arachne-digest Tuesday, January 11 2000 Volume 01 : Number 936 ---------------------------------------------------------------------- Date: Mon, 10 Jan 2000 13:07:42 -0800 From: Clarence Verge <[EMAIL PROTECTED]> Subject: Re: no packet driver found Guenter Bietzig wrote: > > Now let's make some tests what's going on in the COMPAQ. > > 1. Let see what the COMPAQ does with your COM-ports. > > - Start your machine to pure DOS. > - type 'debug' (it's in the DOS subdir) > - type 'd0:400' CR > > you get some lines with hex numbers. We only need the first line: > > 0000:400 F8 03 F8 02 00 00 00 00.............. > ----- ----- ----- ----- > ^ ^ ^ ^ > ADDR. COM1 COM2 COM3 COM4 > > Please check what port-address you get in which position. > > 2. Let see what the COMPAQ does with software interrupt 60h > to load the packet driver. > > - Start your machine to pure DOS. > - type 'debug' (it's in the DOS subdir) > - type 'd0:180' CR > > you get some lines with hex numbers. We only need the first line: > > 0000:180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > ----------- ----------- ----------- ----------- > ^ ^ ^ ^ > ADDR. Int60h Int61h Int62h Int63h > > If there are all zero in it, these interrupts are free, otherwise > they are used by the COMPAQ :-(( > -------------- > <> > Arachne loads the packet driver, if used by the machine or not, to INT60h. > > Regards Nice to see your work again Guenter ! - - Clarence Verge - -- - - Help stamp out FATWARE. As a start visit: http://home.arachne.cz/ - -- ------------------------------ Date: Mon, 10 Jan 2000 11:33:40 -0800 From: "Jim Varnum" <[EMAIL PROTECTED]> Subject: Re: Secure web sites Hi Sam... On Mon, 10 Jan 2000 11:44:44 +0100, Sam Heywood wrote: > Information I found at both sites was very interesting. Both sites speak > of public and private keys. Here is what I don't understand: > If I should encrypt a message by using a public key, and then transmit the > message to you, then there is nothing secret about it, because the key is > publicly available. On the other hand, if I should encrypt a message > by use of a private key, and if only you and I know what our private key is, > then we can encrypt and decrypt secret messages to each other. A public key > has no security value whatsoever. Oooops. This isn't how it works exactly. This is called 'asymmetrical encryption'. The public/private thing works like this: 1. You request a key set from the encrpyption program. 2. It generates 2 keys, 1 public and 1 private. 3. The important thing is that a message encrypted with one key can ONLY be decrypted with the other. So: 4. You make your public key known to all. (that's why you see PGP public key info in many peoples signatures) 5. If someone wishes to send you an encrypted message they simply use your Public Key to encrypt it. Remember, anything encrypted with a public key can only be decrypted with your private key. The fact that everyone on the net may have access to your public does not matter. 6. You receive the message and decrypt it with you private key. Obviously you keep your private key VERY private. Likewise, if you want to reply to the sender, you would encrypt the message with THEIR public key. If the key generating function is sound then the security of encryption is a function of the key length. That is, an 8 bit key could be broken by brute force within 256 tries. Therefore, a 128 or 256 bit key is very strong as it would take alot of very powerful computers a long time to brute force the code. Some asymmetrical techniques allow back doors (like the law enforcement access field 'LEAF' in Clipper) something to think about. Recently M$ was in the hotseat when it was discovered that their key generator actually generated a THIRD key called the NSA KEY. Hmmmm. One other point to consider. Because of the 'strength' of modern asymmetrical encryption techniques, even a relatively short key can prove sufficient. The question to ask yourself is: How important is the data I want to encrypt? If it is a credit card number encrypted with a 128 bit key it would likely take a hacker with a room full Pentiums a few years to break. Just to find that you only had $1000.00 left on your credit card?? That wouldn't even cover the cost of the electricity to crack the card number. (the card would've expired by then anyway wouldn't it?) All of the above speaks to the technique of asymmetrical encryption only. I personally don't