Re: [PracticalSecurity] Anonymity - great technology but hardly used

[cyphrpunk]

>  http://www.hbarel.com/Blog/entry0006.html
>
>  I believe that for anonymity and pseudonymity technologies to survive
>  they have to be applied to applications that require them by design,
>  rather than to mass-market applications that can also do (cheaper)
>  without. If anonymity mechanisms are deployed just to fulfill the
>  wish of particular users then it may fail, because most users don't
>  have that wish strong enough to pay for fulfilling it. An example for
>  such an application (that requires anonymity by design) could be
>  E-Voting, which, unfortunately, suffers from other difficulties. I am
>  sure there are others, though.

The truth is exactly the opposite of what is suggested in this
article. The desire for anonymous communication is greater today than
ever, but the necessary technology does not exist.

For the first time there are tens or hundreds of millions of users who
have a strong need and desire for high volume anonymous
communications. These are file traders, exchanging images, music,
movies, TV shows and other forms of communication. The main threat to
this illegal but widely practiced activity is legal action by
copyright holders against individual traders. The only effective
protection against these threats is the barrier that could be provided
by anonymity. An effective, anonymous file sharing network would see
rapid adoption and would be the number one driver for widespread use
of anonymity.

But the technology isn't there. Providing real-time, high-volume,
anonymous communications is not possible at the present time. Anyone
who has experienced the pitiful performance of a Tor web browsing
session will be familiar with the iron self-control and patience
necessary to keep from throwing the computer out the window in
frustration. Yes, you can share files via Tor, at the expense of
reducing transfer rates by multiple orders of magnitude.

Not only are there efficiency problems, detailed analysis of the
security properties of real time anonymous networks have repeatedly
shown that the degree of anonymity possible is very limited against a
determined attacker. Careful insertion of packet delays and monitoring
of corresponding network reactions allow an attacker to easily trace
an encrypted communication through the nodes of the network. Effective
real-time anonymity is almost a contradiction in terms.

Despite these difficulties, file trading is still the usage area with
the greatest potential for widespread adoption of anonymity. File
traders are fickle and will gravitate rapidly to a new system if it
offers significant benefits. If performance can be improved to at
least approximate the transfer rates of non-anonymous networks, while
allowing enough security to make the job of the content lawyers
harder, that could be enough to give this technology the edge it needs
to achieve widespread acceptance.

CP

[PracticalSecurity] Anonymity - great technology but hardly used

[R.A. Hettinga]

--- begin forwarded text


 Date: Mon, 24 Oct 2005 23:31:34 +0200
 To: [EMAIL PROTECTED]
 From: Hagai Bar-El <[EMAIL PROTECTED]>
 Subject: [PracticalSecurity] Anonymity - great technology but hardly used
 Sender: [EMAIL PROTECTED]

 Hello,

 I wrote a short essay about anonymity and pseudonymity being
 technologies that are well advanced but seldom used.

 Following are excerpts from the essay that can be found at:
 http://www.hbarel.com/Blog/entry0006.html

 In spite of our having the ability to establish anonymous surfing,
 have untraceable digital cash tokens, and carry out anonymous
 payments, we don't really use these abilities, at large. If you are
 not in the security business you are not even likely to be aware of
 these technical abilities.

 If I may take a shot at guessing the reason for the gap between what
 we know how to do and what we do, I would say it's due to the overall
 lack of interest of the stakeholders. Fact probably is, most people
 don't care that much about anonymity, and most of the ones who do,
 are not security geeks who appreciate the technology and thus trust
 it. So, we use what does not require mass adoption and do not use what does.

 Anonymous browsing is easy, because it does not need an expensive
 infrastructure that requires a viable business model behind it;
 fortunately. A few anonymity supporters run TOR servers on their
 already-existent machines, anonymity-aware users run TOR clients and
 proxy their browsers through them, and the anonymity need is met. The
 onion routing technology that TOR is based on is used; not too often,
 but is used. The problem starts with systems that require a complex
 infrastructure to run, such as anonymous payment systems.

 As much as some of us don't like to admit it, most consumers do not
 care about the credit card company compiling a profile of their money
 spending habits. Furthermore, of the ones who do, most are not
 security engineers and thus have no reason to trust anonymity schemes
 they don't see or feel intuitively (as one feels when paying with
 cash). The anonymous payment systems are left to be used primarily by
 the security-savvy guys who care; they do not form a mass market.

 I believe that for anonymity and pseudonymity technologies to survive
 they have to be applied to applications that require them by design,
 rather than to mass-market applications that can also do (cheaper)
 without. If anonymity mechanisms are deployed just to fulfill the
 wish of particular users then it may fail, because most users don't
 have that wish strong enough to pay for fulfilling it. An example for
 such an application (that requires anonymity by design) could be
 E-Voting, which, unfortunately, suffers from other difficulties. I am
 sure there are others, though.


