Re: Team Building?? WIMPS!!

[Tyler Durden]

Well, I'd consider killing May as a big de-merit...if he's alive and 
conscious we can get video of his reaction to our monkeying around with all 
his stuff (including perhaps mass-mailing his PGP keys to feds and whatnot).

Or else maybe just get a black drag queen to give the ole coot a lapdance.
-TD
From: Justin <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: Team Building?? WIMPS!!
Date: Sun, 13 Feb 2005 18:01:40 +
On 2005-02-13T13:22:43+0100, Thomas Shaddack wrote:
> On Thu, 10 Feb 2005, Tyler Durden wrote:
>
> > Well, I didn't say it would be easy. We'd definitely need to split up 
into
> > teams...one to handle the alarm systems,
>
> Teamwork is essential here.
> ...
> Optionally just add couple more mines and then wait.[4]

Why not wait for him to leave the house and then pick him off?  If
necessary, jam one of his video cameras or shoot it with a silenced
rifle from afar.  When he ventures forth to determine what's wrong with
it, shoot him in the head.
Once he's dead, frustrating the alarm company is even easier.  Then you
have all the time you want to disarm mines, ransack the compound, hold
an Iraqi/Libyan hooker party, and prank call the White House and the NSA
(just before closing time; no sense in being around when the feds show
up, though perhaps they'd give everyone a reward for eliminating TCM).
--
Certainly there is no hunting like the hunting of man, and those who
have hunted armed men long enough and liked it, never really care for
anything else thereafter.   --Hemingway, Esquire, April 1936

How to Stop Junk E-Mail: Charge for the Stamp

[R.A. Hettinga]

Actually, it's not just "sender pays", it's "a whitlist for my friends, all
other others pay cash", but "sender pays" will do for a start. :-)

Cheers,
RAH
---




The New York Times

February 13, 2005
DIGITAL DOMAIN

How to Stop Junk E-Mail: Charge for the Stamp
 By RANDALL STROSS


OMPARE our e-mail system today with the British General Post Office in
1839, and ours wins. Compare it with the British postal system in 1840,
however, and ours loses.

 In that year, the British introduced the Penny Black, the first postage
stamp. It simplified postage - yes, to a penny - and shifted the cost from
the recipient to the sender, who had to prepay. We look back with wonder
that it could have ever been otherwise. Recipient pays? Why should the
person who had not initiated the transaction be forced to pay for a message
with unseen contents? What a perverse system.

Today, however, we meekly assume that the recipient of e-mail must bear the
costs. It is nominally free, of course, but it arrives in polluted form.
Cleaning out the stuff once it reaches our in-box, or our Internet service
provider's, is irritating beyond words, costly even without per-message
postage. This muck - Hotmail alone catches about 3.2 billion unsolicited
messages a day - is a bane of modern life.

Even the best filters address the problem too late, after this sludge has
been discharged without cost to the polluter. In my case, desperation has
driven me to send all my messages sequentially through three separate
filter systems. Then I must remember to check the three junk folders to see
what failed to get through that should have. Recipient pays.

Do not despair. We can now glimpse what had once seemed unattainable:
stopping the flow at its very source. The most promising news is that
companies like  Yahoo,  EarthLink, America Online,  Comcast and  Verizon
have overcome the fear that they would prompt antitrust sanctions if they
joined forces to reclaim the control they have lost to spammers.

 They belong to an organization called the Messaging Anti-Abuse Working
Group, formed only last year. It shares antispam techniques and lobbies
other e-mail providers to adopt policies that protect the commons. Civic
responsibility entails not merely screening incoming mail to protect one's
own customers but also screening outgoing mail that could become someone
else's problem.

Carl Hutzler, AOL's director of antispam operations, has been an especially
energetic campaigner, urging all network operators to "cut off the
spammer's oxygen supply," as he told an industry gathering last fall. And
those operators who do not "get smart soon and control the sources of spam
on their networks," he said, will find that they "will not have
connectivity" to his provider and others who are filtering outgoing e-mail.

 He did not spell out the implications for customers, but he doesn't need
to: we can select a service provider from the group with a spam-free zone,
or one that has failed to do the necessary self-policing required for
joining the gated community and is banished to the wilds of anything-goes.