buy things on the net and have no experience with SSL so I can't comment on the security of that layer. Is it possible to sniff the data before it's encrypted? I tend to doubt it but I don't know. Jim > The best method of transmitting secret messages would involve only the sender > and the receiver having a copy of a unique randomly generated key. A > somewhat less secure, but fairly good method of transmitting secret messages > would involve the sender and the receiver agreeing to use a secret password, > a pass phrase, or a certain passage from a book to be used as a key for > encryption/decryption. No parties other than sender and receiver would have > knowledge as to whatever string of characters had been agreed upon for use as > a ciphering key. This is called symmetrical encryption (like one-time pads) and can be frighteningly secure as long as both parties gain access to the key without leaking it. But it brings up an important point that I totally neglected to mention. Asymmetrical encryption is ver processor intensive when encryting or decrypting messages. To improve efficiency when dealing with long messages, it is common to actually encrypt the message using 'Symmetrical' encryption and then to encrypt the Symmetrical Key with Asymmetrical encryption. That way the faster technique is used to encrypt the long message and the Asymmetrical technique to encrypt the key. Now you have the best of both worlds....Both parties use the same key while having a secure way to transmit it. I hope this helps. Jim - -- Arachne.....Registered.....Life doesn't get any better!! - -- Pixel32.....Registered.....OOPS!, Life just got better!! ------------------------------ Date: Mon, 10 Jan 2000 20:41:22 +0100 (CET) From: [EMAIL PROTECTED] (Richard Menedetter) Subject: Re: Secure web sites Hi "Samuel W. Heywood" <[EMAIL PROTECTED]> wrote: SH> Information I found at both sites was very interesting. Both sites speak SH> of public and private keys. Here is what I don't understand: OK ... first some general remarks. (please forgive my bad english - as you know I'm no native english speaker) In asymmetrical cryptography (PGP,SSL) a key consists of 2 parts: a private/secret part and a public part. The public part is known, and can be distributed and the secret key is known only by the owner. (and is usually protected by a password) The 2 parts form a BIG prime number. The crypto effect is that is is much easier to multiply 2 numbers, than to get the prime factors from the result of that multiplication. SH> If I should encrypt a message by using a public key, and then transmit SH> the message to you, then there is nothing secret about it, because the SH> key is publicly available. NO ... first you generate a session key. (randomly ... here is a point where you could possibly compromise the whole thing, if the RNG is deffective, eg the numbers are not well distributed) Than you take the newly generated session key, and apply the public key of your partner to the public part of your key. This can only be decrypted by anybody, who knows the _SECRET_ part of your partners key. Your partner sends answers back using the public part that you sent to him encrypted just before. These answers can only be decrypted with the secret part of the session key, that you have generated. SH> On the other hand, if I should encrypt a message by use of a private SH> key, and if only you and I know what our private key is, then we can SH> encrypt and decrypt secret messages to each other. A public key has no SH> security value whatsoever. You don't understand the asymmetrical crypto scheme. NEVER EVER give away you're secret key. ONLY YOU need it. GIVE away you're public key. Others need it to send crypted messages to you. SH> The best method of transmitting secret messages would involve only the SH> sender and the receiver having a copy of a unique randomly generated key. yes ... this is what SSL does. SH> What I mean to say here is that I cannot think of any method by which SH> sender and receiver can transmit secret messages to each other over SH> public SH> channels of communication with any reasonable level of security unless SH> both parties have previously agreed on an encryption/decryption key. See above ... I'm no crypto expert ... but if there would be a serious security flaw, than this would have been revealed loooooooooong time ago. The biggest problem is the extreme st*pidness of the american government conecrning crypto regulation. American programs which are exported can only use 40 bit keys. These are very insecure. Inside of the US and programs not made in the US use 128 bit keys, wich are secure ... PS: Rumour has it, that the USA government will drop these stupid crypto export regulations. (because they compomize free market, because US companys can't sell strong crypto to the rest of the world, while non US companies can) SH> Sam Heywood CU, Ricsi - -- Richard Menedetter <[EMAIL PROTECTED]> [ICQ: 7659421] {RSA-PGP Key avail.