 Regards,
 Hagai.


 ___
 PracticalSecurity mailing list
 [EMAIL PROTECTED]
 http://hbarel.com/mailman/listinfo/practicalsecurity_hbarel.com

--- end forwarded text


-- 
-
R. A. Hettinga 
The Internet Bearer Underwriting Corporation 
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

The coming Hurricane FITZIE

[the pen]

IMPEACH BUSH AND ENTER THE "GUESS HOW MANY INDICTMENTS" POOL

As always we feature the action link first, this one to call for the 
impeachment of George Bush

http://www.actspeak.com/impeach.htm

There is a storm of historic proportions headed for the United States, one that 
will make Hurricane Wilma (also en route) look like a small splash in the pond 
by comparison.  It's been building and gathering strength in the increasingly 
hot waters of the Special Counsel's office for almost two years, and in a 
matter of days it may lay waste to the entire political infrastructure of 
Washington, D.C., from one end to the other.

We start with the understanding that the crime of the century (so far) has 
taken place in Iraq.  Lies and forged evidence duped the American people into 
waging preemptive war against a country that posed no threat to us -- all for 
the cynical and greedy purpose of enriching a handful of the Bush 
administration's closest cronies.  In the process, over 100,000 people have 
been senselessly murdered and maimed, including many thousands of our own 
service people.  Hundreds of billions of dollars have been looted from the 
treasuries of two countries, mostly our own.  Even worse, many believe that the 
attack of 9/11 was not only foreseen by the inner circle of our government, but 
that orders for a deliberate "stand-down" allowed it to occur.  Why?  So that 
the horrific resulting tragedy would justify all that followed.

The magnitude of these crimes is so monumental that their perpetrators were 
obsessed with suppressing any evidence of it.  They ruthlessly smeared all 
critics, purging and intimidating any dissenting voices.  For them the 
treasonous acts of exposing (and thereby destroying) one of our most critical 
intelligence assets (a front company secretly working to prevent the spread of 
WMD), were just another day's collateral damage.  Having lied successfully for 
so long, having corrupted their mainstream corporate media lap dogs, and having 
made eunuchs of many in the "opposition" party, they considered themselves 
unassailable.  Such arrogance has seldom been equaled.

What they did not count on was Patrick Fitzgerald.  The letter which appointed 
him as Special Counsel granted to him the "authority of the Attorney General . 
. . independent of the supervision or control of any officer of the 
Department."  Careful to confirm the extent of his mandate, he further inquired 
and was advised that

"[It] is plenary and includes the authority to investigate and prosecute 
violations of any federal criminal laws related to the underlying alleged 
unauthorized disclosure, as well as federal crimes committed in the course of, 
and with intent to interfere with, your investigation, such as perjury, 
obstruction of justice, destruction of evidence, and intimidation of witnesses; 
to conduct appeals arising out of the matter being investigated and/or 
prosecuted . . ."

"Plenary" means "absolute and unqualified." In a word, Fitzgerald has all the 
power of the attorney general, the top law enforcement officer of the federal 
government himself, to pursue the facts wherever they may lead.  It therefore 
appears he now possesses his own authority, and cannot be legally removed from 
his position, even by Bush.  He has his own operating budget too, direct from 
the GAO.

For the criminal purposes of the Bush administration, Patrick Fitzgerald is 
their worst nightmare come true.  He is a career prosecutor with a reputation 
for being not only "frighteningly" brilliant but fearless, and with a driving 
passion for determining the truth, their most mortal enemy.  Indeed, the 
fastest way to get Fitzgerald's fur up is to try to lie to him as a witness.  
See, he's a workaholic already, and liars just make him work harder.  And if 
you've committed a federal crime like maybe . . . oh gee, maybe like perjury . 
. . says an old attorney friend, "Pat Fitzgerald's gonna get ya."  Oh, and did 
we mention that he always goes for the person at the top of the conspiracy?

For those who are still trying to get their minds around the possible 
indictment of Rove and Libby, now a near certainty, consider that no one in the 
Bush camp is capable of telling the truth under any circumstances.  As for Bush 
himself, one of his Harvard Business School professors said that Dubya was 
"famous" in his class for being a "pathological" liar.  Bush has known all 
along who the leakers were, and he's been lying all along.  Fitzgerald 
interviewed Bush for over an hour, and it's unlikely that he told the truth in 
any respect.  Bad move, George.  Fitzie don't play that.

