Re: smartcards, electronic ballots

2001-02-06 Thread Dan Geer


This would seem relevant ...

http://dailynews.yahoo.com/h/nm/20010206/ts/voting_systems_dc_1.html

Tuesday February 6 12:23 PM ET Study: Old Voting Systems May Work Best

By Deborah Zabarenko

WASHINGTON (Reuters) - Looking back at Florida's election mess,
scientists say the old ways of casting a vote may work best: paper
ballots and lever machines give more accurate counts than punch cards
or electronic devices.

Another key message in a study of U.S. voting technology, released late
on Monday, seems to be that the machines are not always the problem.

``We believe that human factors drive much of the 'error' in voting,''
scientists from the California Institute of Technology and the
Massachusetts Institute of Technology said in a Feb. 1 report to a
task force that is studying voting problems in Florida.

Florida was the final battleground state in the hotly contested 2000
presidential race, with the outcome ultimately decided by the U.S.
Supreme Court more than a month after the Nov. 7 Election Day.

There were questions about voting equipment that may have hindered the
accurate counting of thousands of Florida votes, notably Palm Beach
County's controversial ``butterfly ballot,'' a two-column punch card
ballot that confused many voters.

Without mentioning the ``butterfly ballot'' specifically in this
preliminary report, the scientists wrote, ``Some technologies seem to
be particularly prone to over-voting (voting for more than one
candidate for a single office), such as the punch card systems
implemented in Florida in the 2000 election.''

Wide Range Of Equipment

Part of the problem is the wide range of voting equipment used across
the United States, starting with the simple paper ballots that were
common in much of the country in the 19th century and ending with the
direct-recording electronic devices (DREs) that were introduced in some
areas in 2000.

In between are punch card ballots, lever machines -- in which voters
enter a booth and flick switches by their preferred candidates, then
finally record their votes by pulling a large lever -- and optically
scanned ballots, where voters use pencils to fill in circles beside the
candidates they choose.

Examining data on election returns and machines from about two-thirds
of all U.S. counties over four presidential elections starting in 1988,
the scientists found that manually counted paper ballots ``have the
lowest average incidence of spoiled, uncounted and unmarked ballots.''

Lever machines and optically scanned ballots were most accurate after
paper ballots, the report said, while punch card methods and DREs,
which look and operate a bit like automatic teller machines, had
``significantly'' higher error rates.

The difference in reliability between the best and worst systems was
1.5 percent, the report said.

Part of the difficulty may lie in voters' unfamiliarity with new
technology, said the group of social scientists that included experts
on computers, politics and economics.

``We don't want to give the impression that electronic systems are
necessarily inaccurate, but there is much room for improvement,'' the
California institute's Thomas Palfrey said in a statement.




Re: it's not the crypto

2001-02-06 Thread Dan Geer


 >  The notion that e-mail should be permitted to contain arbitrary
 >  programs that are executed automatically by default on being opened
 >  is so over the top from a security stand point that it is hard to
 >  find language strong enough to condemn it.  It goes far beyond the
 >  ordinary risks of end systems.

And, yet, digital rights folk argue that the only way
data can be self protecting (the pre-requisite for data
being out and about on its own), is to wrap said data
in a program which the recipient must execute.  All the
music royalty or email self-destruction stuffs basically
take this position.  If auto-update of software really 
does take hold, whether by contract (UCITA) or by choice
(whopping convenient, that), receiving an executable with
long-lived aftereffect will be part of every ordinary
person's day.

Not denying your point at all -- merely trying to look
well down range.  I'm a send-by-reference-not-by-value
sort of guy, but as I see the world, e-mail attachments
are doubtless now the poor man's distributed filesystem,
and the momentum is with ever increasing amounts of 
executables being transmitted.  Consider, for an example
actually rather related to this Javascript e-mail issue,
the case of Zaplets (http://www.zaplet.com) which has
$100M+ saying that this is the future, or the stored
procedures in many specialized Oracle applications that
take the form of Java applets you download silently to
execute on your end.  

Contemplating retirement off the grid,

--dan






Re: smartcards, electronic ballots

2001-02-04 Thread Dan Geer



As seems universally the case in security design, there must
be ugly tradeoffs.  In particular (and without quoting acres
of prior material), the proposed requirements for verifiability
and non-coercibility are at odds and one must yield to the
other.  Paper systems make this tradeoff by, on the one hand,
the polling booth (non-coercibility once within) and, on the
other hand, the supervision of the counting process by opponents
(verifiability by proxy), at a cost of zero technology.  Bettering
this in the real world is challenging.

--dan

==
as used here

verifiability
  -- voter may verify that his vote counted as he intended it to count
non-coercibility
  -- voter cannot be compelled to show how he voted, during or after

proposition:
 If the voter can verify, then he can be coerced to do so.
contrapositive:
 If voter cannot be coerced, then he cannot verify.

==





Re: issuing smartcards is likely to be cheap [Was: electronic ballots]

2001-02-03 Thread Dan Geer


[ likely too far off topic ]



> Hmmm, I have a "voter registration card" and I believe that is
> the case across the USA.

Anything that is itself mechanically _required_ in order to
vote must be provided to the voter gratis else it will be
surely challenged as a poll tax.  By just this detail alone,
I do not think that electronic voting from the home has a
future.  Even if the smartcard were given away, that the rest
of the apparatus (PC, reader, network, etc.) was self-funded
by the voter as a matter of personal choice and convenience
would almost surely be derided by some group or other as a
sign that "rich folk" get counted first and easier.

--dan





Re: Ashcroft on encryption

2000-12-23 Thread Dan Geer


 "We're not going to outlaw photography because someone takes dirty
  pictures. People use it for good things and bad things - and it's
  the same with encryption."
   -- Missouri Senator John Ashcroft (Rep.)


make that Attorney General Ashcroft.

--dan





Re: Schneier: Why Digital Signatures are not Signatures (was Re: CRYPTO-GRAM, November 15, 2000)

2000-11-19 Thread Dan Geer



> As the US banking system (and especially the bank clearinghouses controlled
> by the Federal Reserve system) has gone electronic, all the banks I know of
> have stopped bothering to verify the signatures on checks, and similarly
> those on credit- and debit-card drafts.  Getting them to start using digital
> signatures would be a big improvement over the current wide-open situation.

As compared to the State of Oregon which has now gone over
to keeping a digitized image of the ink signature of every
registered voter for visual verification, the better to run
its all-absentee election process, or for that matter FedEx,
UPS, and numerous P.O.S. terminals all of which have copies
of my hand signature, like it or not.

--dan





Re: Qualcomm CEO Loses Laptop

2000-09-19 Thread Dan Geer


> from http://www.wired.com/news/business/0,1367,38855,00.html

I work at a security consulting firm and, in fact, have
corporate IT in my portfolio.  Our model for what constitutes
a plausible posture is, FWIW, simple:

  1. anyone can lose a laptop and, besides coming home with their
  tail between their legs, nothing bad happens

  2. any of our consultants can work from any location, however
  hostile (no, we don't work at national labs...)

  3. while we protect our corporate net from vandals, someone
  plugging into it will gain nothing of value

I'm not here to argue if the above is perfect, but it is what
we do, it is easy to explain, and it seems appropriate to the
times.

--dan






Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-05 Thread Dan Geer


I said,

>Note that it is trivial(*) to construct a self-decrypting
>archive and mail it in the form of an attachment.  The
>recipient will merely have to know the passphrase.  If
>transit confidentiality is your aim and old versions 
>of documents are irrelevant once the ink is dry on the
>proverbial bond paper, this is quite workable and involves
>no WoT at all, just POTS.

Steve said,

>No!  We've discussed this point many times before -- what if the 
>attacker sends a Trojan horse executable?

David said,

>If you have a secure channel to exchange a passphrase in,
>you have no need for PK.

Correct to both critics.  I can, indeed, dictate the 40 page
contract that is to be signed tomorrow afternoon over my STU3
telephone, if indeed both parties have one.  I can rely on 
facsimile which is what J. Random Company's legal counsel
would otherwise likely do.  I can tell people never to accept
an executable mailed to them from anywhere, which will get
laughed at by all the people in the business world who mail
each other so many attachments that it can be truly said
that e-mail attachments are the poor man's distributed file
system.  All true.  There is, indeed, nearly no security if
one is really and truly serious.

What I had hoped to convey was that there was a certain amount
of "good" in getting the kinds of documents real businesses
exchange under time pressure all day every day to be encrypted
at a level of effort that approximates what they would be
doing anyway.  If the recipient needs no local environment
pre-conditions other than the genes to call me up when he
gets an attachment that says I demand a passphrase, I think
it is in fact fair to say that a cost-effective improvement
has been snatched from the jaws of defeat.  Maybe, just maybe,
if I can train them to think that unencrypted = anomalous
we can take a step that matters, like locally installing some
software whose miserable usability is proportional to its
endorsement by the local security guy.

There is nearly nothing I can do to prevent you from stealing
my car if you want it way bad, but I sure as hell can make
stealing my neighbor's car more attractive than stealing mine.
That is risk management.

--dan





Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-05 Thread Dan Geer


>   How do they exchange public keys?  Via email I'll bet.

Note that it is trivial(*) to construct a self-decrypting
archive and mail it in the form of an attachment.  The
recipient will merely have to know the passphrase.  If
transit confidentiality is your aim and old versions 
of documents are irrelevant once the ink is dry on the
proverbial bond paper, this is quite workable and involves
no WoT at all, just POTS.

--dan

* trivial: memorizable by clerks in an all Windows world...





Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-05 Thread Dan Geer


Well put, Greg.  I do think that a small circle of trusted
friends is a tautology -- if it is not small, it cannot be
trusted.  Was it not ever thus?

--dan





Re: Electronic elections.

2000-05-29 Thread Dan Geer



Along the same lines as this discussion, http://www.ivta.org
was recently brought to my attention in/on the "cert-talk"
([EMAIL PROTECTED]) mailing list.

I appreciate that pointer (and others like it such as are appearing
here and elsewhere) a great deal, especially in quotation:

   "Encryption alone is not sufficient for an Internet voting process
because voting is not an e-commerce transaction.  Anonymity and
integrity must be assured, and we must know that the results in an
election have not been tampered with in any step of the process."

as it demonstrates in full that, as in all of engineering, the
heavy lifting is in getting the problem statement right.  The
advocates of Internet voting do not, repeat, do not have the
problem statement right.

There is no doubt whatsoever that the sanctity of a vote once
cast can be absolutely preserved as it is moved from your house
to the counting house.  What cannot be done, now or ever, is to
ensure the sanctity of the voting booth anywhere but in a
physical and, yes, public location attended to by persons both
known to each other and drawn from those strata of society who
care enough to be present.  There are no replacements for the
voting booth as a moment of privacy wrapped in inefficient but
proven isolation by unarguable witness, a place where we are
equal as in no other.  Move the dispatch of a vote to a remote
browser and $100 bills, concurrent sex acts, a pistol to the head,
wife-beating or any other combination of bribes and coercion is
an undiscoverable concomitant of the otherwise "assured"
integrity of the so-called vote.

Internet voting is anti-democracy and those who cannot bestir
themselves to be present upon that day and place which is never
a surprise to do that which is the single most precious gift of
all the blood of all the liberators can, in a word, shut up.

Trust is for sissies,

--dan





Re: NSA back doors in encryption products

2000-05-27 Thread Dan Geer



Conspiracy theories are irresistible labor-saving devices
in the face of complexity.
 -- Henry Louis Gates, speaking of OJ Simpson


--dan





NPR on NSA

2000-03-21 Thread Dan Geer


off topic, but

http://search.npr.org/cf/cmn/cmnpd01fm.cfm?PrgDate=03/14/2000&PrgID=3
http://search.npr.org/cf/cmn/cmnpd01fm.cfm?PrgDate=03/15/2000&PrgID=3
http://search.npr.org/cf/cmn/cmnpd01fm.cfm?PrgDate=03/16/2000&PrgID=3

contains a three part series on the NSA and listening posts;
many familiar names heard from; less than 1/2 hour in sum

--dan





Re: Interesting point about the declassified Capstone spec

2000-02-11 Thread Dan Geer


I agree with Peter and Arnold; in fact, I am convinced that
as of this date, there are only two areas where national
agencies have a lead over the private/international sector,
namely one-time-pad deployment and traffic analysis.  Of those,
I would place a bet that only traffic analysis will remain an
area of sustainable lead, that traffic analysis is the only
area where commercial interests will not naturally marshal
the resources to threaten the lead of the national agencies.

--dan




Re: US congressman blasts China crypto policy

2000-02-11 Thread Dan Geer


previously sent to WSJ:


|  To the Editor:
|  
|  As reported, the Chinese government has moved to restrict the use
|  of privacy-enhancing technologies and to surveill use of the Internet
|  generally.  Any country that does that ensures that in the global
|  economy the only role they can play is that of coolie labor.  How
|  ironic for China to choose for itself such a role at this late date.


--dan




Re: financial crypto - like conferences

2000-02-08 Thread Dan Geer


I need to know whether any of you know any other financial-crypto-like
international conferences in the second half of this year. I want to submit
several of my papers, and I can't wait for FC 2001. The conference need not
be very theoretical or very prestigious, preferably a little bit
'applicative', as long as the submission deadline has not passed yet :-)


USENIX Security Symposium
August 14-17 in Denver
submission deadline is Thursday of this week
 http://www.usenix.org/events/sec2000
or, more specifically,
 http://www.usenix.org/events/sec2000/cfp/how_to_submit.html

I am an officer of the organization and board liaison
for this conference.  The audience here is, without doubt,
the most engineeringly intense you are likely to find in
a venue of scientific merit and commercial applicability.
Expect keen competition should you choose to submit.

--dan




Re: The problem with Steganography

2000-01-26 Thread Dan Geer


If the picture was taken by an actual camera, the least significant
bits will be random due to the nature of the way CCDs work in the real
world.  They might be biased, but it's not very hard to bias a
"random" data stream.  You could have the sender look at the bias in
the odd frames, and use that in the following even frames, if the bias
is similar.  The recipient could compute the bias in the odd frames,
and use that to normalize the stego in the even frames before applying
the crypto.  If the scene changes drastically, the bias may change,
the sender wouldn't encode anything in that frame, and the recipient
will need to resync somehow.  

Stego is subtle, but it's not impossible.


After thinking about this a bit, perhaps the point is that any
conversion, light-on-CCD to bits, bits to paper, etc., has a
certain amount of bias-able "random" data and hence it is
likely that any such process has a fingerprint that might even
be unique as, of course, the color copier example shows can be
made intentional.

My knowledge of media reproduction technology in the large is
near zero, but if a color copier can identify itself what is to
keep it from identifying the time of day or serial numbering
the individual copy or silently including a photo of the
operator?  Larger still, what's to prevent adding such a
fingerprint to every copy of National Geographic, to every film
processing lab's printing system, to every copy of every MP3
file, to the transmission of every PCS phone, etc., etc.?

In short, is steganography the ultimate surveillance tool?

--dan
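The quoted poster sketches a scheme where the bias of the least-significant bits in one (odd) frame is measured and used to calibrate what goes into the next (even) frame. The Python below is an added example, not code from the thread or from either poster. It constructs two "CCD" frames whose LSBs are biased (P(LSB=1)=0.58 is an assumed figure, not a measured one), does naive LSB replacement of uniform, ciphertext-like bits into the even frame, and then runs a two-proportion z test that uses the untouched odd frame as the reference, which is exactly the comparison an analyst would make and shows why a sender who ignores the cover's bias is detectable. The bias-matching encoder the poster proposes is not implemented here; in its place the example shows a simpler, different mitigation, embedding in only a keyed 5% of the pixels, which dilutes the statistical shift. Frame size, key, seed and payload are all constructed.

```python
"""LSB steganography against a biased CCD-noise cover, with the untouched
odd frame used as the bias reference for detection (steganalysis side)."""
import math
import random

FRAME_PIXELS = 20_000       # constructed frame size (flat array of 8-bit samples)
COVER_LSB_BIAS = 0.58       # ASSUMED P(LSB == 1) in sensor noise; constructed, not measured
SEED = 20010126             # constructed seed so the demo is reproducible


def make_frame(rng, n=FRAME_PIXELS, p_one=COVER_LSB_BIAS):
    """Constructed stand-in for a camera frame: upper bits arbitrary, LSB biased."""
    frame = []
    for _ in range(n):
        hi = rng.randrange(256) & 0xFE
        lsb = 1 if rng.random() < p_one else 0
        frame.append(hi | lsb)
    return frame


def lsb_one_ratio(frame):
    """Fraction of pixels whose LSB is 1: the 'bias' the poster talks about."""
    return sum(px & 1 for px in frame) / len(frame)


def bits_from_bytes(data):
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]


def bytes_from_bits(bits):
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(map(str, bits[i:i + 8])), 2))
    return bytes(out)


def _positions(n, key, rate):
    """Keyed permutation of pixel indices; the first `rate` fraction carry data."""
    rng = random.Random(key)
    positions = list(range(n))
    rng.shuffle(positions)
    return positions[:int(n * rate)], rng


def embed(frame, payload, key, rate=1.0):
    """LSB replacement. Unused carrier slots get uniform filler bits, which is
    what ciphertext looks like, so the embedded LSBs have P(1) close to 0.5."""
    usable, rng = _positions(len(frame), key, rate)
    bits = bits_from_bytes(payload)
    if len(bits) > len(usable):
        raise ValueError("payload too large for this embedding rate")
    bits += [rng.randrange(2) for _ in range(len(usable) - len(bits))]
    stego = list(frame)
    for pos, bit in zip(usable, bits):
        stego[pos] = (stego[pos] & 0xFE) | bit
    return stego


def extract(stego, key, nbytes, rate=1.0):
    """Recipient side: same keyed permutation, read the first nbytes*8 LSBs."""
    usable, _ = _positions(len(stego), key, rate)
    return bytes_from_bits([stego[pos] & 1 for pos in usable[:nbytes * 8]])


def two_proportion_z(frame_ref, frame_test):
    """Z statistic for H0: both frames' LSBs have the same P(1).
    frame_ref is the untouched odd frame; a large |z| flags frame_test."""
    p1, p2 = lsb_one_ratio(frame_ref), lsb_one_ratio(frame_test)
    n1, n2 = len(frame_ref), len(frame_test)
    pooled = (p1 * n1 + p2 * n2) / (n1 + n2)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    return (p1 - p2) / se


def demo():
    rng = random.Random(SEED)
    odd_frame = make_frame(rng)      # reference frame, never modified
    even_frame = make_frame(rng)     # carrier frame
    payload = bytes(rng.randrange(256) for _ in range(64))   # constructed "ciphertext"
    key = 0xC0FFEE                                           # constructed stego key
    full = embed(even_frame, payload, key, rate=1.0)         # naive: every pixel
    sparse = embed(even_frame, payload, key, rate=0.05)      # diluted: 5% of pixels
    return {
        "z_clean": two_proportion_z(odd_frame, even_frame),
        "z_full": two_proportion_z(odd_frame, full),
        "z_sparse": two_proportion_z(odd_frame, sparse),
        "roundtrip_full": extract(full, key, len(payload), rate=1.0) == payload,
        "roundtrip_sparse": extract(sparse, key, len(payload), rate=0.05) == payload,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Reading the output: z_clean stays within normal sampling noise because both frames share the sensor's bias, z_full is far outside it because full-rate replacement drags the even frame's LSB ratio toward 0.5, and z_sparse falls back toward the noise floor at the cost of capacity. Dilution is not the bias-matching encoder the poster describes; it only buys a smaller shift, and a reference frame with a different scene, as the poster notes, would need the sender to re-measure or skip that frame.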




Re: Blue Spike and Digital Watermarking with Giovanni

2000-01-17 Thread Dan Geer


Working for Xerox I can assure you that all of our colour machines together
with all our competitors colour machines leave a "trace".

Pointer to how this trace is applied, recorded, accounted for,
and handled when components are swapped out?  

--dan




PGP on an e-commerce site

2000-01-03 Thread Dan Geer


My daughter was ordering a CD this evening from the site cdnow.com
and I noted that besides the SSL option they also had a PGP option.
Take a look at 

http://www.cdnow.com/cgi-bin/mserver/SID=0/pagename=/RP/HELP/order.html#8q

This is new to me.

--dan




Re: fwd: $100 secure phones from Starium

1999-11-26 Thread Dan Geer


Did this "$100 secure phone" ever come to pass?

I stopped off at http://www.starium.com/ but the page is
unmodified since April last.

Starium-ites, are you out there?

--dan




Re: draft regulations?

1999-11-24 Thread Dan Geer


... For that matter, what is "export"?  Posting something to Usenet?
Putting it up on a Web page or FTP server?  The act of downloading it?

Egad, Steve, a highest and best use for spam.  I'll buy
those 300,000 e-mail addresses and send them all a copy
of the GPG source, each with another of those 300,000
addresses as apparent sender, of course.  Or maybe chain
letters; yeah, chain letters are good.

Melissa, come here. I need you.

--dan




Re: ECHELON Watch

1999-11-17 Thread Dan Geer


> > >ACLU today launched a new web site www.echelonwatch.org...
> 
> I find the phrasing of this site curious...

You're talking about end-product...

It is my strong suspicion that whereas the lead
enjoyed by national agencies in crypto matters
is substantial, such leads as they may still enjoy
are diminishing rapidly with one exception, viz.,
traffic analysis.  In that area -- the intelligence
value of knowing who is talking to whom, by what
channel, and with what pattern -- their lead is
vast and likely sustainable.  I suspect that this
is the highest and best use of the Echelon data.
That cataloging is of immense value, witness the
vigor of the pushing and shoving in the matter
of what it was that J. Pollard disclosed.

--dan




yet another example of a secret signature

1999-11-01 Thread Dan Geer



Always collecting examples of "secret signatures" 
that predate all the stuff we do, I offer this for
your amusement/pleasure.

--dan


==

"Marion Dorset," Progressive Farmer, November 1999, p31.

His solution to hog cholera saved producers millions
...
Besides contributing to the hog cholera vaccine, Dorset also
invented the purple ink stamp that identifies USDA-inspected
meat -- an ink that's used to this day.  USDA won't reveal
what's in Dorset's formula.  It is kept secret to avoid
replication of the stamp.

==




Re: 56 Bits?????

1999-10-29 Thread Dan Geer


[a] >A 56-bit key of any algorithm, on any modern production machine
>is, as far as I can tell, absolutely unconscionable.

[b] >.. It would seem to be a relatively simple
>matter for Apple to offer strong crypto domestically & weak
>crypto everywhere else; Netscape and Microsoft already do this
>with their browsers.

Well, folks, on any other day the more hypergraphic
cross-posters to/on/at these lists would be vigorously
damning the regulatory necessity of American versions
different from non-American versions as proof of the dark
side's impending triumph.  It is so ironic to contemplate
damning a vendor for making you a citizen of the world.

As much as I am myself a devout believer in crypto privacy
verging on crypto anarchy, I suggest that "we" are
seriously in danger of making the best the enemy of the
good when we delude ourselves that first rate crypto can
trivially appear in any mass market consumer gizmo
commoditized to a faretheewell.  Speaking with all the
wisdom I can distill from my own security career in the
real world of competing demands and distracted management
chains, keeping honest people honest is a palpably high
goal, perhaps the highest goal for which you can build a
mass market product.  Me, I'll use/buy the bloody best I
can, but I will rest vastly easier when even middling
encryption is a pervasive reality, i.e., when everybody's
mother is using 56 bits my 128 bit super-encryption will
be just as secure but much less likely to garner unwanted
attention from people I can never out spend.

In the meantime, buy-side companies driven by "prudent
man" risk management are not now nor will they ever be as
paranoid as we here are, and per the iron whim of the
market it is their dollars that rule.

--dan

-
Learn to be invisible




Re: Digital Contracts: "Lie in X.509, Go to Jail"

1999-10-19 Thread Dan Geer


> For details of how to order, see www.xs4all.nl/~brands/order.txt

What is it about wanting to change the instantaneous & electronic world
that generates this sort of time & paper hazing ritual?

Yours in irreverent confusion,

Lightning Rod





Re: graphical authentication

1999-10-09 Thread Dan Geer



Mention was made recently of a graphical keying method out of
stanford (?) for palm-pilots. Does anyone have a reference or url
for the paper/code involved?


Best paper at USENIX 8th Security Symposium
http://www.usenix.org/publications/library/proceedings/sec99/jermyn.html


The Design and Analysis of Graphical Passwords

Ian Jermyn, New York University; Alain Mayer, Fabian
Monrose, Michael K. Reiter, Bell Labs, Lucent
Technologies; and Aviel D. Rubin, AT&T Labs--Research

Abstract

In this paper we propose and evaluate new graphical
password schemes that exploit features of graphical input
displays to achieve better security than text-based
passwords. Graphical input devices enable the user to
decouple the position of inputs from the temporal order in
which those inputs occur, and we show that this decoupling
can be used to generate password schemes with
substantially larger (memorable) password spaces. In order
to evaluate the security of one of our schemes, we devise
a novel way to capture a subset of the ``memorable''
passwords that, we believe, is itself a contribution. In
this work we are primarily motivated by devices such as
personal digital assistants (PDAs) that offer graphical
input capabilities via a stylus, and we describe our
prototype implementation of one of our password schemes on
such a PDA, namely the Palm Pilot(TM).

--dan




Re: Is There a Visor Security Model?

1999-09-22 Thread Dan Geer


The Palm's security model is, by most accounts I've seen, non-existent.

The issue is the lack of memory protection, i.e., that there is no
protected space for keying material.  Visor is said to use the PalmOS
as is, so that is not a magic wand.  Of course, if your OS has no memory
protection, you can always rely on yet another external hardware 
device, as has already been mentioned.

--dan




Re: No liberalization for source code, API's

1999-09-21 Thread Dan Geer



I will be on stage at a minor league debating forum with Bill Reinsch
on Thursday of this week.

If you had one question you would want asked, what would it be?

Reply directly, please.  I'll read it all late Wednesday.

--dan




Re: IP: Clinton comes after the Internet by Joseph Farah

1999-08-10 Thread Dan Geer



A working group like this with only two years to go in
an administration worrying about its place in history
must be one of two things, only:

1. we are referring this to committee so that we can say
we did something without having actually to do anything
(what is sometimes rendered in Italian as a "bella figura")

2. we already have our draft conclusions in white paper
form and we need to have the appearance of due process

A betting pool might be in order, but I narrowly favor #2

--dan




Re: US Urges Ban of Internet Crypto

1999-07-29 Thread Dan Geer


I've thought for some time that it's time to just solve the
problem.  All we need is a couple hundred million bucks.
Given that Ross Perot was able to make a credible run for
President on a hundred million dollars, it should be perfectly
feasible to find someone who is electable, marketable, has a
skeleton in his closet, and who will sign an executive order
once elected.


"honest politician"  --  one who once bought stays bought

--dan




Re: US Urges Ban of Internet Crypto

1999-07-29 Thread Dan Geer


> Secrecy is more useful to the weak than to the strong.

Governments everywhere hate privacy because the
efficiency of regulation is proportional to the
perfection of its surveillance.

Quoting the ever-prescient Phil Agre,

  The global integration of the economy is ... commonly held to
  decentralize political power by preventing governments from
  taking actions that can be reversed through cross-border
  arbitrage. But political power is becoming centralized in equally
  important ways: the power of national governments is not so much
  disappearing as shifting to a haphazard collection of
  undemocratic and nontransparent global treaty organizations, and
  the power to influence these organizations is likewise
  concentrating in the ever-fewer global firms.  These observations
  are not pleasant or fashionable, but they are nonetheless true.

I submit that the mergers and acquisitions wave amongst
governments themselves (EU, NAFTA, China Inc) makes
governments everywhere a/the common enemy.  Little
different than the middle ages where distant lands
with other customs may as well have not existed, and
the Church and the State were one and the same.

If we lose crypto, we must already have guns laid by.

--dan





Re: US Urges Ban of Internet Crypto

1999-07-28 Thread Dan Geer

[Forwarded because no one has brought up this notion in a while. My
problem with it is that most people don't seem to like the 2nd
amendment any more so this can hardly help to popularize the cause. My
feeling is that the 4th and 5th amendments have more potential
protection in them. --Perry]

John, et al.,

In a moment of logic, as if that mattered,

WHEREAS
   By the declaration of the state, cryptographic capacity is a weapon, and
WHEREAS
   By the facts of use, cryptographic capacity is a personal weapon, and
WHEREAS
   The (US) Second Amendment denies the (US) federal government the
   authority to restrict personal weapons,
THEREFORE
   The right to bear crypto is a (US) constitutional right.

Of course, logic has nothing to do with it because the very
definition of politics is the art of making decisions based
on the manipulation of emotion, but I am, whether by choice
or by genotype, a man of logic and not of emotion, though I
am pissed off...

--dan




Re: House committee ditches SAFE for law enforcement version

1999-07-25 Thread Dan Geer


Procedurally, what does he need to do to make this happen?  Can any
member of the house do it?  Can the Speaker do this on his own, does
it require a vote of the rules committee, the full house, or what?
Also, the Supremes often use legislative history when making rulings.
What would they do in a case like this?  Is there any precedent?

I'm wondering if there's some way to take advantage of having so many
cooks.  

Also, when was the last time there was a classified briefing on the
house floor like this?  I would think that something so unusual would
cause some eyebrows to raise even outside the pro-crypto community.

Secrecy is not the point.

This is a poison pill, a kill packet, a virus, ...

Once you have had the classified briefing, YOU, the recipient
of same, can no longer talk about anything covered in said
briefing with anyone not cleared regardless of whether you
knew it some other way.  This is a GAG ORDER executed as an
entrapment.  It is the classic mistake to take the classified
briefing.  God bless Herb Lin and the other authors of C.R.I.S.I.S.
for saying that they (1) had to take the classified briefing in
the name of science but (2) they guarantee that it provided no
details whatsoever that would have changed their minds.  Anyone
who is tempted should just assume that there are multiple 
occasions where real lives would be really lost and ask themselves
if that would change their mind.  If it would, then vote one
way; if not, vote the other.  But never ever take the classified
briefing.

--dan

===

C.R.I.S.I.S. =
http://www.amazon.com/exec/obidos/ASIN/0309054753/o/qid=932741165/sr=8-1/002-0198373-8395854

===




Re: Padlock Size was Re: so why is IETF stilling adding DES to protocols? (Re: It's official... DES is History)

1999-06-29 Thread Dan Geer


> The point is that in Netscape, it is very hard to tell if a given link
> is 40 bit or 128 bit. Sure, with enough poking around looking at page
> info you could probably figure it out. Or maybe someone knows if the
> little padlock means something like the little key used to. But I'm a
> crypto-sophisticated person, and I don't know. What about people who
> don't understand the technology at all?

Good point


1. when evaluating, never underestimate the lure of convenience

2. Paul Kocher has found, as I recall, that the percentage of
browsers that are 40bit is *growing* because of the inconvenience
and invasiveness of what extra effort it takes to get your hands
on the 128bit stuff.

3. having inertia & ignorance on your side is strongly advantageous

--dan




Re: Sen. John McCain

1999-06-29 Thread Dan Geer


McCain replied by stating his problem this way: he's sitting across
the table from the Secretary of Defense, the CJCS, and the other
leaders of the national security community, and they tell him
encryption exports will harm national security. What can he say in
response?

Ask, as you say in reverse, whether they have any
idea how to actually get domestic use restrictions
without becoming the enemy of every persuasion.
Point out that without domestic use restrictions, 
the current debate is just so much hogwash.

--dan




Re: personal encryption? (fwd)

1999-06-22 Thread Dan Geer


Do you imply having a machine with PCR's for some unique string in the
authenticator's DNA?  I see two problems.  First, twins.  Second, it's
possible to grow DNA from fingernail clippings, hair, etc.  It would
be like habitually writing your password down on everything you
touched :-)

1. quoting Schneier verbatim, "BIOMETRICS ARE NOT SECRETS"
2. for the ordinary Joe, never underestimate the lure of convenience

--dan




Re: personal encryption? (fwd)

1999-06-21 Thread Dan Geer


>This DNA can then be sequenced and the message read.

It seems to me that you could use the DNA encodings for common
words like "the" and "and" as a marker for PCR. A soup of such
initiators, followed by a gel for the longest fragments should
crack this code quickly.  You might need a second "backwards" PCR
step to recover the very beginning of the message.


this does not lead to secret messages.

this leads to the ultimate in biometrics.

--dan




Re: Wiretaps tripled last year, and U.K. Parliament criticizes Enfopol

1999-05-21 Thread Dan Geer


> ... About three-quarters of the
> 1,329 wiretaps authorized were related to drug cases,

And, FWIW, the score was 1329 approved and 2 rejected,
though the FBI will and does rightly say that if you
want to keep real score you should include the successful
Motions to Suppress (evidence) when evaluating the cost
and return of the wiretap program (from the law enforcement
balance sheet perspective).

They also will and do say that communications intercept
is much less their worry than encrypted data storage
where a search warrant, i.e., after a probable cause
has been developed, is obtained so as to confirm the
grounds for that finding of probable cause only to then
discover that the smoking-gun evidence is encrypted
in bulk and therefore beyond reach.  (Scenario: "You
are right, I encrypted that data and I would give you
the key, really I would, but the trauma of my arrest 
has caused me to forget the password and I never wrote
it down anywhere, honest!")

--dan, who debated Bill Reinsch, Barry Smith & Stewart Baker 
only yesterday (though hardly single-handedly)...




Re: US spying on Europe

1999-05-19 Thread Dan Geer


> What does shock me, however, is that so many European countries
> have been completely blind to what has been going on up to this
> point.

Let us eliminate the impossible so that the 
remainder, however improbable, is true.

(1) If the NYT has it, then it cannot be news to the victims
(2) If it is not news to the victims, then it cannot be news to 
at least some of their governments
(3) If it is not news to their governments, then governments
must have a reason for tolerance
(4) If there is a reason for tolerance that appears irrational,
then there be either hidden paybacks or blackmail; either
(4a) Hidden paybacks -- the spies "sell" some goods to anyone, or
(4b) Hidden blackmail -- the spies "sell" anything to some buyers
(5) If the broad spectrum is for sale, then there's some question
of who's in charge; either
(5a) Civilian US government is run from elsewhere, or
(5b) The spies are not under civilian control

Apocalyptists and conspiratorialists will make much of this as
it will tend to reinforce their view.  Even Phil Agre observes:

  "The global integration of the economy is likewise commonly held to
   decentralize political power by preventing governments from taking
   actions that can be reversed through cross-border arbitrage.  But
   political power is becoming centralized in equally important ways:
   the power of national governments is not so much disappearing as
   shifting to a haphazard collection of undemocratic and
   nontransparent global treaty organizations, and the power to
   influence these organizations is likewise concentrating in the
   ever-fewer global firms.  These observations are not pleasant or
   fashionable, but they are nonetheless true."

--dan




Re: [IWAR] CRYPTO An Analysis of Shamir's Factoring Device

1999-05-05 Thread Dan Geer



I think that our history books should have a
small line notation that in the space of four
months, both DES-56 and RSA-512 were shown to
be crackable within the capacity of a single
wealthy individual, much less a national lab.
As these correspond to the limits embodied in
the exportability debate, I believe that said
debate is therefore closed.  Whether effective
and outright domestic use restrictions are now
the game remains the only imponderable.

--dan




Re: references to password sniffer incident

1999-04-13 Thread Dan Geer


With this being the state of the art in protection, why bother with
intercepts, cryptoanalysis etc?

Having just returned from the USENIX Workshop on
Intrusion Detection, I'd say that all juicy targets
are or will soon be thinking something like "better
living through surveillance."  It is clear that the
only effective means now understood compare today's
surveillance with some floating average of yesterday's,
plus the steady accumulation of specific screens for
yesterday's novel and not-so-novel attacks.  I mean,
wow, what they can do at Oak Ridge, Livermore, AT&T,
etc., etc., is really pretty astonishing but relies
on, say, keystroke monitoring campus wide or similar
sorts of baseline audit generation.  Or, putting it
differently, I can't take care of you unless I shadow
you...

--dan




Re: IPSEC on a Palm III?

1999-04-08 Thread Dan Geer


OTOH, a Palm isn't quite a 'secure' OS, either..  Sure, you can at
least see what you are signing, but there is no secure key storage
available.  A trojan application could easily steal your credentials
off a PalmPilot.  I don't know if this is the case for an iButton.



Adoption rates for hand-helds hinge on multi-functionality
(something for everyone who'll buy) yet the power of the
hand-held hinges on secure OS (authorization with teeth,
as we here understand the concept).


          | secure OS | multifunction
----------+-----------+--------------
smartcard |    yes    |      no
----------+-----------+--------------
Palm      |    no     |      yes


So, which is easier to fix -- adding a security kernel to
the Palm or adding multi-function-ness to the smartcard?

I'd say the security kernel for the Palm is by far easier
unless and until the physics of the smartcard flex requirement 
are beaten somehow -- but why bother?  Except as a container
object, I'd say that the niche smartcards occupy is going
away and going away fast.  Wallet elimination versus wallet
thinning, as it were.

--dan




Re: McCain and 64-bit crypto

1999-04-02 Thread Dan Geer


> I guess it all depends on what "entities" means:

point of information: in any policy document, the game
is at least half over by the end of the "definitions"
page.  read them carefully before you invest...

--dan




Re: Stego for watermarking Perl5 code?

1999-03-23 Thread Dan Geer


Shabbir,

In the 70's and early 80's, I was part of a team distributing
a modestly massive Fortran program that we wanted people to
use but not commercialize.  Our solution then, well before we
all got so smart, was to convert every label, variable, subroutine
name, etc., to a random sequence of M, W and N, all six characters
long (3^^6=729) and that seemed to derail the modifiers.  We did,
for what it is worth, hide a customer identifier in there somewhere.

Low tech, but it seemed to work.

--dan




Re: Army "Basic Cryptanalysis" field manual legal status?

1999-02-12 Thread Dan Geer


Available all over; use "FM 34-40-2" as a search at www.google.com

--dan




Re: Strengthening the Passphrase Model

1999-02-11 Thread Dan Geer


Nick Szabo <[EMAIL PROTECTED]> writes, in part,
...
One could generalize from their success to teach a
cognitive discipline of passphrases which are more 
memorable than alphanumeric gibberish but less obvious 
than these old standbys.
...

Perhaps a challenge, then, would be to tell a top
level systems administrator at a large financial
institution how to craft a passphrase formula that
would be memorable, unique and generative of
passphrases for, say, 100 critical services which
should not share a single passphrase.

Naturally, a bit of "history" is lurking in the above.

--dan




Re: Strengthening the Passphrase Model

1999-02-11 Thread Dan Geer


Markus Kuhn <[EMAIL PROTECTED]> writes, in part,
...
No matter what you do, you will not get around the fact that the
average human brain has a long-term memory write bandwidth of a bit
less than 1 bit/s.
...

I am reminded that Gelernter's marker for intelligence is
creativity which he concludes, in turn, is proportional to
the individual's memory bandwidth.

--dan

[ The Muse in the Machine, 1994, ISBN 0029116023 ]




lifetime of certs now in circulation

1999-01-25 Thread Dan Geer




*** view this note in a fixed width font ***



Colleagues,

I got curious about what certificates are in 
circulation before the general public so I looked
at what server certificates are out there in the
browsers as we speak.  Note that the rate at which
the general public updates its browsers is not
reliable and is constrained by bloat for those
who have anything but the most recent machinery.

First the raw data then a comparison.

For each of Netscape v4.5 and Explorer v4.0, the
certificates, ordered by expiration date are as
follows:


===
Netscape v4.5
---

Wed Jul 15, 1998    BelSign Secure Server CA #00
Thu Jul 16, 1998    BelSign Class 1 CA
Thu Jul 16, 1998    BelSign Class 2 CA
Thu Jul 16, 1998    BelSign Class 3 CA
Thu Jul 16, 1998    MCI Mall CA
Sat Sep 19, 1998    BelSign Object Publishing CA #00

Thu May 06, 1999    KEYWITNESS, Canada CA
Wed Nov 03, 1999    VeriSign/RSA Commercial CA
Sat Dec 25, 1999    BBN Certificate Services CA Root 1
Thu Dec 30, 1999    AT&T Certificate Services
Thu Dec 30, 1999    GTE CyberTrust Secure Server CA
Fri Dec 31, 1999    CertiSign BR
Fri Dec 31, 1999    GTE CyberTrust Root CA #00
Fri Dec 31, 1999    VeriSign Class 1 Primary CA #..01
Fri Dec 31, 1999    VeriSign Class 2 Primary CA #..01
Fri Dec 31, 1999    VeriSign Class 3 Primary CA #..01
Fri Dec 31, 1999    VeriSign Class 4 Primary CA
Fri Dec 31, 1999    VeriSign/RSA Secure Server CA #..01

Tue Jan 16, 2001    AT&T Directory Services

Sun Apr 21, 2002    Uptime Group Plc. Class 1 CA
Sun Apr 21, 2002    Uptime Group Plc. Class 2 CA
Sun Apr 21, 2002    Uptime Group Plc. Class 3 CA
Sun Apr 21, 2002    Uptime Group Plc. Class 4 CA
Thu Feb 14, 2002    GTIS/PWGSC, Canada Gov. Web CA

Mon Aug 04, 2003    GTE CyberTrust Japan Root CA
Mon Aug 04, 2003    GTE CyberTrust Japan Secure Server CA
Wed Sep 17, 2003    GlobalSign Class 1 CA

Wed Jan 07, 2004    VeriSign Class 2 Primary CA #..0D
Wed Jan 07, 2004    VeriSign Class 3 Primary CA #..32

Sat Dec 31, 2005    TC TrustCenter, Germany, Class 0 CA
Sat Dec 31, 2005    TC TrustCenter, Germany, Class 1 CA
Sat Dec 31, 2005    TC TrustCenter, Germany, Class 2 CA
Sat Dec 31, 2005    TC TrustCenter, Germany, Class 3 CA

Mon Aug 14, 2006    American Express CA
Thu Feb 23, 2006    GTE CyberTrust Root CA #01

Mon Jul 16, 2007    BelSign Secure Server CA #01
Wed Sep 19, 2007    BelSign Object Publishing CA #01

Mon Aug 11, 2008    GTE CyberTrust Root 2
Sun Aug 10, 2008    GTE CyberTrust Root 3

Thu Jan 07, 2010    VeriSign/RSA Secure Server CA #..C0

Tue Aug 13, 2013    GTE CyberTrust Root 4
Tue Sep 17, 2013    GlobalSign Partners CA
Wed Aug 14, 2013    American Express Global CA
Wed Aug 14, 2013    GTE CyberTrust Root 5

Fri May 27, 2016    Canada Post Corporation CA

Sat May 20, 2017    IBM World Registry CA
Sat May 20, 2017    Integrion CA
Tue Apr 25, 2017    GTIS/PWGSC, Canada Gov. Secure CA

Fri Aug 24, 2018    Equifax Premium CA
Mon Aug 13, 2018    GTE CyberTrust Global Root
Wed Aug 22, 2018    Equifax Secure CA

Thu Dec 31, 2020    TC TrustCenter, Germany, Class 4 CA
Thu Dec 31, 2020    Thawte Personal Basic CA
Thu Dec 31, 2020    Thawte Personal Freemail CA
Thu Dec 31, 2020    Thawte Personal Premium CA
Thu Dec 31, 2020    Thawte Personal Server CA
Thu Dec 31, 2020    Thawte Server CA
Tue Jan 07, 2020    VeriSign Class 1 Primary CA #..25

===
Explorer v4.0 (or 4.72.2106.8 if you prefer)
---

Thu Jul 16, 1998    MCI Mall CA

Thu May 06, 1999    KEYWITNESS, Canada CA
Wed Nov 03, 1999    VeriSign/RSA Commercial CA
Thu Dec 30, 1999    AT&T Certificate Services
Thu Dec 30, 1999    Microsoft Timestamp Root
Fri Dec 31, 1999    GTE CyberTrust Root CA #00
Fri Dec 31, 1999    VeriSign Class 1 Primary CA #..01
Fri Dec 31, 1999    VeriSign Class 4 Primary CA
Fri Dec 31, 1999    Verisign Commercial Software Publishers CA
Fri Dec 31, 1999    Verisign Individual Software Publishers CA
Fri Dec 31, 1999    Microsoft Authenticode(tm) Root

Tue Jan 16, 2001    AT&T Directory Services

Wed Jan 07, 2004    VeriSign Class 2 Primary CA #..0D
Wed Jan 07, 2004    VeriSign Class 3 Primary CA #..32
Wed Jan 07, 2004    Verisign Commercial Software Publishers CA
Wed Jan 07, 2004    Verisign Individual Software Publishers CA
Wed Jan 07, 2004    Verisign Time Stamping Service Root

Fri Jan 01, 2010    Microsoft Root SGC Authority

Tue Jan 07, 2020    VeriSign Class 1 Primary CA #..25
Thu De

Re: France Allows 128 Bit Crypto

1999-01-25 Thread Dan Geer


There was a US case discussed in a similar thread a year or two ago (and I
think it was on this list, although it may have been on cypherpunks) where
the issue was a safe combination, and the power of the court to hold a
person in contempt until the safe was opened.

Be prepared to destroy the key, then.

See, in spirit, Boneh&Lipton's paper on revocable backups

http://theory.stanford.edu/~dabo/abstracts/backups.html
http://www.usenix.org/publications/library/proceedings/sec96/boneh.html

Froomkin's and Sergienko's analyses, cited here previously,
are compelling, of course.  Unless I missed it in these
two cites, however, there is an open question of whether
deleting a key amounts to destroying evidence as, to this
layman, it ain't evidence until it is admitted.  (Why am
I recalling Geraldo's opening Al Capone's vault?...)

--dan




Re: Intel announcements at RSA '99

1999-01-25 Thread Dan Geer


[I let this through because it makes a new point. Don't assume I'll
let other posts go through if they are "me too!", though -- we've
beaten the RNG topic to death. --Perry]

> Intel has announced a number of interesting things at the RSA conference.
> The most important, to me, is the inclusion of a hardware random number
> generator (based on thermal noise) in the Pentium III instruction set.
> They also announced hardware support for IPSEC.

An interesting question (for me, at least) is: how will I know that the
hardware RNG is really producing stuff based on thermal noise, and not,
say, on the serial number, some secret known to Intel, and a PRNG?

You don't.  More to the point, there is no way
to test a random number generator within the 
small (and shrinking) automated test time that is
part of the production line.  The falsifiable
hypothesis for a multiplier, say, is that it 
gets the right answer.  The falsifiable hypothesis
for a RNG is a long slog through volumes of output.
All the production line can say is "turns out a
stream of bits that ain't all ones or zeroes."
I'd imagine that failed devices will be common 
enough to be an intellectual curiosity, at least.

--dan


"Conspiracy theories are irresistible labor-saving devices
in the face of complexity." -- Henry Louis Gates
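Dan's point that a production-line check can at best rule out a grossly broken device, and cannot tell thermal noise from "serial number + vendor secret + PRNG", can be made concrete. The following is an added example, not code from the original thread: it implements the four FIPS 140-1 statistical tests (monobit, poker, runs, long run) over a 20,000-bit sample and runs them over the OS random source and over a constructed HMAC-SHA256 counter-mode stream keyed with a made-up vendor secret and serial number; both pass. The keyed-PRNG construction and its key material are assumptions for the demonstration, not a description of any real chip.

```python
import hashlib
import hmac
import os

SAMPLE_BITS = 20_000  # FIPS 140-1 statistical tests work on a 20,000-bit sample

def bits_of(data: bytes) -> str:
    """Render bytes as a string of '0'/'1' characters."""
    return "".join(f"{b:08b}" for b in data)

def keyed_counter_prng(secret: bytes, serial: bytes, nbytes: int) -> bytes:
    """Deterministic stream HMAC-SHA256(secret, serial || counter): a constructed
    stand-in for the 'serial number + vendor secret + PRNG' device in the thread,
    not a description of any real hardware."""
    out = bytearray()
    for counter in range((nbytes + 31) // 32):
        out += hmac.new(secret, serial + counter.to_bytes(8, "big"),
                        hashlib.sha256).digest()
    return bytes(out[:nbytes])

def monobit_ok(bits: str) -> bool:
    """Monobit test: the count of ones must satisfy 9654 < X < 10346."""
    return 9654 < bits.count("1") < 10346

def poker_ok(bits: str) -> bool:
    """Poker test over 5,000 nibbles: X = (16/5000)*sum(f_i^2) - 5000, 1.03 < X < 57.4."""
    counts = [0] * 16
    for i in range(0, SAMPLE_BITS, 4):
        counts[int(bits[i:i + 4], 2)] += 1
    x = 16 / 5000 * sum(c * c for c in counts) - 5000
    return 1.03 < x < 57.4

def run_lengths(bits: str) -> dict:
    """Length of every maximal run, keyed by the bit value ('0' or '1') it repeats."""
    runs = {"0": [], "1": []}
    i = 0
    while i < len(bits):
        j = i
        while j < len(bits) and bits[j] == bits[i]:
            j += 1
        runs[bits[i]].append(j - i)
        i = j
    return runs

# Allowed counts of runs of length 1, 2, 3, 4, 5 and 6-or-more, per bit value.
RUN_INTERVALS = [(2267, 2733), (1079, 1421), (502, 748), (223, 402), (90, 223), (90, 223)]

def runs_ok(bits: str) -> bool:
    """Runs test plus long-run test (no run of 34 or more identical bits)."""
    for lengths in run_lengths(bits).values():
        if max(lengths, default=0) >= 34:
            return False
        for k, (lo, hi) in enumerate(RUN_INTERVALS, start=1):
            n = sum(1 for r in lengths if (r >= 6 if k == 6 else r == k))
            if not lo <= n <= hi:
                return False
    return True

def passes_all(data: bytes) -> bool:
    """Everything a fast production-line check could say about the device."""
    bits = bits_of(data)[:SAMPLE_BITS]
    return monobit_ok(bits) and poker_ok(bits) and runs_ok(bits)

def compare() -> dict:
    """Both sources pass: the checks cannot tell thermal noise from a keyed PRNG."""
    n = SAMPLE_BITS // 8
    noise = os.urandom(n)                                            # the honest case
    fake = keyed_counter_prng(b"vendor secret", b"serial 0001", n)  # constructed
    return {"os_random": passes_all(noise), "keyed_prng": passes_all(fake)}
```

Because the keyed stream is a fixed function of the secret and the serial number, every unit of such a device would reproduce the same "random" output for anyone holding the secret, and none of these tests would notice.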





Re: Duke/HP CPU average 3.75 hrs to crack 40-bit crypto

1999-01-16 Thread Dan Geer



old rumor brought to mind by:

...
The UNIX password, a more-formidable challenge, allows users to specify up
to 5,132,188,731,375,620 combinations of letters, numbers or symbols.
"The machine we had access to doesn't quite have enough computing power,"
Kedem acknowledged. "I think it would take us almost a year to break a
UNIX password outright.
...

was that our friends at the Fort long ago (like early 80's)
simply computed the entire UNIX password space, sorted it to
tape, and kept the index around for whenever it seemed useful

any confirming/disconfirming comments?

--dan





Re: What was the quid pro quo for Wassenaar countries?

1998-12-09 Thread Dan Geer


> What an incredibly talented liar, I mean diplomat, he is.

Ah, but you forget that the definition of diplomacy
is the art of lying in State.

--dan



Re: Building crypto archives worldwide to foil US-built Berlin Walls

1998-12-09 Thread Dan Geer


Tradeoff time.



Q: Is it better for the providers of crypto resources to alarm/log
   accesses to their websites or not?

I'd strongly argue not;
  Team Despot will disguise itself and we are surveilled as we speak;
  Team Legion loses if it creates targets for harvesting.



Q: Is coordinated integrity control (code signing) a Good Thing?

I'd weakly argue not;
  The absence of a coordinated signing strategy does not preclude
  verification so avoiding common-mode fraud, e.g., long-running
  denial of service attacks on the central signing agent, seems
  advantageous.

Alternative argument;
  Integrity of crypto code can be signed via quorumed split-key
  means so that no single actor fraud is effective yet only the
  minimum quorum need be online at any given time; this has
  the advantage that a completed split-key signature cannot be 
  attributed to which quorum subset made it yet is verifiable
  by ordinary client means once complete.  Since intermediate
  (partial signing) results do not leak fragment holder identity,
  quorum members can indirectly communicate through commonly
  held dead-drops.



Q: Should requestors routinely avoid surveilled identification?

I'd argue strongly for:
  We, Team Legion, must commit to a cell organization with 
  pseudonymity coverage such as through the "Crowds" system;
  to avoid any one of us being guilty we must all be.



Getting the problem statement right for this
endeavor is the most important thing we have 
left to do.  If the above sample is misguided,
say so.  To the extent it is incomplete, fix
it.  If one of us goes off the air, step into
their place.

It is time for us to walk the fine line between
undue paranoia and a heightened state of awareness.

--dan
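The "Alternative argument" above, a quorumed split-key signature that any quorum can complete, that an ordinary client verifies against one public key, and that carries no trace of which shareholders produced it, can be shown in working code. What follows is an added example, not code from the original post: a simplified t-of-n threshold Schnorr signature over a toy-sized Schnorr group (128-bit safe prime generated at run time), with Shamir shares of the signing key and Lagrange-weighted partial signatures. Distributed key generation, rogue-nonce protection and the dead-drop transport are out of scope; the group size and the protocol simplifications are assumptions for illustration only.

```python
import hashlib
import secrets

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin; fine for a demonstration parameter search."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_group(bits: int = 128):
    """Safe prime p = 2q+1 and g = 4, a generator of the order-q subgroup (toy size)."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4

def shamir_share(secret: int, t: int, n: int, q: int) -> dict:
    """Shares (i, f(i)) of a random degree t-1 polynomial over Z_q with f(0) = secret."""
    coeffs = [secret] + [secrets.randbelow(q) for _ in range(t - 1)]
    return {i: sum(c * pow(i, k, q) for k, c in enumerate(coeffs)) % q
            for i in range(1, n + 1)}

def lagrange_at_zero(i: int, quorum: list, q: int) -> int:
    """lambda_i such that the sum over the quorum of lambda_i * f(i) equals f(0)."""
    num = den = 1
    for j in quorum:
        if j != i:
            num, den = num * -j % q, den * (i - j) % q
    return num * pow(den, -1, q) % q

def challenge(R: int, pub: int, msg: bytes, q: int) -> int:
    """Fiat-Shamir challenge c = H(R || pub || msg) mod q."""
    return int.from_bytes(hashlib.sha256(f"{R}|{pub}|".encode() + msg).digest(), "big") % q

def threshold_sign(shares: dict, quorum: list, msg: bytes, p: int, q: int, g: int, pub: int):
    """Each member i contributes R_i = g^k_i and s_i = k_i + c*lambda_i*x_i;
    the private key x itself is never reconstructed anywhere."""
    nonces = {i: secrets.randbelow(q) for i in quorum}
    R = 1
    for i in quorum:
        R = R * pow(g, nonces[i], p) % p
    c = challenge(R, pub, msg, q)
    return R, sum(nonces[i] + c * lagrange_at_zero(i, quorum, q) * shares[i]
                  for i in quorum) % q

def verify(pub: int, msg: bytes, sig: tuple, p: int, q: int, g: int) -> bool:
    """Plain Schnorr check g^s == R * pub^c: the verifier never sees a quorum."""
    R, s = sig
    return pow(g, s, p) == R * pow(pub, challenge(R, pub, msg, q), p) % p

def demo(t: int = 3, n: int = 5) -> dict:
    """3-of-5: two different quorums both sign validly; a 2-member subset cannot."""
    p, q, g = gen_group()
    x = secrets.randbelow(q - 1) + 1
    pub, shares = pow(g, x, p), shamir_share(x, t, n, q)
    msg = b"constructed archive manifest"
    def sign(quorum):
        return threshold_sign(shares, quorum, msg, p, q, g, pub)
    return {"quorum_123": verify(pub, msg, sign([1, 2, 3]), p, q, g),
            "quorum_245": verify(pub, msg, sign([2, 4, 5]), p, q, g),
            "only_two": verify(pub, msg, sign([1, 2]), p, q, g)}
```

The two valid signatures are both ordinary (R, s) pairs under the same public key, which is the unattributability the post relies on; the sub-quorum attempt fails because two shares interpolate the wrong key.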



Re: Building crypto archives worldwide to foil US-built Berlin Walls

1998-12-08 Thread Dan Geer


Assuming that this line is monitored, let me
join the brave souls before me and put my
name to this idea and in print big enough
"that King George will be able to read it
without his spectacles." 

We have the will and we are legion.

Daniel E. Geer, Jr., Sc.D.




Re: DCSB: Risk Management is Where the Money Is; Trust in Digital Comm

1998-11-12 Thread Dan Geer


Dear Annoymous <[EMAIL PROTECTED]>,

I refer you to a paper by Don Davis,
  "Compliance Defects in Public-Key Cryptography",
   Proc. 6th Usenix Security Symp, (San Jose, CA, 1996),
   pp. 171-178
which you can retrieve from
   http://world.std.com/~dtd/compliance/compliance.ps

After some further discussion with Don, a long time colleague
of mine, I forward to you his rejoinder in lieu of my own.

--dan


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

>> The full cost of revocation testing is proportional to the square of
>> the depth of the issuance hierarchy.
>
>The first statement is false.  Revocation testing is not proportional to
>the square of the depth of the issuance hierarchy.  If you had, say, a 5
>level deep issuance chain, you do not need to check 25 revocation lists.
>You only need to check 5.

i'm sorry, gentle reader, but you are mistaken.  you see, we are making
an obvious assumption that you, like most of the industry, have missed:
revocations will not, in general, be handled by CAs.  this is an obvious
assumption for several reasons:

* large-scale financial applications demand prompt revocations;
* no CA yet offers prompt revocations;
* no available CA software supports prompt revocations;
* CAs are inherently off-line by design, while revocation
  authorities must be highly-available;
* as scaling problems, certificate issuance and prompt
  revocation are inherently and radically different.

so, there's no reason to expect a single organization necessarily to
fulfill both tasks.  we assume that when revocation-checking service
becomes generally available,  it will be provided by a plethora of
revocation-authorities, just as many CAs propose to issue certificates
now.  we expect to see a wide variety of revocation authorities for
the same reasons that inspired the creation of the various "root" CAs:

* any software vendor who solves the "prompt revocation"
  problem will want to sell their solution repeatedly;
* some organizations will want to run their own revocation
  authorities in-house;
* other organizations will prefer to hire the problem out;
* still other organizations will take up the business of
  selling up-to-date revocation information;
* the problem of delivering timely revocation information
  to the whole network is probably too big for one company,
  for social, financial, and scaling reasons.
 
in such a multi-rooted environment, we can reasonably expect to see
several revocation-authorities handling revocations that pertain to
a single root-CA's certificate tree.  further, we should assume that
these various revocation-authorities will sign their revocation-info
with public keys that have been signed into certs by any of various CAs.

the resulting heterogeneous PKI is not the pretty picture that CCITT
painted in the X.509 standard, but it seems inevitable.
 
thus, to check that _one_ level of a certificate-issuance chain has
not recently been revoked, you must either:

* examine a revocation-list (if you don't need promptness), or
* ask a revocation-list managing service.

either way, each level gives you a new signature to check (from the
revocation-list author), and thus a new certificate-chain to validate.
these 5 new certificate chains for the pertinent revocation-services
can all be outside your original 5-deep issuance chain.  further, each
link in these 5 revocation-related issuance chains must, in turn, be
validated and revocation-checked.  when the validation of revocation-
authority certs is taken into account, one immediately finds that a
certificate _chain_ becomes a binary tree of certificates, and that
revocation-checking is indeed an explosively recursive problem:

  RA7  CA7  RA6  CA6    RA4  CA4  RA1  CA1   <-- Root-level
    \  /      \  /        \  /      \  /
     RA5      CA5          RA2      CA2
       \      /              \      /
        \    /                \    /
         RA3                    CA3
            \                  /
             \                /
              \              /
               \            /
                \          /
                 \        /
                  user-cert

for each edge in this graph, the validator must check one signature.
for a 2-link chain, like "CA1 signs CA2's cert," 2 signatures must be
checked.  for a 3-link chain, like "CA1 signs CA2's cert, who signs CA3's
cert," 6 signatures must be checked; for 4 links, as in the picture,
14 signatures must be checked; and for 5 links, 30 sigs must be checked.
in reality, the revocation-problem will be sub-exponential in its growth,
as dan says, because the number of higher-level authoriti