} - -=> Beware of the opinion of someone without any facts <=- ------------------------------ Date: Mon, 10 Jan 2000 21:11:07 +0100 (CET) From: [EMAIL PROTECTED] (Richard Menedetter) Subject: Re: Long filenames howto ? Hi "Rebel" <[EMAIL PROTECTED]> wrote: >> FAT16 doesn't have LFN - it's a work around that M$ has invented. R> Do you mean that FAT16 doesnt allow longfilenames? R> It's not true: even under FAT12 (3,5" floppy) you can have longfilenames. FAT16 does not support LFN !! There is an extension to it called VFAT (Virtual FAT) which uses HDD Label entries to store LFN on a FAT partition. R> Rebel CU, Ricsi - -- Richard Menedetter <[EMAIL PROTECTED]> [ICQ: 7659421] {RSA-PGP Key avail.} - -=> Daddy, what does FORMATTING DRIVE C: mean? <=- ------------------------------ Date: Mon, 10 Jan 2000 21:33:20 +0100 (CET) From: [EMAIL PROTECTED] (Richard Menedetter) Subject: Re: Secure web sites - -----BEGIN PGP SIGNED MESSAGE----- Hi Bernie <[EMAIL PROTECTED]> wrote: B> IIRC I "illegaly" downloaded the US version of Netscape 3.04G ;) Why not use fortify ?? www.fortify.net They are from Australia, and patch the NS.exe. (sourcecode can be downloaded for the paranoid :) I hope that Michael implements SSL into Arachne sooner or later. B> //Bernie CU, Ricsi PS: I sign this message to show those of you who don't know how a PGP-Sig looks like. - - -- Richard Menedetter <[EMAIL PROTECTED]> [ICQ: 7659421] {RSA-PGP Key avail.} - - -=> Avoid criticism - say and do nothing <=- - -----BEGIN PGP SIGNATURE----- Version: 2.6.3in Charset: noconv iQB1AwUBOHpeOeNavxmgmcTtAQHmJAMAi24TZn+jmTXm3kCFq9FgCsOCq6PnV6a9 atvsufCLN+GkmSp67Dcn14XGpKVughEv3hk66RIuu12wU66TX6LdqAEOvVjwj9tP PAkCY5APTnCUqRlqu6WcxetLccSNxdKq =I0Df - -----END PGP SIGNATURE----- ------------------------------ Date: Mon, 10 Jan 2000 19:51:00 +0000 From: "Mel Evans, Registered Arachne User" <[EMAIL PROTECTED]> Subject: Re: Secure web sites Hi Gangue, I beleive that most of the https:// sites are for SSL use by credit cards companies. In actual fact, you are probably relying on "Chase-Manhattan" or "Bank of Scotland" certifying they will not do anything naughty on such a site, or that they will refund anything that IS naughtily done rather than a real security set-up. It's not that much different from using a Credit Card in a shop, you rely on the integrity of the shop, the shopkeeper and the processing bank to see you are not defrauded. The main problem is that I could set up a site that looks as if I could be a multi-million dollar company, when in reality I have a corner of a shack in a junkyard somewhere, and total assets of a couple of hundred dollars. How would you know from the website? Caveat Emptor! Let the buyer beware! Regards Mel Visit http://www.santamail.freeserve.co.uk/santa.htm to send a note to Santa Arachne, the Internet Suite and Browser for DOS, supports tables, graphics, animations, forms, HTML 4.0 Transitional Pages and more. Visit Mel's UK Arachne Pages for details and FREE Download. Kick-start a 386/486 with Arachne, or use on a Pentium! http://www.arachne4dos.freeserve.co.uk e-mail to: [EMAIL PROTECTED] or: [EMAIL PROTECTED] http://www.bccscotland.freeserve.co.uk Web Pages of |British Caravanners Club, Scotland| http://www.euramcom.freeserve.co.uk Mel's Ham Radio Equivalents Pages ------------------------------ Date: Mon, 10 Jan 2000 21:44:30 +0100 (CET) From: [EMAIL PROTECTED] (Richard Menedetter) Subject: Re: Secure web sites Hi "Mel Evans, Registered Arachne User" <[EMAIL PROTECTED]> wrote: MU> In actual fact, you are probably relying on "Chase-Manhattan" or "Bank MU> of Scotland" certifying they will not do anything naughty on such a MU> site, or that they will refund anything that IS naughtily done rather MU> than a real security set-up. SSL only encrypts the data which is sent. What the recipient does with it, is can't be supervised by SSL. MU> The main