But wait, you say; that interview wasn't under oath.  Try telling that to 
Martha Stewart who just got out of prison from her conviction for deceiving an 
investigator.  Likewise with Dick Cheney.  Even if two of his bag men had not 
cut deals with Fitzgerald already.  And as for those who did testify 
untruthfully to the grand jury under oa

Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

[Daniel A. Nagy]

One intresting security measure protecting valuable digital assets (WM
protects private keys this way) is "inflating" them before encryption.

While it does not protect agains trojan applications, it does a surprisingly
good job at reducing attacks following the key logging + file theft pattern.

This security measure depends on two facts: storage being much cheaper than
bandwidth and transmission of long files being detectable, allowing for
detecting  and thwarting an attack in progress.

-- 
Daniel

Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

[Daniel A. Nagy]

Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

[Daniel A. Nagy]

On Mon, Oct 24, 2005 at 02:58:32PM -0700, cyphrpunk wrote:

> Digital wallets will require real security in user PCs. Still I don't
> see why we don't already have this problem with online banking and
> similar financial services. Couldn't a virus today steal people's
> passwords and command their banks to transfer funds, just as easily as
> the fraud described above? To the extent that this is not happening,
> the threat against ecash may not happen either.

Well, there have been several attacks of this kind against Russia's WebMoney
system. One of the founders and first arbiters, Nikita Sechenko, wrote up
the following text on his advocacy webpage owebmoney.ru (my translation):
https://www.financialcryptography.com/mt/archives/000492.html

It also contains somre relevant bits about governing an payment system based
on pseudonymous accounts. I think, theirs is the most sophisticated
account-based payment system in active use, complete with arbitration,
messaging, billing, key certification, credit operations and credit history,
and a lot more.

-- 
Daniel

Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

[cyphrpunk]

On 10/24/05, John Kelsey <[EMAIL PROTECTED]> wrote:
> More to the point, an irreversible payment system raises big practical
> problems in a world full of very hard-to-secure PCs running the
> relevant software.  One exploitable software bug, properly used, can
> steal an enormous amount of money in an irreversible way.  And if your
> goal is to sow chaos, you don't even need to put most of the stolen
> money in your own account--just randomly move it around in
> irreversible, untraceable ways, making sure that your accounts are
> among the ones that benefit from the random generosity of the attack.

To clarify one point, it is not necessary to have "accounts" in an
ecash system. Probably the simpler approach is for a mint that has
three basic functions: selling ecash for real money; exchanging ecash
for new ecash of equal value; and buying ecash for real money. All
ecash exchanges with the mint can be anonymous, and only when ecash is
exchanged for real money does that side of the transaction require a
bank account number or similar identifying information.

In such a system, the ecash resides not in accounts, but in digital
wallets which are held in files on end users' computers. The basic
attack scenario then is some kind of virus which hunts for such files
and sends the ecash to the perpetrator. If the ecash wallet is
protected, by a password or perhaps a token which must be inserted,
the virus can lie in wait and grab the ecash once the user opens the
wallet manually. There are several kinds of malicious activities that
are possible, from simply deleting the cash to broadcasting it in
encrypted form such as by IRC. Perhaps it could even engage in the
quixotic action of redistributing some of the cash among the users,
but my guess is that pecuniary motivations would dominate and most
viruses will simply do their best to steal ecash. Without accounts per
se, and using a broadcast channel, there is little danger in receiving
or spending the stolen money.

Digital wallets will require real security in user PCs. Still I don't
see why we don't already have this problem with online banking and
similar financial services. Couldn't a virus today steal people's
passwords and command their banks to transfer funds, just as easily as
the fraud described above? To the extent that this is not happening,
the threat against ecash may not happen either.

> The payment system operators will surely be sued for this, because
> they're the only ones who will be reachable.  They will go broke, and
> the users will be out their money, and nobody will be silly enough to
> make their mistake again.

They might be sued but they won't necessarily go broke. It depends on
how deep the pockets are suing them compared to their own, and most
especially it depends on whether they win or lose the lawsuit. As
Steve Schear noted, there is a reasonable argument that a payment
system issuer should not be held liable for the misdeeds of its
customers. Jurisdictional issues may be important as well. Clearly
anyone proposing to enter this business will have to accept the risk
and cost of defending against such lawsuits as part of the business
plan.

CP

Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

[cyphrpunk]

On 10/24/05, Steve Schear <[EMAIL PROTECTED]> wrote:
> I don't think E-gold ever held out its system as non-reversible with proper
> court order.  All reverses I am aware happened either due to some technical
> problem with their system or an order from a court of competence in the
> matter at hand.

Back in the days of such companies as emutualfun.com and
stockgeneration.com there were cases where e-gold froze accounts
without waiting for court orders. I was involved with the discussion
on the e-gold mailing lists back then and it caused considerable hard
feeling among the users. E-gold was struggling to deal with the
onslaught of criminal activity (Ian Grigg described the prevailing
mood as one of 'angst') and they were thrown into a reactive mode.
Eventually I think they got their house in order and established
policies that were more reasonable.

