Re: sources on steganography
> I am writing my dissertation on steganography. Basically I'm writing a ^ ^ ^ ^ ^ You can't fool us. = end (of original message) Y-a*h*o-o (yes, they scan for this) spam follows: Yahoo! - Official partner of 2002 FIFA World Cup http://fifaworldcup.yahoo.com
sources on steganography
I am writing my dissertation on steganography. Basically I'm writing a technical monograph that would be of use to undergraduate instructors. What do you think are the best sources on steganography on the Web? What about books other than Johnson, Katzenbeiser & Peticolas, and the volumes covering the four international workshops on information hiding. I am also interested in the history of the subject. One major problem with the available sources covering the history (like Kahn) is that they completely disregard China, India, and Arab countries. Any pointers? thanks, hector
Why asymmetrical warefare practitioners have nothing to fear from the FBI (and probably the rest of U.S. intelligence/law enforcement)
[An edited copy of "Who Let the Terrorists Succeed?" http://www.msnbc.com/news/758330.asp] The now-famous memo Minneapolis agent Coleen Rowley sent to Robert Mueller, director of the FBI, now widely known as the Federal Bureau of Incompetence. The May 21, 2002 memo, obtained by Time, is one scary document. It suggests [SURPRISE!] that we have a bunch of time-servers protecting our security, which no one is in charge of anything. If any of this changed after September 11, Rowley, a highly regarded veteran of the bureau, does not say so. Without mentioning names, Rowley basically fingers a mid-level FBI supervisory agent in the Hoover Building (in Washington) named Dave Frasca, who was supposed to be running the task force on religious fanatics. After the Minneapolis office took flight-student and hijacker-wannabe Zacarias Moussaoui into custody and obtained intelligence from the French indicating that he had terrorist ties, alert Minnesota agents didnt just passively push the case up the chain of command. They became, in Rowleys words, desperate to search his computer laptop. So desperate that they risked the wrath of higher ups by committing a real pre-9-11 no-no: contacting the CIA. Headquarters personnel didnt just deny the request to probe Moussaoui further. Even though they were privy to many more sources of intelligence information than field agents, as Rowley plaintively put it, they continued to, almost inexplicably, throw up roadblocks and undermine Minneapolis by-now desperate attempts to obtain a search warrant. Because Frascas not commenting publicly, we havent heard the other side of the story. But as anyone who has ever worked in an office knows, HQ always has its own take on events, and sometimes its even right. In this case a federal judge in Washington, Royce C. Lambreth, grew annoyed at the poor documentation involved in requests from federal prosecutors for search warrants and wiretaps. One prosecutor so angered Lambreth that he was actually barred from seeking any more approvals from judges, a move that sent a chilling career message down through the ranks of the Justice Department. So Frasca, knowing which way the wind was blowing in Washington, wasnt just going to rubber stamp the Minneapolis request. [Does this mean the complaints by civil libertarians that FESA were being heard?] Moreover, the very fact that HQ is, in Rowleys words, privy to many more sources of intelligence is actually a hindrance, not necessarily a sign of negligence. The more intelligence chaff that comes in, the harder it is to find the wheat. Frasca should have the chance to explain that, and Judge Lambreth should explain why he thought the warrant process was being abused. But Rowleys certainly correct when she tells Mueller that the problem with chalking this all up to the 20/20 hindsight is perfect problem is that this is not a case of everyone in the FBI failing to appreciate the potential consequences. It is obvious that the agents in Minneapolis who were closest to the action and in the best position to gauge the situation locally did fully appreciate the terrorist risk/danger posed by Moussaoui. Doesnt that sound familiar in your company? The branch offices never think headquarters knows whats really going on, while the home office VPs think the branch guys are a bunch of whiners without the chops to make it in the big time at HQ. But in this evergreen of bureaucratic in-fighting, one of HQs best arguments is usually that unlike the branch offices, it sees the big picture. This time, as Rowley notes, Frasca and company not only failed to see the big picture, they worked actively to keep others from trying to see it. Thats quite an indictment. And thats only part of her bombshell. Rowley, who is, fortunately for her, close to retirement, also goes after Mueller himself. I have deep concerns that a delicate and subtle shading/skewering of facts by you and others at the highest levels of the FBI has occurred and is occurring. She argues that Muellers reorganization, which would further empower the FBIs Washington headquarters, is exactly the wrong approach to preventing terrorism. As if to confirm Rowleys harsh judgment, Mueller last week classified her memo, though we learned after it was leaked that there is nothing even vaguely compromising about FBI sources and methods contained in it. He classified it for the same reason Bush and Cheney dont want an independent commission to investigate what happened: Its embarrassing. Now its up to the rest of us to decide. [Unfortunately its not. If it were the problem would have been addresses decades ago.] Is embarrassment a proper standard for classifying documents and sweeping poor performance under the carpet? Or is it perhaps more patrioticand better for preventing a futu
Re: When encryption is also authentication...