problem is that I could set up a site that looks as if I could MU> be MU> a multi-million dollar company, when in reality I have a corner of a MU> shack in a junkyard somewhere, and total assets of a couple of hundred MU> dollars. How would you know from the website? Generally you can't, because you need to get certified. Ie. your key gets signed by a known Certification Authority. (eg VeriSign) If it is not signed, than the browser tells you immediately, that this site is NOT trusted ! MU> Regards MU> Mel CU, Ricsi PS: Michael if you implement SSL, you could also add S/MIME. (this is SSL for emails ;)) - -- Richard Menedetter <[EMAIL PROTECTED]> [ICQ: 7659421] {RSA-PGP Key avail.} - -=> Don't look a gift horse in the mouth <=- ------------------------------ Date: Mon, 10 Jan 2000 22:27:10 +0100 (MET) From: Bernie <[EMAIL PROTECTED]> Subject: Re: Secure web sites Mel wrote: >The main problem is that I could set up a site that looks as if I could be >a multi-million dollar company, when in reality I have a corner of a >shack in a junkyard somewhere, and total assets of a couple of hundred >dollars. How would you know from the website? Yes, some people did this in my neighbourhood. They got a nice website up with a name resembling a well known company (apparently, I had never heard of it) and soon people was stupid enough to pay them in advance. Never did find out what happened to them. Would have been interesting not to travel across the entire city just to see what the latest and coolest (which I never buy anyway) is. //Bernie http://hem1.passagen.se/bernie/index.htm DOS programs, Star Wars ... ------------------------------ Date: Mon, 10 Jan 2000 16:59:17 -0800 From: Clarence Verge <[EMAIL PROTECTED]> Subject: Re: Secure web sites Petri wrote: > > You only need to exchange public keys with SSL, and because they are > public, it doesn't matter if thousands of people can see them - they are > still secure. Not so with secret-key systems. > > Hope you (and the other Arachnids) understand it better now =) Hi Petri; This Arachnid needs to understand the relationship between your "public" key and your "private" key before the above will sound secure. Are you saying that you can generate a public key from your private key and any information encrypted with that public key is secure because it can only be decrypted by YOUR private key ? If someone has your public key AND the original material they intend to encrypt AND the encrypted result plus an understanding of the encryption process, do they not then have enough information to generate a copy of your private key ? Or, is that private key used ONLY ONCE ? If the answer is yes to all three, then I guess I understand. - - Clarence Verge - -- - - Help stamp out FATWARE. As a start visit: http://home.arachne.cz/ - -- ------------------------------ Date: Mon, 10 Jan 2000 17:07:50 -0800 From: Clarence Verge <[EMAIL PROTECTED]> Subject: Re: Blank screen on inbox Mark David Roth wrote: > > I'm using Arachne v1.50 SRC. I'm getting a blank screen on my inbox. > Anybody know how to fix that? Hi Mark; It sounds like a path problem to me. I seem to remember that there were some path errors in src due to the new directory structure. The errors could be in mime.cfg or in some of the .ah and .htm files. Sorry I can't be more help but I use 1.50b2. - - Clarence Verge - -- - - Help stamp out FATWARE. As a start visit: http://home.arachne.cz/ - -- ------------------------------ Date: Mon, 10 Jan 2000 17:02:22 -0800 From: Clarence Verge <[EMAIL PROTECTED]> Subject: Re: Oldies but goodies [was Re: HIMEM.SYS, are there different versions? Gregory J. Feig wrote: > > Clarence.......I have the complete "Programmers Tool Kit" package for > Zenith DOS, which I believe is MSDOS 3.31.....and it includes ALL > the BIOS and DOS source files.......are you interested in something > like this......????? Hi Gregory; YES. I am very interested. How big is it ? - - Clarence Verge - -- - - Help stamp out FATWARE. As a start visit: http://home.arachne.cz/ - -- ------------------------------ Date: Mon, 10 Jan 2000 17:15:02 -0800 From: Clarence Verge <[EMAIL PROTECTED]> Subject: Re: how to generate oriental fnt? shenen wang wrote: > > I read FAQ and use ttf2fnt to convert windows's chinese True Type font to fnt > format. It did generate lots of .fnt files, but what's next? arachne -f seems > not work. Hello Shenen; I would like to help you but I have a