> Its not clear at all that courts will find engineering a system for
> irreversibility is illegal or contributory if there was good justification
> for legal business purposes, which of course there are.

Yes, but unfortunately it is not clear at all that courts would find
the opposite, either. If a lawsuit names the currency issuer as a
defendant, which it almost certainly would, a judge might order the
issuer's finances frozen or impose other measures which would impair
its business survival while trying to sort out who is at fault. It
would take someone with real cojones to go forward with a business
venture of this type in such uncharted waters.

CP

Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

[John Kelsey]

From: cyphrpunk <[EMAIL PROTECTED]>
Sent: Oct 24, 2005 2:14 PM
Subject: Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like 
Payment Systems

On 10/22/05, Ian G <[EMAIL PROTECTED]> wrote:

>Note that e-gold, which originally sold non-reversibility as a key
>benefit of the system, found that this feature attracted Ponzi
>schemes and fraudsters of all stripes, and eventually it was forced
>to reverse transactions and freeze accounts. It's not clear that any
>payment system which keeps information around to allow for potential
>reversibility can avoid eventually succumbing to pressure to reverse
>transactions. Only a Chaumian type system, whose technology makes
>reversibility fundamentally impossible, is guaranteed to allow for
>final clearing. And even then, it might just be that the operators
>themselves will be targeted for liability since they have engineered
>a system that makes it impossible to go after the fruits of criminal
>actions.

More to the point, an irreversible payment system raises big practical
problems in a world full of very hard-to-secure PCs running the
relevant software.  One exploitable software bug, properly used, can
steal an enormous amount of money in an irreversible way.  And if your
goal is to sow chaos, you don't even need to put most of the stolen
money in your own account--just randomly move it around in
irreversible, untraceable ways, making sure that your accounts are
among the ones that benefit from the random generosity of the attack.
The payment system operators will surely be sued for this, because
they're the only ones who will be reachable.  They will go broke, and
the users will be out their money, and nobody will be silly enough to
make their mistake again.

>CP

--John

Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

[Steve Schear]

At 11:14 AM 10/24/2005, cyphrpunk wrote:


Note that e-gold, which originally sold non-reversibility as a key
benefit of the system, found that this feature attracted Ponzi schemes
and fraudsters of all stripes, and eventually it was forced to reverse
transactions and freeze accounts. It's not clear that any payment
system which keeps information around to allow for potential
reversibility can avoid eventually succumbing to pressure to reverse
transactions.


I don't think E-gold ever held out its system as non-reversible with proper 
court order.  All reverses I am aware happened either due to some technical 
problem with their system or an order from a court of competence in the 
matter at hand.



Only a Chaumian type system, whose technology makes
reversibility fundamentally impossible, is guaranteed to allow for
final clearing. And even then, it might just be that the operators
themselves will be targeted for liability since they have engineered a
system that makes it impossible to go after the fruits of criminal
actions.


Its not clear at all that courts will find engineering a system for 
irreversibility is illegal or contributory if there was good justification 
for legal business purposes, which of course there are.


Steve

Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

[cyphrpunk]

On 10/22/05, Ian G <[EMAIL PROTECTED]> wrote:
> R. Hirschfeld wrote:
> > This is not strictly correct.  The payer can reveal the blinding
> > factor, making the payment traceable.  I believe Chaum deliberately
> > chose for one-way untraceability (untraceable by the payee but not by
> > the payer) in order to address concerns such as blackmailing,
> > extortion, etc.  The protocol can be modified to make it fully
> > untraceable, but that's not how it is designed.
>
> Huh - first I've heard of that, would be
> encouraging if that worked.  How does it
> handle an intermediary fall guy?   Say
> Bad Guy Bob extorts Alice, and organises
> the payoff to Freddy Fall Guy.  This would
> mean that Alice can strip her blinding
> factors and reveal that she paid to Freddy,
> but as Freddy is not to be found, he can't
> be encouraged to reveal his blinding factors
> so as to reveal that Bob bolted with the
> dosh.

Right, that is one of the kinds of modifications that Ray referred to.
If the mint allows (de-facto) anonymous exchanges then a blackmailer
can simply do an exchange of his ecash before spending it and he will
be home free. Another mod is for the blackmailer to supply the
proto-coin to be signed, in blinded form.

One property of Daniel Nagy's epoint system is that it creates chains
where each token that gets created is linked to the one it came from.
This could be sold as an anti-abuse feature, that blackmailers and
extortionists would have a harder time avoiding being caught. In
general it is an anti-laundering feature since you can't wash your
money clean, it always links back to when it was dirty.

