlights wrote:


 THOUGH TECHNOLOGY MIGHT HELP PRIVACY
 A meeting of business leaders in Redmond, Washington led to
 a frank debate over the insufficiency of North American
 action on consumer privacy and the potential for technology
 to play a key role in protecting such privacy.  For example,
 Bill Gates announced that the next version of IE would
 better allow consumers to ascertain Web site privacy
 policies.
 http://www.nytimes.com/2000/12/08/technology/08SECU.html

-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'




Tonight, over here

2000-12-08 Thread Delivery Boy

Thank you for always using our bulletin board, dating and mail-friend sites.

Today we would like to introduce a new site.

http://homepage2.nifty.com/degedock/mori/


If you do not need this, please delete it.
If you no longer wish to receive this notice mail,
or have questions or comments, please do not hesitate to contact us here:
[EMAIL PROTECTED]


Re: Questions of size...

2000-12-08 Thread Ray Dillinger



On Thu, 7 Dec 2000, petro wrote:

Mr. Brown (in the library with a candlestick) said:

(RAH might have called it a geodesic political culture if he hadn't got
this strange Marxist idea that politics is just an emergent property of
economics :-)

Just by the way, how widespread is this use of the word 'geodesic'?  

Offhand, I'd refer to many of the things I've seen it used for here 
as 'distributed' or 'fractal'.  Is 'geodesic' an accepted term of art 
for a network or protocol in which all the parts work roughly the same 
way?

Bear





Re: Questions of size...

2000-12-08 Thread R. A. Hettinga


At 8:46 AM -0800 on 12/8/00, Ray Dillinger wrote:


 Just by the way, how widespread is this use of the word 'geodesic'?

Not especially. :-).

 Offhand, I'd refer to many of the things I've seen it used for here
 as 'distributed' or 'fractal'.  Is 'geodesic' an accepted term of art
 for a network or protocol in which all the parts work roughly the same
 way?

As with everything else I know of any use, I stole it. :-).

It comes from Peter Huber's 1986 "The Geodesic Network", containing
(Huber's?) observation that as the price of switches gets lower, like
with Moore's "law", the price of network nodes gets lower versus the
price of network lines, and the network changes from a hierarchical
network with expensive switches with the most expensive switches at the
top to a geodesic one, with most switches tending toward the same price
in the aggregate.

Huber stole "geodesic" from Bucky Fuller, who in turn stole it from
topology, where it means the straightest line across a surface. In three
dimensions it's a great circle, for instance, the straightest line across
a sphere, which is what "geodesic" translates to literally. Bucky called
his domes geodesic, because when you pushed on a point on the dome force
radiated out in all directions to the ground.

Of course, the internet is the mother of all geodesic networks, right?

:-).

I've expropriated the word "geodesic" in all kinds of outlandish ways,
like a cash settled auction-priced single intermediary (with lots of
competing intermediaries, of course, just one between each buyer and
seller) internet market is a geodesic market, like my claim that
societies map to their communication architectures and thus we're moving
from a hierarchical society to a geodesic one, and so on.

There's a collection of essays on geodesic markets on
http://www.ibuc.com, and pointers there to other rants of mine with the
"G" word in them, as well.

Cheers,
RAH



-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'




Re: Gates to Privacy Rescue? Riiight! (was Re: BNA's Internet Law News (ILN) - 12/8/00)

2000-12-08 Thread Adam Shostack

On Fri, Dec 08, 2000 at 09:07:38AM -0500, R. A. Hettinga wrote:
| 
| At 8:30 AM -0500 on 12/8/00, BNA Highlights wrote:
| 
| 
|  THOUGH TECHNOLOGY MIGHT HELP PRIVACY
|  A meeting of business leaders in Redmond, Washington led to
|  a frank debate over the insufficiency of North American
|  action on consumer privacy and the potential for technology
|  to play a key role in protecting such privacy.  For example,
|  Bill Gates announced that the next version of IE would
|  better allow consumers to ascertain Web site privacy
|  policies.
|  http://www.nytimes.com/2000/12/08/technology/08SECU.html

http://dailynews.yahoo.com/h/zd/20001207/tc/forrester_exec_injects_security_summit_with_harsh_truths_1.html
 

REDMOND, Wash. -- Just a few hours after Bill Gates opened Microsoft
Corp.'s (Nasdaq:MSFT - news) SafeNet 2000 security summit here
Thursday on an optimistic note, Forrester Research Inc.'s (Nasdaq:FORR
- news) John McCarthy blew it all up.

-- 
"It is seldom that liberty of any kind is lost all at once."
   -Hume





Re: Gates to Privacy Rescue? Riiight!

2000-12-08 Thread Tim May


[[EMAIL PROTECTED] removed from the distribution list. They claimed 
not to want any politics discussion, and they are a closed list, so 
why is political discussion going to it?]

At 11:50 AM -0500 12/8/00, Adam Shostack wrote:
On Fri, Dec 08, 2000 at 09:07:38AM -0500, R. A. Hettinga wrote:
|
| At 8:30 AM -0500 on 12/8/00, BNA Highlights wrote:
|
|
|  THOUGH TECHNOLOGY MIGHT HELP PRIVACY
|  A meeting of business leaders in Redmond, Washington led to
|  a frank debate over the insufficiency of North American
|  action on consumer privacy and the potential for technology
|  to play a key role in protecting such privacy.  For example,
|  Bill Gates announced that the next version of IE would
|  better allow consumers to ascertain Web site privacy
|  policies.
|  http://www.nytimes.com/2000/12/08/technology/08SECU.html

http://dailynews.yahoo.com/h/zd/20001207/tc/forrester_exec_injects_security_summit_with_harsh_truths_1.html

REDMOND, Wash. -- Just a few hours after Bill Gates opened Microsoft
Corp.'s (Nasdaq:MSFT - news) SafeNet 2000 security summit here
Thursday on an optimistic note, Forrester Research Inc.'s (Nasdaq:FORR
- news) John McCarthy blew it all up.

I read the article (thanks for the URL).

Nothing new, and, in fact, several of the old chestnuts about why 
regulation is needed.

The author also mentions that consumers dislike (so?) tracking of 
their purchases...and then in the next paragraphs cites the Firestone 
tire recall as an example of better policy than most Web sites have 
(or something like this...I re-read his analogy several times and 
still wasn't sure what his claim was). But the irony of juxtaposing 
Firestone and "customers dislike tracking" is delicious indeed! It is 
the existence of customer records--generally voluntarily provided by 
the customer--that allowed Firestone and Ford to contact hundreds of 
thousands of Explorer owners.

I wonder if the author appreciates the irony here?

All of this folderol about laws being needed to control privacy must 
be fought at every stage.

--Tim May
-- 
(This .sig file has not been significantly changed since 1992. As the
election debacle unfolds, it is time to prepare a new one. Stay tuned.)




Re: Questions of size...

2000-12-08 Thread Bill Stewart

At 08:46 AM 12/8/00 -0800, Ray Dillinger wrote:


On Thu, 7 Dec 2000, petro wrote:

Mr. Brown (in the library with a candlestick) said:

(RAH might have called it a geodesic political culture if he hadn't got
this strange Marxist idea that politics is just an emergent property of
economics :-)

Just by the way, how widespread is this use of the word 'geodesic'?  

It depends on how many hops away from Bob Hettinga you are :-)


Thanks! 
Bill
Bill Stewart, [EMAIL PROTECTED]
PGP Fingerprint D454 E202 CBC8 40BF  3C85 B884 0ABE 4639




Re: Re: Re: Re: Fractal geodesic networks

2000-12-08 Thread Tim May

At 3:57 PM -0800 12/8/00, Ray Dillinger wrote:
On Fri, 8 Dec 2000, Jim Choate wrote:


Fractal simply means non-integer dimension.


Yeah, that's where it started.  But I'm using it more in the
sense of meaning the properties that fractal structures have;
self-similarity across scales, for one, as in the big nodes
work the same way as the little nodes and larger patterns are
emergent from the interaction of simple rules. 

Computer networks, at least copper or fiber based, can't be fractal.

Physically, true.  There is a minimum size feature, in the sense
that some computing hardware and memory is required of every node. 
In terms of the flow of information, I'm not as sure.

Argg. Anyone claiming that something "can't be fractal," as 
Choate apparently does in the section you quote, just doesn't 
understand the meaning of fractal.

Or, in Choateworld, "Since all physical things have three spatial 
dimensions, there are no non-integer dimensions, and hence fractals 
cannot exist."

Like Choatian physics, Choatian economics, Choatian law, and Choatian 
history, such crankish ideas are neither useful nor interesting.


--Tim May
-- 
(This .sig file has not been significantly changed since 1992. As the
election debacle unfolds, it is time to prepare a new one. Stay tuned.)




Re: Re: Fractal geodesic networks

2000-12-08 Thread R. A. Hettinga

At 5:49 PM -0800 on 12/8/00, Bill Stewart wrote:


 At 02:47 PM 12/8/00 -0600, Jim Choate emetted:
'fractal geodesic network' is spin doctor bullshit.

 Well, buzzword bingo output anyway.

:-). "Neological" is so much more... euphemistic...

And the Internet is most certainly NOT(!) geodesic with respect to packet
paths.

 more like a geodesic dome filled with boiled spaghetti...

Depends on what dimension you're measuring. For fun, I pick time.

I leave a definition of fractal time to the more mathematically creative
out there.

Cheers,
RAH

-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'




Re: Fractal geodesic networks

2000-12-08 Thread Carol A Braddock

perhaps the scale larger than the highest layer nodes is no longer
recognisable as being part of the fractal.
Likewise the nodes at each ppp have some organization as to how they handle
data internally.

The shape of a shoreline is often used to illustrate fractal self
similarity, but you quickly reach a point where it is hard to call it a
shoreline anymore, it becomes grains of sand, pebbles, or boulders.

So say you -could- estimate a fractal dimension for the internet. What would
the number be good for?

- Original Message -
From: "Jim Choate" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, December 08, 2000 8:33 PM
Subject: Re: Fractal geodesic networks



 On Fri, 8 Dec 2000, Bill Stewart wrote:

 
  more like a geodesic dome filled with boiled spaghetti...
 

 If you think about it this is actually one way to view the Internet.
 Consider the highest layer nodes. Place them equidistant on a sphere and
 interconnect them with links. Whether they are geodesic or not isn't
 relevant (unless you're using a shortest-path algorithm, which we don't).

 Anyway. The next thing you do is connect each single user machine to its
 appropriate node. Cluster them in a similar manner. You get a globe with
 little partial globe 'bumps' centered on each 'parent' node. Then from
 each of these parent nodes, using a different length path for
 distinguishing, list the multi-user nodes. Then interconnect these nodes.
 Repeat ad infinitum (well you can't really since the lowest level link, a
 single ppp link for example can't be broken down into smaller physical
 links, the net is pseudo-fractal at best at this scale).

 You can also do them as 'sea urchins'.

 The reality is that the Internet, as big as it is, is simply too small
 by several orders of magnitude to be modelled by anything approaching a
 true fractal. However, by looking at it from the perspective of emergent
 behaviour from simple rules we can probably gain more understanding and
 control over its use. Something akin to cellular automatons with simple
 neighborhood rules interconnected by 'small network' models.

 

Before a larger group can see the virtue of an idea, a
smaller group must first understand it.

"Stranger Suns"
George Zebrowski

The Armadillo Group   ,::;::-.  James Choate
Austin, Tx   /:'/ ``::/|/  [EMAIL PROTECTED]
www.ssz.com.',  `/( e\  512-451-7087
-~~mm-'`-```-mm --'-
 





No Subject

2000-12-08 Thread Anonymous

HONG KONG--Siemens has a solution for people who constantly forget computer 
passwords: a mouse that recognizes fingerprints. 

Called the ID Mouse, the device uses biometrics to take advantage of the unique 
features of people's fingerprints. German electronics maker Siemens, which showed off 
the ID Mouse this week at the ITU Asia Telecom 2000 fair, said the device works by 
allowing pre-authorized people to retrieve information from their PCs or laptops. 

By lightly tapping the fingertip sensor located at the top of the mouse, the device 
verifies the fingerprint against reference templates already input into the PC's 
system. Once a fingerprint is authenticated, the person can then access the PC's main 
operating system. 

Siemens is one of numerous companies headed in the direction of using unique features 
for identification. 

The mouse is powered by 65,000 sensing elements on the 0.25 square-inch fingertip chip 
that enables the device to scan and capture the fine details of a fingerprint. The 
system is so sensitive that it will recognize an authorized person even if there is a 
cut on the fingertip. 

For added security, if the mouse user takes a break, the screensaver is activated 
until the person touches the ID Mouse again. 

Other than that, the ID Mouse operates just like any Microsoft mouse. It has a wheel 
scroll for navigation and requires at least Microsoft Windows 98 and a USB connection. 

This week's conference is the International Telecommunications Union's 23rd telecom 
show since its 1971 debut in Geneva. The six-day fair, which ends Saturday, took place 
in Hong Kong this year and was expected to attract at least 50,000 visitors from more 
than 50 countries. 

Singapore.CNET.com's Priscilla Wong reported from Hong Kong.




Microsoft banned from security email list

2000-12-08 Thread Nomen Nescio

By Stephen Shankland
Staff Writer, CNET News.com
December 8, 2000, 1:05 p.m. PT
URL: http://news.cnet.com/news/0-1003-200-4062758.html 

The administrator of a popular computer security mailing list banned postings from 
Microsoft on Thursday after the company stripped detailed information out of its 
advisories, but a compromise is likely on the way. 

Microsoft last week pared down the security warnings it sends by email to the Bugtraq 
and NT-Bugtraq mailing lists as well as to 130,000 other subscribers who want to know 
about vulnerabilities and fixes to Microsoft software, said Scott Culp, Microsoft's 
security program manager. Instead, the emails include a link to a Web page with 
additional details. 

Microsoft made the change so customers get the most up-to-date and accurate 
information rather than potentially out-of-date news from an archived email. "The goal 
is to make sure the information is as useful as it can be, it's timely, and it's 
accurate," he said. 

But he acknowledged Microsoft still must send new email out if the Web site changes. 

Bugtraq moderator Elias Levy thought the change was a step in the wrong direction. "I 
will no longer be approving any advisories with little or no content that point you to 
some other place for information," he said in a posting Wednesday. The change meant 
information is a step farther away, not archived and available in a single central 
source that might not always be available, he said. 

The dispute marks another chapter in the sometimes rocky relationship between 
Microsoft and security experts. While outside programmers often find problems with 
Microsoft's software, sometimes they earn Microsoft's ire by publishing the 
vulnerability before Microsoft has time to fix it. 

Levy wasn't the only one to complain. In a note Friday, programmer Forrest Cavalier 
voted to resurrect the older format, saying Microsoft has been known to move Web pages 
so older addresses no longer work. "There was a time that Microsoft URLs had a 
half-life of a few months," he said. 

Russ Cooper, moderator of a different security mailing list called NT-Bugtraq, 
applauded Microsoft's change. "It's very easy to have conflicting information about the 
scope of a vulnerability depending on which email version of the bulletin you're 
looking at," he said in a Wednesday posting. 

Culp, who spoke Friday with Levy at a Microsoft security conference, said Microsoft 
expects to change the format of the advisories to compromise. "There's a trade-off 
between how often can you send the (advisory) vs. the extra step of going to the Web 
page. Somewhere in there is a middle ground," Culp said. 

Levy began posting text versions of the Microsoft Web pages, but he said Microsoft 
told him "in no uncertain terms" that reproducing the information "would be considered 
an act of copyright violation." 

"So until Microsoft changes their policy or changes their email bulletins back to the 
old format, you won't see them on the list," Levy said. 

Microsoft is seeking email comment on the new advisory format. About 1,500 people so 
far have sent their opinions to the [EMAIL PROTECTED] email address, he said. 

Levy couldn't be reached for comment today. 

Another change that comes with the new format is that Microsoft can track who is 
reading its Web advisories through the use of invisible tracking software called Web 
bugs, according to Privacy Foundation chief technology officer Richard Smith, who 
noted that he didn't see that as "a big deal." 

"One thing that Microsoft is learning here is what bulletins people consider 
important," he said in a posting to Bugtraq. "With the older format, where all the 
info was in an email message, they did not get this feedb




NYT:The Nexus of Privacy and Security

2000-12-08 Thread Anonymous

By JOHN SCHWARTZ
 

REDMOND, Wash., Dec. 7 -- Trust us. Please? 
That is the message from leaders of high-technology businesses and advocacy groups at 
SafeNet 2000, a Microsoft-sponsored conference on computer security and privacy. 
The stated purpose of the conference, which opened here today, is to reach a consensus 
on issues like when and how to publicize vulnerabilities in a vendor's software -- 
like, say, Microsoft's -- that could compromise privacy or data security. 

But the freewheeling panel discussions today touched on all the major policy issues 
facing high technology companies. And it showed, as Microsoft's chairman, William H. 
Gates, said in a keynote address, that privacy and security "are tied together in a 
very deep way." 
Announcing a Microsoft initiative on consumer privacy, Mr. Gates said the next version 
of the company's Internet Explorer software for browsing the Internet would 
incorporate a technology that could make it easier to ascertain the privacy policies 
on Web sites. 

The conversation at the conference was remarkably frank, and sometimes quarrelsome. In 
a discussion of privacy issues, Nick Mansfield of Shell Services International, a 
computer services subsidiary of the Royal Dutch/Shell Group, praised consumer privacy 
rules passed by the European Union and said that in contrast, "I don't see anything 
intelligent in the privacy field in North America." 
The comment elicited a murmur of irritation in the packed meeting room, but a few 
minutes later, Microsoft's own chief privacy officer, Richard Purcell, said much the 
same thing. Consumers, he said, merely see an industry that is squabbling over 
position in the market, not one that is moving forward with any coherence on privacy 
issues. 

"How do we get to that vocabulary, that purpose and that channel of communication," he 
asked, "that assures consumers that we aren't a lot of evil-headed monsters?" 
It was notable, though little remarked by the attendees, that the conference's host 
has often been at the center of the privacy and security debate. Some of the most 
prominent computer virus attacks, including the "I Love You" program started early 
this year in the Philippines and the Melissa program last year, took advantage of the 
vulnerability of Microsoft's wares and their near-ubiquity around the globe. 
Some who did not attend the conference were not so gentle. "The irony of it is 
amazing," Jeff Bates, editor of the online technology news site known as Slashdot, 
said in an e-mail interview. He accused Microsoft of being "a company that leaves me 
vulnerable to security holes so that it can make my screen look prettier." 
Others at the conference noted that one of the meeting's goals -- to come up with 
standard procedures for reporting software flaws -- would serve Microsoft well, since 
it has long been the victim of "gotcha" announcements that describe bugs before the 
company has had a chance to fix them. 

A former hacker who goes solely by the name of Mudge, who now works as a security 
consultant, defended Microsoft for having changed since the days when he and his 
friends would gleefully publish examples of its software flaws on the Internet. "There 
was a time when they would treat an information release quite differently," he said, 
by trying to sweep the problem under a rug. In recent years, Microsoft has poured 
money and personnel into responding to bugs, and has improved its relations with those 
who publicize them, Mudge said. 

Describing the new privacy features in Internet Explorer, Mr. Gates said they would 
let consumers decide what level of privacy protection they need -- whether, for 
example, the machine should accept cookies, the software deposited in consumers' PC's 
by Web sites to track visitors. The system, known as Platform for Privacy Preferences 
Project, or P3P, has long been under independent development. 
But the announcement means that Microsoft is pulling back from a simpler approach to 
giving consumers more control over their cookies by letting them block all "third 
party" cookies, those originating from sites other than the one that the Web surfer is 
visiting. Such cookies irk many privacy advocates, who say that they expose consumers 
to scrutiny by advertising firms, for example, without their knowledge or consent. 
On the security side, Mr. Gates said Microsoft, which suffered an embarrassing series 
of hacker intrusions in October, had been trying to act as a model for other companies 
by instituting a pilot program using "smart cards" to restrict access to the inner 
workings of the company's computer networks. The project put the cards into the hands 
of about 1,000 system administrators, who must insert them into special readers on 
their computers to make any changes on the company's networks. 
Barry Steinhardt of the American Civil Liberties Union said the example showed the 
frequent tension between privacy and security, since the technology allows a 

Personal Firewalls Fail the Leak Test

2000-12-08 Thread Nomen Nescio

By Brian McWilliams 
In an attempt to show that personal firewalls may afford their users little protection 
against serious threats, a respected PC security expert has released a new software 
tool that pokes holes in many of the leading desktop security packages. 

Security-conscious Internet users, especially those on broadband connections, have 
made desktop firewall software into a booming business for companies like Symantec and 
Network Associates. But according to Steve Gibson, president of Gibson Research, 
almost all of these utilities only provide "pseudo protection" against attacks. That's 
because they put most of their effort into blocking incoming hacker attacks, while 
paying only scant attention to what he calls internal extrusion. 

"I really believe the problem of software in your computer misbehaving is much bigger 
than the problem of hacker attacks. Most people don't have any vulnerabilities; 
there's nothing a hacker can do to you. So I argue against the necessity of any kind 
of inbound blocking tool," said Gibson. 

To prove his point, Gibson has developed a free utility called LeakTest. The 27-Kbyte 
program is a trojan-horse/spyware simulator that attempts to slip past a personal 
firewall's defenses and connect to a server on the Internet. 

Not surprisingly, popular intrusion detection programs like BlackIce Defender from 
Network Ice fail to catch the outgoing connection and report it to the user. But more 
disturbingly, several firewalls that claim to offer outbound detection are also fooled 
by LeakTest. Among them are the best-selling Norton Personal Firewall and McAfee Firewall. 

Both are among a small number of desktop firewall programs that attempt to address the 
problem of unauthorized outbound leakage, but Gibson says they fall short and can be 
easily fooled or bypassed because they come pre-programmed to allow some applications 
to pass through the firewall. 

"This idea of allowing all these apps pre-approval is ludicrous. It's trivial to get 
permission out of the firewall without notifying the user," said Gibson, who observed 
that only one firewall, Zone Labs' ZoneAlarm, prevents malware from masquerading as a 
trusted program. 

"They do a cryptographic signature of the programs you're allowing. That's not hard to 
do, but they're the only ones who do it," he said. 

Tom Powledge, Symantec's product manager for Norton Internet Security, said the risks 
outlined by Gibson are low if users are running both a firewall and anti-virus 
software. And he said Symantec knows of no instances of programs that specifically 
target Norton Personal Firewall, which is shipped with NIS. 

But in response to Gibson's critique, Symantec plans to revise the application 
integrity checking feature in NIS, with an update available to users over Live Update 
by early next week. In the meantime, Powledge said concerned users can turn off 
automatic firewall rule creation. 

Judging by comments on the LeakTest message board at Gibson's site, plenty of users 
are concerned about the newly exposed porosity of their favorite firewall software. 
But Symantec's Powledge said their fears could have been avoided if Gibson had given 
vendors the customary advance notice before releasing LeakTest. 

"We were seeing no concern about this, and no exploits have been written. And while 
this makes customers aware of a potential issue, it also makes hackers aware," said 
Powledge. 

But Gibson, who had an earlier run-in with RealNetworks over the privacy behavior of 
its RealDownload product, said he's learned that unless pressure is brought to bear, 
companies are resistant to change. 

"These firewalls are not going to get better unless there's someone saying and able to 
prove -- and to enable the user to prove -- that these things are junk." 
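The check the article attributes to ZoneAlarm, keying an outbound rule on a fingerprint of the approved program's bytes rather than on its name, alongside the name-only rule that LeakTest defeats. This is an added example, not code from the article, from Gibson Research or from any firewall vendor; it assumes a SHA-256 file hash as the fingerprint (the article does not say how ZoneAlarm computes its per-program signature) and uses constructed stand-in "executables" written to a temporary directory in place of real binaries.

```python
import hashlib
import os
import shutil
import tempfile


def fingerprint(path: str) -> str:
    """SHA-256 of the file's bytes, pinned per approved program.
    Assumption: a plain hash stands in for the per-program 'cryptographic
    signature' the article mentions; ZoneAlarm's actual construction is not given."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _key(path: str) -> str:
    """Normalise the path so the same executable always maps to one rule."""
    return os.path.normcase(os.path.abspath(path))


class NameBasedFirewall:
    """Outbound rule keyed on executable path only: what a pre-approved app list gives you."""

    def __init__(self):
        self.allowed = set()

    def approve(self, path):
        self.allowed.add(_key(path))

    def permits_outbound(self, path):
        return _key(path) in self.allowed


class FingerprintFirewall:
    """Outbound rule keyed on the path AND the hash of the bytes at approval time."""

    def __init__(self):
        self.allowed = {}

    def approve(self, path):
        self.allowed[_key(path)] = fingerprint(path)

    def permits_outbound(self, path):
        pinned = self.allowed.get(_key(path))
        return pinned is not None and pinned == fingerprint(path)


def run_masquerade_demo():
    """Constructed scenario: a 'browser' is approved, then a 'trojan' copies itself
    over the approved path (the LeakTest trick: borrow a trusted program's name).
    Returns, per step, the (name-based, fingerprint-based) decisions."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        browser = os.path.join(d, "browser.exe")   # hypothetical trusted app
        trojan = os.path.join(d, "leaktest.exe")   # hypothetical leak tester
        with open(browser, "wb") as f:
            f.write(b"MZ genuine browser build 1.0 (constructed sample)")
        with open(trojan, "wb") as f:
            f.write(b"MZ program that wants to phone home (constructed sample)")

        by_name, by_hash = NameBasedFirewall(), FingerprintFirewall()
        for fw in (by_name, by_hash):
            fw.approve(browser)  # the user clicks "always allow" for the browser

        results["genuine_browser"] = (by_name.permits_outbound(browser),
                                      by_hash.permits_outbound(browser))
        # An unknown program under its own name: both firewalls stop it.
        results["trojan_own_name"] = (by_name.permits_outbound(trojan),
                                      by_hash.permits_outbound(trojan))
        # Masquerade: the trojan replaces the approved executable in place.
        shutil.copyfile(trojan, browser)
        results["trojan_as_browser"] = (by_name.permits_outbound(browser),
                                        by_hash.permits_outbound(browser))
        # Caveat: a legitimate upgrade also changes the hash, so the fingerprint
        # firewall must re-prompt rather than silently carry the old approval over.
        with open(browser, "wb") as f:
            f.write(b"MZ genuine browser build 1.1 (constructed sample)")
        results["browser_after_upgrade"] = (by_name.permits_outbound(browser),
                                            by_hash.permits_outbound(browser))
    return results


if __name__ == "__main__":
    for step, (by_name, by_hash) in run_masquerade_demo().items():
        print(f"{step:22s} name-based={by_name!s:5s} fingerprint={by_hash}")
```

The last step is the operational cost of the stronger check: every patch to an approved program invalidates its rule, so the firewall has to ask the user again (or accept a new fingerprint through some trusted channel) instead of re-creating the rule automatically, which is the "automatic firewall rule creation" behaviour Symantec suggests switching off above.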






RE: Signatures and MIME Attachments Getting Out of Hand

2000-12-08 Thread Tim May

At 10:14 AM -0500 12/8/00, Trei, Peter wrote:

   File: SMIME.txt

  
Sean writes:

ASCII plain text *is* The Way.  But guess what, PGP/MIME *is* plain text.
You can even parse it with your eyeballs.


Sean: Guess what: Your message comes as an attachment, which I have
to open separately.

Peter

By the way, the same problems with MIME, HTML, attachments, etc. are 
hitting the Newsgroups as well. Some of the newsgroup folks are 
posting reminders (from charters, FAQs) not to do this.

Here's one I just saw in the comp.lang.ruby group:

"  (a) General format guidelines:

 - Use *plain* text; don't use HTML, RTF, or Word.
 - Include examples from files as *in-line* text; don't
   use attachments.
 - PLEASE NOTE! Include quoted text from previous posts
   *BEFORE* your responses. And *selectively* quote as much
   as is relevant.
"


Good advice for our list as well.


--Tim May
-- 
(This .sig file has not been significantly changed since 1992. As the
election debacle unfolds, it is time to prepare a new one. Stay tuned.)




Re: Knowing your customer

2000-12-08 Thread Ken Brown

"R. A. Hettinga" wrote:

[...]

 
 I am not, of course, a banking lawyer, but I certainly hang out with enough
 of those folks these days, I've certainly had enough of this stuff shoved
 into my head over the years, and, I expect that to get a bank account
 without a Social Security number in most states of the US, you probably
 need to prove that you are indeed a foreign national, *and* provide a valid
 passport as proof of same, and that, frankly, the passport number would be
 used *somewhere* as a proxy for SSN where possible.


I manage to pay some US income tax (on some share dividends) without
ever having a US SSN. They seem happy not to identify you when they are
taking your money.  Funny that :-)

[...]

 Modern nation-states have bound up so much of their regulatory and tax
 structure into book entry settlement, that it is very hard, more probably
 impossible, to get a bank account in this country without being completely,
 positively, whatever that means, identified -- biometrically identified, if
 it were cheap enough, and certainly with a state-issued identification
 number.

UK domestic bank accounts usually require some proof of ID, though not
our equivalent of your SSN (the "national insurance number" - I suspect
most people don't know theirs, but it is printed on every payslip and is
probably hard to keep secret). There is no official government ID in the UK,
except for passports, which of course many people have not got. 

Banks are very keen on proof of address, they ask to see "official"
letters (like the gas bill - or an account from another bank) addressed
to your name at your house. In fact it is all but impossible to get a
bank account without a permanent address. As these days many employers
only pay wages through bank accounts... well, that's just one of the
reasons the number of homeless people in London went steadily up during
the 1980s and early 1990s, when employment and prosperity were increasing
and the value of welfare benefits was falling.

[...]

Ken