Cryptography-Digest Digest #389, Volume #14 Sat, 19 May 01 03:13:01 EDT
Contents:
Re: truth+integrity=sore losers ("Tom St Denis")
Re: closed door example (again with Cloakware) ("Jeffrey Walton")
Re: Questionable security measures (Cloakware!) (John Savard)
Re: Apology to Cloakware (open letter) ("Paul Pires")
Re: What about SDD? (Dennis Ritchie)
Re: wide-trail (David Hopwood)
Re: Censorship Threat at Information Hiding Workshop (NOYB)
Re: Questionable security measures (Cloakware!) ("Jeffrey Walton")
Re: Questionable security measures (Cloakware!) (Samuel Paik)
Re: Comparing two encrypted numbers (Paul Crowley)
Re: How to develop a 64-bit key (Paul Crowley)
Re: Questionable security measures (CIC and Cloakware!) (Crypto Neophyte)
Re: Apology to Cloakware (open letter) ("Matt Timmermans")
Re: People with x86 cpus (please reply) ("Matt Timmermans")
Re: OAP-L3: "The absurd weakness." (HiEv)
----------------------------------------------------------------------------
From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: truth+integrity=sore losers
Date: Sat, 19 May 2001 02:11:15 GMT
"Eric Lee Green" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> On 18 May 2001 17:40:46 GMT, SCOTT19U.ZIP_GUY <[EMAIL PROTECTED]>
wrote:
> > Yes even the government thinks one a fool for telling the truth.
> >To keep most jobs you have to learn the unwritten rules. Bosses
> >seldom like to really hear the truth.
>
> Unfortunately, I wish I'd told the truth last March, when my boss was
> about to sell out his company to a fast-talking con artist. I'd
> visited this con artist's web site for his supposed "computer company"
> and found it to be, uhm, dubious (I mean, it didn't even have
> E-COMMERCE capability -- and this was supposed to be a big-money
> operation?!), and didn't bring my suspicions to his attention because
> I'd already come to the conclusion he didn't want to hear the truth
> (I'd been through this once before, after all, only one year prior,
> when my PREVIOUS employer was bought out).
>
> The con artist eventually got the boot when the investors figured out
> that they were being conned, but by that time it was too late. I do
> wish I had spoken out, though, even though it wouldn't have changed
> anything. At least then I could have legitimately said "I told you
> so" when the inevitable eventually happened.
That's unfortunate. The lesson I learnt is that the truth is very mystical
and rarely useful (just like a sixth toe on a foot).
Tom
------------------------------
Reply-To: "Jeffrey Walton" <[EMAIL PROTECTED]>
From: "Jeffrey Walton" <[EMAIL PROTECTED]>
Subject: Re: closed door example (again with Cloakware)
Date: Fri, 18 May 2001 22:51:40 -0400
What a shame...
Its kind of like when Norton began buying up various utility companies.
Quality for the consumers really suffered.
"Tom St Denis" <[EMAIL PROTECTED]> wrote in message
news:6XdN6.127454$[EMAIL PROTECTED]...
: To those that say closed door crypto is a matter of business send your
: browser to
:
: www.pgp.com
:
: Nuff said,
: --
: Tom St Denis
: ---
: http://tomstdenis.home.dhs.org
:
:
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Questionable security measures (Cloakware!)
Date: Sat, 19 May 2001 02:51:43 GMT
On Fri, 18 May 2001 14:59:16 GMT, Stanley Chow
<[EMAIL PROTECTED]> wrote, in part:
>That code does not belong to Cloakware, and we at Cloakware are
>serious about respecting other people's intellectual property.
>We do not let people (even other employees let allow interns) see
>it just for fun.
>Our own technology will be open. There are already 5 patent
>applications that are published by PCT. We are slowly putting
>more information on our website. Interested parties are welcome
>to contact us for further information. Being in the security
>business, we fully intend to publish all details for public
>inspection. Being a small startup, we are trying to protect
>our lead by publishing only after the patents are public.
This is certainly a reasonable position. With any software product, if
one makes the source public, people can, even without infringing the
copyright, derive an advantage in writing something themselves by
reading it.