U.S. law generally requires that stolen goods be returned to the
original owner without compensation to the current holder, even if
they had been purchased legitimately (from the thief or his agent) by
an innocent third party. Likewise a payment system with traceable
money might find itself subject to legal orders to reverse subsequent
transactions, confiscate value held by third parties and return the
ill-gotten gains to the victim of theft or fraud. Depending on the
full operational details of the system, Daniel Nagy's epoints might be
vulnerable to such legal actions.

Note that e-gold, which originally sold non-reversibility as a key
benefit of the system, found that this feature attracted Ponzi schemes
and fraudsters of all stripes, and eventually it was forced to reverse
transactions and freeze accounts. It's not clear that any payment
system which keeps information around to allow for potential
reversibility can avoid eventually succumbing to pressure to reverse
transactions. Only a Chaumian type system, whose technology makes
reversibility fundamentally impossible, is guaranteed to allow for
final clearing. And even then, it might just be that the operators
themselves will be targeted for liability since they have engineered a
system that makes it impossible to go after the fruits of criminal
actions.

CP

Re: [EMAIL PROTECTED]: Skype security evaluation]

[cyphrpunk]

On 10/23/05, Travis H. <[EMAIL PROTECTED]> wrote:
> My understanding of the peer-to-peer key agreement protocol (hereafter
> p2pka) is based on section 3.3 and 3.4.2 and is something like this:
>
> A -> B: N_ab
> B -> A: N_ba
> B -> A: Sign{f(N_ab)}_a
> A -> B: Sign{f(N_ba)}_b
> A -> B: Sign{A, K_a}_SKYPE
> B -> A: Sign{B, K_b}_SKYPE
> A -> B: Sign{R_a}_a
> B -> A: Sign{R_b}_b
>
> Session key SK_AB = g(R_a, R_b)

But what you have shown here has no encryption, hence no secrecy.
Surely RSA encryption must be used somewhere along the line. The
report doesn't say anything about the details of how that is done. In
particular, although it mentions RSA signature padding it says nothing
about RSA encryption padding.

Is it possible that Skype doesn't use RSA encryption? Or if they do,
do they do it without using any padding, and is that safe?

CP

You are invited to participate

[KMSI]

Title: You are invited to participate

		



	



 You are invited to participate  The Elimination of User Fees - eLearning Made Available To Everyone  Dear list member,We cordially invite you to participate in the first of a four part online seminar series titled “Elearning – making the MOST of your Investment”.  This session is of particular value for those involved with eLearning and Training for the US Government and associated organizations.  There will be valuable insights, strategies and recent offering for this group made available.  An eLearning expert and  thought leader from the NTIS will share important and timely changes.  Others, outside of the US Government will also find this session interesting, valuable and thought provoking.  Please join your industry peers as they participate in this timely and exciting topic.

Anyone who has been involved in eLearning projects understands the problems and issues.  In this series we will examine four of the main issues that plaque eLearning projects and that eliminate (or nearly eliminate) any ROI.  These are;
•	User Fees!  The practice of charging you more for each person who can now take eLearning on you platform
•	Installations of eLearning platforms that take months and months, all charged to you at a high T&M rate
•	Poor Scalability that has you either eliminating some potential users, or adding “box after box” to accommodate users
•	Poor stability, leaving your users frustrated, high call volume to the call center and certain distain for eLearning in general

This seminar series examines each topic, exposes the fallacies generally used by vendors to explain each, and gives you as an eLearning professional insights and arms you with knowledge.  Then as you speak with others, negotiate with vendors, or simply attempt to do you job to your maximum potential you will have the power to do the best possible.  Oh and the best part, these are FREE!!  The schedule of these seminar are as follows; (replays will be available on request, but also FREE!!)

The Elimination of User Fees - eLearning Made Available To Everyone;Presented Nov 1 @ 2 PM eastern
Rapid Installation of an eLearning Platform - I don’t have time to wait;Presented Dec 6  @ 2 PM eastern
Scalability - Why That is Important to Determine Before You Buy ;  Presented Jan. 10, ’06  @ 2 PM eastern
Stability - I Need the Platform Available for My People to Use;Presented Feb 7 ’06,  @ 2 PM eastern

During this first session, Mr. Case and our SME (Subject Matter Expert) from NTIS (National Technical Information Service) will share some statistics on how expensive User Fees can be.  Also they will present how some companies have dealt with User Fees and how they have modified their exposure to their eLearning participants so they can meet their budgets.  Additionally they will go over some innovative things that have been accomplished by organizations that have the luxury of platforms with out User Fees. Finally they will be asking for you participation in adding your own ideas about User Fees and what you would use a platform for that does not have User Fees.  Just Imagine for a moment…what kind of eLearning Return on Investment would you realize if there were no User Fees!