similar problem trying to generate new fonts and I haven't had time to figure out the correct procedure. Maybe someone else will step in here and help us both. <g> - - Clarence Verge - -- - - Help stamp out FATWARE. As a start visit: http://home.arachne.cz/ - -- ------------------------------ Date: Mon, 10 Jan 2000 23:19:07 +0100 (CET) From: [EMAIL PROTECTED] (Richard Menedetter) Subject: Re: Secure web sites Hi Clarence Verge <[EMAIL PROTECTED]> wrote: >> You only need to exchange public keys with SSL, and because they are >> public, it doesn't matter if thousands of people can see them - they are >> still secure. Not so with secret-key systems. CV> This Arachnid needs to understand the relationship between your "public" CV> key and your "private" key before the above will sound secure. They are created at the same time. If you encrypt something with your secret key, the other party needs you public key to decrypt it. Has my letter arrived to the list ?? CV> Are you saying that you can generate a public key from your private key NO ... You generate a public and a private key. (once) CV> and any information encrypted with that public key is secure because it CV> can only be decrypted by YOUR private key ? Yes. CV> If someone has your public key AND the original material they intend to CV> encrypt AND the encrypted result plus an understanding of the encryption CV> process, do they not then have enough information to generate a copy of CV> your private key ? No CV> Or, is that private key used ONLY ONCE ? no CV> - Clarence Verge CU, Ricsi - -- Richard Menedetter <[EMAIL PROTECTED]> [ICQ: 7659421] {RSA-PGP Key avail.} - -=> Cheerfulness smoothes the road of life <=- ------------------------------ Date: Tue, 11 Jan 2000 02:05:33 +0200 From: Or Botton <[EMAIL PROTECTED]> Subject: Re: Arachne on TV and arcademachine [SCART] Ben Hood wrote: > That would be either the 75 ohm coaxial antenna cable, or the RCA > "Audio/Video" sockets. AFAIK The 75 ohm socket is a PAL-only > cable/socket. Its the 75 ohm coaxial antenna 'in' plug. But one of the 2 TV sets has the RCA A/V plugs. Also, I remember that one of the "conversion" cables that I have has a RCA A/V plus in one side, and a SCART plug on the other side.. I wonder if I can use that cable to add a SCART plug to my TV? > > Didn't we have these discussions not long ago? Yep we did. Though I think it was on the SurvPC list. (Well, etleast this time I got the answers! ;) Or Botton [EMAIL PROTECTED] - - "Truth is stranger than fiction, because fiction has to make sense." - ----------------------------- http://members.xoom.com/dsdp/ ------------------------------ Date: Tue, 11 Jan 2000 00:08:29 +0100 (CET) From: Michael Polak <[EMAIL PROTECTED]> Subject: Re: wooooooooooow !!!! On Sat, 5 Jan 1980, Mel Evans, Registered Arachne User wrote: > Hi Michael and gangue, > > Sounds good V1.60! > > I like the idea of a "real" cut and paste in the text area if it can be > done, even more if it would cut and paste between applications as well! > and not just inside Arachne, but I suppose you can't have everything, > not at once anyway. Arachne cuts and pastes using clipboard stored in file called "clip.txt" But there is still some delay... - -- http://home.arachne.cz/ (homepage of Arachne, www browser for DOS & Linux) ------------------------------ Date: Mon, 10 Jan 2000 16:23:52 -0400 From: "L.D. Best" <[EMAIL PROTECTED]> Subject: Log Files [was Re: no packet driver found Just a bit more of a note on this ... The log files were developed for troubleshooting and beta testing. They're there to catch mistakes or CYA. That is why, if you use PoP.LOG in your setup, it is overwritten each time you download mail. And that is why, if nothing goes wrong with PPP connection, PPP.LOG is cleaned off your disk when you successfully exit Arachne. I believe the History. lst as currently configured was also set up more for debugging and beta testing than for end-user utility. I'm hoping that 1.60 will have a history list that actually shows you the last place you visited, the place that made you crash in the first place. <G> l.d. ==== On Sun, 09 Jan 2000 18:12:40 -0500, Glenn McCorkle wrote: > On Sun, 26 Dec 1999 12:09:25 +0000, Michael L. Dawley wrote: >> Hello all, >> I am wondering why the file ppp.log is not found on >> a computer that has a successful connection to the >> internet. > PPP.LOG gets deleted when you hangup the connection. > ---from