However, whatever circumstances apply, one issue does not go away. If
one is attempting, seriously, to use a product, whether software or
hardware, for a cryptographic purpose, one must be able to validate
its operation. This usually means having not only a copy of the
source, but a copy of the compiler used, and the options used to
compile it, to allow verifying that the program corresponds to its
source...among other things.
I'm not sure how many people could really do that with a Windows
program anyways, but, at least with, say, the DOS versions of PGP, one
could at least rely on the fact that someone else had done it, and you
could even compile the source yourself on more than one compiler.
Are there any Windows languages where a *text file* generates a
program complete with dialog boxes, no graphical resource editor
required, and which are handled by compilers made by more than one
company (which lets out FoxPro and Clarion, that come close)? I don't
think so, but maybe Smalltalk - or even Cobol, for all I know -
qualifies.
John Savard
http://home.ecn.ab.ca/~jsavard/frhome.htm
------------------------------
From: "Paul Pires" <[EMAIL PROTECTED]>
Subject: Re: Apology to Cloakware (open letter)
Date: Fri, 18 May 2001 19:57:46 -0700
No class.
Dwrowning baby chickens is next week.
Paul
Just Looking <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> On Fri, 18 May 2001 23:38:30 GMT, "Tom St Denis"
> <[EMAIL PROTECTED]> wrote:
>
> >Hello all,
> >
> >As most of you know I posted a message yesterday out of 2 parts anger and
> >many parts stupid. I was feeling "wronged" when really it was just an
> >annoyance.
> >
> >I want to apologize to all and especially Cloakware for the mess this
> >resulted in, that was not really my main intent. I was ranting mainly.
> >Fortunately no NDA's broken, no court-battles ahead.
> >
> >I hope you all can accept my sincere apology for being so immature with
> >regards to the matter at hand.
> >
> >Live and learn,
>
> Don't worry, Tom.
>
> None of us reading sci.crypt had any idea
> your, how did you put it?... oh yeah... "stupid"
> comments would cause any grief to you or
> your, what was that adjective?..."shameful"
> employer Cloakware.
>
> Thank goodness they had you to set them
> straight and we were all able to glean a bit
> more of your genius before they, completely
> without cause, gave you the boot.
>
> It was over so quickly I find myself harking
> back to better times when I could enjoy the
> your sage comments. Comments like:
>
> "This is a shameful crypto-practice and both
> companies should be a shame of themselves."
>
> "If believing in the principles of science and
> honesty are "bad corporate decisions" then
> I shall live in my unibomberstyle shack for the
> rest of my life. For I am much too young to sellout."
>
> Perhaps, you are too young to sellout.
>
> Thank goodness you're not too young to eat
> crow. You're really never too young for that,
> are you?
>
> And you're never too young to start developing
> the kind of reputation you've wisely started in
> sci.crypt. That of a knee-jerk loudmouth who
> shoots first and asks questions later. After all,
> with your hair-trigger mind, you haven't got time
> for stupid things like corporate protocol, loyalty
> to your company team, and discretion.
>
> Those things are for wimps, losers, and other
> lesser types who would not be able to even
> begin to grasp the depths of your capabilities.
>
> I only give thanks that you will still be around
> to remind us of this way too much, and that it
> will take more than standing in the blast of true
> reality to get you to tone it down a little.
>
> It would really be a letdown not to get your
> expert opinion on like, what, over 50% of the
> posts here?
>
> That, and your keen grip of business acumen.
>
> So don't worry, Tom.
>
> It's still all about you.
>
------------------------------
From: Dennis Ritchie <[EMAIL PROTECTED]>
Subject: Re: What about SDD?
Date: Sat, 19 May 2001 03:19:52 +0000
Rob Warnock wrote (quoting Georgiou):
>
> Harris Georgiou <[EMAIL PROTECTED]> wrote:
> +---------------
> | But how about sparse data distribution techniques? I mean
> | why can't we use a method that dynamically spreads the data
> | into a vast pool of white noise?
> +---------------
>
> Been done already. See:
>
> "Chaffing and Winnowing: Confidentiality without Encryption"
> Ronald L. Rivest
...
> http://theory.lcs.mit.edu/~rivest/chaffing.txt
...