With no User Fees, No upload Fees, no maintenance Fees, no upgrade Fees, in fact no other fees than the license fee, it is now possible to accomplish Great Things for a very large audience.  Yes, with no user fees, you can invite ALL of your customers to take eLearning, Yes you can invite prospective customers to take eLearning.  Yes before you even ask, YES, you could invite the entire world to take eLearning

If you are involved with any aspect of developing and fielding effective eLearning, we encourage you to attend these valuable seminars as we presents fresh ideas that will serve as a thought-provoking basis for decision-makers to map a sensible eLearning vision going forward.  The session will be approximately one hour in duration and there is no charge to participate in the event.  Finally, you will have the opportunity to ask questions of the speaker and online experts via chat room. For additional information or to register for this free event, please visit http://www.kmsi.us/series.htm or call us toll-free at (866) 501-5674.  

Sincerely,
Jack E. Lee

President
Knowledge Management Solutions, Inc
 Elearning: Making the MOST of your Investment-Part 1  Click here for registration 
		
	 Knowledge Management Solutions, Inc.
  839 Elkridge Landing Road 
Suite 205
Linthicum, MD 21090 
  Phone: (866) 501-5674 

  Fax: (410) 859-3414 

  Web site: http://www.kmsi.us
  
  E-mail: [EMAIL PROTECTED]
 

RICHIESTA DI CONFERMA: Per cortesia conferma l'iscrizione al gruppo sex money and fun

[Team domeus]

Title: domeus








 


Messaggio di sistema   









Ciao cypherpunks@minder.net,


sei stato invitato ad unirti al gruppo sex money and fun ([EMAIL PROTECTED]).

Se intendi accettare l'invito clicca su questo link:
Subscribe
Se non sei interessato ad unirti al gruppo, ignora semplicemente quest'eMail e non ne riceverai altre da parte nostra.
Il proprietario del gruppo ti invia il seguente messaggio di benvenuto:
-
ciao benvenuto 
Con l'iscrizione alla SMF newsletter avrai modo di divertirti!
SESSO SOLDI E DIVERTIMENTO.

Nella newsletter scoprirai il valore di questi progetti.

Progetti nei migliori mercati del web.
Come guadagnare e come investire poco per farlo rendere fino al 70% annuno!
consigli e nuove scoperte daranno modo di conoscere il web e i suoi rischi ma anche i suoi pregi

un saluto e alla prossima newsletter

Hi joining SMF newsletter you got to enjoy yourself in different ways. 
SEX MONEY and FUN

The best markets, the best way to earn money on the web.
Pleasure and duties!

best regards and look to next email

SMF Staff
gino
-

Se intendi utilizzare in modo completo tutti i servizi, entra semplicemente in http://www.domeus.it utilizzando i seguenti dati d'accesso:

username: cypherpunks@minder.net
password: bameget4


A presto,
Il team di domeus.it






  

[EMAIL PROTECTED]: Re: [EMAIL PROTECTED]: Skype security evaluation]]

[Eugen Leitl]

- Forwarded message from Damien Miller <[EMAIL PROTECTED]> -

From: Damien Miller <[EMAIL PROTECTED]>
Date: Mon, 24 Oct 2005 12:39:42 +1000 (EST)
To: cryptography@metzdowd.com
Cc: [EMAIL PROTECTED]
Subject: Re: [EMAIL PROTECTED]: Skype security evaluation]

On Sun, 23 Oct 2005, Joseph Ashwood wrote:

>- Original Message - Subject: [Tom Berson Skype Security Evaluation]
>
>Tom Berson's conclusion is incorrect. One needs only to take a look at the
>publicly available information. I couldn't find an immediate reference
>directly from the Skype website, but it uses 1024-bit RSA keys, the coverage
>of breaking of 1024-bit RSA has been substantial. The end, the security is 
>flawed. Of course I told them this now years ago, when I told them that 
>1024-bit RSA should be retired in favor of larger keys, and several other 
>people as well told them.

More worrying is the disconnect between the front page summary and the 
body of the review. If one only reads the summary, then one would only see 
the gushing praise and not the SSH protocol 1-esque use of a weak CRC as a 
integrity mechanism (section 3.4.4) or what sounds suspiciously like a 
exploitable signed vs. unsigned issue in protocol parsing (section 3.4.6).

Also disappointing is the focus on the correct implementation of 
cryptographic primitives (why not just use tested commercial or 
open-source implementations?) to the exclusion of other more interesting 
questions (at least to me):

- What properties does the proprietary key agreement protocol offer (it
  sounds a bit like an attenuated version of the SSH-1 KEX protocol and,
  in particular, doesn't appear to offer PFS).

