Nullsoft's WASTE communication system
http://www.nullsoft.com/free/waste/ - Overview http://www.nullsoft.com/free/waste/security.html - Security section http://www.nullsoft.com/free/waste/network.html - Network design http://slashdot.org/article.pl?sid=03/05/29/0140241mode=threadtid=126tid=93 - Slashdot discusssion Nullsoft, who did Winamp and Gnutella, just released a package called W A S T E which does encrypted communications within small groups of people. It doesn't appear to have had outside analysis of its security yet, but they do invite it, and they say it needs some work. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
RE: PGP Encryption Proves Powerful
The article hedges on whether or not PGP was used on the Psion mentioned. The Psion might have been using one of the other programs listed at http://www.ericlindsay.com/epoc/sicrypt5.htm. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: PGP Encryption Proves Powerful
Aside from the whole governments-and-people-and-terrorists thing, I will say that there was an event last year at my former employers' that made us very glad we were using PGP. An engineer's laptop got stolen. With the entire source tree of an enterprise application that licensed for $25K a seat on it. Fortunately, since it was in an encrypted archive, we didn't need to worry too much. I don't know how many incidents like this happen every year. I don't think governments care that much about the kind of risk companies not using crypto to protect their livelihoods take. They don't become aware of crypto when it averts trouble. They become aware of crypto when it causes trouble. Bear - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: PGP Encryption Proves Powerful
If the FBI cannot crack PGP that does not mean other agencies with greater prowess cannot. It is unlikely that the capability to crack PGP would be publicly revealed for that would close an invaluable source of information. Intel crackers hardly ever reveal their most essential tools, though there are orchestrated releases of capability to mislead. In the case of the VENONA decrypts, there have been only partial public releases, along with misleading stories about how the decrypts were done -- the official story they were done only by dedicated cryptanalysts without help of code books or other assists, that Russian carelessness of OTP preparation provided the crib. Unofficial stories are that Russian codebooks were used, at least for some of the decrypts -- Thomas Powers, for one, recounts this version in several reprinted essays in The Intelligence Wars. That cover stories have been arranged for how the deciphering was actually done, some not privy to the hardworking NSA crackers. An undisclosed amount of the VENONA messages remain undeciphered, or at least not made public. Speculation is that NSA and whomever do not want to tell the full story of the decrypt capability, again, as with most intelligence agencies it is more beneficial to never reveal full capabilities, in particular not to temporary allies with the understanding that allies always spy on each other, whether those are US TLAs or foreign friends. Ther recent opening of domestic cooperation among the intel agencies and law enforcement will not likely get any of them to share fully. Still, it is impressive that PRZ valiantly argues that PGP is algorithmically impregnable. That should satisfy its users as well as its crackers. An uncracked code is the perfect spying tool. Based on a mulitude of accounts of sophisticated espionage deceptions it might be suspected that is the origin of PK crypto, and why it was leaked, and leaked again, and crypto export was eased, then greased again. Presumably there will be periodic reports of cryptographic impregnability to foster wider if not wiser use. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
web apps with large volumes of bidirectional http traffic
I need to find some relatively widely deployed applications which have frequent user interactions (rapid clicking on links, from as large a population of links as possible, and also form filling and such). (it should be pretty obvious what this is for) I'd like: 0) *rapid*/frequent user interactions; fast clicking on things (like every second, no more than 5 seconds) 1) sticky...long interactions with a given site (on the order of hours) (also all links need to be under the same url/same server) 2) large number of potential links for users to click on, with desirable properties for click distribution (I *think* I want them to be nearly equally likely, but I might just want a defined distribution, or I might even want the opposite of that) 3) relatively small data sizes for downloaded data, UNLESS downloaded data is generated unique and randomly 4) widely deployed already on the internet, or compelling enough that there would be a decent number of potential server operators. Obviously I could *create* an app which has the desirable characteristics, but I'd like something which can deal with existing data or apps served over the internet) 5) good data on how likely users are to click on things, how fast they click, etc., so one could easily operate within those parameters. So far, the best ideas: 1) Porn 2) Mailing lists with lots of internal links (next, reply, etc.) 3) Sites with search engines with lots of linked data (encyclopedia, etc.) 4) html games (or flash, maybe) -- either imagemaps, or just tables, things like chess, or puzzles, or whatever I'd definitely appreciate any suggestions on possible web apps which meet these criteria; reply to lists or [EMAIL PROTECTED] I'll post when it's ready. Thanks, Ryan -- Ryan Lackey [RL960-RIPE AS24812] [EMAIL PROTECTED] +1 202 258 9251 OpenPGP DH 4096: B8B8 3D95 F940 9760 C64B DE90 07AD BE07 D2E0 301F - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: PGP Encryption Proves Powerful
At 1:22 PM -0400 5/29/03, Ian Grigg wrote: The following appears to be a bone fide case of a threat model in action against the PGP program. Leaving aside commentary on the pros and cons within this example, there is a desparate lack of real experience in how crypto systems are attacked. IMHO, this leads to some rather poorly chosen engineering decisions that have shown themselves to stymie or halt the success of otherwise good crypto systems. Does anyone know of a repository for real life attacks on crypto systems? Or are we stuck with theoretical and academic threats when building new systems? iang There is a lot of material from the World War II era (e.g Silk and Cyanide by Leo Marks) and the early cold war (e.g. http://www.nsa.gov/docs/venona/). Government cryptographic successes are usually highly classified and kept that way for decades. There was one recent story about the FBI's apparent use of a keyboard logger to get a accused organized criminal's password. The latest U.S. Government wiretap report http://www.uscourts.gov/wiretap02/contents.html (they are now required to report on encryption incidents) says: Encryption was reported to have been encountered in 16 wiretaps terminated in 2002 and in 18 wiretaps terminated in calendar year 2001 or earlier but reported for the first time in 2002; however in none of these case was encryption reported to have prevented law enforcement officials from obtaining the plain text of the communications intercepted. By comparison they reported 1358 intercepts authorized in 2002. Arnold Reinhold - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]