Although this paper is as technically inventive and astute as one
one expects from Rivest, I can't and couldn't help feeling that
his tongue was firmly in his cheek during its writing. It's in part
a reductio ad absurdum of rules that allowed export of signature verification
techniques while regulating message crypto. Somehow (if the USG
had continued along the road parts of it wanted to), I don't think
it would have survived a court test.
For another idea along the same lines, this one is worth investigating
just for a giggle:
http://www.spammimic.com
Dennis
------------------------------
Date: Fri, 18 May 2001 07:48:06 +0100
From: David Hopwood <[EMAIL PROTECTED]>
Subject: Re: wide-trail
=====BEGIN PGP SIGNED MESSAGE=====
Mark Wooding wrote:
> Tom St Denis <[EMAIL PROTECTED]> wrote:
> > What does it mean? I have heard it said before. Does it mean something
> > like a SPN where the diffusion is maximized?
>
> More or less.
>
> I believe it was first introduced in Joan Daemen's thesis `Cipher and
> Hash Design', in chapter 5, `Propagation and Correlation'.
BTW, that thesis is at
http://www.esat.kuleuven.ac.be/~cosicart/ps/JD-9500/
- --
David Hopwood <[EMAIL PROTECTED]>
Home page & PGP public key: http://www.users.zetnet.co.uk/hopwood/
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5 0F 69 8C D4 FA 66 15 01
Nothing in this message is intended to be legally binding. If I revoke a
public key but refuse to specify why, it is because the private key has been
seized under the Regulation of Investigatory Powers Act; see www.fipr.org/rip
=====BEGIN PGP SIGNATURE=====
Version: 2.6.3i
Charset: noconv
iQEVAwUBOwTFljkCAxeYt5gVAQH3sQf+O0zRhK/aKDIomLdh4l4iuKeB5Or8MTII
BKqvKVzv6jop4SgAnIP6QQNAupD7oVaDlGiFEQtg0zWtFldNM4JQ9PyrZa7RPRtE
GDxw1NPEwSM2is/ziQ7S0CjYX11ac+5Tn99PQCe8Nf0O9cgP7/za6/fWmqWFKD3D
dOT/gvY8ITyfOY33auLQ4qz/a4q3DqdWoUhYYEM+J4AX2xh7WJ/0lZX+fdoREhsc
phhoqBwu6tSFWeu1afCUuih9B7iBUOAr9NihRoSetGrsagTCdHZVBPSeb7dgErvl
9pgOUxt/5r2oAARtJucuOipJhpK1hDqO5Sjs3DLCudPV69YkhSiBjA==
=I/uC
=====END PGP SIGNATURE=====
------------------------------
From: [EMAIL PROTECTED] (NOYB)
Subject: Re: Censorship Threat at Information Hiding Workshop
Date: 18 May 2001 20:13:57 -0700
"Roger Schlafly" <[EMAIL PROTECTED]> wrote in message
news:<zJrH6.48$[EMAIL PROTECTED]>...
> "Leonard R. Budney" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > The claim that "people are entitled to profit from their creativity"
> > *should* be axiomatic with you.
>
> The claim was that:
> > > >> The premise behind copyright law is that people are entitled to
> > > >> profit from their *creativity*, where creativity is defined to be
> > > >> "a specific work having some original content".
>
> I agree with Paul; that was certainly not the premise behind US
> copyright law.
>
> There is a legitimate argument that when there is profit from creativity,
> then the creator is entitled to some reasonable piece of the action.
>
> Whatever the premise of copyright law, different purposes lead to
> different conclusions. The laws are getting extremely pro-copyright,
> and it is hard to understand how the public good benefits from the
> heirs to "Gone With The Wind" suppressing a parody. See this essay.
>
> http://www.nytimes.com/2001/04/30/opinion/30LESS.html
>
> April 30, 2001
>
>
> Let the Stories Go
>
> By LAWRENCE LESSIG
>
>
>
>
>
> STANFORD, Calif. - When Margaret Mitchell published "Gone With the Wind" in
> 1936, the law gave her a copyright for up to 56 years. Under that agreement,
> the book should have fallen into the public domain in 1993. Why, then, was
> Mitchell's copyright, now owned by her estate, still powerful enough to
> prevent the planned publication this month of Alice Randall's "The Wind Done
> Gone," a retelling of the story of 19th- century Southern plantation life
> from an African-American viewpoint?