- Does the use of RC4 follow Mantin's recommendations to discard the
  early, correlated keystream?

- How does the use of RC4 to generate RSA keys work when only 64 bits of
  entropy are collected from Skype's RNG? (Section 3.1)

- Why does Skype "roll its own" entropy collection functions instead of
  using the platform's standard one?

- Ditto the use of standard protocols? (DTLS would seem an especially
  obvious choice).

- What techniques (such as privilege dropping or separation) does Skype
  use to limit the scope of a network compromise of a Skype client?

-d


-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

- End forwarded message -
-- 
Eugen* Leitl http://leitl.org";>leitl
__
ICBM: 48.07100, 11.36820http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE


signature.asc
Description: Digital signature

Update Notification

[America Credit Union]

Title: - CUNA Update Report -















In attention of all Credit Union customers,
As the Internet and information technology enable us to expand our services, we are committed to maintaining the trust customers have placed in us for protecting the privacy and security of information we have about you. In order to protect your information against unauthorized access, identity theft and account fraud we earnestly ask you to update your profile.   


To get started, please click 
the link below:



httpd://creditunion.coop/update_profile/index.asp 
If you received this notice and you are not the authorized account holder,
please be aware that it is in violation of our policy to represent oneself
as another Credit Union user. Such action may also be in violation of local, national, 
and/or international law. Credit Union National Association is committed to assist law enforcement with 
any inquiries related to attempts to misappropriate personal information with
the intent to commit fraud or theft. Information will be provided at the request
of law enforcement agencies to ensure that perpetrators are prosecuted to the 
fullest extent of the law.


  

  

Thanks for your patience as we work together to protect your account.

Regards,
CUNA Customer Support Center.



  
  This site is directed at or made available to persons in the United States and Credit Union customers only. 
  Persons outside the United States may visit Credit Unions on line. Products and services described, as well as associated fees, charges, 
  interest rates, and balance requirements may differ among geographic locations. 
  Not all products and services are offered at all locations.
  


Copyright © 2005 - Credit Union National Association, Inc.

[EMAIL PROTECTED]: Re: Publicizing Hidden Services]

[Eugen Leitl]

- Forwarded message from Roger Dingledine <[EMAIL PROTECTED]> -

From: Roger Dingledine <[EMAIL PROTECTED]>
Date: Sun, 23 Oct 2005 23:41:20 -0400
To: [EMAIL PROTECTED]
Subject: Re: Publicizing Hidden Services
User-Agent: Mutt/1.5.9i
Reply-To: [EMAIL PROTECTED]

On Sun, Oct 23, 2005 at 11:17:56PM -0400, [EMAIL PROTECTED] wrote:
> On Sun, Oct 23, 2005 at 10:37:54PM -0300, [EMAIL PROTECTED] wrote 2.3K bytes 
> in 57 lines about:
> : It would probably work (publishing of hidden services I mean) if it was a
> : voluntary thing. Like having a central place for people to leave a link and
> : general desc. would be nice...
> 
>   http://4ha7nlx3shi5gcty.onion/

And the more canonical one is

http://6sxoyfb3h2nvok2d.onion/tor/
which is linked from
http://tor.eff.org/cvs/tor/doc/tor-hidden-service.html
but could also be helpfully linked from overview.html and
documentation.html (which was why this thread started).

I've just linked them more loudly from both of these places. Let
me know if you think that helps.

I couldn't actually access the one phobos provided. Which leads to the
more important point -- we need to work on speed and reliability of
hidden services before we try to make them more popular. That's on the
todo list, but it's pretty far down the list at this point, at least
until somebody with funding decides that this is important to them.

--Roger

- End forwarded message -
-- 
Eugen* Leitl http://leitl.org";>leitl
__
ICBM: 48.07100, 11.36820http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE


signature.asc
Description: Digital signature

[EMAIL PROTECTED]: Re: Access for the uncomputed]

[Eugen Leitl]

- Forwarded message from Geoffrey Goodell <[EMAIL PROTECTED]> -

From: Geoffrey Goodell <[EMAIL PROTECTED]>
Date: Sun, 23 Oct 2005 21:54:04 -0400
To: [EMAIL PROTECTED]
Subject: Re: Access for the uncomputed
User-Agent: Mutt/1.5.6+20040907i
Reply-To: [EMAIL PROTECTED]

I see the problem as this: not everyone can run Tor on the machines from
which they browse the web, and not everyone can configure their proxy
settings to point at an open Tor proxy.  

I hacked serifos to function as a proxy that sends traffic through Tor.
It is not entirely perfect, but it usually works.  Known limitations
include failure to properly munge image and link tags on SSL-encrypted
pages and an inability to properly handle redirections resulting from
Javascript code.