One measure backed by advocates like Mr. Hutzler is already having a
positive impact: "Port 25 blocking," which prevents an individual PC from
running its own mail server and blasting out e-mail on its own. With the
block in place, all outgoing e-mail must go through the service provider's
mail server, where high-volume batches of identical mail can be detected
easily and cut off.

 Internet service providers are also starting to stamp outgoing messages
with a digital signature of the customer's domain name, using strong
cryptography so the signature cannot be altered or counterfeited. This is
accomplished with software called DomainKeys, originally developed by
Yahoo. It is now offered in open-source form and was recently adopted by
EarthLink and some other major services. A digital signature is what we
will want to see on all incoming e-mail.

 If your Internet service provider is not on the working group's roster,
you can insist that it take the oath of good citizenship. This month,  MCI
found itself criticized because a Web site that sells Send-Safe software
gets Internet services from a company that's an MCI division customer.
Send-Safe is spamware that offers bulk e-mail capability, claiming "real
anonymity"; it hijacks other machines that have been infected with a
complementary virus. Anyone can try it out for $50 and spray 400,000
messages. MCI, for its part, argues that it has an exemplary record in
shutting down spammers, but that the sale of bulk e-mail software is not,
ipso facto, illegal.

Unfortunately, there has been no good news on the legal front. When the
first batch of antispam bills was introduced in Congress in 1999, one could
have reasonably expected that legislators were ready to stamp out
unsolicited e-mail, just as they had banned unsolicited

Re: [FoRK] Google (fwd from rst@ai.mit.edu)

[Will Morton]

On 11 Feb 2005, at 20:20, Tyler Durden wrote:
Hum...I've been thinking about that...seems to me one could set up 
anonymity using even Hotmail and Yahoo by a careful selection of 
completely improbably emails addresses. The timing might be tricky, 
though:

1. Think up two email addresses no one would have utilized...a random 
list of letters and numbers.
2. Go to Yahoo mail and sign up using one the email addresses. Plug in 
the other as the 'reference' and point it at, say, hotmail.
3. Open another browser to hotmail, do the reverse.
4. Hit send.
5. Hit send.

	Seems like a lot of work... why not just use www.mytrashmail.com or 
one of the many identical sites?  (Need to change your hotmail password 
right away, obviously)

W

Cypherpunk help with Hal Finney demo

["Hal Finney"]

Here's a semi-urgent request.  I introduced the RPOW project last year
on this list, rpow.net.  It provides a sort of play-money form of digital
cash, an implementation of Nick Szabo's concept of "bit gold".

I am giving a talk at CodeCon, www.codecon.org, on this system, in about
an hour(!) and I could use some help from you.

One of the things I have done to demo a possible use is to make a
patched version of BitTorrent, the widely used file sharing program, that
exchanges RPOW data objects in order to reward people for uploading and
seeding files.  In exchange, people with RPOWs can get priority on future
downloads, so by seeding today you can get a better download tomorrow.
That's the concept, although at this point it is just an experiment.

What I need is to have a dozen or so people doing regular BitTorrent
downloads of a file I will offer during the demo, which will be at
about 5:15 PM Pacific Standard Time, 8:15 PM EST, 1:15 AM GMT.  That's 1
hour from now.  You don't need to use any special RPOW software, just
the regular BitTorrent client.

If you have a BitTorrent client and know how to use it, could you start
up and leave running a download of the following .torrent file:

http://www.finney.org/~hal/ArkyMovie.mpg.torrent

This is fully legal, it's just a home movie of my dog Arky playing on
the beach with his brother.

Nothing will happen with the download until I start the demo after 5.
But if you could start up your BitTorrent client before then and just
leave it running, it would be a big help for me.

If you are able to do this, please send me an email when you start up your
BT client, at [EMAIL PROTECTED]  If you've never used BT, don't bother to
try downloading and figuring it out.  I only really need a minimum of
4 or 5 people doing it, but as I said a dozen or more would be great.

Sorry about the last minute notice; I know that most people won't see
this until too late, but if anyone sees it now and you know how to use
BT I'd appreciate your help.

Thanks!

Hal Finney

RE: Break-In At SAIC Risks ID Theft

[Tyler Durden]

I worked for a subsidiary of SAIC for a number of years. Their "Private 
Stock" always seemed like a pyramid scheme to us engineers. And they 
couldn't manage us worth a damn.

Doesn't really suprise me, given the way they operate. I'd bet someone 
brought the risks to their attention, too and made a conscious decison that 
the risk wasn't worth the necessary expenditure.