>
> ...
>
>
>
> begin 666 spacer.gif
> K1TE&.#EA`0`!`( ``._O[P```"'Y! $`````+ `````!``$```("1 $`.P``
> `
> end
Anybody care to sell a copy of the book? Even a copy of the copy is ok!
Thanks!
------------------------------
Reply-To: "Jeffrey Walton" <[EMAIL PROTECTED]>
From: "Jeffrey Walton" <[EMAIL PROTECTED]>
Subject: Re: Questionable security measures (Cloakware!)
Date: Fri, 18 May 2001 23:29:28 -0400
With all due respect (and very little knowledge of the situation), I
think the reason you were asked to resign/dismissed was probably closer
to an insubordination issue. Basically, as an intern, the company
probably feels you over stepped your bounds when requesting a source
review and/or peer review of the crypto methods (regardless of how
correct or right you may think you are - or you may actually be).
I can't speak intelligently about Canada (or the U.S. for that fact),
but:
U.S. employees are generally protected from their government - not their
employers.
Employers can basically do what they want to employees. Some U.S.
states are right to work. Others states do not require an employer to
show cause for a resignation request/dismissal.
It could be the case that the decisions are a business flaw, but that's
something the strategic planners/senior management must decide.
Respectfully,
Jeff
"Tom St Denis" <[EMAIL PROTECTED]> wrote in message
news:72cN6.126101$[EMAIL PROTECTED]...
:
: "AY" <[EMAIL PROTECTED]> wrote in message
: news:9e3i46$f8f$[EMAIL PROTECTED]...
: >
: > >It seems this incident
: > >grew out of the fact that I didn't let Tom see the source code
: > >when he asked me.
: >
: >
: > Has he just got fired for asking for the source code? What exactly
are the
: > grounds for his dismissal?
: >
: > <Quoting from Tom>
: > They had no official reason for firing me except to say "if you
don't know
: > what you did wrong you shouldn't be here".
: > </Quote>
: >
: > Is that really the case? Is that an accepted reason for dismissal in
: Canada?
: >
: > I would think Tom has the best intentions to help you develop a good
and
: > secure product. If he got sacked just because you got p****d off
with him
: > then I think both of you lose out. How much have Tom posts damaged
your
: > company? To me, a Palm user, his dismissal means that I won't ever
buy
: your
: > product. You (or whoever fired him) did the damage to your company.
: >
: > I really wish to see some reconciliation here, perhaps from both
parties.
:
: See I wouldn't go this far. For all I know the product is perfectly
secure.
: But how do we know? They won't release the information to
cryptographers.
:
: Personally I got sacked because I pointed out a huge business flaw...
:
: Tom
:
:
------------------------------
From: Samuel Paik <[EMAIL PROTECTED]>
Subject: Re: Questionable security measures (Cloakware!)
Date: Sat, 19 May 2001 04:50:41 GMT
John Savard wrote:
> Are there any Windows languages where a *text file* generates a
> program complete with dialog boxes
There are independently implemented resource compilers. It's quite feasible
to develop MS Windows programs without any sort of graphical resource
editor--although some people may find this annoying/tedious. (Personally,
I find most graphical resource editors annoying and tedious....)
--
Samuel S. Paik | [EMAIL PROTECTED]
3D and digital media, architecture and implementation
------------------------------
Subject: Re: Comparing two encrypted numbers
From: Paul Crowley <[EMAIL PROTECTED]>
Date: Sat, 19 May 2001 05:34:36 GMT
"Martin Schweitzer" <[EMAIL PROTECTED]> writes:
> Is anyone aware of a technique that allows two encrypted numbers to be
> compared without decryping them? I am told that there was a paper
> presented at RSA 2000 which mentions this, but I cannot find any
> reference to that paper.
What do you mean by "compare"? Compare for identity, or for which is
bigger?
The former is easy. The latter...well, you'll have to specify much
more precisely what you want...
