ATTN: John Walker - RE: [speak-freely] Speak Freely for Windows and Speak Freely mailing lists (fwd)
How would you do it? Would you lift public key exchange from OpenSSL or GPG? Or just package a snapshot of GPG with Speak Freely, and adapt the call syntax?

-- Forwarded message --
Date: Mon, 27 Jan 2003 01:25:26 -0500
From: Benjamin T. Moore, Jr. [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: ATTN: John Walker - RE: [speak-freely] Speak Freely for Windows and Speak Freely mailing lists

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I am elated that the development of Speak Freely is continuing. I think it is one of the best Voice over IP applications I have ever tried. I have been using Speak Freely for at least 8 or 9 years now. I have also been using PGP since version 2.3a was released. I have yet to get Speak Freely to interface with PGP the way it is supposed to as per the help file. I have tried many times with friends also equally adept at PGP and Speak Freely. We've never been able to have any success. We always have to generate a key and exchange it through encrypted e-mail. I would dearly love to have someone provide a step-by-step tutorial on how we should proceed. Or, if as I suspect, it doesn't work, I'd like to know that as well so I can stop losing sleep over it! :-)

Any advice or help would put me forever in your debt. Thanks in advance!

- --
Benjamin T. Moore, Jr. - [EMAIL PROTECTED]
ICQ UIN - 8159114
*The Price of Freedom is Self-Reliance! The Cost is Education!*
Re: Big Brotherish Laws
Bill Stewart [EMAIL PROTECTED] writes:

> I have heard of one case where somebody was stopped in Nevada, and instead of presenting his California driver's license, if any, he presented his somewhere-in-the-Caribbean non-photo license and an international driver's license, and that was just fine for Nevada.

That's because non-US licenses constitute automatic permission for minor traffic law violations. The scenario is something like the following:

[Driver gets pulled over]
Driver: Gidday mate, how's it going?
[Cop asks for license, looks at it]
Cop: Ah, screw it, too much paperwork. Don't do it again. HAND.

Peter.
Re: JILT: New Rules for Anonymous Electronic Transactions? An Exploration of the Private Law Implications of Digital Anonymity
At 07:56 AM 01/24/2003 -0500, Bob Hettinga wrote:
> http://elj.warwick.ac.uk/jilt/01-2/grijpink.html

There's some interesting discussion about the ability of the Dutch legal culture to provide useful tools for regulating transactions in anonymous or semi-anonymous environments - if you can't find somebody, can you speak of enforcing contracts, etc. Not surprisingly, this has been discussed extensively by the Cypherpunks and other people exploring applications for cryptographically-protected communications. Some of the standard references are Tim May's Cyphernomicon paper (on the web), Orson Scott Card's novel Ender's Game, and Vernor Vinge's story True Names. (As the JILT paper says, systems like this may be quite complex to actually implement in practice, and fiction provides a good tool for exploring the social implications without doing the difficult detail work.)

I do want to comment on the concept of pseudonymity and semi-anonymity. The paper appears to be using a definition in which a Trusted Third Party provides a pseudonym service, which knows the True Name behind each pseudonym and can provide it when required for a limited number of situations, such as collecting unpaid debts or prosecuting ThoughtCrime, but otherwise the pseudonym is adequate for many activities, and the user can protect his privacy and conduct various activities under different pseudonyms without them being linked to each other or to his True Name. Unfortunately, the definitions of ThoughtCrime have been radically expanded in recent years, primarily due to intellectual property concerns from the music and movie publishers and the Church of Scientology, so the usefulness of these pseudonyms has decreased, even for pure communications applications without the anonymous digital payment systems that can enable anonymous business.

An alternative definition of pseudonymity, which is more common in the Cypherpunks discussions, is the use of a persistent identity, verified by digital signatures, which permits the development of reputations without the need for True Names. The types of businesses that can be supported in this environment are more limited, because there's no way to throw somebody in jail if they default, but much of European merchant law evolved without this ability. For some applications, Reputation Capital provides enough protection - a name that's used for months or years of good transactions or writing good essays or making good investment recommendations has a value that will be lost if it's abused, but for other applications, escrow services substantially increase the types and values of transactions that are possible. Escrow can be used on a per-transaction basis, or the escrow service may be part of establishing a pseudonym, providing an amount of money that can be seized in a dispute resolution process without needing the True Name of the pseudonym-holder.

Pseudonymity is becoming increasingly common in practice. AOL screen names were primarily intended to allow multiple family members to share an account, but are also useful for protecting privacy, especially of children in chat rooms. There's no explicit requirement for a True Name, though most accounts use credit cards which do provide some tracing ability, but the depth of credit checking performed by AOL is "did their credit card company approve paying for their service this month", rather than "how big a transaction can their assets cover" or "where do they sleep, in case the police want to arrest them". Yahoo Mail and Hotmail systems are relatively untraceable, however.

EBay accounts have an organized reputation capital system, allowing buyers and sellers to rate whether the other party has met their obligations, and to allow prospective buyers and sellers to see the ratings and estimate whether they'll be defrauded or not. Unfortunately, EBay recently bought Paypal, so the privacy of Paypal users is no longer protected by the separation between the auction system and the payment system, since Paypal uses credit cards and therefore semi-traceable identities to pay people.

Julf Helsingius's original Anonymous Remailer was originally intended to provide the stronger form of pseudonymity, but unfortunately he was forced to reveal the information he had about a user (because of the intellectual property ThoughtCrime problem), though in fact that identity was another disposable email address.

> In order to respond to a growing need for anonymity in legal transactions, the regulations for organised semi-anonymity could also be extended (e.g. under property law), so that it will be possible to break through a person's anonymity retrospectively if necessitated by court order or by the law. Organised semi-anonymity (or pseudonymity) in legal transactions is therefore a useful weapon against a number of disadvantages of acting absolutely anonymously or spontaneously semi-anonymously, while retaining the envisaged protection of privacy. It is only with the
Secure voice app: FEATURE REQUEST: RECORD IPs
> I am elated that the development of Speak Freely is continuing. I think it

The versions of all the secure phones I've evaluated needed this feature: a minimal answering machine. With just the ability to record IPs of hosts that tried to call. (A local table can map these to your friends or their faces. Of course, this table should be encrypted when not in use.)

Heck, you could even have an option to send email --or I suppose use that instant-messaging stuff that teenagers are fond of-- from the secure IP phone to you, when that phone rings but is not answered.
Re: ATTN: John Walker - RE: [speak-freely] Speak Freely for Windows and Speak Freely mailing lists (fwd)
Apart from bugfixes (like a tunable parameter to get rid of UDP buildup in the system buffer due to sample rate skew) there has been some interesting discussion on tunnelling through NAT. I just noticed that speak-freely@ doesn't have a web archive. I'll be happy to forward relevant posts to anyone interested (privately, or dump them to cpunx-news so you can read them up from the web archives).

On Mon, 27 Jan 2003, Steve Schear wrote:

> I'd love to use SpeakFreely but one of its quirks is that it uses two different ports to initiate and respond to connections and communicate. Like many others I use a firewall appliance. And like many firewall users we find features lacking for configuring our firewalls so that incoming traffic on one port can be associated with outgoing traffic from another. About two years ago I thought a programmer I knew was going to fix this, but it never happened. Hint: whoever takes up improving SpeakFreely, please add this to the change list.
Re: ATTN: John Walker - RE: [speak-freely] Speak Freely for Windows and Speak Freely mailing lists (fwd)
At 12:38 PM 1/27/2003 +0100, you wrote:
> How would you do it? Would you lift public key exchange from OpenSSL or GPG? Or just package a snapshot of GPG with Speak Freely, and adapt the call syntax?

I'd love to use SpeakFreely but one of its quirks is that it uses two different ports to initiate and respond to connections and communicate. Like many others I use a firewall appliance. And like many firewall users we find features lacking for configuring our firewalls so that incoming traffic on one port can be associated with outgoing traffic from another. About two years ago I thought a programmer I knew was going to fix this, but it never happened. Hint: whoever takes up improving SpeakFreely, please add this to the change list.

steve
Re: Secure voice app: FEATURE REQUEST: RECORD IPs
On Mon, Jan 27, 2003 at 08:23:15AM -0800, Major Variola (ret) wrote:
> > I am elated that the development of Speak Freely is continuing. I think it
>
> The versions of all the secure phones I've evaluated needed this feature: a minimal answering machine. With just the ability to record IPs of hosts that tried to call. (A local table can map these to your friends or their faces. Of course, this table should be encrypted when not in use.)

Pretty hard to do if people are using dialup. Or even DSL, unless they run a Linux box they don't ever reboot -- although I've found my DSL IP changing sometimes on its own, and with no rhyme or reason. Cable is a little more stable; when I had a cable modem it didn't change IP unless I shut off the modem for awhile, and not even always then.

(snip)

--
Harmon Seaver
CyberShamanix
http://www.cybershamanix.com
Semi-Deniable Thumbdrive...
> I think the best way to think about any biometric is as a very cheap, moderately hard to copy identification token. Think of it like a good ID card that just happens to be very hard to misplace or lend to your friends.

Well, if I was smuggling capacitors into Iraq I certainly wouldn't use a thumbdrive! But the above is pretty much the way I see it: 'reglar' folks can't 'figure out' my thumbprint, and couldn't use binoculars or whatever to see my password.

More importantly, I don't have a lot of time to try to come up with some soft/hard gadget on my own these days. I pretty much need to be able to BUY something and come up to speed pretty quickly on how to use it. I need it like sex: cheap/dirty/fast. I can't really spend a lot of time worrying about some hyper-evil, hyper-powerful fed (just yet).

Aside from the deniability aspect, another upgrade would be for me to be able to use my thumbprint as a PGP password. Then this thumbdrive wouldn't be readable via some off-the-shelf pin reader that any helpdesk knucklehead could buy. So both of these upgrades might be available by fairly simple hacks, or by pestering Trek for them. I wouldn't have to spend a few weeks down in Dexter's laboratory coming up with a completely new, God-proof device. And then as further easy upgrades become available, I'll grab 'em. And who knows? With enough little hacks, some gadgets may eventually morph into inexpensive but quite fierce little black boxes. (As guitarist Robert Fripp has said: Incremental changes are transformative.)

-TD

Cheap, fast, easy, and MASSIVE scalability: that's the real end-run.

From: John Kelsey [EMAIL PROTECTED]
To: Eugen Leitl [EMAIL PROTECTED], Thomas Shaddack [EMAIL PROTECTED]
CC: Ben Laurie [EMAIL PROTECTED], Tyler Durden [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: Deniable Thumbdrive?
Date: Sun, 26 Jan 2003 22:16:52 -0500

At 10:06 PM 1/24/03 +0100, Eugen Leitl wrote:
> ...
> Frankly, the fingerprint is a lousy secret: you leak it all over the place. You can't help it, unless you're wearing gloves all the time. Ditto DNA.

That's generally true of biometrics. Unless taking the measurement is so intrusive it's obvious when it's taken (e.g., maybe the geometry of your sinus cavities or some such thing that requires a CAT scan to measure properly), there's no secret. People constantly seem to get themselves in trouble trying to use biometrics in a system as though they were secret. The best you can usually do is to make it moderately expensive and difficult to actually copy the biometric in a way that will fool the reader. But this is really hard. In fact, making special-purpose devices that are hard to copy or imitate is pretty difficult. It seems enormously harder to find a hard-to-copy, easy-to-use token that just happens to come free with a normal human body.

I think the best way to think about any biometric is as a very cheap, moderately hard to copy identification token. Think of it like a good ID card that just happens to be very hard to misplace or lend to your friends.

--John Kelsey, [EMAIL PROTECTED]
Re: Secure voice app: FEATURE REQUEST: RECORD IPs
On Mon, Jan 27, 2003 at 07:06:24PM +0100, Thomas Shaddack wrote:
> > Pretty hard to do if people are using dialup. Or even DSL, unless they run a Linux box they don't ever reboot -- although I've found my DSL IP changing sometimes on its own, and with no rhyme or reason.
>
> DSL lease timeout. A feature of DHCP-based dynamic IP addresses over permanent connections. Similar for cable, though the differences you observed seem to be rather implementation-dependent than fundamental.

No, not really. It's far too irregular for that, sometimes goes for over a month, then sometimes 2-3 times in a week. More like them doing work on the system. Not really DHCP anyway, it's Eoppp. Cable is usually DHCP, and is better because it authenticates on the MAC address of the cable modem. And DHCP can be set up to always give the same IP to a certain MAC address, but I don't think the Eoppp can, or at least they don't -- it always has to negotiate a challenge/passwd response which can be quite problematic -- sometimes the only way to get it to work again is to unplug the modem for 30 seconds or so, which, of course, frustrates any script you have to automagically reset DNS for your domain name, or even just keep you online.

> > Cable is a little more stable, when I had a cable modem it didn't change IP unless I shut off the modem for awhile, and not even always then.
>
> Idea: What about a caller ID system, based on eg. SSL certificates or PGP signed challenge-response?

This would probably work okay, even ssh works despite IP changes, although it stops to ask.

--
Harmon Seaver
CyberShamanix
http://www.cybershamanix.com
Re: Secure voice app: FEATURE REQUEST: RECORD IPs
> Pretty hard to do if people are using dialup. Or even DSL, unless they run a Linux box they don't ever reboot -- although I've found my DSL IP changing sometimes on its own, and with no rhyme or reason.

DSL lease timeout. A feature of DHCP-based dynamic IP addresses over permanent connections. Similar for cable, though the differences you observed seem to be rather implementation-dependent than fundamental.

> Cable is a little more stable, when I had a cable modem it didn't change IP unless I shut off the modem for awhile, and not even always then.

Idea: What about a caller ID system, based on eg. SSL certificates or PGP signed challenge-response?
Re: Secure voice app: FEATURE REQUEST: RECORD IPs
Harmon Seaver [EMAIL PROTECTED]
> On Mon, Jan 27, 2003 at 07:06:24PM +0100, Thomas Shaddack wrote:
> > DSL lease timeout. A feature of DHCP-based dynamic IP addresses over permanent connections. Similar for cable, though the differences you observed seem to be rather implementation-dependent than fundamental.
>
> No, not really. It's far too irregular for that, sometimes goes for over a month, then sometimes 2-3 times in a week. More like them doing work on the system.

That's about what I've seen.

> Not really DHCP anyway, it's Eoppp. Cable is usually DHCP, and is better because it authenticates on the MAC address of the cable modem. And DHCP can be set up to always give the same IP to a certain MAC address, but I don't think the Eoppp can, or at least they don't -- it always has to negotiate a challenge/passwd response which can be quite problematic -- sometimes the only way to get it to work again is to unplug the modem for 30 seconds or so, which, of course, frustrates any script you have to automagically reset DNS for your domain name, or even just keep you online.
>
> Harmon Seaver

There's probably an X10 module that would let your Linux box cycle the power on your modem/router/switch. Try $50: http://www.x10.com/automation/x10_ck11a.htm

If you're not using a domain name then your script could publish your IP address on your home page (in the clear or not as you choose).

Mike
Re: Secure voice app: FEATURE REQUEST: RECORD IPs
On Mon, 27 Jan 2003, Michael Motyka wrote:

> If you're not using a domain name then your script could publish your IP address on your home page (in the clear or not as you choose).

The local friendly telco monopoly (~97% of all DSL connections in Krautland) separates the PPPoE modems at least once in 24 h. Unfortunately, the provider collaborates with the feds, and retains the connection info:

http://www.heise.de/ct/aktuell/data/hob-14.01.03-000/
http://www.heise.de/bin/nt.print/newsticker/data/hob-14.01.03-001/?id=f8097b7ftodo=print

I used to run a crontabbed script that queried a cgi-bin giving back the remote address

#!/usr/bin/perl -w
#
# get own ip address in plain text

print "Content-type: text/plain\n\n";
print $ENV{REMOTE_ADDR};

which got parsed and uploaded as a HTML page to a fixed point in address space. However, thanks to dyndns.org and routers with dyndns clients built-in this is now much more painless (no need to hack ddclient to parse your router's status page).

More interesting, current wireless routers seem to support VPN tunnelling (IPsec, specifically). Given the capabilities, it would be a piece of cake to slip a VoIP package such as Speak Freely into it. With a headset/USB connection and a web interface to control the app it would certainly provide some added value and be immune to firewalling woes.

Speaking of which, has anyone tried Tarzan http://www.pdos.lcs.mit.edu/tarzan/download.html? If yes, what is your opinion of it?
Re: Secure voice app: FEATURE REQUEST: RECORD IPs
> I used to run a crontabbed script that queried a cgi-bin giving back the remote address

I use a very similar system (in PHP), activated by a wget request from /etc/ppp/ip-up.local (Linux). Another tactic I use occasionally when having to improvise is a remote syslog and a crontab entry that every 5 minutes spits a heartbeat message into the log (so every 5 minutes I get a UDP packet telling me the address on which the machine currently is; brute force, reliable, small overhead, abuse-resistant).

> built-in this is now much more painless (no need to hack ddclient to parse your router's status page). More interesting, current wireless routers seem to support VPN tunnelling (IPsec, specifically). Given the capabilities, it would be a piece of cake to slip a VoIP package such as Speak Freely into it. With a headset/USB connection and a web interface to control the app it would certainly provide some added value and be immune to firewalling woes.

Works, proven experimentally. One fateful day my ISP cut off all UDP traffic above and including port 1024 (they reinstated it two days later, so I suppose it was a hasty defense against a DDoS attack). I had a VPN connection to my office LAN, so I opened the two UDP ports on the firewall and set up port forwarding in iptables, and after some wrestling caused by my relative inexperience I got it working. Was surprisingly reliable.

By the way - thought a bit about the ringing and authentication. Why do we have to unite the call request system with the rest of the IP phone application? Couldn't we use it as an entirely separate process, maybe something simple based on eg. SSL or HTTPS, employing client certificates? This way we reduce the modifications of the VoIP component itself to a bare minimum or perhaps none at all. Maybe it could be as simple as a perl or PHP script on the listening side, and a script calling curl on the other side.
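The remote-syslog heartbeat trick in the post above (a cron job that sends one log line every few minutes, so the receiver learns the sender's current address from the packet's source), as an added example that is not code from this thread: a small UDP syslog receiver that parses RFC 3164-style lines, keeps the last source address seen per host name, and reports hosts whose heartbeat has gone stale. The `hb` tag, the local0.info priority, the host names and the 15-minute stale threshold are assumptions of this example.

```python
"""Added example (not from the thread): track hosts' current addresses
from periodic syslog heartbeats.  Tag 'hb' and the local0.info priority
are this example's own conventions."""
import re
import socket
import threading
import time

# RFC 3164 style line: <PRI>Mmm dd hh:mm:ss hostname tag: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+): ?(?P<msg>.*)$")


def parse_syslog(line):
    """Split one syslog line into facility, severity, host, tag and message."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:            # facility 0..23, severity 0..7
        return None
    return {"facility": pri // 8, "severity": pri % 8,
            "host": m.group("host"), "tag": m.group("tag"),
            "msg": m.group("msg")}


class HeartbeatTracker:
    """Remembers, per host name, the address the last heartbeat came from."""

    def __init__(self, stale_after=900.0):
        self.stale_after = stale_after   # seconds without a heartbeat
        self.hosts = {}                  # hostname -> (ip, last_seen)
        self.lock = threading.Lock()

    def record(self, line, src_ip, now=None):
        """Accept a line if it is a heartbeat; the address comes from the
        datagram's source, not from the message body (which could lie)."""
        rec = parse_syslog(line)
        if rec is None or rec["tag"] != "hb":
            return False
        now = time.time() if now is None else now
        with self.lock:
            self.hosts[rec["host"]] = (src_ip, now)
        return True

    def address_of(self, host):
        with self.lock:
            entry = self.hosts.get(host)
        return entry[0] if entry else None

    def stale_hosts(self, now=None):
        """Hosts that have missed their heartbeat window."""
        now = time.time() if now is None else now
        with self.lock:
            return sorted(h for h, (_, t) in self.hosts.items()
                          if now - t > self.stale_after)


def serve(tracker, bind=("127.0.0.1", 0), count=1):
    """Receive `count` datagrams on a background thread; return (port, thread)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    port = sock.getsockname()[1]

    def loop():
        for _ in range(count):
            data, (ip, _port) = sock.recvfrom(2048)
            tracker.record(data.decode("utf-8", "replace"), ip)
        sock.close()

    t = threading.Thread(target=loop, daemon=True)
    t.start()
    return port, t


def send_heartbeat(port, host="laptop", facility=16, severity=6):
    """What the cron job would send (constructed line, local0.info = <134>)."""
    pri = facility * 8 + severity
    line = "<%d>Jan 27 19:06:24 %s hb: alive" % (pri, host)
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.sendto(line.encode(), ("127.0.0.1", port))
    s.close()


def demo():
    """One heartbeat over loopback; returns the address learned for 'laptop'."""
    tracker = HeartbeatTracker(stale_after=900)
    port, t = serve(tracker, count=1)
    send_heartbeat(port, "laptop")
    t.join(timeout=5)
    return tracker.address_of("laptop")


if __name__ == "__main__":
    print(demo())
```

Because the address is taken from the UDP source and a heartbeat is only a few bytes, this works with any syslog-capable box and survives address changes; the trade-off is that a plain syslog line carries no authentication, so a spoofed datagram could plant a wrong address, which is why the tracker is a locator for your own hosts and not a substitute for the signed caller ID discussed later in the thread.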
Re: Secure voice app: FEATURE REQUEST: RECORD IPs
At 11:25 AM 1/27/03 -0600, Harmon Seaver wrote:
> On Mon, Jan 27, 2003 at 08:23:15AM -0800, Major Variola (ret) wrote:
> > The versions of all the secure phones I've evaluated needed this feature: a minimal answering machine. With just the ability to record IPs of
>
> Pretty hard to do if people are using dialup. Or even DSL, unless they run a Linux box they don't ever reboot -- although I've found my DSL IP changing sometimes on its own, and with no rhyme or reason.

Merely notifying me that someone called is useful. It wouldn't require rocket science to recognize an entire class C address as a friend. And remember this proposal is fully backward compatible with earlier versions of a sec phone.

If you wanted to mess with the protocol, you could obviously add an identifier exchange component. I am not familiar with SpeakFreely's protocol so I don't know if it can be extended without breaking compatibility.
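The pieces proposed across this thread (a missed-call log keyed on the caller's address, recognising a whole class C as a friend, and a separate call-request process that identifies the caller by a signed challenge-response rather than by address) fit together in one small listener. This is an added example and not code from the thread or from Speak Freely; it uses a per-friend pre-shared key with HMAC-SHA256 in place of the PGP signature or client certificate the posters suggest, so that it runs with the standard library alone, and every name, key and address in it is constructed.

```python
"""Added example (not from the thread or Speak Freely): a call-request
listener with an answering-machine log.  HMAC over a pre-shared key is a
stand-in for the PGP-signed challenge-response proposed in the thread."""
import hashlib
import hmac
import ipaddress
import secrets
import time


def respond(key, nonce, name):
    """Caller side: prove possession of the shared key for this nonce."""
    msg = ("callreq|%s|%s" % (name, nonce)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class CallListener:
    """Listener side: issue nonces, verify responses, log missed calls."""

    def __init__(self, friends, nonce_ttl=30.0):
        # friends: name -> {"key": bytes, "net": "CIDR" (optional)}
        self.friends = {}
        for name, f in friends.items():
            net = ipaddress.ip_network(f["net"]) if f.get("net") else None
            self.friends[name] = {"key": f["key"], "net": net}
        self.pending = {}        # nonce -> time issued (single use)
        self.missed = []         # (time, caller_ip, friend name or None)
        self.nonce_ttl = nonce_ttl

    def identify_by_address(self, caller_ip):
        """Legacy path for phones that speak no extra protocol: match the
        caller's address block (a hint for the log, not authentication)."""
        ip = ipaddress.ip_address(caller_ip)
        for name, f in self.friends.items():
            if f["net"] is not None and ip in f["net"]:
                return name
        return None

    def challenge(self, now=None):
        """Hand the caller a fresh random nonce to sign."""
        nonce = secrets.token_hex(16)
        self.pending[nonce] = time.time() if now is None else now
        return nonce

    def ring(self, caller_ip, name, nonce, response, answered=False, now=None):
        """Authenticated path; returns the outcome as a short string."""
        now = time.time() if now is None else now
        issued = self.pending.pop(nonce, None)   # a nonce is valid once
        if issued is None or now - issued > self.nonce_ttl:
            return "stale-nonce"                 # replayed, unknown or expired
        friend = self.friends.get(name)
        if friend is None:
            self.missed.append((now, caller_ip, None))
            return "unknown"
        expected = respond(friend["key"], nonce, name)
        if not hmac.compare_digest(expected, response):
            self.missed.append((now, caller_ip, None))
            return "bad-response"
        if not answered:
            self.missed.append((now, caller_ip, name))
            return "missed"
        return "accepted"

    def missed_from(self, name):
        """Answering-machine view: when and from where did `name` call?"""
        return [(t, ip) for t, ip, who in self.missed if who == name]


def demo():
    """Constructed friends table and one unanswered call from alice."""
    listener = CallListener({
        "alice": {"key": b"constructed-key-alice", "net": "192.0.2.0/24"},
        "bob":   {"key": b"constructed-key-bob"},
    })
    nonce = listener.challenge(now=100.0)
    proof = respond(b"constructed-key-alice", nonce, "alice")
    first = listener.ring("192.0.2.7", "alice", nonce, proof, now=101.0)
    replay = listener.ring("192.0.2.7", "alice", nonce, proof, now=102.0)
    return (first, replay,
            listener.identify_by_address("192.0.2.99"),
            listener.identify_by_address("198.51.100.1"))


if __name__ == "__main__":
    print(demo())
```

The listener logs the caller's address whether or not it can name the caller, which is the minimal answering machine asked for at the top of the thread; the address-block match gives old phones a name in that log without any protocol change, and the nonce (fresh, single use, short-lived) is what turns the key-based identification into a caller ID that cannot be replayed from a captured packet.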
When you try to pronounce NGSCB...
...it sounds like some place-name in Mordor: Naagscab

I suppose it should name a sulfurous cave, or some other, um, foul hole...

Thanks to Charles Evans for the pronunciation hint.

Microsoft has dropped the code name of its controversial security technology, Palladium, in favor of this buzzword-bloated tongue twister: next-generation secure computing base.

Cheers,
RAH
Who liked Palladiated, too...

--
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'