nCipher says co-founder Nicko van Someren steps down from board
http://www.hemscott.com/news/latest-news/item.do?newsId=57266946539337
Hemscott London: 15:16, 24 Dec

LONDON (Thomson Financial) - Software company nCipher PLC said co-founder Nicko van Someren will step down from the board on Dec 31. The company said van Someren was chief technology officer for more than 11 years, but had reduced his working commitments earlier in the year. He has agreed to provide advice and support to the company for the first six months of 2008, nCipher added. The company said it expects to announce new executive appointments in the new year.

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
[EMAIL PROTECTED]: [Politech] E.U. Parliament votes to force data retention on telecom, Net firms [priv]]
--- begin forwarded text
Date: Wed, 14 Dec 2005 14:24:50 -0500
To: Philodox Clips List
From: R. A. Hettinga
Subject: [Politech] E.U. Parliament votes to force data retention on telecom, Net firms [priv]

--- begin forwarded text
Date: Wed, 14 Dec 2005 17:20:03 +0100
From: Eugen Leitl
Subject: [Politech] E.U. Parliament votes to force data retention on telecom, Net firms [priv]

Just as well, I can spare writing up a blurb.

- Forwarded message from Declan McCullagh declan@well.com -

From: Declan McCullagh declan@well.com
Date: Wed, 14 Dec 2005 08:00:49 -0800
To: politech@politechbot.com
Subject: [Politech] E.U. Parliament votes to force data retention on telecom, Net firms [priv]

Previous Politech messages:
http://www.politechbot.com/2005/12/05/european-data-retention/
http://www.politechbot.com/2005/09/23/european-commission-proposes/
http://www.politechbot.com/2005/06/16/feds-contemplate-forcing/

Original Message
Subject: EU Parliament agrees to data retention
Date: Wed, 14 Dec 2005 16:20:00 +0100
From: Ralf Bendrath
To: Declan McCullagh declan@well.com

Declan, something for Politech? Very bad news from Europe.

The European Parliament this morning voted in favour of a backroom deal that had been made between the two big parties in Brussels and the Council of Ministers, currently chaired by the UK. The deal completely ignored the amendments proposed by the Parliament's Rapporteur and by the Justice and Civil Liberties Committee that was (well - officially) in charge of the process. After a hot debate and a number of signs of cracks in the party blocks, a majority of 378 parliamentarians voted in favour of mandatory retention of telecommunications data, 197 against, 30 abstained.
This is in short what we will get now:

- retention of telephone and internet connection data (including email addresses) and location data for mobile phone calls
- no harmonisation of the retention period (6 to 24 months, but longer is allowed: Poland wants 15 years)
- no harmonisation of cost reimbursement for the needed investments on the providers' side
- no limitation to certain types of crimes for which access is allowed
- retention of unsuccessful call attempts
- no independent evaluation
- no extra privacy safeguards
- follow-up committee without representation from civil rights organisations

Civil liberties organizations, consumers' organizations and all the telco industry associations as well as journalists' associations had been fighting like hell against this major and unprecedented surveillance plan until the last minute. We did not win (the outcome is in fact the worst possible, exactly what the UK home affairs minister Clarke wanted), but we at least raised a lot of awareness and disturbed the conservative and social-democrat party lines. But the UK council presidency had pushed so hard after the London bombings that this directive will enter the EU history as the one which took the shortest time ever from the first Commission draft to the final vote (less than three months - normally they need years).

The next steps will be the adoption by the Council of Ministers (before Christmas) and then the implementation process into national laws. There will be challenges to this plan before the constitutional courts. I am pretty sure that the German constitutional court will not like it, as it recently had ruled unconstitutional a major eavesdropping plan on phone calls - and that one was only directed at suspicious persons, whereas the EU directive applies to every single communication of all 450 million inhabitants of the EU.

More information, including recordings of the EP debate, is available at http://wiki.dataretentionisnosolution.com/.
Ralf
(European Digital Rights, www.edri.org)

___
Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)

- End forwarded message -

--
Eugen* Leitl http://leitl.org
ICBM: 48.07100, 11.36820 http://www.ativel.com
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

--- end forwarded text

--
- R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may
[Clips] MIT Real ID Conference a Success: Participate in New Virtual Civic Conversation
--- begin forwarded text
Date: Sat, 10 Dec 2005 17:48:40 -0500
To: Philodox Clips List
From: R. A. Hettinga
Subject: [Clips] MIT Real ID Conference a Success: Participate in New Virtual Civic Conversation

--- begin forwarded text
Date: Sat, 10 Dec 2005 13:01:20 -0800 (PST)
From: Daniel J. Greenwood
Subject: MIT Real ID Conference a Success: Participate in New Virtual Civic Conversation

This note is to inform you that the MIT Public Forum on the Real ID Act of 2005 was held on Monday, December 5th, and we will be streaming video of the entire day from the MIT Media Lab web site within the next few days. To those of you who participated, thank you for making this event a true success.

We plan a series of activities for the future, including publication of proceedings, further activity on the MIT Real ID Public Forum Blog, additional events and, of course, continued work with the Department of Homeland Security and other federal and state governmental agencies to provide a neutral forum within which to meet, hear from the public and interest groups and to consider opportunities for cross-boundary cooperation. We intend to use publication of the final report of the proceedings of the day to highlight the many valuable perspectives and ideas that came forward throughout the event.

Again, we encourage each of you to share any thoughts you may have regarding this important new federal statute. After the Department of Homeland Security publishes its draft regulations under the law, we anticipate another round of activity to support discussion and meaningful response.

Finally, the MIT E-Commerce Architecture Program, hosted at the MIT Media Lab Smart Cities group, is now working with partners to make available a new, more efficient mode of public dialog on important affairs of the day.
Currently called Virtual Civic Conversations, this simple approach uses existing blog technology (including RSS feeds and track-back features) to set up shared meta-search terms for specific issues, allowing participants to post a topic on their blog and for it to appear as a new post on a large-scale multi-party communications blog. In this way, the many interest groups, governmental agencies, individuals and others who are all speaking to the same topic (next steps on the Real ID Act, in this case) can use a blog (such as the MIT Real ID Public Forum Blog) to compile all posts on all blogs related to that topic. In addition, it is possible for participants to respond to the posts across threads, blogs and topics, thereby creating a bounded but very open knowledge zone on that issue.

We are setting up a Virtual Civic Conversation for the Real ID Act this weekend and early next week. Stay tuned for more information on exactly how to participate and to encourage others with relevant blogs to participate. MIT is pleased to use new technology and our capacity to convene to serve the civic interest.

Thank you for your interest.

Regards,
- Dan Greenwood

Daniel J. Greenwood, Esq.
Lecturer, Massachusetts Institute of Technology
The Media Lab, Program of Media Arts and Science
Principal, CIVICS.com The InfoSociety Consultancy
http://ecitizen.mit.edu
http://civics.com
1770 Mass. Ave, #205, Cambridge, MA 02140 USA
M: 857-498-0962 E: [EMAIL PROTECTED]

--- end forwarded text

--
- R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

___
Clips mailing list
[EMAIL PROTECTED]
http://www.philodox.com/mailman/listinfo/clips

--- end forwarded text
[Clips] Pentagon Intelligence Agency Gathers Domestic Intelligence
--- begin forwarded text
Date: Sat, 10 Dec 2005 20:51:58 -0500
To: Philodox Clips List
From: R. A. Hettinga
Subject: [Clips] Pentagon Intelligence Agency Gathers Domestic Intelligence

http://www.drudgereport.com/flash5.htm
The Drudge Report

Pentagon Intelligence Agency Gathers Domestic Intelligence
Sat Dec 10 2005 18:20:11 ET

Day after day, reports of suspicious activity filed from military bases and other defense installations throughout the United States flow into the Counterintelligence Field Activity, or CIFA, a three-year-old Pentagon agency whose size and budget remain classified, the WASHINGTON POST is planning to report on Sunday, newsroom sources tell DRUDGE.

The Talon reports, as they are called, are based on information from civilians and military personnel who stumble across people or information they think might be part of a terrorist plot or threat against defense facilities at home or abroad.

It is unclear how many Talon reports are filed each year. But just one of the military services involved in the program, the Air Force, generated 1,200 of them during 14 months, the paper reveals.

The documents can consist of "raw information reported by concerned citizens and military members regarding suspicious incidents," said a 2003 memo signed by then-Deputy Defense Secretary Paul Wolfowitz. The reports "may or may not be related to an actual threat, and its very nature may be fragmented and incomplete," the memo said.

The Talon system is part of the Defense Department's growing effort to gather intelligence within the United States, which officials argue is imperative as they work to detect and prevent potentially catastrophic terrorist assaults.
The Talon reports - how many are generated is classified, a Pentagon spokesman said - are collected and analyzed by CIFA, an agency at the forefront of the Pentagon's counterterrorism program.

The Pentagon's emphasis on domestic intelligence has raised concerns among some civil liberties advocates and intelligence officials.

Developing...

--- end forwarded text
[Clips] Engineer Outwits Fingerprint Recognition Devices with Play-Doh
Same story, different malleable substance...

Cheers,
RAH

--- begin forwarded text
Date: Sat, 10 Dec 2005 11:08:14 -0500
To: Philodox Clips List
From: R. A. Hettinga
Subject: [Clips] Engineer Outwits Fingerprint Recognition Devices with Play-Doh

http://www.linuxelectrons.com/article.php/20051209175034721
LinuxElectrons

Engineer Outwits Fingerprint Recognition Devices with Play-Doh
Friday, December 09 2005 @ 05:50 PM CST
Contributed by: ByteEnable

Potsdam, New York - Eyeballs, a severed hand, or fingers carried in ziplock bags. Back alley eye replacement surgery. These are scenarios used in recent blockbuster movies like Steven Spielberg's Minority Report and Tomorrow Never Dies to illustrate how unsavory characters in high-tech worlds beat sophisticated security and identification systems. Sound fantastic? Maybe not.

Biometrics is the science of using biological properties, such as fingerprints, an iris scan, or voice recognition, to identify individuals. And in a world of growing terrorism concerns and increasing security measures, the field of biometrics is rapidly expanding.

"Biometric systems automatically measure the unique physiological or behavioral 'signature' of an individual, from which a decision can be made to either authenticate or determine that individual's identity," explained Stephanie C. Schuckers, an associate professor of electrical and computer engineering at Clarkson University.

Today, biometric systems are popping up everywhere - in places like hospitals, banks, even college residence halls - to authorize or deny access to medical files, financial accounts, or restricted or private areas. And as with any identification or security system, Schuckers adds, biometric devices are prone to "spoofing," or attacks designed to defeat them.
"Spoofing is the process by which individuals overcome a system through an introduction of a fake sample. Digits from cadavers and fake fingers molded from plastic, or even something as simple as Play-Doh or gelatin, can potentially be misread as authentic," she explains. "My research addresses these deficiencies and investigates ways to design effective safeguards and vulnerability countermeasures. The goal is to make the authentication process as accurate and reliable as possible."

Schuckers' biometric research is funded by the National Science Foundation (NSF), the Office of Homeland Security and the Department of Defense. She is currently assessing spoofing vulnerability in fingerprint scanners and designing methods to correct for these as part of a $3.1 million interdisciplinary research project funded through the NSF. The project, ITR: Biometrics: Performance, Security and Societal Impact, investigates the technical, legal and privacy issues raised from broader applications of biometric system technology in airport security, computer access, or immigration. It is a joint initiative among researchers from Clarkson, West Virginia University, Michigan State University, St. Lawrence University, and the University of Pittsburgh.

Fingerprint scanning devices often use basic technology, such as an optical camera that takes pictures of fingerprints which are then read by a computer. In order to assess how vulnerable the scanners are to spoofing, Schuckers and her research team made casts from live fingers using dental materials and used Play-Doh to create molds. They also assembled a collection of cadaver fingers.

[Photo caption: Clarkson University Associate Professor of Electrical and Computer Engineering Stephanie C. Schuckers, with imitation fingers. Simple casts made from a mold and material such as Play-Doh, clay or gelatin can be used to fool most fingerprint recognition devices. Schuckers, an expert in biometrics, the science of using biological properties, such as fingerprints or voice recognition, to identify individuals, is a partner in a $3.1 million interdisciplinary biometrics research project funded by the National Science Foundation with support from the Department of Homeland Security.]

In the laboratory, the researchers then systematically tested more than 60 of the faked samples. The results were a 90 percent false verification rate.

"The machines could not distinguish between a live sample and a fake one," Schuckers explained. "Since liveness detection is based on the recognition of physiological activities as signs of life, we hypothesized that fingerprint images from live fingers would show a specific changing moisture pattern due to perspiration but cadaver and spoof fingerprint images would not. In live fingers, perspiration starts around the pore, and spreads along the ridges, creating a distinct signature of the process."

Schuckers and her research team designed a computer algorithm that would detect this pattern when
[Clips] Study Finds Mass Data Breaches Not as Risky as Smaller Lapses
--- begin forwarded text
Date: Thu, 8 Dec 2005 15:59:25 -0500
To: Philodox Clips List
From: R. A. Hettinga
Subject: [Clips] Study Finds Mass Data Breaches Not as Risky as Smaller Lapses

http://online.wsj.com/article_print/SB113380595757914237.html
The Wall Street Journal
December 8, 2005

FISCALLY FIT
By TERRI CULLEN

Study Finds Mass Data Breaches Not as Risky as Smaller Lapses
December 8, 2005

Two scenarios: a) You're notified by an online retailer that you're among millions of customers whose account information was lost or stolen; or b) you learn a former staffer has stolen employee names, addresses and Social Security numbers from your small business. Which one puts you at greater risk for identity theft?

If you chose b, you'd be correct, according to a study released Wednesday by ID Analytics, a San Diego company that helps companies combat fraud using pattern-recognition technology. The company examined billions of bits of identifiable information, such as Social Security numbers, cellphone numbers, dates of birth and credit-card account numbers, from consumers who were victims of security breaches. The study analyzed four cases of security breaches, two involving the theft or loss of sensitive data, including names and Social Security numbers, and two involving credit-card account information only.

Turns out size does matter: The study found that individuals involved in mass data security breaches are less likely to have their information misused than victims of smaller data breaches.
"The sheer volume of consumers affected slows identity thieves down," says Mike Cook, vice president of product services at ID Analytics and one of the company's co-founders. "We applied identity theft to real work terms, eight-hour days, with breaks and vacation time, and found that it would take a fraudster 40 years to work a million stolen IDs," he says.

Some disclosure: ID Analytics, which is in the business of detecting identity theft for companies such as financial-services firms and retailers, initiated the study at the request of the companies whose security breaches were examined. The companies didn't sponsor the study, but ID Analytics provides services to one of the breached companies and provided services to another of the companies in the past.

The ID Analytics study also found that mass data security breaches didn't result in the identity theft free-for-all many had feared. The odds are less than one in 1,000 that misuse or fraud will be detected for individuals whose sensitive information is compromised in cases of large-scale security breaches.

Identity theft was more common when there was an intentional effort to steal information, as opposed to security lapses that occurred by accident, the study found. So, for example, you're more likely to be a victim if a thief intentionally steals a laptop to access the sensitive consumer data it holds, rather than if the thief steals the laptop simply to hock it for cash.

The study comes in the wake of a series of highly publicized mass security breaches this year, which raised concern about the potential for widespread identity theft. In June, for example, MasterCard International Inc. reported that someone had broken into the computer network of CardSystems Solutions Inc., an Atlanta company that processes credit-card transactions. The breach gave the thief access to names, account numbers and card security codes on more than 40 million credit-card accounts.
When breaches such as this are disclosed, many consumers have no idea how likely it is that their information will be used to commit fraud, says Jay Foley, co-executive director of the Identity Theft Resource Center in San Diego, a nonprofit organization that assists victims of identity theft. "What [ID Analytics] is doing is identifying quite accurately where the greatest potential danger is," he says. "The study emphasizes the types of breaches [that] businesses and government need to look at closely and take seriously."

What constitutes a higher-risk intentional breach? The riskiest category is one-on-one crimes, where a thief targets a victim to steal identification or account information. When information on thousands of individuals is stolen, however, the chances of one person in that group becoming a victim falls considerably, according to the study. "As you pass information stolen on 200 people or more in one incident, the risk drops off sharply," he says.

Consumers
[Clips] Diebold insider alleges company plagued by technical woes
--- begin forwarded text
Date: Tue, 6 Dec 2005 21:41:23 -0500
To: Philodox Clips List
From: R. A. Hettinga
Subject: [Clips] Diebold insider alleges company plagued by technical woes

http://rawstory.com/news/2005/Diebold_insider__alleges_company_plagued_1206.html
The Raw Story
Originally published on Tuesday December 6, 2005
Last Updated: 12/6/2005

Diebold insider alleges company plagued by technical woes, Diebold defends 'sterling' record
Miriam Raftery

In an exclusive interview with RAW STORY, a whistleblower from electronic voting heavyweight Diebold Election Systems Inc. raised grave concerns about the company's electronic voting technology and of electronic voting in general, bemoaning an electoral system the insider feels has been compromised by corporate privatization.

The Diebold insider, who took on the appellation "Dieb-Throat" in an interview with voting rights advocate Brad Friedman (BradBlog.com), was once a staunch supporter of electronic voting's potential to produce more accurate results than punch cards. But the company insider became disillusioned after witnessing repeated efforts by Diebold to evade meeting legal requirements or implementing appropriate security measures, putting corporate interests ahead of the interests of voters.

"I've absolutely had it with the dishonesty," the insider told RAW STORY.

Blasting Wally O'Dell, the current president of Diebold, the whistleblower went on to explain behind-the-scenes tactics of the company and its officers. "There's a lot of pressure in the corporation to make the numbers: `We don't tell you how to do it, but do it.' [O'Dell is] probably the number one culprit putting pressure on people," the source said.

Diebold spokesman David Bear rebuts the charges. "Diebold has a sterling reputation in the industry," Bear said.
"It's a 144-year-old company and is considered one of the best companies in the industry."

Previous revelations from the whistleblower have included evidence that Diebold's upper management and top government officials knew of backdoor software in Diebold's central tabulator before the 2004 election, but ignored urgent warnings - such as a Homeland Security alert posted on the Internet.

"This is a very dangerous precedent that needs to be stopped - that's the corporate takeover of elections," the source warned. "The majority of election directors don't understand the gravity of what they're dealing with. The bottom line is who is going to tamper with an election? A lot of people could, but they assume that no one will."

Concerns about Georgia, Ohio elections

The insider harbors suspicions that Diebold may be involved in tampering with elections through its army of employees and independent contractors. The 2002 gubernatorial election in Georgia raised serious red flags, the source said.

"Shortly before the election, ten days to two weeks, we were told that the date in the machine was malfunctioning," the source recalled. "So we were told 'Apply this patch in a big rush.'" Later, the Diebold insider learned that the patches were never certified by the state of Georgia, as required by law.

"Also, the clock inside the system was not fixed," said the insider. "It's legendary how strange the outcome was; they ended up having the first Republican governor in who knows when and also strange outcomes in other races. I can say that the counties I worked in were heavily Democratic and elected a Republican."

In Georgia's 2002 Senate race, for example, nearly 60 percent of the state's electorate by county switched party allegiances between the primaries and the general election.

The insider's account corroborates a similar story told by Diebold contractor Rob Behler in an interview with Bev Harris of Black Box Voting.
Harris revealed that a program patch titled "rob-georgia.zip" was left on an unsecured server and downloaded over the Internet by Diebold technicians before loading the unauthorized software onto Georgia voting machines. "They didn't even TEST the fixes before they told us to install them," Behler stated, adding that machines still malfunctioned after patches were installed.

California decertified Diebold TSX touch screen machines after state officials learned that the vendor had broken state election law. "In California, they got in trouble and tried to doubletalk. They used a patch that was not certified," the Diebold insider said. "They've done this many times. They just got caught in Georgia and California."

The whistleblower is also skeptical of results from the November 2005 Ohio election, in which 88 percent of voters used touch screens and the outcome on some propositions changed as much as 40 percent from pre-election exit polls. "Amazing," the Diebold insider said. Diebold is headquartered in Ohio. Its
[Clips] RSA buys Cyota for $145 million
--- begin forwarded text
Date: Mon, 5 Dec 2005 14:38:43 -0500
To: Philodox Clips List
From: R. A. Hettinga
Subject: [Clips] RSA buys Cyota for $145 million

http://www.infoworld.com/article/05/12/05/HNrsacyota_1.html?source=NLC-SEC2005-12-05
InfoWorld

RSA buys Cyota for $145 million
Acquisition gives RSA broader range of authentication techniques
By Nancy Gohring, IDG News Service
December 05, 2005

RSA Security on Monday said it plans to buy Cyota, the provider of online security and antifraud products, for $145 million.

The acquisition will allow RSA to offer customers a broader range of authentication techniques. RSA hopes to offer a risk-based authentication approach, allowing customers to choose an authentication method to meet the specific risks they face. Customers will be able to choose from a portfolio that includes watermarking, digital certificates, tokens, and smart cards.

In addition to the authentication offerings, RSA also plans to offer Cyota's services such as its antifraud service, which includes fraudulent site shut-down, detection of phishing attacks as well as a transaction-protection service that authenticates credit card users and identifies fraudulent activity in accounts.

RSA expects the acquisition will add as much as $25 million in revenue in 2006. The price for the privately held company includes $136 million in cash for Cyota stock, $5.5 million in cash to fund a three-year retention pool and $3.5 million for outstanding Cyota stock options. The deal is expected to close within 30 days.

--- end forwarded text
Re: [Clips] Banks Seek Better Online-Security Tools
At 2:29 PM -0800 12/3/05, John Gilmore wrote:
> ...how many people on this list use or have used online banking? To start the ball rolling, I have not and won't.
>
> Dan, that makes two of us.

The only thing I ever use it for is to make sure the wires are in before I spend money. :-)

Cheers,
RAH
Still living at the bottom of the bathtub curve...
[Clips] Call for IFCA Conference Sponsors, Financial Cryptography and Data Security '06
Um, what's "Data Security"? ;-)

Cheers,
RAH

--- begin forwarded text
Date: Sun, 4 Dec 2005 19:10:25 -0500
To: Philodox Clips List
From: R. A. Hettinga
Subject: [Clips] Call for IFCA Conference Sponsors, Financial Cryptography and Data Security '06

--- begin forwarded text
To: Robert Hettinga
From: Patrick McDaniel
Subject: Call for IFCA Conference Sponsors, Financial Cryptography and Data Security '06
Date: Sun, 4 Dec 2005 18:52:19 -0500 (EST)

Dear Robert,

The Financial Cryptography and Data Security '06 is celebrating its 10th year in Anguilla, British West Indies from February 27 to March 2, 2006. This conference has become a yearly touchstone for those involved in the construction and use of technology in commercial environments. To this end, the conference brings together top cryptographers, data-security specialists, and scientists with economists, bankers, implementers, and policy makers. Intimate and colorful by tradition, the FC'06 program will feature invited talks, academic presentations, technical demonstrations, and panel discussions. In addition, we will celebrate this 10th year edition with a number of initiatives, such as: especially focused sessions, technical and historical state-of-the-art panels, and one session of surveys.

As a past attendee, IFCA wishes to make a plea for your sponsorship. The importance of this conference to the larger security community is clear, and it is largely sustainable through the generous support of its sponsors. The benefit to your organization is also well worth the sacrifice: sponsors receive the kind of unique exposure to the cognoscenti that can only be received at these events. Sponsorship opportunities are available at modest levels and beyond. If you are interested in sponsoring, we would be very interested in talking to you.
Please visit the conference website: http://siis.cse.psu.edu/fc06/ Feel free to reply to this message or send email to myself ([EMAIL PROTECTED]) or contact me via phone (814) 863-3599 for further information. Sincerely, Patrick McDaniel, General Chair, FC '06
--- end forwarded text
-- R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
___ Clips mailing list [EMAIL PROTECTED] http://www.philodox.com/mailman/listinfo/clips
--- end forwarded text
- The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
[Clips] Banks Seek Better Online-Security Tools
--- begin forwarded text Delivered-To: [EMAIL PROTECTED] Date: Thu, 1 Dec 2005 16:54:00 -0500 To: Philodox Clips List [EMAIL PROTECTED] From: R. A. Hettinga [EMAIL PROTECTED] Subject: [Clips] Banks Seek Better Online-Security Tools Reply-To: [EMAIL PROTECTED] Sender: [EMAIL PROTECTED] http://online.wsj.com/article_print/SB113339543967610740.html The Wall Street Journal December 1, 2005 Banks Seek Better Online-Security Tools New Software Adds Layers To Verify Users' Identities; Ease of Use Remains Worry By RIVA RICHMOND DOW JONES NEWSWIRES December 1, 2005; Page B4 More banks, driven by rising online identity theft and regulators' concerns, are shopping for security technology to help ensure those logging into accounts are the customers they claim to be. But while banks want security that is stronger than standard user names and passwords, they also don't want the technology to turn off customers by diminishing the convenience of online banking. Software makers are aiming to help banks strike a tricky balance between security and convenience, with several, including Corillian Corp. and Entrust Inc., recently introducing systems that raise the bar for risky or suspect transactions. The software works behind the scenes to apply extra security measures when there is unusual or questionable activity -- say, account access from a cybercafe in Prague or a large money transfer that isn't a normal bill-payment routine. The emergence of these products reflects the industry's concerns that email identity-theft scams, called phishing, and hacker programs that steal consumers' account information could hurt online banking, which is valued by banks as a low-cost way of doing business. In the U.S., the Federal Financial Institutions Examination Council, a group that sets standards for banks, credit unions and thrifts, in October urged that online-banking security move beyond simple passwords by the end of next year. 
Its recommendation carries the force of regulation because banks' failure to comply would earn them black marks from bank examiners. Many of the new products would help banks respond to the FFIEC, which didn't endorse specific security technologies but encouraged banks to choose measures appropriate to the risk. Other suppliers of software for tightening security include closely held firms Cyota Inc., New York, and PassMark Security Inc., Menlo Park, Calif. The banks are being pushed to bring in stronger authentication, but match it to the risk of the transaction and to the user experience and their desires, said Chris Voice, a vice president at Entrust, of Addison, Texas. Authentication is a security measure for verifying a customer or transaction. Industry analysts think banks will employ several techniques to weigh risk and verify identities. One way is to halt any transactions from certain computers or countries with a high fraud risk. In addition to a user name and password, some of these new security systems add a fairly obscure personal question, such as What was your high-school mascot? Some also allow banks facing a suspicious transaction to send an extra four-digit security code for use online to a customer's cellphone. The idea is similar to credit-card-fraud systems that trigger phone calls to cardholders when they detect unusual activity, while letting the vast majority of transactions through without incident. Corillian, of Hillsboro, Ore., already provides the technology behind the online-banking operations of many banks and credit unions. Woodforest National Bank, which has 190 branches in Texas and North Carolina, is rolling out Corillian's security technology during the first half of 2006. Corillian also has sold the technology to three credit unions and says it is in talks with three of the top-10 U.S. banks. 
The key to keeping this channel open is keeping it secure, said Charles Manning, president and chief information officer of Woodforest, which operates most of its branches inside Wal-Mart stores. Corillian's Intelligent Authentication package, launched Oct. 25, tracks the behavior of online-banking customers and builds histories of their habits to create access signatures. Its files don't include personal information. But they do track the characteristics of the computers and Internet-service providers that a customer typically uses. It also records the normal geographic locations and the times of day a customer prefers to bank online, flagging exceptions for scrutiny. Meanwhile, security-software maker Entrust unveiled a major new version of its IdentityGuard product on Nov. 8 that offers a menu of user-verification methods banks can choose from to beef up security on transactions they deem risky. It has sold IdentityGuard to Miami-based Commercebank NA, a unit of Mercantil Servicios Financieros of Venezuela, and a number of European banks. European customers of Entrust's software
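The article describes, in prose only, how the new bank products score a login against the customer's usual device, ISP, location and time of day, and send a four-digit code to the customer's phone when something looks off. As an added illustration of that mechanism (my own code, not Corillian's, Entrust's or any vendor's; the weights, thresholds, 6-hour time buckets and the "ZZ" placeholder blocklist entry are all assumptions, and the login history is constructed):

```python
"""Risk-based login scoring of the kind the article describes: build a
per-customer "access signature" from past logins (device, ISP, country,
hour of day) and require step-up verification when a new login or transfer
departs from it. Constructed illustration; weights and thresholds are
assumptions, not any vendor's values."""
import secrets
from collections import Counter
from dataclasses import dataclass, field

# Placeholder for a bank's "halt transactions from these countries" list.
# "ZZ" is an ISO 3166 user-assigned code, chosen so no real country is named.
HIGH_RISK_COUNTRIES = {"ZZ"}


@dataclass
class Login:
    device: str    # e.g. a hash of browser/OS characteristics
    isp: str
    country: str
    hour: int      # customer's local hour, 0-23


@dataclass
class AccessSignature:
    """Frequency counts of how this customer normally shows up."""
    devices: Counter = field(default_factory=Counter)
    isps: Counter = field(default_factory=Counter)
    countries: Counter = field(default_factory=Counter)
    hour_buckets: Counter = field(default_factory=Counter)  # 6-hour buckets
    n: int = 0

    def learn(self, login: Login) -> None:
        self.devices[login.device] += 1
        self.isps[login.isp] += 1
        self.countries[login.country] += 1
        self.hour_buckets[login.hour // 6] += 1
        self.n += 1

    def novelty(self, counter: Counter, key) -> float:
        """0.0 if the value is seen on every past login, 1.0 if never seen."""
        return 1.0 if self.n == 0 else 1.0 - counter[key] / self.n


def risk_score(sig: AccessSignature, login: Login,
               amount: float = 0.0, typical_amount: float = 0.0) -> float:
    """Weighted novelty of the login's attributes, plus a term for a
    transfer far outside the customer's usual bill-payment size."""
    score = (0.35 * sig.novelty(sig.devices, login.device)
             + 0.15 * sig.novelty(sig.isps, login.isp)
             + 0.35 * sig.novelty(sig.countries, login.country)
             + 0.15 * sig.novelty(sig.hour_buckets, login.hour // 6))
    if typical_amount > 0 and amount > 3 * typical_amount:
        score += 0.4
    return min(score, 1.0)


def decide(sig: AccessSignature, login: Login,
           amount: float = 0.0, typical_amount: float = 0.0):
    """Returns (action, otp). 'allow' passes silently; 'step_up' means the
    bank sends the returned 4-digit code to the customer's phone and must
    get it back before the session continues; 'deny' halts outright."""
    if login.country in HIGH_RISK_COUNTRIES:
        return "deny", None
    if risk_score(sig, login, amount, typical_amount) < 0.3:
        return "allow", None
    return "step_up", f"{secrets.randbelow(10_000):04d}"


def build_signature(history) -> AccessSignature:
    sig = AccessSignature()
    for login in history:
        sig.learn(login)
    return sig


# Constructed history: 20 logins from the customer's home PC, 18 in the
# evening and 2 in the morning.
HISTORY = ([Login("fp-a1c3", "Comcast", "US", 20)] * 18
           + [Login("fp-a1c3", "Comcast", "US", 8)] * 2)

if __name__ == "__main__":
    sig = build_signature(HISTORY)
    print(decide(sig, Login("fp-a1c3", "Comcast", "US", 21)))             # allow
    print(decide(sig, Login("fp-9e7b", "UPC CZ", "CZ", 3)))               # step_up: the cybercafe-in-Prague case
    print(decide(sig, Login("fp-a1c3", "Comcast", "US", 20), 5000, 120))  # step_up: unusual transfer size
```

Two practitioner caveats the article's sources do not spell out: a four-digit code has only 10,000 values, so it must be single-use, short-lived and rate-limited or it is guessable; and the access signature itself (devices, ISPs, habits) is sensitive data even though, as Corillian says of its files, it holds no personal information in the usual sense.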
Anon_Terminology_v0.24
--- begin forwarded text
Delivered-To: [EMAIL PROTECTED]
Date: Mon, 21 Nov 2005 12:14:40 +0100
From: Andreas Pfitzmann [EMAIL PROTECTED]
To: undisclosed-recipients: ;
Subject: Anon_Terminology_v0.24
Sender: [EMAIL PROTECTED]

Hi all, Marit and myself are happy to announce Anonymity, Unlinkability, Unobservability, Pseudonymity, and Identity Management - A Consolidated Proposal for Terminology (Version v0.24 Nov. 21, 2005) for download at http://dud.inf.tu-dresden.de/Anon_Terminology.shtml We incorporated clarification of whether organizations are subjects or entities; suggestion of the concept of linkability brokers by Thomas Kriegelstein; clarification on civil identity proposed by Neil Mitchison; But most importantly: The terminology made it to another language. Stefanos Gritzalis, Christos Kalloniatis: Translation of essential terms to Greek. Many thanx to both of them, along with our kind request to translate two newly introduced terms. Translations to further languages are welcome. Enjoy - and we are happy to receive your feedback. Marit and Andreas

-- Andreas Pfitzmann, Dresden University of Technology, Department of Computer Science, Institute for System Architecture, 01062 Dresden, Germany. Phone (mobile) +49 170 443 87 94, (office) +49 351 463 38277, (secretary) +49 351 463 38247; Fax +49 351 463 38255. http://dud.inf.tu-dresden.de e-mail [EMAIL PROTECTED]
___ NymIP-res-group mailing list [EMAIL PROTECTED] http://www.nymip.org/mailman/listinfo/nymip-res-group
--- end forwarded text
-- R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
- The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
[Clips] Cyberterror 'overhyped,' security guru says
--- begin forwarded text Delivered-To: [EMAIL PROTECTED] Date: Thu, 24 Nov 2005 14:08:41 -0500 To: Philodox Clips List [EMAIL PROTECTED] From: R. A. Hettinga [EMAIL PROTECTED] Subject: [Clips] Cyberterror 'overhyped,' security guru says Reply-To: [EMAIL PROTECTED] Sender: [EMAIL PROTECTED] http://news.com.com/2102-7348_3-5968997.html?tag=st.util.print CNET News Cyberterror 'overhyped,' security guru says By Tom Espiner Story last modified Wed Nov 23 07:41:00 PST 2005 Fears of cyberterror could actually hurt IT security, a threats expert asserts. Bruce Schneier, who has written several books on security and is the founder of Counterpane Internet Security, told ZDNet UK that officials claiming terrorists pose a serious danger to computer networks are guilty of directing attention away from the threat faced from criminals. I think that the terrorist threat is overhyped, and the criminal threat is underhyped, Schneier said Tuesday. I hear people talk about the risks to critical infrastructure from cyberterrorism, but the risks come primarily from criminals. It's just criminals at the moment aren't as 'sexy' as terrorists. Schneier was speaking after the SANS Institute released its latest security report at an event in London. During this event, Roger Cummings, director of the U.K. National Infrastructure Security Coordination Center, said that foreign governments are the primary threat to the U.K.'s critical infrastructure. Foreign states are probing the (critical infrastructure) for information, Cummings said. The U.K.'s (critical infrastructure) is made up of financial institutions; key transport, telecom and energy networks; and government organizations. Schneier, though, is concerned that governments are focusing too much on cyberterrorism, which is diverting badly needed resources from fighting cybercrime. We should not ignore criminals, and I think we're underspending on crime. If you look at ID theft and extortion--it still goes on. 
Criminals are after money, Schneier said. Cummings also said that hackers are already being employed by both organized criminals and government bodies, in what he termed the malicious marketplace. Schneier agrees this is an issue. There is definitely a marketplace for vulnerabilities, exploits and old computers. It's a bad development, but there are definitely conduits between hackers and criminals, Schneier said.
-- R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
___ Clips mailing list [EMAIL PROTECTED] http://www.philodox.com/mailman/listinfo/clips
--- end forwarded text
- The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
[Clips] Sony suspends copy-protection scheme on CDs
--- begin forwarded text
Delivered-To: [EMAIL PROTECTED]
Date: Fri, 11 Nov 2005 18:13:46 -0500
To: Philodox Clips List [EMAIL PROTECTED]
From: R. A. Hettinga [EMAIL PROTECTED]
Subject: [Clips] Sony suspends copy-protection scheme on CDs
Reply-To: [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]

http://www.siliconvalley.com/mld/siliconvalley/business/technology/personal_technology/13143693.htm?template=contentModules/printstory.jsp
The San Jose Mercury News, Posted on Fri, Nov. 11, 2005

Sony suspends copy-protection scheme on CDs

WASHINGTON (AP) - Stung by continuing criticism, the world's second-largest music label, Sony BMG Music Entertainment, promised Friday to temporarily suspend making music CDs with antipiracy technology that can leave computers vulnerable to hackers. Sony defended its right to prevent customers from illegally copying music but said it will halt manufacturing CDs with the "XCP" technology as a precautionary measure. "We also intend to re-examine all aspects of our content protection initiative to be sure that it continues to meet our goals of security and ease of consumer use," the company said in a statement.

The antipiracy technology, which works only on Windows computers, prevents customers from making more than a few copies of the CD and prevents them from loading the CD's songs onto Apple Computer's popular iPod portable music players. Some other music players, which recognize Microsoft's proprietary music format, would work.

Sony's announcement came one day after leading security companies disclosed that hackers were distributing malicious programs over the Internet that exploited the antipiracy technology's ability to avoid detection. Hackers discovered they can effectively render their programs invisible by using names for computer files similar to ones cloaked by the Sony technology. A senior Homeland Security official cautioned entertainment companies against discouraging piracy in ways that also make computers vulnerable.
Stewart Baker, assistant secretary for policy at DHS, did not cite Sony by name in his remarks Thursday but described industry efforts to install hidden files on consumers' computers. "It's very important to remember that it's your intellectual property, it's not your computer," Baker said at a trade conference on piracy. "And in the pursuit of protection of intellectual property, it's important not to defeat or undermine the security measures that people need to adopt in these days."

Sony's program is included on about 20 popular music titles, including releases by Van Zant and The Bad Plus. "This is a step they should have taken immediately," said Mark Russinovich, chief software architect at Winternals Software who discovered the hidden copy-protection technology Oct. 31 and posted his findings on his Web log. He said Sony did not admit any wrongdoing, nor did it promise not to use similar techniques in the future.

Security researchers have described Sony's technology as "spyware," saying it is difficult to remove, transmits without warning details about what music is playing, and that Sony's notice to consumers about the technology was inadequate. Sony executives have rejected the description of their technology as spyware. Some leading antivirus companies updated their protective software this week to detect Sony's antipiracy program, disable it and prevent it from reinstalling. After Russinovich criticized Sony, it made available a software patch that removed the technology's ability to avoid detection. It also made more broadly available its instructions on how to remove the software permanently. Customers who remove the software are unable to listen to the music CD on their computer.
-- On the Web: Sony's XCP Page: http://cp.sonybmg.com/xcp Russinovich's Blog: www.sysinternals.com/Blog Symantec warning: http://securityresponse.symantec.com/avcenter/venc/data/securityrisk.aries.html Computer Associates warning: http://www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=76345
-- R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
___ Clips mailing list [EMAIL PROTECTED] http://www.philodox.com/mailman/listinfo/clips
--- end forwarded text
[Clips] Feds mull regulation of quantum computers
--- begin forwarded text Delivered-To: [EMAIL PROTECTED] Date: Sat, 12 Nov 2005 12:34:00 -0500 To: Philodox Clips List [EMAIL PROTECTED] From: R. A. Hettinga [EMAIL PROTECTED] Subject: [Clips] Feds mull regulation of quantum computers Reply-To: [EMAIL PROTECTED] Sender: [EMAIL PROTECTED] http://news.com.com/2102-11395_3-5942445.html?tag=st.util.print CNET News Feds mull regulation of quantum computers By Declan McCullagh http://news.com.com/Feds+mull+regulation+of+quantum+computers/2100-11395_3-5942445.html Story last modified Wed Nov 09 14:18:00 PST 2005 WASHINGTON--Quantum computers don't exist outside the laboratory. But the U.S. government appears to be exploring whether it should be illegal to ship them overseas. A federal advisory committee met Wednesday to hear an IBM presentation about just how advanced quantum computers have become--with an eye toward evaluating when the technology might be practical enough to merit government regulation. I like to say we're back in 1947 at the time transistors were invented, David DiVincenzo, an IBM researcher who focuses on quantum computing, told the committee. Only rough prototypes of quantum computers presently exist. But if a large-scale model can be built, in theory it could break codes used to scramble information on the Internet, in banking, and within federal agencies. A certain class of encryption algorithms relies for security on the near-impossibility of factoring large numbers quickly. But quantum computers, at least on paper, can do that calculation millions of times faster than a conventional microprocessor. It's clear there are promising avenues for doing this, DiVincenzo said of quantum computing research. There's lots and lots of work done at the basic research level and a sense of progress in the community. The technology industry has been long bedeviled by federal export regulations, which were born during the Cold War and renewed by executive order. 
And although the highly regulatory approach of the mid-'90s has been relaxed, the export of high-performance computers is still subject to several rules, as is encryption software. It's not clear what steps the federal government might take next, and no proposals were advanced during the meeting. The charter of the panel, called the Information Systems Technical Advisory Committee, calls for the panel to advise the Commerce Department on export regulations and what technology is presently available. A practical quantum computer may still be far off, but the use of quantum physics already appears in some commercially-available technology. An approach known as quantum cryptography provides encryption that is theoretically impossible to crack--and, at the moment, carries a hefty price tag. The federal advisory committee didn't address quantum cryptography in its open session. A closed session was scheduled for Thursday.
-- R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
___ Clips mailing list [EMAIL PROTECTED] http://www.philodox.com/mailman/listinfo/clips
--- end forwarded text
- The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
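The article says only that a quantum computer could break ciphers whose security rests on factoring. The part worth seeing is why: Shor's algorithm finds the multiplicative order of a random base modulo n quickly, and the rest is classical arithmetic. The following is an added worked example (mine, not from the article or from IBM) that does the order-finding step by brute force, which is exactly the step a quantum computer would replace, and runs the classical reduction on a constructed textbook-size RSA modulus:

```python
"""Why a fast order-finding routine breaks RSA-style keys: given the order r
of a random a modulo n, gcd(a^(r/2) +/- 1, n) yields a factor with good
probability, and the factors give the private exponent. The order-finding
step is brute force here; it is the part Shor's quantum algorithm does in
polynomial time. Added illustration; the key is a constructed toy."""
import math
import random


def multiplicative_order(a: int, n: int) -> int:
    """Smallest r > 0 with a**r == 1 (mod n); requires gcd(a, n) == 1.
    Exponential in the size of n when done classically, as here."""
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def factor_via_order(n: int, rng=None) -> tuple:
    """Classical post-processing of Shor's algorithm: reduce factoring an
    odd composite n (not a prime power) to finding orders modulo n."""
    rng = rng or random.Random(2005)
    if n % 2 == 0:
        return 2, n // 2
    while True:
        a = rng.randrange(2, n - 1)
        g = math.gcd(a, n)
        if g != 1:                      # lucky: a already shares a factor
            return g, n // g
        r = multiplicative_order(a, n)  # the quantum step
        if r % 2:
            continue                    # odd order: try another base
        y = pow(a, r // 2, n)
        if y == n - 1:
            continue                    # a^(r/2) == -1: trivial square root of 1
        # y*y == 1 (mod n) with y != +-1, so n divides (y-1)(y+1) but neither factor
        p = math.gcd(y - 1, n)
        if 1 < p < n:
            return p, n // p
        q = math.gcd(y + 1, n)
        if 1 < q < n:
            return q, n // q


def recover_private_exponent(n: int, e: int) -> int:
    """Once n is factored, the RSA private exponent follows immediately."""
    p, q = factor_via_order(n)
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)              # modular inverse (Python 3.8+)


# Constructed toy key, far too small for real use: n = 61 * 53, e = 17.
N, E = 3233, 17

if __name__ == "__main__":
    d = recover_private_exponent(N, E)
    m = 65
    print(factor_via_order(N), d, pow(pow(m, E, N), d, N) == m)
```

The brute-force `multiplicative_order` is what makes this hopeless at real key sizes: its running time grows with the order itself, which for a 2048-bit modulus is astronomically large, whereas the quantum period-finding step scales polynomially in the bit length. Everything after that line is cheap on any computer.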
[Clips] Spies in the Server Closet
If this most recent darknet-as-IP-bogeyman meme persists, Hollywood et al. is probably going to make Tim May famous. *That* should be interesting. :-) Cheers, RAH --- --- begin forwarded text Delivered-To: [EMAIL PROTECTED] Date: Sun, 13 Nov 2005 12:59:42 -0500 To: Philodox Clips List [EMAIL PROTECTED] From: R. A. Hettinga [EMAIL PROTECTED] Subject: [Clips] Spies in the Server Closet Reply-To: [EMAIL PROTECTED] Sender: [EMAIL PROTECTED] http://www.cio.com/archive/110105/tl_filesharing.html?action=print NOVEMBER 1, 2005 | CIO MAGAZINE FILE SHARING Spies in the Server Closet BY MICHAEL JACKMAN The Supreme Court might have stirred up a bigger problem than it settled when it ruled last June that file-sharing networks such as Grokster could be sued if their members pirated copyrighted digital music and video. Since then, some programmers have announced they would pursue so-called darknets. These private, invitation-only networks can be invisible to even state-of-the-art sleuthing. And although they're attractive as a way to get around the entertainment industry's zeal in prosecuting digital piracy, they could also create a new channel for corporate espionage, says Eric Cole, chief scientist for Lockheed Martin Information Technology. Cole defines a darknet as a group of individuals who have a covert, dispersed communication channel. While file-sharing networks such as Grokster and even VPNs use public networks to exchange information, with a darknet, he says, you don't know it's there in the first place. All an employee has to do to set one up is install file-sharing software written for darknets and invite someone on the outside to join, thus creating a private connection that's unlikely to be detected. The Internet is so vast, porous and complex, it's easy to set up underground networks that are almost impossible to find and take down, says Cole. 
He advises that the best-and perhaps only-defense against darknets is a combination of network security best practices (such as firewalls, intrusion detection systems and intrusion prevention systems) and keeping intellectual property under lock and key. In addition, he says, companies should enact a security policy called least privilege, which means users are given the least amount of access they need to do their jobs. Usually if a darknet is set up it's because an individual has too much access, Cole says. -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire' ___ Clips mailing list [EMAIL PROTECTED] http://www.philodox.com/mailman/listinfo/clips --- end forwarded text -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA When I was your age we didn't have Tim May! We had to be paranoid on our own! And we were grateful! --Alan Olsen - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
[Clips] MIT Real ID Meeting Postponed to December 5th, AND Homeland Security to Propose Regulations - Join the Discussion
--- begin forwarded text
Delivered-To: [EMAIL PROTECTED]
Date: Wed, 9 Nov 2005 18:43:07 -0500
To: Philodox Clips List [EMAIL PROTECTED]
From: R. A. Hettinga [EMAIL PROTECTED]
Subject: [Clips] MIT Real ID Meeting Postponed to December 5th, AND Homeland Security to Propose Regulations - Join the Discussion
Reply-To: [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]

--- begin forwarded text
Date: Wed, 9 Nov 2005 15:16:43 -0800 (PST)
From: Daniel J. Greenwood [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Subject: MIT Real ID Meeting Postponed to December 5th, AND Homeland Security to Propose Regulations - Join the Discussion
To: [EMAIL PROTECTED]

** In-Person Event Postponed to December 5th, 2005 ** This note is to inform you that the MIT Real ID Forum in-person meeting will take place on Monday, December 5th, 2005 at the Media Lab at MIT. The event will take place from 9am to 3pm. I encourage you to register, if you had not already, at http://ecitizen.mit.edu/realid.html and to participate in our pre-conference online discussion, at http://ecitizen.mit.edu/realid.html. The program had to be postponed from November 17th due to a last minute important meeting called by the Department of Homeland Security on regulations implementing the Real ID Act related to privacy. Understandably, key privacy advocates and relevant Homeland Security individuals must now attend this meeting in Washington, DC. For this reason, we have decided to postpone the event to December 5th. We apologize for any inconvenience this may cause.

** Regulations Under Real ID -- Join the Discussion ** I invite anybody on this list who may have opinions you wish to share on the topic of Real ID regulatory issues to post those ideas to our online forum under the new topic Homeland Security Regulations. This topic thread is for participants in this Online Forum on the Real ID Act to share ideas you may have on problems and prospects associated with potential regulations under this federal law.
All comments posted to this thread will be presented, as part of our conference proceedings, and published as part of our in-person conference to happen on December 5, 2005. The conference proceedings will also be presented to the Department of Homeland Security, as a record of the remarks made by participants, for their considerations as they determine how to implement the Real ID Act. I encourage you to attend the in-person meeting on December 5th at MIT and to participate in the dialog at the Online Forum. Best regards, - Daniel Greenwood
Daniel J. Greenwood, Esq. Lecturer, Massachusetts Institute of Technology The Media Lab, Program of Media Arts and Science Principal, CIVICS.com The InfoSociety Consultancy http://ecitizen.mit.edu www.civics.com 1770 Mass. Ave, #205, Cambridge, MA 02140 USA [EMAIL PROTECTED]
--- end forwarded text
-- R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
___ Clips mailing list [EMAIL PROTECTED] http://www.philodox.com/mailman/listinfo/clips
--- end forwarded text
- The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
[Clips] [EMAIL PROTECTED]: [IP] Apple tries to patent 'tamper-resistant software']
--- begin forwarded text Delivered-To: [EMAIL PROTECTED] Date: Thu, 10 Nov 2005 12:00:24 -0500 To: Philodox Clips List [EMAIL PROTECTED] From: R. A. Hettinga [EMAIL PROTECTED] Subject: [Clips] [EMAIL PROTECTED]: [IP] Apple tries to patent 'tamper-resistant software'] Reply-To: [EMAIL PROTECTED] Sender: [EMAIL PROTECTED] --- begin forwarded text Date: Thu, 10 Nov 2005 13:44:24 +0100 From: Eugen Leitl [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: [EMAIL PROTECTED]: [IP] Apple tries to patent 'tamper-resistant software'] User-Agent: Mutt/1.5.9i Sender: [EMAIL PROTECTED] - Forwarded message from David Farber [EMAIL PROTECTED] - From: David Farber [EMAIL PROTECTED] Date: Wed, 9 Nov 2005 23:47:04 -0500 To: ip@v2.listbox.com Subject: [IP] Apple tries to patent 'tamper-resistant software' X-Mailer: Apple Mail (2.746.2) Reply-To: [EMAIL PROTECTED] Begin forwarded message: From: Dewayne Hendricks [EMAIL PROTECTED] Date: November 9, 2005 7:44:54 PM EST To: Dewayne-Net Technology List [EMAIL PROTECTED] Subject: [Dewayne-Net] Apple tries to patent 'tamper-resistant software' Reply-To: [EMAIL PROTECTED] Apple tries to patent 'tamper-resistant software' By Ina Fried http://news.com.com/Apple+tries+to+patent+tamper-resistant+software/ 2100-1045_3-5942107.html Story last modified Wed Nov 09 11:16:00 PST 2005 Apple Computer, which is in the process of switching to computers based on the omnipresent Intel processor, has filed a patent application describing a method for securely running Mac OS X on specific hardware. The Mac maker has applied for a patent to cover a system and method for creating tamper-resistant code. Apple describes ways of ensuring that code can be limited to specific hardware, even in a world in which operating systems can be run simultaneously, in so-called virtual machines. The patent application was made in April of 2004, but only made public last Thursday. 
In its application, Apple describes a means of securing code using either a specific hardware address or read-only memory (ROM) serial number. Apple also talks about securing the code while interchanging information among multiple operating systems. Mac OS X, Windows and Linux are called out specifically in the filing. This invention relates generally to the field of computer data processing and more particularly to techniques for creating tamper- resistant software, Apple says in its patent filing. Specifically, Apple refers to the technique of code obfuscation, in which software makers employ techniques that make it harder for those using debuggers or emulators to figure out how a particular block of code is working. Apple's patent application comes as the company prepares to offer its Mac OS X operating system for Intel-based chips, with the first machines slated to go on sale next year. Historically, the company has had to worry less about the Mac running on non-Apple hardware because it has used different chips and other components from those that power Windows PCs. With its move to Intel chips, though, the innards of the Mac will become more similar to those of its Windows-based counterparts. The company said it is not planning on supporting Windows or other operating systems on the Intel-based Macs it sells but has also said it doesn't plan on taking steps to prevent Mac owners from running other operating systems. We won't do anything to preclude that, Apple Senior Vice President Phil Schiller told CNET News.com in June. However, Schiller also said Apple has no plans to allow its operating system to run on non-Apple hardware. We will not allow running Mac OS X on anything other than an Apple Mac, he said. An Apple representative declined to comment Wednesday on the patent filing. Clearly, though, Apple is gearing up the intellectual property push around the Intel move. 
The company has reportedly been beefing up the technology that constrains the Intel versions of Mac OS X to run only on authorized machines, to this point a set of test Macs given to developers. The company has also applied for a trademark on Rosetta, its technology for running existing Mac programs on the Intel chips.
Weblog at: http://weblog.warpspeed.com
- You are subscribed as [EMAIL PROTECTED] To manage your subscription, go to http://v2.listbox.com/member/?listname=ip Archives at: http://www.interesting-people.org/archives/interesting-people/
- End forwarded message -
-- Eugen* Leitl http://leitl.org
ICBM: 48.07100, 11.36820 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
--- end
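The CNET piece says the filing binds code to "a specific hardware address or read-only memory (ROM) serial number" and worries about virtual machines, without showing what such binding looks like. The block below is an added illustration of the general technique (my code, not Apple's filing or its implementation): the code blob is encrypted and authenticated under keys derived from the machine's identifier, so a loader on other hardware derives different keys and gets a clean refusal. The identifier source, the `Machine` class and all the serial numbers are constructed stand-ins, and the HMAC-counter stream cipher is used only to keep the example within the Python standard library; a real build would use an AEAD such as AES-GCM.

```python
"""Binding code to one machine: encrypt-then-MAC the code under keys
derived from a hardware identifier, so only a loader that reads the same
identifier can open it. Added illustration, not Apple's implementation;
the identifier source is a stand-in and the cipher is an HMAC-based stream
construction chosen only to stay inside the standard library."""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def derive_key(hw_id: bytes, purpose: bytes) -> bytes:
    """Separate encryption and MAC keys, both a function of the hardware id."""
    return hmac.new(hashlib.sha256(hw_id).digest(), purpose, hashlib.sha256).digest()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(key, nonce || counter) blocks, truncated."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(code: bytes, hw_id: bytes) -> bytes:
    """nonce || ciphertext || tag, all keyed from hw_id."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = keystream(derive_key(hw_id, b"enc"), nonce, len(code))
    ct = bytes(a ^ b for a, b in zip(code, ks))
    tag = hmac.new(derive_key(hw_id, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(blob: bytes, hw_id: bytes):
    """Return the code if the blob was sealed for this hw_id, else None.
    The MAC is checked first so a wrong machine (or a tampered blob) gets
    a refusal rather than garbage bytes handed to the CPU."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(derive_key(hw_id, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    ks = keystream(derive_key(hw_id, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


class Machine:
    """Stand-in for the loader's hardware probe. `reported_serial` is what
    the firmware or driver answers; a VM or emulator can answer anything."""
    def __init__(self, reported_serial: bytes):
        self.reported_serial = reported_serial

    def load(self, blob: bytes):
        return unseal(blob, self.reported_serial)


# Constructed values.
CODE = b"\x55\x48\x89\xe5\x48\x83\xec\x10"   # stand-in for a code blob
REAL_MAC = Machine(b"ROM-SERIAL-0001")
OTHER_MAC = Machine(b"ROM-SERIAL-0002")
VM_SPOOFING_REAL = Machine(b"ROM-SERIAL-0001")  # emulator replaying the real id

if __name__ == "__main__":
    blob = seal(CODE, REAL_MAC.reported_serial)
    print(REAL_MAC.load(blob) == CODE)           # True
    print(OTHER_MAC.load(blob))                  # None
    print(VM_SPOOFING_REAL.load(blob) == CODE)   # True: binding is only as strong as the id
```

The last line is the point the article raises about virtual machines: the scheme binds code to whatever identifier the loader is told, so an emulator that replays a real machine's serial opens the blob just as well. That is why such a filing pairs the binding with obfuscation of the loader itself, and why a serial number that can be read can also be copied.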
[Clips] Sony BMG's DRM provider does not rule out future use of stealth
--- begin forwarded text
Delivered-To: [EMAIL PROTECTED]
Date: Wed, 9 Nov 2005 10:50:05 -0500
To: Philodox Clips List [EMAIL PROTECTED]
From: R. A. Hettinga [EMAIL PROTECTED]
Subject: [Clips] Sony BMG's DRM provider does not rule out future use of stealth
Reply-To: [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]

http://www.tgdaily.com/2005/11/04/f4i_says_sony_bmg_xcp_is_not_rootkit/print.html

Tom's Guide Daily
Sony BMG's DRM provider does not rule out future use of stealth
By Scott M. Fulton, III
Published Friday 4th November 2005 22:27 GMT

Oxfordshire (UK) - The CEO of the company which provides digital rights management tools and software to global music publisher Sony BMG, and which developed the XCP system that was the subject of controversy this week, told TG Daily in an exclusive interview that, despite what some security software engineers, news sources, and bloggers have suggested, XCP is not, and was never designed to be, a rootkit.

"We believe there are some comments that have been misunderstood in the media," said Matthew Gilliat-Smith, chief executive officer of First 4 Internet, the manufacturers of XCP. "Our view is that this is a 'storm in a teacup,' as we say over here in the UK ... I want to confirm that this is not malware. It's not spyware. There's nothing other than pure content protection, which is benign."

As we reported yesterday (http://www.tgdaily.com/2005/11/03/sony_bmg_xcp_is_it_a_rootkit/), security software engineer Mark Russinovich discovered, through the use of a program he wrote called RootkitRevealer, that drivers deposited on his system from a Sony BMG audio CD he purchased were using stealth techniques to hide their appearance not only from the user, but also from portions of the Windows operating system.
These drivers had been installed in such a way that they were run perpetually, loaded automatically - even in safe mode - and were referenced in the Windows System Registry using a method that could not be deleted without extensive reworking of the Registry, to enable the operating system to recognize the CD-ROM drive again. In his investigation, he identified these drivers as part of the XCP copy protection system.

Russinovich's story, posted to his company's Web site (http://www.sysinternals.com/Blog/), was widely read and generated enormous response from bloggers, some of whom believed either that Russinovich was suggesting, or that his evidence had substantiated, that XCP constituted a rootkit. Under the more technical definition of that term, it would have to open up an unmonitored Internet connection with a remote host, probably with the intention of delivering a malicious payload in a very undetectable manner. No such allegations were made of such behavior by Russinovich, yet the characterization hung in the air.

"There's areas of misinformation which I'd be very happy to set straight," Gilliat-Smith told us. "The first is [the allegation that XCP is some form of] rootkit technology, in the form that would be used to spread malware. What it is, it's using cloaking techniques that are similar to a rootkit, for the purpose of making speed bumps on the content protection, to make it more difficult to circumvent the protection."

Gilliat-Smith said his software does not open up any connection between the stealth driver and its host. "Ours does not do that," he said. "All we're doing is using a hook and a redirect, so when you look for a file, it is hidden. It is very widely used...since way back in 1994, by many shareware companies and anti-virus companies."
A paper describing what appears to be the hook and redirect method to which Gilliat-Smith refers, published by the online hacker magazine Phrack.org, defines rootkit as "a program designed to control the behavior of a given machine. This is often used to hide the illegitimate presence of a backdoor and other such tools. It acts by denying the listing of certain elements when requested by the user, affecting thereby the confidence that the machine has not been compromised." By "backdoor," the paper can be presumed to mean a method by which a remote party can take control of the system undetected. Gilliat-Smith denies any such methods are, or have ever been, used by XCP.

Furthermore, Gilliat-Smith stated, the version of XCP which utilized this hook and redirect method to hide the presence of the persistent driver is no longer being used in new audio CDs. "At the time these concerns arose," he said, "we had already created the new version of the software, which provides a range of additional features for the consumer. We have moved away from the cloaking technology that gives rise to these concerns."

First 4 Internet (F4i) has made available to Sony BMG a removal tool, which users can download from Sony BMG's Web site (http://cp.sonybmg.com/xcp/english/updates.html), that removes the XCP driver from users' systems and cleans up the mess
Big guns board Intertrust DRM bandwagon
http://www.theregister.co.uk/2004/10/05/coral_consortium/print.html

The Register
Original URL: http://www.theregister.co.uk/2004/10/05/coral_consortium/

Big guns board Intertrust DRM bandwagon
By Faultline (peter at rethinkresearch.biz)
Published Tuesday 5th October 2004 15:36 GMT

Intertrust, Philips and Sony have added more top consumer electronics, content and technology heavyweights to their attempt to create an open interoperable Digital Rights Management environment. The system promised at the turn of the year in an interview with Philips has taken a step closer to becoming a reality today with a new DRM clustering of companies calling itself the Coral Consortium. Lining up with the expected triumvirate of Intertrust and its two owners Philips and Sony are more powerful names in the form of Panasonic, Samsung, Hewlett-Packard and the News Corp controlled film company Twentieth Century Fox.

Coral describes itself as "a cross-industry group to promote interoperability between digital rights management (DRM) technologies used in the consumer media market," and it is expected to put its weight behind the Nemo technology emerging from Intertrust. Nemo will act as a bridge between varying DRM systems, including Intertrust's partners' systems and Microsoft Windows Media DRM.

In Nemo there are defined a set of roles such as client, authorizer, gateway and orchestrator, and it assumes that they talk to each other over an IP network, and work is allocated to each of them such as authorization, peer discovery, notification, services discovery, provisioning, licensing and membership creation.
The client simply uses the services of the other three peers; the authorizer decides if the requesting client should have access to a particular piece of content; the gateway takes on the role of a helper that will provide more processing power to negotiate a bridge to another architecture; and the orchestrator is a special form of gateway that handles non-trivial co-ordination such as committing a transaction.

The Consortium says its aim is to end up with "an open technology framework offering a simple and consistent experience to consumers." Most DRM systems, such as Apple's Fairplay used in its iTunes service and on the iPod, prevent consumers from playing content packaged and distributed using one DRM technology on a device that supports a different DRM technology. Coral's answer is to separate content interoperability from choice of DRM technology by developing and standardizing a set of specifications focused on interoperability between different DRM technologies rather than specifying DRM technologies.

Interoperability

The resulting interoperability layer supports the coexistence of multiple different DRM technologies and permits devices to find appropriately formatted content "in the time it takes to press the play button, without consumer awareness of any disparity in format or DRM."

In a recent interview with Faultline, Ruud Peters, the chief executive of Philips's intellectual property and standards unit, told us: "We cannot force Microsoft to join. This whole thing has to be done on a voluntary basis, but if Microsoft systems means that there are devices which cannot play content, and if that content can play on all other devices, then it is Microsoft that will be seen as not friendly."
He also explained that when moving a piece of content from under the control of one piece of DRM software to another, if it was to involve a Trust Authority deciphering the content using an authorized key and then re-encrypting it using another key, then there is never any need to break the encryption system in a competing DRM standard.

Coral says it will provide interoperability for secure content distribution over web and home network-based devices and services but has yet to say anything in detail about the technology it will be using. More details will emerge at www.coral-interop.org (http://www.coral-interop.org/).

This grouping speaks for over half the Hollywood feature films on the planet, around 25 per cent of all popular recorded music and substantially more of the branded consumer electronics goods, and probably has the strength to hold a standoff with Microsoft's PC based DRM.

Twentieth Century Fox is also reported this week to have agreed to adopt the Blu-ray disc standard for next-generation DVD players. Not surprising, considering who its new DRM friends are. With Sony, its recently acquired MGM Studios and Fox backing the Blu-ray standard, it's almost a slam dunk for the Sony, Philips, Panasonic standard over the DVD Forum's HD DVD competing standard, which is still not ready.

--
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity
National IDs for everybody?
to get a U.S. passport, obtain Social Security benefits, or even wander into a federal courthouse. States would be strong-armed into complying.

Warns Barry Steinhardt of the American Civil Liberties Union: "Congress shouldn't be providing a blank check to the Department of Homeland Security to design a national driver's license."

It's not just a liberal sentiment. Says Stephen Lilienthal, a policy analyst at the conservative Free Congress Foundation: "Many conservatives have expressed concern that proposals such as the Dreier bill are placed on the books with a limited set of objectives but will expand bit by bit to include all sorts of other information and be monitored constantly by the government to keep track of individuals from cradle to grave."

Dreier should take note. Talking loudly about ID cards may boost his re-election bid next month, but voters won't be pleased when they've figured out what it actually means.
Credentica Web site is up
--- begin forwarded text
From: Stefan Brands [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Credentica Web site is up
Date: Tue, 5 Oct 2004 13:55:30 -0400

Dear All,

This e-mail is to inform you that our corporate Web site at http://www.credentica.com is up. We welcome any suggestions for improvement, and encourage you to establish links to our home-page from your blogs, news postings, and Web sites!

Best regards,
Stefan Brands
Credentica
740 Notre Dame W, #1500
Montreal, QC Canada H3C 3X6
Tel: +1 (514) 866.6000

PS Pages that may be of particular interest:
- http://www.credentica.com/about.php (overview of what we do and how we differ)
- http://www.credentica.com/solutions.php submenus (explanations of product benefits in key markets)
- http://www.credentica.com/the_mit_pressbook.php (the entire MIT Press book available for free download)

White papers and product data sheets are in preparation and will be posted in the next couple of months.

PPS The site is best viewed with a Javascript-enabled browser, and has been tested only with leading browsers.

--- end forwarded text
QC Hype Watch: Quantum cryptography gets practical
infrastructure equipment. Quantum repeaters are under development to extend that range much farther. Finally, the end points of these QKD systems must reside in secure locations. However, since they are tamper-proof, if attempts are made to compromise them, they will stop running or fire off an alarm, thus ensuring ultimate information protection.

The practical development of QKD systems has made them applicable for a number of industries such as financial services, biotech and telecommunications, along with government sectors such as intelligence and the military. They don't require a physicist or an engineer to administer them. These appliances fit in standard racks, plug into existing networks, and are reliable around the clock. QKD systems interoperate with security standards such as IPsec-based VPNs, providing an added layer of security to networks.

Ask the right questions

As you look for better ways to protect your company's most important information, QKD may be an option. However, be sure you understand the strengths and drawbacks of quantum key distribution by asking the right questions:

1. What does your organization's security policy say about the threat profile for high-value assets?
2. How frequently are your encryption keys changed and by what method?
3. What is the total cost of ownership for QKD products? Are there additional costs in support and training?
4. Are your competitors implementing QKD systems?
5. What infrastructure requirements must be met?
6. What personnel/staffing levels are required?
7. How does this QKD system work with existing cryptography systems?
8. What are the distance limitations of this system?

QKD isn't an everyday desktop tool, but the technology makes sense for those organizations that have the resources and the capacity to use it effectively.

Bob Gelfond is founder and CEO of MagiQ Technologies Inc., a vendor of quantum information processing services and products in New York.
Copyright © 2004 Computerworld Inc. All rights reserved.
CFP: Privacy Enhancing Technologies (PET 2005)
, University of Texas at Arlington, USA

Papers should be at most 15 pages excluding the bibliography and well-marked appendices (using an 11-point font), and at most 20 pages total. Submission of shorter papers (from around 4 pages) is strongly encouraged whenever appropriate. Papers must conform to the Springer LNCS style. Follow the "Information for Authors" link at http://www.springer.de/comp/lncs/authors.html. Reviewers of submitted papers are not required to read the appendices and the paper should be intelligible without them. The paper should start with the title, names of authors and an abstract. The introduction should give some background and summarize the contributions of the paper at a level appropriate for a non-specialist reader.

A preliminary version of the proceedings will be made available to workshop participants. Final versions are not due until after the workshop, giving the authors the opportunity to revise their papers based on discussions during the meeting.

Submit your papers in Postscript or PDF format. To submit a paper, compose a plain text email to [EMAIL PROTECTED] containing the title and abstract of the paper, the authors' names, email and postal addresses, phone and fax numbers, and identification of the contact author (to whom we will address all subsequent correspondence). Attach your submission to this email and send it.

By submitting a paper, you agree that if it is accepted, you will sign a paper distribution agreement allowing for publication, and also that an author of the paper will register for the workshop and present the paper there. Our current working agreement with Springer is that authors will retain copyright on their own works while assigning an exclusive 3-year distribution license to Springer. Authors may still post their papers on their own Web sites. See http://petworkshop.org/2004/paper-dist-agreement-5-04.html for the 2004 version of this agreement.
Submitted papers must not substantially overlap with papers that have been published or that are simultaneously submitted to a journal or a conference with proceedings. Paper submissions must be received by February 7. We acknowledge all submissions manually by email. If you do not receive an acknowledgment within a few days (or one day, if you are submitting right at the deadline), then contact the program committee chairs directly to resolve the problem. Notification of acceptance or rejection will be sent to authors no later than April 4 and authors will have the opportunity to revise for the preproceedings version by May 6.

We also invite proposals of up to 2 pages for panel discussions or other relevant presentations. In your proposal, (1) describe the nature of the presentation and why it is appropriate to the workshop, (2) suggest a duration for the presentation (ideally between 45 and 90 minutes), (3) give brief descriptions of the presenters, and (4) indicate which presenters have confirmed their availability for the presentation if it is scheduled. Otherwise, submit your proposal by email as described above, including the designation of a contact author. The program committee will consider presentation proposals along with other workshop events, and will respond by the paper decision date with an indication of its interest in scheduling the event. The proceedings will contain 1-page abstracts of the presentations that take place at the workshop. Each contact author for an accepted panel proposal must prepare and submit this abstract in the Springer LNCS style by the "Camera-ready copy for preproceedings" deadline date.

___
NymIP-rg-interest mailing list
[EMAIL PROTECTED]
http://www.nymip.org/mailman/listinfo/nymip-rg-interest

--- end forwarded text
Tor 0.0.9pre1 is out (fwd from [EMAIL PROTECTED])
--- begin forwarded text
Date: Fri, 1 Oct 2004 10:46:39 +0200
From: Eugen Leitl [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Tor 0.0.9pre1 is out (fwd from [EMAIL PROTECTED])
User-Agent: Mutt/1.4i
Sender: [EMAIL PROTECTED]

From: Roger Dingledine [EMAIL PROTECTED]
Subject: Tor 0.0.9pre1 is out
To: [EMAIL PROTECTED]
Date: Fri, 1 Oct 2004 03:19:44 -0400
Reply-To: [EMAIL PROTECTED]

We've fixed quite a few bugs. We've also added compression for directories, and client-side directory caching on disk so you'll have a directory when Tor restarts.

tarball: http://freehaven.net/tor/dist/tor-0.0.9pre1.tar.gz
signature: http://freehaven.net/tor/dist/tor-0.0.9pre1.tar.gz.asc
(use -dPr tor-0_0_9pre1 if you want to check out from cvs)

Changes from 0.0.8:
  o Bugfixes:
    - Stop using separate defaults for no-config-file and empty-config-file. Now you have to explicitly turn off SocksPort, if you don't want it open.
    - Fix a bug in OutboundBindAddress so it (hopefully) works.
    - Improve man page to mention more of the 0.0.8 features.
    - Fix a rare seg fault for people running hidden services on intermittent connections.
    - Change our file IO stuff (especially wrt OpenSSL) so win32 is happier.
    - Fix more dns related bugs: send back resolve_failed and end cells more reliably when the resolve fails, rather than closing the circuit and then trying to send the cell. Also attach dummy resolve connections to a circuit *before* calling dns_resolve(), to fix a bug where cached answers would never be sent in RESOLVED cells.
    - When we run out of disk space, or other log writing error, don't crash. Just stop logging to that log and continue.
    - We were starting to daemonize before we opened our logs, so if there were any problems opening logs, we would complain to stderr, which wouldn't work, and then mysteriously exit.
    - Fix a rare bug where sometimes a verified OR would connect to us before he'd uploaded his descriptor, which would cause us to assign conn->nickname as though he's unverified. Now we look through the fingerprint list to see if he's there.
    - Fix a rare assert trigger, where routerinfos for entries in our cpath would expire while we're building the path.
  o Features:
    - Clients can ask dirservers for /dir.z to get a compressed version of the directory. Only works for servers running 0.0.9, of course.
    - Make clients cache directories and use them to seed their router lists at startup. This means clients have a datadir again.
    - Configuration infrastructure support for warning on obsolete options.
    - Respond to content-encoding headers by trying to uncompress as appropriate.
    - Reply with a deflated directory when a client asks for dir.z. We could use allow-encodings instead, but allow-encodings isn't specified in HTTP 1.0.
    - Raise the max dns workers from 50 to 100.
    - Discourage people from setting their dirfetchpostperiod more often than once per minute
    - Protect dirservers from overzealous descriptor uploading -- wait 10 seconds after directory gets dirty, before regenerating.

--- end forwarded text
'Frustrated' U.S. Cybersecurity Chief Abruptly Resigns
http://www.local6.com/print/3776699/detail.html?use=print

local6.com
'Frustrated' U.S. Cybersecurity Chief Abruptly Resigns
POSTED: 11:32 AM EDT October 1, 2004

WASHINGTON -- The government's cybersecurity chief has abruptly resigned after one year with the Department of Homeland Security, confiding to industry colleagues his frustration over what he considers a lack of attention paid to computer security issues within the agency.

Amit Yoran, a former software executive from Symantec Corp., informed the White House about his plans to quit as director of the National Cyber Security Division and made his resignation effective at the end of Thursday, effectively giving a single day's notice of his intentions to leave.

Yoran said Friday he felt the timing was right to pursue other opportunities. It was unclear immediately who might succeed him even temporarily. Yoran's deputy is Donald "Andy" Purdy, a former senior adviser to the White House on cybersecurity issues.

Yoran has privately described frustrations in recent months to colleagues in the technology industry, according to lobbyists who recounted these conversations on condition they not be identified because the talks were personal.

As cybersecurity chief, Yoran and his division - with an $80 million budget and 60 employees - were responsible for carrying out dozens of recommendations in the Bush administration's National Strategy to Secure Cyberspace, a set of proposals to better protect computer networks.

Yoran's position as a director -- at least three steps beneath Homeland Security Secretary Tom Ridge -- has irritated the technology industry and even some lawmakers. They have pressed unsuccessfully in recent months to elevate Yoran's role to that of an assistant secretary, which could mean broader authority and more money for cybersecurity issues.
"Amit's decision to step down is unfortunate and certainly will set back efforts until more leadership is demonstrated by the Department of Homeland Security to solve this problem," said Paul Kurtz, a former cybersecurity official on the White House National Security Council and now head of the Washington-based Cyber Security Industry Alliance, a trade group.

Under Yoran, Homeland Security established an ambitious new cyber alert system, which sends urgent e-mails to subscribers about major virus outbreaks and other Internet attacks as they occur, along with detailed instructions to help computer users protect themselves. It also mapped the government's universe of connected electronic devices, the first step toward scanning them systematically for weaknesses that could be exploited by hackers or foreign governments. And it began routinely identifying U.S. computers and networks that were victims of break-ins.

Yoran effectively replaced a position once held by Richard Clarke, a special adviser to President Bush, and Howard Schmidt, who succeeded Clarke but left government during the formation of the Department of Homeland Security to work as chief security officer at eBay Inc.

Yoran cofounded Riptech Inc. of Alexandria, Va., in March 1998, which monitored government and corporate computers around the world with an elaborate sensor network to protect against attacks. He sold the firm in July 2002 to Symantec for $145 million and stayed on as vice president for managed security services.
Reverse DMCA: Copyright Holder Held Liable in Landmark Legal Ruling
http://www.linuxelectrons.com/article.php/20040930201813382

LinuxElectrons - Reverse DMCA: Copyright Holder Held Liable in Landmark Legal Ruling
Thursday, September 30 2004 @ 08:18 PM
Contributed by: ByteEnable

In a landmark case, a California district court has determined that Diebold, Inc., a manufacturer of electronic voting machines, knowingly misrepresented that online commentators, including IndyMedia and two Swarthmore college students, had infringed the company's copyrights. This makes the company the first to be held liable for violating section 512(f) of the Digital Millennium Copyright Act (DMCA), which makes it unlawful to use DMCA takedown threats when the copyright holder knows that infringement has not actually occurred.

The Electronic Frontier Foundation (EFF) and the Center for Internet and Society Cyberlaw Clinic at Stanford Law School sued on behalf of nonprofit Internet Service Provider (ISP) Online Policy Group (OPG) and the two students to prevent Diebold's abusive copyright claims from silencing public debate about voting. Diebold sent dozens of cease-and-desist letters to ISPs hosting leaked internal documents revealing flaws in Diebold's e-voting machines. The company claimed copyright violations and used the DMCA to demand that the documents be taken down. One ISP, OPG, refused to remove them in the name of free speech, and thus became the first ISP to test whether it would be held liable for the actions of its users in such a situation.

"This decision is a victory for free speech and for transparency in discussions of electronic voting technology," said Wendy Seltzer, an EFF staff attorney who worked on the case. "Judge Fogel recognized the fair use of copyrighted materials in critical discussion and gave speakers a remedy when their speech is chilled by improper claims of copyright infringement."
OPG Executive Director Will Doherty said, "This ruling means that we have legal recourse to protect ourselves and our clients when we are sent misleading or abusive takedown notices."

In his decision, Judge Jeremy Fogel wrote, "No reasonable copyright holder could have believed that the portions of the email archive discussing possible technical problems with Diebold's voting machines were protected by copyright . . . the Court concludes as a matter of law that Diebold knowingly materially misrepresented that Plaintiffs infringed Diebold's copyright interest."
A Proposed Nomenclature for the Four Horsemen of The Infocalypse
I've been talking about this for the last decade, and never found a reference on the web whenever I was thinking about it. Thanks to Google, it was well within my prodigiously diminished attention span this morning. Given the events on the net over the past few years, I figure we might as well have fun with the idea. Humor is good leverage, and these days we need *lots* of leverage.

In arbitrary order (in other words, *I* chose it. :-)), and with apologies to Toru Iwatani, by way of Michael Thomasson at http://www.gooddealgames.com/articles/Pac-Man%20Ghosts.html, here it is:

A Proposed Nomenclature for the Four Horsemen of The Infocalypse

   Horseman               Color   Character  Nickname
   1  Terrorism           Red     Shadow     Blinky
   2  Narcotics           Pink    Speedy     Pinky
   3  Money Laundering    Aqua    Bashful    Inky
   4  Paedophilia         Yellow  Pokey      Clyde

It is acceptable to refer to a horseman by any of the above, i.e., Horseman No. 1, The Red Horseman, Shadow, or Blinky. Apparently there was a, um, pre-deceased, dark-blue ghost, used in Japanese tournament play, named Kinky. I leave that particular horseman for quibblers.

Cheers,
RAH
Swiss on a Roll With Quantum Crypto
http://www.lightreading.com/document.asp?site=lightreadingdoc_id=60160
Light Reading - Networking the Telecom Industry
SEPTEMBER 29, 2004

Swiss on a Roll With Quantum Crypto

GENEVA -- Deckpoint and id Quantique, two private companies active in the field of information technology and based in Geneva, Switzerland, and the University of Geneva announce, as a world premiere, the official opening of a data archiving network secured using quantum cryptography technology. A ceremony will take place on September 29th 2004, at 11:00 am in Geneva. Carlo Lamprecht, the Minister of Economy, Labor and Foreign Affairs of the Republic and Canton of Geneva, as well as Professor André Hurst, the Dean of the University of Geneva, will attend this ceremony.

In a world where the reliance on electronic data transmission and processing is becoming every day more prevalent, data archiving plays a critical role in the ability of an organization to operate continuously under all circumstances. In order to guarantee the highest availability of information, the use of remote backup solutions on several sites is increasing strongly. In such a scenario, the confidentiality and the integrity of sensitive information exchanged between two sites is of the utmost importance. Current cryptographic techniques used to guarantee this confidentiality are based on mathematical theories. In spite of the fact that they are very widespread, they do not offer a foolproof security. They are in particular vulnerable to increasing computing power and theoretical advances in mathematics. On the contrary, quantum cryptography exploits the laws of quantum physics to guarantee in an absolute fashion the confidentiality of data transmission. « Quantum cryptography constitutes a revolution in the field of information security » says Professor Nicolas Gisin, of the University of Geneva.
« It is the only solution offering long term confidentiality and which cannot be compromised by scientific or technological advances ». The University of Geneva, where research on quantum cryptography started in the early 90's, played a pioneer role in the development of this technology. At the end of 2001, four researchers, who were convinced of the potential of this technology, founded the company id Quantique to develop commercial applications.

id Quantique and Deckpoint joined forces to develop and implement the first data archiving network secured using quantum cryptography. The data saved on a farm of 30 servers of the Deckpoint Housing Center, in the Acacias district of Geneva, are replicated on servers located at the Cern Internet Exchange Point, in Meyrin, in the suburbs of Geneva. The distance between the two sites is about 10 kilometers. This application, which will initially last about one month, constitutes a world premiere. id Quantique, the first company to bring quantum cryptography to the market, provided the hardware used in this application. « This world premiere is an excellent illustration of the potential of this technology » says Gregoire Ribordy, CEO. « The company confirms thus its leading position in applications of quantum technologies. »

« We are convinced that security has become critical, in particular with the implementation of the Basel II standards in the banking industry as of 2006. The economic world cannot afford anymore not to have a complete information security strategy » adds Dominique Perisset, director of Deckpoint. Seduced by the ambitions and visionary nature of this project, Deckpoint granted access to its infrastructure and offered technical support to make the implementation of this network possible.
Federal judge rejects part of Patriot Act
http://msnbc.msn.com/id/6131670/print/1/displaymode/1098/
MSNBC.com

Federal judge rejects part of Patriot Act
Provision giving FBI access to business records overturned

Reuters
Updated: 12:11 p.m. ET Sept. 29, 2004

NEW YORK - A federal judge Wednesday found unconstitutional a part of the United States' anti-terror Patriot Act that allows authorities to demand customer records from businesses without court approval. U.S. District Judge Victor Marrero ruled in favor of the American Civil Liberties Union, which challenged the power the FBI has to demand confidential financial records from companies as part of terrorism investigations.

The ruling was the latest blow to the Bush administration's anti-terrorism policies. In June, the U.S. Supreme Court ruled that terror suspects being held in places like Guantanamo Bay can use the American judicial system to challenge their confinement. That ruling was a defeat for the president's assertion of sweeping powers to hold enemy combatants indefinitely after the Sept. 11, 2001, attacks.

The ACLU sued the Department of Justice, arguing that part of the Patriot legislation violated the Constitution because it authorizes the FBI to force disclosure of sensitive information without adequate safeguards. The judge agreed, stating that the provision "effectively bars or substantially deters any judicial challenge." Under the provision, the FBI did not have to show a judge a compelling need for the records and it did not have to specify any process that would allow a recipient to fight the demand for confidential information.
Airlines Told to Turn Over Passenger Data
http://apnews.myway.com/article/20040921/D8586D6G1.html
My Way News

Airlines Told to Turn Over Passenger Data
Sep 21, 1:36 PM (ET)
By LESLIE MILLER

WASHINGTON (AP) - The Transportation Security Administration announced on Tuesday that it will order domestic airlines to turn over personal information about passengers to test a system that will compare their names to those on terrorist watch lists. The system, called Secure Flight, replaces a previous plan that would have checked passenger names against commercial databases and assigned a risk level to each. That plan, which cost $103 million, was abandoned because of privacy concerns and technological issues.

The airlines will have 30 days to comment on the proposed order, which Congress gave the TSA authority to issue. Air carriers will then have 10 days to turn over data they gathered in June, called passenger name records. The amount of data in passenger name records varies by airline, but it typically includes name, flight origin, flight destination, flight time, duration of flight and form of payment. It can also include credit card numbers, address, telephone number and meal requests, which can indicate a person's ethnicity.

Justin Oberman, who heads the office that's developing Secure Flight, said he hopes that the program can be implemented by mid to late spring. He said he expects the airlines to cooperate. "We are going to work very closely with them," Oberman said. The TSA will also conduct a limited test in which they'll compare passenger names with information from commercial databases to see if they can be used to detect fraud or identity theft.
FSTC Project Update
The business goals are to enable standards-based plug-and-play integration capabilities between institutions and customer platforms, whether ERP, Treasury Work Station (TWS), or desktop. A core group of financial institutions and technology companies has committed to launching this initiative in the second half of 2004. This project is considered on-hold until later this year.

__

4. Transformation to Open Mission Critical Systems

The transformation of systems from higher cost or proprietary delivery to open systems is one of the most hotly debated and discussed topics in financial services IT. While there is great promise in the flexibility and efficiencies gained, there is also risk and cost. An FSTC project will soon form up to determine answers to such key questions as, "Are those transformations viable?" and "What are the costs and processes by which a successful transformation program will be run?" The vision of this initiative is to bring together financial institutions to investigate the needs, processes, best practices, technology issues, risk factors, organizational issues and lessons-learned for transformation projects which move core business processes from legacy IT assets to open systems. We will provide additional details shortly. If you are interested in joining an interest group around this topic, please contact us.

__

5. Minimum Essential Finance (MEF)

In its early stages, FSTC and its members are in dialog with numerous government and industry organizations to explore interest in an initiative to identify the minimum essential elements of our financial system, and to develop a plan and process to ensure that it remains operational in the event of a disruption to normal operations. A workshop is currently being planned for this fall for multiple public and private sector organizations to develop this concept further. If you are interested in joining this dialog, please contact Zach Tumin at [EMAIL PROTECTED] .
__

## To subscribe or unsubscribe from this elist use the subscription manager: http://ls.fstc.org/subscriber

--- end forwarded text
AOL to Sell Secure ID Tags to Fight Hackers
http://www.reuters.com/newsArticle.jhtml?type=internetNewsstoryID=6284760
Reuters

AOL to Sell Secure ID Tags to Fight Hackers
Mon Sep 20, 2004 06:18 PM ET

NEW YORK (Reuters) - America Online will begin offering to sell members a security device and service that has been used to safeguard business computer networks, the world's largest Internet service provider said on Monday. AOL, a unit of Time Warner Inc. (TWX.N), signed a deal with Internet security company RSA Security Inc. (RSAS.O), to launch its new AOL PassCode, designed to add an additional layer of protection to member accounts.

PassCode users will be provided with a small handheld six-digit numeric code key. To log onto an AOL account equipped with the service, users will have to type in the six digits, which refresh on the device every 60 seconds, on top of using the regular password. The code-key device will cost $9.95. Monthly service costs range from $1.95 to $4.95.

"AOL PassCode is like adding a deadbolt to your AOL account by automatically creating a new secondary password every 60 seconds," said Ned Brody, senior vice president of AOL Premium Services. Hackers coined the term phishing in 1996 to refer to the act of swindling unsuspecting AOL customers into giving up their passwords through phony e-mails or instant messages.
America Online To Launch Secure Password Service
http://online.wsj.com/article_print/0,,BT_CO_20040921_16,00.html
The Wall Street Journal
September 21, 2004

UPDATE: America Online To Launch Secure Password Service
DOW JONES NEWSWIRES
September 21, 2004

(Adds VeriSign announcement and comments from expert in paragraphs four through nine, and additional comment in paragraphs 14-15.)

By Riva Richmond
Of DOW JONES NEWSWIRES

NEW YORK -- Password-generating devices long used by employees to securely access corporate networks are finally coming to consumers. Citing increased concerns among customers about rising identity theft online, Time Warner Inc. (TWX) unit America Online said it will launch on Tuesday a new, paid service that will allow members to log into their AOL accounts using devices, or tokens, made by RSA Security Inc. (RSAS). The gadgets, which can be put on a keychain, display six-digit passcodes that change every 60 seconds and are synchronized with AOL's servers, making it nearly impossible for fraudsters to access accounts with stolen passwords.

Also on Tuesday, VeriSign Inc. (VRSN) plans to launch two token products that would compete with RSA. But the company, acknowledging that its rival has largely wrapped up the corporate market for remote employees' use, plans to market its devices to companies, particularly banks, as something business partners and customers could use to access corporate networks more safely. For instance, VeriSign is in negotiations with two financial-services firms that are interested in providing tokens to partner firms and high net worth clients. It has also worked with i-SAFE, a non-profit group that promotes safe Internet use for children, in a pilot program to provide students tokens that allow them to enter age-restricted chat rooms and access college Web sites where they can securely take tests. They hope to get government funding to take the project nationwide.
Both of VeriSign's tokens plug into computers' USB ports and use smartcard technology, which can store multiple digital credentials. One of the tokens also has a screen that displays a changing six-digit passcode.

The new interest in bringing so-called strong authentication to consumers reflects the significantly more hostile Internet they now face. Consumers have found themselves under assault from a wave of viruses, phishing attacks and spyware programs designed to steal their personal financial information for use in identity-theft fraud. "We've seen the threats now changing to target individuals because they're not as sophisticated as corporations," says Howard Schmidt, former White House cybersecurity czar. "The way to solve these (problems) in a fairly easy manner is by strong authentication," he said. "Hacking can be reduced because people can't log in as other people. Fraud goes down because you have the ability to do instant validation. If people can't harvest user IDs and passwords, phishing becomes irrelevant."

AOL, Dulles, Va., said its main goal is to better protect its members, who use their accounts to make financial transactions and take care of other sensitive business, from such blights. AOL has been providing the devices to customers who called its agents expressing fears about the security of their accounts, making these members part of the company's testing effort. "The impetus here really has to do with the deluge of spammers, scammers, con artists, phishers, hackers and other malcontents that are trying to dupe consumers into giving up their passwords or the security of their accounts," said AOL spokesman Nicholas J. Graham. "It's another virtual deadbolt on the front door of their online experience." AOL already provides its members with free anti-spyware technology, parental controls, pop-up blocking and spam filtering. It also scans incoming and outgoing e-mail for viruses for free, while offering a premium full-blown antivirus service.
Both services are provided by McAfee Inc. (MFE). For now, however, AOL's service won't allow single sign-on into other Web sites, such as banks and e-commerce sites, where members do business. Members who sign up for AOL's service, dubbed AOL PassCode, will be prompted when logging into AOL to enter the number shown on the token along with their screen name and normal password. AOL will charge subscribers $9.95 for each device and a monthly service fee of $1.95 to $4.95, depending on how many devices are associated with account screen names.

But Schmidt thinks AOL's move will add momentum behind a move to this sort of federated identity, where one digital credential is recognized by multiple companies' Web sites, particularly since Microsoft Corp. (MSFT) is building support for RSA tokens into the next version of its Windows operating system. "That's the vision, and I think that's realistic sooner than later," he said.
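The Reuters and Dow Jones pieces above describe the same mechanism: a token shows a six-digit code that changes every 60 seconds, and the server checks that code together with the normal password. The block below is an added example, not AOL's or RSA's code; RSA SecurID's real algorithm is proprietary and not described on the page, so it stands in the published HOTP/TOTP construction (RFC 4226 / RFC 6238) with a 60-second step, and the `PassCodeVerifier` class, its clock-drift window and its replay check are hypothetical design choices.

```python
"""Added example: server-side check of a 60-second rotating six-digit passcode."""
import hashlib
import hmac
import os
import struct

STEP_SECONDS = 60   # the articles describe codes that refresh every 60 seconds
CODE_DIGITS = 6     # six-digit numeric code shown on the token


def hotp(secret: bytes, counter: int, digits: int = CODE_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step.
    Stand-in for what the token displays; RSA's own algorithm is proprietary."""
    return hotp(secret, unix_time // step)


class PassCodeVerifier:
    """Hypothetical per-account verifier: password (something you know) plus
    rotating code (something you have). `window` tolerates token clock drift;
    `last_counter` blocks replay of a code that was already accepted."""

    def __init__(self, token_secret: bytes, password: str, window: int = 1) -> None:
        self.token_secret = token_secret
        self.window = window                  # accepted drift, in time steps
        self.last_counter = -1                # highest time step already consumed
        self.salt = os.urandom(16)            # constructed per-account salt
        self.password_hash = self._hash_password(password, self.salt)

    @staticmethod
    def _hash_password(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def verify(self, password: str, code: str, unix_time: int) -> bool:
        """True only if both factors check out; the matched step is then consumed."""
        password_ok = hmac.compare_digest(
            self._hash_password(password, self.salt), self.password_hash)
        base = unix_time // STEP_SECONDS
        matched = None
        for drift in range(-self.window, self.window + 1):
            counter = base + drift
            if counter <= self.last_counter:
                continue    # step already used: a sniffed code cannot be replayed
            expected = hotp(self.token_secret, counter).encode()
            if hmac.compare_digest(expected, code.encode()):
                matched = counter
                break
        if not (password_ok and matched is not None):
            return False    # a wrong password must not burn the time step
        self.last_counter = matched
        return True


if __name__ == "__main__":
    # Constructed demo: RFC 4226 test secret, a fixed clock, one login then a replay.
    secret = b"12345678901234567890"
    verifier = PassCodeVerifier(secret, "correct horse battery")
    shown = totp(secret, 70)                  # what the token would display at t=70
    print("code on token:", shown)            # 287082
    print("first login:", verifier.verify("correct horse battery", shown, 70))    # True
    print("replay 10 s later:", verifier.verify("correct horse battery", shown, 80))  # False
```

The replay check is what makes "nearly impossible ... with stolen passwords" hold in practice: a code captured by a phishing page is useless once its 60-second step has been consumed or has passed.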
VeriSecure Systems, Inc. Demonstrates Check 21 Fraud Prevention
http://home.businesswire.com/portal/site/google/index.jsp?ndmViewId=news_viewnewsId=20040920005169newsLang=en
September 20, 2004 09:00 AM US Eastern Timezone

VeriSecure Systems, Inc. Demonstrates Check 21 Fraud Prevention

FORT LAUDERDALE, Fla.--(BUSINESS WIRE)--Sept. 20, 2004--VeriSecure Systems(TM), Inc. announced that its Check Fraud Prevention System (CFPS) was tested under the auspices of the Financial Services Technology Consortium, whose members include the largest financial institutions in the US, as well as community banks, check clearing exchanges and other institutions. VeriSecure Systems technology was demonstrated to survive the check truncation, imaging and exchange and to offer security value throughout the process.

In October of 2003, Congress passed legislation known as Check 21. This legislation becomes effective October 2004 and enables the banking industry to exchange bank check images in lieu of paper bank checks. Called "Controlling Fraud in a Truncated Check Environment," the purpose of the project was to assess the survivability, performance and viability of next-generation document security features in image based operations for bank checks, by conducting real life simulated exchanges among ten institutions.

VeriSecure Systems employed its Check Fraud Prevention System (CFPS) for the project, which is based on its US Patent #5,432,506 Counterfeit Document Detection System. The technology uses cryptography to create a unique code for each check. The security feature is applied as a standard printed barcode symbol by the check issuer. VeriSecure's software, developed in conjunction with Inlite Research, Inc., can provide a fully automated solution to read and validate the codes from either the actual paper documents or from the images of the documents.
The software rapidly verifies the authenticity of the information printed on the checks, and identifies any alterations, thus preventing the most prevalent forms of fraud.

Tom Chapman, VeriSecure's founder and the inventor of the technology said, "This project has certainly helped to demonstrate how cryptography can easily and conveniently be put to use, to validate any type of physical documents or their images. Along with fraud losses, this technology has the potential to reduce operating expenses of financial institutions as well as remittance processing for corporations."

Gene Manheim, President of Inlite Research explained that "Industry standard barcodes serve as the robust foundation to secure check images, and enable innovative technologies like CFPS to provide fraud prevention across a huge range of images."

Frank Jaffe, project manager for FSTC, said "Based on the results of the project, and given the magnitude of the risks of loss from check fraud, FSTC believes that financial institutions and check issuers will be well served by the adoption of these new document security features."

About VeriSecure Systems
The Company licenses its patented technology which is designed to verify the authenticity of physical documents and/or captured images. It is located in Plantation, Florida. (954) 401-8378 http://www.verisecuresystems.com

About Inlite Research
Since 1992, Inlite Research Inc. offers its Image Processing and Barcode Recognition technologies to OEMs and solution providers in markets that demand the utmost accuracy, productivity and quality in business processes. It is located in Sunnyvale, California. (408) 737-7092 http://www.inliteresearch.com

About The Financial Services Technology Consortium
The Financial Services Technology Consortium (FSTC.ORG) is a consortium of leading North American-based financial institutions, technology vendors, independent research organizations, and government agencies. New York, NY.
(212) 461-7116 http://www.fstc.org

Contacts
VeriSecure Systems, Inc., Plantation, Fla.
Tom Chapman, 954-401-8378
Time for new hash standard
security technologist. His latest book is Beyond Fear: Thinking Sensibly About Security in an Uncertain World. He can be reached at www.schneier.com. This article first appeared in his monthly newsletter Crypto-Gram and is reproduced with permission. Copyright rests with the author.
Symantec to acquire @Stake
http://www.siliconvalley.com/mld/siliconvalley/9682511.htm?template=contentModules/printstory.jsp
The San Jose Mercury News
Posted on Thu, Sep. 16, 2004

Symantec to acquire digital security company

CUPERTINO, Calif. (AP) - Symantec Corp. said Thursday it is acquiring digital security consulting firm @stake Inc. Financial details were not disclosed. The deal is expected to close next month.

Cupertino, Calif.-based Symantec is one of the world's biggest information security companies, selling consulting services and software such as the Norton AntiVirus program. The company does business with individuals and corporations in more than 35 countries. Cambridge, Mass.-based @stake sells consulting services and computer programs to protect networks from hackers and other security risks. Businesses that have purchased the company's SmartRisk and other products include six of the world's top 10 financial institutions and four of the world's 10 top independent software companies.

"Our customers are looking to us for a broad range of security expertise," said Gail Hamilton, a Symantec executive vice president. "By joining forces with the leader in application security consulting, we expand the capacity and capabilities of our consulting organization."

Symantec shares rose 31 cents to close at $51.32 Thursday on the Nasdaq Stock Market.

--
On the Net:
Symantec: http://www.symantec.com
@stake: http://www.atstake.com/
[Openswan dev] [Announce] Openswan 2.2.0 released
--- begin forwarded text

Date: Fri, 17 Sep 2004 17:48:25 +0200 (MET DST)
From: Paul Wouters [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [Openswan dev] [Announce] Openswan 2.2.0 released
List-Id: Openswan developer mailinglist dev.openswan.org
List-Archive: http://lists.openswan.org/pipermail/dev
List-Post: mailto:[EMAIL PROTECTED]
List-Help: mailto:[EMAIL PROTECTED]
List-Subscribe: http://lists.openswan.org/mailman/listinfo/dev, mailto:[EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]

Xelerance is proud to release Openswan 2.2.0

It is available at the usual locations:

http://www.openswan.org/code/openswan-2.2.0.tar.gz
ftp://ftp.openswan.org/openswan/openswan-2.2.0.tar.gz

A separate NAT-traversal patch and separate KLIPS patch are available as well. RPMS have been released for RedHat-9, Fedora Core 2 and 3-test1, RHEL3 and Suse 9.1. (RedHat-9 still requires KLIPS support in the kernel).

All released files have been signed with the [EMAIL PROTECTED] GPG key available from the keyservers.

The following are the most important changes:

* Added RFC 3706 DPD support (see README.DPD)
* Added AES from JuanJo's ALG patches
* Fixes for /proc filesystem issues that started to appear in 2.4.25
* Merge X.509 1.5.4 + latest security fixes (CAN-2004-0590)
* Updated .spec for building RPMS compatible with Kernel 2.6
* Merge X.509 security fixes from 1.6.3
* Fixes for NAT-T on 2.6 pulled up from 2.1.x (Herbert Xu)
* Fixes for SA Selectors on 2.6 pulled up from 2.1.x (Herbert Xu)

Bugs can be reported via http://bugs.openswan.org/ or via one of the mailing lists at http://lists.openswan.org/

Paul

___
Announce mailing list
[EMAIL PROTECTED]
http://lists.openswan.org/mailman/listinfo/announce

___
Dev mailing list
[EMAIL PROTECTED]
http://lists.openswan.org/mailman/listinfo/dev

--- end forwarded text
No Paper for Md. Anti-Touchscreen Voters
http://www.telegram.com/apps/pbcs.dll/article?Date=20040914Category=APAArtNo=409141037SectionCat=Template=printart
Article published Sep 14, 2004

No Paper for Md. Anti-Touchscreen Voters
By TOM STUCKEY
Associated Press Writer

Maryland's highest court Tuesday rejected demands for additional safeguards for touchscreen voting machines, saying elections officials have done everything necessary to ensure the paperless devices are accurate and secure. The Court of Appeals also rejected a call to allow citizens who do not trust touchscreen voting to use paper ballots in the Nov. 2 general election. The decision came in a two-paragraph order issued less than three hours after the judges heard arguments on a suit brought by TrueVoteMD. The citizens group alleges the electronic machines, used statewide for the first time in March, are vulnerable to fraud and that the state cannot guarantee fair and accurate election results.

Lead plaintiff Linda Schade said that although the decision was not a surprise, it means voters are going to be forced to vote on an insecure system. Schade said the state delayed the suit so long that judges found themselves challenged to find a remedy for this upcoming election that could be implemented in time. Linda Lamone, state election laws administrator, said outside the courtroom that making significant changes in the voting system at this late date would have created chaos on Election Day. Asked about the security of the state's 16,000 Diebold AccuVote-TS electronic machines, Lamone said, "I'm very confident they are accurate and secure." TrueVoteMD wants the state to equip all electronic machines with printers that would make a copy of each vote, although it acknowledged in court that it was too late to do that for the November election.
For the upcoming vote, the group had sought paper ballots for voters who mistrust the computer voting system, as well as additional security measures, such as installing Microsoft Windows software patches on the computers used to tabulate votes. The group contends paper records would ensure that votes were properly recorded and could be used for recounts. "We're basically playing Russian roulette," TrueVoteMD lawyer Ryan Phair said as he listed potential problems with electronic machines. "We know there is vulnerability. It is just a matter of time until it happens."

Assistant Attorney General Michael Berman said more than 20 successful elections have been held in Maryland using the Diebold machines with no evidence of fraud or allegations of inaccurate vote counts. Phair mentioned allegations of glitches with computerized systems in other states, but said it might be impossible to detect widespread fraud such as rewriting of software to skew election results. Phair said TrueVoteMD will continue its legal battle to force the state to use printers on electronic machines in future elections.

Also Tuesday, a local election judge was ordered to return to the Montgomery County elections board an electronic voting machine that U.S. Sen. Barbara Mikulski, D-Md., had trouble using in a weekend demonstration. The machine marked the wrong vote when Mikulski's hand brushed against the screen, and it took her several attempts to correct the vote. The election judge, Stan Boyd, had tests performed on the machine, but would not elaborate on the tests or any findings. Kevin Karpinski, an attorney for the county board, said any problems testing might uncover could be misleading because the machine was only for demonstration purposes and does not have updated software that will be used in the November election.
On the Voting Machine Makers' Tab
http://www.nytimes.com/2004/09/12/opinion/12sun2.html?th=pagewanted=printposition=
The New York Times
September 12, 2004

On the Voting Machine Makers' Tab

As doubts have grown about the reliability of electronic voting, some of its loudest defenders have been state and local election officials. Many of those same officials have financial ties to voting machine companies. While they may sincerely think that electronic voting machines are so trustworthy that there is no need for a paper record of votes, their views have to be regarded with suspicion until their conflicts are addressed.

Computer scientists, who understand the technology better than anyone else, have been outspoken about the perils of electronic voting. Good government groups, like Common Cause, are increasingly mobilizing grass-roots opposition. And state governments in a growing number of states, including California and Ohio, have pushed through much-needed laws that require electronic voting machines to produce paper records. But these groups have faced intense opposition from election officials. At a hearing this spring, officials from Georgia, California and Texas dismissed concerns about electronic voting, and argued that voter-verifiable paper trails, which voters can check to ensure their vote was correctly recorded, are impractical. The Election Center, which does election training and policy work, and whose board is dominated by state and local election officials, says the real problem is people who "scare voters and public officials with claims that the voting equipment and/or its software can be manipulated to change the outcome of elections."

What election officials do not mention, however, are the close ties they have to the voting machine industry. A disturbing number end up working for voting machine companies. When Bill Jones left office as California's secretary of state in 2003, he quickly became a consultant to Sequoia Voting Systems.
His assistant secretary of state took a full-time job there. Former secretaries of state from Florida and Georgia have signed on as lobbyists for Election Systems and Software and Diebold Election Systems. The list goes on. Even while in office, many election officials are happy to accept voting machine companies' largess. The Election Center takes money from Diebold and other machine companies, though it will not say how much. At the center's national conference last month, the companies underwrote meals and a dinner cruise. Forty-three percent of the budget of the National Association of Secretaries of State comes from voting machine companies and other vendors, and at its conference this summer in New Orleans, Accenture, which compiles voter registration databases for states, sponsored a dinner at the Old State Capitol in Baton Rouge. There are also reports of election officials being directly offered gifts. Last year, the Columbus Dispatch reported that a voting machine company was offering concert tickets and limousine rides while competing for a contract worth as much as $100 million, if not more. When electronic voting was first rolled out, election officials and voting machine companies generally acted with little or no public participation. But now the public is quite rightly insisting on greater transparency and more say in the decisions. If election officials want credibility in this national discussion, they must do more to demonstrate that their only loyalty is to the voter. Making Votes Count: Editorials in this series remain online at nytimes.com/makingvotescount. -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. 
-- Edward Gibbon, 'Decline and Fall of the Roman Empire' - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
FSTC Issues Call for Participation for Two New Projects
) To subscribe or unsubscribe from this elist use the subscription manager: http://ls.fstc.org/subscriber

--- end forwarded text
Wireless security remains as main threat to mobility
http://www.ottawabusinessjournal.com/283824489528668.php

Ottawa Business Journal - News
Wireless security remains as main threat to mobility
By Ottawa Business Journal Staff
Mon, Sep 6, 2004 12:00 AM EST

The wireless industry needs a lasting solution to one of its biggest threats: outside intrusion. According to Victor Shevchenko, director of business development for the Global Mobile Enterprise 2004 Conference, wireless security will be a main discussion point at the conference, Sept. 14 to 16 at the Brookstreet Hotel.

"Mainly, we're talking about the protection of electronic data transported and received by Palm Pilots, mobile phones and computers connected through wireless networks," said Mr. Shevchenko, who organized the conference with Zora Arnautovic, director of the organizing committee.

"The general trend is to get people mobile when they're offsite, but the key challenges are: how can we ensure that the communication is secure, that no data is compromised and that access to corporate networks through secure wireless channels is safe?" said Mr. Shevchenko. "Protecting the access and integrity of data being sent back and forth is the real challenge."

There is no universal standard acknowledged by the wireless industry as the safest, he added. Virtual private networks (VPNs) are one way a company can improve its wireless security, he said, adding new-generation standards, such as WiMAX, are another. "One of the main purposes of our conference will be to determine what the most promising (standard) is so the industry can move forward," he said.

Mark Zimmerman, vice-president of sales at Toronto-based Nextair Corp., said there is no one-size-fits-all solution to the issue of standards. Mr. Zimmerman will attend the conference with Nextair CEO Ron Close, who will lead a discussion on wireless applications. "There have been a number of hiccups along the way when securing information that's being delivered over the air (between two wireless devices)," said Mr. Zimmerman, describing the early wireless fidelity standards as "not very good from a security perspective."

In the past, officials from the federal government's Communications Security Establishment (CSE) warned that cellphones, for example, should not be relied on for transmitting sensitive data. "(They) could very easily be compromised," said Richard MacLean, a CSE communications security engineer, at a May conference on wireless security. In a bid to ensure the encryption capability of public sector cellphones is up to date, the CSE is testing global system for mobile phones equipped to handle top-secret voice data.

"Now we're approaching a level where (wireless standards) are secure for many applications, if not for all," said Mr. Zimmerman. "The one thing not talked about is securing wireless devices themselves," he added. "When you look at PDAs that leave a (company's) building, they often have the corporate crown jewels on them. In most cases, we do have the technology, but we need to spend more time educating the marketplace and our customers about using that technology and building it into products, rather than turning to security as an afterthought."

Mr. MacLean's advice is to use approved cryptography solutions, strong passwords that are changed often and anti-virus software on PDAs and PCs that can be updated frequently.

"The threat of outside intrusion is very viable because of ample hardware and software capable of compromising wireless connectivity," said Mr. Shevchenko. Such equipment can have serious implications for corporate productivity, revenue and data, he added.

While BlackBerries and other handheld e-mail devices are widely used by businesspeople, users should know that, without private keys that can encrypt the data, sensitive information can easily be poached, said Mr. MacLean.

The medical and financial fields have led by example when it comes to wireless security, said Mr. Zimmerman, mostly because it's critical that security failures are avoided in these fields. Currently, new medical standards are being worked on to ensure there is no electromagnetic interference with other pieces of medical equipment.

In the transport industry, wireless security has become paramount, as airports adopt wireless baggage handling systems. To protect its wireless system, Toronto's Pearson International Airport, for example, uses additional software that encrypts and protects all baggage-related transmissions to ensure no one from the outside can manipulate the information in any way, according to Gary Long, general manager of information technology at the Greater Toronto Airport Authority.

The transport industry will be the subject of a wireless case study at the conference, said Mr. Shevchenko. "We want to see where this is going and how it can be ensured. In all honesty, I'm as eager as anyone to get some answers to some of these questions."
PGP Identity Management: Secure Authentication and Authorization over the Internet
"Now that applications have shifted to the Internet, the use of secret passwords is not scalable or secure enough. Instead, there are ways to implement federated identity management using strong cryptography and the same PGP key infrastructure that is widely deployed on the Internet today."
- Vinnie Moscaritolo, PGP Cryptographic Engineer

©2002-2004 PGP Corporation. All Rights Reserved.
Spam Spotlight on Reputation
http://www.eweek.com/print_article/0,1761,a=134748,00.asp

EWeek
Spam Spotlight on Reputation
September 6, 2004
By Dennis Callaghan

As enterprises continue to register Sender Protection Framework records, hoping to thwart spam and phishing attacks, spammers are upping the ante in the war on spam and registering their own SPF records.

E-mail security company MX Logic Inc. will report this week that 10 percent of all spam includes such SPF records, which are used to authenticate IP addresses of e-mail senders and stop spammers from forging return e-mail addresses. As a result, enterprises will need to increase their reliance on a form of white-listing called reputation analysis as a chief method of blocking spam.

E-mail security appliance developer CipherTrust Inc., of Alpharetta, Ga., also last week released a study indicating that spammers are supporting SPF faster than legitimate e-mail senders, with 38 percent more spam messages registering SPF records than legitimate e-mail.

The embrace of SPF by spammers means enterprises' adoption of the framework alone will not stop spam, which developers of the framework have long maintained. Enter reputation analysis. With the technology, authenticated spammers whose messages get through content filters would have reputation scores assigned to them based on the messages they send. Only senders with established reputations would be allowed to send mail to a user's in-box. Many anti-spam software developers already provide such automated reputation analysis services. MX Logic announced last week support for such services.

"There's no question SPF is being deployed by spammers," said Dave Anderson, CEO of messaging technology developer Sendmail Inc., in Emeryville, Calif. "Companies have to stop making decisions about what to filter out and start making decisions about what to filter in based on who sent it," Anderson said.

The success of reputation lists in organizations will ultimately depend on end users' reporting senders as spammers, Anderson said. "In the system we're building, the end user has the ultimate control," he said.

Scott Chasin, chief technology officer of MX Logic, cautioned that authentication combined with reputation analysis services still won't be enough to stop spam. Chasin said anti-spam software vendors need to work together to form a reputation clearinghouse of good sending IP addresses, including those that have paid to be accredited as such. "There is no central clearinghouse at this point to pull all the data that anti-spam vendors have together," said Chasin in Denver. "We're moving toward this central clearinghouse but have to get through authentication first."
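An added example, not from the eWeek article or from any vendor it quotes, of the point the article makes: an SPF "pass" only proves that the sending IP is one the sender's own domain authorizes, so a spammer who publishes an SPF record for his own domain passes too, and the receiving policy has to combine authentication with a reputation score. The TXT records, IP addresses and reputation scores are constructed for the example; the evaluator handles only the ip4, ip6, include and all mechanisms, and the recursion cap on include approximates the lookup limit of the later RFC 7208.

```python
import ipaddress

# Constructed sample TXT records standing in for DNS lookups (not real domains' records).
TXT_RECORDS = {
    "bank.example":    "v=spf1 ip4:192.0.2.0/24 include:mailer.example -all",
    "mailer.example":  "v=spf1 ip4:198.51.100.10 ~all",
    "spammer.example": "v=spf1 ip4:203.0.113.0/24 -all",   # a spammer publishing its own SPF
}

# Constructed reputation scores (0 = known bad, 1 = known good), keyed by sending IP.
REPUTATION = {"192.0.2.25": 0.95, "198.51.100.10": 0.80}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, records=TXT_RECORDS, depth=0):
    """Simplified SPF evaluation: ip4/ip6/include/all mechanisms only.

    Returns one of pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:                     # cap include recursion (RFC 7208 limits lookups to 10)
        return "permerror"
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        result = QUALIFIERS[qualifier]
        if term == "all":
            return result
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            # membership is False across IP versions, so a v6 client never matches ip4:
            if ip in ipaddress.ip_network(arg, strict=False):
                return result
        elif mech == "include":
            if check_spf(arg, client_ip, records, depth + 1) == "pass":
                return result
        # other mechanisms (a, mx, ptr, exists) are skipped in this toy evaluator
    return "neutral"                   # no mechanism matched and no 'all' term


def mail_policy(sender_domain, client_ip, reputation=REPUTATION, records=TXT_RECORDS):
    """Combine authentication (SPF) with sender reputation, as the article argues is necessary."""
    spf = check_spf(sender_domain, client_ip, records)
    if spf == "fail":
        return "reject"                # the domain itself says this IP may not send for it
    score = reputation.get(client_ip)
    if spf == "pass" and score is not None and score >= 0.7:
        return "accept"                # authenticated AND an established good reputation
    if spf == "pass":
        return "quarantine"            # authenticated, but SPF says nothing about intent
    return "content-filter"            # unauthenticated or unknown: fall back to content filtering
```

Running `mail_policy("spammer.example", "203.0.113.5")` returns "quarantine" even though SPF passes, while the bank's known-good relay is accepted and a forged bank sender from an unauthorized IP is rejected; the reputation table is the part of the decision that SPF alone cannot supply.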
First quantum crypto bank transfer
--- begin forwarded text

From: Andrew Thomas [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: First quantum crypto bank transfer
Date: Fri, 20 Aug 2004 09:05:58 +0200
Sender: [EMAIL PROTECTED]

Cryptography system goes underground (Aug 19)
http://physicsweb.org/article/news/8/8/13

A group of scientists in Austria and Germany has installed an optical fibre quantum cryptography system under the streets of Vienna and used it to perform the first quantum secure bank wire transfer (A Poppe et al. 2004 Optics Express 12 3865). The quantum cryptography system consisted of a transmitter (Alice) at Vienna's City Hall and a receiver (Bob) at the headquarters of an Austrian bank. The sites were linked by 1.45 kilometres of single-mode optical fibre.

-- Andrew G. Thomas

--- end forwarded text
Data watchdog slams ID card plans
http://www.theregister.co.uk/2004/08/16/id_card_surveillance_fears/print.html

The Register
Original URL: http://www.theregister.co.uk/2004/08/16/id_card_surveillance_fears/

Data watchdog slams ID card plans
By John Leyden (john.leyden at theregister.co.uk)
Published Monday 16th August 2004 14:05 GMT

Britain is at risk of sleepwalking into a surveillance society because of David Blunkett's identity card scheme and other UK government plans, according to the UK's Information Commissioner.

Richard Thomas also cited plans for a population register by the Office for National Statistics and a database on children, in warning of a slide towards a Big Brother-style system of ubiquitous surveillance in the UK. Thomas predicted Britain risks moving towards an East German Stasi-style snooping culture if current plans are followed through.

Thomas's comments came in an interview (http://www.timesonline.co.uk/article/0,,2-1218615_2,00.html) with The Times published today. He said: "My anxiety is that we don't sleepwalk into a surveillance society where much more information is collected about people, accessible to far more people shared across many more boundaries than British society would feel comfortable with."

The Information Commissioner is not opposed to ID cards on principle. But he is concerned about what he sees as the Home Office's failure to clearly define a purpose for ID cards, the amount of information that would be held on any card and who might be able to access this information.

Clamping down on benefit fraud, controlling illegal immigration and preventing terrorism have been cited as the main reasons why Britain needs ID cards by the Home Office at one time or another. The government's proposed ID card scheme will involve the establishment of a national register of citizens' personal details, widely accessible to government departments. This approach gives the UK's Information watchdog the fear.

In response to the Home Office's consultation on identity cards, Thomas concludes: "Whilst I am not fundamentally opposed to the introduction of ID cards I do have significant concerns about the current proposals. The privacy implications of an extensive national identity register are, in many ways, of far greater concern for individuals. This aspect needs more of a public debate."
Cardholders clueless on chip and pin
http://www.theregister.co.uk/2004/08/13/clueless_chip_and_pin/print.html

The Register
Original URL: http://www.theregister.co.uk/2004/08/13/clueless_chip_and_pin/

Cardholders clueless on chip and pin
By Startups.co.uk (press.releases at theregister.co.uk)
Published Friday 13th August 2004 08:46 GMT

Retailers will be bracing themselves for what could be a chaotic festive season following the news that more than half of British cardholders know little or nothing about the new chip and pin card system.

Up to 120 million new chip and pin cards will be winging their way to Christmas shoppers in time for the 1 January 2005 deadline, when retailers will be required to introduce the new system. The new cards are designed to combat fraud by replacing magnetic strips with information stored on a microchip, which customers must verify by keying in a four-digit pin number.

IT consultancy and fraud specialist Detica, which commissioned the research, said that it had come across incidents where retailers had refused to serve customers failing to remember their pin or even refusing to use it in the first place.

According to David Porter, Head of Fraud Security at Detica, a lot needs to be done between now and December. He said: "Retailers need to act quickly to help their customers. Nearly three-quarters of the public are confident chip and pin will reduce theft and fraud once it's explained to them, but retailers can't afford to begin educating everyone individually at the busiest time of the shopping year. They need to begin a prominent education system in stores now. With 117 shopping days to Christmas, the clock is ticking."

With the number of pin numbers to remember set to increase, analysts are also worried that cardholders may change all their pins to one number or share their pins, a danger that could adversely increase the likelihood of fraud. At present, among those who have more than one pin or security code to remember, almost half pin-share for two or more things requiring a code.

With one in three people affected by card fraud and a cost to the UK of £425m in 2002, Detica are still confident that the new system will significantly reduce card crime. However, there are those who remain cautious about the immediate impact of chip and pin. A chip and pin spokeswoman said of Detica's findings: "This contradicts all the research we have done. Transaction times are reduced with chip and pin, not necessarily in the first instance, but beyond that it is faster to use a pin than a signature."

Copyright © 2004, (http://www.startups.co.uk/)
Wrong Time for an E-Vote Glitch
not to push the bill forward during this legislative session, which ends Aug. 31. This means legislators will have to reintroduce a new bill next January when they reconvene. The bill (PDF), introduced by Johnson and state Senator Don Perata (D-Oakland), had bipartisan support and the backing of Secretary of State Kevin Shelley.

"I'm a little mystified why the committee has stalled the bill," Swatt said. "E-voting machines, like them or not, are here to stay in California. It is clear that if we are going to be living with e-voting machines the only way to protect voters and to ensure that their votes are counted accurately is to have a paper trail."

Swatt said she hoped the public would pressure the legislature to push the bill forward before the session ends.
Websites, Passwords, and Consumers (Re: CRYPTO-GRAM, August 15, 2004)
/ http://www.internetweek.com/e-business/showArticle.jhtml?articleID=22100149 or http://tinyurl.com/54b4g

The Trojan:
http://news.com.com/Pop-up+program+reads+keystrokes%2C+steals+passwords/2100-7349_3-5251981.html or http://tinyurl.com/yqeoe
http://www.pcworld.com/news/article/0%2Caid%2C116761%2C00.asp

A shorter version of this essay originally appeared in IEEE Security and Privacy:
http://csdl.computer.org/comp/mags/sp/2004/04/j4088abs.htm
RPOW - Reusable Proofs of Work
--- begin forwarded text

To: [EMAIL PROTECTED]
Subject: RPOW - Reusable Proofs of Work
Date: Sun, 15 Aug 2004 10:43:09 -0700 (PDT)
From: [EMAIL PROTECTED] (Hal Finney)
Sender: [EMAIL PROTECTED]

I'd like to invite members of this list to try out my new hashcash-based server, rpow.net.

This system receives hashcash as a Proof of Work (POW) token, and in exchange creates RSA-signed tokens which I call Reusable Proof of Work (RPOW) tokens. RPOWs can then be transferred from person to person and exchanged for new RPOWs at each step. Each RPOW or POW token can only be used once but since it gives birth to a new one, it is as though the same token can be handed from person to person.

Because RPOWs are only created from equal-value POWs or RPOWs, they are as rare and valuable as the hashcash that was used to create them. But they are reusable, unlike hashcash.

The new concept in the server is the security model. The RPOW server is running on a high-security processor card, the IBM 4758 Secure Cryptographic Coprocessor, validated to FIPS-140 level 4. This card has the capability to deliver a signed attestation of the software configuration on the board, which any (sufficiently motivated) user can verify against the published source code of the system. This lets everyone see that the system has no back doors and will only create RPOW tokens when supplied with POW/RPOW tokens of equal value. This is what creates trust in RPOWs as actually embodying their claimed values, the knowledge that they were in fact created based on an equal value POW (hashcash) token.

I have a lot more information about the system at rpow.net, along with downloadable source code. There is also a crude web interface which lets you exchange POWs for RPOWs without downloading the client.

This system is in early beta right now so I'd appreciate any feedback if anyone has a chance to try it out. Please keep in mind that if there are problems I may need to reload the server code, which will invalidate any RPOW tokens which people have previously created. So don't go too crazy hoarding up RPOWs quite yet.

Thanks very much - Hal Finney

--- end forwarded text
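To make the exchange Hal describes concrete, here is an added Python sketch (my own, not the rpow.net code): a hashcash-style proof-of-work minter and verifier, and an exchange server that burns each POW or RPOW token exactly once and issues one fresh RPOW of the same value. Assumptions of the example: the hashcash token layout is simplified to `hashcash:bits:resource:counter` hashed with SHA-256 rather than hashcash's own format and SHA-1; an HMAC under a server-held key stands in for the RSA signature the real server produces on the 4758; and a set of spent tokens plays the role of whatever record the real server keeps to enforce "each token can only be used once".

```python
import hashlib
import hmac
import os


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a hash digest (the hashcash difficulty measure)."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def mint_hashcash(bits: int, resource: str, counter: int = 0) -> str:
    """Brute-force a counter until the token's SHA-256 has at least `bits` leading zeros.

    Token layout (an assumption of this example, not real hashcash):
    hashcash:<bits>:<resource>:<counter>
    """
    while True:
        token = f"hashcash:{bits}:{resource}:{counter}"
        if leading_zero_bits(hashlib.sha256(token.encode()).digest()) >= bits:
            return token
        counter += 1


def hashcash_value(token: str) -> int:
    """Verify a POW token and return the value (difficulty bits) it actually proves."""
    kind, bits, _rest = token.split(":", 2)
    bits = int(bits)
    if kind != "hashcash" or bits <= 0:
        raise ValueError("not a hashcash token")
    if leading_zero_bits(hashlib.sha256(token.encode()).digest()) < bits:
        raise ValueError("proof of work does not meet its claimed difficulty")
    return bits


class RpowServer:
    """Exchanges one POW or RPOW token for one fresh RPOW token of equal value.

    The HMAC under self._key stands in for the coprocessor-held RSA signing key;
    self._spent is the record that stops any token from being redeemed twice.
    """

    def __init__(self, key=None):
        self._key = key or os.urandom(32)
        self._spent = set()
        self._seq = 0

    def _sign(self, payload: str) -> str:
        return hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()

    def _issue(self, bits: int) -> str:
        self._seq += 1                              # unique serial, so every RPOW is distinct
        payload = f"rpow:{bits}:{self._seq}"
        return f"{payload}:{self._sign(payload)}"

    def _rpow_value(self, token: str) -> int:
        try:
            _kind, bits, seq, sig = token.split(":")
        except ValueError:
            raise ValueError("malformed RPOW token") from None
        if not hmac.compare_digest(self._sign(f"rpow:{bits}:{seq}"), sig):
            raise ValueError("RPOW signature does not verify")
        return int(bits)

    def exchange(self, token: str) -> str:
        """Burn `token` and return a new RPOW worth exactly what `token` was worth."""
        if token in self._spent:
            raise ValueError("token already spent")
        if token.startswith("hashcash:"):
            bits = hashcash_value(token)            # value comes from the work actually done
        elif token.startswith("rpow:"):
            bits = self._rpow_value(token)          # value comes from our own earlier signature
        else:
            raise ValueError("unknown token type")
        self._spent.add(token)                      # record the input before issuing the output
        return self._issue(bits)
```

The property to notice is that value is never created by the server: every RPOW it signs is traceable, through the chain of exchanges, to one hashcash token whose work it verified, and a second presentation of any token in the chain is refused. What the attestation of the 4758 adds on top of this is the ability for users to check that the code enforcing these two rules is the published code.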
Cyber Fears On Fed's Web Plan
http://www.nypost.com/business/18671.htm

The New York Post
CYBER FEARS ON FED'S WEB PLAN
By HILARY KRAMER
August 15, 2004

With little fanfare, the Federal Reserve will begin transferring the nation's money supply over an Internet-based system this month - a move critics say could open the U.S.'s banking system to cyber threats.

The Fed moves about $1.8 trillion a day on a closed, stand-alone computer network. But soon it will switch to a system called FedLine Advantage, a Web-based technology. Proponents say the system is more efficient and flexible. The current system is outdated, using DOS - Microsoft's predecessor to the Windows operating system. But security experts say the threat of outside access is too big a risk.

"The Fed is now going to be vulnerable in two distinct ways. A hacker could break in to the Fed's network and have full access to the system, or a hacker might not have complete access but enough to cause a denial or disruptions of service," said George Kurtz, co-author of "Hacking Exposed" and CEO of Foundstone, an Internet security company. "If a security breach strikes the very heart of the financial world and money stops moving around, then our financial system will literally start to collapse and chaos will ensue."

FedLine is expected to move massive amounts of money. Currently, Fedwire transfers large-dollar payments averaging $3.5 million per transaction among Federal Reserve offices, financial institutions and federal government agencies.

Patti Lorenzen, a spokeswoman for the Federal Reserve, said the agency is taking every precaution. "Of course, we will not discuss the specifics of our security measures for obvious reasons," she said. "We feel confident that this system adheres to the highest standards of security. Without disclosing the specifics, it is important to note that our security controls include authentication, encryption, firewalls, intrusion detection and Federal Reserve conducted reviews."

Ron Gula, president of Tenable Network Security and a specialist in government cyber security, said he's sure the Fed is taking every precaution. But no system is 100 percent foolproof. "If the motive was to manipulate the money transferring, there are Tom Clancy scenarios where there are ways to subvert underlying technologies," Gula said. "For example, a malicious programmer can put something in the Fed's network to cause the system to self-destruct or to wire them money. The biggest concern isn't the 13-year-old who hacks into the Fedwire and sends himself some money - it's terrorism."

On July 22, the Department of Homeland Security released an internal report saying a cyber attack could result in "widespread disruption of essential services ... damag(ing) our economy and put(ting) public safety at risk."

But the Fed's undertaking of this massive overhaul is considered a necessity. "Our strategy is to move to Web-based technology because there are inherent limitations with DOS based technology and our goal is to provide better and robust product offerings to meet our customers' needs," said Laura Hughes, vice president of national marketing at the Chicago Fed, which has spearheaded this program.
The New Digital Media: You Might Have It, But Not Really Own It
, for instance, be able to make a copy of the Toy Story 4 DVD for your laptop -- but not do the same thing with Charlie's Angels 5. Those variations will likely require some form of labeling on DVDs so consumers will know what they're getting, according to companies involved in planning them.

Alan Davidson, associate director of the civil liberties group Center for Democracy and Technology, says he isn't opposed to DRM, but worries consumers may not understand what rights come with content they purchase. DRM "underscores the point that consumers are going to have to become a lot more sophisticated about what they're buying," he says.
Cryptome on ABC Evening News?
There's a teaser for tonight's 6:30 news about a website that publishes pipeline maps and the names and addresses of government employees.

The horror. :-)

Cheers,
RAH
Hydan: Information Hiding in Program Binaries
http://crazyboy.com/hydan/ Hydan [hI-dn]: Old english, to hide or conceal. Intro: Hydan steganographically conceals a message into an application. It exploits redundancy in the i386 instruction set by defining sets of functionally equivalent instructions. It then encodes information in machine code by using the appropriate instructions from each set. Features: - Application filesize remains unchanged - Message is blowfish encrypted with a user-supplied passphrase before being embedded - Encoding rate: 1/110 Primary uses for Hydan: - Covert Communication: embedding data into binaries creates a covert channel that can be used to exchange secret messages. - Signing: a program's cryptographic signature can be embedded into itself. The recipient of the binary can then verify that it has not been tampered with (virus or trojan), and is really from who it claims to be from. This check can be built into the OS for user transparency. - Watermarking: a watermark can be embedded to uniquely identify binaries for copyright purposes, or as part of a DRM scheme. Note: this usage is not recommended as Hydan implements fragile watermarks. If you think of anything else, do let me know :) Platforms Supported: - {Net, Free}BSD i386 ELF - Linux i386 ELF - Windows XP PE/COFF Download: Version 0.13 News: Update: I've finally updated the hydan code, after a long time off. The encoding rate has been improved to 1/110 (thanks to a tip from sandeep!), and the code is now much cleaner too. In the mean time, hydan has been presented at: CansecWest 04 BlackHat Vegas 04 DefCon 04 A paper is to be published soon as well: Hydan: Hiding Information in Program Binaries Rakan El-Khalil and Angelos D. Keromytis. Which is to appear in the proceedings of the 6th International Conference on Information and Communications Security (ICICS), Malaga, Spain. To be published in Springer Verlag's LNCS. Hydan was initially presented at CodeCon on 02/23/2003. 
The following is a list of articles online from that presentation:
- The Register: Hydan Seek (same article at BusinessWeek, and SecurityFocus)
- Slashdot: Program Hides Secret Messages in Executables (could it be? crazyboy survived slashdotting?)
- Punto-Informatico: Un tool cela segreti nei programmi [A tool hides secrets in programs] (intl coverage! been getting a lot of hits from them)
- Bruce Schneier's Crypto-Gram: March 15, 2003 Issue (and not in the snake-oil section either ;)

Like my Work? Buy me books!
Contact: Rakan El-Khalil rfe3 at columbia dot edu

-- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire' - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Cryptome on ABC Evening News?
--- begin forwarded text Date: Thu, 12 Aug 2004 20:41:05 -0700 To: [EMAIL PROTECTED] From: John Young [EMAIL PROTECTED] Subject: Re: Cryptome on ABC Evening News? Sender: [EMAIL PROTECTED] There's a text version of the report on abcnews.com and a video is available to subscribers. To keep the nation secure the web site is not named. Google search appears to do it based on hate mail coming in. --- end forwarded text -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire' - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Too Much Information?
http://abcnews.go.com/sections/WNT/US/internet_sensitive_info_040812.html

Too Much Information? Web Site Raises Questions About Public Access to Sensitive Government Info
By Jake Tapper, ABCNEWS.com, Aug. 12, 2004

John Young, a 69-year-old architect, was contacted a few weeks ago by Department of Homeland Security officials, who expressed concern about what he was posting on his Web site. Officials questioned Young about information he had posted about the 2004 Democratic National Convention, including satellite photos of the convention site and the location of specific police barricades referred to on the site as a complete joke.

In response to a complaint, two special agents from the FBI's counterterrorism office in New York City interviewed Young in November 2003. They said, 'Why didn't you call us about this? Why are you telling the public?' And we said, 'Because it's out there and you can see it. You folks weren't doing anything,' Young told ABC News. The agents, according to Young, stressed they knew that nothing on the site was illegal. Young added: They said, 'What we'd like you to do, if you're approached by anyone that you think intends to harm the United States, we're asking you to let us know that.'

I know there are a lot of people in the government who find him troublesome, said former White House terrorism adviser Richard Clarke, now an ABC News consultant. There is a real tension here between the public's right to know and civil liberties, on the one hand, and security on the other. But Young argues his actions enhance national security, since he points out to the public vulnerabilities the government does not want to acknowledge.
Like others who run similar Web sites, Young does so by using information from the public domain, such as: * Photographs of preparations for the upcoming Republican National Convention at New York City's Madison Square Garden * Detailed maps of bridges and tunnels leading in and out of Manhattan * Maps of New York City's single natural gas pipeline * The location of an underground nuclear weapons storage complex in New Mexico Enabling the Enemy? I think it's very, very bad for the country to have anyone putting together information that makes it easier for anyone that wants to injure Americans to do so, said Rep. Chris Cox, R-Calif., chair of the House Homeland Security Committee. Law enforcement officials were particularly upset that Young posted the satellite photos and addresses for the homes of top Bush administration officials. We think public officials should be totally transparent. There should be no secrecy, said Young. We are opposed to government secrecy in all of its forms. Officials call that argument outrageous and argue some secrecy is necessary. The Department of Homeland Security has taken aggressive measures to protect critical infrastructure across the country, said a Department of Homeland Security spokeswoman. We discourage Web posting of detailed information about critical infrastructure. This information is not helpful to our ongoing efforts to protect the American people and our nation's infrastructure. When asked how he would respond to those who consider his Web site unpatriotic since it could provide useful information for those who seek to harm the United States, Young said, If this is not done, more Americans are going to die. More harm is going to come to the United States. It is more patriotic to get information out than to withhold it. Officials acknowledge there is not much they can do; Young has not broken any laws. -- - R. A. 
Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire' - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
ONLamp.com: Anonymous, Open Source P2P with MUTE
start their own project, add the features, and release their own version of MUTE. My contribution is anonymous file-sharing. HW: Do you need volunteers? What skills and contributions do you need the most? JR: I have been looking for people who have an idea for a feature that can be added to MUTE in a modular fashion, with a clean API separating it from the rest of the MUTE code. HW: What advice do you have for those who might want to modify the MUTE source? JR: MUTE is a layered architecture. The bottom layer is a secure socket implementation that is used to encrypt the contents of neighbor connections. Above that is the MUTE routing layer, which features a very clean API for controlling a MUTE node and sending or receiving messages through it. The file-sharing layer is built on top of the routing API, and it has a clean API of its own, which supports various file-sharing operations, like searching and downloading. The user interfaces are built on top of the file-sharing API, and two are included in the source: a text-based interface and a wxWindows GUI. If you want to build your own communication service on top of MUTE routing, I would suggest taking a look at the routing API. If you want to build a new client for file sharing - for example, a platform-specific GUI, then the file-sharing API will be useful. Understanding these layer APIs will also help you to modify the existing MUTE client. HW: As a programmer, what are some of the things you've been learning as you've been working on MUTE? JR: I have been programming for years, but my coding techniques improve every day. I'm always looking for more elegant ways to do things, and looking back at last year's code can be frustrating. I find the same to be true for any creative process, including writing, visual arts, and music: Since you constantly improve, your past work feels particularly shoddy in retrospect. My coding has improved in many subtle ways that I cannot necessarily put my finger on. 
In terms of more dramatic changes, the use of a layered architecture has made the MUTE project very easy to manage and understand. I have never used a layered architecture before, but I plan to use it in the future. HW: Have you considered the legal ramifications of what you're doing and prepared for any possible legal action? As everybody knows, the RIAA and its international counterparts have been going after both users and developers of P2P software quite aggressively. JR: So far, these organizations have confined their attacks to corporations that are peddling P2P and making money off of it. There is no precedent for a suit against an individual P2P developer who is releasing non-commercial, open-source software. Selling a product that helps people break the law is very different from giving it away. Furthermore, there is no explicit law against software like MUTE. That said, I could always be the precedent, and I am ready for anything. I believe that coding is part of my right to free speech, and I also believe that I have the right to encourage people to break an unjust law as a form of social protest. Many people look at the MUTE web site, which refers directly to how MUTE circumvents the RIAA's spy tactics, and say, Whoa, friend, I would be careful if I were you. Sure, many other P2P developers and companies blatantly lie about what their software is for, but I refuse to lie. You can write a book that encourages people to break the law - for example, The Anarchist Cookbook. Why can't I write a web site that does the same thing? To be honest, I think it is highly unlikely I will be sued, but only time will tell. HW: It's inevitable that a third-generation P2P service is probably on the horizon. Will you be so bold to say that yours, MUTE, is it? JR: Whatever the third-generation P2P system will be, it will certainly be anonymous. All past P2P innovations have been spurred by the legal tactics of the day. I don't see why the next leap will be any different. 
MUTE is probably more of a vanguard than the be-all, end-all third-generation P2P system, much like Gnutella was the vanguard for the second generation. Other P2P developers may be inspired by MUTE and start thinking about how to make P2P anonymous. Unfortunately, if history repeats itself, the most popular third-generation network may be owned by a corporation that was ultimately inspired by my work on MUTE. It would be nice to see an open-source and open-protocol network win this round, if only to ensure that at least one open-source application was on the majority of people's desktops. Howard Wen is a freelance writer who has contributed frequently to O'Reilly Network and written for Salon.com, Playboy.com, and Wired, among others. -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end
SF Bay Area Cypherpunks August 2004 Physical Meeting Announcement
--- begin forwarded text Date: Tue, 10 Aug 2004 09:56:44 -0700 To: [EMAIL PROTECTED], [EMAIL PROTECTED] From: Bill Stewart [EMAIL PROTECTED] Subject: SF Bay Area Cypherpunks August 2004 Physical Meeting Announcement Cc: [EMAIL PROTECTED] Sender: [EMAIL PROTECTED]

Rick Moen suggested we have a Cypherpunks meeting in August, so:

SF Bay Area Cypherpunks August 2004 Physical Meeting Announcement

General Info:
DATE: Saturday 14 August 2004
TIME: 12:00 - 5:00 PM (Pacific Time)
PLACE: Stanford University Campus - Tresidder Union courtyard

Agenda: Our agenda is a widely-held secret. (This will be our first meeting since April 2003, so the agenda is somewhat up for grabs. Among upcoming events to note is the 7th annual Information Security Conference, aka ISC04, Sept. 27-29 at Xerox PARC, http://isc04.uncc.edu/ . Also of note: Our friendly Federalistas seem to be imposing unprecedented visa restrictions on visiting foreign cryptographers. Is it time for all international cryptography conferences to move off-shore? See: http://www.schneier.com/crypto-gram-0407.html#3 ) As usual, this is an Open Meeting on US Soil, and the public is invited.

Location Info: The meeting location will be familiar to those who've been to our outdoor meetings before, but for those who haven't been, it's on the Stanford University campus, at the tables outside Tresidder Union, at the end of Santa Theresa, just west of Dinkelspiel Auditorium. We meet at the tables on the west side of the building, inside the horseshoe U formed by Tresidder. Ask anyone on campus where Tresidder is and they'll help you find it. Food and beverages are available at the cafe inside Tresidder.

Location Maps:
Stanford Campus (overview; Tresidder is dead-center). http://campus-map.stanford.edu/campus_map/bldg.jsp?cx=344cy=471zoomto=50zoomfrom=30bldgID=02-300
Tresidder Union (zoomed detail view). http://campus-map.stanford.edu/campus_map/results.jsp?bldg=Tresidder
Printable Stanford Map (407k).
http://www.stanford.edu/home/visitors/campus_map.pdf [ This announcement sent to the following mailing lists: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] Mailing list complaints or address corrections to [EMAIL PROTECTED] Agenda and Location questions to Rick Moen, [EMAIL PROTECTED] ] Bill Stewart [EMAIL PROTECTED] --- end forwarded text -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire' - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Microcontrollers bring cryptography onboard - Microchip Technology
http://www.electronicstalk.com/news/ari/ari172.html Electronicstalk Product news received on 12 August 2004 from Microchip Technology (contact details)

Microcontrollers bring cryptography onboard

Two new PIC Flash microcontrollers feature integrated Keeloq cryptographic peripherals, providing a complete solution for remotely controlled security systems and authentication applications. Designers of such systems need an integrated solution that provides control of system power consumption and ensures reliable battery-powered operation. The new PIC12F635 and PIC16F636 microcontrollers meet these requirements by providing the Keeloq cryptographic peripheral, nanoWatt Technology power management modes, and reliable battery reset and detect features, including: programmable low voltage detect (PLVD), a wake-up reset (WUR) function, software-controlled brownout reset (BOR) and an extended watchdog timer (EWDT).

Applications for the PIC12F635 and PIC16F636 include: remote security control (remote keyless entry, passive keyless entry and remote door locks and gate openers); authentication (property and identity); security systems (remote sensors and their communications); and other general purpose applications. The successful Keeloq technology is based on a proprietary, nonlinear encryption algorithm that creates a unique transmission on every use, rendering code capture and resend schemes useless. The new devices now feature this encryption algorithm as a hardware peripheral integrated within the PIC microcontroller.
Key additional features of these two new PIC microcontrollers include: an 8MHz internal oscillator with software clock switching; ultra-low-power wakeup (ULPW); up to 3.5Kbyte of Flash program memory, and up to 256byte of EEPROM data memory; 64 or 128byte of RAM; and analogue comparators. The PIC12F635 and PIC16F636 are supported by Microchip's world-class development tools, including the MPLAB integrated development environment, MPLAB ICE 2000 in-circuit emulator, MPLAB PM3 universal device programmer, PICstart Plus low-cost development system, MPLAB ICD 2 in-circuit debugger/programmer and the PICkit 1 Flash starter kit. The two new PIC microcontrollers are available today for general sampling and volume production. The PIC12F635 offers a choice of 8-pin PDIP, SOIC and DFN-S packages, and the PIC16F636 comes in 14-pin PDIP, SOIC and TSSOP outlines. -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire' - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Hackers download College's Patriot database
--- begin forwarded text Date: Thu, 12 Aug 2004 02:18:19 -0500 (CDT) From: InfoSec News [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: [ISN] Hackers download SIUE data, police say Reply-To: [EMAIL PROTECTED] List-Id: InfoSec News isn.attrition.org List-Archive: http://www.attrition.org/pipermail/isn List-Post: mailto:[EMAIL PROTECTED] List-Help: mailto:[EMAIL PROTECTED] List-Subscribe: http://www.attrition.org/mailman/listinfo/isn, mailto:[EMAIL PROTECTED] Sender: [EMAIL PROTECTED]

http://www.stltoday.com/stltoday/news/stories.nsf/News/Metro+East/A3F75AB9CA0230BB86256EEE0012DF3B?OpenDocumentHeadline=Hackers+download+SIUE+data,+police+say

By Trisha Howard Of the Post-Dispatch 08/11/2004

The names and passport information of more than 500 foreign students at Southern Illinois University Edwardsville were illegally downloaded last week by a fellow student at the school, according to a search warrant filed Wednesday by university police. Greg Conroy, an SIUE spokesman, said Wednesday that three students had been questioned Friday after university officials discovered the security breach. Conroy said he expected the university to seek criminal charges in the case.

The search warrant, filed in Madison County Circuit Court, said that the hacker downloaded the information from a special database set up to comply with provisions of the federal Patriot Act. The data included names, dates of birth, Social Security numbers and visa information, Sgt. Marty Tieman of the SIUE Police Department said in his affidavit. Conroy said that employees in the university's Office of Information Technology found out about the breach on Friday while doing their daily check of activity logs. The log showed that someone had downloaded the information early that morning. Computer experts then tracked the computer to one of three students who share an apartment at Cougar Village, Conroy said.
On Friday afternoon, police seized three computers from the apartment and questioned the three students, Conroy said. Tieman said in his affidavit that police were greeted at the door by one of the three students, who admitted that he had seen his roommate access the server and download the information. Conroy said that officials had not yet determined a motive. For all I know, these students could have been doing this as a prank, Conroy said. At this point, I don't know what they wanted to do with the information. Conroy said investigators from a Metro East law enforcement computer task force were examining all three computers for evidence. He emphasized that the system does not allow hackers to change vital information. But he said that the breach was possible because an employee had failed to disable a feature that gives people access to the system without a password. The students were scanning the system, they found the flaw, and they started downloading files, Conroy said. It's an unfortunate mistake, but it happened. _ Open Source Vulnerability Database (OSVDB) Everything is Vulnerable - http://www.osvdb.org/ --- end forwarded text -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire' - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
[ISN] Hack . . . hack back . . . repeat
Survivor, when it was good. There wasn't exactly a book on how to organize your team or set strategy for this sort of thing. But our winning strategy as a team was organization. We organized everything from a rotating cat nap schedule to divvying up jobs along lines of expertise. Because offense was 80% of the overall score, you had to maintain support for your front-line attackers. The trick was to not ignore your defenses. If your defenses slipped, other teams could get in and score. As the Ghetto Hackers pointed out at the awards ceremony, we were solid attackers - not significantly better than other teams - but we had very good defense and were able to keep other teams from stealing flags from us.

Most attacks we saw were levied against information in the database. Someone would figure out how to run the Wiki (a piece of server software that lets users freely create and edit Web page content using any Web browser) and do some obscure set of queries that would reveal flag data. Or someone would go into the Multi-User Dungeon, online game environments that use a great deal of bandwidth, and figure out if you walked north through the forest just the right way you'd be able to pick up a flag.

We saw many failed attacks. Someone tried to buffer overflow the Web server with 800,000-byte null packets. Someone else tried to go after SNMP services to gain entry. Teams even attempted to capture their incoming Scorebot traffic and replay that same traffic in the direction of our machines in the hopes that our services would mistake them for the actual Scorebot and give up flags to them.

If I were to apply my experiences to a more everyday situation than what was taking place at the off-the-strip Alexis Park hotel, five points would bubble to the top of the security cauldron:
* Insecure, unnecessary services - such as terminal services and SNMP - are running on most Windows machines. You've got to take care to shut down or firewall all unnecessary ports used by these services.
* Passwords are revealed frequently. To defend against this, periodically change all passwords, including those that give access to Web services and databases.
* Customized Web applications typically leak critical information. To defend against this, applications must be modified so they do not have commands that give too much information without proper authorization or let users modify objects out of turn.
* Unmonitored services are dangerously open to attack. Watch your logs like a hawk.
* Hack attacks happen. Be very, very afraid.

Thayer is principal investigator with Canola Jones, a security research firm in Mountain View, Calif. He can be reached at [EMAIL PROTECTED]

Acknowledgements: Thanks to the Ghetto Hackers for running a great contest. They put together a complex game and made it run under very stressful conditions and it worked great. Thanks also to Sk3wl of R00t for letting me join in.

_ Open Source Vulnerability Database (OSVDB) Everything is Vulnerable - http://www.osvdb.org/ --- end forwarded text -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire' - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Brin/FedWorld: Transparent Privacy
as the people's protectors. Exactly the way the government people picture themselves. Everyone is great at rationalizing why they should be elites. Funny how it always boils down to protecting the people by preventing them from seeing. But the real miracle of our civilization is that we're the only one in all of history that ever had the knack of holding elites accountable. We've done this, in part, by siccing our elites on each other, which is why alliances between corporate, aristocratic and government power are especially dangerous. The other way we've found of achieving this miracle is by learning to have the habit of looking. Q: Looking around us? A: Looking alpha monkeys in the eye. These people who suggest we're going to save our freedom by blinding alpha apes -- by denying sight and knowledge to big money, big government, big aristocrats -- they never explain how! Try this experiment. Go down to the zoo, climb into the baboon enclosure and try to poke a pointed stick into the eye of the biggest baboon. He won't let you. Elites won't let us blind them. All we'll accomplish by privacy regulations, as Robert Heinlein put it, is to make the spy bugs smaller. In that recent row over Total Information Awareness, the DARPA program, all the ruckus did was drive the same research deeper into shadows, where we know less about it. If there were a Big Brother, that's exactly what he'd want. Q: When you speak about these small spy bugs, I'm wondering about your thoughts on privacy and the new wave of subdermal RFIDs that can be implanted into people. There are good uses for them, medical histories and the like. A: Subcutaneous tags are good for finding lost pets, and people will routinely install them to protect their kids. Until the kids get big enough and learn enough to cut the damn things out themselves. The next generation's rite of passage, I guess. Their equivalent of long hair or piercings. 
I want to forbid any tags that a teenager can't learn to safely remove when the time is right. Hey, you can look at the future and shiver with fear, or you can peer ahead and say, 'How can we maximize the good while minimizing the bad?' It's a question that dichotomy pushers refuse ever to ask, and it's the only question that ever makes any sense. How can we get all the good stuff without having any of the bad? The mere fact that some people consider that question naive is not proof of the naivety of the question. It's proof that they've not even begun to think. Because maximizing the good and minimizing the bad is exactly what we do. It's why we fought for civil rights and the environment and universities and free schools for the poor while getting space telescopes, personal computers, 500 channels and 50 types of ethnic cuisine. Sure, we're only halfway to the efficient technologies and habits that will let everybody on Earth share a cake that's growing without limits. Still, more people have vastly more justice and freedom and safety and hope and cool toys and education and compassion and even cooler toys than ever before. The percentage of human beings who are healthy and happy has never been higher. The positive-sum goal has been proved possible. Anyway, just ask the world's have-nots what they want. They want all of that -- the universities and freedom and clean water and toys too. It's the only goal worth having. And we'll get there, if we cooperate and compete fairly with open eyes. Shane Peterson Associate Editor -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. 
-- Edward Gibbon, 'Decline and Fall of the Roman Empire' - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Interview with Bruce Schneier, Counterpane Internet Security
monoculture that allows malware programmers to make broadly-correct assumptions about the operating and application environments? A. Certainly the monoculture exacerbates the problem, but it isn't the core of the problem. Insecure, unreliable, and buggy software is endemic to software in general, and not just Microsoft in particular. This software causes security vulnerabilities, and would continue to do so even if there were several equally popular operating systems. What the Microsoft monoculture does is magnify the effects of these vulnerabilities, so that they are more disastrous to the Internet as a whole. One of the ways to maintain security - especially with insecure tools - is through diversity. Monoculture flies in the face of that security strategy. Q. You've said that you are a fan of open source: what in particular do you like about it? A. Open source isn't a solution to the world's computer problems, but it is a compelling alternative to proprietary software. Remember, though, that open source software isn't magically more secure. It has the potential to be more secure, because more people are looking at it, but it also has the potential to be equally insecure. The important thing is to have good security analysis: proprietary software vendors can buy it, and open source systems can get it for free. But it's also possible for both proprietary and open source software to ignore the need for security analysis. Q. If those writing software became liable for its faults, as you suggest, what would be the situation for open source software? A. I don't know. I presume there would be some exemption for open source, just as the United States has a good Samaritan law protecting doctors who help strangers in dire need. Companies could also make a business wrapping liability protection around open source software and selling it, much as companies like Red Hat wrap customer support around open source software. Q. 
Your books describe an interesting passage from optimism that technology can be a solution to computer security problems, to a rather more pessimistic view; how much of a danger do you think there is that things might get so bad that people will just disconnect themselves from the Internet - as is already starting to happen with email because of the unacceptably high levels of spam? A. I think it's very likely. People and companies make risk management decisions about network security. If they can't do something securely, at least some of them will decide not to do it at all. Q. If you were designing a replacement for the abandoned Internet, and had a completely free hand, what would you do differently in order to render it intrinsically more secure than Net 1.0? A. The problem isn't the Internet. The problem is the horribly insecure computers attached to the Internet. I would rather rewrite Windows than TCP/IP. Posted by glyn at August 16, 2004 08:57 AM -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire' - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Johansen breaks AirPort Express encryption
http://macnn.com/print/25830 MacNN Johansen breaks AirPort Express encryption Wednesday, August 11, 2004 @ 7:20pm Jon Lech Johansen, author of DeCSS, has discovered the public key that the AirPort Express uses to allow software to play audio through it. Johansen says that the audio stream is encrypted with AES and that the AES key is encrypted with RSA. The public key is available on his blog as well as a software application (for Windows command-line) that streams Apple Lossless MPEG-4 audio to an AirPort Express. Though JustePort is Windows-only software at the moment, it should be only days before graphical software exists for the Mac now that the public key is out in the open. Apple could choose to change it via an AirPort Express firmware update, but it should still be possible to retrieve the new key. This is a huge step forward in giving standard applications the ability to use an Express for audio output, according to one developer. -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire' - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
How a Digital Signature Works
http://www.businessweek.com/print/technology/content/aug2004/tc20040810_3053_tc024.htm?tc Business Week AUGUST 10, 2004 NEWS ANALYSIS: TECH By Stephen H. Wildstrom How a Digital Signature Works Microsoft's new Service Pack makes life tough for programs lacking the proper electronic credentials. Here's why. A technology called public key cryptography makes it possible for you to make sure that any piece of software that claims to be from Microsoft (MSFT) or any other publisher really came from there. It has the added benefit of ensuring that the contents weren't maliciously altered or damaged in transmission. Here's how it works: The publisher first has to obtain a digital certificate from a recognized certificate authority or CA (VeriSign (VRSN) is the largest and best known CA in the U.S.). The publisher holds a private key and a public key, each of which is a number of roughly 300 decimal digits; the certificate binds the public key to the publisher's identity. These are used to create a digital signature for each program (see BW Online, 8/10/04, Windows of Vulnerability No More?). When the software is ready to be posted for download, the publisher runs it through a mathematical process called a one-way hash which reduces it to a fixed-size number called the message digest. The message digest is then signed using the publisher's private key (with RSA this is, loosely, an encryption under the private key), and the result, which looks like a string of gibberish when displayed, is appended to the program when it's downloaded. HASH SLINGING. The trick of public key cryptography -- the best known approach is called RSA for the initials of its inventors -- is that one key can be used to scramble the data while a different, mathematically related, key is used to unscramble it. When you download a digitally signed program, the first thing your computer does is check the publisher's digital certificate attached to the program. The publisher's public key is carried in that certificate; your computer also checks with the issuing CA, through a published revocation list or similar status check, to make sure the certificate hasn't expired or been revoked.
When the download is complete, your computer uses the public key to verify the signature, which recovers the message digest the publisher signed. It also runs the same one-way hash procedure on the downloaded software. If everything is as it should be, the signed message digest and the one just computed should be identical. If they differ by a single bit, something is wrong and the downloaded software will be rejected. For the curious, here's the message digest of the five paragraphs above (as plain text), created using the MD5 algorithm from RSA Data Security Inc: c21196eb8e026d47a67883d746c72c8d. Wildstrom is Technology You columnist for BusinessWeek.
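The hash, sign and verify steps above, carried through in working code as an added example for this page (not Microsoft's code-signing implementation and not from the BusinessWeek article): the publisher hashes the program and signs the digest with its private key; the downloader rehashes what it received and checks the signature with the public key. The example uses RSA with SHA-256 and PKCS#1 v1.5 padding, which are this example's choices, and hands the verifier the public key directly rather than pulling it out of a CA-issued certificate. The "installer" bytes are constructed.

```go
// Added example, not Microsoft's or BusinessWeek's code: sign-then-verify as
// the article describes it. Hash, key size and padding are this example's.
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Digest is the "one-way hash": it reduces a program of any size to 32 bytes.
func Digest(program []byte) []byte {
	d := sha256.Sum256(program)
	return d[:]
}

// Sign is what the publisher does once, with the private key, before posting.
func Sign(priv *rsa.PrivateKey, program []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, Digest(program))
}

// Verify is what the downloader does: rehash the received bytes and check the
// signature against the publisher's public key. A change to either the program
// or the signature, even a single bit, makes this return false.
func Verify(pub *rsa.PublicKey, program, sig []byte) bool {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, Digest(program), sig) == nil
}

// FlipBit returns a copy of b with one bit toggled, modelling a corrupted or
// tampered download.
func FlipBit(b []byte, bitIndex int) []byte {
	out := append([]byte(nil), b...)
	out[bitIndex/8] ^= 1 << uint(bitIndex%8)
	return out
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for an installer.
	program := []byte("constructed installer bytes: MZ...")
	sig, err := Sign(priv, program)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine download verifies:", Verify(&priv.PublicKey, program, sig))
	fmt.Println("one flipped bit verifies:", Verify(&priv.PublicKey, FlipBit(program, 100), sig))
	// Anyone can compute the hash; only the holder of priv can produce sig,
	// and a different publisher's public key does not verify it.
	other, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	fmt.Println("another publisher's key verifies:", Verify(&other.PublicKey, program, sig))
}
```

Note what the signature does and does not tell you: it proves the bytes are exactly what the holder of that private key signed, not that the code is safe. The trust decision rests on the certificate binding the key to a publisher you are willing to run code from.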
Spawning a culture of secrecy
group.
Fingerprinting Your Files
with it. On May 11, 1993, NIST proclaimed SHA as the nation's Secure Hash Algorithm. But the ink was barely dry on this decree when NIST announced that it had made a mistake. For reasons that would not be revealed at the time, NIST published a modified version of the Secure Hash Algorithm, the algorithm that we now call SHA-1. The conspiracy theorists in the cryptography community (and there are many) had a field day. Was SHA so powerful that the NSA had decided that it had to be dumbed down? Or had NSA perhaps planted a back door in SHA, and somebody at NIST had found out? Were both algorithms equally secure, and the cryptographers at the NSA were just messing with people's minds? In August 1998, the world more or less learned the answer to the SHA vs. SHA-1 mystery. Florent Chabaud and Antoine Joux, two French cryptographers, came up with a theoretical attack against the first version of SHA, an attack against which SHA-1 just happened to be secure. Almost certainly, the folks at NSA knew about this attack and proposed SHA-1 as a countermeasure. What's interesting here is that NSA's cryptographers probably didn't know about the attack when SHA was first proposed in 1993, which means that the world's top cryptographic agency was only five years ahead of the cryptographers in academia. Today hash functions are also commonly used to generate repeatable but unpredictable random numbers, and to convert typed passwords into values suitable for use as encryption keys. Instead of storing passwords directly, many computer systems store the hash of a password. This prevents somebody who breaks into a computer from reading everybody's password straight out of the password file, though a short or common password can still be recovered by hashing guesses and comparing, which is why the stored value should also be salted. Hash functions have been proposed as a way to fight spam and as the basis for digital cash systems.
Mathematician Peter Wayner published a book called Translucent Databases a few years ago in which he showed how hash functions could be used for storing information in a database in a way that's protected even from the organization that's running the database. A college admissions department, for example, could store student social security numbers in the database so that these numbers could still be used as identifiers on applications, but so that nobody in the admissions office could sit down at a terminal and get a list of students and their numbers. So far, though, none of those approaches have really gotten off the ground. All in all, cryptographic hashes are one of the most interesting and useful mathematical techniques that cryptographers have come up with over the past 20 years, and we're still finding new uses for them all the time. Simson Garfinkel is the author of nine books on computing, including Database Nation.
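The two uses Garfinkel mentions, a hash in place of a stored password and a hash of a social security number that still works as an identifier, as an added example for this page (not Wayner's code or anything from the column). It also shows the caveat both uses share: a plain hash of a small input space is recovered by hashing every candidate, so the stored value needs a secret key (for the translucent identifier) or a per-record salt (for the password). The search space in Enumerate is deliberately constructed small (an attacker who knows the five-digit prefix of a nine-digit number has 10,000 candidates) so the demonstration runs instantly; the full nine-digit space is only 10^9 hashes, which is also cheap. The SSN, key and passwords are constructed.

```go
// Added example, not from Garfinkel's column or Wayner's book: hashing
// low-entropy identifiers and passwords, and why unkeyed, unsalted hashes of
// them are not protection. Key sizes and parameters are this example's.
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// PlainHash is the naive "store the hash instead" approach: deterministic and unkeyed.
func PlainHash(s string) string {
	sum := sha256.Sum256([]byte(s))
	return hex.EncodeToString(sum[:])
}

// Enumerate recovers the preimage of a PlainHash value by trying every candidate
// with the given prefix and a four-digit suffix (constructed small space).
func Enumerate(target, prefix string) (string, bool) {
	for i := 0; i < 10000; i++ {
		cand := fmt.Sprintf("%s%04d", prefix, i)
		if PlainHash(cand) == target {
			return cand, true
		}
	}
	return "", false
}

// SSNToken is the translucent-database version: an HMAC under a key that the
// office holds outside the database. Anyone with the key derives the same
// token for the same SSN, so it still works as a join key, but a DBA holding
// only the table cannot run Enumerate, because each guess needs the key.
func SSNToken(key []byte, ssn string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(ssn))
	return hex.EncodeToString(m.Sum(nil))
}

// PasswordRecord is what a login table should hold: a random per-user salt and
// a hash over salt||password, so identical passwords hash differently and a
// precomputed table of common passwords is useless.
type PasswordRecord struct {
	Salt []byte
	Hash []byte
}

func saltedHash(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

// NewPasswordRecord creates the stored record for a new password.
func NewPasswordRecord(password string) (PasswordRecord, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return PasswordRecord{}, err
	}
	return PasswordRecord{Salt: salt, Hash: saltedHash(salt, password)}, nil
}

// Check compares in constant time so the comparison itself leaks nothing.
func (r PasswordRecord) Check(password string) bool {
	return subtle.ConstantTimeCompare(r.Hash, saltedHash(r.Salt, password)) == 1
}

func main() {
	ssn := "123456789" // constructed; the attacker is assumed to know "12345"
	got, ok := Enumerate(PlainHash(ssn), ssn[:5])
	fmt.Println("plain hash of SSN recovered by enumeration:", got, ok)
	key := []byte("constructed office key, kept out of the database")
	fmt.Println("keyed token (stable, not enumerable without key):", SSNToken(key, ssn)[:16]+"...")
	rec, err := NewPasswordRecord("correct horse")
	if err != nil {
		panic(err)
	}
	fmt.Println("password check:", rec.Check("correct horse"), rec.Check("wrong"))
}
```

A salt stops precomputation but not guessing: one SHA-256 per guess is still very fast, so a production password store should use a deliberately slow, salted construction (PBKDF2, bcrypt, scrypt or Argon2) rather than the single hash shown here. The keyed token has a different weakness to plan for: whoever holds the key can enumerate, so the key must live with the application, not in the database it protects.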
Is Source Code Like a Machine Gun?
the moving parts and thus does the functioning. Another way to put it is that all that a computer does is to manipulate text. The input is text, the program is text, and the output is text. And all that source code, or any other code, is, is text. Now, of course, the protections of the first amendment are not absolute, so the writing and publication of source code, like any other text, can be forbidden if there is a strong enough justification. But, since code in no way resembles a machine gun, its resemblance to a machine gun cannot be that justification. And by the way, the fact that some text may be too ``functional'' to be copyrighted in no way suggests that it is not protected by the first amendment. If a text is useless there is, in fact, little reason to give it first amendment protection. This was written in considerable haste and undoubtedly contains large gaps in its reasoning. I have, however, some other work to do, and so I will end it here. After I posted that response to the Cyberprof list, I received the following inquiry off list: Just out of curiosity, would you liken software to the thought processes that are used to control the computer (and the machine gun)? If so, would restrictions on source code be more akin to thought control, rather than restrictions on devices? Here is my response to that question: [T]he quick answer is that I think of computers properly programmed as prosthetics that help us think (and perceive) like glasses and hearing aids and paper and pencils (and the invention of the alphabet and of mathematical notations) and so I do think that restrictions on software and also on computers amount to thought control. Consider the fact that there is hardly anyone left in the world who can calculate square roots now that it is so easy to do the calculation using a calculator. I consider doing arithmetical and logical calculations to be a (very small) part of what is involved in thought, but they definitely are thought processes. 
(I wouldn't say though that the thought processes are programs if one considers a program to be text. Programs are not processes, they are descriptions of or instructions for implementing a process.) For discussions of related issues see the entries on Expression Has Nothing to Do with It, Publishing Bombmaking Information and the First Amendment, and Copyright and the Confusion of ``Software''. Peter D. Junger 2004-08-07
name of the Tor twin?
--- begin forwarded text Date: Sun, 8 Aug 2004 23:44:17 +0200 From: Eugen Leitl [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: name of the Tor twin? User-Agent: Mutt/1.4i Sender: [EMAIL PROTECTED] I recall a TCP/IP traffic remixing network (not a socks proxy like Tor) coming over the list a while back. My bookmarks are away, what's the name of the thing? Not p2net, something similar. Hello Brain, this is Pinky. Please help. -- Eugen* Leitl http://leitl.org __ ICBM: 48.07078, 11.61144 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE http://moleculardevices.org http://nanomachines.net --- end forwarded text
Cryptography Research Joins Smart Card Alliance
http://biz.yahoo.com/prnews/040803/sftu064_1.html Yahoo! Finance Press Release Source: Cryptography Research, Inc. Cryptography Research Joins Smart Card Alliance Tuesday August 3, 8:10 am ET Patented Countermeasures Help Industry Protect Against Differential Power Analysis Security Risks SAN FRANCISCO, Aug. 3 /PRNewswire/ -- Furthering its mission to help the smart card industry understand, evaluate and implement differential power analysis (DPA) resistant solutions, Cryptography Research, Inc. today announced it has joined the Smart Card Alliance, an industry group committed to the development and deployment of smart cards within the United States. With its broad portfolio of patents covering countermeasures to DPA vulnerabilities, Cryptography Research is able to help licensed chip manufacturers and smart card systems integrators protect their products against DPA-related security risks. We look forward to working closely with Smart Card Alliance members to help the industry develop secure products, said Kit Rodgers, director of licensing at Cryptography Research. We are excited about contributing to the Alliance's efforts to increase the success of the North American smart card market. Cryptography Research has long been a pioneer in developing and analyzing techniques for protecting smart cards against DPA and other attacks, said Randy Vanderhoof, executive director of the Smart Card Alliance. I am pleased to welcome Cryptography Research to the Smart Card Alliance. Their expertise and innovative contributions to smart card security make them a significant addition to the group. Smart Card Security Efforts at Cryptography Research Cryptography Research develops security technologies that are used in smart cards. The company's DPA-related patents provide the basis for implementing effective DPA countermeasures in smart cards and other devices. 
The company also provides the DPA Workstation(TM) to help companies improve resistance to DPA attacks, and to help unlicensed vendors recognize the need to obtain licenses and protect their products. Differential power analysis and related attacks were first discovered at Cryptography Research by Paul Kocher, Joshua Jaffe and Benjamin Jun. DPA involves monitoring the fluctuating electrical power consumption of smart cards and other devices, then applying statistical methods to infer secret keys and other information. Effective resistance to DPA is required to prevent counterfeiting of digital cash, impersonation, piracy of digital content, election fraud and other attacks. Cryptography Research has been awarded a portfolio of fundamental patents covering countermeasures to DPA attacks, including U.S. patents #6,654,884; #6,539,092; #6,381,699; #6,298,442; #6,327,661; #6,278,783; and #6,304,658. Other Cryptography Research patents are issued and pending in the United States, Europe, Japan, Canada and other countries. About the Smart Card Alliance The Smart Card Alliance is a not-for-profit, multi-industry association of over 100 member firms working to accelerate the widespread acceptance of multiple application smart card technology. Through specific projects such as education programs, market research, advocacy, industry relations, and open forums the Alliance keeps its members connected to industry leaders and innovative thought. The Alliance also is the single industry voice for smart cards, leading industry discussion on the impact and value of smart cards in the U.S. More information about the Alliance is available at http://www.smartcardalliance.org . According to the Smart Card Alliance, in 2003 the United States became the third largest market for microprocessor-based smart cards in the world, with more than 70 million smart cards shipped to customers. About Cryptography Research, Inc. Cryptography Research, Inc. 
provides consulting services and technology to solve complex security problems. In addition to security evaluation and applied engineering work, CRI is actively involved in long-term research in areas including tamper resistance, content protection, network security, and financial services. Security systems designed by Cryptography Research engineers annually protect more than $60 billion of commerce for wireless, telecommunications, financial, digital television, and Internet industries. For additional information or to arrange a consultation with a member of our technical staff, please contact Jennifer Craft at 415-397-0123, ext. 329 or visit www.cryptography.com. Source: Cryptography Research, Inc.
NASA preps for launch of smart ID tags
comply with GSC-IS version 2, just as the NASA cards do. The DOD is said to be ready to issue 2 million to 3 million of the new cards annually. But the U.S. government is still moving cautiously. Rather than embrace a dual contact and contactless interface technology, it is requiring a separate contactless chip alongside the contact chip used to store digital credentials for use with computer and payment applications. NASA's cards use far less memory and are more basic than the next-gen DOD cards. The Philips Mifare DESFire V0.6 chip used in the cards incorporates 4 kbytes of E2PROM, a contactless interface, an 80C51 microcontroller core and additional gates for a Data Encryption Standard (DES) co-processing engine. It's designed to offer a fixed, common set of data exchange functions and features a 424-kbit/second data interface between smart card and reader. NASA this summer will carry out a field trial at the Marshall Space Flight Center in Huntsville, Ala., with potential expansion to 2,000 employees. If the trial is successful, NASA plans to deploy more than 100,000 smart cards for government employees and contractors by the end of the 2005 fiscal year. Transportation stronghold Sources at Philips said the relatively small number of cards requested for NASA access cards did not concern the Dutch company, which has already secured a stronghold for its Mifare chips in such transportation-related applications as contactless ticketing. In its efforts to comply with the GSC-IS spec, Duverne said, Philips worked very closely with the U.S. administration on this. The DESFire access-control technology on which the NASA card is based was developed a couple of years ago as a follow-on to the original Mifare chip, which features a cryptography scheme proprietary to Philips. The new technology's DES engine lets others build their own cryptographic algorithms, with attention to higher security levels. 
According to Philips, the development of DESFire was necessary to accommodate the needs of a broader user community, including the U.S. government, which objects to the use of products based on proprietary technology. Production of the V0.6 chips has ramped up in the past few months, Duverne said.
Stepping on Big Brother's Toes
unstable environment for privacy, said Davies. The proclaimed need for protection of children and the fight against terrorism is often shamelessly used as the pretext for privacy invasion. This September, Privacy International plans to publish a comprehensive study of antiterrorism policy developments worldwide.
How They Could Steal the Election This Time
. Greg Palast and Martin Luther King III have more than 80,000 signatures on their petition against paperless touch-screens and the purging of voter rolls. Global Exchange, the San Francisco-based organization, is inviting twenty-eight nonpartisan foreign observers to monitor the US election. Eleven members of Congress asked Kofi Annan to send UN monitors. Cindy Cohn of the Electronic Frontier Foundation is organizing attorneys for litigation against paperless electronic voting. In mid-June the California secretary of state approved the nation's first set of standards for a verified paper trail for touch-screen machines. A recent Voting, Vote Capture and Vote Counting symposium at Harvard's Kennedy School of Government has produced an Annotated Best Practices, available at www.ljean.com/files/ABPractices.pdf. On June 29 the Leadership Conference on Civil Rights and the Brennan Center for Justice, with the endorsement of Common Cause, the NAACP, People for the American Way and most of the leading scientific critics of paperless touch-screen voting, sent the nation's local election officials a call for new security measures for electronic voting machines, including local retention of independent security experts; the full report is available at www.civilrights.org/issues/voting/lccr_brennan_report.pdf. Douglas Kellner, the New York City election expert, believes the best practical remedy for the dangers of computerized vote-counting is voting on optical-scan systems, posting the election results in the precincts and keeping the ballots with the machines in which they were counted. In all computerized vote-counting situations the precinct results should be publicly distributed and posted in the precincts before they are transmitted to the center for final counting, Kellner says. Once they are sent from the precinct the audit trail is lost. 
Citizens can stay current on election developments via several websites: electionline.org, a reliable and up-to-date source; VerifiedVoting.org, Dill's group; notablesoftware.com, Mercuri's site; blackboxvoting.org, Bev Harris's site; countthevote.org, the site of the Georgia group led by Jekot; and these will key into many others. For a steady flow of news stories on this subject (and a few others) from around the country, get on the e-mail list of [EMAIL PROTECTED] Official information concerning each state is available online at each state's website for its secretary of state. People should go down to their local election departments and ask their supervisor of elections how they are going to know that their votes are counted--and refuse to take Trust us, or Trust the machines, for an answer. They can be poll watchers. Many organizations are fostering poll watching, including People for the American Way's Election Protection 2004 project. Common Cause has made election monitoring a major project, a spokesperson says. VerifiedVoting.org is concentrating on having people watch election technology, including pre-election testing as well as the procedures on election day. Bev Harris is organizing people to do such work (see her website). Rebecca Mercuri says that if you believe an election has been corrupted through voting equipment, you should collect affidavits from voters; get the results from every voting machine for all precincts; get the names and titles of everyone involved; inventory the equipment, including the software, and try to have it impounded; demand a recount; and go to the press. Noting that all counties that have rushed to purchase DRE voting systems also have paper-ballot systems in place to handle absentee voters, motor-voters and emergency ballots for when the system breaks down, she suggests mothballing the DREs and using paper ballots. 
Counties are saying there's nothing they can do but use the DREs in November, and that is simply untrue, Mercuri declares. Much of this would be unnecessary if Congress enacted either the Graham-Clinton or the Holt bill, which would empower voters to verify their own votes and create a paper trail. The computerized voting companies have precipitated a crisis for the integrity of democracy. Three months to go.
ECC 2004
to be added to the mailing list for the third announcement, please send a brief email to [EMAIL PROTECTED] The announcements are also available from the web site www.cacr.math.uwaterloo.ca/conferences/2004/ecc2004/announcement.html --- REGISTRATION: The website for registration is open and can be found at: http://www.ruhr-uni-bochum.de/hgi/tanja.html For this year the full conference fee is 170 EUR, we offer a reduced fee of 80 EUR for students. Please register as soon as possible as the number of participants is limited. -- ACCOMMODATIONS: We set aside a number of rooms on a first-come first-serve basis at following hotels. To get the prices listed below include the respective quotations when making your reservation Hotel Acora http://www.acora.de/html/bochum.html Tel.: (+49)234 68 96 0 Fax: (+49)234 68 96 700 Nordring 44-50 (center of Bochum) single 66,50 EUR double 80,50 EUR both including breakfast mention ECC-Workshop These rooms are set aside till 30.07.2004. Holiday Inn Bochum http://www.ichotelsgroup.com/h/d/hi/394/de/hd/bocge Tel.: 49-234-9690 Fax: 49-234-969 Massenbergstrasse 19-21 (center, close to main station) single 85,00 EUR incl. breakfast mention ECC-Workshop These rooms are set aside till 13.08.2004. Hotel Haus Oekey http://www.oekey.de/ Tel.: (+49)234 388 13 0 Fax: (+49)234 388 13 88 Auf dem Alten Kamp 10 (halfway between university and city center) single 52 EUR double 70 EUR both including breakfast mention Ruhr-University, Lange These rooms are set aside till 10.08.2004. Hotel IBIS am Hauptbahnhof http://www.ibishotel.com Tel.: (+49)234/91430 Fax : (+49)234/680778 Kurt- Schumacher- Platz 13-15 (next to main station) single 58 EUR double 67 EUR (The prices include breakfast for 9 EUR.) The fee includes free public transport in Bochum mention ECC These rooms are set aside till 12.08.2004. Hotel Kolpinghaus http://www.kolpinghaus-bochum.de/html/hotel.html Maximilian-Kolbe-Str. 
14-18 (close to main station, center) single 46 EUR double 24 EUR including breakfast. Facilities include linen and have communal bathrooms on each floor. Please make your booking via Tanja Lange [EMAIL PROTECTED] and mention with whom you would like to share a room. These rooms are available till 09.08.2004. Other hotels can be found at http://www.bochum.de/english/ http://www.bochum.de/bochum/bohotel.htm (the hotel page is available in German only) == FURTHER INFORMATION: For further information, please contact: Tanja Lange Information Security and Cryptography Ruhr-University Bochum e-mail: [EMAIL PROTECTED] Fax: +49 234 32 14430 Tel: +49 234 32 23260 == --- end forwarded text
[Meetingpunks] SF Bay Area Cypherpunks August 2004 Physical Meeting Announcement
--- begin forwarded text Date: Tue, 27 Jul 2004 09:10:21 -0700 To: [EMAIL PROTECTED] From: Bill Stewart [EMAIL PROTECTED] Old-Subject: [Meetingpunks] SF Bay Area Cypherpunks August 2004 Physical Meeting Announcement Subject: [Meetingpunks] SF Bay Area Cypherpunks August 2004 Physical Meeting Announcement Approved: LISTMEMBER CPUNK Sender: [EMAIL PROTECTED] Rick Moen suggested we have a Cypherpunks meeting in August, so: SF Bay Area Cypherpunks August 2004 Physical Meeting Announcement General Info: DATE: Saturday 14 August 2004 TIME: 12:00 - 5:00 PM (Pacific Time) PLACE: Stanford University Campus - Tresidder Union courtyard Agenda: Our agenda is a widely-held secret. (This will be our first meeting since April 2003, so the agenda is somewhat up for grabs. Among upcoming events to note is the 7th annual Information Security Conference, aka ISC04, Sept. 27-29 at Xerox PARC, http://isc04.uncc.edu/ . Also of note: Our friendly Federalistas seem to be imposing unprecedented visa restrictions on visiting foreign cryptographers. Is it time for all international cryptography conferences to move off-shore? See: http://www.schneier.com/crypto-gram-0407.html#3 ) As usual, this is an Open Meeting on US Soil, and the public is invited. Location Info: The meeting location will be familiar to those who've been to our outdoor meetings before, but for those who haven't been, it's on the Stanford University campus, at the tables outside Tresidder Union, at the end of Santa Teresa, just west of Dinkelspiel Auditorium. We meet at the tables on the west side of the building, inside the horseshoe U formed by Tresidder. Ask anyone on campus where Tresidder is and they'll help you find it. Food and beverages are available at the cafe inside Tresidder. Location Maps: Stanford Campus (overview; Tresidder is dead-center). http://campus-map.stanford.edu/campus_map/bldg.jsp?cx=344cy=471zoomto=50zoomfrom=30bldgID=02-300 Tresidder Union (zoomed detail view). 
http://campus-map.stanford.edu/campus_map/results.jsp?bldg=Tresidder Printable Stanford Map (407k). http://www.stanford.edu/home/visitors/campus_map.pdf [ This announcement sent to the following mailing lists: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] Mailing list complaints or address corrections to [EMAIL PROTECTED] ] Bill Stewart [EMAIL PROTECTED] ___ Meetingpunks mailing list [EMAIL PROTECTED] http://lists.cryptorights.org/mailman/listinfo/meetingpunks --- end forwarded text
Feds and Yahoo Muzzle DNC Security Whistleblower
--- begin forwarded text Date: Sun, 25 Jul 2004 14:39:14 -0700 To: [EMAIL PROTECTED] From: John Young [EMAIL PROTECTED] Subject: Feds and Yahoo Muzzle DNC Security Whistleblower Sender: [EMAIL PROTECTED] It appears that the Feds and LEA at the DNC Convention have ordered Yahoo to axe the mail list TSCM-L run by James Atkinson for his blistering attack on security at the convention. http://cryptome.org/dncsec-yahoo.htm Jim's reports on the inferior security: http://cryptome.org/dnc-insec.htm http://cryptome.org/dnc-dauphine.htm The mail list had nothing to do with these reports, and the gag appears to be spite against Atkinson for whistleblowing. However, the mail list purpose is likely to have scared them more than his insecurity reports: http://finance.groups.yahoo.com/group/TSCM-L/ TSCM-L Technical Security Mailing List Dedicated to TSCM specialists engaging in expert technical and analytical research for the detection, nullification, and isolation of eavesdropping devices, wiretaps, bugging devices, technical surveillance penetrations, technical surveillance hazards, and physical security weaknesses. This also includes bug detection, bug sweep, and wiretap detection services. Special emphasis is given to detecting and countering espionage and other threats and activities directed by foreign intelligence services against the United States Government, United States corporations, establishments, and citizens. The list includes technical discussion regarding the design and construction of SCIF facilities, Black Chambers, and Screen Rooms. This list is also for discussing DIAM 50-3, NSA-65, and DCID 1/21, 1/22 compliance. The primary goal and mission of this list is to raise the bar and increase the level of professionalism present within the TSCM business. The secondary goal of this list is to increase the quality and effectiveness of our efforts so that we give spies and eavesdroppers no quarter, and to neutralize all of their espionage efforts. 
This mailing list is moderated by James M. Atkinson and sponsored by Granite Island Group as a public service to the TSCM, Counter Intelligence, and technical security community. -- --- end forwarded text -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire' - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Lost Record '02 Florida Vote Raises '04 Concern
, are programmed not to record two votes, and if no vote is recorded, they say, it means the voter did not cast one.

But The Sun-Sentinel of Fort Lauderdale, in a recent analysis of the March presidential primary, reported that voters in counties using touch-screen machines were six times as likely to record no vote as were voters in counties using optical-scan machines, which read markings on paper ballots.

The A.C.L.U. of Florida and several other voting rights groups have sued to overturn the recount rule, saying it creates unequal treatment of voters. Counties that use optical-scan machines can conduct recounts, though only in extremely close races.

Mr. Kaplan says that the system crashes had erased data from other elections besides Ms. Reno's, the most recent being municipal elections in November 2003.

Under Florida law, ballot records from elections for state and local office need be kept for only a year. For federal races, the records must be kept for 22 months after an election is certified. It was not immediately clear what the consequences might be of breaching that law.

Mr. Kaplan said the backup system was added last December. An August 2002 report from Miami-Dade County auditors to David Leahy, then the county elections supervisor, recommended that all data from touch-screen machines be backed up on CD's or elsewhere. Professor Jones said it was an obvious practice long considered essential in the corporate world.

"Any naïve observer who knows about computer system management and who knows there is a requirement that all the records be stored for a period of months," Professor Jones said, "would say you should obviously do that with computerized voting systems."

Buddy Johnson, the elections supervisor in Hillsborough County, which is one of the state's largest counties and which also uses touch-screen machines, said his office still had its data from the 2002 elections on separate hard drives.

Mr. Kaplan of the Miami-Dade elections office could not immediately explain on Tuesday afternoon the system crashes in 2003.

Martha Mahoney, a University of Miami law professor and member of the election reform group, said she requested the 2002 audit data because she had never heard an explanation of the supposedly lost votes that the A.C.L.U. documented after the Reno-McBride election.

"People can never be sure their vote was recorded the way it was cast, but these are the best records we've got," she said. "And now they're not there."
Energy Dept. Shelves Removable Disks
http://www.washingtonpost.com/ac2/wp-dyn/A10205-2004Jul23?language=printer

The Washington Post
washingtonpost.com

Energy Dept. Shelves Removable Disks
Response to Security Breach at Lab

Associated Press
Saturday, July 24, 2004; Page A02

The Energy Department, in response to a security scandal at the Los Alamos weapons lab, ordered a halt yesterday to classified work at as many as two dozen facilities that use removable computer disks like those missing at the New Mexico lab.

Energy Secretary Spencer Abraham said the stand-down at operations using the disks, containing classified material involving nuclear weapons research, is needed to get better control over the devices.

The disks, known as controlled removable electronic media, or CREM, have been at the heart of an uproar over lax security at the Los Alamos National Laboratory, where work has been stopped as scientists search for two of the disks reported missing on July 7. Nineteen workers have been suspended pending the outcome of an investigation into the missing data devices and an incident in which an intern was injured recently in a laser accident.

The missing Los Alamos disks raised concern at the Energy Department about the handling of the devices at other facilities involved in nuclear weapons research, department officials said.

Abraham said he wants to minimize the risk of human error or malfeasance that could compromise the classified nuclear-related information held in the devices, which are used at Energy Department facilities nationwide in nuclear-related work.

"While we have no evidence that the problems currently being investigated are present elsewhere, we have a responsibility to take all necessary action to prevent such problems from occurring at all," Abraham said in a statement.

The stand-down involves classified work across the government's nuclear weapons complex wherever the CREM storage devices are used, the official said. It will continue until an inventory of the devices is completed and new control measures on their use are put in place, said Energy Department spokesman Joe Davis. Employees using the disks must also undergo security training.

Among the facilities that are preparing for an interruption of classified work are the Argonne National Laboratory outside Chicago; the nuclear weapons plant in Oak Ridge, Tenn.; and the Sandia National Laboratories in Albuquerque, where a missing classified disk was reported found last week.
Cryptographers and U.S. Immigration
--- begin forwarded text

Date: Fri, 23 Jul 2004 00:08:30 -0400 (EDT)
From: Atom 'Smasher' [EMAIL PROTECTED]
To: undisclosed-recipients: ;
Subject: Cryptographers and U.S. Immigration
List-Id: GnuPG development gnupg-devel.gnupg.org
Sender: [EMAIL PROTECTED]

...atom

PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808

"When the government fears the people, you have liberty. When the people fear the government, you have tyranny." --Thomas Jefferson

http://www.schneier.com/crypto-gram-0407.html#3

Cryptographers and U.S. Immigration

Seems like cryptographers are being questioned when they enter the U.S. these days. Recently I received this (anonymous) comment:

    It seems that the U.S. State Department has a keen interest in foreign cryptographers: Yesterday I tried to renew my visa to the States, and after standing in line and getting fingerprinted, my interviewer, upon hearing that my company sells [a cryptography product], informed me that due to new regulations, Washington needs to approve my visa application, and that to do so, they need to know exactly which companies I plan to visit in the States, points of contact, etc. etc. Quite a change from my last visa application, for which I didn't even have to show up.

I'm curious if any of my foreign readers have similar stories. There are international cryptography conferences held in the United States all the time. It would be a shame if they lost much of their value because of visa regulations.

___
Gnupg-devel mailing list
[EMAIL PROTECTED]
http://lists.gnupg.org/mailman/listinfo/gnupg-devel

--- end forwarded text
U. of Tokyo, Fujitsu advance towards quantum cryptography
wavelengths and verified single photon transmission at the former wavelength. Verification of the latter is one of the upcoming goals for the team.

The project hopes to develop a practical single photon generator by 2007, and Arakawa predicts commercial systems based on the technology could be available in 5 years.

Details of the research are scheduled to be presented at the 27th International Conference on the Physics of Semiconductors, which will begin in Arizona, U.S., on July 26.
Identity theft case could be largest so far
http://www.cnn.com/2004/LAW/07/21/cyber.theft/index.html

CNN

Identity theft case could be largest so far
Wednesday, July 21, 2004 Posted: 10:49 PM EDT (0249 GMT)

WASHINGTON (CNN) -- A Florida man was indicted Wednesday in an alleged scheme to steal vast amounts of personal information, and the Justice Department said it might be the largest illegal invasion and theft of personal data to date.

The 144-count indictment against Scott Levine, 45, also includes charges of conspiracy, fraud, money laundering and obstruction of justice, according to the Justice Department.

Levine's alleged target was Acxiom Corp., one of the world's largest companies managing personal, financial and corporate data, federal authorities said. Levine is accused of stealing vast amounts of personal information from the company via the Internet. Federal officials said the theft of approximately 8.2 gigabytes of data resulted in losses of more than $7 million.

"The protection of personal information stored on our nation's computer systems is critical to public trust in those networks and to the health of our economy," said Assistant Attorney General Christopher Wray at a news conference in Washington. "We will aggressively pursue those who steal private information from computer networks and make it clear that there are serious consequences for such crimes," he said.

Levine, a resident of Boca Raton, Florida, is described in the indictment as the controlling force in Snipermail.com Inc., a Florida corporation engaged in distributing advertisements via the Internet on behalf of advertisers and brokers.

Acxiom, headquartered in Little Rock and Conway, Arkansas, stores and processes millions of bits of data on behalf of a wide range of clients that include IBM, GE, Microsoft and many major credit card companies.

The invasions from Snipermail were discovered during another investigation of another intrusion at Acxiom last year, authorities said. The FBI's regional computer forensics laboratory in Dallas, Texas, and computer forensic experts from the FBI and the Secret Service were unleashed on the cyber intruders.

The indictment alleges that Levine and others at the company attempted to hide computers from investigators. Six employees at the company agreed to cooperate with the investigation, authorities said.
EZ Pass and the fast lane ....
--- begin forwarded text

Date: Fri, 2 Jul 2004 21:34:20 -0400
From: Dave Emery [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: EZ Pass and the fast lane
User-Agent: Mutt/1.4.1i
Sender: [EMAIL PROTECTED]

Having been inspired by some subversive comments on cypherpunks, I actually looked up the signaling format on the EZ-Pass toll transponders used throughout the Northeast (on the Mass Pike, and most roads and bridges in NYC and a number of other places around here). They are the little square white plastic devices that one attaches to the center of one's windshield near the mirror and which exchange messages with an interrogator in the FAST LANE that debits the tolls from an account refreshed by a credit card (or other forms of payment). They allow one to sail through the toll booths at about 15-20 mph without stopping and avoid the horrible nuisance of digging out the right change while rolling along at 70 mph in heavy traffic.

Turns out they use Manchester-encoded on-off keying (e.g. old-fashioned pulsed RF modulation) at 500 kilobits/second on a carrier frequency of 915 MHz at a power a little under 1 mW (0 dBm). The 915 MHz is time shared - the units are interrogated by being exposed to enough 915 MHz pulsed energy to activate a broadband video detector looking at energy after a 915 MHz SAW filter (presumably around -20 dBm or so). They are triggered to respond by a 20 µs pulse and will chirp in response to between a 10 and 30 µs pulse. Anything longer or shorter and they will not respond.

The response comes about 100-150 µs after the pulse and consists of a burst of 256 bits followed by a 16-bit CRC. No present idea what preamble or postamble is present, but I guess finding this out merely requires playing with a transponder and DSO/spectrum analyzer. Following the response but before the next interrogation the interrogator can optionally send a write burst which also presumably consists of 256 bits and CRC.

Both the interrogators and transponders collect two valid (correct) CRC bursts on multiple interrogations and compare bit for bit before they decide they have seen a valid message.

Apparently an EEPROM in the thing determines the partition between fixed bits set at the factory (e.g. the unit ESN) and bits that can get written into the unit by the interrogators. This is intended to allow interrogators at on ramps to write into the unit the ramp ID for units at off ramps to use to compute the toll... (possibilities for hacking here are obvious for the criminally inclined - one hopes the system designers were thoughtful and used some kind of keyed hash).

No mention is made of encryption or challenge response authentication but I guess that may or may not be part of the design (one would think it had better be, as picking off the ESN should be duck soup with suitable gear if not encrypted).

But what I have concluded is that it should be quite simple to detect a response from one's transponder and activate a LED or beeper, and hardly difficult to decode the traffic and display it if it isn't encrypted. A PIC and some simple RF hardware ought to do the trick; even one of those LED flashers that detect cellphone energy might prove to work.

Perhaps someone more paranoid (or subversive) than I am will follow up and actually build such a monitor and report whether there are any interrogations at OTHER than the expected places...

-- 
Dave Emery N1PRE, [EMAIL PROTECTED]  DIE Consulting, Weston, Mass 02493

--- end forwarded text
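An added example, not from Dave Emery's post or the real EZ-Pass system: a Python simulation of the exchange he describes (the 10-30 µs trigger-width gate, the 256-bit burst with 16-bit CRC, the reader's two-matching-bursts rule) plus the keyed hash over the writable ramp-ID field that he hopes the designers used, so that an off-ramp reader rejects a ramp ID that passes the CRC but not the tag. The payload layout, the CRC-16/CCITT-FALSE polynomial and HMAC-SHA256 as the keyed hash are assumptions of this example.

```python
"""Toy model of the EZ-Pass exchange in the post above. From the post: 10-30 us
trigger pulse, 256-bit burst + 16-bit CRC, a write burst of the same shape,
factory-fixed ESN bits vs interrogator-writable bits, and readers that need two
CRC-valid bursts that agree bit for bit. ASSUMED here (not from the post or the
real system): field layout, CRC polynomial, HMAC-SHA256 as the "keyed hash"."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

TRIGGER_MIN_US, TRIGGER_MAX_US = 10, 30  # post: chirps for 10-30 us pulses only
PAYLOAD_BYTES = 256 // 8                  # post: 256-bit burst + 16-bit CRC
ESN_BYTES = 8                             # assumed width of the factory ESN
ESN_SLICE = slice(0, ESN_BYTES)           # assumed layout: factory-fixed ESN
RAMP_SLICE = slice(8, 12)                 # writable: entry ramp ID, big-endian
MAC_SLICE = slice(12, 20)                 # writable: keyed hash over ESN || ramp
# bytes 20..31 of the payload: reserved, left zero

def crc16_ccitt(data: bytes) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF); polynomial is assumed."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc

def frame(payload: bytes) -> bytes:
    """256-bit payload followed by its 16-bit CRC, as the post describes."""
    if len(payload) != PAYLOAD_BYTES:
        raise ValueError("payload must be exactly 256 bits")
    return payload + crc16_ccitt(payload).to_bytes(2, "big")

def unframe(burst: bytes) -> Optional[bytes]:
    """Return the payload if the burst has the right length and a good CRC."""
    if len(burst) != PAYLOAD_BYTES + 2:
        return None
    body, crc = burst[:-2], int.from_bytes(burst[-2:], "big")
    return body if crc16_ccitt(body) == crc else None

@dataclass
class Transponder:
    esn: bytes
    writable: bytearray = field(
        default_factory=lambda: bytearray(PAYLOAD_BYTES - ESN_BYTES))

    def interrogate(self, pulse_us: float) -> Optional[bytes]:
        """Respond only to a pulse inside the accepted width window."""
        if not TRIGGER_MIN_US <= pulse_us <= TRIGGER_MAX_US:
            return None
        return frame(self.esn + bytes(self.writable))

    def write(self, burst: bytes) -> bool:
        """Accept a CRC-valid write burst; the ESN bits are never overwritten."""
        body = unframe(burst)
        if body is None:
            return False
        self.writable[:] = body[ESN_BYTES:]
        return True

def reader_read(tag: Transponder, pulse_us: float = 20,
                tries: int = 4) -> Optional[bytes]:
    """Reader rule from the post: accept a payload only after two CRC-valid
    bursts that match bit for bit."""
    previous = None
    for _ in range(tries):
        body = unframe(tag.interrogate(pulse_us) or b"")
        if body is None:
            continue
        if previous is not None and previous == body:
            return body
        previous = body
    return None

def ramp_tag(key: bytes, esn: bytes, ramp: bytes) -> bytes:
    """Assumed keyed hash: HMAC-SHA256 over ESN || ramp ID, cut to 64 bits."""
    return hmac.new(key, esn + ramp, hashlib.sha256).digest()[:8]

def onramp_write(tag: Transponder, ramp_id: int, key: bytes) -> bool:
    """On-ramp interrogator stores the ramp ID together with its keyed tag."""
    body = reader_read(tag)
    if body is None:
        return False
    body = bytearray(body)
    body[RAMP_SLICE] = ramp_id.to_bytes(4, "big")
    body[MAC_SLICE] = ramp_tag(key, bytes(body[ESN_SLICE]), bytes(body[RAMP_SLICE]))
    return tag.write(frame(bytes(body)))

def offramp_ramp_id(tag: Transponder, key: bytes) -> Optional[int]:
    """Off-ramp interrogator trusts the ramp ID only if the keyed tag verifies;
    a correct CRC alone proves nothing, since anyone can recompute one."""
    body = reader_read(tag)
    if body is None:
        return None
    if not hmac.compare_digest(ramp_tag(key, body[ESN_SLICE], body[RAMP_SLICE]),
                               body[MAC_SLICE]):
        return None
    return int.from_bytes(body[RAMP_SLICE], "big")
```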
Third announcement ECC 2004
for registration is open and can be found at:

http://www.ruhr-uni-bochum.de/hgi/tanja.html

For this year the full conference fee is 170 EUR; we offer a reduced fee of 80 EUR for students. Please register as soon as possible as the number of participants is limited.

ACCOMMODATIONS:

We set aside a number of rooms on a first-come first-serve basis at the following hotels. To get the prices listed below, include the respective quotations when making your reservation.

Hotel Acora
http://www.acora.de/html/bochum.html
Tel.: (+49)234 68 96 0  Fax: (+49)234 68 96 700
Nordring 44-50 (center of Bochum)
single 66,50 EUR, double 80,50 EUR, both including breakfast
mention "ECC-Workshop"
These rooms are set aside till 30.07.2004.

Hotel Haus Oekey
http://www.oekey.de/
Tel.: (+49)234 388 13 0  Fax: (+49)234 388 13 88
Auf dem Alten Kamp 10 (halfway between university and city center)
single 52 EUR, double 70 EUR, both including breakfast
mention "Ruhr-University, Lange"
These rooms are set aside till 10.08.2004.

Hotel IBIS am Hauptbahnhof
http://www.ibishotel.com/
Tel.: (+49)234/91430  Fax: (+49)234/680778
Kurt-Schumacher-Platz 13-15 (next to main station)
single 49 EUR; breakfast is available for 9 EUR. The fee includes free public transport in Bochum.
mention "ECC"
These rooms are set aside till 12.08.2004.

Hotel Kolpinghaus
http://www.kolpinghaus-bochum.de/html/hotel.html
Maximilian-Kolbe-Str. 14-18 (close to main station, center)
single 46 EUR, double 24 EUR, including breakfast. Facilities include linen and have communal bathrooms on each floor.
Please make your booking via Tanja Lange [EMAIL PROTECTED] and mention with whom you would like to share a room.
These rooms are available till 09.08.2004.

Other hotels can be found at
http://www.bochum.de/english/
http://www.bochum.de/bochum/bohotel.htm
(The hotel page is available in German only)

FURTHER INFORMATION:

For further information, please contact:

Tanja Lange
Information Security and Cryptography
Ruhr-University Bochum
e-mail: [EMAIL PROTECTED]
Fax: +49 234 32 14430
Tel: +49 234 32 23260

--- end forwarded text
Cryptography Research's Nate Lawson to Speak at USENIX '04
http://biz.yahoo.com/prnews/040628/sfm086_1.html

Yahoo! Finance

Press Release
Source: Cryptography Research, Inc.

Cryptography Research's Nate Lawson to Speak at USENIX '04
Monday June 28, 9:05 am ET

Presents Lessons Learned in Secure Storage for Digital Cinema

SAN FRANCISCO, June 28 /PRNewswire/ -- Digital cinema transforms the protection and physical transport of film cans into an outsourced storage security problem, but security expert Nate Lawson believes that conventional IT solutions are not up to the task. Lawson, senior security engineer at Cryptography Research, Inc., has used open source software to rapidly prototype digital cinema storage solutions and will offer advice on how to maintain security throughout the entire cinema life cycle, from filming and production to projection, at the USENIX '04 Annual Technical Conference.

Lawson's presentation, "Building a Secure Digital Cinema Server Using FreeBSD," is scheduled for 3:30 p.m. on Tuesday, June 29 in the Boston Marriott Copley Place Hotel.

"Traditional storage security solutions are designed to operate within a data center under the data owner's physical management and control, but in digital cinema, the data representing the film passes through multiple parties with different incentives and levels of security," said Lawson. "While encryption is important, it is not sufficient to ensure data integrity or provide the evidence needed to ensure accountability and mitigate leaks at critical junctures in film production and distribution."

According to Lawson, the projection booth at the local cinema is rapidly taking on many of the aspects of a traditional IT data center, with racks of computers and storage devices, high-bandwidth LANs and SANs, and other equipment. Digital cinema is still in an embryonic stage, with about 90 digital cinema-ready theaters across the U.S.

Lawson's talk will present new criteria for evaluating storage security solutions, from disk encryption or file system encryption to other storage security products, and show how open source software supported the rapid development of a prototype digital cinema server in a proprietary environment. Lawson will also discuss the importance of standardization efforts, including the Digital Cinema Initiative.

Nate Lawson, senior security engineer at Cryptography Research, is focused on the design and analysis of platform and network security. Previously, he was the original developer of ISS RealSecure and various products for digital cinema, storage security, network mapping, and IPSEC. Nate has evaluated cryptographic systems for FIPS 140 and other secure standards. He is a FreeBSD developer in his spare time, contributing a SCSI target driver and working on ACPI and CAM. Nate holds a B.S. computer science degree from Cal Poly and is a member of USENIX and SMPTE.

USENIX, the Advanced Computing Systems Association, supports and disseminates practical research, provides a neutral forum for discussion of technical issues and encourages computing outreach into the community at large. USENIX conferences have become essential meeting grounds for the presentation and discussion of advanced developments in all aspects of computing systems.

About Cryptography Research, Inc.

Cryptography Research, Inc. provides consulting services and technology to solve complex security problems. In addition to security evaluation and applied engineering work, CRI is actively involved in long-term research in areas including tamper resistance, content protection, network security, and financial services. This year, security systems designed by Cryptography Research engineers will protect more than $60 billion of commerce for wireless, telecommunications, financial, digital television, and Internet industries. For additional information or to arrange a consultation with a member of our technical staff, please contact Jennifer Craft at 415-397-0329 or visit www.cryptography.com.

Source: Cryptography Research, Inc.
[ISN] Network Associates Up For Sale, Sources Say
--- begin forwarded text

Date: Tue, 22 Jun 2004 05:58:53 -0500 (CDT)
From: InfoSec News [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [ISN] Network Associates Up For Sale, Sources Say
Reply-To: [EMAIL PROTECTED]
List-Id: InfoSec News isn.attrition.org
List-Archive: http://www.attrition.org/pipermail/isn
Sender: [EMAIL PROTECTED]

http://www.crn.com/sections/breakingnews/breakingnews.jhtml;jsessionid=UBOYD1ZT3NRE0QSNDBESKHA?articleId=22101131

By Dan Neel
CRN
Jun. 21, 2004

Network Associates is for sale, and Microsoft is rumored to be the buyer.

The maker of McAfee antivirus and security products has not made it public, but a for sale sign figuratively hangs from Network Associates' front door, according to Wall Street sources and channel partners. A public announcement concerning either the pending or closed sale of the company to a buyer could come as early as July 1 when Network Associates also plans to announce layoffs associated with the company's for-sale status, these sources said.

Network Associates executives declined to comment and would neither confirm nor deny that the Santa Clara, Calif.-based company is for sale or planning layoffs.

Network Associates' reseller partners across the United States said more than a few of the company's field representatives have recently begun circulating resumes. "A lot of [Network Associates] salespeople have opened up feelers for where they are going to land," one partner said. Some Network Associates employees gave partners July 1 as the date Network Associates planned to execute the layoffs. The partners asked to remain anonymous.

Microsoft enters the picture as a potential buyer based on the Redmond, Wash.-based software giant's desire to ascend to a level in the security market competitive with Network Associates rivals such as Symantec, Computer Associates International and Trend Micro, sources said. Microsoft is armed with a number of antivirus tools for Windows and is rolling out a next-generation application layer firewall, a VPN and a Web cache solution. But possession of Network Associates' extensive intellectual property would complete a security offering for Microsoft that could go head-to-head with Symantec, CA, Trend Micro and others.

Microsoft representatives said it was policy not to comment on the company's acquisition plans.

Still, Microsoft may also be the only willing buyer, Wall Street sources said, as few companies with the wherewithal to purchase Network Associates are interested.

It appears that Network Associates has been grooming itself to fit the bill for an acquisition by Microsoft, many Network Associates partners said. One partner, who is also a veteran of the Digital Equipment Corp./Compaq merger, said the signs coming from Network Associates are similar to that of pre-merger DEC, citing Network Associates' sale of its PGP encryption product line, its Gauntlet firewall business and most recently its Sniffer network monitoring division. The partner said Network Associates' downsizing was exactly what DEC did in order to fit within Compaq. "It was a divestiture of all the things Compaq didn't want," the partner said.

The sudden, announced departure of Donna Troy, Network Associates' executive vice president of worldwide channel sales, and the sudden, unannounced departure of Gary Brand, director of channel sales, each resonated with partners as signs of impending change.

At Network Associates' recent Partner Symposium in San Antonio partners were repeatedly encouraged to make sure their product licensing was up to date, another sign that the company was trying to set its house in order prior to a sale, partners said.

_
ISN mailing list

--- end forwarded text
Antipiracy bill targets technology
http://news.com.com/2102-1028_3-5238140.html?tag=st.util.print

CNET News

Antipiracy bill targets technology

By Declan McCullagh
Staff Writer, CNET News.com
http://news.com.com/2100-1028-5238140.html

Story last modified June 17, 2004, 5:32 PM PDT

A forthcoming bill in the U.S. Senate would, if passed, dramatically reshape copyright law by prohibiting file-trading networks and some consumer electronics devices on the grounds that they could be used for unlawful purposes.

The proposal, called the Induce Act, says "whoever intentionally induces any violation" of copyright law would be legally liable for those violations, a prohibition that would effectively ban file-swapping networks like Kazaa and Morpheus. In the draft bill seen by CNET News.com, inducement is defined as "aids, abets, induces, counsels, or procures" and can be punished with civil fines and, in some circumstances, lengthy prison terms.

The bill represents the latest legislative attempt by influential copyright holders to address what they view as the growing threat of peer-to-peer networks rife with pirated music, movies and software. As file-swapping networks grow in popularity, copyright lobbyists are becoming increasingly creative in their legal responses, which include proposals for Justice Department lawsuits against infringers and action at the state level.

Originally, the Induce Act was scheduled to be introduced Thursday by Sen. Orrin Hatch, R-Utah, but the Senate Judiciary Committee confirmed at the end of the day that the bill had been delayed. A representative of Senate Majority Leader Bill Frist, a probable co-sponsor of the legislation, said the Induce Act would be introduced sometime next week, a delay that one technology lobbyist attributed to opposition to the measure.

Though the Induce Act is not yet public, critics are already attacking it as an unjustified expansion of copyright law that seeks to regulate new technologies out of existence.

"They're trying to make it legally risky to introduce technologies that could be used for copyright infringement," said Jessica Litman, a professor at Wayne State University who specializes in copyright law. "That's why it's worded so broadly."

Litman said that under the Induce Act, products like ReplayTV, peer-to-peer networks and even the humble VCR could be outlawed because they can potentially be used to infringe copyrights. Web sites such as Tucows that host peer-to-peer clients like the Morpheus software are also at risk for "inducing" infringement, Litman warned.

Jonathan Lamy, a spokesman for the Recording Industry Association of America, declined to comment until the proposal was officially introduced.

"It's simple and it's deadly," said Philip Corwin, a lobbyist for Sharman Networks, which distributes the Kazaa client. "If you make a product that has dual uses, infringing and not infringing, and you know there's infringement, you're liable."

The Induce Act stands for "Inducement Devolves into Unlawful Child Exploitation Act," a reference to Capitol Hill's frequently stated concern that file-trading networks are a source of unlawful pornography. Hatch is a conservative Mormon who has denounced pornography in the past and who suggested last year that copyright holders should be allowed to remotely destroy the computers of music pirates.

Foes of the Induce Act said that it would effectively overturn the Supreme Court's 1984 decision in the Sony Corp. v. Universal City Studios case, often referred to as the "Betamax" lawsuit. In that 5-4 opinion, the majority said VCRs were legal to sell because they were "capable of substantial noninfringing uses." But the majority stressed that Congress had the power to enact a law that would lead to a different outcome.

"At a minimum (the Induce Act) invites a re-examination of Betamax," said Jeff Joseph, vice president for communications at the Consumer Electronics Association. "It's designed to have this fuzzy feel around protecting children from pornography, but it's pretty clearly a backdoor way to eliminate and make illegal peer-to-peer services. Our concern is that you're attacking the technology."
Breaking Iranian Codes (Re: CRYPTO-GRAM, June 15, 2003)
other intelligence source of theirs.

During the 1950s, the Americans dug under East Berlin in order to eavesdrop on a communications cable. They received all sorts of intelligence until the East Germans discovered the tunnel. However, the Soviets knew about the operation from the beginning, because they had a spy in the British intelligence organization. But they couldn't stop the digging, because that would expose George Blake as their spy.

If the Iranians knew that the U.S. knew, why didn't they pretend not to know and feed the U.S. false information? Or maybe they've been doing that for years, and the U.S. finally figured out that the Iranians knew. Maybe the U.S. knew that the Iranians knew, and are using the fact to discredit Chalabi.

The really weird twist to this story is that the U.S. has already been accused of doing that to Iran. In 1992, Iran arrested Hans Buehler, a Crypto AG employee, on suspicion that Crypto AG had installed back doors in the encryption machines it sold to Iran -- at the request of the NSA. He proclaimed his innocence through repeated interrogations, and was finally released nine months later in 1993 when Crypto AG paid a million dollars for his freedom -- then promptly fired him and billed him for the release money. At this point Buehler started asking inconvenient questions about the relationship between Crypto AG and the NSA.

So maybe Chalabi's information is from 1992, and the Iranians changed their encryption machines a decade ago. Or maybe the NSA never broke the Iranian intelligence code, and this is all one huge bluff. In this shadowy world of cat-and-mouse, it's hard to be sure of anything.

Hans Buehler's story: http://www.aci.net/kalliste/speccoll.htm
Post-9/11 laws expand to more than terrorism
surveillance.

The Patriot Act wasn't needed when police searched library records in the hunt for Unabomber Ted Kaczynski or the effort to track New York's Zodiac killer, Mello noted.

Many government activities under the Patriot Act remain shrouded in secrecy. One of the provisions not expiring is an expansion of police powers to obtain "sneak-and-peek" warrants allowing surveillances - including break-ins - without notifying the people being watched.

The government is being more aggressive in asking courts for surveillance warrants. The Justice Department last year made a record 1,727 requests for wiretap approvals from the secretive Foreign Intelligence Surveillance Court, but does not publicly disclose how many investigations that might involve.

Attorney General John Ashcroft told the Senate Judiciary Committee last week that the Patriot Act has been used judiciously, and he urged Congress to give speedy consideration to extending it.
He Pushed the Hot Button of Touch-Screen Voting
father also served in Congress and the California Legislature, where he was one of two lawmakers to vote against the internment of Japanese-Americans in World War II.

"My dad's vote seems like a no-brainer now," Mr. Shelley said. "But at the time, it spoke to who he was and what he believed in, and he passed that on to me." (Jack Shelley died of lung cancer in 1974, when his son was 18.)

Mr. Shelley began his career as a legislative director in Washington for Representative Phil Burton, a liberal icon in California. He was elected to the San Francisco Board of Supervisors and then the State Assembly, where he served for the allowable limit of three two-year terms and became majority leader. He said he ran for secretary of state because he wanted to counteract the decline in voting, though he has used the office to highlight other issues, like domestic partner rights and corporate responsibility.

Mr. Shelley did not deny an interest in the governor's office someday but said his goal for now was to make policy and set precedent; "it has nothing to do with my future." Eric Jaye, a political consultant here and longtime associate of Mr. Shelley, said he had transformed what was essentially an administrative post into a bully pulpit.

Several recent analyses have bolstered Mr. Shelley's view that touch screens need more security. These include a recommendation by the chairman of the federal Election Assistance Commission that every voting jurisdiction that uses touch screens enhance their security, with either paper trails or other methods, by November. A joint report issued yesterday by the Kennedy School of Government at Harvard and the National Science Foundation endorsed touch screens with paper trails as the most effective voting system.

Still, many officials who run elections believe the push for paper trails is more window-dressing than a necessary expense. San Bernardino County, which is among those suing Mr. Shelley, plans to ignore his directive to provide separate paper ballots for those uncomfortable with touch screens.

"It would be an expression of a lack of confidence in the machines, for which the county just spent $14 million," said David Wert, a spokesman for the county supervisors. In May, the supervisors noted that Mr. Shelley had certified the county's system before the March 2 primary and that "absolutely nothing has occurred since that certification to call the system's performance or reliability into question."

To those who say he is only fanning fears, Mr. Shelley laughs.

"If a machine breaks down in San Diego, and it breaks down in Georgia, and they break down in Maryland, and they break down in Alameda and we have high schools where they can hack into the systems, the deficiencies are in the machines," he said.

"Look," he added, "I believe these machines have a very, very firm place in our future, but I also believe that in responding to the chaos in Florida in 2000 these machines were rushed out before all the kinks were worked out."
[osint] TIA Offices Discovered - Where Big Brother Snoops on Americans
DARPA tried to interest Groxis in becoming part of the TIA project but the company declined, saying the project was neither feasible nor ethical. Hawken says he knows people with the National Security Agency who refused to work on TIA because of ethical concerns.

The dangers of TIA have created a coalition of strange bedfellows. The American Civil Liberties Union has teamed up with conservative Phyllis Schlafly's Eagle Forum and even the Heritage Foundation to fight not only TIA but other abuses of Constitutional rights under the USA Patriot Act. Even former member of Congress Bob Barr, a conservative firebrand, has joined the effort.

Yet even with all this attention, TIA still exists and still watches Americans 24/7 from the office building on Fairfax Drive in Arlington. Although employees who work in the building are supposed to keep their presence there a secret, they regularly sport their DARPA id badges around their necks when eating at restaurants near the building. The straps attached to the badges are printed with "DARPA" in large letters.

"Yeah, they're the spooks who work in the building over there," says Ernie, the counterman at a deli near 3701 Fairfax Drive. "If this is how they keep secrets, I guess we should really be worried."

© Copyright 2004 by Capitol Hill Blue

--- end forwarded text
High hopes for unscrambling the vote
site to make sure the encrypted sequence corresponds to what's posted. Or, if they choose, they can hand their receipt to a trusted organization like the League of Women Voters and ask them to do the verification.

"It's conceptually easy," Neff said during an interview at the conference sponsored by Rutgers University's theoretical computer science center. "But it has to be plugged into the process that (voting machine) vendors use."

Concocting arcane mathematical formulae is almost trivial, compared with the arduous process of convincing vendors and state election officials to adopt verifiable, encrypted systems. Neither group is known as an aggressive early adopter of new technologies.

Hundreds of millions of dollars are at stake. State governments are racing to install electronic voting machines as a result of the federal Help America Vote Act, which was enacted after the 2000 election and gives states hefty federal grants if they meet certain deadlines. One key date: Any state accepting those grants must replace all its punch card and lever machines by Nov. 2, 2004.

Because of that looming deadline, many states have already bought replacements for their oldest systems and are reluctant to write a second set of checks to add encrypted receipt technology. In addition, Chaum's system won't be in production until after the November election.

Neff expressed frustration at the difficulty of convincing voting vendors such as Diebold Election Systems to license VoteHere's technology and produce encrypted receipts.

"They're just not technically savvy," Neff said. "They've got incredibly limited technical abilities, and they're desperately clinging to the hope that all this (concern about e-voting) will blow over. They want to sing the praises of the little box they plop on someone's table and not worry about it. The other conjecture is that somewhere, they appreciate the fact that, moving toward the future, the verification technology follows what Microsoft did to hardware in the early days. It becomes more important than the box."

So far, Neff's VoteHere company has inked a deal with Sequoia Voting Systems to license its encrypted receipt technology, though it's nonexclusive. Unlike Chaum's system that requires a special viewfinder, any electronic voting machine equipped with a printer can produce the receipts. State election officials aren't exactly biting, but Neff says "it looks very realistic that we can do a pilot in California or Maryland for the November election."

Diebold has attracted the most criticism of any e-voting machine maker. In April, the California Secretary of State took the drastic step of banning Diebold-made systems from being used in some counties. Last November, California began investigating allegations of illegal vote tampering with Diebold machines. An earlier blow came in June 2003, when university researchers concluded that a voter could cast unlimited ballots without detection.

Neff of VoteHere acknowledged that encrypted ballots aren't a complete solution for all voting problems. For instance, election officials must be trusted to prevent people from voting twice under different names or at multiple voting locations.

"We've addressed 80 percent of the threats and 100 percent of the really bad threats," Neff said. "We can't (seem to) get beyond that remaining 20 percent."

But skeptic Mercuri argued that even that number is optimistic. "I don't agree you've addressed 80 percent of the threats," she said. "It depends on your threat model."
Related News

* Fight over e-voting leaves election plans as casualties, May 20, 2004: http://news.com.com/2100-1028-5216643.html
* California votes against Diebold, April 22, 2004: http://news.com.com/2100-1028-5197870.html
* E-voting smooth on Super Tuesday, March 2, 2004: http://news.com.com/2100-1028-5168670.html
* Voting machine fails inspection, July 24, 2003: http://news.com.com/2100-1009-5054088.html

Copyright ©1995-2003 CNET Networks, Inc. All rights reserved.
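The receipt check the article above describes has two parts: the voter (or a delegate such as the League of Women Voters) confirms that the sequence on the receipt is what the election posted, and later anyone can check that the posted entries add up to the announced tally. The following is an added illustration of just those two checks using hash commitments; it is not VoteHere's or Chaum's scheme, and it deliberately omits the privacy machinery those systems add (here the election authority still knows which receipt holds which vote). Names such as `Election`, `verify_receipt` and `audit_tally` are this example's own.

```python
"""Commitment-based ballot receipts (added example; simplified).

Each cast ballot is published on a public bulletin board only as a
commitment H(nonce || choice). The voter's receipt carries the receipt id
and the commitment, so the voter or a delegate can check that the entry was
posted unchanged. At tally time the authority opens every commitment, and
anyone can re-derive the tally from the openings and check them against
the board. Assumed model, not the schemes the article describes."""
import hashlib
import secrets
from collections import Counter


def commit(choice: str, nonce: bytes) -> str:
    # Hash commitment: binding (cannot be opened to another choice) and
    # hiding for as long as the nonce stays secret.
    return hashlib.sha256(nonce + b"|" + choice.encode()).hexdigest()


class Election:
    def __init__(self) -> None:
        self.board: dict[str, str] = {}                    # public: receipt_id -> commitment
        self._openings: dict[str, tuple[str, bytes]] = {}  # authority-only until tally

    def cast(self, choice: str) -> dict:
        """Record a ballot; return the receipt handed to the voter."""
        nonce = secrets.token_bytes(16)
        receipt_id = secrets.token_hex(8)
        c = commit(choice, nonce)
        self.board[receipt_id] = c
        self._openings[receipt_id] = (choice, nonce)
        return {"receipt_id": receipt_id, "commitment": c}

    def posted(self) -> dict[str, str]:
        """What the public web site shows."""
        return dict(self.board)

    def publish_tally(self) -> tuple[dict, dict]:
        """Open all commitments and announce the count."""
        openings = {rid: (choice, nonce.hex())
                    for rid, (choice, nonce) in self._openings.items()}
        tally = dict(Counter(choice for choice, _ in self._openings.values()))
        return tally, openings


def verify_receipt(board: dict[str, str], receipt: dict) -> bool:
    """Voter-side check: is my exact commitment on the public board?"""
    return board.get(receipt["receipt_id"]) == receipt["commitment"]


def audit_tally(board: dict[str, str], tally: dict, openings: dict) -> bool:
    """Universal check: every posted commitment opens to the claimed ballot,
    nothing was added or dropped, and the openings sum to the announced tally."""
    if set(openings) != set(board):
        return False
    for rid, (choice, nonce_hex) in openings.items():
        if commit(choice, bytes.fromhex(nonce_hex)) != board[rid]:
            return False
    return dict(Counter(choice for choice, _ in openings.values())) == tally


if __name__ == "__main__":
    election = Election()
    receipts = [election.cast(v) for v in ("alice", "bob", "alice")]
    board = election.posted()
    print("receipt posted:", all(verify_receipt(board, r) for r in receipts))
    tally, openings = election.publish_tally()
    print("tally:", tally, "audit passes:", audit_tally(board, tally, openings))
```

The binding property of the commitment is what makes the audit meaningful: an authority that wants to move one ballot from "bob" to "alice" cannot produce an opening for the already-posted hash, so the `audit_tally` check fails for anyone who runs it.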
WPES04 submission deadline extended
Commission/Ontario, Canada
Susan Landau, Sun Microsystems Laboratories, USA
Andreas Pfitzmann, Dresden University of Technology, Germany
Andrew Patrick, National Research Council, Ottawa, Canada
Marc Rennhard, ETH Zurich, Switzerland
Pierangela Samarati, University of Milan, Italy
Matthias Schunter, IBM Zurich Research Laboratory, Switzerland
Tomas Sander, Hewlett Packard, USA
Marianne Winslett, U. of Illinois Urbana-Champaign, USA

NymIP-res-group mailing list: http://www.nymip.org/mailman/listinfo/nymip-res-group

--- end forwarded text
Not Ready For Prime Time
http://www.sitnews.us/HowardDean/060104_dean.html

Stories in the News

Electronic Voting - Not Ready For Prime Time

By Howard Dean
June 01, 2004, Tuesday

In December 2000, five Supreme Court justices concluded that a recount in the state of Florida's presidential election was unwarranted. This, despite the desire of the Florida Supreme Court to order a statewide recount in an election that was decided by only 537 votes. In the face of well-documented voting irregularities throughout the state, the U.S. Supreme Court's decision created enormous cynicism about whether the votes of every American would actually be counted.

Although we cannot change what happened in Florida, we have a responsibility to our democracy to prevent a similar situation from happening again. Some politicians believe a solution to this problem can be found in electronic voting. Recently, the federal government passed legislation encouraging the use of touch screen voting machines even though they fail to provide a verifiable record that can be used in a recount. Furthermore, this equipment cannot even verify as to whether a voter did indeed cast a ballot for their intended candidate. Unfortunately, this November, as many as 28% of Americans - 50 million people - will cast ballots using machines that could produce such unreliable and unverifiable results.

Only since 2000 have touch screen voting machines become widely used and yet they have already caused widespread controversy due to their unreliability. For instance, in Wake County, N.C. in 2002, 436 votes were lost as a result of bad software. Hinds County, Miss. had to re-run an election because the machines had so many problems that the will of the voters could not be determined. According to local election officials in Fairfax County, Va., a recent election resulted in one in 100 votes being lost.

Many states, such as New Hampshire and most recently Maine, have banned paperless touch screen voting and many more are considering doing so. Without any accountability or transparency, even if these machines work, we cannot check whether they are in fact working reliably. The American public should not tolerate the use of paperless e-voting machines until at least the 2006 election, allowing time to prevent ongoing errors and failures with the technology. One way or another, every voter should be able to check that an accurate paper record has been made of their vote before it is recorded.

Both Democrats and Republicans have a serious interest in fixing this potentially enormous blow to democracy. A bipartisan bill, sponsored by Rep. Rush Holt (D-N.J.), is one of several paper trail bills in the House and Senate and it should be passed as soon as possible. A grassroots movement for verified voting, led by organizations like VerifiedVoting.org, is gaining momentum nationwide.

There is nothing partisan about the survival of our democracy or its legitimacy. We cannot and must not put the success of one party or another above the good of our entire country and all our people. To the governments of the fifty states, Republican or Democrat, I ask you to put paperless e-voting machines on the shelf until 2006 or until they are reliable and will allow recounts. In a democracy you always count the votes no matter who wins. To abandon that principle is to abandon America.

Email Howard Dean at [EMAIL PROTECTED]

Howard Dean, M.D. and former governor of Vermont, is the founder of Democracy for America, a grassroots organization that supports socially progressive and fiscally responsible political candidates.
RE: [ISN] Simple passwords no longer suffice
--- begin forwarded text

Date: Fri, 4 Jun 2004 01:29:59 -0500 (CDT)
From: InfoSec News [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: RE: [ISN] Simple passwords no longer suffice
Reply-To: [EMAIL PROTECTED]
List-Id: InfoSec News isn.attrition.org
List-Archive: http://www.attrition.org/pipermail/isn

Forwarded from: [EMAIL PROTECTED]

I consider password security to be most important. I understand regular users cannot think of thousands of passwords and not write them down. Because my memory is also not perfect I have developed the following password scheme:

I memorized 8 different sequences of alphanumerical characters, let's call them SACs (just inventing a new abbreviation here), each different in size and using some uppercase letters. I give them all a number (so SAC1, SAC2, SAC3 etc.).

For every account I select three of these sequences of alphanumerical characters, and put them in a certain order. That is my password. I then write down the order in a password protected database (with a simpler password; I don't care that much if the database is compromised).

So for example: For hotmail I might use sequences SAC4, SAC5, SAC2. I just add to my password database "Hotmail 452" and I know what the password is. For the sequence SAC1, SAC8, SAC3 that I use with my mail certificate, the note I have written down is "mail certificate 183".

Somewhere else I have as a reminder a list of all my SACs but only with the first two characters being correct; the rest is put there as disinformation. So I actually look only at the first two characters and then remember what that SAC was again.

So I have a list that looks like this:

SAC# written down - real password
SAC1 fuh355y9wtga9 - fuh5y05edh
SAC2 g8betb8g - g8bs=hb56hRRTYsh
SAC3 l;kyh35h9 - l;g588bas3DR
SAC4 aBfbvsdh4 - aBbdnitbAA$
SAC5 GgfasdG - Gggrw422a~
SAC6 GSDFGWRw444 - GAEB53th8g3e
SAC7 BbgRhgw52354 - Bdghbwtrb53
SAC8 6775u3ed5us - 67hJ^$6493

So for example when I need my password to get into hotmail I just open my password database or grab my paper printout of the list and look up the hotmail account; I see "Hotmail 452". I also look up my SAC list and by looking at the first few characters I remember what each SAC is. So the password is "aBbdnitbAA$Gggrw422a~g8bs=hb56hRRTYsh" without the quotes.

Once you have the discipline to set up something similar and stick to it your password security will be incredible. (And it's worth the look on people's faces when they see you enter passwords of more than 20 characters at lightning speed; try to sneak up that one =D)

Also I try to maintain my habit to type in numbers on the number keypad and as I do so cover up my hand with the other hand so it cannot really be seen or recorded by cameras. Just as one would protect their PIN code. (Also considering those credit thieves that build cameras into ATM machines and devices that record your magnetic strip. Haha, have fun with my strip, but you couldn't see my PIN code :P)

Greetings,
Da paranoid android ;-)

-----Original message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of InfoSec News
Sent: Thursday, June 03, 2004 09:31
To: [EMAIL PROTECTED]
Subject: [ISN] Simple passwords no longer suffice

http://www.cnn.com/2004/TECH/ptech/06/01/beyond.passwords.ap/index.html

June 1, 2004

(AP) -- To access her bank account online, Marie Jubran opens a Web browser and types in her Swedish national ID number along with a four-digit password. For additional security, she then pulls out a card that has 50 scratch-off codes.

Jubran uses the codes, one by one, each time she logs on or performs a transaction. Her bank, Nordea PLC, automatically sends a new card when she's about to run out.

As more Web sites demand passwords, scammers are getting more clever about stealing them. Hence the need for such passwords-plus systems.

Scandinavian countries are among the leaders as many online businesses abandon static passwords in favor of so-called two-factor authentication.

"A password is a construct of the past that has run out of steam," said Joseph Atick, chief executive of Identix Inc., a Minnesota designer of fingerprint-based authentication. "The human mind-set is not used to dealing with so many different passwords and so many different PINs."

When a static password alone is required, security experts recommend that users combine letters and numbers and avoid easy-to-guess passwords like "1234" or a nickname.

--- end forwarded text
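The scratch-card login in the AP story is a password plus a list of one-time codes, with the bank replacing the card before it runs dry. The following is an added example, written here and not taken from the article or from Nordea, of how a server can model that: it keeps only salted hashes of the codes, rejects any code that has already been spent (so a code captured by a phishing page is worthless once the customer has used it), checks the static password before touching the card so a wrong password cannot burn codes, and flags the account for a new card when few codes remain. The card size of 50 comes from the story; six-digit codes, the reissue threshold of five and the names `issue_card`, `login`, `needs_reissue` are this example's own assumptions.

```python
"""Server-side model of a password-plus-scratch-card login (added example).

Assumptions (not from the article): codes are 6 digits, a card holds 50 of
them, any unused code on the card is accepted in any order, and a new card
is issued once 5 or fewer codes remain. Only salted hashes of the codes are
kept on the server; the plaintext list exists only on the printed card."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

CODE_DIGITS = 6
CARD_SIZE = 50
REISSUE_AT = 5          # reissue when this many or fewer codes are left
PBKDF2_ROUNDS = 50_000  # password hashing cost; raise for production use


def _hash_code(salt: bytes, code: str) -> bytes:
    # Six-digit codes are tiny, so each card gets its own salt to stop a
    # leaked hash table from being attacked with one precomputed list.
    return hashlib.sha256(salt + code.encode()).digest()


@dataclass
class Card:
    salt: bytes
    unused: set = field(default_factory=set)  # hashes of codes not yet redeemed


@dataclass
class Account:
    pw_salt: bytes
    pw_hash: bytes
    card: Card


def issue_card() -> tuple[Card, list[str]]:
    """Generate a fresh card. Returns the server record and the plaintext
    codes that go to the printer."""
    salt = secrets.token_bytes(16)
    card = Card(salt)
    codes: list[str] = []
    while len(codes) < CARD_SIZE:
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        h = _hash_code(salt, code)
        if h in card.unused:        # no duplicate codes on one card
            continue
        card.unused.add(h)
        codes.append(code)
    return card, codes


def make_account(password: str) -> tuple[Account, list[str]]:
    pw_salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), pw_salt, PBKDF2_ROUNDS)
    card, codes = issue_card()
    return Account(pw_salt, pw_hash, card), codes


def _password_ok(acct: Account, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), acct.pw_salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, acct.pw_hash)


def redeem_code(card: Card, code: str) -> bool:
    """Consume `code` if it is still unused on the card. A replayed code,
    e.g. one captured by a phishing page and used after the customer, fails."""
    h = _hash_code(card.salt, code)
    match = None
    for stored in card.unused:      # compare every entry; no early exit
        if hmac.compare_digest(stored, h):
            match = stored
    if match is None:
        return False
    card.unused.discard(match)
    return True


def login(acct: Account, password: str, code: str) -> bool:
    """Both factors must pass. The static password is checked first so a
    wrong password does not spend one of the customer's one-time codes."""
    if not _password_ok(acct, password):
        return False
    return redeem_code(acct.card, code)


def remaining_codes(acct: Account) -> int:
    return len(acct.card.unused)


def needs_reissue(acct: Account) -> bool:
    """True when the bank should print and mail the next card."""
    return remaining_codes(acct) <= REISSUE_AT
```

The limit of this design is the one the article implies rather than states: a code that is phished and relayed in real time, before the customer's own request reaches the bank, is still accepted once. That is why a per-transaction code (the story says Jubran enters one for each transaction, not only at login) narrows the window further.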
Re: Chalabi Reportedly Told Iran That U.S. Had Code
At 5:42 PM -0700 6/3/04, Eric Rescorla wrote:

> http://www.rtfm.com/movabletype/archives/2004_06.html#000934
>
> 4. It's all a hoax and the NSA is reading the traffic some other way, perhaps by bugging the Iranian embassy. In this case, the NSA might actually want to have it spread around that they've broken the Iranian codes since it makes them look extremely competent and there's a good chance that the Iranians will change codes and then be confident that their communications are secure.

I'll take door number four, Monty, with the snitch variant...

Either that, or it's just plain made up.

Cheers,
RAH
FSTC Call for Participation: Counter-Phishing Phase I
--- begin forwarded text

Date: Wed, 02 Jun 2004 17:17:48 -0400
From: Jim Salters [EMAIL PROTECTED]
Subject: FSTC Call for Participation: Counter-Phishing Phase I
To: [EMAIL PROTECTED]
List-Id: members.ls.fstc.org
List-Archive: http://ls.fstc.org/archives/members/

To: FSTC Members and Friends
From: Jim Salters, Director of Tech Initiatives and Project Development

We are pleased to issue this call for participation in FSTC's Counter-Phishing Phase I initiative. You can download the project prospectus at: http://fstc.org/projects/new.cfm#phishing .

The cost to financial institutions for this 5-month project is $20,000, and technology companies $15,000. These project fees are tiered by the same percentage as FSTC's membership tiers (see below). Participation commitments are requested by June 18th.

An informational conference call has been scheduled for: Wednesday June 9th, 2pm EDT, 512-225-3050, 71782#

Project Summary:

FSTC proposes to launch a three-phase initiative to address the problem of phishing in financial services as it affects the relationship between customer and firm. In collaboration with other industry groups, FSTC will focus on defining the unique technical and operating requirements of financial institutions (FIs) for counter-phishing measures; investigating counter-phishing technical solutions, proving and piloting solution sets enabled by technology to determine their fit against FI criteria and requirements; and clarifying the infrastructure fit, requirements, and impact of these technologies when deployed in concert with customer education, enforcement and other industry initiatives. Phase 1 will last five months.

Principal deliverables for Phase 1 comprise knowledge statements and options, recommendations, and plans for implementations, including:

* A registry of current and known future phishing threats, vulnerabilities and attack models
* A cost/impact framework for the assessment of counter-phishing options
* A taxonomy of phishing
* A comprehensive inventory of available solution sets
* The financial services operating criteria and technical requirements for counter-phishing solutions
* A compendium of proposals to pilot, test and evaluate promising solutions, with implementation, test and resource plans
* A test plan and evaluation criteria
* An executive summary and recommendations for quick hit implementations, if any; new tools development; and design of dynamic technical monitoring and threat updating capability

Project Fees:

Financial Institutions:
$20,000 Assets over $100 billion (including affiliates)
$16,000 Assets from $50 to $99 billion (including affiliates)
$12,000 Assets from $20 to $49 billion (including affiliates)
$4,400 Assets under $19 billion (including affiliates)

Technology Companies:
$15,000 Revenue/funding over $100 million
$12,000 Revenue/funding from $50 to $99 million
$9,000 Revenue/funding from $20 to $49 million
$3,300 Revenue/funding under $19 million

--- end forwarded text
Polygraph Testing Starts at Pentagon in Chalabi Inquiry
enforcement officials said he could be investigated in the future. They said a decision on that could be left to the new Iraqi government. In the 1990's, the Iraqi National Congress was part of a C.I.A. covert action program designed to undermine Saddam Hussein's rule. But Mr. Chalabi had a falling out with the C.I.A., and agency officials concluded that he was untrustworthy. He subsequently forged an alliance with major conservative Republicans in Washington. When President Bush took office, Mr. Chalabi and the Iraqi National Congress were embraced by senior policy makers at the Pentagon, which became his main point of contact in the American government. In a telephone interview on Wednesday, Mr. Markham, one of Mr. Chalabi's lawyers, said that Mr. Chalabi had been subjected to increasing adverse comments by American officials as his disagreements with the Bush administration over the future of Iraq had intensified. Nevertheless, Mr. Markham said, Mr. Chalabi is very happy to come to the United States to appear before Congress or be interviewed by legitimate investigative agents in this matter. The lawyers' letter said that Dr. Chalabi would never endanger the national security of the U.S. Those responsible for such leaks, however, we submit are the same individuals within the U.S. government who have undermined the President's policies in Iraq and efforts to bring democracy and stability to that country, and are using Dr. Chalabi as a scapegoat for their own failures that have cost this country dearly in the past year in Iraq, the letter said. Last month, American and Iraqi forces raided Mr. Chalabi's Baghdad compound and carted away computers, overturned furniture and ransacked his offices. The raid was said to be part of an investigation into charges that Mr. Chalabi's aides, including a leading lieutenant, had been involved in kidnapping, torture, embezzlement and corruption in Iraq. 
It is still unclear what the connection might be between that raid and the continuing counterintelligence investigation of the possible leaks of secrets to Iran.

Richard A. Oppel Jr. contributed reporting for this article.
BBN Technologies Unveils World's First Quantum Cryptography Network
http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=SVBIZINK3.story&STORY=/www/story/06-03-2004/0002186418&EDATE=THU+Jun+03+2004,+07:50+AM

Silicon Valley Biz Ink :: The voice of the valley economy
June 3, 2004
Computers/Electronics News
Press release distributed by PR Newswire

Quantum Cryptography Breakthrough Delivers Absolute Security Based on Laws of Physics

CAMBRIDGE, Mass., June 3 /PRNewswire/ -- BBN Technologies announced today that it has built the world's first quantum cryptography network and is now operating it continuously beneath the streets of Cambridge, Massachusetts. Today the DARPA Quantum Network links BBN's campus to Harvard University; soon it will stretch across town to include Boston University as a third link. The Harvard University Applied Physics Department and the Boston University Photonics Center have worked in close collaboration with BBN to build the network under Defense Advanced Research Projects Agency (DARPA) sponsorship.

Information traveling over open networks such as the Internet is often encrypted to prevent unauthorized eavesdropping. Currently, complex mathematical algorithms are the most common method used to scramble (encrypt) and de-scramble (decrypt) messages that require secure transmission. Although this method can provide high levels of security, it is not infallible. In contrast, the DARPA Quantum Network introduces extremely high levels of security for Internet-based communications systems by encrypting and decrypting messages with keys created by quantum cryptography.

Quantum cryptography, invented by Charles Bennett and Gilles Brassard in the 1980s, prepares and transmits single photons of light, through either fiber optic cable or the atmosphere, to distribute cryptographic keys that are used to encrypt and decrypt messages.
This method of securing information is radically different from methods based on mathematical complexity, relying instead on fundamental physical laws. Because very small (quantum) particles are changed by any observation or measurement, eavesdropping on a quantum cryptography system is always detectable.

The DARPA Quantum Network has improved on these techniques to create a highly robust, six-node network that is both extremely secure and 100% compatible with today's Internet technology. Patent-pending BBN protocols pave the way for robust quantum networks on a larger scale by providing any-to-any networking of quantum cryptography through a mesh of passive optical switches and cryptographic key relays.

"People think of quantum cryptography as a distant possibility," said Chip Elliott, a Principal Scientist at BBN and leader of its quantum engineering team, "but the DARPA Quantum Network is up and running today underneath Cambridge. BBN has built a set of high-speed, full-featured quantum cryptography systems and has woven them together into an extremely secure network."

"This kind of breakthrough is the essence of BBN," said Tad Elmer, president and CEO of BBN. "We were ahead of the technology curve with the ARPANET and the first router, and our quantum network exemplifies the same kind of forward thinking and innovation that has made BBN a technology leader for over 50 years."

About BBN Technologies

BBN Technologies was established as Bolt Beranek and Newman Inc. in 1948. From its roots as an acoustical design consulting firm, BBN grew to implement and operate the ARPANET (the forerunner of today's Internet) and develop the first network email, which established the @ sign as an icon for the digital age. Today BBN Technologies provides technical expertise and innovation to both government and commercial customers. Areas of expertise include: quantum information, speech and language processing, networking, information security, and acoustic technologies.
BBN has more than 600 employees in offices across the US. For more information, visit http://www.bbn.com.

Media Contact: Joyce Kuzmin 617-873-8193 [EMAIL PROTECTED]
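The press release describes the Bennett-Brassard scheme only in outline: key bits ride on single photons, and a measurement by anyone other than the intended receiver disturbs them in a way the two endpoints can detect. The simulation below is added here as an illustration; it is not code from BBN or the DARPA Quantum Network. It models the classical bookkeeping of BB84: random bit and basis choices on the sending side, random measurement bases on the receiving side, basis sifting over the public channel, and estimation of the quantum bit error rate (QBER) on a sacrificed sample of the sifted key. The photon is abstracted to a (bit, basis) pair with the rule that a wrong-basis measurement returns a random bit. The 11% abort threshold is the commonly cited BB84 security bound and is an assumed parameter; all function and field names are likewise the example's own.

```python
import random

# Assumed parameter: commonly cited BB84 abort threshold on the sampled error rate.
QBER_ABORT_THRESHOLD = 0.11


def measure(bit, prep_basis, meas_basis, rng):
    """Abstract single-photon measurement.

    A photon prepared in one basis (0 = rectilinear, 1 = diagonal) yields its
    encoded bit when measured in the same basis and a uniformly random bit when
    measured in the other basis. This is the physical fact the release relies
    on: a wrong-basis measurement destroys the original state.
    """
    return bit if prep_basis == meas_basis else rng.randrange(2)


def bb84_simulation(n_photons, eavesdrop=False, seed=0):
    """Run one BB84 session and return the sifting and error-estimation results.

    With eavesdrop=True a textbook intercept-resend adversary measures every
    photon in a random basis and forwards a fresh photon prepared in that basis;
    the disturbance this introduces is what QBER estimation exists to catch.
    """
    rng = random.Random(seed)  # seeded so the run is reproducible
    alice_bits = [rng.randrange(2) for _ in range(n_photons)]
    alice_bases = [rng.randrange(2) for _ in range(n_photons)]
    bob_bases = [rng.randrange(2) for _ in range(n_photons)]

    bob_bits = []
    for bit, prep_basis, bob_basis in zip(alice_bits, alice_bases, bob_bases):
        if eavesdrop:
            eve_basis = rng.randrange(2)
            bit = measure(bit, prep_basis, eve_basis, rng)  # Eve's measurement result
            prep_basis = eve_basis                           # she re-sends in her own basis
        bob_bits.append(measure(bit, prep_basis, bob_basis, rng))

    # Sifting: Bob announces his bases over the public channel and both sides keep
    # only the positions where the bases agreed (about half of the photons).
    sifted = [i for i in range(n_photons) if alice_bases[i] == bob_bases[i]]

    # Error estimation: half of the sifted positions are published and compared;
    # the other half become the raw key.
    sample = sifted[::2]
    key_positions = sifted[1::2]
    errors = sum(1 for i in sample if alice_bits[i] != bob_bits[i])
    qber = errors / len(sample) if sample else 0.0

    return {
        "sifted_length": len(sifted),
        "qber": qber,
        "aborted": qber > QBER_ABORT_THRESHOLD,
        "alice_key": [alice_bits[i] for i in key_positions],
        "bob_key": [bob_bits[i] for i in key_positions],
    }


if __name__ == "__main__":
    for eve in (False, True):
        r = bb84_simulation(4000, eavesdrop=eve, seed=1)
        print(f"eavesdropper={eve}: sifted={r['sifted_length']} "
              f"QBER={r['qber']:.3f} aborted={r['aborted']}")
```

On a noise-free channel the sifted bits agree exactly, so the sampled QBER is zero and the two raw keys are identical. With the intercept-resend adversary present, each intercepted photon is measured in the wrong basis half the time, and half of those re-sent photons then give Bob the wrong bit even when his basis matches Alice's, which is why the QBER settles near 25% and the session aborts. Real links have a nonzero baseline QBER from detector noise and loss, which is why the threshold, rather than "any error at all", is the operational check; the model also ignores multi-photon pulses and other implementation details that deployed systems must handle.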
Chalabi Reportedly Told Iran That U.S. Had Code
between Iran and Washington. Those defenders also say they do not believe that his relationship with Iran involved any exchange of intelligence.

Mr. Chalabi's allies in Washington also saw the Bush administration's decision to sever its ties with Mr. Chalabi and his group as a cynical effort instigated by the C.I.A. and longtime Chalabi critics at the State Department. They believe those agencies want to blame him for mistaken estimates and incorrect information about Iraq before the war, like whether Iraq possessed weapons of mass destruction.

One of those who has defended Mr. Chalabi is Richard N. Perle, the former chairman of the Defense Policy Board. "The C.I.A. has disliked him passionately for a long time and has mounted a campaign against him with some considerable success," Mr. Perle said Tuesday. "I've seen no evidence of improper behavior on his part. No evidence whatsoever." Mr. Perle said he thought the C.I.A. had turned against Mr. Chalabi because he refused to be the agency's puppet. "Mr. Chalabi has a mind of his own," Mr. Perle said.

American intelligence officials said the F.B.I. investigation into the intelligence leak to Iran did not extend to any charges that Mr. Chalabi provided the United States with incorrect information, or any allegations of corruption.

American officials said the leak about the Iranian codes was a serious loss because the Iranian intelligence service's highly encrypted cable traffic was a crucial source of information, supplying Washington with information about Iranian operations inside Iraq, where Tehran's agents have become increasingly active. It also helped the United States keep track of Iranian intelligence operations around the world.

Until last month, the Iraqi National Congress had a lucrative contract with the Defense Intelligence Agency to provide information about Iraq.
Before the United States invasion last year, the group arranged for Iraqi defectors to provide the Pentagon with information about Saddam Hussein's government, particularly evidence purporting to show that Baghdad had active programs to develop weapons of mass destruction. Today, the American intelligence community believes that much of the information passed by the defectors was either wrong or fabricated.
Library talk on cryptography begins technology series
http://www.zwire.com/site/news.cfm?newsid=11830032&BRD=1091&PAG=461&dept_id=425695&rfi=6

The Princeton Packet
By: Jennifer Potash, Staff Writer
06/01/2004

Expert promises a nontechnical approach.

No decoder rings are needed for an upcoming talk about the science of computer cryptography at the Princeton Public Library, but curious minds will be welcome. The library kicks off the summer series of its popular Tuesday Technology Talks program at 7 p.m. today with a lecture by Brian Kernighan, a professor at Princeton University's Computer Science Department. Mr. Kernighan, who often gives talks for nontechnical audiences, will lead an examination of how modern cryptography works, where it is used, some of the places where it hasn't worked well and a bit of cryptopolitics.

Janie Herman, a reference librarian and founder of the series, said cryptography has come a long way since the days when Julius Caesar encoded messages by shifting the alphabet over a few places and when the British decoded the German Enigma machine during World War II. "Today, cryptography is at the heart of security for our computers at home and at work," she said. "It lets us buy and sell securely over the Internet and it's relied on by both the good guys and bad guys to keep their secrets safe."

Ms. Herman said she's thrilled to have a speaker of Dr. Kernighan's stature as a guest for the series: he played key roles in the development of the Unix and C computer languages, and authored numerous books about programming in various computer languages. But don't call him an "expert" on cryptography; he claims he cringed when he saw that word used in another article promoting his library talk. "My interest in cryptography is more of a dilettante interest," he said with a laugh.
His talk, stripped of the jargon and tech speak found in his classroom lectures, will be split between a historical perspective on the cryptography used by the Romans on clay tablets to the codes used by spies in World War II and ending with the modern uses. "Basically, the difference between cryptography then and now is the size of the numbers used for the encoding: in the premedieval days cryptography might be more a matter of shifting letters around, while today the numbers are big, but not infinitely so," Dr. Kernighan said. The mathematics used in the encoding process were developed back in the 18th century and largely remain unchanged today, he said.

Cryptography works by arranging information in a series of coded numbers accessible only to users with the correct key, he said. In practical terms, a user typing in a credit card number to make a purchase at an online business would have the sensitive information encoded to keep it safe from any unauthorized users, he said. While the early days of Internet sales brought tales of thefts of customers' credit card numbers, today the enterprise is much safer, Dr. Kernighan said. "The problems with credit card number theft are more of a bricks-and-mortar problem. It's like sending your credit card number in an armored truck to a cardboard box," he said.

Cryptography has also turned up in popular culture such as the Matrix movies and the best-selling novel The Da Vinci Code. The novel didn't appeal to Dr. Kernighan. "I thought the writing was horrible," he said. Also, the study of smaller codes based on letters is really not what he researches.

Dr. Kernighan, who received his doctorate from Princeton University in 1969, worked for Bell Labs in the computing science research center in Murray Hill until 2000. After a few stints as an adjunct professor at Princeton and Harvard universities, Dr. Kernighan decided to take up teaching full time. "It's a great place to have a second childhood," said Dr. Kernighan, who resides in Princeton Borough with his wife.

Princeton Public Library is at 65 Witherspoon St. in Princeton Borough. Special assistance is available for library customers with disabilities. Those with special needs should contact the library 48 hours before any program to arrange for accommodations. Call (609) 924-9529.