-TD
From: "R.A. Hettinga" <[EMAIL PROTECTED]>
To: cryptography@metzdowd.com, [EMAIL PROTECTED]
Subject: Break-In At SAIC Risks ID Theft
Date: Sat, 12 Feb 2005 07:54:34 -0500

The Washington Post
washingtonpost.com
Break-In At SAIC Risks ID Theft
Computers Held Personal Data on Employee-Owners
 By Griff Witte
 Washington Post Staff Writer
 Saturday, February 12, 2005; Page E01
 Some of the nation's most influential former military and intelligence
officials have been informed in recent days that they are at risk of
identity theft after a break-in at a major government contractor netted
computers containing the Social Security numbers and other personal
information about tens of thousands of past and present company employees.
 The contractor, employee-owned Science Applications International Corp. 
of
San Diego, handles sensitive government contracts, including many in
information security. It has a reputation for hiring Washington's most
powerful figures when they leave the government, and its payroll has been
studded with former secretaries of defense, CIA directors and White House
counterterrorism advisers.

Those former officials -- along with the rest of a 45,000-person workforce
in which a significant percentage of employees hold government security
clearances -- were informed last week that their private information may
have been breached and they need to take steps to protect themselves from
fraud.
 David Kay, who was chief weapons inspector in Iraq after nearly a decade
as an executive at SAIC, said he has devoted more than a dozen hours to
shutting down accounts and safeguarding his finances. He said the
successful theft of personal data, by thieves who smashed windows to gain
access, does not speak well of a company that is devoted to keeping the
government's secrets secure.
"I just find it unexplainable how anyone could be so casual with such vital
information. It's not like we're just now learning that identity theft is a
problem," said Kay, who lives in Northern Virginia.
 About 16,000 SAIC employees work in the Washington area.
Bobby Ray Inman, former deputy director of the CIA and a former director at
SAIC, agreed. "It's worrisome," said Inman, who also received notification
of the theft last week. "If the security is sloppy, it raises questions."
Ben Haddad, an SAIC spokesman, said yesterday that the Jan. 25 theft, which
the company announced last week, occurred in an administrative building
where no sensitive contracting work is performed. Haddad said the company
does not know whether the thieves targeted specific computers containing
employee information or if they were simply after hardware to sell for
cash. In either case, the company is taking no chances.
 "We're taking this extremely seriously," Haddad said. "It's certainly not
something that would reflect well on any company, let alone a company
that's involved in information security. But what can I say? We're doing
everything we can to get to the bottom of it."
Gary Hassen of the San Diego Police Department said there are, at the
moment, "no leads."
 Haddad said surveillance cameras are in the building where the theft took
place, but he did not know whether they caught the perpetrators on tape. He
also did not know whether the information that was on the pilfered
computers had been encrypted.
 The stolen information included names, Social Security numbers, 
addresses,
telephone numbers and records of financial transactions. It was stored in a
database of past and present SAIC stockholders. SAIC is one of the nation's
largest employee-owned companies, with workers each receiving the option to
buy SAIC stock through an internal brokerage division known as Bull Inc.

 Haddad said the company has been trying through letters and e-mails to 
get
in touch with everyone who has held company stock within the past decade,
though he acknowledged that hasn't been easy since many have since left the
company.

 He said the company would take steps to ensure stockholder information is
better protected in the future, but he declined to be specific.
 The theft comes at a time when the company, which depends on the federal
government for more than 80 percent of its $7 billion annual revenue, is
already under scrutiny for its handling of several contracts.
 Last week on Capitol Hill, FBI Director Robert S. Mueller III testified
that the company had botched an attempt to build software for the bureau's
new Virtual Case File system. The $170 million upgrade was supposed to
allow agents to sift through differe

Break-In At SAIC Risks ID Theft

[R.A. Hettinga]

The Washington Post

washingtonpost.com
Break-In At SAIC Risks ID Theft
Computers Held Personal Data on Employee-Owners

 By Griff Witte
 Washington Post Staff Writer
 Saturday, February 12, 2005; Page E01

 Some of the nation's most influential former military and intelligence
officials have been informed in recent days that they are at risk of
identity theft after a break-in at a major government contractor netted
computers containing the Social Security numbers and other personal
information about tens of thousands of past and present company employees.

