IRS May Help DOD Find Reservists
http://www.military.com/Content/Printer_Friendly_Version/1,11491,,00.html?str_filename=FL%5Firs%5F051804passfile=FL%5Firs%5F051804page_url=%2FNewsContent%2F0%2C13319%2CFL%5Firs%5F051804%2C00%2Ehtml

Military Insider Newsletter
IRS May Help DOD Find Reservists
Fort Worth Star-Telegram
May 18, 2004

FORT WORTH, Texas - The Defense Department, strapped for troops for missions in Iraq and Afghanistan, has proposed to Congress that it tap the Internal Revenue Service to locate out-of-touch reservists. The unusual measure, which the Pentagon said has been examined by lawyers, would allow the IRS to pass on addresses for tens of thousands of former military members who still face recall into active duty. The proposal has largely escaped attention amid all the other crises of government, and it is likely to face opposition from privacy rights activists who see information held by the IRS as inviolate. For it to become practice, Congress and President Bush would have to approve the proposal, which would involve amending the tax code.

Ari Schwartz, an associate director of the Center for Democracy and Technology in Washington, said granting access to any IRS data would open the door to more requests from other arms of the government. Just a few years ago, Congress strengthened the privacy provisions of the tax code, he said. There are other ways to solve the problem they have, without putting the tax information at risk, Schwartz said. We would hope that those members who worked only four or five years ago on strengthening tax-privacy laws would stand up and say this is a bad idea.

Lt. Col. Bob Stone, a spokesman for the assistant defense secretary for reserve affairs, said the proposal was developed several years ago and is unconnected to the Army's current shortage of troops.
Part or all of nine of the Army's 10 active-duty divisions are deployed to Iraq or Afghanistan, and 167,000 members of the reserves or National Guard are on active duty, with thousands more on alert for mobilization. Unknown to most Americans, though, is the existence of the Individual Ready Reserve, which has more than 280,000 members. The IRR is a distinctly different animal than the drilling reserves or National Guard. Those in the IRR are people who have completed their active-duty tours but are subject to involuntary recall for a certain number of years. For example, a soldier who serves four years on active duty remains in the IRR for another four years. During that time, however, they receive no pay, do not drill with a unit and are otherwise completely civilian.

The problem for the Pentagon is that the whereabouts of 50,200 of those veterans are unknown to the Army, Navy, Marine Corps and Air Force. The largest number - 40,700 - are former Army GIs. Because Texas sends more people into the service than almost any other state, it's a good bet many are in the Lone Star State. While the military today is comprised of an all-volunteer force, every individual who volunteers for service in the armed forces voluntarily accepts an eight-year military service obligation, Stone said. The troops are required to keep the services updated on their residences, but many do not. Thirty-four percent of former Army soldiers cannot be tracked. The unknowns in the other services are in the single-digit percentages. One of the difficulties that the military services confront is keeping addresses current, Stone said.

The Defense Department has called on members of the IRR before. About 7,000 people have been recalled since 9-11, Stone said. Approximately 30,000 were recalled for service during the buildup for the Persian Gulf War in 1990 and 1991, he said.

--
- R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Re: 3. Proof-of-work analysis
Here's a forward of parts of an email I sent to Richard with comments on his and Ben's paper (he sent me a pre-print off-list a couple of weeks ago):

One obvious comment is that the calculations do not take account of the CAMRAM approach of charging for introductions only. You mention this in the final para of conclusions as another possible. My presumption, though I don't have hard stats to measure the effect, is that much of email is to-and-fro between existing correspondents. So if I were only to incur the cost of creating a stamp at time of sending to a new recipient, I could bear a higher cost without running into limits. However the types of levels of cost envisaged are aesthetically unpleasing; I'd say 15 seconds is not very noticeable, 15 mins is noticeable and 1.5 hrs is definitely noticeable.

Of course your other point that we don't know how spammers will adapt is valid. My presumption is that spam would continue apace; the best you could hope for would be that it is more targeted, that there are financial incentives in place to make it worthwhile buying demographics data. (After all when you consider the cost of sending junk paper mail is way higher, printing plus postage, and yet we still receive plenty of that). Also as you observe if the cost of spamming goes up, perhaps they'll just charge more. We don't know how elastic the demand curve is. Profitability, success rates etc are one part of it. There is an interplay also: if quantity goes down, perhaps the success rate on the remaining goes up. Another theory is that a sizeable chunk of spam is just a ponzi scheme: the person paying does not make money, but a lot of dummies keep paying for it anyway.

Another potential problem with proof-of-work on introductions only is that if the introduction is fully automated without recipient opt-in, spammers could also benefit from this amortized cost.
So I would say something like the sender sent a proof-of-work, and the recipient took some positive action, like replying, filing otherwise than junk or such, should be the minimum to get white-listed.

On the ebiz web site problem, I think these guys present a problem for the whole approach. An ebiz site will want to send lots of mail to apparent new recipients (no introductions-only saving); a popular ebiz site may need to send lots of mail. Well it is ebiz so perhaps they just pass the cost on to the consumer and buy some more servers. Another possibility is the user has to opt-in by pre-white-listing them, however the integration to achieve this is currently missing and would seem a difficult piece of automation to retrofit.

One of the distinguishing characteristics of a spammer is the imbalance between mail sent and mail received. Unfortunately I do not see a convenient way to penalize people who fall into this category.

Also because of network effect concerns my current hashcash deployment is to use it as a way to reduce false positives, rather than directly requiring hashcash. Well over time this could come to the same thing, but it gives it a gentle start, so we'll see how long it is before the 1st genuine spam with hashcash attached. CAMRAM's approach is distinct and is literally going straight for the objective of bouncing mail without some kind of proof (hashcash or reverse Turing, or short term ability to reply to email challenge-response).

Adam

Richard Clayton wrote:

[...] Ben Laurie) and I have recently been doing some sums on proof-of-work / client puzzles / hashcash methods of imposing economic constraints upon the sending of spam... Ben wanted to know how big a proof was needed for a practical scheme he was considering -- and I told him it wasn't going to work.
We then carefully worked through all the calculations, using the best data that we could obtain -- and we did indeed come to the conclusion that proof-of-work is not a viable proposal :( Paper: http://www.cl.cam.ac.uk/~rnc1/proofwork.pdf
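To make the stamp cost and the introductions-only policy discussed above concrete, here is an added Python sketch; it is my illustration, not code from hashcash, CAMRAM or the paper. It mints a simplified hashcash-style stamp by SHA-1 partial preimage, checks it on the recipient side (addressee, date, difficulty, no double-spending), and whitelists a sender only after a positive action such as a reply. The stamp field layout, the `Inbox` API, the `.invalid` addresses and the YYMMDD date string are all constructed simplifications.

```python
import hashlib
import math
from typing import Optional


def leading_zero_bits(digest: bytes) -> int:
    """Count the leading zero bits of a hash digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def stamp_hash(stamp: str) -> bytes:
    return hashlib.sha1(stamp.encode("ascii")).digest()


def mint_stamp(resource: str, bits: int, day: str) -> str:
    """Sender side: brute-force a counter until the stamp's SHA-1 has `bits`
    leading zero bits. Expected work is 2**bits hashes, so each extra bit
    doubles the minting time. Layout version:bits:date:resource::counter is a
    constructed simplification of the real hashcash stamp format."""
    counter = 0
    while True:
        stamp = f"1:{bits}:{day}:{resource}::{counter:x}"
        if leading_zero_bits(stamp_hash(stamp)) >= bits:
            return stamp
        counter += 1


def bits_for_budget(hashes_per_second: float, seconds: float) -> int:
    """Largest difficulty whose expected minting time fits the time budget.
    At 1e6 hashes/s: 15 s -> 23 bits, 15 min -> 29 bits, 1.5 h -> 32 bits."""
    return max(0, int(math.floor(math.log2(hashes_per_second * seconds))))


def verify_stamp(stamp: str, resource: str, min_bits: int, today: str) -> bool:
    """Recipient side: one hash checks the work; the other fields stop a stamp
    being replayed against another mailbox or on another day."""
    fields = stamp.split(":")
    if len(fields) != 6 or fields[0] != "1":
        return False
    _, bits, day, res, _, _ = fields
    if not bits.isdigit() or int(bits) < min_bits:
        return False
    if res != resource or day != today:
        return False
    return leading_zero_bits(stamp_hash(stamp)) >= int(bits)


class Inbox:
    """Mailbox applying the introductions-only policy from the thread:
    existing correspondents pay nothing, strangers must attach a valid,
    unspent stamp, and a sender is whitelisted only after the recipient takes
    a positive action (reply, file as not-junk), never automatically."""

    def __init__(self, address: str, min_bits: int, today: str):
        self.address = address
        self.min_bits = min_bits
        self.today = today
        self.whitelist = set()
        self.spent = set()  # stamps already accepted today; blocks double-spending

    def accept(self, sender: str, stamp: Optional[str]) -> bool:
        if sender in self.whitelist:
            return True  # no stamp cost between established correspondents
        if stamp is None or stamp in self.spent:
            return False
        if not verify_stamp(stamp, self.address, self.min_bits, self.today):
            return False
        self.spent.add(stamp)
        return True

    def positive_action(self, sender: str) -> None:
        """Called when the user replies to or files the mail as wanted."""
        self.whitelist.add(sender)


if __name__ == "__main__":
    # Constructed example: a stranger's first mail to alice carries a 12-bit stamp.
    box = Inbox("alice@example.invalid", 12, "040519")
    s = mint_stamp("alice@example.invalid", 12, "040519")
    print(s, box.accept("stranger@example.invalid", s))
```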
Re: Diffie-Hellman question
Thomas Shaddack wrote:

I have a standard implementation of OpenSSL, with Diffie-Hellman prime in the SSL certificate. The DH cipher suite is enabled. Is it safe to keep one prime there forever, or should I rather periodically regenerate it? Why? If yes, what's some sane period to do so: day, week, month?

No need. Kinda. The best known discrete logarithm attacks are such that if they succeed in the attack then they can easily apply their solution to anything encrypted with the same prime. A shared prime attracts attacks. Widely used primes can become a big target. These attacks are generally supposed to be beyond capability for the next X zillion years though. Or perhaps for ten years.

This might seem garubonsendese in the naive 'it's safe' or 'it's not safe' crypto paradigm. However, that isn't how crypto works. Cryptanalysis (the revealing of plaintext against the wishes of the encryptor) is an economic activity. No-one will bother putting in enough resources to break your 2k-bit modexp-based crypto unless they think it worthwhile. But if your prime is shared with several other people who are sending nuclear secrets, then your prime might become subject to attack.

If the adversary has a log of a passively intercepted DHE-RSA-AES256-SHA secured SSL communication, presuming the ephemeral key was correctly generated and disposed of after the transaction, will the eventual physical retrieval of the DH prime (and the rest of the certificate) allow him to decode the captured log?

The prime is public - anyone can know it - so its retrieval won't affect anything. The question I think you are asking is if the secret key is retrieved, will I lose forward security, to which the answer is yes. For long-term forward secrecy you need to change the public key every day or so. Use a long-term key to sign the daily keys. PGP does this. Once you have deleted the day's public key, you are OK (but see below!). The ephemeral keys cannot (or should not) be retrieved (or retrievable). (below!)
Or perhaps the question you were asking was if finding DLs mod _this prime_ becomes possible, will I lose forward security?, in which case the answer is yer fukked - as are we all - if one prime gets broken, they all will, sooner or later.

-- Peter Fairbrother (Who is right now composing a talk about the uses of modexp in crypto, for those far more knowledgeable than I)
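An added toy illustration of the two points in Peter's reply, written for this digest rather than taken from the thread: the prime and generator are public, so an eavesdropper who later obtains them gains nothing beyond what a passive log already shows, while discrete-log work against a shared prime is a one-time cost that then breaks every session ever run over it. The 14-bit safe prime 10007 with generator 5 is a constructed toy so the precomputation is instant; with the 2048-bit or larger groups real DHE uses, the same table is astronomically large, which is the whole defence.

```python
import secrets

# Constructed toy group: p = 10007 is a safe prime (p = 2q + 1, q = 5003) and
# 5 is a quadratic non-residue mod p, so it generates the full group of order
# p - 1. A real DHE group is 2048 bits or more.
TOY_P = 10007
TOY_G = 5


def dh_public(p, g, priv):
    """Public value g^priv mod p. p and g are public parameters by design:
    handing them to an eavesdropper reveals nothing a passive log lacks."""
    return pow(g, priv, p)


def dh_shared(p, peer_pub, priv):
    """Shared secret peer_pub^priv mod p; both ends compute the same value."""
    return pow(peer_pub, priv, p)


def random_private(p):
    """Fresh ephemeral exponent in [2, p-2], discarded after the session."""
    return 2 + secrets.randbelow(p - 3)


def build_log_table(p, g):
    """One-time work per prime: tabulate x for every g^x mod p. This covers the
    subgroup generated by g, which is exactly where every public value lives.
    Once paid for, the cost is amortized over every session using (p, g)."""
    table = {}
    value = 1
    for exponent in range(p - 1):
        if value in table:
            break  # subgroup exhausted (only happens if g is not a generator)
        table[value] = exponent
        value = value * g % p
    return table


def recover_shared(table, p, pub_a, pub_b):
    """Passive observer: from the two public values alone, look up one
    exponent and recompute the session secret. None if pub_a is unknown."""
    exp_a = table.get(pub_a)
    if exp_a is None:
        return None
    return pow(pub_b, exp_a, p)


def demo(sessions=3):
    """Run several independent ephemeral handshakes over the same toy prime,
    then recover all of their secrets with a single precomputation."""
    p, g = TOY_P, TOY_G
    transcripts = []
    for _ in range(sessions):
        a, b = random_private(p), random_private(p)
        pub_a, pub_b = dh_public(p, g, a), dh_public(p, g, b)
        k_a, k_b = dh_shared(p, pub_b, a), dh_shared(p, pub_a, b)
        assert k_a == k_b
        # The observer's log holds only what crossed the wire (pub_a, pub_b);
        # k_a is kept here solely to check the recovery below.
        transcripts.append((pub_a, pub_b, k_a))
    table = build_log_table(p, g)
    broken = [recover_shared(table, p, pa, pb) == k for pa, pb, k in transcripts]
    return {"table_size": len(table), "sessions": sessions, "all_broken": all(broken)}


if __name__ == "__main__":
    print(demo())
```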
RE: EU seeks quantum cryptography response to Echelon
Boondoggle. A solution in search of a problem:

Monyk believes there will be a global market of several million users once a workable solution has been developed. A political decision will have to be taken as to who those users will be in order to prevent terrorists and criminals from taking advantage of the completely secure communication network, he said.

Silliness itself, at this point. Practical quantum cryptography at this point is limited to transmission. The moment it goes O/E, it's as vulnerable as any other data. And terrorists aren't going to bother splicing fiber. Of course, primitive quantum storage (with error correcting codes!) is possible and done in laboratories, but we're talking tens of bits here. It'll be a decade before quantum storage is practical, and that's only IF someone can find a convincing reason to start developing it.

-TD

From: R. A. Hettinga [EMAIL PROTECTED]
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: EU seeks quantum cryptography response to Echelon
Date: Mon, 17 May 2004 14:32:34 -0400

http://www.nwfusion.com/news/2004/0517euseeks.html

Network World Fusion

EU seeks quantum cryptography response to Echelon
By Philip Willan
IDG News Service, 05/17/04

The European Union is to invest €11 million ($13 million) over the next four years to develop a secure communication system based on quantum cryptography, using physical laws governing the universe on the smallest scale to create and distribute unbreakable encryption keys, project coordinators said Monday. If successful, the project would produce the cryptographer's holy grail -- absolutely unbreakable code -- and thwart the eavesdropping efforts of espionage systems such as Echelon, which intercepts electronic messages on behalf of the intelligence services of the U.S., the U.K., Canada, New Zealand and Australia.
The aim is to produce a communication system that cannot be intercepted by anyone, and that includes Echelon, said Sergio Cova, a professor from the electronics department of Milan Polytechnic and one of the project's coordinators. We are talking about a system that requires significant technological innovations. We have to prove that it is workable, which is not the case at the moment. Major improvements in geographic range and speed of data transmission will be required before the system becomes a commercial reality, Cova said.

The report of the European Parliament on Echelon recommends using quantum cryptography as a solution to electronic eavesdropping. This is an effort to cope with Echelon, said Christian Monyk, the director of quantum technologies at the Austrian company ARC Seibersdorf Research and overall coordinator of the project. Economic espionage has caused serious harm to European companies in the past, Monyk said. With this project we will be making an essential contribution to the economic independence of Europe.

Quantum cryptography takes advantage of the physical properties of light particles, known as photons, to create and transmit binary messages. The angle of vibration of a photon as it travels through space -- its polarization -- can be used to represent a zero or a one under a system first devised by scientists Charles Bennett and Gilles Brassard in 1984. It has the advantage that any attempt to intercept the photons is liable to interfere with their polarization and can therefore be detected by those operating the system, the project coordinators said. An intercepted key would therefore be discarded and a new one created for use in its place.

The new system, known as SECOQC (Secure Communication based on Quantum Cryptography), is intended for the secure generation and exchange of encryption keys, rather than for the actual exchange of data, Monyk said. The encrypted data would then be transmitted by normal methods, he said.
Messages encrypted using quantum mechanics can currently be transmitted over optical fibers for tens of kilometers. The European project intends to extend that range by combining quantum physics with other technologies, Monyk said. The important thing about this project is that it is not based solely on quantum cryptography but on a combination with all the other components that are necessary to achieve an economic application, he said. We are taking a really broad approach to quantum cryptography, which other countries haven't done. Experts in quantum physics, cryptography, software and network development from universities, research institutes and private companies in Austria, Belgium, Britain, Canada, the Czech Republic, Denmark, France, Germany, Italy, Russia, Sweden and Switzerland will be contributing to the project, Monyk said. In 18 months project participants will assess progress on a number of alternative solutions and decide which technologies are the most promising and merit further development, project coordinators said. SECOQC aims to have a workable technology ready in four years, but will probably require three to four
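The mechanism the article describes (bits carried in photon polarization, interception disturbing the state, the key discarded when disturbance shows up) as an added simulation; this is my illustration, not code from SECOQC or the article. Alice and Bob announce bases, keep the agreeing positions, and estimate the error rate on the sifted bits; an intercept-and-resend eavesdropper who measures in a random basis pushes that rate to about 25%, so the key is rejected. The 11% acceptance threshold is an assumed cut-off, the channel is ideal (no loss or noise), and comparing the whole sifted key is a simplification of sacrificing a random sample.

```python
import random

RECTILINEAR, DIAGONAL = 0, 1  # the two polarization bases of BB84


def measure(photon, basis, rng):
    """Measure a (bit, preparation_basis) photon. A matching basis reads the
    bit faithfully; a mismatched basis gives a random outcome and leaves the
    photon re-prepared in the measuring basis (the state has collapsed)."""
    bit, prep_basis = photon
    if basis == prep_basis:
        return bit
    return rng.randrange(2)


def bb84(n_photons, eavesdrop, seed=0):
    """One BB84 exchange over an ideal channel. Returns (sifted_length,
    mismatches) over the positions where Alice's and Bob's bases agreed.
    With eavesdrop=True an intercept-and-resend Eve measures every photon in
    a random basis and forwards a photon prepared with what she read."""
    rng = random.Random(seed)  # seeded so runs are reproducible
    alice_bits = [rng.randrange(2) for _ in range(n_photons)]
    alice_bases = [rng.randrange(2) for _ in range(n_photons)]
    bob_bases = [rng.randrange(2) for _ in range(n_photons)]
    bob_bits = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        photon = (bit, a_basis)
        if eavesdrop:
            eve_basis = rng.randrange(2)
            eve_bit = measure(photon, eve_basis, rng)
            photon = (eve_bit, eve_basis)  # Eve re-sends in her own basis
        bob_bits.append(measure(photon, b_basis, rng))
    # Sifting: bases are announced over a public channel; only agreeing
    # positions are kept. Eve guessed wrong on half of these, and each wrong
    # guess gives Bob a random bit, so she leaves roughly 25% mismatches.
    sifted = [
        (a, b)
        for a, b, ab, bb in zip(alice_bits, bob_bits, alice_bases, bob_bases)
        if ab == bb
    ]
    mismatches = sum(1 for a, b in sifted if a != b)
    return len(sifted), mismatches


def error_rate(sifted_length, mismatches):
    return mismatches / sifted_length if sifted_length else 0.0


def key_accepted(n_photons, eavesdrop, threshold=0.11, seed=0):
    """Keep the key only if the observed error rate is at or below the
    threshold; otherwise discard it and start over, as the article says."""
    sifted_length, mismatches = bb84(n_photons, eavesdrop, seed)
    return error_rate(sifted_length, mismatches) <= threshold


if __name__ == "__main__":
    for eve in (False, True):
        n, m = bb84(4000, eve, seed=1)
        print(f"eavesdropper={eve}: sifted={n} errors={m} rate={error_rate(n, m):.3f}")
```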
Re: al-qaeda.net node downtime
On Tue, 18 May 2004 05:18:06 -0400 Riad S. Wahby [EMAIL PROTECTED] wrote: I'm moving from Massachusetts to Texas, and unfortunately that means that my machine's connectivity will be in a state of flux for a while. Unless someone has a machine with a (fast, static) connection on which they want to let me host the node temporarily, al-qaeda.net will be down for some (unspecified, but hopefully not too long) time while I move. If you do have a place to put the node (I believe [EMAIL PROTECTED] once offered such a machine, but perhaps things have changed), let me know within the next day or two and I'll move everything over before I leave. -- Riad Wahby [EMAIL PROTECTED] MIT VI-2 M.Eng How ironic, I moved from Texas to Massachusetts .. You must be insane to go to TX -- Adam satyam, shivam, sundaram
ID Pass? But I Am Mayor..
http://www.mirror.co.uk/printable_version.cfm?method=printable_version_mirrorobjectid=14253448siteid=50143 ID PASS? BUT I AM MAYOR.. By Geoffrey Lakeman SELF-important mayor Anne Rey refused to open a police conference in her town - because she had to wear a security pass. Home Secretary David Blunkett will wear official ID at the meeting in Bournemouth, Dorset. But councillor Rey was insulted when asked for a passport photo for her pass, and said wearing her robes should be enough. Clive Chamberlain of the Dorset Police Federation, which is hosting the Police Federation Conference at Bournemouth International Centre, said: She's being very silly. The Home Secretary will be wearing a pass and when the Prime Minister comes to conferences he wears a pass too. I don't know who she thinks she is. Her stance will embarrass the people of Bournemouth. Bournemouth-born Mrs Rey, 47, said: I'd have thought going in my robes, wearing my chains and going with the mace-bearer would be enough. Deputy mayor David Baldwin, who will wear ID, will open the event. -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA Several times a week, to enter a TV studio say, or to board a plane, I have to produce a tiny picture of my face. -- Christopher Hitchens
'Taxi! Fly Me To Cleveland'
Geodesic Air Travel is here. I flew out of Albuquerque last week with one of the guys from Eclipse Aviation. Okay. We were on the same plane. I was in steerage. He wasn't. :-). Cheers, RAH --- http://online.wsj.com/article_print/0,,SB108491821399715012,00.html The Wall Street Journal May 19, 2004 THE MIDDLE SEAT By SCOTT MCCARTNEY 'Taxi! Fly Me To Cleveland' New Four-Passenger Jets Spur Plans for Cab-Like Air Service; Memories of People Express May 19, 2004 Perhaps as soon as next year, travelers will have a new alternative to flying commercial airlines or buying their own jet. Using a new generation of small jets that are currently in flight testing, several entrepreneurs are trying to launch air taxi services. The goal is to let corporate travelers bypass crowded airports and fly into smaller, local airports, at half of the current cost of chartering a jet. The most advanced air-taxi effort is coming from the man who brought the bus to air travel. Donald C. Burr -- founder of People Express Airlines back in the 1980s -- plans to launch iFly Air Taxi Inc. service next year. He has teamed up with son, Cameron, as well as his onetime nemesis, Robert L. Crandall. The former chief executive of AMR Corp. and its American Airlines, Mr. Crandall once helped run Mr. Burr's People Express out of business. Venture capitalists and aircraft manufacturers say other groups are also developing plans for air-taxi service, but none has come forward publicly yet or has had to make a Securities and Exchange Commission filing as iFly did March 29. Air taxis are also envisioned as a growing part of the nation's air-transport system in a futuristic blueprint being developed by a government task force that will report to the White House later this year. One reason for optimism that now is the right time for air taxis: The arrival of a new generation of four-passenger micro jets that can operate more cheaply than conventional jets. 
These aircraft typically are much lighter than conventional private jets, and are powered by a new generation of small, fuel-efficient engines. None of the planes are in service yet. Manufacturers are accepting advance orders, which so far are being placed by a mixture of private individuals and hopeful air-taxi operators. The new planes have the potential to revolutionize transportation. Currently, chartering private jets is extremely expensive, costing $7,000 or more for a 500-mile hop, round-trip. Fractional ownership (where you buy a share of an aircraft that entitles you to use it periodically) is no bargain either. Corporate-owned jets, while sometimes economical for shuttling groups of executives, are often viewed as overly expensive perks. Air-taxi service would be different, in theory at least. Mr. Burr says he can provide rides for $3 to $4 a mile, on average -- which works out to be a bit more expensive than most first-class tickets. A trip to Cleveland from Teterboro, N.J., for example, might cost $1,000 to $1,400 on average. By comparison, an unrestricted first class ticket on Continental Airlines from Newark, N.J., to Cleveland costs $1,338. iFly is expected to announce an order for Adam Aircraft jets soon. The Adam A700, which at $2 million is half of the price of the cheapest Cessna Citation jet right now, began flight tests in July 2003. The Adam jet is one of a half-dozen new aircraft like this in development. Honda Motor Co. has been conducting test flights of its HondaJet in North Carolina; Toyota Motor Corp. is also working on a jet. Eclipse Aviation Corp., run by a former software executive with considerable financial backing, says it has orders for more than 2,000 jets. Other heavy hitters are working on the most important aspect, the engines. General Electric Co. 
is working on the Honda jet; Pratt & Whitney, a unit of United Technologies Corp., is testing a new engine that will power the Eclipse jet; and Williams International is shrinking an engine currently used on Citation jets for the micro-jet class. It powers the Adam Aircraft jet.

Corporate aviation has a solid safety record, with an accident rate per flight-hour about on par with commuter airlines, according to National Transportation Safety Board figures. Air-taxi operations also claim to offer convenience, since travelers would arrive and depart at small airports, park just a short walk from the plane, and could choose their own departure times. And taking a taxi would avoid security lines and reduce the chances of lost luggage. It's a highly simplified charter operation, Mr. Crandall says. We hope to run it like a limousine service.

Much like airline tickets, iFly will be priced so that peak periods are more expensive than off-peak times. In addition, the third and fourth seats on a taxi flight will be a lot cheaper than the first or second seats sold. This time, he says he intends to grow slowly. The lack of technology and aggressive growth ultimately cratered People Express, which
[Politech] Here's someone who actually likes political spam [sp]
--- begin forwarded text

Delivered-To: [EMAIL PROTECTED]
Date: Tue, 18 May 2004 22:31:27 -0400
From: Declan McCullagh [EMAIL PROTECTED]
User-Agent: Mozilla Thunderbird 0.6 (Macintosh/20040502)
To: [EMAIL PROTECTED]
Subject: [Politech] Here's someone who actually likes political spam [sp]
List-Id: Declan McCullagh's politics and technology mailing list politech.politechbot.com
List-Archive: http://politechbot.com/pipermail/politech
List-Help: mailto:[EMAIL PROTECTED]
List-Subscribe: http://politechbot.com/mailman/listinfo/politech, mailto:[EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]

[One quibble: I got a russospam sent to an address that I've never used. So it's not always sent to a real address. --Declan]

Original Message
Subject: Re: [Politech] Weekly column: Political spam, the new national pastime? [sp]
Date: Tue, 18 May 2004 20:17:00 -0400 (EDT)
From: Dean Anderson [EMAIL PROTECTED]
To: Declan McCullagh [EMAIL PROTECTED]

I'd rather have the email than the postal mail.

1) I can more easily quote it in email. If you are for the candidate or against, this is a good thing.
2) I can save it and search it. Nothing helps keep a politician honest more than their old promises.
3) It is more cheaply stored.
4) Of course, there's always Sanford Wallace's old 'save trees' benefit.

I don't really know what the problem is with political email. This isn't truly unsolicited in the sense of broadcast to bogus addresses, which is a bane to ISPs. Rather, it is broadcast to a list of real addresses. I think the anti-spam radicals must be succeeding in getting people conditioned against getting email. This is a good segue into noting that in January, 56% of the bulk emailers fully complied with CAN-SPAM, and 90something percent partially complied. I haven't seen more recent statistics, but there have also been some suits against real commercial operators who haven't complied with CAN-SPAM. So why is almost none of the spam compliant in my email box?
Could it be that someone is just sending abuse in the hopes that it will annoy people? (I think the answer is yes)

But, I read a book recently on Crypto-virology, which presented the premise that by sending a lot of email from one infected host to another and encrypting or encoding it at each hop, it was possible to create an anonymous communication system that the author called a mix-net. It went on to describe the utility of mix-nets in extortion and information theft via virus infection. Whether this non-commercial junk mail represents a mix-net or not I think is a testable hypothesis. One just needs to go back through the viruses that have been released or captured sending junk mail, and see if they resend messages after some encryption steps. If they do, then a mix-net is possible. If they don't, then this is just so much hypothesizing.

But assuming that this 'mix-net' theory is true, then it certainly means that we need to have much more attention from law enforcement on viruses and virus operators. Not only will this halt extortion and information theft, but it will halt the deluge of junk email that isn't a real commercial offer.

My expectation has been that these non-commercial messages coming from viruses are just anti-spammers trying to annoy people into banning spam. Many of these messages appear at first glance to be commercial, and appear unlikely to be coded. But some messages contain random words and character strings. It had been supposed that this is to confuse Bayesian anti-spam filters, though I doubt it, because Bayesian filters shouldn't be confused--they are trying to distinguish wanted from unwanted, not spam from non-spam. But there is some increasing portion of spam that could be suspected as containing coded messages in the random words and characters.

But this is somewhat academic, though interesting. In either case, it is imperative to have more law enforcement attention on viruses and virus operators.
There really isn't any question of that. And that is the road to spam solutions. Just ignore what the anti-spammers tell you. Dean Anderson CEO Av8 Internet, Inc On Tue, 18 May 2004, Declan McCullagh wrote: http://news.com.com/2010-1028-5213287.html?tag=nefd.acpro Political spam as national pastime May 17, 2004, 4:00 AM PT By Declan McCullagh Aaron Russo wants your vote so badly, he's willing to spam you for it. Last week, Russo, a Hollywood producer who is running for president as a Libertarian Party candidate, fired off thousands of unsolicited e-mail messages announcing his campaign and asking recipients to help support Russo financially with automatic monthly contributions. Russo, whose films include The Rose and Trading Places, is not alone. Political spam has become a thoroughly nonpartisan communications technique, with Democrats, Republicans and third parties alike turning to bulk e-mail in numbers that are still small but steadily increasing. Two percent of all
RE: EU seeks quantum cryptography response to Echelon
Tom Shaddack wrote:

On Tue, 18 May 2004, Tyler Durden wrote:

Monyk believes there will be a global market of several million users once a workable solution has been developed. A political decision will have to be taken as to who those users will be in order to prevent terrorists and criminals from taking advantage of the completely secure communication network, he said.

Hope the technology hits the streets fast enough after getting on the market. Monyk apparently doesn't believe that people who don't have the money to buy the Official Approval have no right to access to this technology.

Actually, I read this as the sort of puffery we more often see from the snake-oil vendors; Our proprietary Auto Generated One Time Pad (TM) crypto is so strong that the government may ban it - get it while you can!

Peter
Modexp
At 12:22 AM 5/19/04 +0100, Peter Fairbrother wrote:

Peter Fairbrother (Who is right now composing a talk about the uses of modexp in crypto, for those far more knowledgeable than I)

Modexp is Prometheus sent from Olympia to let us speak between ourselves.

Modexp has many implementation subtleties. Modexp performs what, in a block cipher, would be called mixing, by using multiplication. (e.g., The IDEA block cipher uses multiplication for this.) Modexp is stirring dye into water by turning the cranks of an eggbeater a certain number of times, and then getting the dye back to its original position by reversing the motion a different, but related, number of times.

DH is ephemeral, where identity is merely a communication endpoint constant for the session. RSA lets you release (not necessarily publish in the phone book sense) *persistent* authenticators for persistent identities. So you can assure that an endpoint is the same across sessions across time. Modexp is the core of it all.

All is number -Pythagoras
Re: al-qaeda.net node downtime
At 05:18 AM 5/18/04 -0400, Riad S. Wahby wrote: I'm moving from Massachusetts to Texas, and unfortunately that means Congrats on being able to exercise your 2nd amendment rights a little bit more..
Re: [ISN] Safe and insecure
At 12:06 PM 5/19/04 -0400, R. A. Hettinga wrote:

--- begin forwarded text
http://www.salon.com/tech/feature/2004/05/18/safe_and_insecure/index.html
By Micah Joel
May 18, 2004

Last week, I turned off all the security features of my wireless router. I removed WEP encryption, disabled MAC address filtering and

So why am I doing this? In a word, privacy. By making my Internet

Plausible deniability it's called.

There are also the 802.11b freenet movements, a serious experiment/implementation of free access. (Some perhaps are facetious but some are real.) You could fly a flag of the warchalking symbol. Or put a decal on your window. As evidence of your freenet intent.

Practically, you could buy another AP, set it up secure, and use that for your own access. Not a bad recycling of old .11b-only APs, setting up free hotspots. Interference should be small, even if your parallel, secured AP system (which probably supports more modern cards/protocols/bands) has to drop down to the same .11b that your freenet uses.

It's also a bit of a honeypot and sniffer. It's like putting an extension of your phone on the street, limited to free local calls only, but obviously capable of recording all calls. (A rather interesting art/experiment..) Could lead to trouble before the trial though. Like being an anon email endpoint.

YMMV. IANAL.
[ISN] Safe and insecure
--- begin forwarded text

Date: Wed, 19 May 2004 07:20:30 -0500 (CDT)
From: InfoSec News [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [ISN] Safe and insecure
Reply-To: [EMAIL PROTECTED]
List-Id: InfoSec News isn.attrition.org
List-Archive: http://www.attrition.org/pipermail/isn
List-Post: mailto:[EMAIL PROTECTED]
List-Help: mailto:[EMAIL PROTECTED]
List-Subscribe: http://www.attrition.org/mailman/listinfo/isn, mailto:[EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]

http://www.salon.com/tech/feature/2004/05/18/safe_and_insecure/index.html

By Micah Joel
May 18, 2004

Last week, I turned off all the security features of my wireless router. I removed WEP encryption, disabled MAC address filtering and made sure the SSID was being broadcast loud and clear. Now, anyone with a wireless card and a sniffer who happens by can use my connection to access the Internet. And with DHCP logging turned off, there's really no way to know who's using it.

What's wrong with me? Haven't I heard about how malicious wardrivers can use my connection from across the street to stage their hacking operations? How my neighbors can steal my bandwidth so they don't have to pay for their own? How I'm exposing my home network to attacks from the inside? Yup.

So why am I doing this? In a word, privacy. By making my Internet connection available to any and all who happen upon it, I have no way to be certain what kinds of songs, movies and pictures will be downloaded by other people using my IP address. And more important, my ISP has no way to be certain if it's me.

In mid-April, Comcast sent letters to some of its subscribers claiming that their IP addresses had been used to download copyrighted movies. Since Comcast is not likely to improve customer satisfaction and retention with this strategy, it's probable the letter was a result of pressure from the Motion Picture Association of America or one of its members.
And to Comcast's credit, it stopped short of direct accusation; instead it gives users an out. Says the letter, If you believe in good faith that the allegedly infringing works have been removed or blocked by mistake or misidentification, then you may send a counter notification to Comcast. That's good enough for me. I've already composed my reply in case I receive one of these letters someday. Dear Comcast, I am so sorry. I had no idea that copyrighted works were being downloaded via my IP address; I have a wireless router at home and it's possible that someone may have been using my connection at the time. I will do my best to secure this notoriously vulnerable technology, but I can make no guarantee that hackers will not exploit my network in the future. If it ever comes down to a lawsuit, who can be certain that I was the offender? And can the victim of hacking be held responsible for the hacker's crimes? If that were the case, we'd all be liable for the Blaster worm's denial of service attacks against Microsoft last year. Don't get me wrong. I'm not deliberately opening my network to hackers and miscreants bent on downloading copyrighted material. I'm simply choosing not to secure it. That's no different from the millions of people who haven't installed anti-virus software and the millions more who don't keep theirs up to date. Yes, their vulnerabilities allow viruses to spread more quickly, but that's their choice, right? What about the security of my home network? A determined hacker may be able to crack my passwords or exploit weaknesses in the operating system that I never even thought of, but how is that different from before? There's no system that's completely secure, so whether hackers are inside or outside my firewall will make little difference. I'm willing to trade a little security for privacy. It feels strange to be opening up my network after years of vigorously protecting it, and it's not without a tinge of anxiety that I do so. 
But there's also a sense of liberation, of sticking it to the Man, that's undeniable, as well as an odd sense of community. It seems there's safety in numbers after all, even among strangers. - - - - - - - - - - - - About the writer Micah Joel is a systems engineer for a software company, an award-winning tech presenter and an early adopter of home wireless. _ ISN mailing list Sponsored by: OSVDB.org --- end forwarded text -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Mixmaster Protocol Draft (revision)
An updated version of the Mixmaster Protocol Specification has been published:

http://www.ietf.org/internet-drafts/draft-sassaman-mixmaster-01.txt

I'd like this to be the last revision, so if you have any comments on it (or if you've raised issues in the past that you don't see addressed), please let me know. Comments should be emailed to: [EMAIL PROTECTED]

Thanks,
Len
RE: EU seeks quantum cryptography response to Echelon
On Tue, 18 May 2004, Tyler Durden wrote:

> Monyk believes there will be a global market of several million users once a workable solution has been developed. A political decision will have to be taken as to who those users will be in order to prevent terrorists and criminals from taking advantage of the completely secure communication network, he said.

Hope the technology hits the streets fast enough after getting on the market. Monyk apparently doesn't believe that people who don't have the money to buy the Official Approval have no right to access to this technology.

> Silliness itself, at this point. Practical quantum cryptography at this point is limited to transmission. The moment it goes O/E, it's as vulnerable as any other data. And terrorists aren't going to bother splicing fiber.

There are quite many important activities that don't require storage of the transported data. For example, very very few people record their phone calls.
Re: [Asrg] Re: 3. Proof-of-work analysis
I'm still amazed that anyone takes this proof-of-work/hashcash stuff seriously.

At best it's the War Games approach, let's make the server play tic-tac-toe with itself to avoid nuclear holocaust, or the Bill Shatner logical paradox that makes the robot's head blow up. The Sphinx's riddle also comes to mind, works better for supernatural beings however.

I realize the defense of the dumbest ideas is always that any criticism can be represented as rudeness, ``how rude of you not to see the brilliance of my ideas!'', so one goes on and on anyhow but I wonder if there's any way to disabuse this nonsense once and for all, particularly in the minds of those who think it's a good idea?

In the words of someone famous whose name I'll leave out of this: This idea isn't right, why, it isn't even wrong!

-- 
        -Barry Shein

Software Tool & Die    | [EMAIL PROTECTED]           | http://www.TheWorld.com
Purveyors to the Trade | Voice: 617-739-0202        | Login: 617-739-WRLD
The World              | Public Access Internet     | Since 1989     *oo*
RE: EU seeks quantum cryptography response to Echelon
Thomas Shaddack wrote...

> There are quite many important activities that don't require storage of the transported data. For example, very very few people record their phone calls.

Storage wasn't my point per se. My point was that quantum cryptography only becomes unsnoopable* when it's in the optical form. With current optical fiber technologies this would limit the useful bandwidth distance product to short distances (ie, 10s of Km for key exchanges). After that, the signal must go O/E and then it's just the same as any normal digital signal.

Where Quantum Crypto might have application is in small metro area deployments, like downtown NYC or the DC Beltway, and where people are completely totally balls-to-the-wall paranoid about security (ie, they assume an attacker is willing to tap into their fiber and has all of the test sets needed to pull out a useful packet exchange--that ain't no pimply-face DoS script bunny, and hell it ain't Al Qaeda either).

Of course, to extend quantum protection beyond mere transport you'd need all sorts of quantum logic gates and processors (in addition to storage), but don't look for that in our lifetimes.

-TD

*: With quantum crypto it is of course possible to 'eavesdrop', depending on the coding, but that will cause the eavesdropper to quickly be revealed.
Re: [Asrg] Re: 3. Proof-of-work analysis
At 03:02 PM 5/19/2004, Barry Shein wrote:

> I'm still amazed that anyone takes this proof-of-work/hashcash stuff seriously.

I think it's grounded in some well-accepted DoS defence principles that are found in cookie protocols like Photuris and ISAKMP.

Mark

> At best it's the War Games approach, let's make the server play tic-tac-toe with itself to avoid nuclear holocaust, or the Bill Shatner logical paradox that makes the robot's head blow up. The Sphinx's riddle also comes to mind, works better for supernatural beings however.
>
> I realize the defense of the dumbest ideas is always that any criticism can be represented as rudeness, ``how rude of you not to see the brilliance of my ideas!'', so one goes on and on anyhow but I wonder if there's any way to disabuse this nonsense once and for all, particularly in the minds of those who think it's a good idea?
>
> In the words of someone famous whose name I'll leave out of this: This idea isn't right, why, it isn't even wrong!
>
> -- 
>         -Barry Shein
>
> Software Tool & Die    | [EMAIL PROTECTED]           | http://www.TheWorld.com
> Purveyors to the Trade | Voice: 617-739-0202        | Login: 617-739-WRLD
> The World              | Public Access Internet     | Since 1989     *oo*

___
Asrg mailing list
[EMAIL PROTECTED]
https://www1.ietf.org/mailman/listinfo/asrg
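The cookie-protocol analogy Mark draws is about cost asymmetry: the party asking for service pays up front, the party defending pays almost nothing to check. The following is an added example (not code from either post, nor from any hashcash implementation) that shows that asymmetry concretely: a hashcash-style stamp minted by the sender with a brute-force counter search, and a receiver-side check that does one SHA-1 plus the two things a verifier has to do beyond the hash, namely reject stamps minted for some other resource and reject replays of a stamp already accepted. The stamp layout follows the hashcash v1 field order; the recipient address, the YYMMDD date and the fixed random field in the usage code are constructed sample values.

```python
"""Hashcash-style proof-of-work stamp: minted by the sender, verified by
the receiver.  Added example, not code from the ASRG thread.  Stamp layout
follows hashcash v1 (ver:bits:date:resource:ext:rand:counter, SHA-1 over
the ASCII stamp).  Resource, date and random field used below are
constructed sample values."""
import hashlib
import secrets
from typing import Optional, Set


def leading_zero_bits(digest: bytes) -> int:
    """Count the leading zero bits of a digest (the partial hash collision)."""
    count = 0
    for byte in digest:
        if byte == 0:
            count += 8
            continue
        # For a non-zero byte, bit_length() is the position of its top set bit.
        count += 8 - byte.bit_length()
        break
    return count


def mint(resource: str, bits: int, date: str, rand: Optional[str] = None) -> str:
    """Sender side: increment the counter until SHA-1(stamp) starts with
    `bits` zero bits.  Expected cost is about 2**bits SHA-1 computations."""
    if rand is None:
        rand = secrets.token_urlsafe(12)  # URL-safe base64 never contains ':'
    counter = 0
    while True:
        stamp = f"1:{bits}:{date}:{resource}::{rand}:{counter}"
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1


def verify(stamp: str, resource: str, min_bits: int, seen: Set[str]) -> bool:
    """Receiver side: a few string checks, one SHA-1 and a replay lookup.
    `seen` is the receiver's store of already-accepted stamps; the stamp is
    added to it only after every other check passes."""
    parts = stamp.split(":")
    if len(parts) != 7 or parts[0] != "1":
        return False
    try:
        claimed_bits = int(parts[1])
    except ValueError:
        return False
    if claimed_bits < min_bits:
        return False  # sender did less work than this receiver demands
    if parts[3] != resource:
        return False  # minted for another recipient: not spendable here
    if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) < claimed_bits:
        return False  # the work claimed in the header was not actually done
    if stamp in seen:
        return False  # replay of a stamp that was already accepted once
    seen.add(stamp)
    return True


if __name__ == "__main__":
    accepted: Set[str] = set()
    # Constructed sample values: a recipient address and a YYMMDD date.
    s = mint("alice@example.com", 16, "040519")
    print(s, verify(s, "alice@example.com", 16, accepted))  # True
    print(verify(s, "alice@example.com", 16, accepted))     # False: replay
```

With bits=16 the sender performs on the order of 65,536 SHA-1 computations per message while the receiver performs one hash and one set lookup; raising bits by one doubles the sender's cost and leaves the receiver's unchanged. The `seen` store is what separates this from a mere puzzle: without it, one stamp could be presented with every message to the same recipient, and the per-message cost the scheme is meant to impose would vanish.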