Re: Identification of users of payphones

2003-03-17 Thread John Kelsey
At 08:03 PM 3/14/03 -0800, Tim May wrote:
...
They could be round, for easy handling. And milled for evidence of having 
been shaved. They could even be made of precious metals for high-value 
coins, and of base and inexpensive metals for low-value coins.
Have you filed for the patent, yet?

--Tim May
"That government is best which governs not at all." --Henry David Thoreau
--John Kelsey, [EMAIL PROTECTED]



RE: The burn-off of twenty million useless eaters and "minorities"

2003-02-24 Thread John Kelsey
At 10:31 AM 2/24/03 +, Vincent Penquerc'h wrote:
...
Now, I may have left my clue home, so feel free to explain *why*
100% capitalism (eg no state left, no other power) could never end up
with power aggregation.
I don't think you can *ever* prove a claim like that, since you're dealing 
with humans, who can be only very imperfectly modeled.  There's no system 
that couldn't possibly fall into some horrible state, whether that's 
tyranny or chaos or lemming-like rush to an unwinnable war or ostrich-like 
refusal to prepare for clearly oncoming war.  Systems of human decision 
makers are driven by the decisions made by those humans, and sometimes, 
they're a bunch of idiots.  More centralized decision-making has the ugly 
property that a smaller set of decision-makers have to be idiots to run the 
whole society into a ditch.  On the other hand, more centralized 
decision-making makes larger projects possible sometimes, especially ones 
involving big, long wars.

--
Vincent Penquerc'h
--John Kelsey, [EMAIL PROTECTED]




Re: The burn-off of Tom Veil

2003-02-21 Thread John Kelsey
At 11:13 AM 2/21/03 -0500, Tyler Durden wrote:
...
However, one way to see the situation is more of a buy-off. Arguably, the 
government plunders in order to "pay off" welfare society, because if they 
didn't the masses would rise up and kill off the system that does not 
really do much to equip them for the opportunities that immigrant kids 
come in and sweep up. (The term "Brain drain" comes to mind.)
The reality is even more weird, I think.  Suppose there's some 
struggling-to-make-it new family down the street, and I start helping out 
by bringing them dinner every night.  If I do it for a few days, e.g., 
while the mom is in the hospital or something, it's a genuine act of 
kindness.  If I do it every day for five years, then they are more-or-less 
going to become dependent on me.  The day I decide I have better uses for 
my time than bringing them dinner, they're almost certainly going to be mad 
and bitter at me.  (If you don't believe this, observe the interaction 
between a parent and newly-independent kid asking for money, or between a 
rich uncle and his hoping-to-inherit nephews.)

Social programs in general work this way.  It was a goodie being handed out 
once, but now, it looks to the people involved like a necessity, and 
they'll fight hard to keep it.  This is just as true of social security and 
farm subsidies as of welfare.  Listen to a Republican-voting farmer justify 
farm subsidies some time.  You ought to have to *pay* for that kind of 
entertainment.  (Oh, wait, I *am* paying for it.)  In fact, smarter and 
better educated people will tend to be a lot more effective at fighting for 
their benefits than less intelligent, poorly educated people.  So welfare 
reform, for all its weirdness, seems to be working much better than the 
attempts to reform farm subsidies, say.  And even with Republicans in 
control of everything, I'll bet we don't see any major cuts to NEA, say.

-TD
--John Kelsey, [EMAIL PROTECTED]




Re: Blood for Oil (was The Pig Boy was really squealing today

2003-02-20 Thread John Kelsey
At 10:50 AM 2/20/03 +, David Howe wrote:

...

They don't need to build a pipeline through Afghanistan any more then? I
know they were pretty annoyed when the Taleban refused to let them,
prior to 9/11


I'm trying to think of something I'd personally be less interested in 
investing my own money in than an oil pipeline through Afghanistan.  Lots 
of money invested up front, literally hundreds of small groups who could 
threaten to damage it as a way of demanding a share of the loot, very hard 
to defend, etc.  What an opportunity!


--John Kelsey, [EMAIL PROTECTED]



Re: Stand back or I'll jump....

2003-02-19 Thread John Kelsey
At 03:21 PM 2/19/03 -0500, Tyler Durden wrote:

"If their goal is to blackmail us into not invading them, I don't think 
they need to threaten to nuke LA or DC."

As I said before, the obvious thing would be for North Korea to threaten 
to nuke itself!

This should clearly be called the "Blazing Saddles" strategy.


-TD


--John Kelsey, [EMAIL PROTECTED]




Re: Crypto anarchy now more than ever

2003-02-19 Thread John Kelsey
At 02:20 PM 2/15/03 -0800, James A. Donald wrote:
...

They will be testing another missile soon.  We shall see how
far it goes.   They would not waste a nuke on an untested
missile --- which is why they test them.


If their goal is to blackmail us into not invading them, I don't think they 
need to threaten to nuke LA or DC.  We have a lot of troops in South Korea, 
within a few miles of the border.  They can threaten them, or maybe 
threaten Tokyo or Seoul.  No need to develop multi-billion dollar 
technology, when 1940s era fission bombs are all that's needed.

If their goal is to extort money from us (this looks like the most likely 
goal), they have a somewhat different set of requirements.  Then, their 
threat is really going to be about proliferation.  They announce they have 
nukes, and make it clear that either we buy them, or someone else will be 
given the chance.  The saber-rattling serves both to communicate the threat 
and to advertise for buyers.

 James A. Donald


--John Kelsey, [EMAIL PROTECTED]




Re: Science Journal 'Self-Censorship'

2003-02-19 Thread John Kelsey
At 06:58 PM 2/16/03 -0500, Pete Capelli wrote:

http://abc.net.au/news/scitech/2003/02/item20030216103135_1.htm

"Self-governance," the editors say, is "an alternative to government review
of forthcoming journal articles."

I don't edit any science journals, but I would expect there is no law
requiring 'government review'.  So what are the editors talking about?


There's been a bit of discussion of this stuff in the US media, especially 
NPR.  I think the idea is that the US government (and presumably others) 
want scientific publications to self-censor things that might be useful to 
terrorists, rogue states, and various other bad guys.  Intuitively, this 
seems like a breathtakingly bad idea.  (How does the information get out to 
working scientists, then?  Do you create a situation where only people 
going to the best schools in the US and Europe get to learn the current 
state of the art in a bunch of fields of science?  What do you do about 
preprints and such on the web?)  But post-9/11, if three bureaucrats tell 
congress it's necessary to sacrifice a virgin a week in order to prevent 
the next terrorist attack, they'll vote unanimously to start drafting 
virgins and sharpening knives.  *Nobody* wants to be blamed for "ignoring 
the warnings" of the next big terrorist attack.

The creepier subtext here is the whole idea that there are some 
technologies that only the Elect (in the currently powerful nations) ought 
to be permitted, and that any attempt to investigate Banned Technologies 
just might get you arrested or invaded or bombed.  This general idea seems 
to pop up a lot, e.g., in Bill Joy's essay "Why the Future Doesn't Need 
Us," in Vinge's wonderful novel _The Peace War_,  in Larry Niven's Known 
Space stories.  It's hard to imagine a better recipe for massively slowing 
the advance of technology, protecting incumbents in every field and 
industry, and generally making mankind worse off in order to protect 
him.  And yet, it's an apparently natural reaction to being frightened by 
the threats of new technologies.  (Ironically, the nasty terror weapons 
we're all worried about are mostly 1940s or earlier technology.  Stuff that 
even a third-rate starving dictatorship can cook up.)

-pete


--John Kelsey, [EMAIL PROTECTED]




Re: Stupid security measures, a contest

2003-02-12 Thread John Kelsey
At 10:11 AM 2/12/03 -0500, Adam Shostack wrote:

"Human rights watchdog Privacy International has launched a quest to
find the World's Most Stupid Security Measure."


I can't imagine this is the stupidest, but there's a state office building 
in Missouri where (no doubt due to some Directive From On High), they've 
put up a wooden shack in front of the main entrance, where anyone going in 
or out has to pass through a metal detector.  The wooden shack isn't 
directly in front of the entrance, however--probably, that would make life 
too hard on the smokers, who now have to go outside to smoke.  It's more 
like about 50' in front of it, completely unconnected to the building.

The really entertaining bit is that, since most people going into the 
building are basically law abiding (state employees), most people seem to 
go through the shack and get checked for weapons, rather than around the 
shack to save time.

--John Kelsey, [EMAIL PROTECTED]



Re: patriot act and public key encryption

2003-02-08 Thread John Kelsey
At 04:29 PM 2/7/03 -0500, Steve Furlong wrote:
...

Legal question: If Alice selected and used a system in which she
wouldn't be _able_ to provide the decryption key or the decrypted
documents on demand, would she still be liable under contempt or
criminal charges for not providing them? Maybe she used a dongle with
the key, which erased itself if not activated every 24 hours. Emphasis
on her not taking any action to delete files or erase a key after being
served or arrested. I'm mainly interested in US law, but would be
interested in other jurisdictions, too.


Practical question: Would someone trying to coerce you into giving up your 
key, whether the police or someone less likely to follow the rules, believe 
you couldn't get access to the files?  Why not provide you with the right 
incentives and see what happens

"Well, I guess you'll have to go back into your cell again, if you won't 
help us.  What?  You don't like Mongo as a cellmate?  Pity, he sure seems 
to enjoy, er, like you."

Steve Furlong    Computer Condottiere    Have GNU, Will Travel


John Kelsey, [EMAIL PROTECTED]




Re: "Touching shuttle debris may cause bad spirits

2003-02-05 Thread John Kelsey
At 12:38 PM 2/4/03 -0800, [EMAIL PROTECTED] wrote:

Not necessarily. It is a well documented phenomenon that people show up at 
hospitals with even some seemingly real conditions whenever there is a 
particular panic in the media, even in cases where it is simply not 
possible that they were made sick by the incident.

Well, in a large population, there's also a certain fraction of people who 
are sick for other reasons--food poisoning, say, or coming down with the 
flu.  If you tell all those people "you've just been exposed to dangerous 
chemicals that may make you ill," it's not a surprise if some of those 
people assume they're sick because of the dangerous space chemicals, rather 
than because of that potato salad they had at the picnic last Sunday.

...
Jay


--John Kelsey, [EMAIL PROTECTED]




Re: "Touching shuttle debris may cause bad spirits to invade your body!"

2003-02-03 Thread John Kelsey
At 10:19 AM 2/2/03 -0800, Tim May wrote:
...

Speaking of journalists, why does Wolf Blitzer repeat this obvious lie 
about the metal bits and pieces being tainted by evil spirits? Because 
these so-called journalists are stooges for the state.

Well, the bit about "18 times the speed of light," and other mistakes I've 
seen through the years, make me suspect that Wolf and company simply don't 
have the technical background and built-in BS detectors necessary to catch 
things like this.  (For some reason I've never been able to fathom, many 
journalists seem to be remarkably gullible, when they're told something 
from the right kind of source, especially a government agency or other 
official source.)

A real journalist would just roll his eyes and say "Look, folks, NASA 
wants these pieces to aid in reconstructing the accident. There are no 
traces of liquid propellants and deadly chemicals on these pieces. And 
they certainly didn't stay hot for long. NASA is trying to get us to feed 
you jive so you'll be properly frightened and won't touch them."

I recall a guy on NPR saying something like this, a bit more 
politely.  Something like "The pieces surely aren't going to be dangerous, 
but moving them is going to mess up the investigation of the crash."  Which 
presumably is what everyone with any technical background and common sense 
was thinking when they heard the original warning, right?

--Tim May, Occupied America


John Kelsey, [EMAIL PROTECTED]




Re: DNA evidence countermeasures?

2003-01-30 Thread John Kelsey
At 07:50 PM 1/28/03 +, Ken Brown wrote:
...

Think - you are a suspect. They find 2 human DNA signals at the scene of
the crime, one from you, one from someone quite different from you.
Well, they can look for the other guy in their own  time, but they've
got you. If they are using a stringent enough test (often they don't)
the odds against it not being you are huge.


Yep.  Imagine leaving twenty random people's fingerprints at the scene 
along with your own.  You might confuse the police for awhile, but 
eventually, they'd find the set of prints that matched with the suspect 
they were holding

The creepier thing here is the possibility of planting DNA evidence, which 
seems very easy to me.  It wouldn't be a big surprise if this had been done 
by now.  A really careful investigation might detect the fraud, but if the 
planted evidence points in a really plausible direction anyway (e.g., the 
apparent murderer is the husband/ex-husband/disgruntled business 
partner/drug dealer of the victim), it may be hard to get anyone to take a 
second look at the data.

The scary number of death-row inmates who've been more-or-less proven 
innocent by DNA evidence implies that the police, prosecutors, judges, and 
juries just aren't all that careful about checking the plausibility of 
evidence anyway.
...

--John Kelsey, [EMAIL PROTECTED]



Re: Deniable Thumbdrive?

2003-01-26 Thread John Kelsey
At 10:06 PM 1/24/03 +0100, Eugen Leitl wrote:
...

Frankly, the fingerprint is a lousy secret: you leak it all over the
place. You can't help it, unless you're wearing gloves all the time. Ditto
DNA.


That's generally true of biometrics.  Unless taking the measurement is so 
intrusive it's obvious when it's taken (e.g., maybe the geometry of your 
sinus cavities or some such thing that requires a CAT scan to measure 
properly), there's no secret.  People constantly seem to get themselves in 
trouble trying to use biometrics in a system as though they were secret.

The best you can usually do is to make it moderately expensive and 
difficult to actually copy the biometric in a way that will fool the 
reader.  But this is really hard.  In fact, making special-purpose devices 
that are hard to copy or imitate is pretty difficult.  It seems enormously 
harder to find a hard-to-copy, easy-to-use "token" that just happens to 
come free with a normal human body.

I think the best way to think about any biometric is as a very cheap, 
moderately hard to copy identification token.  Think of it like a good ID 
card that just happens to be very hard to misplace or lend to your friends.

--John Kelsey, [EMAIL PROTECTED]




Re: Deniable Thumbdrive?

2003-01-26 Thread John Kelsey
At 06:05 PM 1/24/03 +, Ben Laurie wrote:
...

Nice! Get them to cut _all_ your fingers off instead of just one.

Just say no to amputationware.


This whole idea was talked to death many years ago on sci.crypt, and 
probably before that other places.  The good news is that it's not too hard 
to come up with a design that lets you encrypt a large hard drive in such a 
way that there's no way to determine how many "tracks" of secret data are 
there.  I believe one of Ross Anderson's students did a design for this; it 
doesn't seem like a really hard problem to solve if you don't mind losing 
most of your effective disk capacity.  The bad news is that you *really* 
need to think about your threat model before using it, since there's 
necessarily no way for you to prove that there are no more tracks of secret 
data.  It takes no imagination at all to think of ways you might end up 
wishing you *could* convince someone you'd given them the key to all the 
tracks.

IMO, the only way to do this kind of thing is to have the data, or at least 
part of the key, stored remotely.  The remote machine or machines can 
implement duress codes, limits to the number of password guesses allowed 
per day, number of invalid password guesses before the thing just zeros out 
the key and tells the person making the attempt it has done so, etc.  Trust 
me, you *want* the server to loudly announce that it will zero the key 
irretrievably after the tenth bad password

Cheers,

Ben.


--John Kelsey, [EMAIL PROTECTED]
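
An added sketch of the remote key holder described in the message above (example code added to this archive page, not from the post or from any project). The ten-guess threshold is the post's; the daily limit of 3, the duress behaviour (wipe the real share and hand out a decoy), and all class and function names are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import NamedTuple, Optional

MAX_BAD_GUESSES = 10    # the post's figure: key is zeroed after the tenth bad password
DAILY_GUESS_LIMIT = 3   # assumed value; the post only says "per day"
PBKDF2_ROUNDS = 50_000  # assumed; kept small so the demo runs quickly


class Reply(NamedTuple):
    status: str             # OK, BAD_PASSWORD, RATE_LIMITED or ZEROIZED
    share: Optional[bytes]  # key share released to the caller, if any
    notice: str             # what the server announces to the caller


class RemoteKeyHolder:
    """Holds one share of a disk key; releases it only for a valid password."""

    def __init__(self, password: str, duress_password: str,
                 share: bytes, decoy_share: bytes):
        self._salt = secrets.token_bytes(16)
        self._pw = self._digest(password)
        self._duress = self._digest(duress_password)
        self._share = bytearray(share)
        self._decoy = bytes(decoy_share)
        self._bad = 0             # consecutive invalid guesses (assumed: reset on success)
        self._day = None
        self._today_count = 0
        self.zeroized = False

    def _digest(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(),
                                   self._salt, PBKDF2_ROUNDS)

    def _wipe(self) -> None:
        # Overwrite the stored share in place before dropping it.
        for i in range(len(self._share)):
            self._share[i] = 0

    def request(self, password: str, day: int) -> Reply:
        """One unlock attempt; `day` is passed in so the demo is deterministic."""
        if self.zeroized:
            return Reply("ZEROIZED", None, "key was irretrievably zeroed")
        if day != self._day:
            self._day, self._today_count = day, 0
        if self._today_count >= DAILY_GUESS_LIMIT:
            return Reply("RATE_LIMITED", None, "daily guess limit reached")
        self._today_count += 1

        digest = self._digest(password)
        # Evaluate both comparisons so timing does not show which one matched.
        is_real = hmac.compare_digest(digest, self._pw)
        is_duress = hmac.compare_digest(digest, self._duress)

        if is_duress:
            # Assumed duress behaviour: destroy the real share and answer
            # exactly as a normal unlock would, but with the decoy share.
            self._wipe()
            self._share = bytearray(self._decoy)
            self._bad = 0
            return Reply("OK", bytes(self._share), "share released")
        if is_real:
            self._bad = 0
            return Reply("OK", bytes(self._share), "share released")

        self._bad += 1
        left = MAX_BAD_GUESSES - self._bad
        if left == 0:
            self._wipe()
            self.zeroized = True
            return Reply("ZEROIZED", None,
                         "tenth bad password: key zeroed irretrievably")
        # Announce the policy loudly, as the post recommends.
        return Reply("BAD_PASSWORD", None,
                     f"{left} bad guesses left before the key is zeroed")


def days_until_zeroized(server: RemoteKeyHolder, guess: str = "wrong guess") -> int:
    """Guess at the daily limit every day; return the day the key is zeroed."""
    day = 0
    while True:
        for _ in range(DAILY_GUESS_LIMIT):
            if server.request(guess, day).status == "ZEROIZED":
                return day
        day += 1


if __name__ == "__main__":
    # Constructed sample shares and passwords, for illustration only.
    demo = RemoteKeyHolder("correct horse", "help me", b"R" * 16, b"D" * 16)
    print(demo.request("not it", day=0).notice)
    print("zeroed on day", days_until_zeroized(demo))
```
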





Re: Petro's catch-22 incorrect (Re: citizens can be named as enemy combatants)

2003-01-18 Thread John Kelsey
At 09:38 AM 1/16/03 -0800, Major Variola (ret) wrote:

At 03:20 PM 1/15/03 -0800, Petro wrote:


...
[Question of whether we could have avoided 9/11 and such things by not 
having an activist foreign policy]

>Secondly, other groups would have been just as pissed off at us for
>*not* helping them.
Not if the USG had no policy towards anyone.  One more time, George, for


No policy toward anyone isn't possible once there's any kind of 
contact.  There are terrorists who'd want to do nasty things to us for 
simply allowing global trade, or for allowing trade with repressive regimes 
like Saudi Arabia or Nigeria, or for selling weapons to countries with bad 
human rights records.  Osama Bin Laden might not hate us, but *someone* 
would.  And once we start allowing our foreign policy to be changed in 
response to terrorism, we're truly f*cked, since a lot of people would like 
to exert control over how the world's most powerful military is used, whom 
we trade with, etc.  Even if we were just an economic giant with little 
foreign policy, we'd still have an impact by which countries we chose to 
trade with, and if someone could improve their fortunes by several billion 
dollars a year by finding a few gullible guys to strap dynamite to 
themselves and blow up shopping malls and such, I'm sure they'd do just that.

I agree we'd be better off with a much less interventionist foreign policy, 
few well-chosen allies (e.g., we're not going to be cool with people 
invading Canada), and free trade with almost everyone (I'd like to see us 
not trade with countries with really bad human rights records, though 
that's not exactly the direction we're heading in now).
...

--John Kelsey, [EMAIL PROTECTED]



Re: Desert Spam

2003-01-18 Thread John Kelsey
At 06:56 AM 1/16/03 -0800, Mike Rosing wrote:

On Thu, 16 Jan 2003, Anonymous wrote:

>   Does anyone know a source for a spam list for US military?
> It would be great to start spamming them with messages about
> how much they are hated by the entire world, how little real
> support they have at home - "We hope you don't come home,
> sucker, unless its in a bodybag." - and other nice, morale
> destroying sentiments.

A search on *.mil might get you a few addresses :-)


Anyone with a harvestable e-mail address is immune to this.  Yes, it's 
depressing that one set of spammers hates you and is going to sleep with 
your wife while you're getting your ass shot off in Iraq, but on the other 
hand, you've just found out how to make your penis four inches longer, and 
this Nigerian dude is wanting to give you a bunch of money for helping him 
out with a small banking matter.  It all kind-of balances out.  :)


Patience, persistence, truth,
Dr. mike


--John Kelsey, [EMAIL PROTECTED]




Re: citizens can be named as enemy combatants

2003-01-16 Thread John Kelsey
At 10:40 PM 1/13/03 -0800, Tim May wrote:

On Monday, January 13, 2003, at 09:23  PM, John Kelsey wrote:

...

Personally, I was shocked, *shocked*, to see the supreme court make a 
decision on the basis of politics instead of a careful reading of the 
constitution.

Everything the Supreme Court did in the 2000 election was fully justified. 
The Dems lost, then tried to change the rules.

That's not the way it looked to me.  My impression was that both sides were 
willing to do anything that wouldn't actually get them thrown in jail to 
sway the outcome of the election, but that Bush had been dealt a better 
hand.  The Florida court decision (with a big Democratic majority) went for 
the Democrats, the SC decision (with a Republican majority) went for the 
Republicans.  Essentially everyone involved made decisions that were in the 
interests of their party winning the presidency.  But seeing the SC make a 
highly-political decision that upset so many Democrats was entertaining, 
given the usual pattern of Conservatives complaining about activist, 
politicized courts, while Liberals explain that the Constitution needs to 
be "interpreted" in light of current events.  (Note that with a more 
Conservative court, we can expect this pattern to reverse, just as 
Conservatives were complaining about too much Presidential power during the 
Clinton administration, but in favor of greater Presidential power in the 
Reagan and Bush years.)

...
I'm not happy with Bush, to repeat this mantra that Gore/Lieberman 
actually won is knavish at best.

That's not what I said at all.  (And for what it's worth, I don't think 
Gore would be doing very much differently right now.  It's not like Bush is 
sitting around, coming up with proposals for added surveillance and security 
on his own--these are recommendations from various parts of the 
bureaucracy, and those recommendations carry a lot of weight because nobody 
wants to be seen to have ignored the next set of warnings.)

--Tim May


--John Kelsey, [EMAIL PROTECTED]




Re: citizens can be named as enemy combatants

2003-01-14 Thread John Kelsey
At 10:44 AM 1/13/03 -0800, you wrote:

If you've got your brother counting the votes,
and you can prevent anybody else from counting them,
then you don't need to cancel elections.


Personally, I was shocked, *shocked*, to see the supreme court make a 
decision on the basis of politics instead of a careful reading of the 
constitution.

To get back to the broader point of the previous poster, I'm honestly a lot 
less creeped out by the idea that Bush has the power to order people 
assassinated or disappeared (though obviously that's a really bad thing) 
than with the idea that, sooner or later, that power is going to get spread 
out to a whole bunch of people, some of whom will be getting their 
performance evaluated based on how many suspected terrorists they've had 
killed or disappeared.  "Gee, Fred, you're showing up to work on time, 
you're filling your paperwork out properly, but I'm afraid you're just not 
being effective enough at rooting out Al Qaida operatives.  I'm sure you 
can do better, though--just find me five operatives in the next week"


--John Kelsey, [EMAIL PROTECTED]



Re: biological systems and cryptography

2003-01-02 Thread John Kelsey
At 08:55 PM 1/1/03 -0800, Michael Cardenas wrote:

On Tue, Dec 31, 2002 at 12:23:51PM -0800, Tim May wrote:

...

> Strong crypto is, ipso facto, resistant to all of the above. For the
> obvious reason that the specific solution to a cipher is like a Dirac
> delta function (a spike) rising above a featureless plain, this in
> terms of the usual hill-climbing or landscape-learning models which all
> of the above use in one form or another.

People do break cyphers, by finding weaknesses in them. Are you saying
that you think that current cyphers are unbreakable?


Well, there's a difference between a system to recover plaintext given 
ciphertext (which ought not to work for any decent cipher, given a 
hill-climbing sort of approach), and a system to help a human work out the 
right way to cryptanalyze a system.  Hill-climbing techniques make sense 
when analyzing a component of a cipher, say.  (I know people have done 
stuff like this in various places, but I'm away from my library, so you'll 
have to look it up yourself.)

Also, what about using biological systems to create strong cyphers,
not to break them?


This ought to just be the other side of using these systems to do 
analysis.  If you can find an especially good way to partition the set of 
texts for a partitioning attack, you can use that to decide how to design 
your cipher to resist the attacks, for example.
--
michael cardenas   | lead software engineer, lindows.com
hyperpoem.net  | GNU/Linux software developer
people.debian.org/~mbc | encrypted email preferred


--John Kelsey, [EMAIL PROTECTED]




Re: Dossiers and Customer Courtesy Cards

2003-01-02 Thread John Kelsey
At 01:46 PM 12/31/02 -0800, Bill Stewart wrote:
...

The scalability of the problem is much different depending on your goals.
If you want to sort through the transcriptions of people who
bought drugs and knives and airline tickets but no luggage
in an effort to find potential terrorists, that's useless.



But if you've already got a suspect, like a Green Party member
who wrote an annoyed letter to the President and threatened to
tell her Congresscritter in person what a bad President he is,

...

It's worth pointing out that if you can afford to do the computerized part 
of this search for your top 16 suspects today, you'll be able to do it for 
your top thousand suspects in less than ten years, just assuming processing 
and storage gets cheaper at current rates


--John Kelsey, [EMAIL PROTECTED]



Re: Extradition, Snatching, and the Danger of Traveling to Other Countries

2002-12-17 Thread John Kelsey
At 02:10 PM 12/15/02 -0500, cubic-dog wrote:

On Sat, 14 Dec 2002, John Kelsey wrote:


...

> running on a pro-freedom slate, politicians will be found to do that.  Note
> that guns are still legal in the US, despite the fact that armed private
> citizens are apparently *very* unpopular with the decisionmaking elite in
> the US.  (This makes sense, too.  My risks of being shot by anyone are
> quite low, as I live in a middle-class neighborhood and take reasonable
> precautions.  But if you're a politician or public figure, you're much more
> likely to be a target, and much more likely to be able to hire an off-duty
> cop or other carefully-screened person to carry a gun and defend you.)

When was the last time in these here Untied Status
that a political figure was shot for political reasons?

That's not really the point of my example.  The fact that privately-owned 
guns are both:

a.  Still mostly legal
b.  Seriously unpopular with many or most of the decisionmakers

implies that when there's enough popular support for pro-liberty positions, 
they can overcome the natural desire of politicians, judges, and 
bureaucrats to expand their power and budgets without bound.

In practice, gun control laws are only really useful as a defense against 
assassination by random nuts.  A serious terrorist or an assassin hired by 
the opposition party is going to be able to get the necessary weapons, as 
is a serious criminal.

[Discussion of various assassinations that may have had political motive.]

You left out Martin Luther King, whose assassination was apparently 
politically motivated.  (You don't have to hold office to be worth 
assassinating; repressive regimes routinely kill off the most likely 
opposition leaders,  for example.)  Also, several abortion doctors have 
been murdered for political/terror reasons, several civil rights activists 
were killed in the 50s and 60s, and I believe George Wallace was shot while 
running for president (I don't know the would-be assassin's reasons, but it 
wouldn't be hard to guess them.).

...
Political assassination by populists in this
country? Hardly. Political kidnapping? Nope.


I'd say a lot of the reason for this is that there are usually better 
options available to deal with the problem.  You can try to figure out how 
to evade dumb or evil laws, move out of the state, or even emigrate to 
another country to avoid them.  And if the politicians in power annoy the 
voters enough, they *will* get voted out.  Terrorist tactics are more 
likely to backfire on your movement (as they have on the anti-abortion 
movement) than win you supporters.

Along with this, most of us realize that we don't want to live in a country 
where assassination, terrorist bombings, death squads, kidnappings, etc., 
become the standard way to bring about social and political change.  The 
world's already full of such countries.  At the first serious sign of the 
US becoming such a country, presumably a lot of us will be looking for 
another place to live.
...


--John Kelsey, [EMAIL PROTECTED]



Re: Privacy qua privacy (Was: Photographer Arrested For Taking Pictures...)

2002-12-17 Thread John Kelsey
At 12:53 PM 12/15/02 -0500, Adam Shostack wrote:
...

I think that a law which re-affirmed the rights to be anonymous, to
call yourself what you will, to be left alone, to not carry or show ID
would transform the debate about privacy into terms in which the issue
could be solved.  (At least as it affects private companies.)
Companies would be able to do what they want with your data as long as
you had a meaningful and non-coercive choice about handing it over.


I think this would help, but I also think technology is driving a lot of 
this.  You don't have to give a lot more information to stores today than 
you did twenty years ago for them to be much more able to track what you 
buy and when you buy it and how you pay, just because the available 
information technology is so much better.  Surveillance cameras, DNA 
testing, identification by iris codes, electronic payment mechanisms that 
are much more convenient than cash most of the time, all these contribute 
to the loss of privacy in ways that are only partly subject to any kind of 
government action (or inaction) or law.

The records are being created and kept by both government and private 
entities.  The question is whether to try to regulate their use (with huge 
potential free-speech issues, and the possibility of companies being able 
to, say, silence criticism of their products or services) or leave them 
alone (with the certainty that databases will grow and continue to be 
linked, creating pretty comprehensive profiles of almost everyone's 
reading, musical, spending, and travel patterns, and with anyone who takes 
serious measures to avoid being profiled having obvious gaps in their 
profiles to indicate their wish for privacy in some area).

Some kinds of privacy are, IMO, in the process of all but 
disappearing.  Other kinds are being made possible by technology, which 
would never have even been possible before, but it's not at all clear 
they'll really come into being for many people.  (How many people are sure 
their machines are secure against the best spyware the feds can come up 
with?)

...
Adam


--John Kelsey, [EMAIL PROTECTED]





Re: Extradition, Snatching, and the Danger of Traveling to Other Countries

2002-12-15 Thread John Kelsey
At 09:15 AM 12/13/02 -0800, Mike Rosing wrote:
...
[Discussion of the lack of pro-freedom candidates.]


There are more choices than that.  It just takes a while for the
masses to figure that out.  When there are no choices, then we
can fight with weapons.  For now, words are sufficient.


The thing that's being missed here is that, if elections can be won by 
running on a pro-freedom slate, politicians will be found to do that.  Note 
that guns are still legal in the US, despite the fact that armed private 
citizens are apparently *very* unpopular with the decisionmaking elite in 
the US.  (This makes sense, too.  My risks of being shot by anyone are 
quite low, as I live in a middle-class neighborhood and take reasonable 
precautions.  But if you're a politician or public figure, you're much more 
likely to be a target, and much more likely to be able to hire an off-duty 
cop or other carefully-screened person to carry a gun and defend you.)  But 
gun owners will largely show up for the Republican candidate when the 
Democrat makes gun control a big issue, and will largely stay home (thus 
hurting the Republican) when both candidates have the same position on gun 
control.

IMO, the Republicans won the midterm elections because most Americans are 
more scared of Saddam Hussein and Osama bin Laden than of George Bush and 
John Ashcroft.  As long as that continues, being seen to take bold and 
far-reaching steps to fight the war on terrorism is going to be necessary 
for anyone who wants to win an election.  So we're going to continue to see 
cosmetic security measures (like confiscating nail clippers at airport 
gates), and security measures that have horrible potential for abuse (like 
letting the president disappear anyone he claims is an unlawful 
combatant), and even security measures that are likely to make citizens 
less safe from terrorist violence (like invading Iraq).

Patience, persistence, truth,
Dr. mike


--John Kelsey, [EMAIL PROTECTED]




Re: Katy, bar the door

2002-11-02 Thread John Kelsey
At 09:32 PM 10/31/02 -0800, Tim May wrote:
...
>If the attackers/hijackers cannot get into the cockpit and gain control 
>of the plane, then the most they can do with disabling/lethal/nerve 
>gases is to cause the plane to essentially crash randomly...which kills 
>a few hundred people, but probably not many more.
>
>Which is yet another reason why securing the cockpit door very, very 
>well is the single most important, and cheapest, solution.

Hmmm.  I agree, but if the attackers chose the right time (while the
plane's on autopilot) to release the gas or whatever, they might have an
hour or two to get through the cockpit door, with no resistance at all from
the now-dead passengers or crew.  Securing a cockpit door in those
circumstances is *much* harder than securing it against someone with a
shorter time to get through, and with the possibility of active resistance
from the other side.  (I seem to recall hearing some pilot comment that he
was very confident of his ability to keep someone from breaking through the
door, just by flying so that it's almost impossible to stay on your feet.
Certainly, trying to use a hacksaw or cutting torch or something wouldn't
be much fun while the pilot did loops or something.)  

On the other hand, the pilot or copilot pretty much just have to figure out
something is wrong and indicate this fact to the people on the ground, and
there will be a plane along shortly to shoot them down if necessary.  And I
don't think this kind of gassing attack would work all that smoothly in
practice--some people would be affected before others, due to nonuniformity
in the way air is distributed in the cabin and different levels of
susceptibility.  

The combination of a hard-to-break-into cockpit and some kind of response
to prevent these planes being used as low-tech cruise missiles seems like a
win.  Maybe it would make sense to add some kind of remote surveillance of
the cockpit, though I imagine this wouldn't be too popular with pilots, and
they'd definitely need to secure the channel properly.  

>--Tim May
 --John Kelsey, [EMAIL PROTECTED] // [EMAIL PROTECTED]




Re: Confiscation of Anti-War Video

2002-10-31 Thread John Kelsey
At 12:01 PM 10/28/02 -0800, Tim May wrote:

...
>By the way, there are perfectly good fixes to the current hysteria 
>about things carried on board planes. Besides the obvious absurdity of 
>issuing alarms when fingernail clippers are found (but ignoring razor 
>sharp edges in things like laptops with metal cases!), there are many 
>fixes which can be applied:

I think the best fix is to accept that a determined suicidal attacker will
probably manage to bring down the plane, but make sure that's the worst he
can do.  That removes the externality problem.  The current algorithm for
this is some combination of pilots being told not to go along with
hijackers' demands, and maybe some chance of getting a military jet in
place to shoot the hijacked plane down, if it is taken over by the
hijackers.  (It seems like this wouldn't be practical most of the time,
e.g., if someone takes over the plane as it's approaching landing, there
probably wouldn't be anyone in place to shoot in time.  And faster response
time means less time to discover a mistake.)  

I've heard of an idea for a mechanism for putting some kind of
remote-control piloting mechanism on the plane, so that it can be taken
over from the ground.  This adds new attack points, but it might be
workable.  And of course, rockets have long had self-destruct mechanisms;
presumably, there's stuff off the shelf from NASA or the DoD that does this
with some reasonable level of security.  (This last one would be
politically unacceptable, but it's not really all that different from
having a fighter shoot the hijacked plane down.)   Both of these introduce
a bunch of new vulnerabilities, though.  

Your list left out the obvious technique, which I think is more-or-less
used by El Al:  Screen your passengers really well, probably using secret
databases, various kinds of racial profiling, etc.  Routinely turn
passengers away, or make boarding the plane such an ordeal that they elect
not to fly anymore.  (One of the many problems with this is that most
flights are within the US; make flying sufficiently nasty, and people will
take trains, busses, or their own cars.  I think this is already happening
a great deal, which is one reason most airlines are doing so poorly.)  

...
>4. Finally, market solutions are usually best. Any of the above could 
>be implemented. If customers feel safer with a different baggage 
>policy, they'll pick it. 
...

I can't imagine this being done in practice, but I wish it were.  The
problem *is* an externality, but not the one you pointed out.  Politicians
in office right now will be blamed if there's another hijacking.  So if I
choose to fly Allahu Akbar Airlines for the short security checking lines,
I get the benefit, but part of the cost lands on incumbent congressmen and
the President.  And those incumbents, unlike most people who get stuck with
such costs, have the power to do something about it.  (Something pretty
similar happens with the FDA, right?  If you get the new cancer drug a year
earlier, you get all the benefit (maybe you get to go on living); the FDA
gets the added risk of there being some horrible side effect.  So they
force a different trade-off on you than you'd prefer.)  

>--Tim May
 --John Kelsey, [EMAIL PROTECTED] // [EMAIL PROTECTED]




Re: employment market for applied cryptographers?

2002-08-17 Thread John Kelsey

At 04:21 AM 8/16/02 -0400, dmolnar wrote:
...
>Don't forget schedule pressure, the overhead of bringing in a contractor
>to do crypto protocol design, and the not-invented-here syndrome. I think
>all of these contribute to keeping protocol design in-house, regardless of
>the technical skill of the parties involved. 

Also, designing new crypto protocols, or analyzing old ones used in odd
ways, is mostly useful for companies that are offering some new service on
the net, or doing some wildly new thing.  Many of the obvious new things
have been done, for better or worse, and few companies are able to get
funding for whatever cool new ideas they may have for the net, good or bad.
And without funding, people are a lot more likely to either decide to do
the security themselves, apply OpenSSL and a lot of duct tape and hope for
the best, or just ignore security.  Sure, it may cost a lot later, but
they're going broke *now*.

>-David

--John Kelsey, [EMAIL PROTECTED] // [EMAIL PROTECTED]




Re: employment market for applied cryptographers?

2002-08-17 Thread John Kelsey

At 12:57 PM 8/16/02 -0400, Perry E. Metzger wrote:

...
>I've seen very high rates of unemployment among people of all walks of
>life in New York of late -- I know a lot of lawyers, systems
>administrators, secretaries, advertising types, etc. who are out of
>work or have been underemployed for a year or longer. I'm not sure
>that it is just cryptographers.

This is my experience, too.  A huge number of the people I know around here
(RTP area, mid-North Carolina) are out of work, or are worried that they
soon will be.  This set of people includes only one cryptographer (and he's
got a job).  

>Always keep in mind when you hear the latest economic statistics that
>measuring the size of the US economy, or the number of unemployed
>people, is partially voodoo. 

Also that regions and industries can vary enormously in how their economy
is going.  Areas where a lot of jobs are in the computer or travel
industries, for example, are going to have a lot of unemployment, as this
area does.  And also, it's important to note that most of us in this field
might move to a different field (e.g., more general software development,
teaching, etc.) rather than live without paychecks for a long time.  Or
might decide that now is the time to go back to school.  Unemployment stats
measure (if I'm remembering it right) only people who are not working, but
are actively looking for work.  (I don't know what definition is used to
decide if you're really looking or not.)  

I feel very fortunate to still have a job, given all that's going on in
this industry.

>Perry

--John Kelsey, [EMAIL PROTECTED] // [EMAIL PROTECTED] 



