Diebold Inc.

2003-09-13 Thread R. A. Hettinga 
I wonder if there are any mirrors of this out there?

Cheers,
RAH

--- begin forwarded text


Status:  U
Date: Fri, 12 Sep 2003 18:36:13 -0700
From: Elias <[EMAIL PROTECTED]>
User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US;
rv:1.0.2) Gecko/20021120 Netscape/7.01
To: Fork <[EMAIL PROTECTED]>
Cc:
Subject: Diebold Inc.
Reply-To: Fork <[EMAIL PROTECTED]>
List-Id: Friends of Rohit Khare  
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: ,

Sender: [EMAIL PROTECTED]

Holy election time stories, BatMan! I wonder how/when this will hit major media... 
Hope none of you have stock in this company.

Reeling,
Elias

 Original Message 
[...]

"It doesn't matter who votes, it matters who counts the votes"- Joe Stalin

DIEBOLD DEMANDS WEB SITES REMOVE SOFTWARE
AND DAMNING EMAILS, CHARGING COPYRIGHT VIOLATIONS!

http://www.smashthetrifecta.com/
DIEBOLD ALERT
All files yanked by webhost at request of Diebold, Inc.

A copy of the email is below. I received this 28 hours after the now-vanished files 
went live.

While I am not a legal professional in any way, I firmly believe that these files, 
while copyrighted, carry credible evidence of illegal vote-accessing activity and thus 
are not covered under the DCMA due to the "dirty hands" defense, which disallows an 
entity seeking damages in cases involving illegal activities connected to that which 
is being protected.

I furthermore adamantly oppose the secrecy and unlawful proliferation of voting 
machines lacking in an auditable, transparent paper backup trail as mandated by law 
via the Helping Americans Vote Act. I refuse to stand by and watch our voting rights 
be subverted, controlled, and ultimately destroyed.

I will post further updates, should they become available.

--Zhade


-- Original message --

September 11, 2003
Jennifer Bryan Dragonwind Internet Services 608 Live Oak Drive Cedar Park, TX 78613
[EMAIL PROTECTED]
RE: COPYRIGHT INFRINGEMENT
Ms. Jennifer Bryan,
We represent Diebold, Incorporated and its wholly owned subsidiary Diebold Election 
Systems, Inc. (collectively "Diebold"). Diebold is the owner of copyrights in certain 
software, documentation, and other works of authorship associated with its proprietary 
electronic voting machines ("Diebold Property"). It has recently come to our clients' 
attention that you appear to be hosting the following website: 
www.smashthetrifecta.com on one or more of your 
servers, identified as NS1.DRAGONWIND.NET or NS2.DRAGONWIND.NET. This websinte , 
particularly each of the following pages, includes program and/or data files 
containing Diebold Property.:

http://www.smashthetrifecta.com/pimaupgrade.zip
http://www.smashthetrifecta.com/GEMSIS-1-17-17.ZIP
http://www.smashthetrifecta.com/GEMSIS-1-17-23.zip
http://www.coopster.net/Web%20Shares/GEMSIS-1-18-17.zip
http://www.smashthetrifecta.com/cobb-corrected-100102-backup.zip
http://www.smashthetrifecta.com/sloprimary030502.zip
http://www.smashthetrifecta.com/ATL-TSRepair.zip

Other information posted on these web pages encourages the downloading of Diebold 
Property from the server and describes how to circumvent passwords and other 
technological measures that are designed to control access to the Diebold property. 
The owner of the smashthetrifecta.com website does not have Diebold's consent to use 
any Diebold Property. These web pages infringe Diebold's copyrights by (1) placing an 
unauthorized copy of the Diebold Property on the server, (2) making the Diebold 
property available to third parties to download from the server and authorizing third 
parties to further infringe our clients' copyrights by downloading and therefore 
copying Diebold Property, and (3) encouraging and assisting in the circumvention of 
copyright protection systems. The purpose of this letter is to advise you of our 
clients' rights and to seek your agreement to the following:

1. To stop using and to immediately delete any Diebold Property from all computer 
systems used by you, or operated under your control, and to confirm having done so in 
writing;

2. To confirm, in writing, that you have no backup copies of any Diebold Property;

3. To cease making Diebold Property available on your server and to cease providing 
the opportunity for any third parties to download, and thereby copy, Diebold Property.

The value of property protect

quantum hype

2003-09-13 Thread martin f krafft 
Dear Cryptoexperts,

With

  http://www.magiqtech.com/press/navajounveiled.pdf

and the general hype about quantum cryptography, I am bugged by
a question that I can't really solve. I understand the quantum
theory and how it makes it impossible for two parties to read the
same stream. However, what I don't understand is how that adds to
security.

The main problem I have with understanding the technology is in the
fact that any observation of the quantum stream is immediately
detectable -- but at the recipient's side, and only if checksums are
being employed, which are not disturbed by continual or sporadic
photon flips.