--
__ Paul Crowley
\/ o\ [EMAIL PROTECTED]
/\__/ http://www.cluefactory.org.uk/paul/
"Conservation of angular momentum makes the world go around" - John Clark
------------------------------
Subject: Re: How to develop a 64-bit key
From: Paul Crowley <[EMAIL PROTECTED]>
Date: Sat, 19 May 2001 05:47:47 GMT
[EMAIL PROTECTED] ("ritesh_swd") writes:
> I am a amateur cryptographer working in DES.i want to develop a PRNG
> for the DES.Can help me which algortihm to use for the
> generation.Provide me with detailed algorithm.
DES takes a 56-bit key. Please give more detail of what you want:
it's a little rude to demand "Provide me with detailed algorithm" when
you can only be bothered to write three lines about what your needs
are!
Also, check out Yarrow, and see if it meets your needs:
http://www.counterpane.com/yarrow.html
--
__ Paul Crowley
\/ o\ [EMAIL PROTECTED]
/\__/ http://www.cluefactory.org.uk/paul/
"Conservation of angular momentum makes the world go around" - John Clark
------------------------------
From: Crypto Neophyte <[EMAIL PROTECTED]>
Subject: Re: Questionable security measures (CIC and Cloakware!)
Date: Sat, 19 May 2001 06:05:48 GMT
On Fri, 18 May 2001 4:10:51 -0500, Tom St Denis wrote
(in message <vG5N6.125516$[EMAIL PROTECTED]>):
> Also I can't get canned for this since I haven't violated my NDA and it's
> not like what I am saying is a lie.
They can find a reason to fire you if they want to. Officially it won't have
anything to do with your post.
HKRIS
------------------------------
From: "Matt Timmermans" <[EMAIL PROTECTED]>
Subject: Re: Apology to Cloakware (open letter)
Date: Fri, 18 May 2001 23:12:12 -0400
"Paul Pires" <[EMAIL PROTECTED]> wrote in message
news:zvlN6.164026$[EMAIL PROTECTED]...
> No class.
>
> Dwrowning baby chickens is next week.
>
> Paul
Yeah, and spooky. He's obviously a regular here. I wish I know which one.
This suggests an on-topic question:
Has anyone heard of a reasonably successful algorithmic method for
identifying people by writing style?
------------------------------
From: "Matt Timmermans" <[EMAIL PROTECTED]>
Subject: Re: People with x86 cpus (please reply)
Date: Fri, 18 May 2001 19:24:35 -0400
On my Athlon 700: 175 cycles
"Tom St Denis" <[EMAIL PROTECTED]> wrote in message
news:DA7N6.125755$[EMAIL PROTECTED]...
> I need people with the following cpus to run a program (or alternatively
> build the source which is on my website) to test the speed of my cipher.
>
> - Pentium, PPro, PII, PIII
> - Amd K6, K6-II, K7 (original not T-bird)
> - Cyrix MII
>
> The program gives speeds in clock cycles so the clock rate of your cpu is
> irrelevant. The program was tested with DJGPP but should port easily to
> Linux via GCC. I need people to run the program in a shell prompt with
all
> other stuff closed (or alternatively goto dos completely). Once you run
it
> copy all of the output and email it to me.
>
> If you can help just download
>
> http://tomstdenis.home.dhs.org/tc15a_asm.zip
>
> or the binary
>
> http://tomstdenis.home.dhs.org/tc15a_spd.exe
>
> Thanks,
> --
> Tom St Denis
> ---
> http://tomstdenis.home.dhs.org
>
>
------------------------------
From: HiEv <[EMAIL PROTECTED]>
Crossposted-To: alt.hacker,talk.politics.crypto
Subject: Re: OAP-L3: "The absurd weakness."
Date: Sat, 19 May 2001 06:45:14 GMT
Darren New wrote:
>
> Anthony Stephen Szopa wrote:
> > Darren New wrote:
> > > If you don't know what a group is, maybe you should look it up, rather
> > > than pretending the flaw isn't clearly expressed.
> >
> > Now I know why war exists: it is to rid the planet of ignorance
> > that may become a threat to survival.
>
> Hi. We're from the nonsequitar police. We're not an official body, but
> we do like pizza.
LOL!
--
"Us loners gotta stick together."
- Nicki from "Spacehunter: Adventures in the Forbidden Zone"
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to sci.crypt.
End of Cryptography-Digest Digest
******************************
