Happy 2005
RE: 2004: The Year That Promised Email Authentication
I see RAHWEH is back from visiting the relatives... -TD

From: R.A. Hettinga [EMAIL PROTECTED]
To: cryptography@metzdowd.com, [EMAIL PROTECTED]
Subject: 2004: The Year That Promised Email Authentication
Date: Mon, 27 Dec 2004 16:49:01 -0500

http://www.circleid.com/print/855_0_1_0/

CircleID

2004: The Year That Promised Email Authentication
By: Yakov Shafranovich
From CircleID Addressing Spam
December 27, 2004

As the year comes to a close, it is important to reflect on what has been one of the major actions in the anti-spam arena this year: the quest for email authentication. With email often called the killer app of the Internet, it is important to reflect on any major changes proposed or implemented that can affect that basic tool that many of us have come to rely on in our daily lives. And, while many of the debates involved myriads of specialized mailing lists, standards organizations, conferences and even some government agencies, it is important for the free and open source software (FOSS) community, as well as the Internet community at large, to analyze and learn lessons from the events surrounding email authentication in 2004.

THE GHOST OF CHRISTMAS PAST

The quest for email authentication did not start from scratch. Authentication systems are a well known field in computer security, and have been researched for quite some time. Nevertheless, it is only during this past year that email authentication has gained a prominent push, mainly due to the ever increasing spam problem. As is well known, the original email architecture and protocols were not designed for an open network such as the Internet. Therefore, the original designers failed to predict the virtual tidal wave of junk email that took advantage of the lack of authentication in Internet email. As a result, a junk email filter is considered one of the essential tools any Internet citizen must have in his toolkit today.

The push towards email authentication started in earnest with the publication of a proposal called RMX by a German engineer called Hadmut Danisch in early 2003. While other previous proposals had been published, none had gained any kind of traction. Hadmut's proposal, on the other hand, coincided with the opening of the Anti-Spam Research Group (ASRG) of the Internet Research Task Force (IRTF), which is an affiliate body of the IETF. The IETF created and currently maintains the Internet email standards, and an IETF affiliate was a logical body to work on addressing the spam problem on the Internet at large. Because the ASRG brought together a sizable chunk of the anti-spam world, RMX gained more exposure than any of the previous work in the field ever had.

What followed was a succession of proposals forked off the original RMX proposal until the spring of 2004, when most of them were basically confined to the dustbin of history together with RMX. In the end, only two proposals with any sizable following were left: Sender Policy Framework (SPF) and Microsoft's Caller-ID. The author of SPF, Meng Wong, managed to attract a large community to his proposal, giving it a much larger deployed base than any competitor. In many ways this effort can be compared to some of the open source projects, except this time this was an open standard rather than a piece of software. On the other side of the ring, so to speak, was Microsoft, which surprised the email world with its own proposal called Caller-ID at the RSA conference in early 2004. Eventually, the IETF agreed to consider standardization of email authentication by opening a working group called MARID in March of 2004. With the merger of SPF and Microsoft's new Sender-ID proposal, hopes were running high about the coming success of email authentication and the coming demise of spam.

Yet, ironically, this working group earned itself a record by being one of the shortest in the existence of the IETF: it lasted a little over six months until being formally shut down in September of 2004.

ALL THAT IS GOLD DOES NOT GLITTER

During the work of IETF's MARID group the quest for email authentication began to permeate circles outside the usual cadre of anti-spam geeks. Technology publications, and even the mass media, began to take note of the efforts occurring on an obscure mailing list tucked away among 200 other even more obscure groups, prodded in many cases by the public relations spokesmen of various companies in the anti-spam space, including Microsoft. Yet in many ways that was one of the fatal blows to the group and any hope of a common standard for email authentication. Several major issues arose during the operation of the working group. The first major issue, which had been bubbling beneath the surface, was technical in nature. SPF came from a group of proposals that worked with the parts of the email infrastructure that were unseen by most users. This included email servers that exchanged email among ISPs and were unseen. In the technical lingo this type of
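The article is cut off just as it turns to which identity SPF actually checks. As an added example, not code from the article or from any SPF implementation, the following evaluates an SPF record the way a receiving mail server does: against the IP address that connected to deliver the message, claiming a given envelope-sender domain. The domains, TXT records and addresses are constructed for the demonstration and no real DNS lookup is made; the a, mx, ptr and exists mechanisms are left out.

```python
"""Minimal SPF (Sender Policy Framework) evaluator over an in-memory DNS table.

Added example; not code from the article or from any SPF implementation. SPF is one
of the two proposals the article says were left standing: a domain publishes, in a
TXT record, which IP addresses may use it as the SMTP envelope sender (MAIL FROM).
The receiving mail server evaluates that record against the IP that connected to it,
left to right; the first matching mechanism decides. The records below are constructed
for the demonstration. Supported: ip4, ip6, include, all, the redirect= modifier and
the four qualifiers; a, mx, ptr and exists are out of scope.
"""
import ipaddress

# Constructed TXT records standing in for DNS (documentation-only addresses).
TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "softfail.example": "v=spf1 ip4:203.0.113.5 ~all",
    "alias.example": "v=spf1 redirect=example.com",
    "loop.example": "v=spf1 include:loop.example -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DEPTH = 10   # RFC 7208 caps DNS-causing terms; runaway recursion is a permerror


def check_host(ip, domain, depth=0):
    """Return the SPF result for a connection from `ip` claiming sender domain `domain`."""
    if depth > MAX_DEPTH:
        return "permerror"
    record = TXT.get(domain.lower())
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    redirect = None

    for term in terms[1:]:
        # Modifiers have the form name=value; only redirect= affects the result.
        if "=" in term.split(":", 1)[0]:
            key, _, value = term.partition("=")
            if key.lower() == "redirect":
                redirect = value
            continue

        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = addr.version == net.version and addr in net
        elif name == "include":
            # include matches only when the referenced record yields "pass";
            # its fail/softfail/neutral just means "keep going"; errors propagate.
            sub = check_host(ip, arg, depth + 1)
            if sub == "pass":
                matched = True
            elif sub in ("fail", "softfail", "neutral"):
                matched = False
            else:
                return "permerror"
        else:
            return "permerror"    # a, mx, ptr, exists: unsupported in this example

        if matched:
            return QUALIFIERS[qualifier]

    if redirect:
        return check_host(ip, redirect, depth + 1)
    return "neutral"   # ran off the end with no "all": RFC 7208 default


if __name__ == "__main__":
    for ip, dom in (("192.0.2.77", "example.com"), ("198.51.100.10", "example.com"),
                    ("2001:db8:1::5", "example.com"), ("203.0.113.5", "example.com"),
                    ("203.0.113.9", "softfail.example"), ("192.0.2.1", "alias.example"),
                    ("192.0.2.1", "loop.example")):
        print(f"{ip:>16} as {dom:22s} -> {check_host(ip, dom)}")
```

Note what the check does and does not say: a "pass" means the connecting IP is one the domain's owner authorized to use that envelope-sender domain. It says nothing about the human-visible From: header, which is exactly the gap the article's next section was about to get into.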
As Investigations Proliferate, Big Banks Feel Under the Gun
http://online.wsj.com/article_print/0,,SB110436575482112446,00.html

The Wall Street Journal
December 30, 2004
PAGE ONE

Checking Accounts
As Investigations Proliferate, Big Banks Feel Under the Gun
Links to Cash-Transfer Firms Raise Troubling Questions About Money Laundering; A Probe of Bank of America

By GLENN R. SIMPSON
Staff Reporter of THE WALL STREET JOURNAL
December 30, 2004; Page A1

NEW YORK -- Until last year, federal prosecutors say, a tiny Brooklyn ice-cream shop was a vital cog in al Qaeda's global fund-raising operation. Carnival French Ice Cream sold only the occasional cone from its ground-floor nook in a four-story walk-up in the Park Slope neighborhood. Its real function, according to the government, was to move money.

The shop took in $22 million between 1997 and 2003, the Justice Department alleges in federal court filings in New York. Prosecutors believe that Carnival diverted much of that money to a radical sheik in Yemen working with Osama bin Laden. The funds departed New York via the most modern and efficient method the American financial-services industry has to offer: an account at J.P. Morgan Chase & Co.

The Carnival case, according to prosecutors, illustrates how since the late 1990s, major U.S. banks doing business with suspect money-transfer outfits like the Brooklyn shop have wired billions of dollars into and out of New York for suspected terrorist and criminal organizations. One Yemeni-American man has been convicted of lying to the Federal Bureau of Investigation in the Carnival probe, and three others await trial on money-laundering and related charges. Prosecutors haven't accused J.P. Morgan Chase of wrongdoing related to Carnival. But the bank and some of its major rivals now find themselves in law enforcement's cross hairs, as regulators and prosecutors crack down on what they say is widespread abuse in the $50 billion international money-transfer industry.

Bank executives say they are being asked to bear a heavy burden in seeking to root out criminals who use them to move money. The executives say they are avidly trying to comply, but the authorities counter that the industry must do even more. One unintended consequence of this friction is that banks are simply dropping many small money-transfer businesses as clients, a move that could hurt millions of poor immigrants who send cash to relatives overseas.

All of this activity is taking place in the shadow of sensational revelations earlier this year about how Riggs National Corp., a storied institution in Washington, for years failed to make required reports to regulators about hundreds of millions of dollars in suspicious transactions. The Riggs affair involved transactions by foreign officials. But as with some cases involving storefront money-transmitters, Riggs was shown to have failed to sound an alarm over large and seemingly dubious money movements.

Now, Robert Morgenthau, the local district attorney in Manhattan, has threatened to indict Bank of America Corp. on money-laundering charges related to a suspect Latin American firm, according to federal law-enforcement officials who have been briefed on the matter. Mr. Morgenthau, in an interview, acknowledges that he is talking with the bank over how to resolve allegations that it transferred hundreds of millions of dollars for a Uruguayan money-transmitting business linked to drug trafficking, tax fraud and other financial crimes. Bank of America spokeswoman Shirley Norton says it does not comment on its relations with customers or communications with regulators and law enforcement. She adds that the bank takes its anti-money-laundering responsibilities extremely seriously, and "is routinely cooperating and partnering with law enforcement to investigate and help prosecute any individuals who might attempt to misuse our banking operations."

Shortly after the Sept. 11, 2001, terrorist attacks, Congress toughened requirements on banks to investigate their own customers and alert the government to fishy activity. But a spate of recent fines, criminal investigations and prosecutions is raising questions about how effectively banks are fulfilling their role as front-line cops in the offensive against financial impropriety. In May, regulators imposed a $25 million fine on Riggs for its lapses; a federal criminal investigation is pending. In October, AmSouth Bancorp. of Birmingham, Ala., agreed to pay $50 million in penalties for what federal banking regulators and prosecutors say was a breakdown in its money-laundering controls. And in November, The Wall Street Journal reported that Bank of New York Co. is negotiating with federal prosecutors to pay a fine of perhaps $24 million to avert a potential criminal indictment on charges that it failed to report suspicious activity at one of its branches. Bank of New York escaped criminal penalty in 2000 when a former executive and her husband pleaded guilty to laundering as much as $5 billion in
The story of Aldrich Ames and Robert Hanssen--from the KGB's point of view.
http://www.opinionjournal.com/la/?id=110006088

OpinionJournal WSJ Online
BOOKSHELF

The Man Who Stole the Secrets
The story of Aldrich Ames and Robert Hanssen--from the KGB's point of view.

BY EDWARD JAY EPSTEIN
Thursday, December 30, 2004 12:01 a.m. EST

Recently a number of former CIA officers received an invitation from the Spy Museum in Washington to attend a luncheon for former KGB Col. Victor Cherkashin. The event, as the invitation said, would afford "a once-in-a-lifetime opportunity to dine and dish with an extraordinary spymaster." In the heyday of the Cold War, such an offer, delivered with slightly more discretion, might have been the prelude to a KGB recruitment operation. Now it's merely the notice for a book party celebrating yet another memoir by a former KGB officer recounting how the KGB duped the CIA. In this case, there is a great deal to tell.

Victor Cherkashin served in the KGB from 1952, when Stalin was still in power, until the Soviet Union disintegrated in 1991. During most of that time his mission was to organize KGB operations aimed at undermining the integrity, confidence and morale of the CIA. He seems to have been good at his job.

His big opportunity came when he was the deputy KGB chief at the Soviet Embassy in Washington between 1979 and 1985. Those years were the height of a ferocious spy war within the Cold War. In "Spy Handler," Mr. Cherkashin describes in detail how he helped convert two American counterintelligence officers--one well-placed in the CIA's Soviet Russia Division, the other in the FBI--into moles. Their names are notorious now, but over the course of a decade Aldrich Ames and Robert Hanssen operated with anonymous stealth, compromising most of the CIA's and FBI's espionage efforts in the Soviet Union. But that wasn't the end of Mr. Cherkashin's glory.
Returning to Moscow, he helped run dangle operations in which KGB-controlled diplomats feigned a willingness to be recruited by their American counterparts, only to hand over disinformation when they were finally recruited. Thus when the CIA came around to investigating why its agents were being compromised in Russia, the KGB sent the CIA a disinformation agent, for example, to paint false tracks away from its moles. This agent--Mr. X--offered to betray the Soviet Union for $5,000. When the CIA snapped up the bait, Mr. X pointed it to its own secret communication center in Warrenton, Va., falsely claiming that the KGB was electronically intercepting data from its computers. The purpose, of course, was to divert the agency away from the mole, who continued betraying CIA secrets for eight more years. Told from the KGB's vantage point, Mr. Cherkashin's story provides a gripping account of its successes in the spy war. He shows Mr. Hanssen to have been an easily managed and highly productive penetration who operated via the unusual tradecraft of dead drops, leaving material at designated locations where it could be transferred without spy and handler ever meeting. (Indeed, the KGB never knew Mr. Hanssen's identity.) Mr. Ames, for his part, was a more complex case, since he had come under suspicion and the KGB had to concern itself with throwing the CIA off his trail. That America's counterespionage apparatus allowed both men to operate as long as they did is a testament to its complacency as much as to the KGB's cleverness. And indeed, Mr. Cherkashin skillfully torments his former adversary, the CIA, by attributing a large part of the KGB's success to the incompetence of the CIA leadership, or its madness. He asserts, in particular, that the CIA had been all but paralyzed by the paranoia of James Jesus Angleton, the CIA's longtime counterintelligence chief, who suspected that the KGB had planted a mole in the CIA's Soviet Russia division. Mr. 
Cherkashin is right that Mr. Angleton's concern retarded, if not paralyzed, CIA operations in Russia. After all, if the CIA was indeed vulnerable to KGB penetration, as Mr. Angleton believed, it had to assume that its agents in Russia would be compromised and used for disinformation. This suspicion would recommend a certain caution or tentativeness, to say the least. Mr. Cherkashin's taunt about Mr. Angleton's paranoia echoed what was said by Mr. Angleton's critics in the CIA, who resented his influence, believing that polygraph tests and other security measures immunized the CIA against such long-term penetration. But of course Mr. Angleton was right, too. On Feb. 21, 1994, Mr. Ames, the CIA officer who had served in the Soviet Russia division, was arrested by the FBI. He confessed that he had been a KGB mole for almost a decade and had provided the KGB with secrets that compromised more than 100 CIA operations in Russia. Mr. Hanssen was caught seven years later. Since Mr. Cherkashin had managed the recruitment of Mr. Ames and helped with that of Mr. Hanssen, his accusation that Mr. Angleton was paranoid for suspecting the possibility of a mole has the
eBay Dumps Passport, Microsoft Calls It Quits
http://www.techweb.com/article/printableArticle.jhtml;jsessionid=IUVVYXUECEG4MQSNDBGCKHSCJUMEKJVN?articleID=56800077&site_section=700029

eBay Dumps Passport, Microsoft Calls It Quits
By TechWeb News
December 30, 2004 (12:51 PM EST)
URL: http://www.techweb.com/wire/ebiz/56800077

Online auction site eBay announced Wednesday that it will soon drop support for Microsoft's Passport for log-in to the site and discontinue alerts sent via Microsoft's .Net alerts. Microsoft responded by saying that it will stop marketing Passport to sites outside its own stable.

As of late January, eBay will no longer display the Passport button on sign-in pages nor allow users to log in using their Passport accounts. Instead, members must log in directly through eBay. Likewise, eBay's dumping .Net alerts, which means that eBay customers who want to receive alerts -- for such things as auction closings, outbids, and auction wins -- will have to make other arrangements. The free-of-charge eBay Toolbar, for instance, can be used to set up alerts going to the desktop, while alerts to phones, PDAs, or pagers can be created from the user's My eBay page.

eBay was one of the first to jump on the Passport bandwagon in 2001, but is only the latest site to leap off. Job search site Monster.com, for instance, dropped Passport in October.

Microsoft has decided to stop marketing its sign-on service to other Web sites, the Los Angeles Times confirmed Thursday. The pull-back, which had been long predicted by various analysts, follows a stormy life for Passport, which among other things, suffered a pair of security breakdowns in the summer of 2003 that could have led to hackers stealing users' IDs. Microsoft also pulled its online directory of sites using Passport -- perhaps because the list would have been depressingly short -- stating in the online notice that "We have discontinued our Site Directory, but you'll know when you can use your Passport to make sign-in easier. Just look for the .NET Passport Sign In button!"

Passport will continue to be the sign-on service for various Microsoft properties, including the Hotmail e-mail service and MSN.com.

--
- R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Dept Homeland Security Research Conference in Boston, April 27-28
Not sure what mailing list this came from, but the DHS is running a shindig in Boston in April, if anybody wants to drop by. I've de-MIME-ified it, so it may be a bit harder to read.

From: DHS Homeland Security Conference [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 29, 2004 5:45 PM
Subject: Conference for Public/Private R&D Partnerships in Homeland Security, CFP

Dear Colleague,

You are invited to participate in this inaugural, must-attend, national event, sponsored by the U.S. Department of Homeland Security, Science and Technology Directorate, scheduled for April 27-28, 2005 in Boston, to encourage public-private partnering among scientists and engineers from government, national laboratories, universities, research institutes, and private sector firms investing in R&D. Private sector and university-based scientists can benefit from the technologies and technical approaches developed and deployed by the national and DHS labs. The laboratories in turn can explore leveraging opportunities with leading private sector and university-based research programs.

Please take a moment to consider submitting a paper presenting your research at this conference. If you cannot submit a paper, attend and learn what others are doing and how you can work with them. We are also seeking conference cosponsors and exhibitors from both public and private sector organizations.

Visit the conference web site, www.homelandsecurityresearchconference.org (http://anzentech.c.topica.com/maac1jvabcT5eaIcCidcadIdN1/), for more details often. It is constantly being updated.

Working Together: Conference on Public/Private R&D Partnerships in Homeland Security
Sponsored by the U.S. Department of Homeland Security, Science & Technology Directorate
April 27-28, 2005
The Seaport Hotel and World Trade Center
Boston, Massachusetts, USA

Call for Technical Papers

The First Annual Working Together: Conference on Public/Private Research & Development (R&D) Partnerships in Homeland Security

This two-day Conference will focus on state-of-the-art science and technology to anticipate, prevent, respond to, and recover from high-consequence chemical, biological, radiological, nuclear, explosives and cyber terrorist threats. The conference will also address protection of the nation's critical infrastructure, and the harnessing of science and intelligence to reduce threat and risk.

The objectives of this inaugural event are to encourage public-private partnering among scientists and engineers from government, national laboratories, universities and research institutes, and private sector firms investing in R&D, to address the collective science and technology research goals of the U.S. homeland security community. Private sector and university-based scientists can benefit from the technologies and technical approaches developed and deployed by the national and DHS labs. The laboratories in turn can explore leveraging opportunities with leading private sector and university-based research programs.

Through plenary and breakout sessions, posters and a companion Exhibition, Conference Participants will:
· learn about DHS awareness, countermeasures and response and recovery goals;
· address the most pressing technical challenges;
· identify the most critical knowledge gaps;
· be introduced to the core capabilities of national and DHS laboratories, and the Department's university-based homeland security centers; and

Background

DHS is committed to science and technology leadership, and the creation of an enduring national capability for homeland security. Toward this end, the DHS S&T Directorate supports and recognizes technical excellence in research, development, testing and evaluation (RDT&E) of homeland security technologies; encourages collaborations and partnerships among RDT&E performers across the homeland security science and technology complex; actively disseminates knowledge generated through the execution of RDT&E programs and university-based homeland security centers; and to the greatest extent practical, enhances visibility and recognition of scientists and engineers dedicated to homeland security missions.

Technical Topics

We are seeking papers on the following topics:
· Threat Characterization for: Chemical, Biological, Radiological / Nuclear, Conventional Explosives (CBRNE)
· Threat and Vulnerability Assessment including: Knowledge Discovery (Semantic Graphs), Technology-based Emerging Threats (e.g., terrorist exploitation of advances in nanotechnology and biotechnology), Advanced Risk Modeling, Simulation and Analysis for Decision Support, Modeling and Simulation (Cognition and Behavior), Discrete Sciences, Visual Analytics
· Sensors including: Performance Improvement, Next-Generation Designs, and Architecture for Devices and Systems
· Forensics and Attribution for Chemical and Biological Events
· Chemical Countermeasures Including: Detection (TICs and
Re: [CYBERIA] On-line Purchase Denied
--- begin forwarded text

Date: Thu, 30 Dec 2004 16:19:51 -0800
Reply-To: Law & Policy of Computer Communications [EMAIL PROTECTED]
Sender: Law & Policy of Computer Communications [EMAIL PROTECTED]
From: Greg Broiles [EMAIL PROTECTED]
Subject: Re: [CYBERIA] On-line Purchase Denied
To: [EMAIL PROTECTED]

On Thu, 30 Dec 2004 17:04:45 -0600, Mikus Grinbergs [EMAIL PROTECTED] wrote:

> For the second time in a month, I've had an on-line purchase denied. When I ask my credit card company, they say the refusal did not originate with them. And when I ask the merchant, they say they have contracted out the credit verification, and do not know what criteria are being used.
>
> The only potential explanation that I can think of is that my e-mail address points to an ALIAS of my ISP. Thus if the credit verification process attempts to reverse-lookup the (DYNAMIC!!) IP-address I used in requesting the purchase, the domain-name returned for that IP-address would not match the e-mail domain-name I told the merchant. [But that *is* my correct e-mail address; I've used it for many years in making many many on-line purchases.]
>
> Being told in effect "you're not good enough to buy from us" seems a strange approach towards gaining new customers.

But from the merchant's perspective, it's very difficult to know whether or not you're a customer, or a thief. Admittedly, that's not a very friendly posture to adopt relative to new business. However, if you're trying to buy something physical that the merchant is supposed to ship, a failed transaction is much worse than no transaction. If a bad guy orders something with a bad credit card number, and it gets shipped, the merchant is out-of-pocket for their wholesale cost for the item, order processing costs, shipping costs, a chargeback fee from their credit card processor, and a bunch of administrative time spent dealing with the bad order. (And, if you want to be really picky, they also may have lost the profit they'd have made if they were able to sell the same item to a real customer, if the item is in short supply.) If the order never happens, they haven't lost a thing - and, worst case, return the unsold merchandise to their supplier, or sell it at a reduced price. That's a lot better than the outcome described above.

The credit card payment system is set up so that the selling merchant loses if the transaction fails. (It is theoretically possible for them to shift the risk onto the bank(s) involved - but the rules to be followed are complicated enough, and burdensome enough, that it's easier to conceptualize them as "merchant loses".) Thus, merchants become relatively conservative about the transactions they'll accept - they might refuse a transaction if the source IP for the transaction doesn't seem reasonable relative to the shipping address, if the shipping address doesn't match the card's billing address, if the buyer can't provide the three-digit verification code printed on the back of the credit card, or if the shipping address is to a country known for being the source of a lot of fraudulent activity. This makes life difficult for honest people in those countries to order things over the Internet - but the current setup also makes life difficult for honest people to sell things without getting screwed. So far, there's no easy answer, either. You could look at transaction systems where the risk of failure is allocated to the buyer, not the merchant, such as E-gold; or systems such as Paypal, where there's an intermediary who attempts to police everyone's behavior to make transactions work reasonably. (although those attempts are imperfect, like most things in this world.)

This difficulty is an unavoidable consequence of legislation intended to, ironically, protect consumers - primarily the body of federal legislation controlling consumer credit and consumer debt collection, together with the FTC's regulations implementing the same. If a merchant believes that the cost of failure multiplied by the likelihood of failure is greater than the expected profit on the transaction, they'll decline to enter into the transaction. If you change the rules so that consumers and vendors can contract around the rules allocating risk, then riskier transactions are economically feasible, but bad things will happen, and sometimes they will happen to innocent consumers who will complain to their legislators .. and so on.

--
Greg Broiles, JD, EA
[EMAIL PROTECTED] (Lists only. Not for confidential communications.)
Law Office of Gregory A. Broiles
San Jose, CA

** For Listserv Instructions, see http://www.lawlists.net/cyberia
Off-Topic threads: http://www.lawlists.net/mailman/listinfo/cyberia-ot
Need more help? Send mail to: [EMAIL PROTECTED] **

--- end forwarded text

--
- R. A. Hettinga mailto: [EMAIL
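Greg's argument is an expected-value one, and the signals he lists are what a merchant-side screen actually computes over. Here it is worked into code as an added example: this is not Greg Broiles's code and not the rules of any card network or verification vendor. The signal weights, the base fraud rate, the chargeback and handling figures and the high-risk country set are constructed assumptions chosen only to make the arithmetic visible.

```python
"""Merchant-side order screening as an expected-value decision.

Added example; not Greg Broiles's code and not any processor's rules. The rule it
implements is the one stated in the post: decline when
    P(fraud) * cost_of_failure  >  (1 - P(fraud)) * profit_if_good.
The signals are the four the post lists (IP/shipping mismatch, AVS mismatch, missing
CVV, high-risk destination). Every weight and cost figure below is a constructed
assumption for the demonstration.
"""
from dataclasses import dataclass

# Constructed assumption: destinations this hypothetical merchant treats as high-risk.
HIGH_RISK_SHIP_TO = {"XX", "YY"}

# Constructed assumption: how much each signal raises the estimated fraud probability.
SIGNAL_WEIGHTS = {
    "ip_geo_mismatch": 0.15,    # source IP country != shipping country
    "avs_mismatch": 0.20,       # shipping address != card billing address
    "cvv_missing": 0.25,        # buyer could not give the 3-digit code on the card back
    "high_risk_country": 0.30,  # shipping to a country on the high-risk list
}
BASE_FRAUD_RATE = 0.01          # constructed: fraud rate with no adverse signal


@dataclass
class Order:
    amount: float            # price the customer pays
    wholesale_cost: float    # merchant's cost for the item
    ship_country: str
    ip_country: str
    avs_match: bool
    cvv_supplied: bool
    shipping_cost: float = 8.0
    chargeback_fee: float = 25.0   # constructed processor fee on a bad order
    handling_cost: float = 10.0    # order processing plus admin time on a bad order


def signals(order):
    """Adverse signals present on the order, in the post's list."""
    found = []
    if order.ip_country != order.ship_country:
        found.append("ip_geo_mismatch")
    if not order.avs_match:
        found.append("avs_mismatch")
    if not order.cvv_supplied:
        found.append("cvv_missing")
    if order.ship_country in HIGH_RISK_SHIP_TO:
        found.append("high_risk_country")
    return found


def fraud_probability(order):
    return min(1.0, BASE_FRAUD_RATE + sum(SIGNAL_WEIGHTS[s] for s in signals(order)))


def loss_if_fraud(order):
    """What the merchant is out of pocket when a bad order ships (the post's list)."""
    return (order.wholesale_cost + order.shipping_cost
            + order.chargeback_fee + order.handling_cost)


def profit_if_good(order):
    return order.amount - order.wholesale_cost - order.shipping_cost


def decide(order):
    """Return (decision, p_fraud, expected_profit, expected_loss)."""
    p = fraud_probability(order)
    expected_loss = p * loss_if_fraud(order)
    expected_profit = (1.0 - p) * profit_if_good(order)
    decision = "decline" if expected_loss > expected_profit else "accept"
    return decision, p, expected_profit, expected_loss


if __name__ == "__main__":
    # Constructed orders for the same item; only the signals and the margin differ.
    clean = Order(100.0, 60.0, "US", "US", avs_match=True, cvv_supplied=True)
    shaky = Order(100.0, 60.0, "US", "DE", avs_match=False, cvv_supplied=False)
    thin = Order(75.0, 60.0, "US", "DE", avs_match=True, cvv_supplied=True)
    for label, o in (("clean", clean), ("shaky", shaky), ("thin-margin", thin)):
        d, p, ep, el = decide(o)
        print(f"{label:12s} p_fraud={p:.2f} E[profit]={ep:6.2f} E[loss]={el:6.2f} -> {d}")
```

The third constructed order is the point worth noticing: a single weak signal (IP country differs from the shipping country) is enough to decline a thin-margin order but not a fat-margin one, because the downside of a bad shipment is the same either way while the upside is not. That is why an honest buyer, with nothing wrong on his side, can be refused by one merchant and accepted by another for the same item.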
Re: [IP] Cell phones for eavesdropping
From: Gadi Evron [EMAIL PROTECTED] Subject: Cell phones for eavesdropping - finally some public chatter Of course, the low-budget govt snoops go for the basestations and landline links. The pending cell phone virus which calls 911 should be a real hoot. I wonder if cell virii can carry a voice payload which they can inject as well. Or do we have to wait a few (viral) generations for that?
State of Fear by Michael Crichton
Just finished reading it (It was a Christmas present). The story involves the heroes foiling a plot by eco-terrorists who attempt to create natural disasters in an effort to push their agenda regarding global warming. Along the way Crichton presents a pretty convincing argument that scientists don't really have a good enough understanding of our climate to really estimate the impacts of mankind and that many of the events claimed to be evidence of global warming are statistically insignificant and contain huge amounts of bias. In addition, he provides references to many examples where mankind has failed miserably at trying to manage and preserve the environment. He also makes a feast (literally, read the book :-) ) of Hollywood stars who push environmental causes and claim to pine for the more simplistic and environmentally friendly life of native islanders all the while living in their huge mansions, driving their SUVs and traveling around the world in private jets. The title State of Fear comes from the concept well known to many on the list that the best way to control society is via fear. In this case fear of global warming. There are a lot of footnotes and an extensive bibliography of the current research both supporting and debunking global warming. It will be interesting to see if this book makes it into a movie (It almost seems like a rebuttal of the movie The Day After Tomorrow). Crichton's other books include The Andromeda Strain (I'm sure most of us old-timers on the list will recognize that one), Disclosure, Airframe, and (the one most new subscribers will recognize) Jurassic Park. I recommend taking a look.
Re: Finally, the Killer PKI Application
R.A. Hettinga [EMAIL PROTECTED] writes:

> http://sys-con.com/story/print.cfm?storyid=47592
>
> But SSL's greatest weakness is that it is oriented toward synchronous transactions, requiring a direct connection between participants.

Yep. Makes it difficult to thwart traffic analysis.

> Security in the Message
>
> The solution to this problem, as put forth in standards by OASIS and the W3C, is to absorb security into the message itself. That is, provide a means of authentication, integrity, and confidentiality that is integral to the message, and completely decoupled from transport channels.

.. the way encrypted email has always been.

> The Trend Away from Channel-Level Security
>
> ...
>
> Furthermore, everyone is building systems predicated to have key pairs on both sides of a transaction: at the message producer (client), and the message consumer (server).
>
> ...
>
> SSL is sufficient for Web-like, client/server application, but large enterprise computing is built on asynchronous messaging;

This is welcome news also for pseudonymous p2p commerce. So PKI is back. Maybe a work-around can be devised.

Scott Morrison
D. Popkin
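The message-level protection the quoted article describes (authentication, integrity and confidentiality carried by the message itself, key pairs on both sides, no live channel), worked through as an added Go example that is not part of the original post or of the sys-con article: the producer signs, the consumer's public key encrypts, and the consumer verifies after decrypting. It assumes Ed25519 for the producer's key pair and RSA-OAEP for the consumer's; the message text is constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Seal puts the security in the message: the producer signs with its Ed25519
// key pair, then message and signature are encrypted to the consumer's RSA
// public key with OAEP. The envelope can wait in a queue or cross an
// untrusted relay; no live SSL channel is involved. OAEP with SHA-256 and a
// 2048-bit key fits 190 bytes, enough for short messages (a production system
// would wrap a symmetric key instead).
func Seal(msg []byte, producer ed25519.PrivateKey, consumer *rsa.PublicKey) ([]byte, error) {
	body := append(append([]byte{}, msg...), ed25519.Sign(producer, msg)...)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, consumer, body, nil)
}

// Open decrypts with the consumer's private key, then verifies the producer's
// signature; a byte changed in transit fails one of the two checks.
func Open(env []byte, consumer *rsa.PrivateKey, producer ed25519.PublicKey) ([]byte, error) {
	body, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, consumer, env, nil)
	if err != nil {
		return nil, errors.New("decryption failed: damaged or not for this consumer")
	}
	if len(body) < ed25519.SignatureSize {
		return nil, errors.New("body too short to carry a signature")
	}
	n := len(body) - ed25519.SignatureSize
	if !ed25519.Verify(producer, body[:n], body[n:]) {
		return nil, errors.New("producer signature does not verify")
	}
	return body[:n], nil
}

func main() {
	// Constructed demo: key pairs on both sides, as the article describes.
	consumer, _ := rsa.GenerateKey(rand.Reader, 2048)
	producerPub, producerPriv, _ := ed25519.GenerateKey(rand.Reader)
	env, _ := Seal([]byte("order #17: ship 3 units"), producerPriv, &consumer.PublicKey)
	env[len(env)/2] ^= 1 // relay flips one bit while the message is queued
	_, err := Open(env, consumer, producerPub)
	fmt.Println("tampered envelope rejected:", err != nil)
}
```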
The push towards email authentication started in earnest with the publication of a proposal called RMX by a German engineer called Hadmut Danisch in early 2003. While other previous proposals had been published, none had gained any kind of traction. Hadmut's proposal, on the other hand, coincided with the opening of the Anti-Spam Research Group (ASRG) of the Internet Research Task Force (IRTF), which is an affiliate body of the IETF. The IETF created and currently maintains the Internet email standards, and an IETF affiliate was a logical body to work on addressing the spam problem on the Internet at large. Being that the ASRG brought together a sizable chunk of the anti-spam world, RMX gained more exposure than any of the previous work in the field ever had. What followed was a succession of proposals forked off the original RMX proposal until the spring of 2004, when most of them were basically confined to the dustbin of history together with RMX. In the end, only two proposals with any sizable following were left: Sender Policy Framework (SPF) and Microsoft's Caller-ID. The author of SPF, Meng Wong, managed to attract a large community to his proposal, giving it a much larger deployed base than any competitor. In many ways this effort can be compared to some of the open source projects, except this time this was an open standard rather than a piece of software. On the other side of the ring, so to speak, was Microsoft, which surprised the email world with their own proposal called Caller-ID at the RSA conference in early 2004. Eventually, the IETF agreed to consider standardization of email authentication by opening a working group called MARID in March of 2004. With the merger of SPF and Microsoft's new Sender-ID proposal, hopes were running high about the coming success of email authentication and the coming demise of spam.
Yet, ironically, this working group earned itself a record by being one of the shortest in the existence of the IETF: it lasted a little over six months until being formally shut down in September of 2004.

ALL THAT IS GOLD DOES NOT GLITTER

During the work of IETF's MARID group the quest for email authentication began to permeate circles outside the usual cadre of anti-spam geeks. Technology publications, and even the mass media, began to take note of the efforts occurring on an obscure mailing list tucked away among 200 other even more obscure groups, prodded in many cases by the public relations spokesmen of various companies in the anti-spam space, including Microsoft. Yet in many ways that was one of the fatal blows to the group and any hope of a common standard for email authentication. Several major issues arose during the operation of the working group. The first major issue that had been bubbling beneath the surface was technical in nature. SPF came from a group of proposals that worked with the parts of the email infrastructure that were unseen by most users. This included the email servers that exchanged email among ISPs and were unseen. In the technical lingo this type of