So MagiQ and others claim that the technology is theoretically
unbreakable. How so? If I have 20 bytes of data to send, and someone
reads the photon stream before the recipient, that someone will have
access to the 20 bytes before the recipient can look at the 20
bytes, decide they have been "tampered" with, and alert the sender.
So I use symmetric encryption and quantum cryptography for the key
exchange... the same situation here. Maybe the recipient will be
able to tell the sender about the junk it receives, but Mallory
already has read some of the text being ciphered.

In addition to that, the MITM attack seems to be pertinent, unless
I use public-key encryption and authentication. But then I am back
to cryptography whose strength is based on intractability and not on
a proof. And now I fail to see why quantum crypto is hyped so much.

Maybe I am completely misguided, but I would really appreciate some
explanation or even pointers. Or someone wants to spend a couple of
minutes to explain the process of theoretically unbreakable quantum
cryptography step-by-step.

Note: I am reading MagiQ's press release with the
subtract-marketing-b/s grain of salt. Of course, their technology is
superior to everything. However, most of my information and the food
for my questions stem from the more scientific side, having read
about it in articles in renowned magazines and mailing list posts.

Thanks,

-- 
martin;  (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]
 
invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!
 
joan of arc heard voices too.


pgp0.pgp
Description: PGP signature

Re: quantum hype

2003-09-13 Thread David Wagner 
martin f krafft  wrote:
>So MagiQ and others claim that the technology is theoretically
>unbreakable. How so? If I have 20 bytes of data to send, and someone
>reads the photon stream before the recipient, that someone will have
>access to the 20 bytes before the recipient can look at the 20
>bytes, decide they have been "tampered" with, and alert the sender.

You're absolutely right.  Quantum cryptography *assumes* that you
have an authentic, untamperable channel between sender and receiver.
The standard quantum key-exchange protocols are only applicable when
there is some other mechanism guaranteeing that the guy at the other end
of the fibre optic cable is the guy you wanted to talk to, and that noone
else can splice into the middle of the cable and mount a MITM attack.

One corollary of this is that, if we want end-to-end security, one can't
stick classical routers or other such equipment in the middle of the
connection between you and I.  If we want to support quantum crypto,
the conventional network architectures just won't work, because any two
endpoints who want to communicate have to have a direct piece of glass.
Quantum crypto might work fine for dedicated point-to-point links,
but it seems to be lousy for large networks.

For these reasons, and other reasons, quantum crypto looks pretty
impractical to me, for most practical purposes.  There is some very
pretty theory behind it, but I predict quantum crypto will never replace
general-purpose network encryption schemes like SSH, SSL, and IPSec.

As you say, there is a lot of hype out there, but as you're discovering,
it has to be read very carefully.

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: quantum hype

2003-09-13 Thread martin f krafft 
also sprach David Wagner <[EMAIL PROTECTED]> [2003.09.13.2306 +0200]:
> You're absolutely right.  Quantum cryptography *assumes* that you
> have an authentic, untamperable channel between sender and
> receiver. The standard quantum key-exchange protocols are only
> applicable when there is some other mechanism guaranteeing that
> the guy at the other end of the fibre optic cable is the guy you
> wanted to talk to, and that noone else can splice into the middle
> of the cable and mount a MITM attack.

Uh, so if I have a channel of that sort, why don't I send cleartext?

-- 
martin;  (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]
 
invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!
 
"the public is wonderfully tolerant.
 it forgives everything except genius."
-- oscar wilde


pgp0.pgp
Description: PGP signature

Re: quantum hype

2003-09-13 Thread John S. Denker 
On 09/13/2003 03:52 PM, martin f krafft wrote:
> ... any observation of the quantum stream is immediately
> detectable -- but at the recipient's side, and only if checksums are
> being employed, which are not disturbed by continual or sporadic
> photon flips.
>
> someone will have
> access to the 20 bytes before the recipient can look at the 20
> bytes, decide they have been "tampered" with, and alert the sender.
> So I use symmetric encryption and quantum cryptography for the key
> exchange... the same situation here. Maybe the recipient will be
> able to tell the sender about the junk it receives, but Mallory
> already has read some of the text being ciphered.
1) As the subject: line suggests, there is indeed a lot
of hype in the quantum crypto business.  But there is
also a kernel of reality behind it.
2) Typically people use a combination of quantum and non-quantum
techniques.
3) Typically there is a multi-stage process:
 -- Exchange several blocks of keying material.
 -- Check for tampering;  reject blocks that show tampering.
 -- Do some post-processing to reduce vulerability
to undetected tampering.
 -- Use the result to encrypt your actual data.  This
is the first stage at which valuable data is exposed
in any way.
Consider the possibilities:
  *) In each block, Mallory has a 50/50 chance of being able
  to copy a bit without being detected.
  *) More generally, Mallory has a 2^-C chance of being able
  to copy C bits without being detected.
As an easy-to-understand example:
You (Alice and Bob, the good guys) choose a C big enough
that 2^-C looks negligible to you.  Alice sends Bob a
bunch of bits (N>>2C).  Bob tells Alice (in the clear) what
receiver settings he used.  Alice then knows which bits
Bob should have been able to receive correctly.  Alice
tells Bob (in the clear) to check a randomly-chosen set
of C bits, checking that they have the values Alice
thinks they should have.  If this test is passed, it
puts an upper bound on how greedy Mallory has been.
Then Alice tells Bob (in the clear) to use another
(disjoint) set of C bits.  Bob XORs these bits together
and calls it one bit of key.  There is only one chance
in 2^-C that Mallory knows this bit.  The efficiency of the
key-exchange is roughly one part in 2C.  So there is an
exponential security/efficiency tradeoff.  Not too shabby.
The foregoing assumed an error-free channel.  Things get
much worse if the good guys need to do error correction.
There are snake-oily products out there that throw in
some "mild" cryptographic assumptions in order to increase
the efficiency.  So beware.
On 09/13/2003 05:06 PM, David Wagner wrote:
>
> Quantum cryptography *assumes* that you
> have an authentic, untamperable channel between sender and receiver.
Not true.  The signal is continually checked for
tampering;  no assumption need be made.
Not all the world's oil comes from snakes.
Some does, some doesn't.
> if we want end-to-end security, one can't
> stick classical routers or other such equipment in the middle of the
> connection between you and I.
That's true.  A classical router is indistinguishable
from a tap.
-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: quantum hype

