Re: US Court says no privacy in wiretap law

2004-07-04 Thread Ivan Krstic
William Allen Simpson wrote:
Switches, routers, and any intermediate computers are fair game for 
warrantless wiretaps.
It seems privacy and free speech are becoming lost concepts worldwide. 
This just came out today:
So not only does China mercilessly filter the Internet for their 
residents (several weeks ago, they blocked access to Wikipedia), now 
they also filter SMSs. North Korea chose not to bother altogether, and 
after introducing cell phone service a year and a half ago, recently 
shut it down completely for fear of too much foreign influence. I need 
not say international calls were blocked, both inbound and outbound, 
during the period the network was operational.

Is there nothing that can be done about any of this? Do we just stand 
by, watching some of our most important human rights go to shit?

This sets my blood boiling like very few other things.
Caustically embittered,
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

md5 cracking for short texts

2004-07-04 Thread Perry E. Metzger

These folks have a service that will find the text that hashed to an
MD5 if the text is less than or equal to 8 characters in length and
matches [0-9a-z]+


The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: Question on the state of the security industry

2004-07-04 Thread Ian Grigg
I shared the gist of the question with a leader
of the Anti-Phishing Working Group, Peter Cassidy.
Thanks Dan, and thanks Peter,
I think we have that situation.  For the first
time we are facing a real, difficult security
problem.  And the security experts have shot
their wad. 
--- Part One
(just addressing Part one in this email)
I think the reason that, to date, the security community has
been largely silent on phishing is that this sort of attack was
considered a confidence scheme that was only potent against
dim-wits - and we all know how symathetic the IT
security/cryptography community is to those with less than
powerful intellects.

OK.  It could well be that the community has an
inbuilt bias against protecting those that aren't
able to protect themselves.  If so, this would be
cognitive dissonance on a community scale:  in this
case, SSL, CAs, browsers are all set up to meet
the goal of totally secure by default.
Yet, we know there aren't any secure systems, this
is Adi Shamir's 1st law.
Ignoring attacks on dimwits is one way to meet that
goal, comfortably.
But, let's go back to the goal.  Why has it been
set?  Because it's been widely recognised and assumed
that the user is not capable of dealing with their own
security.  In fact, in its lifetime over the last decade,
browsers have migrated from a ternary security rating
presented to the user, to whit, the old 40 bit crypto
security, to a binary security rating, confirming
the basic principle that users don't know and don't
care, and thus the secure browsing model has to do
all the security for the user.  Further, they've been
protected from the infamous half-way house of self-
signed certs, presumably because they are too dim-
witted to recognise when they need less or more
security against the evil and pervasive MITM.
Who is thus a dimwit.  And, in order to bring it
together with Adi's 1st law, we ignore attacks
on dimwits (or in more technical terms, we assume
that those attacks are outside the security model).
(A further piece of evidence for this is a recent
policy debate conducted by Frank Hecker of Mozilla,
which confirmed that the default build and root
list for distribution of Mozilla is designed for
users who could not make security choices for
So, I think you're right.
 Also, it is true, it was considered a
 sub-set of SPAM.
And?  If we characterise phishing as a sub-set
of spam, does this mean we simply pass the buck
to anti-spam vendors?  Or is this just another
way of cataloging the problem in a convenient
box so we can ignore it?
(Not that I'm disagreeing with the observation,
just curious as to where it leads...)

The reliance on broadcast spam as a vehicle for consumer data
recruitment is remaining but the payload is changing and, I
think, in that advance is room for important contributions by
the IT security/cryptography community. In a classic phishing
scenario, the mark gets a bogus e-mail, believes it and
surrenders his consumer data and then gets a big surprise on his
next bank statement. What is emerging is the use of spam to
spread trojans to plant key-loggers to intercept consumer data
or, in the future, to silently mine it from the consumer's PC.
Some of this malware is surprizingly clever. One of the APWG
committeemen has been watching the devleopment of trojans that
arrive as seemingly random blobs of ASCII that decrypt
themselves with a one-time key embedded in the message - they
all go singing straight past anti-virus.
This is actually much more serious, and I've
noticed that the media has picked up on this,
but the security community remains
characteristically silent.
What is happening now is that we are getting
much more complex attacks - and viruses are
being deployed for commercial theft rather
than spyware - information theft - or ego
proofs.  This feels like the nightmare
scenario, but I suppose it's ok because it
only happens to dimwits?
(On another note, as this is a cryptography
list, I'd encourage Peter and Dan to report
on the nature of the crypto used in the
Since phishing, when successful, can return real money the
approaches will become ever more sophisticated, relying far less
on deception and more on subterfuge.
I agree this is to be expected.  Once a
revenue stream is earnt, we can expect that
money to be invested back into areas that
are fruitful.  So we can expect much more
and more complex and difficult attacks.
I.e., it's only just starting.