On Wed, 29 May 2002, Curt Smith wrote: > I agree that under-the-hood encryption is becoming more and > more prevalent, and that it generally improves security. Also, > the widespread use of encryption technology helps protect > cryptorights in general as important to the public good. This is kinda the opposite of... > Both legally-binding and authentication technology should not > be completely transparent. Even "EULA's" require > user-intervention. Digitally signed messages should require > user-intervention. this. Having it be "transparent" where the user doesn't need to know anything about how it works does not have to destroy the effectiveness of digital signatures or crypto. When people sign a document they don't know all the ramifications because few bother to read all of any document they sign - most of it won't apply as long as you keep your part of the bargin, so why bother? The same thing should be true of digital signatures. The user shouldn't have to know a thing, other than they've made a promise they better keep or all the bad clauses really do apply, and the proof of their signature will come to haunt them. The way the digital signature works does not matter to them, and it shouldn't need to. If digital crypto, signatures or e-cash are going to get into mass appeal, then their operations will be "magic" to the majority. And it all has to work, to 1 part in 10^8th or better, without user comprehension. It may well take "user intervention" to create a signature, but they shouldn't have to know what they are doing. Patience, persistence, truth, Dr. mike
Re: When encryption is also authentication...
Mike Rosing wrote: > If digital crypto, signatures or e-cash are going to get into mass appeal, > then their operations will be "magic" to the majority. And it all has to > work, to 1 part in 10^8th or better, without user comprehension. > > It may well take "user intervention" to create a signature, but they > shouldn't have to know what they are doing. Agreed, the mechanics of a system are unimportant from a user's point of view, so long as it works and they can work it. What magic crypto should strive for, though, is an understanding in users of the effects its presence promotes, and the ramifications involved when it is lacking. SSL for commerce is readily in place without batting an eyelid these days. However, I'd be interested to know just how many users out there would enter their card details on an unprotected site, despite the unclosed padlocks and the alert boxes. Have security fears and paranoia been abated by widespread crypto to the point whereby users will happily transmit private data, whether encrypted or nay, just because they *perceive* the threat to now be minimal? Now that the media has grown tired of yet-another-credit-card-hack story? Pointers to any evidence/research into this much appreciated... ta. .g
Re: When encryption is also authentication...
On Wed, 29 May 2002, Curt Smith wrote: > A digital signatures must involve a conscious decision by the > signer to keep their part of an agreement. I maintain that > this requires user intervention to verify that the signer knew > that they making an agreement - a "click of understanding" or > pass phrase. Yes of course - the point of signing something is a promise. The act of signing by pen is just being transformed into a different kind of act. I think typing a pass phrase is better than a click, but we'll see what the market develops. Graham, there are many university profs interested in security on the net, and the medical field is just starting to get into this in a big way. I'm not sure they are following consumers, but a web search on "medical crypto" may find you a lot of interesting tidbits. Patience, persistence, truth, Dr. mike
Re: When encryption is also authentication...