 The contractor, employee-owned Science Applications International Corp. of
San Diego, handles sensitive government contracts, including many in
information security. It has a reputation for hiring Washington's most
powerful figures when they leave the government, and its payroll has been
studded with former secretaries of defense, CIA directors and White House
counterterrorism advisers.

Those former officials -- along with the rest of a 45,000-person workforce
in which a significant percentage of employees hold government security
clearances -- were informed last week that their private information may
have been breached and they need to take steps to protect themselves from
fraud.

 David Kay, who was chief weapons inspector in Iraq after nearly a decade
as an executive at SAIC, said he has devoted more than a dozen hours to
shutting down accounts and safeguarding his finances. He said the
successful theft of personal data, by thieves who smashed windows to gain
access, does not speak well of a company that is devoted to keeping the
government's secrets secure.

"I just find it unexplainable how anyone could be so casual with such vital
information. It's not like we're just now learning that identity theft is a
problem," said Kay, who lives in Northern Virginia.

 About 16,000 SAIC employees work in the Washington area.

Bobby Ray Inman, former deputy director of the CIA and a former director at
SAIC, agreed. "It's worrisome," said Inman, who also received notification
of the theft last week. "If the security is sloppy, it raises questions."

Ben Haddad, an SAIC spokesman, said yesterday that the Jan. 25 theft, which
the company announced last week, occurred in an administrative building
where no sensitive contracting work is performed. Haddad said the company
does not know whether the thieves targeted specific computers containing
employee information or if they were simply after hardware to sell for
cash. In either case, the company is taking no chances.

 "We're taking this extremely seriously," Haddad said. "It's certainly not
something that would reflect well on any company, let alone a company
that's involved in information security. But what can I say? We're doing
everything we can to get to the bottom of it."

Gary Hassen of the San Diego Police Department said there are, at the
moment, "no leads."

 Haddad said surveillance cameras are in the building where the theft took
place, but he did not know whether they caught the perpetrators on tape. He
also did not know whether the information that was on the pilfered
computers had been encrypted.

 The stolen information included names, Social Security numbers, addresses,
telephone numbers and records of financial transactions. It was stored in a
database of past and present SAIC stockholders. SAIC is one of the nation's
largest employee-owned companies, with workers each receiving the option to
buy SAIC stock through an internal brokerage division known as Bull Inc.

 Haddad said the company has been trying through letters and e-mails to get
in touch with everyone who has held company stock within the past decade,
though he acknowledged that hasn't been easy since many have since left the
company.

 He said the company would take steps to ensure stockholder information is
better protected in the future, but he declined to be specific.

 The theft comes at a time when the company, which depends on the federal
government for more than 80 percent of its $7 billion annual revenue, is
already under scrutiny for its handling of several contracts.

 Last week on Capitol Hill, FBI Director Robert S. Mueller III testified
that the company had botched an attempt to build software for the bureau's
new Virtual Case File system. The $170 million upgrade was supposed to
allow agents to sift through different cases electronically, but the FBI
has said the new system is so outdated that it will probably be scrapped.

 In San Antonio, SAIC is fighting the government over charges that the
company padded its cost estimates on a $24 million Air Force contract. The
case prompted the Air Force to issue an unusual alert to its contracting
officials late last year, warning them that "the Department of Justice
believes that SAIC is continuing to submit defective cost or pricing data
in support of its pricing proposals."

 SAIC has defended its

Re: [FoRK] Google (fwd from rst@ai.mit.edu)

[Eugen Leitl]

- Forwarded message from [EMAIL PROTECTED] -

From: [EMAIL PROTECTED]
Date: Fri, 11 Feb 2005 12:42:21 -0500
To: [EMAIL PROTECTED]
Cc: fork@xent.com
Subject: Re: [FoRK] Google
X-Mailer: VM 7.08 under Emacs 21.3.1

Lucas Gonze writes:

 > > P.S. Maybe I just hate the Google hype, of which there is much.
 > 
 > The creepy all-seeing eye is what gets me.  They can surely use my 
 > verification email for gmail to cross-ref me to google groups, my blog, 
 > and eventually all the way back to my ftp traces from the 80s.  It hurts 
 > to think about.

I never understood why the privace fuss over gmail centered on their
target ads.  Use of tracking cookies across multiple Google services
is a lot more worrisome.

