RE: Secure IDE?
[EMAIL PROTECTED]:[EMAIL PROTECTED] wrote:
> Trei, Peter [EMAIL PROTECTED] writes:
>
> > No info on chaining modes, if any, nor of IV handling.
>
> DES/ECB, originally with a 40-bit key, more recently with 56-bit and 3DES. Keys generated by the manufacturer onto a USB dongle. No easy way to make backups of the dongle.
>
> It's a messy tradeoff: If you want something like laptop/data-theft-protection (which will suit the majority of the market), then DES-40/ECB is fine, but you want to be able to back up the dongle because if that goes (and after multiple insertions and removals it will) you've lost all your data. OTOH if you want protection from the MIB the fragile nature of the key storage is probably a benefit, but then you want 3DES/CBC to go with it. At the moment you have laptop-theft-protection crypto and MIB-protection key storage.
>
> You can buy truckloads of these things on ebay for about $20 a pop if you want to play with one.
>
> Peter.

Color me disappointed. It's a move in the right direction, but I wish they had followed through and done the right things:

* [AES | 3DES]/CBC with a good distribution of IVs
* User-generated keys (before initial disk setup, of course).
* Shutdown on dongle removal.
* Some kind of PIN or password protection on the dongle.

eNova claims not to keep a database of keys (they don't say that 'there is no database of keys', which is a little different), and to get a key copied you have to send it to them. They do seem to supply a spare.

Back a few years ago, I calculated that with the DES key search software then available, a single 200MHz machine could search 40 bits of keyspace over a long weekend. Today it would take a few hours. 40 bit DES is not secure against your kid sister (if she's a cypherpunk :-), much less industrial espionage.

Quote from http://www.abit.com.tw/abitweb/webjsp/english/mb_spec.jsp?pPRODUCT_TYPE=MotherBoardpMODEL_NAME=SecureIDE :

40-bit DES (US Data Encryption Standard) is adequate for general users

Yeah. Right.

Peter
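Added example, not part of the original message and not eNova's implementation: why ECB versus CBC with well-distributed IVs matters for whole-disk encryption. The Feistel cipher is a toy 64-bit stand-in for DES, and the per-sector IV scheme, key and disk image are assumptions constructed for illustration.

```python
import hashlib
from collections import Counter

BLOCK = 8      # 64-bit block, the same block size as DES
SECTOR = 512   # bytes per disk sector

def _f(half: bytes, key: bytes, rnd: int) -> bytes:
    # Toy round function (hash of key, round number, half block); not DES.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def encrypt_block(block: bytes, key: bytes) -> bytes:
    # 8-round balanced Feistel network standing in for the real cipher.
    l, r = block[:4], block[4:]
    for rnd in range(8):
        l, r = r, bytes(a ^ b for a, b in zip(l, _f(r, key, rnd)))
    return l + r

def ecb_encrypt_disk(disk: bytes, key: bytes) -> bytes:
    # ECB: every block is encrypted independently of its position.
    return b"".join(encrypt_block(disk[i:i + BLOCK], key)
                    for i in range(0, len(disk), BLOCK))

def cbc_encrypt_disk(disk: bytes, key: bytes) -> bytes:
    out = bytearray()
    for s in range(0, len(disk), SECTOR):
        # Assumed IV scheme: encrypt the sector number, so each sector
        # gets a distinct IV that is not guessable without the key.
        prev = encrypt_block((s // SECTOR).to_bytes(BLOCK, "big"), key)
        for i in range(s, s + SECTOR, BLOCK):
            x = bytes(a ^ b for a, b in zip(disk[i:i + BLOCK], prev))
            prev = encrypt_block(x, key)
            out += prev
    return bytes(out)

def repeated_blocks(data: bytes) -> int:
    # Count ciphertext blocks that are exact copies of another block.
    counts = Counter(data[i:i + BLOCK] for i in range(0, len(data), BLOCK))
    return sum(n - 1 for n in counts.values())

# Constructed disk image: 4 zero-filled sectors, then the same "file"
# sector stored twice.
DISK = bytes(SECTOR) * 4 + b"CONFIDENTIAL MEMO ".ljust(SECTOR, b".") * 2
KEY = b"demo-key"  # constructed key, illustration only

if __name__ == "__main__":
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt_disk(DISK, KEY)))
    print("CBC repeated blocks:", repeated_blocks(cbc_encrypt_disk(DISK, KEY)))
```

Under ECB someone holding only the encrypted disk can see which sectors are empty and which hold identical data; with chaining and per-sector IVs that structure disappears.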
RE: Secure IDE?
Trei, Peter
> ABIT has come out with a new motherboard, the IC7-MAX3 featuring something called 'Secure IDE', which seems to involve HW crypto in the onboard IDE controller:
>
> From the marketing fluff at http://www.abit.com.tw/abitweb/webjsp/english/news1.jsp?pDOCNO=en_0307251
>
> For MAX3, the ABIT Engineers listened to users who were asking for information security. SecureIDE connects to your IDE hard disk and has a special decoder; without a special key, your hard disk cannot be opened by anyone. Thus hackers and would be information thieves cannot access your hard disk, even if they remove it from your PC. Protect your privacy and keep anyone from snooping into your information. Lock down your hard disk, not with a password, but with encryption. A password can be cracked by software in a few hours. ABIT's SecureIDE will keep government supercomputers busy for weeks and will keep the RIAA away from your Kazaa files.
>
> No, I have no idea what this actually means either. I'm trying to find out.
>
> Peter Trei

Yeah, I know it's tacky to followup one's own messages, but I found a little more:

http://www.abit.com.tw/abitweb/webjsp/english/SecureIDE.htm

SecureIDE is a encryption device that uses the eNOVA X-Wall chipset that ensures confidentiality and privacy of your data through disk encryption. When booting up your system, go to DOS and implement the FDISK instruction. This instruction will make a partition to format the Hard Disk to accept the secure IDE key. After this procedure, there are no more extra steps to perform besides using the key to open the hard disk each time you boot up your system.

The accompanying diagram shows a daughterboard sitting between the HD and the system, with a USB dongle coming off the side.

eNova has more info at: http://www.enovatech.com/w/html/about.htm

The USB dongle apparently acts only as a key store, for a DES or 3DES key. It needs to be present at boot time. It appears that the key is put on the device by the manufacturer though they promise Enova Technology does not maintain a database of X-Wall Secure Keys.

On the good side, it seems to encrypt the whole disk, including the boot sector and swap.

No info on chaining modes, if any, nor of IV handling. There is no mention of a PIN or other 'something you know' required to use the USB key. I can't tell if pulling the dongle shuts down the system.

Might be neat, but as yet, insufficient information.

Peter
RE: GPS blackbox tracking
Harmon Seaver[SMTP:[EMAIL PROTECTED] wrote:
> Before this, AFAIK, we only had to worry about getting a GPS transmitting device planted on our vehicles, which would be bulky enough to spot fairly easily by anyone checking out the car's underside, etc. Here's one that doesn't transmit, just records where you go, and that info can be retrieved later ala bluetooth from 30 feet away.
>
> http://www.blackboxgps.com
>
> Harmon Seaver

Of course, if you have one of the newer 'enhanced 911' cellphones, you've done their work for them.

Peter
RE: Cypherpunks archive
I'd very much like to see the archives in a downloadable form.

Peter

--
From: Steve Furlong[SMTP:[EMAIL PROTECTED]
Sent: Monday, July 21, 2003 8:12 PM
To: [EMAIL PROTECTED]
Subject: Re: Cypherpunks archive

On Monday 21 July 2003 19:49, someone wrote:
> Can you make the raw mbox archive available, or do you have that? If it's less than about 200 meg, I can also receive it as an attachment, if you're sadistic with your mail server.

Let me think about it, and maybe ask some of the list members. The HTML that appears on the web page is sanitized a bit to prevent address harvesting. Not that c-punks' addresses are that hard to obtain other ways, but when I started the archive several people emphatically stated that they wanted the sanitizing.

Maybe I'll write a short script to sanitize the addresses in the mbox. That'll take a while to develop, to make sure I don't miss anything and because my spare time is limited for the next month and a half.

If I do make the mboxes available, they'll be available as .gz's off my top cypherpunks page. I'll post to the list if I do it.

List members: any preferences?

SRF

--
Steve Furlong    Computer Condottiere    Have GNU, Will Travel

If someone is so fearful that, that they're going to start using their weapons to protect their rights, makes me very nervous that these people have these weapons at all! -- Rep. Henry Waxman
RE: [Brinworld] Car's data recorder convicts driver
Googling on (event data recorders automobiles) will give a lot of hits. For example:

http://wpoplin.com/EventDataRecordersAutomotiveBlackBoxes.pdf

These devices are a byproduct of the introduction of airbags - the airbag processor stores the data which led it to deploy the bag. This can include

* delta v
* vehicle speed
* engine speed
* brake use
* throttle position
* driver seatbelt use

The cited report claims they only store the most recent 5 seconds of data, snapshotted at 1 second intervals. It notes that the data can thus be confusing - for example, if a wheel leaves the ground the speed reported can be way off, and if the driver pumps the brakes, the 'brake use' data is ambiguous.

It's not clear whether they store data continuously, or just when the airbag deploys.

OTOH, I seem to remember reports of drivers of high-end cars (Audis? BMWs?) getting their warranties invalidated because the main car computer noted that they had exceeded certain speeds during the break-in period. It's not just the airbag computer that can narc you out.

Peter
RE: Airlines IDs [was RE: Amtrak The War On Drugs]
Tim May[SMTP:[EMAIL PROTECTED]]
> At 12:51 PM -0700 4/25/01, Woody Patterson wrote:
> > --- [EMAIL PROTECTED] wrote:
> > > It's just as easy today- at least for one-ways. Just have the individual with the ID check in and hand the ticket to you. I've done it a million times.
> > >
> > > Free, encrypted, secure Web-based email at www.hushmail.com
> >
> > Just don't do it on United Airlines. In several airports, there are cameras behind the check-in counter that take a photo of you when you check in. This photo is available on a computer screen at the gate to any employee of the airline that cares to look.
>
> Boarding for all flights I have taken in the past several years--Southwest, American, United--has been so hectic and rushed that no stewardess is bothering to compare the boarding passes to photos!
>
> In the case of Southwest, the boarding passes are of course not even associated with a person: they are just numbered pieces of plastic.
>
> (Yeah, I _suppose_ some sufficiently determined adversary could be recording that Boarding Pass # 37 was handed to Alice Smith and that the photo of the person handing in # 37 does not match the photo taken at the ticket check-in counter -- I guarantee this is not happening UNLESS Southwest has been tipped-off and is cooperating with FBI or DEA types.)
>
> --Tim May

The bit Declan put in Wired today about the '4th Information Hiding Workshop', which contains some relevant material. Towards the end of the article, he notes:

http://www.wired.com/news/politics/0,1283,43355,00.html

-- start quote

[...] Convenience can also lend itself to anonymity. Starting about a decade ago, U.S. airlines began to check travelers' identification before letting them board a flight.

But to stave off long lines, U.S. Airways now offers electronic check-in services at some airports. The automated kiosks allow travelers -- at least those not checking luggage -- to select their seat assignment and board the plane after inserting a frequent flyer card. No government-issued identification or credit card is necessary.

What's so encouraging about this is that even the most respectable companies see nothing socially stigmatizing about offering these options, said Rosen, the Georgetown University professor. It's extremely encouraging since it shows what an American value privacy is and how many people will (buy it).

-- end quote

Now, this isn't perfect - I suspect it only works for e-tickets, which have already been bought through an identifiable credit card, but it breaks the link between who buys the ticket, and who turns up at the airport. Note that someone who has a FF card is actually motivated to loan it out, since he'd get credited with the FF points.

Sigh... Anyone remember People Express? You could get in line, get on the plane, and pay in-flight with cash (it was very cheap). No reserved seats, giant overhead bins for luggage. No IDs required. Now, *that* was private travel, circa 1980.

Peter Trei
Airlines IDs [was RE: Amtrak The War On Drugs]
Ralph Wallis[SMTP:[EMAIL PROTECTED]]
> On Tuesday, 24 Apr 2001 at 16:13, Tim May [EMAIL PROTECTED] wrote:
> > However, it used to be SOP to buy train tickets at the ticket window--for cash and with no I.D. or phone numbers or SS numbers or forehead marks. It looks like the temporary measures to combat the TWA 800 bombing sorts of events, even though TWA 800 almost certainly wasn't a bombing, are now spreading to the trains.
>
> I just read Database Nation, which notes that this was an immediate result of TWA 800 and the Atlanta Olympic bombing. (Along with similar policies for air travel.) So it's not a sign of spreading. Since Atlanta was 5 years ago, it's not a temporary measure either.

I think you've both been blindsided as to the true reason why airlines ask for ID. While the FAA did for a while (after the TWA 800 crash) suggest that airlines ask for ID, it's my understanding that at no time was it actually a regulatory requirement (I'd welcome actual cites to the contrary.)

My understanding is this:

1. It is not a regulatory requirement for an airline passenger in the US to produce identification.

2. In fact, it's a violation of the airline's common carrier status for them to do so - they must admit anyone who shows up with a valid ticket. The ticket is a bearer instrument.

3. Regardless of the legalities, US airlines will usually request ID. If you refuse, and stand your ground, and can cite the appropriate common carrier regs, and show that they can't cite any regulatory requirement, they in fact WILL let you fly without ID. However, doing so involves moving far up beyond the counter-droids to superdupervisors, calls to corporate legal counsel, and unfriendly attention from airport security. While you would win in the end, you will almost certainly have missed your plane.

4. The reason airlines do this has nothing to do with security, and everything to do with extracting the max from your wallet.

Before these regs existed, and citizen units rightfully refused to let themselves be pushed, filed, stamped, indexed, briefed, debriefed, or numbered to the extent they do today, the bearer instrument status of the tickets allowed people who traveled often to save money.

It worked like this: In the US, unscheduled, immediate travel ticket prices are extremely expensive. On American Airlines, an unrestricted Boston to San Francisco coach return ticket is over $2400 if I leave today and return tomorrow. If I book a month ahead and stay over the weekend, it's a tad over $400, a $2000 dollar savings.

Companies with lots of predictable travel (for example, one with offices near Boston and San Francisco) would buy 'John Doe' tickets a month ahead, scheduled for over-weekend stays. A traveller would go to the travel office, and pick up an outbound and return ticket (from different original trips) with dates and times which suited him, and execute his business trip at a fraction of the cost it would have if he'd bought his ticket in the naive manner.

By hassling travellers who try to use tickets with someone else's name, and lying that it is illegal to do so, airlines have greatly cut down on this cost saving strategy. If you're going to make more than one business trip between the same cities on predictable dates in the next year, you can still execute this strategy on a personal level, but it requires planning.

So don't believe the lies of the airline spinmeisters. The only security they are enhancing is that of their bottom line.

Peter Trei
RE: Airlines IDs [was RE: Amtrak The War On Drugs]
Sandy Sandfort[SMTP:[EMAIL PROTECTED]] wrote
> Peter wrote:
> > My understanding is this:
> >
> > 1. It is not a regulatory requirement for an airline passenger in the US to produce identification.
> >
> > 2. In fact, it's a violation of the airline's common carrier status for them to do so - they must admit anyone who shows up with a valid ticket. The ticket is a bearer instrument. ...
>
> How about a citation?
>
> S a n d y

That's a fair request. It looks like I can confirm assertion 1, but am (now at least) probably wrong on assertion 2.

See: http://cas.faa.gov/faq.html

-start quote---

Q. Do I have to have a photo ID to fly?

A. The FAA does not prohibit the airline from transporting any passenger who does not present a photo ID. Airlines have available to them alternate procedures that allow them to transport passengers without ID. However, some airlines choose not to use such procedures, which is their prerogative.

Q. Why didn't the airline ask for my ID?

A. The FAA does not require all passengers to present ID. The FAA requires that airlines apply additional security measures to passengers who are unable to produce ID upon request.

-end quote---

I know that in the pre-TWA800 days, it was common to travel on tickets issued to another name than one's own. I did so on numerous occasions. Of course, the airlines hated people saving money in this manner.

Peter