arachne.bat--- > :termin > termin.com 0x60 > del ppp.log > goto end > <snip> > :end > if exist $roura?.bat del $roura?.bat > if exist %ARACHNETEMP%\$roura$.bat del %ARACHNETEMP%\$roura$.bat > if exist %TEMP%\$roura$.bat del %TEMP%\$roura$.bat > if exist *._$b del *._$b > if exist %ARACHNETEMP%\*._$b del %ARACHNETEMP%\*._$b > if exist %TEMP%\*._$b del %TEMP%\*._$b > if exist ip-up.bat del ip-up.bat > if exist ppp.log echo Type 'arachne -u' to terminate SLIP/PPP connection. > if exist lock del lock > echo. > ----------------------------- - -- Arachne V1.50;s.r.c., NON-COMMERCIAL copy, http://home.arachne.cz/ ------------------------------ Date: Mon, 10 Jan 2000 16:45:59 -0400 From: "L.D. Best" <[EMAIL PROTECTED]> Subject: Re: Secure web sites IANAE -- But I think I know how the "secure" websites work. First and foremost the page itself should reside in a password protected area of the server, so no casual hacker can access it and find the encrypt algorithm. Second, all Arachne users have seen the code produced and sent when we feed data to a page & submit it ... it usually overflows the URL line. <G> Well, I play a little game of hangman on-line once in awhile, and I wondered how in the heck the system knew which person trying to figure out which word was sending in a new letter guess. Then I looked carefully at that URL line and discovered that, along with my current guess, the word itself sat up there in encoded form. It's only a simple substitution code, but I haven't bothered to break it because then ALL the fun of the game would be gone. How does that code get to me? When I access the page, a word is chosen at random and is fed to the page I download -- in its encrypted form and as part of the data string that will be sent with each letter guessed. On the server is a decoder which looks at the actual word, and then checks to see if the letter I guessed is correct. If it is, it sends the letter back to my screen rewrite in its proper place; regardless of whether the letter is right or wrong, that letter is removed from the alphabet available for me to select from. On a secure website I would guess that the data I fill in and submit is encoded by some sort of filter program prior to it being sent to the store site's page where most people would expect to find credit card numbers, etc. I would further guess that it is stored in encoded format on the servers, and only decoded when a sales/service rep pulls up the order; that decoding would be done in an entirely different program separate from the website. If I were running such a system, I would have the decoding done at the terminal level and not even have the algorithm used at the server level. Now, my design may actually be better than the current "secure" sites; I can even think of a few additional things I would do to make it more secure. But I think that's the general idea. Bottom Line: The purchaser doesn't encrypt anything. The data supplied is encrypted by the website, or an appropriate link, prior to transmittal to the store accessible network. [insert SWAG disclaimer here] l.d. ==== On Sun, 09 Jan 2000 18:40:35 -0800, Clarence Verge wrote: > Samuel W. Heywood wrote: >> I do not understand how I could encrypt my credit card number, transmit >> the encrypted number, and then have the recipient to decrypt the number >> unless the recipient had a compatible decryption engine and had >> knowledge of the original encryption key (i.e the password or pass >> phrase that I use to encrypt the data). It would seem that somehow >> this kind of thing is what would have to happen when using a "secure" >> web site. How does this kind of "magic" work? > Hi Sam; > I don't know of a site that will provide the details you are looking for, > and, the following is just my own bumble so don't take it as fact. > Surely the simplest method would require that the recipient involved sends > you the encryption key and then you send the encrypted data. > How this prevents someone eavesdropping on the transaction from decrypting > your data is unclear to me because it seems he/she can end up with all the > necessary information. > Like I said. My bumble. > - Clarence Verge > -- > - Help stamp out FATWARE. As a start visit: http://home.arachne.cz/ > -- - -- Arachne V1.50;s.r.c., NON-COMMERCIAL copy, http://home.arachne.cz/ ------------------------------ Date: Mon, 10 Jan 2000 17:09:13 -0400 From: "L.D. Best" <[EMAIL PROTECTED]> Subject: Re: (OT) memory management... was, Load EPPPD on COMPAQ 590 Clarence, I've seen mention of dropping the page frame, and wondered about why UBM should be selected when NOUMB is the default. But when I go to Manifest it clearly shows that the page frame 64K is placed *above* the 1Mb portion of memory. So getting rid of the page frame wouldn't make any addition memory available for loading EPPPD high. l.d. ==== On Sun, 09 Jan 2000 20:24:26 -0800, Clarence Verge wrote: > Glenn McCorkle wrote: >> (Test #5) >> ---Qemm config.sys--- >> rem OPENDOS 7.01 >> DEVICE=C:\QEMM\QEMM386.SYS RAM SH:N ARAM=CB80-CBFF R:1 ST:M >> S=FF00-FFFF UR=1M:80M >> (QEMM386.SYS line split for eMail format) >> device=c:\qemm\dos-up.sys @c:\qemm\dos-up.dat >> DOS=HIGH,UMB >> --------------------- >> Memory Type Total Bytes ( Kbytes ) Available For Programs >> Conventional 655,360 ( 640K ) 644,032 ( 629K ) >> Upper 307,040 ( 300K ) 190,272 ( 186K ) >> High 65,520 ( 64K ) 16,396 ( 16K ) >> Extended 66,060,288 ( 64,512K ) 0 ( 0K ) >> EMS 83,017,728 ( 81,072K ) 82,313,216 ( 80,384K ) >> Largest executable program: 644,016 ( 629K ) >> Total Free DOS memory: 834,304 ( 815K ) >> ------------------------------------------------------------------------ >> You may draw your own conclusions from these tests. >> I'll keep using QEMM. >> ------------------------------------------------------------------------ > You betchur bippy. Me too ! > And you get another 64k if you dump the EMS page frame.<g> > - Clarence Verge > -- > - Help stamp out FATWARE. As a start visit: http://home.arachne.cz/ > -- - -- Arachne V1.50;s.r.c., NON-COMMERCIAL copy, http://home.arachne.cz/ ------------------------------ Date: Mon, 10 Jan 2000 18:19:11 -0400 From: "Samuel W. Heywood" <[EMAIL PROTECTED]> Subject: Re: Secure web sites On Mon, 10 Jan 2000 07:03:19 -0800 (PST), [EMAIL PROTECTED] (Steven Lawson) wrote: <snip> > I can also send out a message and "sign" it (apply my private key to an > authentication header but not encrypt it). Thus, anyone can read the > message, and can verify it's from me by checking the signature against my > public key. Nobody can *modify* my message however, because the > authentication header also contains a unique value calculated off the > content of the message which will change if the message is modified. Digital signature is also another fascinating topic that I understand nothing about. Can anyone please refer me to a web-site to learn more about this subject? Sam Heywood - -- This mail was written by user of Arachne, the Alternative WWW Browser ------------------------------ Date: Mon, 10 Jan 2000 18:10:04 -0400 From: "Samuel W. Heywood" <[EMAIL PROTECTED]> Subject: Re: Secure web sites On Mon, 10 Jan 2000 17:09:51 +0100 (CET), Petri <[EMAIL PROTECTED]> wrote: Hello - Thanks for the dissertation. Please see my comments and befuddlements. >> If I should encrypt a message by using a public key, and then transmit the >> message to you, then there is nothing secret about it, because the key is >> publicly available. > False; only the person with the corresponding SECRET key can read what the > PUBLIC outputs. There is only one "public key" that I know about. It looks like this and everyone either has a copy or can readily generate a copy by recalling the scheme by which the characters are ordered: ABCDEFGHIJKLMNOPQRSTUVWXYZ BCDEFGHIJKLMNOPQRSTUVWXYZA CDEFGHIJKLMNOPQRSTUVWXYZAB DEFGHIJKLMNOPQRSTUVWXYZABC EFGHIJKLMNOPQRSTUVWXYZABCD FGHIJKLMNOPQRSTUVWXYZABCDE GHIJKLMNOPQRSTUVWXYZABCDEF HIJKLMNOPQRSTUVWXYZABCDEFG IJKLMNOPQRSTUVWXYZABCDEFGH JKLMNOPQRSTUVWXYZABCDEFGHI KlMNOPQRSTUVWXYZABCDEFGHIJ LMNOPQRSTUVWXYZABCDEFGHIJK MNOPQRSTUVWXYZABCDEFGHIJKL NOPQRSTUVWXYZABCDEFGHIJKLM OPQRSTUVWXYZABCDEFGHIJKLMN PQRSTUVWXYZABCDEFGHIJKLMNO QRSTUVWXYZABCDEFGHIJKLMNOP RSTUVWXYZABCDEFGHIJKLMNOPQ STUVWXYZABCDEFGHIJKLMNOPQR TUVWXYZABCDEFGHIJKLMNOPQRS UVWXYZABCDEFGHIJKLMNOPQRST VWXYZABCDEFGHIJKLMNOPQRSTU WXYZABCDEFGHIJKLMNOPQRSTUV XYZABCDEFGHIJKLMNOPQRSTUVW YZABCDEFGHIJKLMNOPQRSTUVWX ZABCDEFGHIJKLMNOPQRSTUVWXY >> On the other hand, if I should encrypt a message >> by use of a private key, and if only you and I know what our private key is, >> then we can encrypt and decrypt secret messages to each other. > Wrong; explained above. > If I give you MY public key, and you give > me YOUR public key, we can communicate securely: If you encrypt something > with my public key, only I can read it (only I have access to my SECRET > key). When I reply, I use your public key. Again, only you can read it > with YOUR secret key. This is the strength of public-key crytography, as > used in SSL. With the system I am thinking of, only we and our fellow members of the secret net have access to OUR secret key. Everyone has the same public key, but only we members of the secret net have the private key. With the type of crypto system that I am thinking of, the public key, as shown above, is the same for everyone - everyone including eavesdroppers and spies know how to generate the pubic key. Therefore the public key need not be exchanged because it is already known, and there is nothing secret about it. In my way of thinking, any key needed for crypto purposes and required to be passed somehow among members of the secret communications net is a "private key". It seems a contradiction in terms to refer to a "public key" as one that must be exchanged among the members of the secret net. In the system I am referring to, a code page, conventionally consisting of randomly generated five-letter groups is used by the secret net for encryption and decyption. The messages generated from the code sheet and by using the public key as an overlay are of course also streams of random characters. Messages encoded in this way will totally defy any code-breaking system based on a statistical analysis of the frequency of the occurences of certain character groups. As there is no character substitution involved, and because the characters are all randomized, this method is highly secure. > Authentication is the reverse process - I encrypt something with my secret > key, then you decrypt it with my public key to see if it matches. > This public-key system is what makes SSL works. (of course, the mechanisms > are more complex than this, but this is the part you need to know) > The mathematics behind this is very complex, but it actually works. SSL > *is* safe, works very well, and IMHO should be implemented in every web > browser. =) >> somewhat less secure, but fairly good method of transmitting secret messages >> would involve the sender and the receiver agreeing to use a secret password, >> a pass phrase, or a certain passage from a book to be used as a key for >> encryption/decryption. No parties other than sender and receiver would have >> knowledge as to whatever string of characters had been agreed upon for use as >> a ciphering key. I agree that the method of encrytion described above would not be secure if there did not exist a secure method of exchanging passwords among the members of the secret net. > a) It is much less secure if you do not have a secure way of xchanging > passwords, as is the case with SSL webservers. Besides, you're supposed to > be able to communicate securely per SSL without having to do special key > setup. I still do not understand how data can be exchanged securely without first having exchanged passwords or pass phrases in a secure manner. > b) Only a secure group of people can use it - can't be used in public > systems. >> What I mean to say here is that I cannot think of any method by which sender >> and receiver can transmit secret messages to each other over public channels >> of communication with any reasonable level of security unless both parties >> have previously agreed on an encryption/decryption key. > You only need to exchange public keys with SSL, and because they are > public, it doesn't matter if thousands of people can see them - they are > still secure. Not so with secret-key systems. A secret key system remains highly secure as long as the code page is not compromised. People who use the secret key systems usually will afford themselves even higher levels of security by using a different code page for a different day or hour. Here is one thing that I utterly fail to grasp: Why do we use the term "public key", outside the context of being a key readily available to the public just for the asking, as in the case of the "public key" that I have posted. I think we have different concepts as to what a "public key" is. We are talking about two different things. Hence my difficulty in comprehending the concepts you are presenting. Sam Heywood > Hope you (and the other Arachnids) understand it better now =) - -- This mail was written by user of Arachne, the Alternative WWW Browser ------------------------------ End of arachne-digest V1 #936 *****************************