I agree that the signer does not need to understand the mathematics or underlying technology for digital signatures to be viable. However, what good is an agreement when the parties do not know what the terms of the agreement are? A signature (digital or otherwise) generally indicates that the signer not only made an agreement, but also understood the agreement. A digital signatures must involve a conscious decision by the signer to keep their part of an agreement. I maintain that this requires user intervention to verify that the signer knew that they making an agreement - a "click of understanding" or pass phrase. Curt --- Mike Rosing <[EMAIL PROTECTED]> wrote: ... > Having it be "transparent" where the user doesn't need to know > anything about how it works does not have to destroy the > effectiveness of digital signatures or crypto. When people > sign a document they don't know all the ramifications because > few bother to read all of any document they sign - most of it > won't apply as long as you keep your part of the bargin, > so why bother? > > The same thing should be true of digital signatures. The > user shouldn't have to know a thing, other than they've made > a promise they better keep or all the bad clauses really do > apply, and the proof of their signature will come to haunt > them. The way the digital signature works does not > matter to them, and it shouldn't need to. > > If digital crypto, signatures or e-cash are going to get into > mass appeal, then their operations will be "magic" to the > majority. And it all has to work, to 1 part in 10^8th or > better, without user comprehension. > > It may well take "user intervention" to create a signature, > but they shouldn't have to know what they are doing. > > Patience, persistence, truth, > Dr. mike = end Yahoo! - Official partner of 2002 FIFA World Cup http://fifaworldcup.yahoo.com
Re: Government subsidies: our last, best hope for Cryptanarchy?
Hey, most of your points about crypto going under the hood are well taken. I wanted to echo Peter Gutmann's comments about PGP, and add that I see PGP as a protocol, and most of the protocols I use daily (TCP, IP, UDP, DNS, HTTP, SMTP) have not changed in the last 10 years and I don't need to upgrade my software to deal with them. Looking at PGP as a protocol gives you a different perspective. (I also see .doc, .xls and .ppt as protocols, and bad ones) Adam On Fri, May 24, 2002 at 01:44:53AM -0700, Lucky Green wrote: | You may be asking yourself: where, oh where, has all the crypto gone? | Where are the BlackNet's? Where is the untraceable Ecash? Where is the | Cryptanarchy that we've been waiting for? For that matter...where is the | crypto? | | The staunchest Cypherpunk will by now have noticed that PGP/GPG usage | even amongst list members, once the bellwether indicator of Cypherpunks | crypto adoption success, is in decline. | | NAI has pulled PGP off the shelves. Conspiracy theories as to what may | have been driving this business decision abound. The fact of the matter | is that the usage of PGP by businesses, the sole significant source of | NAI PGP revenue, had long passed its peek. How many business do you know | that rolled out PGP in the last year? How many do you know that quietly | stopped using PGP after formally adopting its use with big fanfare a few | years ago? The facts are that there are more of the latter than of the | former. Did NAI receive The Briefing? I don't know. Nor does it really | matter. There wasn't enough money to be made with PGP. | | A well-respected Cypherpunk recently expressed hope that if NAI's PGP | were to disappear for good, perhaps compatibility problems amongst | versions of PGP would diminish. A plausible sounding theory, if one were | to assume that the compatibility problems amongst versions of PGP are | between versions produced by different vendors. Presumably, the theory | would go, with only one major supplier left standing, that being GPG | (yes, I am aware there are others), interop problems with other vendors' | implementations would pretty much disappear by definition. | | However, a closer inspection of the PGP interoperability problems, which | have been at one of the issues coming up in just about every single | discussion I've had with anybody about PGP over the last year, shows | that the interop problems are not between current versions by multiple | vendors, but between versions, in some cases by the same vendor, that | were released over time. The current version of NAI-PGP will | interoperate just fine with the current version of GPG. | | So why is PGP interoperability such a frequently raised issue? And why | does the importance of this topic seem to diminish the further away you | stray from Cypherpunks into the realms of the casual PGP users? The | answer to the second question is straight-forward. Even the most casual | user of software tends to be familiar with and acceptant of the need for | occasional software upgrades. It appears that those that are | experiencing interop problems are those that are insisting on using up | to 5-year old versions of PGP. It is true and should come as no surprise | that those 5-year old versions do indeed have interop problems with | newer versions of PGP. | | Some may say: I shouldn't need to keep on upgrading my software to be | able to send encrypted email. Does anybody seriously believe that those | that insist on using 5-year old versions of PGP have not upgraded their | operating systems in those 5 years? Indeed, upgraded more their | operating systems more than once? Or does anybody seriously believe that | those that insist on using old versions of PGP still run the exact same | version of their MUA and text editor as they did 5 years ago? Of course | they don't. If they did, their boxes would long have become unusable due | to the warez traffic taking place on the machines as a result of the | countless remote exploits discovered over these last 5 years. | | The reluctance to upgrade to a newer version of PGP does not appear to | be driven by a refusal or inability to upgrade software in general. This | reluctance to upgrade appears PGP specific. Why this is the case I do | not know. (And don't greatly care. I am running the latest version of | NAI PGP and I can make my copy talk to any version of PGP 2.x or | higher). | | Now perhaps there may be the rare case of a PGP user that is still | running PGP 2.x on the same DOS box, using the same mailer and the same | text editor as they did 5 years ago. I don't know of any such users, but | that doesn't mean no such users exists within the vastness of the | Internet. What I do know is that those that I am aware of that are | complaining about PGP version interoperability problems do not fall into | the rare category of users who have not upgraded any software at all for | the last 5 years. | | Since the existence of multiple PGP sof
When encryption is also authentication...