--- Part Two

The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Using crypto against Phishing, Spoofing and Spamming...

2004-07-04 Thread Amir Herzberg
Following some of our discussions on this list, I tried to think more 
seriously on how crypto could be used for the basic current security 
threats of spoofing, phishing and spamming. Preliminary write-ups of the 
results are available in the following (or from my homepage):

# Protecting (even) Naïve Web Users, or: Preventing Spoofing and 
Establishing Credentials of Web Sites, at

# Controlling Spam by Secure Internet Content Selection, at

I believe many of you will find some interest in (criticizing?) the new 
ideas and proposals, and I'll be very grateful for any feedback; the 
works already benefited a lot from some discussions on this list, 
including some of you who asked me essentially to `write up your ideas`.

I am also very interested in working with potential implementors; I am 
already working on implementations with students, but, additional and 
potentially more experienced developers may help us turn some of these 
ideas into reality.

BTW, I'm already using the anti-spamming mechanism (trusted logo and 
credentials area) we developed for Mozilla, and it works great; I hope 
we'll feel soon confident enough with the code so we'll be able to put 
it in the public domain. Experienced Mozilla developers who will be 
willing to help test and evaluate the code are invited to contact me.

Best regards,
Amir Herzberg
Associate Professor, Computer Science Dept., Bar Ilan University (information and lectures in cryptography  

The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Use cash machines as little as possible

2004-07-04 Thread Anne Lynn Wheeler
ONE of Britain's biggest banks is asking customers to use cash
machines as little as possible to help combat soaring card fraud.
... snip ..
Anne  Lynn Wheeler 

The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: Question on the state of the security industry (second half not necessarily on topic)

2004-07-04 Thread Ed Reed
I recently had the same trouble with the Centers for Disease Control
(CDC) - who were calling around to followup on infant influenza
innoculations given last fall.

Ultimately, they wanted me to provide authorization to them to receive
HIPPA protected patient records from my son's pediatrician, and I 
couldn't figure out how to get them to definitively pursuade me that
they were really the CDC, who I was willing to be so authorized.

Such research MAY be appropriate, and in this case, I'm a believer in
flu shots, and am generally supportive.

But, while I could (and had to) identify myself to them (it was
a random-number dial canvas), they had no way, short of giving
me an 800 number to call (with obvious trust bootstrap problems
with that) to get past it.

Eventually, I found enough information on the CDC websites
(assuming that DNS wasn't hacked, that my ISP wasn't redirecting
my http queries to a Russian web site, and that the CDC site
hadn't been hacked) to cooperate (talked with 2 supervisors,
5 followup canvasers, etc.)

This is a problem that real life has.  This sort of problem has
been around since telephones came into existence (I didn't think
to check the caller-id on the call, presuming it would point me
to a call center located somewhere on the planet).

We cope.  And when the annoyance gets too bad, we kvetch,
pass laws, and file law suits.  Isn't that pretty much what's
happening, now?

Thought-control countries present separate problems (whether
that's the Patriot Act or the Chinese censorship of SMS messages).

For them, we have to rely on the Internet to route around censorship.
And facilitate alternate routes (silent ones?) when the routers are
own3d by the censors. (sorry - cross-over to another thread).


 Dave Howe [EMAIL PROTECTED] 7/3/2004 8:22:56 PM 
Joseph Ashwood wrote:
 I am continually asked about spam, and I personally treat phishing as
 subset of it, but I have seen virtually no interest in correcting
 problem. I have personally been told I don't even know how many times
 phishing is not an issue.
Well if nothing else, it is impossible for my bank to send me anything
would believe via email now

To take this even slightly more on-topic - does anyone here have a bank

capable of authenticating themselves to you when they ring you?
I have had four phone calls from my bank this year, all of which start

out by asking me to identify myself to them. When I point out that they

must know who I am - as they just phoned me - and that I have no way of

knowing who they are, they are completely lost (probably takes them
from the little paper script pinned to their desk)

The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to

The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]