Playing with gmail without getting tracked is tricky at best -- last
I checked, it just didn't work unless you took a search-tracking
cookie as well.  You could try to deal with that by setting up a
browser profile with its own cookie jar, and using it for gmail and
nothing else.  But I think you'd still need a securely pseudonymous
throwaway email address to set up the gmail account.  And the lack of
searches on that cookie would let them know, at least, that they're
dealing with a privacy freak.

FWIW, I'm really not sure what level of paranoia to adopt wrt Google.
"Don't be evil" is a nice slogan, though "evil" is to some extent in
the eye of the beholder.  They don't seem too upset to put a few more
bricks in the Great Firewall of China, for instance:

   http://news.zdnet.co.uk/internet/security/0,39020375,39167942,00.htm

But that makes them no different from a lot other American companies,
like Yahoo and Cisco, which have also been happy to cooperate, in
their own ways.  It's hard to make a case for Google as being uniquely
evil or dangerous based so far on public misdeeds.

But here, for what it's worth, is the most paranoid case I can easily
concot.  Suppose you were genuinely, unabashedly evil.  And suppose
you wanted to accumulate as much information as you could.  (If people
give you the information for free, so much the better).  And suppose
you wanted to get a lot of very smart people to make it easy to search
and access that information for your nefarious purposes.  (They, of
course, wouldn't need to know what they are ultimately working on).
You'd want access to everything at Google.  But you wouldn't
necessarily want to be up front and center promoting it in public.
Better by far to let some genuine idealists be the public face --
while your agents quietly hang out inside, subverting the place.

rst


___
FoRK mailing list
http://xent.com/mailman/listinfo/fork

- End forwarded message -
-- 
Eugen* Leitl http://leitl.org";>leitl
__
ICBM: 48.07078, 11.61144http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
http://moleculardevices.org http://nanomachines.net


pgprY2CT5MMqy.pgp
Description: PGP signature

RE: Team Building?? WIMPS!!

[Thomas Shaddack]

On Thu, 10 Feb 2005, Tyler Durden wrote:

> Well, I didn't say it would be easy. We'd definitely need to split up into
> teams...one to handle the alarm systems,

Teamwork is essential here.

Maybe attract a lightning with a rocket on a wire[1], the induced current 
will do the job with the sensors around. Optionally annoy the sensors with 
spurious alarms until they get written off as unreliable[2]. Keep 
disabling the technicians that come to check/repair them[3], until the 
base staff either runs out of technicians or writes off the sensors. 
Technology can be a strength, but overreliance on it is a weakness.

[1] I believe lightning researchers do this, in addition to having labs on 
tops of skyscrapers. See eg. .

[2] US agents did it with sugar pellets shot at the windows of the 
Russian embassy in Washington, DC, during the thunderstorms that are 
frequent there. The vibration sensors were causing false alarms, so they 
were disconnected. Then one night the agents successfully penetrated the 
object. Same with rebels in Afghanistan attacking Russian bases. (Bruce 
Schneier, Beyond Fear, page 56:
)

[3] I think it was used during WW2. The comm wires were cut, then the 
soldier dispatched to check the failure was ambushed. Used frequently by 
guerrillas fighting Germans in the mountains.

> one to handle the landmines,

Optionally just add couple more mines and then wait.[4]

[4] As a classic joke says. A farmer had a pumpkin field. Neighbourhood 
boys were stealing them. One day, he put up a sign: "One of the pumpkin is 
laced with cyanide." In the evening, he found scribbled there: "Now they 
are two".

> one to somehow fend off May's bullets.

History books are full of prior art.

Or just drive a remotely controlled tank in.

Or modify the strategy. As Sun Tzu says, the best battles are the ones won 
without fighting.

> And then, even if we somehow capture May, I'd bet he's got all sorts of 
> dead-man stuff like poison gas and whatnot. It'd be like a big game of 
> D&D, not that any Cypehrpunk knows what THAT is!

It would be closer to a LARP.

> And yeah, there's a good chance someone's not gonna make it. But think of it
> like this: Those genes were slowing down our species anyway.

The best fun often has the highest price.

> The only problem is, what do we do once we're in? Throw a big-ass drinking,
> whoring Shriners-like party? (I say we need a bevvy of black hookers.) Break
> into May's survivalist supplies?

Don't worry. Look at the Iraq Desert Adventure planning stage. Who needs a 
post-victory plan?

Re: Team Building?? WIMPS!!