2003-09-13 Thread David Wagner 
> On 09/13/2003 05:06 PM, David Wagner wrote:
>  > Quantum cryptography *assumes* that you
>  > have an authentic, untamperable channel between sender and receiver.
> 
> Not true.  The signal is continually checked for
> tampering;  no assumption need be made.

Quantum crypto only helps me exchange a key with whoever
is on the other end of the fibre optic link.  How do I know
that the person I exchanged a key with is the person I wanted
to exchange a key with?  I don't ... unless I can make extra
assumptions (such as that I have a guaranteed-authentic channel
to the party I want to communicate with).

If I can't make any physical assumptions about the authenticity
properties of the underlying channel, I can end up with a scenario
like this: I wanted to exchange a key securely with Bob, but instead,
unbeknownest to me, I ended up securely exchanging key with Mallet.

I believe the following is an accurate characterization:
 Quantum provides confidentiality (protection against eavesdropping),
 but only if you've already established authenticity (protection
 against man-in-the-middle attacks) some other way.
Tell me if I got anything wrong.

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: quantum hype

2003-09-13 Thread David Wagner 
martin f krafft  wrote:
>David Wagner <[EMAIL PROTECTED]> writes:
>> You're absolutely right.  Quantum cryptography *assumes* that you
>> have an authentic, untamperable channel between sender and
>> receiver. The standard quantum key-exchange protocols are only
>> applicable when there is some other mechanism guaranteeing that
>> the guy at the other end of the fibre optic cable is the guy you
>> wanted to talk to, and that noone else can splice into the middle
>> of the cable and mount a MITM attack.
>
>Uh, so if I have a channel of that sort, why don't I send cleartext?

Quantum cryptography doesn't assume the channel is immune from
eavesdropping.  It does assume you know who is on the other end, and
no one can splice themselves in as a man-in-the-middle.  (Even though
we have an authentic channel, eavesdropping on the channel might still
be possible.)

One could reasonably ask how often it is in practice that we have a
physical channel whose authenticity we trust, but where eavesdropping
is a threat.  I don't know.

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: quantum hype

2003-09-13 Thread John S. Denker 
On 09/13/2003 05:43 PM, David Wagner wrote:
>
> I believe the following is an accurate characterization:
>  Quantum provides confidentiality (protection against eavesdropping),
>  but only if you've already established authenticity (protection
>  against man-in-the-middle attacks) some other way.
I wouldn't have put it quite that way.  Authenticity
doesn't need to come before confidentiality.
Let's consider various threats:
 1) passive eavesdropping.
 2) active eavesdropping including tampering.
 3) simple impersonation at the far end.
 4) MITM, which can be considered a form of
active eavesdropping by means of a double
impersonation.
Quantum key exchange provides end-to-end protection
against passive eavesdropping.  It plugs into the
block diagram in the same place as Diffie-Hellman
key exchange would plug in.  It's the same only a
little stronger (no assumptions about algorithmic
intractability).
That means you can establish a confidential but
anonymous tunnel, and then send authentication
messages through the tunnel.
As far as I know, there are no quantum algorithms
that prevent impersonation.  Perhaps I'll learn of
some tomorrow, but I would be truly surprised.
Quantum mechanics isn't going to tell you that
John Doe #137 is a good guy while John Doe #138
is a bad guy.
This is quite significant, because key exchange is
only one part of any practical system.  Quantum
mountebanks claim to have solved "the" key
distribution problem, but this is untrue.  They
have dealt with _exchange_ of session keys, but
they have not dealt with the _distribution_ of
authentication keys.
Distributing and securing any kind of keys under
(say) battlefield conditions is a nightmare.
Reducing the amount of keying material helps
only slightly, unless you can reduce it to zero,
which has not been achieved AFAIK.
Then you have to consider the cost of very special
endpoint equipment, the cost of a very special
communication channel, and the cost of using that
channel inefficiently.
-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]