Re: punkly current events
On Dec 10 2004, Eugen Leitl wrote:
|
| Because nodes are not geographically constrained to US jurisdiction?
|
| If mixter won't survive, it's due to spammers, and malware spreaders.

The latter statement may well be true; I don't use the network, nor know the ratios of good/bad traffic. But I am very curious to find out what would be considered geographically safe jurisdictions in this sense. Not just today, but given the general trend, where would you see such a jurisdiction being found in a year or five or ten?
Re: Another John Young Sighting
On Aug 20 2004, Bill Stewart wrote:
| Yup. Reruns of the Daily Show are usually on at 7pm the following day,
| though check your local cable schedule.

Don't suppose anyone is willing to record and post for those of us who don't have access to US channels right now?
Re: [IP] When police ask your name, you must give it, Supreme Court says (fwd from dave@farber.net)
On Jun 21 2004, Steve Schear wrote:
| Not a problem. It's legal to use any name you wish, including those that
| use glyphs and sounds which cannot be represented by standard Roman and
| non-Roman alphabets (as is common in some African tribes). So, those that
| wish to avoid this database nightmare can legally adopt a name which does
| not conform.

Well, in principle this is a nice screw-you method. But in practice... well, if you have to write down your name because the sound doesn't exist or can't be pronounced, you're that much more singled out, eh... And for those of us who wish to travel, well, passports become difficult to manage, I suspect. I am quite surprised by this ruling actually (I haven't yet read the specifics), but the first impression of it says that this does not bode well for opponents of the War on Terrorism (tm) or for anyone who doesn't like the great big database in the sky...
Re: Linksys WRT54G (and clones)
On Jun 20 2004, Eugen Leitl wrote:
| Anyone here using that device? With Sveasoft's firmware? Building the
| firmware yourself, or using VPNs/IPsec?

I have one here at work. Works wonders. I didn't build it myself though. I actually paid the subscription too. The $20 seemed worthwhile to me. I don't see anywhere in this thing that allows me to make it a VPN endpoint, but I do have IPsec passthrough enabled and it works fine.

| Sveasoft's forums contain lots of info, but are difficult to access.
| If you're looking for the same information we could mutually help each other by
| starting a Wiki, or using a mailing list ([EMAIL PROTECTED] is largely
| silent on crypto matters).

I don't know what you have in mind, but I'm all for it. If this thing becomes a VPN endpoint that helps me out some, though the 200MHz processor might not handle as much as I'd like...
[David_Heinrich@urmc.rochester.edu: [mises] praxeology and game theory]
possibly of interest to some here...

- Forwarded message from Pro-Choice [EMAIL PROTECTED] -
Date: Thu, 20 May 2004 03:18:25
From: Pro-Choice [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [mises] praxeology and game theory

Today, in Managerial Economics, the professor talked about Game Theory. The subject made me hark back to Austrian Economics and Game Theory: a Stocktaking at http://tinyurl.com/2vyna. I also thought of *The Games Economists Play*, by Murphy, at http://tinyurl.com/2vgoq. I see some interesting elements of value in game theory. Fundamentally, it appears to be strongly influenced by praxeology, human action, as is indicated in the basic Prisoner's Dilemma. Furthermore, though Murphy notes that game theory has been used to justify state intervention (because the Nash equilibrium is not the optimum cooperation), there are also those who have used game theory to argue against State intervention. See *The Possibility of Cooperation* by Michael Taylor.

Anyways, a cruel alternative to the prisoner's dilemma occurred to me in the class. This was not really my own creation, but I remembered it from Baldur's Gate II.

* If both push their buttons, both die.
* If neither pushes their button, both die.
* If one of them pushes their button, but the other doesn't, the one who did not push the button dies.
* Each of them has one hour to decide whether or not to push the button.
* Neither of them can see whether the other is about to or has pushed his or her button.

Obviously, this is a one-shot game, so we need not consider repeated games.
The following outcome table emerges (in each cell, the first listed outcome is what happens to A, the second what happens to B, given the inputs, which are the row and column headers):

                          A
                   Push         Don't Push
  B  Push          D,D          D,L
     Don't Push    L,D          D,D

(clearly, this is a game that you don't want to play)

At first, it appears that there are only three possible outcomes (I will not differentiate between them both dying from them both pushing, or them both dying from them both not pushing):

D,D: A dies, B dies
D,L: A dies, B lives
L,D: A lives, B dies

-- The Game Theorist Analysis --

The game theorist analysis, I would guess, would go as follows. A would prefer that A lives, B that B lives. A's analysis of the situation would go something like this: If A does not push the button, A will most certainly die, whether B pushes the button or not. However, if A pushes the button, he will live if B does not push the button, though he will die if B also pushes the button. It is at least conceivable to A -- albeit unlikely -- that if he pushes the button, he will survive. B's analysis proceeds in exactly the same manner. Thus, if each wishes for himself to live, both A and B will push the button. The Nash equilibrium is that they would both push the button, and thus that they should both die. In short, if each of them picks the strategy that he sees as allowing for the possibility that he himself could live, they both will die. According to this standard line of game theory reasoning, it is impossible that either of them could live.

-- Possible Psychological Ordinal Preference-Rankings --

In the following, I will list possible ordinal preference rankings for A and B in a list, with the most preferred outcome at the top of the list, progressively going towards less preferred outcomes.
This seems to be simple, but in fact the list becomes rather long once you realize that it is perfectly *possible* that A could prefer D,D, or that A could be indifferent between the three outcomes, or between two of the outcomes. In the case where there is indifference between two or three outcomes, they are listed side-by-side. In the case where A is indifferent between two or three outcomes, that indifference cannot explain why he either pushes a button or does not push a button. I am aware that preference can only be revealed through action, and that indifference *cannot* be illustrated by action. These ordinal preferences I am listing are not all praxeological preferences, because action can only illustrate preference, not indifference. They are, rather, preferences from a prior psychological point of view. Praxeological ordinal rankings can only be revealed via action. This is an exhaustive list of all possible ordinal rankings. If I am either A or B, I know which ranking I prefer:

      1      2      3      4      5      6
      D,L    D,L    L,D    L,D    D,D    D,D
      L,D    D,D    D,D    D,L
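As an added worked example (not part of the forwarded post), this C program encodes the button game and, for a given ordinal ranking of the outcomes, reports which move is weakly dominant and which strategy profiles are pure-strategy Nash equilibria; it goes slightly beyond the post by showing that under the selfish ranking the two one-sided profiles are equilibria as well, since the non-pusher dies whatever he does, while Push/Push is the only one in weakly dominant strategies. The selfish and altruist rankings are taken from the post's list of possibilities; the function names and profile encoding are constructed here.

```c
#include <stdio.h>
#include <string.h>

/* The two-button game from the post. A and B each choose Push or Don't. */
typedef enum { PUSH = 0, DONT = 1 } move_t;
typedef struct { int a_lives, b_lives; } outcome_t;

/* Outcome rules: both push or neither pushes -> both die;
 * if exactly one pushes, the one who did not push dies. */
static outcome_t play(move_t a, move_t b) {
    outcome_t o = {0, 0};
    if (a == PUSH && b == DONT) o.a_lives = 1;
    if (b == PUSH && a == DONT) o.b_lives = 1;
    return o;
}

/* The post's notation: first letter is A's fate, second is B's. */
static const char *label(outcome_t o) {
    static const char *names[2][2] = { {"D,D", "D,L"}, {"L,D", "L,L"} };
    return names[o.a_lives][o.b_lives];
}

/* An ordinal ranking maps an outcome to a number; higher is preferred and
 * equal numbers mean indifference. Two rankings from the post's list: a
 * selfish player cares only about surviving, an altruist only about the
 * other player surviving (the ranking with D,L on top for A). */
typedef int (*rank_fn)(outcome_t);
static int selfish_a(outcome_t o)  { return o.a_lives; }
static int selfish_b(outcome_t o)  { return o.b_lives; }
static int altruist_a(outcome_t o) { return o.b_lives; }
static int altruist_b(outcome_t o) { return o.a_lives; }

/* Move m weakly dominates A's other move under ranking ua: never worse
 * against either B move, strictly better against at least one. */
static int a_weakly_dominant(rank_fn ua, move_t m) {
    move_t other = (m == PUSH) ? DONT : PUSH;
    int strictly_better = 0;
    for (int b = 0; b < 2; b++) {
        int um = ua(play(m, (move_t)b)), uo = ua(play(other, (move_t)b));
        if (um < uo) return 0;
        if (um > uo) strictly_better = 1;
    }
    return strictly_better;
}

/* Pure-strategy Nash equilibria: profiles where neither player strictly
 * gains by changing only their own move. Profiles are encoded as a*2+b
 * (0 = Push/Push, 1 = Push/Don't, 2 = Don't/Push, 3 = Don't/Don't).
 * Fills ne[] in that order and returns how many were found. */
static int nash_equilibria(rank_fn ua, rank_fn ub, int ne[4]) {
    int n = 0;
    for (int a = 0; a < 2; a++) {
        for (int b = 0; b < 2; b++) {
            outcome_t now = play((move_t)a, (move_t)b);
            int a_gains = ua(play((move_t)(1 - a), (move_t)b)) > ua(now);
            int b_gains = ub(play((move_t)a, (move_t)(1 - b))) > ub(now);
            if (!a_gains && !b_gains) ne[n++] = a * 2 + b;
        }
    }
    return n;
}

/* Same result as a bitmask over the four profile codes (bit k = profile k). */
static int nash_mask(rank_fn ua, rank_fn ub) {
    int ne[4], n = nash_equilibria(ua, ub, ne), mask = 0;
    for (int i = 0; i < n; i++) mask |= 1 << ne[i];
    return mask;
}

int main(void) {
    static const char *prof[4] = {"Push/Push", "Push/Don't", "Don't/Push", "Don't/Don't"};
    int ne[4], n = nash_equilibria(selfish_a, selfish_b, ne);
    printf("Selfish players: Push weakly dominant for A? %d\n", a_weakly_dominant(selfish_a, PUSH));
    for (int i = 0; i < n; i++)
        printf("  equilibrium %s -> %s\n", prof[ne[i]],
               label(play((move_t)(ne[i] / 2), (move_t)(ne[i] % 2))));
    n = nash_equilibria(altruist_a, altruist_b, ne);
    for (int i = 0; i < n; i++) printf("Altruists: equilibrium %s\n", prof[ne[i]]);
    return 0;
}
```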
Re: Fornicalia Lawmaker Moves to Block Gmail
On Wed, Apr 14, at 08:22PM, Justin wrote:
| I'm not concerned with the advertising itself. My concern is that the
| Gmail service would provide an unacceptable level of detail on message
| content to whoever's monitoring the advertisement logs.

I only say something because I have seen this point before and find it ludicrous. How much more detail than the message itself does the advertising agency need? Google is the one targeting the ads at its customers. Google is the organization with all the emails. If they want to know what's in your emails, they don't need to bother to come up with an elaborate scheme for it... "You never have to delete email" doesn't have to be an advertising pitch for customers. Rather, it can be a nice nifty advertising pitch for the feds. Why subpoena the advertising logs when you can subpoena the emails themselves?
Anarchy and Capitalism in Africa of all places...
http://www.economist.com/World/africa/PrinterFriendly.cfm?Story_ID=2559183

(it requires a login... article pasted below)

I especially like the part about taxation and the difficulties of implementing it...

Somalia
Coke and al-Qaeda
Apr 1st 2004 | MOGADISHU
From The Economist print edition

Africa's most chaotic country is a bit calmer, but probably still home to anti-western terrorists

THERE are two ways to run a business in Somalia. You can pay off the local warlord, not always the most trustworthy of chaps, and hope he will stop his militiamen from murdering your staff. Or you can tell him to get stuffed and hire your own militia. After 13 years of civil war, businessmen are increasingly plumping for the latter option, and their defiance has been rewarded. A veneer of normality is returning to the world's most chaotic country. An economy, of sorts, is beginning to thrive. Somalia's first Coca-Cola bottling plant opened in the capital, Mogadishu, last month. That its carbon dioxide chambers are encased in mortar-proof reinforced concrete is almost beside the point. Somalis now have the opportunity to rot their teeth like anyone else, and that feels good. Countrywide distribution will be smoothed by the presence of hundreds of experienced security guards, who are also responsible for protecting the odd foreign expert who drops in. Newcomers are encouraged to calm their nerves by firing off a few rounds or lobbing a hand-grenade shortly after arrival. "It really works," enthuses a visiting Kenyan engineer. Perversely, this renaissance has been made possible by Somalia's continuing fragmentation. There is still no proper central government but, where once there was only a handful of warlords, there are now at least 24, and that is only the serious ones. With smaller fiefs to pillage, few can now afford the $100,000 or more that it costs to wage a six-hour battle, so such battles are less common.
This is what passes for peace in Somalia, and it is enough to tempt many homesick exiles to return. They bring money as well as skills and contacts. In the past few years, hospitals, schools, businesses and even a university have appeared. In some ways, anarchy makes doing business easier. There are no formal taxes (given how heavily armed the average Somali is, these would be hard to collect) and no regulation whatsoever. But the costs of chaos outweigh the benefits. You can roar through a warlord's road block unmolested if you have ten gunmen in the back of your pickup, but you have to pay your gunmen. Nationlink, one of the country's three mobile-phone operators, employs 300 guards to protect 500 staff. Everyone yearns for a restoration of stability and a proper government. A dozen attempts at negotiating a formal peace have failed. But since September 11th 2001, western governments, anxious to prevent al-Qaeda from using Somalia as a base, have pressed the warlords to make peace. On January 29th, after talks in Kenya, they were rewarded with a power-sharing agreement providing for a 275-strong parliament that is meant to represent all the country's main clans and minorities. Somalis are sceptical, however. Under the accord, warlords will choose the MPs, whose appointment will be confirmed by traditional elders. Who will pick the elders? Many worry that the warlords will. Some even argue that western support for the peace process encourages violence, by rewarding thugs with a share of power. Businessmen and other non-violent types have been excluded from the talks. "We have built schools, repaired hospitals and rebuilt roads. Yet no one is asking us what we think," says Nationlink's managing director, Ahmed Abdi Dini. Since the power-sharing agreement, the talks have stalled.
Amid the acrimony, consensus was reached on one issue: the warlords, many of them barely literate, unanimously agreed to abolish a clause barring those without a secondary education from parliament. Meanwhile, a decade after its botched intervention to protect food-aid deliveries in Somalia, the United States is back; this time, hunting for terrorists. American intelligence officers are working with two warlords to gather information about suspected al-Qaeda people in Somalia. Last year, an American commando raid on a Mogadishu hospital netted a Yemeni terrorist suspect, now in Guantánamo Bay. Hussein Aideed, son of the warlord whom American troops tried but failed spectacularly to capture in 1993, was apparently paid $500,000 for 41 Strela missiles to ensure they did not fall into bin Ladenite hands. It is rumoured that other warlords have also been paid: enough, possibly, to restock dwindling weapons supplies. Your correspondent saw some impressive hardware, including four gleaming Howitzers, at the base of one of the warlords, Mohamed Qanyare Afrah.

Short tempers, tall stories

President George Bush's war on terror has won him few friends in Somalia. In 2001, America forced the closure of Somalia's
Jackbooted thugs, mercs and non-gov paramilitaries
I don't normally forward articles, but this one might be of interest to some here. I especially like the part where these guys are exempt from the legal system...

http://www.economist.com/world/europe/PrinterFriendly.cfm?Story_ID=2539816

British companies have been grousing about losing out to the Americans in Iraq. But in one area, British companies excel: security

THE sight of a mob of Iraqi stone-throwers attacking the gates to the Basra palace where the coalition has its southern headquarters is no surprise. What's odd is the identity of the uniformed men holding them off. The single Briton and the six Fijians he is prodding to stand their ground are not British army soldiers but employees of Global Risk Strategies, a London-based security company. Private military companies (PMCs), mercenaries in oldspeak, manning the occupation administration's front lines, are now the third-largest contributor to the war effort after the United States and Britain. British ones are popular, largely because of the reputation of the Special Air Service (SAS) regiment whose ex-employees run and man many of the companies. They maintain they have twice as many men on the ground as their American counterparts. According to David Claridge, managing director of Janusian, a London-based security firm, Iraq has boosted British military companies' revenues from £200m ($320m) before the war to over £1 billion, making security by far Britain's most lucrative post-war export to Iraq. It's a lucrative business. A four-man ex-SAS team in Baghdad can cost $5,000 a day. Buoyed by their earnings, the comrades-in-arms live in the plushest villas in the plushest quarters of Baghdad. Their crew-cut occupants compare personal automatics, restock the bars and refill the floodlit pools of the former Baathist chiefs. Established companies have expanded; new ones have sprung up. Control Risks, a consultancy, now provides armed escorts. It has 500 men guarding British civil servants.
Global Risk Strategies was a two-man team until the invasion of Afghanistan. Now it has over 1,000 guards in Iraq (more than many of the countries taking part in the occupation) manning the barricades of the Coalition Provisional Authority (CPA). Last year it also won a $27m contract to distribute Iraq's new dinar. Erinys, another British firm, was founded by Alastair Morrisson, an ex-SAS officer who emerged from semi-retirement to win a contract with Jordanian and Iraqi partners to protect Iraq's oil installations. CPA officials say the contract is worth over $100m. Erinys now commands a 14,000-strong armed force in Iraq. In industry jargon, these companies' manpower is split into Iraqis, "third-country nationals" (Gurkhas and Fijians) and "internationals" (usually white first-worlders). Iraqis get $150 a month, "third-country nationals" 10-20 times as much, and "internationals" 100 times as much. Control Risks still relies on westerners, but ArmorGroup, a British rival, employs 700 Gurkhas to shepherd America's primary contractors in Iraq, Bechtel and KBR. Erinys's corps of pipeline protectors is overwhelmingly Iraqi. The cheapness of the other ranks, compared with western soldiers, is one reason why PMCs are flourishing. "Why pay for a British platoon to guard a base, when you can hire Gurkhas at a fraction of the cost?" asks one. Nobody knows how long government contracts will last after the CPA dissolves on June 30th. But multi-billion World Bank and UN reconstruction funds should provide rich pickings. Amid rising violence, the Program Management Office, which handles America's $18.6 billion aid budget for Iraq, has raised its estimates of security costs from an initial 7% of contracts to 10%. Blackwater, the American firm protecting Iraq's American proconsul, Paul Bremer, says in many cases costs run to over 25%. That's bad news for Iraqis hoping for reconstruction, but great news for PMCs. The boom has led to two worries. The first is lack of regulation.
Stressed and sometimes ill-trained mercenaries operate in Iraq's mayhem with apparent impunity, erecting checkpoints without authorisation, and claiming powers to detain and confiscate identity cards. A South African company guarding a Baghdad hotel put guns to the heads of this correspondent's guests. According to the CPA, non-Iraqi private-security personnel contracted to the coalition or its partners are not subject to Iraqi law. Even the industry is concerned. "Regulation is vital," says ArmorGroup's Christopher Beese, "if Iraq is not to descend into the law of the jungle." Second, the boom may be eroding Britain's defences. Just when the war on terror is stretching the SAS to the limit, the rising profitability of private sector work is tempting unprecedented numbers of its men to leave. An SAS veteran estimates that some 40 of its 300 corps requested early release from their contracts last year. Another guesses that there are more ex-SAS people in Iraq than there are currently serving in the regiment.
Re: U.S. Drops 'E-Bomb' On Iraqi TV
It is around 11:30 local time in Geneva, Switzerland, and http://www.aljazeera.net/ is working just fine. (Well, it might be a fake, but not having ever seen the original, I don't know.)
Re: U.S. Drops 'E-Bomb' On Iraqi TV
On Thu, Mar 27, at 01:12PM, Sunder wrote:
The site was defaced last I saw it, I would suspect that to still be the case, or it is down for other reasons (overloaded, etc...) For those of you who are getting a dotster page, try using a different DNS server than what your ISP is giving you. It may not be 'jammed' from the US, but if ISPs want to use an easy way to stop average users from going there, they can just make their DNS servers give false answers, which would explain what you're getting.

From Switzerland:

[EMAIL PROTECTED]:~$ traceroute -I www.aljazeera.net
traceroute to aljazeera.net (213.30.180.219), 30 hops max, 38 byte packets
 1  193.247.37.1 (193.247.37.1)  1.695 ms  1.531 ms  1.530 ms
 2  i68ges-021-Serial4-4.ip-plus.net (164.128.74.85)  3.840 ms  3.741 ms  3.688 ms
 3  i68ges-000-FastEthernet1-0.ip-plus.net (164.128.76.33)  3.714 ms  10.697 ms  3.661 ms
 4  i68ges-005-fas2-2.ip-plus.net (164.128.35.73)  3.683 ms  3.701 ms  6.341 ms
 5  UTA-Innsbruck.ip-plus.net (164.128.34.42)  14.780 ms  18.669 ms  14.908 ms
 6  completel.sfinx.tm.fr (194.68.129.188)  16.237 ms  16.561 ms  15.889 ms
 7  pos9-0-0.bbr1.ntr.completel.fr (213.244.1.226)  261.116 ms  18.268 ms  20.955 ms
 8  213.30.128.94 (213.30.128.94)  44.155 ms  49.592 ms  43.292 ms
 9  * * *

From Massachusetts:

[EMAIL PROTECTED]:~$ traceroute -I www.aljazeera.net
traceroute to aljazeera.net (213.30.180.219), 30 hops max, 38 byte packets
 1  E19-RTR-2-E2.MIT.EDU (18.244.0.1)  0.459 ms  0.372 ms  0.362 ms
 2  EXTERNAL-RTR-2-BACKBONE.MIT.EDU (18.168.0.27)  0.470 ms  0.445 ms  0.438 ms
 3  p4-1.cambridge1-cr1.bbnplanet.net (4.1.80.29)  1.162 ms  0.825 ms  0.988 ms
 4  p4-2.cambridge1-nbr1.bbnplanet.net (4.1.80.6)  0.907 ms  0.992 ms  0.893 ms
 5  p5-0.cambridge1-nbr2.bbnplanet.net (4.0.1.110)  1.126 ms  1.052 ms  1.140 ms
 6  so-4-2-0.bstnma1-nbr2.bbnplanet.net (4.0.2.249)  0.998 ms  1.145 ms  1.145 ms
 7  p9-0.nycmny1-nbr2.bbnplanet.net (4.24.6.50)  7.161 ms  7.269 ms  7.041 ms
 8  so-7-0-0.nycmny1-hcr3.bbnplanet.net (4.0.7.13)  7.389 ms  7.380 ms  7.464 ms
 9  interconnect-eng.NewYork1.Level3.net (63.211.54.121)  7.453 ms  7.255 ms  7.524 ms
10  so-4-0-0.gar2.NewYork1.Level3.net (209.244.17.81)  7.488 ms so-4-0-0.gar1.NewYork1.Level3.net (209.244.17.73)  7.510 ms so-4-1-0.gar2.NewYork1.Level3.net (209.244.17.85)  8.414 ms
11  unknown.Level3.net (209.247.9.205)  7.755 ms  7.381 ms so-7-0-0.mp1.NewYork1.Level3.net (64.159.1.181)  7.513 ms
12  so-0-0-0.mp1.London1.Level3.net (212.187.128.157)  73.252 ms  73.321 ms  73.260 ms
13  so-1-0-0.mp1.Paris1.Level3.net (212.187.128.41)  86.229 ms  86.054 ms  85.886 ms
14  unknown.Level3.net (212.73.240.71)  86.283 ms  86.235 ms  86.132 ms
15  212.73.242.66 (212.73.242.66)  86.943 ms  87.274 ms  87.239 ms
16  213.30.129.210 (213.30.129.210)  101.833 ms  103.349 ms  101.809 ms
17  213.30.128.126 (213.30.128.126)  103.526 ms  104.286 ms  103.711 ms
18  * * *
Re: U.S. Drops 'E-Bomb' On Iraqi TV
I just checked out http://www.aljazeera.net/ and there is a big red US flag on the front, courtesy of the Freedom Cyber Force Militia... well, perhaps aljazeera needs better network people...
Re: Switzerland: Another hit for phone privacy
On Thu, Mar 13, at 12:41AM, Lucky Green wrote:
| What Swisscom's EasyRoam pre-paid SIMs offered that no other pre-paid
| service that I am aware of offered, at least as of a year ago, was
| roaming in nearly every country that has GSM service. Most pre-paid SIMs
| are limited to roaming in just a few countries. In addition, EasyRoam
| was reasonably priced. Do the providers that you mention above offer
| global roaming on their pre-paids?

Swisscom's prepaid cell phone service does not allow one to make calls from outside Switzerland. Receive calls, yes; make them, no. The issue has become murky along the way. I have had two Swiss pre-paid cell phones and even while still in the Geneva area, if you're too close to France (very easy to do here) you lose the ability to make calls because you get caught up in a French network. Something is not being reported or something is being misreported on this one.
Was: (US health care...). Now: Child mortality in Sweden.
| PS - the infant mortality statistics are bogus; they are a
| record-keeping artefact. Other countries (notably Sweden, to which the
| USA is always being compared) don't count a child as born until it has
| reached a certain age (three weeks in Sweden). Guess when most infant
| deaths occur?

Well, I got curious about the statement above so I went and checked. Well, I proxy-checked. A co-worker is a Swede and I asked him to write and ask them what they had to say. At least as far as www.scb.se (Sweden's central office of statistics (the title loses a bit in the translation, but it is an official .gov body that does, well, statistics)) is concerned, infant deaths start counting as soon as the baby is born. Below is the exchange between my colleague and the person at the SCB listed as a contact person on the website. (Note that the website is also available in English...)

--Gabe

PS - The Swedish characters get mangled by my mail client. If anyone actually reads Swedish and would like to see an HTML version of the message (the only thing I altered was the email of my co-worker) I will gladly post the message on a website somewhere.

-Original Message-
From: *Befolkningsstatistik [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 30, 2003 10:59 AM
To: ola nordbeck
Subject: SV: Spädbarnsdödlighet (Re: Infant mortality)

Hi!

Infant mortality = the number of children who die during the first year of life. In 2001 the infant mortality rate in Sweden was 3.4 per 1000 live births. There is a table in the publication Befolkningsstatistik del 4, tab 4.12, "Spädbarnsdödligheten på 1000 levande födda 1951-2001" (infant mortality per 1000 live births 1951-2001), where mortality is broken down into the first day of life, the first week of life, the first month of life etc., but infant mortality generally refers to the first year of life.

Kind regards/Yours Sincerely,
Margareta Larsson
Befolkningsstatistiken/Population Statistics
Phone: +46 19 176594
fax: +46 19 176942
e-mail: [EMAIL PROTECTED]

-Original message-
From: ola nordbeck
Sent: 30 January 2003 10:35
To: *Befolkningsstatistik
Subject: Infant mortality

Hello,

According to a colleague, SCB would only measure infant mortality from the third week after birth. According to your definition, infant mortality covers all deaths that occur before one year of age. Is it all deaths, or is my colleague's information correct?

Best regards,
Ola nordbeck
[martin@quebecoislibre.org: [mises] Soviet propaganda posters]
I thought this might be amusing for some of our list members as well.

--Gabe

- Forwarded message from Martin Masse [EMAIL PROTECTED] -
Date: Wed, 16 Oct 2002 20:22:33 -0400
From: Martin Masse [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [mises] Soviet propaganda posters

List members may want to have a look at these hundreds of fascinating Soviet propaganda posters (there are six huge pages, click on the bottom link to get more):
http://poster.wz.cz/listy/russ1.htm

Also some Czech and Polish posters:
http://poster.wz.cz/listy/czech1.htm

Martin

Martin Masse
dir. Le QL
www.quebecoislibre.org/apmasse.htm

- End forwarded message -
[labs@foundstone.com: Foundstone Labs Advisory - Remotely Exploitable Buffer Overflow in PGP]
- Forwarded message from Foundstone Labs [EMAIL PROTECTED] -
Date: Fri, 6 Sep 2002 10:54:17 -0700
From: Foundstone Labs [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Foundstone Labs Advisory - Remotely Exploitable Buffer Overflow in PGP

Foundstone Labs Advisory - 090502-PCRO

Advisory Name: Remotely Exploitable Buffer Overflow in PGP
Release Date: September 5, 2002
Application: PGP Corporate Desktop 7.1.1
Platforms: Windows 2000/XP
Severity: Remote code execution and plaintext passphrase disclosure
Vendors: PGP Corporation (http://www.pgp.com)
Authors: Tony Bettini ([EMAIL PROTECTED])
CVE Candidate: CAN-2002-0850
Reference: http://www.foundstone.com/advisories

Overview:
In many locations where PGP handles files, the length of the filename is not properly checked. As a result, PGP Corporate Desktop will crash if a user attempts to encrypt or decrypt a file with a long filename. A remote attacker may create an encrypted document that, when decrypted by a user running PGP, would allow remote commands to be executed on the client's computer.

Detailed Description:
A malicious attacker could create a filename laid out as [196 bytes][eip][9 bytes][readable address][29 bytes]. The attacker would then encrypt the file using the public key of the target user. In many cases, public keys contain banners of the PGP client software used and its associated version. The encrypted archive could then be sent to the target user, potentially via a Microsoft Outlook attachment. The email attachment could have a filename such as foryoureyesonly.pgp or confidential.pgp. When the unsuspecting user decrypts the archive (either via autodecrypt or manually), the overflow will occur if the file within the archive has a long filename. In some cases the attacker may also obtain the passphrase of the target user. PGP crashes immediately after the decryption of the malicious file and before the memory containing the passphrase is overwritten.
Vendor Response:
PGP has issued a fix for this vulnerability; it is available at:
http://www.nai.com/naicommon/download/upgrade/patches/patch-pgphotfix.asp
Foundstone would like to thank PGP for their cooperation with the remediation of this vulnerability.

Solution:
We recommend applying the vendor patch.

Disclaimer:
The information contained in this advisory is copyright (c) 2002 Foundstone, Inc. and is believed to be accurate at the time of publishing, but no representation of any warranty is given, express, or implied as to its accuracy or completeness. In no event shall the author or Foundstone be liable for any direct, indirect, incidental, special, exemplary or consequential damages resulting from the use or misuse of this information. This advisory may be redistributed, provided that no fee is assigned and that the advisory is not modified in any way.

- End forwarded message -
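Added illustration of the defect class the advisory describes; this is not PGP's code and not from the advisory. It shows the unchecked filename copy beside a hardened version that bounds the length and rejects over-long names, plus wiping the passphrase before any untrusted archive data is parsed, which addresses the disclosure the advisory notes. NAME_LIMIT, the struct and function names and the sample values are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_LIMIT 255   /* assumed maximum length of an archive member name */

struct member { char name[NAME_LIMIT + 1]; };

/* The pattern behind the advisory: a filename read from the decrypted
 * archive is copied into a fixed-size buffer with no length check, so any
 * name longer than NAME_LIMIT writes past the buffer. Shown for contrast
 * only; it is never called with untrusted input here. */
static void store_name_unchecked(struct member *m, const char *name) {
    strcpy(m->name, name);
}

/* Hardened version: check the length before copying and reject, rather than
 * silently truncate, a name over the limit or one with an embedded NUL
 * (truncation would let the sender choose which name is actually used).
 * Returns 0 on success, -1 when the name is rejected. */
static int store_name_checked(struct member *m, const char *name, size_t len) {
    if (len == 0 || len > NAME_LIMIT) return -1;
    if (memchr(name, '\0', len) != NULL) return -1;
    memcpy(m->name, name, len);
    m->name[len] = '\0';
    return 0;
}

/* The advisory notes the passphrase was still in memory when the process
 * crashed. Clear secrets as soon as they have been used; the volatile
 * pointer keeps the compiler from dropping the stores as dead code. */
static void secure_wipe(void *buf, size_t len) {
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--) *p++ = 0;
}

static int all_zero(const unsigned char *buf, size_t len) {
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) acc |= buf[i];
    return acc == 0;
}

/* Stand-in for the decrypt step (real key handling is assumed away): the
 * passphrase is consumed, wiped, and only then is the untrusted member
 * name parsed, so a later crash has no secret left to expose.
 * Returns 0 on success, -1 if the name is rejected. */
static int process_member(const char *name, size_t len,
                          unsigned char *passphrase, size_t pass_len,
                          struct member *out) {
    int unlocked = pass_len > 0;          /* hypothetical key unlock */
    secure_wipe(passphrase, pass_len);
    if (!unlocked) return -1;
    return store_name_checked(out, name, len);
}

/* Self-checks with constructed inputs; each returns 1 on the expected result. */
static int check_long_name_rejected(void) {
    struct member m;
    char longname[400];                   /* 399 'A's: far over NAME_LIMIT */
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    return store_name_checked(&m, longname, strlen(longname)) == -1;
}

static int check_short_name_and_wipe(void) {
    struct member m;
    unsigned char pass[] = "correct horse battery staple";   /* constructed sample */
    if (process_member("foryoureyesonly.pgp", 19, pass, sizeof pass - 1, &m) != 0) return 0;
    if (strcmp(m.name, "foryoureyesonly.pgp") != 0) return 0;
    return all_zero(pass, sizeof pass - 1);
}

static int check_embedded_nul_rejected(void) {
    struct member m;
    return store_name_checked(&m, "a.txt\0.pgp", 10) == -1;
}

int main(void) {
    printf("long name rejected:          %d\n", check_long_name_rejected());
    printf("short name ok, pass wiped:   %d\n", check_short_name_and_wipe());
    printf("embedded NUL rejected:       %d\n", check_embedded_nul_rejected());
    /* store_name_unchecked(&m, longname) would overflow m.name; not run. */
    (void)store_name_unchecked;
    return 0;
}
```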
Carnival Booth: An Algorithm for Defeating the CAPS System
http://swissnet.ai.mit.edu/6805/student-papers/spring02-papers/caps.htm

Abstract

To improve the efficiency of airport security screening, the FAA deployed the Computer Assisted Passenger Screening system (CAPS) in 1999. CAPS attempts to identify potential terrorists through the use of profiles so that security personnel can focus the bulk of their attention on high-risk individuals. In this paper, we show that since CAPS uses profiles to select passengers for increased scrutiny, it is actually less secure than systems that employ random searches. In particular, we present an algorithm called Carnival Booth that demonstrates how a terrorist cell can defeat the CAPS system. Using a combination of statistical analysis and computer simulation, we evaluate the efficacy of Carnival Booth and illustrate that CAPS is an ineffective security measure. Based on these findings, we argue that CAPS should not be legally permissible since it does not satisfy court-interpreted exemptions to the Fourth Amendment. Finally, based both on our analysis of CAPS and historical case studies, we provide policy recommendations on how to improve air security.
Re: status of various projects?
On Wed, Aug 14, at 10:58AM, Miles Fidelman wrote:
| It seems like a lot of interesting projects haven't been active for a
| while - notably Free Haven and Eternity Usenet. Where is the most active
| work, these days, on distributed publishing systems?

I forwarded this to Roger Dingledine who heads up the FreeHaven project. His answer is below.

From [EMAIL PROTECTED] Thu Aug 15 16:46:59 2002
Date: Thu, 15 Aug 2002 16:46:59 -0400
From: Roger Dingledine [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: free haven status

At this point, Free Haven has 3 major flaws, and I'm putting it on the back burner while I address them:

* The reputation system is tricky and won't work. We need to replace the gossip/credibility system with a mechanism for verifiable transactions. See http://freehaven.net/doc/cfp02/cfp02.html for more details.
* Retrieval is currently broadcast, which is insane. I'm letting other projects work on solutions here (eg Chord), and I'll pick my favorite when the time comes.
* There is no anonymous communications infrastructure. This is the area we're focusing on currently. See http://mixminion.net/minion-design.pdf and http://pdos.lcs.mit.edu/tarzan/

--Roger
[aleph1@securityfocus.com: Implementation of Chosen-Ciphertext Attacks against PGP and GnuPG]
Figured this might be of interest to folks here...

- Forwarded message from [EMAIL PROTECTED] -
Date: Mon, 12 Aug 2002 11:45:26 -0600
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Implementation of Chosen-Ciphertext Attacks against PGP and GnuPG

Implementation of Chosen-Ciphertext Attacks against PGP and GnuPG
K. Jallad, J. Katz, and B. Schneier

We recently noted that PGP and other e-mail encryption protocols are, in theory, highly vulnerable to chosen-ciphertext attacks in which the recipient of the e-mail acts as an unwitting decryption oracle. We argued further that such attacks are quite feasible and therefore represent a serious concern. Here, we investigate these claims in more detail by attempting to implement the suggested attacks. On one hand, we are able to successfully implement the described attacks against PGP and GnuPG (two widely-used software packages) in a number of different settings. On the other hand, we show that the attacks largely fail when data is compressed before encryption. Interestingly, the attacks are unsuccessful for largely fortuitous reasons; resistance to these attacks does not seem due to any conscious effort made to prevent them. Based on our work, we discuss those instances in which chosen-ciphertext attacks do indeed represent an important threat and hence must be taken into account in order to maintain confidentiality. We also recommend changes in the OpenPGP standard to reduce the effectiveness of our attacks in these settings.

http://www.counterpane.com/pgp-attack.pdf
http://www.counterpane.com/pgp-attack.ps.zip

--
Elias Levy
Symantec
Alea jacta est

- End forwarded message -
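Added example, not from the paper: a whole-block CFB implementation over a constructed toy block function, used to show the structural fact the attacks rest on (a modified ciphertext still decrypts: one flipped bit changes one byte of that block and garbles the next, after which CFB resynchronises) and how an integrity tag, standing in for an integrity check such as OpenPGP's modification detection code, lets the recipient reject the message instead of acting as a decryption oracle. The toy mixer, keys, IV and message are constructed and not secure.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLK 8   /* toy block size in bytes */

/* Constructed stand-in for a block cipher E_k on one 8-byte block: a keyed
 * splitmix64-style mixer. NOT secure; it only has to look pseudo-random. */
static uint64_t toy_block(uint64_t key, uint64_t x) {
    uint64_t z = x ^ key;
    for (int r = 0; r < 2; r++) {
        z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
        z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
        z ^= z >> 31;
        z += key ^ (uint64_t)r;
    }
    return z;
}
static uint64_t get64(const uint8_t *p) { uint64_t v; memcpy(&v, p, BLK); return v; }
static void put64(uint8_t *p, uint64_t v) { memcpy(p, &v, BLK); }

/* CFB: C_i = P_i XOR E_k(C_{i-1}), C_0 = IV. Decryption uses the same
 * recurrence, so changing C_i flips the same bits of P_i, garbles P_{i+1}
 * (whose keystream is E_k of the altered C_i) and leaves later blocks intact. */
static void cfb_encrypt(uint64_t key, uint64_t iv, const uint8_t *pt, uint8_t *ct, size_t nblk) {
    uint64_t prev = iv;
    for (size_t i = 0; i < nblk; i++) {
        uint64_t c = get64(pt + i * BLK) ^ toy_block(key, prev);
        put64(ct + i * BLK, c);
        prev = c;
    }
}
static void cfb_decrypt(uint64_t key, uint64_t iv, const uint8_t *ct, uint8_t *pt, size_t nblk) {
    uint64_t prev = iv;
    for (size_t i = 0; i < nblk; i++) {
        uint64_t c = get64(ct + i * BLK);
        put64(pt + i * BLK, c ^ toy_block(key, prev));
        prev = c;
    }
}

/* Toy MAC over IV || ciphertext || length with a separate key, playing the
 * role of the integrity check the recipient needs before trusting output. */
static uint64_t mac_tag(uint64_t mac_key, uint64_t iv, const uint8_t *ct, size_t nblk) {
    uint64_t acc = toy_block(mac_key, iv);
    for (size_t i = 0; i < nblk; i++) acc = toy_block(mac_key, acc ^ get64(ct + i * BLK));
    return toy_block(mac_key, acc ^ (uint64_t)nblk);
}

/* Recipient with an integrity check: decrypt only if the tag verifies.
 * Returns 1 and fills pt on success, 0 (pt untouched) otherwise. */
static int open_checked(uint64_t key, uint64_t mac_key, uint64_t iv,
                        const uint8_t *ct, size_t nblk, uint64_t tag, uint8_t *pt) {
    if (mac_tag(mac_key, iv, ct, nblk) != tag) return 0;
    cfb_decrypt(key, iv, ct, pt, nblk);
    return 1;
}

static int bytes_differ(const uint8_t *a, const uint8_t *b, size_t n) {
    int d = 0;
    for (size_t i = 0; i < n; i++) d += a[i] != b[i];
    return d;
}

/* Constructed keys, IV and 4-block (31 chars + NUL) sample message. */
static const uint64_t KEY = 0x0123456789abcdefULL, MAC_KEY = 0xfedcba9876543210ULL, IV = 42;
static const uint8_t MSG[4 * BLK] = "Pay $100 to Alice now, thanks!!";

/* Intact message: the tag verifies and the decrypted text matches. */
static int roundtrip_ok(void) {
    uint8_t ct[4 * BLK], out[4 * BLK];
    cfb_encrypt(KEY, IV, MSG, ct, 4);
    uint64_t tag = mac_tag(MAC_KEY, IV, ct, 4);
    return open_checked(KEY, MAC_KEY, IV, ct, 4, tag, out) && memcmp(MSG, out, sizeof out) == 0;
}

/* Flip one bit in ciphertext block 1 and report how many plaintext bytes of
 * block `which` (0..3) an unchecked recipient would see changed; returns -1
 * if the checked recipient wrongly accepted the tampered message. */
static int tamper_effect(int which) {
    uint8_t ct[4 * BLK], out[4 * BLK];
    cfb_encrypt(KEY, IV, MSG, ct, 4);
    uint64_t tag = mac_tag(MAC_KEY, IV, ct, 4);
    ct[BLK + 4] ^= 0x01;                              /* in-transit modification */
    if (open_checked(KEY, MAC_KEY, IV, ct, 4, tag, out)) return -1;
    cfb_decrypt(KEY, IV, ct, out, 4);                 /* what a recipient without the check sees */
    return bytes_differ(MSG + which * BLK, out + which * BLK, BLK);
}

int main(void) {
    printf("intact message accepted: %d\n", roundtrip_ok());
    for (int b = 0; b < 4; b++)
        printf("after 1-bit flip in block 1, block %d bytes changed: %d\n", b, tamper_effect(b));
    return 0;
}
```

Block 0 and block 3 come back unchanged, block 1 differs in exactly the flipped byte, block 2 is garbled, and the checked recipient refuses the whole message.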
Re: cypherpunks@lne.com
On Wed, Jul 10, at 02:12AM, anonimo arancio wrote:
| I am considering becoming a US citizen immediately before I leave. My concern is
| that if I become a US citizen, the IRS might want to tax me wherever I go.

We're starting to beat on a dead horse. Yes, the IRS will tax you anywhere you go, or at least want to. At least past the first $70-80k/year you make outside the US.
Re: Tax consequences of becoming a US citizen.
On Tue, Jul 09, at 05:11PM, Tim May wrote:
| Mexico does not allow _any_ noncitizen to work!

Two points. I did not know that about Mexico (I did say it was made about the countries I knew about.) Switzerland and Brasil both allow student visa holders to work, albeit with restrictions. Likewise for other EU nations.

| Except for folks of either a) substantial resources, b) connected with a
| U.S. employer. But try visiting a Mexican city and applying for a job at
| a restaurant, bookstore, whatever. This was a plot element in The
| Treasure of the Sierra Madre, more than 50 years ago, and it remains
| true today. It is also difficult for non-citizens to work in many
| European nations.

I would imagine that people with or without a work permit would be able to find work at some Mexican restaurants. That is the case the world over; I don't see why Mexico would be different here.

| Meanwhile, like I said, see how long you live as an illegal alien in
| Mexico or Nicaragua, and see if they will issue a work permit.

I wholeheartedly agree with you, but then again, not too many countries have an economy that has as large a population of illegal workers as ours.

| The U.S. is fucked up, to be sure, but talking about other countries
| making it easier for foreigners to work is mostly nonsense.

It may well be nonsense. But my opinions are expressed as based on my personal experience in other countries and this one.
Re: Markets (was Re: Hayek was right. Twice.)
On Thu, Jul 04, at 01:26AM, Sampo Syreeni wrote:
| I can't see a market defined as anything else than private property and
| voluntary exchange.
|
| Then you really must be blind. Markets not based on private property or
| volition abound. The political process is one of them. Social control is
| another. Gift economies, like Open Source, are a third. One might claim
| most markets are based on something other than the above mentioned
| combination.

Property does not always consist of physical goods. Case in point would be the encrypted bits. To use some of your examples, the political process involves votes, which are the property of the person casting the ballots; likewise, at least in this country, ballots are cast voluntarily. Gift economics. Who coined that phrase? Don't take credit for it, it is a stupid term. Time and effort are both considered property to be used as deemed fit by the person possessing, in this case, the skills to use them on an Open Source (the volunteer kind, since you can't seem to grasp that there are Open Source projects that make money.)

| It does indeed. But unlike movies, Linux is a modular project. The kernel
| would exist in the absence of the GNU toolset, and vice versa. X would
| exist in the absence of UNIX, too. Each of the common desktop applications
| could very well have been coded on top of something else than Linux.

You're too ignorant to be replied to, I wish I hadn't wasted the time, but I digress. I can't think of many things more modular than movies, except perhaps theatre, but movies have even more latitude. Actors can't be switched? Sets can't be constructed out of nothing on a computer screen? Movies can't be made with virtually no budget? Get a clue.

| Why is it that there's no Buzz for Linux? No decent installer? (Not one of
| them survives my hardware...) No workable Unicode support? A stable 64-bit
| filesystem? Why is nobody willing to guarantee kernel stability, even when
| paid big bucks? 'Cause the project is a gift, and only caters to a single
| kind of need: something an individual developer/company really needs and
| can afford to develop for him/itself, then losing little by exposing the
| code to others. Usefulness thinly spread over a considerable user
| community is completely forgotten.

As someone who actually helps people with unix problems and who is a unix user, I want to let you know that you fall into the stupid user category if you can't get a linux distro to install on your computer. Linux is a new breed of project; if you want it and it really matters to you, the argument goes that you would either do it (if you're capable, but you clearly aren't) or you pay someone else to do it. (This falls into the heading of put your money where your mouth is.) Throw in the fact that usefulness is an entirely relative term, and you have a really poor argument.

| Well, what stupid people they are. I wouldn't go anywhere as far as
| getting myself killed for the common good. Even paying for software I can
| just copy is a stretch. What makes you think most people care enough to Do
| the Right Thing? What makes you think relying on Doing the Right Thing is
| a good idea? I mean, it's been tried before, and the consequences aren't
| worth a second look.

Well, here you show your ignorance of economics again. (On this one point, don't feel too bad; though you are ignorant, you're in a league that is very well populated.) First off, not everyone is motivated by financial gain. Profit is not necessarily a financial thing; when someone stops and helps you out when you have a flat, the odds are that they are not expecting you to pay them for their help. When someone helps you install linux on your computer, they aren't likely to expect financial remuneration, especially if you go to one of the great many Linux User Groups throughout this country and many others. Often the economic argument made is that people do what is in their best interest. The problem that arises is when people who aren't very bright (hint, hint) assume that that means financial reward of some kind. People are complex creatures; to presume that financial gain is the only motivation for people is a tad naive.

| Indeed they are. So are ones assuming that anything not profitable to a
| single person couldn't be to a larger number of individuals. Like most
| things, private property rights and economic theory based solely on
| bilateral trade are a matter of continuous dispute. It's not that I don't
| consider them useful (I do; nowadays you could call me, too, a
| libertarian), but taking them as granted isn't the way to go, either.

Well, libertarians usually, though not always, go along with free markets, which is not what you're advocating. Usually, any economic theory that assumes that anything could have no value to anyone is wrong. Basic relativity (in the subjective sense) states otherwise. Bilateral trade is the only kind of exchange in a free market
Re: maximize best case, worst case, or average case? (TCPA
On Mon, Jul 01, at 10:10PM, Anonymous wrote:
| Brilliant. Let the market solve the problem. Why bother with the auction
| part, then? If the market's going to solve the problem for the 2nd guy
| to hold the copy, why not let it solve the problem for the 1st? The fact
| is, quoting this mantra is simply a way of avoiding the hard issues.
| You've got to show *how* the market is going to solve the problem.
| Why would content creators get a lot of money, cash? Obviously, only
| if your #2 guy knows that he is also going to get a lot of money for it.
| So you haven't taken a step towards solving the problem; you have simply
| handed the problem off from #1 to #2.

Actually, this is not a question for the individual person, rather a rhetorical question. Did anyone know how much television would change the radio industry? In fact, for the first several years after its inception, TV was a money losing business. The question of *how* doesn't need to be answered now (this is a proverbial now which actually means ever or for a long time to come.) In fact, we have these problems now and they don't seem to retard the economy in any way; rare anythings pose this problem every day. In fact, relative values pose this problem every day. Ever hear "One man's trash is another man's treasure"?

| The fact is that the market can't solve this kind of problem. That's
| right, markets are not perfect. They do fine for ordinary, private
| goods. But information objects, absent successful DRM restrictions,
| are effectively public goods. That is, you can't restrict their
| dissemination. If you try to provide such goods only to a small group
| of people, you've effectively given them to everyone.

Well, since markets are made up of individual people going about their business to create the market as a whole, I don't see any problems with this whatsoever. Joe Musician knows that this is the way music works. In the olden days, people copied music from one another by word of mouth over and over; songs were stolen by musicians and played for other audiences. The musical business wasn't the joke that it is today. Back then, it was accepted that music is sound and sound, well, can be repeated, if not by a recording on a cassette or cd, then by voice. It isn't a market problem that some people don't get their way. Nor is it a good idea to have the government dictate who gets what in a free and willing exchange scenario. Joe Musician does not have to play his music or give it to anyone (imagine the hoopla when someone records a live show); he does so willingly and of his own free will. Are we to accept that because he doesn't feel he gets enough for his music that we should bank the cost of having it mandated that we pay Joe? If he doesn't get enough for his music, he is free to NOT release it. DON'T publish the damn thing and stop bitching. I mock those who present reports showing that the market didn't correspond to previously created models. Markets aren't wrong, folks; the models are.

| This idea of digital content as a public good is developed in detail at
| http://www.tidbits.com/tb-issues/TidBITS-602.html#lnk5.
| Markets do not handle public goods well.

Markets are people; people don't handle public goods well. Perhaps because people as a whole see the impracticality of restricting access to goods that are, well, public. Maybe there is a lesson to be learned there somewhere.

| Kelsey and Schneier's Street Performer protocol doesn't work because of
| free riders.

This is interesting. Just about every system in the world has free riders. This country has free riders that are tax-evaders, car thieves, you name it; whatever the standard, society has someone who doesn't abide by it. That does not in any way make a system broken. That the system has flaws is to be expected, unless he who designed the system doesn't recognize basic human mistakes. Systems with free riders are not necessarily broken systems, nor are systems without free riders necessarily working ones.

| The traditional way to provide for public goods is by government.
| If we don't get DRM, that's probably what we will end up with: government
| subsidies of the arts. Most musicians and other artists won't be able to
| make enough money to live on even if their works are relatively popular.
| The government will have to tax consumers and distribute the proceeds
| to artists (and the RIAA, etc) in order to protect the content industry.

There is no content industry in the traditional market sense. Such an industry is a fiction created by government exerting control far and beyond the original intent of government itself. It is preposterous that because a small group of people cannot get what they want by free association, they manage to get what they want by manipulating the law to their benefit. Don't get me wrong, there is a market for content and music; as long as someone puts a subjective value to a song, there will be a content market, likewise for