[Riad S. Wahby]

Thomas Shaddack  wrote:
> On Thu, 10 Feb 2005, Tyler Durden wrote:
> > And then, even if we somehow capture May, I'd bet he's got all sorts of 
> > dead-man stuff like poison gas and whatnot. It'd be like a big game of 
> > D&D, not that any Cypehrpunk knows what THAT is!
> 
> It would be closer to a LARP.

Considering its origins, and our own, I'd like to think that we could
make the whole thing as close to a Shadowrun[1] as possible.

[1] http://en.wikipedia.org/wiki/Shadowrun

-- 
Riad S. Wahby
[EMAIL PROTECTED]

Re: Team Building?? WIMPS!!

[Justin]

On 2005-02-13T13:22:43+0100, Thomas Shaddack wrote:
> On Thu, 10 Feb 2005, Tyler Durden wrote:
> 
> > Well, I didn't say it would be easy. We'd definitely need to split up into
> > teams...one to handle the alarm systems,
> 
> Teamwork is essential here.
> ...
> Optionally just add couple more mines and then wait.[4]

Why not wait for him to leave the house and then pick him off?  If
necessary, jam one of his video cameras or shoot it with a silenced
rifle from afar.  When he ventures forth to determine what's wrong with
it, shoot him in the head.

Once he's dead, frustrating the alarm company is even easier.  Then you
have all the time you want to disarm mines, ransack the compound, hold
an Iraqi/Libyan hooker party, and prank call the White House and the NSA
(just before closing time; no sense in being around when the feds show
up, though perhaps they'd give everyone a reward for eliminating TCM).

-- 
Certainly there is no hunting like the hunting of man, and those who
have hunted armed men long enough and liked it, never really care for
anything else thereafter.   --Hemingway, Esquire, April 1936

Re: [FoRK] Google (fwd from rst@ai.mit.edu)

[Tyler Durden]

 But I think you'd still need a securely pseudonymous
throwaway email address to set up the gmail account.  And the lack of
searches on that cookie would let them know, at least, that they're
dealing with a privacy freak.
Hum...I've been thinking about that...seems to me one could set up anonymity 
using even Hotmail and Yahoo by a careful selection of completely improbably 
emails addresses. The timing might be tricky, though:

1. Think up two email addresses no one would have utilized...a random list 
of letters and numbers.
2. Go to Yahoo mail and sign up using one the email addresses. Plug in the 
other as the 'reference' and point it at, say, hotmail.
3. Open another browser to hotmail, do the reverse.
4. Hit send.
5. Hit send.

This should cause the two email accounts to reference each other. Mightn't 
this work? If not, perhaps there's some way to delay one of the emails.

-TD

Re: What is a cypherpunk?

[ken]

James A. Donald wrote:

The state was created to attack private property rights - to
steal stuff.  Some rich people are beneficiaries, but from the
beginning, always at the expense of other rich people.
More commonly states defend the rich against the poor.  They are 
what underpins property rights, in the  sense of "great property" 
- until the industrial revolution that was mostly rights to land 
other people farm or live on. Every society we know about has had 
laws and customs defending personal property (more or less 
successfully) but it takes political/military power to defend the 
right to exact rent from a large estate, and state power to defend 
that right for thousands or millions of landowners.


Again, compare the burning of Shenendoah with the Saint
Valentine's day massacre.  There is just no comparison.
Governmental crimes are stupendously larger, and much more
difficult to defend against.
True.
The apposite current comparison is 9/11 the most notorious piece 
of private-enterprise violence in recent years, and the far more 
destructive  US revenge on Afghanistan and Iraq. Which was 
hundreds of times more destructive but hundreds of thousands of 
times more expensive, so far less cost-effective - but in a a war 
of attrition that might not matter so much. Of course the 
private-enterprise AQ & their friends the Taliban booted 
themselves into a state, of sorts in Afghanistan, with a little 
help from their friends in Pakistan and arguable amounts of US 
weaponry. Not that Afghanistan was the sort of place from which 
significant amounts of tax could be collected to fund further 
military adventures.

States can get usually get control of far larger military 
resources than private organisations, and have fewer qualms about 
wasting them.  Not that it makes much difference to the victims - 
poor peasants kicked off land wanted for oilfields in West Africa 
probably neither know nor care whether the troops who burned their 
houses were paid by the oil companies or the local government.