I agree that under-the-hood encryption is becoming more and more prevalent, and that it generally improves security. Also, the widespread use of encryption technology helps protect cryptorights in general as important to the public good. The fundamental problem with "under-the-hood" is that the user is not required to have any understanding of the process. Furthermore encryption technology is often also authentication technology. This includes transparently sending S/MIME documents (encrypted and/or signed) as a default without requiring additional user intervention. In many places this results in legally binding documents. Furthermore, anyone with access to a system can send legally binding e-mail documents on the user's behalf. Both legally-binding and authentication technology should not be completely transparent. Even "EULA's" require user-intervention. Digitally signed messages should require user-intervention. --- Lucky Green <[EMAIL PROTECTED]> wrote: ... > I indeed consider passive encryption methods alone to be > typically insufficient for some of my personal security needs > and am continuing to utilize encryption that requires me as > the user to make that trust decision. But that does not mean > that no security benefits are to be had from opportunistic > encryption of Internet traffic. ... > How does the increased use of strong crypto under-the-hood > help Cypherpunks? The answer reminds me of the response > another Cypherpunk gave to my posting statistics about the > nature of the USENET traffic seen by a major node. I > expressed surprise at these rather revealing statistics, > musing that there had to be a lesson to be learned from the > fact that the bulk of the data is generated in newsgroups > that one would not initially consider mainstream. His > response was illuminating: "Yes, the lesson is: just look at > all that cover traffic". > > --Lucky = end Yahoo! - Official partner of 2002 FIFA World Cup http://fifaworldcup.yahoo.com
ANSI X9.17 STANDARDS
hi, I have an idea of what x9.17 standards says but no idea behind the mathametcial background of it. x9.17 standards is a standard but why is it so.mathametically what makes it a secure key generator? Could some 1 pls address the issue. Thank u very much. Data. __ Do You Yahoo!? Yahoo! - Official partner of 2002 FIFA World Cup http://fifaworldcup.yahoo.com
Key verification schemes...
(in response to a topic mentioned in various threads) I agree that neither CA-verification nor WoT-verification is as useful as Key Fingerprint-verification for secure communication between crypto-aware individuals. After all, CA's can be subverted and WoT is probably best used as a back-up option when direct key verification is not possible. Key Fingerprints can be verified in both PGP and S/MIME, but neither system enforces it. I would prefer for Key Fingerprint-verification to be more central to the system. --- [EMAIL PROTECTED] wrote: ... > The hierarchical verisign model is useful when one wishes to > verify that something comes from a famous and well known > name --that this software really is issued by Flash, that > this website really does belong to the Bank of America. In > this case, however, only famous and well known names need > their keys from verisign. No one else needs one. > > When one wishes to know one is really communicating with Bob, > it is best to use the same channels to verify this is Bob's > key, as one used to verify that Bob is the guy one wishes to > talk to. The web of trust, and Verisign, merely get in the > way. ... --- Eric Murray <[EMAIL PROTECTED]> wrote: ... > And to be honest, exactly zero of the PGP exchanges I have > had have actually used the web of trust to really verify a > PGP key. I've only done it in testing. In the real world, I > either verify out of band (i.e. over the phone) or don't > bother if the other party is too clueless to understand what > I want to do and getting them to do PGP at all has already > exausted my paticnce. ... = end Yahoo! - Official partner of 2002 FIFA World Cup http://fifaworldcup.yahoo.com
Re: Anti-snooping operating system close to launch
> Anti-snooping operating system close to launch http://www.m-o-o-t.org/ didn't change much code-wise in the last year or so, except for the "news" section. = end (of original message) Y-a*h*o-o (yes, they scan for this) spam follows: Yahoo! - Official partner of 2002 FIFA World Cup http://fifaworldcup.yahoo.com