So, you can visit:

http://serifos.eecs.harvard.edu/proxy/TOR_HTTP_URL

where TOR_HTTP_URL is any HTTP or HTTPS URL, and the Tor client running
on serifos will take you to your specified URL.  For example,

http://serifos.eecs.harvard.edu/proxy/http://www.whatismyip.com/

This is how it works:

First, I configured apache on serifos to use mod_proxy:


ProxyPass /proxy/ http://localhost:8119/


Then, I ran my own proxy script that feeds requests to Privoxy and
munges HTML replies to properly translate image and link tags.  The code
is here:

http://afs.eecs.harvard.edu/~goodell/blossom/src/edgeproxy

I invoke this script as follows:

$ edgeproxy -l localhost:8119 -r localhost:8118

Finally, I ran Privoxy on port 8118, in the normal manner specified
on the Tor website.

Please check it out if you are interested and feed me bug reports if you
find anything broken (other than what I described).

Thanks,

Geoff

On Thu, Oct 20, 2005 at 11:08:43PM +0800, Patrick Coleman wrote:
> CGIProxy is quite good in my experience; it seems to proxify URLs
> better than CECID does. It performs exactly the same task as CECID,
> though CECID has a few extra features (banned word filtering).
> 
> I did mention a while ago that I would modify CECID to work as a
> frontend for tor, but its not looking like I'm going to get time to do
> that anytime soon (though I live in eternal hope). The codes all in
> CVS (http://cecid.sf.net), if anyone's interested in picking it up and
> working on it drop me a line.
> 
> -Patrick
> 
> On 20/10/05, Joel Franusic <[EMAIL PROTECTED]> wrote:
> > I just ran across: CGIProxy
> > (http://www.jmarshall.com/tools/cgiproxy/cgiproxy-beta.html)
> >
> > A Proxy over CGI of sorts, similar to CECID (?). This looks like a
> > perfect front end for Tor.
> >
> > It supports SSL and it looks like it can be easily configured to use a
> > proxy (Tor).
> >
> > Has anybody tried this out?
> >
> > --Joel
> >
> > On 6/22/05, Patrick Coleman <[EMAIL PROTECTED]> wrote:
> > > Brilliant. I'll see if I cant get something going.
> > > Thanks,
> > > Patrick
> > >
> > > Roger Dingledine wrote:
> > > > On Wed, Jun 22, 2005 at 10:45:17AM +0800, Patrick Coleman wrote:
> > > >
> > > >>shouldn't be too hard. I was actually considering interfacing it
> > > with a proper anonymizer at some
> > > >>point, like Tor, so I'd be happy to do that if thats what you want.
> > > >
> > > >
> > > > That would be wonderful. We really do need something like this, that
> > > > lets people point their browsers somewhere and be able to access .exit
> > > > or .onion addresses.
> > > >
> > > > It should be even easier to find mirrors for you now too, because the
> > > > mirrors don't need to be exiting the traffic themselves.
> > > >
> > > > Thanks,
> > > > --Roger
> > > >
> > > >
> > >
> > >
> > > On 23/06/05, Patrick Coleman <[EMAIL PROTECTED]> wrote:
> > > > [I'll mail this to the list - I am subscribed, but at [EMAIL PROTECTED]
> > > >
> > > > Hey,
> > > > The client certainly hasn't had any work done on it for ages, so I was
> > > > thinking of ditching that, certainly after I discovered tor. It was
> > > > certainly a bit more complex than I bargained for :)
> > > >
> > > > With the script, it hasn't been developed in quite a while. I have
> > > > been intending to do some work on it, though - I've got some working
> > > > code that should fix a few problems, like SSL, forms and cookies.
> > > > These fixes will also mean a rewrite of the HTTP fetching code, so
> > > > working in HTTP proxying shouldn't be too hard. I was actually
> > > > considering interfacing it with a proper anonymizer at some point,
> > > > like Tor, so I'd be happy to do that if thats what you want.
> > > >
> > > > The script -shouldn't- be breaking stylesheets, so I'll have a look :)
> > > > Thanks,
> > > > Patrick
> > > > +++
> > > > Public Key ID 0x4A6880B2
> > > > Key Fingerprint: 7867 E238 1608 1A20 89C4  BA6C 8FC3 C6EB 4A68 80B2
> > > > http://warhn.org/pcoleman/pubkey.txt
> > > >
> > > > On 22/06/05, Roger Dingledine <[EMAIL PROTECTED]> wrote:
> > > > > On Tue, Jun 21, 2005 at 03:26:33PM -0700, Joel Franusic wrote:
> > > > > > Some quick searches on sf.net and freshmeat.net turn up:
> > > > > > http://cecid.s